[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue May 29 06:31:03 UTC 2018


The branch, master has been updated
       via  5b86203 python/samba/netcmd/schema.py: samdb schema update now
       via  4b1a862 python/samba/tests/samba_tool/schema.py: Improve schema command testing
       via  2c65184 python/samba/netcmd/schema.py: add schema show_oc for attribute
       via  74d85d4 python/samba/netcmd/schema.py: add schema query and management.
       via  289ae87 python/samba/netcmd/group.py: add group show
       via  b8e51a8 python/samba/netcmd/{forest.py,main.py}: add configuration controls
      from  e56b92b torture: Cope with WINBINDD_SHOW_SEQUENCE failure for fake trusts

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5b8620307edfd2897dd61c7e860d95662c547ecc
Author: William Brown <william at blackhats.net.au>
Date:   Sat May 19 12:19:58 2018 +1000

    python/samba/netcmd/schema.py: samdb schema update now
    
    When we change schema values, we should trigger a schema update to refresh
    the changes applied. This is called after a change is made. A helper to
    samdb is added so that it's easier for other locations to call additionally.
    
    Signed-off-by: William Brown <william at blackhats.net.au>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue May 29 08:30:52 CEST 2018 on sn-devel-144

commit 4b1a86235ba454b0e5e27ca621d87c8644b2a98c
Author: William Brown <william at blackhats.net.au>
Date:   Mon May 28 10:30:39 2018 +1000

    python/samba/tests/samba_tool/schema.py: Improve schema command testing
    
    Assert the correct stdout content of the schema test commands.
    
    Signed-off-by: William Brown <william at blackhats.net.au>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 2c65184270500dc99b1697af6e830d62093a627f
Author: William Brown <william at blackhats.net.au>
Date:   Sun Apr 29 13:28:42 2018 +1200

    python/samba/netcmd/schema.py: add schema show_oc for attribute
    
    Often administrators need to add a specific attribute to an object, but
    it may not be possible with the objectClasses present. This tool allows
    searching "what objectclasses must or may?" take an attribute to help hint
    to an administrator what objectclasses can be added to objects to achieve
    the changes they want.
    
    Signed-off-by: William Brown <william at blackhats.net.au>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 74d85d4cc246458f51ec9b264310959055f0a0b9
Author: William Brown <william at blackhats.net.au>
Date:   Sat Apr 28 15:22:29 2018 +1000

    python/samba/netcmd/schema.py: add schema query and management.
    
    Schema management in Active Directory is complex and dangerous. Having
    a tool that safely wraps administrative tasks as well as allowing query
    of the schema will make this complex topic more accessible to administrators.
    
    Signed-off-by: William Brown <william at blackhats.net.au>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 289ae87c3bb81b2e1cd30a876a3b694b7264edc5
Author: William Brown <william at blackhats.net.au>
Date:   Thu Apr 26 13:59:06 2018 +1000

    python/samba/netcmd/group.py: add group show
    
    The samba-tool user command can show the ldif of a user. This is
    useful for groups also, especially to determine the objectSID and
    objectGUID. Add support for group show to samba-tool.
    
    Signed-off-by: William Brown <william at blackhats.net.au>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit b8e51a8174682149bd8381163a6f1a4658da6271
Author: William Brown <william at blackhats.net.au>
Date:   Wed Apr 25 17:36:17 2018 +1000

    python/samba/netcmd/{forest.py,main.py}: add configuration controls
    
    With samba-tool we should expose ways to easily administer and control
    common configuration options. This adds the base framework for modifying
    forest settings, generally stored in the cn=configuration partition.
    
    An example is:
    
    samba-tool forest directory_service show
    samba-tool forest directory_service dsheuristics X
    
    Signed-off-by: William Brown <william at blackhats.net.au>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/samba-tool.8.xml      |  50 +++++
 python/samba/ms_schema.py               |   9 +-
 python/samba/netcmd/domain.py           |  11 +-
 python/samba/netcmd/forest.py           | 162 +++++++++++++++++
 python/samba/netcmd/group.py            |  81 +++++++++
 python/samba/netcmd/main.py             |   2 +
 python/samba/netcmd/schema.py           | 313 ++++++++++++++++++++++++++++++++
 python/samba/samdb.py                   |  13 ++
 python/samba/tests/samba_tool/forest.py |  66 +++++++
 python/samba/tests/samba_tool/group.py  |  10 +
 python/samba/tests/samba_tool/schema.py | 113 ++++++++++++
 source4/selftest/tests.py               |   2 +
 12 files changed, 819 insertions(+), 13 deletions(-)
 create mode 100644 python/samba/netcmd/forest.py
 create mode 100644 python/samba/netcmd/schema.py
 create mode 100644 python/samba/tests/samba_tool/forest.py
 create mode 100644 python/samba/tests/samba_tool/schema.py


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index f2154b9..f785e53 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -460,6 +460,26 @@
 </refsect3>
 
 <refsect2>
+	<title>forest</title>
+	<para>Manage Forest configuration.</para>
+</refsect2>
+
+<refsect3>
+	<title>forest directory_service</title>
+	<para>Manage directory_service behaviour for the forest.</para>
+</refsect3>
+
+<refsect3>
+	<title>forest directory_service dsheuristics <replaceable>VALUE</replaceable></title>
+	<para>Modify dsheuristics directory_service configuration for the forest.</para>
+</refsect3>
+
+<refsect3>
+	<title>forest directory_service show</title>
+	<para>Show current directory_service configuration for the forest.</para>
+</refsect3>
+
+<refsect2>
 	<title>fsmo</title>
 	<para>Manage Flexible Single Master Operations (FSMO).</para>
 </refsect2>
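Review bot: the `forest directory_service dsheuristics VALUE` entry should say that VALUE replaces the whole dsheuristics string, because the command it documents (cmd_forest_set in forest.py, later in this changeset) does an `ldb.FLAG_MOD_REPLACE` on the attribute rather than editing one position; an administrator reading only the man page could pass "2" and clear every other position. Suggested wording: `<para>Replace the dsheuristics value of the forest's Directory Service object with VALUE.</para>`.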
@@ -590,6 +610,11 @@
 	<para>Remove members from the specified AD group.</para>
 </refsect3>
 
+<refsect3>
+	<title>group show <replaceable>groupname</replaceable> [options]</title>
+	<para>Show group object and it's attributes.</para>
+</refsect3>
+
 <refsect2>
 	<title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
 	<para>Compare two LDAP databases.</para>
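Review bot: typo in the new `group show` entry: `<para>Show group object and it's attributes.</para>` should read `its attributes` (possessive, no apostrophe), and "Show the group object" reads better.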
@@ -713,6 +738,31 @@
 </refsect3>
 
 <refsect2>
+	<title>schema</title>
+	<para>Manage and query schema.</para>
+</refsect2>
+
+<refsect3>
+	<title>schema attribute modify <replaceable>attribute</replaceable> [options]</title>
+	<para>Modify the behaviour of an attribute in schema.</para>
+</refsect3>
+
+<refsect3>
+	<title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
+	<para>Display an attribute schema definition.</para>
+</refsect3>
+
+<refsect3>
+	<title>schema attribute show_oc <replaceable>attribute</replaceable> [options]</title>
+	<para>Show objectclasses that MAY or MUST contain this attribute.</para>
+</refsect3>
+
+<refsect3>
+	<title>schema objectclass show <replaceable>objectclass</replaceable> [options]</title>
+	<para>Display an objectclass schema definition.</para>
+</refsect3>
+
+<refsect2>
 	<title>sites</title>
 	<para>Manage sites.</para>
 </refsect2>
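Review bot: the `schema attribute modify` entry says only "Modify the behaviour of an attribute in schema" and does not mention the `--searchflags` option the command takes (see the docstring example in schema.py), nor that the option overwrites the attribute's current searchFlags rather than merging with it; both belong in the man page so that an administrator does not silently drop existing index or confidentiality flags.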
diff --git a/python/samba/ms_schema.py b/python/samba/ms_schema.py
index de6e4b2..e83637542 100644
--- a/python/samba/ms_schema.py
+++ b/python/samba/ms_schema.py
@@ -36,14 +36,17 @@ bitFields["searchflags"] = {
     'fTUPLEINDEX': 26,       # TP
     'fSUBTREEATTINDEX': 25,  # ST
     'fCONFIDENTIAL': 24,     # CF
+    'fCONFIDENTAIL': 24, # typo
     'fNEVERVALUEAUDIT': 23,  # NV
     'fRODCAttribute': 22,    # RO
 
 
     # missing in ADTS but required by LDIF
-    'fRODCFilteredAttribute': 22,    # RO ?
-    'fCONFIDENTAIL': 24, # typo
-    'fRODCFILTEREDATTRIBUTE': 22 # case
+    'fRODCFilteredAttribute': 22,    # RO
+    'fRODCFILTEREDATTRIBUTE': 22, # case
+    'fEXTENDEDLINKTRACKING': 21,  # XL
+    'fBASEONLY': 20,  # BO
+    'fPARTITIONSECRET': 19,  # SE
     }
 
 # ADTS: 2.2.10
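Review bot: the three new entries `fEXTENDEDLINKTRACKING`, `fBASEONLY` and `fPARTITIONSECRET` are added under the comment `# missing in ADTS but required by LDIF`, but they are documented search flags (XL, BO, SE) and belong in the main list above that comment; conversely the `fCONFIDENTAIL` typo alias, which this hunk moves up into the main list, is not a real flag name and belongs below the comment. As written the comment misdescribes both groups; swapping the placements keeps the table self-explanatory.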
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 6698fc9..819ddd6 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -3909,15 +3909,6 @@ class ldif_schema_update:
         self.dn = None
         self.ldif = ""
 
-    def _ldap_schemaUpdateNow(self, samdb):
-        ldif = """
-dn:
-changetype: modify
-add: schemaUpdateNow
-schemaUpdateNow: 1
-"""
-        samdb.modify_ldif(ldif)
-
     def can_ignore_failure(self, error):
         """Checks if we can safely ignore failure to apply an LDIF update"""
         (num, errstr) = error.args
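Review bot: deleting `_ldap_schemaUpdateNow` is only safe if the replacement `samdb.set_schema_update_now()` (added in python/samba/samdb.py per the summary, but cut off by the 500-line truncation of this changeset) issues the same modify the removed method did: an empty `dn:` (the rootDSE) with `add: schemaUpdateNow` / `schemaUpdateNow: 1`. Please confirm that in review, and give the new helper a docstring stating that it is a rootDSE operation so that callers in other locations use it correctly.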
@@ -3946,7 +3937,7 @@ schemaUpdateNow: 1
                     # Otherwise the OID-to-attribute mapping in
                     # _apply_updates_in_file() won't work, because it
                     # can't lookup the new OID in the schema
-                    self._ldap_schemaUpdateNow(samdb)
+                    samdb.set_schema_update_now()
 
                     samdb.modify_ldif(self.ldif, controls=['relax:0'])
                 else:
diff --git a/python/samba/netcmd/forest.py b/python/samba/netcmd/forest.py
new file mode 100644
index 0000000..9b4f676
--- /dev/null
+++ b/python/samba/netcmd/forest.py
@@ -0,0 +1,162 @@
+# domain management
+#
+# Copyright William Brown <william at blackhats.net.au> 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import ldb
+import samba.getopt as options
+from samba.auth import system_session
+from samba.samdb import SamDB
+from samba.netcmd import (
+    Command,
+    CommandError,
+    SuperCommand,
+    Option
+    )
+
+class cmd_forest_show(Command):
+    """Display forest settings.
+
+    These settings control the behaviour of all domain controllers in this
+    forest. This displays those settings from the replicated configuration
+    partition.
+    """
+
+    synopsis = "%prog [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "versionopts": options.VersionOptions,
+        "credopts": options.CredentialsOptions,
+        }
+
+    takes_options = [
+        Option("-H", "--URL", help="LDB URL for database or target server",
+                type=str, metavar="URL", dest="H"),
+        ]
+
+    def run(self, H=None, credopts=None, sambaopts=None, versionopts=None):
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp)
+
+        samdb = SamDB(url=H, session_info=system_session(),
+            credentials=creds, lp=lp)
+
+        domain_dn = samdb.domain_dn()
+        object_dn = "%s,%s" % (self.objectdn, domain_dn)
+
+        # Show all the settings we know how to set in the forest object!
+        res = samdb.search(base=object_dn, scope=ldb.SCOPE_BASE,
+                           attrs=self.attributes)
+
+        # Now we just display these attributes. The value is that
+        # we make them a bit prettier and human accessible.
+        # There should only be one response!
+        res_object = res[0]
+
+        self.outf.write("Settings for %s\n" % object_dn)
+        for attr in self.attributes:
+            try:
+                self.outf.write("%s: %s\n" % (attr, res_object[attr][0]))
+            except KeyError:
+                self.outf.write("%s: <NO VALUE>\n" % attr)
+
+class cmd_forest_set(Command):
+    """Modify forest settings.
+
+    This will alter the setting specified to value.
+    """
+
+    attribute = None
+    objectdn = None
+
+    synopsis = "%prog value [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "versionopts": options.VersionOptions,
+        "credopts": options.CredentialsOptions,
+        }
+
+    takes_options = [
+        Option("-H", "--URL", help="LDB URL for database or target server",
+                type=str, metavar="URL", dest="H"),
+        ]
+
+    takes_args = ["value"]
+
+    def run(self, value, H=None, credopts=None, sambaopts=None, versionopts=None):
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp)
+
+        samdb = SamDB(url=H, session_info=system_session(),
+            credentials=creds, lp=lp)
+
+        domain_dn = samdb.domain_dn()
+        object_dn = "%s,%s" % (self.objectdn, domain_dn)
+
+        # Create the modification
+        m = ldb.Message()
+        m.dn = ldb.Dn(samdb, object_dn)
+        m[self.attribute] = ldb.MessageElement(
+            value, ldb.FLAG_MOD_REPLACE, self.attribute)
+
+        samdb.modify(m)
+        self.outf.write("set %s: %s\n" % (self.attribute, value))
+
+
+# Then you override it for each setting name:
+
+class cmd_forest_show_directory_service(cmd_forest_show):
+    """Display Directory Service settings for the forest.
+
+    These settings control how the Directory Service behaves on all domain
+    controllers in the forest.
+    """
+    objectdn = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"
+    attributes = ['dsheuristics']
+
+class cmd_forest_set_directory_service_dsheuristics(cmd_forest_set):
+    """Set the value of dsheuristics on the Directory Service.
+
+    This value alters the behaviour of the Directory Service on all domain
+    controllers in the forest. Documentation related to this parameter can be
+    found here: https://msdn.microsoft.com/en-us/library/cc223560.aspx
+
+    In summary each "character" of the number-string, controls a setting.
+    A common setting is to set the value "2" in the 7th character. This controls
+    anonymous search behaviour.
+
+    Example: dsheuristics 0000002
+
+    This would allow anonymous LDAP searches to the domain (you may still need
+    to alter access controls to allow this).
+    """
+    objectdn = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"
+    attribute = 'dsheuristics'
+
+class cmd_forest_directory_service(SuperCommand):
+    """Forest configuration partition management."""
+
+    subcommands = {}
+    subcommands["show"] = cmd_forest_show_directory_service()
+    subcommands["dsheuristics"] = cmd_forest_set_directory_service_dsheuristics()
+
+class cmd_forest(SuperCommand):
+    """Forest management."""
+
+    subcommands = {}
+    subcommands["directory_service"] = cmd_forest_directory_service()
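Review bot: both `cmd_forest_show.run` and `cmd_forest_set.run` build the target DN as `object_dn = "%s,%s" % (self.objectdn, domain_dn)` with `domain_dn = samdb.domain_dn()`, but the Configuration partition hangs off the forest root domain, not the local domain, so on a DC of a child domain this resolves to a DN that does not exist and the search raises an LdbError. Use `samdb.get_config_basedn()` and drop `CN=Configuration` from the two `objectdn` strings (`"CN=Directory Service,CN=Windows NT,CN=Services"`). Two smaller points: the header comment `# domain management` should read `# forest management`, and `cmd_forest_show` should declare `objectdn = None` and `attributes = []` as `cmd_forest_set` does, so a direct invocation fails with a clear message instead of an AttributeError. Finally, `cmd_forest_set` writes `value` unchecked; for dsheuristics the docstring already explains the positional format, so rejecting values whose length or tenth character do not follow the MS-ADTS rules would prevent a mistyped value from changing anonymous-access behaviour forest-wide.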
diff --git a/python/samba/netcmd/group.py b/python/samba/netcmd/group.py
index a4969cc..9e1e110 100644
--- a/python/samba/netcmd/group.py
+++ b/python/samba/netcmd/group.py
@@ -26,6 +26,7 @@ from getpass import getpass
 from samba.auth import system_session
 from samba.samdb import SamDB
 from samba.dsdb import (
+    ATYPE_SECURITY_GLOBAL_GROUP,
     GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
     GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
     GTYPE_SECURITY_GLOBAL_GROUP,
@@ -500,6 +501,85 @@ class cmd_group_move(Command):
         self.outf.write('Moved group "%s" into "%s"\n' %
                         (groupname, full_new_parent_dn))
 
+class cmd_group_show(Command):
+    """Display a group AD object.
+
+This command displays a group object and it's attributes in the Active
+Directory domain.
+The group name specified on the command is the sAMAccountName of the group.
+
+The command may be run from the root userid or another authorized userid.
+
+The -H or --URL= option can be used to execute the command against a remote
+server.
+
+Example1:
+samba-tool group show Group1 -H ldap://samba.samdom.example.com \
+-U administrator --password=passw1rd
+
+Example1 shows how to display a group's attributes in the domain against a remote
+LDAP server.
+
+The -H parameter is used to specify the remote target server.
+
+Example2:
+samba-tool group show Group2
+
+Example2 shows how to display a group's attributes in the domain against a local
+LDAP server.
+
+Example3:
+samba-tool group show Group3 --attributes=member,objectGUID
+
+Example3 shows how to display a users objectGUID and member attributes.
+"""
+    synopsis = "%prog <group name> [options]"
+
+    takes_options = [
+        Option("-H", "--URL", help="LDB URL for database or target server",
+               type=str, metavar="URL", dest="H"),
+        Option("--attributes",
+               help=("Comma separated list of attributes, "
+                     "which will be printed."),
+               type=str, dest="group_attrs"),
+    ]
+
+    takes_args = ["groupname"]
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "credopts": options.CredentialsOptions,
+        "versionopts": options.VersionOptions,
+        }
+
+    def run(self, groupname, credopts=None, sambaopts=None, versionopts=None,
+            H=None, group_attrs=None):
+
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp, fallback_machine=True)
+        samdb = SamDB(url=H, session_info=system_session(),
+                      credentials=creds, lp=lp)
+
+        attrs = None
+        if group_attrs:
+            attrs = group_attrs.split(",")
+
+        filter = ("(&(sAMAccountType=%d)(sAMAccountName=%s))" %
+                     ( ATYPE_SECURITY_GLOBAL_GROUP,
+                       ldb.binary_encode(groupname)))
+
+        domaindn = samdb.domain_dn()
+
+        try:
+            res = samdb.search(base=domaindn, expression=filter,
+                               scope=ldb.SCOPE_SUBTREE, attrs=attrs)
+            user_dn = res[0].dn
+        except IndexError:
+            raise CommandError('Unable to find group "%s"' % (groupname))
+
+        for msg in res:
+            user_ldif = samdb.write_ldif(msg, ldb.CHANGETYPE_NONE)
+            self.outf.write(user_ldif)
+
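Review bot: the search filter in `cmd_group_show.run`, `(&(sAMAccountType=%d)(sAMAccountName=%s))` with `ATYPE_SECURITY_GLOBAL_GROUP`, matches only security groups of that account type, so `group show` reports "Unable to find group" for domain-local security groups and for distribution groups; filtering on `(objectClass=group)` instead would cover those too. Also `user_dn = res[0].dn` is assigned but never used (left over from the user show code; `len(res) == 0` is the condition actually being tested), the local name `filter` shadows the builtin, and the docstring has `it's attributes` and `a users objectGUID` where `its` and `a group's` are meant.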
 class cmd_group(SuperCommand):
     """Group management."""
 
@@ -511,3 +591,4 @@ class cmd_group(SuperCommand):
     subcommands["list"] = cmd_group_list()
     subcommands["listmembers"] = cmd_group_list_members()
     subcommands["move"] = cmd_group_move()
+    subcommands["show"] = cmd_group_show()
diff --git a/python/samba/netcmd/main.py b/python/samba/netcmd/main.py
index 40762fa..8379766 100644
--- a/python/samba/netcmd/main.py
+++ b/python/samba/netcmd/main.py
@@ -63,12 +63,14 @@ class cmd_sambatool(SuperCommand):
     subcommands["domain"] = None
     subcommands["drs"] = None
     subcommands["dsacl"] = None
+    subcommands["forest"] = None
     subcommands["fsmo"] = None
     subcommands["gpo"] = None
     subcommands["group"] = None
     subcommands["ldapcmp"] = None
     subcommands["ntacl"] = None
     subcommands["rodc"] = None
+    subcommands["schema"] = None
     subcommands["sites"] = None
     subcommands["spn"] = None
     subcommands["testparm"] = None
diff --git a/python/samba/netcmd/schema.py b/python/samba/netcmd/schema.py
new file mode 100644
index 0000000..9a356a4
--- /dev/null
+++ b/python/samba/netcmd/schema.py
@@ -0,0 +1,313 @@
+# Manipulate ACLs on directory objects
+#
+# Copyright (C) William Brown <william at blackhats.net.au> 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import ldb
+import samba.getopt as options
+from samba.ms_schema import bitFields
+from samba.auth import system_session
+from samba.samdb import SamDB
+from samba.netcmd import (
+    Command,
+    CommandError,
+    SuperCommand,
+    Option
+    )
+
+class cmd_schema_attribute_modify(Command):
+    """Modify attribute settings in the schema partition.
+
+    This commands allows minor modifications to attributes in the schema. Active
+    Directory does not allow many changes to schema, but important modifications
+    are related to indexing. This command overwrites the value of searchflags,
+    so be sure to view the current content before making changes.
+
+    Example1:
+    samba-tool schema attribute modify uid \
+        --searchflags="fATTINDEX,fPRESERVEONDELETE"
+
+    This alters the uid attribute to be indexed and to be preserved when
+    converted to a tombstone.
+
+    Important search flag values are:
+
+    fATTINDEX: create an equality index for this attribute.
+    fPDNTATTINDEX: create a container index for this attribute (ie OU).
+    fANR: specify that this attribute is a member of the ambiguous name
+         resolution set.
+    fPRESERVEONDELETE: indicate that the value of this attribute should be
+         preserved when the object is converted to a tombstone (deleted).
+    fCOPY: hint to clients that this attribute should be copied.
+    fTUPLEINDEX: create a tuple index for this attribute. This is used in
+          substring queries.
+    fSUBTREEATTINDEX: create a browsing index for this attribute. VLV searches
+          require this.
+    fCONFIDENTIAL: indicate that the attribute is confidental and requires
+          special access checks.
+    fNEVERVALUEAUDIT: indicate that changes to this value should NOT be audited.
+    fRODCFILTEREDATTRIBUTE: indicate that this value should not be replicated to
+          RODCs.
+    fEXTENDEDLINKTRACKING: indicate to the DC to perform extra link tracking.
+    fBASEONLY: indicate that this attribute should only be displayed when the
+           search scope of the query is SCOPE_BASE or a single object result.
+    fPARTITIONSECRET: indicate that this attribute is a partition secret and
+           requires special access checks.
+
+    The authoritative source of this information is the MS-ADTS.
+    """
+    synopsis = "%prog attribute [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,


-- 
Samba Shared Repository
