[PATCH] samba-tool: Create NIS enabled users and unixHomeDirectory attribute
Andrew Bartlett
abartlet at samba.org
Mon Nov 3 14:25:39 MST 2014
On Thu, 2014-10-30 at 21:19 +0000, Rowland Penny wrote:
> On 30/10/14 20:56, Jelmer Vernooij wrote:
> > Hi Marc,
> >
> > Thanks for helping improve samba-tool. :-)
> >
> > On Thu, Oct 30, 2014 at 09:42:30PM +0100, Marc Muehlfeld wrote:
> > From 5b6afeab2e70232aaf89ef3115bfd9ccd651742a Mon Sep 17 00:00:00 2001
> >> From: Marc Muehlfeld <mmuehlfeld at samba.org>
> >> Date: Thu, 30 Oct 2014 21:20:42 +0100
> >> Subject: [PATCH] samba-tool: Create NIS enabled users and unixHomeDirectory
> >> attribute
> >>
> >> Allow to create NIS enabled user accounts via 'samba-tool user add'.
> >> To create NIS enabled accounts, the parameters
> >> --uid-number=, --login-shell=, --unix-home=, --gid-number=
> >> are mandatory. Because we didn't had a parameter to set unixHomeDirectory
> >> yet, this patch also adds this feature.
> >>
> >> See: https://bugzilla.samba.org/show_bug.cgi?id=10909
> >>
> >> Signed-off-by: Marc Muehlfeld <mmuehlfeld at samba.org>
> >> ---
> >> python/samba/netcmd/user.py | 13 +++++++++++--
> >> python/samba/samdb.py | 19 +++++++++++++++++--
> >> 2 files changed, 28 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
> >> index 344f35f..9c67cfa 100644
> >> --- a/python/samba/netcmd/user.py
> >> +++ b/python/samba/netcmd/user.py
> >> diff --git a/python/samba/samdb.py b/python/samba/samdb.py
> >> index 0ea52fb..09f594a 100644
> >> --- a/python/samba/samdb.py
> >> +++ b/python/samba/samdb.py
> >> @@ -302,7 +302,7 @@ member: %s
> >> description=None, mailaddress=None, internetaddress=None,
> >> telephonenumber=None, physicaldeliveryoffice=None, sd=None,
> >> setpassword=True, uidnumber=None, gidnumber=None, gecos=None,
> >> - loginshell=None, uid=None):
> >> + loginshell=None, uid=None, nisdomain=None, unixhome=None):
> >> """Adds a new user with additional parameters
> >>
> >> :param username: Name of the new user
> >> @@ -333,6 +333,8 @@ member: %s
> >> :param gecos: RFC2307 Unix GECOS field of the new user
> >> :param loginshell: RFC2307 Unix login shell of the new user
> >> :param uid: RFC2307 Unix username of the new user
> >> + :param nisdomain: RFC2307 Unix NIS domain of the new user
> >> + :param unixhome: RFC2307 Unix home directory of the new user
> >> """
> >>
> >> displayname = ""
> >> @@ -412,8 +414,15 @@ member: %s
> >> if sd is not None:
> >> ldbmessage["nTSecurityDescriptor"] = ndr_pack(sd)
> >>
> >> + if nisdomain is not None:
> >> + if None in (uidnumber, loginshell, unixhome, gidnumber):
> >> + raise Exception("""Missing parameters. To enable NIS features,
> >> +the follwing options have to be given:
> >> +--nis-domain=, --uidNumber=, --login-shell=, --unix-home=, --gid-number=
> >> +Operation cancelled.""")
> >> +
> > Please don't raise Exception for user-facing errors but CommandError. The
> > description should generally also be a single line like in all Python
> > errors.
> >
> > s/follwing/following/
> >
> >> ldbmessage2 = None
> >> - if any(map(lambda b: b is not None, (uid, uidnumber, gidnumber, gecos, loginshell))):
> >> + if any(map(lambda b: b is not None, (uid, uidnumber, gidnumber, gecos, loginshell, nisdomain, unixhome))):
> >> ldbmessage2 = ldb.Message()
> >> ldbmessage2.dn = ldb.Dn(self, user_dn)
> >> ldbmessage2["objectClass"] = ldb.MessageElement('posixAccount', ldb.FLAG_MOD_ADD, 'objectClass')
> >> @@ -427,6 +436,12 @@ member: %s
> >> ldbmessage2["gecos"] = ldb.MessageElement(str(gecos), ldb.FLAG_MOD_REPLACE, 'gecos')
> >> if loginshell is not None:
> >> ldbmessage2["loginShell"] = ldb.MessageElement(str(loginshell), ldb.FLAG_MOD_REPLACE, 'loginShell')
> >> + if unixhome is not None:
> >> + ldbmessage2["unixHomeDirectory"] = ldb.MessageElement(str(unixhome), ldb.FLAG_MOD_REPLACE, 'unixHomeDirectory')
> >> + if nisdomain is not None:
> >> + ldbmessage2["msSFU30NisDomain"] = ldb.MessageElement(str(nisdomain), ldb.FLAG_MOD_REPLACE, 'msSFU30NisDomain')
> >> + ldbmessage2["msSFU30Name"] = ldb.MessageElement(str(username), ldb.FLAG_MOD_REPLACE, 'msSFU30Name')
> >> + ldbmessage2["unixUserPassword"] = ldb.MessageElement('ABCD!efgh12345$67890', ldb.FLAG_MOD_REPLACE, 'unixUserPassword')
> > ^^^ This just seems to hardcode a user password?
> >
> > Jelmer
> It is what ADUC does, every user that has Unix attributes added by the
> UNIX_Attributes tab, gets this password and as the old saying, 'when in
> Rome, do as the Romans do'
Ouch, this is the kind of thing we normally raise a security bug against
Windows for. However, while I'm not at all comfortable with this in
Samba, it seems very well known. I hope we can determine and document
the expected hash algorithms for valid passwords, and determine that
this isn't a valid hash for that algorithm. It's a pity they didn't use
values such as x and * that are used in /etc/passwd and /etc/shadow.
At the very least, we should document clearly in a comment why this
isn't a security threat, both inline and with links.
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list