3
# Sets password settings (Password complexity, history length, minimum password
4
# length, the minimum and maximum password age) on a Samba4 server
6
# Copyright Matthias Dieter Wallnoefer 2009
7
# Copyright Andrew Kroeger 2009
9
# This program is free software; you can redistribute it and/or modify
10
# it under the terms of the GNU General Public License as published by
11
# the Free Software Foundation; either version 3 of the License, or
12
# (at your option) any later version.
14
# This program is distributed in the hope that it will be useful,
15
# but WITHOUT ANY WARRANTY; without even the implied warranty of
16
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
# GNU General Public License for more details.
19
# You should have received a copy of the GNU General Public License
20
# along with this program. If not, see <http://www.gnu.org/licenses/>.
25
# Find right directory when running from source tree
26
sys.path.insert(0, "bin/python")
28
import samba.getopt as options
32
from samba.auth import system_session
33
from samba.samdb import SamDB
34
from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
36
parser = optparse.OptionParser("pwsettings (show | set <options>)")
37
sambaopts = options.SambaOptions(parser)
38
parser.add_option_group(sambaopts)
39
parser.add_option_group(options.VersionOptions(parser))
40
credopts = options.CredentialsOptions(parser)
41
parser.add_option_group(credopts)
42
parser.add_option("-H", help="LDB URL for database or target server", type=str)
43
parser.add_option("--quiet", help="Be quiet", action="store_true")
44
parser.add_option("--complexity",
45
help="The password complexity (on | off | default). Default is 'on'", type=str)
46
parser.add_option("--history-length",
47
help="The password history length (<integer> | default). Default is 24.", type=str)
48
parser.add_option("--min-pwd-length",
49
help="The minimum password length (<integer> | default). Default is 7.", type=str)
50
parser.add_option("--min-pwd-age",
51
help="The minimum password age (<integer in days> | default). Default is 0.", type=str)
52
parser.add_option("--max-pwd-age",
53
help="The maximum password age (<integer in days> | default). Default is 43.", type=str)
55
opts, args = parser.parse_args()
58
# print a message if quiet is not set
68
lp = sambaopts.get_loadparm()
69
creds = credopts.get_credentials(lp)
71
if opts.H is not None:
74
url = lp.get("sam database")
76
samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
78
domain_dn = SamDB.domain_dn(samdb)
79
res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
80
attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength", "minPwdAge",
84
pwd_props = int(res[0]["pwdProperties"][0])
85
pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
86
min_pwd_len = int(res[0]["minPwdLength"][0])
88
min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
89
max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
91
print "ERROR: Could not retrieve password properties!"
93
print "So no settings can be displayed!"
97
message("Password informations for domain '" + domain_dn + "'")
99
if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
100
message("Password complexity: on")
102
message("Password complexity: off")
103
message("Password history length: " + str(pwd_hist_len))
104
message("Minimum password length: " + str(min_pwd_len))
105
message("Minimum password age (days): " + str(min_pwd_age))
106
message("Maximum password age (days): " + str(max_pwd_age))
108
elif args[0] == "set":
112
m.dn = ldb.Dn(samdb, domain_dn)
114
if opts.complexity is not None:
115
if opts.complexity == "on" or opts.complexity == "default":
116
pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
117
msgs.append("Password complexity activated!")
118
elif opts.complexity == "off":
119
pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
120
msgs.append("Password complexity deactivated!")
122
print "ERROR: Wrong argument '" + opts.complexity + "'!"
125
m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
126
ldb.FLAG_MOD_REPLACE, "pwdProperties")
128
if opts.history_length is not None:
129
if opts.history_length == "default":
132
pwd_hist_len = int(opts.history_length)
134
if pwd_hist_len < 0 or pwd_hist_len > 24:
135
print "ERROR: Password history length must be in the range of 0 to 24!"
138
m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
139
ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
140
msgs.append("Password history length changed!")
142
if opts.min_pwd_length is not None:
143
if opts.min_pwd_length == "default":
146
min_pwd_len = int(opts.min_pwd_length)
148
if min_pwd_len < 0 or min_pwd_len > 14:
149
print "ERROR: Minimum password length must be in the range of 0 to 14!"
152
m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
153
ldb.FLAG_MOD_REPLACE, "minPwdLength")
154
msgs.append("Minimum password length changed!")
156
if opts.min_pwd_age is not None:
157
if opts.min_pwd_age == "default":
160
min_pwd_age = int(opts.min_pwd_age)
162
if min_pwd_age < 0 or min_pwd_age > 998:
163
print "ERROR: Minimum password age must be in the range of 0 to 998!"
167
min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
169
m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
170
ldb.FLAG_MOD_REPLACE, "minPwdAge")
171
msgs.append("Minimum password age changed!")
173
if opts.max_pwd_age is not None:
174
if opts.max_pwd_age == "default":
177
max_pwd_age = int(opts.max_pwd_age)
179
if max_pwd_age < 0 or max_pwd_age > 999:
180
print "ERROR: Maximum password age must be in the range of 0 to 999!"
184
max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
186
m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
187
ldb.FLAG_MOD_REPLACE, "maxPwdAge")
188
msgs.append("Maximum password age changed!")
190
if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
191
print "ERROR: Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age)
196
msgs.append("All changes applied successfully!")
198
message("\n".join(msgs))
200
print "ERROR: Wrong argument '" + args[0] + "'!"