samba

Merge lp:~kernevil/samba/devel into lp:samba

devel
Merge into trunk

Proposed by Kernevil on 2012-02-19

Status:	Needs review
Proposed branch:	lp:~kernevil/samba/devel
Merge into:	lp:samba
Diff against target:	122 lines (+26/-9) 2 files modified source4/scripting/python/samba/netcmd/user.py (+5/-2) source4/scripting/python/samba/samdb.py (+21/-7)
To merge this branch:	bzr merge lp:~kernevil/samba/devel
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Samba Team		2012-02-19	Pending
Review via email: mp+93744@code.launchpad.net

Description of the change

Added switch "--enable-reversible-encryption" when creating an user. This sets the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag on the user account, storing the password in clear text inside the "supplementalCredentials" blob. This is needed to sync passwords with external applications.

lp:~kernevil/samba/devel updated on 2012-02-20

25247. By Kernevil on 2012-02-20: Merge trunk revs 318..320

Revision history for this message

Jelmer Vernooij (jelmer) wrote on 2012-02-20:

Hi,

Thanks for the MP.

On Sun, Feb 19, 2012 at 07:11:20PM -0000, Kernevil wrote:
> Added switch "--enable-reversible-encryption" when creating an user. This sets the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag on the user account, storing the password in clear text inside the "supplementalCredentials" blob. This is needed to sync passwords with external applications.
> --
> === modified file 'source4/scripting/python/samba/samdb.py'
> --- source4/scripting/python/samba/samdb.py 2011-12-07 02:09:08 +0000
> +++ source4/scripting/python/samba/samdb.py 2012-02-19 19:10:26 +0000
> @@ -104,6 +104,24 @@
> flags = samba.dsdb.UF_ACCOUNTDISABLE | samba.dsdb.UF_PASSWD_NOTREQD
> self.toggle_userAccountFlags(search_filter, flags, on=False)
>
> + def enable_reversible_encryption(self, search_filter):
> + """Enables reversible password encryption
> +
> + :param search_filter: LDAP filter to find the user (eg
> + samccountname=name)
s/samccountname/samaccountname/

> + """
> + flags = samba.dsdb.UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
> + self.toggle_userAccountFlags(search_filter, flags, on=True)
> +
> + def disable_reversible_encryption(self, search_filter):
> + """Disables reversible password encryption
> +
> + :param search_filter: LDAP filter to find the user (eg
> + samccountname=name)
> + """
> + flags = samba.dsdb.UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
> + self.toggle_userAccountFlags(search_filter, flags, on=False)
I'm not sure if this really warrants separate methods (though I guess
it is consistent with the other methods).

Can you make this a single method with just a boolean argument
"enabled" or something like that?
> +
> def toggle_userAccountFlags(self, search_filter, flags, flags_str=None,
> on=True, strict=False):
> """toggle_userAccountFlags
> @@ -292,8 +310,8 @@

Cheers,

Jelmer

lp:~kernevil/samba/devel updated on 2012-02-24

25248. By Kernevil on 2012-02-22: * Fix spell errors on comments
* Replace 'disable_reversible_encryption' method by a boolean parameter on
method 'set_reversible_encryption'
25249. By Kernevil on 2012-02-24: Merge trunk revs 25321..25400
25250. By Kernevil on 2012-02-24: Fix wrong function call

Unmerged revisions

25250. By Kernevil on 2012-02-24: Fix wrong function call
25249. By Kernevil on 2012-02-24: Merge trunk revs 25321..25400
25248. By Kernevil on 2012-02-22: * Fix spell errors on comments
* Replace 'disable_reversible_encryption' method by a boolean parameter on
method 'set_reversible_encryption'
25247. By Kernevil on 2012-02-20: Merge trunk revs 318..320
25246. By Kernevil on 2012-02-19: Merge trunk
25245. By Kernevil on 2012-02-19: Merge trunk
25244. By Kernevil on 2012-02-16: Merge parent branch
25243. By Kernevil on 2012-02-16: Add '--enable-reversible-encryption' to user creation'

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Kernevil

1	=== modified file 'source4/scripting/python/samba/netcmd/user.py'
2	--- source4/scripting/python/samba/netcmd/user.py 2012-02-07 00:11:08 +0000
3	+++ source4/scripting/python/samba/netcmd/user.py 2012-02-24 12:21:22 +0000
4	@@ -98,6 +98,7 @@
5	Option("--internet-address", help="User's home page", type=str),
6	Option("--telephone-number", help="User's phone number", type=str),
7	Option("--physical-delivery-office", help="User's office location", type=str),
8	+ Option("--enable-reversible-encryption", help="Enable reversible password encryption", action="store_true"),
9	]
10
11	takes_args = ["username", "password?"]
12	@@ -113,7 +114,8 @@
13	use_username_as_cn=False, userou=None, surname=None, given_name=None, initials=None,
14	profile_path=None, script_path=None, home_drive=None, home_directory=None,
15	job_title=None, department=None, company=None, description=None,
16	- mail_address=None, internet_address=None, telephone_number=None, physical_delivery_office=None):
17	+ mail_address=None, internet_address=None, telephone_number=None, physical_delivery_office=None,
18	+ enable_reversible_encryption=False):
19
20	if random_password:
21	password = generate_random_password(128, 255)
22	@@ -135,7 +137,8 @@
23	profilepath=profile_path, homedrive=home_drive, scriptpath=script_path, homedirectory=home_directory,
24	jobtitle=job_title, department=department, company=company, description=description,
25	mailaddress=mail_address, internetaddress=internet_address,
26	- telephonenumber=telephone_number, physicaldeliveryoffice=physical_delivery_office)
27	+ telephonenumber=telephone_number, physicaldeliveryoffice=physical_delivery_office,
28	+ enablereversibleencryption=enable_reversible_encryption)
29	except Exception, e:
30	raise CommandError("Failed to add user '%s': " % username, e)
31
32
33	=== modified file 'source4/scripting/python/samba/samdb.py'
34	--- source4/scripting/python/samba/samdb.py 2011-12-07 02:09:08 +0000
35	+++ source4/scripting/python/samba/samdb.py 2012-02-24 12:21:22 +0000
36	@@ -88,7 +88,7 @@
37	"""Disables an account
38
39	:param search_filter: LDAP filter to find the user (eg
40	- samccountname=name)
41	+ samaccountname=name)
42	"""
43
44	flags = samba.dsdb.UF_ACCOUNTDISABLE
45	@@ -98,18 +98,28 @@
46	"""Enables an account
47
48	:param search_filter: LDAP filter to find the user (eg
49	- samccountname=name)
50	+ samaccountname=name)
51	"""
52
53	flags = samba.dsdb.UF_ACCOUNTDISABLE \| samba.dsdb.UF_PASSWD_NOTREQD
54	self.toggle_userAccountFlags(search_filter, flags, on=False)
55
56	+ def set_reversible_encryption(self, search_filter, enabled):
57	+ """Enables or disables the reversible password encryption account flag
58	+
59	+ :param search_filter: LDAP filter to find the user (eg
60	+ samaccountname=name)
61	+ :param enable: Enable or disable the flag
62	+ """
63	+ flags = samba.dsdb.UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
64	+ self.toggle_userAccountFlags(search_filter, flags, on=enabled)
65	+
66	def toggle_userAccountFlags(self, search_filter, flags, flags_str=None,
67	on=True, strict=False):
68	"""toggle_userAccountFlags
69
70	:param search_filter: LDAP filter to find the user (eg
71	- samccountname=name)
72	+ samaccountname=name)
73	:flags: samba.dsdb.UF_* flags
74	:on: on=True (default) => set, on=False => unset
75	:strict: strict=False (default) ignore if no action is needed
76	@@ -153,7 +163,7 @@
77	"""Forces a password change at next login
78
79	:param search_filter: LDAP filter to find the user (eg
80	- samccountname=name)
81	+ samaccountname=name)
82	"""
83	res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
84	expression=search_filter, attrs=[])
85	@@ -292,8 +302,8 @@
86	initials=None, profilepath=None, scriptpath=None, homedrive=None,
87	homedirectory=None, jobtitle=None, department=None, company=None,
88	description=None, mailaddress=None, internetaddress=None,
89	- telephonenumber=None, physicaldeliveryoffice=None, sd=None,
90	- setpassword=True):
91	+ telephonenumber=None, physicaldeliveryoffice=None, enablereversibleencryption=False,
92	+ sd=None, setpassword=True):
93	"""Adds a new user with additional parameters
94
95	:param username: Name of the new user
96	@@ -317,6 +327,7 @@
97	:param internetaddress: Home page of the new user
98	:param telephonenumber: Phone number of the new user
99	:param physicaldeliveryoffice: Office location of the new user
100	+ :param enablereversibleencryption: Enable reversible password encryption
101	:param sd: security descriptor of the object
102	:param setpassword: optionally disable password reset
103	"""
104	@@ -402,6 +413,9 @@
105	try:
106	self.add(ldbmessage)
107
108	+ if enablereversibleencryption:
109	+ self.set_reversible_encryption("(sAMAccountName=%s)" % ldb.binary_encode(username), True)
110	+
111	# Sets the password for it
112	if setpassword:
113	self.setpassword("(samAccountName=%s)" % ldb.binary_encode(username), password,
114	@@ -440,7 +454,7 @@
115	"""Sets the password for a user
116
117	:param search_filter: LDAP filter to find the user (eg
118	- samccountname=name)
119	+ samaccountname=name)
120	:param password: Password for the user
121	:param force_change_at_next_login: Force password change
122	"""