From: Rob van der Linde Date: Wed, 20 Mar 2024 06:40:34 +0000 (+1300) Subject: netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands X-Git-Tag: tdb-1.4.11~1327 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86d3706bd26d4d875d98eba13d32d9d559f3f008;p=thirdparty%2Fsamba.git netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/netcmd/domain/auth/policy/__init__.py b/python/samba/netcmd/domain/auth/policy/__init__.py index 40ae7736be1..67df9308631 100644 --- a/python/samba/netcmd/domain/auth/policy/__init__.py +++ b/python/samba/netcmd/domain/auth/policy/__init__.py @@ -22,6 +22,9 @@ from samba.netcmd import SuperCommand +from .computer_allowed_to_authenticate_to import ( + cmd_domain_auth_policy_computer_allowed_to_authenticate_to, +) from .policy import ( cmd_domain_auth_policy_create, cmd_domain_auth_policy_delete, @@ -40,4 +43,6 @@ class cmd_domain_auth_policy(SuperCommand): "create": cmd_domain_auth_policy_create(), "modify": cmd_domain_auth_policy_modify(), "delete": cmd_domain_auth_policy_delete(), + "computer-allowed-to-authenticate-to": + cmd_domain_auth_policy_computer_allowed_to_authenticate_to(), } diff --git a/python/samba/netcmd/domain/auth/policy/computer_allowed_to_authenticate_to.py b/python/samba/netcmd/domain/auth/policy/computer_allowed_to_authenticate_to.py new file mode 100644 index 00000000000..1e187f3dbf9 --- /dev/null +++ b/python/samba/netcmd/domain/auth/policy/computer_allowed_to_authenticate_to.py 
@@ -0,0 +1,125 @@
+# Unix SMB/CIFS implementation.
+#
+# authentication policy - manage computer-allowed-to-authenticate-to property
+#
+# Copyright (C) Catalyst.Net Ltd. 2024
+#
+# Written by Rob van der Linde
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+from samba.domain.models import AuthenticationPolicy, AuthenticationSilo, Group
+from samba.domain.models.exceptions import ModelError
+from samba.getopt import CredentialsOptions, HostOptions, Option, SambaOptions
+from samba.netcmd import Command, CommandError, SuperCommand
+
+
+class cmd_domain_auth_policy_computer_allowed_to_authenticate_to_set(Command):
+ """Set the computer-allowed-to-authenticate-to property based on scenario.
+
+ --by-group:
+
+ The computer account (server, workstation) service requires the
+ connecting user to be in GROUP.
+
+ --by-silo:
+
+ The computer account (server, workstation) service requires the
+ connecting user to be in SILO.
+
+ The options above are mutually exclusive, only one can be set at a time.
+ """
+
+ synopsis = "%prog -H [options]"
+
+ takes_optiongroups = {
+ "sambaopts": SambaOptions,
+ "credopts": CredentialsOptions,
+ "hostopts": HostOptions,
+ }
+
+ takes_options = [
+ Option("--name",
+ help="Name of authentication policy to view (required).",
+ dest="name", action="store", type=str, required=True),
+ Option("--by-group",
+ help="The computer account (server, workstation) service "
+ "requires the connecting user to be in GROUP.",
+ dest="groupname", action="store", type=str),
+ Option("--by-silo",
+ help="The computer account (server, workstation) service "
+ "requires the connecting user to be in SILO.",
+ dest="siloname", action="store", type=str),
+ ]
+
+ def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
+ groupname=None, siloname=None):
+
+ if groupname and siloname:
+ raise CommandError("Cannot have both --by-group and --by-silo options.")
+
+ ldb = self.ldb_connect(hostopts, sambaopts, credopts)
+
+ try:
+ policy = AuthenticationPolicy.get(ldb, cn=name)
+ except ModelError as e:
+ raise CommandError(e)
+
+ if policy is None:
+ raise CommandError(f"Authentication policy {name} not found.")
+
+ if groupname:
+ try:
+ group = Group.get(ldb, cn=groupname)
+ except ModelError as e:
+ raise CommandError(e)
+
+ if group is None:
+ raise CommandError(f"Group {groupname} not found.")
+
+ sddl = group.get_authentication_sddl()
+
+ elif siloname:
+ try:
+ silo = AuthenticationSilo.get(ldb, cn=siloname)
+ except ModelError as e:
+ raise CommandError(e)
+
+ if silo is None:
+ raise CommandError(f"Authentication silo {siloname} not found.")
+
+ sddl = silo.get_authentication_sddl()
+
+ else:
+ raise CommandError("Either --by-group or --by-silo expected.")
+
+ policy.computer_allowed_to_authenticate_to = sddl
+
+ try:
+ policy.save(ldb)
+ except ModelError as e:
+ raise CommandError(e)
+
+ # Authentication policy updated successfully.
+ print(f"Updated authentication policy: {name}", file=self.outf)
+ print(f"Updated SDDL: {sddl}", file=self.outf)
+
+
+class cmd_domain_auth_policy_computer_allowed_to_authenticate_to(SuperCommand):
+ """Manage the computer-allowed-to-authenticate-to property."""
+
+ subcommands = {
+ "set": cmd_domain_auth_policy_computer_allowed_to_authenticate_to_set(),
+ }
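Review bot: The `--name` help string in `takes_options` reads "Name of authentication policy to view (required)." although this is the `set` subcommand and `run` never views anything; `help="Name of authentication policy to modify (required).",` matches what the command does. The "Either --by-group or --by-silo expected." check in the final `else` of `run` only fires after `ldb_connect` and the `AuthenticationPolicy.get` lookup have already run, so a call with neither option pays a directory round trip before the argument error is reported; an early guard next to the existing mutual-exclusion check, `if not groupname and not siloname:` / `raise CommandError("Either --by-group or --by-silo expected.")`, keeps all argument validation ahead of any connection. Per the class docstring this property decides which users the computer account accepts connections from, so echoing the resulting SDDL on success is useful for audit, but the previous value is overwritten without being shown; a one-line addition to the docstring stating that any existing value is replaced would make that explicit to operators.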