From: Andrew Bartlett Date: Mon, 11 Dec 2023 03:54:57 +0000 (+1300) Subject: samba-tool: Prepare to allow samba-tool user getpasswords to operate against a remote... X-Git-Tag: talloc-2.4.2~250 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f89a2065a686a20532813e8b2e80987da61333e1;p=thirdparty%2Fsamba.git samba-tool: Prepare to allow samba-tool user getpasswords to operate against a remote server While passwords are not normally available for read, Group Managed Service Account passwords are, as this is how they are distributed. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall
---
diff --git a/python/samba/netcmd/user/readpasswords/common.py b/python/samba/netcmd/user/readpasswords/common.py
index 02f7d36f5fc..8c20de556ea 100644
--- a/python/samba/netcmd/user/readpasswords/common.py
+++ b/python/samba/netcmd/user/readpasswords/common.py
@@ -188,23 +188,23 @@ class GetPasswordCommand(Command):
 flags = ldb.ATTR_FLAG_HIDDEN | virtual_attributes[a].get("flags", 0)
 samdb.schema_attribute_add(a, flags, ldb.SYNTAX_OCTET_STRING)
- def connect_system_samdb(self, url, allow_local=False, verbose=False):
+ def connect_for_passwords(self, url,
+ creds=None,
+ require_ldapi=True,
+ verbose=False):
 # using anonymous here, results in no authentication
 # which means we can get system privileges via
 # the privileged ldapi socket
- creds = credentials.Credentials()
- creds.set_anonymous()
+ anon_creds = credentials.Credentials()
+ anon_creds.set_anonymous()
- if url is None and allow_local:
+ if url is None and not require_ldapi:
 pass
 elif url.lower().startswith("ldapi://"):
+ creds = anon_creds
 pass
- elif url.lower().startswith("ldap://"):
- raise CommandError("--url ldap:// is not supported for this command")
- elif url.lower().startswith("ldaps://"):
- raise CommandError("--url ldaps:// is not supported for this command")
- elif not allow_local:
+ elif require_ldapi:
 raise CommandError("--url requires an ldapi:// url for this command")
 if verbose:
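Review bot: `connect_for_passwords` is a new public method with a three-way credential policy and no docstring: for an `ldapi://` URL the caller's `creds` are silently replaced by `anon_creds` (the branch that does `creds = anon_creds` followed by a now-redundant `pass`), while for `url is None` with `require_ldapi=False`, and for non-ldapi URLs when `require_ldapi=False`, they are passed through unchanged, possibly as `None`. A docstring should state those cases, that `require_ldapi=True` rejects every non-ldapi URL with CommandError, and that anonymous-over-ldapi is what the later SYSTEM-token check relies on, so a future caller does not assume its `creds` are honoured for ldapi. The comment above `anon_creds` still reads as if anonymous credentials were used for every connection; rewording it to `# anonymous on the privileged ldapi socket is what yields the SYSTEM token` would keep it accurate now that remote connections use the caller's credentials.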
@@ -213,19 +213,20 @@ class GetPasswordCommand(Command):
 samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=self.lp)
- try:
- #
- # Make sure we're connected as SYSTEM
- #
- res = samdb.search(base='', scope=ldb.SCOPE_BASE, attrs=["tokenGroups"])
- assert len(res) == 1
- sids = res[0].get("tokenGroups")
- assert len(sids) == 1
- sid = ndr_unpack(security.dom_sid, sids[0])
- assert str(sid) == security.SID_NT_SYSTEM
- except Exception as msg:
- raise CommandError("You need to specify an URL that gives privileges as SID_NT_SYSTEM(%s)" %
- (security.SID_NT_SYSTEM))
+ if require_ldapi or url is None:
+ try:
+ #
+ # Make sure we're connected as SYSTEM
+ #
+ res = samdb.search(base='', scope=ldb.SCOPE_BASE, attrs=["tokenGroups"])
+ assert len(res) == 1
+ sids = res[0].get("tokenGroups")
+ assert len(sids) == 1
+ sid = ndr_unpack(security.dom_sid, sids[0])
+ assert str(sid) == security.SID_NT_SYSTEM
+ except Exception as msg:
+ raise CommandError("You need to specify an URL that gives privileges as SID_NT_SYSTEM(%s)" %
+ (security.SID_NT_SYSTEM))
 self.inject_virtual_attributes(samdb)
diff --git a/python/samba/netcmd/user/readpasswords/getpassword.py b/python/samba/netcmd/user/readpasswords/getpassword.py
index b5496a8d631..9198626a833 100644
--- a/python/samba/netcmd/user/readpasswords/getpassword.py
+++ b/python/samba/netcmd/user/readpasswords/getpassword.py
@@ -151,11 +151,11 @@ samba-tool user getpassword --filter=samaccountname=TestUser3 --attributes=msDS-
 takes_optiongroups = {
 "sambaopts": options.SambaOptions,
 "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ "hostopts": options.HostOptions,
 }
 takes_options = [
- Option("-H", "--URL", help="LDB URL for sam.ldb database or local ldapi server", type=str,
- metavar="URL", dest="H"),
 Option("--filter", help="LDAP Filter to set password on", type=str),
 Option("--attributes", type=str, help=virtual_attributes_help,
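Review bot: The SYSTEM-token verification is now gated on `if require_ldapi or url is None:`, which skips it precisely for an `ldapi://` URL when `require_ldapi=False` — the branch in the preceding hunk that connects anonymously and depends on the privileged socket for SYSTEM. A caller such as `getpassword` run from an account without access to the privileged socket would then presumably get a non-SYSTEM session and see missing password attributes instead of the explicit CommandError the check exists to give. The guard should follow the connection mode rather than the strictness flag: `if url is None or url.lower().startswith("ldapi://"):`. While these lines are being moved, `raise CommandError(...) from msg` would keep the underlying ldb error, which the current `except Exception as msg:` discards.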
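Review bot: Dropping the explicit `Option("-H", "--URL", ...)` also drops its help text, which told users this command expected a local sam.ldb or ldapi URL; the generic `-H` from `options.HostOptions` carries no such hint, and the command's long description above this hunk presumably still describes the local-only contract. The description should be updated to say that remote `ldap://`/`ldaps://` URLs are now accepted with the caller's credentials, and that, per the commit message, only password attributes the server is willing to return (such as gMSA managed passwords) are readable that way.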
@@ -169,7 +169,8 @@ samba-tool user getpassword --filter=samaccountname=TestUser3 --attributes=msDS-
 def run(self, username=None, H=None, filter=None, attributes=None, decrypt_samba_gpg=None,
- sambaopts=None, versionopts=None):
+ sambaopts=None, versionopts=None, hostopts=None,
+ credopts=None):
 self.lp = sambaopts.get_loadparm()
 if decrypt_samba_gpg and not gpg_decrypt:
@@ -186,7 +187,8 @@ samba-tool user getpassword --filter=samaccountname=TestUser3 --attributes=msDS-
 password_attrs = self.parse_attributes(attributes)
- samdb = self.connect_system_samdb(url=H, allow_local=True)
+ creds = credopts.get_credentials(self.lp)
+ samdb = self.connect_for_passwords(url=hostopts.H, require_ldapi=False, creds=creds)
 obj = self.get_account_attributes(samdb, username, basedn=None,
diff --git a/python/samba/netcmd/user/readpasswords/syncpasswords.py b/python/samba/netcmd/user/readpasswords/syncpasswords.py
index 7c795b051f9..a9091237612 100644
--- a/python/samba/netcmd/user/readpasswords/syncpasswords.py
+++ b/python/samba/netcmd/user/readpasswords/syncpasswords.py
@@ -792,8 +792,8 @@ samba-tool user syncpasswords --terminate \\
 if cache_ldb_initialize:
 self.samdb_url = H
- self.samdb = self.connect_system_samdb(url=self.samdb_url,
- verbose=True)
+ self.samdb = self.connect_for_passwords(url=self.samdb_url,
+ verbose=True)
 load_cache()
 return
@@ -860,7 +860,7 @@ samba-tool user syncpasswords --terminate \\
 retry_sleep = retry_sleep_max
 log_msg("Connecting to '%s'\n" % self.samdb_url)
 try:
- self.samdb = self.connect_system_samdb(url=self.samdb_url)
+ self.samdb = self.connect_for_passwords(url=self.samdb_url)
 except Exception as msg:
 self.samdb = None
 log_msg("Connect to samdb Exception => (%s)\n" % msg)
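Review bot: `run` keeps `H=None` in its signature although the `-H`/`--URL` option with `dest="H"` was removed from `takes_options` in the previous hunk and the URL is now read from `hostopts.H`; as far as these hunks show nothing populates `H` any more, so it is a dead parameter that invites a future caller to pass a URL that is silently ignored. Drop `H=None` from the parameter list (the signature continues outside this hunk) so the only URL source is `hostopts`. If it is kept for compatibility, a comment such as `# H is unused; the URL comes from hostopts.H` should say so.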
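Review bot: The new call `self.connect_for_passwords(url=hostopts.H, require_ldapi=False, creds=creds)` is the point where `getpassword` starts connecting to remote DCs with the caller's credentials, and nothing at the call site records the contract that makes this safe to rely on: remotely, only attributes the server itself exposes (the gMSA managed password named in the commit message) are returned, and a DC returns that attribute only over a connection it regards as confidential (SASL-sealed or TLS), so a plain `ldap://` without sealing yields no value rather than an error. A comment above the call would save the next reader a debugging session: `# Remote URLs connect as the caller; only server-readable password attributes (gMSA) come back, and only over a sealed/TLS connection`. For `url=None` the SYSTEM-token check in common.py still applies, which is worth a word in the same comment.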