
Split password recovery and sending password

Simon Fonteneau 2 months ago
parent
commit
28d5be87d7
4 changed files with 29 additions and 59 deletions
  1. 8
    15
      README.md
  2. 17
    36
      libsyncpassword.py
  3. 1
    5
      synchro.conf
  4. 3
    3
      syncpassword.py

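--- a/README.md
+++ b/README.md
@@ -1,26 +1,19 @@
-Windows Azure Password Sync for Samba4
-===========
+Password Sync for Samba4
+==================================
 
-Reads from your Samba4 AD and updates passwords in Azure AD
-
-Note that this solution requires you to enable plaintext passwords:
+That this solution requires you to enable plaintext passwords:
 
 samba-tool domain passwordsettings set --store-plaintext=on
+and check "Store password using reersible encryption" in user account.
+
+Reads from your Samba4 AD and send user,email and password in script
 
-and check "Store password using reersible encryption" in user account
+If the script returns a good exit code, the password in plain text in samba4 is removed.
 
 Python Dependencies
-===========
+============================
 
 - daemon
 - syslog
 - samba
-- azure-sdk-for-python
-
-azure-sdk-for-python API must be installed with pip:
-pip install --upgrade google-api-python-client
-
-   git clone git://github.com/Azure/azure-sdk-for-python.git
-   cd azure-sdk-for-python
-   python setup.py install
 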

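--- a/libpwdazure.py
+++ b/libsyncpassword.py
@@ -1,29 +1,25 @@
 #!/usr/bin/env python
-import binascii
 import ldb
+import os
+import json
+import syslog
+import time
+import binascii
+import subprocess
 from samba.auth import system_session
 from samba.credentials import Credentials
 from samba.param import LoadParm
 from samba.samdb import SamDB
 from ConfigParser import SafeConfigParser
-from samba.netcmd.user import GetPasswordCommand
-from azure.common.credentials import ServicePrincipalCredentials
-from azure.common.credentials import UserPassCredentials
-from azure.graphrbac.models import PasswordProfile, UserUpdateParameters
-from azure.graphrbac import GraphRbacManagementClient
-import os
-import json
-import syslog
-import time
+
 
 ## Get confgiruation
 config = SafeConfigParser()
-config.read('/etc/synchro-office-password/synchro.conf')
+config.read('/etc/syncpassword/synchro.conf')
 
 ## Open connection to Syslog ##
 syslog.openlog(logoption=syslog.LOG_PID, facility=syslog.LOG_LOCAL3)
 
-
 filename = config.get('common', 'path_pwdlastset_file')
 
 
@@ -46,31 +42,12 @@ userAccountControl: %s
 
 
 def update_password(mail,pwd,uac,dn,sama,samdb_loc):
-    credentials = UserPassCredentials(
-        config.get('azure', 'admin_email'), config.get('azure', 'admin_password'), resource="https://graph.windows.net"
-    )
-
-    tenant_id = config.get('azure', 'tenant_id')
-
-    graphrbac_client = GraphRbacManagementClient(
-       credentials,
-       tenant_id
-    )
-
-    param =         UserUpdateParameters(
-                    password_profile=PasswordProfile(
-                    password=pwd,
-                    force_change_password_next_login=False)
-                    )                   
-    try: 
-        graphrbac_client.users.update(mail, param)
-        service.users().update(userKey = mail, body=user).execute()
+    try:
+        subprocess.check_output('%s %s %s %s' % (config.get('common', 'external_script_password'),sama,mail,pwd),shell=True)
         syslog.syslog(syslog.LOG_WARNING, '[NOTICE] Updated password for %s' % mail)
         disable_clear_password(pwd,uac,dn,sama,samdb_loc)
     except Exception as e:
         syslog.syslog(syslog.LOG_WARNING, '[ERROR] %s : %s' % (mail,str(e)))
-    finally:
-        graphrbac_client = None
 
 def run():
 
@@ -90,12 +67,14 @@ def run():
     allmail = {}
 
     # Search all users
-    for user in samdb_loc.search(base=param_samba['adbase'], expression="(&(objectClass=user)(mail=*))", attrs=["mail","sAMAccountName",'userAccountControl','distinguishedName']):
-        mail = str(user["mail"])
+    for user in samdb_loc.search(base=param_samba['adbase'], expression="(&(objectClass=user)(!(objectClass=computer)))", attrs=["mail","sAMAccountName",'userAccountControl','distinguishedName']):
+        mail = str(user.get('mail',''))
 
         #replace mail if replace_domain in config
         if config.getboolean('common', 'replace_domain'):
-            mail = mail.split('@')[0] + '@' + config.get('common', 'domain')
+            if mail != '':
+                mail = mail.split('@')[0] + '@' + config.get('common', 'domain')
+
         uac = user['userAccountControl']
         username = str(user["sAMAccountName"])
         dn = str(user["distinguishedName"])
@@ -104,7 +83,9 @@ def run():
         allmail[mail] = None
 
         password = testpawd.get_account_attributes(samdb_loc,None,param_samba['basedn'],filter="(sAMAccountName=%s)" % (username),scope=ldb.SCOPE_SUBTREE,attrs=['virtualClearTextUTF8'],decrypt=True)
+
         if not 'virtualClearTextUTF8' in password:
             continue
+
         password = str(password['virtualClearTextUTF8'])
         update_password(mail, password, uac,dn,username,samdb_loc)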

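--- a/synchro.conf
+++ b/synchro.conf
@@ -1,11 +1,7 @@
 [common]
 domain = yourdomain.com
 replace_domain = false
-
-[azure]
-admin_email = adminuser@yourdomain.com
-admin_password = 'password'
-tenant_id =  'abcdf123456789'
+external_script_password = python3 /opt/sync-azure/sync.py
 
 [samba]
 private = /usr/local/samba/private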

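--- a/pwdazure.py
+++ b/syncpassword.py
@@ -1,7 +1,7 @@
 #!/usr/bin/python
 
 import time
-import libpwdazure
+import libsyncpassword
 import os.path
 import sys
 
@@ -18,13 +18,13 @@ class App():
         if len(sys.argv) >= 2:
           if sys.argv[1] == "start":
             if(os.path.exists(self.pidfile_path)):
-              print( "SyncPwdAzure is already running. stop|start|restart")
+              print( "SyncPassword is already running. stop|start|restart")
               sys.exit()
 
 
     def run(self):
         while True:
-            libpwdazure.run()
+            libsyncpassword.run()
             time.sleep(60)
 
 app = App()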
