Password Sync for Samba4

libsyncpassword.py 2.9KB

  1. #!/usr/bin/env python
from ConfigParser import SafeConfigParser
import base64
import binascii
import json
import os
import subprocess
import syslog
import time

import ldb
from samba.auth import system_session
from samba.credentials import Credentials
from samba.netcmd.user import GetPasswordCommand
from samba.param import LoadParm
from samba.samdb import SamDB
## Get configuration
config = SafeConfigParser()
# read() silently ignores a missing file; the get() below then raises
# NoSectionError, so a broken install fails at import time.
config.read('/etc/syncpassword/synchro.conf')
## Open connection to Syslog ##
syslog.openlog(logoption=syslog.LOG_PID, facility=syslog.LOG_LOCAL3)
# Path of the pwdLastSet tracking file. Not referenced by the functions
# visible here; presumably used further down the file.
filename = config.get('common', 'path_pwdlastset_file')
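def _ldap_filter_escape(value):
    """Escape *value* for use as an assertion value in an LDAP filter.

    Per RFC 4515 the characters ``\\``, ``*``, ``(``, ``)`` and NUL change
    the structure of a filter; each is replaced by its ``\\XX`` hex form so
    an account name cannot widen or break the search expression.
    """
    text = '%s' % (value,)
    return (text.replace('\\', '\\5c')
                .replace('*', '\\2a')
                .replace('(', '\\28')
                .replace(')', '\\29')
                .replace('\x00', '\\00'))


def disable_clear_password(pwd, uac, dn, sama, samdb_loc):
    """Re-set *pwd* on the account *dn* through SamDB, then restore *uac*.

    userAccountControl is first replaced by 512 (NORMAL_ACCOUNT with every
    other flag cleared), the password is written with setpassword(), and the
    original *uac* value is written back.  The temporary flag reset is
    presumably needed so setpassword() is not refused for the account's
    current state -- confirm against the Samba version in use.

    Args:
        pwd: clear-text password to (re)apply.
        uac: the account's original userAccountControl value; it is
            stringified into the LDIF, so a str or an ldb element both work.
        dn: distinguished name of the account.
        sama: sAMAccountName used to locate the account for setpassword().
            It is filter-escaped so it cannot alter the search expression.
        samdb_loc: open SamDB connection (needs modify_ldif() and
            setpassword()).

    Raises:
        Whatever samdb_loc.modify_ldif()/setpassword() raise.  The original
        *uac* is written back even when setpassword() fails, so a failure can
        no longer leave e.g. a disabled account (ACCOUNTDISABLE cleared by the
        512 reset) running as a plain enabled one.
    """
    uac_ldif = ("dn: %s\n"
                "changetype: modify\n"
                "replace: userAccountControl\n"
                "userAccountControl: %s\n")
    samdb_loc.modify_ldif(uac_ldif % (dn, 512))
    try:
        samdb_loc.setpassword(
            '(sAMAccountName=%s)' % _ldap_filter_escape(sama), pwd)
    finally:
        # Always put the original flags back, even when setpassword() raised.
        samdb_loc.modify_ldif(uac_ldif % (dn, uac))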
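def update_password(mail, pwd, uac, dn, sama, samdb_loc):
    """Hand *pwd* for one account to the external script, then re-hash it in Samba.

    The program named by ``[common] external_script_password`` is run as
    ``script <sAMAccountName> <mail>`` with the base64-encoded password (plus a
    trailing newline) on its stdin.  A zero exit status is required; on
    success a notice is logged and disable_clear_password() is called.  Any
    failure -- a non-zero exit, a missing script, or an error from the SamDB
    update -- is logged with the account's mail and swallowed, so a caller
    looping over all users keeps going.

    The command is an argv list, never a shell string: sAMAccountName and mail
    come from the directory and must not be able to inject shell commands.
    An empty *mail* is passed as an empty argument.

    Args:
        mail: mail address passed to the script and used in log lines.
        pwd: clear-text password (str; a unicode value is UTF-8 encoded).
        uac, dn, sama, samdb_loc: forwarded to disable_clear_password().
    """
    script = config.get('common', 'external_script_password')
    try:
        raw = pwd if isinstance(pwd, bytes) else pwd.encode('utf-8')
        payload = base64.b64encode(raw) + b'\n'
        proc = subprocess.Popen([script, sama, mail],
                                stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE)
        out, _ = proc.communicate(payload)
        if proc.returncode != 0:
            # Same contract as check_output(): a non-zero exit is a failure.
            raise subprocess.CalledProcessError(proc.returncode, script,
                                                output=out)
        syslog.syslog(syslog.LOG_WARNING, '[NOTICE] Updated password for %s' % mail)
        disable_clear_password(pwd, uac, dn, sama, samdb_loc)
    except Exception as e:
        syslog.syslog(syslog.LOG_WARNING, '[ERROR] %s : %s' % (mail, str(e)))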
  43. def run():
  44. param_samba = {
  45. 'basedn' : config.get('samba', 'path'),
  46. 'pathsamdb':'%s/sam.ldb' % config.get('samba', 'private'),
  47. 'adbase': config.get('samba', 'base')
  48. }
  49. # SAMDB
  50. lp = LoadParm()
  51. creds = Credentials()
  52. creds.guess(lp)
  53. samdb_loc = SamDB(url=param_samba['pathsamdb'], session_info=system_session(),credentials=creds, lp=lp)
  54. testpawd = GetPasswordCommand()
  55. testpawd.lp = lp
  56. allmail = {}
  57. # Search all users
  58. for user in samdb_loc.search(base=param_samba['adbase'], expression="(&(objectClass=user)(!(objectClass=computer)))", attrs=["mail","sAMAccountName",'userAccountControl','distinguishedName']):
  59. mail = str(user.get('mail',''))
  60. #replace mail if replace_domain in config
  61. if config.getboolean('common', 'replace_domain'):
  62. if mail != '':
  63. mail = mail.split('@')[0] + '@' + config.get('common', 'domain')
  64. uac = user['userAccountControl']
  65. username = str(user["sAMAccountName"])
  66. dn = str(user["distinguishedName"])
  67. #add mail in all mail
  68. allmail[mail] = None
  69. password = testpawd.get_account_attributes(samdb_loc,None,param_samba['basedn'],filter="(sAMAccountName=%s)" % (username),scope=ldb.SCOPE_SUBTREE,attrs=['virtualClearTextUTF8'],decrypt=True)
  70. if not 'virtualClearTextUTF8' in password:
  71. continue
  72. password = str(password['virtualClearTextUTF8'])
  73. update_password(mail, password, uac,dn,username,samdb_loc)