Directory: /lib/python3/dist-packages/samba/netcmd/__pycache__/
Current File: //lib/python3/dist-packages/samba/netcmd/__pycache__/user.cpython-312.pyc

This is the CPython 3.12 bytecode of samba/netcmd/user.py, the module behind the samba-tool user subcommands. Only the strings embedded in the bytecode are legible: docstrings, option help, and error and status messages. They are reproduced below, one section per subcommand, followed by what can be read of the GetPasswordCommand helper class up to the point where the dump is cut off.
Module-level helpers

Names imported by the module that are legible in the bytecode: Popen, PIPE, STDOUT, check_call, CalledProcessError; getpass; system_session; SamDB, SamDBError; misc, security, drsblobs; ndr_unpack; credentials, dsdb, gensec, generate_random_password, Ldb, nttime2float; Net; Command, CommandError, SuperCommand, Option; get_bytes, get_string; and the sibling module common.

_gpgme_decrypt(encrypted_bytes): "Use python[3]-gpgme to decrypt GPG." (a gpgme.Context with armor set, decrypting into an io.BytesIO and returning its contents)
_gpg_decrypt(encrypted_bytes): "Use python[3]-gpg to decrypt GPG." (gpg.Data(string=...) decrypted with gpg.Context(armor=True), returning the plaintext)

The module tries python-gpgme first and python-gpg second and keeps whichever imports as the decryptor for virtualSambaGPG, whose description is then "Decrypt the SambaGPG password as cleartext source". If neither module is available the attribute stays listed but is marked unsupported with the reason "Decrypt the SambaGPG password not supported, python[3]-gpgme or python[3]-gpg required".

get_crypt_value(alg, utf8pw, rounds): alg is "5" (sha256-crypt, 43-character hash) or "6" (sha512-crypt, 86-character hash). The salt is 16 bytes from os.urandom(), base64-encoded, cut to 16 characters with '+' replaced by '.', and placed in a setting string of the form $<alg>$rounds=<rounds>$<salt>$ (or $<alg>$<salt>$ when rounds is 0). crypt.crypt(utf8pw, setting) is called and its result checked; a failure raises NotImplementedError with "crypt.crypt(%s) returned None" or "crypt.crypt(%s) returned a value with length %d, expected length is %d", where the expected length is the length of the setting string plus the hash length. The check matters because a libcrypt without SHA-crypt support silently falls back to a weaker scheme instead of failing.

Virtual attribute table (virtual_attributes), used by the getpassword family of commands:
  virtualClearTextUTF8, virtualClearTextUTF16, virtualSambaGPG   always present
  virtualSSHA                          requires hashlib.sha1(); otherwise disabled with the reason "hashlib.sha1() required"
  virtualCryptSHA256, virtualCryptSHA512   probed at import time with get_crypt_value("5", "") and get_crypt_value("6", ""); disabled with the reason "crypt required" if the crypt module does not import, or "modern '$5$' salt in crypt(3) required" / "modern '$6$' salt in crypt(3) required" if libcrypt lacks SHA-crypt
  virtualWDigest01 .. virtualWDigest29   the 29 WDigest MD5 hashes of MS-SAMR Primary:WDigest
  virtualKerberosSalt

Help text of the attribute-selection option: "The attributes to display (comma separated). Possible supported virtual attributes: <sorted list of the names above>", followed by "Unsupported virtual attributes: <names>" when any were disabled.

samba-tool user add (class cmd_user_add)

Add a new user.

This command adds a new user account to the Active Directory domain.  The username specified on the command is the sAMAccountName.

User accounts may represent physical entities, such as people or may be used as service accounts for applications.  User accounts are also referred to as security principals and are assigned a security identifier (SID).

A user account enables a user to logon to a computer and domain with an identity that can be authenticated.  To maximize security, each user should have their own unique user account and password.  A user's access to domain resources is based on permissions assigned to the user account.

Unix (RFC2307) attributes may be added to the user account. Attributes taken from NSS are obtained on the local machine. Explicitly given values override values obtained from NSS. Configure 'idmap_ldb:use rfc2307 = Yes' to use these attributes for UID/GID mapping.

The command may be run from the root userid or another authorized userid.  The -H or --URL= option can be used to execute the command against a remote server.

Example1:
samba-tool user add User1 passw0rd --given-name=John --surname=Smith --must-change-at-next-login -H ldap://samba.samdom.example.com -Uadministrator%passw1rd

Example1 shows how to add a new user to the domain against a remote LDAP server.  The -H parameter is used to specify the remote target server.  The -U option is used to pass the userid and password authorized to issue the command remotely.  A password given inline as -Uuser%password ends up in the shell history and is visible to other local users in the process list while the command runs; giving only -Uadministrator makes samba-tool prompt for the password instead.

Example2:
sudo samba-tool user add User2 passw2rd --given-name=Jane --surname=Doe --must-change-at-next-login

Example2 shows how to add a new user to the domain against the local server.   sudo is used so a user may run the command as root.  In this example, after User2 is created, he/she will be forced to change their password when they logon.

Example3:
samba-tool user add User3 passw3rd --userou='OU=OrgUnit'

Example3 shows how to add a new user in the OrgUnit organizational unit.

Example4:
samba-tool user add User4 passw4rd --rfc2307-from-nss --gecos 'some text'

Example4 shows how to add a new user with Unix UID, GID and login-shell set from the local NSS and GECOS set to 'some text'.

Example5:
samba-tool user add User5 passw5rd --nis-domain=samdom --unix-home=/home/User5 \
    --uid-number=10005 --login-shell=/bin/false --gid-number=10000

Example5 shows how to add a new RFC2307/NIS domain enabled user account. If
--nis-domain is set, then the other four parameters are mandatory.

Synopsis: %prog <username> [<password>] [options]

Arguments: username, and an optional password (prompted for when omitted).

Options:
  -H, --URL                    LDB URL for database or target server
  --must-change-at-next-login  Force password to be changed on next login
  --random-password            Generate random password
  --smartcard-required         Require a smartcard for interactive logons
  --use-username-as-cn         Force use of username as user's CN
  --userou                     DN of alternative location (without domainDN counterpart) to default CN=Users in which new user object will be created. E.g. 'OU=<OU name>'
  --surname                    User's surname
  --given-name                 User's given name
  --initials                   User's initials
  --profile-path               User's profile path
  --script-path                User's logon script path
  --home-drive                 User's home drive letter
  --home-directory             User's home directory path
  --job-title                  User's job title
  --department                 User's department
  --company                    User's company
  --description                User's description
  --mail-address               User's email address
  --internet-address           User's home page
  --telephone-number           User's phone number
  --physical-delivery-office   User's office location
  --rfc2307-from-nss           Copy Unix user attributes from NSS (will be overridden by explicit UID/GID/GECOS/shell)
  --nis-domain                 User's Unix/RFC2307 NIS domain
  --unix-home                  User's Unix/RFC2307 home directory
  --uid                        User's Unix/RFC2307 username
  --uid-number                 User's Unix/RFC2307 numeric UID
  --gid-number                 User's Unix/RFC2307 primary GID number
  --gecos                      User's Unix/RFC2307 GECOS field
  --login-shell                User's Unix/RFC2307 login shell

Behaviour legible in the bytecode:
- --smartcard-required cannot be combined with a password argument ("It is not allowed to specify --newpassword together with --smartcard-required.") or with --must-change-at-next-login ("It is not allowed to specify --must-change-at-next-login together with --smartcard-required.").
- --random-password calls generate_random_password(128, 255). Otherwise, when no password argument is given and no smartcard is required, the tool prompts "New Password: " and "Retype Password: " until both entries match ("Sorry, passwords do not match.").
- --rfc2307-from-nss looks the username up with pwd.getpwnam(); --uid defaults to the username, and --uid-number, --gid-number, --gecos and --login-shell default to the passwd entry's fields unless given explicitly.
- Setting a UID or GID number while 'idmap_ldb:use rfc2307' is not enabled in smb.conf prints: "You are setting a Unix/RFC2307 UID or GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping."
- When --nis-domain is given, --uid-number, --login-shell, --unix-home and --gid-number are all mandatory: "Missing parameters. To enable NIS features, the following options have to be given: --nis-domain=, --uid-number=, --login-shell=, --unix-home=, --gid-number= Operation cancelled."
- The account is created with SamDB.newuser(), passing every option above. Results: "Failed to add user '%s': ..." or "User '%s' added successfully".

samba-tool user delete (class cmd_user_delete)

Delete a user.

This command deletes a user account from the Active Directory domain.  The username specified on the command is the sAMAccountName.

Once the account is deleted, all permissions and memberships associated with that account are deleted.  If a new user account is added with the same name as a previously deleted account name, the new user does not have the previous permissions.  The new account user will be assigned a new security identifier (SID) and permissions and memberships will have to be added.

The command may be run from the root userid or another authorized userid.  The -H or --URL= option can be used to execute the command against a remote server.

Example1:
samba-tool user delete User1 -H ldap://samba.samdom.example.com --username=administrator --password=passw1rd

Example1 shows how to delete a user in the domain against a remote LDAP server.  The -H parameter is used to specify the remote target server.  The --username= and --password= options are used to pass the username and password of a user that exists on the remote server and is authorized to issue the command on that server.

Example2:
sudo samba-tool user delete User2

Example2 shows how to delete a user in the domain against the local server.   sudo is used so a user may run the command as root.

Synopsis: %prog <username> [options]

Options:
  -H, --URL   LDB URL for database or target server

Behaviour legible in the bytecode: the account is looked up below the domain DN (subtree scope) with the filter "(&(sAMAccountName=%s)(sAMAccountType=805306368))"; 805306368 is 0x30000000, SAM_USER_OBJECT, so only user objects match and not a computer account or group that happens to share the name. The username is escaped with ldb.binary_encode() before being placed in the filter. Messages: "Unable to find user "%s"" when nothing matches, then "Failed to remove user "%s"" or "Deleted user %s" after samdb.delete() on the entry's DN.
samba-tool user list (class cmd_user_list)

List all users.

Synopsis: %prog [options]

Options:
  -H, --URL         LDB URL for database or target server
  --hide-expired    Do not list expired user accounts
  --hide-disabled   Do not list disabled user accounts
  -b, --base-dn     Specify base DN to users
  --full-dn         Display DN instead of the sAMAccountName.

Behaviour legible in the bytecode: the search runs below the domain DN, or below --base-dn after SamDB.normalize_dn_in_domain(), with subtree scope, requesting only samaccountname, using the filter

  (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)<disabled><expires>)

where 512 is dsdb.UF_NORMAL_ACCOUNT and 1.2.840.113556.1.4.803 is ldb.OID_COMPARATOR_AND, the bitwise-AND matching rule. --hide-disabled appends (!(userAccountControl:1.2.840.113556.1.4.803:=2)) (dsdb.UF_ACCOUNTDISABLE is 2); --hide-expired appends (|(accountExpires=0)(accountExpires>=<now>)) with <now> taken from SamDB.get_nttime(), since accountExpires=0 means the account never expires. Expiry and the disabled bit are independent, which is why the two options are separate. Each result is printed as its sAMAccountName, or as its DN with --full-dn.
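The filter above is the part of the command worth getting right, so here is an added example, written for this page rather than taken from Samba, that builds the same filter string from the same constants and evaluates the same conditions locally over a few constructed directory entries, so that the server-side filter and the local check can be compared. The function names (build_user_list_filter, is_listed, list_users) and the sample entries are this example's own.

```python
import time

# Extensible-match rule for bitwise AND on integer attributes
# (LDAP_MATCHING_RULE_BIT_AND; samba exposes it as ldb.OID_COMPARATOR_AND).
OID_COMPARATOR_AND = "1.2.840.113556.1.4.803"

# userAccountControl bits used by `samba-tool user list`.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200

# Seconds from 1601-01-01 (NT epoch) to 1970-01-01 (Unix epoch).
NT_EPOCH_OFFSET = 11644473600


def unix2nttime(unix_seconds):
    """Convert POSIX seconds to NTTIME (100 ns ticks since 1601-01-01)."""
    return (int(unix_seconds) + NT_EPOCH_OFFSET) * 10_000_000


def build_user_list_filter(hide_expired=False, hide_disabled=False, now=None):
    """Return the LDAP filter `samba-tool user list` sends for these options.

    `now` is POSIX seconds and defaults to the current time.  accountExpires=0
    means "never", so such accounts are kept explicitly.
    """
    filter_expires = ""
    if hide_expired:
        now_nt = unix2nttime(time.time() if now is None else now)
        filter_expires = "(|(accountExpires=0)(accountExpires>=%u))" % now_nt
    filter_disabled = ""
    if hide_disabled:
        filter_disabled = "(!(userAccountControl:%s:=%u))" % (
            OID_COMPARATOR_AND, UF_ACCOUNTDISABLE)
    return "(&(objectClass=user)(userAccountControl:%s:=%u)%s%s)" % (
        OID_COMPARATOR_AND, UF_NORMAL_ACCOUNT, filter_disabled, filter_expires)


def is_listed(entry, hide_expired=False, hide_disabled=False, now=0):
    """Evaluate the same conditions locally on one (constructed) entry.

    This mirrors the server-side filter so the two can be checked against
    each other; it is not an LDAP filter parser.
    """
    uac = entry["userAccountControl"]
    if not uac & UF_NORMAL_ACCOUNT:          # computers, trusts etc. drop out
        return False
    if hide_disabled and uac & UF_ACCOUNTDISABLE:
        return False
    if hide_expired:
        expires = entry["accountExpires"]
        # 0 means "never"; Windows also writes 0x7FFFFFFFFFFFFFFF for "never",
        # which passes the >= comparison on its own.
        if expires != 0 and expires < unix2nttime(now):
            return False
    return True


def list_users(entries, hide_expired=False, hide_disabled=False, now=0, full_dn=False):
    """Names (or DNs) of the entries the command would print, in input order."""
    key = "dn" if full_dn else "sAMAccountName"
    return [e[key] for e in entries
            if is_listed(e, hide_expired, hide_disabled, now)]


# Constructed sample entries; accountExpires values are NTTIME.
NOW = 1_700_000_000                      # 2023-11-14T22:13:20Z
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,CN=Users,DC=samdom,DC=example,DC=com",
     "sAMAccountName": "alice", "userAccountControl": 0x200,
     "accountExpires": 0},
    {"dn": "CN=bob,CN=Users,DC=samdom,DC=example,DC=com",
     "sAMAccountName": "bob", "userAccountControl": 0x200 | UF_ACCOUNTDISABLE,
     "accountExpires": 0},
    {"dn": "CN=carol,CN=Users,DC=samdom,DC=example,DC=com",
     "sAMAccountName": "carol", "userAccountControl": 0x200,
     "accountExpires": unix2nttime(NOW - 86400)},    # expired yesterday
    {"dn": "CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com",
     "sAMAccountName": "DC1$", "userAccountControl": 0x2000,   # server trust account
     "accountExpires": 0x7FFFFFFFFFFFFFFF},
]

if __name__ == "__main__":
    print(build_user_list_filter(hide_expired=True, hide_disabled=True, now=NOW))
    print(list_users(SAMPLE_ENTRIES, hide_expired=True, hide_disabled=True, now=NOW))
```

Note that carol is listed by default and dropped only with --hide-expired, while bob is dropped only with --hide-disabled: an expired account is not a disabled one, and a disabled account is not an expired one.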
samba-tool user enable (class cmd_user_enable)

Enable a user.

This command enables a user account for logon to an Active Directory domain.  The username specified on the command is the sAMAccountName.  The username may also be specified using the --filter option.

There are many reasons why an account may become disabled.  These include:
- If a user exceeds the account policy for logon attempts
- If an administrator disables the account
- If the account expires

The samba-tool user enable command allows an administrator to enable an account which has become disabled.

Additionally, the enable function allows an administrator to have a set of created user accounts defined and setup with default permissions that can be easily enabled for use.

The command may be run from the root userid or another authorized userid.  The -H or --URL= option can be used to execute the command against a remote server.

Example1:
samba-tool user enable Testuser1 --URL=ldap://samba.samdom.example.com --username=administrator --password=passw1rd

Example1 shows how to enable a user in the domain against a remote LDAP server.  The --URL parameter is used to specify the remote target server.  The --username= and --password= options are used to pass the username and password of a user that exists on the remote server and is authorized to update that server.

Example2:
sudo samba-tool user enable Testuser2

Example2 shows how to enable user Testuser2 for use in the domain on the local server. sudo is used so a user may run the command as root.

Example3:
samba-tool user enable --filter=samaccountname=Testuser3

Example3 shows how to enable a user in the domain against a local LDAP server.  It uses the --filter=samaccountname to specify the username.

�.%prog (<username>|--filter <filter>) [options]�r�r�r�r`rarbrcrdre�--filter�LDAP Filter to set password onrs�	username?Nc�~�|�
|�td��|�dtj|�z}|j�}|j	|d��}t|t
�||��}		|	j|�|jjd|xs|z�y#t$r}
td|xs|�d|
����d}
~
wwxYw)	N�4Either the username or '--filter' must be specified!�((&(objectClass=user)(sAMAccountName=%s))Tr�r�zFailed to enable user '�': zEnabled user '%s'
)rr�r�r�r�r
r	�enable_accountr�r�r��r�r�r�r�r�r�rdr�r�r�rs           r*r�zcmd_user_enable.run8s��������U�V�V��>�?�3�CT�CT�U]�C^�_�F�
�
#�
#�
%���(�(��d�(�C���!�.�*:�"'�B�0��	]�� � ��(�	
�	�	���-��1C�V�D�E���	]��8�CU�v�CU�WZ�[�\�\��	]�s�%B�	B<�"B7�7B<�NNNNNN�r�r�r�r�r�r�r�r�r�r�rr�r�r�r�r�r,r*rrsv���>@�H��)�)��-�-��.�.���	�t�W�#J�QT��3�	(��z� @�s�K��M���J�:>�-1�Fr,rc��eZdZdZdZedddedd��ed	d
samba-tool user disable (class cmd_user_disable)

Disable a user.

Synopsis: %prog (<username>|--filter <filter>) [options]

Options:
  -H, --URL   LDB URL for database or target server
  --filter    LDAP filter selecting the account to disable

Behaviour legible in the bytecode: the same username/--filter handling as enable, followed by SamDB.disable_account(filter). Only the failure case prints a message, "Failed to disable user '%s': ..."; success is silent.
dddedd�	�e
d
de��e
d
ded��e
dddd��gZ
dgZ		dd�Zy)�cmd_user_setexpirya�Set the expiration of a user account.

The user can either be specified by their sAMAccountName or using the --filter option.

When a user account expires, it becomes disabled and the user is unable to logon.  The administrator may issue the samba-tool user enable command to enable the account for logon.  The permissions and memberships associated with the account are retained when the account is enabled.

The command may be run from the root userid or another authorized userid.  The -H or --URL= option can be used to execute the command on a remote server.

Example1:
samba-tool user setexpiry User1 --days=20 --URL=ldap://samba.samdom.example.com --username=administrator --password=passw1rd

Example1 shows how to set the expiration of an account in a remote LDAP server.  The --URL parameter is used to specify the remote target server.  The --username= and --password= options are used to pass the username and password of a user that exists on the remote server and is authorized to update that server.

Example2:
sudo samba-tool user setexpiry User2 --noexpiry

Example2 shows how to set the account expiration of user User2 so it will never expire.  The user in this example resides on the  local server.   sudo is used so a user may run the command as root.

Example3:
samba-tool user setexpiry --days=20 --filter=samaccountname=User3

Example3 shows how to set the account expiration date to end of day 20 days from the current day.  The username or sAMAccountName is specified using the --filter= parameter and the username in this example is User3.

Example4:
samba-tool user setexpiry --noexpiry User4

Example4 shows how to set the account expiration so that it will never expire.  The username and sAMAccountName in this example is User4.

rrr`rarbrcrdrerrrsz--dayszDays to expiryr)rfrgrz
--noexpiryzPassword does never expirerlF)rfrnrrNc	���|�
|�td��|�dtj|�z}|j�}	|j	|	�}
t|t
�|
|	��}	|j||dzdz|��|r#|jjd	|xs|z�y|jjd
|xs||fz�y#t$r}td|xs|�d|����d}~wwxYw)Nr!r"r��i)�
no_expiry_reqzFailed to set expiry for user 'r#zExpiry for user '%s' disabled.
z%Expiry for user '%s' set to %u days.
)rr�r�r�r�r
r	�	setexpiryr�r�r�)
r�r�r�r�r�rdr��days�noexpiryr�r�r�rs
             r*r�zcmd_user_setexpiry.run�s�������U�V�V��>�?�3�CT�CT�U]�C^�_�F�
�
#�
#�
%���(�(��,���!�.�*:�"'�B�0��	*��O�O�F�D�2�I��$4�H�O�M�
��I�I�O�O�>��"�F�$�
%�
�I�I�O�O�D��"�F�D�H*�*�
+���	*���"�F�"�C� )�*�
*��	*�s�#C�	C*�C%�%C*)NNNNNNNN)r�r�r�r�r�r�r�r�r�r�rr�r�r�r�r�r�r,r*r-r-rs����8@�H��)�)��-�-��.�.���	�t�W�#J�QT��3�	(��z� @�s�K��x�.�S�!�D��|�">�|�]b�c��M���J�:>�GK�+r,r-c��eZdZdZdZedde��gZejejejd�Z		d	d�Z
y)
samba-tool user password (class cmd_user_password)

Change password for a user account (the one provided in authentication).

Synopsis: %prog [options]

Options:
  --newpassword   New password

Behaviour legible in the bytecode: the command authenticates with the supplied credentials (the old password is taken from them), prompts "New Password: " and "Retype Password: " until both entries match ("Sorry, passwords do not match.") unless --newpassword was given, and changes the password of the authenticating account with Net(creds, lp, server=<address from the credential options>).change_password(newpassword). Messages: "Failed to change password : %s" and "Changed password OK". This is the self-service path, in which the user proves knowledge of the current password; resetting another account's password is samba-tool user setpassword.
�)�)��.�.��-�-���>B��1r,r5c��eZdZdZdZejejejd�Z	e
dddedd�	�e
d
ddd
d��gZdgZ
					dd�Zy)�cmd_user_getgroupszqGet the direct group memberships of a user account.

The username specified on the command is the sAMAccountName.r�rr`rarbrcrdrerrFrlrrr�Nc��|j�}|j|�}t|t�||��}	dt	j
|�z}
	|	j
|	j�|
tjgd���}|djdd��}ttj|�}
|
j�\}}d|
z}t|djd	d���}|djd
�}|�g}d||fz}d
}
	|	j
||
tj"dg��}t%|dj&�}|djd�}|rD|j(j+d|z�|D] }|j(j+d|z��"yg}|D]J}	|	j
||
tj"dg��}|j-|djd���L|j(j+d|z�|D] }|j(j+d|z��"y#t$rt!d|z��wxYw#t$rt!d|z��wxYw#t$rt!d|z��wxYw)Nr��((&(sAMAccountName=%s)(objectClass=user))��	objectSid�memberOf�primaryGroupID�r�r�r�r�rrFr	�<SID=%s>rHrG�Unable to find user '%s'z<SID=%s-%u>z(objectClass=group)�sAMAccountNamez!Unable to find primary group '%s'r�Unable to find group '%s')r�r�r
r	r�r�r�r�r�r�rr
�dom_sid�splitr�r�r�
SCOPE_BASEr�r�r�r��extend)r�r�r�r�r�rdrr�r�r�r�r��user_sid_binary�user_sid�user_dom_sid�user_rid�user_sid_dn�	user_pgid�user_groups�primarygroup_sid_dn�primary_group_dn�primary_group_name�group_dn�group_names�gdn�
group_names                          r*r�zcmd_user_getgroups.runs����
#�
#�
%���(�(��,���!�.�*:�"'�B�0��=��#�#�H�-�.��	H��,�,�E�O�O�$5�*0�%(�%6�%6�&8��9�C�"�!�f�j�j��!�j�<�O�!�(�"2�"2�O�D�H�'/�~�~�'7�$�\�8�$�x�/�K��C��F�J�J�'7�Q�J�?�@�I��a�&�*�*�Z�0�K��"� ��,�|�Y�.G�G��&��	\��,�,�$7�*0�%(�^�^�&6�%7��9�C� #�3�q�6�9�9�~��!$�Q����,<�!=����I�I�O�O�F�%5�5�6�'�
3���	�	����� 1�2�
3�����	H�C�
H��l�l��.4�),���*:�);�#�=���"�"�3�q�6�:�:�.>�#?�@�
	H�	
�	�	����!3�3�4�%�	1�J��I�I�O�O�F�Z�/�0�	1��E�	H��9�X�F�G�G�	H���	\��B�FY�Z�[�[�	\��"�
H�"�#>�#�#F�G�G�
H�s'�B2H9�AI�,AI/�9I�I,�/J)NNNNFr'r�r,r*rBrB�s���@�,�H��)�)��-�-��.�.���	�t�W�#J���S�	2��{���"�?�	A�
�M���J������
samba-tool user setprimarygroup (class cmd_user_setprimarygroup)

Set the primary group of a user account.

This command sets the primary group of a user account. The username specified on
the command is the sAMAccountName. The primarygroupname is the sAMAccountName
of the new primary group. The user must be a member of the group.

The command may be run from the root userid or another authorized userid. The
-H or --URL= option can be used to execute the command against a remote server.

Example1:
samba-tool user setprimarygroup TestUser1 newPrimaryGroup --URL=ldap://samba.samdom.example.com -Uadministrator%passw1rd

Example1 shows how to set the primary group for TestUser1 on a remote LDAP
server. The --URL parameter is used to specify the remote target server.  The
-U option is used to pass the username and password of a user that exists on
the remote server and is authorized to update the server.
Synopsis: %prog <username> <primarygroupname> [options]

Options:
  -H, --URL   LDB URL for database or target server

Behaviour legible in the bytecode: the user is read with
"(&(sAMAccountName=%s)(objectClass=user))" and the attributes objectSid,
memberOf and primaryGroupID, with the extended_dn:1:1 control so that each
memberOf DN carries its <SID=...> component ("Unable to find user '%s'"). From
this the user's domain SID and RID, the current primary group SID
(<domain SID>-<primaryGroupID>) and the SIDs of the memberOf groups are
collected. The target group is read with
"(&(sAMAccountName=%s)(objectClass=group))" and its objectSid
("Unable to find group '%s'"). Two checks precede the change:
  - the group's domain SID must equal the user's ("Group '%s' does not belong
    to the user's domain");
  - the group's RID must be the current primaryGroupID, or the group's SID must
    be among the user's memberOf SIDs ("User '%s' is not member of group '%s'"),
    because the directory only accepts a primaryGroupID that names a group the
    user is already a member of.
The change is applied with SamDB.modify_ldif() using

dn: <user DN>
changetype: modify
delete: primaryGroupID
primaryGroupID: <current RID>
add: primaryGroupID
primaryGroupID: <new RID>

Messages: "Failed to set primary group '%s' for user '%s': ..." and
"Changed primary group to '%s'".
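The getgroups and setprimarygroup sections above both turn on the same small pieces: decoding the binary objectSid, splitting it into domain SID and RID, deriving the primary group SID from primaryGroupID, and the two checks and LDIF shown above. The following is an added example written for this page, not Samba's code, that implements those pieces in plain Python over constructed SIDs and a constructed DN; the function names and the sample values are this example's own.

```python
import struct

# The LDIF setprimarygroup applies (user DN, current primaryGroupID, new RID).
SETPRIMARYGROUP_LDIF = """
dn: %s
changetype: modify
delete: primaryGroupID
primaryGroupID: %u
add: primaryGroupID
primaryGroupID: %u
"""


def sid_from_bytes(data):
    """Decode a binary objectSid (MS-DTYP 2.4.2.2) into its 'S-1-...' form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big-endian), then 32-bit little-endian sub-authorities.
    """
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or len(data) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(data[2:8], "big")
    subauths = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d%s" % (revision, authority,
                           "".join("-%d" % s for s in subauths))


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes, for building test input."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subauths)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into ('S-1-5-21-a-b-c', rid), like dom_sid.split()."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def primary_group_sid(user_sid, primary_group_id):
    """The primary group is absent from memberOf; its SID is domain SID + primaryGroupID."""
    domain, _ = split_sid(user_sid)
    return "%s-%u" % (domain, primary_group_id)


def check_primary_group_change(user_sid, user_pgid, user_group_sids, group_sid):
    """The two checks setprimarygroup makes; returns the new RID (the new primaryGroupID)."""
    user_domain, _ = split_sid(user_sid)
    group_domain, group_rid = split_sid(group_sid)
    if group_domain != user_domain:
        raise ValueError("Group '%s' does not belong to the user's domain" % group_sid)
    if group_rid != user_pgid and group_sid not in user_group_sids:
        raise ValueError("User is not member of group '%s'" % group_sid)
    return group_rid


def build_setprimarygroup_ldif(user_dn, old_pgid, new_rid):
    """Render the modify LDIF for SamDB.modify_ldif()."""
    return SETPRIMARYGROUP_LDIF % (user_dn, old_pgid, new_rid)


# Constructed sample: one user whose primary group is Domain Users (RID 513)
# and who is an explicit member of a custom group with RID 1120.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
USER_SID = DOMAIN_SID + "-1105"
USER_DN = "CN=alice,CN=Users,DC=samdom,DC=example,DC=com"
USER_PGID = 513
USER_GROUP_SIDS = [DOMAIN_SID + "-1120"]

if __name__ == "__main__":
    raw = sid_to_bytes(USER_SID)
    print(raw.hex(), sid_from_bytes(raw))
    print("<SID=%s>" % primary_group_sid(USER_SID, USER_PGID))
    rid = check_primary_group_change(USER_SID, USER_PGID, USER_GROUP_SIDS, DOMAIN_SID + "-1120")
    print(build_setprimarygroup_ldif(USER_DN, USER_PGID, rid))
```

The membership check is what keeps the tool from producing an LDAP error after the fact: the directory refuses a primaryGroupID for a group the user is not a member of, and the current primary group is accepted only because the user is implicitly a member of it.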
samba-tool user setpassword (class cmd_user_setpassword)

Set or reset the password of a user account.

This command sets or resets the logon password for a user account.  The username specified on the command is the sAMAccountName.  The username may also be specified using the --filter option.

If the password is not specified on the command through the --newpassword parameter, the user is prompted for the password to be entered through the command line.

It is good security practice for the administrator to use the --must-change-at-next-login option which requires that when the user logs on to the account for the first time following the password change, he/she must change the password.

The command may be run from the root userid or another authorized userid.  The -H or --URL= option can be used to execute the command against a remote server.

Example1:
samba-tool user setpassword TestUser1 --newpassword=passw0rd --URL=ldap://samba.samdom.example.com -Uadministrator%passw1rd

Example1 shows how to set the password of user TestUser1 on a remote LDAP server.  The --URL parameter is used to specify the remote target server.  The -U option is used to pass the username and password of a user that exists on the remote server and is authorized to update the server.

Example2:
sudo samba-tool user setpassword TestUser2 --newpassword=passw0rd --must-change-at-next-login

Example2 shows how an administrator would reset the TestUser2 user's password to passw0rd.  The user is running under the root userid using the sudo command.  In this example the user TestUser2 must change their password the next time they logon to the account.

Example3:
samba-tool user setpassword --filter=samaccountname=TestUser3 --newpassword=passw0rd

Example3 shows how an administrator would reset TestUser3 user's password to passw0rd using the --filter= option to specify the username.

Synopsis: %prog (<username>|--filter <filter>) [options]

Options:
  -H, --URL                    LDB URL for database or target server
  --filter                     LDAP filter selecting the account
  --newpassword                Set password
  --must-change-at-next-login  Force password to be changed on next login
  --random-password            Generate random password
  --smartcard-required         Require a smartcard for interactive logons
  --clear-smartcard-required   Don't require a smartcard for interactive logons

Behaviour legible in the bytecode:
- One of username or --filter is required ("Either the username or '--filter' must be specified!"); a username becomes the filter "(&(objectClass=user)(sAMAccountName=%s))" after ldb.binary_encode().
- --smartcard-required cannot be combined with --newpassword, --must-change-at-next-login or --clear-smartcard-required ("It is not allowed to specify ... together with --smartcard-required.").
- --random-password calls generate_random_password(128, 255); otherwise, when no --newpassword is given, the tool prompts "New Password: " and "Retype Password: " until both entries match ("Sorry, passwords do not match."). A password passed as --newpassword=... on the command line is exposed in the shell history and the process list like any other command-line secret; the prompt avoids that.
- Before connecting, gensec.FEATURE_SEAL is added to the credentials' gensec features, so the new password only travels inside a sealed (encrypted) session; this is what protects it when -H points at a remote server.
- With --smartcard-required, dsdb.UF_SMARTCARD_REQUIRED is set through SamDB.toggle_userAccountFlags(filter, flags, on=True) and the account is enabled with SamDB.enable_account(filter); messages: "Failed to set UF_SMARTCARD_REQUIRED for user '%s'", "Failed to enable account for user '%s'", "Added UF_SMARTCARD_REQUIRED OK". No password is set in this mode.
- Otherwise, --clear-smartcard-required first clears the bit with toggle_userAccountFlags(..., on=False) ("Failed to remove UF_SMARTCARD_REQUIRED for user '%s'"), and the password is set with SamDB.setpassword(filter, password, force_change_at_next_login=<--must-change-at-next-login>, username=<username>); messages: "Failed to set password for user '%s'" and "Changed password OK".
GetPasswordCommand (base class of the getpassword family of commands)

__init__: sets self.lp = None.

inject_virtual_attributes(samdb): registers every name in virtual_attributes with the ldb handle's schema as a hidden octet-string attribute (ldb.ATTR_FLAG_HIDDEN plus the attribute's own flags, syntax ldb.SYNTAX_OCTET_STRING), so the virtual names can be requested and returned like ordinary attributes.

connect_system_samdb(url, allow_local=False, verbose=False): connects with anonymous credentials and the local system session (system_session()). ldap:// and ldaps:// URLs are refused ("--url ldap:// is not supported for this command", "--url ldaps:// is not supported for this command"); anything that is not ldapi:// is refused unless allow_local is set ("--url requires an ldapi:// url for this command"). With verbose it prints "Connecting to '%s'". After connecting it reads tokenGroups from the rootDSE and requires exactly one SID, equal to security.SID_NT_SYSTEM; otherwise: "You need to specify an URL that gives privileges as SID_NT_SYSTEM(%s)". In practice the command has to run on the DC itself, as root, against the local ldapi:// socket or sam.ldb, since only the system token can read the stored password blobs. It then calls inject_virtual_attributes() and returns the SamDB.

get_account_attributes(samdb, username, basedn, filter, scope, attrs, decrypt, support_pw_attrs=True), as far as it is legible before the dump ends:
- A requested attribute may carry options after ';' (for example "pwdLastSet;format=GeneralizedTime"). Legible option keys are format, with the values GeneralizedTime, UnixTime and TimeSpec, and rounds for the crypt attributes. "*" is accepted.
- sAMAccountName and userPrincipalName are always fetched; supplementalCredentials and unicodePwd are added when password attributes are requested and support_pw_attrs is true. With scope SCOPE_BASE the controls show_deleted:1 and show_recycled:1 are sent, so a deleted or recycled object can still be read.
- Exactly one object must match ("Matched %u multiple users with filter "%s"" otherwise); every error in this phase is reported as "Failed to get password for user '%s': ...".
- supplementalCredentials is unpacked as drsblobs.supplementalCredentialsBlob and its packages are looked up by name: Primary:Kerberos-Newer-Keys, or failing that Primary:Kerberos (drsblobs.package_PrimaryKerberosBlob, giving version and ctr; virtualKerberosSalt is ctr.salt.string and the AES256 key is the key with keytype 18), Primary:CLEARTEXT (UTF-16-LE), Primary:WDigest (drsblobs.package_PrimaryWDigestBlob) and Primary:SambaGPG, which is only accepted when it is the last package in the blob.
- With decrypt, Primary:SambaGPG is decrypted through the gpgme/gpg module found at import time; on failure: "WARNING: '%s': SambaGPG can't be decrypted into CLEARTEXT: %s". The decrypted value is used as Primary:CLEARTEXT only after being cross-checked against the credential material already stored on the object, so that a stale SambaGPG blob is not reported as the current password.
- Attributes derived from the UTF-8 form of the cleartext (virtualClearTextUTF8, virtualSSHA, virtualCryptSHA256/512) go through a helper that decodes the UTF-16-LE cleartext and re-encodes it as UTF-8; when the stored value is not valid UTF-16-LE the attribute is skipped with "WARNING: '%s': CLEARTEXT is invalid UTF-16-LE unable to generate %s".
- virtualSSHA is "{SSHA}" followed by base64(SHA-1(utf8 password || salt) || salt) with a 4-byte random salt from os.urandom(); virtualCryptSHA256/512 call get_crypt_value() with the rounds option; virtualWDigestNN (NN = 01..29) calls a get_wDigest(i, primary_wdigest, account_name, account_upn, domain, dns_domain) helper that selects, per index, the user/realm pair (sAMAccountName or UPN; NetBIOS or DNS domain; original, lower or upper case) that MS-SAMR defines for Primary:WDigest hash i and reports the stored hash for it.
- The ;format= variants are produced by get_GeneralizedTime / get_UnixTime / get_TimeSpec helpers from the NT-time attribute value and returned under the name "<attribute>;format=<format>".

The dump ends inside get_wDigest; the rest of this class and the subcommand classes that follow it in user.py are not on the page.
�!�)�)�)�G�N�N�1�q�5�4I�4N�4N�*O�P��%)�5�*�V�2D�E�E���
��
�s�A
N'�'	N3�2N3c����d}d}�	d�}|�
�
|||�\}}|�=�	d�}|�/�|||xs|�}|�tt|�t|�|�}|�|}|�yd|zS)NzPrimary:userPasswordr��{CRYPT})rWr�r)r��	algorithmrPr�r�sv�fbr�r�r��get_userPassword_hashr�s         ���r*�get_virtual_crypt_valuezJGetPasswordCommand.get_account_attributes.<locals>.get_virtual_crypt_value�s�����B��B��2�3�A��}�0��I�v�F���R��z� � 3�4���=�!�!�Q��(@�L�A�B��~�-�S��^�Z��^�V�T���:��B��z���r�>�!r,c����ttj|�}d}���}n���jdd}ny|t	|j
j�k7ryd|z}|}|dkDrd||fz}d}|jD]b}	t|	j�}
|�"|	j|k(r|
j|�r|
}|	j|k(s�L|
j|�s�^|
|fcSd|fS)Nrr?)NNz$%d$rz
$%d$rounds=%d)rr�package_PrimaryUserPasswordBlob�valuer	�current_nt_hashrr
r�schemer�)
�blobrrP�up�SCHEME�current_hash�
scheme_prefix�prefix�scheme_match�h�h_value�
aes256_keyr�s
           ��r*rzHGetPasswordCommand.get_account_attributes.<locals>.get_userPassword_hash�s����H�D�D�d�K�B��F��%�)���'�)�/�/���4��!��y��);�);�)@�)@�A�A�!�"�Y�.�M�"�F���z�(�I�v�+>�>���L��Y�Y�	
3��%�Q�W�W�-�� �(��H�H��&��&�&�}�5�#*�L��8�8�v�%�'�*<�*<�V�*D�#�\�2�2�	
3��,�'�'r,c�R���|d�}|�y	t|�S#t$rYywxYw)NrPr)r��
ValueError)r�r�r�s  �r*�
get_roundsz=GetPasswordCommand.get_account_attributes.<locals>.get_roundss7����T�8�,�C��{��
��3�x����
��
�s�
�	&�&r�r6r7rXr�z{SSHA}rBrZr�r[r�r8r]�virtualWDigestzPrimary:WDigestc���|j�}d}�j�D]}||j�k7r�|}|S|Sr�)r�r�)�srcattrg�srcattrl�srcattrr��objs    �r*�get_src_attrnamezCGetPasswordCommand.get_account_attributes.<locals>.get_src_attrnameisN����~�~�'�H��G��X�X�Z�
���q�w�w�y�(������N�
�
�Nr,c���|�vryt�|d�}|jd�r"tj|�}t	|�}|S	t|�}|dk(ry|dk\ryt|�}|S#t$r
}Yd}~yd}~wwxYw)Nrz.0Zl����)r��endswithr��string_to_time�floatr�r/r)r5�vstr�vut�vfl�vntr�r6s      �r*�get_src_time_floatzEGetPasswordCommand.get_account_attributes.<locals>.get_src_time_floatss�����c�!���s�7�|�A��'�D��}�}�U�#��(�(��.���C�j���
�
��$�i���a�x���(�(���s�#�C��J���
���
�s�A0�0	B�>Bc�����|�}|�yt|�}	dtj|�z}|S#t$r(}|jtj
k(rYd}~y�d}~wwxYw)N�%s)r�r��
timestring�OSError�errno�	EOVERFLOW)r5r>r=�vr�r@s     �r*�get_generalizedtimezFGetPasswordCommand.get_account_attributes.<locals>.get_generalizedtime�se���$�W�-�C��{���c�(�C�
��3�>�>�#�.�.��
�H��	�
��7�7�e�o�o�-����
�s�3�	A$�A�A�A$c�>���|�}|�yt|�}d|z}|S)Nz%d)r�)r5r>r=rGr@s    �r*�
get_unixepochz@GetPasswordCommand.get_account_attributes.<locals>.get_unixepoch�s,���$�W�-�C��{���c�(�C��s�
�A��Hr,c�(���|�}|�yd|z}|S)Nz%.9fr�)r5r>rGr@s   �r*�get_timespecz?GetPasswordCommand.get_account_attributes.<locals>.get_timespec�s#���$�W�-�C��{�����A��Hr,z;format=r�r�r�r�)F�r).rir�rPr�rMr�rrr�supplementalCredentialsBlobr��domain_dns_namer�rRr.r��next�builtinsr��gpg_decryptrr�r��set_utf16_password�get_nt_hash�get_aes256_keyr!r�r�r�r�rErF�hashlib�sha1�updaterrGrHrJr�r�r/�domain_netbios_name�MessageElement�FLAG_MOD_REPLACE)Rr�r�r��basednr�r�r�r%�support_pw_attrsr��	raw_attrs�has_wildcard_attr�has_virtual_attrs�requested_attrs�implicit_attrsr�r��search_attrs�required_attrs�
required_attr�search_controlsr�r�sc_blobrrrr��
kerberos_salt�krb5_v�krb5_ctrr��sgv�cv�tmp�	decryptedr'r�rrr0r��ra�	attr_optsr�r�rGrRr+�bvrP�xr
rrrr7rHrJrL�generated_formatsr�r5�an�delname�keep�dattr�iarr-r�r�r�r�r@rr�r�r�r6r�r�sR`                                                                   @@@@@@@@@@@@@@r*�get_account_attributesz)GetPasswordCommand.get_account_attributesss�����	�	�
��	�
	��!�H�	��9�,��!������!�	&�H��x�(�A��"�"�1�%�	&���!�� �
	/�A���z�%�$(�!����|�'�
�%�%�a�(����}��,������*�
�.�
	/�!� �#��N�"0�
)�
�"�=�1���%�%�a�(�
)���-� �"��&4�-�M�&�}��E�A�"�)�)�!�,�-� �	+�A���y�L�(������&�	�*�	+�
�C�N�N�"�/�1B�C�O� �O�
	g��,�,�F�v�%*�,�(7��9�C��3�x�1�}�� :�h�>P�&� Q�R�R��3�x�!�|�� L�PS�TW�PX�Z`�Oa� a�b�b��
�!�f��
���
�$��+��3�4�Q�7�G��H�@�@�'�J�B��3���\�*�1�-�J��3�/�0��3�4���#�%��c�"5�6�q�9�:�K��)�)�+�E�%1�5�;�;�=�A�K��
�	�$	6��
��
�-�/�����V��$�M�M�0�0�M��}�}�+�!�(�/�/�)�X�]�]�"K�"&�(�
���0�"�=�C���:�$�S�)�B�&�1�1�3�C��%�%�'��*�*�2�.� $�I�#'�L�!�-�$'�O�O�$5�	�'1��#�/�M�4M�$'�$6�$6�}�$E�	�'1�'7�'7��#�/�L�I�4M�:<�
�#6�7�	���d	�V	"�2%	(�V	��*�/�/�1�2�O	D�A��E�%�
���g�;�&���f�:�#�#�%�����2�����

��}���f�
�I��*�*�� 3�4���9���a��H�$<��=���:�����-�-�� 3�4���9���m�#�� 3�4���9���a��H�$<��=���:���z�z�!�}���L�L�N�������������X�X�Z�$�&���v�/�/��3�:�:�6�B�B���*�*�#�I�.��+�A�q�&�(�L�Q���9�����*�*�#�I�.��+�A�q�&�(�L�Q���9�����'�'� � 2�B�?���9���+�+�!���9�����.�/�"-�.?�"@��"�*���c�*�+�,�-����A��A��2�2�4��"�2�2�4�
���?�L�+�v�Wa�b���9����'�'��3�+?�+?��C�C��F�_O	D�b	�	�*	�	�	����	J�B�%�
J���i�=�(���i�=�B�&��*�2�f�:�6���?��'.��3���*�*��(*�!�"�%����*�*�+�G�4�A��:�%�%�g�.�A��:�%�$�W�-�A��9���,�,�Q��0D�0D�b�I��B��-
J�	J�4�x�x�z�	�G��D�%�
���=�=�?�b��n�&:�&:�&<�<�����	
�
���E�$�
���=�=�?�b��j�&6�&6�&8�8�����	
�
�}�� ��{�);���G��+	�,�
��c�	g��X�M_�Y_�M_�ad�e�f�f��	g��L!�:��I�I�O�O�%�4��4�a�9�:�:��:��h"����sD�*AZ�
BZ>�8[;�	Z;�!Z6�6Z;�>	[8�&[3�3[8�;	\�\c���|�td��|jd�}g}|D]�}|j�j�}tj�D]@}|j
�|j
�k(s�%t|d}td|�d|����tj�D]'}|j
�|j
�k(s�%|}n||gz
}��|S)N�Please specify --attributes�,rYzVirtual attribute 'z' not supported: )rrO�lstrip�rstrip�disabled_virtual_attributesr�r�r�)r��
attributesr��password_attrs�pa�da�r�vas        r*�parse_attributesz#GetPasswordCommand.parse_attributes�s������<�=�=�� � ��%�����	#�B�����#�#�%�B�1�6�6�8�
/���8�8�:�����+�3�B�7��A�A�&�')�1�(.�/�/�
/�
)�-�-�/�
���8�8�:�����+��B��	
�

�r�d�"�N�	#��r,)FF)T)	r�r�r�r�r�r�ryr��
__classcell__�r�s@r*r�r�;s'����J�)�XAE�b	�Hr,r�c
����eZdZdZ�fd�ZdZejejd�Z	e
dddedd	�
�e
dde�
�e
deedd��e
de
ddd��gZdgZ			dd�Z�xZS)�cmd_user_getpasswordaGet the password fields of a user/computer account.

This command gets the logon password for a user/computer account.

The username specified on the command is the sAMAccountName.
The username may also be specified using the --filter option.

The command must be run from the root user id or another authorized user id.
The '-H' or '--URL' option only supports ldapi:// or [tdb://] and can be
used to adjust the local path. By default tdb:// is used.

The '--attributes' parameter takes a comma separated list of attributes,
which will be printed or given to the script specified by '--script'. If a
specified attribute is not available on an object it's silently omitted.
All attributes defined in the schema (e.g. the unicodePwd attribute holds
the NTHASH) and the following virtual attributes are possible (see --help
for which virtual attributes are supported in your environment):

   virtualClearTextUTF16: The raw cleartext as stored in the
                          'Primary:CLEARTEXT' (or 'Primary:SambaGPG'
                          with '--decrypt-samba-gpg') buffer inside of the
                          supplementalCredentials attribute. This typically
                          contains valid UTF-16-LE, but may contain random
                          bytes, e.g. for computer accounts.

   virtualClearTextUTF8:  As virtualClearTextUTF16, but converted to UTF-8
                          (only from valid UTF-16-LE).

   virtualSSHA:           As virtualClearTextUTF8, but a salted SHA-1
                          checksum, useful for OpenLDAP's '{SSHA}' algorithm.

   virtualCryptSHA256:    As virtualClearTextUTF8, but a salted SHA256
                          checksum, useful for OpenLDAP's '{CRYPT}' algorithm,
                          with a $5$... salt, see crypt(3) on modern systems.
                          The number of rounds used to calculate the hash can
                          also be specified. By appending ";rounds=x" to the
                          attribute name i.e. virtualCryptSHA256;rounds=10000
                          will calculate a SHA256 hash with 10,000 rounds.
                          Non numeric values for rounds are silently ignored.
                          The value is calculated as follows:
                          1) If a value exists in 'Primary:userPassword' with
                             the specified number of rounds it is returned.
                          2) If 'Primary:CLEARTEXT', or 'Primary:SambaGPG'
                             with '--decrypt-samba-gpg'. Calculate a hash with
                             the specified number of rounds.
                          3) Return the first CryptSHA256 value in
                             'Primary:userPassword'.


   virtualCryptSHA512:    As virtualClearTextUTF8, but a salted SHA512
                          checksum, useful for OpenLDAP's '{CRYPT}' algorithm,
                          with a $6$... salt, see crypt(3) on modern systems.
                          The number of rounds used to calculate the hash can
                          also be specified. By appending ";rounds=x" to the
                          attribute name i.e. virtualCryptSHA512;rounds=10000
                          will calculate a SHA512 hash with 10,000 rounds.
                          Non numeric values for rounds are silently ignored.
                          The value is calculated as follows:
                          1) If a value exists in 'Primary:userPassword' with
                             the specified number of rounds it is returned.
                          2) If 'Primary:CLEARTEXT', or 'Primary:SambaGPG'
                             with '--decrypt-samba-gpg'. Calculate a hash with
                             the specified number of rounds.
                          3) Return the first CryptSHA512 value in
                             'Primary:userPassword'.

   virtualWDigestNN:      The individual hash values stored in
                          'Primary:WDigest' where NN is the hash number in
                          the range 01 to 29.
                          NOTE: As at 22-05-2017 the documentation:
                          3.1.1.8.11.3.1 WDIGEST_CREDENTIALS Construction
                        https://msdn.microsoft.com/en-us/library/cc245680.aspx
                          is incorrect.

   virtualKerberosSalt:   This returns the salt string that is used to compute
                          Kerberos keys from a UTF-8 cleartext password.

   virtualSambaGPG:       The raw cleartext as stored in the
                          'Primary:SambaGPG' buffer inside of the
                          supplementalCredentials attribute.
                          See the 'password hash gpg key ids' option in
                          smb.conf.

The '--decrypt-samba-gpg' option triggers decryption of the
Primary:SambaGPG buffer. Check with '--help' if this feature is available
in your environment or not (the python-gpgme package is required).  Please
note that you might need to set the GNUPGHOME environment variable.  If the
decryption key has a passphrase you have to make sure that the GPG_AGENT_INFO
environment variable has been set correctly and the passphrase is already
known by the gpg-agent.

Attributes with time values can take an additional format specifier, which
converts the time value into the requested format. The format can be specified
by adding ";format=formatSpecifier" to the requested attribute name, whereby
"formatSpecifier" must be a valid specifier. The syntax looks like:

  --attributes=attributeName;format=formatSpecifier

The following format specifiers are available:
  - GeneralizedTime (e.g. 20210224113259.0Z)
  - UnixTime        (e.g. 1614166392)
  - TimeSpec        (e.g. 161416639.267546892)

Attributes with an original NTTIME value of 0 or 9223372036854775807 are
treated as a non-existing value.

Example1:
samba-tool user getpassword TestUser1 --attributes=pwdLastSet,virtualClearTextUTF8

Example2:
samba-tool user getpassword --filter=samaccountname=TestUser3 --attributes=msDS-KeyVersionNumber,unicodePwd,virtualClearTextUTF16
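As an added example (not code from Samba or from this module), here is how a ";format=formatSpecifier" suffix on a time-valued attribute is resolved: the attribute spec is split into name and options, the raw NTTIME (100 ns ticks since 1601-01-01) is converted to the three formats listed above, and the 0 and 9223372036854775807 sentinels yield no value. The sample object and its values are constructed.

```python
from datetime import datetime, timezone

# Seconds between the NTTIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
NTTIME_UNIX_OFFSET = 11644473600
TICKS_PER_SECOND = 10**7  # NTTIME counts 100 ns intervals
# NTTIME values that the command treats as "no value" (unset / never).
NTTIME_UNSET = 0
NTTIME_NEVER = 9223372036854775807  # 2**63 - 1

SUPPORTED_FORMATS = ("GeneralizedTime", "UnixTime", "TimeSpec")


def parse_attribute_spec(spec):
    """Split 'name;key=value;...' into (name, {key: value}).

    Works for 'pwdLastSet;format=UnixTime' as well as
    'virtualCryptSHA512;rounds=10000'.
    """
    name, _, rest = spec.partition(";")
    opts = {}
    for opt in filter(None, rest.split(";")):
        key, _, value = opt.partition("=")
        opts[key.strip()] = value.strip()
    return name.strip(), opts


def nttime_to_unix_parts(nt):
    """Return (whole seconds, remaining 100 ns ticks) since the Unix epoch.

    Returns None for the two sentinel values, which carry no time.
    Integer arithmetic keeps the full 100 ns precision for TimeSpec.
    """
    if nt in (NTTIME_UNSET, NTTIME_NEVER):
        return None
    return divmod(nt - NTTIME_UNIX_OFFSET * TICKS_PER_SECOND, TICKS_PER_SECOND)


def format_nttime(nt, fmt):
    """Render an NTTIME in one of the supported format specifiers."""
    if fmt not in SUPPORTED_FORMATS:
        raise ValueError("unsupported format specifier: %s" % fmt)
    parts = nttime_to_unix_parts(nt)
    if parts is None:
        return None
    seconds, ticks = parts
    if fmt == "UnixTime":
        return "%d" % seconds
    if fmt == "TimeSpec":
        # 100 ns ticks * 100 gives nanoseconds, printed as 9 fractional digits.
        return "%d.%09d" % (seconds, ticks * 100)
    # GeneralizedTime as LDAP/ldb prints it: YYYYMMDDHHMMSS.0Z in UTC.
    dt = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return dt.strftime("%Y%m%d%H%M%S") + ".0Z"


def render_time_attribute(raw_attrs, spec):
    """Resolve one requested attribute spec against an object's raw attributes.

    Attributes missing from the object are silently omitted (None), and an
    attribute without a format option is returned as its raw string value.
    """
    name, opts = parse_attribute_spec(spec)
    if name not in raw_attrs:
        return None
    fmt = opts.get("format")
    if fmt is None:
        return str(raw_attrs[name])
    return format_nttime(int(raw_attrs[name]), fmt)


# Constructed sample object (not real directory data): pwdLastSet is
# 2021-02-24 11:33:12.2675468 UTC as NTTIME, accountExpires is "never",
# lastLogon was never set.
SAMPLE_OBJECT = {
    "sAMAccountName": "TestUser1",
    "pwdLastSet": 132586399922675468,
    "accountExpires": NTTIME_NEVER,
    "lastLogon": NTTIME_UNSET,
}

if __name__ == "__main__":
    for spec in ("pwdLastSet;format=GeneralizedTime",
                 "pwdLastSet;format=UnixTime",
                 "pwdLastSet;format=TimeSpec",
                 "accountExpires;format=UnixTime",
                 "lastLogon;format=TimeSpec"):
        print("%s -> %r" % (spec, render_time_attribute(SAMPLE_OBJECT, spec)))
```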

cmd_user_syncpasswords: Sync the password of user accounts.

This syncs logon passwords for user accounts.

Note that this command should run on a single domain controller only
(typically the PDC-emulator). However, the "password hash gpg key ids"
option should be configured on all domain controllers.

The command must be run from the root user id or another authorized user id.
The '-H' or '--URL' option only supports ldapi:// and can be used to adjust the
local path.  By default, ldapi:// is used with the default path to the
privileged ldapi socket.

This command has three modes: "Cache Initialization", "Sync Loop Run" and
"Sync Loop Terminate".


Cache Initialization
====================

The first time, this command needs to be called with
'--cache-ldb-initialize' in order to initialize its cache.

The cache initialization requires '--attributes' and allows the following
optional options: '--decrypt-samba-gpg', '--script', '--filter' or
'-H/--URL'.

The '--attributes' parameter takes a comma separated list of attributes,
which will be printed or given to the script specified by '--script'. If a
specified attribute is not available on an object it will be silently omitted.
All attributes defined in the schema (e.g. the unicodePwd attribute holds
the NTHASH) and the following virtual attributes are possible (see '--help'
for supported virtual attributes in your environment):

   virtualClearTextUTF16: The raw cleartext as stored in the
                          'Primary:CLEARTEXT' (or 'Primary:SambaGPG'
                          with '--decrypt-samba-gpg') buffer inside of the
                          supplementalCredentials attribute. This typically
                          contains valid UTF-16-LE, but may contain random
                          bytes, e.g. for computer accounts.

   virtualClearTextUTF8:  As virtualClearTextUTF16, but converted to UTF-8
                          (only from valid UTF-16-LE).

   virtualSSHA:           As virtualClearTextUTF8, but a salted SHA-1
                          checksum, useful for OpenLDAP's '{SSHA}' algorithm.

   virtualCryptSHA256:    As virtualClearTextUTF8, but a salted SHA256
                          checksum, useful for OpenLDAP's '{CRYPT}' algorithm,
                          with a $5$... salt, see crypt(3) on modern systems.
                          The number of rounds used to calculate the hash can
                          also be specified. By appending ";rounds=x" to the
                          attribute name i.e. virtualCryptSHA256;rounds=10000
                          will calculate a SHA256 hash with 10,000 rounds.
                          Non numeric values for rounds are silently ignored.
                          The value is calculated as follows:
                          1) If a value exists in 'Primary:userPassword' with
                             the specified number of rounds it is returned.
                          2) If 'Primary:CLEARTEXT', or 'Primary:SambaGPG' with
                             '--decrypt-samba-gpg'. Calculate a hash with
                             the specified number of rounds
                          3) Return the first CryptSHA256 value in
                             'Primary:userPassword'.

   virtualCryptSHA512:    As virtualClearTextUTF8, but a salted SHA512
                          checksum, useful for OpenLDAP's '{CRYPT}' algorithm,
                          with a $6$... salt, see crypt(3) on modern systems.
                          The number of rounds used to calculate the hash can
                          also be specified. By appending ";rounds=x" to the
                          attribute name i.e. virtualCryptSHA512;rounds=10000
                          will calculate a SHA512 hash with 10,000 rounds.
                          Non numeric values for rounds are silently ignored.
                          The value is calculated as follows:
                          1) If a value exists in 'Primary:userPassword' with
                             the specified number of rounds it is returned.
                          2) If 'Primary:CLEARTEXT', or 'Primary:SambaGPG' with
                             '--decrypt-samba-gpg'. Calculate a hash with
                             the specified number of rounds.
                          3) Return the first CryptSHA512 value in
                             'Primary:userPassword'.

   virtualWDigestNN:      The individual hash values stored in
                          'Primary:WDigest' where NN is the hash number in
                          the range 01 to 29.
                          NOTE: As at 22-05-2017 the documentation:
                          3.1.1.8.11.3.1 WDIGEST_CREDENTIALS Construction
                        https://msdn.microsoft.com/en-us/library/cc245680.aspx
                          is incorrect.

   virtualKerberosSalt:   This returns the salt string that is used to compute
                          Kerberos keys from a UTF-8 cleartext password.

   virtualSambaGPG:       The raw cleartext as stored in the
                          'Primary:SambaGPG' buffer inside of the
                          supplementalCredentials attribute.
                          See the 'password hash gpg key ids' option in
                          smb.conf.

The '--decrypt-samba-gpg' option triggers decryption of the
Primary:SambaGPG buffer. Check with '--help' if this feature is available
in your environment or not (the python-gpgme package is required).  Please
note that you might need to set the GNUPGHOME environment variable.  If the
decryption key has a passphrase you have to make sure that the GPG_AGENT_INFO
environment variable has been set correctly and the passphrase is already
known by the gpg-agent.

The '--script' option specifies a custom script that is called whenever any
of the dirsyncAttributes (see below) has changed. The script is called
without any arguments. It gets the LDIF for exactly one object on STDIN.
If the script processed the object successfully it has to respond with a
single line starting with 'DONE-EXIT: ' followed by an optional message.

Note that the script might be called without any password change, e.g. if
the account was disabled (a userAccountControl change) or the
sAMAccountName was changed. The objectGUID, isDeleted and isRecycled attributes
are always returned as the unique identifier of the account. It might be useful
to also ask for non-password attributes like: objectSid, sAMAccountName,
userPrincipalName, userAccountControl, pwdLastSet and msDS-KeyVersionNumber.
Depending on the object, some attributes may not be present/available,
but you always get the current state (and not a diff).

If no '--script' option is specified, the LDIF will be printed on STDOUT or
into the logfile.

The default filter for the LDAP_SERVER_DIRSYNC_OID search is:
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)\
    (!(sAMAccountName=krbtgt*)))
This means only normal (non-krbtgt) user accounts are monitored. The
'--filter' option can modify that, e.g. if it's required to also sync
computer accounts.


Sync Loop Run
=============

This (default) mode runs in an endless loop waiting for password related
changes in the active directory database. It makes use of the
LDAP_SERVER_DIRSYNC_OID and LDAP_SERVER_NOTIFICATION_OID controls in order
to get changes in a reliable fashion. Objects are monitored for changes of the
following dirsyncAttributes:

  unicodePwd, dBCSPwd, supplementalCredentials, pwdLastSet, sAMAccountName,
  userPrincipalName and userAccountControl.

It recovers from LDAP disconnects and updates the cache in a conservative way
(in single steps after each successfully processed change).  An error from
the script (specified by '--script') will result in a fatal error and this
command will exit.  But the cache state should still be valid and can be
resumed in the next "Sync Loop Run".

The '--logfile' option specifies an optional (required if '--daemon' is
specified) logfile that takes all output of the command. The logfile is
automatically reopened if fstat returns st_nlink == 0.

The optional '--daemon' option will put the command into the background.

When run without the '--daemon' option, you can also stop the command by
pressing Ctrl+C.

If you specify the '--no-wait' option the command skips the
LDAP_SERVER_NOTIFICATION_OID 'waiting' step and exits once
all LDAP_SERVER_DIRSYNC_OID changes are consumed.

Sync Loop Terminate
===================

In order to terminate an already running command (likely as daemon) the
'--terminate' option can be used. This also requires the '--logfile' option
to be specified.


Example1:
samba-tool user syncpasswords --cache-ldb-initialize \
    --attributes=virtualClearTextUTF8
samba-tool user syncpasswords

Example2:
samba-tool user syncpasswords --cache-ldb-initialize \
    --attributes=objectGUID,objectSID,sAMAccountName,\
    userPrincipalName,userAccountControl,pwdLastSet,\
    msDS-KeyVersionNumber,virtualCryptSHA512 \
    --script=/path/to/my-custom-syncpasswords-script.py
samba-tool user syncpasswords --daemon \
    --logfile=/var/log/samba/user-syncpasswords.log
samba-tool user syncpasswords --terminate \
    --logfile=/var/log/samba/user-syncpasswords.log

update_pidz.cmd_user_syncpasswords.run.<locals>.update_pid�	s/����{�{�b� � %�
��q�!��"�A�"����D�K�K�������1N�O�(,�
�%���J�J�q�M�"�%�� �$�-�-�1�2�&�(+�T�]�]�(<�=�=��?� �3�,�C��C���L�L����a�0���������i��n�=� #�D�����+��*�T�-=�-=�=�>�$��
�
�6�0�1�1�2�K����+��1�T�5E�5E�F�F���3�.�����D�I�I�K�@P�1Q�Q�R�
R�K��J�J�"�"�;�/���S#�"�%&�V�V�
��c��%�,�,�.�3�%�,�,�3F�#�$`�%(�$�-�-��c�$B�%C�D�!���"��0��!#���J�S�#��_�!�]�]�C��5�6�7���	�s2�AF<�AH"�<	H�AH�H�"	I�+(I�Ic���t|�dkDsJ�|djdk(sJ�d|d_t|d�dg�_d�j
zdzdzd�jdzzd	zd
t
jttj���zz}�jj|�y)Nr�1.2.840.113556.1.4.841Tr�r�rzreplace: dirsyncControl
r�rr�)rM�oid�criticalr�r�r�r�rCr�r�r�rj)�res_controlsrjr�s  �r*�update_cachez0cmd_user_syncpasswords.run.<locals>.update_cache�	s�����|�$�q�(�(�(���?�&�&�*B�B�B�B�'+�L��O�$�%(��a��%9�;L�$M�D�!�%��
�
�6�0�1�5�6�1�D�4I�4I�!�4L�M�N�3�	3�
.����s�4�9�9�;�?O�0P�P�Q�K�
�J�J�"�"�;�/�r,c���t|�dkDsJ�|djdk(sJ�|jjd�}t	t
j|�}d|z}t|d�}�jj|tjdtj|�zg��}t|�dk(ryy	)
Nrrre�KEY=%sz(lastCookie=%s)r�rTF)
rMr r�rhrr
rNr�r�r�r�rPr�)r�r"r�r�r��
lastCookier�r�s       �r*�check_objectz0cmd_user_syncpasswords.run.<locals>.check_object
s�����|�$�q�(�(�(���?�&�&�*B�B�B�B�$���>�>�u�E�J��X�-�-�z�:�C��C��B��\�!�_�-�J��*�*�#�#��3�>�>�/@�(+�(9�(9�*�(E�0G�*,�$�.�C��3�x�1�}��r,c���t|�dkDsJ�|djdk(sJ�|jjd�}t	t
j|�}d|z}t|d�}�
jj�	�
jj|tjddg��}t|�dk(r^d|zd	zd
|zzdtjttj���zz}�
jj!|�ncd|zdzd
zd
|zzdzdtjttj���zz}�
jj#|��
jj%�y#t&$r$}	�
jj)�Yd}	~	yd}	~	wwxYw)Nrrrer%z(objectClass=*)r&r�r�zobjectClass: userCookie
zlastCookie: %s
r�rzreplace: lastCookie
r)rMr r�rhrr
rNr�r��transaction_startr�r�rPrCr�r�r�rj�transaction_commitr��transaction_cancel)r�r"r�r�r�r&r�r�rjr�r�s          �r*�
update_objectz1cmd_user_syncpasswords.run.<locals>.update_object!
s�����|�$�q�(�(�(���?�&�&�*B�B�B�B�$���>�>�u�E�J��X�-�-�z�:�C��C��B��\�!�_�-�J��J�J�(�(�*�
0��j�j�'�'�R�s�~�~�3D�/;�n�(�>���s�8�q�=� *�b� 1� ;�!<� 2�j� A�!B�!4�c�n�n�S�����EU�6V� V�!W�H��J�J�'�'��1�",��"3�"8�#9�"9�#:�#5�
�"C�#D�#;�	#;�
#6����s�4�9�9�;�GW�8X�"X�#Y�K��J�J�*�*�;�7��
�
�-�-�/�
���
0��
�
�-�-�/�/���
0�s�	DF!�!	G�*G	�	Gc���	�jjt�j�tj
�j�j��}�dt|�z�d}|D]8}�||j�}|s�||��	||j�|dz
}�:�|j�t|�dk(ry��)N)r�r�r�rdzdirsync_loop(): results %d
rr)
r�r�r�r�r�r�r�r�rMrd)
r��rir��doner'r�r�r�r#r,s
    ������r*�dirsync_loopz0cmd_user_syncpasswords.run.<locals>.dirsync_loopC
s������j�j�'�'�3�t�7J�7J�3K�.1�.?�.?�.2�.@�.@�15�1F�1F�(�H���6��S��A�B�����A�'��3�<�<�8�D��%�b�!�,�%�a����6��!�G�B���S�\�\�*��s�8�q�=��r,c
����gd�}ddg}�
jjdtj||d��}|dur	�	d�n�	d	��
jjd
�
jz��
jjd�
jz��
jjd�
jz���|dury|D]�}t|tj�s�
jjd
|z��<|jd�d}|jd�d}�	d|j�d|�d|�d������|j�}y)N)r��
uSNCreated�
uSNChanged�objectClassznotification:1r�z
objectClass=*r�)r�r�r�rd�timeoutTzResuming monitoring
zGetting changes
zdirsyncFilter: %s
zdirsyncControls: %r
r�z
referral: %s
r2rr3z	# Notify z uSNCreated[z
] uSNChanged[z]
)r��search_iteratorr�r�r�r�r�r�r�r<�Messager�r��result)r��notify_attrs�notify_controls�
notify_handler�created�changedr�r0r�r�s        ���r*�	sync_loopz-cmd_user_syncpasswords.run.<locals>.sync_loopU
sK���N�L�/�1B�C�O� �J�J�6�6�/�=@�=N�=N�=I�@O�?A�	7�C�M��t�|��/�0��+�,��I�I�O�O�1�D�4G�4G�G�H��I�I�O�O�3�d�6K�6K�K�L��I�I�O�O�/�$�2C�2C�C�D��N��4���$�	
��!�#�s�{�{�3��I�I�O�O�$4�s�$:�;���'�'�,�/��2���'�'�,�/��2�������'�3�4���	
� �&�&�(�Cr,c�R��d�_d�_tj�}tj�}|dk(rVtj
�tj�}|dk(r)tj�}�d||fz���ytjd�y)NrzDaemonized as pid %d (from %d)
)r�r�rEr��fork�setsid�_exit)�orig_pidrr�r�r�s  ���r*�	daemonizez-cmd_user_syncpasswords.run.<locals>.daemonizew
sy����D�J��D�J��y�y�{�H��'�'�)�C��a�x��	�	���g�g�i���!�8��)�)�+�C��>�#�x��P�Q��L���H�H�Q�Kr,)r�r�rrir�zUsing logfile[%s]
r�zAttached to logfile[%s]
zNo process running.
z#Process %d is not running anymore.
zSending SIGTERM to process %d.
z4Exiting pid %d, command is already running as pid %diXz Wait before connect - sleep(%d)
r�)r�z#Connect to samdb Exception => (%s)
zldb.LdbError(%d) => (%s)
)/r�r�r�r�r�r�rrE�path�exists�abspathr�r
rr�private_pathrRr�r�r�r�r�r��resource�	getrlimit�
RLIMIT_NOFILE�
RLIM_INFINITYr�r�r�r�r�r�rr�rDr�r��kill�signal�SIGTERMr�r�rr��LdbErrorr)/r�r�r�rdr�r�r�r�r�r�r�r�r�r�rr�lower_attrsr�rrr>rDrI�maxfdr��fd�conflictr��retry_sleep_min�retry_sleep_max�retry_sleepr�e7�enum�estrr'r�r�r0r�r�r�r�r�r�r�r#r,s/````  `                           @@@@@@@@@@@@@r*r�zcmd_user_syncpasswords.run~s�������(�(�*�����������
���
�#��%�"�#f�g�g� �"�#m�n�n��!�"�#b�c�c��!�"�#b�c�c��}�"�#b�c�c��U�"�"�#b�c�c��"�"�#b�c�c��U�"�"�#a�b�b���%�"�#d�e�e��T�>���~�"�#T�U�U���%�"�#W�X�X�����4���R�S�S��T�>�g�o��Q�R�R�������T�U�U����7�7�>�>�&�)�"�#?�&�#H�I�I��"�'�'�/�/�&�"9�9�L��L����!�4�<�#&�#9�#9�4�;Q�;Q�@S� S�S� =�	=�
!�!�N� 
��-�0
�
�
�����y� �2�7�7�?�?�4�7�7�3G�3G�HY�3Z�#[�[�� ��"�#9�:�:�!�2�2�:�>�N�.<�=��1�7�7�9�=�K�=�>�
*���7�7�9�K�/�"�q�c�)�N�
*�� ���� �+�+�J�7�"�#J�K�K����"�-�-�i�8�"�#I�J�J����"�-�-�j�9�"�#J�K�K����"�-�-�h�7���w�w�~�~�i�0� $��� 4� 4�Y� ?�I����,�,�-K�L�I� �9�,��
�	�*S	�S	�j	?�2	+�>9	�v1	�f	�"	�" 	�D	�	�$ 	)�D
	� ��D�N��2�2�t�~�~�;?�3�A�D�J��L������&�&�x�'=�'=�>�q�A�E���.�.�.����G�G�G�R�[�[�2�;�;�%>����%K�U�S�E��I�I�O�O�1�G�;�<��A�u�o�
����;����H�H�R�L�	
�
�G�G�E�1���G�G�E�1���G�G�E�1���H�H�U�O��/�7�;�<�"�D�L���-�i�8������'��/�0����>��(�(�*�+��4� ���6��$�$�&�
'��G�G�D�$�$�f�n�n�5����U�!�y�y�{�D�,<�,<�Y>� >�?�
?��T�>��K��2�9�9�;�����d�l��O�!�O���~�����-���*�*�$��!�#��?�+�M�N��J�J�{�+�)�A�o���/�1�"1�K��.����?�@��!%�!:�!:�t�~�~�!:�!N�D�J��*�*�$� 
E��$��5�d�l�@	�4����G>��B�����h!��!%�D�J��B�S�H�I��4�'��(�����<�<�
E�!�w�w���t�!��
��4��d�|�C�D�D��
E�sH�Z�Z�!Z%�:[�	Z"�!Z"�%	[�.[
�
[�\�%#\
�
\)
FNNNNNNNNNNNN)r�r�r�r�r�r�r�r�r�r�rr�r�r�r�r�r�r�s@r*r�r��sD���{�x7�:�H��)�)��-�-���	�'�=�*�<�	A�	�}�#R�Y\�'�k�	;��t�W�#N�UX��3�	(��z� I�PS�+�(�	<��~�C�+�&�\�	;�	�$�*�"�E�8K�	M�	�z� P�WZ�6�X�	G��{�!B�"�E��	B��{��E�3�)�	E�	�z� ?�"�E��	B��}�K�"�E��	E�3�M�<9=��/3�KO�(,�	]	r,r�c��eZdZdZdZedddedd��ed	d
e��gZdgZe	je	je	jd
�Z
		dd�Zy)�
cmd_user_edit: Modify User AD object.

This command will allow editing of a user account in the Active Directory
domain. You will then be able to add or change attributes and their values.

The username specified on the command is the sAMAccountName.

The command may be run from the root userid or another authorized userid.

The -H or --URL= option can be used to execute the command against a remote
server.

Example1:
samba-tool user edit User1 -H ldap://samba.samdom.example.com \
    -U administrator --password=passw1rd

Example1 shows how to edit a user's attributes in the domain against a remote
LDAP server.

The -H parameter is used to specify the remote target server.

Example2:
samba-tool user edit User2

Example2 shows how to edit a user's attributes in the domain against a local
LDAP server.

Example3:
samba-tool user edit User3 --editor=nano

Example3 shows how to edit a user's attributes in the domain against a local
LDAP server using the 'nano' editor.

Option --editor: Editor to use instead of the system default, or 'vi' if no system default is set.
cmd_user_show: Display a user AD object.

This command displays a user account and its attributes in the Active
Directory domain.
The username specified on the command is the sAMAccountName.

The command may be run from the root userid or another authorized userid.

The -H or --URL= option can be used to execute the command against a remote
server.

The '--attributes' parameter takes a comma separated list of the requested
attributes. Without '--attributes' or with '--attributes=*' all usually
available attributes are selected.
Hidden attributes in addition to all usually available attributes can be
selected with e.g. '--attributes=*,msDS-UserPasswordExpiryTimeComputed'.
If a specified attribute is not available on a user object it's silently
omitted.

Attributes with time values can take an additional format specifier, which
converts the time value into the requested format. The format can be specified
by adding ";format=formatSpecifier" to the requested attribute name, whereby
"formatSpecifier" must be a valid specifier. The syntax looks like:

  --attributes=attributeName;format=formatSpecifier

The following format specifiers are available:
  - GeneralizedTime (e.g. 20210224113259.0Z)
  - UnixTime        (e.g. 1614166392)
  - TimeSpec        (e.g. 161416639.267546892)

Attributes with an original NTTIME value of 0 and 9223372036854775807 are
treated as non-existing value.

Example1:
samba-tool user show User1 -H ldap://samba.samdom.example.com \
    -U administrator --password=passw1rd

Example1 shows how to display a user's attributes in the domain against a remote
LDAP server.

The -H parameter is used to specify the remote target server.

Example2:
samba-tool user show User2

Example2 shows how to display a user's attributes in the domain against a local
LDAP server.

Example3:
samba-tool user show User2 --attributes=objectSid,memberOf

Example3 shows how to display a user's objectSid and memberOf attributes.

Example4:
samba-tool user show User2 \
    --attributes='pwdLastSet;format=GeneralizedTime,pwdLastSet;format=UnixTime'

The result of Example 4 provides the pwdLastSet attribute values in the
specified format:
    dn: CN=User2,CN=Users,DC=samdom,DC=example,DC=com
    pwdLastSet;format=GeneralizedTime: 20210120105207.0Z
    pwdLastSet;format=UnixTime: 1611139927
Option --attributes: Comma separated list of attributes, which will be printed. Possible supported virtual attributes: virtualGeneralizedTime, virtualUnixTime, virtualTimeSpec.
cmd_user_move: Move a user to an organizational unit/container.

    This command moves a user account into the specified organizational unit
    or container.
    The username specified on the command is the sAMAccountName.
    The name of the organizational unit or container can be specified as a
    full DN or without the domainDN component.

    The command may be run from the root userid or another authorized userid.

    The -H or --URL= option can be used to execute the command against a remote
    server.

    Example1:
    samba-tool user move User1 'OU=OrgUnit,DC=samdom,DC=example,DC=com' \
        -H ldap://samba.samdom.example.com -U administrator

    Example1 shows how to move a user User1 into the 'OrgUnit' organizational
    unit on a remote LDAP server.

    The -H parameter is used to specify the remote target server.

    Example2:
    samba-tool user move User1 CN=Users

    Example2 shows how to move a user User1 back into the CN=Users container
    on the local server.
    z*%prog <username> <new_parent_dn> [options]r`rarbrcrdrer��
new_parent_dnr�Nc�V�|j�}|j|d��}t|t�||��}	t	j
|	|	j
��}
dtjt	j|�fz}	|	j|
|tj��}|dj}
	|	j|�}t	j
|	t#|
��}|j%t'|
�d
z
�|j)|�	|	j+|
|�|j,j/d|�d
|�d��y#t$rtd|z��wxYw#t $r}td|�d	|����d}~wwxYw#t $r}td|z|��d}~wwxYw)NTr�r�r^r_rr�zInvalid new_parent_dn "z": rzFailed to move user "%s"zMoved user "z" into "z"
)r�r�r
r	r�rgr�rrcr�r�r�r�r�rrr�r��remove_base_componentsrM�add_base�renamer�r�)r�r�r|r�r�r�rdr�r�r�r�r�r�r��full_new_parent_dnr��full_new_user_dns                 r*r�zcmd_user_move.run�s���
�
#�
#�
%���(�(��d�(�C���!�.�*:�"'�B�0���F�F�5�%�/�/�"3�4�	�=��,�,�c�.?�.?��.I�J�K��	H��,�,�I�*0�%(�%6�%6��8�C��!�f�i�i�G�	3�!&�!=�!=�m�!L��
�6�6�%��W��6���/�/��G��q�0@�A��!�!�"4�5�	I��L�L��"2�3�	
�	�	���!�#5�7�	8��#�	H��9�X�F�G�G�	H��
�	3�� -�q� 2�3�
3��	3���	I��9�H�D�a�H�H��	I�s<�1E�:E)�F�E&�)	F�2F�F�	F(�F#�#F(r�r�r�r,r*r{r{�sk���:<�H�	�t�W�#J���S�	2��M�
�o�.�J��)�)��.�.��-�-���EI� $�!8r,r{c�N�eZdZdZdZedddedd��ed	d
e��edd
e��edde��edded��eddd��edde��edde��edde��edde��g
Zd gZe	je	je	jd!�Z
					d%d#�Zd$�Zy")&�cmd_user_renamea�Rename a user and related attributes.

    This command allows setting the user's name related attributes. The user's
    CN will be renamed automatically.
    The user's new CN will be made up by combining the given-name, initials
    and surname. A dot ('.') will be appended to the initials automatically
    if required.
    Use the --force-new-cn option to specify the new CN manually and the
    --reset-cn option to reset this change.

    Use an empty attribute value to remove the specified attribute.

    The username specified on the command is the sAMAccountName.

    The command may be run locally from the root userid or another authorized
    userid.

    The -H or --URL= option can be used to execute the command against a remote
    server.

    Example1:
    samba-tool user rename johndoe --surname='Bloggs'

    Example1 shows how to change the surname of a user 'johndoe' to 'Bloggs' on
    the local server. The user's CN will be renamed automatically, based on
    the given name, initials and surname.

    Example2:
    samba-tool user rename johndoe --force-new-cn='John Bloggs (Sales)' \
        --surname=Bloggs -H ldap://samba.samdom.example.com -U administrator

    Example2 shows how to rename the CN of a user 'johndoe' to 'John Bloggs (Sales)'.
    Additionally the surname ('sn' attribute) is set to 'Bloggs'.
    The -H parameter is used to specify the remote target server.
    Options:
    --force-new-cn NEW_CN  Specify a new CN (RDN) instead of using a combination of the given name, initials and surname.
    --reset-cn             Set the CN (RDN) to the combination of the given name, initials and surname. Use this option to reset the changes made with the --force-new-cn option.
    --display-name         New display name
    --samaccountname       New account name (sAMAccountName/logon name)
    --upn                  New user principal name
			dd�Zy)�cmd_user_add_unix_attrsa�
Add RFC2307 attributes to a user.

This command adds Unix attributes to a user account in the Active
Directory domain.

The username specified on the command is the sAMAccountName.

You must supply a unique uidNumber.

Unix (RFC2307) attributes will be added to the user account.

If you supply a gidNumber with '--gid-number', this will be used for the
user's Unix 'gidNumber' attribute.

If '--gid-number' is not supplied, the user's Unix gidNumber will be set to the
one found in 'Domain Users'; this means Domain Users must have a gidNumber
attribute.

If '--unix-home' is not supplied, the user's Unix home directory will be
set to /home/DOMAIN/username

If '--login-shell' is not supplied, the user's Unix login shell will be
set to '/bin/sh'

If '--gecos' is not supplied, the user's Unix gecos field will be set to the
user's 'CN'

Add 'idmap_ldb:use rfc2307 = Yes' to the smb.conf on DCs, to use these
attributes for UID/GID mapping.

The command may be run from the root userid or another authorised userid.
The -H or --URL= option can be used to execute the command against a
remote server.

Example1:
samba-tool user addunixattrs User1 10001

Example1 shows how to add RFC2307 attributes to a domain enabled user
account, Domain Users will be set as the user's gidNumber.

The user's Unix ID will be set to '10001', provided this ID isn't already
in use.

Example2:
samba-tool user addunixattrs User2 10002 --gid-number=10001 --unix-home=/home/User2

Example2 shows how to add RFC2307 attributes to a domain enabled user
account.

The user's Unix ID will be set to '10002', provided this ID isn't already
in use.

The user's gidNumber attribute will be set to '10001'

The user's Unix home directory will be set to '/home/user2'

Example3:
samba-tool user addunixattrs User3 10003 --gid-number=10001 --login-shell=/bin/false --gecos='User3 test'

Example3 shows how to add RFC2307 attributes to a domain enabled user
account.

The user's Unix ID will be set to '10003', provided this ID isn't already
in use.

The user's gidNumber attribute will be set to '10001'

The user's Unix login shell will be set to '/bin/false'

The user's gecos field will be set to 'User3 test'

Example4:
samba-tool user addunixattrs User4 10004 --gid-number=10001 --unix-home=/home/User4 --login-shell=/bin/bash --gecos='User4 test'

Example4 shows how to add RFC2307 attributes to a domain enabled user
account.

The user's Unix ID will be set to '10004', provided this ID isn't already
in use.

The user's gidNumber attribute will be set to '10001'

The user's Unix home directory will be set to '/home/User4'

The user's Unix login shell will be set to '/bin/bash'

The user's gecos field will be set to 'User4 test'

z'%prog <username> <uid-number> [options]r`rarbrcrdrer|zUser's Unix/RFC2307 GIDrsrxryrr�r}r~rzr{r�z
uid-numberr�Nc	��|j�}|j|�}
t|t�|
|��}|j	�}dj|�}|j
|tj|��}t|�dk7rtdj|���djtj|��}|j
|tj|��}t|�dk(rtdj|���|dj}d|dvrtd	j|���|
�|dd
d}
|�|dd
d}|�`djtjd��}	|j
|tj|��}|D]}|jd�}�	|	�d}	|�P|j�}|�td��|jd�}|j!d|�j!d|�}|jd�s|j"j%d�dj||||
||	|�}|j'�	|j)|�|j+�|j"j%dj|��y#t$rtd
��wxYw#tj,$r }tdj||���d}~wwxYw)Nr�z%(&(objectClass=person)(uidNumber={})))r�r�rz#uidNumber {} is already being used.z(samaccountname={})zUnable to find user '{}'�	uidNumberzUser {} is already a Unix user.r�zDomain Users�	gidNumberz0Domain Users does not have a gidNumber attributez/bin/shzUnable to find Unix domainztemplate homedirz%Dz%Ur�z�You are setting a Unix/RFC2307 UID & GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' in smb.conf to use the attributes for XID/SID-mapping.
z�
dn: {0}
changetype: modify
add: uidNumber
uidNumber: {1}
add: gidnumber
gidNumber: {2}
add: gecos
gecos: {3}
add: uid
uid: {4}
add: loginshell
loginShell: {5}
add: unixHomeDirectory
unixHomeDirectory: {6}
z Modified User '{}' successfully
z Failed to modify user '{0}': {1})r�r�r
r	r�r�r�r�r�rMrr�r�r�r�rYrIr�r�r)rjr*rP)r�r�r�r�r�r�rdr�r�r�r�r�r�r�r�rlr�r�r��
search_filterr�unix_domain�tmpl�user_modr�s                         r*r�zcmd_user_add_unix_attrs.run_
s���
#�
#�
%���(�(��,���!�.�*:�"'�B�0���?�?�$��:��6�*�%�	��l�l�8�!$�!2�!2�&,��.��
��H��M��D� &��z� 2�4�
4�'�-�-�c�.?�.?��.I�J���l�l�8�!$�!2�!2�&,��.��
��H��M��9�@�@��J�K�K��a�&�)�)���#�a�&� ��@� &��x� 0�2�
2��=���F�4�L��O�E��;��a�&��,�q�/�C���2�%�v�c�&7�&7��&G�H�
�
;��l�l�8�),�):�):�.;�#�=���4�C�"�w�w�{�3�J�4���#�K����3�3�5�K��"�"�#?�@�@��6�6�,�-�D����T�;�7�?�?��h�O�I��v�v�-�.��I�I�O�O�1�
2�
��F�7�J�
�E�3��Y�O�	�"	���!�	/����h�'�

�$�$�&��I�I�O�O�?�#�V�H�-�
/��_�
;�"�$:�;�;�
;��T�|�|�	5��A� &��x�� 3�5�
5��	5�s$�:J4�(K�4K	�K?�K:�:K?)	NNNNNNNNNr�r�r,r*r�r��s���[�z9�H�	�t�W�#J���S�	2��~�$=�C�H��}�#G��	���%F��	��y�@�s�K��w�;�#�F�
�M��l�+�J��)�)��.�.��-�-�
��BF�AE�.2�c/r,r�c��eZdZdZdZedddedd��ed	d
e��gZdgZe	je	je	jd
�Z
						dd�Zy)�cmd_user_unlockazUnlock a user account.

    This command unlocks a user account in the Active Directory domain. The
    username specified on the command is the sAMAccountName. The username may
    also be specified using the --filter option.

    The command may be run from the root userid or another authorized userid.
    The -H or --URL= option can be used to execute the command against a remote
    server.

    Example:
    samba-tool user unlock user1 -H ldap://samba.samdom.example.com \
        --username=Administrator --password=Passw0rd

    The example shows how to unlock a user account in the domain against a
    remote LDAP server. The -H parameter is used to specify the remote target
    server. The --username= and --password= options are used to pass the
    username and password of a user that exists on the remote server and is
    authorized to issue the command on that server.
�Zy)�cmd_user_sensitivez2Set/unset or show UF_NOT_DELEGATED for an account.z-%prog <accountname> [(show|on|off)] [options]r�r`rarbrcrdre�accountname�cmdNc��|dvrtd|z��|j�}|j|d��}t|t	�||��}	dtj|�z}
cmd_user: User management. Subcommands include add, create, disable, enable, getgroups, setprimarygroup, getpassword, syncpasswords, edit, move, unlock, addunixattrs and sensitive.