# Unix SMB/CIFS implementation. # # authentication policy - manage computer-allowed-to-authenticate-to property # # Copyright (C) Catalyst.Net Ltd. 2024 # # Written by Rob van der Linde # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # from samba.domain.models import AuthenticationPolicy, AuthenticationSilo, Group from samba.domain.models.exceptions import ModelError from samba.getopt import CredentialsOptions, HostOptions, Option, SambaOptions from samba.netcmd import Command, CommandError, SuperCommand class cmd_domain_auth_policy_computer_allowed_to_authenticate_to_set(Command): """Set the computer-allowed-to-authenticate-to property based on scenario. --by-group: The computer account (server, workstation) service requires the connecting user to be in GROUP. --by-silo: The computer account (server, workstation) service requires the connecting user to be in SILO. The options above are mutually exclusive, only one can be set at a time. """ synopsis = "%prog -H [options]" takes_optiongroups = { "sambaopts": SambaOptions, "credopts": CredentialsOptions, "hostopts": HostOptions, } takes_options = [ Option("--name", help="Name of authentication policy to view (required).", dest="name", action="store", type=str, required=True), Option("--by-group", help="The computer account (server, workstation) service " "requires the connecting user to be in GROUP.", dest="groupname", action="store", type=str), Option("--by-silo", help="The computer account (server, workstation) service " "requires the connecting user to be in SILO.", dest="siloname", action="store", type=str), ] def run(self, hostopts=None, sambaopts=None, credopts=None, name=None, groupname=None, siloname=None): if groupname and siloname: raise CommandError("Cannot have both --by-group and --by-silo options.") ldb = self.ldb_connect(hostopts, sambaopts, credopts) try: policy = AuthenticationPolicy.get(ldb, cn=name) except ModelError as e: raise CommandError(e) if policy is None: raise CommandError(f"Authentication policy {name} not found.") if groupname: try: group = Group.get(ldb, cn=groupname) except ModelError as e: raise CommandError(e) if group is None: raise CommandError(f"Group {groupname} not found.") sddl = group.get_authentication_sddl() elif siloname: try: silo = AuthenticationSilo.get(ldb, cn=siloname) except ModelError as e: raise CommandError(e) if silo is None: raise CommandError(f"Authentication silo {siloname} not found.") sddl = silo.get_authentication_sddl() else: raise CommandError("Either --by-group or --by-silo expected.") policy.computer_allowed_to_authenticate_to = sddl try: policy.save(ldb) except ModelError as e: raise CommandError(e) # Authentication policy updated successfully. print(f"Updated authentication policy: {name}", file=self.outf) print(f"Updated SDDL: {sddl}", file=self.outf) class cmd_domain_auth_policy_computer_allowed_to_authenticate_to(SuperCommand): """Manage the computer-allowed-to-authenticate-to property.""" subcommands = { "set": cmd_domain_auth_policy_computer_allowed_to_authenticate_to_set(), }