#!/usr/bin/python3
# -*- coding: utf-8 -*-
#
# Univention AD Connector
# control the password sync communication with the ad password service
#
# Copyright 2004-2022 Univention GmbH
#
# https://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <https://www.gnu.org/licenses/>.
import ldap
import univention.debug2 as ud
import univention.connector.ad
import hashlib
import binascii
import time
from Crypto.Cipher import DES, ARC4
import Crypto
from samba.dcerpc import drsuapi, lsa, misc, security, drsblobs
from samba.ndr import ndr_unpack
from samba import NTSTATUSError
from struct import pack
import struct
import traceback
import samba.dcerpc.samr
import heimdal
[docs]def nt_password_to_arcfour_hmac_md5(nt_password):
# all arcfour-hmac-md5 keys begin this way
key = b'0\x1d\xa1\x1b0\x19\xa0\x03\x02\x01\x17\xa1\x12\x04\x10'
for i in range(0, 16):
o = nt_password[2 * i:2 * i + 2]
key += chr(int(o, 16)).encode('ISO8859-1')
return key
[docs]def mySamEncryptNTLMHash(hash, key):
# [MS-SAMR] Section 2.2.11.1.1
Block1 = hash[:8]
Block2 = hash[8:]
Key1 = key[:7]
Key1 = transformKey(Key1)
Key2 = key[7:14]
Key2 = transformKey(Key2)
Crypt1 = DES.new(Key1, DES.MODE_ECB)
Crypt2 = DES.new(Key2, DES.MODE_ECB)
plain1 = Crypt1.encrypt(Block1)
plain2 = Crypt2.encrypt(Block2)
return plain1 + plain2
[docs]def deriveKey(baseKey):
# 2.2.11.1.3 Deriving Key1 and Key2 from a Little-Endian, Unsigned Integer Key
# Let I be the little-endian, unsigned integer.
# Let I[X] be the Xth byte of I, where I is interpreted as a zero-base-index array of bytes.
# Note that because I is in little-endian byte order, I[0] is the least significant byte.
# Key1 is a concatenation of the following values: I[0], I[1], I[2], I[3], I[0], I[1], I[2].
# Key2 is a concatenation of the following values: I[3], I[0], I[1], I[2], I[3], I[0], I[1]
key = pack('<L', baseKey)
key1 = (key[0], key[1], key[2], key[3], key[0], key[1], key[2])
key2 = (key[3], key[0], key[1], key[2], key[3], key[0], key[1])
return transformKey(key1), transformKey(key2)
[docs]def removeDESLayer(cryptedHash, rid):
Key1, Key2 = deriveKey(rid)
Crypt1 = DES.new(Key1, DES.MODE_ECB)
Crypt2 = DES.new(Key2, DES.MODE_ECB)
decryptedHash = Crypt1.decrypt(cryptedHash[:8]) + Crypt2.decrypt(cryptedHash[8:])
return decryptedHash
[docs]def decrypt(key, data, rid):
salt = data[0:16]
# check_sum = data[16:]
md5 = hashlib.new('md5')
md5.update(key)
md5.update(salt)
finalMD5 = md5.digest()
cipher = ARC4.new(finalMD5)
plainText = cipher.decrypt(data[16:])
hash = removeDESLayer(plainText[4:], rid)
return binascii.hexlify(hash)
[docs]def calculate_krb5keys(supplementalCredentialsblob):
spl = supplementalCredentialsblob
#cleartext_hex = None
keys = []
keytypes = []
kvno = 0
context = heimdal.context()
# for i in range(0, spl.sub.num_packages):
# pkg = spl.sub.packages[i]
# if pkg.name != "Primary:CLEARTEXT":
# continue
# cleartext_hex = pkg.data
krb5_old_hex = None
for i in range(0, spl.sub.num_packages):
pkg = spl.sub.packages[i]
if pkg.name != "Primary:Kerberos":
continue
krb5_old_hex = pkg.data
if krb5_old_hex is not None:
krb5_old_raw = binascii.a2b_hex(krb5_old_hex)
krb5_old = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb5_old_raw, allow_remaining=True)
assert krb5_old.version == 3
for k in krb5_old.ctr.keys:
if k.keytype not in keytypes:
ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr3.key.keytype: %s" % k.keytype)
try:
key = heimdal.keyblock_raw(context, k.keytype, k.value)
krb5SaltObject = heimdal.salt_raw(context, krb5_old.ctr.salt.string)
keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno))
keytypes.append(k.keytype)
except Exception:
if k.keytype == 4294967156: # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this
ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, pkg.name))
else:
ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, pkg.name))
ud.debug(ud.LDAP, ud.ERROR, traceback.format_exc())
krb5_new_hex = None
for i in range(0, spl.sub.num_packages):
pkg = spl.sub.packages[i]
if pkg.name != "Primary:Kerberos-Newer-Keys":
continue
krb5_new_hex = pkg.data
if krb5_new_hex is not None:
krb_blob = binascii.unhexlify(krb5_new_hex)
krb = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb_blob)
assert krb.version == 4
for k in krb.ctr.keys:
if k.keytype not in keytypes:
ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ctr4.key.keytype: %s" % k.keytype)
try:
key = heimdal.keyblock_raw(context, k.keytype, k.value)
krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string)
keys.append(heimdal.asn1_encode_key(key, krb5SaltObject, kvno))
keytypes.append(k.keytype)
except Exception:
if k.keytype == 4294967156: # in all known cases W2k8 AD uses keytype 4294967156 (=-140L) for this
ud.debug(ud.LDAP, ud.INFO, "calculate_krb5key: ignoring unknown key with special keytype %s in %s" % (k.keytype, pkg.name))
else:
ud.debug(ud.LDAP, ud.ERROR, "calculate_krb5key: krb5Key with keytype %s could not be parsed in %s. Ignoring this keytype." % (k.keytype, pkg.name))
ud.debug(ud.LDAP, ud.ERROR, traceback.format_exc())
return keys
[docs]def set_password_in_ad(connector, samaccountname, pwd, reconnect=False):
# print "Static Session Key: %s" % (samr.session_key,)
if reconnect:
if connector.dom_handle:
connector.samr.Close(connector.dom_handle)
connector.samr = None
if not connector.samr:
connector.open_samr()
user_handle = None
info = None
try:
sam_accountname = lsa.String()
sam_accountname.string = samaccountname
(rids, types) = connector.samr.LookupNames(connector.dom_handle, [sam_accountname, ])
rid = rids.ids[0]
user_handle = connector.samr.OpenUser(connector.dom_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, rid)
userinfo18 = samba.dcerpc.samr.UserInfo18()
bin_hash = binascii.a2b_hex(pwd)
enc_hash = mySamEncryptNTLMHash(bin_hash, connector.samr.session_key)
samr_Password = samba.dcerpc.samr.Password()
samr_Password.hash = list(enc_hash)
userinfo18.nt_pwd = samr_Password
userinfo18.nt_pwd_active = 1
userinfo18.password_expired = 0
info = connector.samr.SetUserInfo(user_handle, 18, userinfo18)
finally:
if user_handle:
connector.samr.Close(user_handle)
return info
[docs]def decrypt_supplementalCredentials(connector, spl_crypt):
assert len(spl_crypt) >= 20
confounder = spl_crypt[0:16]
enc_buffer = spl_crypt[16:]
m5 = hashlib.md5()
m5.update(connector.drs.user_session_key)
m5.update(confounder)
enc_key = m5.digest()
rc4 = Crypto.Cipher.ARC4.new(enc_key)
plain_buffer = rc4.decrypt(enc_buffer)
(crc32_v) = struct.unpack("<L", plain_buffer[0:4])
attr_val = plain_buffer[4:]
crc32_c = binascii.crc32(attr_val) & 0xffffffff
assert int(crc32_v[0]) == int(crc32_c), "CRC32 0x%08X != 0x%08X" % (crc32_v[0], crc32_c)
return ndr_unpack(drsblobs.supplementalCredentialsBlob, attr_val)
[docs]def get_password_from_ad(connector, user_dn, reconnect=False):
ud.debug(ud.LDAP, ud.INFO, "get_password_from_ad: Read password from AD: %s" % user_dn)
nt_hash = None
if not connector.drs or reconnect:
connector.open_drs_connection()
req8 = drsuapi.DsGetNCChangesRequest8()
req8.destination_dsa_guid = misc.GUID(connector.computer_guid)
req8.source_dsa_invocation_id = misc.GUID(connector.computer_guid)
req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
req8.naming_context.dn = user_dn
req8.replica_flags = 0
req8.max_object_count = 402
req8.max_ndr_size = 402116
req8.extended_op = drsuapi.DRSUAPI_EXOP_REPL_SECRET
req8.fsmo_info = 0
while True:
(level, ctr) = connector.drs.DsGetNCChanges(connector.drsuapi_handle, 8, req8)
rid = None
unicode_blob = None
keys = []
if ctr.first_object is None:
break
for i in ctr.first_object.object.attribute_ctr.attributes:
if i.attid == 589970:
# DRSUAPI_ATTID_objectSid
if i.value_ctr.values:
for j in i.value_ctr.values:
sid = ndr_unpack(security.dom_sid, j.blob)
_tmp, rid = sid.split()
if i.attid == 589914:
# DRSUAPI_ATTID_unicodePwd
if i.value_ctr.values:
for j in i.value_ctr.values:
unicode_blob = j.blob
ud.debug(ud.LDAP, ud.INFO, "get_password_from_ad: Found unicodePwd blob")
if i.attid == drsuapi.DRSUAPI_ATTID_supplementalCredentials and connector.configRegistry.is_true('%s/ad/mapping/user/password/kerberos/enabled' % connector.CONFIGBASENAME, False):
if i.value_ctr.values:
for j in i.value_ctr.values:
ud.debug(ud.LDAP, ud.INFO, "get_password_from_ad: Found supplementalCredentials blob")
spl = decrypt_supplementalCredentials(connector, j.blob)
keys = calculate_krb5keys(spl)
if rid and unicode_blob:
nt_hash = decrypt(connector.drs.user_session_key, unicode_blob, rid).upper()
if ctr.more_data == 0:
break
ud.debug(ud.LDAP, ud.INFO, "get_password_from_ad: AD Hash: %s" % nt_hash)
return nt_hash, keys
[docs]def password_sync_ucs(connector, key, object):
# externes Programm zum Ãœberptragen des Hash aufrufen
# per ldapmodify pwdlastset auf -1 setzen
ud.debug(ud.LDAP, ud.INFO, "Object DN=%r" % (object['dn'],))
ucs_object = connector._object_mapping(key, object, 'con')
ud.debug(ud.LDAP, ud.INFO, " UCS DN = %r" % (ucs_object['dn'],))
try:
res = connector.lo.lo.search(base=ucs_object['dn'], scope='base', attr=['sambaLMPassword', 'sambaNTPassword', 'sambaPwdLastSet'])
except ldap.NO_SUCH_OBJECT:
ud.debug(ud.LDAP, ud.PROCESS, "password_sync_ucs: The UCS object (%s) was not found. The object was removed." % ucs_object['dn'])
return
sambaPwdLastSet = None
if 'sambaPwdLastSet' in res[0][1]:
sambaPwdLastSet = int(res[0][1]['sambaPwdLastSet'][0])
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs: sambaPwdLastSet: %s" % sambaPwdLastSet)
pwd = None
if 'sambaNTPassword' in res[0][1]:
pwd = res[0][1]['sambaNTPassword'][0]
else:
ud.debug(ud.LDAP, ud.WARN, "password_sync_ucs: Failed to get NT Hash from UCS")
res = connector.lo_ad.lo.search_s(object['dn'], ldap.SCOPE_BASE, '(objectClass=*)', ['pwdLastSet', 'objectSid'])
pwdLastSet = None
if 'pwdLastSet' in res[0][1]:
pwdLastSet = int(res[0][1]['pwdLastSet'][0])
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs: pwdLastSet from AD : %s" % pwdLastSet)
if 'objectSid' in res[0][1]:
str(univention.connector.ad.decode_sid(res[0][1]['objectSid'][0]).split('-')[-1])
# Only sync passwords from UCS to AD when the password timestamp in UCS is newer
if connector.configRegistry.is_true('%s/ad/password/timestamp/check' % connector.CONFIGBASENAME, False):
ad_password_last_set = 0
# If sambaPwdLast was set to 1 the password must be changed on next login. In this
# case the timestamp is ignored and the password will be synced. This behavior can
# be disabled by setting connector/ad/password/timestamp/syncreset/ucs to false. This
# might be necessary if the connector is configured in read mode and the password will be
# synced in two ways: Bug #22653
if sambaPwdLastSet > 1 or (sambaPwdLastSet <= 2 and connector.configRegistry.is_false('%s/ad/password/timestamp/syncreset/ucs' % connector.CONFIGBASENAME, False)):
ad_password_last_set = univention.connector.ad.ad2samba_time(pwdLastSet)
if sambaPwdLastSet:
if int(ad_password_last_set) >= int(sambaPwdLastSet):
# skip
ud.debug(ud.LDAP, ud.PROCESS, "password_sync: Don't sync the password from UCS to AD because the AD password equal or is newer.")
ud.debug(ud.LDAP, ud.INFO, "password_sync: AD pwdlastset: %s (original (%s))" % (ad_password_last_set, pwdLastSet))
ud.debug(ud.LDAP, ud.INFO, "password_sync: UCS pwdlastset: %s" % (sambaPwdLastSet))
return
ud.debug(ud.LDAP, ud.INFO, "password_sync: Sync the passwords from UCS to AD.")
ud.debug(ud.LDAP, ud.INFO, "password_sync: AD pwdlastset: %s (original (%s))" % (ad_password_last_set, pwdLastSet))
ud.debug(ud.LDAP, ud.INFO, "password_sync: UCS pwdlastset: %s" % (sambaPwdLastSet))
pwd_set = False
try:
nt_hash, krb5Key = get_password_from_ad(connector, object['dn'])
except NTSTATUSError as exc:
ud.debug(ud.LDAP, ud.PROCESS, "password_sync_ucs: get_password_from_ad failed with %s, retry with reconnect" % (exc,))
nt_hash, krb5Key = get_password_from_ad(connector, object['dn'], reconnect=True)
if not nt_hash:
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs: No password hash could be read from AD")
res = ''
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs: Hash AD: %s Hash UCS: %s" % (nt_hash, pwd))
if not pwd or pwd.startswith(b'NO PASSWORD'):
# There are variations of "NO PASSWORD" in customer environments:
# 1. "NO PASSWORD*********************" (password_sync_kinit, see below)
# 2. "NO PASSWORDXXXXXX" (old AD-Connector password service?)
# 3. "NO PASSWORDXXXXXXX" (Ticket #2020121821000706)
# 4. "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX" (/usr/share/univention-heimdal/kerberos_now)
# see https://forge.univention.org/bugzilla/buglist.cgi?longdesc=NO%20PASSWORD&longdesc_type=casesubstring
ud.debug(ud.LDAP, ud.PROCESS, "The sambaNTPassword hash is set to %s. Skip the synchronisation of this hash to AD." % pwd)
elif pwd != nt_hash:
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs: Hash AD and Hash UCS differ")
pwd_set = True
try:
res = set_password_in_ad(connector, object['attributes']['sAMAccountName'][0], pwd)
except NTSTATUSError as exc:
ud.debug(ud.LDAP, ud.PROCESS, "password_sync: set_password_in_ad failed with %s, retry with reconnect" % (exc,))
res = set_password_in_ad(connector, object['attributes']['sAMAccountName'][0], pwd, reconnect=True)
newpwdlastset = "-1" # if pwd was set in ad we need to set pwdlastset to -1 or it will be 0
# if sambaPwdMustChange >= 0 and sambaPwdMustChange < time.time():
# password expired, must be changed on next login
# ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs: samba pwd expired, set newpwdLastSet to 0")
# newpwdlastset = "0"
if sambaPwdLastSet <= 1:
newpwdlastset = "0" # User must change his password
elif pwdLastSet and int(pwdLastSet) > 0 and not pwd_set:
newpwdlastset = "1"
if int(newpwdlastset) != 1:
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs: pwdlastset in modlist: %s" % newpwdlastset)
connector.lo_ad.lo.modify_s(object['dn'], [(ldap.MOD_REPLACE, 'pwdlastset', newpwdlastset.encode('ASCII'))])
else:
ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs: don't modify pwdlastset")
[docs]def password_sync_kinit(connector, key, ucs_object):
connector._object_mapping(key, ucs_object, 'ucs')
attr = {'userPassword': b'{KINIT}', 'sambaNTPassword': b'NO PASSWORD*********************', 'sambaLMPassword': b'NO PASSWORD*********************'}
ucs_result = connector.lo.search(base=ucs_object['dn'], attr=attr.keys())
modlist = []
for attribute in attr.keys():
expected_value = attr[attribute]
if attribute in ucs_result[0][1]:
userPassword = ucs_result[0][1][attribute][0]
if userPassword != expected_value:
modlist.append((ldap.MOD_REPLACE, attribute, expected_value))
if modlist:
connector.lo.lo.modify_s(ucs_object['dn'], modlist)
[docs]def password_sync(connector, key, ucs_object):
# externes Programm zum holen des Hash aufrufen
# "kerberos_now"
object = connector._object_mapping(key, ucs_object, 'ucs')
res = connector.lo_ad.lo.search_s(object['dn'], ldap.SCOPE_BASE, '(objectClass=*)', ['objectSid', 'pwdLastSet'])
if connector.isInCreationList(object['dn']):
connector.removeFromCreationList(object['dn'])
ud.debug(ud.LDAP, ud.INFO, "password_sync: Synchronisation of password has been canceled. Object was just created.")
return
pwdLastSet = None
if 'pwdLastSet' in res[0][1]:
pwdLastSet = int(res[0][1]['pwdLastSet'][0])
ud.debug(ud.LDAP, ud.INFO, "password_sync: pwdLastSet from AD: %s (%s)" % (pwdLastSet, res))
if 'objectSid' in res[0][1]:
str(univention.connector.ad.decode_sid(res[0][1]['objectSid'][0]).split('-')[-1])
ucs_result = connector.lo.search(base=ucs_object['dn'], attr=['sambaPwdLastSet', 'sambaNTPassword', 'krb5PrincipalName', 'krb5Key', 'shadowLastChange', 'shadowMax', 'krb5PasswordEnd'])
sambaPwdLastSet = None
if 'sambaPwdLastSet' in ucs_result[0][1]:
sambaPwdLastSet = ucs_result[0][1]['sambaPwdLastSet'][0]
ud.debug(ud.LDAP, ud.INFO, "password_sync: sambaPwdLastSet: %s" % sambaPwdLastSet)
if connector.configRegistry.is_true('%s/ad/password/timestamp/check' % connector.CONFIGBASENAME, False):
# Only sync the passwords from AD to UCS when the pwdLastSet timestamps in AD are newer
ad_password_last_set = 0
# If pwdLastSet was set to 0 the password must be changed on next login. In this
# case the timestamp is ignored and the password will be synced. This behavior can
# be disabled by setting connector/ad/password/timestamp/syncreset/ad to false. This
# might be necessary if the connector is configured in read mode and the password will be
# synced in two ways: Bug #22653
if (pwdLastSet > 1) or (pwdLastSet in [0, 1] and connector.configRegistry.is_false('%s/ad/password/timestamp/syncreset/ad' % connector.CONFIGBASENAME, False)):
ad_password_last_set = univention.connector.ad.ad2samba_time(pwdLastSet)
if sambaPwdLastSet:
if int(sambaPwdLastSet) >= int(ad_password_last_set) and int(sambaPwdLastSet) != 1:
# skip
ud.debug(ud.LDAP, ud.PROCESS, "password_sync: Don't sync the passwords from AD to UCS because the UCS password is equal or newer.")
ud.debug(ud.LDAP, ud.INFO, "password_sync: AD pwdlastset: %s (original (%s))" % (ad_password_last_set, pwdLastSet))
ud.debug(ud.LDAP, ud.INFO, "password_sync: UCS pwdlastset: %s" % (sambaPwdLastSet))
return
ud.debug(ud.LDAP, ud.INFO, "password_sync: Sync the passwords from AD to UCS.")
ud.debug(ud.LDAP, ud.INFO, "password_sync: AD pwdlastset: %s (original (%s))" % (ad_password_last_set, pwdLastSet))
ud.debug(ud.LDAP, ud.INFO, "password_sync: UCS pwdlastset: %s" % (sambaPwdLastSet))
try:
nt_hash, krb5Key = get_password_from_ad(connector, object['dn'])
except Exception as exc:
ud.debug(ud.LDAP, ud.PROCESS, "password_sync: get_password_from_ad failed with %s, retry with reconnect" % (exc,))
nt_hash, krb5Key = get_password_from_ad(connector, object['dn'], reconnect=True)
old_krb5end = ucs_result[0][1].get('krb5PasswordEnd', [None])[0]
old_shadowMax = ucs_result[0][1].get('shadowMax', [None])[0]
old_shadowLastChange = ucs_result[0][1].get('shadowLastChange', [None])[0]
modlist = []
if nt_hash:
ntPwd_ucs = b''
krb5Principal = b''
ntPwd = nt_hash
if 'sambaNTPassword' in ucs_result[0][1]:
ntPwd_ucs = ucs_result[0][1]['sambaNTPassword'][0]
if 'krb5PrincipalName' in ucs_result[0][1]:
krb5Principal = ucs_result[0][1]['krb5PrincipalName'][0]
pwd_changed = False
if ntPwd.upper() != ntPwd_ucs.upper():
if ntPwd in [b'00000000000000000000000000000000', b'NO PASSWORD*********************']:
ud.debug(ud.LDAP, ud.WARN, "password_sync: AD connector password daemon returned 0 for the nt hash. Please check the AD settings.")
else:
pwd_changed = True
modlist.append(('sambaNTPassword', ntPwd_ucs, ntPwd.upper()))
if krb5Principal:
connector.lo.lo.modify_s(ucs_object['dn'], [(ldap.MOD_REPLACE, 'krb5Key', nt_password_to_arcfour_hmac_md5(ntPwd.upper()))])
if pwd_changed:
if krb5Key:
krb5Key_ucs = ucs_result[0][1]['krb5Key'][0]
modlist.append(('krb5Key', krb5Key_ucs, krb5Key))
connector.lo.lo.modify_s(ucs_object['dn'], [(ldap.MOD_REPLACE, 'userPassword', b'{K5KEY}')])
# update shadowLastChange
new_shadowLastChange = str(int(time.time()) // 3600 // 24).encode('ASCII')
if pwdLastSet != 0:
modlist.append(('shadowLastChange', old_shadowLastChange, new_shadowLastChange))
ud.debug(ud.LDAP, ud.INFO, "password_sync: update shadowLastChange to %s for %s" % (new_shadowLastChange, ucs_object['dn']))
# get pw policy
new_shadowMax = None
new_krb5end = None
policies = connector.lo.getPolicies(ucs_object['dn'])
policy = policies.get('univentionPolicyPWHistory', {}).get('univentionPWExpiryInterval')
if policy:
ud.debug(ud.LDAP, ud.INFO, "password_sync: password expiry for %s is %s" % (ucs_object['dn'], policy))
policy_value = policy.get('value', [None])[0]
if policy_value:
new_shadowMax = policy_value
new_krb5end = time.strftime("%Y%m%d000000Z", time.gmtime((int(time.time()) + (int(policy_value) * 3600 * 24)))).encode('ASCII')
# update shadowMax (set to value of univentionPWExpiryInterval, otherwise delete) and
# krb5PasswordEnd (set to today + univentionPWExpiryInterval, otherwise delete)
if (old_shadowMax or new_shadowMax) and (pwdLastSet != 0):
ud.debug(ud.LDAP, ud.INFO, "password_sync: update shadowMax to %s for %s" % (new_shadowMax, ucs_object['dn']))
modlist.append(('shadowMax', old_shadowMax, new_shadowMax))
if (old_krb5end or new_krb5end) and (pwdLastSet != 0):
ud.debug(ud.LDAP, ud.INFO, "password_sync: update krb5PasswordEnd to %s for %s" % (new_krb5end, ucs_object['dn']))
modlist.append(('krb5PasswordEnd', old_krb5end, new_krb5end))
else:
ud.debug(ud.LDAP, ud.ERROR, "password_sync: sync failed, no result from AD")
# update sambaPwdLastSet
if pwdLastSet or pwdLastSet == 0:
newSambaPwdLastSet = str(univention.connector.ad.ad2samba_time(pwdLastSet)).encode('ASCII')
if sambaPwdLastSet:
if sambaPwdLastSet != newSambaPwdLastSet:
modlist.append(('sambaPwdLastSet', sambaPwdLastSet, newSambaPwdLastSet))
ud.debug(ud.LDAP, ud.INFO, "password_sync: sambaPwdLastSet in modlist (replace): %s" % newSambaPwdLastSet)
else:
modlist.append(('sambaPwdLastSet', b'', newSambaPwdLastSet))
ud.debug(ud.LDAP, ud.INFO, "password_sync: sambaPwdLastSet in modlist (set): %s" % newSambaPwdLastSet)
if pwdLastSet == 0:
expiry = int(time.time())
new_krb5end = time.strftime("%Y%m%d000000Z", time.gmtime(expiry)).encode('ASCII')
if old_krb5end:
ud.debug(ud.LDAP, ud.INFO, "password_sync: krb5PasswordEnd in modlist (replace): %s" % new_krb5end)
modlist.append(('krb5PasswordEnd', old_krb5end, new_krb5end))
else:
ud.debug(ud.LDAP, ud.INFO, "password_sync: krb5PasswordEnd in modlist (set): %s" % new_krb5end)
modlist.append(('krb5PasswordEnd', b'', new_krb5end))
if old_shadowMax:
ud.debug(ud.LDAP, ud.INFO, "password_sync: shadowMax in modlist (replace): 0")
modlist.append(('shadowMax', old_shadowMax, b'1'))
else:
ud.debug(ud.LDAP, ud.INFO, "password_sync: shadowMax in modlist (set): 0")
modlist.append(('shadowMax', b'', b'1'))
two_days_ago = int(time.time()) - (86400 * 2)
new_shadowLastChange = str(two_days_ago // 3600 // 24).encode('ASCII')
if old_shadowLastChange:
ud.debug(ud.LDAP, ud.INFO, "password_sync: shadowLastChange in modlist (replace): %s" % new_shadowLastChange)
modlist.append(('shadowLastChange', old_shadowLastChange, new_shadowLastChange))
else:
ud.debug(ud.LDAP, ud.INFO, "password_sync: shadowMax in modlist (set): %s" % new_shadowLastChange)
modlist.append(('shadowLastChange', b'', new_shadowLastChange))
if len(modlist) > 0:
connector.lo.lo.modify(ucs_object['dn'], modlist)
