1 # user management
3 # user show command
5 # Copyright Jelmer Vernooij 2010 <jelmer@samba.org>
6 # Copyright Theresa Halloran 2011 <theresahalloran@gmail.com>
8 # This program is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # This program is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 import samba.getopt as options
23 from samba import dsdb, ldb
24 from samba.auth import system_session
25 from samba.netcmd import Option, common
26 from samba.samdb import SamDB
28 from .common import GetPasswordCommand
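class cmd_user_show(GetPasswordCommand):
    """Display a user AD object.

    This command displays a user account and its attributes in the Active
    Directory domain.
    The username specified on the command is the sAMAccountName.

    The command may be run from the root userid or another authorized userid.

    The -H or --URL= option can be used to execute the command against a remote
    server.

    The '--attributes' parameter takes a comma separated list of the requested
    attributes. Without '--attributes' or with '--attributes=*' all usually
    available attributes are selected.
    Hidden attributes in addition to all usually available attributes can be
    selected with e.g. '--attributes=*,msDS-UserPasswordExpiryTimeComputed'.
    If a specified attribute is not available on a user object it is silently
    omitted.

    Attributes with time values can take an additional format specifier, which
    converts the time value into the requested format. The format can be specified
    by adding ";format=formatSpecifier" to the requested attribute name, whereby
    "formatSpecifier" must be a valid specifier. The syntax looks like:

    --attributes=attributeName;format=formatSpecifier

    The following format specifiers are available:
      - GeneralizedTime (e.g. 20210224113259.0Z)
      - UnixTime        (e.g. 1614166392)
      - TimeSpec        (e.g. 161416639.267546892)

    Attributes with an original NTTIME value of 0 and 9223372036854775807 are
    treated as a non-existing value.

    Example1:
    samba-tool user show User1 -H ldap://samba.samdom.example.com \\
        -U administrator --password=passw1rd

    Example1 shows how to display a user's attributes in the domain against a
    remote LDAP server.

    The -H parameter is used to specify the remote target server.

    Example2:
    samba-tool user show User2

    Example2 shows how to display a user's attributes in the domain against a
    local LDAP server.

    Example3:
    samba-tool user show User2 --attributes=objectSid,memberOf

    Example3 shows how to display a user's objectSid and memberOf attributes.

    Example4:
    samba-tool user show User2 \\
        --attributes='pwdLastSet;format=GeneralizedTime,pwdLastSet;format=UnixTime'

    The result of Example 4 provides the pwdLastSet attribute values in the
    specified format:
        dn: CN=User2,CN=Users,DC=samdom,DC=example,DC=com
        pwdLastSet;format=GeneralizedTime: 20210120105207.0Z
        pwdLastSet;format=UnixTime: 1611139927
    """
    # NOTE(review): Example1 above passes --password on the command line. A
    # secret given that way lands in shell history and is readable by other
    # local users through the process list for as long as the command runs.
    # Leaving the option out so that the credentials option group can obtain
    # the password another way is the safer habit -- confirm the prompting
    # behaviour against options.CredentialsOptions before changing the help.
    synopsis = "%prog <username> [options]"

    # NOTE(review): the --attributes help names "virtual*" attributes while the
    # class docstring documents the ";format=" syntax; the two descriptions may
    # have drifted apart -- verify against GetPasswordCommand.
    takes_options = [
        Option("-H", "--URL", help="LDB URL for database or target server",
               type=str, metavar="URL", dest="H"),
        Option("--attributes",
               help=("Comma separated list of attributes, "
                     "which will be printed. "
                     "Possible supported virtual attributes: "
                     "virtualGeneralizedTime, virtualUnixTime, virtualTimeSpec."),
               type=str, dest="user_attrs"),
    ]

    takes_args = ["username"]
    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "credopts": options.CredentialsOptions,
        "versionopts": options.VersionOptions,
    }

    def run(self, username, credopts=None, sambaopts=None, versionopts=None,
            H=None, user_attrs=None):
        """Look up one normal user account and write it out as LDIF.

        Args:
            username: sAMAccountName of the account to display.
            credopts: credentials option group; supplies the credentials
                used to open the database connection.
            sambaopts: Samba option group; supplies the loadparm context.
            versionopts: accepted for the option-group interface, not read
                by this method.
            H: LDB URL of the database or target server (None is passed
                through to SamDB unchanged).
            user_attrs: comma separated attribute list from --attributes;
                when empty or None every attribute ("*") is requested.
        """
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp, fallback_machine=True)
        samdb = SamDB(url=H, session_info=system_session(),
                      credentials=creds, lp=lp)

        # Helper from the base class (not shown on this page); called before
        # any attribute names are parsed or searched for.
        self.inject_virtual_attributes(samdb)

        attrs = self.parse_attributes(user_attrs) if user_attrs else ["*"]

        # The username comes straight from the command line, so it is passed
        # through ldb.binary_encode() before being interpolated: filter
        # metacharacters such as '*', '(' or ')' in the name must not be able
        # to change the shape of the search. The sAMAccountType clause
        # restricts the match to normal user accounts.
        search_filter = ("(&(sAMAccountType=%d)(sAMAccountName=%s))" %
                         (dsdb.ATYPE_NORMAL_ACCOUNT,
                          ldb.binary_encode(username)))

        domaindn = samdb.domain_dn()

        # NOTE(review): decrypt=False and support_pw_attrs=False presumably
        # keep password material out of this command's output, unlike the
        # sibling password-reading commands -- confirm against
        # GetPasswordCommand.get_account_attributes before relaxing either.
        obj = self.get_account_attributes(samdb, username,
                                          basedn=domaindn,
                                          filter=search_filter,
                                          scope=ldb.SCOPE_SUBTREE,
                                          attrs=attrs,
                                          decrypt=False,
                                          support_pw_attrs=False)
        user_ldif = common.get_ldif_for_editor(samdb, obj)
        self.outf.write(user_ldif)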