a I_; @sddlZddlZddlmZddlmZddlmZmZddlm Z ddl m Z ddl m Z ddlmZmZmZmZmZd Zd Zd d d dddddZededed ed ediZededededediZgZGdddeZGdddeZdS)N) b64encode)sd_utils) ndr_unpackndr_pack)security) SECINFO_DACL)'get_managed_service_accounts_descriptor)DS_DOMAIN_FUNCTION_2008DS_DOMAIN_FUNCTION_2008_R2DS_DOMAIN_FUNCTION_2012DS_DOMAIN_FUNCTION_2012_R2DS_DOMAIN_FUNCTION_2016KQz$5e1574f6-55df-493e-a671-aaeffca6a100z$d262aae8-41f7-48ed-9f35-56bbb677573dz$82112ba0-7e4c-4a44-89d9-d46c9612bf91z$c3c927a6-cc1d-47c0-966b-be8f9b63d991z$54afcfb9-637a-4251-9f47-4d50e7021211z$f4728883-84dd-483c-9897-274f2ebcf11ez$ff4f9d27-7157-4cb0-80a9-5d6f2b14c8ff)rLMNOPrJrX c@s eZdZdS)DomainUpdateExceptionN)__name__ __module__ __qualname__r r 5/usr/lib/python3/dist-packages/samba/domain_update.pyrJsrc@seZdZdZd&ddZd'ddZd d Zd(d d ZddZddZ ddZ ddZ ddZ ddZ ddZddZddZd d!Zd"d#Zd$d%ZdS)) DomainUpdatez2Check and update a SAM database for domain updatesFTcCs||_||_||_d|_|j|_|j|_|j|_t ||_ t | |_|j|_|jdsxtd|j|_|jdstddS)z :param samdb: LDB database :param fix: Apply the update if the container is missing :param add_update_container: Add the container at the end of the change :raise DomainUpdateException: Fz(CN=Operations,CN=DomainUpdates,CN=Systemz+Failed to add domain update container childz3CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=Systemz#Failed to add revision object childN)samdbfixadd_update_containerZcheck_update_appliedZget_config_basednZ config_dn domain_dnZget_schema_basednZ schema_dnrZSDUtilsrZdom_sidZget_domain_sid domain_sidZget_root_basedndomainupdate_containerZ add_childrrevision_object)selfr#r$r%r r r!__init__Qs        zDomainUpdate.__init__Nc Cs|jj|jdgtjd}t|}|r6t|}|d7}nt}|||t|}t |ddd}|r||kr|j st d||f|j dt |j|fdS)a Apply all updates for a given old and new functional level :param functional_level: constant :param old_functional_level: constant :param update_revision: modify the stored version :raise DomainUpdateException: Zrevision)baseattrsscoperzERevision is not high enough. Fix is set to False. Expected: %dGot: %dz9dn: %s changetype: modify replace: revision revision: %d N)r#searchr)ldb SCOPE_BASEfunctional_level_to_max_update MIN_UPDATEcheck_updates_rangefunctional_level_to_versionintr$r modify_ldifstr) r*Zfunctional_levelZold_functional_levelZupdate_revisionresZexpected_updateZ min_updateZexpected_versionZ found_versionr r r!check_updates_functional_levelns*     z+DomainUpdate.check_updates_functional_levelcCs8|D].}|tks|tkr tdt|d||qdS)z Apply a list of updates which must be within the valid range of updates :param iterator: Iterable specifying integer update numbers to apply :raise DomainUpdateException: Update number invalid. operation_%dN)r4 MAX_UPDATErgetattr)r*iteratoropr r r!check_updates_iteratorsz#DomainUpdate.check_updates_iteratorrcCsT|}|tks||ks|tkr$td||krP|tvrFt|d|||d7}q$dS)z Apply a range of updates which must be within the valid range of updates :param start: integer update to begin :param end: integer update to end (inclusive) :raise DomainUpdateException: r<r=r/N)r4r>rmissing_updatesr?)r*startendrAr r r!r5sz DomainUpdate.check_updates_rangecCsBz|jj|jdt|d}Wntjy4YdS0t|dkS)zd :param op: Integer update number :return: True if update exists else False z(CN=%s))r, expressionFr/)r#r0r( update_mapr1ZLdbErrorlen)r*rAr:r r r! update_existss  zDomainUpdate.update_existscCs"|jdt|t|jfdS)zo Add the corresponding container object for the given update :param op: Integer update z$dn: CN=%s,%s objectClass: container N)r#add_ldifrGr9r(r*rAr r r! update_addszDomainUpdate.update_addcCs`|d}|dkr0|d||||d}n||}||vrDdS|jj||dtgddS)a Add an ACE to a DACL, checking if it already exists with a simple string search. :param dn: DN to modify :param existing_sddl: existing sddl as string :param ace: string ace to insert :return: True if modified else False S:NF sd_flags:1:%dcontrolsT)rfindrZmodify_sd_on_dnr)r*dn existing_sddlaceindexnew_sddlr r r!insert_ace_into_dacls  z!DomainUpdate.insert_ace_into_daclc Cs|jj||gdgd}t|dks&J|d|d}|d}|dkrf|d||||d}n||}||vrzdSt}||_t|tj|||<|jj |d gd d S) aC Insert an ACE into a string attribute like defaultSecurityDescriptor. This also checks if it already exists using a simple string search. :param dn: DN to modify :param ace: string ace to insert :param attr: attribute to modify :return: True if modified else False search_options:1:2)r,r-rQr/rrMrNNFrelax:0rPT) r#r0rHrRr1ZMessagerSZMessageElementZFLAG_MOD_REPLACEZmodify) r*rSrUattrmsgrTrVrWmr r r!insert_ace_into_strings&   z#DomainUpdate.insert_ace_into_stringcCs|jstd|dS)z Raises an exception if not set to fix. :param op: Integer operation :raise DomainUpdateException: z3Missing operation %d. Fix is currently set to FalseN)r$rrKr r r!raise_if_not_fixszDomainUpdate.raise_if_not_fixcCsF||rdS|||jjd|jddgd|jrB||dS)NzVdn: CN=TPM Devices,%s objectClass: top objectClass: msTPM-InformationObjectsContainer rZ provision:0rP)rIr_r#rJr&r%rLrKr r r! operation_78 s  zDomainUpdate.operation_78cCs||rdS||d}|jjddgdgd}|D]4}ttj|dd}||j}| |j ||q6|jjddgdgd}|D]4}ttj|dd}||j}| |j ||q|j r| |dS)NzY(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(objectClass=samDomain)nTSecurityDescriptorrYrFr-rQr(objectClass=domainDNS) rIr_r#r0rr descriptoras_sddlr'rXrSr%rLr*rArUr:r\Z existing_sdrTr r r! operation_79s4      zDomainUpdate.operation_79cCs||rdS||dt|j}|jj|jtjdgddt gd}|d}t t j |dd}| |j}||j|||jr||dS)Nz5(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;%s-522)rcrYrO)r,r.r-rQr)rIr_r9r'r#r0r&r1r2rrrrgrhrXrSr%rLrir r r! operation_809s&     zDomainUpdate.operation_80cCs||rdS||d}|jjddgdgd}|D]4}ttj|dd}||j}| |j ||q6|jjddgdgd}|D]4}ttj|dd}||j}| |j ||q|j r| |dS)Nz7(OA;CIOI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)rbrcrYrdrrerfrir r r! operation_81Rs4      zDomainUpdate.operation_81cCsn||rdS||t|j}t|d}dt|j}|jj d||fddgd|j rj| |dS)Nutf8CN=Managed Service Accounts,%szdn: %s changetype: add objectClass: container description: Default container for managed service accounts showInAdvancedViewOnly: FALSE nTSecurityDescriptor:: %srZr`rP) rIr_rr'rdecoder9r&r#r8r%rL)r*rArgZmanagedservice_descrmanaged_service_dnr r r! operation_75vs   zDomainUpdate.operation_75cCs\||rdS||dt|j}|jjdt|j|fddgd|jrX||dS)Nrnzudn: %s changetype: modify add: otherWellKnownObjects otherWellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:%s rZr`rP)rIr_r9r&r#r8r%rL)r*rArpr r r! operation_76s   zDomainUpdate.operation_76cCsJ||rdS|||jjdt|jddgd|jrF||dS)NzFdn: CN=PSPs,CN=System,%s objectClass: top objectClass: msImaging-PSPs rZr`rP)rIr_r#rJr9r&r%rLrKr r r! operation_77s  zDomainUpdate.operation_77)FT)NF)rr)rrr__doc__r+r;rBr5rIrLrXr^r_rarjrkrlrqrrrsr r r r!r"Ns*  $   # $r")r1Zsambabase64rrZ samba.ndrrrZ samba.dcerpcrZsamba.dcerpc.securityrZsamba.descriptorrZ samba.dsdbr r r r r r4r>rGr3r6rC Exceptionrobjectr"r r r r!sB