a {a2@sddlmZddlmZddlmZddlmZmZm Z m Z m Z ddl Z ddlZddl Z ddlmZmZddlmZmZmZmZmZmZmZmZddlmZdd lmZmZdd lm Z m!Z!m"Z"m#Z#m$Z$m%Z%dd l&m'Z'dd l(m)Z)dd lm*Z*ddl+m,Z,ddl-m.Z.ddlm/Z/ddlm0Z0ddl1m2Z2ddlm3Z3m4Z4ddlm5Z5ddl6m7Z7m8Z8m9Z9ddl:Z:ddl;Z;ddlZ>ddl?Z?ddl@mAZAddlBmCZCddlBmDZDddlEmFZFGdddeGZHGdddeIZJd*dd ZKd+d!d"ZLd,d$d%ZMGd&d'd'eJZNGd(d)d)eNZOdS)-)print_function)system_session)SamDB)gensecLdb drs_utilsarcfour_encryptstring_to_byte_arrayN)ndr_pack ndr_unpack)securitydrsuapimiscnbtlsadrsblobs dnsserverdnsp)DS_DOMAIN_FUNCTION_2003) CredentialsDONT_USE_KERBEROS)secretsdb_self_join provisionprovision_fillFILL_DRSFILL_SUBDOMAIN DEFAULTSITE) setup_path)Schema) descriptor)Net)setup_bind9_dns)read_and_sub_file)werror) b64encode) WERRORError NTSTATUSError)sd_utils)ARecord AAAARecord CNameRecord) OrderedDict) text_type) get_string) CommandErrorcseZdZfddZZS)DCJoinExceptioncstt|d|dS)NzCan't join, error: %s)superr/__init__)selfmsg __class__,/usr/lib/python3/dist-packages/samba/join.pyr1;szDCJoinException.__init__)__name__ __module__ __qualname__r1 __classcell__r6r6r4r7r/9sr/c@s:eZdZdZdLddZdMddZdNdd ZdOd d Zd d ZddZ ddZ ddZ ddZ ddZ ddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/ZdPd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zd:d;Zdd?Z!d@dAZ"dBdCZ#dDdEZ$dFdGZ%dHdIZ&dJdKZ'dS)Q DCJoinContextzPerform a DC join.NFc Cs||_||_||_||_||_| |_| |_||_||_| |_ d|_ g|_ g|_ |j |tjBt|j|jd|_||_||_|r||_|jj|_nj|jr|dur||j|_n.|jd||||_|jd|jtd|jt|j|jd|_|jdurt|_z|jjtjgdWn:tj yd}z|j!\}}t"|WYd}~n d}~00t#|j$|_%t#|j&|_'t#|j(|_)t#|j*|_+t,-|j.|_/|j/|_0|1|_2|3|_4t56t#t78|_9|j:|_;|<|_=|>|_?| dur| |_@ntABdd|_@|jC|_D|r||_Ed |jE|_Fd |jE|j|j+f|_Gd |jG|_Hd |jE|j%f|_Id |jEJ|jDf|_K|jL|_Md|j%}|N|rd|jE|f|_Ond|_Od|jEd|jKd|jK|jMfg|_P|jjtjdg|j%d}|ddd|_Qd|j%|_Rd|j'|_SdtT|jR}|jjtjUg|jV|d}| durtd|_Wn$tX|dkrd|_WtYdn| |_W|jD|_Zd|_[t\j]t\j^Bt\j_Bt\j`Bt\jaB|_bd|_cd|_dd|_ed|_fd|_gd|_\d|_hd|_id|_jd|_kd|_ld|_md|_ndS)N)credslpz&Finding a writeable DC for domain '%s'z Found DC %s ldap://%surl session_info credentialsr>scopeattrs%s$z"CN=%s,CN=Servers,CN=%s,CN=Sites,%szCN=NTDS Settings,%szCN=%s,OU=Domain Controllers,%s%s.%szGCN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,%szCN=%s,%szHOST/%szGC/%s/%sZrIDManagerReference)rErFbaserzDC=DomainDnsZones,%szDC=ForestDnsZones,%s$(&(objectClass=crossRef)(ncName=%s))rErFrK expressionNONEzCNO DNS zone information found in source domain, not replicating DNSF)ologgerr=r>site targetdir use_ntvfsplaintext_secrets backend_storebackend_store_sizepromote_existingpromote_from_dnnc_list full_nc_listZset_gensec_featuresZget_gensec_featuresrZ FEATURE_SEALr netserverforced_local_samdbsamdbrA find_dc_siteinfofind_dcrrrsearchldb SCOPE_BASELdbErrorargsr/strget_default_basednbase_dnget_root_basednroot_dnZget_schema_basedn schema_dnZget_config_basedn config_dnr dom_sidZget_domain_siddomsid forestsidget_domain_name domain_nameget_forest_domain_nameforest_domain_namerGUIDuuidZuuid4 invocation_idZget_dsServiceName dc_ntds_dnget_dnsHostNameZdc_dnsHostNameget_behavior_versionbehavior_version acct_passsambaZ generate_random_machine_passwordZdomain_dns_name dnsdomainmynamesamname server_dnntds_dnacct_dnlower dnshostnameZforest_dns_name dnsforest dn_exists topology_dnSPNsrid_manager_dndomaindns_zoneforestdns_zone binary_encodeSCOPE_ONELEVELget_partitions_dn dns_backendlenprintrealm tmp_samdbr ZDRSUAPI_DRS_INIT_SYNCZDRSUAPI_DRS_PER_SYNCZDRSUAPI_DRS_GET_ANCZDRSUAPI_DRS_GET_NC_SIZEZDRSUAPI_DRS_NEVER_SYNCED replica_flagsnever_reveal_sid reveal_sid connection_dnRODC krbtgt_dn managedby subdomain adminpass partition_dndns_a_dn dns_cname_dn force_all_ips)ctxrPr\r=r>rQ netbios_namerRdomain machinepassrSrrWrTrUrVr]eenumestrZ topology_baseZres_rid_managerexprZ res_domaindnsr6r6r7r1Bs                       zDCJoinContext.__init__cCs|rNz|jj|tjdgd}Wnty2YdS0|D]}|j|jddq8z|j|td|Wnty|Yn0dS)NdnrKrErFT recursivez Deleted %s) r^rbrcr Exception del_noerrorrdeleter)rrrresrr6r6r7rs   zDCJoinContext.del_noerrorcCs|jj|jdt|jddgd}t|dkr8dS|st}||j z:| |j | |j td|jt||j d}Wn YnD0|jtjdd gd }|dd d|dddkrtd |j|j|djd d |djddd}|dur||_||j|jj|jdtd|jtd|jfgd}|rl|j|djd d |jj|jdtd|jgd}|rtdtd|jtd|jfdS)NsAMAccountName=%smsDS-krbTgtLink objectSIDrKrNrFrr?r@ tokenGroups)rErKrFzNot removing account %s which looks like a Samba DC account matching the password we already have. To override, remove secrets.ldb and secrets.tdbTrmsDS-KrbTgtLink)idxz/(&(sAMAccountName=%s)(servicePrincipalName=%s))dns-%szdns/%sz(sAMAccountName=%s)znNot removing account %s which looks like a Samba DNS service account but does not have servicePrincipalName=%s)r^rbrhrcrrrrguessr>Zset_machine_accountset_kerberos_stater=Zget_kerberos_staterr\rrdr/rrget new_krbtgt_dnrr)rforcerr=Z machine_samdbZ token_resrr6r6r7cleanup_old_accountssd       z"DCJoinContext.cleanup_old_accountscCsT|js|j|d|jdur(||j|jdur>||j||j|j|jdd|jrl||j|jr~||j|jr(d}t d|j |f|j |j }t }t |_|d|tj}t }|j|_|||t j}|||jjt }|j|_|||t j}|||jj|jr<||j|jrP||jdS)z$Remove any DNs from a previous join.)rNTrsignncacn_ip_tcp:%s[%s]r)rrrrrrrrrrlsarpcr\r>r=ObjectAttributeQosInfosec_qos OpenPolicy2r SEC_FLAG_MAXIMUM_ALLOWEDStringrstringQueryTrustedDomainInfoByName!LSA_TRUSTED_DOMAIN_INFO_FULL_INFODeleteTrustedDomaininfo_exsidrtrr)rrbinding_optionslsaconn objectAttr pol_handlenamer`r6r6r7cleanup_old_joinsF          zDCJoinContext.cleanup_old_joincCs|jrtd|jj|jdt|jgdd}t|dkrPtd|jd|dvstd|dvstd |dvrtd |jt |dd dt j j t j j B@dkrtd |j|dj|_d S)z]confirm that the account is just a bare NT4 BDC or a member server, so can be safely promotedz Can not promote into a subdomainr)ruserAccountControlserverReferenceBLrIDSetReferencesrrzcCould not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'rrrzhAccount '%s' appears to be an active DC, use 'samba-tool domain join' if you must re-create this accountrzZAccount %s is not a domain member or a bare NT4 BDC, use 'samba-tool domain join' instead'N)rrr^rbrhrcrrrintr}dsdbUF_WORKSTATION_TRUST_ACCOUNTUF_SERVER_TRUST_ACCOUNTrrXrrr6r6r7promote_possibleKs" $zDCJoinContext.promote_possiblec Csz$|jj|tjtjBtjBd|_WnVty^}z"td||j dfWYd}~n&d}~0t yztd|Yn0|jj dur|jj dkr|jj |_ |jj S)z(find a writeable DC for the given domain)rflagsz1Failed to find a writeable DC for domain '%s': %sNz-Failed to find a writeable DC for domain '%s'r)r[finddcrNBT_SERVER_LDAP NBT_SERVER_DSZNBT_SERVER_WRITABLE cldap_retr&r.rfr client_siterQZ pdc_dns_name)rrerrorr6r6r7ra^s$   zDCJoinContext.find_dccCs:d}|jj|tjtjBd}|jdur6|jdkr6|j}|S)N)Zaddressrr)r[rrrrr)rr\rQrr6r6r7r_ks zDCJoinContext.find_dc_sitecCsD|jj|jtjdgd}d|dvr8t|dddStjjSdS)NmsDS-Behavior-Versionrr) r^rbrircrdrr}rZDS_DOMAIN_FUNCTION_2000rr6r6r7rzss z"DCJoinContext.get_behavior_versioncCs*|jjdtjdgd}t|dddS)Nr dnsHostNamerr)r^rbrcrdrgrr6r6r7ryzszDCJoinContext.get_dnsHostNamec CsJ|j}|jj|tjdgdtt|jd}t|dddSz9get netbios name of the domain from the partitions record nETBIOSNamez ncName=%s)rKrErFrNr)r^rrbrcrrrgrhrZ partitions_dnrr6r6r7rq~s  zDCJoinContext.get_domain_namec CsJ|j}|jj|tjdgdtt|jd}t|dddSr)r^rrbrcrrrgrjrr6r6r7rss  z$DCJoinContext.get_forest_domain_namecCs:|jj|jgdt|jtjtjj fd}t |dj S)7get the parent domain partition DN from parent DNS namez9(&(objectclass=crossRef)(dnsRoot=%s)(systemFlags:%s:=%u)))rKrFrNr) r^rbrmrcrZparent_dnsdomainZOID_COMPARATOR_ANDr}rSYSTEM_FLAG_CR_NTDS_DOMAINrgrrr6r6r7get_parent_partition_dns   z%DCJoinContext.get_parent_partition_dnc Cs|jjd|jdgtjdgd}d|dvrBtd|j|jjfz4tt t |j|ddd d d}Wn*tytd |dddYn0d ||jf}|S) rzCN=Partitions,%sZ fSMORoleOwnerextended_dn:1:1)rKrFrEcontrolsrz1Can't find naming master on partition DN %s in %sutf8ru3Can't find GUID in naming master on partition DN %s %s._msdcs.%s)r^rbrmrcrdr/rrArgrruDndecodeget_extended_componentKeyErrorr)rrZ master_guidZ master_hostr6r6r7get_naming_masters 4 zDCJoinContext.get_naming_mastercCs8|jjdtjdgd}|ddd}t|jd|S)zhget the SID of the connected user. Only works with w2k8 and later, so only used for RODC joinrrrrr)r^rbrcrdr-schema_format_value)rrZbinsidr6r6r7 get_mysidszDCJoinContext.get_mysidc Cshz|jj|tjgd}WnJtjyb}z0|j\}}|tjkrLWYd}~dSWYd}~n d}~00dS)zcheck if a DN existsrNFT)r^rbrcrdrerfZERR_NO_SUCH_OBJECT)rrrZe5rrr6r6r7rs  zDCJoinContext.dn_existscCstd|j|jdttjjtjjBdd|jd}|j |dg|jj |jt j dgd}|d dd |_ td |j t }t |j|j|_t |jt jd |d <|j|d |j |jf|_td |j|jf|j|j|jdS)z#RODCs need a special krbtgt account Adding %suserTRUEz krbtgt for %s)r objectclassZuseraccountcontrolZshowinadvancedviewonlyZ description rodc_join:1:1samAccountNamerrzGot krbtgt_name=%srzCN=%s,CN=Users,%szRenaming %s to %sN)rrrgr}rUF_NORMAL_ACCOUNTUF_ACCOUNTDISABLErr^addrbrcrdZ krbtgt_nameMessagerrrMessageElementFLAG_MOD_REPLACEmodifyrirrename)rrecrmr6r6r7add_krbtgt_accounts, z DCJoinContext.add_krbtgt_accountcCsTd}|jdkr|d7}d|j|f}t||j|j|_t|j\|_|_dS)z.make a DRSUAPI connection to the naming masterseal ,printrN) r> log_levelr\r r=rZ drs_DsBinddrsuapi_handleZbind_supported_extensions)rrZbinding_stringr6r6r7drsuapi_connects zDCJoinContext.drsuapi_connectc CsBt|j|jd|_ttdd|j|jddd|_|j |jdS)z2create a temporary samdb object for schema queries)schemadnNF)rBrAZ auto_connectrCr> global_schemaZam_rodc) rrorlZ tmp_schemarrr=r>rZ set_schemarr6r6r7create_tmp_samdbs  zDCJoinContext.create_tmp_samdbcCs t}|j||_d|_dS)z$build a DsReplicaAttributeCtr objectrN)r ZDsReplicaAttributerZget_attid_from_lDAPDisplayNameZattidZ value_ctr)rattrnameZ attrvaluerr6r6r7build_DsReplicaAttributesz&DCJoinContext.build_DsReplicaAttributecCs>|jdur||jdur$|g}|D]}t}|d|_g}|D]Z}|dkrXqJt||tsr||g}n||}dd|D}|j|j||}| |qJt } t || _ || _ t} || _| | _t} | | _| | q,t} |d| _| j} |ddD]}|| _|} q|j|jd| \}}|dkr|jtjkrftd|jtd |jdtjkrtd |jtd |d kr8|jdkrtd |j|j j!dtjkr|j j"durtd |j j!dntd |j j!d|j j"jftd |j jtjkr8td|j jtd |j#S)z,add a record via the DRSUAPI DsAddEntry callNrcSs$g|]}t|tr|dn|qS)r) isinstancer,encode).0xr6r6r7 z,DCJoinContext.DsAddEntry..rrz!DsAddEntry failed with dir_err %uzDsAddEntry failedz(DsAddEntry failed with status %s info %szexpected err_ver 1, got %uz.DsAddEntry failed with status %s, info omitted)$r rrrDsReplicaObjectIdentifierrrlistZdsdb_DsReplicaAttributeappendZDsReplicaAttributeCtrrZnum_attributesZ attributesZDsReplicaObjectZ identifier attribute_ctrZDsReplicaObjectListItemobjectZDsAddEntryRequest2Z first_objectZ next_object DsAddEntryrZdir_errZDRSUAPI_DIRERR_OKr RuntimeErrorZ extended_errr#Z WERR_SUCCESSZerr_verZerr_dataZstatusr`objects)rrecsr(r idrFavZrattrr$r%Z list_objectZreq2prevolevelZctrr6r6r7r&sn           zDCJoinContext.DsAddEntrycCstd|jtd|jfddttjjfd|jfg}|j|j |jg}|j tjj krdttjj |d<|j tjj kr||j|d<|j rd|j|d <|j|d <d |d <nfd |j|d <|j tjj kr|j|d<g|d<|D]}||jvr|d|qd|d <t|j|d<|S)z return the ntdsdsa object to addrr)rZnTDSDSA systemFlagsZ dMDLocationrzmsDS-HasDomainNCszCN=NTDS-DSA-RO,%sobjectCategoryzmsDS-HasFullReplicaNCsZ37optionszCN=NTDS-DSA,%szmsDS-HasMasterNCsZ HasMasterNCs1 invocationId)rrr+rgr}r#SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETErlrirmr{rZDS_DOMAIN_FUNCTION_2008_R2rrZr#r rw)rr rYncr6r6r7join_ntdsdsa_obj,s4     zDCJoinContext.join_ntdsdsa_objcCs|}|jr"|jj|dgdn$|jr:|j|dgn ||g|jj|jtj dgd}t |j d|ddd|_ dS)zadd the ntdsdsa objectrelax:0rrZ objectGUIDrrN)r7r]r^rrr&rbrrcrdrrur ntds_guid)rr rr6r6r7join_add_ntdsdsaWs zDCJoinContext.join_add_ntdsdsac Cs|jrFtd|j|jd|j|jt|jtjjB|jd}|j tjj kr^ttjj |d<n|j rlg|d<|j r~|j |d<n|j rg|d<|jr|j|d<n|j rg|d<|jr|j|d<n|j rg|d<|rt||d<|j r"|j|jkr|j|j|j|jtj|j|tjn$d }|d ur6d g}|jj||d |jrV||jrtd|j|jd ttjjtjjBtjjB|jd }|jr|j|d<|j||j rd |_!d S|j"r|#dt$|j%}|jj&tj'g|j(|d|j%f}dt$|j)}|jj&tj'g|j(|d|j)f}||fD]n\}}||j*vrZqBt+|dkrBt} |dj,| _,d} |j-rd} t.|j"tj/| | | <|j| qB|j0d urtd|j0|j0ddd|j1d}|j||jrtd|jt} t2|j|j| _,t3t+|j4D]$} |j4| 5dt|j!|j4| <q*t.|j4tjd| d<|j| td|jz(|jj6dt$|j|j7d|jdWnXtj8y} z<| j9\} }| tj:krԂ|j;j<|j|j=|j7d WYd } ~ n d } ~ 00|jj&|jtj>d!d"gd#}d!|dvrBt?|dd!d|_@nd |_@tAtBjC|ddd|_Dtd$t} t2|j|j| _,t.t|jtjd%| d%<|j| |jEFd&rtGd'd(|_H|jItJtKd)|jL|jM|jNtO|jHPd*Qd+|jd,}|D]\}}|tjRksJ|d-}td.|d-|d/=|d0=ttjjStjjB|d%<z|j|Wn@tj8y}z$|j9\} }| tjTkrWYd }~n d }~00qtd1|jNz(|jj6d2t$|jN|jHd|jdWn\tj8yB}z@|j9\} }| tj:kr|j;jd!gd#}d!|dvrt?|dd!d|_Und |_Ud S)4z+add the various objects needed for the joinrZcomputer)rZ objectClassZ displaynameZsamaccountnamerrzmsDS-SupportedEncryptionTypesrzmsDS-NeverRevealGroupzmsDS-RevealOnDemandGroupZ objectSidNr8r9r\)rrr0rZserverReferencerLrMrrzmsDS-NC-Replica-LocationszmsDS-NC-RO-Replica-LocationsZnTDSConnectionrZ65)rrZenabledconnectionr2Z fromServerzAdding SPNs to %sz $NTDSGUIDZservicePrincipalNamezSetting account password for %sz((&(objectClass=user)(sAMAccountName=%s))F)Zforce_change_at_next_loginZusername)Z account_namerrZ newpasswordzmsDS-KeyVersionNumberrrzEnabling accountrBIND9_rGrHzprovision_dns_add_samba.ldif utf-16-ler)Z DNSDOMAINZDOMAINDNZHOSTNAMEZ DNSPASS_B64ZDNSNAMErz#Adding DNS account %s with dns/ SPNclearTextPasswordZisCriticalSystemObjectz#Setting account password for dns-%sz,(&(objectClass=user)(samAccountName=dns-%s))r)Vrrrrgrr}rrrr{ZDS_DOMAIN_FUNCTION_2008Z ENC_ALL_TYPESrWrrrr rXr^r rrcrZ from_dictrrrr rZSYSTEM_FLAG_CONFIG_ALLOW_RENAMEZ%SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVEr5rr:rr;rrrbrrrrYrrrrZ FLAG_MOD_ADDrrxrrangerreplaceZ setpasswordr|rerfZERR_UNWILLING_TO_PERFORMr[ set_passwordrrrdrkey_version_numberr r rnnew_dc_account_sidr startswithZgenerate_random_passworddnspassZ parse_ldifr"rr~rirr$rrZCHANGETYPE_NONErZERR_ENTRY_ALREADY_EXISTSdns_key_version_number)rZ specified_sidr rrrZforestpartzoner attriZe2Znum_rr)Z changetyper3Z dns_acct_dnrZe3r6r6r7join_add_objectsfsz              "                 zDCJoinContext.join_add_objectsc Cstd|jddt|jtjfi}tj|j|d}|jdd|j |j |j |j |j ttjjtjjB|d }|jtjjkrt|j|d<|}|||g}t|d krtd |d j|_td |jj|jtd |jtjtj dtd|jj|j!td |jtjtj ddS)zLadd the various objects needed for the join, for subdomains post replicationrZSubdomainAdminsz%s-%s)name_mapZcrossRefzCN=Cross-Ref,%s) rrr1nCNamerZdnsRootZ trustParentr0ZntSecurityDescriptorrrz"Expected 2 objects from DsAddEntryrzReplicating partition DN$00000000-0000-0000-0000-000000000000)exoprzReplicating NTDS DNN)"rrrgror ZDOMAIN_RID_ADMINSrZ+get_paritions_crossref_subdomain_descriptorrprlrirrr~Zparent_partition_dnr}rZSYSTEM_FLAG_CR_NTDS_NCrr{rr7r&rr/guidr:repl replicaterrur ZDRSUAPI_EXOP_REPL_OBJDRSUAPI_DRS_WRIT_REPr)rrMZ sd_binaryr Zrec2r(r6r6r7join_add_objects2=sD     zDCJoinContext.join_add_objects2cCstd|jj}t|jt||jt|j|j |j |j |j |j |j|j|j|jd|j|j|j|j|j|j|j|jdd}td|j|j|_|j|_|j|_|j|_|j|j_dS)Provision the local SAM.zCalling bare provision"active directory domain controllerT)smbconfrR samdb_fillrrootdndomaindnrconfigdnZserverdnrZhostname domainsidr serverroleZsitenamer>ZntdsguidrSrrTrUrVZ batch_modezProvision OK for domain DN %sN)rr>Z configfilerrPrrRrrrkrirlrmrrrrror|rQr:rSrrTrUrVr[r^ local_samdbpathsnamesrp)rrXpresultr6r6r7join_provisionhs,    zDCJoinContext.join_provisioncCs|tdt|jjdgt|jjdd|_|jt|j |j|_|j d|jj |j tjdgddgd }d |d vrtd |j |jjfz8ttt|j|d dd d d|j_Wn*tytd|d dd Yn0|j d|jj|j dt|jjt|jd}t|j||j |j|jt|jt|j d|j|jj!|jj"|j#|j$d}td|jj%dS)rVzReconnecting to local samdbz#transaction_index_cache_size:200000F)rAr2rBr>rzFinding domain GUID from ncNameZncNamerzreveal_internals:0)rKrErFrrNrz2Can't find naming context on partition DN %s in %srrurzGot domain GUID %szCalling own domain provisionrBr>rW) Zdom_for_fun_levelrRrYrr^r>hostiphostip6rrzProvision OK for domain %sN)&rrr_rArr>r^set_invocation_idrgrwrPr`rbrrcrdr/rrurrrraZ domainguidrrr`secretsrrrRrr|rerfrrr~)rr secrets_ldbrbr6r6r7join_provision_own_domains@  8   z'DCJoinContext.join_provision_own_domaincCs"td|j|f|j||j|jSz2Creates a new DRS object for managing replicationsr)rZ drs_Replicater\r>r_rw)r repl_credsrr6r6r7create_replicators zDCJoinContext.create_replicatorc Cstd|jznt|j}|jdurFtdttj }n|j}|j rt }| |j |t||j||jn|j}d}|j dkr|d7}|||}|j|j||d|j |jd|j|j|||j |jd |js\|jtj@sBtd |jtjO_|j|j|||j |jd |jtjN_|j|j|||j |jd td |j|j fD]:}||j!vrptd t"||j||||j |jd qp|j r|j|j#||tj$dd |j|j%||tj$dd n|j&durfz|j|j&||tj'dWnXt(j)yd}z<|j*\}} |tj+krNtd|j,tdnWYd}~n d}~00||_-||_.||_/tdWn|j0Yn 0|j1|2dS)zReplicate the SAM.zStarting replicationNzUsing DS_BIND_GUID_W2K3r rrT)Zschemarodcr)rnrz;Replicating critical objects from the base DN of the domainz5Done with always replicated NC (base, config, schema)zReplicating %s)rPrn)rPzdWARNING: Unable to replicate own RID Set, as server %s (the server we joined) is not the RID Master.zxNOTE: This is normal and expected, Samba will be able to create users after it contacts the RID Master at first startup.zCommitting SAM database)3rr_Ztransaction_startrrur^Zget_invocation_idr:r ZDRSUAPI_DS_BIND_GUID_W2K3rrrr>rrZ set_usernamerrAr|r=rrmrSrlrrmrdomain_replica_flagsDRSUAPI_DRS_CRITICAL_ONLYrirrrYrgrZDRSUAPI_EXOP_REPL_SECRETrrZDRSUAPI_EXOP_FSMO_RID_ALLOCr}ZDsExtendedErrorrfZDRSUAPI_EXOP_ERR_FSMO_NOT_OWNERr\rRsource_dsa_invocation_iddestination_dsa_guidZtransaction_cancelZtransaction_commitrefresh_ldb_connection) rrqrrrlrrRr6Ze1rrr6r6r7join_replicates                       zDCJoinContext.join_replicatec Csz|jjtjgdWn~tjy}zd|j\}}|tjkrxd|vsLd|vrx|jdt d|j t |j |j d|_nt|WYd}~n d}~00dS)NrDZ!NT_STATUS_CONNECTION_DISCONNECTEDZNT_STATUS_CONNECTION_RESETz)LDB connection disconnected. Reconnectingr?r@)r^rbrcrdrerfZERR_OPERATIONS_ERRORrPZwarningrr\rr=r>r/)rrrrr6r6r7rss     z$DCJoinContext.refresh_ldb_connectioncCst}t|_t||j_td|j_t d|j_ |j |_ dt|j |jf|_tjtjB|_|js||jtjO_|jdur||j|jd|dS)NrOzS-0-0rr)r ZDsReplicaUpdateRefsRequest1r!Znaming_contextrgrrrurQr rnrr:Z dest_dsa_guidrZdest_dsa_dns_nameZDRSUAPI_DRS_ADD_REFZDRSUAPI_DRS_DEL_REFr2rrTrZDsReplicaUpdateRefsr)rrrr6r6r7send_DsReplicaUpdateRefs(s   z&DCJoinContext.send_DsReplicaUpdateRefsc CsNtj}tjtjB}|j}d|j}|j}t|j}d||f}t |j |j }|j dt|||fd} td|j| f|j |j} d} t|j} t} |j| _tdt|jtjf| _z(| |d|j||d tj|d d \}}Wn<t y(}z"|j!dt"j#krd } WYd }~n d }~00| r|j$D]}|j%D]}|j&tj'ks`|j&tj(kr@t)}||_$z| *|d|j||d |Wn<t y}z"|j!dt"j#krnWYd }~n d }~00q@q6|D]z}|+d d kr|j d |||ft,|}n|j d|||ft-|}t)}||_$| *|d|j|||d qt|dkr>t./|j|j0}|jj1d||f|d\|_2}| j3|j2| dtj4tj5Bgd|j d|||ft)}t6|}||_$| *|d|j|||d t./|j|j7}|jj1d||f|d\|_8}| j3|j8| dtj4tj5Bgd|j dd S)aRemotely Add a DNS record to the target DC. We assume that if we replicate DNS that the server holds the DNS roles and can accept updates. This avoids issues getting replication going after the DC first starts as the rest of the domain does not have to wait for samba_dnsupdate to run successfully. Specifically, we add the records implied by the DsReplicaUpdateRefs call above. We do not just run samba_dnsupdate as we want to strictly operate against the DC we just joined: - We do not want to query another DNS server - We do not want to obtain a Kerberos ticket (as the KDC we select may not be the DC we just joined, and so may not be in sync with the password we just set) - We do not wish to set the _ldap records until we have started - We do not wish to use NTLM (the --use-samba-tool mode forces NTLM) z _msdcs.%srJz&Adding %d remote DNS records for %s.%srrTz%s-%drNF:z,Adding DNS AAAA record %s.%s for IPv6 IP: %sz)Adding DNS A record %s.%s for IPv4 IP: %s)Z dns_partitionz sd_flags:1:%dr9z$Adding DNS CNAME record %s.%s for %sz_All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup)9rZDNS_CLIENT_VERSION_LONGHORNZDNS_RPC_VIEW_AUTHORITY_DATAZDNS_RPC_VIEW_NO_CHILDRENr~rrrgr:r}Z interface_ipsr>rrPr`rr\r=r'ZSDUtilsr^r rrCZ owner_sidrnroZDOMAIN_RID_DCSZ group_sidZDnssrvEnumRecords2rZ DNS_TYPE_ALLr%rfr#Z"WERR_DNS_ERROR_NAME_DOES_NOT_EXISTr ZrecordsZwTypeZ DNS_TYPE_AZ DNS_TYPE_AAAAZDNS_RPC_RECORD_BUFZDnssrvUpdateRecord2findr)r(rcrrZ dns_lookuprZmodify_sd_on_dnZ SECINFO_OWNERZ SECINFO_GROUPr*rr)rZclient_versionZ select_flagsrHZ msdcs_zonerZ msdcs_cnameZ cname_targetZIPsrZdns_connZ name_foundZ sd_helperZchange_owner_sdZbuflenrrr recordZ del_rec_bufZIPZ add_rec_bufZdomaindns_zone_dnZ ldap_recordZforestdns_zone_dnr6r6r7join_add_dns_records9s             z"DCJoinContext.join_add_dns_recordsc CsT|j|jfD]B}||jvr |jdt||jj||j|j |j |j ddq dS)Nz!Replicating new DNS records in %sF)rnrZ full_sync) rrrYrPr`rgrRrSrqr:rr)rr6r6r6r7join_replicate_new_dns_recordss  z,DCJoinContext.join_replicate_new_dns_recordsc Cs|jd|jD]}||q|jrtd|jt|j |j d|j t }t |jd|j|_t t|j t jd|d<|j||j|jdd|jdt }t |jd|_t d t jd |d <|j}t d t|t jd |d <|j||jrd St|jjt|jd}|jdt||j|j|j |j!|j"|j#|j$|j%d |j&'drt(|j||j)|j|j|j|j&|j*|j |j+|j,d d S)z=Finalise the join, mark us synchronised and setup secrets db.z=Sending DsReplicaUpdateRefs for all the replicated partitionszSetting RODC invocationIdZdomainFunctionalityz%sr4r(Setting isSynchronized and dsServiceName@ROOTDSErisSynchronized dsServiceNameNrdzSetting up secrets database)rrr~Z netbiosnamer]rsecure_channel_typerBr<)rrEZos_levelrRrB)-rPr`rYrurrr_rgrgrwZset_opaque_integerr{rcrrrrrr rrZ"set_attribute_replmetadata_versionr:rrr`rhrr>rrrrr~rror|rrBrrDr!rarErRrF)rr6r rQrir6r6r7 join_finalisesd         zDCJoinContext.join_finalisec Cstd|jd}td|j|f|j|j}t}t|_| d d|t j }t }|j|j_|j|j_|j|_tjtjB|_tj|_tj|_zJt}|j|_|||tj}td|j|jjf|||jjWnt yYn0t!|j"#d}t$%} t&|| _'|| _(t$)} t*+t,t--| _.tj/| _0| | _1t$2} d| _3| g| _4t$5} d| _3| | _6t$7} dgd }t8d D]}t9:d d ||<q|| _;| | _<| | _=t>| }t?|j@|}tA}t&||_'t!||_BtC}||_D|E|||t jF}d |jG|jHfd tI|jtI|jtI|j|jJ|jGt>| t>| t>|jKd }|jLM|d|jJ|jHfdtIt*jNjO|j"#dd|jJd}|jLM|dS)zprovision the local SAM.z"Setup domain trusts with server %srzncacn_np:%s[%s]zutf-8z)Removing old trust record for %s (SID %s)r=rr irrHzcn=%s,cn=system,%sZ trustedDomain) rrZ trustTypeZtrustAttributesZtrustDirectionZflatnameZ trustPartnerZtrustAuthIncomingZtrustAuthOutgoingZsecurityIdentifierzcn=%s$,cn=users,%srrI)rrrr>rN)Prr\rrr>r=rrrrrr rZTrustDomainInfoInfoExr~rrrrrorZLSA_TRUST_DIRECTION_INBOUNDZLSA_TRUST_DIRECTION_OUTBOUNDZtrust_directionZLSA_TRUST_TYPE_UPLEVELZ trust_typeZ!LSA_TRUST_ATTRIBUTE_WITHIN_FORESTZtrust_attributesrrrrrr'r Z trustdom_passrrZ AuthInfoClearrsizeZpasswordZAuthenticationInformationr}Z unix2nttimertimeZLastUpdateTimeZTRUST_AUTH_TYPE_CLEARZAuthTypeZAuthInfoZAuthenticationInformationArraycountZarrayZtrustAuthInOutBlobZcurrentZtrustDomainPasswordsr?randomZrandint confounderoutgoingZincomingr rZ session_keyZ DATA_BUF2dataZTrustDomainInfoAuthInfoInternal auth_blobZCreateTrustedDomainEx2ZSEC_STD_DELETErrirgrtrpr_rrZUF_INTERDOMAIN_TRUST_ACCOUNT)rrrrrr`ZoldnameZoldinfoZ password_blobZ clear_valueZ clear_authentication_informationZ authentication_information_arrayrZ trustpassrrJZtrustpass_blobZencrypted_trustpassrZ auth_infoZtrustdom_handler r6r6r7join_setup_trusts$s              zDCJoinContext.join_setup_trustscCs|j|jg|_|j|j|jg|_|jrD|jdkrD|j|jg7_nj|js|j|jg7_|jdkr|j|jg7_|j|jg7_|j|jg7_|j|jg7_dS)NrO) rmrlrYrirZrrrrrr6r6r7build_nc_listss zDCJoinContext.build_nc_listsc Cs||jr|n|z\||||jrX|| | |j dkrr| | |Wn>z tdWntyYn0||Yn0dS)NrOzJoin failed - cleaning up)rrWrrrLrcrtrrUrjrrrzr{rrIOErrorrsrr6r6r7do_joins0     zDCJoinContext.do_join)NNNNNNNNNFNFFNNN)F)F)F)N)(r8r9r:__doc__r1rrrrrar_rzryrqrsrrrrr rrrr&r7r;rLrUrcrjrmrtrsrurzr{rrrrr6r6r6r7r<?s^   5 /    C+ X+-^ Her<FcCsvt||||||||| | | | | ||d}|d|j|d|j|d|j|d|jd|j|jf|_d|jt j fdt j dt j dt j dt jg|_d|jt jf|_|}d|}||_tjjtjjBtjjB|_|jd |jd |jgd |j|_tj |_!d |_"|j#t$j%t$j&BO_#|j#|_'|rT|j't$j(O_'|)|d |j|jfd S)zJoin as a RODC.rUrV workgroupworkgroup is %sr realm is %szCN=krbtgt_%s,CN=Users,%sz zzRestrictedKrbHost/%szCN=RODC Connection (FRS),%sTz$Joined domain %s (SID %s) as an RODCN)*r<setrrr`rrrirror ZDOMAIN_RID_RODC_DENYZSID_BUILTIN_ADMINISTRATORSZSID_BUILTIN_SERVER_OPERATORSZSID_BUILTIN_BACKUP_OPERATORSZSID_BUILTIN_ACCOUNT_OPERATORSrZDOMAIN_RID_RODC_ALLOWrrrr}rrZ)UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATIONZUF_PARTIAL_SECRETS_ACCOUNTrrextendrrrrZ SEC_CHAN_RODCrrrr %DRSUAPI_DRS_SPECIAL_SECRET_PROCESSINGZ$DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIProrpr)rPr\r=r>rQrrRrdomain_critical_onlyrrSrrWrTrUrVrZmysidZadmin_dnr6r6r7 join_RODCsP   rcCst||||||||| | | | | ||d}|d|j|d|j|d|j|d|jtjjtjjB|_ |j d|j t j|_|jtjtjBO_|j|_|r|jtjO_||d|j|jfdS) z Join as a DC.rrrrrz1E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/%sz!Joined domain %s (SID %s) as a DCN)r<rrrr`rr}rrZUF_TRUSTED_FOR_DELEGATIONrrr#r~rZ SEC_CHAN_BDCrrr rT!DRSUAPI_DRS_FULL_SYNC_IN_PROGRESSrorprro)rPr\r=r>rQrrRrrrrSrrWrTrUrVrr6r6r7join_DCs*  rrOc Cszt|||||||||| d } |d| j|d| j|d| j|d| j| |d| j| jf| S)z%Creates a local clone of a remote DC.)rRrrinclude_secretsrUrVrrrrzCloned domain %s (SID %s))DCCloneContextrrrr`rrro) rPr\r=r>rRrrrrUrVrr6r6r7 join_clones rc s2eZdZdZd fdd ZddZdd ZZS) rzClones a remote DC.NFc stt|j|||||||| | d d|_d|_d|_|jdd|_d|_ d|_ |j |_ |jtjtjBO_|s|jtjO_|j|_dS)N)rRrrrUrV.r)r0rr1rrrr\splitrr:rr^Z get_ntds_GUIDremote_dc_ntds_guidrr rTrrro) rrPr\r=r>rRrrrrUrVr4r6r7r14s&  zDCCloneContext.__init__cCsj|jdt}t|jd|_tdtjd|d<|j }tdt |tjd|d<|j |dS)Nr|r}rr~rr) rPr`rcrrr_rrrrrgr)rr rQr6r6r7rOs  zDCCloneContext.join_finalisecCs$||||dS)N)rrcrtrrr6r6r7r]szDCCloneContext.do_join) NNNNNNNFNN)r8r9r:rr1rrr;r6r6r4r7r1src sBeZdZdZdfdd ZddZdd Zd d Zd d ZZ S)DCCloneAndRenameContextz6Clones a remote DC, renaming the domain along the way.NTc s8tt|j|||||| | | | d ||_||_||_dS)N)rRrrrrU)r0rr1 new_base_dnnew_domain_name new_realm) rrrrrPr\r=r>rRrrrrUr4r6r7r1lsz DCCloneAndRenameContext.__init__c Cs.d|j|f}t||j||j|j|j|jSrk)r\rZdrs_ReplicateRenamerr>r_rwrir)rrlrZ binding_strr6r6r7rmzs  z)DCCloneAndRenameContext.create_replicatorcCs4t\}}|d|tjj|d}t||S)z?Creates a non-global LoadParm based on the global LP's settingsF)Zfilename_for_non_global_lp)tempfileZmkstempdumpr}ZparamZLoadParmosremove)rZ global_lpfdZtmp_fileZlocal_lpr6r6r7create_non_global_lps   z,DCCloneAndRenameContext.create_non_global_lpcCs|j}td||j|S)z/Uses string substitution to replace the base DNrI)riresubr)rZdn_strZ old_base_dnr6r6r7 rename_dnsz!DCCloneAndRenameContext.rename_dncCstd||j}t|jt|jt|j|| |j |j | |j | |j |j|jd|j|jd}td|j|j|_|j|_dS)z"Provision the local (renamed) SAM.z(Provisioning the new (renamed) domain...rW) rRrYrr>rZr[rr\rr]r^rrUz%Provision OK for renamed domain DN %sN)rrr>rrPrrRrrrrkrrlrmrrorrUr[r^r_r`)rZ non_global_lprbr6r6r7rcs      z&DCCloneAndRenameContext.join_provision) NNNNNNNTN) r8r9r:rr1rmrrrcr;r6r6r4r7ris  r)NNNNNNNNFNFNFFNN)NNNNNNNNFNFNFFNN) NNNNNNFrONN)PZ __future__rZ samba.authrZ samba.samdbrr}rrrrr rcrvZ samba.ndrr r Z samba.dcerpcr r rrrrrrZ samba.dsdbrZsamba.credentialsrrZsamba.provisionrrrrrrZsamba.provision.commonrZ samba.schemarrZ samba.netr Zsamba.provision.sambadnsr!r"r#base64r$r%r&r'Zsamba.dnsserverr(r)r*Zloggingrrrrr collectionsr+Z samba.compatr,r-Z samba.netcmdr.rr/r%r<rrrrrr6r6r6r7s   (                 8 " 8