a cl_m@sddlZddlZddlZddlZddlmZddlmZddlm Z ddl m Z ddl m Z mZmZmZmZddlmZmZmZedZGdd d eZGd d d eZGd d d eZGdddeZGdddeZdS)N)Ldb) ndr_unpack)security) SCOPE_SUBTREESCOPE_ONELEVEL SCOPE_BASEERR_NO_SUCH_OBJECTLdbError)Command CommandErrorOptionz^([^;]+);range=(\d+)-(\d+|\*)$c @seZdZddddddddejejdf ddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZddZddZddZdS)LDAPBaseFsectionSUBTcCsg}|}d|vr.tj|r&d|}nd|}|drBdg}| |_| |_t||||d|_| |_ | |_ ||_ ||_ ||_ ||_| |_||_||_||_t|j|_t|j|_t|j|_t|j|_||_||_t !dd|j"d d |_#|$|_%|&|j r|j s|j'd |j|j'd d |j|j'd d|j|j'd d|j|j'd d|j#dS)Nz://ztdb://%sz ldap://%szldap://zmodules:paged_searches)ZurlZ credentialslpoptionsz [Dd][Cc]=r,.z * Place-holders for %s:  z${DOMAIN_DN} => %s z${DOMAIN_NETBIOS} => %s z${SERVER_NAME} => %s z${DOMAIN_NAME} => %s )(ospathisfilelower startswithoutferrfrldb search_base search_scope two_domainsquiet descriptor sort_acesviewverbosehostskip_missing_dnstrZget_default_basednbase_dnZget_root_basednroot_dnZget_config_basedn config_dnZget_schema_basedn schema_dn find_netbiosdomain_netbios find_servers server_namesresubreplace domain_namefind_domain_sid domain_sid get_sid_mapwrite)selfr&credsrtwor!r"r#r%r$basescoperrr'Z ldb_optionsZ samdb_urlr>6/usr/lib/python3/dist-packages/samba/netcmd/ldapcmp.py__init__-s`         zLDAPBase.__init__cCs,|jj|jdtd}ttj|dddS)Nz(objectClass=*))r< expressionr=r objectSid)rsearchr)rrrdom_sidr9resr>r>r?r5bszLDAPBase.find_domain_sidcCs:|jjd|jtddgd}t|dks,Jdd|DS)z zOU=Domain Controllers,%sz(objectClass=computer)cn)r<r=rAattrsrcSsg|]}t|ddqS)rGrr(.0xr>r>r? lz)LDAPBase.find_servers..)rrCr)rlenrEr>r>r?r/fs zLDAPBase.find_serverscCsP|jjd|jtdgd}t|dks*J|D]}d|vr.|ddSq.dS)NzCN=Partitions,%s nETBIOSNamer<r=rHr)rrCr+rrO)r9rFrLr>r>r?r-nszLDAPBase.find_netbiosc Csld}z|jj|td}WnFty^}z.|j\}}|tkrHWYd}~dSWYd}~n d}~00t|dkS)N)r<r=F)rrCrr argsrrO)r9 object_dnrFZe2enumestrr>r>r? object_existsvs zLDAPBase.object_existsc CsLz|j|Wn6tjyF}zdt|vs2JWYd}~n d}~00dS)NzNo such object)rdeleterr r()r9rTer>r>r? delete_forceszLDAPBase.delete_forcecCs t|}|dur|S|dS)zi Returns the real attribute name It resolved ranged results e.g. member;range=0-1499 NrR)RE_RANGED_RESULTmatchgroup)r9keymr>r>r?get_attribute_names zLDAPBase.get_attribute_namec Cst|}|dur|S|d}t|d}d||df}|jj|t|gd}t|dksbJt|d}|d=d} d} |D]<}t|}|durq|d|krq|} t ||} qq| durʐq| | | ddkrqt| d |dksJt| d}q.|S) zp Returns list with all attribute values It resolved ranged results e.g. member;range=0-1499 NrRz %s;range=%d-*rQrdn*) r[r\r]intrrCrrOdictlistextend) r9rTr^valsr_attrhinrFZfmZfvalsr>r>r?get_attribute_valuess:      zLDAPBase.get_attribute_valuescCst|jj|tdgd}t|dks$Jt|d}|d=i}|D],\}}||}t|}||||||<qB|S)z: Returns dict with all default visible attributes rcrQrRrrb) rrCrrOrfitemsr`sortedrm)r9rTrF attributesr^rinamer>r>r?get_attributess  zLDAPBase.get_attributescCs<|jj|tdgd}|ddd}ttj|}||jS)NZnTSecurityDescriptorrQr)rrCrrrr"Zas_sddlr6)r9rTrFZdescr>r>r?get_descriptor_sddls zLDAPBase.get_descriptor_sddlc Csd|}gd}d}d}d}|t|krd}d}|||krtt||dd} dd| | gt| } d|t|kr| |}n|| 7}|d 7}|d 7}q0||d 7}|d 7}q|t|ksJ|d d S) z Translate binary representation of schemaIDGUID to standard string representation. @gid_blob: binary schemaIDGUID %s)rdrdrdrrZ0xN0rdrR -)rOhexordr3strip) r9Z guid_blobZblobZstopsindexrFrLtmpycr>r>r?guid_as_strings(      zLDAPBase.guid_as_stringc Cspi|_|jj|jdtddgd}|D]F}z.t|dd|jdttj|dd<Wq$t yhYq$0q$dS)za Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights. z (objectSid=*)rBsAMAccountName)r<rAr=rHrrtN) sid_maprrCr)rr(rrrDKeyError)r9rFitemr>r>r?r7s  . zLDAPBase.get_sid_mapN)__name__ __module__ __qualname__sysstdoutstderrr@r5r/r-rWrZr`rmrrrsrr7r>r>r>r?r +s  5  4r c@s>eZdZejejfddZddZddZddZ d d Z d S) DescriptorcCsH||_||_||_||_|j|j|_||_|jjrD|j dSN) rrconrbrssddl extract_dacl dacl_listr#sort)r9 connectionrbrrr>r>r?r@s zDescriptor.__init__cCs\z8d|jvr"td|jd}ntd|jd}WntyNgYS0td|S)zG Extracts the DACL as a list of ACE string (with the brakets). zS:zD:(.*?)(\(.*?\))S:rdzD:(.*?)(\(.*\))z (\(.*?\)))rr1rCr]AttributeErrorfindallrEr>r>r?rs   zDescriptor.extract_daclc Csbd|}td|}t|dkr$|S|D]4}z|jj|}|||}Wq(tyZYq(0q(|S)Nrtz S-[-0-9]+r)r1rrOrrr3r)r9acerFZsidsZsidrqr>r>r?fix_sids    zDescriptor.fix_sidc Cs&d}t|jt|jkrL|d7}|ddt|j7}|ddt|j7}d}d}d}d}zd|j|}Wntyd}Yn0zd|j|}Wntyd}Yn0t|t|dkrȐqd||}d||}||kr|d||f7}d }n|d ||f7}|d 7}qT||fS) Nr Difference in ACE count:  => %s rTrtz %60s * %s Fz %60s | %s rR)rOr IndexErrorr) r9otherrFiflagZself_aceZ other_aceZself_ace_fixedZother_ace_fixedr>r>r?diff_1+s6      zDescriptor.diff_1c sd}tjtjkrL|d7}|ddtj7}|ddtj7}g}g}g}fddjD}fddjD}|D]:}z||Wnty||Yq0||qt|}t|dkr|d d jj7}|D]}|d|d 7}q|D]>}z||Wnty8||Yn 0||qt|}t|dkr|d d jj7}|D]}|d|d 7}qvttt |}jj r|d 7}|D]}|d|d 7}q|gko|gk|fS) Nrrrrcsg|]}|qSr>rrKrr9r>r?rMVrNz%Descriptor.diff_2..csg|]}|qSr>rrrr>r?rMWrNrrzACEs found only in %s:  z ACEs found in both: ) rOrr} ValueErrorappendrorr&rgsetr%) r9rrFZ common_acesZ self_acesZ other_acesZself_dacl_list_fixedZother_dacl_list_fixedrr>rr9r?diff_2LsL   zDescriptor.diff_2N) rrrrrrr@rrrrr>r>r>r?rs   !rc@s^eZdZejejfddZddZddZddZ d d Z d d Z d dZ ddZ ddZdS) LDAPObjectcCs||_||_||_|jj|_|jj|_|jj|_||_|d|jj|_ |j dd|jj |_ |jj D]}|j dd||_ qh|j |j |_ gd|_|j|_|jdg7_|r|j|7_g|_g|_g|_g|_g|_|jr|jgd7_gd|_d d |jD|_gd |_d d |jD|_gd |_dd |jD|_gd|_dd |jD|_ddg|_dd |jD|_tdd |jD|_dS)N ${DOMAIN_DN}CN=${DOMAIN_NETBIOS}CN=%sCN=${SERVER_NAME}) ZbadPasswordTime badPwdCountZdSCorePropagationDataZ lastLogoffZ lastLogonZ logonCount modifiedCountzmsDS-Cached-Membershipz!msDS-Cached-Membership-Time-StampzmsDS-EnabledFeatureBLzmsDS-ExecuteScriptPasswordz msDS-NcTypezmsDS-ReplicationEpochzmsDS-RetiredReplNCSignatureszmsDS-USNLastSyncSuccessZpartialAttributeDeletionListZpartialAttributeSetZpekListZ prefixMapZreplPropertyMetaDataZreplUpToDateVectorZrepsFromZrepsToZ rIDNextRIDZrIDPreviousAllocationPoolZ schemaUpdateZ serverStatesubRefsZ uSNChanged uSNCreatedZ uSNLastObjRem whenChangedZmsExchServer1HighestUSN)#ZobjectCategoryZ objectGUIDrBZ whenCreatedrZ pwdLastSetrZ creationTimerZ priorSetTimeZrIDManagerReferenceZgPLinkZipsecNFAReferenceZfRSPrimaryMemberZ fSMORoleOwnerZ masteredByZipsecOwnersReferenceZwellKnownObjectsZotherWellKnownObjectsrZipsecISAKMPReferenceZipsecFilterReferencezmsDs-masteredByZ lastSetTimeZipsecNegotiationPolicyReferencerZgPCFileSysPathZaccountExpiresZ invocationIdZoperatingSystemVersionZoEMInformationZ schemaInfoZ targetAddressZmsExchMailboxGuidZsiteFolderGUID)&distinguishedNameZdefaultObjectCategorymemberZmemberOfZsiteListZnCNameZhomeMDBZhomeMTAinterSiteTopologyGeneratorserverReferencezmsDS-HasInstantiatedNCsZ hasMasterNCszmsDS-hasMasterNCszmsDS-HasDomainNCsZ dMDLocationmsDS-IsDomainForrIDSetReferencesserverReferenceBLZmsExchHomeRoutingGroupZmsExchResponsibleMTAServerZsiteFolderServerZmsExchRoutingMasterDNZmsExchRoutingGroupMembersBLZ homeMDBBLZmsExchHomePublicMDBZmsExchOwningServerZ templateRootsZaddressBookRootsZmsExchPolicyRootsZglobalAddressListZmsExchOwningPFTreeZmsExchResponsibleMTAServerBLZmsExchOwningPFTreeBLz$msDS-MembersOfResourcePropertyListBLzmsDS-ValueTypeReferencez"msDS-MembersOfResourcePropertyListzmsDS-ValueTypeReferenceBLzmsDS-ClaimTypeAppliesToClasscSsg|] }|qSr>upperrJr>r>r?rMrNz'LDAPObject.__init__..)ZproxyAddressesZmailZuserPrincipalNameZ"msExchSmtpFullyQualifiedDomainNameZ dnsHostNameZnetworkAddressZdnsRootservicePrincipalNamecSsg|] }|qSr>rrJr>r>r?rMrN) rrqCNrZ dNSHostNamerrrrrrcSsg|] }|qSr>rrJr>r>r?rMrN)rrrrPrqcSsg|] }|qSr>rrJr>r>r?rMrNrqZDCcSsg|] }|qSr>rrJr>r>r?rMrNcSsg|] }|qSr>rrJr>r>r?rMrN)rrrr r!r%summaryr3r)rbr.r0rrrpZnon_replicated_attributesignore_attributes dn_attributesdomain_attributesservername_attributesnetbios_attributesother_attributesr)r9rrbr filter_listrrrLr>r>r?r@{sF     $     zLDAPObject.__init__cCs|js|j|ddSzE Log on the screen if there is no --quiet option set rNr!rr8r9msgr>r>r?logszLDAPObject.logcCsLd|}|js|S||jjrH|dt|t|jjd}|S)Nrtr)r rendswithrr)rOr9srFr>r>r?fix_dns  zLDAPObject.fix_dncCsFd|}|js|S||jj|jj}||jjd}|S)Nrtz${DOMAIN_NAME})r r3rr4rrrr>r>r?fix_domain_name s zLDAPObject.fix_domain_namecCsFd|}|js|S||jj|jj}||jjd}|S)Nrtz${DOMAIN_NETBIOS})r r3rr.rrrr>r>r?fix_domain_netbioss zLDAPObject.fix_domain_netbioscCsDd|}|jrt|jjdkr"|S|jjD]}||d}q*|S)NrtrRz${SERVER_NAME})r rOrr0rr3)r9rrFrLr>r>r?fix_server_names  zLDAPObject.fix_server_namecCs|jjr||S||Sr)rr"cmp_desc cmp_attrs)r9rr>r>r?__eq__"s zLDAPObject.__eq__cCst|j|j|j|jd}t|j|j|j|jd}|jjdkrH||}n |jjdkr`||}ntd|d|_ |d|_ |dS)N)rrr collisionzUnknown --view option value.rRr) rrrbrrr$rr Exception screen_output)r9rZd1Zd2rFr>r>r?r's      zLDAPObject.cmp_desccs6d}g_tddjD}tddjD}||j}|rr|ddjj7}|D]}|d|d7}q\||j}|r|ddjj7}|D]}|d|d7}q||@}d } jD]}|jvs||vrqtj|tr2tj|tr2t j|j|<t j|j|<j|j|krd} d} d} d} |j vrfd dj|D} fd dj|D} | | kr qnh|j vr | } | } | s| s܈j|} j|} fd d| D} fd d| D} | | kr q|j vrt| } | } | sD| sDj|} j|} fdd| D} fdd| D} | | krtq|j vr| } | } | s| sj|} j|} fdd| D} fdd| D} | | krq|jvrD| } | } | s| sj|} j|} fdd| D} fdd| D} | | krDq| rZ|| d7}d} | r| r|d|d| | fd7}n(|d|dj|j|fd7}j|q|r||ksJjdt|7<jdj7<jdt|7<jdj7<|_|_|dkS)NrcSsg|] }|qSr>rrKrjr>r>r?rM:rNz(LDAPObject.cmp_attrs..cSsg|] }|qSr>rrr>r>r?rM;rNrzAttributes found only in %s:rrz# Difference in attribute values:cs"g|]}jjdd|kqSrrrr4splitrKjrr>r?rMYrNcs"g|]}jjdd|kqSrrrrr>r?rMZrNcsg|]}|qSr>rrrr>r?rMdrNcsg|]}|qSr>rrrr>r?rMerNcsg|]}|qSr>rrrr>r?rMorNcsg|]}|qSr>rrrr>r?rMprNcsg|]}|qSr>rrrr>r?rM{rNcsg|]}|qSr>rrrr>r?rM|rNcsg|]}|qSr>rrrr>r?rMrNcsg|]}|qSr>rrrr>r?rMrNz => %s %s unique_attrsdf_value_attrs)rrrprrr&r isinstancergrorrrrrrrr)r9rrFZ self_attrsZ other_attrsZself_unique_attrsrLZother_unique_attrsZ missing_attrstitlepqr_rlr>rr?r6s $                   (zLDAPObject.cmp_attrsN)rrrrrrr@rrrrrrrrr>r>r>r?rzs rc@sJeZdZddejejfddZddZddZdd Z d d Z d d Z dS) LDAPBundleNc Cs||_||_||_|jj|_|jj|_|jj|_|jj|_|jj|_|jj|_i|_ g|j d<g|j d<g|j d<g|j d<||_ |r||_ n,| dvr| |_ |||_ ntdd}|t|j krZ|jrZ|j |}|dt|t|jjd}|d |jjd }t|jjd krF|jjD]} |d | d }q.||j |<|d 7}qtt|j |_ t|j |_ t|j |_dS) NrrZknown_ignored_dnZabnormal_ignored_dnDOMAIN CONFIGURATIONSCHEMA DNSDOMAIN DNSFORESTz-Unknown initialization data for LDAPBundle().rrrrrRr)rrrr r!r%rrr'rrdn_listrcontext get_dn_listrrOr)r3r.r0rgrrosize) r9rrrrrrZcounterr~rLr>r>r?r@sD                  zLDAPBundle.__init__cCs|js|j|ddSrrrr>r>r?rszLDAPBundle.logcCst|j|_t|j|_dSr)rOrrrorr>r>r? update_sizes zLDAPBundle.update_sizec Csd}|j|jkr0|d|j|jf|js0d}tdd|jD}tdd|jD}|jtkr|js||}|rd}|d|jjt |D]}|d|q||}|rd}|d|jjt |D]}|d|q||@}|d t ||D]} z"t |j| |j |j |j|jd } WnFtyp} z,|d | | fWYd} ~ qWYd} ~ n d} ~ 00z"t |j| |j |j |j|jd } WnFty} z,|d | | fWYd} ~ qWYd} ~ n d} ~ 00| | kr6|jjr|d |d | j| jjf|d | j| jjf|dnT|d |d | j| jjf|d | j| jjf|| j|dd}| j |_ | j |_ q|S)NTz) * DN lists have different size: %s != %sFcSsg|] }|qSr>rrKrr>r>r?rMrNz#LDAPBundle.diff..cSsg|] }|qSr>rrr>r>r?rMrNz * DNs found only in %s:rz * Objects to be compared: %d)rrbrrrrzLdbError for dn %s: %sz Comparing:z '%s' [%s]z OKz FAILED)rrr'rrrrrr&rorOrrrrrr r%rbr) r9rrFZself_dnsZ other_dnsZ self_onlyrLZ other_onlyZ common_dnsrbZobject1rYZobject2r>r>r?diffst     $ $        zLDAPBundle.diffc CsT|dkr|jj}n^|dkr,|jj}nH|dkrB|jj}n2|dkr\d|jj}n|dkrtd|jj}g}|js||_|j|_|jdkrt|_n,|jd krt |_n|jd krt |_nt d z|jj j |j|jd gd }WnDty0}z*|j\}}|jd|jWYd}~n d}~00|D]}||d q6|S)z Query LDAP server about the DNs of certain naming self.con.ext Domain (or Default), Configuration, Schema. Parse all DNs and filter those that are 'strange' or abnormal. rrrrzDC=DomainDnsZones,%srzDC=ForestDnsZones,%srBASEONEz0Wrong 'scope' given. Choose from: SUB, ONE, BASErbrQzFailed search of base=%s N)rrr)r+r,r*rrrrrrrrCr rSrr8rZget_linearized) r9rrrrFZe3rUrVrLr>r>r?rs<              zLDAPBundle.get_dn_listcCstt|jd|jd<tt|jd|jd<|jdrl|d|jj|ddd|jdD|jdr|d|ddd|jdDg|jd<dS) Nrrz Attributes found only in %s:rcSsg|]}td|qSz rIrJr>r>r?rMJrNz,LDAPBundle.print_summary..z" Attributes with different values:cSsg|]}td|qSrrIrJr>r>r?rMNrN)rgrrrrr&joinrr>r>r? print_summaryDs     zLDAPBundle.print_summary) rrrrrrr@rrrrrr>r>r>r?rs 'I%rc@seZdZdZdZejejejdZ gdZ e ddddd d d e d d ddd dd e ddddd dd e dddd dd e dddd dd e dddddgdde d d!d"d#d$e d%d&d"d'd$e d(d)d*gd+d,de d-d.d"d/d$e d0d1dd d2d g Z d6d4d5Z d3S)7 cmd_ldapcmpzCompare two ldap databases.zO%prog (domain|configuration|schema|dnsdomain|dnsforest) [options]) sambaopts versionoptscredopts)URL1URL2z context1?z context2?z context3?z context4?z context5?z-wz--twor; store_trueFz"Hosts are in two different domains)destactiondefaulthelpz-qz--quietr!z1Do not print anything but relay on just exit codez-vz --verboser%z*Print all DN pairs that have been comparedz--sdr"z+Compare nTSecurityDescriptor attibutes onlyz --sort-acesr#z=Sort ACEs before comparison of nTSecurityDescriptor attributez--viewr$rrzUDisplay mode for nTSecurityDescriptor results. Possible values: section or collision.)rrchoicesrz--baser<rz:Pass search base that will build DN list for the first DC.)rrrz--base2base2znPass search base that will build DN list for the second DC. Used when --two or when compare two different DNs.z--scoper=r)rrrz>Pass search scope that builds DN list. Options: SUB, ONE, BASEz--filterfilterz?List of comma separated attributes to ignore in the comparisionz--skip-missing-dnr'zCSkip report and failure due to missing DNs in one server or anotherNc#Cs|}|dp|d}|r0|j|dd}nd}|j|dd}|rP|}n|d|d|rx|sxtdg}|dur|r|rdg}qgd }nD|||||fD]4}|durq| d vrtd || | q| r| rtd |s|s|r|std t ||||| | | | | |||j |j |d }t|jdksLJt ||||| | | | | |||j |j |d }t|jdksJ|d}d}|D]} | s|j d| t|| ||j |j d}!t|| ||j |j d}"|!|"r| sx|j d| nt| st|j d| | stt|!jdt|"jdksBJg|"jd<|j d|j d|!|"d}q|dkrtd|dS)NZldapT)Zfallback_machineF)Zguessrz3You must supply at least one username/password pairrrzIncorrect argument: %sz-You cannot set --verbose and --quiet togetherzr>r?runws          "    zcmd_ldapcmp.run)NNNNNFFFFFrrrrrNNNF)rrr__doc__ZsynopsisrZ SambaOptionsZVersionOptionsZCredentialsOptionsDoubleZtakes_optiongroupsZ takes_argsr Z takes_optionsr r>r>r>r?rRs\      r)rr1rZsambaZ samba.getoptZgetoptrrZ samba.ndrrZ samba.dcerpcrrrrrrr Z samba.netcmdr r r compiler[objectr rrrrr>r>r>r?s&     [u*1