a W×a´Œã0@sXdZdZddlmZddlmZddlmZddlm Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlZddlZddlZddlZddlZddlZddlmZmZdd lmZddlZdd lmZdd lmZm Z dd lm!Z"dd lm#Z#ddlm$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,ddl-m.Z.m/Z/ddl0m1Z1m2Z2ddlm3Z3m4Z4m5Z5ddl6m7Z7ddl8m9Z9ddl:m;Z;mm?Z?m@Z@ddlAmBZBddlCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPmQZQmRZRmSZSmTZTmUZUmVZVmWZWddlXmYZYmZZZm[Z[m\Z\m]Z]m^Z^m_Z_ddl`maZambZbmcZcddldZddleZddlfmgZgddlhmiZiddljmkZkddllmmZmddlhmnZndZod Zpd!Zqd"Zrd#ZsGd$d%„d%etƒZuGd&d'„d'etƒZvd(d)„Zwdœd+d,„Zxd-d.„Zyd/d0„Zzd1d2„Z{Gd3d4„d4etƒZ|d5d6„Z}d7d8„Z~d9d:„Zd;d<„Z€d=d>„Zd?d@„Z‚dAdB„ZƒddCdD„Z„dždEdF„Z…dGdH„Z†dŸdIdJ„Z‡dddddKe2fdLdM„ZˆdNdO„Z‰dPdQ„ZŠdRdS„Z‹dTdU„ZŒdVdW„ZdXdY„ZŽd dZd[„Zd\d]„Zd^d_„Z‘d`da„Z’dbZ“d¡dcdd„Z”d¢dedf„Z•dgZ–dhZ—diZ˜e˜fdjdk„Z™dldm„Zšdndo„Z›dpdq„Zœdrds„Zdtdu„Zždvdw„ZŸd£dxdy„Z dzd{„Z¡dde\ddd|dddddddddddddd*dd*d*ddfd}d~„Z¢dd€dddd€ddd€ddd‚œ Z£dƒd„„Z¤d…d†„Z¥d¤dˆd‰„Z¦d¥dŠd‹„Z§d¦dŒd„Z¨dde\dddddddddddd|ddddddddddddddddddddd*d*dd*d*dddŽdd*ddd*f0dd‘„Z©d§d’d“„Zªd”d•„Z«Gd–d—„d—e¬ƒZ­Gd˜d™„d™e¬ƒZ®Gdšd›„d›e­ƒZ¯dS)¨z/Functions for setting up a Samba configuration.ZrestructuredTexté)Úquote)Ú string_types)Ú binary_type)Ú b64encodeN)Úsystem_sessionÚ admin_session)Úsystem_session_unix)Úauth)ÚsmbdÚpassdb)Úparam)ÚDS_DOMAIN_FUNCTION_2000) ÚLdbÚMAX_NETBIOS_NAME_LENÚcheck_all_substitutedÚis_valid_netbios_charÚ setup_fileÚsubstitute_varÚvalid_netbios_nameÚversionÚis_heimdal_built)ÚsecurityÚmisc)Ú SEC_CHAN_BDCÚSEC_CHAN_WKSTA)ÚDS_DOMAIN_FUNCTION_2003ÚDS_DOMAIN_FUNCTION_2008_R2Ú ENC_ALL_TYPES)ÚIDmapDB)Ú read_ms_ldif)ÚsetntaclÚgetntaclÚ dsacl2fsacl)Úndr_packÚ ndr_unpack)Ú LDBBackend)Úget_empty_descriptorÚget_config_descriptorÚ get_config_partitions_descriptorÚget_config_sites_descriptorÚ!get_config_ntds_quotas_descriptorÚ'get_config_delete_protected1_descriptorÚ)get_config_delete_protected1wd_descriptorÚ'get_config_delete_protected2_descriptorÚget_domain_descriptorÚ$get_domain_infrastructure_descriptorÚget_domain_builtin_descriptorÚget_domain_computers_descriptorÚget_domain_users_descriptorÚ!get_domain_controllers_descriptorÚ'get_domain_delete_protected1_descriptorÚ'get_domain_delete_protected2_descriptorÚget_dns_partition_descriptorÚ'get_dns_forest_microsoft_dns_descriptorÚ'get_dns_domain_microsoft_dns_descriptorÚ'get_managed_service_accounts_descriptor)Ú setup_pathÚsetup_add_ldifÚsetup_modify_ldifÚ FILL_FULLÚFILL_SUBDOMAINÚ FILL_NT4SYNCÚFILL_DRS)Úget_dnsadmins_sidÚ setup_ad_dnsÚcreate_dns_update_list)ÚSchema)ÚSamDB)Údbcheck)Úcreate_kdc_conf)Úget_default_backend_storez$31B2F340-016D-11D2-945F-00C04FB984F9z$6AC1786C-016F-11D2-945F-00C04FB984F9zDefault-First-Site-NameZlastProvisionUSNéc@seZdZdd„ZdS)ÚProvisionPathscCsjd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_dS©N)Ú shareconfÚhklmÚhkcuÚhkcrÚhkuÚhkpdÚhkptÚsamdbÚidmapdbÚsecretsÚkeytabÚ dns_keytabÚdnsÚwinsdbÚ private_dirÚ binddns_dirÚ state_dir©Úself©r_ú:/usr/lib/python3/dist-packages/samba/provision/__init__.pyÚ__init__Šs"zProvisionPaths.__init__N©Ú__name__Ú __module__Ú __qualname__rar_r_r_r`rJˆsrJc@seZdZdd„ZdS)ÚProvisionNamescCsvd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_d|_i|_dSrK)ÚncsÚrootdnÚdomaindnÚconfigdnÚschemadnÚ dnsforestdnÚ dnsdomaindnÚ ldapmanagerdnÚ dnsdomainÚrealmÚ netbiosnameÚdomainÚhostnameÚsitenameÚsmbconfÚ domainsidÚ forestsidÚ domainguidÚname_mapr]r_r_r`ra s&zProvisionNames.__init__Nrbr_r_r_r`rfžsrfcCsštƒ}d|_| d¡ ¡|_| d¡|_|j ¡|_t  |j¡}|j ¡|_|j d|jdt j dgd}t |ddƒ d d ¡|_||_|j d d t jgd ¢d} t | dd dƒ|_t | dddƒ|_t  ||¡t  || ddd d¡¡ks&td|jt | ddd d¡ƒ|j|fƒ‚t | dddƒ|_t | dddƒ|_| dd|_d|_d|_tdt|jƒƒD]X} t |j| ƒ} dt |jƒ} | | kr°| |_q|dt |jƒ} | | kr|| |_q|q||j ddt |jƒt jdgd}t |ddƒ|_ |j d|jd|t jdgd}t|ƒdkrHtd|j|fƒ‚t |ddƒ d|jd ¡|_!|j d|dj"g|jd}t |dj"ƒ|_#|j d d t |j#ƒt jd!d"gd}t t$t%j&|dd#dƒƒ|_'t t$t%j&|dd"dƒƒ|_(|j d |t jgd$¢d}t t$t%j&|dd"dƒƒ|_)t$t*j+|dd%dƒ|_,t$t*j+|dd%dƒ|_-|d d&¡dusŠt.|dd&dƒt/kr’t/|_0nt.|dd&dƒ|_0|j d't1d(|t jdd)gd}t |ddƒ d*d ¡ d+d ¡|_2|j d't3d(|t jdd)gd}t|ƒd,kr<|S)?aÈGet key provision parameters (realm, domain, ...) from a given provision :param samdb: An LDB object connected to the sam.ldb file :param secretsdb: An LDB object connected to the secrets.ldb file :param idmapdb: An LDB object connected to the idmap.ldb file :param paths: A list of path to provision object :param smbconf: Path to the smb.conf file :param lp: A LoadParm object :return: A list of key provision parameters NÚ workgrouprpz (flatname=%s)zCN=Primary DomainsZsAMAccountName©Ú expressionÚbaseÚscopeÚattrsrú$Úz(objectClass=*))ÚdefaultNamingContextÚschemaNamingContextÚconfigurationNamingContextÚrootDomainNamingContextÚnamingContextsr„rƒr‚Úutf8z5basedn in %s (%s) and from %s (%s)is not the same ...r…r†zDC=ForestDnsZones,%szDC=DomainDnsZones,%sz(objectClass=site)z CN=Sites,Úcnz(CN=%s)zOU=Domain Controllers,%sZ dNSHostNamez=Unable to find DC called CN=%s under OU=Domain Controllers,%sÚ.zserverReference=%s)r|rr}úCN=NTDS Settings,%sZ invocationIDÚ objectGUIDZ invocationId)r‹Ú objectSidúmsDS-Behavior-VersionrŒrz (name={%s})zCN=Policies,CN=System,Z displayNameú{ú}éz (cn=%s-%s)Z xidNumberÚtype)r|rz3Unable to find uid/gid for Domain Admins rid (%s-%sZ ID_TYPE_BOTHz(samaccountname=dns)Údnúsearch_options:1:2)r|r~rÚcontrolsTFz(samaccountname=dns-%s)Z BIND9_DLZÚSAMBA_INTERNALZBIND9_FLATFILEZNONEZ DnsAdmins)=rfÚ adminpassÚgetÚupperrrrpÚlowerroÚsambaÚdn_from_dns_nameÚsearchÚldbÚ SCOPE_SUBTREEÚstrÚreplacerqruÚ SCOPE_BASErjrkÚDnÚdecodeÚProvisioningErrorrSrirhrgrlrmÚrangeÚlenÚSCOPE_ONELEVELrtrsr’Úserverdnr$rZGUIDZ invocationÚntdsguidrxrÚdom_sidrvrwÚintr Z domainlevelÚDEFAULT_POLICY_GUIDZpolicyidÚDEFAULT_DC_POLICY_GUIDZ policyid_dcÚDOMAIN_RID_ADMINISTRATORÚroot_gidÚpwdÚgetpwuidÚpw_gidÚ dns_backendrAry)rSÚ secretsdbrTÚpathsruÚlpÚnamesÚbasednÚresZcurrentÚiZncrlrmZres3Zres4Z server_resZres5Zres6Zres7Zres8Zres9Zres10Zhas_legacy_dns_accountZres11Zhas_dns_accountZdns_admins_sidr_r_r`Úfind_provision_key_parameters¶sú     ÿþþÿþÿ  ÿ þ ÿ ý ÿÿ  þ" ý$ÿþþ þ   r»Fc Csðg}|s^|jdtjtdgd}|dtD]2}t dt|ƒ¡sNdt|ƒ|f}| t|ƒ¡q*| d|||f¡t ¡}t |d¡|_ t  |tj t¡|t<|jddtjd gd }t |ƒdksÎt |dƒdkrât  |tj d ¡|d <| |¡d S) a_Update the field provisionUSN in sam.ldb This field is used to track range of USN modified by provision and upgradeprovision. This value is used afterward by next provision to figure out if the field have been modified since last provision. :param samdb: An LDB object connect to sam.ldb :param low: The lowest USN modified by this upgrade :param high: The highest USN modified by this upgrade :param id: The invocation id of the samba's dc :param replace: A boolean indicating if the range should replace any existing one or appended (default) ú @PROVISIONr’)r}r~rrú;z%s;%sú%s-%s;%szprovisionnerID=*ÚprovisionnerIDr{N)rœrr¡ÚLAST_PROVISION_USN_ATTRIBUTEÚrerŸÚappendÚMessager¢r’ÚMessageElementÚFLAG_MOD_REPLACEr¦Ú FLAG_MOD_ADDÚmodify) rSÚlowÚhighÚidr ÚtabÚentryÚeÚdeltar_r_r`Úupdate_provision_usnXs2þþÿþrÏcCsPg}| d|||f¡t ¡}t |d¡|_t |tjt¡|t<| |¡dS)aÔSet the field provisionUSN in sam.ldb This field is used to track range of USN modified by provision and upgradeprovision. This value is used afterward by next provision to figure out if the field have been modified since last provision. :param samdb: An LDB object connect to sam.ldb :param low: The lowest USN modified by this upgrade :param high: The highest USN modified by this upgrade :param id: The invocationId of the provisionr¾r¼N) rÂrrÃr¢r’rÄrÆrÀÚadd)rSrÈrÉrÊrËrÎr_r_r`Úset_provision_usns þÿrÑcCs(|jd|tjdggd¢d}|ddS)a This function return the biggest USN present in the provision :param samdb: A LDB object pointing to the sam.ldb :param basedn: A string containing the base DN of the provision (ie. DC=foo, DC=bar) :return: The biggest USN in the provisionz objectClass=*Z uSNChanged)r“zserver_sort:1:1:uSNChangedzpaged_results:1:1)r|r}r~rr”r)rœrrž)rSr¸r¹r_r_r`Ú get_max_usn™s þrÒc Csdz |jdtdtjtdgd}WnJtjyj}z0|j\}}|tjkrTWYd}~dS‚WYd}~n d}~00t|ƒdkr\g}i}t  d¡}|d  d¡rº|ddD]}|  t |ƒ¡q¦|dtD]} t | ƒ  d¡} t| ƒd krî| d } nd } t|ƒdkr | |vr qÆ|  | d¡} |  | ¡dur2g|| <||   | d¡||   | d ¡qÆ|SdSdS) aGet USNs ranges modified by a provision or an upgradeprovision :param sam: An LDB object pointing to the sam.ldb :return: a dictionary which keys are invocation id and values are an array of integer representing the different ranges z%s=*r¼r¿r{Nrú-r½érÚdefault)rœrÀrr¡ÚLdbErrorÚargsZERR_NO_SUCH_OBJECTr¦rÁÚcompiler—rÂrŸÚsplit) ZsamrÌZe1ZecodeZemsgZmyidsr¥ÚprÍÚrZtab1rÊZtab2r_r_r`Úget_last_provision_usn©s> þ      rÜc@s eZdZdZdd„Zdd„ZdS)ÚProvisionResultz™Result of a provision. :ivar server_role: The server role :ivar paths: ProvisionPaths instance :ivar domaindn: The domain dn, as string cCsFd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ dSrK) Ú server_rolerµrir¶rSÚidmapr·rvÚadminpass_generatedr–Úbackend_resultr]r_r_r`raÚszProvisionResult.__init__cCs€| d¡|jr| d|j¡| d|j¡| d|jj¡| d|jj¡| d|jj¡| d|j¡|j r||j   |¡dS) z)Report this provision result to a logger.zMOnce the above files are installed, your Samba AD server will be ready to usezAdmin password: %szServer Role: %szHostname: %szNetBIOS Domain: %szDNS Domain: %szDOMAIN SID: %sN) Úinforàr–rÞr·rsrrrorvráÚ report_logger)r^Úloggerr_r_r`rãçsÿzProvisionResult.report_loggerN)rcrdreÚ__doc__rarãr_r_r_r`rÝÒs rÝcCsH| d¡dkrtdƒ‚t| ¡|||d}t| d¡ƒdkrDtdƒ‚dS) z¢Check whether the current install seems ok. :param lp: Loadparm context :param session_info: Session information :param credentials: Credentials rprz Realm empty)Ú session_infoÚ credentialsr¶z(cn=Administrator)rzNo administrator account foundN)r—Ú ExceptionrZ samdb_urlr¦rœr¤)r¶rærçrSr_r_r`Ú check_installøs ÿréc Cs<|D]&}z||ƒWSty(Yq0qtd|ƒ‚dS)zÔFind a user or group from a list of possibilities. :param nssfn: NSS Function to try (should raise KeyError if not found) :param names: Names to check. :return: Value return by first names list. zUnable to find user/group in %rN)ÚKeyError)Znssfnr·Únamer_r_r`Úfindnsss  rìcCsttj|ƒdS©NrÔ)rìr°Úgetpwnam©r·r_r_r`Ú findnss_uidsrðcCsttj|ƒdSrí)rìÚgrpZgetgrnamrïr_r_r`Ú findnss_gidsròc CsNz t|ƒ}Wn<tyH}z$| |¡| d¡d}WYd}~n d}~00|S)NzAssuming root user has UID zeror)rðrêrâ)ÚrooträÚroot_uidrÍr_r_r`Ú get_root_uids   rõcCs¨tƒ}| d¡|_| d¡|_| d¡|_d|_d|_tj  |jd¡|_ tj  |jd¡|_ tj  |jd¡|_ tj  |jd ¡|_ tj  |jd ¡|_tj  |jd ¡|_tj  |jd ¡|_tj  |jd ¡|_tj  |jd¡|_tj  |jd¡|_tj  |jd¡|_tj  |jd¡|_tj  |jd|d¡|_tj  |jd¡|_tj  |jd¡|_tj  |jd¡|_d|_d|_d|_d|_d|_d|_| dd¡|_ | dd¡|_!|j"|_#|S) ztSet the default paths for provisioning. :param lp: Loadparm context. :param dnsdomain: DNS Domain name ú private dirú binddns dirústate directoryz dns.keytabúsecrets.keytabz share.ldbzsam.ldbz idmap.ldbz secrets.ldbz privilege.ldbÚdns_update_listÚspn_update_listú krb5.confzkdc.confzwins.ldbZldapizencrypted_secrets.keyrXz.zonez named.confznamed.conf.updatez named.txtzhklm.ldbzhkcr.ldbzhkcu.ldbzhku.ldbzhkpd.ldbzhkpt.ldbÚpathÚsysvolÚnetlogon)$rJr—rZr[r\rWrVÚosrýÚjoinrLrSrTrUÚ privilegerúrûÚkrb5confÚkdcconfrYÚ s4_ldapi_pathÚencrypted_secrets_key_pathrXZ namedconfZnamedconf_updateZnamedtxtrMrOrNrPrQrRrþrÿÚ configfileru)r¶rorµr_r_r`Úprovision_paths_from_lp(sF   þrcCs$d dd„|Dƒ¡}|dt… ¡S)z)Determine a netbios name from a hostname.rcSsg|]}t|ƒr|‘qSr_)r)Ú.0Úxr_r_r`Ú [óz*determine_netbios_name..N)rrr˜)rsrqr_r_r`Údetermine_netbios_nameXsr c Csú|durt ¡ d¡d}| d¡} | dur4t|ƒ} |  ¡} t| ƒsLt| ƒ‚|dur|| d¡}|dusn|dkr|td|j ƒ‚|  ¡}|dur¬| d¡}|dur¬td |j ƒ‚|  ¡}| ¡} | d¡dkrØtd |j ƒ‚| d¡ ¡| kr td | d¡ ¡|j | fƒ‚| d¡  ¡|kr8td | d¡|j |fƒ‚|d krÀ|durV| d¡}| ¡}| d¡ ¡|krtd| d¡ ¡||j fƒ‚|dur¤t   |¡}|| krÖtd|| fƒ‚n| }|durÖd| }t|ƒsèt|ƒ‚| ¡| krtd| |fƒ‚|  ¡| kr$td| | fƒ‚|| krD| sDtd| |fƒ‚|d krZ| } |   ¡}|durh|}|durzd|}|durŒd|}| duršt } tƒ}||_||_||_||_d||_||_||_| |_| |_||_| |_d| | |f|_|S)z$Guess configuration settings to use.Nr‰rú netbios namerprz2guess_names: 'realm' not specified in supplied %s!ú server rolez8guess_names: 'server role' not specified in supplied %s!zwguess_names: 'realm =' was not specified in supplied %s. Please remove the smb.conf file and let provision generate itzzguess_names: 'realm=%s' in %s must match chosen realm '%s'! Please remove the smb.conf file and let provision generate itz†guess_names: 'server role=%s' in %s must match chosen server role '%s'! Please remove the smb.conf file and let provision generate itú"active directory domain controllerrzzguess_names: Workgroup '%s' in smb.conf must match chosen domain '%s'! Please remove the %s file and let provision generate itzCguess_names: Domain '%s' must not be equal to short host name '%s'!zDC=z;guess_names: Realm '%s' must not be equal to hostname '%s'!zCguess_names: Realm '%s' must not be equal to NetBIOS hostname '%s'!zDguess_names: Realm '%s' must not be equal to short domain name '%s'!zCN=Configuration,z CN=Schema,z CN=Manager,z"CN=%s,CN=Servers,CN=%s,CN=Sites,%s)ÚsocketÚ gethostnamerÙr—r r˜rÚInvalidNetbiosNamer¤rr™ršr›Ú DEFAULTSITErfrhrirjrkrnrorrrprqrsrtr¨)r¶rsrrroÚ serverrolerhrirjrkr¨rtÚdomain_names_forcedrqrpr·r_r_r`Ú guess_names_sš  ÿÿ               ÿrc  Csz|dus J‚|dur&t ¡ d¡d}t|ƒ} |dur:d}|dusFJ‚| ¡}|dusZJ‚| ¡}| |||dœ} |dur‚tj ¡}tj   |¡r˜|  |¡| durÈ| D]"} | | dur¤d  | | ¡| | <q¤|durŽtj   tj   |d¡¡| d<tj   |¡| d <tj   tj   |d ¡¡| d <tj   tj   |d ¡¡| d <tj   tj   |d¡¡| d<| d tj   |¡¡| d | d ¡| d | d ¡| d| d¡|rt|r|durÒtj   |d¡} | dtj   tj   | d¡¡¡n4| d¡st| d¡} | dtj   tj   | d¡¡¡nl|dur@tj   |d ¡}| dtj   tj   |d¡¡¡n4| d¡st| d ¡}| dtj   tj   |d¡¡¡i}|dkr¸tj   | d ¡d¡|d<tj   |d| ¡d¡|d<nd| d<t|dƒ}zŠ| d¡|  ¡D]\}}| d||f¡qÞ| d¡| ¡D]:\}}| d|¡| d|¡| d ¡| d¡qW| ¡n | ¡0|  |¡| d!|¡dS)"zDCreate a new smb.conf file based on a couple of basic settings. Nr‰rústandalone server)rrzrprú Zprivaterözlock dirÚstaterøÚcachezcache directoryzbind-dnsr÷z posix:eadbzeadb.tdbzxattr_tdb:filez xattr.tdbrrþZscriptsrÿZ samba_dsdbúpassdb backendÚwz [globals] z %s = %s Ú z[%s] z path = %s z read only = no F)rrrÙr r˜ršr ÚLoadParmrrýÚexistsÚloadrÚabspathÚsetr—r™ÚopenÚwriteÚitemsÚcloseÚdump)rursrrrpÚ targetdirrÚeadbÚ use_ntvfsr¶Ú global_paramrqZglobal_settingsZentZprivdirZstatedirZsharesÚfÚkeyÚvalrërýr_r_r`Ú make_smbconfÔs˜   ü      ÿ  ÿ ÿ  ÿ ÿ      r0cCs<| d|j|¡| |d|j|¡| |d|j|¡dS)asetup reasonable name mappings for sam names to unix names. :param samdb: SamDB object. :param idmap: IDmap db object. :param sid: The domain sid. :param domaindn: The domain DN. :param root_uid: uid of the UNIX root user. :param nobody_uid: uid of the UNIX nobody user. :param users_gid: gid of the UNIX users group. :param root_gid: gid of the UNIX root group. zS-1-5-7z-500z-513N)Zsetup_name_mappingZTYPE_UIDZTYPE_GID)rßÚsidrôÚ nobody_uidÚ users_gidr¯r_r_r`Úsetup_name_mappings:s r4c Cs*|dus J‚zt |¡Wnty,Yn0t|||dgd} d} |jdkrXd|j} d} |sdd} | durrtƒ} d| }| d kr | dur”| d 7} nd } | d 7} | dur¬d } |  ¡zR| d¡t | t dƒ| |dœƒt | t dƒ|j|| dœƒ| d¡t | |ƒWn|   ¡‚Yn 0|   ¡dS)akSetup the partitions for the SAM database. Alternatively, provision() may call this, and then populate the database. :note: This will wipe the Sam Database! :note: This function always removes the local SAM LDB file. The erase parameter controls whether to erase the existing data, which may not be stored locally but in LDAP. Nzmodules:)Úurlrær¶Úoptionsz# No LDAP backendrzldapBackend: %sz"requiredFeatures: encryptedSecretszbackendStore: %sÚmdbrrzrequiredFeatures: lmdbLevelOnez# No required featuresz*Setting up sam.ldb partitions and settingszprovision_partitions.ldif)ZLDAP_BACKEND_LINEZ BACKEND_STOREzprovision_init.ldif)Z BACKEND_TYPEZ SERVER_ROLEZREQUIRED_FEATURESzSetting up sam.ldb rootDSE)rÚunlinkÚOSErrorrr‘Zldap_urirHÚtransaction_startrâr;r:Úsetup_samdb_rootdseÚtransaction_cancelÚtransaction_commit)Z samdb_pathrär¶ræÚprovision_backendr·rÚeraseÚplaintext_secretsÚ backend_storeÚbackend_store_sizerSZldap_backend_lineZrequired_featuresZbackend_store_liner_r_r`Úsetup_samdb_partitionsMsT  ÿ     þ ý rCrc  Cs–gd¢} |dur6|dur | ¡}d| ¡| ¡f} nd} | ¡} t t |d|¡¡} t| ƒg| d<ddg| d<| dur¾gd ¢| d<|g| d <d | | ¡fg| d <t|ƒg| d <dg| d<| d¡g| d<d|g| d<t| ƒg| d<|durt|ƒg| d<|jd| d||t|ƒt| j ƒftj d}|D]}|  |j ¡q0|j| j | tj d}t |ƒdkrR|dddg| d<z|dddg| d<WntyªYn0z|dddg| d<WntyÚYn0z|dddg| d<Wnty Yn0| D] }|dkr| | tj¡q| | ¡| |dj | j ¡n@d | g}| tkr€| dur€| d | g¡|| d!<| | ¡dS)"zœAdd domain join-specific bits to a secrets database. :param secretsdb: Ldb Handle to the secrets database :param machinepass: Machine password )Ú whenChangedÚsecretÚ priorSecretZ priorChangedÚ krb5KeytabÚ privateKeytabNú%s.%szflatname=%s,cn=Primary DomainsZsecureChannelTypeÚtopÚ primaryDomainZ objectClass)rJrKZkerberosSecretrpz host/%s@%sZ saltPrincipalzmsDS-KeyVersionNumberrùrHúutf-8rEz%s$ZsamAccountNamerŒzcn=Primary Domainsz_(&(|(flatname=%s)(realm=%s)(objectSid=%s))(objectclass=primaryDomain)(!(distinguishedName=%s)))©r}rr|r~)r}rr~rrrFrDZpriorWhenChangedrGr’zHOST/%sZservicePrincipalName)r™rrÃr¢rŸr˜Úencoder#rœr’r§Údeleter¡r¦rêZ set_flagsrÅrÇÚrenamerÚextendrÐ)r´rrrqÚ machinepassrvrproÚ keytab_pathZkey_version_numberÚsecure_channel_typerZdnsnameZ shortnameÚmsgr¹Zdel_msgZelZspnr_r_r`Úsecretsdb_self_join–sh      þ   rVcCstj |j¡rt |j¡tj |j|j¡}tj |¡rBt |¡tj |j|j ¡}tj |¡rjt |¡tj |j|j ¡}tj |¡r’t |¡|j}t |||d}|  ¡|  t dƒ¡t |||d}| ¡z|  t dƒ¡Wn| ¡‚Yn0|S)arSetup the secrets database. :note: This function does not handle exceptions and transaction on purpose, it's up to the caller to do this job. :param path: Path to the secrets database. :param session_info: Session info. :param credentials: Credentials :param lp: Loadparm context :return: LDB handle for the created secrets database ©rær¶zsecrets_init.ldifz secrets.ldif)rrýr rUr8rrZrVr[rWrr?Úload_ldif_file_addr:r:r<)rµrær¶rSÚbind_dns_keytab_pathZdns_keytab_pathrýÚ secrets_ldbr_r_r`Úsetup_secretsdbðs.        r[cCs>tj |¡rt |¡t|||d}| ¡| tdƒ¡dS)zúSetup the privileges database. :param path: Path to the privileges database. :param session_info: Session info. :param credentials: Credentials :param lp: Loadparm context :return: LDB handle for the created secrets database rWzprovision_privilege.ldifN)rrýr r8rr?rXr:)rýrær¶Z privilege_ldbr_r_r`Úsetup_privilegess  r\c Cs¬tj |¡rt |¡tjtjBtjB}tjtj B}t  d¡}zt  |||¡}Wt  |¡n t  |¡0t  |d¡$}t  d¡}| |¡Wdƒn1sž0YdS)z¦Setup the encrypted secrets key file. Any existing key file will be deleted and a new random key generated. :param path: Path to the secrets key file. rÚwbéN)rrýr r8ÚO_WRONLYÚO_CREATÚO_EXCLÚstatÚS_IRUSRÚS_IWUSRÚumaskr$ÚfdopenršZgenerate_random_bytesr%)rýÚflagsÚmodeZumask_originalÚfdr-r.r_r_r`Úsetup_encrypted_secrets_key*s     rjcCsRtj ¡}tjj|||d}| |tjj¡tdƒ}tj  |¡sDJ‚|  |¡dS)z¹Setup the registry. :param path: Path to the registry database :param session_info: Session information :param credentials: Credentials :param lp: Loadparm context )ræÚlp_ctxz provision.regN) ršÚregistryZRegistryZopen_ldbZ mount_hiveÚHKEY_LOCAL_MACHINEr:rrýr Z diff_apply)rýrær¶ZregZhiveZ provision_regr_r_r`Úsetup_registryCs  rncCs>tj |¡rt |¡t|||d}| ¡| tdƒ¡|S)z¼Setup the idmap database. :param path: path to the idmap database :param session_info: Session information :param credentials: Credentials :param lp: Loadparm context rWzidmap_init.ldif)rrýr r8rr?rXr:)rýrær¶Z idmap_ldbr_r_r`Ú setup_idmapdbSs   roc Cs*t|tdƒ|j|j|j|j|jdœƒdS)zDSetup the SamDB rootdse. :param samdb: Sam Database handle zprovision_rootdse_add.ldif)ÚSCHEMADNÚDOMAINDNZROOTDNÚCONFIGDNÚSERVERDNN)r;r:rkrirhrjr¨)rSr·r_r_r`r;ds ûr;cCsüt| tƒsJ‚| dur d| }nd}|dur0|}t|tdƒ|j|j|j|j| |jd|j |j ft |  d¡ƒ  d¡t|ƒt|ƒt|t| ƒt|dƒt|dd ƒd œƒt|td ƒ| | |j |jd œƒ|tkrpt|td ƒ|j|j|j|j| |jd|j |j ft |  d¡ƒ  d¡t|ƒt|ƒt|t| ƒdœ ƒt|tdƒ|j|jdœddgdt|tdƒ|j|j|j|jdœƒtƒ}| |¡t|tdƒ|j|j|jdœƒ| |¡|dkrøt|tdƒ|j |jt |  d¡ƒ  d¡|j d|j ¡|j  ¡fdœƒdS)zJoin a host to its own domain.NzobjectGUID: %s rzprovision_self_join.ldifrIú utf-16-ler‡édió)rrrprqrsÚ INVOCATIONIDÚ NETBIOSNAMEÚDNSNAMEÚMACHINEPASS_B64Ú DOMAINSIDÚDCRIDÚSAMBA_VERSION_STRINGÚNTDSGUIDÚDOMAIN_CONTROLLER_FUNCTIONALITYZRIDALLOCATIONSTARTZRIDALLOCATIONENDzprovision_group_policy.ldif)Ú POLICYGUIDÚ POLICYGUID_DCÚ DNSDOMAINrqzprovision_self_join_config.ldif) rrrprqrsrvrwrxryrzr{r|r}r~z&provision_self_join_modify_schema.ldif)rprsú provision:0úrelax:0©r”z&provision_self_join_modify_config.ldif)rrrrwrszprovision_self_join_modify.ldif)rqrsrwr•zprovision_dns_add_samba.ldif)rrqZ DNSPASS_B64ÚHOSTNAMErx)Ú isinstancerŸr;r:rjrkrir¨rqrsrorrNr£rr=r<rtrÚset_session_infor™)rSÚadmin_session_infor·ÚfillrRr³ÚdnspassrvÚnext_ridÚ invocationidÚ policyguidÚ policyguid_dcÚdomainControllerFunctionalityr©Údc_ridZ ntdsguid_lineZsystem_session_infor_r_r`Úsetup_self_joinrs¤  ÿ ð ü  ÿóþûüÿ  ý   ÿûr‘cCs*|ddkrd|}tj ||d|¡}|S)aReturn the physical path of policy given its guid. :param sysvolpath: Path to the sysvol folder :param dnsdomain: DNS name of the AD domain :param guid: The GUID of the policy :return: A string with the complete path to the policy folder rrŽz{%s}ÚPolicies)rrýr)Ú sysvolpathroZguidÚ policy_pathr_r_r`Ú getpolicypathÔs r•cCsžtj |¡st |d¡ttj |d¡dƒ}z| d¡W| ¡n | ¡0tj |d¡}tj |¡stt |d¡tj |d¡}tj |¡sšt |d¡dS)NéýzGPT.INIrz[General] Version=0ZMACHINEZUSER)rrýr Úmakedirsr$rr%r')r”r-rÚr_r_r`Úcreate_gpo_structâs      r˜cCs,t|||ƒ}t|ƒt|||ƒ}t|ƒdS)aCreate the default GPO for a domain :param sysvolpath: Physical path for the sysvol folder :param dnsdomain: DNS domain name of the AD domain :param policyguid: GUID of the default domain policy :param policyguid_dc: GUID of the default domain controler policy N)r•r˜)r“rorrŽr”r_r_r`Úcreate_default_gpoòs  r™lc Cs,t|||||||| | | d t}| r(| }g}| dkrF| dt|ƒ¡| rT| d¡| rzt|dƒd}| dt|ƒ¡t|dd |d | |d }| d ¡|j|d d | d |j ¡z|j ||dWnNt j y}z2|j \}}|t jkrtd|ƒ‚n‚WYd}~n d}~00|j|dd |S)zZSetup a complete SAM Database. :note: This will wipe the main SAM database file! ) rär¶r>rær·rr@rArBr7zlmdb_env_size:z batch_mode:1i·¥rztransaction_index_cache_size:NF)rær5Z auto_connectr¶Z global_schemaÚam_rodcr6z%Pre-loading the Samba 4 and AD schema)Zwrite_indices_and_attributesrŠ)r6zr¶r·rär‰rÚschemaršr@rArBÚ batch_modeZ store_sizer6Z cache_sizerSZe2ZnumZ string_errorr_r_r`Ú setup_samdbsB ü þ   rŸc1Cs‚|dur d}|dks|dkr8d|}|dd7}t|ƒ‚t}|durHt}||krXtdƒ‚|}|}| d|j¡| d|¡| d |¡| d |¡| t|jƒ¡| | ¡|  d |j ¡t |t|jƒƒ}|  |¡|j durîd |j }nd }tt|jƒƒ d¡}t|tdƒ|j t|jƒ||dœƒt|tdƒ|j tt tt ¡ƒ¡ƒt|ƒ|j|j|t|ƒtttƒdœ ƒ|tkr"|  d¡tt|jƒƒ d¡}t|tdƒ|j|dœƒdtjj}dd|g}|  d¡|j |j!|d|j"|j#|d| $¡|j |j%|dt|tdƒd|j&i|dt' (t' )||j ¡¡}t' *|jt'j+d¡|d<| |_,|tkr´|  d¡tt-|jƒƒ d¡} tt.|jƒƒ d¡}!tt/|jƒƒ d¡}"tt0|jƒƒ d¡}#tt1|jƒƒ d¡}$tt2|jƒƒ d¡}%d|j3vrðd }&nd }&t|td!ƒ|j|j4|j|j5|j6|j&|j |jt|ƒt|ƒ|"|$|#|$|$|%| |!d"œƒt|td#ƒ|j|&d$œƒ|  d%¡t7td&ƒƒ}'t8|'d'|jiƒ}'t9|'ƒ|  |'¡|  d(¡t|td)ƒ|j|%d*œƒ|  d+¡tt:|jƒƒ d¡}(t|td,ƒ|j |(d-œƒ|  d.¡t|td/ƒd0|j iƒ|  d1¡tt;|jƒƒ d¡})t|td2ƒ|j |)d3œƒ|  d4¡t|td5ƒd0|j iƒ|  d6¡tt<|jƒƒ d¡}*tt=|jƒƒ d¡}+tt>|jƒƒ d¡},tt?|jƒƒ d¡}-tt@|jƒƒ d¡}.t|td7ƒtt tt ¡ƒ¡ƒ|j |j4|j|j|jt|d8ƒ||*|+|,|-|.d9œ ƒ|tkr”ttA|jƒƒ d¡}/t|td:ƒ|j|j&d;œƒ|  d<¡tt1|jƒƒ d¡}$t|td=ƒ|j|$d>œddgd|tks¨|tBkr~t|td?ƒ|j |/d@œƒ|  dA¡t|tdBƒ|j t|jƒt| CdC¡ƒ d¡t| CdC¡ƒ d¡dDœddgd|  dE¡tD||||| | | | |j|||||| dFd|j}0|jE|0dGd t'jFdH d¡|_GtH|jGtIƒs~J‚|S)INéèéÊš;z/You want to run SAMBA 4 with a next_rid of %u, z,the valid range is %u-%u. The default is %u.)r r¡r z’You want to run SAMBA 4 on a domain and forest function level which itself is higher than its actual DC function level (2008_R2). This won't work!rŠÚdomainFunctionalityÚforestFunctionalityrzAdding DomainDN: %szobjectGUID: %s -rr‡zprovision_basedn.ldif)rqrzÚ DESCRIPTORZ DOMAINGUIDzprovision_basedn_modify.ldif) rqÚ CREATTIMEZNEXTRIDrrrrÚDOMAIN_FUNCTIONALITYr|ZMIN_PWD_LENGTHzAdding configuration containerz#provision_configuration_basedn.ldif)rrr¤zlocal_oid:%s:0r‚rƒzSetting up sam.ldb schemar„zaggregate_schema.ldifrpZsubRefsz%Setting up sam.ldb configuration dataZ2008ú#zprovision_configuration.ldif)rrrwrrZDOMAINrprqrsZFOREST_FUNCTIONALITYr¦ZNTDSQUOTAS_DESCRIPTORÚLOSTANDFOUND_DESCRIPTORZSERVICES_DESCRIPTORZPHYSICALLOCATIONS_DESCRIPTORZFORESTUPDATES_DESCRIPTORZEXTENDEDRIGHTS_DESCRIPTORZPARTITIONS_DESCRIPTORZSITES_DESCRIPTORzextended-rights.ldif)rrZINC2012zSetting up display specifiersz1display-specifiers/DisplaySpecifiers-Win2k8R2.txtrrz0Modifying display specifiers and extended rightsz#provision_configuration_modify.ldif)rrZDISPLAYSPECIFIERS_DESCRIPTORzAdding users containerzprovision_users_add.ldif)rqZUSERS_DESCRIPTORzModifying users containerzprovision_users_modify.ldifrqzAdding computers containerzprovision_computers_add.ldif)rqZCOMPUTERS_DESCRIPTORzModifying computers containerzprovision_computers_modify.ldifzSetting up sam.ldb datazprovision.ldifiX) r¥rqrwrrrrsZRIDAVAILABLESTARTr€ZINFRASTRUCTURE_DESCRIPTORr¨ZSYSTEM_DESCRIPTORZBUILTIN_DESCRIPTORZDOMAIN_CONTROLLERS_DESCRIPTORz'provision_configuration_references.ldif)rrrpz)Setting up well known security principalsz#provision_well_known_sec_princ.ldif)rrZWELLKNOWNPRINCIPALS_DESCRIPTORz provision_basedn_references.ldif)rqZMANAGEDSERVICE_DESCRIPTORz#Setting up sam.ldb users and groupszprovision_users.ldifrt)rqrzZ ADMINPASS_B64ZKRBTGTPASS_B64zSetting up self join) r·r‰rŒr³rŠrRrvr‹rrrŽrr©r‹)r¸Ú attributer|r~)Jr¤rrœr¨Zset_opaque_integerZset_domain_sidrŸrvZset_invocation_idrârirr‡rxrr.r£r;r:r<ršZ unix2nttimer«ÚtimertrjrÚDEFAULT_MIN_PWD_LENGTHr=r'ZdsdbZ&DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OIDZadd_ldifZ schema_dn_addZ modify_ldifZschema_dn_modifyZwrite_prefixes_from_schemaZ schema_datarkrrÃr¢rÄrÆZ invocation_idr(r)r*r+r,r-Ú base_schemarqrorrrrrr2r1r/r5r4r0r3r9r>rNr‘Ú searchoner¡r©r†r)1rSr¶r·rärrŽr‰r–Ú krbtgtpassrRr³rŠrŒr©rršÚdom_for_fun_levelrr‹rrArBÚerrorrr¢r£rˆZdomainguid_lineZdescrZignore_checks_oidZschema_controlsrUZpartitions_descrZ sites_descrZntdsquotas_descrZprotected1_descrZprotected1wd_descrZprotected2_descrZ incl_2012Zdisplay_specifiers_ldifZ users_descZcomputers_descZinfrastructure_descZlostandfound_descZ system_descZ builtin_descZcontrollers_descZmanagedservice_descrZntds_dnr_r_r`Ú fill_samdbFs¶   ÿ     ü ÷   þ ý  þ ÿ    î þ ÿÿ  þÿ  þ  ÿ  þ ÿÿ   ó þÿ  þýþÿ  üû  õ ÿÿr±zkO:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)zƒO:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)rþc Csštƒ}t||||||d||d tj|ddD]f\}} } | D](} t|tj || ¡||||d||d q<| D](} t|tj || ¡||||d||d qjq.dS)NT©r+Zskip_invalid_chownr ÚserviceF©Útopdown)rr rÚwalkrýr) rýÚaclr¶Zdomsidr+r r³ræróÚdirsÚfilesrër_r_r`Ú set_dir_aclSsÿÿrºc Cs¨tj ||d¡}tƒ} t||tt|ƒ| |d|td |jd|ddgdt j d} | D]N} t t j | dd ƒ ¡} t||t| dƒƒ} t| t| |ƒ|t|ƒ||d qTd S) ánSet ACL on the sysvol//Policies folder and the policy folders beneath. :param sysvol: Physical path for the sysvol folder :param dnsdomain: The DNS name of the domain :param domainsid: The SID of the domain :param domaindn: The DN of the domain (ie. DC=...) :param samdb: An LDB object on the SAM db :param lp: an LP object r’Tr²úCN=Policies,CN=System,%srˆÚnTSecurityDescriptorrrMr©r N)rrýrrr Ú POLICIES_ACLrŸÚSYSVOL_SERVICErœrr§r$rÚ descriptorÚas_sddlr•rºr")rþrorvrirSr¶r+r Úroot_policy_pathrær¹Úpolicyr·r”r_r_r`Ú set_gpos_acl_s$ ÿ þ ÿþrÅc  sÒd‰ˆs~t ¡} |  ˆj¡tjtj |¡d} z„zt   | j dt ƒ|¡Wn*t yvt  ¡sjtdƒ‚tdƒ‚Yn0zt  | j ||t ƒ¡Wnt yªtdƒ‚Yn0W|  ¡n |  ¡0t ¡} |  ˆj¡|  dd|j¡t ¡t |  d¡¡‰t ¡ˆkr"td t ¡ˆfƒ‚ˆ ¡} | d ˆkrLtd | d ˆfƒ‚| d  ¡| ¡kr~td | d  ¡| ¡fƒ‚zˆr”t |d|¡Wnt y®d} Yn0d} d ˆtj¡}tjtj Btj!B}tj"|ˆ||d‰tj#ˆˆd||d‡‡‡‡‡fdd„}||ƒtj$|ddD]\}}}|D]<}ˆrZ| rZt tj %||¡d|¡|tj %||¡ƒq2|D]<}ˆrœ| rœt tj %||¡d|¡|tj %||¡ƒqtq$t&||ˆ||ˆˆˆddS)áÝSet the ACL for the sysvol share and the subfolders :param samdb: An LDB object on the SAM db :param netlogon: Physical path for the netlogon folder :param sysvol: Physical path for the sysvol folder :param uid: The UID of the "Administrator" user :param gid: The GID of the "Domain adminstrators" group :param domainsid: The SID of the domain :param dnsdomain: The DNS name of the domain :param domaindn: The DN of the domain (ie. DC=...) N)Údiréíz‘Samba was compiled without the posix ACL support that s3fs requires. Try installing libacl1-dev or libacl-devel, then re-run configure and make.z‚Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.zUUnable to chown a file on your filesystem. You may not be running provision as root.rú samba_dsdb:%súQSID as seen by smbd [%s] does not match SID as seen by the provision script [%s]!rªú[SID as seen by pdb_samba_dsdb [%s] does not match SID as seen by the provision script [%s]!Ú dns_domainú_Realm as seen by pdb_samba_dsdb [%s] does not match Realm as seen by the provision script [%s]!éÿÿÿÿFTz )rkr’Zsession_info_flagsZ Administrator)rkZ user_nameÚuidÚgidc stˆ|ttˆƒˆˆdˆtd S)zA helper to reuse argsTr²)r Ú SYSVOL_ACLrŸrÀ)rý©rvr¶Ú s4_passdbrær+r_r`Ú _setntacl×s ýzsetsysvolacl.._setntaclr´r¾)'Ús3paramÚ get_contextr!rÚtempfileZNamedTemporaryFilerrýr"r Zset_simple_aclrërr9Zhave_posix_aclsr¤Úchownr'r#r5r Zreload_static_pdbÚPDBr—Úget_global_sam_sidÚ domain_infor˜Úformatrr®r Z AUTH_SESSION_INFO_DEFAULT_GROUPSZAUTH_SESSION_INFO_AUTHENTICATEDZ#AUTH_SESSION_INFO_SIMPLE_PRIVILEGESZ user_sessionZsession_info_set_unixr¶rrÅ)rSrÿrþrÏrÐrvrorir¶r+Ús3confÚfilerÛZcanchownZuserdnrgrÔrór¸r¹rër_rÒr`Ú setsysvolacls|      ÿþ ÿü  rßcCs|rdSdSdS)NZDBZVFSr_)Údirect_db_accessr_r_r`Úacl_typeîsrác Csdtƒ}t||||td}| |¡}||krBtdt|ƒ|||fƒ‚tj|ddD] \}} } | D]z} t|tj  || ¡||td}|dur¦tdt|ƒtj  || ¡fƒ‚| |¡}||kr`tdt|ƒtj  || ¡||fƒ‚q`| D]|} t|tj  || ¡||td}|dur(tdt|ƒtj  || ¡fƒ‚| |¡}||kràtdt|ƒtj  || ¡||fƒ‚qàqPdS)N©ràr³zN%s ACL on GPO directory %s %s does not match expected value %s from GPO objectFr´z %s ACL on GPO file %s not found!zI%s ACL on GPO file %s %s does not match expected value %s from GPO objectz%%s ACL on GPO directory %s not found!) rr!rÀrÂr¤rárr¶rýr) rýr·r¶rvràræÚfsaclÚ fsacl_sddlrór¸r¹rër_r_r`Ú check_dir_aclõs@ ÿ ÿÿ $ÿ  ÿÿ råcCsÚtj ||d¡}tƒ}t||||td} | durDtdt|ƒ|fƒ‚|  |¡} | t krntdt|ƒ|| | fƒ‚|j d|ddgd t j d } | D]F} t tj| dd ƒ ¡} t||t| dƒƒ}t|t| |ƒ|||ƒqŽdS) r»r’râNz&DB ACL on policy root %s %s not found!zK%s ACL on policy root %s %s does not match expected value %s from provisionr¼rˆr½rrMr)rrýrrr!rÀr¤rárÂr¿rœrr§r$rrÁr•rŸrår")rþrorvrirSr¶ràrÃrærãrär¹rÄr·r”r_r_r`Úcheck_gpos_acls,ÿ  þ ÿÿræc CsHt ¡}| |j¡| dd|j¡t | d¡¡}t  ¡|krVt dt  ¡|fƒ‚|  ¡} | d|kr~t d| d|fƒ‚| d  ¡|  ¡kr®t d| d  ¡|  ¡fƒ‚t ƒ} dD]Š} tj ||¡|fD]^} t|| | | td } | d urt d t| ƒ| fƒ‚|  |¡}|tkrÎt d t| ƒ| |tfƒ‚qÎt||||||| ƒq¸d S) rÆrrÉrÊrªrËrÌrÍ)TFrâNz(%s ACL on sysvol directory %s not found!zP%s ACL on sysvol directory %s %s does not match expected value %s from provision)rÕrÖr!rr#r5r rÙr—rÚr¤rÛr˜rrrýrr!rÀrárÂrÑræ)rSrÿrþrvrorir¶rÝrÓrÛræràZdir_pathrãrär_r_r`Úchecksysvolacl7s.     ÿrçcCs6t ||¡}g}|D]}| d¡dkr| |¡q|S)zreturn only IPv4 IPsú:rΩršZ interface_ipsÚfindrÂ)r¶Zall_interfacesÚipsÚretrºr_r_r`Úinterface_ips_v4is   rícCs6t |d¡}g}|D]}| d¡dkr| |¡q|S)zreturn only IPv6 IPsFrèrÎré)r¶rërìrºr_r_r`Úinterface_ips_v6ss   rîr c'CsZ|dur t}| ¡}|dur t}| ¡}|dur|s,t||j|j |j|j|j|j |j||ƒ n | d¡t||j|j|j |j|j|tdttƒ}zPt t ||j dd|jtj!d  "d ¡¡¡}tj#|tj$d d |d <| %|¡Wn@tj&yð} z$| j'\}!}"|!tj(krÜ‚WYd} ~ n d} ~ 00t)|||||||| ||||||d |j | *¡dd "d ¡}t+|t,ƒs>J‚t-|ƒ}#t.|t|j/ƒƒ}$|#durrt0|d|$|dƒnt1|d|$|ƒ| d¡t2|t3dƒd|j4iƒ| d¡t5||ddddd}%|  ¡zpdD]$}&|%j6d|&|j7ftj8dgdqÌ|%j6d|jtj9gd¢d|%j6|j7tj!dd gddkr4t:d!ƒ‚Wn| ¡‚Yn 0| ¡dS)"Né€éÿ)rärrrŽr‰r–r®rŒrRr³rŠr©rr¯ršr‹rrArBrzSetting acl on sysvol skipped)rrrprorqrvrRrTZdistinguishedNamezsamAccountName=%s$)r|r~r‡zmsDS-SupportedEncryptionTypes)Úelementsrgrë)ÚhostipÚhostip6r³rŠZos_levelr)Z fill_levelrAr‹)r¸r©rrz2Setting up sam.ldb rootDSE marking as synchronizedzprovision_rootdse_modify.ldifr}zFixing provision GUIDsFT)Z samdb_schemaÚverboseZfixÚyesÚquiet)z CN=DomainzCN=Organizational-Personz CN=ContactzCN=inetOrgPersonz%s,%sZdefaultObjectCategory)ZDNr~rzCN=IP Security,CN=System,%s)ZipsecOwnersReferenceZipsecFilterReferenceZipsecISAKMPReferenceZipsecNegotiationPolicyReferenceZipsecNFAReferenceZ attributeIdZ governsIdzFDuplicate attributeId or governsId in schema. Must be fixed manually!!);r¬r˜r­rŸÚuuidZuuid4ršZ generate_random_machine_passwordÚgenerate_random_passwordr:r±r™rþror<r=rßrÿrôr¯rvrirârVrrrprqrrrrÃr¢r­ržr£rÄrÅrÇrÖr×ZERR_NO_SUCH_ATTRIBUTErBZget_default_basednr†rrÜrÒrhrÏrÑr<r:r©rFZcheck_databaserkr¡r§r¤)'rSrZrär·rµrr)Ú samdb_fillròrór‹rr–r®rxrrŽrŒrRr©r³rŠrr¯ršr¶r+Úskip_sysvolaclrArBZkerberos_enctypesrUrÍÚenumZestrZlastProvisionUSNsZmaxUSNZchkZ schema_objr_r_r`Úprovision_fill}sâ     ö ÿ  þ ý þþÿþ   ü ÿÿ   ÿ  ÿþ  þ ÿÿ rürú member serverr) ZROLE_STANDALONEZROLE_DOMAIN_MEMBERZROLE_DOMAIN_BDCZROLE_DOMAIN_PDCZdcÚmemberzdomain controllerrrýZ standalonercCs*z t|WSty$t|ƒ‚Yn0dS)zøSanitize a server role name. :param role: Server role :raise ValueError: If the role can not be interpreted :return: Sanitized server role (one of "member server", "active directory domain controller", "standalone server") N)Ú _ROLES_MAPrêÚ ValueError)Zroler_r_r`Úsanitize_server_roles  rcCsR| ¡z&| d¡t|tdƒ|||dœƒWn| ¡‚Yn 0| ¡dS)ztCreate AD entries for the fake ypserver. This is needed for being able to manipulate posix attrs via ADUC. z"Setting up fake yp server settingsz ypServ30.ldif)rqrwZ NISDOMAINN)r:râr;r:r<r=©rärSrirqZ nisdomainÚmaxuidÚmaxgidr_r_r`Úprovision_fake_ypserver(s  ý rrÈc Cshtj |¡sdzt ||¡WnFtyb}z.|jtjfvr| d¡t|ƒ}|r&|d}t|ƒdkr>| d|¡|durP| d¡|S)NzLooking up IPv6 addressesrrz*More than one IPv6 address found. Using %sz No IPv6 address will be assigned)rârîr¦r )rär¶rór r_r_r`Údetermine_host_ip6Ys    r TZ2012_R2c2JCsz t|#ƒ}#Wnty*td|#ƒ‚Yn0|dur@t dd¡}|/durNtƒ}/|dur^t ¡}t|pfdg|ƒ}2t |pvdgƒ}3t | p„dddd gƒ}4t   |2¡j }5zt d d gƒ}6WntyÂd}6Yn0|durÞtj |d d ¡}n|durðtj ¡}tj tj |¡¡st tj |¡¡g}7i}8|)r0dg|8d<|dkrF|7 d¡n|durZ|g|8d<|(r€|7 d¡|7 d¡ddg|8d<t|7ƒdkr–|7|8d<tj |¡rt|dƒ}9z|9 ¡ ¡}:W|9 ¡n |9 ¡0|:dusæ|:dkr t|| | |||#|%|(|'|8d nt|| | |||#|%|(|'|8d |'dur4tj ¡}'|' |¡t |'| | ||#|| || |"||t!kd };t"|'|;j#ƒ}<|6|<_$|2|<_%|5|<_&t'||'| ƒ} t(||'|ƒ}| |;_)||;_*||;_+||;_,||;_-|#durÊ|' .d¡}#t/|t:|<|'|;|d&}?|? ;¡|? <¡tj |d'¡t?|d*¡tB|<||'d(}Azþ| >d+¡tC|d-¡tE|d.¡tG|d0¡tK|||&|.|/|0|1d1}C|#d2kr¼|tU|C|A||;|<|>||| |||||||||||||#|$|&|'|(|,|/|0d;tVƒsrtW|d=|| >d?|d@¡|#d2kr¸t]|'||<ƒ|? ^¡}E|? _¡Wn|A `¡‚Yn0|A a¡tj |dE|dE|G| %s: %srÎZSAMBA_SELFTESTz!Failed to chown %s to bind gid %ui r)zrrr¤ršrørHrZ random_sidrõrðròr°r±r²rêrrýrr Z default_pathr Údirnamer—rÂr¦r$ÚreadÚlstripr'r0rr!rr@rroÚbind_gidrôr¯r r ròrórxrvrwr—r rZr[r\rjrrþÚ urllib_quoterrDrkr%ZinitÚstartrLrârrXr:r[rnrMr\rrorTr4rŸrŸrSrÿÚMissingShareErrorruÚisdirr†rr£r=rürrGrÚcreate_krb5_confrrsrprCZ post_setupZshutdownr<r=rWÚisfiler8r9r°rÚlinkÚchmodrØÚenvironrÝrÞrirµr·r¶rßràr–rárrqrrr™)Jrärærur)rùrprhrirkrjr¨rrrsròrórvr‹rr–Z ldapadminpassr®rxrrŽr³Z dns_forwarderrŠrŒrRr©rórrÚbackuprtrr¯Zuseeadbršr¶r+Z use_rfc2307rrrúr¬r@rArBržrôr2r3r¯rZserver_servicesr,r-Údatar·rµZ ldapi_urlrr>Z share_ldbrZrßrSràráZprivate_dns_keytab_pathrYrÍÚresultr_r_r`Ú provisiongs                 ý þ    ý         ÿþ  ÿ    þ ù           óÿþÿ    ÿ ÿ  ÿ   ÿ    þr$cCs^t d¡}t |¡t|tƒ||t|||||||| d| |d||||d}|j dt |ƒ¡|S)Nr$r)rur)rùrprhrirkrjr¨rrrsròrvrRrrtr³rŠr+Ú debuglevel) ÚloggingZ getLoggerršZset_debug_levelr$rr@r¶r#rŸ)rur)rprhrirkrjr¨rrrsrvr–r®rxrrŽrŒrRrŠr³rórrr!rrtr%r+rär¹r_r_r`Úprovision_become_dc s  ø r'cCsttdƒ||||dœƒdS)zÐWrite out a file containing a valid krb5.conf file :param path: Path of the new krb5.conf file. :param dnsdomain: DNS Domain name :param hostname: Local hostname :param realm: Realm name rü)rr…ZREALMN)rr:)rýrorsrpr_r_r`r§ s  ýrc@s eZdZdZdd„Zdd„ZdS)r¤zA generic provision error.cCs ||_dSrK©Úvalue)r^r)r_r_r`ra¹ szProvisioningError.__init__cCs d|jS)NzProvisioningError: r(r]r_r_r`Ú__str__¼ szProvisioningError.__str__N)rcrdrerårar*r_r_r_r`r¤¶ sr¤cs eZdZdZ‡fdd„Z‡ZS)rz.A specified name was not a valid NetBIOS name.cstt|ƒ d|¡dS)Nz)The name '%r' is not a valid NetBIOS name)Úsuperrra)r^rë©Ú __class__r_r`raà s ÿzInvalidNetbiosName.__init__)rcrdreråraÚ __classcell__r_r_r,r`rÀ srcseZdZ‡fdd„Z‡ZS)rcstt|ƒ d||f¡dS)NzwExisting smb.conf does not have a [%s] share, but you are configuring a DC. Please remove %s or add the share manually.)r+rra)r^rërur,r_r`raÊ s  þÿzMissingShareError.__init__)rcrdrerar.r_r_r,r`rÈ sr)F) NNNNNNNNNNNF)NFFNN)FFNN)NN)FFNNF)FNNNNNN)F)rÈ)N)N)NNNNNNNNNNNNNNNNNNNNNNNNNNrF)°råZ __docformat__Z urllib.parserrZ samba.compatrrÚbase64rrrrbrÁr°rñr&rªr÷rr×Z samba.dsdbršrZ samba.authrrZsamba.auth_utilrr Z samba.samba3r r r rÕr rrrrrrrrrZ samba.dcerpcrrZsamba.dcerpc.miscrrrrrZ samba.idmaprZsamba.ms_display_specifiersrZ samba.ntaclsr r!r"Z samba.ndrr#r$Zsamba.provision.backendr%Zsamba.descriptorr&r'r(r)r*r+r,r-r.r/r0r1r2r3r4r5r6r7r8r9Zsamba.provision.commonr:r;r<r=r>r?r@Zsamba.provision.sambadnsrArBrCZ samba.paramZsamba.registryZ samba.schemarDZ samba.samdbrEZsamba.dbcheckerrFZsamba.provision.kerberosrGrHr¬r­rrÀr«ÚobjectrJrfr»rÏrÑrÒrÜrÝrérìrðròrõrr rr0r4rCrVr[r\rjrnror;r‘r•r˜r™r›rŸr±rÑr¿rÀrºrÅrßrárårærçrírîrürÿrrr r r r$r'rrèr¤rrr_r_r_r`Úsd        ,    X$      # ))& 0ý vþ fý Jû Z*ý bý Dû    o#2  õ õ   ò *ú