a I_OA@sTddlZddlZddlmZddlmZmZddlmZddlm Z ddl m Z ddl m Z mZmZmZmZdZd Zd d d d ddddddddddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;dd?d@dAdBdCdDdEdFdGdHdIdJ@Ze dKedLedMed edNiZe dOedPedQedRedSiZdTgZGdUdVdVeZGdWdXdXeZdS)YN)sd_utils) ndr_unpackndr_pack)security) SECINFO_DACL) setup_path)DS_DOMAIN_FUNCTION_2008DS_DOMAIN_FUNCTION_2008_R2DS_DOMAIN_FUNCTION_2012DS_DOMAIN_FUNCTION_2012_R2DS_DOMAIN_FUNCTION_2016-z$134428a8-0043-48a6-bcda-63310d9ec4ddz$21ae657c-6649-43c4-bbb3-7f184fdf58c1z$dca8f425-baae-47cd-b424-e3f6c76ed08bz$a662b036-dbbe-4166-b4ba-21abea17f9ccz$9d17b863-18c3-497d-9bde-45ddb95fcb65z$11c39bed-4bee-45f5-b195-8da0e05b573az$4664e973-cb20-4def-b3d5-559d6fe123e0z$2972d92d-a07a-44ac-9cb0-bf243356f345z$09a49cb3-6c54-4b83-ab20-8370838ba149z$77283e65-ce02-4dc3-8c1e-bf99b22527c2z$0afb7f53-96bd-404b-a659-89e65c269420z$c7f717ef-fdbe-4b4b-8dfc-fa8b839fbcfaz$00232167-f3a4-43c6-b503-9acb7a81b01cz$73a9515b-511c-44d2-822b-444a33d3bd33z$e0c60003-2ed7-4fd3-8659-7655a7e79397z$ed0c8cca-80ab-4b6b-ac5a-59b1d317e11fz$b6a6c19a-afc9-476b-8994-61f5b14b3f05z$defc28cd-6cb6-4479-8bcb-aabfb41e9713z$d6bd96d4-e66b-4a38-9c6b-e976ff58c56dz$bb8efc40-3090-4fa2-8a3f-7cd1d380e695z$2d6abe1b-4326-489e-920c-76d5337d2dc5z$6b13dfb5-cecc-4fb8-b28d-0505cea24175z$92e73422-c68b-46c9-b0d5-b55f9c741410z$c0ad80b4-8e84-4cc4-9163-2f84649bcc42z$992fe1d0-6591-4f24-a163-c820fcb7f308z$ede85f96-7061-47bf-b11b-0c0d999595b5z$ee0f3271-eb51-414a-bdac-8f9ba6397a39z$587d52e0-507e-440e-9d67-e6129f33bb68z$ce24f0f6-237e-43d6-ac04-1e918ab04aacz$7f77d431-dd6a-434f-ae4d-ce82928e498fz$ba14e1f6-7cd1-4739-804f-57d0ea74edf4z$156ffa2a-e07c-46fb-a5c4-fbd84a4e5ccez$7771d7dd-2231-4470-aa74-84a6f56fc3b6z$49b2ae86-839a-4ea0-81fe-9171c1b98e83z$1b1de989-57ec-4e96-b933-8279a8119da4z$281c63f0-2c9a-4cce-9256-a238c23c0db9z$4c47881a-f15a-4f6c-9f49-2742f7a11f4bz$2aea2dc6-d1d3-4f0c-9994-66c1da21de0fz$ae78240c-43b9-499e-ae65-2b6e0f0e202az$261b5bba-3438-4d5c-a3e9-7b871e5f57f0z$3fb79c05-8ea1-438c-8c7a-81f213aa61c2z$0b2be39a-d463-4c23-8290-32186759d3b1z$f0842b44-bc03-46a1-a860-006e8527fccdz$93efec15-4dd9-4850-bc86-a1f2c8e2ebb9z$9e108d96-672f-40f0-b6bd-69ee1f0b7ac4z$1e269508-f862-4c4a-b01f-420d26c4ff8cz$e1ab17ed-5efb-4691-ad2d-0424592c5755z$0e848bd4-7c70-48f2-b8fc-00fbaa82e360z$016f23f7-077d-41fa-a356-de7cfdb01797z$49c140db-2de3-44c2-a99a-bab2e6d2ba81z$e0b11c80-62c5-47f7-ad0d-3734a71b8312z$2ada1a2d-b02f-4731-b4fe-59f955e24f71z$b83818c1-01a6-4f39-91b7-a3bb581c3ae3z$bbbb9db0-4009-4368-8c40-6674e980d3c3z$f754861c-3692-4a7b-b2c2-d0fa28ed0b0bz$d32f499f-3026-4af0-a5bd-13fe5a331bd2z$38618886-98ee-4e42-8cf1-d9a2cd9edf8bz$328092FB-16E7-4453-9AB8-7592DB56E9C4z$3A1C887F-DF0A-489F-B3F2-2D0409095F6Ez$232E831F-F988-4444-8E3E-8A352E2FD411z$DDDDCF0C-BEC9-4A5A-AE86-3CFE6CC6E110z$A0A45AAC-5550-42DF-BB6A-3CC5C46B52F2z$3E7645F3-3EA5-4567-B35A-87630449C70Cz$E634067B-E2C4-4D79-B6E8-73C619324D5E)@5OPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{}~rNrrBrM |c@s eZdZdS)ForestUpdateExceptionN)__name__ __module__ __qualname__rYrY5/usr/lib/python3/dist-packages/samba/forest_update.pyrUsrUc@seZdZdZd6ddZd7ddZd d Zd8d d ZddZddZ ddZ ddZ ddZ ddZ ddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5ZdS)9 ForestUpdatez2Check and update a SAM database for forest updatesFTcCsddlm}||_||_||_||_d|_|j|_|j |_ |j |_ t ||_ t||_|j|_|jdstd|j|_|jdstdi|_|td|jd d S) a :param samdb: LDB database :param verbose: Show the ldif changes :param fix: Apply the update if the container is missing :param add_update_container: Add the container at the end of the change :raise ForestUpdateException: r)read_ms_markdownFzCN=Operations,CN=ForestUpdatesz+Failed to add forest update container childz)CN=ActiveDirectoryUpdate,CN=ForestUpdatesz#Failed to add revision object childz/adprep/WindowsServerDocs/Forest-Wide-Updates.md)Zout_dictN)Z samba.ms_forest_updates_markdownr\samdbfixverboseadd_update_containerZcheck_update_appliedZget_config_basedn config_dn domain_dnZget_schema_basedn schema_dnrZSDUtilsrZdom_sidZget_domain_sid domain_sidforestupdate_containerZ add_childrUrevision_object stored_ldifr)selfr]r_r^r`r\rYrYrZ__init__s*         zForestUpdate.__init__Nc Cs|jj|jdgtjd}t|}|r6t|}|d7}nt}|||t|}t |ddd}|r||kr|j st d||f|j dt |j|fdS)a Apply all updates for a given old and new functional level :param functional_level: constant :param old_functional_level: constant :param update_revision: modify the stored version :raise ForestUpdateException: Zrevision)baseattrsZscoperzERevision is not high enough. Fix is set to False. Expected: %dGot: %dz:dn: %s changetype: modify replace: revision revision: %d N)r]searchrfldbZ SCOPE_BASEfunctional_level_to_max_update MIN_UPDATEcheck_updates_rangefunctional_level_to_versionintr^rU modify_ldifstr) rhZfunctional_levelZold_functional_levelZupdate_revisionresZexpected_updateZ min_updateZexpected_versionZ found_versionrYrYrZcheck_updates_functional_levels*     z+ForestUpdate.check_updates_functional_levelcCs|D]}|tks|tkr tdd|kr4dkrDnn ||qd|krXdkrhnn ||qd|kr|dkrnn ||qt|d||qd S) z Apply a list of updates which must be within the valid range of updates :param iterator: Iterable specifying integer update numbers to apply :raise ForestUpdateException: Update number invalid.rrrr>rCrF operation_%dN)rp MAX_UPDATErUoperation_ldifgetattr)rhiteratoroprYrYrZcheck_updates_iterators   z#ForestUpdate.check_updates_iteratorrcCs|}|tks||ks|tkr$td||kr|tvr6n~d|krJdkrZnn ||nZd|krndkr~nn ||n6d|krdkrnn ||nt|d|||d 7}q$d S) z Apply a range of updates which must be within the valid range of updates :param start: integer update to begin :param end: integer update to end (inclusive) :raise ForestUpdateException: rxrrrr>rCrFryrlN)rprzrUmissing_updatesr{r|)rhstartendr~rYrYrZrqs   z ForestUpdate.check_updates_rangecCsBz|jj|jdt|d}Wntjy4YdS0t|dkS)zd :param op: Integer update number :return: True if update exists else False z(CN=%s))rj expressionFrl)r]rmre update_maprnZLdbErrorlen)rhr~rvrYrYrZ update_existss  zForestUpdate.update_existscCs"|jdt|t|jfdS)zo Add the corresponding container object for the given update :param op: Integer update z$dn: CN=%s,%s objectClass: container N)r]Zadd_ldifrrurerhr~rYrYrZ update_add szForestUpdate.update_addcCs|||rdS|jt|}t|t|jt|jt|jd}|j r\t d|t ||j ||j rx||dS)NT)Z CONFIG_DNZFOREST_ROOT_DOMAINZ SCHEMA_DNz!UPDATE (LDIF) ------ OPERATION %d)rrgrsambaZsubstitute_varrurarbrcr_printr]rtr`r)rhr~ZldifZsub_ldifrYrYrZr{s   zForestUpdate.operation_ldifcCs`|d}|dkr0|d||||d}n||}||vrDdS|jj||dtgddS)a Add an ACE to a DACL, checking if it already exists with a simple string search. :param dn: DN to modify :param existing_sddl: existing sddl as string :param ace: string ace to insert :return: True if modified else False S:NF sd_flags:1:%dcontrolsT)rfindrZmodify_sd_on_dnr)rhdn existing_sddlaceindexnew_sddlrYrYrZinsert_ace_into_dacl)s  z!ForestUpdate.insert_ace_into_daclc Cs|jj||gdgd}t|dks&Jt|d|d}|d}|dkrj|d||||d}n||}||vr~dSt}||_t|tj |||<|jj |d gd d S) aC Insert an ACE into a string attribute like defaultSecurityDescriptor. This also checks if it already exists using a simple string search. :param dn: DN to modify :param ace: string ace to insert :param attr: attribute to modify :return: True if modified else False search_options:1:2)rjrkrrlrrrNFrelax:0rT) r]rmrrurrnZMessagerZMessageElementZFLAG_MOD_REPLACEZmodify) rhrrattrmsgrrrmrYrYrZinsert_ace_into_stringAs&   z#ForestUpdate.insert_ace_into_stringcCs|jstd|dS)z Raises an exception if not set to fix. :param op: Integer operation :raise ForestUpdateException: z3Missing operation %d. Fix is currently set to FalseN)r^rUrrYrYrZraise_if_not_fixdszForestUpdate.raise_if_not_fixcCs||rdS||d}t|jdt|j}|j||dd|jjddgdgd}|D]4}t t j |dd }| |j }||j||q^|jr||dS) NY(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)CN=Sam-Domain,%sdefaultSecurityDescriptorr(objectClass=samDomain)nTSecurityDescriptorrrrkrrrrrnDnr]rurcrrmrr descriptoras_sddlrdrrr`rrhr~rrcrvrZ existing_sdrrYrYrZ operation_88ss$   zForestUpdate.operation_88cCs||rdS||d}t|jdt|j}|j||dd|jjddgddt gd }|D]4}t t j |dd }| |j}||j||qd|jr||dS) NrCN=Domain-DNS,%srr(objectClass=domainDNS)rrrrr)rrrnrr]rurcrrmrrrrrrdrrr`rrrYrYrZ operation_89s(   zForestUpdate.operation_89cCs|jr||s||dSNr`rrrrYrYrZ operation_90szForestUpdate.operation_90cCs|jr||s||dSrrrrYrYrZ operation_127szForestUpdate.operation_127cCs|jr||s||dSrrrrYrYrZ operation_128szForestUpdate.operation_128cCs||rdS||d}t|jdt|j}|j||dd|jjddgdgd}|D]4}t t j |dd }| |j }||j||q^|jr||dS) N7(OA;CIOI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)rrrrrrrrrrrYrYrZ operation_129s$   zForestUpdate.operation_129cCs||rdS||d}t|jdt|j}|j||dd|jjddgdgd}|D]4}t t j |dd }| |j }||j||q^|jr||dS) NrrrrrrrrrrrrYrYrZ operation_130s$   zForestUpdate.operation_130cCsF||rdS|||jjd|jddgd|jrB||dS)Nzdn: CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,%s changetype: modify replace: msDS-ClaimIsValueSpaceRestricted msDS-ClaimIsValueSpaceRestricted: FALSE rz provision:0r)rrr]rtrar`rrrYrYrZ operation_135s  zForestUpdate.operation_135cCs|jr||s||dSrrrrYrYrZ operation_53szForestUpdate.operation_53cCs|jr||s||dSrrrrYrYrZ operation_79szForestUpdate.operation_79cCs|jr||s||dSrrrrYrYrZ operation_80szForestUpdate.operation_80cCs|jr||s||dSrrrrYrYrZ operation_81 szForestUpdate.operation_81cCs|jr||s||dSrrrrYrYrZ operation_82szForestUpdate.operation_82cCs|jr||s||dSrrrrYrYrZ operation_83szForestUpdate.operation_83)FFT)NF)rr)rVrWrX__doc__rirwrrqrrr{rrrrrrrrrrrrrrrrrrYrYrYrZr[s: ' $   #r[)rnrrZ samba.ndrrrZ samba.dcerpcrZsamba.dcerpc.securityrZsamba.provision.commonrZ samba.dsdbrr r r r rprzrrorrr ExceptionrUobjectr[rYrYrYrZs    H