a Wad@sddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z m Z ddlmZmZddlmZmZmZddlmZddlmZddlmZdd lmZdd lmZmZd d l m!Z!dd lm"Z"m#Z#m$Z$m%Z%m&Z&ddl'm(Z(m)Z)m*Z*m+Z+d%ddZ,ddZ-ddZ.ddZ/Gddde(Z0Gddde(Z1Gddde(Z2Gddde(Z3Gdd d e(Z4Gd!d"d"e(Z5Gd#d$d$e*Z6dS)&N)sd_utils) dnsserverdnspsecurity)ARecord AAAARecord) ndr_unpackndr_pack ndr_print)remove_dns_references)system_session)SamDB) get_bytes) check_callCalledProcessError)common) credentialsdsdbLdbwerror WERRORError)Command CommandError SuperCommandOptionc CsL|stjtjg}|D]2}zt||WdStjyDYqYq0qdS)z Check ip string is valid addressTF)socketAF_INETAF_INET6Z inet_ptonerror) ip_stringaddress_familiesZaddress_familyr"7/usr/lib/python3/dist-packages/samba/netcmd/computer.py _is_valid_ip8s   r$cCst|tjgdS)z%Check ip string is valid ipv4 addressr!)r$rrr r"r"r#_is_valid_ipv4Gsr'cCst|tjgdS)z%Check ip string is valid ipv6 addressr%)r$rrr&r"r"r#_is_valid_ipv6Lsr(c Cs|d}tj}tjtjB}|} d} t|} z&||d|| |dt j |dd \} } Wn8t y}z |j dt jkr|d} WYd}~n d}~00| r,| jD]}|jD]}|jt jks|jt jkrt}||_z||d|| |d|Wqt y&}z |j dt jkrWYd}~qd}~00qq|D]}t|r\|d|| |ft|}n6t|r|d|| |ft|}ntd|t}||_||d|| ||dq0t|dkrt|d | }|j!d || f|d \}}| j"||d t#j$t#j%Bgd dS)z3Add DNS A or AAAA records while creating computer. $TrNFz,Adding DNS AAAA record %s.%s for IPv6 IP: %sz)Adding DNS A record %s.%s for IPv4 IP: %szInvalid IP: {}zDC=DomainDnsZones,%sz%s.%s)Z dns_partitionz sd_flags:1:%d)Zcontrols)&rstriprZDNS_CLIENT_VERSION_LONGHORNZDNS_RPC_VIEW_AUTHORITY_DATAZDNS_RPC_VIEW_NO_CHILDRENZdomain_dns_namerZSDUtilsZDnssrvEnumRecords2rZ DNS_TYPE_ALLrargsrZ"WERR_DNS_ERROR_NAME_DOES_NOT_EXISTrecZrecordsZwTypeZ DNS_TYPE_AZ DNS_TYPE_AAAAZDNS_RPC_RECORD_BUFZDnssrvUpdateRecord2r(inforr'r ValueErrorformatlenldbDnZget_default_basednZ dns_lookupZmodify_sd_on_dnrZ SECINFO_OWNERZ SECINFO_GROUP)samdbnamedns_connchange_owner_sdZserverip_address_listZloggerZclient_versionZ select_flagsZzoneZ name_foundZ sd_helperZbuflenreser,recordZ del_rec_buf ip_addressZ add_rec_bufZdomaindns_zone_dnZdns_a_dnZ ldap_recordr"r"r#add_dns_recordsQs               r<c @seZdZdZdZedddeddded d ed ed d ed eddddedddddedddddgZdgZe j e j e j dZ d ddZdS)!cmd_computer_createa?Create a new computer. This command creates a new computer account in the Active Directory domain. The computername specified on the command is the sAMaccountName without the trailing $ (dollar sign). User accounts may represent physical entities, such as workstations. Computer accounts are also referred to as security principals and are assigned a security identifier (SID). Example1: samba-tool computer create Computer1 -H ldap://samba.samdom.example.com \ -Uadministrator%passw1rd Example1 shows how to create a new computer in the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. The -U option is used to pass the userid and password authorized to issue the command remotely. Example2: sudo samba-tool computer create Computer2 Example2 shows how to create a new computer in the domain against the local server. sudo is used so a user may run the command as root. Example3: samba-tool computer create Computer3 --computerou='OU=OrgUnit' Example3 shows how to create a new computer in the OrgUnit organizational unit. %prog [options]-H--URL%LDB URL for database or target serverURLHhelptypemetavardestz --computerouzDN of alternative location (with or without domainDN counterpart) to default CN=Computers in which new computer object will be created. E.g. 'OU='rErFz --descriptionzComputers's descriptionz--prepare-oldjoinz5Prepare enabled machine account for oldjoin mechanism store_true)rEactionz --ip-addressr7ziIPv4 address for the computer's A record, or IPv6 address for AAAA record, can be provided multiple timesappend)rHrErKz--service-principal-nameservice_principal_name_listzAComputer's Service Principal Name, can be provided multiple times computername sambaoptscredopts versionoptsNFc  Cs| dur g} | durg} | D]} t| std| q|} || } zt|t| | d}|j||||| | d| rNt dd|}| drtd|dt |}|j |t j|d d gd }|d d d }ttj|d d d }td || | }t}||_td|||_t|||||| |Wn4ty}ztd||WYd}~n d}~00|jd|dS)NzInvalid IP address {}ZurlZ session_inforlp) computerou descriptionprepare_oldjoinr7rMz\$$r)zIllegal computername "%s"z-(&(sAMAccountName={}$)(objectclass=computer))ZprimaryGroupIDZ objectSidbasescope expressionattrsrzncacn_ip_tcp:{}[sign]z{}-{}z Failed to create computer '%s': z#Computer '%s' created successfully )r$rr/ get_loadparmget_credentialsr r Z newcomputerresubcountr1 binary_encodesearch domain_dn SCOPE_SUBTREErrZdom_sidrZ host_dns_nameZ descriptorZ owner_sidZget_domain_sidZ group_sidr< get_logger Exceptionoutfwrite)selfrNrQrPrRrCrUrVrWr7rMr;rTcredsr3ZhostnamefiltersZrecsgroupownerr5r6r9r"r"r#runsn    zcmd_computer_create.run) NNNNNNFNN__name__ __module__ __qualname____doc__synopsisrstr takes_optionsZ takes_argsoptions SambaOptionsCredentialsOptionsVersionOptionstakes_optiongroupsrpr"r"r"r#r=sD r=c@sLeZdZdZdZedddedddgZd gZe j e j e j d Z dd d Zd S)cmd_computer_deleteafDelete a computer. This command deletes a computer account from the Active Directory domain. The computername specified on the command is the sAMAccountName without the trailing $ (dollar sign). Once the account is deleted, all permissions and memberships associated with that account are deleted. If a new computer account is added with the same name as a previously deleted account name, the new computer does not have the previous permissions. The new account computer will be assigned a new security identifier (SID) and permissions and memberships will have to be added. The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server. Example1: samba-tool computer delete Computer1 -H ldap://samba.samdom.example.com \ -Uadministrator%passw1rd Example1 shows how to delete a computer in the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. The --computername= and --password= options are used to pass the computername and password of a computer that exists on the remote server and is authorized to issue the command on that server. Example2: sudo samba-tool computer delete Computer2 Example2 shows how to delete a computer in the domain against the local server. sudo is used so a computer may run the command as root. r>r?r@rArBrCrDrNrONc Csb|}|j|dd}t|t||d}|} |ds>d|} dt| tjf} zd|j | tj | ddgd } | d j } t | d dd } d| d vrt| d dd }nd}Wntytd |Yn0| tj@}|std |z(|| |rt|||dd Wn4tyL}ztd| |WYd}~n d}~00|jd|dS)NTZfallback_machinerSr)%s$)(&(sAMAccountName=%s)(sAMAccountType=%u))ZuserAccountControlZ dNSHostNamerYrUnable to find computer "%s"zNFailed to remove computer "%s": Computer is not a workstation - removal denied)Zignore_no_namezFailed to remove computer "%s"zDeleted computer %s )r^r_r r endswithr1rcrATYPE_WORKSTATION_TRUSTrdrerfdnintrw IndexErrorrZUF_WORKSTATION_TRUST_ACCOUNTdeleter rgrhrirj)rkrNrQrPrRrCrTrlr3samaccountnamefilterr8 computer_dnZ computer_acZcomputer_dns_host_nameZcomputer_is_workstationr9r"r"r#rphs\        zcmd_computer_delete.run)NNNNrqr"r"r"r#r~8s!r~c@sXeZdZdZdZedddeddded d ed gZd gZe j e j e j d Z dddZdS)cmd_computer_editayModify Computer AD object. This command will allow editing of a computer account in the Active Directory domain. You will then be able to add or change attributes and their values. The computername specified on the command is the sAMaccountName with or without the trailing $ (dollar sign). The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server. Example1: samba-tool computer edit Computer1 -H ldap://samba.samdom.example.com \ -U administrator --password=passw1rd Example1 shows how to edit a computers attributes in the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. Example2: samba-tool computer edit Computer2 Example2 shows how to edit a computers attributes in the domain against a local LDAP server. Example3: samba-tool computer edit Computer3 --editor=nano Example3 shows how to edit a computers attributes in the domain against a local LDAP server using the 'nano' editor. r>r?r@rArBrCrDz--editorzQEditor to use instead of the system default, or 'vi' if no system default is set.rIrNrONc CsD|}|j|dd}t|t||d} |} |ds>d|} dtjt| f} | } z | j | | tj d} | dj }Wnt ytd |Yn0t| d krtd |t| f| d}t| |}|durtjd }|durd }tjdd}|t||zt||jgWn0tyT}ztd|WYd}~n d}~00t|j}|}Wdn1s0YWdn1s0Y| |}t |d }| !||}t|dkr|j"ddSz| #|Wn6t$y.}ztd||fWYd}~n d}~00|j"d|dS)NTrrSr)r)(&(sAMAccountType=%d)(sAMAccountName=%s))rZr\r[rrrz'Invalid number of results: for "%s": %dZEDITORZviz.tmp)suffixzERROR: zNothing to do z Failed to modify computer '%s': z$Modified computer '%s' successfully )%r^r_r r rrrr1rcrerdrfrrrr0rget_ldif_for_editorosenvirongettempfileZNamedTemporaryFilerjrflushrr4ropenreadZ parse_ldifnextZmsg_diffriZmodifyrh)rkrNrQrPrRrCZeditorrTrlr3rrdomaindnr8rmsgZ result_ldifZt_filer9Z edited_fileZedited_messageZ msgs_editedZ msg_editedZ res_msg_diffr"r"r#rpsl        H    zcmd_computer_edit.run)NNNNNrqr"r"r"r#rs"#rc @sdeZdZdZdZedddeddded d d ed ed dddddgZej ej ej dZ dddZ dS)cmd_computer_listzList all computers.z%prog [options]r?r@rArBrCrDz-bz --base-dnzSpecify base DN to userIz --full-dnfull_dnFrJz)Display DN instead of the sAMAccountName.)rHdefaultrKrErONcCs|}|j|dd}t|t||d} dtj} | } |rH| |} | j| t j | dgd} t | dkrndS| D]:} |r|j d| d qr|j d| jddd qrdS) NTrrSz(sAMAccountType=%u)r)r[r\r]rz%s r)idx)r^r_r r rrreZnormalize_dn_in_domainrdr1rfr0rirjr)rkrPrQrRrCZbase_dnrrTrlr3rZ search_dnr8rr"r"r#rp!s*   zcmd_computer_list.run)NNNNNF)rrrsrtrurvrrwrxryrzr{r|r}rpr"r"r"r#r s4 rc@sZeZdZdZdZedddeddded d ed d gZd gZe j e j e j dZ dddZdS)cmd_computer_showaDisplay a computer AD object. This command displays a computer account and it's attributes in the Active Directory domain. The computername specified on the command is the sAMAccountName. The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server. Example1: samba-tool computer show Computer1 -H ldap://samba.samdom.example.com \ -U administrator Example1 shows how display a computers attributes in the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. Example2: samba-tool computer show Computer2 Example2 shows how to display a computers attributes in the domain against a local LDAP server. Example3: samba-tool computer show Computer2 --attributes=objectSid,operatingSystem Example3 shows how to display a computers objectSid and operatingSystem attribute. r>r?r@rArBrCrDz --attributesz:Comma separated list of attributes, which will be printed.computer_attrs)rErFrHrNrONcCs|}|j|dd}t|t||d} d} |r:|d} |} |dsPd|} dtjt | f} | } z"| j | | tj | d}|d j }Wntytd | Yn0|D]}t| |}|j|qdS) NTrrS,r)rr)rZr\r[r]rr)r^r_r r splitrrrr1rcrerdrfrrrrrrirj)rkrNrQrPrRrCrrTrlr3r]rrrr8rrZ computer_ldifr"r"r#rpws:     zcmd_computer_show.run)NNNNNrqr"r"r"r#rCs$! rc@sNeZdZdZdZedddedddgZd d gZe j e j e j d Z dd dZd S)cmd_computer_movez4Move a computer to an organizational unit/container.z(%prog computername [options]r?r@rArBrCrDrN new_ou_dnrONc CsL|}|j|dd}t|t||d} t| | } |} |dsNd|} dt| t j f} z | j | | tj d} | dj }Wntytd |Yn0t| |}|| s|| t| t|}|t|d ||z| ||Wn4ty2}ztd ||WYd}~n d}~00|jd ||fdS) NTrrSr)rrrrrrzFailed to move computer "%s"zMoved computer "%s" to "%s" )r^r_r r r1r2rerrcrrrdrfrrrZ is_child_ofZadd_baserwZremove_base_componentsr0renamerhrirj)rkrNrrQrPrRrCrTrlr3rerrr8rZfull_new_ou_dnZnew_computer_dnr9r"r"r#rpsF      $zcmd_computer_move.run)NNNNrqr"r"r"r#rsrc@sPeZdZdZiZeed<eed<eed<eed<e ed<e ed<dS) cmd_computerzComputer management.ZcreaterZeditlistZshowZmoveN) rrrsrtruZ subcommandsr=r~rrrrr"r"r"r#rs     r)N)7Z samba.getoptZgetoptryr1rZsambar`rrrZ samba.dcerpcrrrZsamba.dnsserverrrZ samba.ndrrr r Zsamba.remove_dcr Z samba.authr Z samba.samdbr Z samba.compatr subprocessrrrXrrrrrrZ samba.netcmdrrrrr$r'r(r<r=r~rrrrrr"r"r"r#s<        _ _s9W6