a Wa4 @s8ddlmZddlmZddlmZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZddlmZddlmZddlmZmZddlZdd lmZmZdd lmZdd lmZm Z dd l!m"Z"m#Z#dd l$m%Z%ddl$m&Z&ddl$m'Z'ddl$m(Z(ddl$m)Z)ddl$m*Z*ddl$m+Z+ddl,m-Z-m.Z.ddl/m0Z0m1Z1m2Z2m3Z3ddl4m5Z5ddl6m7Z7ddl8m9Z9ddl8m:Z;ddlm?Z?ddlm@Z@mAZAmBZBddlCmDZDddlEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPmQZQmRZRddlSmTZTmUZUmVZVmWZWdd lXmYZYmZZZm[Z[dd!l\m]Z]dd"l^m_Z_dd#l`maZadd$l`mbZbeJeKeLd%Zce3d&d'd(d)d*e3d+d,d-d.e3d/d0d1d2d3gd4e d5e3d6d7d8d9d*e3d:d;dd?d@d,dAgZee3dBdCeddDe3dEdFeddDe3dGdHd,dAe3dId0dJgdKdLdMdNe3dOdPdQd,dAgZfe3dRdSd,dAgZgdTdUZhz ddliZWnejyjdZkYn0GdVdWdWe0ZkGdXdYdYe0ZlGdZd[d[e0ZmGd\d]d]e0ZnGd^d_d_e0ZoGd`dadae0ZpGdbdcdce0ZqerddZsdedfZtdgdhZuGdidjdje0ZvGdkdldle0ZwGdmdndne2ZxGdodpdpe0ZyGdqdrdreyZzGdsdtdtej{Z|Gdudvdve0Z}Gdwdxdxe}Z~Gdydzdze}ZGd{d|d|e}ZGd}d~d~e}ZGddde}ZGddde}ZGddde0ZGddde2ZGddde2ZGdddZGddde0ZGddde0ZGddde2ZdS))print_function)divisionN)ntstatus) NTSTATUSError)werrorgetpass)NetLIBNET_JOIN_AUTOMATIC) join_RODCjoin_DC)system_session)SamDBget_default_backend_store)ndr_pack ndr_print)drsuapi)drsblobs)lsa)netlogon)security)nbt)misc)DOMAIN_PASSWORD_COMPLEXDOMAIN_PASSWORD_STORE_CLEARTEXT)Command CommandError SuperCommandOption)get_fsmo_roleowner)!netcmd_get_domain_infos_via_cldap)Samba3)param)upgrade_from_samba3)drsuapi_connect) remove_dcarcfour_encryptstring_to_byte_array)system_session_unix) DS_DOMAIN_FUNCTION_2000DS_DOMAIN_FUNCTION_2003DS_DOMAIN_FUNCTION_2003_MIXEDDS_DOMAIN_FUNCTION_2008DS_DOMAIN_FUNCTION_2008_R2DS_DOMAIN_FUNCTION_2012DS_DOMAIN_FUNCTION_2012_R2$DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL#DS_NTDSDSA_OPT_DISABLE_INBOUND_REPLUF_WORKSTATION_TRUST_ACCOUNTUF_SERVER_TRUST_ACCOUNTUF_TRUSTED_FOR_DELEGATIONUF_PARTIAL_SECRETS_ACCOUNT) provisionProvisioningErrorDEFAULT_MIN_PWD_LENGTH setup_path) FILL_FULL FILL_NT4SYNCFILL_DRS)cmd_domain_passwordsettings_pso)cmd_domain_backup) binary_type) get_string2008_R220122012_R2z --machinepassstringPASSWORDz*choose machine password (otherwise random)typemetavarhelpz--plaintext-secrets store_truezaStore secret/sensitive values as plain text on disk(default is to encrypt secret/ensitive values)actionrJz--backend-storechoiceZ BACKENDSTOREZtdbZmdbz7Specify the database backend to be used (default is %s))rHrIchoicesrJz--backend-store-sizebytesZSIZEzfSpecify the size of the backend database, currently only supported by lmdb backends (default is 8 Gb). --targetdirDIRz/Set target directory (where to store provision))rIrJrH-q--quietBe quietrJrM--serverz DC to joinrJrH--sitez site to joinz--domain-critical-onlyz&only replicate critical domain objects --dns-backendNAMESERVER-BACKEND)SAMBA_INTERNAL BIND9_DLZNONEzThe DNS server backend. SAMBA_INTERNAL is the builtin name server (default), BIND9_DLZ uses samba4 AD to store zone information, NONE skips the DNS setup entirely (this DC will not be a DNS server)r\rHrIrOrJdefault-v --verbose Be verbose --use-ntvfs+Use NTVFS for the fileserver (default = no)cCsbttjd}tj|ddd||gtj|d}|\}}||d}|r^t |d SdS) Nwz-sz-lz--parameter-name=%s)stdoutstderr r) openosdevnull subprocessPopenPIPE communicateclosesplitr@strip)testparmsmbconfZvarnameZerrfilepouterrlinesr{5/usr/lib/python3/dist-packages/samba/netcmd/domain.pyget_testparm_vars    r}c@sFeZdZdZdZejejejdZ e dde dgZ dgZ d d d ZdS) cmd_domain_export_keytabz/Dump Kerberos keys of the domain into a keytab.z%prog [options] sambaoptscredopts versionoptsz --principalzextract only this principalrXkeytabNcCs$|}td|}|j||ddS)N)r principal) get_loadparmr Z export_keytab)selfrrrrrlpnetr{r{r|runs zcmd_domain_export_keytab.run)NNNN__name__ __module__ __qualname____doc__synopsisoptions SambaOptionsCredentialsOptionsVersionOptionstakes_optiongroupsrstr takes_options takes_argsrr{r{r{r|r~s r~c@s:eZdZdZdZgZejejej dZ dgZ dddZ dS) cmd_domain_infoz?Print basic info about a domain and the DC passed as parameter.z%prog [options]raddressNcCs|}zt|d|}Wn"ty:td|dYn0|jd|j|jd|j|jd|j|jd|j |jd|j |jd|j |jd |j dS) NzInvalid IP address 'z'!zForest : %s zDomain : %s zNetbios domain : %s zDC name : %s zDC netbios name : %s zServer site : %s zClient site : %s ) rr RuntimeErrorroutfwriteforest dns_domain domain_name pdc_dns_namepdc_nameZ server_siteZ client_site)rrrrrrresr{r{r|rs zcmd_domain_info.run)NNN) rrrrrrrrrrrrrr{r{r{r|rsrc$@seZdZdZdZejejdZe dddde dd d d d e d d ddd e dd ddd e dd ddd e dd ddd e dd ddd e dd ddd e dd ddd e d d d!d"d e d#d d$d%d e d&d d$d'd e d(d)d*gd+d,d-d.e d/d d$d0d e d1d d2d3d e d4d d2d5d e d6d d7d8d e d9dd:d;e dd?d@d.e dAd)dBgdCdDdEd.e dFd)dGgdHdIdJd.e dKdLdMdNdOdPe dQdRdde dSddTd;gZ e dUd)gdVdWdXdYdZgZ e e ere ee e gZdcd]d^Zd_d`ZdadbZd[S)dcmd_domain_provisionzProvision a domain.%prog [options]rrz --interactivez Ask for namesrKrVz--domainrEZDOMAINzNetBIOS domain name to userGz --domain-guidGUIDz!set domainguid (otherwise random)z --domain-sidZSIDz set domainsid (otherwise random)z --ntds-guidz'set NTDS object GUID (otherwise random)z--invocationidz#set invocationid (otherwise random)z --host-nameZHOSTNAMEz set hostnamez --host-ipZ IPADDRESSzset IPv4 ipaddressz --host-ip6Z IP6ADDRESSzset IPv6 ipaddressrYZSITENAMEz set site namez --adminpassrFz(choose admin password (otherwise random)z --krbtgtpassz)choose krbtgt password (otherwise random)rZrNr[r\ZBIND9_FLATFILEr]r^zThe DNS server backend. SAMBA_INTERNAL is the builtin name server (default), BIND9_FLATFILE uses bind9 text database to store zone information, BIND9_DLZ uses samba4 AD to store zone information, NONE skips the DNS setup entirely (not recommended)r\r_z --dnspassz&choose dns password (otherwise random)z--rootZUSERNAMEzchoose 'root' unix usernamez--nobodyzchoose 'nobody' userz--usersZ GROUPNAMEzchoose 'users' groupz--blankz.do not add users or groups, just the structurerLz --server-roleZROLE)domain controllerdcz member servermemberZ standalonez^The server role (domain controller | dc | member server | member | standalone). Default is dc.r--function-levelz FOR-FUN-LEVEL)200020032008rBzyThe domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2008_R2 Native.rBz --base-schemaz BASE-SCHEMA)rBZ 2008_R2_oldrCrDz;The base schema files to use. Default is (Windows) 2012_R2.rDz --next-ridintZNEXTRIDizGThe initial nextRid value (only needed for upgrades). Default is 1000.)rHrIr`rJz--partitions-onlyzEConfigure Samba's partitions, but do not modify them (ie, join a BDC)z --use-rfc2307z/Use AD to store posix attributes (default = no) --use-xattrsyesnoauto [yes|no|auto]Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl when --use-ntvfs is set. auto tries to make an inteligent guess based on the user rights and system capabilitiesrrHrOrIrJr`NFc%7&Csf|jd|d|_|}%|%j}&|dur,|}'n|}'|'dur@d}'t|jdkrRd}|rddlm}(ddl})d/dd }*z|) d dd }+Wnt yd}+Yn0|*d |+},|,d vrt d z|, d d}+Wnt yd}+Yn0|*d|+}|dur t d|*dd}|*dd}|d vr0t d|dkrZ|*d|'}|dvrZd}'d}|(d}-||-}.|.r|jd|.n(|(d}/|-|/ks|jdn|-} qqZn0|jd},|,durt d |durt d| r|| }.|.rt |.n |jd|dkrt}0n.|dkr.t}0n|dkr>t}0n|d krLt}0|dkrd|durd|'}t}1|rtt}1n |r~t}1|durtj|st|d}2|d!krd"}2n|d#kr|d"krd"}2n|d"krt d$n|d#kr|%d%s|rt j!tj"|d&}3n"t j!tj"tj#|%d'd&}3zPz"t$j%&|%|3j'd(d)t(d*d"}2Wn t)yz|jd+Yn0W|3*n |3*0|2r|jd,|durt+,|}t-}4|#durt.}#zVt/|j|4|&||1|,|||| | | | ||| ||||||||||0|2||%|| d"|!|"|#|$d-$}5Wn0t0yT}6zt d.|6WYd}6~6n d}6~600|51|jdS)0Nr6)namequietnoneTrrcSsN|durtd||fddntd|fddtjtjdpL|S)Nz %s [%s]:  )endz%s:  )printsysrgflushstdinreadlinerstrip)promptr`r{r{r|askms  z%cmd_domain_provision.run..ask.ZRealm)Nrjz No realm set!ZDomainzNo domain set!z$Server Role (dc, member, standalone)rz=DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)r\zNo DNS backend set!z=DNS forwarder IP address (write 'none' to disable forwarding))NrzAdministrator password: z%s. zRetype password: Sorry, passwords do not match. realmz,Administrator password will be set randomly!rrrrBrFrr--use-xattrs=no requires --use-ntvfs (not supported for production use). Please re-run with --use-xattrs omitted. posix:eadbdir private dirO:S-1-5-32G:S-1-5-32S-1-5-32nativezZYou are not root or your system does not support xattr, using tdb backend for attributes. znot using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.)"rv targetdir samdb_fillrdomainZ domainguidZ domainsidZhostnameZhostipZhostip6ZsitenameZntdsguid invocationid adminpass krbtgtpass machinepass dns_backend dns_forwarderdnspassrootnobodyusersZ serverroledom_for_fun_leveluseeadbnext_ridr use_ntvfs use_rfc2307Zskip_sysvolacl base_schemaplaintext_secrets backend_storebackend_store_sizezProvision failed)N)2 get_loggerloggerrZ configfile_get_nameserver_iplenZraw_argvrsocketZgetfqdnrsupper IndexErrorrlower_adminpass_issueerrfrZ_lpgetinfor)r*r,r-r:r;r<rlpathisdirmakedirstempfileNamedTemporaryFileabspathdirnamesambantaclssetntaclrr( Exceptionrrrdom_sidr rr6r7Z report_logger)7rrr interactiverZ domain_guid domain_sid ntds_guidrZ host_nameZhost_ipZhost_ip6rsiterrrrrZ ldapadminpassrrrrZblank server_rolefunction_levelrZpartitions_onlyr use_xattrsrrrrrrrrvZsuggested_forwarderrrrr`rZadminpassplainZissueZadminpassverifyrreadbfileZsessionresulter{r{r|r6s$                                "       zcmd_domain_provision.runcCsddlm}d}||s.|jd|dSd}zXt|d}|D]4}|dsRqB|dW|durv| SW|dur| n|dur| 0|jd |dS) z5Grab the nameserver IP address from /etc/resolv.conf.r)rz/etc/resolv.confzFailed to locate %sNrZ nameserverzNo nameserver found in %s) rlrisfilerwarningrk startswithrtrsrr)rrZ RESOLV_CONFZhandleliner{r{r|rs(      z'cmd_domain_provision._get_nameserver_ipcCs>t|tr|d}t|tkr(dtSt|s6dSdSdS)zTReturns error string for a bad administrator password, or None if acceptableutf8zdAdministrator password does not meet the default minimum password length requirement (%d characters)zBAdministrator password does not meet the default quality standardsN) isinstancer?decoderr8rZcheck_password_quality)rrr{r{r|rs    z%cmd_domain_provision._adminpass_issue)$NNNNNNNNNNNNNNNNNNNNNNNNNNNNNrFNNFNN)rrrrrrrrrrr ntvfs_optionsextendcommon_provision_join_optionsris_ntvfs_fileserver_builtcommon_ntvfs_optionsrrrrr{r{r{r|rs   =      Krc@sbeZdZdZdZejejejdZ gZ e e e e erLe eddgZd dd ZdS) cmd_domain_dcpromoz9Promote an existing domain member or NT4 PDC to an AD DC.z%%prog [DC|RODC] [options]rrrrrole?NFcCs|}||}t|||jd}|j|| d}|d}|durJ|}|dkr|t||||||||| | | | d|||dn>|dkrt||||||||| | | | d|||dn t d|dS) Nserververboser netbios nameDCT)rrcredsrrr netbios_namerdomain_critical_onlyrrrZpromote_existingrrrRODCz-Invalid role '%s' (possible values: DC, RODC)) rget_credentialsr ipaddressrrrr r r)rrrolerrrrrrr$rrrrrrrrrr"rrr#r{r{r|r<s6    zcmd_domain_dcpromo.run)NNNNNNNFNFNFFFNN)rrrrrrrrrrrrcommon_join_optionsrrrrrrr{r{r{r|r's&   rc@sreZdZdZdZejejejdZ e ddddgZ gZ e ee eer\e e dd gZdd d Zd S)cmd_domain_joinz9Join domain as either member or backup domain controller.z,%prog [DC|RODC|MEMBER] [options]rrdrerKrVrrNFcCs|}||}t|||jd}|j|| d}|d}|durJ|}|dusZ|dkr|j||t| d\}}}|j d||fnl|dkrt ||||||||| | | | |||dn<|d krt ||||||||| | | | |||dn t d |dS) Nrrr ZMEMBER)rzJoined domain %s (%s) r!)rrr"rrrr#rr$rrrrrrr%z5Invalid role '%s' (possible values: MEMBER, DC, RODC))rr&r r'rrrZ join_memberr rrr r r)rrr(rrrrrrr$rrrrrrrrrr"rrr#Z join_passwordsidrr{r{r|r|sD      zcmd_domain_join.run)NNNNNNNFNFNFFFNN)rrrrrrrrrrrrrrr)rrrrrr{r{r{r|r*bs2   r*c @szeZdZdZdZeddededdded d d ed d ededddddedddddgZej ej ej dZ dddZ dS)cmd_domain_demotez4Demote ourselves from the role of Domain Controller.rrWz(writable DC to write demotion changes onrX-H--URL%LDB URL for database or target serverURLHrJrHrIdestz--remove-other-dead-serverzMDead DC (name or NTDS GUID) to remove ALL references to (rather than this DC)rSrTrUrKrVrarbrcrNFc 0 Cs |} || } t| | |jd} |j||d} |dur|durXtd|t| | d} nt|t| | d} zt| | |Wn2tjy}zt d|WYd}~n d}~00dS| d}t|t| | d} |sJ| j ddd gd }t |d krt d t |d krt dd}|D].}t |d |kr|d}qJq| }| j t | tjd|dgd}t |d ksd|d vrt d||d j}tt |d d}| j dt |dgd}t |d krt dt ||jd|t|| | \}}}|jdt}|d j|_|t@sp| sp|tO}tt |tjd|d<| ||jd|| | | fD]}t!"}t ||_t!#}||_$t!j%|_&t'(||_)z|*|d |Wnt+yj}zp|j,\}}|t-j.kr nL|jd||tN}tt |tjd|d<| |t dt ||WYd}~n d}~00qzftd|t| | d} |jd| j t | /d|0dgd}|d j}!tt |d d}"Wnzt1yP}z`|t@s2| s2|jd |tN}tt |tjd|d<| |t d!|WYd}~n d}~00t |d kr|t@s| s|jd"|tN}tt |tjd|d<| |t d#|0|"}#|"t2t3Bt4BM}"|"t5O}"t}|!|_td$|"tjd|d<z| |Wnzt1y}z`|t@sh| sh|jd"|tN}tt |tjd|d<| |t d!|WYd}~n d}~00|j6}$|d j7}%d%|%}&d }'t |&}(t8| d&t | /})| j |)|&tj9d'}t |d kr| j |)d(|&|'ftj9d'}t |d krD|'d)krD|'d }'| j |)d(|&|'ftj9d'}q|'d)kr|t@s| s|jd |tN}tt |tjd|d<| |t}|!|_td$|"tjd|d<| |t d*t |!|&|&|'d+fd(|&|'f}(z(t8| d,|(t |)f}*| :|!|*Wnt1y}z|t@st| st|jd |tN}tt |tjd|d<| |t}|!|_td$|"tjd|d<| |t d-t |!t |*f|WYd}~n d}~00| ;}+| },z4t!<}t |+|_=t |,|_/d |_>|?|d |Wnt+y}-z|-j,\}}|t@s~| s~|jd |tN}tt |tjd|d<| |t}|*|_td$|"tjd|d<| || :|*|!|t-j.krt d.|+|-fnt d/|+|-fWYd}-~-n d}-~-00t@| | |%d0d1| d2d3d4fD]R}.z"| At8| d,|.t |*fWn(tjB yp}/z WYd}/~/n d}/~/00 q"tjC| | | Dd5d6|jd7dS)8Nrr ldap://%sZurl session_infoZ credentialsrzDemote failed: %sr z.(&(objectClass=computer)(serverReferenceBL=*))Z dnsHostNamer) expressionattrsrzUnable to search for serversrz%You are the last server in the domainz(objectGUID=%s)rbasescoper7r8zFailed to find options on %sz(fSMORoleOwner=%s)zsearch_options:1:2)r7controlszaCurrent DC is still the owner of %d role(s), use the role command to transfer roles to another DCz,Using %s as partner server for the demotion z!Deactivating inbound replication z0Asking partner server %s to synchronize from us zgError while replicating out last local changes from '%s' for demotion, re-enabling inbound replication z6Error while sending a DsReplicaSync for partition '%s'z#Changing userControl and container z)(&(objectClass=user)(sAMAccountName=%s$))ZuserAccountControlr:r7r8z6Error while demoting, re-enabling inbound replication z$Error while changing account controlz5Error while demoting, re-enabling inbound replicationz@Unable to find object with samaccountName = %s$ in the remote dcz%dzCN=%szCN=Computers,%s)r:r7r;z%s-%ddzOUnable to find a slot for renaming %s, all names from %s-1 to %s-%d seemed used z%s,%szError while renaming %s to %szHThe DC %s is not present on (already removed from) the remote server: %sz.Error while sending a removeDsServer of %s: %sz$CN=Enterprise,CN=NTFRS SubscriptionszCN=%s, CN=NTFRS Subscriptionsrz?CN=Domain system Volumes (SYSVOL Share), CN=NTFRS SubscriptionszCN=NTFRS SubscriptionsT)Zignore_no_namezDemote successful )Err&r r'rrr r%ZDemoteExceptionrrsearchrrrZ get_ntds_GUIDget_config_basednldb SCOPE_SUBTREEdnrrrr$Messager0Zam_rodcr1MessageElementFLAG_MOD_REPLACEmodifyget_schema_basednZget_root_basednrZDsReplicaObjectIdentifierZDsReplicaSyncRequest1Znaming_contextZDRSUAPI_DRS_WRIT_REPrrrZsource_dsa_guidZ DsReplicaSyncrargsrZWERR_DS_DRA_NO_REPLICA domain_dnrrr3r4r5r2parentZ get_rdn_valueDnZSCOPE_ONELEVELrenameZget_serverNameZDsRemoveDSServerRequest1Z server_dnZcommitZDsRemoveDSServerZremove_sysvol_referencesdeleteLdbErrorZremove_dns_referencesZ host_dns_name)0rrrrrZremove_other_dead_serverr1rrrr"rrsamdbryr#rr rmsgZntds_dnZ dsa_optionsZ drsuapiBindZdrsuapi_handleZsupportedExtensionsZnmsgpartncZreq1Ze1ZwerrrEZ remote_samdbZdc_dnZuacZolduacrLZdc_nameZrdniZnewrdnZ computer_dnZnewdnZ server_dsa_dnrZe3slr{r{r|rs "              ,                  0           zcmd_domain_demote.run)NNNNNNFF)rrrrrrrrrrrrrrr{r{r{r|r,s*   r,c @s~eZdZdZdZejejejdZ e ddde ddd e d d d d de ddgddde ddgdddgZ dgZ dddZdS)cmd_domain_levelz(Raise domain and forest function levels.z&%prog (show|raise ) [options]rr-r.r/r0r1r2rSrTrUrKrVz--forest-levelrN)rrrBrCrDzBThe forest function level (2003 | 2008 | 2008_R2 | 2012 | 2012_R2)rHrOrJz--domain-levelzBThe domain function level (2003 | 2008 | 2008_R2 | 2012 | 2012_R2) subcommandNFc  Cs|} |j| dd} t|t| | d} | } | jd| tjdgd} t | dks\J| j| tjddgd}t |dksJ| jd | tj d dgd }t |dksJt }t }d| d vrt | d dd }d|d vrt |d dd }t |d dd }d}|D]L}d|vrT|dusBt |dd |kr^t |dd }n t }qbq|t ksv|t kr~t d |t krt d||krt d||krt d|dkr|d| |t kr|d kr|d|t kr|d kr|d|t kr&|d kr&|d|d|t kr@d}nd|tkrPd}nT|tkr`d}nD|tkrpd}n4|tkrd}n$|tkrd}n|tkrd}nd}|d||t kr|d krd }n~|t kr|d krd}nd|tkrd}nT|tkrd}nD|tkrd}n4|tkr&d}n$|tkr6d}n|tkrFd}nd}|d!||t krhd}nT|tkrxd}nD|tkrd}n4|tkrd}n$|tkrd}n|tkrd}nd}|d"|n*|d#krg}|dur |dkrt}n>|dkrt}n.|d$krt}n|dkr&t}n|d%kr4t}||krP|d krPt d&||krbt d'|d kr0t}t| | |_td(tjd|d<| |t}t| d)| d*d+| |_td(tjd|d<z| |Wn@tjy.}z$|j\}}|tjkrWYd}~n d}~00t}t| | |_tt|tjd|d<| |t}t| d)| d*d+| |_tt|tjd|d<z| |Wn@tjy}z$|j\}}|tjkrWYd}~n d}~00|}| d,|dur|dkr$t}n>|dkr4t}n.|d$krDt}n|dkrTt}n|d%krbt}||krtt d-||krt d.t}t| d| |_tt|tjd|d<| || d/| d0|d1!|n t d2|dS)3NT)Zfallback_machiner5CN=Partitions,%szmsDS-Behavior-Versionr;r8rZ nTMixedDomainz CN=Sites,%sz(objectClass=nTDSDSA))r;r7r8rzSDomain and/or forest function level(s) is/are invalid. Correct them or reprovision!zFLowest function level of a DC is invalid. Correct this or reprovision!zVForest function level is higher than the domain level(s). Correct this or reprovision!zdDomain function level is higher than the lowest function level of a DC. Correct this or reprovision!showz0Domain and forest function level for domain '%s'z| ATTENTION: You run SAMBA 4 on a forest function level lower than Windows 2000 (Native). This isn't supported! Please raise!z| ATTENTION: You run SAMBA 4 on a domain function level lower than Windows 2000 (Native). This isn't supported! Please raise!z ATTENTION: You run SAMBA 4 on a lowest function level of a DC lower than Windows 2003. This isn't supported! Please step-up or upgrade the concerning DC(s)!rjrz02003 with mixed domains/interim (NT4 DC support)rrz2008 R2rCz2012 R2zhigher than 2012 R2z!Forest function level: (Windows) z2000 mixed (NT4 DC support)z!Domain function level: (Windows) z)Lowest function level of a DC: (Windows) raiserBrDzGDomain function level can't be smaller than or equal to the actual one!zMDomain function level can't be higher than the lowest function level of a DC!0zCN=Z workgroupz,CN=Partitions,%szDomain function level changed!zGForest function level can't be smaller than or equal to the actual one!zdForest function level can't be higher than the domain function level(s). Please raise it/them first!zForest function level changed!!All changes applied successfully!rz4invalid argument: '%s' (choose from 'show', 'raise'))"rr&rr rKr@rArB SCOPE_BASErrCr)rrmessager+r*r,r-r.r/rErMrDrFrGrHrrPrJZERR_UNWILLING_TO_PERFORMrappendjoin)rrZr1Z forest_levelZ domain_levelrrrrrr"rQrKZ res_forestZ res_domainZres_dc_sZ level_forestZ level_domainZlevel_domain_mixedZ min_level_dcrRZoutstrmsgsZnew_level_domainmr enumZemsgZe2Znew_level_forestr{r{r|rsl                                           $                     zcmd_domain_level.run)NNNFNNNrr{r{r{r|rXs*    rXlcCs$t|tkrdStt|dSdS)z8Converts a timestamp in -100 nanosecond units to minutesrAN)rNEVER_TIMESTAMPabsZ timestamp_strr{r{r|timestamp_to_minss rlcCs t|dS)z5Converts a timestamp in -100 nanosecond units to daysi)rlrkr{r{r|timestamp_to_dayssrmc@sFeZdZdZdZejejejdZ e ddde ddd gZ d d d Z d S) cmd_domain_passwordsettings_showz1Display current password settings for the domain.rrr-r.r/r0r1r2Nc Cs|}||}t|t||d}|}|j|tjgdd} t| dksRJzt | ddd} t | ddd} t | ddd} t | dd d} t | dd d}t | dd d}t | dd d}t | dd d}Wn0t y&}zt d|WYd}~n d}~00|d||d| t@dkrZ|dn |d| t@dkr~|dn |d|d| |d| |d| |d||d||d||d|dS)Nr5) pwdPropertiespwdHistoryLength minPwdLength minPwdAge maxPwdAgelockoutDurationlockoutThresholdlockOutObservationWindowr\rrrorprqrrrsrurtrvz'Could not retrieve password properties!z$Password information for domain '%s'rjzPassword complexity: onzPassword complexity: offzStore plaintext passwords: onzStore plaintext passwords: offzPassword history length: %dzMinimum password length: %dzMinimum password age (days): %dzMaximum password age (days): %dz#Account lockout duration (mins): %dz(Account lockout threshold (attempts): %dz&Reset account lockout after (mins): %d)rr&rr rKr@rBrarrrmrlrrrbrr)rr1rrrrr"rQrKr pwd_props pwd_hist_lenZcur_min_pwd_lenZcur_min_pwd_ageZcur_max_pwd_ageZcur_account_lockout_thresholdZcur_account_lockout_durationZcur_reset_account_lockout_afterr r{r{r|rsH        z$cmd_domain_passwordsettings_show.run)NNNNrrrrrrrrrrrrrrr{r{r{r|rns rnc@seZdZdZdZejejejdZ e ddde ddd e d d d d de ddgddde ddgddde dde de dde de dde de dde de dd e de d!d"e de d#d$e dg Z d)d'd(Z d%S)*cmd_domain_passwordsettings_seta Set password settings. Password complexity, password lockout policy, history length, minimum password length, the minimum and maximum password age) on a Samba AD DC server. Use against a Windows DC is possible, but group policy will override it. z%prog [options]rr-r.r/r0r1r2rSrTrUrKrVz --complexityrN)onoffr`z=The password complexity (on | off | default). Default is 'on'rYz--store-plaintextzStore plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'z--history-lengthzBThe password history length ( | default). Default is 24.rXz--min-pwd-lengthzAThe minimum password length ( | default). Default is 7.z --min-pwd-agezFThe minimum password age ( | default). Default is 1.z --max-pwd-agezGThe maximum password age ( | default). Default is 43.z--account-lockout-durationzThe the length of time an account is locked out after exeeding the limit on bad password attempts ( | default). Default is 30 mins.z--account-lockout-thresholdzThe number of bad password attempts allowed before locking out the account ( | default). Default is 0 (never lock out).z--reset-account-lockout-afterzuAfter this time is elapsed, the recorded number of attempts restarts from zero ( | default). Default is 30.NFcCs| }| |}t|t||d}|}g}t}t|||_t | }| }| }|dur|dksz|dkr|t B}|dn|dkr|t @}|d|dur|dks|dkr|tB}|dn|dkr|t@}|d|dus|durtt|tjd |d <|dur~|dkr8d }nt |}|d ksT|d kr\td tt|tjd |d <|d|dur|dkrd}nt |}|d ks|dkrtdtt|tjd|d<|d|durL|dkrd}nt |}|d ks|dkrtdt |d }tt|tjd|d<|d|dur|dkrfd}nt |}|d ks|dkrtd|d krt}nt |d }tt|tjd|d<|d| durH| dkrd} nt | } | d ks| d krtd!| d krt}nt | d" }tt|tjd#|d#<|d$| dur| dkrbd } nt | } tt| tjd%|d%<|d&| dur | dkrd} nt | } | d ks| d krtd!| d krt}nt | d" }tt|tjd'|d'<|d(|s|rJt|}t|}|d krJ||krJtd)||ft|d kr`td*|||d+|d,|dS)-Nr5r{r`zPassword complexity activated!r|z Password complexity deactivated!z;Plaintext password storage for changed passwords activated!z=Plaintext password storage for changed passwords deactivated!rorz8Password history length must be in the range of 0 to 24!rpz Password history length changed!z8Minimum password length must be in the range of 0 to 14!rqz Minimum password length changed!riz6Minimum password age must be in the range of 0 to 998!g8M%iBrrzMinimum password age changed!+iz6Maximum password age must be in the range of 0 to 999!rszMaximum password age changed!iz8Maximum password age must be in the range of 0 to 99999!rhrtz!Account lockout duration changed!ruz"Account lockout threshold changed!rvz0Duration to reset account lockout after changed!zIMaximum password age (%d) must be greater than minimum password age (%d)!z7You must specify at least one option to set. Try --helpr`r)rr&rr rKrBrErMrDrZget_pwdPropertiesZ get_maxPwdAgeZ get_minPwdAgerrcrrFrrGrrirmrrHrbrd)rr1Z min_pwd_ageZ max_pwd_agerZ complexityZstore_plaintextZhistory_lengthZmin_pwd_lengthZaccount_lockout_durationZaccount_lockout_thresholdZreset_account_lockout_afterrrrrr"rQrKrerfrwZmax_pwd_age_ticksZmin_pwd_age_ticksrxZ min_pwd_lenZaccount_lockout_duration_ticksZ!reset_account_lockout_after_ticksr{r{r|r:s                                           z#cmd_domain_passwordsettings_set.run)NNNFNNNNNNNNNNryr{r{r{r|rzsX    rzc@s2eZdZdZiZeed<eed<eed<dS)cmd_domain_passwordsettingsz Manage password policy settings.Zpsor]setN)rrrr subcommandsr=rnrzr{r{r{r|rs   rc @seZdZdZdZejejdZe ddddde d dd d de d ddd de ddddde ddddde dddgddddgZ e ddgddd d!d"gZ e re ee e d#gZd(d&d'Zd$S))cmd_domain_classicupgradezUpgrade from Samba classic (NT4-like) database to Samba AD DC database. Specify either a directory with all Samba classic DC databases and state files (with --dbdir) or the testparm utility from your classic installation (with --testparm). z"%prog [options] rz--dbdirrErRz+Path to samba classic DC database directoryrGz --testparmPATHzPath to samba classic DC testparm utility from the previous installation. This allows the default paths of the previous installation to be followedrQzCPath prefix where the new Samba 4.0 AD domain should be initialisedrSrTrUrKrVrarbrcrZrNr[raThe DNS server backend. SAMBA_INTERNAL is the builtin name server (default), BIND9_FLATFILE uses bind9 text database to store zone information, BIND9_DLZ uses samba4 AD to store zone information, NONE skips the DNS setup entirely (this DC will not be a DNS server)r\r_rrrrrrrvNFc  Cstj|std||r4tj|s4td||rPtj|sPtd||s`|s`td|j||d} |r|r| dd}|} t}|j r| d|j |durtj |st |d}|d krd }n|d kr| d krd }n| d krtd n|d kr| d s|r4tjtj|d}n"tjtjtj| dd}zNz"tj| |jddtdd }Wnty| dYn0W|n |0i}|r||d<||d<||d<|d|d<n^t||d|d<t||d|d<t||d|d<t||d|d<t|ddkr>|d|d<|D]}| |||qB| d||t||}| dt|| |t|| | ddS)NzFile %s does not existz"Testparm utility %s does not existzDirectory %s does not existz'Please specify either dbdir or testparmrz2both dbdir and testparm specified, ignoring dbdir.rTrFrrrrrrrrzYou are not root or your system does not support xattr, using tdb backend for attributes. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.zstate directoryzlock directoryz /smbpasswdzsmb passwd filerzReading smb.confZ Provisioning)r6rrr) rlrexistsrrrrs3paramZ get_contextrrrmkdirrrrrrrrrrr(rrrrr}rloadr!r#r )rrvrZdbdirrurrrrrrrrrZs3confrZtmpfilepathsrwZsamba3r{r{r|rs~         "       zcmd_domain_classicupgrade.run) NNNNFFrNNNF)rrrrrrrrrrrrrrrrrrr{r{r{r|rsH   rc@seZdZejZdZdS)cmd_domain_samba3upgradeTN)rrrrrZhiddenr{r{r{r|rrsrc@seZdZddZdS)LocalDCCredentialsOptionscCstjj||dddS)Nzlocal-dc)Z special_name)rr__init__)rparserr{r{r|r|sz"LocalDCCredentialsOptions.__init__Nrrrrr{r{r{r|r{src@seZdZdZddZddZddZGdd d eZGd d d eZ Gd d d eZ ddZ ddZ ddZ ddZd?ddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd@d,d-ZdAd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zd:d;Z dBd=d>Z!d|||YS0dSNr)netr_DsRGetDCNameEx2rDS_RETURN_DNS_NAMEdc_uncrZnetr_GetDcName)rrrrrr{r{r|get_netlogon_dc_unc0s  z&DomainTrustCommand.get_netlogon_dc_uncc Cs||dddddtj}|Sr)rrr)rrrrr{r{r|get_netlogon_dc_info9s  z'DomainTrustCommand.get_netlogon_dc_infocCs|jtjkr|jS|jSr) trust_typerLSA_TRUST_TYPE_DOWNLEVELr#Zdns_namertr{r{r|netr_DomainTrust_to_name?s z+DomainTrustCommand.netr_DomainTrust_to_namecCsd}d}|D].}|jtj@r |}|jtj@s6||j}q  $$    zcmd_domain_trust_list.run)NNN) rrrrrrrrrrrrr{r{r{r|rsrc@s8eZdZdZdZejejedZ gZ dgZ dddZ dS) cmd_domain_trust_showzShow trusted domain details.z%prog NAME [options]rrNc Csr|||}z |}Wn2tyJ}z|||dWYd}~n d}~00ztj}|||\} } Wn2ty}z|||dWYd}~n d}~00|jd| j j | j j | j ft } || _ z || | tj} | j} | j}WnPty8}z6||tjrtd||||dWYd}~n d}~00z|| | tj}Wntty}zZ||tjrtd}||tjrd}|dur|||dt}d|_WYd}~n d}~00z&d}| jtj@r|| | tj}Wnztyd}z`||tj rd}||tj!r$d}|dur<|||dt"}d|_#g|_$WYd}~n d}~00|jd |jd | j%j | j%j | j&j kr|jd | j&j |jd | j |jd |'| j(|jd|)| j*|jd|+| jt,-|jj.}t,/|jj.}|jd||f|jd|0|j| jtj@rn|j1|| j&j ddS)Nfailed to connect lsa server#failed to query LSA_POLICY_INFO_DNS(LocalDomain Netbios[%s] DNS[%s] SID[%s] 4trusted domain object does not exist for domain [%s]z.QueryTrustedDomainInfoByName(FULL_INFO) failedz?QueryTrustedDomainInfoByName(SUPPORTED_ENCRYPTION_TYPES) failedrz&lsaRQueryForestTrustInformation failedzTrustedDomain: zNetbiosName: %s zDnsName: %s zSID: %s zType: %s zDirection: %s zAttributes: %s zPosixOffset: 0x%08X (%d) zkerb_EncTypes: %s r)2rrrrr!LSA_POLICY_VIEW_LOCAL_INFORMATIONrrrrrErr+StringQueryTrustedDomainInfoByName!LSA_TRUSTED_DOMAIN_INFO_FULL_INFOZinfo_exZ posix_offsetrrrNT_STATUS_OBJECT_NAME_NOT_FOUNDr-LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPESZNT_STATUS_INVALID_PARAMETERZNT_STATUS_INVALID_INFO_CLASS TrustDomainInfoSupportedEncTypes enc_typesrrlsaRQueryForestTrustInformationrZ"NT_STATUS_RPC_PROCNUM_OUT_OF_RANGEZNT_STATUS_NOT_FOUNDForestTrustInformationcountrr#rrrrtrust_directionrrrrZc_int32rr)rrrrrr local_lsarlocal_policy_access local_policylocal_lsa_info lsaStringZlocal_tdo_fulllocal_tdo_infoZlocal_tdo_posixZlocal_tdo_enctypesZlocal_tdo_forestZposix_offset_u32Zposix_offset_i32r{r{r|rBs  $$  $   zcmd_domain_trust_show.run)NNN) rrrrrrrrrrrrrr{r{r{r|r2src@seZdZdZdZejejeje dZ e dddddgd d dd e d dd gddddd e dddddgdddd e dddddde dddgdd d!d"d e d#dd$d%dde d&dd'd(dde d)d*d+d,d-de d.d*d/d0d-dg Z d1gZ d4d2d3Zd"S)5cmd_domain_trust_createz Create a domain or forest trust.%prog DOMAIN [options]rrrrz--typerNZTYPEexternalrz.The type of the trust: 'external' or 'forest'.rrHrIrOrJr3r`z --directionZ DIRECTION)incomingoutgoingbothz6The trust direction: 'incoming', 'outgoing' or 'both'.rr$z--create-locationLOCATIONlocalz=Where to create the trusted domain object: 'local' or 'both'.create_locationz--cross-organisationrKz=The related domains does not belong to the same organisation.cross_organisationFrMrJr3r`z --quarantinedzyes|no)rrNzSpecial SID filtering rules are applied to the trust. With --type=external the default is yes. With --type=forest the default is no.quarantined_argNz--not-transitivez#The forest trust is not transitive.not_transitivez--treat-as-externalz'The treat the forest trust as external.treat_as_externalz --no-aes-keysZ store_falsez!The trust uses aes kerberos keys. use_aes_keysTz--skip-validationzSkip validation of the trust.validatercC s:t}d}| dur"|dkr.d}n | dkr.d}|dkrN| rBtd| rNtdd}| rvt}tj|_|jtjO_tj}|tj O}|tj O}t }tj |_ d|_|d kr|jtjO_|jtjO_n4|d kr|jtjO_n|d kr|jtjO_d|_| r |jtjO_|r6|jtjO_|dkrP|jtjO_| rf|jtjO_| r||jtjO_fd d }d}d}tj}|dkr|jtj@r|d}t|d}|jtj@r|d}t|d}d}n8dd}|jtj@r|d}|jtj@r$|d}|tj O}|tj O}t }tj |_ d|_|d krz|jtjO_|jtjO_n6|d kr|jtjO_n|d kr|jtjO_d|_| r|jtjO_|r|jtjO_|dkr|jtjO_| r|jtjO_| r(|jtjO_||}z }Wn4tyt}z|dWYd}~n d}~00z||\}} Wn4ty}z|dWYd}~n d}~00jd| j j!| j"j!| j#fz$||}!Wn4ty$}z%|dWYd}~n d}~00z &}"Wn4tyf}z%|dWYd}~n d}~00z|"|\}#}$Wn4ty}z%|dWYd}~n d}~00jd|$j j!|$j"j!|$j#f|$j"j!|j'_!|$j j!|j(_!|$j#|_#|r| j"j!|j'_!| j j!|j(_!| j#|_#z,|j'j!|_!|)||tj*}%td|j!WnJt+y}z0,|t-j.sz|d|j!WYd}~n d}~00z,|j(j!|_!|)||tj*}&td|j!WnJt+y}z0,|t-j.s|d|j!WYd}~n d}~00|rz,|j'j!|_!|")|#|tj*}'td|j!WnJt+y}z0,|t-j.sp%|d|j!WYd}~n d}~00z,|j(j!|_!|")|#|tj*}(td|j!WnJt+y}z0,|t-j.s%|d|j!WYd}~n d}~00z /})Wn4ty>}z|dWYd}~n d}~00z0|)|}*Wn4ty}z|dWYd}~n d}~00|rz 1}+Wn4ty}z%|dWYd}~n d}~00z2|+|!|},Wn4ty}z%|dWYd}~n d}~00dd}-dCd d!}.t34}/|-||/}0|-||/}1d}2d}3|.|j5|0|1d"}4|rr|.|"j5|1|0d"}5z|rڈjd#d$d%d&}6|"6|#||5tj7}3jd'|rڈjd(d$d)d&}6|"8|3tj9|jd*dd%d&}6|6|||4tj7}2jd+| r:jd,dd)d&}6|8|2tj9|Wnt y}zjd-|6d.|6d/f|3 rjd0|":|3d}3|2 rjd1|:|2d}2|6d/d$k rΈ%|d2|6d.|d2|6d.WYd}~n d}~00| r|jtj@ rjd3z|);|*j<|$j"j!t=j>}7Wn4t yh}z|d4WYd}~n d}~00z|?||$j"tj@|7d}8Wn4t y}z|d5WYd}~n d}~00jA|7|$j"j!|8d6| rjd7z|+;|,| j"j!t=j>}9Wn4t y,}z%|d4WYd}~n d}~00z|"?|#| j"tj@|9d}:Wn4t y|}z%|d5WYd}~n d}~00jA|9| j"j!|:d6|jtj@ rjd8z|)B|*jnd=|;jI|;jFd<|;jEd<f}>|njd>|>| r|jtj@ rjd?z|+B|,t=jCd9| j"j!}?Wn4t y}z%|d:WYd}~n d}~00D|?jEd}@D|?jFd}A|?jGt=jH@ rTd@|?jI|?jFd<|?jEd<f}BndA|?jI|?jFd<|?jEd<f}B|@tJjKk s|AtJjKk rt|Bnjd>|B|3du rz|"L|3Wn&t y}z WYd}~n d}~00d}3|2dur*z|L|2Wn&ty$}z WYd}~n d}~00d}2jdBdS)DNFr Trrz'--not-transitive requires --type=forestz*--treat-as-external requires --type=forestrr$r"r#csNd}|dur|dkr|Std|}td|}||ksd}jdqdS)NrjzNew %s Password: zRetype %s Password: r)rrr)rpasswordZpasswordverifyrr{r| get_password s  z1cmd_domain_trust_create.run..get_passwordr&zIncoming Trust utf-16-lezOutgoing TrustcSs"t|d|d}t|dS)Nr1)rZ generate_random_machine_passwordr'encode)ZlengthZpwr{r{r|random_trust_secret/ sz8cmd_domain_trust_create.run..random_trust_secretrrrfailed to locate remote server)RemoteDomain Netbios[%s] DNS[%s] SID[%s] zTrustedDomain %s already exist'z2QueryTrustedDomainInfoByName(%s, FULL_INFO) failedrfailed to get netlogon dc infocSs|durt}d|_|St}t||_||_t}t ||_ t j |_ ||_t}d|_|g|_t}d|_||_|S)Nrr)rZtrustAuthInOutBlobrZ AuthInfoClearrsizer/ZAuthenticationInformationrZ unix2nttimeZLastUpdateTimerZTRUST_AUTH_TYPE_CLEARZAuthTypeZAuthInfoZAuthenticationInformationArrayrZcurrent)Zsecret update_timeZblobclearrrr{r{r|generate_AuthInOutBlob s$  z;cmd_domain_trust_create.run..generate_AuthInOutBlobc Ssdgd}tt|D]}tdd||<qt}||_||_||_t |}t ||}t }t||_ t||_t } || _| S)Nri)rangerrandomZrandintrZtrustDomainPasswords confounderr#r"rr&rZ DATA_BUF2r9r'dataZTrustDomainInfoAuthInfoInternal auth_blob) session_keyr"r#r@rUZ trustpassZtrustpass_blobZencrypted_trustpassrBZ auth_infor{r{r|generate_AuthInfoInternal s    z>cmd_domain_trust_create.run..generate_AuthInfoInternal)r"r#zCreating remote TDO. ZremoteCreateTrustedDomainEx2)locationrzRemote TDO created. z2Setting supported encryption types on remote TDO. SetInformationTrustedDomainzCreating local TDO. zLocal TDO created z1Setting supported encryption types on local TDO. z$Error: %s failed %sly - cleaning up rrFzDeleting remote TDO. zDeleting local TDO. %sz(Setup local forest trust information... *netr_DsRGetForestTrustInformation() failed&lsaRSetForestTrustInformation() failedrrz)Setup remote forest trust information... zValidating outgoing trust... r2!NETLOGON_CONTROL_TC_VERIFY failedGLocalValidation: DC[%s] CONNECTION[%s] TRUST[%s] VERIFY_STATUS_RETURNEDr0LocalValidation: DC[%s] CONNECTION[%s] TRUST[%s]OK: %s zValidating incoming trust... HRemoteValidation: DC[%s] CONNECTION[%s] TRUST[%s] VERIFY_STATUS_RETURNED1RemoteValidation: DC[%s] CONNECTION[%s] TRUST[%s]z Success. )NN)Mrr rrrrrrr LSA_POLICY_TRUST_ADMINLSA_POLICY_CREATE_SECRETZTrustDomainInfoInfoExrrrrrrrrrrrr'r3rrrrrrrrrErr+rrrrr#r rrrrrrrrrrZcurrent_unix_timerCrEZLSA_TRUSTED_DOMAIN_ALL_ACCESSrGr DeleteObject!netr_DsRGetForestTrustInformationrrDS_GFTI_UPDATE_TDOlsaRSetForestTrustInformationrrnetr_LogonControl2ExNETLOGON_CONTROL_TC_VERIFYrpdc_connection_statustc_connection_statusrNETLOGON_VERIFY_STATUS_RETURNEDtrusted_dc_namer WERR_SUCCESSZClose)Crrrrrrrrr'r(r*r+r,r-r.rZ quarantinedrrZlocal_trust_infor0Zincoming_secretZoutgoing_secretremote_policy_accessZincoming_passwordZoutgoing_passwordZremote_trust_infor4rrrrrr remote_lsa remote_policyremote_lsa_infoZlocal_old_netbiosZ local_old_dnsZremote_old_netbiosZremote_old_dnsrlocal_netlogon_inforemote_netlogonZremote_netlogon_dc_uncr<rDr:Z incoming_blobZ outgoing_bloblocal_tdo_handleremote_tdo_handleZlocal_auth_infoZremote_auth_infoZcurrent_requestlocal_forest_infoZlocal_forest_collisionZremote_forest_infoZremote_forest_collisionlocal_trust_verifylocal_trust_statuslocal_conn_statuslocal_validationremote_trust_verifyremote_trust_statusremote_conn_statusremote_validationr{rr|rs               $$$ $$         $$ $$                     $$ $$ $  $    zcmd_domain_trust_create.run) NNNNNNNFNFFFTrrrrrrrrrrrrrrrr{r{r{r|rs-rc @sTeZdZdZdZejejeje dZ e dddddgd d dd gZ d gZ dddZd S)cmd_domain_trust_deletezDelete a domain trust.rrz--delete-locationrNr%r&r$z=Where to delete the trusted domain object: 'local' or 'both'.delete_locationr!rNc Cs4tj}|tjO}|tjO}|dkr(d}ntj}|tjO}|tjO}|||} z |} Wn2ty} z||| dWYd} ~ n d} ~ 00z|| |\} } Wn2ty} z||| dWYd} ~ n d} ~ 00|j d| j j | j j | jfd}d}d}d}t}z||_ | | |tj}WnPtyx} z6|| tjrVtd|||| dWYd} ~ n d} ~ 00|durz|||}Wn4ty} z||| dWYd} ~ n d} ~ 00z |}Wn4ty } z||| dWYd} ~ n d} ~ 00z|||\}}Wn4tyT} z||| dWYd} ~ n d} ~ 00|j d|j j |j j |jf|j|jks|j j |jj ks|j j |jj krtd|jj |jj |jfz| j j |_ |||tj}WnJty,} z0|| tjs||| d |j WYd} ~ n d} ~ 00|dur| j|jksj| j j |jj ksj| j j |jj krtd |jj |jj |jf|durz|jj |_ | | |tj}Wn:ty} z ||| d |j WYd} ~ n d} ~ 00| |d}|dur\z|jj |_ |||tj}Wn:tyZ} z ||| d |j WYd} ~ n d} ~ 00|durz||d}|j d Wn@ty} z&|j d ||| dWYd} ~ n d} ~ 00|dur0z| |d}|j dWn@ty.} z&|j d ||| dWYd} ~ n d} ~ 00dS)Nr&rrrz$Failed to find trust for domain '%s'r6r7z2LocalTDO inconsistend: Netbios[%s] DNS[%s] SID[%s]z QueryTrustedDomainInfoByName(%s)z3RemoteTDO inconsistend: Netbios[%s] DNS[%s] SID[%s]zOpenTrustedDomainByName(%s)zRemoteTDO deleted. z%s zDeleteObject() failedzLocalTDO deleted. ) rr rRrSrrrrrrrrrErr+r r LSA_TRUSTED_DOMAIN_INFO_INFO_EXrrrrrrrrr#rZOpenTrustedDomainByNamerZSEC_STD_DELETErT)rrrrrrrrrr_rrrrrrreZremote_tdo_inforfrrr`rarbr{r{r|r s      $$ $ $ $$            0  0zcmd_domain_trust_delete.run)NNNNNrpr{r{r{r|rq s$rqc @sTeZdZdZdZejejeje dZ e dddddgd d dd gZ d gZ dddZd S)cmd_domain_trust_validatezValidate a domain trust.rrz--validate-locationrNr%r&r$z?Where to validate the trusted domain object: 'local' or 'both'.validate_locationr!rNc Csftj}|||}z |} Wn2tyP} z||| dWYd} ~ n d} ~ 00z|| |\} } Wn2ty} z||| dWYd} ~ n d} ~ 00|jd| j j | j j | j fz"t } || _ | | | tj}WnPty,} z6|| tjr td|||| dWYd} ~ n d} ~ 00|jd|jj |jj |j fz |}Wn4ty} z||| dWYd} ~ n d} ~ 00z||tjd|jj }Wn4ty} z||| d WYd} ~ n d} ~ 00||jd }||jd }|jtj@r,d |j |jd |jd f}nd |j |jd |jd f}|t!j"ks`|t!j"krjt|n|jd|z4|j #dd}d|jj |f}||tj$d|}Wn4ty} z||| dWYd} ~ n d} ~ 00||jd }d|j |jd f}|t!j"krt|n|jd||dkrbz|j%||dd}Wn4ty} z|&|| dWYd} ~ n d} ~ 00z |'}Wn4ty} z|&|| dWYd} ~ n d} ~ 00z||tjd| j j }Wn4ty} z|&|| d WYd} ~ n d} ~ 00||jd }||jd }|jtj@r`d|j |jd |jd f}nd|j |jd |jd f}|t!j"ks|t!j"krt|n|jd|z4|j #dd}d| j j |f}||tj$d|}Wn4ty} z|&|| dWYd} ~ n d} ~ 00||jd }d|j |jd f}|t!j"krRt|n|jd|dS)Nrrrr ,QueryTrustedDomainInfoByName(INFO_EX) failed%LocalTDO Netbios[%s] DNS[%s] SID[%s] rr2rLrrMrrNrO\rjz%s\%sz"NETLOGON_CONTROL_REDISCOVER failedz&LocalRediscover: DC[%s] CONNECTION[%s]r&F)rr6rPrQz'RemoteRediscover: DC[%s] CONNECTION[%s])(rr rrrrrrrrrErr+r r rsrrrrrr#rrrXrrYrrZr[rr\r]rr^replaceZNETLOGON_CONTROL_REDISCOVERrrr) rrrrrrrurrrrrrrrrrhrirjrkrZdomain_and_serverZlocal_trust_rediscoverZlocal_rediscoverrrdrlrmrnroZremote_trust_rediscoverZremote_rediscoverr{r{r|rx s   $$ $ $$ $   $ $$ $  zcmd_domain_trust_validate.run)NNNNNrpr{r{r{r|rtb s$rtc@s\eZdZdZdZejejedZ e dddgddd d d e d d dddde dddddgde dddddgde dddddgde ddddd gde d!dd"d#d$gde d%dd"d&d'gde d(dd)d*d+gde d,dd)d-d.gde d/ddd0d1gde d2ddd3d4gde d5ddd6d7gde d8ddd9d:gdgZ d;gZ d d d d d dggggggggggggfdcmd_domain_trust_namespaceszManage forest trust namespaces.z%prog [DOMAIN] [options]rz --refreshrNz check|store)ZcheckstoreNzLList and maybe store refreshed forest trust information: 'check' or 'store'.refreshNr!z --enable-allrKzATry to update disabled entries, not allowed with --refresh=check. enable_allFr)z --enable-tlnrcZ DNSDOMAINz?Enable a top level name entry. Can be specified multiple times. enable_tln)rMrIrJr3r`z --disable-tlnz@Disable a top level name entry. Can be specified multiple times. disable_tlnz --add-tln-exzAAdd a top level exclusion entry. Can be specified multiple times. add_tln_exz--delete-tln-exzDDelete a top level exclusion entry. Can be specified multiple times. delete_tln_exz --enable-nbZ NETBIOSDOMAINzIEnable a netbios name in a domain entry. Can be specified multiple times. enable_nbz --disable-nbzJDisable a netbios name in a domain entry. Can be specified multiple times. disable_nbz --enable-sidZ DOMAINSIDz@Enable a SID in a domain entry. Can be specified multiple times.enable_sid_strz --disable-sidzADisable a SID in a domain entry. Can be specified multiple times.disable_sid_strz--add-upn-suffixzVAdd a new uPNSuffixes attribute for the local forest. Can be specified multiple times.add_upnz--delete-upn-suffixz^Delete an existing uPNSuffixes attribute of the local forest. Can be specified multiple times. delete_upnz--add-spn-suffixz[Add a new msDS-SPNSuffixes attribute for the local forest. Can be specified multiple times.add_spnz--delete-spn-suffixzcDelete an existing msDS-SPNSuffixes attribute of the local forest. Can be specified multiple times. delete_spnzdomain?cG CsVd}|dur&|dkr"td||r.tdt|dkrBtdt|dkrVtdt| dkrjtdt| dkr~td t| dkrtd t|dkrtd t| dkrtd t| dkrtd t|dkr|D]}|dsqtd|qd}t|dkr<|D]"}|ds(qtd|qd}|D]4}|D](}||krbqHtd|qHq@t|dkr|D]"}|dsqtd|qd}t|dkr|D]"}|ds֐qtd|qd}|D]4}|D](}||krqtd|qqnXt|dkrWYd}~n d}~00g}*d:|)v r<|*,|)d:g}+d;|)v rX|+,|)d;|jd?t|*|*D]},|jd@dA|,f qp|jdBt|+|+D]},|jd@dA|,f q| sdSd}-g}.|.,|*d}/g}0|0,|+|D]J}1t-|.D],\}2},t%|,|1k rtdC|1 q|.|1d}- q|D]f}1d}3t-|.D].\}2},t%|,|1k rt qR|2}3 q qR|3du rtdD|1|..|3d}- qB|D]J}4t-|0D],\}2},t%|,|4k rtdE|4 q|0|4d}/ q|D]f}4d}3t-|0D].\}2},t%|,|4k r0 q|2}3 q> q|3du rTtdF|4|0.|3d}/ q|jdGt|.|.D]},|jd@dA|,f q~|jdHt|0|0D]},|jd@dA|,f qt(/}5|)j0|5_0|- rt(1|.t(j2d:|5d:<|/ rt(1|0t(j2d;|5d;<z|%3|5Wn6t(j* yV}z|+||dIWYd}~n d}~00z|"|#jdd}6Wn4t y}z|||d5WYd}~n d}~00|jdJ|j#|6|!jjd7dSz"t 4}7||7_|5| |7t j6}8WnPt7 y6}z6||t8j9 rtdK||||dLWYd}~n d}~00|jdM|8j:j|8jj|8jf|8j;t j<@ srtdN||durnz |}"Wn4t y}z|||d1WYd}~n d}~00z||"|}#Wn4ty}z|||d2WYd}~n d}~00dO}9|dkr$t=j>}:|r(d}9nd}:z|"|#j|8jj|:};Wn4tyt}z|||d5WYd}~n d}~00z|?| |8jt j@|;|9}|>,|=jBt C}?t|>|?_D|>|?_B|rt-|?jBD]V\}2}@|@jEt jFkrDq*|?jB|2jGdkrZq*d|?jB|2_H|?jB|2jGt jIM_Gq*t-|?jBD]n\}2}@|@jEt j@krq|?jB|2jGdkrqd|?jB|2_H|?jB|2jGt jJM_G|?jB|2jGt jKM_Gq|D]}Ad}3t-|?jBD]@\}2}@|@jEt jFkr,q|@jLj|AkrFq|2}3qTq|3durjtdU|A|?jB|3jGt jI@stdV|Ad|?jB|3_H|?jB|3jGt jIM_Gq|D]}Ad}3t-|?jBD]@\}2}@|@jEt jFkrq|@jLj|Akrq|2}3q q|3dur tdW|A|?jB|3jGt jM@r@tdX|Ad|?jB|3_H|?jB|3jGt jIM_G|?jB|3jGt jMO_Gq| D]N}Bd}3t-|?jBD]@\}2}@|@jEt jNkrq|@jLj|Bkrʐq|2}3qؐq|3durtdY|BdZ|B}Cd}3t-|?jBD]\\}2}@|@jEt jFkr"qdZ|@jLj}D|C|DkrHtd[|B|CO|DsXq|2}3qfq|3dur|td\|Bt P}@t jN|@_Ed|@_Gd|@_H|B|@jL_g}>|>,|?jB|>Q|3dO|@t|>|?_D|>|?_Bq| D]}Bd}3t-|?jBD]@\}2}@|@jEt jNkrq|@jLj|Bkrq|2}3q,q|3durBtd]|Bg}>|>,|?jB|>.|3t|>|?_D|>|?_Bq| D]}Ed}3t-|?jBD]B\}2}@|@jEt j@krq|@jLjRj|Ekrq|2}3qʐq|3durtd^|E|?jB|3jGt jJ@std_|Ed|?jB|3_H|?jB|3jGt jJM_Gqt|D]}Ed}3t-|?jBD]B\}2}@|@jEt j@krXq>|@jLjRj|Ekrtq>|2}3qq>|3durtd`|E|?jB|3jGt jS@rtda|Ed|?jB|3_H|?jB|3jGt jJM_G|?jB|3jGt jSO_Gq,|D]}d}3t-|?jBD]8\}2}@|@jEt j@kr&q |@jLjT|kr8q |2}3qFq |3dur\tdb||?jB|3jGt jK@s|tdc|Ed|?jB|3_H|?jB|3jGt jKM_Gq|D]}d}3t-|?jBD]8\}2}@|@jEt j@krԐq|@jLjT|krq|2}3qq|3dur tdd||?jB|3jGt jU@r*tde|Ed|?jB|3_H|?jB|3jGt jKM_G|?jB|3jGt jUO_Gqz|?| |8jt j@|?d}FWn4ty}z|||dPWYd}~n d}~00|jdf|j#|?|8jj|FdRz&t 4}7|8jj|7_|A| |7t j@}6Wn4ty2}z|||dSWYd}~n d}~00|jdJ|j#|6|8jjd7dS)gNFr{z'--refresh=%s not allowed without DOMAINz'--enable-all not allowed without DOMAINrz'--enable-tln not allowed without DOMAINz(--disable-tln not allowed without DOMAINz'--add-tln-ex not allowed without DOMAINz*--delete-tln-ex not allowed without DOMAINz&--enable-nb not allowed without DOMAINz'--disable-nb not allowed without DOMAINz'--enable-sid not allowed without DOMAINz(--disable-sid not allowed without DOMAINz*.zEvalue[%s] specified for --add-upn-suffix should not include with '*.'TzHvalue[%s] specified for --delete-upn-suffix should not include with '*.'z@value[%s] specified for --add-upn-suffix and --delete-upn-suffixzEvalue[%s] specified for --add-spn-suffix should not include with '*.'zHvalue[%s] specified for --delete-spn-suffix should not include with '*.'z@value[%s] specified for --add-spn-suffix and --delete-spn-suffixz1--add-upn-suffix not allowed together with DOMAINz4--delete-upn-suffix not allowed together with DOMAINz1--add-spn-suffix not allowed together with DOMAINz4--delete-spn-suffix not allowed together with DOMAINz3--enable-all not allowed together with --refresh=%sz0--enable-tln not allowed together with --refreshz1--disable-tln not allowed together with --refreshz0--add-tln-ex not allowed together with --refreshz3--delete-tln-ex not allowed together with --refreshz/--enable-nb not allowed together with --refreshz0--disable-nb not allowed together with --refreshz0--enable-sid not allowed together with --refreshz1--disable-sid not allowed together with --refreshz3--enable-tln not allowed together with --enable-allz2--enable-nb not allowed together with --enable-allz3--enable-sid not allowed together with --enable-allz6value[%s] specified for --enable-tln and --disable-tlnzAvalue[%s] specified for --add-tln-ex should not include with '*.'zDvalue[%s] specified for --delete-tln-ex should not include with '*.'z8value[%s] specified for --add-tln-ex and --delete-tln-exz4value[%s] specified for --enable-nb and --disable-nbz7value[%s] specified for --enable-sid is not a valid SIDz8value[%s] specified for --disable-sid is not a valid SIDz6value[%s] specified for --enable-sid and --disable-sidrrrrr8z1The local domain [%s] is not the forest root [%s]z@LOCAL_DC[%s]: netr_DsRGetForestTrustInformation() not supported.rIz Own forest trust information... r zfailed to connect to SamDBr[Z uPNSuffixeszmsDS-SPNSuffixesz(objectClass=crossRefContainer)r9zfailed to search partition dnz#Stored uPNSuffixes attributes[%d]: zTLN: %-32s DNS[*.%s] rjz(Stored msDS-SPNSuffixes attributes[%d]: zBEntry already present for value[%s] specified for --add-upn-suffixz?Entry not found for value[%s] specified for --delete-upn-suffixzBEntry already present for value[%s] specified for --add-spn-suffixz?Entry not found for value[%s] specified for --delete-spn-suffixz#Update uPNSuffixes attributes[%d]: z(Update msDS-SPNSuffixes attributes[%d]: zfailed to update partition dnz#Stored forest trust information... r rvrwzItrusted domain object for domain [%s] is not marked as FOREST_TRANSITIVE.rrJz"Fresh forest trust information... rKz(lsaRQueryForestTrustInformation() failedz"Local forest trust information... z8Entry not found for value[%s] specified for --enable-tlnzGEntry found for value[%s] specified for --enable-tln is already enabledz9Entry not found for value[%s] specified for --disable-tlnzIEntry found for value[%s] specified for --disable-tln is already disabledz>Entry already present for value[%s] specified for --add-tln-exz.%sz:TLN entry present for value[%s] specified for --add-tln-exz>No TLN parent present for value[%s] specified for --add-tln-exz;Entry not found for value[%s] specified for --delete-tln-exz7Entry not found for value[%s] specified for --enable-nbzFEntry found for value[%s] specified for --enable-nb is already enabledz7Entry not found for value[%s] specified for --delete-nbzHEntry found for value[%s] specified for --disable-nb is already disabledz8Entry not found for value[%s] specified for --enable-sidzGEntry found for value[%s] specified for --enable-sid is already enabledz8Entry not found for value[%s] specified for --delete-sidzIEntry found for value[%s] specified for --disable-sid is already disabledz$Updated forest trust information... )Vrrrrrrr TypeErrorrcrr rRrrrrrrrrrErr+rrrZ forest_namerUrrrrrZWERR_INVALID_FUNCTIONZWERR_NERR_ACFNOTLOADEDrrrrAr@rBrarPrrrpoprErDrFrGrHr r rsrrrr#rrrrVrWrrrrrrHrrtimeZLSA_TLN_DISABLED_MASKZLSA_NB_DISABLED_MASKZLSA_SID_DISABLED_MASKrrrendswithZForestTrustRecordinsertrrrr)Grrrrrr|r}r~rrrrrrrrrrrZrequire_updatenrrr Z enable_sidrVr+rZ disable_sidrrrrrrrcZown_forest_infoZ local_samdbZlocal_partitions_dnr8reZ stored_msgZstored_upn_valsZstored_spn_valsrZ replace_upnZupdate_upn_valsZ replace_spnZupdate_spn_valsZupnrUidxZspnZ update_msgZstored_forest_inforrZlsa_update_checkZnetlogon_update_tdoZfresh_forest_infoZfresh_forest_collisionrgrZupdate_forest_infor rZtln_exZtln_dotZr_dotZnbZupdate_forest_collisionr{r{r|r^ s                    ""    $$  $$$  $ $                $$  $   $$ $$   $  $                                                        $  $ zcmd_domain_trust_namespaces.run)rrrrrrrrrrrrrrr{r{r{r|rz s<rzc@sbeZdZdZdZedddeddded d ed ed d ed gZdgZ e j e j e j dZddZdS)cmd_domain_tombstones_expungezZExpunge tombstones from the database. This command expunges tombstones from the database.z%prog NC [NC [...]] [options]r-r.r/r0r1r2z--current-timezQThe current time to evaluate the tombstone lifetime from, expressed as YYYY-MM-DDrXz--tombstone-lifetimez2Number of days a tombstone should be preserved forznc*rc Os^|d}|d}|d}|d}|d}|}||} t|t| |d} |durzt|d} tt| } n tt} t |dkr| j d d t j d gd } g}| dd D]}| t|qnt|}d }z$| d }| j|| |d\}}Wn>ty<}z$|r| td|WYd}~n d}~00| |jd||fdS)Nrrr1 current_timetombstone_lifetimer5z%Y-%m-%drrjZnamingContexts)r7r:r;r8FT)rrz.Failed to expunge / garbage collect tombstonesz-Removed %d objects and %d links successfully )rrr&rr rstrptimermktimerr@rBrarcrlisttransaction_startZgarbage_collect_tombstonesrtransaction_cancelrtransaction_commitrr)rZncskwargsrrr1Zcurrent_time_stringrrr"rQZcurrent_time_objrrrTZstarted_transactionZremoved_objectsZ removed_linksryr{r{r|rsR           z!cmd_domain_tombstones_expunge.runN)rrrrrrrrrrrrrrrrr{r{r{r|rs"   rc@sPeZdZdZiZeed<eed<eed<eed<e ed<e ed<dS) cmd_domain_trustz#Domain and forest trust management.rr]ZcreaterOr.Z namespacesN) rrrrrrrrrqrtrzr{r{r{r|rFs     rc@seZdZdZiZeed<dS)cmd_domain_tombstonesz0Domain tombstone and recycled object management.ZexpungeN)rrrrrrr{r{r{r|rRsrc@s(eZdZdZddZddZddZdS) ldif_schema_updatez-Helper class for applying LDIF schema updatescCsd|_d|_d|_d|_dS)NFrj) is_defunct unknown_oidrDldifrr{r{r|r\szldif_schema_update.__init__cCsR|j\}}|tjkr,|jr,td|jdS|jdurNtd|j|jfdSdS)z>Checks if we can safely ignore failure to apply an LDIF updatez)Defunct object %s doesn't exist, skippingTNz%Skipping unknown OID %s for object %sF)rJrBZERR_NO_SUCH_OBJECTrrrDr)rrZnumrr{r{r|can_ignore_failurebs  z%ldif_schema_update.can_ignore_failurec Cszpz|j|jdgdWnTtjyl}z:|jdtjkrV||j|jdgdnWYd}~n d}~00Wnjtjy}zP||rWYd}~dStd|tdtdtd|jWYd}~n d}~00d S) z*Applies a single LDIF update to the schemazrelax:0)r<rN Exception: %sz4Encountered while trying to apply the following LDIFz4----------------------------------------------------rHr) Z modify_ldifrrBrPrJZERR_INVALID_ATTRIBUTE_SYNTAXZset_schema_update_nowrr)rrQr r{r{r|applyps"  zldif_schema_update.applyN)rrrrrrrr{r{r{r|rYsrc @seZdZdZdZejejejdZ e ddde ddd e d d d d de dddd de dddddgddde de ddde de dddgZ dd Z d!d"Zd#d$ZdS)%cmd_domain_schema_upgradezDomain schema upgradingrrr-r.r/r0r1r2rSrTrUrKrVrarbrcz--schemarNZSCHEMArCrDrcrlrrrdrrnrorpOSErrorIOErrorrq returncoderrrr)!rrrr rupdates_allowed_overriddenrrrr"r1Z target_schemaZ ldf_filesrZ temp_folderrQown_dnmasterZschema_updatesrrstartZdiff_dirrversionupdateZdiffrwrgrhrerror_encounteredrr{r{r|rs                           zcmd_domain_schema_upgrade.run)rrrrrrrrrrrrrrrrr{r{r{r|rs4 Src @seZdZdZdZejejejdZ e ddde ddd e d d d d de dddd de dddgdddde dd dde dd ddgZ ddZ d S)!cmd_domain_functional_prepz#Domain functional level preparationrrr-r.r/r0r1r2rSrTrUrKrVrarbrcrrNZFUNCTION_LEVELrArrDr_z --forest-prepzJRun the forest prep (by default, both the domain and forest prep are run).rLz --domain-prepzJRun the domain prep (by default, both the domain and forest prep are run).c KsPd}|d}|d}|}||}|d}t|d}|d} |d} t|t||d} |d dur|d d td d }| dur| durd } d } t | | } | rt | t | d } | | krtd| r| }d|}t | |d} | | krtd| r| d}zBddlm}|| d d}|gd|j|td d| Wn>ty}z$td|| d }WYd}~n d}~00| r,| d}z4ddlm}|| d d}|j|td d| Wn>ty*}z$td|| d }WYd}~n d}~00|r>|d d|rLtddS)NFrrr1r forest_prep domain_prepr5rrrTrrzCN=Infrastructure,Zinfrastructurez-This server is not the infrastructure master.r) ForestUpdate)Zfix)5OPQRS)Zupdate_revisionr) DomainUpdaterz!Failed to perform functional prep)rrr&string_version_to_constantrr rrrBrMrrrrIrrKrZsamba.forest_updaterZcheck_updates_iteratorZcheck_updates_functional_levelr-rrrZsamba.domain_updaterr,)rrrrrrr"r1Z target_levelrrrQrrrKZinfrastructure_dnrrrr rrr{r{r|rs                 zcmd_domain_functional_prep.runNryr{r{r{r|rs0 rc@seZdZdZiZeed<edur,eed<eed<eed<e ed<e ed<e ed <e ed <e ed <eed <eed <eed<eed<eed<eed<dS) cmd_domainzDomain management.ZdemoteNZ exportkeytabrr6rdZdcpromolevelZpasswordsettingsZclassicupgradeZ samba3upgradeZtrustZ tombstonesZ schemaupgradeZfunctionalprepZbackup)rrrrrr,r~rrr*rrXrrrrrrrr>r{r{r{r|rs$              r)Z __future__rrZ samba.getoptZgetoptrrBrlrrr?rZloggingrnrrrrrrrZ samba.netr r Z samba.ntaclsZ samba.joinr r Z samba.authr Z samba.samdbrrZ samba.ndrrrZ samba.dcerpcrrrrrrrZsamba.dcerpc.samrrrZ samba.netcmdrrrrZsamba.netcmd.fsmorZsamba.netcmd.commonr Z samba.samba3r!r"rZ samba.upgrader#Zsamba.drs_utilsr$r%r&r'Zsamba.auth_utilr(Z samba.dsdbr)r*r+r,r-r.r/r0r1r2r3r4r5Zsamba.provisionr6r7r8r9Zsamba.provision.commonr:r;r<Zsamba.netcmd.psor=Zsamba.netcmd.domain_backupr>Z samba.compatr?r@rrrr)rr}Zsamba.dckeytabrr~rrrr*r,rXrrirlrmrnrzrrrrrrrrrrqrtrzrrrrrrrr{r{r{r|s                       <         J;H*l @Q   /k("4oG 8~j