o

�/a
O�@s,dd
lZdd
l
Z
ddl
mZ
ddlmZmZ
ddlmZ
ddlm	Z	
ddl
mZ
ddlm
Z
mZmZmZmZ
dZd	Zid
d�
dd
�
dd�
dd�
dd�
dd�
dd�
dd�
dd�
dd�
dd�
d d!�
d"d#�
d$d%�
d&d'�
d(d)�
d*d+�
id,d-�
d.d/�
d0d1�
d2d3�
d4d5�
d6d7�
d8d9�
d:d;�
d<d=�
d>d?�
d@dA�
dBdC�
dDdE�
dFdG�
dHdI�
dJdK�
dLdM�
�
idNdO�
dPdQ�
dRdS�
dTdU�
dVdW�
dXdY�
dZd[�
d\d]�
d^d_�
d`da�
dbdc�
ddde�
dfdg�
dhdi�
djdk�
dldm�
dndo�
�
dpdqdrdsdtdudvdwdxdydzd{d|d}�
�
Ze
d~ededed	ed�iZe
d�ed�ed�ed�ed�iZd�g
ZGd�d��d�e�ZGd�d��d�e�Zd
S)��N)
�sd_utils)�
ndr_unpack�ndr_pack)
�security)
�SECINFO_DACL)
�
setup_path)�DS_DOMAIN_FUNCTION_2008�DS_DOMAIN_FUNCTION_2008_R2�DS_DOMAIN_FUNCTION_2012�DS_DOMAIN_FUNCTION_2012_R2�DS_DOMAIN_FUNCTION_2016�-��5z$134428a8-0043-48a6-bcda-63310d9ec4dd�Oz$21ae657c-6649-43c4-bbb3-7f184fdf58c1�Pz$dca8f425-baae-47cd-b424-e3f6c76ed08b�Qz$a662b036-dbbe-4166-b4ba-21abea17f9cc�Rz$9d17b863-18c3-497d-9bde-45ddb95fcb65�Sz$11c39bed-4bee-45f5-b195-8da0e05b573a�Tz$4664e973-cb20-4def-b3d5-559d6fe123e0�Uz$2972d92d-a07a-44ac-9cb0-bf243356f345�Vz$09a49cb3-6c54-4b83-ab20-8370838ba149�Wz$77283e65-ce02-4dc3-8c1e-bf99b22527c2�Xz$0afb7f53-96bd-404b-a659-89e65c269420�Yz$c7f717ef-fdbe-4b4b-8dfc-fa8b839fbcfa�Zz$00232167-f3a4-43c6-b503-9acb7a81b01c�[z$73a9515b-511c-44d2-822b-444a33d3bd33�\z$e0c60003-2ed7-4fd3-8659-7655a7e79397�]z$ed0c8cca-80ab-4b6b-ac5a-59b1d317e11f�^z$b6a6c19a-afc9-476b-8994-61f5b14b3f05�_z$defc28cd-6cb6-4479-8bcb-aabfb41e9713�`z$d6bd96d4-e66b-4a38-9c6b-e976ff58c56d�az$bb8efc40-3090-4fa2-8a3f-7cd1d380e695�bz$2d6abe1b-4326-489e-920c-76d5337d2dc5�cz$6b13dfb5-cecc-4fb8-b28d-0505cea24175�dz$92e73422-c68b-46c9-b0d5-b55f9c741410�ez$c0ad80b4-8e84-4cc4-9163-2f84649bcc42�fz$992fe1d0-6591-4f24-a163-c820fcb7f308�gz$ede85f96-7061-47bf-b11b-0c0d999595b5�hz$ee0f3271-eb51-414a-bdac-8f9ba6397a39�iz$587d52e0-507e-440e-9d67-e6129f33bb68�jz$ce24f0f6-237e-43d6-ac04-1e918ab04aac�kz$7f77d431-dd6a-434f-ae4d-ce82928e498f�lz$ba14e1f6-7cd1-4739-804f-57d0ea74edf4�mz$156ffa2a-e07c-46fb-a5c4-fbd84a4e5cce�nz$7771d7dd-2231-4470-aa74-84a6f56fc3b6�oz$49b2ae86-839a-4ea0-81fe-9171c1b98e83�pz$1b1de989-57ec-4e96-b933-8279a8119da4�qz$281c63f0-2c9a-4cce-9256-a238c23c0db9�rz$4c47881a-f15a-4f6c-9f49-2742f7a11f4b�sz$2aea2dc6-d1d3-4f0c-9994-66c1da21de0f�tz$ae78240c-43b9-499e-ae65-2b6e0f0e202a�uz$261b5bba-3438-4d5c-a3e9-7b871e5f57f0�vz$3fb79c05-8ea1-438c-8c7a-81f213aa61c2�wz$0b2be39a-d463-4c23-8290-32186759d3b1�xz$f0842b44-bc03-46a1-a860-006e8527fccd�yz$93efec15-4dd9-4850-bc86-a1f2c8e2ebb9�zz$9e108d96-672f-40f0-b6bd-69ee1f0b7ac4�{z$1e269508-f862-4c4a-b01f-420d26c4ff8c�}z$e1ab17ed-5efb-4691-ad2d-0424592c5755�~z$0e848bd4-7c70-48f2-b8fc-00fbaa82e360�z$016f23f7-077d-41fa-a356-de7cfdb01797�z$49c140db-2de3-44c2-a99a-bab2e6d2ba81�z$e0b11c80-62c5-47f7-ad0d-3734a71b8312z$2ada1a2d-b02f-4731-b4fe-59f955e24f71z$b83818c1-01a6-4f39-91b7-a3bb581c3ae3z$bbbb9db0-4009-4368-8c40-6674e980d3c3z$f754861c-3692-4a7b-b2c2-d0fa28ed0b0bz$d32f499f-3026-4af0-a5bd-13fe5a331bd2z$38618886-98ee-4e42-8cf1-d9a2cd9edf8bz$328092FB-16E7-4453-9AB8-7592DB56E9C4z$3A1C887F-DF0A-489F-B3F2-2D0409095F6Ez$232E831F-F988-4444-8E3E-8A352E2FD411z$DDDDCF0C-BEC9-4A5A-AE86-3CFE6CC6E110z$A0A45AAC-5550-42DF-BB6A-3CC5C46B52F2z$3E7645F3-3EA5-4567-B35A-87630449C70Cz$E634067B-E2C4-4D79-B6E8-73C619324D5E)
�����r��������NrBrM������|c
@seZ
dZd
S)�ForestUpdateExceptionN)�__name__�
__module__�__qualname__�rYrY�5/usr/lib/python3/dist-packages/samba/forest_update.pyrU�s
rUc@s�eZ
dZd
Z		d6dd�
Z		d7dd�
Zd	d
�Zd8dd
�
Zdd�Zdd�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zd,d-�Zd.d/�Zd0d1�Zd2d3�Zd4d5�ZdS)9�ForestUpdatez2Check and update a SAM database for forest updatesFTcCs�d
dlm
}
|
|_||_||_||_d|_|j��|_|j�	�|_	|j�
�|_t�
|
�
|_t�|
���
|_|j��|_|j�d�
sEtd�
�
|j��|_|j�d�
sUtd�
�
i|_|td�
|jd	�
d
S)a

        :param samdb: LDB database
        :param verbose: Show the ldif changes
        :param fix: Apply the update if the container is missing
        :param add_update_container: Add the container at the end of the change
        :raise ForestUpdateException:
        r
)
�read_ms_markdownFzCN=Operations,CN=ForestUpdatesz+Failed to add forest update container childz)CN=ActiveDirectoryUpdate,CN=ForestUpdatesz#Failed to add revision object childz/adprep/WindowsServerDocs/Forest-Wide-Updates.md)
�out_dictN)� samba.ms_forest_updates_markdownr\�samdb�fix�verbose�add_update_container�check_update_applied�get_config_basedn�	config_dn�	domain_dn�get_schema_basedn�	schema_dnr�SDUtilsr�dom_sid�get_domain_sid�
domain_sid�forestupdate_container�	add_childrU�revision_object�stored_ldifr)�selfr_rar`rbr\rYrYrZ�__init__�s*	












�zForestUpdate.__init__Nc	Cs�|jj
|jd
g
tjd�}t|
}|rt|}|d7}nt}|�||�
t|
}t	|dd
d�
}|rQ||krS|j
sBtd||f�
�
|j�dt
|j�
|f�

dSdSdS)a

        Apply all updates for a given old and new functional level
        :param functional_level: constant
        :param old_functional_level: constant
        :param update_revision: modify the stored version
        :raise ForestUpdateException:
        �revision)�base�attrs�scope�
r
zERevision is not high enough. Fix is set to False.
Expected: %dGot: %dz:dn: %s
changetype: modify
replace: revision
revision: %d
 N)r_�searchro�ldb�
SCOPE_BASE�functional_level_to_max_update�
MIN_UPDATE�check_updates_range�functional_level_to_version�intr`rU�modify_ldif�str)	rq�functional_level�old_functional_level�update_revision�res�expected_update�
min_update�expected_version�
found_versionrYrYrZ�check_updates_functional_level�s,


�








��
��z+ForestUpdate.check_updates_functional_levelcCs�|
D]M}|tks|t
krtd
�
�
d|k
rdk
r"n
n|�|�

qd|k
r,dk
r4n
n|�|�

qd|k
r>dk
rFn
n|�|�

qt|d|�|�

qd	S)
z�
        Apply a list of updates which must be within the valid range of updates
        :param iterator: Iterable specifying integer update numbers to apply
        :raise ForestUpdateException:
        �Update number invalid.rrrr>rCrF�operation_%dN)r|�
MAX_UPDATErU�operation_ldif�getattr)rq�iterator�oprYrYrZ�check_updates_iterator�s






�z#ForestUpdate.check_updates_iteratorr
cCs�|
}|
tks|
|ks|t
krtd
�
�
||k
rd|tvrn?d|k
r%dk
r-n
n|�|�

n-d|k
r7dk
r?n
n|�|�

nd|k
rIdk
rQn
n|�|�

n	t|d|�|�

|d	7}||k
sd
Sd
S)z�
        Apply a range of updates which must be within the valid range of updates
        :param start: integer update to begin
        :param end: integer update to end (inclusive)
        :raise ForestUpdateException:
        r�rrrr>rCrFr�rwN)r|r�rU�missing_updatesr�r�)rq�start�endr�rYrYrZr}�s










�z ForestUpdate.check_updates_rangecCsBz|jj
|jd
t|
d�}Wntjy


YdSwt|�
dkS)zd
        :param op: Integer update number
        :return: True if update exists else False
        z(CN=%s))rt�
expressionFrw)r_rxrm�
update_mapry�LdbError�len)rqr�r�rYrYrZ�
update_exists�s




�
�zForestUpdate.update_existscCs"|j�
d
t|
t|j�
f�

dS)zo
        Add the corresponding container object for the given update
        :param op: Integer update
        z$dn: CN=%s,%s
objectClass: container
N)r_�add_ldifr�r�rm�rqr�rYrYrZ�
update_add
s
�zForestUpdate.update_addcCs�|�|
�
rd
S|j
t|
}t�|t|j�
t|j�
t|j�
d��}|j	r.t
d|
�

t
|�

|j�|�

|j
r>|�|
�

dSdS)NT)�	CONFIG_DN�FOREST_ROOT_DOMAIN�	SCHEMA_DNz!UPDATE (LDIF) ------ OPERATION %d)r�rpr��samba�substitute_varr�rerfrhra�printr_r�rbr�)rqr��ldif�sub_ldifrYrYrZr�
s


�



�zForestUpdate.operation_ldifcCs`|�d
�
}|dkr|d|�|||d�}n||}||vr"dS|j
j|
|dtg
d�
dS)a

        Add an ACE to a DACL, checking if it already exists with a simple string search.

        :param dn: DN to modify
        :param existing_sddl: existing sddl as string
        :param ace: string ace to insert
        :return: True if modified else False
        �S:���NF�
sd_flags:1:%d�
�controlsT)�rfindr�modify_sd_on_dnr)rq�dn�
existing_sddl�ace�index�new_sddlrYrYrZ�insert_ace_into_dacl)
s
	




�z!ForestUpdate.insert_ace_into_daclc	Cs�|jj
|
|g
d
g
d�}t|�
dksJ�
t|d|d�
}|�d�
}|dkr5|d|�|||d�}n||}||vr?dSt��}|
|_t�|tj	|�||<|jj
|d	g
d
�
dS)aC

        Insert an ACE into a string attribute like defaultSecurityDescriptor.
        This also checks if it already exists using a simple string search.

        :param dn: DN to modify
        :param ace: string ace to insert
        :param attr: attribute to modify
        :return: True if modified else False
        �search_options:1:2)rtrur�rwr
r�r�NF�relax:0r�T)r_rxr�r�r�ry�Messager��MessageElement�FLAG_MOD_REPLACE�modify)	rqr�r��attr�msgr�r�r��
mrYrYrZ�insert_ace_into_stringA
s&


�









�z#ForestUpdate.insert_ace_into_stringcCs|js	t
d
|
�
�
dS)z�
        Raises an exception if not set to fix.
        :param op: Integer operation
        :raise ForestUpdateException:
        z3Missing operation %d. Fix is currently set to FalseN)r`rUr�rYrYrZ�raise_if_not_fixd
s
�zForestUpdate.raise_if_not_fixcC�|�|
�
rdS|�
|
�

d
}t�|jdt|j�
�}|j||dd�
|jjddg
dg
d�}|D]}t	t
j|dd	�}|�|j
�
}|�|j||�
q/|jrT|�|
�

dSdS)
N�Y(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)�CN=Sam-Domain,%s�defaultSecurityDescriptor�
r��(objectClass=samDomain)�nTSecurityDescriptorr��r�rur�r
�r�r�ry�Dnr_r�rhr�rxrr�
descriptor�as_sddlrlr�r�rbr��rqr�r�rhr�r��existing_sdr�rYrYrZ�operation_88s
s&





�

�


�zForestUpdate.operation_88cCs�|�|
�
rdS|�
|
�

d
}t�|jdt|j�
�}|j||dd�
|jjddg
ddt	gd	�}|D]}t
tj|dd
�}|�
|j�
}|�|j||�
q2|jrW|�|
�

dSdS)Nr��CN=Domain-DNS,%sr�r��(objectClass=domainDNS)r�r�r�r�r
)r�r�ryr�r_r�rhr�rxrrrr�r�rlr�r�rbr�r�rYrYrZ�operation_89�
s*






�


��


�zForestUpdate.operation_89cC�&|jr|�
|
�
s|�|
�

dSdSdS�
N�rbr�r�r�rYrYrZ�operation_90�
�

�zForestUpdate.operation_90cCr�r�r�r�rYrYrZ�
operation_127�
r�zForestUpdate.operation_127cCr�r�r�r�rYrYrZ�
operation_128�
r�zForestUpdate.operation_128cCr�)
N�7(OA;CIOI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)r�r�r�r�r�r�r�r
r�r�rYrYrZ�
operation_129�
s&






�

�


�zForestUpdate.operation_129cCr�)
Nr�r�r�r�r�r�r�r�r
r�r�rYrYrZ�
operation_130�
s&






�

�


�zForestUpdate.operation_130cCsJ|�|
�
rdS|�
|
�

|jjd
|jddgd�
|jr#|�|
�

dSdS)Nz�dn: CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,%s
changetype: modify
replace: msDS-ClaimIsValueSpaceRestricted
msDS-ClaimIsValueSpaceRestricted: FALSE
r�zprovision:0r�)r�r�r_r�rerbr�r�rYrYrZ�
operation_135�
s




��
�zForestUpdate.operation_135cCr�r�r�r�rYrYrZ�operation_53�
r�zForestUpdate.operation_53cCr�r�r�r�rYrYrZ�operation_79r�zForestUpdate.operation_79cCr�r�r�r�rYrYrZ�operation_80r�zForestUpdate.operation_80cCr�r�r�r�rYrYrZ�operation_81
r�zForestUpdate.operation_81cCr�r�r�r�rYrYrZ�operation_82r�zForestUpdate.operation_82cCr�r�r�r�rYrYrZ�operation_83r�zForestUpdate.operation_83)FFT)NF)r
r
)rVrWrX�__doc__rrr�r�r}r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rYrYrYrZr[�s<


�'

�$

	#r[)ryr�r�	samba.ndrrr�samba.dcerpcr�samba.dcerpc.securityr�samba.provision.commonr�
samba.dsdbrr	r
rrr|r�r�r{r~r��	ExceptionrU�objectr[rYrYrYrZ�<module>
s








������	�
���
������������������� �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6









�H



�	



�