HEX

File: //usr/lib/python3/dist-packages/samba/__pycache__/join.cpython-310.pyc
o

�Kya�.�@s*dZddlmZddlmZddlmZmZmZm	Z	m
Z
ddlZddlZddlZddl
mZmZddlmZmZmZmZmZmZmZmZddlmZdd	lmZmZdd
lmZm Z m!Z!m"Z"m#Z#m$Z$ddl%m&Z&ddl'm(Z(dd
lm)Z)ddl*m+Z+ddl,m-Z-ddlm.Z.ddlm/Z/ddl0m1Z1ddlm2Z2m3Z3ddlm4Z4ddl5m6Z6m7Z7m8Z8ddl9Z9ddl:Z:ddl;Z;ddl<Z<ddl=Z=ddl>Z>ddl?m@Z@ddlAmBZBddlCmDZDGdd�deE�ZFGdd�deG�ZH						d)dd�ZI						d)d d!�ZJ				d*d#d$�ZKGd%d&�d&eH�ZLGd'd(�d(eL�ZMdS)+zJoining a domain.�)�system_session)�SamDB)�gensec�Ldb�	drs_utils�arcfour_encrypt�string_to_byte_arrayN)�ndr_pack�
ndr_unpack)�security�drsuapi�misc�nbt�lsa�drsblobs�	dnsserver�dnsp)�DS_DOMAIN_FUNCTION_2003)�Credentials�DONT_USE_KERBEROS)�secretsdb_self_join�	provision�provision_fill�FILL_DRS�FILL_SUBDOMAIN�DEFAULTSITE)�
setup_path)�Schema)�
descriptor)�Net)�setup_bind9_dns)�read_and_sub_file)�werror)�	b64encode)�WERRORError�
NTSTATUSError)�sd_utils)�ARecord�
AAAARecord�CNAMERecord)�OrderedDict)�
get_string)�CommandErrorcseZdZ�fdd�Z�ZS)�DCJoinExceptioncstt|��d|�dS)NzCan't join, error: %s)�superr-�__init__)�self�msg��	__class__��,/usr/lib/python3/dist-packages/samba/join.pyr/9szDCJoinException.__init__)�__name__�
__module__�__qualname__r/�
__classcell__r4r4r2r5r-7sr-c@s@eZdZdZ							dJdd�ZdKdd�ZdKdd	�ZdKd
d�Zdd
�Zdd�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zd,d-�ZdLd.d/�Zd0d1�Zd2d3�Zd4d5�Zd6d7�Zd8d9�Zd:d;�Zd<d=�Z d>d?�Z!d@dA�Z"dBdC�Z#dDdE�Z$dFdG�Z%dHdI�Z&dS)M�
DCJoinContextzPerform a DC join.NFc
Cs||_||_||_||_||_|
|_|
|_||_||_||_	d|_
g|_g|_|j�
|��tjB�t|j|jd�|_||_||_|rL||_|jj|_n5|jr[|durZ|�|j�|_n|j�d|�|�|�|_|j�d|j�td|jt�|j|jd�|_|jdur�t|_z|jjtjgd�Wntj y�}z	|j!\}}t"|��d}~wwt#|j�$��|_%t#|j�&��|_'t#|j�(��|_)t#|j�*��|_+t,�-|j�.��|_/|j/|_0|�1�|_2|�3�|_4t5�6t#t7�8���|_9|j�:�|_;|�<�|_=|�>�|_?|	du�r|	|_@ntA�Bdd�|_@|j�C�|_D|�r�||_Ed|jE|_Fd	|jE|j|j+f|_Gd
|jG|_Hd|jE|j%f|_Id|jE�J�|jDf|_K|j�L�|_Md
|j%}|�N|��r]d|jE|f|_Ond|_Od|jEd|jKd|jK|jMfg|_P|jjtjdg|j%d�}|ddd|_Qd|j%|_Rd|j'|_Sdt�T|jR�}|jjtjUg|j�V�|d�}|du�r�d|_WntX|�dk�r�d|_WtYd�n||_W|jD|_Zd|_[t\j]t\j^Bt\j_Bt\j`Bt\jaB|_bd|_cd|_dd|_ed|_fd|_gd|_\d|_hd|_id|_jd|_kd|_ld|_md|_ndS)N)�creds�lpz&Finding a writeable DC for domain '%s'zFound DC %s�	ldap://%s��url�session_info�credentialsr<��scope�attrs�x�%s$z"CN=%s,CN=Servers,CN=%s,CN=Sites,%szCN=NTDS Settings,%szCN=%s,OU=Domain Controllers,%s�%s.%szGCN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,%szCN=%s,%szHOST/%szGC/%s/%s�rIDManagerReference)rCrD�baserzDC=DomainDnsZones,%szDC=ForestDnsZones,%s�$(&(objectClass=crossRef)(ncName=%s))�rCrDrI�
expression�NONEzCNO DNS zone information found in source domain, not replicating DNSF)o�loggerr;r<�site�	targetdir�	use_ntvfs�plaintext_secrets�
backend_store�backend_store_size�promote_existing�promote_from_dn�nc_list�full_nc_list�set_gensec_features�get_gensec_featuresr�FEATURE_SEALr�net�server�forced_local_samdb�samdbr?�find_dc_site�info�find_dcrrr�search�ldb�
SCOPE_BASE�LdbError�argsr-�str�get_default_basedn�base_dn�get_root_basedn�root_dn�get_schema_basedn�	schema_dn�get_config_basedn�	config_dnr�dom_sid�get_domain_sid�domsid�	forestsid�get_domain_name�domain_name�get_forest_domain_name�forest_domain_namer
�GUID�uuid�uuid4�
invocation_id�get_dsServiceName�
dc_ntds_dn�get_dnsHostName�dc_dnsHostName�get_behavior_version�behavior_version�	acct_pass�samba� generate_random_machine_password�domain_dns_name�	dnsdomain�myname�samname�	server_dn�ntds_dn�acct_dn�lower�dnshostname�forest_dns_name�	dnsforest�	dn_exists�topology_dn�SPNs�rid_manager_dn�domaindns_zone�forestdns_zone�
binary_encode�SCOPE_ONELEVEL�get_partitions_dn�dns_backend�len�print�realm�	tmp_samdbr�DRSUAPI_DRS_INIT_SYNC�DRSUAPI_DRS_PER_SYNC�DRSUAPI_DRS_GET_ANC�DRSUAPI_DRS_GET_NC_SIZE�DRSUAPI_DRS_NEVER_SYNCED�
replica_flags�never_reveal_sid�
reveal_sid�
connection_dn�RODC�	krbtgt_dn�	managedby�	subdomain�	adminpass�partition_dn�dns_a_dn�dns_cname_dn�
force_all_ips)�ctxrNr]r;r<rO�netbios_namerP�domain�machinepassrQr�rUrRrSrTr^�e�enum�estr�
topology_base�res_rid_manager�expr�
res_domaindnsr4r4r5r/@s��
�

��





�
�
�

����
zDCJoinContext.__init__cCs�|r'z
|jj|tjdgd�}Wn
tyYdSw|D]
}|j|jdd�qz|j�|�td|�WdSty@YdSw)N�dn�rIrCrDT��	recursivez
Deleted %s)	r_rcrdr��	Exception�del_noerrorr��deleter�)r�r�r��res�rr4r4r5r��s��zDCJoinContext.del_noerrorcCs�|jj|j��dt�|j�ddgd�}t|�dkrdS|skt�}|�|j	�z|�
|j	�|�|j�
��td|jt�||j	d�}WnYn!|jtjdd	gd
�}|dd	d|dddkrktd|j��|j|djdd
�|djddd�}|dur�||_|�|j�|jj|j��dt�d|j�t�d|j�fgd�}|r�|j|djdd
�|jj|j��dt�d|j�gd�}|r�tdt�d|j�t�d|j�f��dS)N�sAMAccountName=%s�msDS-krbTgtLink�	objectSID�rIrLrDrr=r>��tokenGroups)rCrIrDz�Not removing account %s which looks like a Samba DC account matching the password we already have.  To override, remove secrets.ldb and secrets.tdbTr��msDS-KrbTgtLink)�idxz/(&(sAMAccountName=%s)(servicePrincipalName=%s))�dns-%szdns/%sz(sAMAccountName=%s)znNot removing account %s which looks like a Samba DNS service account but does not have servicePrincipalName=%s)r_rcrirdr�r�r�r�guessr<�set_machine_account�set_kerberos_stater;�get_kerberos_staterr]rrer-r�r��get�
new_krbtgt_dnr�r�)r��forcer�r;�
machine_samdb�	token_resr�r4r4r5�cleanup_old_accounts�sf�

����������z"DCJoinContext.cleanup_old_accountscCsR|js	|j|d�|jdur|�|j�|jdur|�|j�|�|j�|j|jdd�|jr6|�|j�|jr?|�|j�|jr�d}t	�
d|j|f|j|j
�}t	��}t	��|_|�d|tj�}t	��}|j|_|�||t	j�}|�||jj�t	��}|j|_|�||t	j�}|�||jj�|jr�|�|j�|jr�|�|j�dSdS)z$Remove any DNs from a previous join.)r�NTr��sign�ncacn_ip_tcp:%s[%s]r�)r�r�r�r�r�r�r�r�r�r�lsarpcr]r<r;�ObjectAttribute�QosInfo�sec_qos�OpenPolicy2r�SEC_FLAG_MAXIMUM_ALLOWED�Stringr��string�QueryTrustedDomainInfoByName�!LSA_TRUSTED_DOMAIN_INFO_FULL_INFO�DeleteTrustedDomain�info_ex�sidrxr�r�)r�r��binding_options�lsaconn�
objectAttr�
pol_handle�namerar4r4r5�cleanup_old_joinsH

�
��zDCJoinContext.cleanup_old_joincCs�|jrtd��|jj|j��dt�|j�gd�d�}t|�dkr(td|j��d|dvs:d|dvs:d	|dvrAtd
|j��t	|ddd�t
jjt
jj
B@dkr\td|j��|dj|_d
S)z]confirm that the account is just a bare NT4 BDC or a member server, so can be safely promotedz Can not promote into a subdomainr�)r��userAccountControl�serverReferenceBL�rIDSetReferencesr�rzcCould not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'r�r�r�zhAccount '%s' appears to be an active DC, use 'samba-tool domain join' if you must re-create this accountr�zZAccount %s is not a domain member or a bare NT4 BDC, use 'samba-tool domain join' instead'N)r�r�r_rcrirdr�r�r��intr��dsdb�UF_WORKSTATION_TRUST_ACCOUNT�UF_SERVER_TRUST_ACCOUNTr�rV�r�r�r4r4r5�promote_possibleIs"�$��zDCJoinContext.promote_possiblec
Cs�z|jj|tjtjBtjBd�|_Wn#ty)}ztd||j	df��d}~wt
y5td|��w|jjdurG|jjdkrG|jj|_|jj
S)z(find a writeable DC for the given domain)r��flagsz1Failed to find a writeable DC for domain '%s': %s�Nz-Failed to find a writeable DC for domain '%s'r�)r\�finddcr�NBT_SERVER_LDAP�
NBT_SERVER_DS�NBT_SERVER_WRITABLE�	cldap_retr%r,rgr��client_siterO�pdc_dns_name)r�r��errorr4r4r5rb\s$���
zDCJoinContext.find_dccCs:d}|jj|tjtjBd�}|jdur|jdkr|j}|S)N)�addressr�r�)r\r�rr�r�r�)r�r]rOr�r4r4r5r`is
�zDCJoinContext.find_dc_sitecCs@|jj|jtjdgd�}d|dvrt|ddd�StjjS)N�msDS-Behavior-Versionr�r)	r_rcrjrdrer�r�r��DS_DOMAIN_FUNCTION_2000r�r4r4r5r�qsz"DCJoinContext.get_behavior_versioncCs*|jjdtjdgd�}t|ddd�S)Nr��dnsHostNamer�r)r_rcrdrerhr�r4r4r5rxszDCJoinContext.get_dnsHostNamec
C�J|j��}|jj|tjdgdt�t|j����d�}t|ddd�S�z9get netbios name of the domain from the partitions record�nETBIOSNamez	ncName=%s)rIrCrDrLr)r_r�rcrdr�r�rhri�r��
partitions_dnr�r4r4r5ru|�

�zDCJoinContext.get_domain_namec
Crr)r_r�rcrdr�r�rhrkrr4r4r5rw�r	z$DCJoinContext.get_forest_domain_namecCs:|jj|jgdt�|j�tjtjj	fd�}t
|dj�S)z7get the parent domain partition DN from parent DNS namez9(&(objectclass=crossRef)(dnsRoot=%s)(systemFlags:%s:=%u)))rIrDrLr)r_rcrprdr��parent_dnsdomain�OID_COMPARATOR_ANDr�r��SYSTEM_FLAG_CR_NTDS_DOMAINrhr�r�r4r4r5�get_parent_partition_dn�s

���z%DCJoinContext.get_parent_partition_dncCs8|jjdtjdgd�}|ddd}t|j�d|��S)zhget the SID of the connected user. Only works with w2k8 and later,
           so only used for RODC joinr�r�r�rr�)r_rcrdrer+�schema_format_value)r�r��binsidr4r4r5�	get_mysid�szDCJoinContext.get_mysidc
CsZz
|jj|tjgd�}WdStjy,}z|j\}}|tjkr'WYd}~dS�d}~ww)zcheck if a DN existsr�NFT)r_rcrdrerfrg�ERR_NO_SUCH_OBJECT)r�r�r��e5r�r�r4r4r5r��s�

��zDCJoinContext.dn_existscCs�td|j�|jdttjjtjjB�dd|jd�}|j�	|dg�|jj
|jtjdgd�}|d	dd	|_
td
|j
�t��}t�|j|j�|_t�|jtjd�|d<|j�|�d|j
|jf|_td
|j|jf�|j�|j|j�dS)z#RODCs need a special krbtgt account�	Adding %s�user�TRUEz
krbtgt for %s)r��objectclass�useraccountcontrol�showinadvancedviewonly�description�
rodc_join:1:1�samAccountNamer�rzGot krbtgt_name=%sr�zCN=%s,CN=Users,%szRenaming %s to %sN)r�r�rhr�r��UF_NORMAL_ACCOUNT�UF_ACCOUNTDISABLEr�r_�addrcrdre�krbtgt_name�Message�Dnr�r��MessageElement�FLAG_MOD_REPLACE�modifyrjr��rename)r��recr��mr4r4r5�add_krbtgt_account�s,���z DCJoinContext.add_krbtgt_accountcCsTd}|j��dkr
|d7}d|j|f}t�||j|j�|_t�|j�\|_|_dS)z.make a DRSUAPI connection to the naming master�seal�	�,printr�N)	r<�	log_levelr]rr;r�
drs_DsBind�drsuapi_handle�bind_supported_extensions)r�r��binding_stringr4r4r5�drsuapi_connect�szDCJoinContext.drsuapi_connectc	CsBt|j|jd�|_tt�dd|j|jddd�|_|j�	|j�dS)z2create a temporary samdb object for schema queries)�schemadnNF)r@r?�auto_connectrAr<�
global_schema�am_rodc)
rrsrn�
tmp_schemarrr;r<r��
set_schema�r�r4r4r5�create_tmp_samdb�s�

�zDCJoinContext.create_tmp_samdbcCs t��}|j�|�|_d|_dS)z$build a DsReplicaAttributeCtr objectr�N)r�DsReplicaAttributer��get_attid_from_lDAPDisplayName�attid�	value_ctr)r��attrname�	attrvaluer�r4r4r5�build_DsReplicaAttribute�s
z&DCJoinContext.build_DsReplicaAttributecCs8|jdur	|��|jdur|��g}|D]_}t��}|d|_g}|D]-}|dkr,q%t||t�s9||g}n||}dd�|D�}|j�|j||�}|�	|�q%t�
�}	t|�|	_||	_
t��}
||
_|	|
_t��}|
|_|�	|�qt��}|d|_|j}
|dd�D]}||
_|}
q�|j�|jd|�\}}|dkr�|jtjkr�td|j�td	��|jdtjkr�td
|j�td	��|dk�r|jdkr�td|j��|j j!dtjk�r|j j"dur�td
|j j!d�td	��td
|j j!d|j j"jf�td	��|j jtjk�rtd|j j�td	��|j#S)z,add a record via the DRSUAPI DsAddEntry callNr�cSs$g|]}t|t�r|�d�n|�qS)�utf8)�
isinstancerh�encode)�.0�xr4r4r5�
<listcomp>�s$z,DCJoinContext.DsAddEntry.<locals>.<listcomp>rr��z!DsAddEntry failed with dir_err %uzDsAddEntry failedz(DsAddEntry failed with status %s info %s�zexpected err_ver 1, got %uz.DsAddEntry failed with status %s, info omitted)$rr1r�r9�DsReplicaObjectIdentifierr�rB�list�dsdb_DsReplicaAttribute�append�DsReplicaAttributeCtrr��num_attributes�
attributes�DsReplicaObject�
identifier�
attribute_ctr�DsReplicaObjectListItem�object�DsAddEntryRequest2�first_object�next_object�
DsAddEntryr.�dir_err�DRSUAPI_DIRERR_OKr��RuntimeError�extended_errr"�WERR_SUCCESS�err_ver�err_data�statusra�objects)r��recsrar&�idrD�a�v�rattrrRrT�list_object�req2�prev�o�level�ctrr4r4r5rX�sp






��zDCJoinContext.DsAddEntrycCstd|j�td|jfddttjj�fd|jfg�}|j|j	|jg}|j
tjjkr2ttjj�|d<|j
tjjkr>|j|d<|j
rSd|j|d	<|j|d
<d|d<|Sd
|j|d	<|j
tjjkrf|j|d<g|d<|D]}||jvrz|d�|�qld|d<t|j�|d<|S)z return the ntdsdsa object to addrr�)r�nTDSDSA�systemFlags�dMDLocationrzmsDS-HasDomainNCszCN=NTDS-DSA-RO,%s�objectCategoryzmsDS-HasFullReplicaNCs�37�optionszCN=NTDS-DSA,%szmsDS-HasMasterNCs�HasMasterNCs�1�invocationId)r�r�r*rhr�r��#SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETErnrjrpr�r�DS_DOMAIN_FUNCTION_2008_R2r�rXrLr	r|)r�r&rW�ncr4r4r5�join_ntdsdsa_objs8�

�

�zDCJoinContext.join_ntdsdsa_objcCs�|��}|jr|jj|dgd�n|jr|j�|dg�n|�|g�|jj|jtj	dgd�}t
�|j�d|ddd��|_
dS)zadd the ntdsdsa object�relax:0��controlsr�
objectGUIDr�rN)ryr^r_rr�rXrcr�rdrer
ryr�	ntds_guid)r�r&r�r4r4r5�join_add_ntdsdsaGs&zDCJoinContext.join_add_ntdsdsacCs�|jr�td|j�|jd|j|jt|jtjjB�|jd�}|j	tjj
kr.ttjj�|d<n|jr5g|d<|j
r>|j
|d<n|jrEg|d<|jrN|j|d<n|jrUg|d<|jr^|j|d<n|jreg|d<|rmt|�|d<|jr�|j|jkr|j�|j|j�|j�tj�|j|tj��nd	}|d	ur�d
g}|jj||d�|jr�|��|jr�td|j�|jdttjjtjjBtjjB�|jd
�}|jr�|j|d<|j�|�|j r�d	|_!d	S|j"�rQ|�#�dt�$|j%�}|jj&tj'g|j�(�|d�|j%f}dt�$|j)�}|jj&tj'g|j�(�|d�|j)f}||fD]7\}}||j*v�r%�qt+|�dk�rOt��}	|dj,|	_,d}
|j-�r>d}
t�.|j"tj/|
�|	|
<|j�|	��q|j0d	u�rntd|j0�|j0ddd|j1d�}|j�|�|j�rMtd|j�t��}	t�2|j|j�|	_,t3t+|j4��D]}|j4|�5dt|j!��|j4|<�q�t�.|j4tjd�|	d<|j�|	�td|j�z|jj6dt�$|j�|j7d|jd�Wn,tj8�y�}z|j9\}
}|
tj:k�r�|j;j<|j|j=|j7d �WYd	}~nd	}~ww|jj&|jtj>d!d"gd#�}d!|dv�rt?|dd!d�|_@nd	|_@tAtBjC|ddd�|_Dtd$�t��}	t�2|j|j�|	_,t�.t|j�tjd%�|	d%<|j�|	�|jE�Fd&��r>t�Gd'd(�|_H|j�ItJtKd)�|jL|jM|jNtO|jH�Pd*���Qd+�|jd,���}|D]T\}}|tjRk�s�J�|d-}td.|d-�|d/=|d0=ttjjStjjB�|d%<z	|j�|�W�q{tj8�y�}z|j9\}
}|
tjTk�rĂWYd	}~�q{d	}~wwtd1|jN�z|jj6d2t�$|jN�|jHd|jd�Wn.tj8�y}z |j9\}
}|
tj:k�r�|j;j<d3|jN|j=|jHd �WYd	}~nd	}~ww|jj&|tj>d!gd#�}d!|dv�r9t?|dd!d�|_Ud	Sd	|_Ud	Sd	S)4z+add the various objects needed for the joinr�computer)r��objectClass�displayname�samaccountnamer�r�zmsDS-SupportedEncryptionTypesr�zmsDS-NeverRevealGroupzmsDS-RevealOnDemandGroup�	objectSidNrzr{r])r�rrnr�serverReferencerJrKr�rzmsDS-NC-Replica-LocationszmsDS-NC-RO-Replica-Locations�nTDSConnectionr�65)r�r�enabledconnectionrr�
fromServerzAdding SPNs to %sz	$NTDSGUID�servicePrincipalNamezSetting account password for %sz((&(objectClass=user)(sAMAccountName=%s))F)�force_change_at_next_login�username)�account_namerv�newpasswordzmsDS-KeyVersionNumberr�r�zEnabling accountr��BIND9_��zprovision_dns_add_samba.ldif�	utf-16-lerA)�	DNSDOMAIN�DOMAINDN�HOSTNAME�DNSPASS_B64�DNSNAMEr�z#Adding DNS account %s with dns/ SPN�clearTextPassword�isCriticalSystemObjectz#Setting account password for dns-%sz,(&(objectClass=user)(samAccountName=dns-%s))r�)Vr�r�r�rhr�r�r�rr�r��DS_DOMAIN_FUNCTION_2008�
ENC_ALL_TYPESrUr�r�r�r	rVr_r%r$rdr �	from_dictr#rr�r(r��SYSTEM_FLAG_CONFIG_ALLOW_RENAME�%SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVErvr�r~r�rr�r�rcr�r�r�rWr�r�r�r"�FLAG_MOD_ADDr�r~r!�ranger��replace�setpasswordr�rfrg�ERR_UNWILLING_TO_PERFORMr\�set_passwordrvrer��key_version_numberr
rrq�new_dc_account_sidr��
startswith�generate_random_password�dnspass�
parse_ldifr!rr�rjr�r#rC�decode�CHANGETYPE_NONEr�ERR_ENTRY_ALREADY_EXISTS�dns_key_version_number)r��
specified_sidr&r|r�r��forest�part�zoner'�attr�i�e2�num�_r�rb�
changetyper1�dns_acct_dnr��e3r4r4r5�join_add_objectsVs�����


��
�����"�
�
�

���������
�
���

�
�
����
�zDCJoinContext.join_add_objectsc
Cstd|j�ddt|j�tjfi}tj|j|d�}|jdd|j	|j
|j|j|j
ttjjtjjB�|d�	}|jtjjkrEt|j�|d<|��}|�||g�}t|�d	krZtd
��|dj|_td�|jj|jt�d
�|jtjtj d�td�|jj|j!t�d
�|jtjtj d�dS)zLadd the various objects needed for the join, for subdomains post replicationr�SubdomainAdminsz%s-%s)�name_map�crossRefzCN=Cross-Ref,%s)	r�rrp�nCNamer�dnsRoot�trustParentrn�ntSecurityDescriptorrrGz"Expected 2 objects from DsAddEntryr�zReplicating partition DN�$00000000-0000-0000-0000-000000000000)�exopr�zReplicating NTDS DNN)"r�r�rhrsr�DOMAIN_RID_ADMINSr�+get_paritions_crossref_subdomain_descriptorrtrnrjrvr��parent_partition_dnr�r��SYSTEM_FLAG_CR_NTDS_NCrr�rryrXr�r-�guidr~�repl�	replicater
ryr�DRSUAPI_EXOP_REPL_OBJ�DRSUAPI_DRS_WRIT_REPr�)r�r��	sd_binaryr&�rec2rar4r4r5�join_add_objects2-sD�
�

�zDCJoinContext.join_add_objects2cCstd�|jj}t|jt�fid|�d|j�dt�d|j�d|j	�d|j
�d|j�d	|j�d
|j
�d|j�d|j�d
|j�d|j�dd�d|j�d|j�d|j�d|j�d|j�d|j�d|j�d|j�dd��}td|j�|j|_|j|_|j|_|j|_|j|j_dS)�Provision the local SAM.zCalling bare provision�smbconfrP�
samdb_fillr��rootdn�domaindnr2�configdn�serverdnr��hostname�	domainsidr��
serverrole�"active directory domain controller�sitenamer<�ntdsguidrQr�rRrSrT�
batch_modeTzProvision OK for domain DN %sN)r�r<�
configfilerrNrrPrr�rlrjrnrpr�rvr�rsr�rOr~rQr�rRrSrTr�r_�local_samdb�paths�namesrt)r�r��presultr4r4r5�join_provisionXsj������������������	�
���
zDCJoinContext.join_provisioncCsxtd�t|jjdgt�|jjdd�|_|j�t|j	��|j|_|j
�d�|jj|j
tjdgddgd	�}d
|dvrGtd|j
|jjf��ztt�t�|j|ddd�d
���d���|j_Wntyvtd|ddd��w|j
�d|jj�|j
�d�t|jjt�|jd�}t|j||j
|j|jt|jt|j d|j|jj!|jj"|j#|j$d�td|jj%�dS)r�zReconnecting to local samdbz#transaction_index_cache_size:200000F)r?rrr@r<r4zFinding domain GUID from ncName�ncNamezextended_dn:1:1zreveal_internals:0)rIrCrDr|r�rz2Can't find naming context on partition DN %s in %srAryz3Can't find GUID in naming master on partition DN %szGot domain GUID %szCalling own domain provision�r@r<r�)
�dom_for_fun_levelrPr�r�r�r<�hostip�hostip6r�r�zProvision OK for domain %sN)&r�rr�r?rr<r_�set_invocation_idrhr|rNrarcr�rdrer-r
ryr!r��get_extended_componentr��
domainguid�KeyErrorrr��secretsrrrPrr�r�r�r�r�r�)r�r��secrets_ldbr4r4r5�join_provision_own_domainusB���8��z'DCJoinContext.join_provision_own_domaincCs"t�d|j|f|j||j|j�S�z2Creates a new DRS object for managing replicationsr�)r�
drs_Replicater]r<r�r|)r��
repl_credsr�r4r4r5�create_replicator�s�zDCJoinContext.create_replicatorc

Cs�td�|j���z2t�|j���}|jdur#td�t�tj	�}n|j}|j
rDt�}|�|j
�|�t�|�|j�|�|j�n|j}d}|j
��dkrT|d7}|�||�}|j|j||d|j
|jd�|j|j|||j
|jd	�|js�|jtj@s�td
�|jtjO_|j|j|||j
|jd	�|jtjN_|j|j|||j
|jd	�td�|j|j fD]}||j!vr�tdt"|��|j||||j
|jd	�q�|j
r�|j|j#||tj$dd
�|j|j%||tj$dd
�n@|j&du�r.z
|j|j&||tj'd�Wn,t(j)�y-}z|j*\}}	|tj+k�r"td|j,�td�n�WYd}~nd}~ww||_-||_.||_/td�Wn	|j�0��|j�1�|�2�dS)zReplicate the SAM.zStarting replicationNzUsing DS_BIND_GUID_W2K3r)r*r+T)�schema�rodcr�)r�r�z;Replicating critical objects from the base DN of the domainz5Done with always replicated NC (base, config, schema)zReplicating %s)r�r�)r�zdWARNING: Unable to replicate own RID Set, as server %s (the server we joined) is not the RID Master.zxNOTE: This is normal and expected, Samba will be able to create users after it contacts the RID Master at first startup.zCommitting SAM database)3r�r��transaction_startr
ryr_�get_invocation_idr~r�DRSUAPI_DS_BIND_GUID_W2K3r�rr�r<r�r�set_usernamer�r�r�r;r,r�r�rnr�rpr��domain_replica_flags�DRSUAPI_DRS_CRITICAL_ONLYrjr�r�rWrhr��DRSUAPI_EXOP_REPL_SECRETr�r��DRSUAPI_EXOP_FSMO_RID_ALLOCr��DsExtendedErrorrg�DRSUAPI_EXOP_ERR_FSMO_NOT_OWNERr]r��source_dsa_invocation_id�destination_dsa_guid�transaction_cancel�transaction_commit�refresh_ldb_connection)
r�rrr�r�r�rx�e1r�r�r4r4r5�join_replicate�s�



�
�
�
�
��
�
�

�

���

zDCJoinContext.join_replicatec
Cs�z|jjtjgd�WdStjyL}z3|j\}}|tjkr=d|vs'd|vr=|j�d�t	d|j
t�|j|j
d�|_nt|��WYd}~dSd}~ww)NrB�!NT_STATUS_CONNECTION_DISCONNECTED�NT_STATUS_CONNECTION_RESETz)LDB connection disconnected. Reconnectingr=r>)r_rcrdrerfrg�ERR_OPERATIONS_ERRORrN�warningrr]rr;r<r-)r�r�r�r�r4r4r5rs 



����z$DCJoinContext.refresh_ldb_connectioncCs�t��}t��|_t|�|j_t�d�|j_t	�
d�|j_|j|_
dt|j�|jf|_tjtjB|_|js>|jtjO_|jdurG|��|j�|jd|�dS)Nr�zS-0-0z%s._msdcs.%sr�)r�DsReplicaUpdateRefsRequest1rI�naming_contextrhr�r
ryr�rrqr�r~�
dest_dsa_guidr��dest_dsa_dns_name�DRSUAPI_DRS_ADD_REF�DRSUAPI_DRS_DEL_REFrrr�r�r1�DsReplicaUpdateRefsr.)r�r�r�r4r4r5�send_DsReplicaUpdateRefss

z&DCJoinContext.send_DsReplicaUpdateRefscCs:tj}tjtjB}|j}d|j}|j}t|j�}d||f}t	�
|j|j�}|j
�dt|�||f�d}	t�d|j|	f|j|j�}
d}t�|j�}t��}
|j|
_t�dt|j�tjf�|
_z|
�|d|j||d	tj|d	d	�
\}}Wnt y�}z|j!dt"j#kr�d
}	WYd	}~nd	}~ww|r�|j$D]F}|j%D]@}|j&tj'ks�|j&tj(kr�t�)�}||_$z|
�*|d|j||d	|�Wq�t y�}z|j!dt"j#kr�n�WYd	}~q�d	}~wwq�q�|D];}|�+d�dkr�|j
�d
|||f�t,|�}n|j
�d|||f�t-|�}t�)�}||_$|
�*|d|j|||d	�q�t|�dk�r�t.�/|j|j0�}|jj1d||f|d�\|_2}|j3|j2|
dtj4tj5Bgd�|j
�d|||f�t�)�}t6|�}||_$|
�*|d|j|||d	�t.�/|j|j7�}|jj1d||f|d�\|_8}|j3|j8|
dtj4tj5Bgd�|j
�d�d	S)a�Remotely Add a DNS record to the target DC.  We assume that if we
           replicate DNS that the server holds the DNS roles and can accept
           updates.

           This avoids issues getting replication going after the DC
           first starts as the rest of the domain does not have to
           wait for samba_dnsupdate to run successfully.

           Specifically, we add the records implied by the DsReplicaUpdateRefs
           call above.

           We do not just run samba_dnsupdate as we want to strictly
           operate against the DC we just joined:
            - We do not want to query another DNS server
            - We do not want to obtain a Kerberos ticket
              (as the KDC we select may not be the DC we just joined,
              and so may not be in sync with the password we just set)
            - We do not wish to set the _ldap records until we have started
            - We do not wish to use NTLM (the --use-samba-tool mode forces
              NTLM)

        z	_msdcs.%srGz&Adding %d remote DNS records for %s.%sr�r�Tz%s-%drNF�:���z,Adding DNS AAAA record %s.%s for IPv6 IP: %sz)Adding DNS A record %s.%s for IPv4 IP: %s)�
dns_partitionz
sd_flags:1:%dr{z$Adding DNS CNAME record %s.%s for %sz_All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup)9r�DNS_CLIENT_VERSION_LONGHORN�DNS_RPC_VIEW_AUTHORITY_DATA�DNS_RPC_VIEW_NO_CHILDRENr�r�r�rhr~r��
interface_ipsr<r�rNrar�r]r;r&�SDUtilsr_rrr��	owner_sidrqrs�DOMAIN_RID_DCS�	group_sid�DnssrvEnumRecords2r�DNS_TYPE_ALLr$rgr"�"WERR_DNS_ERROR_NAME_DOES_NOT_EXISTr&�records�wType�
DNS_TYPE_A�
DNS_TYPE_AAAA�DNS_RPC_RECORD_BUF�DnssrvUpdateRecord2�findr(r'rdr!r��
dns_lookupr��modify_sd_on_dn�
SECINFO_OWNER�
SECINFO_GROUPr)r�r�)r��client_version�select_flagsr��
msdcs_zoner��msdcs_cname�cname_target�IPsr��dns_conn�
name_found�	sd_helper�change_owner_sd�buflenr�r�r&�record�del_rec_buf�IP�add_rec_buf�domaindns_zone_dn�ldap_record�forestdns_zone_dnr4r4r5�join_add_dns_records)s�

�����
���

�������
����
�������
���z"DCJoinContext.join_add_dns_recordsc	CsT|j|jfD]!}||jvr'|j�dt|��|jj||j|j	|j
|jdd�qdS)Nz!Replicating new DNS records in %sF)r�r��	full_sync)r�r�rWrNrarhr�r�rr~r�r�)r�rxr4r4r5�join_replicate_new_dns_records�s
���z,DCJoinContext.join_replicate_new_dns_recordsc
Cs�|j�d�|jD]}|�|�q	|jrTtd�|j�t|j	��|j�
d|j�t�
�}t�|jd|j�|_t�t|j	�tjd�|d<|j�|�|j�|jdd�|j�d�t�
�}t�|jd�|_t�d	tjd
�|d
<|j}t�dt|�tjd�|d<|j�|�|jr�d
St|jjt�|jd�}|j�d�t||j|j|j |j!|j"|j#|j$|j%d�	|j&�'d�r�t(|j||j)|j|j|j|j&|j*|j|j+|j,d�d
Sd
S)z=Finalise the join, mark us synchronised and setup secrets db.z=Sending DsReplicaUpdateRefs for all the replicated partitionszSetting RODC invocationId�domainFunctionalityz%srur�(Setting isSynchronized and dsServiceName�@ROOTDSEr�isSynchronized�	<GUID=%s>�
dsServiceNameNr�zSetting up secrets database)r�r�r��netbiosnamer�r��secure_channel_typer�r�)r�r��os_levelrPr�)-rNrarWrr�r�r�r�rhr|�set_opaque_integerr�rdr r!r�r�r"r	r#r$�"set_attribute_replmetadata_versionr~r�rr�r�rr<rrvr�r�r�rsr�rIr�r�r�r r�r�rPr�)r�rxr'r�r�r4r4r5�
join_finalise�sf	
��
���	
��zDCJoinContext.join_finalisecCs�td|j�d}t�d|j|f|j|j�}t��}t��|_|�	d�
d�|tj�}t�
�}|j|j_|j|j_|j|_tjtjB|_tj|_tj|_z%t��}|j|_|�||tj�}td|j|jjf�|�||jj�Wn	t yzYnwt!|j"�#d��}t$�%�}	t&|�|	_'||	_(t$�)�}
t*�+t,t-�-���|
_.tj/|
_0|	|
_1t$�2�}d|_3|
g|_4t$�5�}d|_3||_6t$�7�}
dgd	}t8d	�D]
}t9�:d
d�||<q�||
_;||
_<||
_=t>|
�}t?|j@|�}t�A�}t&|�|_'t!|�|_Bt�C�}||_D|�E|||tjF�}d|jG|jHfd
tI|j�tI|j�tI|j�|jJ|jGt>|�t>|�t>|jK�d�
}|jL�M|�d|jJ|jHfdtIt*jNjO�|j"�#d�d|jJd�}|jL�M|�dS)zprovision the local SAM.z"Setup domain trusts with server %sr�zncacn_np:%s[%s]zutf-8z)Removing old trust record for %s (SID %s)r�r�rHirr�zcn=%s,cn=system,%s�
trustedDomain)
r�r�	trustType�trustAttributes�trustDirection�flatname�trustPartner�trustAuthIncoming�trustAuthOutgoing�securityIdentifierzcn=%s$,cn=users,%srrF)r�rr�r�rN)Pr�r]rr�r<r;r�r�r�r�r�rr��TrustDomainInfoInfoExr�rvr�r�rsr��LSA_TRUST_DIRECTION_INBOUND�LSA_TRUST_DIRECTION_OUTBOUND�trust_direction�LSA_TRUST_TYPE_UPLEVEL�
trust_type�!LSA_TRUST_ATTRIBUTE_WITHIN_FOREST�trust_attributesr�r�r�r�r�r[r�
trustdom_passrCr�
AuthInfoClearr��size�password�AuthenticationInformationr��unix2nttimer��time�LastUpdateTime�TRUST_AUTH_TYPE_CLEAR�AuthType�AuthInfo�AuthenticationInformationArray�count�array�trustAuthInOutBlob�current�trustDomainPasswordsr��random�randint�
confounder�outgoing�incomingr	r�session_key�	DATA_BUF2�data�TrustDomainInfoAuthInfoInternal�	auth_blob�CreateTrustedDomainEx2�SEC_STD_DELETEr�rjrhrxrtr�rr��UF_INTERDOMAIN_TRUST_ACCOUNT)r�r�r�r�r�ra�oldname�oldinfo�
password_blob�clear_value� clear_authentication_information� authentication_information_arrayrs�	trustpassrrr��trustpass_blob�encrypted_trustpassry�	auth_info�trustdom_handler&r4r4r5�join_setup_trustss��
�

��



��

�zDCJoinContext.join_setup_trustscCs�|j|jg|_|j|j|jg|_|jr#|jdkr#|j|jg7_dS|jsZ|j|jg7_|jdkr\|j|jg7_|j|jg7_|j|jg7_|j|jg7_dSdSdS)NrM)	rprnrWrjrXr�r�r�r�r8r4r4r5�build_nc_listsys
�zDCJoinContext.build_nc_listscCs�|��|jr|��n|��z/|��|��|��|jr,|��|�	�|�
�|jdkr9|��|�
�|��WdSztd�Wn	tyRYnw|��|���)NrMzJoin failed - cleaning up)r�rUr�r�r�r�rr�r�r�r�r�r?rArMr��IOErrorrr8r4r4r5�do_join�s2

�zDCJoinContext.do_join)NNNNNNNNNFNFFNNN)F�N)'r6r7r8�__doc__r/r�r�r�r�rbr`r�rrurwr
rr�r(r1r9r@rXryrr�r�r�r�r�rrrr?rArMr�r�r�r4r4r4r5r:=s^
�


5/
		C+
X+-^	Her:FcCstt|||||||||	|
|||
||d�}|�d|j�|�d|j�|�d|j�|�d|j�d|j|jf|_d|jt	j
fdt	jdt	jdt	j
dt	jg|_d|jt	jf|_|��}d|}||_tjjtjjBtjjB|_|j�d	|jd	|jg�d
|j|_tj |_!d|_"|j#t$j%t$j&BO_#|j#|_'|r�|j't$j(O_'|�)�|�d|j|jf�d
S)zJoin as a RODC.�rSrT�	workgroup�workgroup is %sr��realm is %szCN=krbtgt_%s,CN=Users,%sz<SID=%s-%s>z<SID=%s>zRestrictedKrbHost/%szCN=RODC Connection (FRS),%sTz$Joined domain %s (SID %s) as an RODCN)*r:�setrvrar�r�rjr�rsr�DOMAIN_RID_RODC_DENY�SID_BUILTIN_ADMINISTRATORS�SID_BUILTIN_SERVER_OPERATORS�SID_BUILTIN_BACKUP_OPERATORS�SID_BUILTIN_ACCOUNT_OPERATORSr��DOMAIN_RID_RODC_ALLOWr�rr�r�r�r��)UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION�UF_PARTIAL_SECRETS_ACCOUNTr�r��extendr�r�r�r
�
SEC_CHAN_RODCrIr�r�r�%DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING�$DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIPr�r�r�)rNr]r;r<rOr�rPr��domain_critical_onlyr�rQr�rUrRrSrTr��mysid�admin_dnr4r4r5�	join_RODC�sP
�����
�r�cCs�t|||||||||	|
|||
||d�}|�d|j�|�d|j�|�d|j�|�d|j�tjjtjjB|_	|j
�d|j�t
j|_|jtjtjBO_|j|_|r`|jtjO_|��|�d|j|jf�dS)	z
Join as a DC.r�r�r�r�r�z1E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/%sz!Joined domain %s (SID %s) as a DCN)r:r�rvrar�r�r�r��UF_TRUSTED_FOR_DELEGATIONr�r�rLr�r
�SEC_CHAN_BDCrIr�rr��!DRSUAPI_DRS_FULL_SYNC_IN_PROGRESSr�r�r�rs)rNr]r;r<rOr�rPr�r�r�rQr�rUrRrSrTr�r4r4r5�join_DC�s*
�
�r�rMc
Cszt||||||||||	d�
}
|�d|
j�|�d|
j�|�d|
j�|�d|
j�|
��|�d|
j|
jf�|
S)z%Creates a local clone of a remote DC.)rPr�r��include_secretsrSrTr�r�r�r�zCloned domain %s (SID %s))�DCCloneContextr�rvrar�r�rs)rNr]r;r<rPr�r�r�rSrTr�r4r4r5�
join_clones�r�cs:eZdZdZ				d
�fdd�	Zdd�Zdd	�Z�ZS)r�zClones a remote DC.NFcs�tt|�j||||||||	|
d�	d|_d|_d|_|j�d�d|_d|_	d|_
|j��|_
|jtjtjBO_|sD|jtjO_|j|_dS)N)rPr�r�rSrT�.r)r.r�r/r�r�r�r]�splitr�r~r�r_�
get_ntds_GUID�remote_dc_ntds_guidr�rr�r�r�r�)r�rNr]r;r<rPr�r�r�rSrTr2r4r5r/$s&�
�zDCCloneContext.__init__cCsj|j�d�t��}t�|jd�|_t�dtjd�|d<|j	}t�dt
|�tjd�|d<|j�|�dS)NrCrDrrErFrG)rNrardr r!r�r�r"r#r�rhr$)r�r'r�r4r4r5rM?s
��zDCCloneContext.join_finalisecCs$|��|��|��|��dSr�)r�r�rrMr8r4r4r5r�MszDCCloneContext.do_join)
NNNNNNNFNN)r6r7r8r�r/rMr�r9r4r4r2r5r�!s�r�csHeZdZdZ			d�fdd�	Zdd�Zdd	�Zd
d�Zdd
�Z�Z	S)�DCCloneAndRenameContextz6Clones a remote DC, renaming the domain along the way.NTc

s8tt|�j||||||	|
||d�	||_||_||_dS)N)rPr�r�r�rS)r.r�r/�new_base_dn�new_domain_name�	new_realm)
r�r�r�r�rNr]r;r<rPr�r�r�rSr2r4r5r/\s�
z DCCloneAndRenameContext.__init__c	Cs.d|j|f}t�||j||j|j|j|j�Sr�)r]r�drs_ReplicateRenamerr<r�r|rjr�)r�r�r��binding_strr4r4r5r�js�z)DCCloneAndRenameContext.create_replicatorcCs4t��\}}|�d|�tjj|d�}t�|�|S)z?Creates a non-global LoadParm based on the global LP's settingsF)�filename_for_non_global_lp)�tempfile�mkstemp�dumpr��param�LoadParm�os�remove)r��	global_lp�fd�tmp_file�local_lpr4r4r5�create_non_global_lpvs
	
z,DCCloneAndRenameContext.create_non_global_lpcCs|j}t�d||j|�S)z/Uses string substitution to replace the base DNrF)rj�re�subr�)r��dn_str�old_base_dnr4r4r5�	rename_dn�sz!DCCloneAndRenameContext.rename_dncCs�td�|�|j�}t|jt�|jt|j||�	|j
�|j|�	|j�|�	|j
�|j|jd|j|jd�}td|j�|j|_|j|_dS)z"Provision the local (renamed) SAM.z(Provisioning the new (renamed) domain...r�)
rPr�r�r<r�r�r2r�r�r�r�r�rSz%Provision OK for renamed domain DN %sN)r�r�r<rrNrrPrr�r�rlr�rnrpr�rsr�rSr�r_r�r�)r��
non_global_lpr�r4r4r5r��s 



�z&DCCloneAndRenameContext.join_provision)	NNNNNNNTN)
r6r7r8r�r/r�r�r�r�r9r4r4r2r5r�Ys�
r�)NNNNNNNNFNFNFFNN)
NNNNNNFrMNN)Nr��
samba.authr�samba.samdbrr�rrrrrrdrz�	samba.ndrr	r
�samba.dcerpcrrr
rrrrr�
samba.dsdbr�samba.credentialsrr�samba.provisionrrrrrr�samba.provision.commonr�samba.schemarr�	samba.netr�samba.provision.sambadnsr r!r"�base64r#r$r%r&�samba.dnsserverr'r(r)�loggingrprer�r�r��collectionsr*�samba.commonr+�samba.netcmdr,r�r-rTr:r�r�r�r�r�r4r4r4r5�<module>s�( ~
�8
�"
�8