IdAOddlZddlZddlmZddlmZddlmZmZddlm Z ddl m Z ddl m Z ddlmZmZmZmZmZd Zd Zd d d dddddddddddddZededededed iZededed ed!ed"iZgZGd#d$eZGd%d&eZy)'N) b64encode)sd_utils) ndr_unpackndr_pack)security) SECINFO_DACL)'get_managed_service_accounts_descriptor)DS_DOMAIN_FUNCTION_2008DS_DOMAIN_FUNCTION_2008_R2DS_DOMAIN_FUNCTION_2012DS_DOMAIN_FUNCTION_2012_R2DS_DOMAIN_FUNCTION_2016KYz$5e1574f6-55df-493e-a671-aaeffca6a100z$d262aae8-41f7-48ed-9f35-56bbb677573dz$82112ba0-7e4c-4a44-89d9-d46c9612bf91z$c3c927a6-cc1d-47c0-966b-be8f9b63d991z$54afcfb9-637a-4251-9f47-4d50e7021211z$f4728883-84dd-483c-9897-274f2ebcf11ez$ff4f9d27-7157-4cb0-80a9-5d6f2b14c8ffz$83c53da7-427e-47a4-a07a-a324598b88f7z$c81fc9cc-0130-4fd1-b272-634d74818133z$e5f9e791-d96d-4fc9-93c9-d53e1dc439baz$e6d5fd00-385d-4e65-b02d-9da3493ed850z$3a6b3fbf-3168-4312-a10d-dd5b3393952dz$7f950403-0ab3-47f9-9730-5d7b0269f9bdz$434bb40d-dbc9-4fe7-81d4-d57229f7b080z$a0c238ba-9e30-4ee6-80a6-43f731e9a5cd)rLMNOPQRSTUVWXrJrr c eZdZy)DomainUpdateExceptionN)__name__ __module__ __qualname__5/usr/lib/python3/dist-packages/samba/domain_update.pyr%r%Zsr*r%ceZdZdZ ddZ ddZdZddZdZdZ d Z d Z d Z d Z d ZdZdZdZdZdZdZdZdZdZdZdZy) DomainUpdatez2Check and update a SAM database for domain updatesc||_||_||_d|_|jj |_|jj |_|jj|_tj||_ tj|j|_|jj|_ |j j#d|jj|_ |j*j#dy#t$j&$r t)dwxYw#t$j&$r t)dwxYw)z :param samdb: LDB database :param fix: Apply the update if the container is missing :param add_update_container: Add the container at the end of the change :raise DomainUpdateException: Fz(CN=Operations,CN=DomainUpdates,CN=Systemz+Failed to add domain update container childz3CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=Systemz#Failed to add revision object childN)samdbfixadd_update_containercheck_update_appliedget_config_basedn config_dn domain_dnget_schema_basedn schema_dnrSDUtilsrdom_sidget_domain_sid domain_sidget_root_basedndomainupdate_container add_childldbLdbErrorr%revision_object)selfr/r0r1s r+__init__zDomainUpdate.__init__as2 $8!$)!557--/557 ((/ "**5+?+?+AB&*jj&@&@&B# W  ' ' 1 12\ ] $zz99; O  * *+` a || W'(UV V W || O'(MN N OsD3E3EE4Nc|jj|jdgtj}t |}|rt |}|dz }nt }|j||t|}t|ddd}|rV||krP|jstd||fz|jjdt|j|fzyyy)a Apply all updates for a given old and new functional level :param functional_level: constant :param old_functional_level: constant :param update_revision: modify the stored version :raise DomainUpdateException: revision)baseattrsscoperzERevision is not high enough. Fix is set to False. Expected: %dGot: %dz9dn: %s changetype: modify replace: revision revision: %d N)r/searchrAr? SCOPE_BASEfunctional_level_to_max_update MIN_UPDATEcheck_updates_rangefunctional_level_to_versionintr0r% modify_ldifstr) rBfunctional_levelold_functional_levelupdate_revisionresexpected_update min_updateexpected_version found_versions r+check_updates_functional_levelz+DomainUpdate.check_updates_functional_levelsjjT%9%9'1l#.. J99IJ 78LMJ !OJ#J   _=67GHCF:.q12 }/??88+-DGWGTGV-VWW JJ " "$ 4   "23 $4 5 @?r*cv|D]4}|tks |tkDr tdt|d|z|6y)z Apply a list of updates which must be within the valid range of updates :param iterator: Iterable specifying integer update numbers to apply :raise DomainUpdateException: Update number invalid. operation_%dN)rM MAX_UPDATEr%getattr)rBiteratorops r+check_updates_iteratorz#DomainUpdate.check_updates_iteratorsD  3BJ"z/+,DEE /GD.2- .r 2  3r*c|}|tks||kDs |tkDr td||kr)|tvrt |d|z||dz }||kr(yy)z Apply a range of updates which must be within the valid range of updates :param start: integer update to begin :param end: integer update to end (inclusive) :raise DomainUpdateException: r]r^rIN)rMr_r%missing_updatesr`)rBstartendrbs r+rNz DomainUpdate.check_updates_rangesa : j0@'(@A ACi(2nr1226 !GB Cir*cddt|d|j} |jj|tj g}t|dk(sJtd|t|fzy#tj $r-}|j\}}|tjk7rYd}~yd}~wwxYw) zd :param op: Integer update number :return: True if update exists else False zCN=,)rFrHrGNFrIzSkip Domain Update %u: %sT) update_mapr=r/rJr?rKr@argsERR_NO_SUCH_OBJECTlenprint)rBrb update_dnrVenummsgs r+ update_existszDomainUpdate.update_existss #-R.$2M2MN  **##*-..*,$.C3x1}} )RB,@@A|| JS#c,,,  s,A//B/#B**B/c|jjdt|dt|jdt d|t|fzy)zo Add the corresponding container object for the given update :param op: Integer update zdn: CN=riz objectClass: container zApplied Domain Update %u: %sN)r/add_ldifrjrRr=rnrBrbs r+ update_addzDomainUpdate.update_addsH "~s46679 : ,JrN/CCDr*c8|jstd|zy)z Raises an exception if not set to fix. :param op: Integer operation :raise DomainUpdateException: z3Missing operation %d. Fix is currently set to FalseN)r0r%rvs r+raise_if_not_fixzDomainUpdate.raise_if_not_fixs" xx'(]`b(bc cr*c|j|ry|j||jjd|jzddg|j r|j |yy)NzVdn: CN=TPM Devices,%s objectClass: top objectClass: msTPM-InformationObjectsContainer relax:0 provision:0controls)rsryr/rur5r1rwrvs r+ operation_78zDomainUpdate.operation_78sr   b !  b!  nn'0%?  A  $ $ OOB  %r*c|j|ry|j|d}|jj|j|g|j r|j |yy)NzY(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)add_acesrsryrupdate_aces_in_daclr5r1rwrBrbaces r+ operation_79zDomainUpdate.operation_79s]   b !  b!i ))$..C5)I  $ $ OOB  %r*c|j|ry|j|d}|jj|j|g|j r|j |yy)Nz1(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;CN)rrrs r+ operation_80zDomainUpdate.operation_80s]   b !  b!A ))$..C5)I  $ $ OOB  %r*c|j|ry|j|d}|jj|j|g|j r|j |yy)Nz7(OA;CIOI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)rrrs r+ operation_81zDomainUpdate.operation_81s]   b !  b!G ))$..C5)I  $ $ OOB  %r*c^|j|ry|j|t|j}t |j d}dt |jz}|jjd|d|ddg|jr|j|yy)Nutf8CN=Managed Service Accounts,%sdn: z changetype: add objectClass: container description: Default container for managed service accounts showInAdvancedViewOnly: FALSE nTSecurityDescriptor:: r{r|r}) rsryr r;rdecoderRr5r/rQr1rw)rBrb descriptormanagedservice_descrmanaged_service_dns r+ operation_75zDomainUpdate.operation_75's   b !  b!>.  0  @  $ $ OOB  %r*c>|j|ry|j|dt|jz}d}|dz }|dz }|dz }|dz }|dz }|dz }d |d |d }|jj ||j r|j|yy) N CN=Keys,%szO:DAzD:z&(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)z&(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DA)z&(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)z&(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;DD)z&(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;ED) dn: z objectClass: container description: Default container for key credential objects ShowInAdvancedViewOnly: TRUE nTSecurityDescriptor: r)rsryrRr5r/rur1rw)rBrbkeys_dnsddlldifs r+ operation_82zDomainUpdate.operation_82rs   b !  b!T^^!44   88 88 88 88 88  D!  $ $ OOB  %r*c|j|ry|j|dt|jz}dg}|dgz }|jj |||j r|j|yy)Nrz&(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;KA)&(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EK)r)rsryrRr5rrr1rw)rBrbracess r+ operation_83zDomainUpdate.operation_83s{   b !  b!T^^!449: 9:: ))'D)A  $ $ OOB  %r*c$|j|ry|j|dt|jz}dt|jd|d}|jj ||j r|j|yy)Nrrzl changetype: modify add: otherWellKnownObjects otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:rr)rBrbrrs r+ operation_84zDomainUpdate.operation_84sy   b !  b!T^^!44 4>>G % t$  $ $ OOB  %r*c|j|ry|j|dg}|dt|jzgz }|jj |j ||jr|j|yy)Nz5(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;KA)z9(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;%s-527)r rsryrRr;rrr5r1rwrBrbrs r+ operation_85zDomainUpdate.operation_85s   b !  b!HI LT__%&' ' ))$..4)H  $ $ OOB  %r*c|j|ry|j|dg}|dgz }|jj|j||j r|j |yy)NzY(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)zY(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)rrrs r+ operation_86zDomainUpdate.operation_86sl   b !  b!lm lmm ))$..4)H  $ $ OOB  %r*c|j|ry|j|dt|jzg}dg}|jj |j |||jr|j|yy)Nz*(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;%s-527)rdel_acesrrrBrbrrs r+ operation_87zDomainUpdate.operation_87s   b !  b!A()*<= ))$..3;3; * =  $ $ OOB  %r*c|j|ry|j|dt|jz}|jj ||j r|j|yy)Nz dn: %s changetype: modify add: msDS-ExpirePasswordsOnSmartCardOnlyAccounts msDS-ExpirePasswordsOnSmartCardOnlyAccounts: FALSE r)rBrbrs r+ operation_88zDomainUpdate.operation_88si   b !  b!  $..  t$  $ $ OOB  %r*c|j|ry|j|dg}dg}|jj|j|||j r|j |yy)Nrz5(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;EK)rrrs r+ operation_89zDomainUpdate.operation_890sr   b !  b! ==KL ))$..3;3; * =  $ $ OOB  %r*)FT)NF)rr)r&r'r(__doc__rCr[rcrNrsrwryrrrrrrrrrrrrrrrr)r*r+r-r-^s<"'&*OD=A7<"5H 3"(Ed        " , &  D H  * >  .  , 4 > r*r-)r?sambabase64rr samba.ndrrr samba.dcerpcrsamba.dcerpc.securityrsamba.descriptorr samba.dsdbr r r r rrMr_rjrLrOre Exceptionr%objectr-r)r*r+rs& *!.   /...... / /......5 >RRR "QQR  I b 6b r*