Id@LdZddlmZddlmZddlmZmZmZm Z m Z ddl Z ddlZddl Z ddl mZmZddlmZmZmZmZmZmZmZmZddlmZdd lmZmZdd lmZm Z m!Z!m"Z"m#Z#m$Z$dd l%m&Z&dd l'm(Z(dd lm)Z)ddl*m+Z+ddl,m-Z-ddlm.Z.ddlm/Z/ddl0m1Z1ddlm2Z2m3Z3ddlm4Z4ddl5m6Z6m7Z7m8Z8ddl9Z9ddl:Z:ddl;Z;ddlZ>ddl?m@Z@ddlAmBZBddlCmDZDddlmEZEmFZFGddeGZHGddeIZJ d%dZK d%dZL d&d ZMGd!d"eJZNGd#d$eNZOy)'zJoining a domain.)system_session)SamDB)gensecLdb drs_utilsarcfour_encryptstring_to_byte_arrayN)ndr_pack ndr_unpack)securitydrsuapimiscnbtlsadrsblobs dnsserverdnsp)DS_DOMAIN_FUNCTION_2003) CredentialsDONT_USE_KERBEROS)secretsdb_self_join provisionprovision_fillFILL_DRSFILL_SUBDOMAIN DEFAULTSITE) setup_path)Schema) descriptor)Net)setup_bind9_dns)read_and_sub_file)werror) b64encode) WERRORError NTSTATUSError)sd_utils)ARecord AAAARecord CNAMERecord) OrderedDict) get_string) CommandError)dsdbfunctional_levelceZdZfdZxZS)DCJoinExceptionc2tt| d|zy)NzCan't join, error: %s)superr1__init__)selfmsg __class__s ,/usr/lib/python3/dist-packages/samba/join.pyr4zDCJoinException.__init__:s ot-.E.KL)__name__ __module__ __qualname__r4 __classcell__r7s@r8r1r18sMMr9r1ceZdZdZ d&dZd'dZd'dZd'dZdZdZ d Z d Z d Z d Z d ZdZdZdZdZdZdZdZdZdZdZd(dZdZdZdZdZdZdZdZ d Z!d!Z"d"Z#d#Z$d$Z%d%Z&y)) DCJoinContextzPerform a DC join.Nc<||_||_||_||_||_| |_| |_||_||_| |_ d|_ g|_ g|_ |jj|jtj zt#|j|j|_||_||_|r#||_|j*j,|_n|j&r#|}|j/|j&|_n\|jj1d|z|j3||_|jj1d|j&zt5d|j&zt7|j|j|_|j t8|_ |j*j;t<j>gtG|j*jI|_%tG|j*jM|_'tG|j*jQ|_)tG|j*jU|_+tYjZ|j*j]|_/|j^|_0|jc|_2|jg|_4tkjltGtojp|_9|j*ju|_;|jy|_=|j}|_?| | |_@ntjdd|_@|j*j|_D|r||_Ed|jz|_Fd |jd |jd |jV|_Gd |jz|_Hd |jd |jJ|_I|jjd|j|_K|j*j|_Md|jJz}|j|rd |jd||_Ond|_Od|jzd|jzd|jd|jg|_P|j*j;t<j>dg|jJ}|ddd|_Qd|jJz|_Rd|jNz|_Sdt=j|jz}|j*j;t<jg|j*j|}| d|_Wn(t|dk(rd|_Wtdn| |_W|j|_Zd|_[tjtjztjztjztjz|_bd|_cd|_dd|_ed|_fd|_gd|_\d|_hd|_id|_jd|_kd|_ld|_md|_ny#t<j@$r}|jB\}}tE|d}~wwxYw)N)credslpz&Finding a writeable DC for domain '%s'z Found DC %s ldap://%surl session_info credentialsrCscopeattrsx%s$CN=z,CN=Servers,CN=z ,CN=Sites,zCN=NTDS Settings,%sz,OU=Domain Controllers,.zGCN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,%s,zHOST/%szGC//rIDManagerReference)rJrKbaserzDC=DomainDnsZones,%szDC=ForestDnsZones,%s$(&(objectClass=crossRef)(ncName=%s))rJrKrS expressionNONEzCNO DNS zone information found in source domain, not replicating DNSF)ologgerrBrCsite targetdir use_ntvfsplaintext_secrets backend_storebackend_store_sizepromote_existingpromote_from_dnnc_list full_nc_listset_gensec_featuresget_gensec_featuresr FEATURE_SEALr netserverforced_local_samdbsamdbrF find_dc_siteinfofind_dcrrrsearchldb SCOPE_BASELdbErrorargsr1strget_default_basednbase_dnget_root_basednroot_dnget_schema_basedn schema_dnget_config_basedn config_dnr dom_sidget_domain_siddomsid forestsidget_domain_name domain_nameget_forest_domain_nameforest_domain_namerGUIDuuiduuid4 invocation_idget_dsServiceName dc_ntds_dnget_dnsHostNamedc_dnsHostNameget_behavior_versionbehavior_version acct_passsamba generate_random_machine_passworddomain_dns_name dnsdomainmynamesamname server_dnntds_dnacct_dnlower dnshostnameforest_dns_name dnsforest dn_exists topology_dnSPNsrid_manager_dndomaindns_zoneforestdns_zone binary_encodeSCOPE_ONELEVELget_partitions_dn dns_backendlenprintrealm tmp_samdbr DRSUAPI_DRS_INIT_SYNCDRSUAPI_DRS_PER_SYNCDRSUAPI_DRS_GET_ANCDRSUAPI_DRS_GET_NC_SIZEDRSUAPI_DRS_NEVER_SYNCED replica_flagsnever_reveal_sid reveal_sid connection_dnRODC krbtgt_dn managedby subdomain adminpass partition_dndns_a_dn dns_cname_dn force_all_ips)ctxrXrgrBrCrY netbios_namerZdomain machinepassr[rr_r\r]r^rheenumestr topology_baseres_rid_managerexpr res_domaindnss r8r4zDCJoinContext.__init__As  ! ! 1)!3/"  %%e&?&?&AFDWDW&WXCII#&&1 !3 *CICJzz<"// ;CH  H6 QR [[0    :;+ ":+9+;*-))@CI 88 "CH ( II  3>>  < #))6689 #))3356 CII779: CII779: %%cii&>&>&@A   --/!$!;!;!= IIc$**,&78446 002"779  "'CM!BB3LCM 113  %CJ#**,CKDGJJPSPXPXZ]ZgZghCM/#--?CK>Ajj#++VCK),)9)9);S]]KCOII557CMehkhshssM}}]+03 M"J"&!CJJ.!COO3&)oos}}EGCH"ii..S^^6K5L47KK/AO"1!34I!J1!MC 3ckkA3ckkA58I8I#J\J\8]] ((s/A/A/1.1ii.I.I.K48):   $CO=!Q&"([\"-MM  $::$99:$889%<<=%== > $       "A|| (66LT4!$' ' (s+[))\<\\c<|rR |jj|tjdg}|D]}|j |j d! |jj|td|zy#t$rYywxYw#t$rYywxYw)NdnrSrJrKT recursivez Deleted %s) rirmrnr Exception del_noerrorrdeleter)rrrresrs r8rzDCJoinContext.del_noerrors  ii&&Bc6H6HQUPV&W 65 6  II  R ,# $      s#-B)B B  B  BBc |jj|jjdtj|j zddg}t |dk(ry|st}|j|j |j|j|j|jjtd|jzt!||j}|jtj"dd g }|dd d|dddk(rt%d |j z|j'|dj(d |dj+dd}|"||_|j'|j,|jj|jjdtjd|j.zdtjd|j0zdg}|r |j'|dj(d |jj|jjdtjd|j.zzg}|rQt%dtjd|j.zdtjd|j0zy#YxYw)NsAMAccountName=%smsDS-krbTgtLink objectSIDrSrVrKrrDrE tokenGroups)rJrSrKzNot removing account %s which looks like a Samba DC account matching the password we already have. To override, remove secrets.ldb and secrets.tdbTrmsDS-KrbTgtLink)idxz(&(sAMAccountName=dns-%sz)(servicePrincipalName=zdns/%sz))z(sAMAccountName=%s)zNot removing account zU which looks like a Samba DNS service account but does not have servicePrincipalName=)rirmrsrnrrrrguessrCset_machine_accountset_kerberos_staterBget_kerberos_staterrgrror1rrget new_krbtgt_dnrr)rforcerrB machine_samdb token_resrs r8cleanup_old_accountsz"DCJoinContext.cleanup_old_accountssiiCII$@$@$B*=@Q@QRUR]R]@^*^&7%EG s8q= ME KK  9))#&&1(()E)E)GH %+ *B3A3C27CFF!D *00s~~BWdVe0f Q< .q1!f[)!,-)+\-0KK +899 A T2FJJ0aJ8  )C  OOC-- .iiCII$@$@$B # 1 1(SZZ2G H # 1 1(S__2L M+O&( )  OOCFIIO 6iiCII$@$@$B*?#BSBST\_b_i_iTiBj*j%') !$'#4#4X 5J#K##4X5O#P #RS S = s A2K::K?ch|js|j||j|j|j|j|j|j|j|j |j|j d|jr|j|j|jr|j|j|jrdd}tjd|jd|d|j|j}tj}tj|_|j#d |t$j&}tj(}|j*|_|j/||tj0}|j3||j4j6tj(}|j8|_|j/||tj0}|j3||j4j6|j:r|j|j:|j<r|j|j<yy) z$Remove any DNs from a previous join.)rNTrsign ncacn_ip_tcp:[]r)rrrrrrrrrrlsarpcrgrCrBObjectAttributeQosInfosec_qos OpenPolicy2r SEC_FLAG_MAXIMUM_ALLOWEDStringrstringQueryTrustedDomainInfoByName!LSA_TRUSTED_DOMAIN_INFO_FULL_INFODeleteTrustedDomaininfo_exsidrrr)rrbinding_optionslsaconn objectAttr pol_handlenamerks r8cleanup_old_joinzDCJoinContext.cleanup_old_joins}}  $ $5 $ 1    ( OOC-- . == $ OOCMM *  $  6 ?? OOCOO ,    OOC,, - ==$Ojj#**o!V!$4G,,.J!$J  ,,R-7-5-N-NPJ::? ?iiCII$@$@$B*=@Q@QRUR]R]@^*^%wy s8q=BEHEPEPPQ Q A &*=Q*GK]adefagKgGJMJUJUUV V A+,Q/ 0EJJ4[4[49JJ4V4V5W X[\ ]x{~|G|GGH H!!fiir9c |jj|tjtjztj z|_|j j4|j jdk7r|j j|_ |j jS#t$r#}td|d|jdd}~wt$rtd|zwxYw)z(find a writeable DC for the given domain)rflagsz*Failed to find a writeable DC for domain 'z': Nz-Failed to find a writeable DC for domain '%s'r)rffinddcrNBT_SERVER_LDAP NBT_SERVER_DSNBT_SERVER_WRITABLE cldap_retr&r-rqr client_siterY pdc_dns_name)rrerrors r8rlzDCJoinContext.find_dc]s YGGNN&@S@SVYVgVg@gjmkBkBABNCCM == $ $ 0S]]5N5NRT5T}}00CH}}))) 8 & 1  78 8 YNQWWX X YsAB44 C6=CC6cd}|jj|tjtjz}|j |j dk7r |j }|S)N)addressrr)rfrrr r r )rrgrYr s r8rjzDCJoinContext.find_dc_sitejs^GGNN6),)<)G>R>RSVS^S^>_; S:r9c t|j|j|_t t dd|j |jdd|_|jj|jy)z2create a temporary samdb object for schema queries)schemadnNF)rGrF auto_connectrHrC global_schemaam_rodc) rr}rx tmp_schemarrrBrCr set_schemars r8create_tmp_samdbzDCJoinContext.create_tmp_samdbs[ ),8>+;TY*-))e&+-    0r9cztj}|jj||_d|_y)z$build a DsReplicaAttributeCtr objectrN)r DsReplicaAttributerget_attid_from_lDAPDisplayNameattid value_ctr)rattrname attrvaluers r8build_DsReplicaAttributez&DCJoinContext.build_DsReplicaAttributes-  & & (-->>xH r9c f|j|j|j|jg}|D]0}tj}|d|_g}|D]}|dk(r t ||ts||g}n||}|Dcgc]%}t |tr|jdn|'}}|jj|j||} |j| tj} t|| _|| _tj } || _| | _tj&} | | _|j| 3tj*} |d| _| j,}|ddD] }||_|} |jj1|j2d| \}}|dk(r|j4tj6k7r#t9d|j4zt;d|j<dt>j@k7r#t9d |j<zt;d|d k(r<|jBdk7rt;d |jBz|jDjFdt>j@k7r|jDjH0t9d |jDjFdzt;dt9d |jDjFdd|jDjHj<t;d|jDj4tj6k7r-t9d|jDj4zt;d|jJScc}w)z,add a record via the DRSUAPI DsAddEntry callNrutf8rrz!DsAddEntry failed with dir_err %uzDsAddEntry failedz(DsAddEntry failed with status %s info %szexpected err_ver 1, got %uz.DsAddEntry failed with status %s, info omittedzDsAddEntry failed with status z info )&r rJrrSDsReplicaObjectIdentifierr isinstancelistrrencodedsdb_DsReplicaAttributeappendDsReplicaAttributeCtrrnum_attributes attributesDsReplicaObject identifier attribute_ctrDsReplicaObjectListItemobjectDsAddEntryRequest2 first_object next_object DsAddEntryrGdir_errDRSUAPI_DIRERR_OKr RuntimeError extended_errr# WERR_SUCCESSerr_vererr_datastatusrkobjects)rrecsrzr>idrKavxrattrrkrm list_objectreq2prevolevelctrs r8rqzDCJoinContext.DsAddEntrys? ;;     ! ==  " (C224BIBEE $9!#a&$/QAAALMNqAs);QXXf%BNN ==cmmQPQR U# $$99;M+.u:M (',M $,,.F "F #0F !99;K!'K  NN; '5 (8))+#AJ   A D D {{--c.@.@!TJ  A:{{g7779CKKGH"#677"f&9&99@CDTDTUV"#677 A:{{a"#?#++#MNN||""1%)<)<<<<$$,JcllNaNabcNdef##677 H[H[\]H^HK HYHYHfHfhi"#677||##w'@'@@9CLLradomainControllerFunctionalityncs r8join_ntdsdsa_objzDCJoinContext.join_ntdsdsa_objs kCKK'( 3;;  & C N NO P CMM * ,- ;; s}}=   5::#E#E E -=,M,Mcff,U )+./L+MC' (   5::#E#E E'*{{C# $ 88$7#--$GC !,/,<,rs r8join_add_ntdsdsazDCJoinContext.join_add_ntdsdsaMs""$  ! ! IIMM# M 4 XX IIMM#0 1 NNC5 !iiCKKs~~l^\ #))"?"? cRSfUaNbcdNe"fg r9c |jr9td|jz|jd|j|jt|jt j jz|jd}|jt j jk\r'tt j j|d<n|jrg|d<|jr|j|d<n|jrg|d<|jr|j|d<n|jrg|d<|jr|j|d<n|jrg|d<|rt!||d<|jr|j"|jk7r0|j$j'|j"|j|j$j)t*j,j/|j$|t*j0n$d }|d g}|j$j3|| |j4r|j7|j8rtd|j8z|j8d tt j j:t j j<zt j j>z|jd }|jr|j|d<|j$j3||j@rd |_!y |jDr|jGdt+jH|jJz}|j$jMt*jNg|j$jQ||jJf}dt+jH|jRz}|j$jMt*jNg|j$jQ||jRf}||fD]\}}||jTvrtW|dk(s$t+j,} |djX| _,d} |jZrd} t+j\|jDt*j^| | | <|j$j)| |j`Otd|j`z|j`ddd|jbd}|j$j3||jrtd|jzt+j,} t+jd|j$|j| _,tgtW|jhD]A} |jh| jkdt|jB|jh| <Ct+j\|jht*j0d| d<|j$j)| td|jz |j$jmdt+jH|jz|jnd|j|j$jM|jt*j|d!d"g#}d!|dvrt|dd!d|_@nd |_@ttj|ddd|_Dtd$t+j,} t+jd|j$|j| _,t+j\t|jt*j0d%| d%<|j$j)| |jjd&rt jd'd(|_H|j$jttd)|j|j|jt|jjd*jd+|jd,}|D]\}}|t*jk(sJ|d-}td.|d-z|d/=|d0=tt j jt j jz|d%< |j$j3|td1|jz |j$jmd2t+jH|jz|jd|j|j$jMt*j|d!g#}d!|dvrt|dd!d|_Uy d |_Uy y #t*jp$rj} | jr\} }| t*jtk7r|jvjy|j|jz|jn Yd } ~ d } ~ wwxYw#t*jp$r.}|jr\} }| t*jk7rYd }~d }~wwxYw#t*jp$rm}|jr\} }| t*jtk7r|jvjyd3|jz|jz|j Yd }~d }~wwxYw)4z+add the various objects needed for the joinr*computer)r objectClass displaynamesamaccountnamerrzmsDS-SupportedEncryptionTypesrzmsDS-NeverRevealGroupzmsDS-RevealOnDemandGroup objectSidNrrrg)rr-rrserverReferencerTrUrrzmsDS-NC-Replica-LocationszmsDS-NC-RO-Replica-LocationsnTDSConnectionr,65)rr-enabledconnectionr fromServerzAdding SPNs to %sz $NTDSGUIDservicePrincipalNamezSetting account password for %sz((&(objectClass=user)(sAMAccountName=%s))F)force_change_at_next_loginusername) account_namer newpasswordzmsDS-KeyVersionNumberrrzEnabling accountrBIND9_zprovision_dns_add_samba.ldif utf-16-ler]) DNSDOMAINDOMAINDNHOSTNAME DNSPASS_B64DNSNAMErz#Adding DNS account %s with dns/ SPNclearTextPasswordisCriticalSystemObjectz#Setting account password for dns-%sz,(&(objectClass=user)(samAccountName=dns-%s))r)Vrrrrrrrr.r5rrDS_DOMAIN_FUNCTION_2008 ENC_ALL_TYPESr_rrrr r`rir=r<rnr8 from_dictr;r6rr@rSYSTEM_FLAG_CONFIG_ALLOW_RENAME%SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVErrrrrrrrmrrrrarrrr: FLAG_MOD_ADDrrr9rangerreplace setpasswordrrprqERR_UNWILLING_TO_PERFORMrf set_passwordrrorkey_version_numberr r r{new_dc_account_sidr startswithgenerate_random_passworddnspass parse_ldifr"rrrtrr$rcdecodeCHANGETYPE_NONEr4ERR_ENTRY_ALREADY_EXISTSdns_key_version_number)r specified_sidr>rrrforestpartzoner?attrie2num_rr{ changetyper6 dns_acct_dnre3s r8join_add_objectszDCJoinContext.join_add_objects\se ;; + + ,kk)"{{"%++&)#*@*@5::C_C_*_&`" 0C##uzz'I'II7:5::;S;S7T34%%7934}}#&==K %%#%K ##/2/C/C+,%%/1+,~~25.../%%24./#+M#:K ##&&#++5II$$S%8%8#++F   !6!6syy#sG[G[!\] , ){H cH 5 ==  " " $ == + - .mm'"5::#M#M#(::#S#S$T#(::#Q#Q$R S #0C{{),%& IIMM#  == CM  ;;  ":C A7::AD6Dxx=!00141A1A4IAdGII$$Q' (    ( + 1 11 2''/%+!nn .C IIMM#  ;; % 3 4 A66#))S[[1AD3sxx=) S!hhqk11+s3==?QR  S(+(:(:388;>;O;O;Q)SA$ % II  Q  3ckkA B @ %%&P(+(9(9#++(F'G&)mmAF/2{{ &<))"" 3>>*A*5*7#8C'#a&0),SV4K-LQ-O)P&)-&%/0@0@03A{0CA0F&HC " $ % A66#))S[[1AD&)&8&8S=S=S9T9<9M9M9M'OA" # II  Q  ?? % %h /88cBCK99''(9*Ec:dHK GJ{{GJzzJSTWT_T_TfTfgrTsJtJ{J{}CKDFIoo ;W)XYD $(  C!S%8%8888!$i ;c$iGH+,01,/ 0L0L05 0L0L1M-N()IIMM#& 0 7#**D E > %%&T(+(9(9#**(E'F&)kkAF/2{{ &<))"" 3>>*A)B#DC&#a&0-0Q8O1PQR1S-T*-1*k 07<< @77a#666$$#++1414%@@  @d|| vvHS!c:::;"<< >77a#666$$(SZZ2G1414%>>  >sLAh>j4Ak"j1Ajjk1#kk"m"5A"mm"c td|jzdt|jdtj i}t j|j|}|jdd|jz|j|j|j|jttjj tjj"z|d }|j$tjj&k\rt|j$|d<|j)}|j+||g}t-|d k7r t/d |d j0|_td |j4j7|jt9j:d |j2t<j>t<j@td|j4j7|jBt9j:d |j2t<j>t<j@y)zLadd the various objects needed for the join, for subdomains post replicationr*SubdomainAdmins-)name_mapcrossRefzCN=Cross-Ref,%s) rr-rnCNamerdnsRoot trustParentrntSecurityDescriptorrr^z"Expected 2 objects from DsAddEntryrzReplicating partition DN$00000000-0000-0000-0000-000000000000)exoprzReplicating NTDS DNN)"rrrrr}r DOMAIN_RID_ADMINSr+get_paritions_crossref_subdomain_descriptorr~rxrtrrparent_partition_dnrr.SYSTEM_FLAG_CR_NTDS_NCr rrrrqrr1guidrrepl replicaterrr DRSUAPI_EXOP_REPL_OBJDRSUAPI_DRS_WRIT_REPr)rr sd_binaryr>rec2rzs r8join_add_objects2zDCJoinContext.join_add_objects23s kC,,,-%#cjj/8C]C]'^_JJ3==ckl ""%/#--?kk??}}22uzz@@%**BgBggh$-     5::#E#E E+.s/C/C+DC' (##%..#t- w<1 !"FG G   () 3++99%KL== ' = =)0)E)E  G #$ 3;;99%KL== ' = =)0)E)E  Gr9c|td|jj}t|jt fid|d|j dtd|jd|jd|jd|jd |jd |jd |jd |jd |j d|j"ddd|j$d|jd|j&d|j(d|j*d|j,d|j.d|j0dd}td|j2z|j4|_|j|_|j8|_|j:|_|j<|j:_y)Provision the local SAM.zCalling bare provisionsmbconfrZ samdb_fillrrootdndomaindnrLconfigdnserverdnrhostname domainsidr serverrole"active directory domain controllersitenamerCntdsguidr[rr\r]r^ batch_modeTzProvision OK for domain DN %sN)rrC configfilerrXrrZrrrvrtrxrzrrrr}rrYrr[rr\r]r^rri local_samdbpathsnamesr~)rrpresults r8join_provisionzDCJoinContext.join_provision^s &'&&##CJJ(8 -' -&)mm -@H -PSPYPY -#&;; -9< -&)]] ->A]] -&)]] -|j@d|j |j,jB|j,jD|jF|jH|j:tJjLjNk\r|j:}d}t jQd#t jSddtdd}t jU d dl+m,}||jd}|j[|tJjLj\dt j_|rt jSddtd |j,jdzy#t0$rt!d|d dd zwxYw#t`$r'}t jct!d|zd}~wwxYw)!rzReconnecting to local samdbz#transaction_index_cache_size:200000F)rFrrGrCrNzFinding domain GUID from ncNamencNamezextended_dn:1:1zreveal_internals:0)rSrJrKrrrz*Can't find naming context on partition DN z in r]rz3Can't find GUID in naming master on partition DN %szGot domain GUID %szCalling own domain provisionrGrCr) dom_for_fun_levelrZrrrrChostiphostip6rrzdsdb:schema update allowedNyesz;Temporarily overriding 'dsdb:schema update allowed' settingT) DomainUpdate)fix)update_revisionzDomainUpdate() failed: %snozProvision OK for domain %s)3rrrrFrrCriset_invocation_idrrrrXrkrmrrnror1rrr9rget_extended_componentr domainguidKeyErrorrrsecretsrrrZrrr r rrrr.DS_DOMAIN_FUNCTION_2012rsettransaction_startsamba.domain_updater check_updates_functional_levelrtransaction_commitrtransaction_cancelr)rr secrets_ldb adprep_levelupdates_allowed_overriddenr rrs r8join_provision_own_domainz'DCJoinContext.join_provision_own_domain{sP +,coo11B"D'5'7 __//(- / ##C(9(9$:;)) 9:oo$$#*:*:#..YaXb/@BV.W%Y 3q6 !!Z]ZjZjlolululyly"z{ { o#&tyy 3q6(CSTUCVC]C]^dCe1f1}1}E2F(G$HCII  ,syy/C/CCD 67#))++.:JsvvV s zz399cii),)=)=!$>#&===a&&)9)9399CTCT#&??cmm  M   5::#E#E E//L). &vv23;3U;ST-1*  # # % G<%coo4@55l6;jj6X6XFJ6L((* *3T: *SYY-@-@@AW o!"WZ]^_Z`aiZjklZm"mn n oH G((*%&AA&EFF Gs&A2O"P  P%ctjd|jd|d|j||j|j Sz2Creates a new DRS object for managing replicationsrrr)r drs_ReplicatergrCrr)r repl_credsrs r8create_replicatorzDCJoinContext.create_replicators:&&),_E COOS5F5FH Hr9c |jjd|jj t j |j j}|j/tdt j tj}n |j}|jrqt}|j|j|j!t"|j%|j&|j)|j*n |j,}d}|jj/dk\r|dz }|j1||}|j3|j4||d|j|j6|j3|j8|||j|j6 |j:std  |j3|j<|||j|j>tj@z |j>tj@zs5 |j3|j<|||j|j> td|jL|jNfD]R}||jPvstdtS|z|j3||||j|j6 T|jr]|j3|jT||tjVd|j3|jX||tjVdn:|jZ. |j3|jZ||tj\||_3||_4||_5|jjd|j>tj@zs*|jjmtnjpd|jjs|jjmtnjpd |jjd|jwy#tB$rH}|jDd tFjHk(r|jjKd nYd}~d}~wwxYw#tB$r^}|jDd tFjHk(r8|j>tj@zr|jjKd d}~wwxYw#t^j`$rR}|jD\} } | tjbk(r$td|jdztdnYd}~d}~wwxYw#|jjuxYw)zReplicate the SAM.zStarting replicationNzUsing DS_BIND_GUID_W2K3rBrCrDT)schemarodcr)r(rz;Replicating critical objects from the base DN of the domainrzFirst pass of replication with DRSUAPI_DRS_CRITICAL_ONLY not possible due to a missing parent object. This is typical of a Samba 4.5 or earlier server. We will replicate all the objects instead.zReplication with DRSUAPI_DRS_CRITICAL_ONLY failed due to a missing parent object. This may be a Samba 4.5 or earlier server and is not compatible with --critical-onlyz5Done with always replicated NC (base, config, schema)zReplicating %s)rr()rzdWARNING: Unable to replicate own RID Set, as server %s (the server we joined) is not the RID Master.zxNOTE: This is normal and expected, Samba will be able to create users after it contacts the RID Master at first startup.z1Committing SAM database - this may take some timerzCommitted SAM database) D$*c"g67NN2'?#7chh141B1B#D Dxxs{{,D3$+$D$D4Qs002J3$+$D$D4Q##/ NN3#5#57O#7(/(K(K#MCH+CC (';C $ JJOOO P++g.O.OO2243h3h346 OO . . 0 OO . .t/d/d/0 2 JJOO4 5 ""$C# vvayF$E$EE **,XYY 4'66!9(I(II33g6W6WWJJ..0\]F,,#%77LT4wFFFEHKHRHRRSYZZ   OO . . 0 sF3V*+AR0V*4S4V*7B8V*0-U0V* S =S V*SV* T?!AT::T??V*V'AV"V*"V''V**Wc |jjtjgy#tj$r}|j \}}|tj k(rad|vsd|vrY|jjdtd|jzt|j|j|_n t|Yd}~yd}~wwxYw)NrI!NT_STATUS_CONNECTION_DISCONNECTEDNT_STATUS_CONNECTION_RESETz)LDB connection disconnected. ReconnectingrDrE)rirmrnrorprqERR_OPERATIONS_ERRORrXr/rrgrrBrCr1)rrrrs r8r8z$DCJoinContext.refresh_ldb_connection^s , II  3>>  <|| ,66LT40004<-5 ""#NO!kCJJ&>/=/?.1iiCFFD &d++  ,s+.CBCCctj}tj|_t ||j_t jd|j_tjd|j_ |j|_ t |jd|j|_tj tj"z|_|j&s#|xj$tj(zc_|j|j+|jj-|j.d|y)NrzS-0-0z._msdcs.r)r DsReplicaUpdateRefsRequest1r`naming_contextrrrrrrr r{rr dest_dsa_guidrdest_dsa_dns_nameDRSUAPI_DRS_ADD_REFDRSUAPI_DRS_DEL_REFrrrrJDsReplicaUpdateRefsrG)rrrs r8send_DsReplicaUpdateRefsz&DCJoinContext.send_DsReplicaUpdateRefsps  / / 1"<<>!"g $ *P Q'//8--03CMM0BCMMR//'2M2MM xx II55 5I ;;     ! ''(:(:AqAr9c  tj}tjtjz}|j}d|j z}|j }t|j}|d|}tj|j|j}|jjdt|||fzd} tjd|j d| d|j|j"} d} t%j&|j(} t+j,} |j.| _t+j2d t|j4t*j6fz| _ | j;|d |j ||d t<j>|d d \}}| rjHD]}|jJD]z}|jLt<jNk(s|jLt<jPk(s>tjR}||_$ | jU|d |j ||d |||D]}|jWd dk7r0|jjd|d|d|tY|}n/|jjd|d|d|t[|}tjR}||_$| jU|d |j |||d t|d kDrt]j^|j(|j`}|j(jc|d||\|_2}| jg|jd| dt*jht*jjzzg|jjd|d|d|tjR}tm|}||_$| jU|d |j |||d t]j^|j(|jn}|j(jc|d||\|_8}| jg|jp| dt*jht*jjzzg|jjdy #t@$r-}|jBd tDjFk(rd } Yd }~Cd }~wwxYw#t@$r-}|jBd tDjFk(rnYd }~_d }~wwxYw)aRemotely Add a DNS record to the target DC. We assume that if we replicate DNS that the server holds the DNS roles and can accept updates. This avoids issues getting replication going after the DC first starts as the rest of the domain does not have to wait for samba_dnsupdate to run successfully. Specifically, we add the records implied by the DsReplicaUpdateRefs call above. We do not just run samba_dnsupdate as we want to strictly operate against the DC we just joined: - We do not want to query another DNS server - We do not want to obtain a Kerberos ticket (as the KDC we select may not be the DC we just joined, and so may not be in sync with the password we just set) - We do not wish to set the _ldap records until we have started - We do not wish to use NTLM (the --use-samba-tool mode forces NTLM) z _msdcs.%srOz&Adding %d remote DNS records for %s.%srrrrTz%s-%drNF:zAdding DNS AAAA record z for IPv6 IP: zAdding DNS A record z for IPv4 IP: ) dns_partitionz sd_flags:1:%drzAdding DNS CNAME record z for z_All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup)9rDNS_CLIENT_VERSION_LONGHORNDNS_RPC_VIEW_AUTHORITY_DATADNS_RPC_VIEW_NO_CHILDRENrrrrrrr interface_ipsrCrrXrkrrgrBr'SDUtilsrir rr owner_sidr{r}DOMAIN_RID_DCS group_sidDnssrvEnumRecords2r DNS_TYPE_ALLr%rqr#"WERR_DNS_ERROR_NAME_DOES_NOT_EXISTr>recordswType DNS_TYPE_A DNS_TYPE_AAAADNS_RPC_RECORD_BUFDnssrvUpdateRecord2findr)r(rnr9r dns_lookuprmodify_sd_on_dn SECINFO_OWNER SECINFO_GROUPr*rr)rclient_version select_flagsr msdcs_zoner msdcs_cname cname_targetIPsrdns_conn name_found sd_helperchange_owner_sdbuflenrrr>record del_rec_bufIP add_rec_bufdomaindns_zone_dn ldap_recordforestdns_zone_dns r8join_add_dns_recordsz"DCJoinContext.join_add_dns_recordss0#>> <<  . ./ }} 3==0 zz#--( "&- !!#&&#*;*;< @S4./ 0!&& O'\'*vvsyy: $$SYY/ "--/$'$:$:!$,$4$4W69#**o6>6M6M6O6O%P!  #--n./.1jj.2.2.2.2.?.?.:.2.2 4 VS ww &!kk&F||t6||t'9'99&/&B&B&D *0  &$889:9<9=9=9=9D F& &* /Bwws|r! #'r!34 n #'r!34bk$668K!KO  ( ()*),)-)-)4)-  / /* HqL #syy#2D2D E ))&&$'=5F'H (S\;  % %cllO0?3;3I3I5=5K5K4L1M0N & O JJOO*J F G$668Kl+C!KO  ( ()*),)3)4)4)-  /!$syy#2D2D E ))&&+z'J5F'H ,S {  % %c&6&60?3;3I3I5=5K5K4L1M0N & O K Lk #vvayFEEE"  #( +& vvayF,U,UU $ %!%&s05S:!T T "TT  U"T??Uc <|j|jfD]}||jvs|jj dt |z|j j||j|j|j|jdy)Nz!Replicating new DNS records in %sF)r(r full_sync) rrrarXrkrrrrr4rrr)rrs r8join_replicate_new_dns_recordsz,DCJoinContext.join_replicate_new_dns_recordss%%s'9'9: 4BS[[   Cs2w OP""2s'C'C#&==sxx141B1B-2#4 4r9c 6|jjd|jD]}|j||jr"t d|j jt|j|j jd|jtj}tj|j d|jz|_tj"t%|jtj&d|d<|j j)||j j+|j dd|jjdtj}tj|j d|_tj"d tj&d |d <|j,}tj"d t|ztj&d |d <|j j)||j.ry t1|j2j4t7|j8}|jjdt;||j<|j>|j@|jB|jD|jF|jH|jJ |jLjOdr{tQ|j ||jR|j2|j8|j|jL|jT|j|jV|jX y y )z=Finalise the join, mark us synchronised and setup secrets db.z=Sending DsReplicaUpdateRefs for all the replicated partitionszSetting RODC invocationIddomainFunctionalityz%srr(Setting isSynchronized and dsServiceName@ROOTDSEr,isSynchronized dsServiceNameNrzSetting up secrets database)rrr netbiosnamerrsecure_channel_typerr)rros_levelrZr)-rXrkrarGrrrrrrrr6rrnr8r9rrr:r r;r<"set_attribute_replmetadata_versionrrrrrrrCrrrrrr}rrrrrr!rrrZr)rrr?rrs r8 join_finalisezDCJoinContext.join_finalise#s WX++ -B  ( ( , - 88 - . OO - -c#2C2C.D E OO . ./D/2/C/C E A66#//4#+++=>AD # 2 28C >qtt?M?@ B BC KKMvvcooz2!009M9MO_` }} // c$i0G030D0DoW/ q! == #))++.:JsvvV  56K"%))&)mm(+ &)jj(+ 030G0G/2/E/E G ?? % %h / COO[IIsyy#&&#**(+$'KK#:N:N&)mm/2/I/I  K 0r9c P td|jzd}tjd|jd|d|j|j }tj }tj|_|jdjd|tj}tj}|j|j_|j|j"_|j$|_tj(tj*z|_tj.|_tj2|_ tj6}|j|_|j9||tj:}td|jd|j<j&d |j?||j<j&tC|jDjGd }tIjJ} tM|| _'|| _(tIjR} tUjVtYt[jZ| _.tj^| _0| | _1tIjd} d | _3| g| _4tIjj} d | _3| | _6tIjn} d gd z}tqd D]}tsjtdd||<|| _;| | _<| | _=t}| }t|j|}tj}tM||_'tC||_Btj}||_D|j|||tj}d|jd|jdt|j0t|j4t|j,|j|jt}| t}| t}|jd }|jj|d|jd|jdttTjj|jDjGd d|jzd}|jj|y#t@$rY(wxYw)zprovision the local SAM.z"Setup domain trusts with server %srz ncacn_np:rrzutf-8zRemoving old trust record for  (SID )rrr_irrzcn=z ,cn=system, trustedDomain) rr- trustTypetrustAttributestrustDirectionflatname trustPartnertrustAuthIncomingtrustAuthOutgoingsecurityIdentifierz $,cn=users,r+rM)rr-rrr2N)PrrgrrrCrBrrrrrr rTrustDomainInfoInfoExrrrrr}rLSA_TRUST_DIRECTION_INBOUNDLSA_TRUST_DIRECTION_OUTBOUNDtrust_directionLSA_TRUST_TYPE_UPLEVEL trust_type!LSA_TRUST_ATTRIBUTE_WITHIN_FORESTtrust_attributesrrrrrrtr trustdom_passrcr AuthInfoClearrsizepasswordAuthenticationInformationr unix2nttimertimeLastUpdateTimeTRUST_AUTH_TYPE_CLEARAuthTypeAuthInfoAuthenticationInformationArraycountarraytrustAuthInOutBlobcurrenttrustDomainPasswordsrrandomrandint confounderoutgoingincomingr r session_key DATA_BUF2dataTrustDomainInfoAuthInfoInternal auth_blobCreateTrustedDomainEx2SEC_STD_DELETErrtrrrr~rr6r.UF_INTERDOMAIN_TRUST_ACCOUNT)rrrrrrkoldnameoldinfo password_blob clear_value clear_authentication_information authentication_information_arrayr trustpassrrtrustpass_blobencrypted_trustpassr auth_infotrustdom_handler>s r8join_setup_trustszDCJoinContext.join_setup_trustsks 2SZZ?@**#**oN VVSYY0((*  [[] ((7);)3X5V5VX ((*"%--#&?? ::">>AaAaa44 # E E jjlG ]]GN:::w;>;`;`bG PWP_P_PcPcd e  ' ' GOO4G4G H-S->->-E-Ek-RS ,,. }- , +3+M+M+O(:?:K:KCPTPYPYP[L\:](7474M4M(14?(1+3+R+R+T(12(.2R1S(...0;113 S3Y s 3A"NN1c2JqM 3 * % % !),-g.A.A>RMMO 01 -.AB 779 ' !889=9B9A9P9PR +.--E*T__-"4#8#89!$"6"67..MM!)(!3!)(!3"*3=="9   C +.*@*@#++N!"%ejj&M&M"N!$!2!2!9!9+!F#c&<&<<   C M   s BT T%$T%c|j|jg|_|j|j|jg|_|j r0|j dk7r!|xj|jgz c_y|j s|xj|jgz c_|j dk7r|xj|jgz c_|xj|jgz c_|xj|jgz c_|xj|jgz c_yyy)NrW) rzrxrartrbrrrrrRs r8build_nc_listszDCJoinContext.build_nc_listss }}cmm4 KK F ==S__6   !3!3 4 4  KKCKK= (K&(  2 233   2 233   S%7%7$88   S%7%7$88 )r9cZ|j|jr|jn|j |j |j |j |jr0|j|j|j|jdk7r |j|j|jy# tdn#t $rYnwxYw|j#|jxYw)NrWzJoin failed - cleaning up)rr_rrrrr:rrr rrrtrwrrIOErrorr8rRs r8do_joinzDCJoinContext.do_joins      "  "   "       }}%%'--/%%'&(((*224      12    & & (  " s0B+C++D*. C:9D*: DD*D$D*)NNNNNNNNNFNFFNNN)FN)'r:r;r<__doc__r4rrrrrlrjrrrrr!r%rr@rJrSr[rqrrrrrr r%r:r8rGrtrwrrrrr9r8r@r@>sJN;?@D;@#$($( U"n 3Sj-.^(& *6---N ;:`1 AF.` hU2n)GV,:FBPH S%j,$B"WLr4FKPc!J9* r9r@ct||||||||| | | | | ||}|jd|j|jd|jz|jd|j|jd|jzd|j d|j |_d|jd tjd d tjzd tjzd tjzd tjzg|_d|jd tj d |_|j%}d |z}||_t(j*j,t(j*j.zt(j*j0z|_|j4j7d |j zd |j8zgd |j:z|_t>j@|_!d|_"|xjFtHjJtHjLzzc_#|jF|_'|r#|xjNtHjPzc_'|jS|jd|jd|jdy)zJoin as a RODC.r]r^ workgroupworkgroup is %sr realm is %sz CN=krbtgt_r3zzzRestrictedKrbHost/%szCN=RODC Connection (FRS),%sTJoined domain rz ) as an RODCN)*r@rrrkrrrtrr}r DOMAIN_RID_RODC_DENYSID_BUILTIN_ADMINISTRATORSSID_BUILTIN_SERVER_OPERATORSSID_BUILTIN_BACKUP_OPERATORSSID_BUILTIN_ACCOUNT_OPERATORSrDOMAIN_RID_RODC_ALLOWrr%rrr.r)UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATIONUF_PARTIAL_SECRETS_ACCOUNTrrextendrrrr SEC_CHAN_RODCrrrr %DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING$DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIPr,r-r)rXrgrBrCrYrrZrdomain_critical_onlyrr[rr_r\r]r^rmysidadmin_dns r8 join_RODCrs# r4!6; ;(*;&3+=  ?C FF;( KK!COO34FF7CII KK  )*25**ckkJCMX%B%BCX888X:::X:::X;;; =C '*jj(2P2PQCN MMOEE!HCM#jjEE#jjRRS#jjCCDCHHOO+cjj8+coo=?@6 CC"00CCH'GG!FFGH"00C   G$E$EE KKM KK#//3::VWr9cZt||||||||| | | | | ||}|jd|j|jd|jz|jd|j|jd|jzt j jt j jz|_ |jjd|jztj|_|xj t"j$t"j&zzc_|j |_|r#|xj(t"j*zc_|j-|jd|jd|j.d y ) z Join as a DC.rrrrrz1E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/%srrz ) as a DCN)r@rrrkrrr.rUF_TRUSTED_FOR_DELEGATIONrrrerr SEC_CHAN_BDCrrr r!DRSUAPI_DRS_FULL_SYNC_IN_PROGRESSr,r-rr})rXrgrBrCrYrrZrrrr[rr_r\r]r^rs r8join_DCr@s> r4!6; ;(*;&3+=  ?C FF;( KK!COO34FF7CII KK  )*"ZZ??%**BfBffCHHOOG#--WX"//C'66!CCDE"00C   G$E$EE KKM KKs STr9c t||||||||||  } |jd| j|jd| jz|jd| j|jd| jz| j |jd| jd| j d| S) z%Creates a local clone of a remote DC.)rZrrinclude_secretsr]r^rrrrzCloned domain rr)DCCloneContextrrrkrrr}) rXrgrBrCrZrrrr]r^rs r8 join_clonerbs i &K)8'4,>  @C FF;( KK!COO34FF7CII KK  )*KKM KKs KL Jr9c8eZdZdZ dfd ZdZdZxZS)rzClones a remote DC.c tt| |||||||| |  d|_d|_d|_|j jdd|_d|_ d|_ |jj|_ |xjtj tj"zzc_|s#|xjtj$zc_|j|_y)N)rZrrr]r^rOr)r3rr4rrrrgsplitrrrri get_ntds_GUIDremote_dc_ntds_guidrr rrrr,) rrXrgrBrCrZrrrr]r^r7s r8r4zDCCloneContext.__init__{s nc+FFE26?8C:G?Q , S   ZZ%%c*1-  !#&))"9"9"; g::%GGH I   !N!N N ##4 r9c|jjdtj}tj|j d|_tjdtjd|d<|j}tjdt|ztjd|d<|j j|y)Nrzr{r,r|r}r~) rXrkrnr8r9rrr:r;rrrr<)rr?rs r8rzDCCloneContext.join_finalises BC KKMvvcooz2!009M9M1AC && // c$i0G030D0D0?A/ q!r9c|j|j|j|jyr)rrr:rrRs r8rzDCCloneContext.do_joins4    r9) NNNNNNNFNN)r:r;r<rr4rrr=r>s@r8rrxs!?C:>6:$(56 "r9rcBeZdZdZ dfd ZdZdZdZdZxZ S)DCCloneAndRenameContextz6Clones a remote DC, renaming the domain along the way.c htt| |||||| | | |  ||_||_||_y)N)rZrrrr])r3rr4 new_base_dnnew_domain_name new_realm)rrrrrXrgrBrCrZrrrr]r7s r8r4z DCCloneAndRenameContext.__init__sJ %s4VVUB?Hs@r8rrs*@FJJNGK " L D"r9r)NNNNNNNNFNFNFFNN) NNNNNNFrWNN)Pr samba.authr samba.samdbrrrrrrr rnr samba.ndrr r samba.dcerpcr r rrrrrr samba.dsdbrsamba.credentialsrrsamba.provisionrrrrrrsamba.provision.commonr samba.schemarr samba.netr samba.provision.sambadnsr!r"r#base64r$r%r&r'samba.dnsserverr(r)r*loggingrrr rr collectionsr+ samba.commonr, samba.netcmdr-r.r/rr1rmr@rrrrrrr9r8r!s&%OO *UUU.<DD-4#,<< ##%(MiM GFGT.VZ@E=A8= !% 5XpTX>C;?6;# UD9=