2018-12-11 02:23:17 +03:00
#!/usr/bin/env python3
2011-11-03 21:39:53 +04:00
#
# Compute our KCC topology
#
# Copyright (C) Dave Craft 2011
2015-03-13 06:40:11 +03:00
# Copyright (C) Andrew Bartlett 2015
#
# Andrew Bartlett's alleged work performed by his underlings Douglas
# Bagnall and Garming Sam.
2011-11-03 21:39:53 +04:00
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import sys
import random
# ensure we get messages out immediately, so they get in the samba logs,
# and don't get swallowed by a timeout
os.environ['PYTHONUNBUFFERED'] = '1'
# forcing GMT avoids a problem in some timezones with kerberos. Both MIT
# heimdal can get mutual authentication errors due to the 24 second difference
# between UTC and GMT when using some zone files (eg. the PDT zone from
# the US)
os.environ["TZ"] = "GMT"
# Find right directory when running from source tree
sys.path.insert(0, "bin/python")
import optparse
2015-06-04 02:19:56 +03:00
import time
2015-03-13 04:36:05 +03:00
2015-06-04 02:19:56 +03:00
from samba import getopt as options
2015-04-01 03:46:32 +03:00
2015-06-04 02:16:15 +03:00
from samba.kcc.graph_utils import verify_and_dot, list_verify_tests
from samba.kcc.graph_utils import GraphError
2015-03-13 04:36:05 +03:00
2015-06-04 02:19:56 +03:00
import logging
2015-06-04 02:16:15 +03:00
from samba.kcc.debug import logger, DEBUG, DEBUG_FN
2015-06-04 02:19:56 +03:00
from samba.kcc import KCC
2015-03-13 04:36:05 +03:00
2015-06-17 07:38:29 +03:00
# If DEFAULT_RNG_SEED is None, /dev/urandom or system time is used.
DEFAULT_RNG_SEED = None
2015-03-13 04:36:05 +03:00
2015-06-23 07:38:29 +03:00
def test_all_reps_from(kcc, dburl, lp, creds, unix_now, rng_seed=None,
ldif_file=None):
2015-05-07 01:33:29 +03:00
"""Run the KCC from all DSAs in read-only mode
The behaviour depends on the global opts variable which contains
command line variables. Usually you will want to run it with
opt.dot_file_dir set (via --dot-file-dir) to see the graphs that
would be created from each DC.
:param lp: a loadparm object.
:param creds: a Credentials object.
:param unix_now: the unix epoch time as an integer
:param rng_seed: a seed for the random number generator
:return None:
"""
2015-06-04 02:19:56 +03:00
# This implies readonly and attempt_live_connections
2015-03-19 04:26:16 +03:00
dsas = kcc.list_dsas()
2015-06-17 07:38:29 +03:00
samdb = kcc.samdb
2015-03-26 07:50:42 +03:00
needed_parts = {}
current_parts = {}
guid_to_dnstr = {}
for site in kcc.site_table.values():
guid_to_dnstr.update((str(dsa.dsa_guid), dnstr)
for dnstr, dsa in site.dsa_table.items())
dot_edges = []
dot_vertices = []
colours = []
2015-03-27 05:37:17 +03:00
vertex_colours = []
2015-03-26 07:50:42 +03:00
2015-03-27 05:38:04 +03:00
for dsa_dn in dsas:
2015-06-17 07:38:29 +03:00
if rng_seed is not None:
2015-04-08 04:40:53 +03:00
random.seed(rng_seed)
2015-06-04 02:19:56 +03:00
kcc = KCC(unix_now, readonly=True,
verify=opts.verify, debug=opts.debug,
2015-04-30 01:39:54 +03:00
dot_file_dir=opts.dot_file_dir)
2015-06-23 07:38:29 +03:00
if ldif_file is not None:
try:
# The dburl in this case is a temporary database.
# Its non-existence is ensured at the script startup.
# If it exists, it is from a previous iteration of
# this loop -- unless we're in an unfortunate race.
# Because this database is temporary, it lacks some
# detail and needs to be re-created anew to set the
# local dsa.
os.unlink(dburl)
except OSError:
pass
kcc.import_ldif(dburl, lp, ldif_file, dsa_dn)
else:
kcc.samdb = samdb
kcc.run(dburl, lp, creds, forced_local_dsa=dsa_dn,
2015-03-25 07:47:59 +03:00
forget_local_links=opts.forget_local_links,
2015-06-04 02:19:56 +03:00
forget_intersite_links=opts.forget_intersite_links,
attempt_live_connections=opts.attempt_live_connections)
2015-04-10 07:17:28 +03:00
2015-03-19 04:26:16 +03:00
current, needed = kcc.my_dsa.get_rep_tables()
2015-04-10 07:17:28 +03:00
for dsa in kcc.my_site.dsa_table.values():
if dsa is kcc.my_dsa:
continue
kcc.translate_ntdsconn(dsa)
c, n = dsa.get_rep_tables()
current.update(c)
needed.update(n)
2015-05-20 03:28:17 +03:00
for name, rep_table, rep_parts in (
('needed', needed, needed_parts),
('current', current, current_parts)):
2015-03-26 07:50:42 +03:00
for part, nc_rep in rep_table.items():
edges = rep_parts.setdefault(part, [])
for reps_from in nc_rep.rep_repsFrom:
source = guid_to_dnstr[str(reps_from.source_dsa_obj_guid)]
dest = guid_to_dnstr[str(nc_rep.rep_dsa_guid)]
edges.append((source, dest))
for site in kcc.site_table.values():
for dsa in site.dsa_table.values():
2015-03-27 05:37:17 +03:00
if dsa.is_ro():
vertex_colours.append('#cc0000')
else:
vertex_colours.append('#0000cc')
2015-03-26 07:50:42 +03:00
dot_vertices.append(dsa.dsa_dnstr)
2015-04-02 01:15:58 +03:00
if dsa.connect_table:
DEBUG_FN("DSA %s %s connections:\n%s" %
(dsa.dsa_dnstr, len(dsa.connect_table),
2015-04-09 06:02:00 +03:00
[x.from_dnstr for x in
dsa.connect_table.values()]))
2015-03-26 07:50:42 +03:00
for con in dsa.connect_table.values():
if con.is_rodc_topology():
colours.append('red')
else:
colours.append('blue')
dot_edges.append((con.from_dnstr, dsa.dsa_dnstr))
2015-03-27 05:37:17 +03:00
verify_and_dot('all-dsa-connections', dot_edges, vertices=dot_vertices,
label="all dsa NTDSConnections", properties=(),
2015-04-30 01:39:54 +03:00
debug=DEBUG, verify=opts.verify,
dot_file_dir=opts.dot_file_dir,
2015-04-01 03:46:32 +03:00
directed=True, edge_colors=colours,
vertex_colors=vertex_colours)
2015-03-27 05:37:17 +03:00
2015-04-01 03:46:32 +03:00
for name, rep_parts in (('needed', needed_parts),
('current', current_parts)):
2015-03-26 07:50:42 +03:00
for part, edges in rep_parts.items():
2015-04-14 05:35:15 +03:00
verify_and_dot('all-repsFrom_%s__%s' % (name, part), edges,
2015-04-01 03:46:32 +03:00
directed=True, label=part,
2015-03-26 07:50:42 +03:00
properties=(), debug=DEBUG, verify=opts.verify,
2015-04-30 01:39:54 +03:00
dot_file_dir=opts.dot_file_dir)
2015-03-26 07:50:42 +03:00
2011-11-03 21:39:53 +04:00
##################################################
2011-11-07 02:55:01 +04:00
# samba_kcc entry point
2011-11-03 21:39:53 +04:00
##################################################
2015-06-04 02:19:56 +03:00
2012-03-04 04:05:23 +04:00
parser = optparse.OptionParser("samba_kcc [options]")
2011-11-03 21:39:53 +04:00
sambaopts = options.SambaOptions(parser)
2012-03-04 04:05:23 +04:00
credopts = options.CredentialsOptions(parser)
2011-11-03 21:39:53 +04:00
parser.add_option_group(sambaopts)
parser.add_option_group(credopts)
parser.add_option_group(options.VersionOptions(parser))
2015-03-12 00:25:03 +03:00
parser.add_option("--readonly", default=False,
2012-03-04 04:05:23 +04:00
help="compute topology but do not update database",
2011-12-04 21:08:56 +04:00
action="store_true")
2012-01-11 18:11:35 +04:00
2012-03-04 04:05:23 +04:00
parser.add_option("--debug",
help="debug output",
2012-01-11 18:11:35 +04:00
action="store_true")
2015-03-11 03:53:38 +03:00
parser.add_option("--verify",
help="verify that assorted invariants are kept",
action="store_true")
2015-03-12 00:19:51 +03:00
parser.add_option("--list-verify-tests",
2015-04-01 03:46:32 +03:00
help=("list what verification actions are available "
"and do nothing else"),
2015-03-12 00:19:51 +03:00
action="store_true")
2015-04-30 01:39:54 +03:00
parser.add_option("--dot-file-dir", default=None,
help="Write Graphviz .dot files to this directory")
2015-03-11 03:53:38 +03:00
2012-03-04 04:05:23 +04:00
parser.add_option("--seed",
help="random number seed",
2015-06-17 07:38:29 +03:00
type=int, default=DEFAULT_RNG_SEED)
2012-01-11 18:11:35 +04:00
2012-03-04 04:05:23 +04:00
parser.add_option("--importldif",
help="import topology ldif file",
2012-01-11 18:11:35 +04:00
type=str, metavar="<file>")
2012-03-04 04:05:23 +04:00
parser.add_option("--exportldif",
help="export topology ldif file",
2012-01-11 18:11:35 +04:00
type=str, metavar="<file>")
2015-04-01 03:46:32 +03:00
parser.add_option("-H", "--URL",
2012-03-04 04:05:23 +04:00
help="LDB URL for database or target server",
2012-01-11 18:11:35 +04:00
type=str, metavar="<URL>", dest="dburl")
2012-03-04 04:05:23 +04:00
parser.add_option("--tmpdb",
help="schemaless database file to create for ldif import",
2012-01-11 18:11:35 +04:00
type=str, metavar="<file>")
2011-11-03 21:39:53 +04:00
2015-03-05 01:40:55 +03:00
parser.add_option("--now",
2015-04-01 03:46:32 +03:00
help=("assume current time is this ('YYYYmmddHHMMSS[tz]',"
" default: system time)"),
2015-03-05 01:40:55 +03:00
type=str, metavar="<date>")
2015-04-23 02:44:12 +03:00
parser.add_option("--forced-local-dsa",
help="run calculations assuming the DSA is this DN",
type=str, metavar="<DSA>")
2015-03-18 04:24:07 +03:00
parser.add_option("--attempt-live-connections", default=False,
help="Attempt to connect to other DSAs to test links",
action="store_true")
2015-03-18 08:24:52 +03:00
parser.add_option("--list-valid-dsas", default=False,
2015-04-01 03:46:32 +03:00
help=("Print a list of DSA dnstrs that could be"
" used in --forced-local-dsa"),
2015-03-18 08:24:52 +03:00
action="store_true")
2015-03-19 04:26:16 +03:00
parser.add_option("--test-all-reps-from", default=False,
help="Create and verify a graph of reps-from for every DSA",
action="store_true")
2015-03-25 07:47:59 +03:00
parser.add_option("--forget-local-links", default=False,
help="pretend not to know the existing local topology",
action="store_true")
parser.add_option("--forget-intersite-links", default=False,
help="pretend not to know the existing intersite topology",
action="store_true")
2015-03-19 04:26:16 +03:00
2011-11-03 21:39:53 +04:00
opts, args = parser.parse_args()
2015-03-19 00:42:37 +03:00
2015-03-12 00:19:51 +03:00
if opts.list_verify_tests:
list_verify_tests()
sys.exit(0)
2012-01-11 18:11:35 +04:00
2015-06-17 07:38:29 +03:00
if opts.test_all_reps_from:
opts.readonly = True
2011-11-03 21:39:53 +04:00
if opts.debug:
logger.setLevel(logging.DEBUG)
2012-01-11 18:11:35 +04:00
elif opts.readonly:
logger.setLevel(logging.INFO)
2011-11-03 21:39:53 +04:00
else:
logger.setLevel(logging.WARNING)
2015-06-17 07:38:29 +03:00
random.seed(opts.seed)
2011-11-03 21:39:53 +04:00
2015-03-05 01:40:55 +03:00
if opts.now:
for timeformat in ("%Y%m%d%H%M%S%Z", "%Y%m%d%H%M%S"):
try:
now_tuple = time.strptime(opts.now, timeformat)
break
except ValueError:
pass
else:
# else happens if break doesn't --> no match
2018-09-27 20:15:49 +03:00
print("could not parse time '%s'" % (opts.now), file = sys.stderr)
2015-03-05 01:40:55 +03:00
sys.exit(1)
unix_now = int(time.mktime(now_tuple))
else:
unix_now = int(time.time())
2015-03-19 00:42:37 +03:00
lp = sambaopts.get_loadparm()
2019-06-06 02:40:08 +03:00
# only log warnings/errors by default, unless the user has specified otherwise
if opts.debug is None:
lp.set('log level', '1')
2015-03-19 00:42:37 +03:00
creds = credopts.get_credentials(lp, fallback_machine=True)
if opts.dburl is None:
2015-06-23 07:38:29 +03:00
if opts.importldif:
opts.dburl = opts.tmpdb
else:
opts.dburl = lp.samdb_url()
elif opts.importldif:
logger.error("Don't use -H/--URL with --importldif, use --tmpdb instead")
sys.exit(1)
2015-03-19 00:42:37 +03:00
2015-03-19 04:22:42 +03:00
# Instantiate Knowledge Consistency Checker and perform run
2015-06-04 02:19:56 +03:00
kcc = KCC(unix_now, readonly=opts.readonly, verify=opts.verify,
2015-04-30 01:39:54 +03:00
debug=opts.debug, dot_file_dir=opts.dot_file_dir)
2015-06-04 02:19:56 +03:00
2012-01-11 18:11:35 +04:00
if opts.exportldif:
rc = kcc.export_ldif(opts.dburl, lp, creds, opts.exportldif)
sys.exit(rc)
if opts.importldif:
if opts.tmpdb is None or opts.tmpdb.startswith('ldap'):
2015-04-01 03:46:32 +03:00
logger.error("Specify a target temp database file with --tmpdb option")
2012-01-11 18:11:35 +04:00
sys.exit(1)
2015-06-23 07:38:29 +03:00
if os.path.exists(opts.tmpdb):
logger.error("The temp database file (%s) specified with --tmpdb "
"already exists. We refuse to clobber it." % opts.tmpdb)
sys.exit(1)
2012-01-11 18:11:35 +04:00
2015-06-23 07:38:29 +03:00
rc = kcc.import_ldif(opts.tmpdb, lp, opts.importldif,
2015-04-30 05:35:18 +03:00
forced_local_dsa=opts.forced_local_dsa)
2012-01-11 18:11:35 +04:00
if rc != 0:
sys.exit(rc)
2011-12-04 21:08:56 +04:00
2015-06-22 07:38:29 +03:00
kcc.load_samdb(opts.dburl, lp, creds, force=False)
2015-06-17 07:38:29 +03:00
if opts.test_all_reps_from:
2015-06-23 07:38:29 +03:00
test_all_reps_from(kcc, opts.dburl, lp, creds, unix_now,
rng_seed=opts.seed,
ldif_file=opts.importldif)
2015-06-17 07:38:29 +03:00
sys.exit()
2015-03-18 08:24:52 +03:00
if opts.list_valid_dsas:
2018-09-27 20:15:49 +03:00
print('\n'.join(kcc.list_dsas()))
2015-03-18 08:24:52 +03:00
sys.exit()
2015-03-18 04:23:21 +03:00
try:
2015-03-25 07:47:59 +03:00
rc = kcc.run(opts.dburl, lp, creds, opts.forced_local_dsa,
2015-06-04 02:19:56 +03:00
opts.forget_local_links, opts.forget_intersite_links,
attempt_live_connections=opts.attempt_live_connections)
2015-03-18 04:23:21 +03:00
sys.exit(rc)
2018-02-14 00:33:06 +03:00
except GraphError as e:
2018-09-27 20:15:49 +03:00
print( e)
2015-03-18 04:23:21 +03:00
sys.exit(1)