2018-12-11 12:23:17 +13:00
#!/usr/bin/env python3
2010-04-27 18:25:55 +10:00
#
# update our servicePrincipalName names from spn_update_list
#
# Copyright (C) Andrew Tridgell 2010
2012-04-19 01:44:14 -07:00
# Copyright (C) Matthieu Patou <mat@matws.net> 2012
2010-04-27 18:25:55 +10:00
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
2012-04-19 01:44:14 -07:00
import os, sys, re
2010-04-27 18:25:55 +10:00
# ensure we get messages out immediately, so they get in the samba logs,
# and don't get swallowed by a timeout
2011-02-21 16:46:58 +11:00
os.environ['PYTHONUNBUFFERED'] = '1'
2010-04-27 18:25:55 +10:00
2010-09-28 20:43:58 -07:00
# forcing GMT avoids a problem in some timezones with kerberos. Both MIT
# heimdal can get mutual authentication errors due to the 24 second difference
# between UTC and GMT when using some zone files (eg. the PDT zone from
# the US)
2011-02-21 16:46:58 +11:00
os.environ["TZ"] = "GMT"
2010-09-28 20:43:58 -07:00
2010-04-27 18:25:55 +10:00
# Find right directory when running from source tree
sys.path.insert(0, "bin/python")
import samba, ldb
import optparse
2010-06-28 11:13:03 -05:00
from samba import Ldb
2010-04-27 18:25:55 +10:00
from samba import getopt as options
from samba.auth import system_session
from samba.samdb import SamDB
2010-06-28 11:13:03 -05:00
from samba.credentials import Credentials, DONT_USE_KERBEROS
2020-09-11 14:29:46 -06:00
from samba.common import get_string
2010-04-27 18:25:55 +10:00
parser = optparse.OptionParser("samba_spnupdate")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
parser.add_option("--verbose", action="store_true")
2010-06-28 11:13:03 -05:00
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
2010-04-27 18:25:55 +10:00
ccachename = None
opts, args = parser.parse_args()
if len(args) != 0:
parser.print_usage()
sys.exit(1)
lp = sambaopts.get_loadparm()
2010-06-28 11:13:03 -05:00
creds = credopts.get_credentials(lp)
2010-04-27 18:25:55 +10:00
domain = lp.get("realm")
host = lp.get("netbios name")
# get the list of substitution vars
def get_subst_vars(samdb):
global lp
vars = {}
2011-08-22 17:41:08 +10:00
vars['DNSDOMAIN'] = samdb.domain_dns_name()
vars['DNSFOREST'] = samdb.forest_dns_name()
vars['HOSTNAME'] = samdb.host_dns_name()
2010-04-27 18:25:55 +10:00
vars['NETBIOSNAME'] = lp.get('netbios name').upper()
vars['WORKGROUP'] = lp.get('workgroup')
vars['NTDSGUID'] = samdb.get_ntds_GUID()
2011-08-19 17:32:44 +10:00
res = samdb.search(base=samdb.get_default_basedn(), scope=ldb.SCOPE_BASE, attrs=["objectGUID"])
2010-04-27 18:25:55 +10:00
guid = samdb.schema_format_value("objectGUID", res[0]['objectGUID'][0])
2018-10-02 14:45:53 +01:00
vars['DOMAINGUID'] = get_string(guid)
2010-04-27 18:25:55 +10:00
return vars
try:
2010-06-28 11:13:03 -05:00
private_dir = lp.get("private dir")
2011-06-02 15:47:44 +10:00
secrets_path = os.path.join(private_dir, "secrets.ldb")
2010-06-28 11:13:03 -05:00
secrets_db = Ldb(url=secrets_path, session_info=system_session(),
credentials=creds, lp=lp)
res = secrets_db.search(base=None,
expression="(&(objectclass=ldapSecret)(cn=SAMDB Credentials))",
attrs=["samAccountName", "secret"])
if len(res) == 1:
credentials = Credentials()
credentials.set_kerberos_state(DONT_USE_KERBEROS)
if "samAccountName" in res[0]:
credentials.set_username(res[0]["samAccountName"][0])
if "secret" in res[0]:
credentials.set_password(res[0]["secret"][0])
else:
credentials = None
2011-06-02 15:43:40 +10:00
samdb = SamDB(url=lp.samdb_url(), session_info=system_session(), credentials=credentials, lp=lp)
2018-09-28 16:49:27 +01:00
except ldb.LdbError as e:
(num, msg) = e.args
2011-06-02 15:43:40 +10:00
print("Unable to open sam database %s : %s" % (lp.samdb_url(), msg))
2010-04-27 18:25:55 +10:00
sys.exit(1)
2010-09-25 17:52:43 -07:00
2010-04-27 18:25:55 +10:00
# get the substitution dictionary
sub_vars = get_subst_vars(samdb)
# get the list of SPN entries we should have
spn_update_list = lp.private_path('spn_update_list')
spn_list = []
2012-04-19 01:44:14 -07:00
has_forest_dns = False
has_domain_dns = False
# check if we "are DNS server"
res = samdb.search(base=samdb.get_config_basedn(),
expression='(objectguid=%s)' % sub_vars['NTDSGUID'],
attrs=["msDS-hasMasterNCs"])
basedn = str(samdb.get_default_basedn())
if len(res) == 1:
2012-08-01 15:09:00 +02:00
if "msDS-hasMasterNCs" in res[0]:
for e in res[0]["msDS-hasMasterNCs"]:
if str(e) == "DC=DomainDnsZones,%s" % basedn:
has_domain_dns = True
if str(e) == "DC=ForestDnsZones,%s" % basedn:
has_forest_dns = True
2012-04-19 01:44:14 -07:00
2010-04-27 18:25:55 +10:00
# build the spn list
2023-02-21 11:44:07 +13:00
with open(spn_update_list, "r") as file:
for line in file:
line = line.strip()
if line == '' or line[0] == "#":
continue
if re.match(r".*/DomainDnsZones\..*", line) and not has_domain_dns:
continue
if re.match(r".*/ForestDnsZones\..*", line) and not has_forest_dns:
continue
line = samba.substitute_var(line, sub_vars)
spn_list.append(line)
2010-04-27 18:25:55 +10:00
# get the current list of SPNs in our sam
2011-08-19 17:32:44 +10:00
res = samdb.search(base=samdb.get_default_basedn(),
2010-04-27 18:25:55 +10:00
expression='(&(objectClass=computer)(samaccountname=%s$))' % sub_vars['NETBIOSNAME'],
attrs=["servicePrincipalName"])
if not res or len(res) != 1:
print("Failed to find computer object for %s$" % sub_vars['NETBIOSNAME'])
sys.exit(1)
2010-09-28 20:47:03 -07:00
machine_dn = res[0]["dn"]
2010-04-27 18:25:55 +10:00
old_spns = []
2010-10-31 14:07:52 +01:00
if "servicePrincipalName" in res[0]:
for s in res[0]["servicePrincipalName"]:
2018-10-30 12:51:54 +00:00
old_spns.append(str(s))
2010-04-27 18:25:55 +10:00
if opts.verbose:
print("Existing SPNs: %s" % old_spns)
add_list = []
# work out what needs to be added
for s in spn_list:
in_list = False
for s2 in old_spns:
if s2.upper() == s.upper():
in_list = True
break
if not in_list:
add_list.append(s)
if opts.verbose:
print("New SPNs: %s" % add_list)
if add_list == []:
if opts.verbose:
print("Nothing to add")
sys.exit(0)
2010-09-28 20:47:03 -07:00
def local_update(add_list):
'''store locally'''
global res
msg = ldb.Message()
msg.dn = res[0]['dn']
msg[""] = ldb.MessageElement(add_list,
ldb.FLAG_MOD_ADD, "servicePrincipalName")
res = samdb.modify(msg)
def call_rodc_update(d):
'''RODCs need to use the writeSPN DRS call'''
global lp, sub_vars
from samba import drs_utils
from samba.dcerpc import drsuapi, nbt
from samba.net import Net
if opts.verbose:
print("Using RODC SPN update")
creds = credopts.get_credentials(lp)
creds.set_machine_account(lp)
net = Net(creds=creds, lp=lp)
try:
2011-11-22 22:26:06 +01:00
cldap_ret = net.finddc(domain=domain, flags=nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
2018-02-14 10:33:06 +13:00
except Exception as reason:
2010-09-28 20:47:03 -07:00
print("Unable to find writeable DC for domain '%s' to send DRS writeSPN to : %s" % (domain, reason))
sys.exit(1)
server = cldap_ret.pdc_dns_name
try:
2010-11-18 15:26:48 +11:00
binding_options = "seal"
2016-09-13 10:49:47 +02:00
if lp.log_level() >= 5:
2010-11-18 15:26:48 +11:00
binding_options += ",print"
drs = drsuapi.drsuapi('ncacn_ip_tcp:%s[%s]' % (server, binding_options), lp, creds)
2010-11-07 13:55:20 +11:00
(drs_handle, supported_extensions) = drs_utils.drs_DsBind(drs)
2018-02-14 10:33:06 +13:00
except Exception as reason:
2010-09-28 20:47:03 -07:00
print("Unable to connect to DC '%s' for domain '%s' : %s" % (server, domain, reason))
sys.exit(1)
req1 = drsuapi.DsWriteAccountSpnRequest1()
req1.operation = drsuapi.DRSUAPI_DS_SPN_OPERATION_ADD
req1.object_dn = str(machine_dn)
req1.count = 0
spn_names = []
for n in add_list:
if n.find('E3514235-4B06-11D1-AB04-00C04FC2DCD2') != -1:
# this one isn't allowed for RODCs, but we don't know why yet
continue
ns = drsuapi.DsNameString()
ns.str = n
spn_names.append(ns)
req1.count = req1.count + 1
2010-09-30 15:02:50 -07:00
if spn_names == []:
return
2010-09-28 20:47:03 -07:00
req1.spn_names = spn_names
(level, res) = drs.DsWriteAccountSpn(drs_handle, 1, req1)
2012-04-19 01:44:14 -07:00
if (res.status != (0, 'WERR_OK')):
2018-09-27 18:15:49 +01:00
print("WriteAccountSpn has failed with error %s" % str(res.status))
2010-09-28 20:47:03 -07:00
if samdb.am_rodc():
call_rodc_update(add_list)
else:
local_update(add_list)