2010-08-23 11:31:48 +10:00
# python join code
# Copyright Andrew Tridgell 2010
# Copyright Andrew Bartlett 2010
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
2018-03-09 13:53:45 +00:00
from __future__ import print_function
2010-11-28 14:09:30 +01:00
""" Joining a domain. """
2010-08-23 11:31:48 +10:00
from samba . auth import system_session
from samba . samdb import SamDB
2016-01-28 14:00:38 +01:00
from samba import gensec , Ldb , drs_utils , arcfour_encrypt , string_to_byte_array
2018-07-30 18:21:38 +12:00
import ldb
import samba
import uuid
2017-02-17 18:23:23 +13:00
from samba . ndr import ndr_pack , ndr_unpack
from samba . dcerpc import security , drsuapi , misc , nbt , lsa , drsblobs , dnsserver , dnsp
2013-09-09 11:54:23 +12:00
from samba . dsdb import DS_DOMAIN_FUNCTION_2003
2010-08-23 11:31:48 +10:00
from samba . credentials import Credentials , DONT_USE_KERBEROS
2018-09-19 10:21:12 +12:00
from samba . provision import ( secretsdb_self_join , provision , provision_fill ,
FILL_DRS , FILL_SUBDOMAIN , DEFAULTSITE )
2012-12-24 08:56:50 +11:00
from samba . provision . common import setup_path
2010-11-05 14:09:49 +11:00
from samba . schema import Schema
2014-08-22 14:16:30 +12:00
from samba import descriptor
2010-08-24 15:42:54 +10:00
from samba . net import Net
2012-06-24 21:10:34 +10:00
from samba . provision . sambadns import setup_bind9_dns
2012-12-24 08:56:50 +11:00
from samba import read_and_sub_file
2017-02-13 11:12:54 +13:00
from samba import werror
2012-12-24 08:56:50 +11:00
from base64 import b64encode
2018-03-12 14:44:58 +13:00
from samba import WERRORError , NTSTATUSError
2017-02-17 18:23:23 +13:00
from samba import sd_utils
2018-10-11 13:06:16 +13:00
from samba . dnsserver import ARecord , AAAARecord , CNameRecord
2010-08-24 15:42:54 +10:00
import logging
2011-08-26 13:23:41 +10:00
import random
2011-09-07 17:21:07 +10:00
import time
2018-06-11 16:50:28 +12:00
import re
import os
import tempfile
2018-05-17 13:34:00 +01:00
from samba . compat import text_type
2018-06-15 17:55:46 +01:00
from samba . compat import get_string
2010-08-23 11:31:48 +10:00
2018-07-30 18:20:39 +12:00
2011-05-13 16:04:07 +04:00
class DCJoinException ( Exception ) :
def __init__ ( self , msg ) :
super ( DCJoinException , self ) . __init__ ( " Can ' t join, error: %s " % msg )
2011-01-06 14:39:40 +01:00
2018-06-25 17:21:00 +12:00
class DCJoinContext ( object ) :
2012-09-16 14:18:51 +02:00
""" Perform a DC join. """
2010-11-05 14:09:49 +11:00
2013-09-09 09:53:37 +12:00
def __init__ ( ctx , logger = None , server = None , creds = None , lp = None , site = None ,
2012-07-06 15:38:06 +10:00
netbios_name = None , targetdir = None , domain = None ,
machinepass = None , use_ntvfs = False , dns_backend = None ,
2018-06-29 10:40:58 +12:00
promote_existing = False , plaintext_secrets = False ,
2018-05-01 11:11:01 +12:00
backend_store = None , forced_local_samdb = None ) :
2017-06-06 15:21:50 +12:00
2013-09-09 09:53:37 +12:00
ctx . logger = logger
2010-11-05 14:09:49 +11:00
ctx . creds = creds
ctx . lp = lp
ctx . site = site
ctx . targetdir = targetdir
2012-06-05 01:32:42 +03:00
ctx . use_ntvfs = use_ntvfs
2017-12-15 07:24:14 +13:00
ctx . plaintext_secrets = plaintext_secrets
2018-05-14 11:23:24 +12:00
ctx . backend_store = backend_store
2012-06-21 23:46:21 +10:00
2012-07-06 15:38:06 +10:00
ctx . promote_existing = promote_existing
ctx . promote_from_dn = None
2012-06-21 23:46:21 +10:00
ctx . nc_list = [ ]
2013-10-16 14:34:43 +13:00
ctx . full_nc_list = [ ]
2010-11-05 14:09:49 +11:00
ctx . creds . set_gensec_features ( creds . get_gensec_features ( ) | gensec . FEATURE_SEAL )
ctx . net = Net ( creds = ctx . creds , lp = ctx . lp )
2018-05-01 11:11:01 +12:00
ctx . server = server
ctx . forced_local_samdb = forced_local_samdb
2010-11-05 14:09:49 +11:00
2018-05-01 11:11:01 +12:00
if forced_local_samdb :
ctx . samdb = forced_local_samdb
ctx . server = ctx . samdb . url
else :
2018-09-19 10:44:48 +12:00
if ctx . server :
# work out the DC's site (if not already specified)
if site is None :
ctx . site = ctx . find_dc_site ( ctx . server )
else :
# work out the Primary DC for the domain (as well as an
# appropriate site for the new DC)
2018-05-01 11:11:01 +12:00
ctx . logger . info ( " Finding a writeable DC for domain ' %s ' " % domain )
ctx . server = ctx . find_dc ( domain )
ctx . logger . info ( " Found DC %s " % ctx . server )
ctx . samdb = SamDB ( url = " ldap:// %s " % ctx . server ,
session_info = system_session ( ) ,
credentials = ctx . creds , lp = ctx . lp )
2010-11-05 14:09:49 +11:00
2018-09-19 10:44:48 +12:00
if ctx . site is None :
ctx . site = DEFAULTSITE
2011-05-13 16:04:07 +04:00
try :
2018-10-18 16:50:19 +13:00
ctx . samdb . search ( scope = ldb . SCOPE_BASE , attrs = [ ] )
except ldb . LdbError as e :
( enum , estr ) = e . args
2011-05-13 16:04:07 +04:00
raise DCJoinException ( estr )
2010-11-05 14:09:49 +11:00
ctx . base_dn = str ( ctx . samdb . get_default_basedn ( ) )
ctx . root_dn = str ( ctx . samdb . get_root_basedn ( ) )
ctx . schema_dn = str ( ctx . samdb . get_schema_basedn ( ) )
ctx . config_dn = str ( ctx . samdb . get_config_basedn ( ) )
2014-08-11 11:23:57 +12:00
ctx . domsid = security . dom_sid ( ctx . samdb . get_domain_sid ( ) )
2014-08-08 18:43:47 +12:00
ctx . forestsid = ctx . domsid
2010-11-05 14:09:49 +11:00
ctx . domain_name = ctx . get_domain_name ( )
2011-10-01 10:58:52 +10:00
ctx . forest_domain_name = ctx . get_forest_domain_name ( )
2011-09-02 15:12:11 +10:00
ctx . invocation_id = misc . GUID ( str ( uuid . uuid4 ( ) ) )
2010-11-05 14:09:49 +11:00
2011-12-04 14:23:34 +01:00
ctx . dc_ntds_dn = ctx . samdb . get_dsServiceName ( )
2010-11-05 14:09:49 +11:00
ctx . dc_dnsHostName = ctx . get_dnsHostName ( )
2010-11-07 13:55:20 +11:00
ctx . behavior_version = ctx . get_behavior_version ( )
2011-11-28 20:03:11 +01:00
if machinepass is not None :
ctx . acct_pass = machinepass
else :
2016-08-23 12:37:37 +02:00
ctx . acct_pass = samba . generate_random_machine_password ( 128 , 255 )
2010-11-05 14:09:49 +11:00
2015-08-17 15:33:31 +12:00
ctx . dnsdomain = ctx . samdb . domain_dns_name ( )
2018-06-29 10:40:58 +12:00
# the following are all dependent on the new DC's netbios_name (which
# we expect to always be specified, except when cloning a DC)
if netbios_name :
2015-08-17 15:33:31 +12:00
# work out the DNs of all the objects we will be adding
ctx . myname = netbios_name
ctx . samname = " %s $ " % ctx . myname
ctx . server_dn = " CN= %s ,CN=Servers,CN= %s ,CN=Sites, %s " % ( ctx . myname , ctx . site , ctx . config_dn )
ctx . ntds_dn = " CN=NTDS Settings, %s " % ctx . server_dn
ctx . acct_dn = " CN= %s ,OU=Domain Controllers, %s " % ( ctx . myname , ctx . base_dn )
ctx . dnshostname = " %s . %s " % ( ctx . myname . lower ( ) , ctx . dnsdomain )
ctx . dnsforest = ctx . samdb . forest_dns_name ( )
topology_base = " CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System, %s " % ctx . base_dn
if ctx . dn_exists ( topology_base ) :
ctx . topology_dn = " CN= %s , %s " % ( ctx . myname , topology_base )
else :
ctx . topology_dn = None
2018-07-30 18:16:43 +12:00
ctx . SPNs = [ " HOST/ %s " % ctx . myname ,
2018-09-04 01:05:48 +12:00
" HOST/ %s " % ctx . dnshostname ,
" GC/ %s / %s " % ( ctx . dnshostname , ctx . dnsforest ) ]
2010-11-05 14:09:49 +11:00
2016-10-31 16:48:33 +13:00
res_rid_manager = ctx . samdb . search ( scope = ldb . SCOPE_BASE ,
attrs = [ " rIDManagerReference " ] ,
base = ctx . base_dn )
ctx . rid_manager_dn = res_rid_manager [ 0 ] [ " rIDManagerReference " ] [ 0 ]
2012-09-06 10:37:18 +10:00
ctx . domaindns_zone = ' DC=DomainDnsZones, %s ' % ctx . base_dn
2013-10-11 09:36:53 +13:00
ctx . forestdns_zone = ' DC=ForestDnsZones, %s ' % ctx . root_dn
2012-09-06 10:37:18 +10:00
2016-07-20 13:37:47 +12:00
expr = " (&(objectClass=crossRef)(ncName= %s )) " % ldb . binary_encode ( ctx . domaindns_zone )
2012-09-06 10:37:18 +10:00
res_domaindns = ctx . samdb . search ( scope = ldb . SCOPE_ONELEVEL ,
attrs = [ ] ,
base = ctx . samdb . get_partitions_dn ( ) ,
2016-07-20 13:37:47 +12:00
expression = expr )
2012-09-06 10:37:18 +10:00
if dns_backend is None :
ctx . dns_backend = " NONE "
else :
if len ( res_domaindns ) == 0 :
ctx . dns_backend = " NONE "
2018-03-09 13:53:45 +00:00
print ( " NO DNS zone information found in source domain, not replicating DNS " )
2012-09-06 10:37:18 +10:00
else :
ctx . dns_backend = dns_backend
2010-11-05 14:09:49 +11:00
ctx . realm = ctx . dnsdomain
2010-11-07 13:55:20 +11:00
2010-11-05 14:09:49 +11:00
ctx . tmp_samdb = None
2016-11-29 14:27:57 +01:00
ctx . replica_flags = ( drsuapi . DRSUAPI_DRS_INIT_SYNC |
drsuapi . DRSUAPI_DRS_PER_SYNC |
drsuapi . DRSUAPI_DRS_GET_ANC |
2016-11-29 14:29:59 +01:00
drsuapi . DRSUAPI_DRS_GET_NC_SIZE |
2016-11-29 14:27:57 +01:00
drsuapi . DRSUAPI_DRS_NEVER_SYNCED )
2010-11-05 14:09:49 +11:00
# these elements are optional
ctx . never_reveal_sid = None
ctx . reveal_sid = None
ctx . connection_dn = None
ctx . RODC = False
ctx . krbtgt_dn = None
ctx . drsuapi = None
ctx . managedby = None
2011-09-05 16:43:26 +10:00
ctx . subdomain = False
2013-09-06 15:46:05 +12:00
ctx . adminpass = None
2016-05-31 14:54:45 +12:00
ctx . partition_dn = None
2010-11-05 14:09:49 +11:00
2017-02-17 18:23:23 +13:00
ctx . dns_a_dn = None
ctx . dns_cname_dn = None
# Do not normally register 127. addresses but allow override for selftest
ctx . force_all_ips = False
2010-11-05 14:09:49 +11:00
def del_noerror ( ctx , dn , recursive = False ) :
if recursive :
try :
res = ctx . samdb . search ( base = dn , scope = ldb . SCOPE_ONELEVEL , attrs = [ " dn " ] )
2010-11-29 14:10:57 +11:00
except Exception :
2010-11-05 14:09:49 +11:00
return
for r in res :
ctx . del_noerror ( r . dn , recursive = True )
2010-08-23 11:31:48 +10:00
try :
2010-11-05 14:09:49 +11:00
ctx . samdb . delete ( dn )
2018-03-09 13:53:45 +00:00
print ( " Deleted %s " % dn )
2010-11-29 14:10:57 +11:00
except Exception :
2010-08-23 11:31:48 +10:00
pass
2017-06-06 15:22:35 +12:00
def cleanup_old_accounts ( ctx , force = False ) :
2016-05-31 14:54:45 +12:00
res = ctx . samdb . search ( base = ctx . samdb . get_default_basedn ( ) ,
expression = ' sAMAccountName= %s ' % ldb . binary_encode ( ctx . samname ) ,
attrs = [ " msDS-krbTgtLink " , " objectSID " ] )
if len ( res ) == 0 :
return
2017-06-06 15:22:35 +12:00
if not force :
creds = Credentials ( )
creds . guess ( ctx . lp )
try :
creds . set_machine_account ( ctx . lp )
creds . set_kerberos_state ( ctx . creds . get_kerberos_state ( ) )
machine_samdb = SamDB ( url = " ldap:// %s " % ctx . server ,
session_info = system_session ( ) ,
2018-07-30 18:16:12 +12:00
credentials = creds , lp = ctx . lp )
2017-06-06 15:22:35 +12:00
except :
pass
else :
token_res = machine_samdb . search ( scope = ldb . SCOPE_BASE , base = " " , attrs = [ " tokenGroups " ] )
if token_res [ 0 ] [ " tokenGroups " ] [ 0 ] \
== res [ 0 ] [ " objectSID " ] [ 0 ] :
raise DCJoinException ( " Not removing account %s which "
2018-07-30 18:16:12 +12:00
" looks like a Samba DC account "
" matching the password we already have. "
" To override, remove secrets.ldb and secrets.tdb "
% ctx . samname )
2016-05-31 14:54:45 +12:00
ctx . del_noerror ( res [ 0 ] . dn , recursive = True )
if " msDS-Krbtgtlink " in res [ 0 ] :
new_krbtgt_dn = res [ 0 ] [ " msDS-Krbtgtlink " ] [ 0 ]
2017-03-09 14:50:14 +13:00
ctx . del_noerror ( ctx . new_krbtgt_dn )
2016-05-31 14:54:45 +12:00
res = ctx . samdb . search ( base = ctx . samdb . get_default_basedn ( ) ,
expression = ' (&(sAMAccountName= %s )(servicePrincipalName= %s )) ' %
( ldb . binary_encode ( " dns- %s " % ctx . myname ) ,
ldb . binary_encode ( " dns/ %s " % ctx . dnshostname ) ) ,
attrs = [ ] )
if res :
ctx . del_noerror ( res [ 0 ] . dn , recursive = True )
res = ctx . samdb . search ( base = ctx . samdb . get_default_basedn ( ) ,
expression = ' (sAMAccountName= %s ) ' % ldb . binary_encode ( " dns- %s " % ctx . myname ) ,
2018-07-30 18:16:12 +12:00
attrs = [ ] )
2016-05-31 14:54:45 +12:00
if res :
raise DCJoinException ( " Not removing account %s which looks like "
2018-07-30 18:16:12 +12:00
" a Samba DNS service account but does not "
" have servicePrincipalName= %s " %
( ldb . binary_encode ( " dns- %s " % ctx . myname ) ,
ldb . binary_encode ( " dns/ %s " % ctx . dnshostname ) ) )
2016-05-31 14:54:45 +12:00
2017-06-06 15:22:35 +12:00
def cleanup_old_join ( ctx , force = False ) :
2012-09-16 14:18:51 +02:00
""" Remove any DNs from a previous join. """
2016-05-31 14:54:45 +12:00
# find the krbtgt link
if not ctx . subdomain :
2017-06-06 15:22:35 +12:00
ctx . cleanup_old_accounts ( force = force )
2016-05-31 14:54:45 +12:00
if ctx . connection_dn is not None :
ctx . del_noerror ( ctx . connection_dn )
if ctx . krbtgt_dn is not None :
ctx . del_noerror ( ctx . krbtgt_dn )
ctx . del_noerror ( ctx . ntds_dn )
ctx . del_noerror ( ctx . server_dn , recursive = True )
if ctx . topology_dn :
ctx . del_noerror ( ctx . topology_dn )
if ctx . partition_dn :
ctx . del_noerror ( ctx . partition_dn )
if ctx . subdomain :
binding_options = " sign "
lsaconn = lsa . lsarpc ( " ncacn_ip_tcp: %s [ %s ] " % ( ctx . server , binding_options ) ,
ctx . lp , ctx . creds )
objectAttr = lsa . ObjectAttribute ( )
objectAttr . sec_qos = lsa . QosInfo ( )
pol_handle = lsaconn . OpenPolicy2 ( ' ' . decode ( ' utf-8 ' ) ,
objectAttr , security . SEC_FLAG_MAXIMUM_ALLOWED )
name = lsa . String ( )
name . string = ctx . realm
info = lsaconn . QueryTrustedDomainInfoByName ( pol_handle , name , lsa . LSA_TRUSTED_DOMAIN_INFO_FULL_INFO )
lsaconn . DeleteTrustedDomain ( pol_handle , info . info_ex . sid )
name = lsa . String ( )
name . string = ctx . forest_domain_name
info = lsaconn . QueryTrustedDomainInfoByName ( pol_handle , name , lsa . LSA_TRUSTED_DOMAIN_INFO_FULL_INFO )
lsaconn . DeleteTrustedDomain ( pol_handle , info . info_ex . sid )
2011-08-26 13:23:41 +10:00
2017-02-17 18:23:23 +13:00
if ctx . dns_a_dn :
ctx . del_noerror ( ctx . dns_a_dn )
if ctx . dns_cname_dn :
ctx . del_noerror ( ctx . dns_cname_dn )
2012-07-06 15:38:06 +10:00
def promote_possible ( ctx ) :
2012-09-16 14:18:51 +02:00
""" confirm that the account is just a bare NT4 BDC or a member server, so can be safely promoted """
2012-07-06 15:38:06 +10:00
if ctx . subdomain :
# This shouldn't happen
raise Exception ( " Can not promote into a subdomain " )
res = ctx . samdb . search ( base = ctx . samdb . get_default_basedn ( ) ,
expression = ' sAMAccountName= %s ' % ldb . binary_encode ( ctx . samname ) ,
attrs = [ " msDS-krbTgtLink " , " userAccountControl " , " serverReferenceBL " , " rIDSetReferences " ] )
if len ( res ) == 0 :
raise Exception ( " Could not find domain member account ' %s ' to promote to a DC, use ' samba-tool domain join ' instead ' " % ctx . samname )
if " msDS-krbTgtLink " in res [ 0 ] or " serverReferenceBL " in res [ 0 ] or " rIDSetReferences " in res [ 0 ] :
raise Exception ( " Account ' %s ' appears to be an active DC, use ' samba-tool domain join ' if you must re-create this account " % ctx . samname )
2018-08-22 17:06:23 +12:00
if ( int ( res [ 0 ] [ " userAccountControl " ] [ 0 ] ) & ( samba . dsdb . UF_WORKSTATION_TRUST_ACCOUNT |
samba . dsdb . UF_SERVER_TRUST_ACCOUNT ) == 0 ) :
2012-07-06 15:38:06 +10:00
raise Exception ( " Account %s is not a domain member or a bare NT4 BDC, use ' samba-tool domain join ' instead ' " % ctx . samname )
2012-09-16 14:18:51 +02:00
2012-07-06 15:38:06 +10:00
ctx . promote_from_dn = res [ 0 ] . dn
2010-09-14 18:22:13 +10:00
def find_dc ( ctx , domain ) :
2012-09-16 14:18:51 +02:00
""" find a writeable DC for the given domain """
2010-11-05 14:09:49 +11:00
try :
2011-11-22 22:26:06 +01:00
ctx . cldap_ret = ctx . net . finddc ( domain = domain , flags = nbt . NBT_SERVER_LDAP | nbt . NBT_SERVER_DS | nbt . NBT_SERVER_WRITABLE )
2018-01-09 12:41:01 +01:00
except NTSTATUSError as error :
raise Exception ( " Failed to find a writeable DC for domain ' %s ' : %s " %
( domain , error [ 1 ] ) )
2010-11-29 14:10:57 +11:00
except Exception :
raise Exception ( " Failed to find a writeable DC for domain ' %s ' " % domain )
2010-09-19 13:20:33 -07:00
if ctx . cldap_ret . client_site is not None and ctx . cldap_ret . client_site != " " :
ctx . site = ctx . cldap_ret . client_site
2010-09-29 04:31:02 +03:00
return ctx . cldap_ret . pdc_dns_name
2010-09-14 18:22:13 +10:00
2018-09-19 10:44:48 +12:00
def find_dc_site ( ctx , server ) :
site = None
cldap_ret = ctx . net . finddc ( address = server ,
flags = nbt . NBT_SERVER_LDAP | nbt . NBT_SERVER_DS )
if cldap_ret . client_site is not None and cldap_ret . client_site != " " :
site = cldap_ret . client_site
return site
2010-11-07 13:55:20 +11:00
def get_behavior_version ( ctx ) :
res = ctx . samdb . search ( base = ctx . base_dn , scope = ldb . SCOPE_BASE , attrs = [ " msDS-Behavior-Version " ] )
if " msDS-Behavior-Version " in res [ 0 ] :
return int ( res [ 0 ] [ " msDS-Behavior-Version " ] [ 0 ] )
else :
return samba . dsdb . DS_DOMAIN_FUNCTION_2000
2010-11-05 14:09:49 +11:00
def get_dnsHostName ( ctx ) :
res = ctx . samdb . search ( base = " " , scope = ldb . SCOPE_BASE , attrs = [ " dnsHostName " ] )
2018-04-17 16:48:03 +01:00
return str ( res [ 0 ] [ " dnsHostName " ] [ 0 ] )
2010-08-23 11:31:48 +10:00
2010-11-05 14:09:49 +11:00
def get_domain_name ( ctx ) :
2010-09-09 18:02:08 +10:00
''' get netbios name of the domain from the partitions record '''
2010-11-05 14:09:49 +11:00
partitions_dn = ctx . samdb . get_partitions_dn ( )
res = ctx . samdb . search ( base = partitions_dn , scope = ldb . SCOPE_ONELEVEL , attrs = [ " nETBIOSName " ] ,
2016-07-20 13:37:47 +12:00
expression = ' ncName= %s ' % ldb . binary_encode ( str ( ctx . samdb . get_default_basedn ( ) ) ) )
2018-04-17 16:48:03 +01:00
return str ( res [ 0 ] [ " nETBIOSName " ] [ 0 ] )
2010-09-09 18:02:08 +10:00
2011-10-01 10:58:52 +10:00
def get_forest_domain_name ( ctx ) :
''' get netbios name of the domain from the partitions record '''
partitions_dn = ctx . samdb . get_partitions_dn ( )
res = ctx . samdb . search ( base = partitions_dn , scope = ldb . SCOPE_ONELEVEL , attrs = [ " nETBIOSName " ] ,
2016-07-20 13:37:47 +12:00
expression = ' ncName= %s ' % ldb . binary_encode ( str ( ctx . samdb . get_root_basedn ( ) ) ) )
2018-04-17 16:48:03 +01:00
return str ( res [ 0 ] [ " nETBIOSName " ] [ 0 ] )
2011-10-01 10:58:52 +10:00
2011-08-26 13:23:41 +10:00
def get_parent_partition_dn ( ctx ) :
''' get the parent domain partition DN from parent DNS name '''
res = ctx . samdb . search ( base = ctx . config_dn , attrs = [ ] ,
expression = ' (&(objectclass=crossRef)(dnsRoot= %s )(systemFlags: %s := %u )) ' %
2016-07-20 13:37:47 +12:00
( ldb . binary_encode ( ctx . parent_dnsdomain ) ,
ldb . OID_COMPARATOR_AND , samba . dsdb . SYSTEM_FLAG_CR_NTDS_DOMAIN ) )
2011-08-26 13:23:41 +10:00
return str ( res [ 0 ] . dn )
2011-10-01 10:58:52 +10:00
def get_naming_master ( ctx ) :
''' get the parent domain partition DN from parent DNS name '''
res = ctx . samdb . search ( base = ' CN=Partitions, %s ' % ctx . config_dn , attrs = [ ' fSMORoleOwner ' ] ,
scope = ldb . SCOPE_BASE , controls = [ " extended_dn:1:1 " ] )
2018-07-30 18:22:34 +12:00
if ' fSMORoleOwner ' not in res [ 0 ] :
2013-09-04 13:03:37 +12:00
raise DCJoinException ( " Can ' t find naming master on partition DN %s in %s " % ( ctx . partition_dn , ctx . samdb . url ) )
2013-09-03 17:41:42 +12:00
try :
2018-04-25 20:01:49 +01:00
master_guid = str ( misc . GUID ( ldb . Dn ( ctx . samdb , res [ 0 ] [ ' fSMORoleOwner ' ] [ 0 ] . decode ( ' utf8 ' ) ) . get_extended_component ( ' GUID ' ) ) )
2013-09-03 17:41:42 +12:00
except KeyError :
raise DCJoinException ( " Can ' t find GUID in naming master on partition DN %s " % res [ 0 ] [ ' fSMORoleOwner ' ] [ 0 ] )
2011-10-01 10:58:52 +10:00
master_host = ' %s ._msdcs. %s ' % ( master_guid , ctx . dnsforest )
return master_host
2010-11-05 14:09:49 +11:00
def get_mysid ( ctx ) :
2010-11-07 13:55:20 +11:00
''' get the SID of the connected user. Only works with w2k8 and later,
so only used for RODC join '''
2010-11-05 14:09:49 +11:00
res = ctx . samdb . search ( base = " " , scope = ldb . SCOPE_BASE , attrs = [ " tokenGroups " ] )
2010-08-23 11:31:48 +10:00
binsid = res [ 0 ] [ " tokenGroups " ] [ 0 ]
2018-06-15 17:55:46 +01:00
return get_string ( ctx . samdb . schema_format_value ( " objectSID " , binsid ) )
2010-08-24 23:37:25 +10:00
2010-11-07 13:55:20 +11:00
def dn_exists ( ctx , dn ) :
''' check if a DN exists '''
try :
res = ctx . samdb . search ( base = dn , scope = ldb . SCOPE_BASE , attrs = [ ] )
2018-02-23 14:29:05 +00:00
except ldb . LdbError as e5 :
( enum , estr ) = e5 . args
2010-11-29 14:10:57 +11:00
if enum == ldb . ERR_NO_SUCH_OBJECT :
return False
raise
2010-11-07 13:55:20 +11:00
return True
2010-11-05 14:09:49 +11:00
def add_krbtgt_account ( ctx ) :
''' RODCs need a special krbtgt account '''
2018-03-09 13:53:45 +00:00
print ( " Adding %s " % ctx . krbtgt_dn )
2010-08-24 23:37:25 +10:00
rec = {
2018-07-30 18:17:14 +12:00
" dn " : ctx . krbtgt_dn ,
" objectclass " : " user " ,
" useraccountcontrol " : str ( samba . dsdb . UF_NORMAL_ACCOUNT |
2018-09-04 01:05:48 +12:00
samba . dsdb . UF_ACCOUNTDISABLE ) ,
2018-07-30 18:17:14 +12:00
" showinadvancedviewonly " : " TRUE " ,
" description " : " krbtgt for %s " % ctx . samname }
2010-08-24 23:37:25 +10:00
ctx . samdb . add ( rec , [ " rodc_join:1:1 " ] )
# now we need to search for the samAccountName attribute on the krbtgt DN,
# as this will have been magically set to the krbtgt number
res = ctx . samdb . search ( base = ctx . krbtgt_dn , scope = ldb . SCOPE_BASE , attrs = [ " samAccountName " ] )
ctx . krbtgt_name = res [ 0 ] [ " samAccountName " ] [ 0 ]
2018-03-09 13:53:45 +00:00
print ( " Got krbtgt_name= %s " % ctx . krbtgt_name )
2010-08-24 23:37:25 +10:00
m = ldb . Message ( )
m . dn = ldb . Dn ( ctx . samdb , ctx . acct_dn )
m [ " msDS-krbTgtLink " ] = ldb . MessageElement ( ctx . krbtgt_dn ,
ldb . FLAG_MOD_REPLACE , " msDS-krbTgtLink " )
ctx . samdb . modify ( m )
ctx . new_krbtgt_dn = " CN= %s ,CN=Users, %s " % ( ctx . krbtgt_name , ctx . base_dn )
2018-03-09 13:53:45 +00:00
print ( " Renaming %s to %s " % ( ctx . krbtgt_dn , ctx . new_krbtgt_dn ) )
2010-08-24 23:37:25 +10:00
ctx . samdb . rename ( ctx . krbtgt_dn , ctx . new_krbtgt_dn )
2010-11-05 14:09:49 +11:00
def drsuapi_connect ( ctx ) :
2011-10-01 10:58:52 +10:00
''' make a DRSUAPI connection to the naming master '''
2010-11-17 11:08:59 +11:00
binding_options = " seal "
2017-09-06 16:40:05 +12:00
if ctx . lp . log_level ( ) > = 9 :
2010-11-17 11:08:59 +11:00
binding_options + = " ,print "
binding_string = " ncacn_ip_tcp: %s [ %s ] " % ( ctx . server , binding_options )
2010-11-05 14:09:49 +11:00
ctx . drsuapi = drsuapi . drsuapi ( binding_string , ctx . lp , ctx . creds )
2010-11-07 13:55:20 +11:00
( ctx . drsuapi_handle , ctx . bind_supported_extensions ) = drs_utils . drs_DsBind ( ctx . drsuapi )
2010-11-05 14:09:49 +11:00
def create_tmp_samdb ( ctx ) :
''' create a temporary samdb object for schema queries '''
2014-08-11 11:23:57 +12:00
ctx . tmp_schema = Schema ( ctx . domsid ,
2010-11-05 14:09:49 +11:00
schemadn = ctx . schema_dn )
ctx . tmp_samdb = SamDB ( session_info = system_session ( ) , url = None , auto_connect = False ,
credentials = ctx . creds , lp = ctx . lp , global_schema = False ,
am_rodc = False )
ctx . tmp_samdb . set_schema ( ctx . tmp_schema )
def build_DsReplicaAttribute ( ctx , attrname , attrvalue ) :
''' build a DsReplicaAttributeCtr object '''
r = drsuapi . DsReplicaAttribute ( )
r . attid = ctx . tmp_samdb . get_attid_from_lDAPDisplayName ( attrname )
r . value_ctr = 1
2011-08-24 15:39:51 +10:00
def DsAddEntry ( ctx , recs ) :
2010-11-05 14:09:49 +11:00
''' add a record via the DRSUAPI DsAddEntry call '''
if ctx . drsuapi is None :
ctx . drsuapi_connect ( )
if ctx . tmp_samdb is None :
ctx . create_tmp_samdb ( )
2011-08-24 15:39:51 +10:00
objects = [ ]
for rec in recs :
id = drsuapi . DsReplicaObjectIdentifier ( )
id . dn = rec [ ' dn ' ]
attrs = [ ]
for a in rec :
if a == ' dn ' :
continue
if not isinstance ( rec [ a ] , list ) :
v = [ rec [ a ] ]
else :
v = rec [ a ]
2018-05-17 13:34:00 +01:00
v = [ x . encode ( ' utf8 ' ) if isinstance ( x , text_type ) else x for x in v ]
2011-08-24 15:39:51 +10:00
rattr = ctx . tmp_samdb . dsdb_DsReplicaAttribute ( ctx . tmp_samdb , a , v )
attrs . append ( rattr )
attribute_ctr = drsuapi . DsReplicaAttributeCtr ( )
attribute_ctr . num_attributes = len ( attrs )
attribute_ctr . attributes = attrs
object = drsuapi . DsReplicaObject ( )
object . identifier = id
object . attribute_ctr = attribute_ctr
list_object = drsuapi . DsReplicaObjectListItem ( )
list_object . object = object
objects . append ( list_object )
2010-11-05 14:09:49 +11:00
req2 = drsuapi . DsAddEntryRequest2 ( )
2011-08-24 15:39:51 +10:00
req2 . first_object = objects [ 0 ]
prev = req2 . first_object
for o in objects [ 1 : ] :
prev . next_object = o
prev = o
2010-11-05 14:09:49 +11:00
( level , ctr ) = ctx . drsuapi . DsAddEntry ( ctx . drsuapi_handle , 2 , req2 )
2011-11-09 09:32:55 +01:00
if level == 2 :
if ctr . dir_err != drsuapi . DRSUAPI_DIRERR_OK :
print ( " DsAddEntry failed with dir_err %u " % ctr . dir_err )
raise RuntimeError ( " DsAddEntry failed " )
2017-02-13 11:12:54 +13:00
if ctr . extended_err [ 0 ] != werror . WERR_SUCCESS :
2011-11-09 09:32:55 +01:00
print ( " DsAddEntry failed with status %s info %s " % ( ctr . extended_err ) )
raise RuntimeError ( " DsAddEntry failed " )
if level == 3 :
if ctr . err_ver != 1 :
raise RuntimeError ( " expected err_ver 1, got %u " % ctr . err_ver )
2017-02-13 11:12:54 +13:00
if ctr . err_data . status [ 0 ] != werror . WERR_SUCCESS :
2017-02-11 19:34:09 +13:00
if ctr . err_data . info is None :
print ( " DsAddEntry failed with status %s , info omitted " % ( ctr . err_data . status [ 1 ] ) )
else :
print ( " DsAddEntry failed with status %s info %s " % ( ctr . err_data . status [ 1 ] ,
ctr . err_data . info . extended_err ) )
2011-11-09 09:32:55 +01:00
raise RuntimeError ( " DsAddEntry failed " )
if ctr . err_data . dir_err != drsuapi . DRSUAPI_DIRERR_OK :
print ( " DsAddEntry failed with dir_err %u " % ctr . err_data . dir_err )
raise RuntimeError ( " DsAddEntry failed " )
2011-08-24 15:39:51 +10:00
return ctr . objects
2011-09-07 17:21:07 +10:00
2013-10-16 14:34:43 +13:00
def join_ntdsdsa_obj ( ctx ) :
''' return the ntdsdsa object to add '''
2012-10-07 21:52:25 -07:00
2018-03-09 13:53:45 +00:00
print ( " Adding %s " % ctx . ntds_dn )
2011-08-26 13:23:41 +10:00
rec = {
2018-07-30 18:17:14 +12:00
" dn " : ctx . ntds_dn ,
" objectclass " : " nTDSDSA " ,
" systemFlags " : str ( samba . dsdb . SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE ) ,
" dMDLocation " : ctx . schema_dn }
2011-08-26 13:23:41 +10:00
2018-07-30 18:17:02 +12:00
nc_list = [ ctx . base_dn , ctx . config_dn , ctx . schema_dn ]
2011-08-26 13:23:41 +10:00
if ctx . behavior_version > = samba . dsdb . DS_DOMAIN_FUNCTION_2003 :
2011-12-12 12:44:33 +01:00
rec [ " msDS-Behavior-Version " ] = str ( samba . dsdb . DS_DOMAIN_FUNCTION_2008_R2 )
2011-08-26 13:23:41 +10:00
2011-08-24 15:39:51 +10:00
if ctx . behavior_version > = samba . dsdb . DS_DOMAIN_FUNCTION_2003 :
2011-08-26 13:23:41 +10:00
rec [ " msDS-HasDomainNCs " ] = ctx . base_dn
if ctx . RODC :
rec [ " objectCategory " ] = " CN=NTDS-DSA-RO, %s " % ctx . schema_dn
2013-10-16 14:34:43 +13:00
rec [ " msDS-HasFullReplicaNCs " ] = ctx . full_nc_list
2011-08-26 13:23:41 +10:00
rec [ " options " ] = " 37 "
else :
rec [ " objectCategory " ] = " CN=NTDS-DSA, %s " % ctx . schema_dn
2013-10-16 14:34:43 +13:00
rec [ " HasMasterNCs " ] = [ ]
for nc in nc_list :
if nc in ctx . full_nc_list :
rec [ " HasMasterNCs " ] . append ( nc )
2011-08-26 13:23:41 +10:00
if ctx . behavior_version > = samba . dsdb . DS_DOMAIN_FUNCTION_2003 :
2013-10-16 14:34:43 +13:00
rec [ " msDS-HasMasterNCs " ] = ctx . full_nc_list
2011-08-26 13:23:41 +10:00
rec [ " options " ] = " 1 "
2011-09-02 15:12:11 +10:00
rec [ " invocationId " ] = ndr_pack ( ctx . invocation_id )
2013-10-16 14:34:43 +13:00
return rec
def join_add_ntdsdsa ( ctx ) :
''' add the ntdsdsa object '''
rec = ctx . join_ntdsdsa_obj ( )
2018-05-01 11:11:01 +12:00
if ctx . forced_local_samdb :
ctx . samdb . add ( rec , controls = [ " relax:0 " ] )
elif ctx . RODC :
2013-10-16 14:34:43 +13:00
ctx . samdb . add ( rec , [ " rodc_join:1:1 " ] )
else :
2011-08-24 15:39:51 +10:00
ctx . DsAddEntry ( [ rec ] )
2011-08-26 13:23:41 +10:00
# find the GUID of our NTDS DN
res = ctx . samdb . search ( base = ctx . ntds_dn , scope = ldb . SCOPE_BASE , attrs = [ " objectGUID " ] )
ctx . ntds_guid = misc . GUID ( ctx . samdb . schema_format_value ( " objectGUID " , res [ 0 ] [ " objectGUID " ] [ 0 ] ) )
2018-05-01 11:11:01 +12:00
def join_add_objects ( ctx , specified_sid = None ) :
2010-11-05 14:09:49 +11:00
''' add the various objects needed for the join '''
2011-08-24 15:39:51 +10:00
if ctx . acct_dn :
2018-03-09 13:53:45 +00:00
print ( " Adding %s " % ctx . acct_dn )
2011-08-24 15:39:51 +10:00
rec = {
2018-07-30 18:17:14 +12:00
" dn " : ctx . acct_dn ,
2011-08-24 15:39:51 +10:00
" objectClass " : " computer " ,
" displayname " : ctx . samname ,
2018-07-30 18:17:14 +12:00
" samaccountname " : ctx . samname ,
" userAccountControl " : str ( ctx . userAccountControl | samba . dsdb . UF_ACCOUNTDISABLE ) ,
" dnshostname " : ctx . dnshostname }
2011-08-24 15:39:51 +10:00
if ctx . behavior_version > = samba . dsdb . DS_DOMAIN_FUNCTION_2008 :
rec [ ' msDS-SupportedEncryptionTypes ' ] = str ( samba . dsdb . ENC_ALL_TYPES )
2012-07-06 15:38:06 +10:00
elif ctx . promote_existing :
rec [ ' msDS-SupportedEncryptionTypes ' ] = [ ]
2011-08-24 15:39:51 +10:00
if ctx . managedby :
rec [ " managedby " ] = ctx . managedby
2012-07-06 15:38:06 +10:00
elif ctx . promote_existing :
rec [ " managedby " ] = [ ]
2011-08-24 15:39:51 +10:00
if ctx . never_reveal_sid :
rec [ " msDS-NeverRevealGroup " ] = ctx . never_reveal_sid
2012-07-06 15:38:06 +10:00
elif ctx . promote_existing :
rec [ " msDS-NeverRevealGroup " ] = [ ]
2012-09-16 14:18:51 +02:00
2011-08-24 15:39:51 +10:00
if ctx . reveal_sid :
rec [ " msDS-RevealOnDemandGroup " ] = ctx . reveal_sid
2012-07-06 15:38:06 +10:00
elif ctx . promote_existing :
rec [ " msDS-RevealOnDemandGroup " ] = [ ]
2018-05-01 11:11:01 +12:00
if specified_sid :
rec [ " objectSid " ] = ndr_pack ( specified_sid )
2012-07-06 15:38:06 +10:00
if ctx . promote_existing :
if ctx . promote_from_dn != ctx . acct_dn :
ctx . samdb . rename ( ctx . promote_from_dn , ctx . acct_dn )
ctx . samdb . modify ( ldb . Message . from_dict ( ctx . samdb , rec , ldb . FLAG_MOD_REPLACE ) )
else :
2018-05-01 11:11:01 +12:00
controls = None
if specified_sid is not None :
controls = [ " relax:0 " ]
ctx . samdb . add ( rec , controls = controls )
2010-11-05 14:09:49 +11:00
if ctx . krbtgt_dn :
ctx . add_krbtgt_account ( )
2015-08-17 15:33:31 +12:00
if ctx . server_dn :
2018-03-09 13:53:45 +00:00
print ( " Adding %s " % ctx . server_dn )
2015-08-17 15:33:31 +12:00
rec = {
" dn " : ctx . server_dn ,
2018-07-30 18:17:14 +12:00
" objectclass " : " server " ,
2015-08-17 15:33:31 +12:00
# windows uses 50000000 decimal for systemFlags. A windows hex/decimal mixup bug?
2018-07-30 18:17:14 +12:00
" systemFlags " : str ( samba . dsdb . SYSTEM_FLAG_CONFIG_ALLOW_RENAME |
2018-09-04 01:05:48 +12:00
samba . dsdb . SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE |
samba . dsdb . SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE ) ,
2015-08-17 15:33:31 +12:00
# windows seems to add the dnsHostName later
2018-07-30 18:17:14 +12:00
" dnsHostName " : ctx . dnshostname }
2015-08-17 15:33:31 +12:00
if ctx . acct_dn :
rec [ " serverReference " ] = ctx . acct_dn
2011-08-24 15:39:51 +10:00
2015-08-17 15:33:31 +12:00
ctx . samdb . add ( rec )
2010-08-24 23:37:25 +10:00
2011-08-26 16:07:05 +10:00
if ctx . subdomain :
2011-08-26 13:23:41 +10:00
# the rest is done after replication
ctx . ntds_guid = None
return
2011-08-26 16:07:05 +10:00
2015-08-17 15:33:31 +12:00
if ctx . ntds_dn :
ctx . join_add_ntdsdsa ( )
2010-08-24 23:37:25 +10:00
2016-07-18 13:09:59 +12:00
# Add the Replica-Locations or RO-Replica-Locations attributes
# TODO Is this supposed to be for the schema partition too?
expr = " (&(objectClass=crossRef)(ncName= %s )) " % ldb . binary_encode ( ctx . domaindns_zone )
2016-07-21 16:01:20 +12:00
domain = ( ctx . samdb . search ( scope = ldb . SCOPE_ONELEVEL ,
2018-07-30 18:16:12 +12:00
attrs = [ ] ,
base = ctx . samdb . get_partitions_dn ( ) ,
expression = expr ) , ctx . domaindns_zone )
2016-07-18 13:09:59 +12:00
expr = " (&(objectClass=crossRef)(ncName= %s )) " % ldb . binary_encode ( ctx . forestdns_zone )
2016-07-21 16:01:20 +12:00
forest = ( ctx . samdb . search ( scope = ldb . SCOPE_ONELEVEL ,
2018-07-30 18:16:12 +12:00
attrs = [ ] ,
base = ctx . samdb . get_partitions_dn ( ) ,
expression = expr ) , ctx . forestdns_zone )
2016-07-21 16:01:20 +12:00
for part , zone in ( domain , forest ) :
if zone not in ctx . nc_list :
continue
2016-07-18 13:09:59 +12:00
if len ( part ) == 1 :
m = ldb . Message ( )
m . dn = part [ 0 ] . dn
attr = " msDS-NC-Replica-Locations "
if ctx . RODC :
attr = " msDS-NC-RO-Replica-Locations "
m [ attr ] = ldb . MessageElement ( ctx . ntds_dn ,
ldb . FLAG_MOD_ADD , attr )
ctx . samdb . modify ( m )
2010-11-05 14:09:49 +11:00
if ctx . connection_dn is not None :
2018-03-09 13:53:45 +00:00
print ( " Adding %s " % ctx . connection_dn )
2010-11-05 14:09:49 +11:00
rec = {
2018-07-30 18:17:14 +12:00
" dn " : ctx . connection_dn ,
" objectclass " : " nTDSConnection " ,
" enabledconnection " : " TRUE " ,
" options " : " 65 " ,
" fromServer " : ctx . dc_ntds_dn }
2010-11-05 14:09:49 +11:00
ctx . samdb . add ( rec )
2010-08-24 23:37:25 +10:00
2011-08-24 15:39:51 +10:00
if ctx . acct_dn :
2018-03-09 13:53:45 +00:00
print ( " Adding SPNs to %s " % ctx . acct_dn )
2011-08-24 15:39:51 +10:00
m = ldb . Message ( )
m . dn = ldb . Dn ( ctx . samdb , ctx . acct_dn )
for i in range ( len ( ctx . SPNs ) ) :
ctx . SPNs [ i ] = ctx . SPNs [ i ] . replace ( " $NTDSGUID " , str ( ctx . ntds_guid ) )
m [ " servicePrincipalName " ] = ldb . MessageElement ( ctx . SPNs ,
2012-07-06 15:38:06 +10:00
ldb . FLAG_MOD_REPLACE ,
2011-08-24 15:39:51 +10:00
" servicePrincipalName " )
ctx . samdb . modify ( m )
2011-11-14 17:53:39 +01:00
# The account password set operation should normally be done over
# LDAP. Windows 2000 DCs however allow this only with SSL
# connections which are hard to set up and otherwise refuse with
# ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet
# over SAMR.
2018-03-09 13:53:45 +00:00
print ( " Setting account password for %s " % ctx . samname )
2011-11-14 17:53:39 +01:00
try :
ctx . samdb . setpassword ( " (&(objectClass=user)(sAMAccountName= %s )) "
% ldb . binary_encode ( ctx . samname ) ,
ctx . acct_pass ,
force_change_at_next_login = False ,
username = ctx . samname )
2018-02-23 14:29:05 +00:00
except ldb . LdbError as e2 :
( num , _ ) = e2 . args
2011-11-14 17:53:39 +01:00
if num != ldb . ERR_UNWILLING_TO_PERFORM :
pass
ctx . net . set_password ( account_name = ctx . samname ,
domain_name = ctx . domain_name ,
2018-11-28 14:06:54 +00:00
newpassword = ctx . acct_pass )
2011-11-14 17:53:39 +01:00
2012-01-30 17:20:28 +01:00
res = ctx . samdb . search ( base = ctx . acct_dn , scope = ldb . SCOPE_BASE ,
2017-02-17 18:23:23 +13:00
attrs = [ " msDS-KeyVersionNumber " ,
" objectSID " ] )
2012-01-30 17:20:28 +01:00
if " msDS-KeyVersionNumber " in res [ 0 ] :
ctx . key_version_number = int ( res [ 0 ] [ " msDS-KeyVersionNumber " ] [ 0 ] )
else :
ctx . key_version_number = None
2011-08-24 15:39:51 +10:00
2017-02-17 18:23:23 +13:00
ctx . new_dc_account_sid = ndr_unpack ( security . dom_sid ,
res [ 0 ] [ " objectSid " ] [ 0 ] )
2011-08-24 15:39:51 +10:00
print ( " Enabling account " )
m = ldb . Message ( )
m . dn = ldb . Dn ( ctx . samdb , ctx . acct_dn )
m [ " userAccountControl " ] = ldb . MessageElement ( str ( ctx . userAccountControl ) ,
ldb . FLAG_MOD_REPLACE ,
" userAccountControl " )
ctx . samdb . modify ( m )
2010-08-24 23:37:25 +10:00
2012-12-24 08:56:50 +11:00
if ctx . dns_backend . startswith ( " BIND9_ " ) :
ctx . dnspass = samba . generate_random_password ( 128 , 255 )
recs = ctx . samdb . parse_ldif ( read_and_sub_file ( setup_path ( " provision_dns_add_samba.ldif " ) ,
2018-07-30 18:15:34 +12:00
{ " DNSDOMAIN " : ctx . dnsdomain ,
" DOMAINDN " : ctx . base_dn ,
2018-07-30 18:17:14 +12:00
" HOSTNAME " : ctx . myname ,
2018-07-30 18:15:34 +12:00
" DNSPASS_B64 " : b64encode ( ctx . dnspass . encode ( ' utf-16-le ' ) ) . decode ( ' utf8 ' ) ,
2018-07-30 18:17:14 +12:00
" DNSNAME " : ctx . dnshostname } ) )
2012-12-24 08:56:50 +11:00
for changetype , msg in recs :
assert changetype == ldb . CHANGETYPE_NONE
2013-10-24 17:37:06 +02:00
dns_acct_dn = msg [ " dn " ]
2018-03-09 13:53:45 +00:00
print ( " Adding DNS account %s with dns/ SPN " % msg [ " dn " ] )
2012-12-24 08:56:50 +11:00
# Remove dns password (we will set it as a modify, as we can't do clearTextPassword over LDAP)
del msg [ " clearTextPassword " ]
# Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP
del msg [ " isCriticalSystemObject " ]
2013-10-24 17:37:06 +02:00
# Disable account until password is set
msg [ " userAccountControl " ] = str ( samba . dsdb . UF_NORMAL_ACCOUNT |
samba . dsdb . UF_ACCOUNTDISABLE )
2012-12-24 08:56:50 +11:00
try :
ctx . samdb . add ( msg )
2018-02-23 14:29:05 +00:00
except ldb . LdbError as e :
( num , _ ) = e . args
2012-12-24 08:56:50 +11:00
if num != ldb . ERR_ENTRY_ALREADY_EXISTS :
raise
# The account password set operation should normally be done over
# LDAP. Windows 2000 DCs however allow this only with SSL
# connections which are hard to set up and otherwise refuse with
# ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet
# over SAMR.
2018-03-09 13:53:45 +00:00
print ( " Setting account password for dns- %s " % ctx . myname )
2012-12-24 08:56:50 +11:00
try :
ctx . samdb . setpassword ( " (&(objectClass=user)(samAccountName=dns- %s )) "
% ldb . binary_encode ( ctx . myname ) ,
ctx . dnspass ,
force_change_at_next_login = False ,
username = ctx . samname )
2018-02-23 14:29:05 +00:00
except ldb . LdbError as e3 :
( num , _ ) = e3 . args
2012-12-24 08:56:50 +11:00
if num != ldb . ERR_UNWILLING_TO_PERFORM :
2013-10-24 17:37:06 +02:00
raise
ctx . net . set_password ( account_name = " dns- %s " % ctx . myname ,
2012-12-24 08:56:50 +11:00
domain_name = ctx . domain_name ,
newpassword = ctx . dnspass )
res = ctx . samdb . search ( base = dns_acct_dn , scope = ldb . SCOPE_BASE ,
attrs = [ " msDS-KeyVersionNumber " ] )
if " msDS-KeyVersionNumber " in res [ 0 ] :
ctx . dns_key_version_number = int ( res [ 0 ] [ " msDS-KeyVersionNumber " ] [ 0 ] )
else :
ctx . dns_key_version_number = None
2011-08-26 13:23:41 +10:00
def join_add_objects2 ( ctx ) :
2012-09-16 14:18:51 +02:00
""" add the various objects needed for the join, for subdomains post replication """
2011-08-26 13:23:41 +10:00
2018-03-09 13:53:45 +00:00
print ( " Adding %s " % ctx . partition_dn )
2014-08-22 14:16:30 +12:00
name_map = { ' SubdomainAdmins ' : " %s - %s " % ( str ( ctx . domsid ) , security . DOMAIN_RID_ADMINS ) }
sd_binary = descriptor . get_paritions_crossref_subdomain_descriptor ( ctx . forestsid , name_map = name_map )
2011-08-26 13:23:41 +10:00
rec = {
2018-07-30 18:17:14 +12:00
" dn " : ctx . partition_dn ,
" objectclass " : " crossRef " ,
" objectCategory " : " CN=Cross-Ref, %s " % ctx . schema_dn ,
" nCName " : ctx . base_dn ,
" nETBIOSName " : ctx . domain_name ,
2011-08-26 13:23:41 +10:00
" dnsRoot " : ctx . dnsdomain ,
2018-07-30 18:17:14 +12:00
" trustParent " : ctx . parent_partition_dn ,
2018-07-30 18:18:32 +12:00
" systemFlags " : str ( samba . dsdb . SYSTEM_FLAG_CR_NTDS_NC | samba . dsdb . SYSTEM_FLAG_CR_NTDS_DOMAIN ) ,
2018-07-30 18:17:14 +12:00
" ntSecurityDescriptor " : sd_binary ,
2014-08-22 14:16:30 +12:00
}
2011-09-02 15:12:11 +10:00
if ctx . behavior_version > = samba . dsdb . DS_DOMAIN_FUNCTION_2003 :
rec [ " msDS-Behavior-Version " ] = str ( ctx . behavior_version )
2011-08-26 13:23:41 +10:00
2013-10-16 14:34:43 +13:00
rec2 = ctx . join_ntdsdsa_obj ( )
2011-08-24 15:39:51 +10:00
objects = ctx . DsAddEntry ( [ rec , rec2 ] )
if len ( objects ) != 2 :
raise DCJoinException ( " Expected 2 objects from DsAddEntry " )
ctx . ntds_guid = objects [ 1 ] . guid
print ( " Replicating partition DN " )
ctx . repl . replicate ( ctx . partition_dn ,
misc . GUID ( " 00000000-0000-0000-0000-000000000000 " ) ,
ctx . ntds_guid ,
exop = drsuapi . DRSUAPI_EXOP_REPL_OBJ ,
replica_flags = drsuapi . DRSUAPI_DRS_WRIT_REP )
print ( " Replicating NTDS DN " )
ctx . repl . replicate ( ctx . ntds_dn ,
misc . GUID ( " 00000000-0000-0000-0000-000000000000 " ) ,
ctx . ntds_guid ,
exop = drsuapi . DRSUAPI_EXOP_REPL_OBJ ,
replica_flags = drsuapi . DRSUAPI_DRS_WRIT_REP )
2011-08-26 13:23:41 +10:00
2010-08-24 23:37:25 +10:00
def join_provision ( ctx ) :
2012-09-16 14:18:51 +02:00
""" Provision the local SAM. """
2010-08-24 23:37:25 +10:00
2018-03-09 13:53:45 +00:00
print ( " Calling bare provision " )
2010-08-24 23:37:25 +10:00
2010-11-05 14:09:49 +11:00
smbconf = ctx . lp . configfile
2010-08-24 23:37:25 +10:00
2013-09-26 10:19:18 -07:00
presult = provision ( ctx . logger , system_session ( ) , smbconf = smbconf ,
2018-07-30 18:16:12 +12:00
targetdir = ctx . targetdir , samdb_fill = FILL_DRS , realm = ctx . realm ,
rootdn = ctx . root_dn , domaindn = ctx . base_dn ,
schemadn = ctx . schema_dn , configdn = ctx . config_dn ,
serverdn = ctx . server_dn , domain = ctx . domain_name ,
hostname = ctx . myname , domainsid = ctx . domsid ,
machinepass = ctx . acct_pass , serverrole = " active directory domain controller " ,
sitename = ctx . site , lp = ctx . lp , ntdsguid = ctx . ntds_guid ,
use_ntvfs = ctx . use_ntvfs , dns_backend = ctx . dns_backend ,
plaintext_secrets = ctx . plaintext_secrets ,
backend_store = ctx . backend_store
2018-07-30 18:14:43 +12:00
)
2018-03-09 13:53:45 +00:00
print ( " Provision OK for domain DN %s " % presult . domaindn )
2010-08-24 23:37:25 +10:00
ctx . local_samdb = presult . samdb
ctx . lp = presult . lp
2010-08-25 12:34:15 +10:00
ctx . paths = presult . paths
2011-08-24 15:39:51 +10:00
ctx . names = presult . names
2014-08-08 18:43:47 +12:00
# Fix up the forestsid, it may be different if we are joining as a subdomain
ctx . names . forestsid = ctx . forestsid
2011-08-24 15:39:51 +10:00
def join_provision_own_domain ( ctx ) :
2012-09-16 14:18:51 +02:00
""" Provision the local SAM. """
2011-08-24 15:39:51 +10:00
2011-09-02 15:12:11 +10:00
# we now operate exclusively on the local database, which
# we need to reopen in order to get the newly created schema
print ( " Reconnecting to local samdb " )
ctx . samdb = SamDB ( url = ctx . local_samdb . url ,
session_info = system_session ( ) ,
lp = ctx . local_samdb . lp ,
global_schema = False )
ctx . samdb . set_invocation_id ( str ( ctx . invocation_id ) )
ctx . local_samdb = ctx . samdb
2011-08-26 13:23:41 +10:00
2013-09-09 09:53:37 +12:00
ctx . logger . info ( " Finding domain GUID from ncName " )
2011-08-24 15:39:51 +10:00
res = ctx . local_samdb . search ( base = ctx . partition_dn , scope = ldb . SCOPE_BASE , attrs = [ ' ncName ' ] ,
2013-09-16 10:23:07 -07:00
controls = [ " extended_dn:1:1 " , " reveal_internals:0 " ] )
2013-09-06 15:38:36 +12:00
if ' nCName ' not in res [ 0 ] :
raise DCJoinException ( " Can ' t find naming context on partition DN %s in %s " % ( ctx . partition_dn , ctx . samdb . url ) )
try :
2018-04-25 20:01:49 +01:00
ctx . names . domainguid = str ( misc . GUID ( ldb . Dn ( ctx . samdb , res [ 0 ] [ ' ncName ' ] [ 0 ] . decode ( ' utf8 ' ) ) . get_extended_component ( ' GUID ' ) ) )
2013-09-06 15:38:36 +12:00
except KeyError :
raise DCJoinException ( " Can ' t find GUID in naming master on partition DN %s " % res [ 0 ] [ ' ncName ' ] [ 0 ] )
2014-08-08 18:43:47 +12:00
ctx . logger . info ( " Got domain GUID %s " % ctx . names . domainguid )
2011-09-07 17:21:07 +10:00
2013-09-09 09:53:37 +12:00
ctx . logger . info ( " Calling own domain provision " )
2011-08-24 15:39:51 +10:00
secrets_ldb = Ldb ( ctx . paths . secrets , session_info = system_session ( ) , lp = ctx . lp )
presult = provision_fill ( ctx . local_samdb , secrets_ldb ,
2014-08-08 18:43:47 +12:00
ctx . logger , ctx . names , ctx . paths ,
2013-09-09 11:54:23 +12:00
dom_for_fun_level = DS_DOMAIN_FUNCTION_2003 ,
2011-08-24 15:39:51 +10:00
targetdir = ctx . targetdir , samdb_fill = FILL_SUBDOMAIN ,
2013-09-09 12:15:36 +12:00
machinepass = ctx . acct_pass , serverrole = " active directory domain controller " ,
2011-10-15 13:54:45 +02:00
lp = ctx . lp , hostip = ctx . names . hostip , hostip6 = ctx . names . hostip6 ,
2013-09-09 09:53:37 +12:00
dns_backend = ctx . dns_backend , adminpass = ctx . adminpass )
2011-08-26 13:23:41 +10:00
print ( " Provision OK for domain %s " % ctx . names . dnsdomain )
2010-08-24 23:37:25 +10:00
2018-06-11 16:50:28 +12:00
def create_replicator ( ctx , repl_creds , binding_options ) :
''' Creates a new DRS object for managing replications '''
return drs_utils . drs_Replicate (
" ncacn_ip_tcp: %s [ %s ] " % ( ctx . server , binding_options ) ,
ctx . lp , repl_creds , ctx . local_samdb , ctx . invocation_id )
2010-08-24 23:37:25 +10:00
def join_replicate ( ctx ) :
2012-09-16 14:18:51 +02:00
""" Replicate the SAM. """
2010-08-24 23:37:25 +10:00
2018-03-09 13:53:45 +00:00
print ( " Starting replication " )
2010-08-24 23:37:25 +10:00
ctx . local_samdb . transaction_start ( )
2010-12-15 16:40:59 +01:00
try :
source_dsa_invocation_id = misc . GUID ( ctx . samdb . get_invocation_id ( ) )
2011-08-26 13:23:41 +10:00
if ctx . ntds_guid is None :
2011-08-24 15:39:51 +10:00
print ( " Using DS_BIND_GUID_W2K3 " )
2011-08-26 13:23:41 +10:00
destination_dsa_guid = misc . GUID ( drsuapi . DRSUAPI_DS_BIND_GUID_W2K3 )
else :
destination_dsa_guid = ctx . ntds_guid
2010-12-15 16:40:59 +01:00
if ctx . RODC :
repl_creds = Credentials ( )
repl_creds . guess ( ctx . lp )
repl_creds . set_kerberos_state ( DONT_USE_KERBEROS )
repl_creds . set_username ( ctx . samname )
2018-11-28 13:58:49 +00:00
repl_creds . set_password ( ctx . acct_pass )
2010-12-15 16:40:59 +01:00
else :
repl_creds = ctx . creds
binding_options = " seal "
2017-09-06 16:40:05 +12:00
if ctx . lp . log_level ( ) > = 9 :
2010-12-15 16:40:59 +01:00
binding_options + = " ,print "
2018-06-11 16:50:28 +12:00
repl = ctx . create_replicator ( repl_creds , binding_options )
2010-12-15 16:40:59 +01:00
repl . replicate ( ctx . schema_dn , source_dsa_invocation_id ,
2018-07-30 18:16:12 +12:00
destination_dsa_guid , schema = True , rodc = ctx . RODC ,
replica_flags = ctx . replica_flags )
2010-12-15 16:40:59 +01:00
repl . replicate ( ctx . config_dn , source_dsa_invocation_id ,
2018-07-30 18:16:12 +12:00
destination_dsa_guid , rodc = ctx . RODC ,
replica_flags = ctx . replica_flags )
2011-08-24 15:39:51 +10:00
if not ctx . subdomain :
2011-10-25 20:13:00 +02:00
# Replicate first the critical object for the basedn
if not ctx . domain_replica_flags & drsuapi . DRSUAPI_DRS_CRITICAL_ONLY :
2018-03-09 13:53:45 +00:00
print ( " Replicating critical objects from the base DN of the domain " )
2016-11-29 14:27:57 +01:00
ctx . domain_replica_flags | = drsuapi . DRSUAPI_DRS_CRITICAL_ONLY
2011-10-25 20:13:00 +02:00
repl . replicate ( ctx . base_dn , source_dsa_invocation_id ,
2018-07-30 18:16:12 +12:00
destination_dsa_guid , rodc = ctx . RODC ,
replica_flags = ctx . domain_replica_flags )
2015-12-09 17:04:14 +13:00
ctx . domain_replica_flags ^ = drsuapi . DRSUAPI_DRS_CRITICAL_ONLY
2011-08-24 15:39:51 +10:00
repl . replicate ( ctx . base_dn , source_dsa_invocation_id ,
destination_dsa_guid , rodc = ctx . RODC ,
replica_flags = ctx . domain_replica_flags )
2018-03-09 13:53:45 +00:00
print ( " Done with always replicated NC (base, config, schema) " )
2012-06-21 23:46:21 +10:00
2016-07-18 13:09:59 +12:00
# At this point we should already have an entry in the ForestDNS
# and DomainDNS NC (those under CN=Partions,DC=...) in order to
# indicate that we hold a replica for this NC.
2012-09-29 10:15:05 -07:00
for nc in ( ctx . domaindns_zone , ctx . forestdns_zone ) :
2012-10-11 17:23:13 +02:00
if nc in ctx . nc_list :
2018-03-09 13:53:45 +00:00
print ( " Replicating %s " % ( str ( nc ) ) )
2012-09-29 10:15:05 -07:00
repl . replicate ( nc , source_dsa_invocation_id ,
2018-07-30 18:15:34 +12:00
destination_dsa_guid , rodc = ctx . RODC ,
replica_flags = ctx . replica_flags )
2012-06-21 23:46:21 +10:00
2010-12-15 16:40:59 +01:00
if ctx . RODC :
repl . replicate ( ctx . acct_dn , source_dsa_invocation_id ,
2018-07-30 18:16:12 +12:00
destination_dsa_guid ,
exop = drsuapi . DRSUAPI_EXOP_REPL_SECRET , rodc = True )
2010-12-15 16:40:59 +01:00
repl . replicate ( ctx . new_krbtgt_dn , source_dsa_invocation_id ,
2018-07-30 18:16:12 +12:00
destination_dsa_guid ,
exop = drsuapi . DRSUAPI_EXOP_REPL_SECRET , rodc = True )
2018-07-30 18:22:15 +12:00
elif ctx . rid_manager_dn is not None :
2016-10-31 16:48:33 +13:00
# Try and get a RID Set if we can. This is only possible against the RID Master. Warn otherwise.
try :
repl . replicate ( ctx . rid_manager_dn , source_dsa_invocation_id ,
destination_dsa_guid ,
exop = drsuapi . DRSUAPI_EXOP_FSMO_RID_ALLOC )
2018-02-23 14:29:05 +00:00
except samba . DsExtendedError as e1 :
( enum , estr ) = e1 . args
2016-10-31 16:48:33 +13:00
if enum == drsuapi . DRSUAPI_EXOP_ERR_FSMO_NOT_OWNER :
2018-03-09 13:53:45 +00:00
print ( " WARNING: Unable to replicate own RID Set, as server %s (the server we joined) is not the RID Master. " % ctx . server )
print ( " NOTE: This is normal and expected, Samba will be able to create users after it contacts the RID Master at first startup. " )
2016-10-31 16:48:33 +13:00
else :
raise
2011-08-24 15:39:51 +10:00
ctx . repl = repl
ctx . source_dsa_invocation_id = source_dsa_invocation_id
ctx . destination_dsa_guid = destination_dsa_guid
2010-12-15 16:40:59 +01:00
2018-03-09 13:53:45 +00:00
print ( " Committing SAM database " )
2012-02-25 15:56:25 +01:00
except :
2010-12-15 16:40:59 +01:00
ctx . local_samdb . transaction_cancel ( )
raise
2010-11-07 13:55:20 +11:00
else :
2010-12-15 16:40:59 +01:00
ctx . local_samdb . transaction_commit ( )
2010-08-24 23:37:25 +10:00
2018-10-17 14:41:12 +13:00
# A large replication may have caused our LDB connection to the
# remote DC to timeout, so check the connection is still alive
ctx . refresh_ldb_connection ( )
def refresh_ldb_connection ( ctx ) :
try :
# query the rootDSE to check the connection
ctx . samdb . search ( scope = ldb . SCOPE_BASE , attrs = [ ] )
except ldb . LdbError as e :
( enum , estr ) = e . args
# if the connection was disconnected, then reconnect
if ( enum == ldb . ERR_OPERATIONS_ERROR and
2018-11-05 14:30:14 +13:00
( ' NT_STATUS_CONNECTION_DISCONNECTED ' in estr or
' NT_STATUS_CONNECTION_RESET ' in estr ) ) :
2018-10-17 14:41:12 +13:00
ctx . logger . warning ( " LDB connection disconnected. Reconnecting " )
ctx . samdb = SamDB ( url = " ldap:// %s " % ctx . server ,
session_info = system_session ( ) ,
credentials = ctx . creds , lp = ctx . lp )
else :
raise DCJoinException ( estr )
2011-10-25 20:16:38 +02:00
def send_DsReplicaUpdateRefs ( ctx , dn ) :
r = drsuapi . DsReplicaUpdateRefsRequest1 ( )
r . naming_context = drsuapi . DsReplicaObjectIdentifier ( )
r . naming_context . dn = str ( dn )
r . naming_context . guid = misc . GUID ( " 00000000-0000-0000-0000-000000000000 " )
r . naming_context . sid = security . dom_sid ( " S-0-0 " )
r . dest_dsa_guid = ctx . ntds_guid
r . dest_dsa_dns_name = " %s ._msdcs. %s " % ( str ( ctx . ntds_guid ) , ctx . dnsforest )
r . options = drsuapi . DRSUAPI_DRS_ADD_REF | drsuapi . DRSUAPI_DRS_DEL_REF
if not ctx . RODC :
r . options | = drsuapi . DRSUAPI_DRS_WRIT_REP
2017-03-28 14:29:26 +13:00
if ctx . drsuapi is None :
ctx . drsuapi_connect ( )
ctx . drsuapi . DsReplicaUpdateRefs ( ctx . drsuapi_handle , 1 , r )
2010-08-24 23:37:25 +10:00
2017-02-17 18:23:23 +13:00
def join_add_dns_records ( ctx ) :
""" Remotely Add a DNS record to the target DC. We assume that if we
replicate DNS that the server holds the DNS roles and can accept
updates .
This avoids issues getting replication going after the DC
first starts as the rest of the domain does not have to
wait for samba_dnsupdate to run successfully .
Specifically , we add the records implied by the DsReplicaUpdateRefs
call above .
We do not just run samba_dnsupdate as we want to strictly
operate against the DC we just joined :
- We do not want to query another DNS server
- We do not want to obtain a Kerberos ticket
( as the KDC we select may not be the DC we just joined ,
and so may not be in sync with the password we just set )
- We do not wish to set the _ldap records until we have started
- We do not wish to use NTLM ( the - - use - samba - tool mode forces
NTLM )
"""
client_version = dnsserver . DNS_CLIENT_VERSION_LONGHORN
select_flags = dnsserver . DNS_RPC_VIEW_AUTHORITY_DATA | \
2018-09-04 01:05:26 +12:00
dnsserver . DNS_RPC_VIEW_NO_CHILDREN
2017-02-17 18:23:23 +13:00
zone = ctx . dnsdomain
msdcs_zone = " _msdcs. %s " % ctx . dnsforest
name = ctx . myname
msdcs_cname = str ( ctx . ntds_guid )
cname_target = " %s . %s " % ( name , zone )
IPs = samba . interface_ips ( ctx . lp , ctx . force_all_ips )
2018-07-30 18:22:01 +12:00
ctx . logger . info ( " Adding %d remote DNS records for %s . %s " %
2017-02-17 18:23:23 +13:00
( len ( IPs ) , name , zone ) )
binding_options = " sign "
dns_conn = dnsserver . dnsserver ( " ncacn_ip_tcp: %s [ %s ] " % ( ctx . server , binding_options ) ,
2018-07-30 18:16:12 +12:00
ctx . lp , ctx . creds )
2017-02-17 18:23:23 +13:00
name_found = True
2018-10-26 18:38:27 +13:00
sd_helper = sd_utils . SDUtils ( ctx . samdb )
2017-02-17 18:23:23 +13:00
change_owner_sd = security . descriptor ( )
change_owner_sd . owner_sid = ctx . new_dc_account_sid
change_owner_sd . group_sid = security . dom_sid ( " %s - %d " %
( str ( ctx . domsid ) ,
security . DOMAIN_RID_DCS ) )
# TODO: Remove any old records from the primary DNS name
try :
( buflen , res ) \
= dns_conn . DnssrvEnumRecords2 ( client_version ,
0 ,
ctx . server ,
zone ,
name ,
None ,
dnsp . DNS_TYPE_ALL ,
select_flags ,
None ,
None )
except WERRORError as e :
if e . args [ 0 ] == werror . WERR_DNS_ERROR_NAME_DOES_NOT_EXIST :
name_found = False
pass
if name_found :
for rec in res . rec :
for record in rec . records :
if record . wType == dnsp . DNS_TYPE_A or \
record . wType == dnsp . DNS_TYPE_AAAA :
# delete record
del_rec_buf = dnsserver . DNS_RPC_RECORD_BUF ( )
del_rec_buf . rec = record
try :
dns_conn . DnssrvUpdateRecord2 ( client_version ,
0 ,
ctx . server ,
zone ,
name ,
None ,
del_rec_buf )
except WERRORError as e :
if e . args [ 0 ] == werror . WERR_DNS_ERROR_NAME_DOES_NOT_EXIST :
pass
else :
raise
for IP in IPs :
if IP . find ( ' : ' ) != - 1 :
ctx . logger . info ( " Adding DNS AAAA record %s . %s for IPv6 IP: %s "
% ( name , zone , IP ) )
rec = AAAARecord ( IP )
else :
ctx . logger . info ( " Adding DNS A record %s . %s for IPv4 IP: %s "
% ( name , zone , IP ) )
rec = ARecord ( IP )
# Add record
add_rec_buf = dnsserver . DNS_RPC_RECORD_BUF ( )
add_rec_buf . rec = rec
dns_conn . DnssrvUpdateRecord2 ( client_version ,
0 ,
ctx . server ,
zone ,
name ,
add_rec_buf ,
None )
if ( len ( IPs ) > 0 ) :
domaindns_zone_dn = ldb . Dn ( ctx . samdb , ctx . domaindns_zone )
( ctx . dns_a_dn , ldap_record ) \
= ctx . samdb . dns_lookup ( " %s . %s " % ( name , zone ) ,
dns_partition = domaindns_zone_dn )
# Make the DC own the DNS record, not the administrator
sd_helper . modify_sd_on_dn ( ctx . dns_a_dn , change_owner_sd ,
controls = [ " sd_flags:1: %d "
% ( security . SECINFO_OWNER
| security . SECINFO_GROUP ) ] )
# Add record
ctx . logger . info ( " Adding DNS CNAME record %s . %s for %s "
% ( msdcs_cname , msdcs_zone , cname_target ) )
add_rec_buf = dnsserver . DNS_RPC_RECORD_BUF ( )
rec = CNameRecord ( cname_target )
add_rec_buf . rec = rec
dns_conn . DnssrvUpdateRecord2 ( client_version ,
0 ,
ctx . server ,
msdcs_zone ,
msdcs_cname ,
add_rec_buf ,
None )
forestdns_zone_dn = ldb . Dn ( ctx . samdb , ctx . forestdns_zone )
( ctx . dns_cname_dn , ldap_record ) \
= ctx . samdb . dns_lookup ( " %s . %s " % ( msdcs_cname , msdcs_zone ) ,
dns_partition = forestdns_zone_dn )
# Make the DC own the DNS record, not the administrator
sd_helper . modify_sd_on_dn ( ctx . dns_cname_dn , change_owner_sd ,
controls = [ " sd_flags:1: %d "
% ( security . SECINFO_OWNER
| security . SECINFO_GROUP ) ] )
ctx . logger . info ( " All other DNS records (like _ldap SRV records) " +
" will be created samba_dnsupdate on first startup " )
def join_replicate_new_dns_records ( ctx ) :
for nc in ( ctx . domaindns_zone , ctx . forestdns_zone ) :
if nc in ctx . nc_list :
ctx . logger . info ( " Replicating new DNS records in %s " % ( str ( nc ) ) )
ctx . repl . replicate ( nc , ctx . source_dsa_invocation_id ,
ctx . ntds_guid , rodc = ctx . RODC ,
replica_flags = ctx . replica_flags ,
full_sync = False )
2010-08-25 12:34:15 +10:00
def join_finalise ( ctx ) :
2012-09-16 14:18:51 +02:00
""" Finalise the join, mark us synchronised and setup secrets db. """
2010-08-25 12:34:15 +10:00
2012-10-07 21:52:25 -07:00
# FIXME we shouldn't do this in all cases
2015-08-17 15:33:31 +12:00
2012-10-07 21:52:25 -07:00
# If for some reasons we joined in another site than the one of
# DC we just replicated from then we don't need to send the updatereplicateref
# as replication between sites is time based and on the initiative of the
# requesting DC
2018-06-11 16:33:19 +12:00
ctx . logger . info ( " Sending DsReplicaUpdateRefs for all the replicated partitions " )
for nc in ctx . nc_list :
ctx . send_DsReplicaUpdateRefs ( nc )
2011-10-25 20:16:38 +02:00
2018-06-11 16:33:19 +12:00
if ctx . RODC :
2018-03-09 13:53:45 +00:00
print ( " Setting RODC invocationId " )
2012-08-03 12:47:11 +02:00
ctx . local_samdb . set_invocation_id ( str ( ctx . invocation_id ) )
ctx . local_samdb . set_opaque_integer ( " domainFunctionality " ,
ctx . behavior_version )
m = ldb . Message ( )
m . dn = ldb . Dn ( ctx . local_samdb , " %s " % ctx . ntds_dn )
m [ " invocationId " ] = ldb . MessageElement ( ndr_pack ( ctx . invocation_id ) ,
ldb . FLAG_MOD_REPLACE ,
" invocationId " )
ctx . local_samdb . modify ( m )
# Note: as RODC the invocationId is only stored
# on the RODC itself, the other DCs never see it.
#
# Thats is why we fix up the replPropertyMetaData stamp
# for the 'invocationId' attribute, we need to change
# the 'version' to '0', this is what windows 2008r2 does as RODC
#
# This means if the object on a RWDC ever gets a invocationId
# attribute, it will have version '1' (or higher), which will
# will overwrite the RODC local value.
ctx . local_samdb . set_attribute_replmetadata_version ( m . dn ,
" invocationId " ,
0 )
2013-09-09 09:53:37 +12:00
ctx . logger . info ( " Setting isSynchronized and dsServiceName " )
2010-08-25 12:34:15 +10:00
m = ldb . Message ( )
2011-08-11 16:05:11 +10:00
m . dn = ldb . Dn ( ctx . local_samdb , ' @ROOTDSE ' )
2010-08-25 12:34:15 +10:00
m [ " isSynchronized " ] = ldb . MessageElement ( " TRUE " , ldb . FLAG_MOD_REPLACE , " isSynchronized " )
2015-08-17 15:33:31 +12:00
2018-06-11 16:33:19 +12:00
guid = ctx . ntds_guid
2015-08-17 15:33:31 +12:00
m [ " dsServiceName " ] = ldb . MessageElement ( " <GUID= %s > " % str ( guid ) ,
2011-08-11 16:05:11 +10:00
ldb . FLAG_MOD_REPLACE , " dsServiceName " )
ctx . local_samdb . modify ( m )
2010-08-25 12:34:15 +10:00
2018-06-11 16:33:19 +12:00
if ctx . subdomain :
2011-08-26 13:23:41 +10:00
return
2010-08-25 12:34:15 +10:00
secrets_ldb = Ldb ( ctx . paths . secrets , session_info = system_session ( ) , lp = ctx . lp )
2013-09-09 09:53:37 +12:00
ctx . logger . info ( " Setting up secrets database " )
2010-08-25 12:34:15 +10:00
secretsdb_self_join ( secrets_ldb , domain = ctx . domain_name ,
realm = ctx . realm ,
dnsdomain = ctx . dnsdomain ,
netbiosname = ctx . myname ,
2014-08-11 11:23:57 +12:00
domainsid = ctx . domsid ,
2010-08-25 12:34:15 +10:00
machinepass = ctx . acct_pass ,
2010-11-05 19:09:45 +11:00
secure_channel_type = ctx . secure_channel_type ,
2010-09-30 12:44:39 -07:00
key_version_number = ctx . key_version_number )
2010-08-25 12:34:15 +10:00
2012-06-24 21:10:34 +10:00
if ctx . dns_backend . startswith ( " BIND9_ " ) :
2014-08-08 18:43:47 +12:00
setup_bind9_dns ( ctx . local_samdb , secrets_ldb ,
2013-09-09 09:53:37 +12:00
ctx . names , ctx . paths , ctx . lp , ctx . logger ,
2012-06-24 21:10:34 +10:00
dns_backend = ctx . dns_backend ,
2012-12-24 08:56:50 +11:00
dnspass = ctx . dnspass , os_level = ctx . behavior_version ,
targetdir = ctx . targetdir ,
key_version_number = ctx . dns_key_version_number )
2012-06-24 21:10:34 +10:00
2011-08-26 13:23:41 +10:00
def join_setup_trusts ( ctx ) :
2012-09-16 14:18:51 +02:00
""" provision the local SAM. """
2011-08-26 13:23:41 +10:00
2018-03-09 13:53:45 +00:00
print ( " Setup domain trusts with server %s " % ctx . server )
2011-11-13 21:13:59 +01:00
binding_options = " " # why doesn't signing work here? w2k8r2 claims no session key
2011-08-26 13:23:41 +10:00
lsaconn = lsa . lsarpc ( " ncacn_np: %s [ %s ] " % ( ctx . server , binding_options ) ,
ctx . lp , ctx . creds )
objectAttr = lsa . ObjectAttribute ( )
objectAttr . sec_qos = lsa . QosInfo ( )
pol_handle = lsaconn . OpenPolicy2 ( ' ' . decode ( ' utf-8 ' ) ,
objectAttr , security . SEC_FLAG_MAXIMUM_ALLOWED )
info = lsa . TrustDomainInfoInfoEx ( )
info . domain_name . string = ctx . dnsdomain
info . netbios_name . string = ctx . domain_name
2014-08-11 11:23:57 +12:00
info . sid = ctx . domsid
2011-08-26 13:23:41 +10:00
info . trust_direction = lsa . LSA_TRUST_DIRECTION_INBOUND | lsa . LSA_TRUST_DIRECTION_OUTBOUND
info . trust_type = lsa . LSA_TRUST_TYPE_UPLEVEL
info . trust_attributes = lsa . LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
try :
oldname = lsa . String ( )
oldname . string = ctx . dnsdomain
oldinfo = lsaconn . QueryTrustedDomainInfoByName ( pol_handle , oldname ,
lsa . LSA_TRUSTED_DOMAIN_INFO_FULL_INFO )
print ( " Removing old trust record for %s (SID %s ) " % ( ctx . dnsdomain , oldinfo . info_ex . sid ) )
lsaconn . DeleteTrustedDomain ( pol_handle , oldinfo . info_ex . sid )
except RuntimeError :
pass
2016-01-28 14:00:38 +01:00
password_blob = string_to_byte_array ( ctx . trustdom_pass . encode ( ' utf-16-le ' ) )
2011-08-26 13:23:41 +10:00
clear_value = drsblobs . AuthInfoClear ( )
clear_value . size = len ( password_blob )
clear_value . password = password_blob
clear_authentication_information = drsblobs . AuthenticationInformation ( )
2011-09-07 17:22:49 +10:00
clear_authentication_information . LastUpdateTime = samba . unix2nttime ( int ( time . time ( ) ) )
2011-08-26 13:23:41 +10:00
clear_authentication_information . AuthType = lsa . TRUST_AUTH_TYPE_CLEAR
clear_authentication_information . AuthInfo = clear_value
authentication_information_array = drsblobs . AuthenticationInformationArray ( )
2011-09-07 17:22:49 +10:00
authentication_information_array . count = 1
authentication_information_array . array = [ clear_authentication_information ]
2011-08-26 13:23:41 +10:00
outgoing = drsblobs . trustAuthInOutBlob ( )
outgoing . count = 1
outgoing . current = authentication_information_array
trustpass = drsblobs . trustDomainPasswords ( )
confounder = [ 3 ] * 512
for i in range ( 512 ) :
confounder [ i ] = random . randint ( 0 , 255 )
trustpass . confounder = confounder
trustpass . outgoing = outgoing
trustpass . incoming = outgoing
trustpass_blob = ndr_pack ( trustpass )
encrypted_trustpass = arcfour_encrypt ( lsaconn . session_key , trustpass_blob )
auth_blob = lsa . DATA_BUF2 ( )
auth_blob . size = len ( encrypted_trustpass )
2016-01-28 14:00:38 +01:00
auth_blob . data = string_to_byte_array ( encrypted_trustpass )
2011-08-26 13:23:41 +10:00
auth_info = lsa . TrustDomainInfoAuthInfoInternal ( )
auth_info . auth_blob = auth_blob
trustdom_handle = lsaconn . CreateTrustedDomainEx2 ( pol_handle ,
info ,
auth_info ,
security . SEC_STD_DELETE )
rec = {
2018-07-30 18:17:14 +12:00
" dn " : " cn= %s ,cn=system, %s " % ( ctx . dnsforest , ctx . base_dn ) ,
" objectclass " : " trustedDomain " ,
" trustType " : str ( info . trust_type ) ,
" trustAttributes " : str ( info . trust_attributes ) ,
" trustDirection " : str ( info . trust_direction ) ,
" flatname " : ctx . forest_domain_name ,
" trustPartner " : ctx . dnsforest ,
" trustAuthIncoming " : ndr_pack ( outgoing ) ,
" trustAuthOutgoing " : ndr_pack ( outgoing ) ,
" securityIdentifier " : ndr_pack ( ctx . forestsid )
2018-07-30 18:14:37 +12:00
}
2011-08-26 13:23:41 +10:00
ctx . local_samdb . add ( rec )
rec = {
2018-07-30 18:17:14 +12:00
" dn " : " cn= %s $,cn=users, %s " % ( ctx . forest_domain_name , ctx . base_dn ) ,
" objectclass " : " user " ,
" userAccountControl " : str ( samba . dsdb . UF_INTERDOMAIN_TRUST_ACCOUNT ) ,
" clearTextPassword " : ctx . trustdom_pass . encode ( ' utf-16-le ' ) ,
" samAccountName " : " %s $ " % ctx . forest_domain_name
2018-07-30 18:14:37 +12:00
}
2011-08-26 13:23:41 +10:00
ctx . local_samdb . add ( rec )
2018-06-11 16:33:19 +12:00
def build_nc_lists ( ctx ) :
2013-10-16 14:34:43 +13:00
# nc_list is the list of naming context (NC) for which we will
# replicate in and send a updateRef command to the partner DC
# full_nc_list is the list of naming context (NC) we hold
# read/write copies of. These are not subsets of each other.
2018-07-30 18:17:02 +12:00
ctx . nc_list = [ ctx . config_dn , ctx . schema_dn ]
ctx . full_nc_list = [ ctx . base_dn , ctx . config_dn , ctx . schema_dn ]
2012-06-21 23:46:21 +10:00
2013-10-16 14:34:43 +13:00
if ctx . subdomain and ctx . dns_backend != " NONE " :
ctx . full_nc_list + = [ ctx . domaindns_zone ]
elif not ctx . subdomain :
2012-06-21 23:46:21 +10:00
ctx . nc_list + = [ ctx . base_dn ]
2013-10-16 14:34:43 +13:00
2012-06-21 23:46:21 +10:00
if ctx . dns_backend != " NONE " :
2012-09-06 10:37:18 +10:00
ctx . nc_list + = [ ctx . domaindns_zone ]
2013-10-16 14:34:43 +13:00
ctx . nc_list + = [ ctx . forestdns_zone ]
ctx . full_nc_list + = [ ctx . domaindns_zone ]
ctx . full_nc_list + = [ ctx . forestdns_zone ]
2012-06-21 23:46:21 +10:00
2018-06-11 16:33:19 +12:00
def do_join ( ctx ) :
ctx . build_nc_lists ( )
if ctx . promote_existing :
ctx . promote_possible ( )
else :
ctx . cleanup_old_join ( )
2012-09-16 14:18:51 +02:00
2010-11-05 14:09:49 +11:00
try :
2018-06-11 16:33:19 +12:00
ctx . join_add_objects ( )
2010-11-05 14:09:49 +11:00
ctx . join_provision ( )
2011-09-02 15:12:11 +10:00
ctx . join_replicate ( )
2018-06-11 16:33:19 +12:00
if ctx . subdomain :
2011-08-24 15:39:51 +10:00
ctx . join_add_objects2 ( )
2011-08-24 15:39:51 +10:00
ctx . join_provision_own_domain ( )
2011-08-26 13:23:41 +10:00
ctx . join_setup_trusts ( )
2017-02-17 18:23:23 +13:00
2018-06-11 16:33:19 +12:00
if ctx . dns_backend != " NONE " :
2017-02-17 18:23:23 +13:00
ctx . join_add_dns_records ( )
ctx . join_replicate_new_dns_records ( )
2011-08-26 13:23:41 +10:00
ctx . join_finalise ( )
2012-02-25 15:56:25 +01:00
except :
2016-05-05 09:39:58 +12:00
try :
2018-03-09 13:53:45 +00:00
print ( " Join failed - cleaning up " )
2016-05-05 09:39:58 +12:00
except IOError :
pass
2018-10-18 13:07:20 +13:00
# cleanup the failed join (checking we still have a live LDB
# connection to the remote DC first)
ctx . refresh_ldb_connection ( )
2018-06-11 16:33:19 +12:00
ctx . cleanup_old_join ( )
2010-11-05 14:09:49 +11:00
raise
2010-08-25 12:34:15 +10:00
2013-09-09 09:53:37 +12:00
def join_RODC ( logger = None , server = None , creds = None , lp = None , site = None , netbios_name = None ,
2011-11-28 20:03:11 +01:00
targetdir = None , domain = None , domain_critical_only = False ,
2012-07-06 15:38:06 +10:00
machinepass = None , use_ntvfs = False , dns_backend = None ,
2018-05-14 11:23:24 +12:00
promote_existing = False , plaintext_secrets = False ,
backend_store = None ) :
2012-09-16 14:18:51 +02:00
""" Join as a RODC. """
2010-09-15 18:52:11 +10:00
2018-06-25 17:21:00 +12:00
ctx = DCJoinContext ( logger , server , creds , lp , site , netbios_name ,
targetdir , domain , machinepass , use_ntvfs , dns_backend ,
promote_existing , plaintext_secrets ,
backend_store = backend_store )
2010-08-23 11:31:48 +10:00
2011-08-24 15:39:51 +10:00
lp . set ( " workgroup " , ctx . domain_name )
2013-09-09 09:53:37 +12:00
logger . info ( " workgroup is %s " % ctx . domain_name )
2011-08-24 15:39:51 +10:00
lp . set ( " realm " , ctx . realm )
2013-09-09 09:53:37 +12:00
logger . info ( " realm is %s " % ctx . realm )
2011-08-24 15:39:51 +10:00
2010-08-24 15:42:54 +10:00
ctx . krbtgt_dn = " CN=krbtgt_ %s ,CN=Users, %s " % ( ctx . myname , ctx . base_dn )
2010-08-23 11:31:48 +10:00
2010-08-24 23:37:25 +10:00
# setup some defaults for accounts that should be replicated to this RODC
2012-09-16 14:18:51 +02:00
ctx . never_reveal_sid = [
" <SID= %s - %s > " % ( ctx . domsid , security . DOMAIN_RID_RODC_DENY ) ,
" <SID= %s > " % security . SID_BUILTIN_ADMINISTRATORS ,
" <SID= %s > " % security . SID_BUILTIN_SERVER_OPERATORS ,
" <SID= %s > " % security . SID_BUILTIN_BACKUP_OPERATORS ,
" <SID= %s > " % security . SID_BUILTIN_ACCOUNT_OPERATORS ]
2010-08-25 12:34:15 +10:00
ctx . reveal_sid = " <SID= %s - %s > " % ( ctx . domsid , security . DOMAIN_RID_RODC_ALLOW )
2010-08-23 11:31:48 +10:00
2010-11-07 13:55:20 +11:00
mysid = ctx . get_mysid ( )
admin_dn = " <SID= %s > " % mysid
ctx . managedby = admin_dn
2010-08-23 11:31:48 +10:00
2010-11-05 14:09:49 +11:00
ctx . userAccountControl = ( samba . dsdb . UF_WORKSTATION_TRUST_ACCOUNT |
samba . dsdb . UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION |
samba . dsdb . UF_PARTIAL_SECRETS_ACCOUNT )
2010-08-23 11:31:48 +10:00
2018-07-30 18:16:43 +12:00
ctx . SPNs . extend ( [ " RestrictedKrbHost/ %s " % ctx . myname ,
2018-09-04 01:05:48 +12:00
" RestrictedKrbHost/ %s " % ctx . dnshostname ] )
2010-08-24 23:37:25 +10:00
2010-11-05 14:09:49 +11:00
ctx . connection_dn = " CN=RODC Connection (FRS), %s " % ctx . ntds_dn
2010-11-05 19:09:45 +11:00
ctx . secure_channel_type = misc . SEC_CHAN_RODC
2010-11-05 14:09:49 +11:00
ctx . RODC = True
2018-07-30 18:16:43 +12:00
ctx . replica_flags | = ( drsuapi . DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |
2018-09-04 01:05:48 +12:00
drsuapi . DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP )
2011-08-08 11:01:21 +02:00
ctx . domain_replica_flags = ctx . replica_flags
if domain_critical_only :
ctx . domain_replica_flags | = drsuapi . DRSUAPI_DRS_CRITICAL_ONLY
2010-11-05 14:09:49 +11:00
ctx . do_join ( )
2010-11-07 13:55:20 +11:00
2013-09-09 09:53:37 +12:00
logger . info ( " Joined domain %s (SID %s ) as an RODC " % ( ctx . domain_name , ctx . domsid ) )
2010-08-23 11:31:48 +10:00
2010-11-05 14:09:49 +11:00
2013-09-09 09:53:37 +12:00
def join_DC ( logger = None , server = None , creds = None , lp = None , site = None , netbios_name = None ,
2011-11-28 20:03:11 +01:00
targetdir = None , domain = None , domain_critical_only = False ,
2012-07-06 15:38:06 +10:00
machinepass = None , use_ntvfs = False , dns_backend = None ,
2018-05-14 11:23:24 +12:00
promote_existing = False , plaintext_secrets = False ,
backend_store = None ) :
2012-09-16 14:18:51 +02:00
""" Join as a DC. """
2018-06-25 17:21:00 +12:00
ctx = DCJoinContext ( logger , server , creds , lp , site , netbios_name ,
targetdir , domain , machinepass , use_ntvfs , dns_backend ,
promote_existing , plaintext_secrets ,
backend_store = backend_store )
2010-11-05 14:09:49 +11:00
2011-08-24 15:39:51 +10:00
lp . set ( " workgroup " , ctx . domain_name )
2013-09-09 09:53:37 +12:00
logger . info ( " workgroup is %s " % ctx . domain_name )
2011-08-24 15:39:51 +10:00
lp . set ( " realm " , ctx . realm )
2013-09-09 09:53:37 +12:00
logger . info ( " realm is %s " % ctx . realm )
2011-08-24 15:39:51 +10:00
2010-11-05 14:09:49 +11:00
ctx . userAccountControl = samba . dsdb . UF_SERVER_TRUST_ACCOUNT | samba . dsdb . UF_TRUSTED_FOR_DELEGATION
ctx . SPNs . append ( ' E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/ %s ' % ctx . dnsdomain )
2010-11-05 19:09:45 +11:00
ctx . secure_channel_type = misc . SEC_CHAN_BDC
2010-11-05 14:09:49 +11:00
2016-11-29 14:27:57 +01:00
ctx . replica_flags | = ( drsuapi . DRSUAPI_DRS_WRIT_REP |
drsuapi . DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS )
2011-08-08 11:01:21 +02:00
ctx . domain_replica_flags = ctx . replica_flags
if domain_critical_only :
ctx . domain_replica_flags | = drsuapi . DRSUAPI_DRS_CRITICAL_ONLY
2010-11-07 13:55:20 +11:00
2010-11-05 14:09:49 +11:00
ctx . do_join ( )
2013-09-09 09:53:37 +12:00
logger . info ( " Joined domain %s (SID %s ) as a DC " % ( ctx . domain_name , ctx . domsid ) )
2011-08-24 15:39:51 +10:00
2018-07-30 18:20:39 +12:00
2015-08-17 15:33:31 +12:00
def join_clone ( logger = None , server = None , creds = None , lp = None ,
2018-05-01 11:10:11 +12:00
targetdir = None , domain = None , include_secrets = False ,
2018-10-25 09:03:53 +13:00
dns_backend = " NONE " , backend_store = None ) :
2018-06-11 16:33:19 +12:00
""" Creates a local clone of a remote DC. """
ctx = DCCloneContext ( logger , server , creds , lp , targetdir = targetdir ,
domain = domain , dns_backend = dns_backend ,
2018-10-25 09:03:53 +13:00
include_secrets = include_secrets ,
backend_store = backend_store )
2015-08-17 15:33:31 +12:00
lp . set ( " workgroup " , ctx . domain_name )
logger . info ( " workgroup is %s " % ctx . domain_name )
lp . set ( " realm " , ctx . realm )
logger . info ( " realm is %s " % ctx . realm )
ctx . do_join ( )
logger . info ( " Cloned domain %s (SID %s ) " % ( ctx . domain_name , ctx . domsid ) )
2018-05-01 11:10:11 +12:00
return ctx
2015-08-17 15:33:31 +12:00
2018-07-30 18:20:39 +12:00
2013-09-09 09:53:37 +12:00
def join_subdomain ( logger = None , server = None , creds = None , lp = None , site = None ,
2018-07-30 18:16:12 +12:00
netbios_name = None , targetdir = None , parent_domain = None , dnsdomain = None ,
netbios_domain = None , machinepass = None , adminpass = None , use_ntvfs = False ,
dns_backend = None , plaintext_secrets = False ,
backend_store = None ) :
2012-09-16 14:18:51 +02:00
""" Join as a DC. """
2018-06-25 17:21:00 +12:00
ctx = DCJoinContext ( logger , server , creds , lp , site , netbios_name ,
targetdir , parent_domain , machinepass , use_ntvfs ,
dns_backend , plaintext_secrets ,
backend_store = backend_store )
2011-08-24 15:39:51 +10:00
ctx . subdomain = True
2013-09-06 15:46:05 +12:00
if adminpass is None :
ctx . adminpass = samba . generate_random_password ( 12 , 32 )
else :
ctx . adminpass = adminpass
2011-08-26 13:23:41 +10:00
ctx . parent_domain_name = ctx . domain_name
2011-08-24 15:39:51 +10:00
ctx . domain_name = netbios_domain
ctx . realm = dnsdomain
2011-08-26 13:23:41 +10:00
ctx . parent_dnsdomain = ctx . dnsdomain
ctx . parent_partition_dn = ctx . get_parent_partition_dn ( )
2011-08-24 15:39:51 +10:00
ctx . dnsdomain = dnsdomain
2011-08-26 16:07:05 +10:00
ctx . partition_dn = " CN= %s ,CN=Partitions, %s " % ( ctx . domain_name , ctx . config_dn )
2011-10-01 10:58:52 +10:00
ctx . naming_master = ctx . get_naming_master ( )
if ctx . naming_master != ctx . server :
2013-09-09 09:53:37 +12:00
logger . info ( " Reconnecting to naming master %s " % ctx . naming_master )
2011-10-01 10:58:52 +10:00
ctx . server = ctx . naming_master
ctx . samdb = SamDB ( url = " ldap:// %s " % ctx . server ,
session_info = system_session ( ) ,
credentials = ctx . creds , lp = ctx . lp )
2013-09-25 17:09:30 -07:00
res = ctx . samdb . search ( base = " " , scope = ldb . SCOPE_BASE , attrs = [ ' dnsHostName ' ] ,
controls = [ ] )
ctx . server = res [ 0 ] [ " dnsHostName " ]
logger . info ( " DNS name of new naming master is %s " % ctx . server )
2011-10-01 10:58:52 +10:00
2011-08-24 15:39:51 +10:00
ctx . base_dn = samba . dn_from_dns_name ( dnsdomain )
2014-08-08 18:43:47 +12:00
ctx . forestsid = ctx . domsid
2014-08-11 11:23:57 +12:00
ctx . domsid = security . random_sid ( )
2011-08-24 15:39:51 +10:00
ctx . acct_dn = None
2014-08-19 10:33:11 +02:00
ctx . dnshostname = " %s . %s " % ( ctx . myname . lower ( ) , ctx . dnsdomain )
2016-08-23 12:27:19 +02:00
# Windows uses 240 bytes as UTF16 so we do
ctx . trustdom_pass = samba . generate_random_machine_password ( 120 , 120 )
2011-08-24 15:39:51 +10:00
ctx . userAccountControl = samba . dsdb . UF_SERVER_TRUST_ACCOUNT | samba . dsdb . UF_TRUSTED_FOR_DELEGATION
ctx . SPNs . append ( ' E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/ %s ' % ctx . dnsdomain )
ctx . secure_channel_type = misc . SEC_CHAN_BDC
2016-11-29 14:27:57 +01:00
ctx . replica_flags | = ( drsuapi . DRSUAPI_DRS_WRIT_REP |
drsuapi . DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS )
2011-08-24 15:39:51 +10:00
ctx . domain_replica_flags = ctx . replica_flags
ctx . do_join ( )
2013-09-09 09:53:37 +12:00
ctx . logger . info ( " Created domain %s (SID %s ) as a DC " % ( ctx . domain_name , ctx . domsid ) )
2018-06-11 16:33:19 +12:00
class DCCloneContext ( DCJoinContext ) :
""" Clones a remote DC. """
def __init__ ( ctx , logger = None , server = None , creds = None , lp = None ,
targetdir = None , domain = None , dns_backend = None ,
2018-10-25 09:03:53 +13:00
include_secrets = False , backend_store = None ) :
2018-06-11 16:33:19 +12:00
super ( DCCloneContext , ctx ) . __init__ ( logger , server , creds , lp ,
targetdir = targetdir , domain = domain ,
2018-10-25 09:03:53 +13:00
dns_backend = dns_backend ,
backend_store = backend_store )
2018-06-11 16:33:19 +12:00
# As we don't want to create or delete these DNs, we set them to None
ctx . server_dn = None
ctx . ntds_dn = None
ctx . acct_dn = None
ctx . myname = ctx . server . split ( ' . ' ) [ 0 ]
ctx . ntds_guid = None
ctx . rid_manager_dn = None
# Save this early
ctx . remote_dc_ntds_guid = ctx . samdb . get_ntds_GUID ( )
ctx . replica_flags | = ( drsuapi . DRSUAPI_DRS_WRIT_REP |
drsuapi . DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS )
if not include_secrets :
ctx . replica_flags | = drsuapi . DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
ctx . domain_replica_flags = ctx . replica_flags
def join_finalise ( ctx ) :
ctx . logger . info ( " Setting isSynchronized and dsServiceName " )
m = ldb . Message ( )
m . dn = ldb . Dn ( ctx . local_samdb , ' @ROOTDSE ' )
m [ " isSynchronized " ] = ldb . MessageElement ( " TRUE " , ldb . FLAG_MOD_REPLACE ,
" isSynchronized " )
# We want to appear to be the server we just cloned
guid = ctx . remote_dc_ntds_guid
m [ " dsServiceName " ] = ldb . MessageElement ( " <GUID= %s > " % str ( guid ) ,
ldb . FLAG_MOD_REPLACE ,
" dsServiceName " )
ctx . local_samdb . modify ( m )
def do_join ( ctx ) :
ctx . build_nc_lists ( )
# When cloning a DC, we just want to provision a DC locally, then
# grab the remote DC's entire DB via DRS replication
ctx . join_provision ( )
ctx . join_replicate ( )
ctx . join_finalise ( )
2018-06-11 16:50:28 +12:00
# Used to create a renamed backup of a DC. Renaming the domain means that the
# cloned/backup DC can be started without interfering with the production DC.
class DCCloneAndRenameContext ( DCCloneContext ) :
""" Clones a remote DC, renaming the domain along the way. """
def __init__ ( ctx , new_base_dn , new_domain_name , new_realm , logger = None ,
server = None , creds = None , lp = None , targetdir = None , domain = None ,
2018-10-25 09:03:53 +13:00
dns_backend = None , include_secrets = True , backend_store = None ) :
2018-06-11 16:50:28 +12:00
super ( DCCloneAndRenameContext , ctx ) . __init__ ( logger , server , creds , lp ,
targetdir = targetdir ,
domain = domain ,
dns_backend = dns_backend ,
2018-10-25 09:03:53 +13:00
include_secrets = include_secrets ,
backend_store = backend_store )
2018-06-11 16:50:28 +12:00
# store the new DN (etc) that we want the cloned DB to use
ctx . new_base_dn = new_base_dn
ctx . new_domain_name = new_domain_name
ctx . new_realm = new_realm
def create_replicator ( ctx , repl_creds , binding_options ) :
""" Creates a new DRS object for managing replications """
# We want to rename all the domain objects, and the simplest way to do
# this is during replication. This is because the base DN of the top-
# level replicated object will flow through to all the objects below it
binding_str = " ncacn_ip_tcp: %s [ %s ] " % ( ctx . server , binding_options )
return drs_utils . drs_ReplicateRenamer ( binding_str , ctx . lp , repl_creds ,
ctx . local_samdb ,
ctx . invocation_id ,
ctx . base_dn , ctx . new_base_dn )
def create_non_global_lp ( ctx , global_lp ) :
''' Creates a non-global LoadParm based on the global LP ' s settings '''
# the samba code shares a global LoadParm by default. Here we create a
# new LoadParm that retains the global settings, but any changes we
# make to it won't automatically affect the rest of the samba code.
# The easiest way to do this is to dump the global settings to a
# temporary smb.conf file, and then load the temp file into a new
# non-global LoadParm
fd , tmp_file = tempfile . mkstemp ( )
global_lp . dump ( False , tmp_file )
local_lp = samba . param . LoadParm ( filename_for_non_global_lp = tmp_file )
os . remove ( tmp_file )
return local_lp
def rename_dn ( ctx , dn_str ) :
''' Uses string substitution to replace the base DN '''
old_base_dn = ctx . base_dn
return re . sub ( ' %s $ ' % old_base_dn , ctx . new_base_dn , dn_str )
# we want to override the normal DCCloneContext's join_provision() so that
# use the new domain DNs during the provision. We do this because:
# - it sets up smb.conf/secrets.ldb with the new realm/workgroup values
# - it sets up a default SAM DB that uses the new Schema DNs (without which
# we couldn't apply the renamed DRS objects during replication)
def join_provision ( ctx ) :
""" Provision the local (renamed) SAM. """
print ( " Provisioning the new (renamed) domain... " )
# the provision() calls make_smbconf() which uses lp.dump()/lp.load()
# to create a new smb.conf. By default, it uses the global LoadParm to
# do this, and so it would overwrite the realm/domain values globally.
# We still need the global LoadParm to retain the old domain's details,
# so we can connect to (and clone) the existing DC.
# So, copy the global settings into a non-global LoadParm, which we can
# then pass into provision(). This generates a new smb.conf correctly,
# without overwriting the global realm/domain values just yet.
non_global_lp = ctx . create_non_global_lp ( ctx . lp )
# do the provision with the new/renamed domain DN values
presult = provision ( ctx . logger , system_session ( ) ,
2018-07-30 18:16:12 +12:00
targetdir = ctx . targetdir , samdb_fill = FILL_DRS ,
realm = ctx . new_realm , lp = non_global_lp ,
rootdn = ctx . rename_dn ( ctx . root_dn ) , domaindn = ctx . new_base_dn ,
schemadn = ctx . rename_dn ( ctx . schema_dn ) ,
configdn = ctx . rename_dn ( ctx . config_dn ) ,
domain = ctx . new_domain_name , domainsid = ctx . domsid ,
serverrole = " active directory domain controller " ,
2018-10-25 09:03:53 +13:00
dns_backend = ctx . dns_backend ,
backend_store = ctx . backend_store )
2018-06-11 16:50:28 +12:00
print ( " Provision OK for renamed domain DN %s " % presult . domaindn )
ctx . local_samdb = presult . samdb
ctx . paths = presult . paths