samba-tool domain join subdomain: Rework sambadns.py to allow setup of DomainDNSZone only
This skips handling the ForestDNSZone when we are setting up a subdomain. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Oct 11 10:27:49 CEST 2013 on sn-devel-104
This commit is contained in:
committed by
Stefan Metzmacher
parent
d5077baee2
commit
af3138e9b6
@ -24,6 +24,7 @@ from samba import gensec, Ldb, drs_utils
|
||||
import ldb, samba, sys, uuid
|
||||
from samba.ndr import ndr_pack
|
||||
from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs
|
||||
from samba.dsdb import DS_DOMAIN_FUNCTION_2003
|
||||
from samba.credentials import Credentials, DONT_USE_KERBEROS
|
||||
from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN
|
||||
from samba.provision.common import setup_path
|
||||
@ -765,6 +766,7 @@ class dc_join(object):
|
||||
presult = provision_fill(ctx.local_samdb, secrets_ldb,
|
||||
ctx.logger, ctx.names, ctx.paths, domainsid=security.dom_sid(ctx.domsid),
|
||||
domainguid=domguid,
|
||||
dom_for_fun_level=DS_DOMAIN_FUNCTION_2003,
|
||||
targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN,
|
||||
machinepass=ctx.acct_pass, serverrole="active directory domain controller",
|
||||
lp=ctx.lp, hostip=ctx.names.hostip, hostip6=ctx.names.hostip6,
|
||||
|
@ -67,11 +67,14 @@ from samba.dsdb import (
|
||||
from samba.credentials import DONT_USE_KERBEROS
|
||||
from samba.provision import (
|
||||
provision,
|
||||
ProvisioningError
|
||||
)
|
||||
|
||||
from samba.provision.common import (
|
||||
FILL_FULL,
|
||||
FILL_NT4SYNC,
|
||||
FILL_DRS,
|
||||
ProvisioningError,
|
||||
)
|
||||
FILL_DRS
|
||||
)
|
||||
|
||||
def get_testparm_var(testparm, smbconf, varname):
|
||||
cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
|
||||
|
@ -101,7 +101,11 @@ from samba.provision.common import (
|
||||
setup_path,
|
||||
setup_add_ldif,
|
||||
setup_modify_ldif,
|
||||
)
|
||||
FILL_FULL,
|
||||
FILL_SUBDOMAIN,
|
||||
FILL_NT4SYNC,
|
||||
FILL_DRS
|
||||
)
|
||||
from samba.provision.sambadns import (
|
||||
get_dnsadmins_sid,
|
||||
setup_ad_dns,
|
||||
@ -1462,10 +1466,6 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
return samdb
|
||||
|
||||
|
||||
FILL_FULL = "FULL"
|
||||
FILL_SUBDOMAIN = "SUBDOMAIN"
|
||||
FILL_NT4SYNC = "NT4SYNC"
|
||||
FILL_DRS = "DRS"
|
||||
SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
|
||||
POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
|
||||
SYSVOL_SERVICE="sysvol"
|
||||
@ -1795,7 +1795,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
|
||||
setup_ad_dns(samdb, secrets_ldb, domainsid, names, paths, lp, logger,
|
||||
hostip=hostip, hostip6=hostip6, dns_backend=dns_backend,
|
||||
dnspass=dnspass, os_level=dom_for_fun_level,
|
||||
targetdir=targetdir, site=DEFAULTSITE)
|
||||
targetdir=targetdir, site=DEFAULTSITE, fill_level=samdb_fill)
|
||||
|
||||
domainguid = samdb.searchone(basedn=samdb.get_default_basedn(),
|
||||
attribute="objectGUID")
|
||||
|
@ -31,6 +31,11 @@ import os
|
||||
from samba import read_and_sub_file
|
||||
from samba.param import setup_dir
|
||||
|
||||
FILL_FULL = "FULL"
|
||||
FILL_SUBDOMAIN = "SUBDOMAIN"
|
||||
FILL_NT4SYNC = "NT4SYNC"
|
||||
FILL_DRS = "DRS"
|
||||
|
||||
|
||||
def setup_path(file):
|
||||
"""Return an absolute path to the provision tempate file specified by file"""
|
||||
|
@ -48,7 +48,11 @@ from samba.provision.common import (
|
||||
setup_path,
|
||||
setup_add_ldif,
|
||||
setup_modify_ldif,
|
||||
setup_ldb
|
||||
setup_ldb,
|
||||
FILL_FULL,
|
||||
FILL_SUBDOMAIN,
|
||||
FILL_NT4SYNC,
|
||||
FILL_DRS,
|
||||
)
|
||||
|
||||
|
||||
@ -230,13 +234,18 @@ class AgingEnabledTimeProperty(dnsp.DnsProperty):
|
||||
|
||||
|
||||
def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
|
||||
serverdn):
|
||||
serverdn, fill_level):
|
||||
domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
|
||||
forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
|
||||
descriptor = get_dns_partition_descriptor(domainsid)
|
||||
|
||||
setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
|
||||
"DOMAINZONE_DN": domainzone_dn,
|
||||
"FORESTZONE_DN": forestzone_dn,
|
||||
"ZONE_DN": domainzone_dn,
|
||||
"SECDESC" : b64encode(descriptor)
|
||||
})
|
||||
if fill_level != FILL_SUBDOMAIN:
|
||||
setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
|
||||
"ZONE_DN": forestzone_dn,
|
||||
"SECDESC" : b64encode(descriptor)
|
||||
})
|
||||
|
||||
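Review bot: The new `fill_level` parameter on setup_dns_partitions at `serverdn, fill_level):` is positional with no default, and the same applies to create_dns_partitions at its `dnsadmins_sid, fill_level):` line in the later hunk, while fill_dns_data_partitions and setup_ad_dns in this same commit default it to FILL_FULL; the two layers of the API now read differently and any out-of-tree caller of the lower-level functions would fail with a TypeError. Giving both signatures `fill_level=FILL_FULL` preserves the previous behaviour for existing callers and matches the higher-level functions. The function also has no docstring, and since the only value it tests is FILL_SUBDOMAIN, a line such as `:param fill_level: one of the FILL_* constants; FILL_SUBDOMAIN creates only the DomainDnsZones partition, any other value also creates ForestDnsZones` would record that an unrecognised value silently takes the full path. The body of setup_dns_partitions continues in the next hunk.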
@ -252,23 +261,34 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
|
||||
protected1_desc = get_domain_delete_protected1_descriptor(domainsid)
|
||||
protected2_desc = get_domain_delete_protected2_descriptor(domainsid)
|
||||
setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), {
|
||||
"DOMAINZONE_DN": domainzone_dn,
|
||||
"FORESTZONE_DN": forestzone_dn,
|
||||
"DOMAINZONE_GUID": domainzone_guid,
|
||||
"FORESTZONE_GUID": forestzone_guid,
|
||||
"DOMAINZONE_DNS": domainzone_dns,
|
||||
"FORESTZONE_DNS": forestzone_dns,
|
||||
"ZONE_DN": domainzone_dn,
|
||||
"ZONE_GUID": domainzone_guid,
|
||||
"ZONE_DNS": domainzone_dns,
|
||||
"CONFIGDN": configdn,
|
||||
"SERVERDN": serverdn,
|
||||
"LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc),
|
||||
"INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc),
|
||||
})
|
||||
|
||||
setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), {
|
||||
"CONFIGDN": configdn,
|
||||
"SERVERDN": serverdn,
|
||||
"DOMAINZONE_DN": domainzone_dn,
|
||||
"FORESTZONE_DN": forestzone_dn,
|
||||
"ZONE_DN": domainzone_dn,
|
||||
})
|
||||
|
||||
if fill_level != FILL_SUBDOMAIN:
|
||||
setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), {
|
||||
"ZONE_DN": forestzone_dn,
|
||||
"ZONE_GUID": forestzone_guid,
|
||||
"ZONE_DNS": forestzone_dns,
|
||||
"CONFIGDN": configdn,
|
||||
"SERVERDN": serverdn,
|
||||
"LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc),
|
||||
"INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc),
|
||||
})
|
||||
setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), {
|
||||
"CONFIGDN": configdn,
|
||||
"SERVERDN": serverdn,
|
||||
"ZONE_DN": forestzone_dn,
|
||||
})
|
||||
|
||||
|
||||
@ -928,21 +948,23 @@ def fill_dns_data_legacy(samdb, domainsid, forestdn, dnsdomain, site, hostname,
|
||||
|
||||
|
||||
def create_dns_partitions(samdb, domainsid, names, domaindn, forestdn,
|
||||
dnsadmins_sid):
|
||||
dnsadmins_sid, fill_level):
|
||||
# Set up additional partitions (DomainDnsZones, ForstDnsZones)
|
||||
setup_dns_partitions(samdb, domainsid, domaindn, forestdn,
|
||||
names.configdn, names.serverdn)
|
||||
names.configdn, names.serverdn, fill_level)
|
||||
|
||||
# Set up MicrosoftDNS containers
|
||||
add_dns_container(samdb, domaindn, "DC=DomainDnsZones", domainsid,
|
||||
dnsadmins_sid)
|
||||
if fill_level != FILL_SUBDOMAIN:
|
||||
add_dns_container(samdb, forestdn, "DC=ForestDnsZones", domainsid,
|
||||
dnsadmins_sid, forest=True)
|
||||
|
||||
|
||||
def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
|
||||
dnsdomain, dnsforest, hostname, hostip, hostip6,
|
||||
domainguid, ntdsguid, dnsadmins_sid, autofill=True):
|
||||
domainguid, ntdsguid, dnsadmins_sid, autofill=True,
|
||||
fill_level=FILL_FULL):
|
||||
"""Fill data in various AD partitions
|
||||
|
||||
:param samdb: LDB object connected to sam.ldb file
|
||||
@ -974,7 +996,8 @@ def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
|
||||
add_dc_domain_records(samdb, domaindn, "DC=DomainDnsZones", site,
|
||||
dnsdomain, hostname, hostip, hostip6)
|
||||
|
||||
##### Set up DC=ForestDnsZones,<DOMAINDN>
|
||||
if fill_level != FILL_SUBDOMAIN:
|
||||
##### Set up DC=ForestDnsZones,<FORESTDN>
|
||||
# Add _msdcs record
|
||||
add_msdcs_record(samdb, forestdn, "DC=ForestDnsZones", dnsforest)
|
||||
|
||||
@ -987,7 +1010,7 @@ def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
|
||||
|
||||
def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
|
||||
dns_backend, os_level, site, dnspass=None, hostip=None, hostip6=None,
|
||||
targetdir=None):
|
||||
targetdir=None, fill_level=FILL_FULL):
|
||||
"""Provision DNS information (assuming GC role)
|
||||
|
||||
:param samdb: LDB object connected to sam.ldb file
|
||||
@ -1062,13 +1085,14 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
|
||||
# Create DNS partitions
|
||||
logger.info("Creating DomainDnsZones and ForestDnsZones partitions")
|
||||
create_dns_partitions(samdb, domainsid, names, domaindn, forestdn,
|
||||
dnsadmins_sid)
|
||||
dnsadmins_sid, fill_level)
|
||||
|
||||
# Populating dns partitions
|
||||
logger.info("Populating DomainDnsZones and ForestDnsZones partitions")
|
||||
fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
|
||||
dnsdomain, dnsforest, hostname, hostip, hostip6,
|
||||
domainguid, names.ntdsguid, dnsadmins_sid)
|
||||
domainguid, names.ntdsguid, dnsadmins_sid,
|
||||
fill_level=fill_level)
|
||||
|
||||
if dns_backend.startswith("BIND9_"):
|
||||
setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
|
||||
|
@ -26,7 +26,8 @@ import pwd
|
||||
|
||||
from samba import Ldb, registry
|
||||
from samba.param import LoadParm
|
||||
from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
|
||||
from samba.provision import provision, ProvisioningError, setsysvolacl
|
||||
from samba.provision.common import FILL_FULL
|
||||
from samba.samba3 import passdb
|
||||
from samba.samba3 import param as s3param
|
||||
from samba.dcerpc import lsa, samr, security
|
||||
|
@ -31,8 +31,9 @@ from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE
|
||||
import ldb
|
||||
from samba.provision import (provision_paths_from_lp,
|
||||
getpolicypath, set_gpos_acl, create_gpo_struct,
|
||||
FILL_FULL, provision, ProvisioningError,
|
||||
provision, ProvisioningError,
|
||||
setsysvolacl, secretsdb_self_join)
|
||||
from samba.provision.common import FILL_FULL
|
||||
from samba.dcerpc import xattr, drsblobs, security
|
||||
from samba.dcerpc.misc import SEC_CHAN_BDC
|
||||
from samba.ndr import ndr_unpack
|
||||
|
@ -46,7 +46,8 @@ from samba.provision import (
|
||||
interface_ips_v6 )
|
||||
from samba.provision.common import (
|
||||
setup_path,
|
||||
setup_add_ldif )
|
||||
setup_add_ldif,
|
||||
FILL_FULL)
|
||||
from samba.provision.sambadns import (
|
||||
ARecord,
|
||||
AAAARecord,
|
||||
@ -339,7 +340,7 @@ if __name__ == '__main__':
|
||||
logger.debug("IPv6 addresses: %s" % hostip6)
|
||||
|
||||
create_dns_partitions(ldbs.sam, domainsid, names, domaindn, forestdn,
|
||||
dnsadmins_sid)
|
||||
dnsadmins_sid, FILL_FULL)
|
||||
|
||||
logger.info("Populating DNS partitions")
|
||||
fill_dns_data_partitions(ldbs.sam, domainsid, site, domaindn, forestdn,
|
||||
|
@ -1,7 +1,7 @@
|
||||
#################################
|
||||
# Required objectclasses
|
||||
#################################
|
||||
dn: CN=Deleted Objects,${DOMAINZONE_DN}
|
||||
dn: CN=Deleted Objects,${ZONE_DN}
|
||||
objectClass: top
|
||||
objectClass: container
|
||||
description: Deleted objects
|
||||
@ -9,71 +9,34 @@ isDeleted: TRUE
|
||||
isCriticalSystemObject: TRUE
|
||||
systemFlags: -1946157056
|
||||
|
||||
dn: CN=LostAndFound,${DOMAINZONE_DN}
|
||||
dn: CN=LostAndFound,${ZONE_DN}
|
||||
objectClass: top
|
||||
objectClass: lostAndFound
|
||||
isCriticalSystemObject: TRUE
|
||||
systemFlags: -1946157056
|
||||
nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
|
||||
|
||||
dn: CN=Infrastructure,${DOMAINZONE_DN}
|
||||
dn: CN=Infrastructure,${ZONE_DN}
|
||||
objectClass: top
|
||||
objectClass: infrastructureUpdate
|
||||
isCriticalSystemObject: TRUE
|
||||
systemFlags: -1946157056
|
||||
nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
|
||||
|
||||
dn: CN=NTDS Quotas,${DOMAINZONE_DN}
|
||||
dn: CN=NTDS Quotas,${ZONE_DN}
|
||||
objectClass: top
|
||||
objectClass: msDS-QuotaContainer
|
||||
isCriticalSystemObject: TRUE
|
||||
systemFlags: -1946157056
|
||||
|
||||
|
||||
dn: CN=Deleted Objects,${FORESTZONE_DN}
|
||||
objectClass: top
|
||||
objectClass: container
|
||||
description: Deleted objects
|
||||
isDeleted: TRUE
|
||||
isCriticalSystemObject: TRUE
|
||||
systemFlags: -1946157056
|
||||
|
||||
dn: CN=LostAndFound,${FORESTZONE_DN}
|
||||
objectClass: top
|
||||
objectClass: lostAndFound
|
||||
isCriticalSystemObject: TRUE
|
||||
systemFlags: -1946157056
|
||||
nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
|
||||
|
||||
dn: CN=Infrastructure,${FORESTZONE_DN}
|
||||
objectClass: top
|
||||
objectClass: infrastructureUpdate
|
||||
isCriticalSystemObject: TRUE
|
||||
systemFlags: -1946157056
|
||||
nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
|
||||
|
||||
dn: CN=NTDS Quotas,${FORESTZONE_DN}
|
||||
objectClass: top
|
||||
objectClass: msDS-QuotaContainer
|
||||
isCriticalSystemObject: TRUE
|
||||
systemFlags: -1946157056
|
||||
|
||||
#################################
|
||||
# Configure partitions
|
||||
#################################
|
||||
dn: CN=${DOMAINZONE_GUID},CN=Partitions,${CONFIGDN}
|
||||
dn: CN=${ZONE_GUID},CN=Partitions,${CONFIGDN}
|
||||
objectClass: top
|
||||
objectClass: crossRef
|
||||
nCName: ${DOMAINZONE_DN}
|
||||
dnsRoot: ${DOMAINZONE_DNS}
|
||||
nCName: ${ZONE_DN}
|
||||
dnsRoot: ${ZONE_DNS}
|
||||
systemFlags: 5
|
||||
msDS-NC-Replica-Locations: CN=NTDS Settings,${SERVERDN}
|
||||
|
||||
dn: CN=${FORESTZONE_GUID},CN=Partitions,${CONFIGDN}
|
||||
objectClass: top
|
||||
objectClass: crossRef
|
||||
nCName: ${FORESTZONE_DN}
|
||||
dnsRoot: ${FORESTZONE_DNS}
|
||||
systemFlags: 5
|
||||
msDS-NC-Replica-Locations: CN=NTDS Settings,${SERVERDN}
|
||||
|
||||
|
@ -1,36 +1,21 @@
|
||||
dn: ${DOMAINZONE_DN}
|
||||
dn: ${ZONE_DN}
|
||||
changetype: modify
|
||||
add: wellKnownObjects
|
||||
wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS Quotas,${DOMAINZONE_DN}
|
||||
wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted Objects,${DOMAINZONE_DN}
|
||||
wellKnownObjects: B:32:2fbac1870ade11d297c400c04fd8d5cd:CN=Infrastructure,${DOMAINZONE_DN}
|
||||
wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,${DOMAINZONE_DN}
|
||||
wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS Quotas,${ZONE_DN}
|
||||
wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted Objects,${ZONE_DN}
|
||||
wellKnownObjects: B:32:2fbac1870ade11d297c400c04fd8d5cd:CN=Infrastructure,${ZONE_DN}
|
||||
wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,${ZONE_DN}
|
||||
|
||||
dn: CN=Infrastructure,${DOMAINZONE_DN}
|
||||
dn: CN=Infrastructure,${ZONE_DN}
|
||||
changetype: modify
|
||||
add: fSMORoleOwner
|
||||
fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
|
||||
|
||||
dn: CN=Infrastructure,${FORESTZONE_DN}
|
||||
changetype: modify
|
||||
add: fSMORoleOwner
|
||||
fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
|
||||
|
||||
dn: ${FORESTZONE_DN}
|
||||
changetype: modify
|
||||
add: wellKnownObjects
|
||||
wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS Quotas,${FORESTZONE_DN}
|
||||
wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted Objects,${FORESTZONE_DN}
|
||||
wellKnownObjects: B:32:2fbac1870ade11d297c400c04fd8d5cd:CN=Infrastructure,${FORESTZONE_DN}
|
||||
wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,${FORESTZONE_DN}
|
||||
|
||||
dn: CN=NTDS Settings,${SERVERDN}
|
||||
changetype: modify
|
||||
add: msDS-HasInstantiatedNCs
|
||||
msDS-HasInstantiatedNCs: B:8:0000000D:${DOMAINZONE_DN}
|
||||
msDS-HasInstantiatedNCs: B:8:0000000D:${FORESTZONE_DN}
|
||||
msDS-HasInstantiatedNCs: B:8:0000000D:${ZONE_DN}
|
||||
-
|
||||
add: msDS-hasMasterNCs
|
||||
msDS-hasMasterNCs: ${DOMAINZONE_DN}
|
||||
msDS-hasMasterNCs: ${FORESTZONE_DN}
|
||||
msDS-hasMasterNCs: ${ZONE_DN}
|
||||
-
|
||||
|
@ -1,7 +1,7 @@
|
||||
################################
|
||||
## DNSZones Naming Context
|
||||
################################
|
||||
dn: ${DOMAINZONE_DN}
|
||||
dn: ${ZONE_DN}
|
||||
objectClass: top
|
||||
objectClass: domainDNS
|
||||
description: Microsoft DNS Directory
|
||||
@ -9,10 +9,3 @@ msDS-NcType: 0
|
||||
instanceType: 13
|
||||
ntSecurityDescriptor:: ${SECDESC}
|
||||
|
||||
dn: ${FORESTZONE_DN}
|
||||
objectClass: top
|
||||
objectClass: domainDNS
|
||||
description: Microsoft DNS Directory
|
||||
msDS-NcType: 0
|
||||
instanceType: 13
|
||||
ntSecurityDescriptor:: ${SECDESC}
|
||||
|