b; ddlZddlZddlmZddlmZddlmZmZddlm Z ddl m Z ddl m Z ddlmZmZmZmZmZd Zd Zd d d dddddZededed ed ediZededededediZgZGddeZGddeZdS)N) b64encode)sd_utils) ndr_unpackndr_pack)security) SECINFO_DACL)'get_managed_service_accounts_descriptor)DS_DOMAIN_FUNCTION_2008DS_DOMAIN_FUNCTION_2008_R2DS_DOMAIN_FUNCTION_2012DS_DOMAIN_FUNCTION_2012_R2DS_DOMAIN_FUNCTION_2016KQz$5e1574f6-55df-493e-a671-aaeffca6a100z$d262aae8-41f7-48ed-9f35-56bbb677573dz$82112ba0-7e4c-4a44-89d9-d46c9612bf91z$c3c927a6-cc1d-47c0-966b-be8f9b63d991z$54afcfb9-637a-4251-9f47-4d50e7021211z$f4728883-84dd-483c-9897-274f2ebcf11ez$ff4f9d27-7157-4cb0-80a9-5d6f2b14c8ff)rLMNOPrJrX ceZdZdS)DomainUpdateExceptionN)__name__ __module__ __qualname__5/usr/lib/python3/dist-packages/samba/domain_update.pyrrJsDr#rceZdZdZ ddZ ddZdZdd Zd Zd Z d Z d Z dZ dZ dZdZdZdZdZdZdS) DomainUpdatez2Check and update a SAM database for domain updatesFTc||_||_||_d|_|j|_|j|_|j|_tj ||_ tj | |_|j|_|jdst%d|j|_|jdst%ddS)z :param samdb: LDB database :param fix: Apply the update if the container is missing :param add_update_container: Add the container at the end of the change :raise DomainUpdateException: Fz(CN=Operations,CN=DomainUpdates,CN=Systemz+Failed to add domain update container childz3CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=Systemz#Failed to add revision object childN)samdbfixadd_update_containercheck_update_appliedget_config_basedn config_dn domain_dnget_schema_basedn schema_dnrSDUtilsrdom_sidget_domain_sid domain_sidget_root_basedndomainupdate_container add_childrrevision_object)selfr(r)r*s r$__init__zDomainUpdate.__init__Qs $8!$)!5577--//5577 (// "*5+?+?+A+ABB&*j&@&@&B&B#*445_`` W'(UVV V#z99;;#--.cdd O'(MNN N O Or#Nc|j|jdgtj}t |}|rt |}|dz }nt }|||t|}t|ddd}|rT||krP|j std||fz|j dt|j|fzdSdSdS)a Apply all updates for a given old and new functional level :param functional_level: constant :param old_functional_level: constant :param update_revision: modify the stored version :raise DomainUpdateException: revision)baseattrsscoperzERevision is not high enough. Fix is set to False. Expected: %dGot: %dz9dn: %s changetype: modify replace: revision revision: %d N)r(searchr8ldb SCOPE_BASEfunctional_level_to_max_update MIN_UPDATEcheck_updates_rangefunctional_level_to_versionintr)r modify_ldifstr) r9functional_levelold_functional_levelupdate_revisionresexpected_update min_updateexpected_version found_versions r$check_updates_functional_levelz+DomainUpdate.check_updates_functional_levelns?jT%9'1l#. JJ99IJ  $78LMJ !OJJ#J   _===67GHCF:.q122  5}/???8 W+-DGWGTGV-VWWW J " "$ 4   "23 $4 5 5 5 5 5 5 5??r#c|D]C}|tks |tkrtdt|d|z|DdS)z Apply a list of updates which must be within the valid range of updates :param iterator: Iterable specifying integer update numbers to apply :raise DomainUpdateException: Update number invalid. operation_%dN)rE MAX_UPDATErgetattr)r9iteratorops r$check_updates_iteratorz#DomainUpdate.check_updates_iteratorsa  3 3BJ"z//+,DEEE /GD.2- . .r 2 2 2 2  3 3r#rc|}|tks||ks |tkrtd||kr2|tvrt |d|z||dz }||k0dSdS)z Apply a range of updates which must be within the valid range of updates :param start: integer update to begin :param end: integer update to end (inclusive) :raise DomainUpdateException: rUrVr@N)rErWrmissing_updatesrX)r9startendrZs r$rFz DomainUpdate.check_updates_ranges :  j0@0@'(@AA ACii((2nr1222666 !GB Ciiiiiir#c |j|jdt|z}n#tj$rYdSwxYwt |dkS)zd :param op: Integer update number :return: True if update exists else False z(CN=%s))r= expressionFr@)r(rAr6 update_maprBLdbErrorlen)r9rZrNs r$ update_existszDomainUpdate.update_existssn  *##)D/8:b>/I$KKCC|   55 3xx1}s/2AAc|jdt|dt|jddS)zo Add the corresponding container object for the given update :param op: Integer update zdn: CN=,z objectClass: container N)r(add_ldifrbrJr6r9rZs r$ update_addzDomainUpdate.update_addsN "~~~s4677779 : : : : :r#c|d}|dkr|d||z||dz}n||z}||vrdS|j||dtzgdS)a Add an ACE to a DACL, checking if it already exists with a simple string search. :param dn: DN to modify :param existing_sddl: existing sddl as string :param ace: string ace to insert :return: True if modified else False S:NF sd_flags:1:%dcontrolsT)rfindrmodify_sd_on_dnr)r9dn existing_sddlaceindexnew_sddls r$insert_ace_into_daclz!DomainUpdate.insert_ace_into_dacls##D)) B;;$VeV,s2]5665JJHH%s*H -  5 %%b(0?,0N/O & Q Q Qtr#c|j||gdg}t|dksJ|d|d}|d}|dkr|d||z||dz}n||z}||vrdSt j}||_t j|tj|||<|j |d g d S) aC Insert an ACE into a string attribute like defaultSecurityDescriptor. This also checks if it already exists using a simple string search. :param dn: DN to modify :param ace: string ace to insert :param attr: attribute to modify :return: True if modified else False search_options:1:2)r=r>rpr@rrlrmNFrelax:0roT) r(rArdrqrBMessagersMessageElementFLAG_MOD_REPLACEmodify) r9rsruattrmsgrtrvrwms r$insert_ace_into_stringz#DomainUpdate.insert_ace_into_stringsjR'+f*>)? AA3xx1}}}}At Q ##D)) B;;$VeV,s2]5665JJHH%s*H -  5 KMM$Xs/C%)++$ !yk222tr#c8|jstd|zdS)z Raises an exception if not set to fix. :param op: Integer operation :raise DomainUpdateException: z3Missing operation %d. Fix is currently set to FalseN)r)rris r$raise_if_not_fixzDomainUpdate.raise_if_not_fixs0 x d'(]`b(bcc c d dr#c||rdS|||jd|jzddg|jr||dSdS)NzVdn: CN=TPM Devices,%s objectClass: top objectClass: msTPM-InformationObjectsContainer r{ provision:0ro)rerr(rhr.r*rjris r$ operation_78zDomainUpdate.operation_78 s   b ! !  F b!!!  n'0%?  A A A  $ OOB       r#c||rdS||d}|jddgdg}|D]^}t t j|dd}||j}| |j ||_|jddgdg}|D]^}t t j|dd}||j}| |j ||_|j r| |dSdS)NzY(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(objectClass=samDomain)nTSecurityDescriptorrzrar>rpr(objectClass=domainDNS) rerr(rArr descriptoras_sddlr4rxrsr*rjr9rZrurNr existing_sdrts r$ operation_79zDomainUpdate.operation_79s   b ! !  F b!!!ij+D'=&>*>)? AA B BC$X%8%()?%@%CEEK'//@@M  % %cfmS A A A Aj+D'=&>*>)? AA B BC$X%8%()?%@%CEEK'//@@M  % %cfmS A A A A  $ OOB       r#c||rdS||dt|jz}|j|jtjdgddtzg}|d}ttj |dd}| |j}||j|||jr||dSdS)Nz5(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;%s-522)rrzrn)r=r?r>rpr)rerrJr4r(rAr.rBrCrrrrrrxrsr*rjrs r$ operation_80zDomainUpdate.operation_809s   b ! !  F b!!!EDOH\H\\jT^&)n'=&>*>*9L*H*J KK !f !4!$%;!*>)? AA B BC$X%8%()?%@%CEEK'//@@M  % %cfmS A A A Aj+D'=&>*>)? AA B BC$X%8%()?%@%CEEK'//@@M  % %cfmS A A A A  $ OOB       r#c|||rdS||t|j}t |d}dt |jz}|j d|d|ddg|j r| |dSdS)Nutf8CN=Managed Service Accounts,%sdn: z changetype: add objectClass: container description: Default container for managed service accounts showInAdvancedViewOnly: FALSE nTSecurityDescriptor:: r{rro) rerr r4rdecoderJr.r(rIr*rj)r9rZrmanagedservice_descrmanaged_service_dns r$ operation_75zDomainUpdate.operation_75vs   b ! !  F b!!!...  0  @ @ @  $ OOB       r#)FT)NF)rr)rr r!__doc__r:rSr[rFrerjrxrrrrrrrrrr"r#r$r&r&Ns2<<"'&*OOOO<=A7<"5"5"5"5H 3 3 3"   :::0!!!Fddd       >   2   H   ,   &      r#r&)rBsambabase64rr samba.ndrrr samba.dcerpcrsamba.dcerpc.securityrsamba.descriptorr samba.dsdbr r r r rrErWrbrDrGr] Exceptionrobjectr&r"r#r$rs& ********!!!!!!......   /......   RRR "QQR      I   \ \ \ \ \ 6\ \ \ \ \ r#