bOFddlZddlZddlmZddlmZmZddlmZddlm Z ddl m Z ddl m Z mZmZmZmZdZd Zid d d d ddddddddddddddddddd d!d"d#d$d%d&d'd(d)d*d+id,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;dd?d@dAdBdCdDdEdFdGdHdIdJdKdLdMidNdOdPdQdRdSdTdUdVdWdXdYdZd[d\d]d^d_d`dadbdcdddedfdgdhdidjdkdldmdndodpdqdrdsdtdudvdwdxdydzd{d|d} Ze d~ededed ediZe dedededediZdgZGddeZGddeZdS)N)sd_utils) ndr_unpackndr_pack)security) SECINFO_DACL) setup_path)DS_DOMAIN_FUNCTION_2008DS_DOMAIN_FUNCTION_2008_R2DS_DOMAIN_FUNCTION_2012DS_DOMAIN_FUNCTION_2012_R2DS_DOMAIN_FUNCTION_2016-5z$134428a8-0043-48a6-bcda-63310d9ec4ddOz$21ae657c-6649-43c4-bbb3-7f184fdf58c1Pz$dca8f425-baae-47cd-b424-e3f6c76ed08bQz$a662b036-dbbe-4166-b4ba-21abea17f9ccRz$9d17b863-18c3-497d-9bde-45ddb95fcb65Sz$11c39bed-4bee-45f5-b195-8da0e05b573aTz$4664e973-cb20-4def-b3d5-559d6fe123e0Uz$2972d92d-a07a-44ac-9cb0-bf243356f345Vz$09a49cb3-6c54-4b83-ab20-8370838ba149Wz$77283e65-ce02-4dc3-8c1e-bf99b22527c2Xz$0afb7f53-96bd-404b-a659-89e65c269420Yz$c7f717ef-fdbe-4b4b-8dfc-fa8b839fbcfaZz$00232167-f3a4-43c6-b503-9acb7a81b01c[z$73a9515b-511c-44d2-822b-444a33d3bd33\z$e0c60003-2ed7-4fd3-8659-7655a7e79397]z$ed0c8cca-80ab-4b6b-ac5a-59b1d317e11f^z$b6a6c19a-afc9-476b-8994-61f5b14b3f05_z$defc28cd-6cb6-4479-8bcb-aabfb41e9713`z$d6bd96d4-e66b-4a38-9c6b-e976ff58c56daz$bb8efc40-3090-4fa2-8a3f-7cd1d380e695bz$2d6abe1b-4326-489e-920c-76d5337d2dc5cz$6b13dfb5-cecc-4fb8-b28d-0505cea24175dz$92e73422-c68b-46c9-b0d5-b55f9c741410ez$c0ad80b4-8e84-4cc4-9163-2f84649bcc42fz$992fe1d0-6591-4f24-a163-c820fcb7f308gz$ede85f96-7061-47bf-b11b-0c0d999595b5hz$ee0f3271-eb51-414a-bdac-8f9ba6397a39iz$587d52e0-507e-440e-9d67-e6129f33bb68jz$ce24f0f6-237e-43d6-ac04-1e918ab04aackz$7f77d431-dd6a-434f-ae4d-ce82928e498flz$ba14e1f6-7cd1-4739-804f-57d0ea74edf4mz$156ffa2a-e07c-46fb-a5c4-fbd84a4e5ccenz$7771d7dd-2231-4470-aa74-84a6f56fc3b6oz$49b2ae86-839a-4ea0-81fe-9171c1b98e83pz$1b1de989-57ec-4e96-b933-8279a8119da4qz$281c63f0-2c9a-4cce-9256-a238c23c0db9rz$4c47881a-f15a-4f6c-9f49-2742f7a11f4bsz$2aea2dc6-d1d3-4f0c-9994-66c1da21de0ftz$ae78240c-43b9-499e-ae65-2b6e0f0e202auz$261b5bba-3438-4d5c-a3e9-7b871e5f57f0vz$3fb79c05-8ea1-438c-8c7a-81f213aa61c2wz$0b2be39a-d463-4c23-8290-32186759d3b1xz$f0842b44-bc03-46a1-a860-006e8527fccdyz$93efec15-4dd9-4850-bc86-a1f2c8e2ebb9zz$9e108d96-672f-40f0-b6bd-69ee1f0b7ac4{z$1e269508-f862-4c4a-b01f-420d26c4ff8c}z$e1ab17ed-5efb-4691-ad2d-0424592c5755~z$0e848bd4-7c70-48f2-b8fc-00fbaa82e360z$016f23f7-077d-41fa-a356-de7cfdb01797z$49c140db-2de3-44c2-a99a-bab2e6d2ba81z$e0b11c80-62c5-47f7-ad0d-3734a71b8312z$2ada1a2d-b02f-4731-b4fe-59f955e24f71z$b83818c1-01a6-4f39-91b7-a3bb581c3ae3z$bbbb9db0-4009-4368-8c40-6674e980d3c3z$f754861c-3692-4a7b-b2c2-d0fa28ed0b0bz$d32f499f-3026-4af0-a5bd-13fe5a331bd2z$38618886-98ee-4e42-8cf1-d9a2cd9edf8bz$328092FB-16E7-4453-9AB8-7592DB56E9C4z$3A1C887F-DF0A-489F-B3F2-2D0409095F6Ez$232E831F-F988-4444-8E3E-8A352E2FD411z$DDDDCF0C-BEC9-4A5A-AE86-3CFE6CC6E110z$A0A45AAC-5550-42DF-BB6A-3CC5C46B52F2z$3E7645F3-3EA5-4567-B35A-87630449C70Cz$E634067B-E2C4-4D79-B6E8-73C619324D5E) rNrCrN |ceZdZdS)ForestUpdateExceptionN)__name__ __module__ __qualname__5/usr/lib/python3/dist-packages/samba/forest_update.pyrWrWsDr\rWceZdZdZ ddZ ddZdZd d Zd Zd Z d Z d Z dZ dZ dZdZdZdZdZdZdZdZdZdZdZdZdZdZdS)! ForestUpdatez2Check and update a SAM database for forest updatesFTcddlm}||_||_||_||_d|_|j|_|j |_ |j |_ tj ||_ tj||_|j|_|jdst)d|j|_|jdst)di|_|t/d|j d S) a :param samdb: LDB database :param verbose: Show the ldif changes :param fix: Apply the update if the container is missing :param add_update_container: Add the container at the end of the change :raise ForestUpdateException: r)read_ms_markdownFzCN=Operations,CN=ForestUpdatesz+Failed to add forest update container childz)CN=ActiveDirectoryUpdate,CN=ForestUpdatesz#Failed to add revision object childz/adprep/WindowsServerDocs/Forest-Wide-Updates.md)out_dictN) samba.ms_forest_updates_markdownrasamdbfixverboseadd_update_containercheck_update_appliedget_config_basedn config_dn domain_dnget_schema_basedn schema_dnrSDUtilsrdom_sidget_domain_sid domain_sidforestupdate_container add_childrWrevision_object stored_ldifr)selfrdrfrergras r]__init__zForestUpdate.__init__sj FEEEEE  $8!$)!5577--//5577 (// "*5+?+?+A+ABB&*j&B&B&D&D#*445UVV W'(UVV V#z;;==#--.YZZ O'(MNN N$UVV"&"2 4 4 4 4 4 4r\Nc|j|jdgtj}t |}|rt |}|dz }nt }|||t|}t|ddd}|rT||krP|j std||fz|j dt|j|fzdSdSdS)a Apply all updates for a given old and new functional level :param functional_level: constant :param old_functional_level: constant :param update_revision: modify the stored version :raise ForestUpdateException: revision)baseattrsscoperzERevision is not high enough. Fix is set to False. Expected: %dGot: %dz:dn: %s changetype: modify replace: revision revision: %d N)rdsearchrtldb SCOPE_BASEfunctional_level_to_max_update MIN_UPDATEcheck_updates_rangefunctional_level_to_versionintrerW modify_ldifstr) rvfunctional_levelold_functional_levelupdate_revisionresexpected_update min_updateexpected_version found_versions r]check_updates_functional_levelz+ForestUpdate.check_updates_functional_levels?jT%9'1l#. JJ99IJ  $78LMJ !OJJ#J   _===67GHCF:.q122  6}/???8 W+-DGWGTGV-VWWW J " "$ D !!#34 $5 6 6 6 6 6 6 6??r\cv|D]}|tks |tkrtdd|cxkrdkrnn||Md|cxkrdkrnn||sd|cxkrdkrnn||t |d|z|d S) z Apply a list of updates which must be within the valid range of updates :param iterator: Iterable specifying integer update numbers to apply :raise ForestUpdateException: Update number invalid.rrrr?rDrG operation_%dN)r MAX_UPDATErWoperation_ldifgetattr)rviteratorops r]check_updates_iteratorz#ForestUpdate.check_updates_iterators  7 7BJ"z//+,DEEER~~~~2~~~~~##B''''rS##B''''!!!!c!!!!!##B''''3nr12226666 7 7r\rc|}|tks||ks |tkrtd||kr|tvrnd|cxkrdkrnn||nhd|cxkrdkrnn||nBd|cxkrdkrnn||nt |d|z||d z }||kd Sd S) z Apply a range of updates which must be within the valid range of updates :param start: integer update to begin :param end: integer update to end (inclusive) :raise ForestUpdateException: rrrrr?rDrGrr}N)rrrWmissing_updatesrr)rvstartendrs r]rz ForestUpdate.check_updates_ranges" :  j0@0@'(@AA ACii_$$rR##B''''rS##B''''!!!!c!!!!!##B''''3nr1222666 !GBCiiiiiir\c |j|jdt|z}n#tj$rYdSwxYwt |dkS)zd :param op: Integer update number :return: True if update exists else False z(CN=%s))rz expressionFr})rdr~rr update_maprLdbErrorlen)rvrrs r] update_existszForestUpdate.update_existssn  *##)D/8:b>/I$KKCC|   55 3xx1}s/2AAc|jdt|dt|jddS)zo Add the corresponding container object for the given update :param op: Integer update zdn: CN=,z objectClass: container N)rdadd_ldifrrrrrvrs r] update_addzForestUpdate.update_add sN "~~~s4677779 : : : : :r\c||rdS|jt|}tj|t |jt |jt |jd}|j r!td|zt||j ||j r||dSdS)NT) CONFIG_DNFOREST_ROOT_DOMAIN SCHEMA_DNz!UPDATE (LDIF) ------ OPERATION %d)rrursambasubstitute_varrrjrkrmrfprintrdrrgr)rvrldifsub_ldifs r]rzForestUpdate.operation_ldifs   b ! ! 4 2/'/24>/B/B/24>/B/B/24>/B/B /D/DEE <  5: ; ; ; (OOO x(((  $ OOB       r\c|d}|dkr|d||z||dz}n||z}||vrdS|j||dtzgdS)a Add an ACE to a DACL, checking if it already exists with a simple string search. :param dn: DN to modify :param existing_sddl: existing sddl as string :param ace: string ace to insert :return: True if modified else False S:NF sd_flags:1:%dcontrolsT)rfindrmodify_sd_on_dnr)rvdn existing_sddlaceindexnew_sddls r]insert_ace_into_daclz!ForestUpdate.insert_ace_into_dacl)s##D)) B;;$VeV,s2]5665JJHH%s*H -  5 %%b(0?,0N/O & Q Q Qtr\c|j||gdg}t|dksJt|d|d}|d}|dkr|d||z||dz}n||z}||vrdSt j}||_t j|t j |||<|j |d g d S) aC Insert an ACE into a string attribute like defaultSecurityDescriptor. This also checks if it already exists using a simple string search. :param dn: DN to modify :param ace: string ace to insert :param attr: attribute to modify :return: True if modified else False search_options:1:2)rzr{rr}rrrNFrelax:0rT) rdr~rrrrMessagerMessageElementFLAG_MOD_REPLACEmodify) rvrrattrmsgrrrms r]insert_ace_into_stringz#ForestUpdate.insert_ace_into_stringAsjR'+f*>)? AA3xx1}}}}CF4LO,, ##D)) B;;$VeV,s2]5665JJHH%s*H -  5 KMM$Xs/C%)++$ !yk222tr\c8|jstd|zdS)z Raises an exception if not set to fix. :param op: Integer operation :raise ForestUpdateException: z3Missing operation %d. Fix is currently set to FalseN)rerWrs r]raise_if_not_fixzForestUpdate.raise_if_not_fixds0 x d'(]`b(bcc c d dr\c,||rdS||d}tj|jdt |jz}|||d|jddgdg}|D]^}ttj |dd }| |j }||j||_|jr||dSdS) NY(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)CN=Sam-Domain,%sdefaultSecurityDescriptorr(objectClass=samDomain)nTSecurityDescriptorrrr{rrrrrDnrdrrmrr~rr descriptoras_sddlrqrrrgrrvrrrmrr existing_sdrs r] operation_88zForestUpdate.operation_88ss?   b ! !  F b!!!iF4:'9C*>)? AA B BC$X%8#>T:UVW:XYYK'//@@M  % %cfmS A A A A  $ OOB       r\c>||rdS||d}tj|jdt |jz}|||d|jddgddtzg }|D]^}ttj |dd }| |j}||j||_|jr||dSdS) NrCN=Domain-DNS,%srr(objectClass=domainDNS)rrrrr)rrrrrdrrmrr~rrrrrrqrrrgrrs r] operation_89zForestUpdate.operation_89sJ   b ! !  F b!!!iF4:'9C*>*9L*H*J KK  B BC$X%8#>T:UVW:XYYK'//@@M  % %cfmS A A A A  $ OOB       r\cp|jr,||s||dSdSdSNrgrrrs r] operation_90zForestUpdate.operation_90N  $ T-?-?-C-C OOB         r\cp|jr,||s||dSdSdSrrrs r] operation_127zForestUpdate.operation_127rr\cp|jr,||s||dSdSdSrrrs r] operation_128zForestUpdate.operation_128rr\c,||rdS||d}tj|jdt |jz}|||d|jddgdg}|D]^}ttj |dd }| |j }||j||_|jr||dSdS) N7(OA;CIOI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)rrrrrrrrrrs r] operation_129zForestUpdate.operation_129s?   b ! !  F b!!!GF4:'9C*>)? AA B BC$X%8#>T:UVW:XYYK'//@@M  % %cfmS A A A A  $ OOB       r\c,||rdS||d}tj|jdt |jz}|||d|jddgdg}|D]^}ttj |dd }| |j }||j||_|jr||dSdS) Nrrrrrrrrrrrs r] operation_130zForestUpdate.operation_130s?   b ! !  F b!!!GF4:'9C*>)? AA B BC$X%8#>T:UVW:XYYK'//@@M  % %cfmS A A A A  $ OOB       r\c||rdS|||jd|jzddg|jr||dSdS)Nzdn: CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,%s changetype: modify replace: msDS-ClaimIsValueSpaceRestricted msDS-ClaimIsValueSpaceRestricted: FALSE rz provision:0r)rrrdrrjrgrrs r] operation_135zForestUpdate.operation_135s   b ! !  F b!!!   n   *3M(B  D D D  $ OOB       r\cp|jr,||s||dSdSdSrrrs r] operation_53zForestUpdate.operation_53rr\cp|jr,||s||dSdSdSrrrs r] operation_79zForestUpdate.operation_79rr\cp|jr,||s||dSdSdSrrrs r] operation_80zForestUpdate.operation_80rr\cp|jr,||s||dSdSdSrrrs r] operation_81zForestUpdate.operation_81 rr\cp|jr,||s||dSdSdSrrrs r] operation_82zForestUpdate.operation_82rr\cp|jr,||s||dSdSdSrrrs r] operation_83zForestUpdate.operation_83rr\)FFT)NF)rr)rXrYrZ__doc__rwrrrrrrrrrrrrrrrrrrrrrrrr[r\r]r_r_s<<16&*$4$4$4$4N=A7<"6"6"6"6H777(2   :::   *0!!!Fddd   <   4            0   2    &                    r\r_)rrr samba.ndrrr samba.dcerpcrsamba.dcerpc.securityrsamba.provision.commonr samba.dsdbr r r r r rrrrrr ExceptionrWobjectr_r[r\r]rs& ********!!!!!!......------  E.E.E. E . E . E.E.E.E.E.E.E.E.E .!E".#E$.%E&.'EE(.)E*.+E,.-E../E0.1E2 /3E4 /5E6 /7E8 /9E: /;E< /=E> /?E@ /AEB /CED /EEF /GEH /IEEEJ /KEL /MEN /OEP /QER /SET /UEV /WEX /YEZ /[E\ /]E^ /_E` /aEb /cEd /eEf /gEh /iEj /kEEl 0 / / / / / / / / / / / /IEEE PRSS "QRR %     I   P P P P P 6P P P P P r\