'\d:bdZddlmZddlmZddlmZmZmZm Z m Z ddl Z ddlZddl Z ddl mZmZddlmZmZmZmZmZmZmZmZddlmZdd lmZmZdd lmZm Z m!Z!m"Z"m#Z#m$Z$dd l%m&Z&dd l'm(Z(dd lm)Z)ddl*m+Z+ddl,m-Z-ddlm.Z.ddlm/Z/ddl0m1Z1ddlm2Z2m3Z3ddlm4Z4ddl5m6Z6m7Z7m8Z8ddl9Z9ddl:Z:ddl;Z;ddlZ>ddl?m@Z@ddlAmBZBddlCmDZDddlmEZEGddeFZGGddeHZI d'dZJ d'd ZK d(d"ZLGd#d$eIZMGd%d&eMZNdS))zJoining a domain.)system_session)SamDB)gensecLdb drs_utilsarcfour_encryptstring_to_byte_arrayN)ndr_pack ndr_unpack)securitydrsuapimiscnbtlsadrsblobs dnsserverdnsp)DS_DOMAIN_FUNCTION_2003) CredentialsDONT_USE_KERBEROS)secretsdb_self_join provisionprovision_fillFILL_DRSFILL_SUBDOMAIN DEFAULTSITE) setup_path)Schema) descriptor)Net)setup_bind9_dns)read_and_sub_file)werror) b64encode) WERRORError NTSTATUSError)sd_utils)ARecord AAAARecord CNAMERecord) OrderedDict) get_string) CommandError)dsdbceZdZfdZxZS)DCJoinExceptionc^tt|d|zdS)NzCan't join, error: %s)superr0__init__)selfmsg __class__s ,/usr/lib/python3/dist-packages/samba/join.pyr3zDCJoinException.__init__:s- ot$$--.E.KLLLLL)__name__ __module__ __qualname__r3 __classcell__r6s@r7r0r08sAMMMMMMMMMr8r0ceZdZdZ d'dZd(dZd(dZd(dZdZd Z d Z d Z d Z d Z dZdZdZdZdZdZdZdZdZdZdZd)dZdZdZdZdZdZdZd Z d!Z!d"Z"d#Z#d$Z$d%Z%d&Z&dS)* DCJoinContextzPerform a DC join.NFc4 ||_||_||_||_||_| |_| |_||_||_| |_ d|_ g|_ g|_ |j |tjzt#|j|j|_||_||_|r||_|jj|_n|jr"|||j|_nY|jd|z|||_|jd|jzt5d|jzt7|j|j|_|j t8|_ |jt<jgn0#t<j $r}|j!\}}tE|d}~wwxYwtG|j$|_%tG|j&|_'tG|j(|_)tG|j*|_+tYj-|j.|_/|j/|_0|1|_2|3|_4tkj6tGtoj8|_9|j:|_;|<|_=|>|_?| | |_@ntjBdd|_@|jC|_D|rJ||_Ed|jEz|_Fd |jEd |jd |j+|_Gd |jGz|_Hd |jEd |j%|_I|jEJd|jD|_K|jL|_Md|j%z}|N|rd |jEd||_Ond|_Od|jEzd|jKzd|jKd|jMg|_P|jt<jdg|j%}|ddd|_Qd|j%z|_Rd|j'z|_Sdt=jT|jRz}|jt<jUg|jV|}| d|_Wn1t|dkrd|_Wtdn| |_W|jD|_Zd|_[tj]tj^ztj_ztj`ztjaz|_bd|_cd|_dd|_ed|_fd|_gd|_\d|_hd|_id|_jd|_kd|_ld|_md|_ndS)N)credslpz&Finding a writeable DC for domain '%s'z Found DC %s ldap://%surl session_info credentialsrBscopeattrsx%s$CN=z,CN=Servers,CN=z ,CN=Sites,zCN=NTDS Settings,%sz,OU=Domain Controllers,.zGCN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,%s,zHOST/%szGC//rIDManagerReference)rIrJbaserzDC=DomainDnsZones,%szDC=ForestDnsZones,%s$(&(objectClass=crossRef)(ncName=%s))rIrJrR expressionNONEzCNO DNS zone information found in source domain, not replicating DNSF)ologgerrArBsite targetdir use_ntvfsplaintext_secrets backend_storebackend_store_sizepromote_existingpromote_from_dnnc_list full_nc_listset_gensec_featuresget_gensec_featuresr FEATURE_SEALr netserverforced_local_samdbsamdbrE find_dc_siteinfofind_dcrrrsearchldb SCOPE_BASELdbErrorargsr0strget_default_basednbase_dnget_root_basednroot_dnget_schema_basedn schema_dnget_config_basedn config_dnr dom_sidget_domain_siddomsid forestsidget_domain_name domain_nameget_forest_domain_nameforest_domain_namerGUIDuuiduuid4 invocation_idget_dsServiceName dc_ntds_dnget_dnsHostNamedc_dnsHostNameget_behavior_versionbehavior_version acct_passsamba generate_random_machine_passworddomain_dns_name dnsdomainmynamesamname server_dnntds_dnacct_dnlower dnshostnameforest_dns_name dnsforest dn_exists topology_dnSPNsrid_manager_dndomaindns_zoneforestdns_zone binary_encodeSCOPE_ONELEVELget_partitions_dn dns_backendlenprintrealm tmp_samdbr DRSUAPI_DRS_INIT_SYNCDRSUAPI_DRS_PER_SYNCDRSUAPI_DRS_GET_ANCDRSUAPI_DRS_GET_NC_SIZEDRSUAPI_DRS_NEVER_SYNCED replica_flagsnever_reveal_sid reveal_sid connection_dnRODC krbtgt_dn managedby subdomain adminpass partition_dndns_a_dn dns_cname_dn force_all_ips)ctxrWrfrArBrX netbios_namerYdomain machinepassrZrr^r[r\r]rgeenumestr topology_baseres_rid_managerexpr res_domaindnss r7r3zDCJoinContext.__init__As  ! ! 1)!3/"  %%e&?&?&A&AFDW&WXXXCI#&111 !3  @*CICJJz <<"// ;;CH  H6 QRRR [[00    :;;;+ ":+9+;+;*-)@@@CI 8 "CH ( I  3>  < < < <| ( ( (6LT4!$'' ' (#)668899 #)335566 CI7799:: CI7799:: %ci&>&>&@&@AA   --//!$!;!;!=!= Ic$*,,&7&7884466 0022"7799  "'CMM!B3LLCM 1133   N%CJ#*,CKKDGJJJPSPXPXPXZ]ZgZghCM/#-?CKK>Ajjj#++VCK),)9)9););););S]]KCOI5577CMehkhssM}}]++ ' '03 MM"J"&!CJ.!CO33&)ooos}}EGCH"i..S^6K5L47K/AAO"1!34I!J1!MC 3ckA3ckA58I#J\8]8]] ((s/A/1.1i.I.I.K.K48)::   $COO=!!Q&&"([\\\\"-M  $:$9:$89%<=%= > $       "s*&GG> G99G>c>|r\ |j|tjdg}n#t$rYdSwxYw|D]}||jd |j|td|zdS#t$rYdSwxYw)NdnrRrIrJT recursivez Deleted %s) rhrlrmr Exception del_noerrorrdeleter)rrrresrs r7rzDCJoinContext.del_noerrors  6 i&&Bc6HQUPV&WW     6 65555  I  R ,# $ $ $ $ $    DD s(- ;; ,B BBc |j|jdtj|jzddg}t |dkrdS|st}||j  | |j | |j td|jzt!||j }|tjdd g }|dd d|dddkrt%d |jzn#YnxYw||djd |ddd}|!||_||j|j|jdtjd|jzdtjd|jzdg}|r"||djd |j|jdtjd|jzzg}|rIt%dtjd|jzdtjd|jzdS)NsAMAccountName=%smsDS-krbTgtLink objectSIDrRrUrJrrCrD tokenGroups)rIrRrJzNot removing account %s which looks like a Samba DC account matching the password we already have. To override, remove secrets.ldb and secrets.tdbTrmsDS-KrbTgtLink)idxz(&(sAMAccountName=dns-%sz)(servicePrincipalName=zdns/%sz))z(sAMAccountName=%s)zNot removing account zU which looks like a Samba DNS service account but does not have servicePrincipalName=)rhrlrrrmrrrrguessrBset_machine_accountset_kerberos_staterAget_kerberos_staterrfrrnr0rrget new_krbtgt_dnrr)rforcerrA machine_samdb token_resrs r7cleanup_old_accountsz"DCJoinContext.cleanup_old_accountss"iCI$@$@$B$B*=@QRUR]@^@^*^&7%EGG s88q== F 9MME KK    9))#&111(()E)E)G)GHHH %+ *B3A3C3C27CF!D!D!D *00s~BWdVe0ff Q< .q1!f[)!,--)+\-0K +8999-   A T222FJJ0aJ88  )C  OOC- . . .iCI$@$@$B$B$B # 1(SZ2G H H H H # 1(S_2L M M M M+O&( ))  7 OOCFIO 6 6 6iCI$@$@$B$B*?#BST\_b_iTiBjBj*j%'))  S!/$'#4X 5J#K#K#K#K#X5O#P#P#P #RSS S S Ss A2E))E-c|js|||j||j|j||j||j||jd|jr||j|jr||j|jr:d}tj d|j d|d|j |j }tj}tj|_|d |t$j}tj}|j|_|||tj}|||jjtj}|j|_|||tj}|||jj|jr||j|jr||jdSdS) z$Remove any DNs from a previous join.)rNTrsign ncacn_ip_tcp:[]r)rrrrrrrrrrlsarpcrfrBrAObjectAttributeQosInfosec_qos OpenPolicy2r SEC_FLAG_MAXIMUM_ALLOWEDStringrstringQueryTrustedDomainInfoByName!LSA_TRUSTED_DOMAIN_INFO_FULL_INFODeleteTrustedDomaininfo_exsidrrr)rrbinding_optionslsaconn objectAttr pol_handlenamerjs r7cleanup_old_joinzDCJoinContext.cleanup_old_joins)} 2  $ $5 $ 1 1 1   ( OOC- . . . = $ OOCM * * *  $$$  666 ? - OOCO , , ,   . OOC, - - - = F$Ojj#***ooo!V!$44G,..J!$J  ,,R-7-5-NPPJ:<?? ?iCI$@$@$B$B*=@QRUR]@^@^*^%w%w%wyy s88q==BEHEPPQQ Q A & &*=Q*G*GK]adefagKgKgGJMJUUVV V A+,Q/ 0 0EJ4[49J4V5W X[\ ] ]x{~|GGHH H!!fir8c |j|tjtjztjz|_nM#t$r%}td|d|j dd}~wt$rtd|zwxYw|jj !|jj dkr|jj |_ |jj S)z(find a writeable DC for the given domain)rflagsz*Failed to find a writeable DC for domain 'z': Nz-Failed to find a writeable DC for domain '%s'r)refinddcrNBT_SERVER_LDAP NBT_SERVER_DSNBT_SERVER_WRITABLE cldap_retr&r-rpr client_siterX pdc_dns_name)rrerrors r7rkzDCJoinContext.find_dc]s YGNN&@SVYVg@gjmkBABNCCCMM 8 8 8, & 1  788 8 Y Y YNQWWXX X Y = $ 0S]5NRT5T5T}0CH}))sAA B A22 Bcd}|j|tjtjz}|j|jdkr|j}|S)N)addressrr)rerrrr r )rrfrXr s r7rizDCJoinContext.find_dc_sitejsVGNN6),)iBcn]OTT3q6-(+,,,r8c :|j}|j|tjdgdtjt |jz}t |dddSz9get netbios name of the domain from the partitions record nETBIOSNamez ncName=%s)rRrIrJrUr)rhrrlrmrrrqrrr partitions_dnrs r7r~zDCJoinContext.get_domain_name}s 3355 iM9KTaSb*58I#ciNjNjNlNlJmJm8n8n*npp3q6-(+,,,r8c :|j}|j|tjdgdtjt |jz}t |dddSr)rhrrlrmrrrqrtrs r7rz$DCJoinContext.get_forest_domain_names 3355 iM9KTaSb*58I#ciNgNgNiNiJjJj8k8k*kmm3q6-(+,,,r8c|j|jgdtj|jtjtjj fz}t|dj S)z7get the parent domain partition DN from parent DNS namez9(&(objectclass=crossRef)(dnsRoot=%s)(systemFlags:%s:=%u)))rRrJrUr) rhrlryrmrparent_dnsdomainOID_COMPARATOR_ANDrr.SYSTEM_FLAG_CR_NTDS_DOMAINrqrrs r7get_parent_partition_dnz%DCJoinContext.get_parent_partition_dnsgiCM*e # 1#2F G G # 6 8] _+_``3q69~~r8c|jdtjdg}|ddd}t |jd|S)zhget the SID of the connected user. Only works with w2k8 and later, so only used for RODC joinrrrrr)rhrlrmrnr,schema_format_value)rrbinsids r7 get_mysidzDCJoinContext.get_mysidsWiBcn]OTTQ &q)#)77 VLLMMMr8c |j|tjg}n8#tj$r&}|j\}}|tjkrYd}~dSd}~wwxYwdS)zcheck if a DN existsrNFT)rhrlrmrnrorpERR_NO_SUCH_OBJECT)rrre5rrs r7rzDCJoinContext.dn_existssx )""#."KKCC|   7LT4s---uuuuu    ts'*AAAAcTtd|jz|jdttjjtjjzdd|jzd}|j |dg|j |jtj dg}|d dd |_ td |j ztj}tj|j|j|_tj|jtjd |d <|j|d |j d |j|_td|jd|j|j|j|jdS)z#RODCs need a special krbtgt account Adding %suserTRUEz krbtgt for %s)r objectclassuseraccountcontrolshowinadvancedviewonly description rodc_join:1:1samAccountNamerrzGot krbtgt_name=%srrM ,CN=Users,z Renaming z to N)rrrqrr.UF_NORMAL_ACCOUNTUF_ACCOUNTDISABLErrhaddrlrmrn krbtgt_nameMessageDnrrMessageElementFLAG_MOD_REPLACEmodifyrsrrename)rrecrms r7add_krbtgt_accountz DCJoinContext.add_krbtgt_accounts kCM)***-!"%ej&B&+j&B'C#D#D&,*S[8 :: cO,---iCMP`Oabba&!1215 "S_4555 KMMvci--"1#-252FHY [ [  36???CKKP S]]]C4E4EFGGG (9:::::r8cd}|jdkr|dz }d|jd|d}tj||j|j|_t j|j\|_|_dS)z.make a DRSUAPI connection to the naming masterseal ,printrrrN) rB log_levelrfr rAr drs_DsBinddrsuapi_handlebind_supported_extensions)rrbinding_strings r7drsuapi_connectzDCJoinContext.drsuapi_connects}  6     " " x 'O25***oooNoncfciHH >G>RSVS^>_>_; S:::r8c t|j|j|_t t dd|j|jdd|_|j |jdS)z2create a temporary samdb object for schema queries)schemadnNF)rFrE auto_connectrGrB global_schemaam_rodc) rr|rw tmp_schemarrrArBr set_schemars r7create_tmp_samdbzDCJoinContext.create_tmp_samdbsr ),888>+;+;TY*-)e&+---    00000r8cxtj}|j||_d|_dS)z$build a DsReplicaAttributeCtr objectrN)r DsReplicaAttributerget_attid_from_lDAPDisplayNameattid value_ctr)rattrname attrvaluers r7build_DsReplicaAttributez&DCJoinContext.build_DsReplicaAttributes2  & ( (->>xHH r8c|j||j|g}|D]}tj}|d|_g}|D]x}|dkr t ||ts ||g}n||}d|D}|j|j||}| |ytj } t|| _ || _ tj} || _| | _tj} | | _| |  tj} |d| _| j} |ddD] }|| _|} |j|jd| \}}|dkr||jtjkr&t5d|jzt7d|jdt:jkr&t5d |jzt7d|d kr|jdkrt7d |jz|j j!dt:jkrr|j j"#t5d |j j!dzn4t5d |j j!dd|j j"jt7d|j jtjkr+t5d|j jzt7d|j#S)z,add a record via the DRSUAPI DsAddEntry callNrcfg|].}t|tr|dn|/S)utf8) isinstancerqencode).0xs r7 z,DCJoinContext.DsAddEntry..s8NNNqAs););BQXXf%%%NNNr8rrz!DsAddEntry failed with dir_err %uzDsAddEntry failedz(DsAddEntry failed with status %s info %szexpected err_ver 1, got %uz.DsAddEntry failed with status %s, info omittedzDsAddEntry failed with status z info )$r rIrrRDsReplicaObjectIdentifierrr^listdsdb_DsReplicaAttributeappendDsReplicaAttributeCtrrnum_attributes attributesDsReplicaObject identifier attribute_ctrDsReplicaObjectListItemobjectDsAddEntryRequest2 first_object next_object DsAddEntryrFdir_errDRSUAPI_DIRERR_OKr RuntimeError extended_errr# WERR_SUCCESSerr_vererr_datastatusrjobjects)rrecsr}r=idrJavrattrrnrp list_objectreq2prevolevelctrs r7rtzDCJoinContext.DsAddEntrysC ;     ! ! ! =  " " " ( (C244BIBEE $ $99!#a&$//QAAAANNANNN ==cmQPQRR U#####9;;M+.u::M (',M $,..F "F #0F !9;;K!'K  NN; ' ' ' ')++#AJ   A D DD{--c.@!TJJ  A::{g7779CKGHHH"#6777"f&999@CDTUVVV"#6777 A::{a"#?#+#MNNN|"1%)<<<<$,JclNabcNdeffffE H[\]H^H^H^HK HYHfHfhiii"#6777|#w'@@@9CL$7#-$GC !,/,t+j.|j4t*jd| d<|j| td|jz |j6dt+j$|jz|j7d|jnc#t*j8$rQ} | j9\} }| t*j:kr|j;<|j|j=|j7 Yd } ~ nd } ~ wwxYw|j&|jt*j>d!d"g#}d!|dvr't|dd!d|_@nd |_@ttjC|ddd|_Dtd$t+j} t+j2|j|j| _,t+j.t|jt*jd%| d%<|j| |jEFd&rt jGd'd(|_H|jIttd)|jL|jM|jNt|jHPd*Qd+|jd,}|D]\}}|t*jRksJ|d-}td.|d-z|d/=|d0=tt jjSt jjz|d%< |j|#t*j8$r%}|j9\} }| t*jTkrYd }~d }~wwxYwtd1|jNz |j6d2t+j$|jNz|jHd|jnf#t*j8$rT}|j9\} }| t*j:kr|j;<d3|jNz|j=|jH Yd }~nd }~wwxYw|j&|t*j>d!g#}d!|dvr(t|dd!d|_Ud Sd |_Ud Sd S)4z+add the various objects needed for the joinr)computer)r objectClass displaynamesamaccountnamerrzmsDS-SupportedEncryptionTypesrzmsDS-NeverRevealGroupzmsDS-RevealOnDemandGroup objectSidNrrrf)rr,rrserverReferencerSrTrrzmsDS-NC-Replica-LocationszmsDS-NC-RO-Replica-LocationsnTDSConnectionr+65)rr,enabledconnectionr fromServerzAdding SPNs to %sz $NTDSGUIDservicePrincipalNamezSetting account password for %sz((&(objectClass=user)(sAMAccountName=%s))F)force_change_at_next_loginusername) account_namer newpasswordzmsDS-KeyVersionNumberrrzEnabling accountrBIND9_zprovision_dns_add_samba.ldif utf-16-ler]) DNSDOMAINDOMAINDNHOSTNAME DNSPASS_B64DNSNAMErz#Adding DNS account %s with dns/ SPNclearTextPasswordisCriticalSystemObjectz#Setting account password for dns-%sz,(&(objectClass=user)(samAccountName=dns-%s))r)Vrrrrqrrr.r4rrDS_DOMAIN_FUNCTION_2008 ENC_ALL_TYPESr^rrrr r_rhr<r;rmr7 from_dictr:r5rr?rSYSTEM_FLAG_CONFIG_ALLOW_RENAME%SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVErrrrrrrrlrrrr`rrrr9 FLAG_MOD_ADDrrr8rangerreplace setpasswordrrorpERR_UNWILLING_TO_PERFORMre set_passwordrrnrkey_version_numberr r rznew_dc_account_sidr startswithgenerate_random_passworddnspass parse_ldifr"rrrsrr$r_decodeCHANGETYPE_NONEr3ERR_ENTRY_ALREADY_EXISTSdns_key_version_number)r specified_sidr=rrrforestpartzoner>attrie2num_rr~ changetyper5 dns_acct_dnre3s r7join_add_objectszDCJoinContext.join_add_objectsWsl ;' 6 + + , , ,k)"{"%+&)#*@5:C_*_&`&`" 00C#uz'III7:5:;S7T7T344% :7934} &#&=K  % &#%K # 2/2/C+,,% 2/1+,~ 525..//% 524./ ;#+M#:#:K # 6&#+55I$$S%8#+FFF   !6!6sy#sG[!\!\]]]] , ){H cH 555 = %  " " $ $ $ =  + - . . .m'"5:#M#(:#S$T#(:#Q$R S S #00C{ 5),%& IMM#    =  CM F ; (  " " ":C> A7:AD6Dx>=!0141A4IIAdGI$$Q'''   ( + 11 2 2 2'/%+!n ..C IMM#    ;0 % 3 4 4 4 A6#)S[11AD3sx==)) S S!hqk11+s3=?Q?QRR (+(:38;>;O;Q)S)SA$ % I  Q    3ckA B B B @ %%&P(+(9#+(F(F'G&)mAF/2{ &<<<< < @ @ @7a#666$$#+1414%@@@@@@@@  @)"" 3>*A*5*7#88C'#a&00),SV4K-LQ-O)P)P&&)-&%/0@03A{0CA0F&H&HC " $ % % % A6#)S[11AD&)&8S=S9T9T9<9M9M'O'OA" # I  Q    ? % %h / /5 28cBBCK9''(9*Ec:d:dHK GJ{GJzJSTWT_TfTfgrTsTsJtJtJ{J{}CKDKDFIo ;W;W)X)XYYD $(   C!S%88888!$i ;c$iGHHH+,01,/ 0L05 0L1M-N-N()IMM#&&&&| vHS!c:::;:::: 7#*D E E E > %%&T(+(9#*(E(E'F&)kAF/2{ &<<<< < > > >7a#666$$(SZ2G1414%>>>>>>>>  >)"" 3>*A)B#DDC&#a&00-0Q8O1PQR1S-T-T***-1***k5 25 2sLAVW9(AW44W9a22b&b!!b&Ade'A e""e'c td|jzdt|jdtji}t j|j|}|jdd|j z|j |j |j |j ttjjtjjz|d }|jtjjkrt|j|d<|}|||g}t-|d krt/d |d j|_td |j|jt9jd |jt<jt<j td|j|j!t9jd |jt<jt<j dS)zLadd the various objects needed for the join, for subdomains post replicationr)SubdomainAdmins-)name_mapcrossRefzCN=Cross-Ref,%s) rr,rnCNamerdnsRoot trustParentrntSecurityDescriptorrrcz"Expected 2 objects from DsAddEntryrzReplicating partition DN$00000000-0000-0000-0000-000000000000)exoprzReplicating NTDS DNN)"rrrqr|r DOMAIN_RID_ADMINSr+get_paritions_crossref_subdomain_descriptorr}rwrsrrparent_partition_dnrr.SYSTEM_FLAG_CR_NTDS_NCrrrrrtrr0guidrrepl replicaterrr DRSUAPI_EXOP_REPL_OBJDRSUAPI_DRS_WRIT_REPr)rr sd_binaryr=rec2r}s r7join_add_objects2zDCJoinContext.join_add_objects2.s kC,,---%#cj////8C]C]'^_J3=cklll "%/#-?k?}2uz@%*Bgghh$-     5:#E E E+.s/C+D+DC' (##%%..#t-- w<<1  !"FGG G   ())) 3+9%KLL= ' =)0)E  G G G #$$$ 3;9%KLL= ' =)0)E  G G G G Gr8cxtd|jj}t|jt fid|d|jdtd|jd|j d|j d|j d |j d |j d |jd |jd |jd|jddd|jd|jd|jd|jd|jd|jd|jd|jdd}td|jz|j|_|j|_|j|_|j|_|j|j_dS)Provision the local SAM.zCalling bare provisionsmbconfrY samdb_fillrrootdndomaindnrKconfigdnserverdnrhostname domainsidr serverrole"active directory domain controllersitenamerBntdsguidrZrr[r\r] batch_modeTzProvision OK for domain DN %sN)rrB configfilerrWrrYrrrursrwryrrrr|rrXrrZrr[r\r]rrh local_samdbpathsnamesr})rrpresults r7join_provisionzDCJoinContext.join_provisionYs &'''&#CJ(8(8 - - -'' -&)mm -@H -PSPYPY -#&;; -9< -&)]] ->A]] -&)]] -|j d|j|jj!|jj"|j#|j$td|jj%zdS)rzReconnecting to local samdbz#transaction_index_cache_size:200000F)rErrFrBrMzFinding domain GUID from ncNamencNamezextended_dn:1:1zreveal_internals:0)rRrIrJrrrz*Can't find naming context on partition DN z in r]rz3Can't find GUID in naming master on partition DN %szGot domain GUID %szCalling own domain provisionrFrBr) dom_for_fun_levelrYrrrrBhostiphostip6rrzProvision OK for domain %sN)&rrrrErrBrhset_invocation_idrqrrWrjrlrrmrnr0rrr8rget_extended_componentr domainguidKeyErrorrrsecretsrrrYrrr r rrr)rr secrets_ldbs r7join_provision_own_domainz'DCJoinContext.join_provision_own_domainvs +,,,co1B"D'5'7'7 _/(- /// ##C(9$:$:;;;) 9:::o$$#*:#.YaXb/@BV.W%YY 3q6 ! !!/Z]ZjZjZjlolulyly"z{{ { o#&ty 3q6(CSTUCVC]C]^dCeCe1f1f1}1}E2F2F(G(G$H$HCI  o o o!"WZ]^_Z`aiZjklZm"mnn n o ,sy/CCDDD 6777#)+.:J:JsvVVV s z39ci)@!$>#&==a&)939CT#&?cm  M M M M *SY-@@AAAAAs ;A;E77/F&chtjd|jd|d|j||j|jSz2Creates a new DRS object for managing replicationsrrr)r drs_ReplicaterfrBrr)r repl_credsrs r7create_replicatorzDCJoinContext.create_replicators?&&),___E COS5FHH Hr8cb |jd|j t j|j}|j.tdt jtj }n|j}|j rwt}||j|t"||j||jn|j}d}|jdkr|dz }|||}||j||d|j |j||j|||j |j |js0td  ||j|||j |jtj z nN#tB$rA}|j"d tFj$kr|j%d nYd}~nd}~wwxYw|jtj zs ||j|||j |j n\#tB$rO}|j"d tFj$kr.|jtj zr|j%d d}~wwxYwtd|j&|j'fD]N}||j(vrCtdtS|z|||||j |j O|j rS||j*||tj+d||j,||tj+dn|j- ||j-||tj.n^#t^j0$rL}|j"\} } | tj1kr'td|j2ztdnYd}~nd}~wwxYw||_3||_4||_5|jd|jtj zs%|j6tnj8d|j9|j6tnj8d |jdn#|j:xYw|;dS)zReplicate the SAM.zStarting replicationNzUsing DS_BIND_GUID_W2K3rArBrCT)schemarodcr)rrz;Replicating critical objects from the base DN of the domainrzFirst pass of replication with DRSUAPI_DRS_CRITICAL_ONLY not possible due to a missing parent object. This is typical of a Samba 4.5 or earlier server. We will replicate the all objects instead.zReplication with DRSUAPI_DRS_CRITICAL_ONLY failed due to a missing parent object. This may be a Samba 4.5 or earlier server and is not compatible with --critical-onlyz5Done with always replicated NC (base, config, schema)zReplicating %s)rr)rzdWARNING: Unable to replicate own RID Set, as server %s (the server we joined) is not the RID Master.zxNOTE: This is normal and expected, Samba will be able to create users after it contacts the RID Master at first startup.z1Committing SAM database - this may take some timerzCommitted SAM database) D D$$*c"gg6777NN2'?#7ch141B#DDDx s{,D3$+$D4QQQs02J3$+$D4QQQQ#/ NN3#57O#7(/(K#MMMM,#%7LT4wFFFEHKHRRSSSYZZZZZZZZZ CH+CC (';C $ JOOO P P P+g.OO 62243h34666 O . . 0 0 0 O . .t/d/0 2 2 2 JOO4 5 5 5 5'  O . . 0 0 0 * ""$$$$$sFS<6G=<S<= I7I>S<IS< )J S< K#A KK##CS<4(OS<P8,AP3.S<3P882S<<Tc |jtjgdS#tj$r}|j\}}|tjkrYd|vsd|vrQ|jdtd|j zt|j |j |_nt|Yd}~dSd}~wwxYw)NrH!NT_STATUS_CONNECTION_DISCONNECTEDNT_STATUS_CONNECTION_RESETz)LDB connection disconnected. ReconnectingrCrD)rhrlrmrnrorpERR_OPERATIONS_ERRORrWr#rrfrrArBr0)rrrrs r7r.z$DCJoinContext.refresh_ldb_connection>s , I  3>  < < < < <| , , ,6LT40004<<-55 ""#NOOO!kCJ&>/=/?/?.1iCFDDD &d+++   ,s&*CBCCcZtj}tj|_t ||j_t jd|j_tj d|j_ |j |_ t |j d|j|_tjtjz|_|js|xjtjzc_|j||j|jd|dS)NrzS-0-0z._msdcs.r)r DsReplicaUpdateRefsRequest1renaming_contextrqrrrrr rzrr dest_dsa_guidrdest_dsa_dns_nameDRSUAPI_DRS_ADD_REFDRSUAPI_DRS_DEL_REFrrrrIDsReplicaUpdateRefsrF)rrrs r7send_DsReplicaUpdateRefsz&DCJoinContext.send_DsReplicaUpdateRefsPs  / 1 1"<>>!"gg $ *P Q Q'/88-03CM0B0B0B0BCMMR/'2MM x 6 II5 5II ;     ! ! ! ''(:AqAAAAAr8c l tj}tjtjz}|j}d|jz}|j}t|j}|d|}tj |j |j }|j dt|||fzd} tjd|jd| d|j |j} d} t%j|j} t+j} |j| _t+jd t|jt*jfz| _ | |d |j||d t<j|d d \}}n4#t@$r'}|j!d tDj#krd } Yd }~nd }~wwxYw| r|j$D]}|j%D]}|j&t<j'ks|j&t<j(krptj)}||_$ | *|d |j||d |h#t@$r'}|j!d tDj#krnYd }~d }~wwxYw|D]}|+d dkr3|j d|d|d|tY|}n2|j d|d|d|t[|}tj)}||_$| *|d |j|||d t|d krlt]j/|j|j0}|j1|d||\|_2}| 3|j2| dt*j4t*j5zzg|j d|d|d|tj)}tm|}||_$| *|d |j|||d t]j/|j|j7}|j1|d||\|_8}| 3|j8| dt*j4t*j5zzg|j dd S)aRemotely Add a DNS record to the target DC. We assume that if we replicate DNS that the server holds the DNS roles and can accept updates. This avoids issues getting replication going after the DC first starts as the rest of the domain does not have to wait for samba_dnsupdate to run successfully. Specifically, we add the records implied by the DsReplicaUpdateRefs call above. We do not just run samba_dnsupdate as we want to strictly operate against the DC we just joined: - We do not want to query another DNS server - We do not want to obtain a Kerberos ticket (as the KDC we select may not be the DC we just joined, and so may not be in sync with the password we just set) - We do not wish to set the _ldap records until we have started - We do not wish to use NTLM (the --use-samba-tool mode forces NTLM) z _msdcs.%srNz&Adding %d remote DNS records for %s.%srrrrTz%s-%drNF:zAdding DNS AAAA record z for IPv6 IP: zAdding DNS A record z for IPv4 IP: ) dns_partitionz sd_flags:1:%drzAdding DNS CNAME record z for z_All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup)9rDNS_CLIENT_VERSION_LONGHORNDNS_RPC_VIEW_AUTHORITY_DATADNS_RPC_VIEW_NO_CHILDRENrrrrqrr interface_ipsrBrrWrjrrfrAr'SDUtilsrhr rr owner_sidrzr|DOMAIN_RID_DCS group_sidDnssrvEnumRecords2r DNS_TYPE_ALLr%rpr#"WERR_DNS_ERROR_NAME_DOES_NOT_EXISTr=recordswType DNS_TYPE_A DNS_TYPE_AAAADNS_RPC_RECORD_BUFDnssrvUpdateRecord2findr)r(rmr8r dns_lookuprmodify_sd_on_dn SECINFO_OWNER SECINFO_GROUPr*rr)rclient_version select_flagsr msdcs_zoner msdcs_cname cname_targetIPsrdns_conn name_found sd_helperchange_owner_sdbuflenrrr=record del_rec_bufIP add_rec_bufdomaindns_zone_dn ldap_recordforestdns_zone_dns r7join_add_dns_recordsz"DCJoinContext.join_add_dns_recordsas0#> <  ./ } 3=0 z#-(( "&$$- !#&#*;<< @S4./ 0 0 0!&& OOO'\'*vsy:: $SY// "-//$'$:!$,$4W69#*oo6>6M6O6O%P%P!  #--n./.1j.2.2.2.2.?.:.2.2 4 4 VSS # # #vayFEEE"  #  &w & &!k&&F|t66|t'999&/&B&D&D *0  &$889:9<9=9=9=9D FFFF +&&& vayF,UUU $ %!%&:&( / /Bwws||r!! #'44rr!3444 nn #'44rr!3444bkk$688K!KO  ( ()*),)-)-)4)-  / / / / HHqLL #sy#2D E E )&&$$$'=5F'HH (S\;  % %clO0?3;3I5=5K4L1M0N & O O O JOOO*{{JJJ F G G G$688Kl++C!KO  ( ()*),)3)4)4)-  / / /!$sy#2D E E )&&+++zz'J5F'HH ,S {  % %c&60?3;3I5=5K4L1M0N & O O O K L L L L Ls00E99 F*F%%F* H'' I1IIc |j|jfD]i}||jvr^|jdt |z|j||j|j |j |j djdS)Nz!Replicating new DNS records in %sF)rr full_sync) rrr`rWrjrqrrr(rrr)rrs r7join_replicate_new_dns_recordsz,DCJoinContext.join_replicate_new_dns_recordss%s'9: 4 4BS[    Cs2ww OPPP""2s'C#&=sx141B-2#444 4 4r8c |jd|jD]}|||jrt d|jt|j |j d|j tj }tj|jd|jz|_tjt%|j tjd|d<|j||j|jdd|jdtj }tj|jd|_tjd tjd |d <|j}tjd t|ztjd |d <|j||jrd St1|jjt7|j}|jdt;||j|j|j |j!|j"|j#|j$|j% |j&'drNtQ|j||j)|j|j|j|j&|j*|j |j+|j, d Sd S)z=Finalise the join, mark us synchronised and setup secrets db.z=Sending DsReplicaUpdateRefs for all the replicated partitionszSetting RODC invocationIddomainFunctionalityz%srr(Setting isSynchronized and dsServiceName@ROOTDSEr+isSynchronized dsServiceNameNr zSetting up secrets database)rrr netbiosnamerrsecure_channel_typerr)rros_levelrYr)-rWrjr`r=rrrr rqrr*rrmr7r8rrr9r r:r;"set_attribute_replmetadata_versionrrrrrrrBrrrrrr|rrvrrrr!rrrYr)rrr>rrs r7 join_finalisezDCJoinContext.join_finalises WXXX+ - -B  ( ( , , , , 8 B - . . . O - -c#2C.D.D E E E O . ./D/2/C E E E A6#/4#++=>>AD # 28C >qt?M?@ B B B BCCC KMMvcoz22!09MO_`` } / c$ii0G030DoWW/ q!!! =  F#)+.:J:JsvVVV  5666K"%)&)m(+ &)j(+ 030G/2/E G G G G ? % %h / / K CO[Isy#&#*(+$'K#:N&)m/2/I  K K K K K K K Kr8c z td|jzd}tjd|jd|d|j|j}tj}tj|_| d d|tj }tj }|j|j_|j|j_|j|_tjtjz|_tj|_tj|_ tj}|j|_|||tj}td|jd|jjd |||jjn#t@$rYnwxYwtC|j"#d }tIj%} tM|| _'|| _(tIj)} tUj+tYt[j-| _.tj/| _0| | _1tIj2} d | _3| g| _4tIj5} d | _3| | _6tIj7} d gd z}tqd D]}tsj:dd||<|| _;| | _<| | _=t}| }t|j@|}tjA}tM||_'tC||_BtjC}||_D|E|||tjF}d|jGd|jHdt|jt|jt|j|jJ|jGt}| t}| t}|jKd }|jLM|d|jJd|jHdttTjNjO|j"#d d|jJzd}|jLM|dS)zprovision the local SAM.z"Setup domain trusts with server %srz ncacn_np:rrzutf-8zRemoving old trust record for  (SID )rrrdirrzcn=z ,cn=system, trustedDomain) rr, trustTypetrustAttributestrustDirectionflatname trustPartnertrustAuthIncomingtrustAuthOutgoingsecurityIdentifierz $,cn=users,r*rL)rr,rrr1N)PrrfrrrBrArrrrrr rTrustDomainInfoInfoExrrrrr|rLSA_TRUST_DIRECTION_INBOUNDLSA_TRUST_DIRECTION_OUTBOUNDtrust_directionLSA_TRUST_TYPE_UPLEVEL trust_type!LSA_TRUST_ATTRIBUTE_WITHIN_FORESTtrust_attributesrrrrrrwr trustdom_passr_r AuthInfoClearrsizepasswordAuthenticationInformationr unix2nttimertimeLastUpdateTimeTRUST_AUTH_TYPE_CLEARAuthTypeAuthInfoAuthenticationInformationArraycountarraytrustAuthInOutBlobcurrenttrustDomainPasswordsrrandomrandint confounderoutgoingincomingr r session_key DATA_BUF2dataTrustDomainInfoAuthInfoInternal auth_blobCreateTrustedDomainEx2SEC_STD_DELETErrsrqrr}rr5r.UF_INTERDOMAIN_TRUST_ACCOUNT)rrrrrrjoldnameoldinfo password_blob clear_value clear_authentication_information authentication_information_arrayr trustpassrrtrustpass_blobencrypted_trustpassr auth_infotrustdom_handler=s r7join_setup_trustszDCJoinContext.join_setup_trustsKsP 2SZ?@@@**#***oooN VSY00(**  []] ((7););)3X5VXX (**"%-#&? :">Aaa4 # E jllG ]GN:::w;>;`bbG EPWP_PcPcPcd e e e  ' ' GO4G H H H H    D -S->-E-Ek-R-RSS ,.. }-- , +3+M+O+O(:?:KCPTPYP[P[L\L\:]:](7474M(14?(1+3+R+T+T(12(.2R1S(..00;133 S3Y s 3 3A"N1c22JqMM) % % !),,-g.A>RRMOO 011 -.ABB 799 ' !889=9B9A9PRR +.---E*T_--"4#899!$"677.M!)(!3!3!)(!3!3"*3="9"9    C    +.*@*@*@#++N!"%ej&M"N"N!$!2!9!9+!F!F#c&<<    C     s'BF-- F:9F:c|j|jg|_|j|j|jg|_|jr#|jdkr|xj|jgz c_dS|js{|xj|jgz c_|jdkr\|xj|jgz c_|xj|jgz c_|xj|jgz c_|xj|jgz c_dSdSdS)NrV) ryrwr`rsrarrrrrQs r7build_nc_listszDCJoinContext.build_nc_listss }cm4 K F = 9S_66   !3 4 4     9 KKCK= (KK&((  233   233   S%7$88    S%7$88     9 9)(r8c||jr|n| ||||jr<|| | |j dkr(| | |dS# tdn#t $rYnwxYw||xYw)NrVzJoin failed - cleaning up)rr^rrrrr0rrrrrrjrmryrIOErrorr.rQs r7do_joinzDCJoinContext.do_joinss    #  " " " "  " " "   " " "       } (%%'''--///%%'''&((((***22444          12222      & & ( ( (  " " " s1CDED! E! D.+E-D..,E)NNNNNNNNNFNFFNNN)FN)'r9r:r;__doc__r3rrrrrkrirrr~rr r$rr?rIrRrZrtrrrrrrrr0r.r=rjrmryrrrr8r7r?r?>sJN;?@D;@#$($( U"U"U"U"n    3S3S3S3Sj-.-.-.-.^(((& * * *666---------NNN   ;;;:```111 AAAF)))V h h hU2U2U2U2n)G)G)GV,,,:+B+B+BZHHH S%S%S%j,,,$BBB"WLWLWLr444FKFKFKPc!c!c!J999*     r8r?Fct||||||||| | | | | ||}|d|j|d|jz|d|j|d|jzd|jd|j|_d|jd tj d d tj zd tj zd tj zd tjzg|_d|jd tjd |_|}d |z}||_t(jjt(jjzt(jjz|_|jd |jzd |jzgd |jz|_t>j |_!d|_"|xj#tHj%tHj&zzc_#|j#|_'|r|xj'tHj(zc_'|)|d|jd|jddS)zJoin as a RODC.r\r] workgroupworkgroup is %sr realm is %sz CN=krbtgt_r2zzzRestrictedKrbHost/%szCN=RODC Connection (FRS),%sTJoined domain r{z ) as an RODCN)*r?setrrjrrrsrr|r DOMAIN_RID_RODC_DENYSID_BUILTIN_ADMINISTRATORSSID_BUILTIN_SERVER_OPERATORSSID_BUILTIN_BACKUP_OPERATORSSID_BUILTIN_ACCOUNT_OPERATORSrDOMAIN_RID_RODC_ALLOWrr$rrr.r)UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATIONUF_PARTIAL_SECRETS_ACCOUNTrrextendrrrr SEC_CHAN_RODCrvrrr %DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING$DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIPr r!r)rWrfrArBrXrrYrdomain_critical_onlyrrZrr^r[r\r]rmysidadmin_dns r7 join_RODCrsO r4!6; ;(*;&3+=  ? ? ?C FF;((( KK!CO3444FF7CI KK  )****25***ckkJCMMX%B%B%BCX88X::X::X;; =C '*jjj(2P2P2PQCN MMOOEE!HCM#jE#jRS#jCDCHOO+cj8+co=?@@@6 CC"0CCH'G!FGH"0CF   G$EE  KKMMM KKK#///3:::VWWWWWr8ct||||||||| | | | | ||}|d|j|d|jz|d|j|d|jzt jjt jjz|_ |j d|j ztj|_|xjt"jt"jzzc_|j|_|r|xjt"jzc_||d|jd|jd d S) z Join as a DC.rrrrrz1E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/%srr{z ) as a DCN)r?rrrjrrr.rUF_TRUSTED_FOR_DELEGATIONrrrhrr SEC_CHAN_BDCrvrr r!DRSUAPI_DRS_FULL_SYNC_IN_PROGRESSr r!rr|)rWrfrArBrXrrYrrrrZrr^r[r\r]rs r7join_DCr sc r4!6; ;(*;&3+=  ? ? ?C FF;((( KK!CO3444FF7CI KK  )***"Z?%*BffCHOOG#-WXXX"/C'6!CDE"0CF   G$EE  KKMMM KKKs STTTTTr8rVc t||||||||||  } |d| j|d| jz|d| j|d| jz| |d| jd| jd| S) z%Creates a local clone of a remote DC.)rYrrinclude_secretsr\r]rrrrzCloned domain r{r|)DCCloneContextrrrjrrr|) rWrfrArBrYrrrr\r]rs r7 join_clonerBs i &K)8'4,>  @ @ @C FF;((( KK!CO3444FF7CI KK  )***KKMMM KKKs KLLL Jr8c8eZdZdZ dfd ZdZdZxZS)rzClones a remote DC.NFc tt||||||||| |  d|_d|_d|_|jdd|_d|_ d|_ |j |_ |xjtjtjzzc_|s|xjtjzc_|j|_dS)N)rYrrr\r]rNr)r2rr3rrrrfsplitrrrrh get_ntds_GUIDremote_dc_ntds_guidrr rrrr ) rrWrfrArBrYrrrr\r]r6s r7r3zDCCloneContext.__init__[s nc""++FFE26?8C:G?Q , S S S   Z%%c**1-  !#&)"9"9";"; g:%GH I O   !N N  #   r8c|jdtj}tj|jd|_tjdtjd|d<|j }tjdt|ztjd|d<|j |dS)Nrprqr+rrrsrt) rWrjrmr7r8rrr9r:rrqr;)rr>rs r7ryzDCCloneContext.join_finalisevs BCCC KMMvcoz22!09M1ACC & / c$ii0G030D0?AA/ q!!!!!r8c||||dSr)rrr0ryrQs r7rzDCCloneContext.do_joinsR    r8) NNNNNNNFNN)r9r:r;rr3ryrr<r=s@r7rrXsm?C:>6:$(5555556 " " "r8rcBeZdZdZ d fd ZdZdZdZdZxZ S) DCCloneAndRenameContextz6Clones a remote DC, renaming the domain along the way.NTc tt||||||| | | |  ||_||_||_dS)N)rYrrrr\)r2rr3 new_base_dnnew_domain_name new_realm)rrrrrWrfrArBrYrrrr\r6s r7r3z DCCloneAndRenameContext.__init__sc %s++44VVUB?Hrs&%%%%%%OOOOOOOOOOOOOO ********UUUUUUUUUUUUUUUUUUUU......<<<<<<<<DDDDDDDDDDDDDDDD------444444######,,,,,,,,<<<<<<<<<< ############%%%%%%MMMMMiMMM gggggFgggT-VZ@E=A8= !% 5X5X5X5XpTX>C;?6;# UUUUD9=