bZddlZddlZddlmZddlZddlmZmZddlmZm Z m Z ddl m Z ddl mZddlmZmZddlmZmZmZmZdd lmZmZmZmZdd lmZmZmZdd lmZdd l m!Z!dd l"m#Z#ddl$m%Z%ddlm&Z&m'Z'ddlm(Z(ddl)m*Z*m+Z+m,Z,ddl$m-Z-ddl.m/Z/dZ0dZ1Gdde2Z3dS)N) cmp_to_key) unix2nttime nttime2unix)ldbdsdb drs_utils)system_session)SamDB)drsuapimisc)Site Partition TransportSiteLink) NCReplicaNCType nctype_lut GraphNode) RepsFromToKCCErrorKCCFailedObject)convert_schedule_to_repltimes)ndr_pack)verify_and_dot)ldif_import_export) setup_graphget_spanning_tree_edges)Vertex)DEBUGDEBUG_FNlogger)debug)cmpc|r|sdS|s|rdStt|jt|jS)aHelper to sort DSAs by guid global catalog status GC DSAs come before non-GC DSAs, other than that, the guids are sorted in NDR form. :param dsa1: A DSA object :param dsa2: Another DSA :return: -1, 0, or 1, indicating sort order. )is_gcr#rdsa_guid)dsa1dsa2s 4/usr/lib/python3/dist-packages/samba/kcc/__init__.pysort_dsa_by_gc_and_guidr,2sp zz||DJJLLr ::<<DJJLLr x &&(?(? @ @@cdS)zCan the KCC use SMTP replication? Currently always returns false because Samba doesn't implement SMTP transfer for NC changes between DCs. :return: Boolean (always False) Fr/r-r+is_smtp_replication_availabler0Cs  5r-ceZdZdZ d.dZdZdZdZdZd Z d Z d Z d/d Z d Z dZdZdZdZdZdZdZdZdZd/dZd/dZdZdZdZdZdZdZdZd Z d!Z!d0d#Z"d$Z#d%Z$d&Z%d'Z&d1d(Z'd2d*Z( d3d+Z)d/d,Z*d-Z+dS)4KCCa;The Knowledge Consistency Checker class. A container for objects and methods allowing a run of the KCC. Produces a set of connections in the samdb for which the Distributed Replication Service can then utilize to replicate naming contexts :param unix_now: The putative current time in seconds since 1970. :param readonly: Don't write to the database. :param verify: Check topological invariants for the generated graphs :param debug: Write verbosely to stderr. :param dot_file_dir: write diagnostic Graphviz files in this directory FNci|_i|_d|_i|_i|_i|_|jj|_|jj|_i|_ t|_ t|_ d|_ d|_d|_d|_d|_||_t'||_||_||_||_||_dS)zInitializes the partitions class which can hold our local DCs partitions or all the partitions in the forest N) part_table site_table ip_transportsitelink_table dsa_by_dnstr dsa_by_guidgetget_dsa_by_guidstrget_dsakcc_failed_linkssetkcc_failed_connectionskept_connections my_dsa_dnstrmy_dsa my_site_dnstrmy_sitesamdbunix_nowrnt_nowreadonlyverifyr" dot_file_dir)selfrFrHrIr"rJs r+__init__z KCC.__init__[s   "&"2"6(, !#&)ee# !$  !    !(++     (r-cB |jd|jztjd}n3#tj$r!}|j\}}td|zd}~wwxYw|D]}t|j }t|}| |j|j dkr||_ R|j dkrtjdrtjd |j d |j td dS) zLoads the inter-site transport objects for Sites :return: None :raise KCCError: if no IP transport is found $CN=Inter-Site Transports,CN=Sites,%sz (objectClass=interSiteTransport)scope expressionz+Unable to find inter-site transports - (%s)NIPSMTPz2Samba KCC is ignoring the obsolete SMTP transport.z0Samba KCC does not support the transport called .z(there doesn't seem to be an IP transport)rEsearchget_config_basednr SCOPE_SUBTREELdbErrorargsrstrdnrload_transportnamer6r!r"warning)rKrese2enumestrmsgdnstr transports r+load_ip_transportzKCC.load_ip_transportsm  !*##$J$(J$@$@$B$B%C*-*;/Q$SSCC| ! ! !7LT4H !! ! !  A ACKKE!%((I  $ $TZ 0 0 0~%%$-!!6)) /0000/8~~~ @AAAA   $EFF F % $AAA4A//A4c |jd|jztjd}n3#tj$r!}|j\}}td|zd}~wwxYw|D]S}t|j }||j vr t|}| |j||j |<TdS)zyLoads the inter-site siteLink objects :return: None :raise KCCError: if site-links aren't found rNz(objectClass=siteLink)rOz*Unable to find inter-site siteLinks - (%s)N) rErUrVrrWrXrYrrZr[r7r load_sitelink)rKr_e3rarbrcrdsitelinks r+load_all_sitelinkszKCC.load_all_sitelinkss  P*##$J$(J$@$@$B$B%C*-*;/G$IICC| P P P7LT4G$NOO O P 2 2CKKE+++H  " "4: . . .*2D  & & 2 2rgc|t||j}||jt |j}||jvrd||j|<|j|j |j d|j D|j|S)zHelper for load_my_site and load_all_sites. Put all the site's DSAs into the KCC indices. :param dn_str: a site dn_str :return: the Site object pertaining to the dn_str c3BK|]}t|j|fVdSNrZr(.0xs r+ z KCC.load_site..sK$F$F()&)__a$8$F$F$F$F$F$Fr-) r rF load_siterErZ site_guidr5r8update dsa_tabler9values)rKdn_strsiteguids r+ruz KCC.load_sitesFDM** tz""" 4>"" t & &$(DOD !   $ $T^ 4 4 4   # #$F$F-1^-B-B-D-D$F$F$F F F Ft$$r-cd|jd|j|_||j|_dS)zGLoad the Site object for the local DSA. :return: None zCN=z ,CN=Sites,N)rEserver_site_namerVrCrurDrKs r+ load_my_sitezKCC.load_my_sitesW J ' ' ) ) ) ) J ( ( * * *,~~d&899 r-cN |jd|jztjd}n3#tj$r!}|j\}}td|zd}~wwxYw|D]+}t|j }| |,dS)z|Discover all sites and create Site objects. :return: None :raise: KCCError if sites can't be found z CN=Sites,%sz(objectClass=site)rOzUnable to find sites - (%s)N) rErUrVrrWrXrYrrZr[ru)rKr_e4rarbrcsitestrs r+load_all_siteszKCC.load_all_sitess  A*##M$(J$@$@$B$B%C*-*;/C$EECC| A A A7LT484?@@ @ A $ $C#&kkG NN7 # # # # $ $rgc Vd|jz}tj|j|} |j|tjdg}n#tj$r}|j\}}td|d|d|d |jdtjd g}tj|j|d d d  d }|j|tjdg}n3#tj$r!}|j\}}td |zd }~wwxYwYd }~nd }~wwxYwt|dkr$td| ztj|j} tj|d dd | krtdt|d j|_|j|j|_|j|jvrXt-jd|jz|j|j|j<|j|jt|jj<d Sd S)z|Discover my nTDSDSA dn thru the rootDSE entry :return: None :raise: KCCError if DSA can't be found z objectGUID)baserPattrszSearch for dn 'z' [from z ] failed: zL. This typically happens in --importldif mode due to lack of module support. dsServiceNamerutf8z Unable to find my nTDSDSA - (%s)Nr&zUnable to find my nTDSDSA at %sz>Did not find the GUID we expected, perhaps due to --importldifzmy_dsa %s isn't in self.dsas_by_dnstr: it must be RODC. Let's add it, because my_dsa is special! (likewise for self.dsa_by_guid))rE get_ntds_GUIDrDnrU SCOPE_BASErXrYr decoderlen extended_strr GUIDrZr[rArDr<rBr8r"DEBUG_DARK_YELLOWr9r() rKdn_queryr[r_e5rarbservice_name_rese ntds_guids r+ load_my_dsazKCC.load_my_dsas !9!9!;!;; VDJ ) ) J*##3>+7.$::CC| J J J7LT4 H57RR444I J J J J$(:#4#4";>>>< J J J v tADHIII J% J0 s88q==<??,,-.. .Idj668899 9SVL)!, - - : ::;; ; A NNl**4+<==  D$5 5 5  #%H%)$5 %6 7 7 7 48;D d/ 0:>+D S!566 7 7 7 6 5s<(A""E"1#EBD%$E%E4EEEE"c |jd|jztjd}n3#tj$r!}|j\}}td|zd}~wwxYw|D]S}t|j }||j vr t|}| |j||j |<TdS)zDiscover and load all partitions. Each NC is inserted into the part_table by partition dn string (not the nCName dn string) :return: None :raise: KCCError if partitions can't be found zCN=Partitions,%sz(objectClass=crossRef)rOz Unable to find partitions - (%s)N) rErUrVrrWrXrYrrZr[r4rload_partition)rKr_e6rarbrcpartstrparts r+load_all_partitionszKCC.load_all_partitions5s F*##$6$(J$@$@$B$B%C*-*;/G$IICC| F F F7LT4=DEE E F , ,C#&kkG$/))W%%D    + + +'+DOG $ $ , ,rgc i|_|j\}}|D]}|jD]}|j}|dkrt |j}|j}|j } |j } |j |} | t|||| | } | |j|<st| j|| _t| j|| _| | _t%} |Pt'd|jD]8} || jr| | (| xjdz c_9nt'd|j| dS)zEnsure the failed links list is up to date Based on MS-ADTS 6.2.2.1 :param ping: An oracle function of remote site availability :return: None rNz6refresh_failed_links: checking if links are still downr&zdrefresh_failed_links: not checking live links because we weren't asked to --attempt-live-connections)r=rBget_rep_tablesry rep_repsFromconsecutive_sync_failuresrZsource_dsa_obj_guid last_success last_attempt dns_name1r:rmax failure_countmintime_first_failure last_resultr>rr?dns_nameadddifference_update)rKpingcurrentneededreplica reps_fromrr(rrrfrestore_connections connections r+ refresh_failed_links_connectionsz$KCC.refresh_failed_links_connectionsSs!#+4466~~'' 0 0G$1 0 0 ) C  A%%y<==%.%;"'4 $.)--h779'-(:K(022A78D)(33&)!/=&I&IAO+.q/C/A,C,CA($/AMM) 0."ee   J K K K"9 2 2 4 +,,2'++J7777,,1,,,  2 @ A A A #556IJJJJJr-c|jt|j}|rN|jdkrCt |j}||jkrtj d|j|z dkrdSdS)aLCheck whether a link to a remote DSA is stale Used in MS-ADTS 6.2.2.2 Intrasite Connection Creation Returns True if the remote seems to have been down for at least two hours, otherwise False. :param target_dsa: the remote DSA object :return: True if link is stale, otherwise False rz_The last success time attribute for repsFrom is in the future!i TF) r=r:rZr(rrrrFr!error)rK target_dsa failed_linkunix_first_failures r+is_stale_link_connectionzKCC.is_stale_link_connections+//J4G0H0HII  (1,, >??#& 55L"=>>>M$66+EE4 ur-cdSror/rs r+(remove_unneeded_failed_links_connectionsz,KCC.remove_unneeded_failed_links_connectionss r-c|D]n}|je|jrDtjt t j|_|j|_T| |j odS)aTLoad or fake-load NTDSConnections lacking GUIDs New connections don't have GUIDs and created times which are needed for sorting. If we're in read-only mode, we make fake GUIDs, otherwise we ask SamDB to do it for us. :param connections: an iterable of NTDSConnection objects. :return: None N) r|rHr rrZuuiduuid4rG whenCreatedload_connectionrE)rK connectionscn_conns r+_ensure_connections_are_loadedz"KCC._ensure_connections_are_loadedsr# 8 8G|#=8#'9S->->#?#?GL*.+G''++DJ777  8 8r-c|jjD]8}|}| t |jd|d|_9dS)zFind NTDS Connections that lack a remote I'm not sure how they appear. Let's be rid of them by marking them with the to_be_deleted attribute. :return: None Nz has phantom connection T)rB connect_tableryget_from_dnstrr to_be_deleted)rKrs_dnstrs r+_mark_broken_ntdsconnzKCC._mark_broken_ntdsconnsu{07799 - -G,,..G4;;;;B7DEEE(,%  - -r-c4|jrtd|jzdS|j} ||jn'#t$r|rYdSYnwxYwg}|jD]z}| }||jj vrV| p| }t|j}|||||f{t!|dkrdSt#j|dD]H\}}|\}}}}|\} } } } |r|| kr|j| jks|j| jkr || krd|_IdS)aFind unneeded intrasite NTDS Connections for removal Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections. Every DC removes its own unnecessary intrasite connections. This function tags them with the to_be_deleted attribute. :return: None z>not doing ntdsconn cleanup for site %s, because it is disabledNT)rDis_cleanup_ntdsconn_disabledr rBrrryris_rorrx is_generatedis_rodc_topologyrr|appendr itertools permutationsrr) rKmydsalocal_connectionsrr removable packed_guidabcn_conn2s_dnstr2 packed_guid2 removable2s r+_mark_unneeded_local_ntdsconnz!KCC._mark_unneeded_local_ntdsconns < 4 4 6 6  .04 = > > > F    / /0C0J0J0L0L M M M M   {{}}     *1133 C CG,,..G$,000!(!5!5!7!7".'s&+O+OQAaD+O+O+O+O+O+Or-)rBrrDrxryrrrr<r!inforrrrr@is_bridgehead_failed dsa_dnstrr5 rw_dsa_table) rK local_dsasconnections_and_dsasdsacnrfrom_dsato_dsa from_dnstrr{cn2to_dsa2 from_dsa2s r+!_mark_unneeded_intersite_ntdsconnz%KCC._mark_unneeded_intersite_ntdsconns1 ;      F\+ !$$&& E EC'..00 E E#++--?*,,#||G44H'9+?+? $Q&-%.///+/( (//S(0CDDD E +++O+O:N+O+O+OOOO$8 4 4 B??$$ (;(;(=(= d+++..vt<<,..x>>, "+J..00 4 4!2223G44/WicMM%):::/3B,  4 4 4r-c|s|jr|jD]\}|jrt jd|z|jrt jd|z|jrt jd|z]| |j ddS| |j dS)NTO BE DELETED: %sTO BE ADDED: %sTO BE MODIFIED: %sTro) rrHrryrr!r to_be_addedto_be_modifiedcommit_connectionsrE)rKrconnects r+_commit_changeszKCC._commit_changes>s 99;; /$- /,3355 A A(@K 4w >???&>K 2W <===)AK 5 ?@@@  " "4:$ " 7 7 7 7 7  " "4: . . . . .r-c |||jr|r||jjD]}||dS)zRemove unneeded NTDS Connections once topology is calculated Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections :param all_connected: indicates whether all sites are connected :return: None N) rrrBis_istgrrDrxryr)rK all_connectedrs r+remove_unneeded_ntdsconnzKCC.remove_unneeded_ntdsconnOs ""$$$ **,,, ;    5] 5  2 2 4 4 4<)0022 & &C   % % % % & &r-c|j}||jjv}t|j}||jkr||_|jt jzdkr|xjt jzc_|r2|jt j zdkr|xjt j zc_|s| |r2|jt j zdkr|xjt j zc_|j tjzdkrK|j tjzdkr2|jt jzdkr|xjt jzc_n4|s2|jt jzdkr|xjt jzc_|sJ|j tjzdkr2|jt jzdkr|xjt jzc_|j tjzdkr2|jt jzdkr|xjt jzc_|sd|jt jzdkr|xjt jzc_|jt jzdkr|xjt jzc_|jd|j} |jt jzdkr|xjt jzc_t9j|_|j| kr| |_|j dkr|j!| kr| |_!|"rtGd|zdSdS)a$Update an repsFrom object if required. Part of MS-ADTS 6.2.2.5. Update t_repsFrom if necessary to satisfy requirements. Such updates are typically required when the IDL_DRSGetNCChanges server has moved from one site to another--for example, to enable compression when the server is moved from the client's site to another site. The repsFrom.update_flags bit field may be modified auto-magically if any changes are made here. See kcc_utils.RepsFromTo for gory details. :param n_rep: NC replica we need :param t_repsFrom: repsFrom tuple to modify :param s_rep: NC replica at source DSA :param s_dsa: source DSA :param cn_conn: Local DSA NTDSConnection child :return: None rz._msdcs.r&zmodify_repsFrom(): %sN)$rrDrxrschedule replica_flagsr DRSUAPI_DRS_ADD_REF!is_schedule_minimum_once_per_weekDRSUAPI_DRS_PER_SYNCis_fsmo_role_ownerDRSUAPI_DRS_INIT_SYNCoptionsr$NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULTNTDSCONN_OPT_USE_NOTIFYDRSUAPI_DRS_NEVER_NOTIFY*NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSIONDRSUAPI_DRS_USE_COMPRESSIONNTDSCONN_OPT_TWOWAY_SYNCDRSUAPI_DRS_TWOWAY_SYNC is_enabledDRSUAPI_DRS_DISABLE_AUTO_SYNC!DRSUAPI_DRS_DISABLE_PERIODIC_SYNCr(rEforest_dns_nameDRSUAPI_DRS_MAIL_REPr rtransport_guidrversion dns_name2 is_modifiedr ) rKn_rep t_repsFroms_reps_dsarr same_sitetimesnastrs r+modify_repsFromzKCC.modify_repsFromas0/t|55 .g.>?? J' ' '"'J  %  ()-0 1 1  $ $(C C $ $  4 4 6 6 I)-.2566((G,HH((  J0099 J)./3677((G,II((_  67;> ? ?$">>3FF -56:=>>,,89,, M)1269::((G,LL(( P _  <=AD E E)459<==((G,OO(( Od; ; C C)015899((G,KK((!!## >)67;>??((9:(():;?BCC((=>((~#(...$*2L2L2N2N2NO  %  )*.1 2 2  $ $)E(E E $ $$(IKK !  5 ( (#(J   # # (<(E(E#(J  ! ! # # ; ,z9 : : : : : ; ;r-ch|r|rdS|}||}|dS||j}|>|r*|r|r|SdS)aIf a connection imply a replica, find the relevant DSA Given a NC replica and NTDS Connection, determine if the connection implies a repsFrom tuple should be present from the source DSA listed in the connection to the naming context. If it should be, return the DSA; otherwise return None. Based on part of MS-ADTS 6.2.2.5 :param n_rep: NC replica :param cn_conn: NTDS Connection :return: source DSA or None N) rrrr<get_current_replicanc_dnstr is_presentr is_partial)rKrrrr rs r+get_dsa_for_implied_replicazKCC.get_dsa_for_implied_replica0s*!!## w'?'?'A'A 4((** W%% =4))%.99         "'"2"2"4"4 Ltr-c  d}||j}|rd}|rtddStd|\}}t }|D]}|r||}||j|jD]T}tj tj ztj ztj ztjz} |j| kr| |_U||j|j||vr||tdt'|t'|t'|fz|rt)d|z|D]}||=|D]} | |j| |j| jD]}t/|j} || } | t5jd | zd|_M| j} || }|D]}|sn d|_| | j!}|<|"r(| s|#rd|_|$| ||| ||j%D]}|&| |} | | jD]1}t/|j} | || urd} n2| WtO| j!}| j(|_| | j!}|$| ||| ||)r| j*||js|rx| +}|rt5j,d |z| -}|rt5j,d |z| |jd| |j|rdS|D]7} | .|j| j/D]}t/|j} || } | t5jd | zd|_L| j} d | vrt5jd| zd|_v| |j0}t'|dkrd|_|jrF| j/D] }|jrt5j,d|z!| 1|jd| 1|j9dS)a[Adjust repsFrom to match NTDSConnections This function adjusts values of repsFrom abstract attributes of NC replicas on the local DC to match those implied by nTDSConnection objects. Based on [MS-ADTS] 6.2.2.5 :param current_dsa: optional DSA on whose behalf we are acting. :return: None FNTz;skipping translate_ntdsconn() because disabling flag is setztranslate_ntdsconn(): enterrzcurrent %d needed %d delete %dzdeleting these reps: %sz'repsFrom source DSA guid (%s) not foundrrz%repsTo source DSA guid (%s) not foundrz+repsTo source DSA guid (%s) appears deletedrzREMOVING REPS-TO: %s)2rBris_translate_ntdsconn_disabledr rr> load_repsFromrErr r r r%DRSUAPI_DRS_SPECIAL_SECRET_PROCESSINGDRSUAPI_DRS_NONGC_RO_REPrcommit_repsFromrHrrrryload_fsmo_rolesrZrr;r!r^rrget_connection_by_from_dnstrrr&r'r(r)r$rr*rr(rrdumpstr_to_be_deletedrdumpstr_to_be_modified load_repsTo rep_repsTorA commit_repsTo)rK current_dsarcurrent_rep_tableneeded_rep_table delete_repsrdc_reprrrguidstrr rrrrtextt_repsTorts r+translate_ntdsconnzKCC.translate_ntdsconnWs  +K      B  5 5 7 7  5 6 6 6 F.///.9.H.H.J.J++ee "' + +E +)%0##DJ///"'"4AAJ%,%B%,%A&B%,%@&A&-%R&S&-%E &FM "/=@@3@ 0%%djT]%CCCC 000OOE***1S9J5K5K%&&K(8(85:: ; ; ;  - +k9 : : :$ - -%e,,&,,..k 2k 2E    + + +  ! !$* - - - $0- O- O j<==//88=N#L#*$+,,,/3J,  /)FFwOO *G"335504J,11%.AA=(8(8(:(:= !*/*:*:*<*<!04J,$$UJugNNNN '4;;== : :88HH= #("4J!*"@AAG 7 7 @ @@@ $A=(77 16 .11%.AA$$UJugNNN))++:&--j999} 2 22244=K 4t ;<<<3355>K 5 <===%%djT%::::%%dj1111   F%,,..5 05 0E   dj ) ) ) ", 2 2h:;;//88=N#J#*$+,,,-1H*  /''N#P#*$+,,,-1H*#@@ARSS {##a''.2H**} 0*AAB'A $:R$?@@@##DJ4#8888##DJ////k5 05 0r-cT|tjddStddS)aMerge of kCCFailedLinks and kCCFailedLinks from bridgeheads. The KCC on a writable DC attempts to merge the link and connection failure information from bridgehead DCs in its own site to help it identify failed bridgehead DCs. Based on MS-ADTS 6.2.2.3.2 "Merge of kCCFailedLinks and kCCFailedLinks from Bridgeheads" :param ping: An oracle of current bridgehead availability :return: None Nz'merge_failed_links() is NOT IMPLEMENTEDz}skipping merge_failed_links() because it requires real network connections and we weren't asked to --attempt-live-connections)r" DEBUG_REDr )rKrs r+merge_failed_linkszKCC.merge_failed_linksVsH$   OE F F F F F J K K K K Kr-c |jjdzdk}t|jj}t ||j||j|}|js|j g}|j D]M}tj |j dD]0\}}||jj|jjf1Nd} d|jz} t%| |d|j| t(|j|j |S) aSet up an intersite graph An intersite graph has a Vertex for each site object, a MultiEdge for each SiteLink object, and a MutliEdgeSet for each siteLinkBridge object (or implied siteLinkBridge). It reflects the intersite topology in a slightly more abstract graph form. Roughly corresponds to MS-ADTS 6.2.2.3.4.3 :param part: a Partition object :returns: an InterSiteGraph object irNrr/z site_edges_%sFdirectedlabel propertiesr"rIrJ)rD site_optionsrZr6r|rr5r7rIrJedgesr combinationsverticesrr{ site_dnstrrrrAr) rKrbridges_requiredrg dot_edgesedgerrverify_propertiesr]s r+rzKCC.setup_graphos& <4zAQFT.344 do~+-= ? ? ; ;$+7I M M%24=!DDMMDAq$$af&79J%KLLLLM " "T\1D 4U!%!2&7u"&+(,(9  ; ; ; ; r-c||||||}|stjd|jzdStjd|jd|dj|dS)aGet a bridghead DC for a site. Part of MS-ADTS 6.2.2.3.4.4 :param site: site object representing for which a bridgehead DC is desired. :param part: crossRef for NC to replicate. :param transport: interSiteTransport object for replication traffic. :param partial_ok: True if a DC containing a partial replica or a full replica will suffice, False if only a full replica will suffice. :param detect_failed: True to detect failed DCs and route replication traffic around them, False to assume no DC has failed. :return: dsa object for the bridgehead DC or None z"get_bridgehead FAILED: sitedn = %sNzget_bridgehead: sitedn = z bhdn = r)get_all_bridgeheadsr" DEBUG_MAGENTArN DEBUG_GREENr)rKr{rre partial_ok detect_failedbhss r+get_bridgeheadzKCC.get_bridgeheads&&&tT9'1=BB    E $!0 1 1 14 ???CF,<,<> ? ? ?1v r-c>g}|jdkrtd|jt|j|jD]d}|}t |jdkr ||jvr9|j |r;| |\} } } | r| r|ss| |j } n3| |j } | | r|s|jr7| 5| r!|t$js|||rt+d8td|jz||f|r)|t5t6nt9j|t=j||S)aGet all bridghead DCs on a site satisfying the given criteria Part of MS-ADTS 6.2.2.3.4.4 :param site: site object representing the site for which bridgehead DCs are desired. :param part: partition for NC to replicate. :param transport: interSiteTransport object for replication traffic. :param partial_ok: True if a DC containing a partial replica or a full replica will suffice, False if only a full replica will suffice. :param detect_failed: True to detect failed DCs and route replication traffic around them, FALSE to assume no DC has failed. :return: list of dsa object for available bridgehead DCs rRz5get_all_bridgeheads has run into a non-IP transport! rNzbridgehead is failedzfound a bridgehead: %skey) r]rr rryget_parent_dnstrrbridgehead_listrDr!should_be_presentr&r'r)rBr is_defaultis_minimum_behaviorrDS_DOMAIN_FUNCTION_2008rrrris_random_bridgehead_disabledsortrr,randomshuffler" DEBUG_YELLOW) rKr{rrerXrYrZrpdnstrrrpartialreps r+rUzKCC.get_all_bridgeheadss+& >T ! !('nn/00 0 "###$++--/ / C))++F Y.//144y888|%%c** &*&<&>#3#3;J; {  "" s3>>;K;K..t/KLL((m<< ,--- - = > > > JJsOOOO  - - / / HH$;< 1, and the current time - z.TimeFirstFailure > 2 hours RETURN TRUE ELSE RETURN detectFailedDCs ENDIF } where you will see detectFailedDCs is not behaving as advertised -- it is acting as a default return code in the event that a failure is not detected, not a switch turning detection on or off. Elsewhere the documentation seems to concur with the comment rather than the code. F)rDrJr)rKrrYs r+rzKCC.is_bridgehead_faileds?P 5 < $z 1 5,,S111r-c , ||||| d} td| D} tjdt | dd| D||||| d} |r| |tjdt | dd| D| D]G}|jD])}| |j }| tj d |j z| r|s|j|jkr|s1||s||_|d |re|rQ|t.jzd kr=|xjt.jt.jzzc_|d nO|t.jzd kr<|xjt.jt.jzzc_|d |rD|t.jzd kr0|xjt.jzc_|d nB|t.jzd kr/|xjt.jzc_|d |rD|t.j zd kr0|xjt.j!zc_|d nB|t.j zd kr/|xjt.j!zc_|d |j"s|r<|j#rtIj%d |z|&|j'd |&|j'+Id }| D]}|jD]}| |j }|tj d|j z| r|j|jkr_|sK|(|| s|(|| s|dz }|j)*|tj+d|ztYd|j)|d kr^t.j-}|t.jzd kr|t.jt.jzz}|t.jzd kr|t.jz}|t.j zd kr|t.j!z}t]d|j/j zt.j0t.j1z}|2||||j |}|j"s|r;|j3rtIj%d|z|&|j'd n|&|j'|j)*|dSdS)aCreate an nTDSConnection object as specified if it doesn't exist. Part of MS-ADTS 6.2.2.3.4.5 :param part: crossRef object for the NC to replicate. :param rbh: nTDSDSA object for DC to act as the IDL_DRSGetNCChanges server (which is in a site other than the local DC's site). :param rsite: site of the rbh :param transport: interSiteTransport object for the transport to use for replication traffic. :param lbh: nTDSDSA object for DC to act as the IDL_DRSGetNCChanges client (which is in the local DC's site). :param lsite: site of the lbh :param link_opt: Replication parameters (aggregated siteLink options, etc.) :param link_sched: Schedule specifying the times at which to begin replicating. :partial_ok: True if bridgehead DCs containing partial replicas of the NC are acceptable. :param detect_failed: True to detect failed DCs and route replication traffic around them, FALSE to assume no DC has failed. Fc3(K|] }|j|fVdSrorrqs r+rtz(KCC.create_connection..^s)<z)KCC.create_connection..a.M.M.Mqq{.M.M.Mr-z lbhs_all: cg|] }|j Sr/rqrqs r+rtz)KCC.create_connection..mrur-Nz rdsa is %sTrrrzround 2: rdsa is %sr&zvalid connections %dzkept_connections: znew connection, KCC dsa: %sr)4rUdictr" DEBUG_GREYrrrrryr:rrrrrrr|is_user_owned_scheduleis_equivalent_scheduler set_modifiedis_override_notify_default is_use_notifyrNTDSSITELINK_OPT_USE_NOTIFYr r ris_twoway_syncNTDSSITELINK_OPT_TWOWAY_SYNCr!is_intersite_compression_disabled$NTDSSITELINK_OPT_DISABLE_COMPRESSIONrrHrr!rrrErr@rrCrNTDSCONN_OPT_IS_GENERATEDr rBSYSTEM_FLAG_CONFIG_ALLOW_RENAMESYSTEM_FLAG_CONFIG_ALLOW_MOVEnew_connectionr)rKrrbhrsiterelbhlsitelink_opt link_schedrXrYrbhs_all rbh_tablelbhs_allldsarrdsavalid_connectionsopt system_flagss r+create_connectionzKCC.create_connectionAs6++E4,6??<<8<<<<<  c(mmmm.M.MH.M.M.M.MO P P P++E4,6?? 99;; ! OOC  c(mmmm.M.MH.M.M.M.MO P P Po <o #?!@@JJOOD111%t'GGAMMJJ!%!J!%!=">?JJOOD111((**2 %t'HHQNNJJ4+H*HHJJOOD111%t'HHQNNJJ$*GGJJOOD111;;==2&!FGKLMMJJ!%!P PQJJOOD111&!FGKLMMJJ $ OPJJOOD111}< <,D"K(=(BCCC// t/DDDD// ;;;]n 99,,..:"66t]KK/!66t]KK/)Q.))--b1119 2> .1BBCCC )>)>@AAA  ! !0C 4;;AAA456 4<<BBt44 :;?@AAtFF 2T[5JJ K K K @ >?L##Cy$'M:??B} 3  3>9K 2R 7888&&tzd&;;;;&&tz222  ! % %b ) ) ) ) )[ " !r-c g|_g|_d}||jvrt|jj}||j|j|j| |}|7|j r|j |n7d}n4|j ||j ||j d|j d|S)a~Build a Vertex's transport lists Each vertex has accept_red_red and accept_black lists that list what transports they accept under various conditions. The only transport that is ever accepted is IP, and a dummy extra transport called "EDGE_TYPE_ALL". Part of MS-ADTS 6.2.2.3.4.3 -- ColorVertices :param vertex: the remote vertex we are thinking about :param local_vertex: the vertex relating to the local site. :param graph: the intersite graph :param detect_failed: whether to detect failed links :return: True if some bridgeheads were not found FNT EDGE_TYPE_ALL) accept_red_red accept_blackconnected_verticesrZr6r|r[r{ris_black is_rodc_siter)rKvertex local_vertexgraphrY found_failedt_guidbhs r+add_transportszKCC.add_transports=s2!#  U- - -*/00F$$V[&+%)%6%+__%6%6 GGBz;++--()008888#'LL%,,V444#**6222 $$_555""?333r-c d}d}td|jd|t|j|}||jD]0}||||||rd}1|r||fSt||j|j \}} td|j| fz| dkrd}| } |j } td|z|D]{} | j r| jd j|jur$| jd j|jur| jdj} n| jd j} | |jurtd {|| || | |}||jr|j}|j}n |j}|||| | |}|t%jd d Std|d| td| jt%jd|d|dd| j}|d }d }n|j}|j}|||| | ||||| | }||fS)a1Create intersite NTDSConnections as needed by a partition Construct an NC replica graph for the NC identified by the given crossRef, then create any additional nTDSConnection objects required. :param graph: site graph. :param part: crossRef object for NC. :param detect_failed: True to detect failed DCs and route replication traffic around them, False to assume no DC has failed. Modifies self.kept_connections by adding any connections deemed to be "in use". :return: (all_connected, found_failed_dc) (all_connected) True if the resulting NC replica graph connects all sites that need to be connected. (found_failed_dc) True if one or more failed DCs were detected. TFz$create_connections(): enter partdn=z detect_failed=)rHz%s Number of components: %dr&z edge_list %srzrsite is my_siteNzDISASTER! lbh is None)FTzlsite: z rsite: z vertices z bridgeheads  zF----------------------------------------------------------------------)r r'rrD color_vertexrMris_whiterrrr6rrGr{r[rBrr"rC DEBUG_BLUE site_linkr rr)rKrrrYrr my_vertexv edge_list n_componentsrXrerrrrrrkrrs r+create_connectionszKCC.create_connectionsos.,  ---0 1 1 14<..     $ $A NN   ""1i FF $#       / ,. ."9%:>,@D #N#N#N < .-./ 0 0 0 !  !M'')) %  ny()))6 >6 >Az ajm0DL@@z!}!T\11 1 * 1 * $$()))%%eT9&0-AAC{{  "" E k ))%y*4mEE{ 7888"{{ Huuuee< = = = Hajj2 3 3 3   ###sssHHM N N N{H! #+%.  " "4eY#&x#-} > > > >l**r-cd}t|_|jD]}|s|r,||}d}|||d\}}td|d||sd}|r|||d|S)aCreate NTDSConnections as necessary for all partitions. Computes an NC replica graph for each NC replica that "should be present" on the local DC or "is present" on any DC in the same site as the local DC. For each edge directed to an NC replica on such a DC from an NC replica on a DC in another site, the KCC creates an nTDSConnection object to imply that edge if one does not already exist. Modifies self.kept_connections - A set of nTDSConnection objects for edges that are directed to the local DC's site in one or more NC replica graphs. :return: True if spanning trees were created for all NC replica graphs, otherwise False. TFzwith detect_failed: connected z Found failed ) r>r@r4ryr is_foreignrrr)rKrrrr connecteds r+create_intersite_connectionsz KCC.create_intersite_connectionss" #O**,, @ @D??$$    $$T**E!L&*&=&=e>BD'J'J #I| E99ll, - - - @ % @++E4???r-c|j}|j}d}td|jr||j|dn||j|d|rtd|z|S|std|z|S||| }td|z|S)amGenerate the inter-site KCC replica graph and nTDSConnections As per MS-ADTS 6.2.2.3. If self.readonly is False, the connections are added to self.samdb. Produces self.kept_connections which is a set of NTDS Connections that should be kept during subsequent pruning process. After this has run, all sites should be connected in a minimum spanning tree. :param ping: An oracle function of remote site availability :return (True or False): (True) if the produced NC replica graph connects all sites that need to be connected Tzintersite(): enterrFz+intersite(): exit disabled all_connected=%dz+intersite(): exit not istg all_connected=%dz"intersite(): exit all_connected=%d) rBrDr rH select_istgrEis_intersite_topology_disabledrrDr)rKrrmysiters r+ intersitez KCC.intersite%s(  %&&& = <   tz5T  : : : :   tz5U  ; ; ;  0 0 2 2 ! B"# $ $ $ }} ! B"# $ $ $  %%%99;; 5 EFFFr-TcX|jsdS|jj}d|Dfd|D}|rQrQD])}|d}|j|_|j|_d|_*|j|j|dSdSdS)zoUpdates the RODC NTFRS connection object. If the local DSA is not an RODC, this does nothing. Nc:g|]}||Sr/)rrqs r+rtz.KCC.update_rodc_connection..ts)MMM8J8J8L8LM!MMMr-cg|]}|v| Sr/r/)rrrsro_connectionss r+rtz.KCC.update_rodc_connection..us-666n44444r-rTr) rBrrryrrrrrE)rKrall_connectionsrw_connectionsconrrs @r+update_rodc_connectionzKCC.update_rodc_connection`s {  ""  F+3::<<MM_MMM6666_666  >n >% * *$Q'!$"| %)"" K * *4:" * = = = = = > > > >r-c^d} |d||zzd|zzdzkrn|dz}|dz}|dkr|SdS)amFind the maximum number of edges directed to an intrasite node The KCC does not create more than 50 edges directed to a single DC. To optimize replication, we compute that each node should have n+2 total edges directed to it such that (n) is the smallest non-negative integer satisfying (node_count <= 2*(n*n) + 6*n + 7) (If the number of edges is m (i.e. n + 2), that is the same as 2 * m*m - 2 * m + 3). We think in terms of n because that is the number of extra connections over the double directed ring that exists by default. edges n nodecount 2 0 7 3 1 15 4 2 27 5 3 43 ... 50 48 4903 :param node_count: total number of nodes in the replica graph The intention is that there should be no more than 3 hops between any two DSAs at a site. With up to 7 nodes the 2 edges of the ring are enough; any configuration of extra edges with 8 nodes will be enough. It is less clear that the 3 hop guarantee holds at e.g. 15 nodes in degenerate cases, but those are quite unlikely given the extra edges are randomly arranged. :param node_count: the number of nodes in the site "return: The desired maximum number of connections rTrr&2r/)rK node_countns r+intrasite_max_node_edgeszKCC.intrasite_max_node_edgess_F  a1q5kQU3a788AA  E r66Hrr-c "#||\}}}tjdd|zzd|zzd|zzd|zzd|zzd|zz|stjd|jzd St ||j} | j|| _|| _ | | g} j j D]} |j| jvr| j|j} | r8| sM| s| |urf|r| s}|r7|s5|jt&jkr | t,js|r| r| | |rɉj j D]} |j| jvr| j|j} | s8| sM| s| |urf|r| s}|r| r| | | | | d t9| }|}g}| D],}t=|j|}||-d }||d z kr| |r| |d zr)||d z | |j| |d zr| |r)|| | |d zj|d z}||d z k| |d z r| d r)|d  | |d z j| d r| |d z r)||d z  | d jtCdt9| ztCd"d| Dj#d uoj}j$s|r)g}tK}|D]W}|&|j'|j(D]3}|||j'f|&|4Xd}tSd|||j*dtV|jd|j|tBj$j#d tKfd|D""fd|D}d}tSd|"|j*dtV|jd|j|tBj$j#d |D]_}j j |j'}|j, D],}|j-}|j j vr| |-`tCdd"d| DztCdd"d|Dz|D]#|dkr#.s#fd |D} tj/d!#j'|t9|t9| fztCd"d#| Dz| r#.staj1| }!tCd$|!j'z# |!j'stjd%|!j'z| 2|!| r#.n7tgd&#j'd'|d(t9#j(d)#j4tgd*#z#j'|j'kr#5|j6j$s|r+g}tK}|D]W}|&|j'|j(D]3}|||j'f|&|4Xd}tSd+|||j*dtV|jd|j|tBj$j#d tKfd,|D""fd-|D}d}tSd.|"|j*dtV|jd|j|tBj$j#d d Sd S)/aTCreate an intrasite graph using given parameters This might be called a number of times per site with different parameters. Based on [MS-ADTS] 6.2.2.2 :param site_local: site for which we are working :param dc_local: local DC that potentially needs a replica :param nc_x: naming context (x) that we are testing if it "should be present" on the local DC :param gc_only: Boolean - only consider global catalog servers :param detect_stale: Boolean - check whether links seems down :return: None z"construct_intrasite_graph(): enterz gc_only=%dz detect_stale=%dz needed=%sz ro=%sz partial=%sz %szH%s lacks 'should be present' status, aborting construct_intrasite_graph!Nc*t|jSro)r rep_dsa_guid)rls r+z/KCC.construct_intrasite_graph..sHS-=$>$>r-r]rr&zr_list is length %src3LK|]}t|j|jfV dSro)rZr rep_dsa_dnstrrqs r+rtz0KCC.construct_intrasite_graph..sG))Q^Q_=>>))))))r-rintrasite_pre_ntdscon__T)rHrIr"rIrJrGc3jK|]-}|)|V.dSror<rrrrsrKs r+rtz0KCC.construct_intrasite_graph..Z"B"B)-a)>)>)@)@"B!"B"B"B"B"B"Br-c.g|]\}}|v |v ||fSr/r/rrrrrw_dot_verticess r+rtz1KCC.construct_intrasite_graph..BKKKtq!00Q/5I5IF5I5I5Ir-)rdirected_double_ring_or_smallintrasite_rw_pre_ntdsconz reps are: %sz c3$K|] }|jV dSro)rrqs r+rtz0KCC.construct_intrasite_graph..s$*K*Kq1?*K*K*K*K*K*Kr-z dsas are: %sc3$K|] }|jV dSrorqrqs r+rtz0KCC.construct_intrasite_graph..s$*K*K11;*K*K*K*K*K*Kr-c8g|]}|ur|jjv|Sr/)r edge_from)rrrstnodes r+rtz1KCC.construct_intrasite_graph..s=DDDA ~~ {%/AA AAAr-zDlooking for random link for %s. r_len %d, graph len %d candidates %dz candidates %scg|] }|j Sr/rqrqs r+rtz1KCC.construct_intrasite_graph..s(I(I(I(I(I(Ir-ztrying to add candidate %szcould not add %sznot adding links to z: nodes z , links is /z%sintrasite_post_ntdsconc3jK|]-}|)|V.dSrorrs r+rtz0KCC.construct_intrasite_graph..' rr-c.g|]\}}|v |v ||fSr/r/rs r+rtz1KCC.construct_intrasite_graph..) rr-intrasite_rw_post_ntdscon)7rar"rirCr'ridentify_by_basednrE rep_partialrep_roadd_needed_replicarDrxryr9rr(r'nc_typerdomainrcrrdrrr)rfrrrr add_edge_fromrjoinrJrIr>rrrrrNrrrhas_sufficient_edgesrrgchoiceremover max_edgesadd_connections_from_edgesr6)$rK site_localdc_localnc_xgc_only detect_stalerrrkl_of_xr_listdc_sf_of_xp_of_xr_lenmax_node_edges graph_listrlnodei do_dot_filesrQ dot_verticesv1v2rS rw_dot_edgesrw_verify_propertiesrrrremote candidatesotherrrs$` @@r+construct_intrasite_graphzKCC.construct_intrasite_graphs F#44X>>G ?+g560<?@+V34'+ , ,g5 6 "D= ) * * *  OB M* + + + F8T]33!!$*---$  ##F+++0 L*1133> "> "D}D$:::+DM:F||~~  $$&&  zz|| tx//  tzz|| ( ' dlfm&C&C//0LMM   = =d C C  MM& ! ! ! ! . & .5577* &* & =(>>>/ >((** ((** ::<<48#3#3 4::<<  D$A$A$$G$G f%%%%  f >> ???F 66u==  $ $CS.??D   d # # # # 519oo!9'')) IVAqD\-D-D-F-F I1q5!//q 0GHHH!a%=++-- I1E1E1G1G I1 ++F1q5M,GHHHAA519ooeai ++-- I1E1E1G1G I qM ' 'uqy(9(G H H Hay##%% Iq)9)D)D)F)F I uqy ! / /q 0G H H H #c&kk1222 dii))!'))))) * * *(4C ;! *,! *I55L  ) )  ...,))B$$b",%7888 $$R(((()!/  2I|1;1F1F1F1;DL1I1I1I15"@'8u"&+(,(9$( * * * *""B"B"B"B\"B"B"BBBOKKKKyKKKL$E 5|*1;1F1F1F1;DL1I1I1I15"@';%"&+(,(9$( * * * *! 1 1F,()9:C,3355 1 1 +T\333((000 1 o *K*KF*K*K*K K KKLLL o *K*K *K*K*K K KKLLL, N, NEzz%"<"<">">zDDDDDDD  ">$)OUC OO$' OO$5"5666 o(I(Ij(I(I(IIJJJ -)C)C)E)E-"M*55E6HIII ..u??N(:U_(LMMM%%e,,, !-)C)C)E)E-///555#eo2F2F2F2F//+,,, TE\ " " " ("444004;LMMM ;! *,! *I55L  ) )  ...,))B$$b",%7888 $$R(((()!/  3Y 1;1F1F1F1;DL1I1I1I15"@'8u"&+(,(9$( * * * *""B"B"B"B\"B"B"BBBOKKKKyKKKL$E 6 *1;1F1F1F1;DL1I1I1I15"@';%"&+(,(9$( * * * * * *3! *! *r-c|j}td|j}|rdS| }|jD] }|jrtj d|z!|j D]X\}}| |||d||jD] }|jrtj d|z!Y|jD] }|jrtjd|z!|j D]2\}}|r| |||d|3|jD] }|jrtj d|z!|j D]\}}| |||dd|jD] }|jrtjd|z!|j D]2\}}|r| |||dd3||dS)aGenerate the intrasite KCC connections As per MS-ADTS 6.2.2.2. If self.readonly is False, the connections are added to self.samdb. After this call, all DCs in each site with more than 3 DCs should be connected in a bidirectional ring. If a site has 2 DCs, they will bidirectionally connected. Sites with many DCs may have arbitrary extra connections. :return: None zintrasite(): enterNrFT)rBr rDis_intrasite_topology_disabledis_detect_stale_disabledrryrr" DEBUG_CYANr4itemsr rri is_configrCr)rKrrrrpartdnrs r+ intrasitez KCC.intrasite7 s %&&&  0 0 2 2  F";;=== *1133 ? ?G" ? !3g!=>>>!O1133 C CLFD  * *65$+7 9 9 9 .5577 C C&C$%7'%ABBB C*1133 A AG" A"#5#?@@@!O1133 = =LFD~~ =..vudD/;===*1133 ? ?G" ? !3g!=>>>!O1133 2 2LFD  * *65$+0 2 2 2 2*1133 > >G" > 2W <=== O1133 6 6LFD~~ 6..vudD/4666 U#####r-c||||||g}|jD]8}|d|j D9|S)aCompile a comprehensive list of DSA DNs These are all the DSAs on all the sites that KCC would be dealing with. This method is not idempotent and may not work correctly in sequence with KCC.run(). :return: a list of DSA DN strings. cFg|]}|jdddS)zCN=NTDS Settings,rr&)rreplace)rrrs r+rtz!KCC.list_dsas.. s==== ../BBJJ===r-) rrrrrfrlr5ryextendrx)rKdsasr{s r+ list_dsasz KCC.list_dsas s      """     !!!O**,, > >D KK==$(N$9$9$;$;=== > > > > r-c|s|j] t|t|||_dS#tj$r$}|j\}}t d|d|d}~wwxYwdS)aSLoad the database using an url, loadparm, and credentials If force is False, the samdb won't be reloaded if it already exists. :param dburl: a database url. :param lp: a loadparm object. :param creds: a Credentials object. :param force: a boolean indicating whether to overwrite. N)url session_info credentialslpzUnable to open sam database z : )rEr r rrXrYr)rKdburlrcredsforcee1numrcs r+ load_samdbzKCC.load_samdb s  -DJ& -"u0>0@0@/4=== < - - -W ch %ss ,--- - '&s$1A$AA$r/c r|o|j}|s |jdSg}g}g}g}|jD]}||j|r|dn|d|jD]b} | r|dn|d|| j |jfct||||j |t||jd|| dS)zHelper function to plot and verify NTDSConnections :param basename: an identifying string to use in filenames and logs. :param verify_properties: properties to verify (default empty) Nz#cc0000z#0000ccredblueT) rMrHrIr"rIrJrG edge_colors vertex_colors) rIrJr8ryrrrrrrrrAr) rKbasenamerSrIrQr edge_coloursvertex_coloursrrs r+plot_all_connectionszKCC.plot_all_connections ss #2t{ $+3 F   $++-- B BC    . . .yy{{ 1%%i0000%%i000(//11 B B''))0 ''.... ''///  #.#-!@AAAA  B x\!."35$43D $,%3  5 5 5 5 5 5r-c "j+td||||d|rjd|z  j sj i}j D]8"|d"jD9dg} j\} } | D]8\} } t)d| z| jj| f9t/d | d jd t(j j g} j D]""j D]}|\} } | D]Y\}}|jD]L}t)d |zt5|j}||}| |j|fMZt/d| d jd t(j j g} g}j D]}ddlm}|j d}d||!ddz}tEj#|j$dD]=\}}| |d|df||>d}t/d| dj|t(j j | |rmj%j D]9}tMfd|j'D|_':d|rj D]V""j D]:}tM"fd|j'D|_';Wd|rd}nd}(|)*|}+|,-.j sj ddt_j0dtc|zg} g}jj}j\} } | D]r\} } | jD]e}t5|j}!| |||!f|dt5| j2ddzfst/d | d jd t(j j | g} j D]""j D]r}|\} } | D]D} | jD]:}t5|j}||}| |j|f;Est/d!| d jd t(j j n#xYwdS)"aPerform a KCC run, possibly updating repsFrom topology :param dburl: url of the database to work with. :param lp: a loadparm object. :param creds: a Credentials object. :param forced_local_dsa: pretend to be on the DSA with this dn_str :param forget_local_links: calculate as if no connections existed (boolean, default False) :param forget_intersite_links: calculate with only intrasite connection (boolean, default False) :param attempt_live_connections: attempt to connect to remote DSAs to determine link availability (boolean, default False) :return: 1 on error, 0 otherwise Nz"samdb is None; let's load it from F)r!zCN=NTDS Settings,%sc3HK|]\}}t|j|fVdSrorp)rrrdrs r+rtzKCC.run.. sQ)D)D-7UC+.cl*;*;U)C)D)D)D)D)D)Dr- dsa_initialzc_rep %sdsa_repsFrom_initialTr/rFzrep %sdsa_repsFrom_initial_allr)md5r#rrr&rdsa_sitelink_initial)rGrHrIr"rIrJr(c3tK|]2\}}|s|jjjv,||fV3dSro)rrrDrx)rrkrrKs r+rtzKCC.run..2 sv-G-G1010B0B0D0D-G/0l.2l.D/E/E/0V/E/E/E/E-G-Gr-dsa_forgotten_localc3`K|](\}}ju|"||fV)dSro)rDr)rrr7rrKr{s r+rtzKCC.run..< s\1G1GDAq48DL4H4H121C1C1E1E5I34Q4H4H4H4H1G1Gr-dsa_forgotten_allcv tj||j|jn#tj$rYdSwxYwdS)NFT)rdrsuapi_connectrr  drsException)rKdnsnames r+rzKCC.run..pingF sM%!1'47DJOOOO$1%%%$uu%4s #66 dsa_finalzthere are %d dsa guidsdsa_repsFrom_finaldsa_repsFrom_final_all)3rEr r$set_ntds_settings_dnrrrrrfrlrIrJr5ryrwrxrr-rBrrrrrrArrZrr7hashlibr3rdencode hexdigestrrL site_listrDrwrrrrrrArrr"rVrnc_guid)#rKrrr forced_local_dsaforget_local_linksforget_intersite_linksattempt_live_connections guid_to_dnstrrQ current_reps needed_repsrdr<rrzrlrr(dsa_dn dot_colourslinkr3tmp_strcolourrrrIrrr(my_dnstrrguid_strr{s#` @r+runzKCC.run s" :  HuuF G G G OOE2uEO : : :  > J + +,A,<-= > > >]                 ! ! !  $ $ & & &  " " $ $ $  # # % % %{3 8d/; "  O2244DDD!(()D)D,0N,@,@,B,B)D)D)DDDDD))-888 ,0K,F,F,H,H) k$0$6$6$8$8EELE5*u,---$$dk&;U%CDDDD5y(,D4E*,E$+,0,=????   O2244JJD#~4466JJ474F4F4H4H1 k+7+=+=+?+?JJKFC-0-=JJ %hn 5 5 5+.y/L+M+M)6x)@ ) 0 0#-1H I I I I JJJ99(,D4E*,E$+,0,=????    /668833D++++++"j//77G 33w<<#9#9#;#;BQB#??F ) 6t~q I I331!((!A$!666#**622223, 5y(-%)%6:%*4;,0,=+6 8888" A<188::GGC(,-G-G-G-G-0->-D-D-F-F-G-G-G)G)GC%% ))*?@@@% ? O2244GGD#~4466GG,01G1G1G1G1G141B1H1H1J1J1G1G1G-G-G))G ))*=>>>'       1 1$ 7 7 7 NN   !NN400M  ) )- 8 8 8  # # % % %  9 9 ; ; ;  ' ' ) ) ){% ?d/;))+*8:::#$<$' $6$6%7888  ;0,0K,F,F,H,H) k$/$5$5$7$7IILE5%*%7II #&y'D#E#E!(((M(4K)LMMM#**3U]1C1CBQB1G+GHHHHI 3Y%)%6*,E$+,0,=+6 8888   O2244JJD#~4466JJ474F4F4H4H1 k%0%7%7%9%9JJE-2-?JJ +.y/L+M+M)6x)@ ) 0 0#-1H I I I IJJJ7(,D4E*,E$+,0,=????   qs [(\>>]c tj|||||_n1#tj$r}t j|Yd}~dSd}~wwxYwdS)aIImport relevant objects and attributes from an LDIF file. The point of this function is to allow a programmer/debugger to import an LDIF file with non-security relevent information that was previously extracted from a DC database. The LDIF file is used to create a temporary abbreviated database. The KCC algorithm can then run against this abbreviated database for debug or test verification that the topology generated is computationally the same between different OSes and algorithms. :param dburl: path to the temporary abbreviated db to create :param lp: a loadparm object. :param ldif_file: path to the ldif file to import :param forced_local_dsa: perform KCC from this DSA's point of view :return: zero on success, 1 on error Nr&r)r ldif_to_samdbrE LdifErrorr!critical)rKrr ldif_filerHrs r+ import_ldifzKCC.import_ldif sn" +9%Y:JLLDJJ!+    OA   11111 qsA AA c tj|j||||n1#tj$r}t j|Yd}~dSd}~wwxYwdS)a-Save KCC relevant details to an ldif file The point of this function is to allow a programmer/debugger to extract an LDIF file with non-security relevent information from a DC database. The LDIF file can then be used to "import" via the import_ldif() function this file into a temporary abbreviated database. The KCC algorithm can then run against this abbreviated database for debug or test verification that the topology generated is computationally the same between different OSes and algorithms. :param dburl: LDAP database URL to extract info from :param lp: a loadparm object. :param cred: a Credentials object. :param ldif_file: output LDIF file name to create :return: zero on success, 1 on error Nr&r)rsamdb_to_ldif_filerErYr!rZ)rKrrr r[rs r+ export_ldifzKCC.export_ldif st"   1$*eR2; = = = =!+    OA   11111 qs AA  A)FFFNro)T)F)r/)NFFF),__name__ __module__ __qualname____doc__rLrfrlrurrrrrrrrrrrrrr$r*rArDrr[rUrrrrrrrrr rrr$r-rVr\r_r/r-r+r2r2Ns  FK"()()()()T!G!G!GF222<%%%. : : :$$$&8F8F8Ft,,,<2K2K2K2KhB   888$ - - -2-2-2-h747474r///"&&&$M;M;M;^%%%Nz0z0z0z0~KKKK2&&&P">">">H+++ZD*D*D*L N$N$N$`0----,!5!5!5!5F6:=B%*xxxxt2r-r2)4rgr functoolsrrsambarrrrr samba.authr samba.samdbr samba.dcerpcr r samba.kcc.kcc_utilsr rrrrrrrrrrsamba.kcc.graphr samba.ndrrsamba.kcc.graph_utilsr samba.kccrrrrsamba.kcc.debugrr r!r" samba.commonr#r,r0objectr2r/r-r+rqs", ********&&&&&&&&&&%%%%%%&&&&&&&&DDDDDDDDDDDDHHHHHHHHHHHHEEEEEEEEEE999999000000((((((@@@@@@@@""""""3333333333AAA"t)t)t)t)t)&t)t)t)t)t)r-