ph ddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl mZddl mZddl mZddlmZddlmZmZddl mZddlZ ddlmZmZdd lmZdd lmZmZdd lm Z m!Z!dd l"m#Z#dd l"m$Z$ddl"m%Z%ddl"m&Z&ddl"m'Z'ddl"m(Z(ddl"m)Z)ddl*m+Z+m,Z,ddl-m.Z.m/Z/m0Z0m1Z1ddl2m3Z3ddl4m5Z5ddl4m6Z6m7Z7m8Z8ddl9m:Z:ddl9m;Z<ddl=m>Z>ddl?m@Z@ddl mAZAmBZBmCZCddlDmEZEddlFmZGddlHmIZIdd l mJZJdd!lKmLZLmMZMmNZNmOZOmPZPmQZQmRZRmSZSmTZTmUZUmVZVmWZWmXZXdd"lYmZZZm[Z[m\Z\m]Z]dd#l^m_Z_m`Z`maZadd$lbmcZcdd%ldmeZedd&lfmgZgdd'lhmiZidd(l mjZjePeQeRd)Zke1d*d+d,d-.e1d/d0d12e1d3d4d5d6d7gd8ez9e1d:d;dd?d@elAe1dBdCdDd0EgZme1dFdGelHe1dIdJelHe1dKdLd0Ee1dMd4dNgdOdPdQRe1dSdTdUd0EgZne1dVdWd0EgZodXZp eGdYdZe.Zqn #er$rdZqYnwxYwGd[d\e.ZsGd]d^e.ZtGd_d`e.ZuGdadbe.ZvGdcdde.ZwGdedfe.ZxGdgdhe.ZyGdidje.ZzGdkdle.Z{Gdmdne0Z|Gdodpe.Z}Gdqdre}Z~GdsdtejZGdudve.ZGdwdxeZGdydzeZGd{d|eZGd}d~eZGddeZGddeZGddeZGdde.ZGdde0ZGdde0ZGddZGdde.ZGdde.ZGdde0ZdS)N)ntstatus) NTSTATUSError)werrorgetpass)NetLIBNET_JOIN_AUTOMATIC)enable_net_export_keytab) join_RODCjoin_DC)system_session)SamDBget_default_backend_store)ndr_pack ndr_print)drsuapi)drsblobs)lsa)netlogon)security)nbt)misc)DOMAIN_PASSWORD_COMPLEXDOMAIN_PASSWORD_STORE_CLEARTEXT)Command CommandError SuperCommandOption)get_fsmo_roleowner)!netcmd_get_domain_infos_via_cldap)NEVER_TIMESTAMPtimestamp_to_minstimestamp_to_days)Samba3)param)upgrade_from_samba3)drsuapi_connect) remove_dcarcfour_encryptstring_to_byte_array)system_session_unix)r) default_path)is_ad_dc_built) DS_DOMAIN_FUNCTION_2000DS_DOMAIN_FUNCTION_2003DS_DOMAIN_FUNCTION_2003_MIXEDDS_DOMAIN_FUNCTION_2008DS_DOMAIN_FUNCTION_2008_R2DS_DOMAIN_FUNCTION_2012DS_DOMAIN_FUNCTION_2012_R2$DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL#DS_NTDSDSA_OPT_DISABLE_INBOUND_REPLUF_WORKSTATION_TRUST_ACCOUNTUF_SERVER_TRUST_ACCOUNTUF_TRUSTED_FOR_DELEGATIONUF_PARTIAL_SECRETS_ACCOUNT) provisionProvisioningErrorDEFAULT_MIN_PWD_LENGTH setup_path) FILL_FULL FILL_NT4SYNCFILL_DRS)cmd_domain_passwordsettings_pso)cmd_domain_backup) get_string)CreateTrustedDomainRelax)dsdb2008_R220122012_R2z --machinepassstringPASSWORDz*choose machine password (otherwise random)typemetavarhelpz--plaintext-secrets store_truezbStore secret/sensitive values as plain text on disk(default is to encrypt secret/sensitive values)actionrPz--backend-storechoice BACKENDSTOREtdbmdbz7Specify the database backend to be used (default is %s))rNrOchoicesrPz--backend-store-sizebytesSIZEzfSpecify the size of the backend database, currently only supported by lmdb backends (default is 8 Gb). --targetdirDIRz/Set target directory (where to store provision))rOrPrN-q--quietBe quietrPrS--serverz DC to joinrPrN--sitez site to joinz--domain-critical-onlyz&only replicate critical domain objects --dns-backendNAMESERVER-BACKEND)SAMBA_INTERNAL BIND9_DLZNONEzThe DNS server backend. SAMBA_INTERNAL is the builtin name server (default), BIND9_DLZ uses samba4 AD to store zone information, NONE skips the DNS setup entirely (this DC will not be a DNS server)rfrNrOrXrPdefault-v --verbose Be verbose --use-ntvfs+Use NTVFS for the fileserver (default = no)c^ttjd}tj|ddd|z|gtj|}|\}}||d}|r't|d SdS) Nwz-sz-lz--parameter-name=%s)stdoutstderr r) openosdevnull subprocessPopenPIPE communicateclosesplitrDstrip)testparmsmbconfvarnameerrfilepouterrliness 5/usr/lib/python3/dist-packages/samba/netcmd/domain.pyget_testparm_varrs2:s##G(D$/'97D * A A AAJS# MMOOO IIe  E ,%(##))+++ 2cleZdZdZdZejejejdZ e dde gZ dgZ d d ZdS) cmd_domain_export_keytabz/Dump Kerberos keys of the domain into a keytab.z%prog [options] sambaoptscredopts versionoptsz --principalzextract only this principalrbkeytabNc||}td|}|||dS)N)r principal) get_loadparmr export_keytab)selfrrrrrlpnets rrunzcmd_domain_export_keytab.runs?''))BdB--C   Vy  A A A A ArNNNN__name__ __module__ __qualname____doc__synopsisoptions SambaOptionsCredentialsOptionsVersionOptionstakes_optiongroupsrstr takes_options takes_argsrrrrrs==-!-2"1   F='D3 O O O Z  B B B B B BrrcReZdZdZdZgZejejej dZ dgZ ddZ dS)cmd_domain_infoz?Print basic info about a domain and the DC passed as parameter.z%prog [options]raddressNcv|} t|d|}n##t$rtd|zdzwxYw|jd|jz|jd|jz|jd|jz|jd|j z|jd|j z|jd|j z|jd |j zdS) NzInvalid IP address 'z'!zForest : %s zDomain : %s zNetbios domain : %s zDC name : %s zDC netbios name : %s zServer site : %s zClient site : %s ) rr RuntimeErrorroutfwriteforest dns_domain domain_name pdc_dns_namepdc_name server_site client_site)rrrrrrress rrzcmd_domain_info.runs/  # # % % H3BgFFCC H H H5?$FGG G H 1CJ>??? 1CNBCCC 1COCDDD 1C4DDEEE 1CL@AAA 1COCDDD 1COCDDDDDs ( ANNN) rrrrrrrrrrrrrrrrrrsjII-HM).- J E E E E E ErrceZdZdZdZejejdZe ddde dd d d e d d dd e dd dd e dd dd e dd dd e dd dd e dd dd e dd dd e d d d!d" e d#d d$d% e d&d d$d' e d(d)d*gd+d,d-.e d/d d$d0 e d1d d2d3 e d4d d2d5 e d6d d7d8 e d9dd:;e dd?d@.e dAd)dBgdCdDdE.e dFd)dGgdHdIdJ.e dKdLdMdNdOPe dQdRde dSddT;gZ e dUd)gdVdWdXdYZgZ e e ejr*e ee e gZ d`d]Zd^Zd_Zd[S)acmd_domain_provisionzProvision a domain.%prog [options]rrz --interactivez Ask for namesrQr`z--domainrKDOMAINzNetBIOS domain name to userMz --domain-guidGUIDz!set domainguid (otherwise random)z --domain-sidSIDz set domainsid (otherwise random)z --ntds-guidz'set NTDS object GUID (otherwise random)z--invocationidz#set invocationid (otherwise random)z --host-nameHOSTNAMEz set hostnamez --host-ip IPADDRESSzset IPv4 ipaddressz --host-ip6 IP6ADDRESSzset IPv6 ipaddressrcSITENAMEz set site namez --adminpassrLz(choose admin password (otherwise random)z --krbtgtpassz)choose krbtgt password (otherwise random)rdrTrerfBIND9_FLATFILErgrhzThe DNS server backend. SAMBA_INTERNAL is the builtin name server (default), BIND9_FLATFILE uses bind9 text database to store zone information, BIND9_DLZ uses samba4 AD to store zone information, NONE skips the DNS setup entirely (not recommended)rfriz --dnspassz&choose dns password (otherwise random)z--rootUSERNAMEzchoose 'root' unix usernamez--nobodyzchoose 'nobody' userz--users GROUPNAMEzchoose 'users' groupz--blankz.do not add users or groups, just the structurerRz --server-roleROLE)domain controllerdc member servermember standalonez^The server role (domain controller | dc | member server | member | standalone). Default is dc.r--function-levelz FOR-FUN-LEVEL)200020032008rHzyThe domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2008_R2 Native.rHz --base-schemaz BASE-SCHEMA)rH 2008_R2_oldrIrJz;The base schema files to use. Default is (Windows) 2012_R2.rJz --next-ridintNEXTRIDizGThe initial nextRid value (only needed for upgrades). Default is 1000.)rNrOrjrPz--partitions-onlyzEConfigure Samba's partitions, but do not modify them (ie, join a BDC)z --use-rfc2307z/Use AD to store posix attributes (default = no) --use-xattrsyesnoauto [yes|no|auto]Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl when --use-ntvfs is set. auto tries to make an inteligent guess based on the user rights and system capabilitiesrrNrXrOrPrjNFc% * |d||_|}%|%j}&||}'n|}'|'d}'t |jdkrd}|rddlm}(ddl})dNd}* |) d dd }+n#t$rd}+YnwxYw|*d |+},|,d vrtd  |, d d}+n#t$rd}+YnwxYw|*d |+}|td|*dd}|*dd}|d vrtd|dkr&|*d|'}|dvrd}'d} |(d}-||-}.|.r|jd|.zn/|(d}/|-|/ks|jdn|-} npn<|jd},|,td |td| r'|| }.|.rt|.n|jd|dkrt*}0n)|dkrt,}0n|dkrt.}0n |dkrt0}0|dkr||'}t2}1|rt4}1n |rt6}1|3t8j|st9j|d}2|d krd!}2nk|d"kr |d!krd!}2n[|d!krtd#|d"kr?|%d$s)|r3tAj!t8j"|%}3nbtAj!t8j"t8j#|%d&%}3 tHj%&|%|3j'd'd(tQd)d!}2n*#tR$r|jd*YnwxYw|3*n#|3*wxYw|2r|jd+|tWj,|}t[}4|#t]}# t_|j|4fid,|&d-|d.|1d|,d/|d0|d1|d2| d3| d4| d5| d6|d7|d8| d9|d:|d;|d<|d=|d>|d?|d@|dA|dB|0dC|2dD|dE|%dF|dG| dHd!dI|!dJ|"dK|#dL|$}5n"#t`$r}6tdM|6d}6~6wwxYw|51|jdS)ONr;)namequietnoneTrrc|t|d|ddnt|ddtjtjdp|S)Nz [z]:  )end:  )printsysrrflushstdinreadlinerstrip)promptrjs raskz%cmd_domain_provision.run..askss&9sCCCCCFFF,#6666   """y))++22488CGCr.Realm)Nruz No realm set!DomainzNo domain set!z$Server Role (dc, member, standalone)rz=DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)rfzNo DNS backend set!z=DNS forwarder IP address (write 'none' to disable forwarding))NrzAdministrator password: z%s. zRetype password: Sorry, passwords do not match. realmz,Administrator password will be set randomly!rrrrHrFrr--use-xattrs=no requires --use-ntvfs (not supported for production use). Please re-run with --use-xattrs omitted. posix:eadbdir private dirO:S-1-5-32G:S-1-5-32S-1-5-32nativezZYou are not root or your system does not support xattr, using tdb backend for attributes. znot using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.r targetdir samdb_filldomain domainguid domainsidhostnamehostiphostip6sitenamentdsguid invocationid adminpass krbtgtpass machinepass dns_backend dns_forwarderdnspassrootnobodyusers serverroledom_for_fun_leveluseeadbnext_ridr use_ntvfs use_rfc2307skip_sysvolacl base_schemaplaintext_secrets backend_storebackend_store_sizezProvision failedN)2 get_loggerloggerr configfile_get_nameserver_iplenraw_argvrsocketgetfqdnr~upper IndexErrorrlower_adminpass_issueerrfr_lpgetinfor.r/r1r2r?r@rArwpathisdirmakedirstempfileNamedTemporaryFileabspathdirnamesambantaclssetntaclrr+ Exceptionr}rdom_sidr rr;r< report_logger)7rrr interactiver domain_guid domain_sid ntds_guidr host_namehost_iphost_ip6rsiter r r r r  ldapadminpassrrrrblank server_rolefunction_levelrpartitions_onlyr use_xattrsrrrrrrrrsuggested_forwarderrr#rrjradminpassplainissueadminpassverifyrreadbfilesessionresultes7 rrzcmd_domain_provision.run<s#Hoo;eoDD  # # % %-  $"/  "&"9"9";"; "*&,# t}   " "K : 5 ' ' ' ' ' ' MMM D D D D  ..**00a88;AACC    C))E """?333 ++c**1-    S7++F~"#3444#DdKKK#]_oppKj(("#8999... #$cex y y  &&((N::*.'$(M !()C!D!D--n==IOOGeO4444&-g.A&B&BO)_<< (JKKKK$2  M%%g..E}"?333~"#3444  M)))44E *"5))) * K  K L L L V # # 7   v % % 7   v % % 7   y ( ( :  * * *}/D/M  "%JJ  "!J  7==++ ' I&&&   DD 6 ! !i5&8&8DD %   JKK K 6 ! !"&&*>*> ! p2rwy7Q7QRRR2rwrwWYW]W]^kWlWlGmGm7n7nooo CL))"di*@*4*=*?*?*2 444 !DD CCCK$$&BCCCCCC   K K  J K K K  !!)*55J ""  577M 6t{&FFF07FCL9F*4*F7P65Q56$QQ5QQ55R A7U U6!U11U6cddlm}d}||s|jd|zdSd} t |d}|D]\}|ds|dc|| SS || n#|| wwxYw|jd |zdS) z5Grab the nameserver IP address from /etc/resolv.conf.r)r-z/etc/resolv.confzFailed to locate %sNr nameserverzNo nameserver found in %s) rwr-isfilerwarningrv startswithrr~r})rr- RESOLV_CONFhandlelines rr z'cmd_domain_provision._get_nameserver_ips(( {{;''  K   5 C D D D4 +s++F 0 0|44zz||))++B///! "  0 ! ! " 7+EFFFFFs ACC ct|tr|d}t|tkr dtzSt j|sdSdS)zTReturns error string for a bad administrator password, or None if acceptableutf8zdAdministrator password does not meet the default minimum password length requirement (%d characters)zBAdministrator password does not meet the default quality standardsN) isinstancerYdecoder!r=r4check_password_quality)rrs rr(z%cmd_domain_provision._adminpass_issuess i ' ' 1!((00I y>>2 2 2?() )-i88 %%4r)$NNNNNNNNNNNNNNNNNNNNNNNNNNNNNrFNNFNN)rrrrrrrrrrr ntvfs_optionsextendcommon_provision_join_optionsr4is_ntvfs_fileserver_builtcommon_ntvfs_optionsrrr r(rrrrrsr H)- _\JJJz(0 2 2 2Xv7 9 9 9~He6 8 8 8}8V= ? ? ?h9 ; ; ;}8Z" $ $ ${;( * * *|(L( * * *xh # % % %}8Z> @ @ @~Hj? A A AX7KPPPE(  ) ) ) {:< > > >xh 1 3 3 3z** , , ,yx* , , ,yD F F FXv[[[t* , , , !/:::P  " " " X}DDDQ  " " " |%D] _ _ _"[dp r r r|:kllls:Mz ~H6K6K6K&i    M6777&u&((,1222]+++J.2 ##EH*H*H*H*TGGG.     rrceZdZdZdZejejejdZ gZ e e e e ejre eddgZ d dZdS) cmd_domain_dcpromoz9Promote an existing domain member or NT4 PDC to an AD DC.z%%prog [DC|RODC] [options]rrrrrole?NFc2|}||}t|||j}||| }|d}||}|dkr>vvn--  ::<O=N  ; #0-  ;(:'9 ; ; ; ;V^^  = = =VV =FF =%% =BB =vv =4 =.:l =FOi =+?+? =#.+ =:C =Q\P[ =(,t  =@Q?P  = %2M  = *<);  = = = =NQUUVV Vr)NNNNNNNFNFNFFFNN)rrrrrrrrrrrracommon_join_optionsrbr4rcrdrrrrrrfrf-sCC6H)-. M,---6777&u&((31222G$J>B@D48)-:?37 #W#W#W#W#W#WrrfceZdZdZdZejejejdZ e dddgZ e ddd gZ e d dd gZ e ee eejre e ejre e d dgZ ddZdS)cmd_domain_joinz9Join domain as either member or backup domain controller.z,%prog [DC|RODC|MEMBER] [options]rgrnrorQr`z--experimental-s4-memberzfPerform member joins using the s4 Net join_member. Don't choose this unless you know what you're doingrRz--no-dns-updateszDisable DNS updatesrrhNFc>|}||}t|||j}|||}|d}||}||dkr| r$|||t| \}}}n| d||ddkrG| d| |tj tj z j| d d |jr|jn t!}t#jd t&j| 5}|d |jt&j|r3t'j|j}t'j|j|t'j|j|dddn #1swxYwYt;j}||tA|||} | || ||\}}|j!"d|d|ddS|dkr.tGr tI||||||||| | | | |||dS|dkr.tGr tK||||||||| | | | |||dStMd|z)NrjrlrnMEMBER)r r workgroup WORKGROUP)rflagsz server rolerF)deleter)r debug noDnsUpdateszJoined domain z (z) ro)rrkrprrrArqrrrr rr rrrrtz5Invalid role '%s' (possible values: MEMBER, DC, RODC))'rrurrvrr+r% join_memberr setfinddcrNBT_SERVER_LDAP NBT_SERVER_DSrrr,r0r1rwr-r3dumprexistsstatst_modechmodrenames3param get_contextloads3_Netr)rr-r r r)!rrrwrrrrkrArrrr rexperimental_s4_memberr rrmno_dns_updatesrrrrrprrrq join_passwordsidrsmb_conffmodes3_lps3_nets! rrzcmd_domain_join.runs # # % %((,,%H$6777>>vvn--  ::<@@@}o666,.MM2==|~~0GOOH557770:;GGE16***w~~h///!wx008...Iafh/// 000000000000000 +-- 8$$$uV<<<%+%7%7 DO>EES&8&U&U"k IOOOcccJ K K K K K T\\n..\ 6&"VLI)= +y +&7"/'9 ; ; ; ; ; ;V^^ 0 0^ VF%Bvli+?"-"-(9$1); = = = = = =VY]]^^ ^s BH!!H%(H%)NNNNNNNFNFFNFFFFNN)rrrrrrrrrrrr`selftest_optionsrrarxrbr4rcis_selftest_enabledrrrrrrzrzhsqCC=H)-.   M ! ! !M ),J K K K !,) + + +M,---6777&u&((,]+++ u ""/-...G$J>B@D48GK7<#37 B_B_B_B_B_B_rrzcneZdZdZdZejejejdZ e dddgZ gZ d d Z dS) cmd_domain_leavez1Cause a domain member to leave the joined domain.rrgz--keep-accountrQz3Disable the machine account instead of deleting it.rRNFc*|}||}tj}|jr|jn t }||t||} | |dSr) rrurrrr,rrleave) rrrr keep_accountrrprrrs rrzcmd_domain_leave.runs  # # % %((,,#%%$&ME2==|~~ 8u%% \"""""r)NNNF)rrrrrrrrrrrrrrrrrrrs;; H)-.  I K K KM J=A # # # # # #rrc eZdZdZdZeddeeddded d ed d eeddddeddddgZej ej ej dZ ddZ dS)cmd_domain_demotez4Demote ourselves from the role of Domain Controller.rraz(writable DC to write demotion changes onrb-H--URL%LDB URL for database or target serverURLHrPrNrOdestz--remove-other-dead-serverzMDead DC (name or NTDS GUID) to remove ALL references to (rather than this DC)r]r^r_rQr`rkrlrmrNFc |} || } t| | |j} |||} ||#t d|zt | | } nt |t | | } tj| | |n)#tj$r}td|zd}~wwxYwdS| d}t |t | | } |s| ddd g }t|d krtd t|d krtdd}|D]I}t|d |kr |d}nJ| }| t| t"jd|zdg}t|d ks d|d vrtd|z|d j}t)t|d d}| dt|zdg}t|d krtdt|z|jd|zt/|| | \}}}|jdt#j}|d j|_|t2zs| s|t6z}t#jt|t"jd|d<| ||jd|z| | | fD]D}tCj"}t||_tCj#}||_$tBj%|_&tOj(||_) |*|d |#tV$r}|j,\}}|tZj.krn|jd|z|t6z}t#jt|t"jd|d<| |tdt|z|Yd}~>d}~wwxYw t d|zt | | } |jd| t| /d|0zdg}|d j}!t)t|d d}"n#tb$r}|t2zs}| si|jd |t6z}t#jt|t"jd|d<| |td!|d}~wwxYwt|d kr|t2zs}| si|jd"|t6z}t#jt|t"jd|d<| |td#|0z|"}#|"tdtfzthzz}"|"tjz}"t#j}|!|_t#jd$|"zt"jd|d< | |n#tb$r}|t2zs}| si|jd"|t6z}t#jt|t"jd|d<| |td!|d}~wwxYw|j6}$|d j7}%d%|%z}&d }'t|&}(| 8| 9ttj;})| |)|&t"j<&}t|d kr| |)d'|&|'fzt"j<&}t|d krK|'d(krE|'d z}'| |)d'|&|'fzt"j<&}t|d kr|'d(kE|'d(kr|t2zs}| si|jd |t6z}t#jt|t"jd|d<| |t#j}|!|_t#jd$|"zt"jd|d<| |td)t|!|&|&|'d*z fzd'|&|'fz}( t#j=| |(d+t|)}*| >|!|*n#tb$r}|t2zs}| si|jd |t6z}t#jt|t"jd|d<| |t#j}|!|_t#jd$|"zt"jd|d<| |td,t|!d-t|*|d}~wwxYw| ?}+| }, tCj@}t|+|_At|,|_/d |_B|C|d |nI#tV$r;}-|-j,\}}|t2zs}| si|jd |t6z}t#jt|t"jd|d<| |t#j}|*|_t#jd$|"zt"jd|d<| || >|*|!|tZj.krtd.|+d/|-td0|+d1|-d}-~-wwxYwtjD| | |%d2d3| d4zd5d6fD]Y}. | Et#j=| |.d+t|*>#t"jF$r }/Yd}/~/Rd}/~/wwxYwtjG| | | Hd78|jd9dS):Nrjrl ldap://%surl session_info credentialsrzDemote failed: %srnz.(&(objectClass=computer)(serverReferenceBL=*)) dnsHostNamer) expressionattrsrzUnable to search for serversrz%You are the last server in the domainz(objectGUID=%s)rbasescoperrzFailed to find options on %sz(fSMORoleOwner=%s)zsearch_options:1:2)rcontrolszaCurrent DC is still the owner of %d role(s), use the role command to transfer roles to another DCz,Using %s as partner server for the demotion z!Deactivating inbound replication z0Asking partner server %s to synchronize from us zgError while replicating out last local changes from '%s' for demotion, re-enabling inbound replication z6Error while sending a DsReplicaSync for partition '%s'z#Changing userControl and container z)(&(objectClass=user)(sAMAccountName=%s$))userAccountControlrrrz6Error while demoting, re-enabling inbound replication z$Error while changing account controlz5Error while demoting, re-enabling inbound replicationz@Unable to find object with samaccountName = %s$ in the remote dcz%dzCN=%s)rrrz%s-%ddzOUnable to find a slot for renaming %s, all names from %s-1 to %s-%d seemed used ,zError while renaming z to zThe DC z= is not present on (already removed from) the remote server: z(Error while sending a removeDsServer of rz$CN=Enterprise,CN=NTFRS SubscriptionszCN=%s, CN=NTFRS Subscriptionsrz?CN=Domain system Volumes (SYSVOL Share), CN=NTFRS SubscriptionszCN=NTFRS SubscriptionsT)ignore_no_namezDemote successful )Irrurrvrrr r(DemoteExceptionrr+searchr!rr' get_ntds_GUIDget_config_basednldb SCOPE_SUBTREEdnrr)rr'Messager5am_rodcr6MessageElementFLAG_MOD_REPLACEmodifyget_schema_basednget_root_basednrDsReplicaObjectIdentifierDsReplicaSyncRequest1naming_contextDRSUAPI_DRS_WRIT_REPrrrsource_dsa_guid DsReplicaSyncrargsrWERR_DS_DRA_NO_REPLICA domain_dnr%r7r8r9r:r7parent get_rdn_valueget_wellknown_dnget_default_basednrFDS_GUID_COMPUTERS_CONTAINERSCOPE_ONELEVELDnrget_serverNameDsRemoveDSServerRequest1 server_dncommitDsRemoveDSServerremove_sysvol_referencesrLdbErrorremove_dns_references host_dns_name)0rrrrrkremove_other_dead_serverrrmrrrprrsamdbrrqrrPr=msgntds_dn dsa_options drsuapiBinddrsuapi_handlesupportedExtensionsnmsgpartncreq1e1werrrK remote_samdbdc_dnuacolduacrdc_namerdninewrdn computer_dnnewdn server_dsa_dnre3sls0 rrzcmd_domain_demote.runs # # % %((,,%H$6777>> # /!+"6+9+;+;*/B888!.2B2BPUZ\]]] >#E63KLLLL, > > >"#6#<=== > Fvvn-- !.*:*:RTUUU ,,*Zcprxby,zzCCA "#ABBBCA "#JKKKF  qy>>''))\-?-?-A-AAA}-FEB'')) llE$;$;$=$= > >!$!2?PS\?\"+.. s88q==ISV33= IJJ Ja&)#c!fY/0011 ll&:S\\&I%9$:<< s88q== , #3xx ()) ) G   =LVUWY^=_=_:n&9 <==={}}a&)BB yEMMOO y > >K!0[1A1A3CWYbccDO LL    IOOO$% & & &00220022..002 y y688D 466&(#&; '+y';';$ y--naFFFF# y y y%'WNT6v<<< @BFGHHH$'JJ *-*.>-2r;;;L IOOB C C C%%3|/E/E/G/G+H+H1\&2&8&8&:&:2;-A,B&DDCFIEc#a&!567788CC J J J"FF #PUP]P]P_P_ # MOOOBB "%"4S5E5EsG[]f"g"gY T"""EqII I J HHMM"FF #PUP]P]P_P_ # KMMMBB "%"4S5E5EsG[]f"g"gY T""" 35A5G5G5I5I JKK K (*++,- - ++kmm$'$6tcz7:7K7K%M%M ! J    $ $ $ $ J J J"FF #PUP]P]P_P_ # KMMMBB "%"4S5E5EsG[]f"g"gY T"""EqII I Ja&)))++ S"33  + + - -  ,.. !!{s#J\!]] HHMM%%;7cSTXCU,/,>&@@Cc((a--AGGE")){wRUWXQYGY030B*DDc((a--AGG Cxx#&JJ'TYTaTaTcTc'IOOQSSS#FFK&)&8[9I9I3K_aj&k&kDOLL&&&kmm,/,>tcz?B?S?S-U-U()##C((("$O$'JJS!a%#@$ABBBQx'F ^F;O;O)Q)QC$ %    $ $ $,#e****cRWjjjY[\]] ]! ^$,,.. --// 8355D //DN [[DNDK  ( (D A A A A 8 8 8WNT6"FF #PUP]P]P_P_ # MOOOBB "%"4S5E5EsG[]f"g"gY T"""+--CCF(+(:4#:;>;O;O)Q)QC$ %    $ $ $   u - - -v444"l$1MM22$7888#l$1MM22$7888- 84 *<III91BFF7OOCS*,  A ##CF<67aaU+D%F%FGGGG<     ' fe>Q>Q>S>S7; = = = = -.....sB66CCCR U#B'UUB>X Z>"BZ99Z>'_== b#Bbb#2=l11 q > H z JQTUUUtW#JQT3 ( ( (+3CIL N N NtYZ EEEt[|LIIIM).- ,0%)-1!&R/R/R/R/R/R/rrc eZdZdZdZejejejdZ e ddde dd e d d d d e ddgdde ddgddgZ dgZ ddZdS)cmd_domain_levelz(Raise domain and forest function levels.z&%prog (show|raise ) [options]rrrrrrrr]r^r_rQr`z--forest-levelrT)rrrHrIrJzBThe forest function level (2003 | 2008 | 2008_R2 | 2012 | 2012_R2)rNrXrPz--domain-levelzBThe domain function level (2003 | 2008 | 2008_R2 | 2012 | 2012_R2) subcommandNFc $|} || d} t|t| | } | } | d| ztjdg} t| dksJ| | tjddg}t|dksJ| d | ztj d dg }t|dksJt}t}d| d vr!t| d dd }d|d vr!t|d dd }t|d dd }d}|D]J}d|vr=|t|dd |krt|dd }Ct}|tks |tkrtd |tkrtd||krtd||krtd|dkr!|d| z|tkr|d kr|d|tkr|d kr|d|tkr|d kr|d|d|tkrd}nV|tkrd}nH|t krd}n:|t"krd}n,|t$krd}n|t&krd}n|t(krd}nd}|d|z|tkr |d krd }nj|tkr |d krd}nV|tkrd}nH|t krd}n:|t"krd}n,|t$krd}n|t&krd}n|t(krd}nd}|d!|z|tkrd}nH|t krd}n:|t"krd}n,|t$krd}n|t&krd}n|t(krd}nd}|d"|zdS|d#krag}||dkrt }n7|dkrt"}n)|d$krt$}n|dkrt&}n |d%krt(}||kr|d krtd&||krtd'|d kr1tj}tj| | |_tjd(tjd|d<| |tj}tj| d)| d*zd+| zz|_tjd(tjd|d< | |n7#tj$r%}|j\}}|tjkrYd}~nd}~wwxYwtj}tj| | |_tjt?|tjd|d<| |tj}tj| d)| d*zd+| zz|_tjt?|tjd|d< | |n7#tj$r%}|j\}}|tjkrYd}~nd}~wwxYw|}| d,| |dkrt }n7|dkrt"}n)|d$krt$}n|dkrt&}n |d%krt(}||krtd-||krtd.tj}tj| d| z|_tjt?|tjd|d<| || d/| d0|d1!|dStd2|z)3NT)fallback_machinerCN=Partitions,%szmsDS-Behavior-Versionrrr nTMixedDomainz CN=Sites,%sz(objectClass=nTDSDSA))rrrrzSDomain and/or forest function level(s) is/are invalid. Correct them or reprovision!zFLowest function level of a DC is invalid. Correct this or reprovision!zVForest function level is higher than the domain level(s). Correct this or reprovision!zdDomain function level is higher than the lowest function level of a DC. Correct this or reprovision!showz0Domain and forest function level for domain '%s'z| ATTENTION: You run SAMBA 4 on a forest function level lower than Windows 2000 (Native). This isn't supported! Please raise!z| ATTENTION: You run SAMBA 4 on a domain function level lower than Windows 2000 (Native). This isn't supported! Please raise!z ATTENTION: You run SAMBA 4 on a lowest function level of a DC lower than Windows 2003. This isn't supported! Please step-up or upgrade the concerning DC(s)!rurz02003 with mixed domains/interim (NT4 DC support)rrz2008 R2rIz2012 R2zhigher than 2012 R2z!Forest function level: (Windows) z2000 mixed (NT4 DC support)z!Domain function level: (Windows) z)Lowest function level of a DC: (Windows) raiserHrJzGDomain function level can't be smaller than or equal to the actual one!zMDomain function level can't be higher than the lowest function level of a DC!0zCN=r}z,CN=Partitions,%szDomain function level changed!zGForest function level can't be smaller than or equal to the actual one!zdForest function level can't be higher than the domain function level(s). Please raise it/them first!zForest function level changed!!All changes applied successfully!rz4invalid argument: '%s' (choose from 'show', 'raise'))"rrurr rrrr SCOPE_BASEr!rr.rrmessager0r/r1r2r3r4rrrrrrr+rrERR_UNWILLING_TO_PERFORMrappendjoin)rrr forest_level domain_levelrrrrrrprr res_forest res_domainres_dc_s level_forest level_domainlevel_domain_mixed min_level_dcroutstrmsgsnew_level_domainmrPenumemsge2new_level_forests rrzcmd_domain_level.run2s/  # # % %((d(CC!.*:*:"'B000OO%% \\"4u7N7N7P7P"P(+?V>W"YY :!####\\)3>)@/(R"TT :!####<< 0G0G0I0I I&)&7D['>&? AA8}}!!!!/ . "jm 3 3z!}-DEaHIIL "jm 3 3z!}-DEaHIIL A!?!BCC   C&#--'3s3J/KA/N+O+OR^+^+^#&s+B'CA'F#G#GL6  1 1 1\D[5[5[tuu u 1 1 1ghh h , & &wxx x , & & FGG G    LLKiW X X X666;MQR;R;R ]^^^666;MQR;R;R ]^^^666;MQR;R;R ~ LL   666!>>>K!888!888!;;;"!888!;;;". LL>>K!888!888!;;;"!888!;;;". LL$$!V++'>$$!Y..'A$$!V++'>$$!Y..'A$#|338Ja8O8O&'pqqq#l22&'vwww&** A6%33AD),);C$$!V++'>$$!Y..'A$$!V++'>$$!Y..'A$#|33&'pqqq#l22&(NOOOKMMve%7%:Q:Q:S:S%STT-0-?())3+?+.-.-)* Q <=== KK; < < < LL4 ) ) ) ) )UXbbcc cs0XY)Y  Y]%%^4^^)NNNFNNNrrrrrrs227H).- tW#JQT3 ( ( (tYZ EEEh8f8f8fX Z Z Zh8f8f8fX Z Z Z MJFJDHPdPdPdPdPdPdrrcleZdZdZdZejejejdZ e ddde dd gZ d d Z d S) cmd_domain_passwordsettings_showz1Display current password settings for the domain.rrgrrrrrrNc|}||}t|t||}|}||t jgd} t| dksJ t| ddd} t| ddd} t| ddd} t| dd d} t| dd d}t| dd d}t| dd d}t| dd d}n"#t$r}td|d}~wwxYw|d|z|d| tzdkr|dn|d| t zdkr|dn|d|d| z|d| z|d| z|d|z|d|z|d|z|d|zdS)Nr) pwdPropertiespwdHistoryLength minPwdLength minPwdAge maxPwdAgelockoutDurationlockoutThresholdlockOutObservationWindowrrrr'r(r)r*r+r-r,r.z'Could not retrieve password properties!z$Password information for domain '%s'ruzPassword complexity: onzPassword complexity: offzStore plaintext passwords: onzStore plaintext passwords: offzPassword history length: %dzMinimum password length: %dzMinimum password age (days): %dzMaximum password age (days): %dz#Account lockout duration (mins): %dz(Account lockout threshold (attempts): %dz&Reset account lockout after (mins): %d)rrurr rrrrr!rr#r"r7rrrr)rrrrrrrprrr pwd_props pwd_hist_lencur_min_pwd_lencur_min_pwd_agecur_max_pwd_agecur_account_lockout_thresholdcur_account_lockout_durationcur_reset_account_lockout_afterrPs rrz$cmd_domain_passwordsettings_show.runs   # # % %((,,!.*:*:"'B000OO%% ll9CN">">">??3xx1}}}} MCF?3A677Is1v&89!<==L!#a&"8";< [options]rgrrrrrrr]r^r_rQr`z --complexityrT)onoffrjz=The password complexity (on | off | default). Default is 'on'rz--store-plaintextzStore plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'z--history-lengthzBThe password history length ( | default). Default is 24.rbz--min-pwd-lengthzAThe minimum password length ( | default). Default is 7.z --min-pwd-agezFThe minimum password age ( | default). Default is 1.z --max-pwd-agezGThe maximum password age ( | default). Default is 43.z--account-lockout-durationzThe the length of time an account is locked out after exeeding the limit on bad password attempts ( | default). Default is 30 mins.z--account-lockout-thresholdzThe number of bad password attempts allowed before locking out the account ( | default). Default is 0 (never lock out).z--reset-account-lockout-afterzuAfter this time is elapsed, the recorded number of attempts restarts from zero ( | default). Default is 30.NFc4 | }| |}t|t||}|}g}t j}t j|||_t| }| }| }|R|dks|dkr |tz}|dn&|dkr |tz}|d|R|dks|dkr |tz}|dn&|dkr |tz}|d||0t jt#|t jd |d <|x|dkrd }nt|}|d ks|d krt'd t jt#|t jd |d <|d|x|dkrd}nt|}|d ks|dkrt'dt jt#|t jd|d<|d||dkrd}nt|}|d ks|dkrt'dt|dz }t jt#|t jd|d<|d||dkrd}nt|}|d ks|dkrt'd|d krt(}nt|dz }t jt#|t jd|d<|d| | dkrd} nt| } | d ks| d krt'd!| d krt(}nt| d"z }t jt#|t jd#|d#<|d$| ]| dkrd } nt| } t jt#| t jd%|d%<|d&| | dkrd} nt| } | d ks| d krt'd!| d krt(}nt| d"z }t jt#|t jd'|d'<|d(|s|r>t+|}t+|}|d kr||krt'd)||fzt-|d krt'd*|||d+|d,|dS)-Nrr:rjzPassword complexity activated!r;z Password complexity deactivated!z;Plaintext password storage for changed passwords activated!z=Plaintext password storage for changed passwords deactivated!r'rz8Password history length must be in the range of 0 to 24!r(z Password history length changed!z8Minimum password length must be in the range of 0 to 14!r)z Minimum password length changed!riz6Minimum password age must be in the range of 0 to 998!g8M%iBr*zMinimum password age changed!+iz6Maximum password age must be in the range of 0 to 999!r+zMaximum password age changed!iz8Maximum password age must be in the range of 0 to 99999!gAr,z!Account lockout duration changed!r-z"Account lockout threshold changed!r.z0Duration to reset account lockout after changed!zIMaximum password age (%d) must be greater than minimum password age (%d)!z7You must specify at least one option to set. Try --helpr r)rrurr rrrrrrget_pwdProperties get_maxPwdAge get_minPwdAgerrrrrrrr!r#r!rrr)rr min_pwd_age max_pwd_ager complexitystore_plaintexthistory_lengthmin_pwd_lengthaccount_lockout_durationaccount_lockout_thresholdreset_account_lockout_afterrrrrrprrrrr/max_pwd_age_ticksmin_pwd_age_ticksr0 min_pwd_lenaccount_lockout_duration_ticks!reset_account_lockout_after_tickss rrz#cmd_domain_passwordsettings_set.runos  # # % %((,,!.*:*:"'B000OO%%  KMMveY''//1122 "//11!//11  !T!!Z9%<%<%(??  <====u$$%*A)AB  >???  &$&&/Y*F*F%(GG  YZZZZ E))%*I)IJ  [\\\  !_%@!$!3C NN474H/"["[Ao   %**! ">22 a<"#4#4"#]^^^$'$6s<7H7H7:7KM_%a%aA ! KK: ; ; ;  %** !.11 Q+"2"2"#]^^^ # 23{3C3C363G!Y!YAn  KK: ; ; ;  "i'' !+.. Q+"3"3"#[\\\"%[4F%G!H!H H  /4E0F0F030DkSSAkN KK7 8 8 8  "i'' !+.. Q+"3"3"#[\\\a$3!!%(8J)K%L%L$L! /4E0F0F030DkSSAkN KK7 8 8 8 # /'944+-((+./G+H+H('!++/G%/O/O"#]^^^(1,,1@..256NRZ6[2\2\1\.#c:X6Y6Y696JL]$_$_A KK; < < < $ 0(I55,-)),/0I,J,J)$'$6s;T7U7U7:7KM_%a%aA ! KK< = = = & 2*i77.0++.12M.N.N+*Q..2MPU2U2U"#]^^^+a//4C11589TX`9a5b5b4b1,/,>sCd?e?e?B?SUo-q-qA( ) KKJ K K K  M+ M,,=>>K+,=>>KaK;$>$>"#nr}@KrL$LMMM q66Q;;XYY Y Q 7888 TYYt__%%%%%r)NNNFNNNNNNNNNNr7rrrr9r9Es+H)-. tW#JQT3 ( ( (tYZ EEE~H6N6N6NS U U U";S;S;S[ \ \ \!X_b d d d!W^a c c c\cf h h h]dg i i i+lsv w w w,X_b c c c.LSV W W W)M09=OSZ^GK c&c&c&c&c&c&rr9cdeZdZdZiZeed<eed<eed<dS)cmd_domain_passwordsettingsz Manage password policy settings.psor rN)rrrr subcommandsrBr%r9rrrrTrTsT**K88::K::<rz--dbdirrKr\z+Path to samba classic DC database directoryrMz --testparmPATHzPath to samba classic DC testparm utility from the previous installation. This allows the default paths of the previous installation to be followedr[zCPath prefix where the new Samba 4.0 AD domain should be initialisedr]r^r_rQr`rkrlrmrdrTreraThe DNS server backend. SAMBA_INTERNAL is the builtin name server (default), BIND9_FLATFILE uses bind9 text database to store zone information, BIND9_DLZ uses samba4 AD to store zone information, NONE skips the DNS setup entirely (this DC will not be a DNS server)rfrirrrrrrrNFc tj|std|z|r1tj|std|z|r1tj|std|z|s|std|||} |r|r| dd}|} tj}|j r| d|j |3tj |stj |d}|d krd }nf|d kr | d krd }nV| d krtd |d kr:| d s$|r3tjtj|}nbtjtjtj| d} t$j| |jddt-dd }n%#t.$r| dYnwxYw|n#|wxYwi}|r||d<||d<||d<|dz|d<ntt5||d|d<t5||d|d<t5||d|d<t5||d|d<t7|ddkr |d|d<|D]}| |||| d||t;||}| dt=|| |t?|| | dS)NzFile %s does not existz"Testparm utility %s does not existzDirectory %s does not existz'Please specify either dbdir or testparmrlz2both dbdir and testparm specified, ignoring dbdir.rTrFrrrrrrrrzYou are not root or your system does not support xattr, using tdb backend for attributes. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.zstate directoryzlock directoryz /smbpasswdzsmb passwd filerzReading smb.conf Provisioning)rrr r) rwr-rrrrVrrrrrr.mkdirr+r0r1r2r3r4r5r6rr+r7r,r}rr!rr$r&r )rrrdbdirrrrmrGrrr rrrs3confrLtmpfilepathsrsamba3s rrzcmd_domain_classicupgrade.runLsjw~~g&& C7'ABB B  PBGNN844 PChNOO O  F.. F>  X  NNO P P PE  # # % %$&& ? 1 JJw  0 0 0  7==++ $###   DD 6 ! !i5&8&8DD %   JKK K 6 ! !&**\*B*B ! s"5"'//):T:TUUU"5"'//"'//Z\Z`Z`anZoZoJpJp:q:qrrr  NL))"gl*@*4*=*?*?*2 444 !DD NNNKK!MNNNNNN     C',E# $#(E- &+E" #',|';E# $ $'7'K\']']E# $#3Hg}#U#UE- '7'K\']']E# $&6xJZ&[&[E" #5*+,,11+01A+B'( $ $A JJq%( # # # #  &''' G(( N###FFINDTDT$(kY X X X X X Xs*7I:9J4:JJ4JJ44K ) NNNNFFrNNNF)rrrrrrrrrrrr`r4rcrardrrrrrrXrXs 4H)- yxA C C C|(Fk l l l}8UY [ [ [tYZ EEEt[|LIIIX7KPPPV(  ) ) )M& ~H6K6K6K&i    M'u&((,1222]+++JEIW[(-XXXXXXXXXXXXrrXc eZdZejZdZdS)cmd_domain_samba3upgradeTN)rrrrXrhiddenrrrrcrcs'/G FFFrrcceZdZdZdS)LocalDCCredentialsOptionscJtj||ddS)Nzlocal-dc) special_name)rr__init__)rparsers rriz"LocalDCCredentialsOptions.__init__s&"++D&z+RRRRRrNrrrrirrrrfrfs(SSSSSrrfceZdZdZdZdZdZGddeZGddeZ Gd d eZ d Z d Z d Z dZ d%dZdZdZdZdZdZdZdZdZdZd&dZd&dZdZdZdZd Zd!Zd"Z d'd$Z!d#S)(DomainTrustCommandList domain trusts.ctj|d|_d|_d|_d|_d|_d|_d|_dSr) rrilocal_lp local_serverlocal_binding_string local_creds remote_serverremote_binding_string remote_credsrs rrizDomainTrustCommand.__init__sP  $(!!%)" rc4tj|jSr)ctypesc_uint32value)rvs r_uint32zDomainTrustCommand._uint32sq!!''rc^|dS||jd}||krdSdS)NFrT)r}r)rruntimevalerr32s rcheck_runtime_errorz&DomainTrustCommand.check_runtime_errors6 ?5 W\!_-- C<<4urceZdZdZdS)$DomainTrustCommand.LocalRuntimeErrorc||jd}|jd}d|j|||fz}tj||dS)Nrrz%LOCAL_DC[%s]: %s - ERROR(0x%08X) - %s)r}rrqrriexception_selfrrrrerrstrrs rriz-DomainTrustCommand.LocalRuntimeError.__init__sXLLa11E\!_F9#WeV===C  !.# 6 6 6 6 6rNrkrrrLocalRuntimeErrorr# 7 7 7 7 7rrceZdZdZdS)%DomainTrustCommand.RemoteRuntimeErrorc||jd}|jd}d|j|||fz}tj||dS)Nrrz&REMOTE_DC[%s]: %s - ERROR(0x%08X) - %s)r}rrtrrirs rriz.DomainTrustCommand.RemoteRuntimeError.__init__sXLLa11E\!_F:$guf>>>C  !.# 6 6 6 6 6rNrkrrrRemoteRuntimeErrorrrrrceZdZdZdS) DomainTrustCommand.LocalLdbErrorc|jd}|jd}d|j|||fz}tj||dS)Nrrz!LOCAL_DC[%s]: %s - ERROR(%d) - %s)rrqrri)rr ldb_errorrerrvalrrs rriz)DomainTrustCommand.LocalLdbError.__init__sN^A&F^A&F5#Wff9>>C  !.# 6 6 6 6 6rNrkrrr LocalLdbErrorrrrrc|j|jS|}|j}|O|}|dkrt d|z|d}d}d}|dz }d}d} nd}d}d|z}||} ||_||_|d |d |d |_||_ | |_ |jS) NROLE_ACTIVE_DIRECTORY_DCzInvalid server_role %srnncalrpcruz,auth_type=ncalrpc_as_systemncacn_npr:[]) rqrrvrDrr+rurprrlocal_ldap_urlrs) rr localdcoptsrrqrDlocal_transportlocal_binding_optionsrrss rsetup_local_serverz%DomainTrustCommand.setup_local_servers   ($ $  # # % %",  ..**K888"#;{#KLLL66.11L'O$& ! !%C C !!NKK(O$& !(<7N%55b99K (3B??LLLRgRgRg$h!,&  rcLtj|j|j|jSr)rlsarpcrrrprsrws rnew_local_lsa_connectionz+DomainTrustCommand.new_local_lsa_connectionsz$3T]DDTUUUrcLtj|j|j|jSr)rrrrprsrws rnew_local_netlogon_connectionz0DomainTrustCommand.new_local_netlogon_connection s !:DM4K[\\\rc^t|jt|j|jS)Nr)rrr rsrprws rnew_local_ldap_connectionz,DomainTrustCommand.new_local_ldap_connections2,"0"2"2!%!1 ''' 'rTc |r|sJ|j|jSd|z|_|jJ||j}|j}d} t ||j|}t jt jz} |r| t j z} |r| t j z} | | ||} nM#t$r%} td|d| jdd} ~ wt$rtd|zwxYwit j d t jd t jd t jd t jd t jdt jdt j dt jdt jdt jdt jdt jdt jdt jdt jdt jd} || | jd} |j d| j!d| j"d| d| j"|_d |jd!|d"|_#||_$|jS)#Nz__unknown__remote_server__.%srurj)rrrz*Failed to find a writeable DC for domain 'z': rz-Failed to find a writeable DC for domain '%s'PDCGCLDAPDSKDCTIMESERVCLOSESTWRITABLE GOOD_TIMESERVNDNCSELECT_SECRET_DOMAIN_6FULL_SECRET_DOMAIN_6ADS_WEB_SERVICEDS_8 HAS_DNS_NAME IS_DEFAULT_NC FOREST_ROOTT names_onlyzRemoteDC Netbios[] DNS[z ] ServerType[] z ncacn_np:rr)%rtrqrurprvrrrrNBT_SERVER_WRITABLENBT_SERVER_PDCrrrrr7 NBT_SERVER_GCNBT_SERVER_KDCNBT_SERVER_TIMESERVNBT_SERVER_CLOSESTNBT_SERVER_GOOD_TIMESERVNBT_SERVER_NDNC!NBT_SERVER_SELECT_SECRET_DOMAIN_6NBT_SERVER_FULL_SECRET_DOMAIN_6NBT_SERVER_ADS_WEB_SERVICENBT_SERVER_DS_8NBT_SERVER_HAS_DNS_NAMENBT_SERVER_IS_DEFAULT_NCNBT_SERVER_FOREST_ROOTgeneric_bitmap_to_string server_typerrrrrurv)rrr require_pdcrequire_writablervrtremote_binding_options remote_net remote_flags remote_infoerrorflag_mapserver_type_strings rsetup_remote_serverz&DomainTrustCommand.setup_remote_servers  $# # # #   )% %>  * !# Y\4=OOOJ.1BBL 8 77  3 22 $++,vWd+eeKK 8 8 8, & 1  788 8 Y Y YNQWWXX X Y    t      t      #Z    "I   #Z   (/      13K   /1G   *,=      '  (/! "  & # &"::8;F;R_c;ee #,,,#000***, - - - )5:>:L:L:LNdNdNd%e"(!!s A*B77 D C!! DcLtj|j|j|jSr)rrrurprvrws rnew_remote_lsa_connectionz,DomainTrustCommand.new_remote_lsa_connectionTsz$4dmTEVWWWrcLtj|j|j|jSr)rrurprvrws rnew_remote_netlogon_connectionz1DomainTrustCommand.new_remote_netlogon_connectionWs !;T]DL]^^^rctj}tj|_|dd||}||tj}||fS)Nrzutf-8)rObjectAttributeQosInfosec_qos OpenPolicy2r^QueryInfoPolicy2LSA_POLICY_INFO_DNS)rconn policy_access objectAttrpolicyr,s r get_lsa_infozDomainTrustCommand.get_lsa_infoZsj(**  []] !!#**W"5"5",m==$$VS-DEE~rc  ||dddddtj}|jS#t$r|||cYSwxYwNr)netr_DsRGetDCNameEx2rDS_RETURN_DNS_NAMEdc_uncrnetr_GetDcName)rrrkrr,s rget_netlogon_dc_uncz&DomainTrustCommand.get_netlogon_dc_uncesr 7,,V-11dD$-5-HJJD;  7 7 7&&vv66 6 6 6 7s+. AAc P||dddddtj}|Sr)rrr)rrrkr,s rget_netlogon_dc_infoz'DomainTrustCommand.get_netlogon_dc_infons3(()-q$d)1)DFF rcH|jtjkr|jS|jSr) trust_typerLSA_TRUST_TYPE_DOWNLEVELrqdns_namerts rnetr_DomainTrust_to_namez+DomainTrustCommand.netr_DomainTrust_to_namets" <37 7 7> !zrc@d}d}|D];}|jtjzr%|}|jtjzs ||j}n<|jtjzr1||urdS|jtjzrdS||j}||urdSdS|jtjzrdSdS)NParentTreeRootChildShortcutForestExternal) trust_flagsrNETR_TRUST_FLAG_PRIMARYNETR_TRUST_FLAG_TREEROOT parent_indexNETR_TRUST_FLAG_IN_FORESTtrust_attributesr%LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)rarprimaryprimary_parent_trs rnetr_DomainTrust_to_typez+DomainTrustCommand.netr_DomainTrust_to_typezs  B~ @@ ~(II8%&r%7N   =8= = N""x}x@@ "!zq~&F  w:  I I 8zrc|jtjzrdS|jtjzrdS|jtjzrdSdS)NYesNo)rrrrr"LSA_TRUST_ATTRIBUTE_NON_TRANSITIVErrs rnetr_DomainTrust_to_transitivez1DomainTrustCommand.netr_DomainTrust_to_transitivesN =8= = 5  F F 4  I I 5trc|jtjzr|jtjzrdS|jtjzrdS|jtjzrdSdS)NBOTHINCOMINGOUTGOINGINVALID)rrNETR_TRUST_FLAG_INBOUNDNETR_TRUST_FLAG_OUTBOUNDrs rnetr_DomainTrust_to_directionz0DomainTrustCommand.netr_DomainTrust_to_directions^ =8; ;  =8< < 6 =8; ; : =8< < :yrFc| ||}n*#t$r||}d|z}YnwxYwd||fz}|S)Nz__unknown__%08X__ 0x%x (%s))KeyErrorr})re_dictr|rrqv32rRs rgeneric_enum_to_stringz)DomainTrustCommand.generic_enum_to_strings_ *q AA * * *,,q//C#c)AAA * 1a& s  $22cg}|}t|D]}||zs||z}|||gz }|dkr||}|d|zgz }d|}|r|Sd||fz} | S)Nrz__unknown_%08X__rr)sortedkeysr}r) rb_dictr|rrcbc32rqrRs rrz+DomainTrustCommand.generic_bitmap_to_strings   &&  AE  !GA &) AA 66,,q//C $s*+ +A HHQKK  H 1a& rctjdtjdtjdtjdi}|||S)N DOWNLEVELUPLEVELMITDCE)rrLSA_TRUST_TYPE_UPLEVELLSA_TRUST_TYPE_MITLSA_TRUST_TYPE_DCEr)rr|typess rtrustType_stringz#DomainTrustCommand.trustType_stringsA  (+  &  "E  "E   **5!444rctjtjzdtjdtjdi}|||S)NrINBOUNDOUTBOUND)rLSA_TRUST_DIRECTION_INBOUNDLSA_TRUST_DIRECTION_OUTBOUNDr)rr| directionss rtrustDirection_stringz(DomainTrustCommand.trustDirection_stringsE  +  , -.4  +Y  ,j  **:q999rctjdtjdtjdtjdtjdtjdtjdtjdi}| ||S) NNON_TRANSITIVE UPLEVEL_ONLYQUARANTINED_DOMAINFOREST_TRANSITIVECROSS_ORGANIZATION WITHIN_FORESTTREAT_AS_EXTERNALUSES_RC4_ENCRYPTION) rr LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY&LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAINr&LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION!LSA_TRUST_ATTRIBUTE_WITHIN_FOREST%LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL'LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTIONr)rr| attributess rtrustAttributes_stringz)DomainTrustCommand.trustAttributes_stringsg  24D  0.  68L  57J  68L  1?  57J  79N  ,,Z;;;rc"tjdtjdtjdtjdtjdtjdtjdtjdtj d tj d i }| ||S) N DES_CBC_CRC DES_CBC_MD5 RC4_HMAC_MD5AES128_CTS_HMAC_SHA1_96AES256_CTS_HMAC_SHA1_96zAES256_CTS_HMAC_SHA1_96-SKFAST_SUPPORTEDCOMPOUND_IDENTITY_SUPPORTEDCLAIMS_SUPPORTED!RESOURCE_SID_COMPRESSION_DISABLED) rKERB_ENCTYPE_DES_CBC_CRCKERB_ENCTYPE_DES_CBC_MD5KERB_ENCTYPE_RC4_HMAC_MD5$KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96$KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96'KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SKKERB_ENCTYPE_FAST_SUPPORTED(KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTEDKERB_ENCTYPE_CLAIMS_SUPPORTED.KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLEDr)rr|enctypess rkerb_EncTypes_stringz'DomainTrustCommand.kerb_EncTypes_stringsx  -}  -}  .  9;T  9;T  <>Z  02B  =?\  24F  CEh  ,,Xq999rc|dkrdStjdtjdtjdi}d|||dzS) NrStatus[Enabled]z Disabled-NewDisabledzDisabled-Conflicting Status[%s]Tr)rLSA_TLN_DISABLED_NEWLSA_TLN_DISABLED_ADMINLSA_TLN_DISABLED_CONFLICTrre_flagsrs rentry_tln_statusz#DomainTrustCommand.entry_tln_statussV a<<$$  $n  &  )+A  d;;E7W[;\\\\rc|dkrdStjdtjdtjdtjdi}d|||d zS) Nrr_z Disabled-SIDzDisabled-SID-Conflictingz Disabled-NBzDisabled-NB-ConflictingraTr)rLSA_SID_DISABLED_ADMINLSA_SID_DISABLED_CONFLICTLSA_NB_DISABLED_ADMINLSA_NB_DISABLED_CONFLICTrres rentry_dom_statusz#DomainTrustCommand.entry_dom_statuss_ a<<$$  &  )+E  %}  (*C   d;;E7W[;\\\\rNc(|d|z}nd}|jdt|j|fzt |jD]@\}}|j}d}|,|jD]$} | j|kr| j}d| jjz}%|j } |j tj kr>|jd| |dd| jd|d |j tjkr(|jd dd d| jd |j tjkrW|jd ||dd| jjd| jjd| jd|d BdS)Nz TDO[%s]ruzNamespaces[%d]%s: z Collision[%s]TLN: 32 DNS[*.rrzTLN_EX: 29rzDOM: z DNS[z ] Netbios[] SID[)rrr!entries enumeraterindexrrKforest_trust_datarNrLSA_FOREST_TRUST_TOP_LEVEL_NAMErg"LSA_FOREST_TRUST_TOP_LEVEL_NAME_EXLSA_FOREST_TRUST_DOMAIN_INFOrmdns_domain_namenetbios_domain_namer<) rftitln collisions tln_stringrrPrcollision_stringr#ds rwrite_forest_trust_infoz*DomainTrustCommand.write_forest_trust_infos ?#c)JJJ -CK((*166 7 7 7ck** A ADAqGE! %#+JJAw!|| GE'716='I$$#Av<<<  $ 5 5e < < < < < !*:*:*:!<====3AAA  "AHHH!.////3;;;  $ 5 5e < < < < < ! 1 8 8 8 ! 5 < < < ! .>.>.> !@AAA r)TT)F)NN)"rrrrrir}rrrrrrrrrrrrrrrrr rrrrr/r6rGr]rgrmrrrrrmrmsM ! ! !(((77777L77777777\77777777 777!!!>VVV]]]''')--1>">">">"@XXX___   777  8      *555::: < < < : : : ] ] ] ] ] ]######rrmcBeZdZdZdZejejedZ gZ ddZ dS)cmd_domain_trust_listrnrrrrNc .|||} |}n)#t$r}|||dd}~wwxYw ||t jt jzt jz}n`#t$rS}| |tj rtd|j z|||dd}~wwxYw|j}|D]} | jt jzr|jd||| zddd|| zddd || zd dd || zd dS) N!failed to connect netlogon serverz:LOCAL_DC[%s]: netr_DsrEnumerateDomainTrusts not supported.z$netr_DsrEnumerateDomainTrusts failedzType[%s]14rzTransitive[%s]15z Direction[%s]19zName[%s]r)rrrrnetr_DsrEnumerateDomainTrustsrrrrrrWERR_RPC_S_PROCNUM_OUT_OF_RANGErrqarrayrrrrr rrr) rrrrrqlocal_netlogonrlocal_netlogon_trustsrrs rrzcmd_domain_trust_list.runGs..y+FF  [!??AANN [ [ [((u6YZZ Z [ ^<<\=E=_=E=^>_=E=]>^__ " !  ^ ^ ^''v/UVV 7"#_#'#4$6777((u6\]] ]  ^ " ' L LA}x??  IOO&)F)Fq!)L)LLLLL,t/R/RST/U/UUUUU+d.P.PQR.S.SSSSS&)F)Fq)I)IIII K L L L L s-- AAA:B C/AC**C/r) rrrrrrrrrfrrrrrrrr9sX H)-0 MrrcHeZdZdZdZejejedZ gZ dgZ ddZ dS)cmd_domain_trust_showShow trusted domain details.%prog NAME [options]rrNc $ |||} |}n)#t$r}|||dd}~wwxYw tj}|||\} } n)#t$r}|||dd}~wwxYw|jd| j j d| j j d| j dt j } || _ || | tj} | j} | j}n[#t$$rN}||t(jrt-d|z|||dd}~wwxYw || | tj}n#t$$r}||t(jrd}||t(jrd}||||d t j}d |_Yd}~nd}~wwxYw d}| jtjzr!|| | tj}n#t$r}||t(j rd}||t(j!rd}||||d t j"}d |_#g|_$Yd}~nd}~wwxYw|jd |jd | j%j z| j%j | j&j kr'|jd| j&j z|jd| j z|jd|'| j(z|jd|)| j*z|jd|+| jztYj-|jj.}tYj/|jj.}|jd||fz|jd|0|jz| jtjzr!|1|| j&j dS)Nfailed to connect lsa server#failed to query LSA_POLICY_INFO_DNSLocalDomain Netbios[rrsr4trusted domain object does not exist for domain [%s]z.QueryTrustedDomainInfoByName(FULL_INFO) failed?QueryTrustedDomainInfoByName(SUPPORTED_ENCRYPTION_TYPES) failedrz&lsaRQueryForestTrustInformation failedzTrustedDomain: zNetbiosName: %s zDnsName: %s zSID: %s zType: %s zDirection: %s zAttributes: %s zPosixOffset: 0x%08X (%d) zkerb_EncTypes: %s r~)2rrrrr!LSA_POLICY_VIEW_LOCAL_INFORMATIONrrrrrKrrStringQueryTrustedDomainInfoByName!LSA_TRUSTED_DOMAIN_INFO_FULL_INFOinfo_ex posix_offsetrrrNT_STATUS_OBJECT_NAME_NOT_FOUNDr-LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPESNT_STATUS_INVALID_PARAMETERNT_STATUS_INVALID_INFO_CLASS TrustDomainInfoSupportedEncTypes enc_typesrrlsaRQueryForestTrustInformationrz"NT_STATUS_RPC_PROCNUM_OUT_OF_RANGENT_STATUS_NOT_FOUNDForestTrustInformationcountrtrqrr/rr6trust_directionrGryrzr{c_int32r]r)rrrrrrq local_lsarlocal_policy_access local_policylocal_lsa_info lsaStringlocal_tdo_fulllocal_tdo_infolocal_tdo_posixlocal_tdo_enctypeslocal_tdo_forestposix_offset_u32posix_offset_i32s rrzcmd_domain_trust_show.runxs..y+FF  V5577II V V V((u6TUU U V ]"%"G -1->->yJ]-^-^ *\>> ] ] ]((u6[\\ \ ] &+222&1888&***, - - - JLL !  h66|7@7:7\^^ ,3N,9OO h h h''x/WXX d"#Y\b#bccc((u6fgg g  h  -66|7@7:7hjj   - - -''x/STT ''x/TUU  ,,T5-nppp"%!E!G!G +,  ( ( ( ( ( ( - *# .1ZZ `==l>G>A>^``! * * *''x/Z[[ ''x/KLL  ,,T5:bccc"9;; %&  "')  $ $ $ $ $ $ * ,--- .1L1SSTTT  & -1K1R R R IOO2^5O5VV W W W .1CCDDD .1F1F~G`1a1aabbb .1K1KNLj1k1kklll .1L1L^Ml1m1mmnnn!??+GHHN!>/*FGGM 7;KM]:^^___ .1J1JK]Kg1h1hhiii  *S-V V P  ( ()9-;-G-N ) P P P sw- AAA%A== B#BB#>/D.. F8A FF !F,, H76A7H22H7;7I33 L=A>LLr) rrrrrrrrrfrrrrrrrrrhsg&&%H)-0 MJXXXXXXrrc eZdZdZdZejejedZ e ddddd e d dd d d e d dddd gZ dgZ ddZ dS)cmd_domain_trust_modifyrrrz--use-aes-keysrQz!The trust uses AES kerberos keys. use_aes_keysNrSrPrrj --no-aes-keysz:The trust does not have any support for AES kerberos keys.disable_aes_keysz--raw-kerb-enctypesstorezThe raw kerberos enctype bits kerb_enctypesrc d}d} || dz } || dz } || dz } | dkrtd| dkr|dz }|dkrtd|||} |} n)#t$r} ||| dd} ~ wwxYw t j} | t jz} || | \}}n)#t$r} ||| dd} ~ wwxYw|j d|j j d|j j d |jd | dkr0t j}||_ | ||t j}n#t$$r} || t(jrd} || t(jrd} | ||| d t j}d|_Yd} ~ nd} ~ wwxYw|j d ||jzt j}|t5|d |_nQ|,t6j|_|xjt6jzc_n#|t6j|_ntd|j|jkr | ||t j|}|j d||jznJ#t$$r#} | ||| dYd} ~ n"d} ~ wwxYw|j ddS)NrrzL--no-aes-keys, --use-aes-keys and --raw-kerb-enctypes are mutually exclusivez/modification arguments are required, try --helpzfailed to connect to lsa serverrrrrsrrzOld kerb_EncTypes: %s )rz&Internal error should be checked abovezNew kerb_EncTypes: %s z=SetTrustedDomainInfoByName(SUPPORTED_ENCRYPTION_TYPES) failedzNo kerb_EncTypes update needed ) rrrrrrrLSA_POLICY_TRUST_ADMINrrrrrKrrrrrrrrrrrrr]rrrUrVrTSetTrustedDomainInfoByName)rrrrrrrrnum_modifications enctype_argsrqrrrrrrrrs rrzcmd_domain_trust_modify.runsF  $ A L  # A L  ' A L !  mnn n 1    "   ! !PQQ Q..y+FF  Y5577II Y Y Y((u6WXX X Y ]"%"G  3#= = -1->->yJ]-^-^ *\>> ] ] ]((u6[\\ \ ] &+222&1888&***, - - - 1   I%I  1::<;D;>;lnn#"! 1 1 1++E83WXX! E++E83XYY! E$00u1rttt&)%I%K%K"/0",,,,,, 1 IOO69R9RSeSo9p9pp q q q<>>I(&)-a&@&@&@ ##)&.&S ###x'TT###!-'/&H ##"#KLLL"&8&BBB v!<<\=F=@=n=FHH' IOO$>AZAZ[d[nAoAo$opppp$vvv("44T55tvvv)((((v   BCCCsb&A;; B!BB!%4C D$C;;D"!F HA7H  HAL-- M7MM)NNNNNNrrrrrrrrrfrrrrrrrrrrs&&%H)-0  7"    |P&    $W3#    MJHLDHZZZZZZrrceZdZdZdZejejeje dZ e dddddgd d d e d dd gdddd e dddddgddd e ddddde dddgdd d!d" e d#dd$d%de d&dd'd(de d)d*d+d,d-e d.d*d/d0d-g Z d1gZ d3d2Zd"S)4cmd_domain_trust_createz Create a domain or forest trust.%prog DOMAIN [options]rrrrz--typerTTYPEexternalrz.The type of the trust: 'external' or 'forest'.rrNrOrXrPrrjz --direction DIRECTION)incomingoutgoingbothz6The trust direction: 'incoming', 'outgoing' or 'both'.rrz--create-locationLOCATIONlocalz=Where to create the trusted domain object: 'local' or 'both'.create_locationz--cross-organisationrQz=The related domains does not belong to the same organisation.cross_organisationFrz --quarantinedzyes|no)rrNzSpecial SID filtering rules are applied to the trust. With --type=external the default is yes. With --type=forest the default is no.quarantined_argNz--not-transitivez#The forest trust is not transitive.not_transitivez--treat-as-externalz'The treat the forest trust as external.treat_as_externalr store_falsez)The trust does not use AES kerberos keys.rTz--skip-validationzSkip validation of the trust.validaterc #tj}d}| |dkrd}n| dkrd}|dkr"| rtd| rtdtj}| r,tj|_|xjtjzc_ntj|_tj }|tj z}|tj z}tj }tj |_d|_|d kr5|xjtjzc_|xjtjzc_nA|d kr|xjtjzc_n |d kr|xjtjzc_d|_| r|xjtjzc_|r|xjtjzc_|dkr|xjtjzc_| r|xjtjzc_| r|xjtjzc_fd }d}d}tj }|d kr|jtjzr-|d}t1|d}|jtjzr-|d}t1|d}d}nd}|jtjzr |d}|jtjzr |d}|tj z}|tj z}tj }tj |_d|_|d kr5|xjtjzc_|xjtjzc_nA|d kr|xjtjzc_n |d kr|xjtjzc_d|_| r|xjtjzc_|r|xjtjzc_|dkr|xjtjzc_| r|xjtjzc_| r|xjtjzc_||} }n)#t8$r}|dd}~wwxYw ||\}} n)#t8$r}|dd}~wwxYwj d| j!j"d| j#j"d| j$d %||}!n)#t8$r}&|dd}~wwxYw '}"n)#t8$r}&|dd}~wwxYw |"|\}#}$n)#t8$r}&|dd}~wwxYwj d|$j!j"d|$j#j"d|$j$d|$j#j"|j(_"|$j!j"|j)_"|$j$|_$|r8| j#j"|j(_"| j!j"|j)_"| j$|_$ |j(j"|_"|*||tj+}%td|j"z#tX$rI}-|t\j/s|d|j"zYd}~nd}~wwxYw |j)j"|_"|*||tj+}&td|j"z#tX$rI}-|t\j/s|d|j"zYd}~nd}~wwxYw|r@ |j(j"|_"|"*|#|tj+}'td|j"z#tX$rI}-|t\j/s&|d|j"zYd}~nd}~wwxYw |j)j"|_"|"*|#|tj+}(td|j"z#tX$rI}-|t\j/s&|d|j"zYd}~nd}~wwxYw 0})n)#t8$r}|dd}~wwxYw 1|)|}*n)#t8$r}|dd}~wwxYw|r 2}+n)#t8$r}&|dd}~wwxYw 3|+|!|},n)#t8$r}&|dd}~wwxYwd}-tij5}.|-||.}/|-||.}0 |rj d d!d"d#}1tm|"|#|tj7|0|/}2j d$|r@j d%d!d&d#}1|"8|2tj9|j d'd d"d#}1tm|||tj7|/|0}3j d(|r@j d)d d&d#}1|8|3tj9|n#t8$r}j d*|1d+d,|1d-d.|2r1j d/|":|2d}2|3r1j d0|:|3d}3|1d-d!kr &|d1|1d+z|d1|1d+zd}~wwxYw|r|jtjzrщj d2 |);|*j<|$j#j"tzj>}4n)#t8$r}|d3d}~wwxYw |?||$j#tj@|4d}5n)#t8$r}|d4d}~wwxYwA|4|$j#j"|55|rj d6 |+;|,| j#j"tzj>}6n)#t8$r}&|d3d}~wwxYw |"?|#| j#tj@|6d}7n)#t8$r}&|d4d}~wwxYwA|6| j#j"|75|jtjzrej d7 |)B|*j<tzjCd8|$j#j"}8n)#t8$r}|d9d}~wwxYwD|8jEd}9D|8jFd}:|8jGtzjHzr(d:|8jId;|8jFd<d=|8jEd<d>};n'd:|8jId;|8jFd<d=|8jEd<d?};|9tjKks|:tjKkrt|;j d@|;z|ru|jtjzr`j dA |+B|,tzjCd8| j#j"}|}?n'dB|tjKkrt|?j d@|?z|20 |"L|2n#t8$r }Yd}~nd}~wwxYwd}2|30 |L|3n#t8$r }Yd}~nd}~wwxYwd}3j dCdS)DNFrTrrz'--not-transitive requires --type=forestz*--treat-as-external requires --type=forestrrrrcd} ||dkr|Std|z}td|z}||ksd}jdQ)NTruzNew %s Password: zRetype %s Password: r)rrr)rpasswordpasswordverifyrs r get_passwordz1cmd_domain_trust_create.run..get_password srH H'HNN#O"#6#=>>!()?$)F!G!G>11#HIOO$FGGG HrrzIncoming Trust utf-16-lezOutgoing Trustc|tj|dz|dz}t|dS)Nr)r4 generate_random_machine_passwordr*encode)lengthpws rrandom_trust_secretz8cmd_domain_trust_create.run..random_trust_secret s7;FaKSTUU+BIIk,B,BCCCrrrrrrsrfailed to locate remote serverRemoteDomain Netbios[zTrustedDomain %s already exist'z2QueryTrustedDomainInfoByName(%s, FULL_INFO) failedrfailed to get netlogon dc infoc|tj}d|_|Stj}t ||_||_tj}tj ||_ tj |_ ||_tj}d|_|g|_tj}d|_||_|S)Nrr)rtrustAuthInOutBlobr AuthInfoClearr!sizerAuthenticationInformationr4 unix2nttimeLastUpdateTimerTRUST_AUTH_TYPE_CLEARAuthTypeAuthInfoAuthenticationInformationArrayrcurrent)secret update_timeblobclearr,rs rgenerate_AuthInOutBlobz;cmd_domain_trust_create.run..generate_AuthInOutBloby s~244  *,,EVEJ#EN577D"'"3K"@"@D 5DM!DM;==EEK&EK.00DDJ DLKrzCreating remote TDO. remoteCreateTrustedDomainEx2)locationrzRemote TDO created. z2Setting supported encryption types on remote TDO. SetInformationTrustedDomainzCreating local TDO. zLocal TDO created z1Setting supported encryption types on local TDO. zError: rz failed rzly - cleaning up zDeleting remote TDO. zDeleting local TDO. %sz(Setup local forest trust information... *netr_DsRGetForestTrustInformation() failed&lsaRSetForestTrustInformation() failedr~rz)Setup remote forest trust information... zValidating outgoing trust... r!NETLOGON_CONTROL_TC_VERIFY failedLocalValidation: DC[ ] CONNECTION[r] TRUST[] VERIFY_STATUS_RETURNEDrOK: %s zValidating incoming trust... RemoteValidation: DC[z Success. )MrrrrrrUrrVrTrrLSA_POLICY_CREATE_SECRETTrustDomainInfoInfoExr+rrr3r4rrBrArrrDr*rrrrrrrrrrKrrrrrrrqrrrrrrrrrrr4current_unix_timerELSA_TRUSTED_DOMAIN_ALL_ACCESSrr DeleteObject!netr_DsRGetForestTrustInformationrrDS_GFTI_UPDATE_TDOlsaRSetForestTrustInformationrzrnetr_LogonControl2ExNETLOGON_CONTROL_TC_VERIFYr}pdc_connection_statustc_connection_statusrNETLOGON_VERIFY_STATUS_RETURNEDtrusted_dc_namer WERR_SUCCESSClose)@rrrrrrrrrrrrrrrr quarantinedrrlocal_trust_inforincoming_secretoutgoing_secretremote_policy_accessincoming_passwordoutgoing_passwordremote_trust_inforrqrrrrrt remote_lsa remote_policyremote_lsa_infolocal_old_netbios local_old_dnsremote_old_netbiosremote_old_dnsrlocal_netlogon_inforemote_netlogonremote_netlogon_dc_uncrr incoming_blob outgoing_blobcurrent_requestremote_tdo_handlelocal_tdo_handlelocal_forest_infolocal_forest_collisionremote_forest_inforemote_forest_collisionlocal_trust_verifylocal_trust_statuslocal_conn_statuslocal_validationremote_trust_verifyremote_trust_statusremote_conn_statusremote_validations@` rrzcmd_domain_trust_create.run sY JLL   "Z''"  % %K  ! ! N"#LMMM  Q"#OPPP8::  E"*"OI    8#P P   #+"DI !Cs99s;;466&)&@#+,( f $ $  , ,0O O , ,  , ,0P P , , ,  * *  , ,0O O , , ,  * *  , ,0P P , ,,-)  \  - -1[ [ - -  \  - -1[ [ - -  ! !  - -1Z Z - -  X  - -1W W - -  [  - -1Z Z - - H H H H H"D g % %/#2QQ ^$0L1A$B$B!"67H7O7OP[7\7\"]"]/#2RR ^$0L1A$B$B!"67H7O7OP[7\7\"]"] $   D D D /#2QQ ;"5"5c":":/#2RR ;"5"5c":": C$> > C$@ @ # 9 ; ; +.+E  (01  -&((!11S5TT11!11S5UU111 J..!11S5UU111 J..!11S5TT1112  .! a!22c6``22 a!22c6``22X%%!22c6__22 ]!22c6\\22  `!22c6__22..y+FF  V5577II V V V((u6TUU U V ]-1->->yJ]-^-^ *\>> ] ] ]((u6[\\ \ ] &+222&1888&***, - - -  Y 44XvFFMM Y Y Y))$7WXX X Y W7799JJ W W W))$7UVV V W ^/3/@/@Ma/b/b ,]OO ^ ^ ^))$7\]] ] ^ ',333'2999'+++- . . . />.H.O$+/>/C/J%,.2  73A3L3S  ) 04B4G4N  * 1$2$6  ! D/;BI 66|7@7:7\^^ @9CSSTT T D D D++E83[\\ D,,T5-a1:1A.CDDD D D D D D D D/<CI 66|7@7:7\^^ @9CSSTT T D D D++E83[\\ D,,T5-a1:1A.CDDD D D D D D D  I I#4#@#G  ;;M;l;DFFF IOO3 4 4 4+2jkkkl h"?? @O@Z@C@`@Q@A CC+* $hhh00u>fgggh,,->1@1K1R8N-PPP%UIOO$PQQQ q ,MMNdN\NgNnNVNikk+*(qqq"55dECopppq m'DD]ESE^EHEeEWEF HH0/ (mmm"55dECklllm001C5C5N5Uabbbc&*\\2D2Z[\2]%^%^"$(LL1C1XYZ1[$\$\!%+h.VV T T'9'I'I'I'9'Nq'Q'Q'Q'9'OPQ'R'R'R(T$$ T(:'I'I'I'9'Nq'Q'Q'Q'9'OPQ'R'R'R(T$ &)<<<@QU[Uh@h@h&'7888IOOJ1A$ABBB  H$4s7WWHIOO$DEEEh+@@AWAIAdABAOAZAacc,+ (hhh"55dECfgggh+/,,7J7`ab7c*d*d')-6I6^_`6a)b)b&*083[[ Y Y+>+N+N+N+>+STU+V+V+V+>+TUV+W+W+W-Y)) Y,?+N+N+N+>+STU+V+V+V+>+TUV+W+W+W-Y) +f.AAAEW[a[nEnEn*+<===  5F(FGGG  (   !23333     $   '  01111    #   %%%s!Q66 RRR R:: S SS !T88 UUU"U77 VVV!V;; W!WW!A [ \0'?\++\04A ]== _?_  _A ` a3*?a..a37A c d ?ddd,, e6e  ee-- f7fff.. g8ggg00 h:hhD4m== q+Cq&&q+!0s s8s33s8<(t%% u /uu  +v99 www#(x x2x--x21z99 {{{@,A@1@1 AA@;AAAAAE AE"E" AE6E1AE6E>AFF AF(F#AF() NNNNNNNFNFFFTrrrrrrrrrrfrrrrrrrrrrJ s**'H)-.0  xh"H-D !  # # # }8[777L%     ":(S%     %lS(    Xx***<&     !,9$    $\='    }?"    "=3   O+MZJW[CG6:49)- IIIIIIrrc ~eZdZdZdZejejeje dZ e dddddgd d d gZ d gZ ddZd S)cmd_domain_trust_deletezDelete a domain trust.rrz--delete-locationrTrrrz=Where to delete the trusted domain object: 'local' or 'both'.delete_locationrrNc j tj}|tjz}|tjz}|dkrd}n*tj}|tjz}|tjz}|||} |} n)#t $r} ||| dd} ~ wwxYw || |\} } n)#t $r} ||| dd} ~ wwxYw|j d| j j d| j j d| jdd}d}d}d}tj} ||_ | | |tj}n[#t$$rN} || t(jrt-d|z||| d d} ~ wwxYw|y |||}n)#t $r} ||| d d} ~ wwxYw |}n)#t $r} ||| dd} ~ wwxYw |||\}}n)#t $r} ||| dd} ~ wwxYw|j d |j j d|j j d|jd|j|jks4|j j |jj ks|j j |jj kr2t-d |jj d|jj d|jd  | j j |_ |||tj}nV#t$$rI} || t(js||| d |j zYd} ~ nd} ~ wwxYw|v| j|jks4| j j |jj ks| j j |jj kr2t-d|jj d|jj d|jd || |jj |_ | | |t:j}n1#t $r$} ||| d|j zd} ~ wwxYw| |d}|e |jj |_ |||t:j}n1#t $r$} ||| d|j zd} ~ wwxYw|| ||d}|j dnI#t $r<} |j d||| dzYd} ~ nd} ~ wwxYwdS)Nrrrrrrsrz$Failed to find trust for domain '%s'rrzLocalTDO inconsistend: Netbios[rz QueryTrustedDomainInfoByName(%s)z RemoteTDO inconsistend: Netbios[zOpenTrustedDomainByName(%s)zRemoteTDO deleted. z%s zDeleteObject() failed) rrrrrrrrrrrrrKrrrrLSA_TRUSTED_DOMAIN_INFO_INFO_EXrrrrrrrrrqrOpenTrustedDomainByNamerSEC_STD_DELETEr)rrrrrrrDrr"rqrrrrrr4remote_tdo_infor3rrtr&r'r(s rrzcmd_domain_trust_delete.rung s["Cs99s;; g % %#' #&#H C$> > C$@ @ ..y+FF  V5577II V V V((u6TUU U V ]-1->->yJ]-^-^ *\>> ] ] ]((u6[\\ \ ] &+222&1888&***, - - -  JLL  Y%I &CCLDMsOrttNN Y Y Y''x/WXX T"#IF#RSSS))$7WXX X Y + ] $ 8 86 J J  ] ] ]--dE;[\\\ ] [!;;==  [ [ [--dE;YZZZ [ b373D3DZQe3f3f0 b b b--dE;`aaa b IOOO+0777+6===+///1 2 2 2 "n&888#*n.I.PPP)0N4N4UUU"l#1#>#E#E#E#1#=#D#D#D#1#5#5#5$7888 E#1#<#C  ;;M6MOO!   @ @ @,,T5:W-6-=;?@@@ @  " "#3 4 4 4#   & A#2#>#E  66}7@7?7NPP"!  A A A--dE;X.7.><@AAA A  ( h''(9:::$(!  67777 h h h )@)@uNe)f)f fgggggggg h s5B B0B++B04C C4C//C4(E99 GA G  GG// H9HHH.. I8III22 J<JJ2N O ?OO2R R4R//R42T T2T--T281U** V042V++V0NNNNNrArrrrCrCQ s  'H)-.0  ":(S%    MJW[ rrCc ~eZdZdZdZejejeje dZ e dddddgd d d gZ d gZ ddZd S)cmd_domain_trust_validatezValidate a domain trust.rrz--validate-locationrTrrrz?Where to validate the trusted domain object: 'local' or 'both'.validate_locationrrNc  tj}|||} |} n)#t$r} ||| dd} ~ wwxYw || |\} } n)#t$r} ||| dd} ~ wwxYw|jd| j j d| j j d| j d tj } || _ | | | tj}n[#t $rN} || t$jrt)d|z||| dd} ~ wwxYw|jd |jj d|jj d|j d |}n)#t$r} ||| d d} ~ wwxYw ||t2jd |jj }n)#t$r} ||| d d} ~ wwxYw||jd }||jd }|jt2jzr(d|j d|jdd|jdd}n'd|j d|jdd|jdd}|tBj"ks|tBj"krt)||jd|z |j #dd}|jj d|}||t2j$d |}n)#t$r} ||| dd} ~ wwxYw||jd }d|j d|jdd}|tBj"krt)||jd|z|dkr |%||d}n)#t$r} |&|| dd} ~ wwxYw |'}n)#t$r} |&|| d d} ~ wwxYw ||t2jd | j j }n)#t$r} |&|| d d} ~ wwxYw||jd }||jd }|jt2jzr(d|j d|jdd|jdd}n'd|j d|jdd|jdd}|tBj"ks|tBj"krt)||jd|z |j #dd}| j j d|}||t2j$d |}n)#t$r} |&|| dd} ~ wwxYw||jd }d|j d|jdd}|tBj"krt)||jd|zdS)Nrrrrrsrr,QueryTrustedDomainInfoByName(INFO_EX) failedLocalTDO Netbios[rrrrrr rr r rr \ruz"NETLOGON_CONTROL_REDISCOVER failedzLocalRediscover: DC[rF)rrr zRemoteRediscover: DC[)(rrrrrrrrrrrKrrrrrFrrrrrrqrrrrrr}rrrrrrrreplaceNETLOGON_CONTROL_REDISCOVERrrr) rrrrrrrMrrqrrrrrrrr9r:r;r<rkdomain_and_serverlocal_trust_rediscoverlocal_rediscoverrtr.r=r>r?r@remote_trust_rediscoverremote_rediscovers rrzcmd_domain_trust_validate.run s"C..y+FF  V5577II V V V((u6TUU U V ]-1->->yJ]-^-^ *\>> ] ] ]((u6[\\ \ ] &+222&1888&***, - - - f I%I 66|7@7:7Z\\ N f f f''x/WXX d"#Y\b#bccc((u6dee e  f &3:::&2999&***, - - -  [!??AANN [ [ [((u6YZZ Z [ [33L4<4W454B4N4UWW    [ [ [((u6YZZ Z ["\\*<*RST*UVV LL);)PQR)STT  #h&N N L L1AAA1FqIII1GJJJ L   L 2AAA1FqIII1GJJJ L  !4 4 48IVM`8`8`/00 0 IOOJ)99 : : : \'7??bIIF,:,F,M,M,Mvv V 33L4<4X454EGG # "  \ \ \((u6Z[[ [ \!LL)?)TUV)WXX5EEE5J1MMMO  3 3 3/00 0 IOOJ)99 : : :  ' ' ] $ 8 86W\ 8 ] ]  ] ] ]--dE;[\\\ ] `"&"E"E"G"G ` ` `--dE;^___ ` `#889A9\9:9G9R9Y[[$#   ` ` `--dE;^___ `#',,/B/XYZ/["\"\ !%.A.VWX.Y!Z!Z "(8+SS Q Q#6#F#F#F#6#KA#N#N#N#6#LQ#O#O#O%Q!! Q$7#F#F#F#6#KA#N#N#N#6#LQ#O#O#O%Q! #f&999=OSYSf=f=f"#4555  -> >??? a,<DDT2NN0>0I0P0P0PRXRX$Y!#889A9]9:9JLL('   a a a--dE;_``` a"&.E.Z[\.]!^!^  $;#J#J#J#:#OPQ#R#R#R!T "V%888"#4555  -> >???s9 AAA#A== B#BB#$;D E8*A E33E89G G4G//G48,H%% I /II >AN N3N..N33Q Q2Q--Q26R R1R,,R15,S"" T,TT;AY Y0Y++Y0rJrArrrrLrL s""'H)-.0  $8Z(U'    MJW["ZZZZZZrrLc0eZdZdZdZejejedZ e dddgddd d e d d ddde dddddge dddddge dddddge ddddd ge d!dd"d#d$ge d%dd"d&d'ge d(dd)d*d+ge d,dd)d-d.ge d/ddd0d1ge d2ddd3d4ge d5ddd6d7ge d8ddd9d:ggZ d;gZ d d d d d dggggggggggggfd<Z d S)=cmd_domain_trust_namespaceszManage forest trust namespaces.z%prog [DOMAIN] [options]rz --refreshrTz check|store)checkrNzLList and maybe store refreshed forest trust information: 'check' or 'store'.refreshNrz --enable-allrQzATry to update disabled entries, not allowed with --refresh=check. enable_allFrz --enable-tlnr DNSDOMAINz?Enable a top level name entry. Can be specified multiple times. enable_tln)rSrOrPrrjz --disable-tlnz@Disable a top level name entry. Can be specified multiple times. disable_tlnz --add-tln-exzAAdd a top level exclusion entry. Can be specified multiple times. add_tln_exz--delete-tln-exzDDelete a top level exclusion entry. Can be specified multiple times. delete_tln_exz --enable-nb NETBIOSDOMAINzIEnable a netbios name in a domain entry. Can be specified multiple times. enable_nbz --disable-nbzJDisable a netbios name in a domain entry. Can be specified multiple times. disable_nbz --enable-sid DOMAINSIDz@Enable a SID in a domain entry. Can be specified multiple times.enable_sid_strz --disable-sidzADisable a SID in a domain entry. Can be specified multiple times.disable_sid_strz--add-upn-suffixzVAdd a new uPNSuffixes attribute for the local forest. Can be specified multiple times.add_upnz--delete-upn-suffixz^Delete an existing uPNSuffixes attribute of the local forest. Can be specified multiple times. delete_upnz--add-spn-suffixz[Add a new msDS-SPNSuffixes attribute for the local forest. Can be specified multiple times.add_spnz--delete-spn-suffixzcDelete an existing msDS-SPNSuffixes attribute of the local forest. Can be specified multiple times. delete_spnzdomain?c =d}||dkrtd|z|rtdt|dkrtdt|dkrtdt| dkrtdt| dkrtd t| dkrtd t|dkrtd t| dkrtd t| dkrtd t|dkr.|D])}|dstd|zd}t|dkr.|D])}|dstd|zd}|D]C}|D]>}||kr-td|zDt|dkr.|D])}|dstd|zd}t|dkr.|D])}|dstd|zd}|D]C}|D]>}||kr-td|zDnt|dkrtdt|dkrtdt|dkrtdt|dkrtd|4|dkrd}|r|dkrtd|zt|dkrtdt|dkrtdt| dkrtdt| dkrtdt| dkrtdt|dkrtd t| dkrtd!t| dkrtd"n |rhd}t|dkrtd#t| dkrtd$t| dkrtd%t|dkrd}t|dkrd}|D]C}|D]>}||kr-td&|zDt| dkr.| D])}|dstd'|zd}t| dkr.| D])}|dstd(|zd}| D]C}| D]>}||kr-td)|zDt| dkrd}t|dkrd}| D]C}|D]>}||kr-td*|zDg}| D]Q} t j|}n$#t$r}td+|zd}~wwxYw||Rg}| D]Q} t j|}n$#t$r}td,|zd}~wwxYw||Rt|dkrd}t|dkrd}|D]}|D]}||kr td-|z tj }|r|tj z}| ||} | }n)#t$r}|||d.d}~wwxYw |||\} }!n)#t$r}|||d/d}~wwxYw|jd0|!jjd1|!jjd2|!jd3|} |}"n)#t$r}|||d4d}~wwxYw ||"|}#n)#t$r}|||d5d}~wwxYw|#j|#jkr td6|#jd7|#jd8 |"|#jdd}$n#t$r}||t<jrtd9|j z||t<j!rtd9|j z||t<j"rtd9|j z|||d:d}~wwxYw|jd;|#|$|!jj< |$}%n)#t$r}|||d=d}~wwxYwd>tK|%&z}&d?d@g}' |%'|&tPj)dA|'B}(|(d})n.#tPj*$r}|+||dCd}~wwxYwg}*d?|)vr|*,|)d?g}+d@|)vr|+,|)d@|jdDt|*z|*D]$},|jdEdFdGdH|,d3%|jdIt|+z|+D]$},|jdEdFdGdH|,d3%|sdSd}-g}.|.,|*d}/g}0|0,|+|D]w}1t[|.D]N\}2},tK|,|1krtdJ|1zO|.|1d}-x|D]~}1d}3t[|.D]?\}2},tK|,|1kr=|2}3|3tdK|1z|..|3d}-|D]w}4t[|0D]N\}2},tK|,|4krtdL|4zO|0|4d}/x|D]~}4d}3t[|0D]?\}2},tK|,|4kr=|2}3|3tdM|4z|0.|3d}/|jdNt|.z|.D]$},|jdEdFdGdH|,d3%|jdOt|0z|0D]$},|jdEdFdGdH|,d3%tQj/}5|)j0|5_0|-r#tQj1|.tPj2d?|5d?<|/r#tQj1|0tPj2d@|5d@< |%3|5n.#tPj*$r}|+||dPd}~wwxYw |"|#jdd}6n)#t$r}|||d:d}~wwxYw|jdQ|#|6|!jj<dS tj4}7||7_|5| |7tj6}8n[#tn$rN}||tpj9rtdR|z|||dSd}~wwxYw|jdT|8j:jd1|8jjd2|8jd3|8j;tj<zstdU|z|. |}"n)#t$r}|||d4d}~wwxYw ||"|}#n)#t$r}|||d5d}~wwxYwdV}9|dkrtzj>}:|rd}9nd}: |"|#j|8jj|:};n)#t$r}|||d:d}~wwxYw |?| |8jtj@|;|9}|>,|=jBtjC}?t|>|?_D|>|?_B|r$t[|?jBD]j\}2}@|@jEtjFkr|?jB|2jGdkr2d|?jB|2_H|?jB|2xjGtjIzc_Gkt[|?jBD]\}2}@|@jEtj@kr|?jB|2jGdkr2d|?jB|2_H|?jB|2xjGtjJzc_G|?jB|2xjGtjKzc_G|D]}Ad}3t[|?jBD]R\}2}@|@jEtjFkr|@jLj|AkrP|2}3|3td\|Az|?jB|3jGtjIzstd]|Azd|?jB|3_H|?jB|3xjGtjIzc_G|D]}Ad}3t[|?jBD]R\}2}@|@jEtjFkr|@jLj|AkrP|2}3|3td^|Az|?jB|3jGtjMzrtd_|Azd|?jB|3_H|?jB|3xjGtjIzc_G|?jB|3xjGtjMzc_G| D]}Bd}3t[|?jBD]R\}2}@|@jEtjNkr|@jLj|BkrP|2}3|3td`|Bzda|Bz}Cd}3t[|?jBD]l\}2}@|@jEtjFkrda|@jLjz}D|C|Dkrtdb|Bz|CO|Dsj|2}3|3tdc|BztjP}@tjN|@_Ed|@_Gd|@_H|B|@jL_g}>|>,|?jB|>Q|3dVz|@t|>|?_D|>|?_B| D]}Bd}3t[|?jBD]R\}2}@|@jEtjNkr|@jLj|BkrP|2}3|3tdd|Bzg}>|>,|?jB|>.|3t|>|?_D|>|?_B| D]}Ed}3t[|?jBD]W\}2}@|@jEtj@kr|@jLjRj|EkrU|2}3|3tde|Ez|?jB|3jGtjJzstdf|Ezd|?jB|3_H|?jB|3xjGtjJzc_G|D]}Ed}3t[|?jBD]W\}2}@|@jEtj@kr|@jLjRj|EkrU|2}3|3tdg|Ez|?jB|3jGtjSzrtdh|Ezd|?jB|3_H|?jB|3xjGtjJzc_G|?jB|3xjGtjSzc_G|D]}d}3t[|?jBD].\}2}@|@jEtj@kr|@jLjT|kr,|2}3|3tdi|z|?jB|3jGtjKzstdj|Ezd|?jB|3_H|?jB|3xjGtjKzc_G|D]}d}3t[|?jBD].\}2}@|@jEtj@kr|@jLjT|kr,|2}3|3tdk|z|?jB|3jGtjUzrtdl|Ezd|?jB|3_H|?jB|3xjGtjKzc_G|?jB|3xjGtjUzc_G |?| |8jtj@|?d}Fn)#t$r}|||dWd}~wwxYw|jdm|#|?|8jj|FY tj4}7|8jj|7_|A| |7tj@}6n)#t$r}|||dZd}~wwxYw|jdQ|#|6|8jj<dS)nNFrz'--refresh=%s not allowed without DOMAINz'--enable-all not allowed without DOMAINrz'--enable-tln not allowed without DOMAINz(--disable-tln not allowed without DOMAINz'--add-tln-ex not allowed without DOMAINz*--delete-tln-ex not allowed without DOMAINz&--enable-nb not allowed without DOMAINz'--disable-nb not allowed without DOMAINz'--enable-sid not allowed without DOMAINz(--disable-sid not allowed without DOMAINz*.zEvalue[%s] specified for --add-upn-suffix should not include with '*.'TzHvalue[%s] specified for --delete-upn-suffix should not include with '*.'z@value[%s] specified for --add-upn-suffix and --delete-upn-suffixzEvalue[%s] specified for --add-spn-suffix should not include with '*.'zHvalue[%s] specified for --delete-spn-suffix should not include with '*.'z@value[%s] specified for --add-spn-suffix and --delete-spn-suffixz1--add-upn-suffix not allowed together with DOMAINz4--delete-upn-suffix not allowed together with DOMAINz1--add-spn-suffix not allowed together with DOMAINz4--delete-spn-suffix not allowed together with DOMAINz3--enable-all not allowed together with --refresh=%sz0--enable-tln not allowed together with --refreshz1--disable-tln not allowed together with --refreshz0--add-tln-ex not allowed together with --refreshz3--delete-tln-ex not allowed together with --refreshz/--enable-nb not allowed together with --refreshz0--disable-nb not allowed together with --refreshz0--enable-sid not allowed together with --refreshz1--disable-sid not allowed together with --refreshz3--enable-tln not allowed together with --enable-allz2--enable-nb not allowed together with --enable-allz3--enable-sid not allowed together with --enable-allz6value[%s] specified for --enable-tln and --disable-tlnzAvalue[%s] specified for --add-tln-ex should not include with '*.'zDvalue[%s] specified for --delete-tln-ex should not include with '*.'z8value[%s] specified for --add-tln-ex and --delete-tln-exz4value[%s] specified for --enable-nb and --disable-nbz7value[%s] specified for --enable-sid is not a valid SIDz8value[%s] specified for --disable-sid is not a valid SIDz6value[%s] specified for --enable-sid and --disable-sidrrrrrsrrrzThe local domain [z] is not the forest root [rz@LOCAL_DC[%s]: netr_DsRGetForestTrustInformation() not supported.rz Own forest trust information... rzfailed to connect to SamDBr uPNSuffixeszmsDS-SPNSuffixesz(objectClass=crossRefContainer)rzfailed to search partition dnz#Stored uPNSuffixes attributes[%d]: rorurprqz(Stored msDS-SPNSuffixes attributes[%d]: zBEntry already present for value[%s] specified for --add-upn-suffixz?Entry not found for value[%s] specified for --delete-upn-suffixzBEntry already present for value[%s] specified for --add-spn-suffixz?Entry not found for value[%s] specified for --delete-spn-suffixz#Update uPNSuffixes attributes[%d]: z(Update msDS-SPNSuffixes attributes[%d]: zfailed to update partition dnz#Stored forest trust information... rrOrPzItrusted domain object for domain [%s] is not marked as FOREST_TRANSITIVE.rrz"Fresh forest trust information... rz(lsaRQueryForestTrustInformation() failedz"Local forest trust information... z8Entry not found for value[%s] specified for --enable-tlnzGEntry found for value[%s] specified for --enable-tln is already enabledz9Entry not found for value[%s] specified for --disable-tlnzIEntry found for value[%s] specified for --disable-tln is already disabledz>Entry already present for value[%s] specified for --add-tln-exz.%sz:TLN entry present for value[%s] specified for --add-tln-exz>No TLN parent present for value[%s] specified for --add-tln-exz;Entry not found for value[%s] specified for --delete-tln-exz7Entry not found for value[%s] specified for --enable-nbzFEntry found for value[%s] specified for --enable-nb is already enabledz7Entry not found for value[%s] specified for --delete-nbzHEntry found for value[%s] specified for --disable-nb is already disabledz8Entry not found for value[%s] specified for --enable-sidzGEntry found for value[%s] specified for --enable-sid is already enabledz8Entry not found for value[%s] specified for --delete-sidzIEntry found for value[%s] specified for --disable-sid is already disabledz$Updated forest trust information... )Vrr!rWr'r%rr8 TypeErrorrrrrrrrrrrrrrKrrrrr forest_namerrrrrrqWERR_INVALID_FUNCTIONWERR_NERR_ACFNOTLOADEDrrrrrrrrrrarupoprrrrrrrrFrrrrqrrrrrrzrrtrrrNrxrtimeLSA_TLN_DISABLED_MASKLSA_NB_DISABLED_MASKLSA_SID_DISABLED_MASKrwrcryendswithForestTrustRecordinsertr|rkr<ri)Grrrrrr\r]r_r`rarbrgrhrdrerirjrkrlrequire_updatenrrrP enable_sidrrr disable_sidrrqrrrrr-own_forest_info local_samdblocal_partitions_dnrr stored_msgstored_upn_valsstored_spn_valsr| replace_upnupdate_upn_vals replace_spnupdate_spn_valsupnridxspn update_msgstored_forest_inforrlsa_update_checknetlogon_update_tdofresh_forest_infofresh_forest_collisionr5rtupdate_forest_inforRr~tln_extln_dotr_dotnbupdate_forest_collisionsG rrzcmd_domain_trust_namespaces.run s$  >'!!"#Lw#VWWW N"#LMMM:"""#LMMM;!##"#MNNN:"""#LMMM=!!A%%"#OPPP9~~!!"#KLLL:"""#LMMM>""Q&&"#LMMM?##a''"#MNNN7||a ttA<<--! &'nqr'rsss!%:""#wwA<<--! &'qtu'uvvv!% o o#ooAwwyyAGGII-- &'ilm'mnnno 7||a ttA<<--! &'nqr'rsss!%:""#wwA<<--! &'qtu'uvvv!% o o#ooAwwyyAGGII-- &'ilm'mnnno o 7||a"#VWWW:"""#YZZZ7||a"#VWWW:"""#YZZZ  '!!!% dg00"#X[b#bccc:"""#UVVV;!##"#VWWW:"""#UVVV=!!A%%"#XYYY9~~!!"#TUUU:"""#UVVV>""Q&&"#UVVV?##a''"#VWWW( ^!%z??Q&&&'\]]]y>>A%%&'[\\\~&&**&'\]]]:""!%;!##!% e e$eeAwwyyAGGII-- &'_bc'cddde :""#ppA<<--! &'jmn'nooo!%=!!A%%&ssA<<--! &'mpq'qrrr!% g g&ggAwwyyAGGII-- &'ade'efffg 9~~!!!%:""!% c c#ccAwwyyAGGII-- &']`a'abbbc J# ' 'f"*1--CC fff&'`cd'deeef!!#&&&&K$ ( (g"*1--CC ggg&'ade'efffg""3'''':""!%;!##!% e e$eeAAvv &'_bc'cddde "C  > 3#= = ..y+FF  V5577II V V V((u6TUU U V ]-1->->yJ]-^-^ *\>> ] ] ]((u6[\\ \ ] &+222&1888&***, - - - > _!%!C!C!E!E _ _ _,,T5:]^^^ _ \&*&?&?P\&]&]## \ \ \,,T5:Z[[[ \#.2E2QQQ"l#6#B#B#B#6#B#B#B$DEEE h"0"R"RSfSmSWYZ#\#\ h h h++E63YZZ;&'i'+'8(:;;;++E63OPP;&'i'+'8(:;;;++E63PQQ;&'i'+'8(:;;;,,T5:fggg h IOO? @ @ @  ( (-;-F-M ) O O O X"<<>>  X X X,,T5:VWWW X#5s;;X;X;Z;Z7[7["[ "$67E W"))/B035V05*77"!W < W W W((u6UVVV W!O **&&z-'@AAA O!Z//&&z2D'EFFF IOOBSEYEYY Z Z Z$ D D BBBB BCCCC IOOG#oJ^J^^ _ _ _$ D D BBBB BCCCC! K O  " "? 3 3 3K O  " "? 3 3 3 # #%o66EEDAq1vv||~~44*,>@C,DEEE5 &&s+++" ! # #%o66DAq1vv||~~44 C;&'hkn'nooo##C((("  # #%o66EEDAq1vv||~~44*,>@C,DEEE5 &&s+++" ! # #%o66DAq1vv||~~44 C;&'hkn'nooo##C(((" IOOBSEYEYY Z Z Z$ D D BBBB BCCCC IOOG#oJ^J^^ _ _ _$ D D BBBB BCCCCJ&MJM N,/,>?B?S?L-N-N =) X141CODGDXDV2X2X -. W"":....< W W W((u6UVVV W h%3%U%UViVpVZ\]&_&_"" h h h,,T5:fggg h IOOB C C C  ( ();-;-F-M ) O O O F f I%I 66|7@7:7Z\\ N f f f''x/WXX d"#Y\b#bccc((u6dee e  f &3:::&2999&***, - - - .1ZZ ujmsstt t   _!%!C!C!E!E _ _ _,,T5:]^^^ _ \&*&?&?P\&]&]## \ \ \,,T5:Z[[[ \ ! '!!&.&A#)'($&'# h #DDEXE_ESE_EfEXZZ"!  h h h,,T5:fggg h d;;Lhiiij  FGGG,,-?1?1K1R-TTT F  b I-9@I 99,:C:=:Z\\   b b b((u6`aa a b =>>> $$%6)7)C)J % L L L  F(0111 799#&w<< %,"  R!"4"<== R R16S@@@%-a06!;;56"*1-2"*1-338Q7QQ333!"4"<== R R16S===%-a06!;;56"*1-2"*1-338P7PP33"*1-338Q7QQ333 P PCC!"4"<==  16S@@@&-3355DD{"#]`c#cddd%-c283;TT t"#lor#rsss34  &s + 0  &s + 1 1c6O5O O 1 1 1 P PCC!"4"<==  16S@@@&-3355DD{"#^ad#deee!)#.4s7QQ v"#nqt#tuuu34  &s + 0  &s + 1 1c6O5O O 1 1  &s + 1 1S5O O 1 1 1 & 1& 1FC!"4"<==  16SCCC&-3355GG"#cfl#lmmmfllnn,GC!"4"<==  16S@@@ 3 : @ @ B BBe##&'cfl'lmmm''..{"#cfl#lmmm%''A;AFAGAF)/A  &G NN-5 6 6 6 NN37A & & &'*7||  $)0  & &# 1 1FC!"4"<==  16SCCC&-3355GG{"#`ci#ijjjG NN-5 6 6 6 KK   '*7||  $)0  & & O OBC!"4"<==  16S===&:AGGIIRXXZZWW{"#\_a#abbb%-c283;SS r"#knp#pqqq34  &s + 0  &s + 1 1c6N5N N 1 1 1 O OBC!"4"<==  16S===&:AGGIIRXXZZWW{"#\_a#abbb!)#.4s7PP t"#mpr#rsss34  &s + 0  &s + 1 1c6N5N N 1 1  &s + 1 1S5N N 1 1 1 P PCC!"4"<==  16S===&1S88{"#]`c#cddd%-c283;TT s"#loq#qrrr34  &s + 0  &s + 1 1c6O5O O 1 1 1 P PCC!"4"<==  16S===&1S88{"#]`c#cddd!)#.4s7QQ u"#nqs#sttt34  &s + 0  &s + 1 1c6O5O O 1 1  &s + 1 1S5O O 1 1 1 `&/&M&MlN\NhNQNnN`bc'e'e # # ` ` `((u6^__ _ ` ?@@@ $$%7)7)C)J0G % I I I b I-9@I !*!J!J??? $$%7)7)C)J % L L Ls-(Z== [[[>\ \4\//\4 _"" `,`` `&& a 0aa b%% c /cc c&& d 0dd e h('B>sLXRd?ff _ ] V V V" +((***OQTUU U V   """ H*M:; < < < < d|_d|_d|_d|_dS)NFru) is_defunct unknown_oidrldifrws rrizldif_schema_update.__init__s# rc|j\}}|tjkr |jrt d|jzdS|j!t d|jd|jdSdS)z>Checks if we can safely ignore failure to apply an LDIF updatez)Defunct object %s doesn't exist, skippingTNzSkipping unknown OID z for object F)rrERR_NO_SUCH_OBJECTrrrr)rrnumrs rcan_ignore_failurez%ldif_schema_update.can_ignore_failurest f #( ( (T_ ( =G H H H4   ) ET=M=M=MtwwW X X X4urc ||jdgnj#tj$rX}|jdtjkr2|||jdgnYd}~nd}~wwxYwnz#tj$rh}||rYd}~dStd|ztdtdtd|jzd}~wwxYwd S) z*Applies a single LDIF update to the schemazrelax:0)rrN Exception: %sz4Encountered while trying to apply the following LDIFz4----------------------------------------------------rr) modify_ldifrrrrERR_INVALID_ATTRIBUTE_SYNTAXset_schema_update_nowrr)rrrPs rapplyzldif_schema_update.applysA  !!$)yk!BBBB<   6!9 @@@//111%%di9+%FFFFGFFFF |   &&q)) qqqqqo)***LMMMLMMMdTY&''' qs?!B BAB>B BB DC>6AC>>DN)rrrrrirrrrrrrsG77   rrc eZdZdZdZejejejdZ e ddde dd e d d d d e dddd e dddddgdde de dde de ddgZ dZ d Zd!ZdS)"cmd_domain_schema_upgradezDomain schema upgradingrrgrrrrrrr]r^r_rQr`rkrlrmz--schemarTSCHEMArIrJ#t$r1}|jd|zt dd}~wwxYwddlm}d}|d}|d}| }| |} |d } |d } |d } |d } d}t| t| | }|d'| ddtdd}tj||}t%|t'|d }||krt d| r| d}ng}|| }||tjdg}t3|dkrt dt5|ddddz}t7d}| yt9j}t7d} |||nG#t<$r:}td|zt?j |t dd}~wwxYw|} tC||dzD]S}d|z}|"|tFj$%tFj$&||dz}|rtFj$'|r tQj)d|d|gtPj*tPj*| }n8#tVtXf$r$t?j |t d!wxYw|-\}}|j.r8td"|d#|t?j |t dtd$|d%|U| t7d&} |/d}d} |D]} ||0|| | z }|dkr$|1td'n#td(|2nN#t<$rA}td)|ztd*|2d}Yd}~nd}~wwxYw|r| dd+|rt?j ||rt ddS),Nr)read_ms_markdownz$Exception in importing markdown: %s zIFailed to import module markdown, please install python3-markdown package)SchemaFrrrschemaldf_filerrdsdb:schema update allowedr;Temporarily overriding 'dsdb:schema update allowed' settingT%This server is not the schema master.r objectVersion)rrrrz*Could not determine current schema versionzadprep/WindowsServerDocsz*adprep/WindowsServerDocs/Schema-Updates.mdz!Exception in markdown parsing: %szFailed to upgrade schemaz Sch%d.ldfz.diffpatchz-i)rrrscwdz6Failed to upgrade schema. Is '/usr/bin/patch' missing?zException in patch: rzPatched z using adprepzSchema successfully updatedzNo changes applied to schemarz*Error encountered, aborting schema upgrader)3samba.ms_schema_markdownr ImportErrorrrr samba.schemarr+rrurr rrrrget_dsServiceNamerrrr~ get_versionrrr!rr>r0mkdtempr7shutilrmtreerangerrwr-r2rrryrzr{OSErrorIOErrorr| returncoderrrr)!rrrrPrupdates_allowed_overriddenrrrrpr target_schema ldf_filesr temp_folderrown_dnmasterschema_updatesrrstartdiff_dirrversionupdatediffrrrrsrerror_encounteredrs! rrzcmd_domain_schema_upgrade.runs l A A A A A A A l l l IOOCaG H H Hjkk k l ('''''%*"JJ{++ ::j))  # # % %((,, JJsOO 8,, JJz** ::j)) !.*:*:RTUUU 66. / / 7 FF/ 7 7 7 O P P P)- &u668899#E3u/F/F/H/H+I+I$,.. V  FGG G 7 B&__S11NNN$$]33C,,E$;$;$=$=%(^O;LNNC3xx1}}"#OPPPA/233a7E!"<==H&.00 ()UVV C$$[+>>>> CCC=ABBBM+...&'ABBBC ' a00 B B$w.%%f---wrw||Hfw>N'O'OPPB27>>$#7#7BK&,gvtT-J4>O4>OVVV$W-KKK k222*,JKKKK &']]__NFF|GfffffMNNN k222*+EFFFE66644@AAA  !(++H !!!! %+ H H ++E9hGGGqyy((***344444555((*** % % % /A% & & & > ? ? ?  $ $ & & & $        % & 7 FF/ 6 6 6  ' M+ & & &  ;9:: : ; ;sO A,?A J++ K/55K**K/0N775O,A,S33 T>=7T99T>)rrrrrrrrrrrrrrrrrrrrr s8!! H)-. tW#JQT3 ( ( (tYZ EEEt[|LIIIz( *R  " " " |#tX Z Z Z|#tJ L L L MQQQf&{;{;{;{;{;rrc eZdZdZdZejejejdZ e ddde dd e d d d d e dddd e dddgddde dd de dd dgZ dZ dS) cmd_domain_functional_prepz#Domain functional level preparationrrgrrrrrrr]r^r_rQr`rkrlrmrrTFUNCTION_LEVELrGrrJriz --forest-prepzJRun the forest prep (by default, both the domain and forest prep are run).rRz --domain-prepzJRun the domain prep (by default, both the domain and forest prep are run).c d}|d}|d}|}||}|d}t|d}|d} |d} t |t ||} |d '|d d td d }| | d } d } tj | | } | rEt| t| d } | | krtd| r?| }d|z}t| |d} | | krtd| r| d} ddlm}|| d }|gd||t*d | n?#t.$r2}td|z| d }Yd}~nd}~wwxYw| r| d} ddlm}|| d }||t6d | n?#t.$r2}td|z| d }Yd}~nd}~wwxYw|r|d d|rtddS)NFrrrrE forest_prep domain_preprrrrTrrzCN=Infrastructure,infrastructurez-This server is not the infrastructure master.r) ForestUpdate)fix)5OPQRS)update_revisionr) DomainUpdaterz!Failed to perform functional prep)r+rrustring_version_to_constantrr rrrrrrrrrrrsamba.forest_updater check_updates_iteratorcheck_updates_functional_levelr2rr7rsamba.domain_updaterr1)rrrrrrrpr target_levelrrrrrrinfrastructure_dnrr rrPrrs rrzcmd_domain_functional_prep.run8s%*"JJ{++ ::j))  # # % %((,, JJsOO1&**=M2N2NO jj// jj// !.*:*:RTUUU 66. / / 7 FF/ 7 7 7 O P P P)- &  ;#6KKu668899  L's53J3J3L3L/M/M(022F"#JKKK  T))I 4y @ '/@(8::F"#RSSS  )  # # % % % %  )<<<<<<%e666--.F.F.FGGG55l6PFJ6LLL((**** ) ) )o)***((***$(!!!!!! )  )  # # % % % %  )<<<<<<%e66655l6MFJ6LLL((**** ) ) )o)***((***$(!!!!!! ) & 7 FF/ 6 6 6  DBCC C D Ds2 AH<< I8(I33I8AK L#(LLNr7rrrrrs-- H)-. tW#JQT3 ( ( (tYZ EEEt[|LIII!:J555R  " " " |` b b b|` b b b MMDMDMDMDMDrrceZdZdZiZe eed<eed<eed<eed<e re ed<e ed<e ed <e ed <eed <eed <eed <eed<eed<eed<eed<eed<dSdS) cmd_domainzDomain management.N exportkeytabr,rrdemoter;dcpromolevelpasswordsettingsclassicupgrade samba3upgradetrust tombstones schemaupgradefunctionalprepbackup)rrrrrVrrrzrr-rrrfrrTrXrcrrrrrCrrrrrslK+&>&>&@&@ N#)/++K)/++K++--K~ 4 1 1 3 3 H#7#7#9#9 K !3!3!5!5 I//11 G*E*E*G*G &'(A(A(C(C $%'?'?'A'A O$//11 G$9$9$;$; L!'@'@'B'B O$(B(B(D(D $% 1 1 3 3 H 4 4rr) samba.getoptgetoptrrrwrryrandomr0loggingryrtrr4rrrr samba.netrr r samba.ntacls samba.joinr r samba.authr samba.samdbrr samba.ndrrr samba.dcerpcrrrrrrrsamba.dcerpc.samrrr samba.netcmdrrrrsamba.netcmd.fsmorsamba.netcmd.commonr r!r"r# samba.samba3r$r%r samba.upgrader&samba.drs_utilsr'r(r)r*samba.auth_utilr+ samba.net_s3r samba.paramr,r- samba.dsdbr.r/r0r1r2r3r4r5r6r7r8r9r:samba.provisionr;r<r=r>samba.provision.commonr?r@rAsamba.netcmd.psorBsamba.netcmd.domain_backuprC samba.commonrDsamba.trust_utilsrErFrrrbrxrdrrrrrrfrzrrrr%r9rTrXrcrrfrmrrrrrCrLrZrrrrrrrrrrrDs? 2  00000000******))))))))%%%%%%88888888)))))))) !!!!!!!!!!!!!!!!!!VVVVVVVV 100000AAAAAA4444444444 ))))))------++++++BBBBBBBBBB//////&&&&&&$$$$$$   =<<<<<888888######666666* #) F?:<>>> F =>>> F 8^5>88::;<<< F !@AAA F=%AMMM F4LAAA!& F:Ls333 F8.s333 F #8    F?3G:::R$ %%%  F4< EEE   F=L      BBBBBB7BBBB$$$#$4EEEEEgEEE>EEEEE7EEEP 8W8W8W8W8W8W8W8Wvh_h_h_h_h_gh_h_h_V#####w### > > > >| > > >=====L===55555555p{;{;{;{;{;{;{;{;|gDgDgDgDgDgDgDgDT4444444444s H55H?>H?