bӃ0LdZdZddlmZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlmZmZddlmZddlZddlmZddlmZmZdd lmZdd lmZdd lmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&dd l'm(Z(m)Z)dd l*m+Z+m,Z,ddlm-Z-m.Z.m/Z/ddl0m1Z1ddl2m3Z3ddl4m5Z5m6Z6m7Z7ddl8m9Z9m:Z:ddl;mZ>m?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPmQZQddlRmSZSmTZTmUZUmVZVmWZWmXZXmYZYddlZm[Z[m\Z\m]Z]m^Z^ddl_Zddl`ZddlambZbddlcmdZdddlemfZfddlgmhZhddlcmiZidZjdZkdZldZmd ZnGd!d"eoZpGd#d$eoZqd%Zrdid'Zsd(Ztd)Zud*ZvGd+d,eoZwd-Zxd.Zyd/Zzd0Z{d1Z|d2Z} djd3Z~ dkd4Zd5Z dld6Zddddd7e,fd8Zd9Zd:Zd;Zd<Zd=Zd>Z dmd?Zd@ZdAZdBZdCZ dndDZ dodEZdFZdGZdHZefdIZdJZdKZdLZdMZdNZdOZdidPZdQZddeVdddRdddddddddddddd&dd&d&ddfdSZdTdUdVdVdVdUdVdVdUdTdTdW ZdXZdYZdpd[Zdqd\Zdqd]ZddeVddddddddddddRddddddddddddddddddddd&d&dd&d&ddd^d_d&ddd&f0d`Z drdaZdbZGdcddeZGdedfeZGdgdheZdS)sz/Functions for setting up a Samba configuration.restructuredText) b64encodeN)system_session admin_session)system_session_unix)auth)smbdpassdb)param)DS_DOMAIN_FUNCTION_2000) LdbMAX_NETBIOS_NAME_LENcheck_all_substitutedis_valid_netbios_char setup_filesubstitute_varvalid_netbios_nameversionis_heimdal_built)securitymisc) SEC_CHAN_BDCSEC_CHAN_WKSTA)DS_DOMAIN_FUNCTION_2003DS_DOMAIN_FUNCTION_2008_R2 ENC_ALL_TYPES)IDmapDB) read_ms_ldif)setntaclgetntacl dsacl2fsacl)ndr_pack ndr_unpack) LDBBackend)get_empty_descriptorget_config_descriptor get_config_partitions_descriptorget_config_sites_descriptor!get_config_ntds_quotas_descriptor'get_config_delete_protected1_descriptor)get_config_delete_protected1wd_descriptor'get_config_delete_protected2_descriptorget_domain_descriptor$get_domain_infrastructure_descriptorget_domain_builtin_descriptorget_domain_computers_descriptorget_domain_users_descriptor!get_domain_controllers_descriptor'get_domain_delete_protected1_descriptor'get_domain_delete_protected2_descriptorget_dns_partition_descriptor'get_dns_forest_microsoft_dns_descriptor'get_dns_domain_microsoft_dns_descriptor'get_managed_service_accounts_descriptor) setup_pathsetup_add_ldifsetup_modify_ldif FILL_FULLFILL_SUBDOMAIN FILL_NT4SYNCFILL_DRS)get_dnsadmins_sid setup_ad_dnscreate_dns_dir_keytab_linkcreate_dns_update_list)Schema)SamDB)dbcheck)create_kdc_conf)get_default_backend_storez$31B2F340-016D-11D2-945F-00C04FB984F9z$6AC1786C-016F-11D2-945F-00C04FB984F9zDefault-First-Site-NamelastProvisionUSNceZdZdZdS)ProvisionPathscd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_dSN) shareconfhklmhkcuhkcrhkuhkpdhkptsamdbidmapdbsecretskeytab dns_keytabdnswinsdb private_dir binddns_dir state_dirselfs :/usr/lib/python3/dist-packages/samba/provision/__init__.py__init__zProvisionPaths.__init__s          N__name__ __module__ __qualname__rcrdrbrLrLs#rdrLceZdZdZdS)ProvisionNamescd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_d|_i|_dSrN)ncsrootdndomaindnconfigdnschemadn dnsforestdn dnsdomaindn ldapmanagerdn dnsdomainrealm netbiosnamedomainhostnamesitenamesmbconf domainsid forestsid domainguidname_mapr`s rbrczProvisionNames.__init__s    !      rdNrerirdrbrkrks#rdrkc t}d|_|d|_|d|_|j|_tj |j}|j|_| d|jzdtj dg}t|ddd d |_||_| d d tjgd } t| dd d|_t| ddd|_tj||tj|| ddddksXt-d|jdt| ddddd|jd|d t| ddd|_t| ddd|_| dd|_d|_d|_t;dt=|jD]f} t|j| } dt|jz} | | kr| |_Adt|jz} | | kr| |_fg| ddt|jztjdg}t|dd|_ | d|jzd|ztjdg}t=|dkrt-d|jd |t|ddd!|jzd |_!| d"|dj"zg|j#}t|dj"|_#| d d$t|j#ztjd%d&g}ttItJj&|dd'd|_'ttItJj&|dd&d|_(| d |tjgd(}ttItJj&|dd&d|_)tItTj+|dd)d|_,tItTj+|dd)d|_-|dd**t]|dd*dt^kr t^|_0n&t]|dd*d|_0| d+tbzd,|ztjdd-g}t|ddd.d d/d |_2| d+tfzd,|ztjdd-g}t=|d0krIt|ddd.d d/d |_4nd|_4| d1t|j,d2tTj5d3d4d5g6}t=|d0kr1t-d7t|j,d2tTj5t|dd5dd8kr't]|dd4d|_6n=toj8t]|dd4dj9|_6| d9tj d:gd;g<}t=|dkrd=}nd>}| d?|jztj d:gd;g<}t=|dkrd=}nd>}|j|rd@|_:ndA|_:n|s|rdB|_:ndC|_:tw||j}t||j<dD<|S)EaGet key provision parameters (realm, domain, ...) from a given provision :param samdb: An LDB object connected to the sam.ldb file :param secretsdb: An LDB object connected to the secrets.ldb file :param idmapdb: An LDB object connected to the idmap.ldb file :param paths: A list of path to provision object :param smbconf: Path to the smb.conf file :param lp: A LoadParm object :return: A list of key provision parameters N workgrouprvz (flatname=%s)zCN=Primary DomainssAMAccountName expressionbasescopeattrsr$z(objectClass=*))defaultNamingContextschemaNamingContextconfigurationNamingContextrootDomainNamingContextnamingContextsrrrutf8z basedn in z (z ) and from z)is not the same ...rrzDC=ForestDnsZones,%szDC=DomainDnsZones,%sz(objectClass=site)z CN=Sites,cnz(CN=%s)zOU=Domain Controllers,%s dNSHostNamezUnable to find DC called CN=z under OU=Domain Controllers,.zserverReference=%s)rrrCN=NTDS Settings,%s invocationID objectGUID invocationId)r objectSidmsDS-Behavior-Versionrrz (name={%s})zCN=Policies,CN=System, displayName{}z(cn=-) xidNumbertype)rrz.Unable to find uid/gid for Domain Admins rid ( ID_TYPE_BOTHz(samaccountname=dns)dnsearch_options:1:2)rrrcontrolsTFz(samaccountname=dns-%s) BIND9_DLZSAMBA_INTERNALBIND9_FLATFILENONE DnsAdmins)=rk adminpassgetupperrxrvlowerrusambadn_from_dns_namesearchldb SCOPE_SUBTREEstrreplacerwr{ SCOPE_BASErprqDndecodeProvisioningErrorrVrornrmrrrsrangelenSCOPE_ONELEVELrzryrserverdnr#rGUID invocationntdsguidr~rdom_sidr|r}intr domainlevelDEFAULT_POLICY_GUIDpolicyidDEFAULT_DC_POLICY_GUID policyid_dcDOMAIN_RID_ADMINISTRATORroot_gidpwdgetpwuidpw_gid dns_backendr@r)rV secretsdbrWpathsr{lpnamesbasednrescurrentincrrrsres3res4 server_resres5res6res7res8res9res10has_legacy_dns_accountres11has_dns_accountdns_admins_sids rbfind_provision_key_parametersrs   EEO66+&&,,..EL&&//EKk''))EO  #EO 4 4F+##%%EK   o <'(.B!$!2;K:L  N NCCF#3455==c2FFEEMll&7 "#."4"4"455G $@A!DEEEN$9:1=>>EN F5& ! !cfU-4QZ8N-OPQ-R-Y-YZ`-a-a'c'c d d:?+++:=gajI_>`ab>c>j>jkq>r>r:s:s:s:s:?---"QSS S $:;A>??ENwqz";+>>cFXae`f  h hDa''EN <<9u/@#@7&@!0  I ID 4yyA~~chctctctv|v| }~~~a/0088u9NPRSSEN)=Q )J$&U^==JA)**EN <<#42S5H5HH!n-|<  > >D:dia1H1KLLMMEDItAw|/DQ/GHHIIEN <<#46!n5[5[5[  \ \D:dia1Fq1IJJKKE !147;3G3JKKEO !147;3G3JKKEO Aw{{*++3 Q/03 4 47N N N3Q(? @ CDD <<=3F#F5>!0}8M  O ODa''//R88@@bIIEN <<=3I#I5>!0#]3  5 5D 4yyA~~Q ..66sB??GGRPP  >>>u////1R1R1R&T!,f 5  7 7D 4yyA~~Y\]b]lYmYmYmYmowpQpQ!RSS S 476?1 .00T!W[1!455c$q'+*>q*A&B&BCCJ LL$:"0#7"8  : :E E Q!%!& LL$=@Q$Q"0#7"8  : :E E Q $  1 +E   0E   #2#,"&uen==N"%n"5"5EN; LrdFc:g}|s|dtjtdg}|dtD]Z}t jdt |st |d|}|t |[||d|d|tj}tj|d|_ tj |tj t|t<|ddtjdg }t|dkst|ddkr#tj |tj d|d<||d S) a_Update the field provisionUSN in sam.ldb This field is used to track range of USN modified by provision and upgradeprovision. This value is used afterward by next provision to figure out if the field have been modified since last provision. :param samdb: An LDB object connect to sam.ldb :param low: The lowest USN modified by this upgrade :param high: The highest USN modified by this upgrade :param id: The invocation id of the samba's dc :param replace: A boolean indicating if the range should replace any existing one or appended (default) @PROVISIONr)rrrr;rzprovisionnerID=*provisionnerIDrN)rrrLAST_PROVISION_USN_ATTRIBUTErerappendMessagerrMessageElementFLAG_MOD_REPLACEr FLAG_MOD_ADDmodify) rVlowhighidrtabentryedeltas rbupdate_provision_usnrVs C  ,#&>$@$#GIIq67  A9S#a&&)) +"1vvvvrr* JJs1vv    JJSSS$$$+,,, KMMEve\**EH 3/7 9 9 &' LL$6*#. 01  3 3E 5zzQ#eAh--1,,"%"4R9IK["\"\ LLrdc"g}||d|d|tj}tj|d|_tj|tjt|t<||dS)aSet the field provisionUSN in sam.ldb This field is used to track range of USN modified by provision and upgradeprovision. This value is used afterward by next provision to figure out if the field have been modified since last provision. :param samdb: An LDB object connect to sam.ldb :param low: The lowest USN modified by this upgrade :param high: The highest USN modified by this upgrade :param id: The invocationId of the provisionrrrN) rrrrrrrradd)rVrrrrrs rbset_provision_usnrs CJJSSS$$$+,,, KMMEve\**EH 3+7 9 9 &' IIerdcl|d|tjdggd}|ddS)a This function return the biggest USN present in the provision :param samdb: A LDB object pointing to the sam.ldb :param basedn: A string containing the base DN of the provision (ie. DC=foo, DC=bar) :return: The biggest USN in the provisionz objectClass=* uSNChanged)rzserver_sort:1:1:uSNChangedzpaged_results:1:1)rrrrrr)rrr)rVrrs rb get_max_usnrsJ ,,/ .|n!6!6!6  7 7C q6, rdc |dtzdtjtdg}n8#tj$r&}|j\}}|tjkrYd}~dSd}~wwxYwt|dkrMg}i}tj d}|d dr3|ddD]$}| t|%|dtD]} t|  d} t| d kr | d } nd } t|dkr| |vrZ| | d} | | g|| <||  | d||  | d |SdS) aGet USNs ranges modified by a provision or an upgradeprovision :param sam: An LDB object pointing to the sam.ldb :return: a dictionary which keys are invocation id and values are an array of integer representing the different ranges z%s=*rrrNrrrrdefault)rrrrLdbErrorargsERR_NO_SUCH_OBJECTrrcompilerrrsplit) samre1ecodeemsgmyidsrprrtab1rtab2s rbget_last_provision_usnrs f/K&K ,CN">@P!QSS <  C* * *44444   5zzA~~ Jt   8<<( ) ) %1X./ % % SVV$$$$q67 & &Aq66<<$$D4yyA~~!WE Q2U??7747##Dyy}}$b "I  T!W % % % "I  T!W % % % % ts25A*A%$A%%A*ceZdZdZdZdZdS)ProvisionResultzResult of a provision. :ivar server_role: The server role :ivar paths: ProvisionPaths instance :ivar domaindn: The domain dn, as string cd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ dSrN) server_rolerrorrVidmaprr|adminpass_generatedrbackend_resultr`s rbrczProvisionResult.__init__sX     #' "rdc|d|jr|d|j|d|j|d|jj|d|jj|d|jj|d|j|j r|j |dSdS) z)Report this provision result to a logger.zMOnce the above files are installed, your Samba AD server will be ready to usezAdmin password: %szServer Role: %szHostname: %szNetBIOS Domain: %szDNS Domain: %szDOMAIN SID: %sN) inforrrrryrxrur|r report_logger)raloggers rbrzProvisionResult.report_loggers       # E KK3T^ D D D /1ABBB /1DEEE /1BCCC /1EFFF /@@@   6   - -f 5 5 5 5 5 6 6rdN)rfrgrh__doc__rcrrirdrbrrs< # # #66666rdrcj|D]} ||cS#t$rYwxYwtd|z)zFind a user or group from a list of possibilities. :param nssfn: NSS Function to try (should raise KeyError if not found) :param names: Names to check. :return: Value return by first names list. zUnable to find user/group in %r)KeyError)nssfnrnames rbfindnssr s` 5;;       D  4u< = ==s   cBttj|dSNr)r rgetpwnamrs rb findnss_uidr% 3< ' ' **rdcBttj|dSr")r grpgetgrnamr$s rb findnss_gidr* r&rdc t|}nC#t$r6}|||dd}Yd}~nd}~wwxYw|S)NzAssuming root user has UID zeror)r%rr)rootrroot_uidrs rb get_root_uidr. smt$$  A 5666 Os A,A  Act}|d|_|d|_|d|_d|_d|_tj |jd|_ tj |jd|_ tj |jd|_ tj |jd |_ tj |jd |_tj |jd |_tj |jd |_tj |jd |_tj |jd|_tj |jd|_tj |jd|_tj |jd|_tj |jd|dz|_tj |jd|_tj |jd|_tj |jd|_d|_d|_d|_d|_d|_d|_|dd|_ |dd|_!|j"|_#|S) ztSet the default paths for provisioning. :param lp: Loadparm context. :param dnsdomain: DNS Domain name private dir binddns dirstate directoryz dns.keytabsecrets.keytabz share.ldbzsam.ldbz idmap.ldbz secrets.ldbz privilege.ldbdns_update_listspn_update_list krb5.confzkdc.confzwins.ldbldapizencrypted_secrets.keyr[z.zonez named.confznamed.conf.updatez named.txtzhklm.ldbzhkcr.ldbzhkcu.ldbzhku.ldbzhkpd.ldbzhkpt.ldbpathsysvolnetlogon)$rLrr]r^r_rZrYosr8joinrOrVrWrX privileger4r5krb5confkdcconfr\ s4_ldapi_pathencrypted_secrets_key_pathr[ namedconfnamedconf_updatenamedtxtrPrRrQrSrTrUr9r: configfiler{)rrurs rbprovision_paths_from_lprFsu   E}--E}--Eff.//EO$E#ELgll5#4kBBEO',,u0)<>EL',,u'8'BBE')w|| (!(!E$ U.y77JKKEIgll5#4lCCEOW\\%*;=PQQEW\\%"3[AAENEJEJEJEIEJEJ66&(++ELVVFJ//ENMEM Lrdcdd|D}|dtS)z)Determine a netbios name from a hostname.rc0g|]}t||Sri)r).0xs rb z*determine_netbios_name..Js&KKK2G2J2JK1KKKrdN)r<rr)ryrws rbdetermine_netbios_namerLGsB''KKhKKKLLK ,,, - 3 3 5 55rdc z|,tjdd}|d} | t |} | } t | st| |4|d}||dkrtd|j z| }|.|d}|td |j z| }|} |ddkrtd |j z|d| krCtd |dd |j d | d|d |kr1td|dd |j d|d|dkr||d}|}|d|krCtd|dd|d|j d|tj |}|| krtd|d| dn | }|d| z}t |st||| krtd| d|d| | krtd| d| d|| kr| std| d|d|dkr| } | }||}|d|z}|d |z}| t} t}||_||_||_||_d!|z|_||_||_| |_| |_||_| |_d"| d#| d$||_|S)%z$Guess configuration settings to use.Nrr netbios namervrz2guess_names: 'realm' not specified in supplied %s! server rolez8guess_names: 'server role' not specified in supplied %s!zwguess_names: 'realm =' was not specified in supplied %s. Please remove the smb.conf file and let provision generate itzguess_names: 'realm=z' in z must match chosen realm 'zA'! Please remove the smb.conf file and let provision generate itzguess_names: 'server role=z must match chosen server role '"active directory domain controllerrzguess_names: Workgroup 'z(' in smb.conf must match chosen domain 'z'! Please remove the z# file and let provision generate itzguess_names: Domain 'z(' must not be equal to short host name 'z'!zDC=zguess_names: Realm 'z!' must not be equal to hostname 'z)' must not be equal to NetBIOS hostname 'z*' must not be equal to short domain name 'zCN=Configuration,z CN=Schema,z CN=Manager,zCN=z,CN=Servers,CN=z ,CN=Sites,)socket gethostnamerrrLrrInvalidNetbiosNamerrErrr DEFAULTSITErkrnrorprqrtrurxrvrwryrzr)rryrxru serverrolernrorprqrrzdomain_names_forcedrwrvrs rb guess_namesrWNs %''--c2215&&((K,X66 ##%%K k * *. ---FF7OO   R#D  !!IVVM**  #$^acan$noo o!!##J OO  E vvg"!Z]_]j!jkk k vvg%''acagaghoapapavavaxaxaxaxz|zGzGzGINININ!OPP P vvm""$$ 22momsmstAmBmBmBmBDFDQDQDQS]S]S]!^__ _999 >VVK((F 66+   $ $ & && 0 0##jljpjpq|j}j}jCjCjEjEjEjEGMGMGMOQO\O\O\%]^^ ^  -i88H [ ##msmsmsvAvAvA%BCC C !  {*H f % %) (((~~5  afafafhphphp qrrre##inininp{p{p{ |}}} 2jojojoqwqwqw xyyy999%%''  ~&/(*   EELENENEN'&0EEOELEK#EENENN XXXxx)EN Lrdc  |J|,tjdd}t|} |d}|J|}|J|}| |||d} |t j}tj |r| || +| D](} | | d | | | | <)|tj tj |d| d<tj || d <tj tj |d | d <tj tj |d | d <tj tj |d| d<|d tj ||d | d |d | d |d| d|r|r|stj |d} |dtj tj | dnk|dsf|d} |dtj tj | dn|rtj |d }|dtj tj |dn{|dsf|d }|dtj tj |di}|dkrstj |d d|d<tj |d|d|d<nd| d<t#|d} |d| D]!\}}|d|d|d"|d|D]_\}}|d|z|d |z|d!|d` |n#|wxYw| ||d"|dS)#zDCreate a new smb.conf file based on a couple of basic settings. Nrrstandalone server)rNrrvrO privater0zlock dirstater2cachezcache directoryzbind-dnsr1z posix:eadbzeadb.tdbzxattr_tdb:filez xattr.tdbrPr9scriptsr: samba_dsdbpassdb backendwz [globals]  z =  z[%s] z path = %s z read only = no F)rQrRrrLrrr LoadParmr;r8existsloadr<abspathsetrropenwriteitemsclosedump)r{ryrxrv targetdirrUeadb use_ntvfsr global_paramrwglobal_settingsentprivdirstatedirsharesfkeyvalrr8s rb make_smbconfrzs    %''--c2215(22K(     \\^^F     KKMME$! O z [ ! ! # # w~~g  C CCC ,'*xx S0A'B'B$)+iQZ9[9[)\)\ &&(gooi&@&@ #-/W__RW\\)U\=]=]-^-^)*-/W__RW\\)U\=]=]-^-^)*)+iQ[9\9\)])] & z27??955666  /2C"DEEE  /2C"DEEE }om<=== M  M$',,y)<<|wrw||GZ'H'HIIKKKKVVL)) K&&//|wrw||GZ'H'HIIKKK$7<< 7;;'wrw||Hk'J'JKKMMMMVV,-- M66"344'wrw||Hk'J'JKKMMMF9997<</@(A(A8LLxW\\&*:EKKMM*355z-9() WcA   '--// 0 0HC GGGSSS###. / / / /   ,,..  JD$ GGHtO $ $ $ GGOd* + + + GG( ) ) ) GGDMMMM     GGG GGE7s CX X c|d|j|||dz|j|||dz|j|dS)asetup reasonable name mappings for sam names to unix names. :param samdb: SamDB object. :param idmap: IDmap db object. :param sid: The domain sid. :param domaindn: The domain DN. :param root_uid: uid of the UNIX root user. :param nobody_uid: uid of the UNIX nobody user. :param users_gid: gid of the UNIX users group. :param root_gid: gid of the UNIX root group. zS-1-5-7z-500z-513N)setup_name_mappingTYPE_UIDTYPE_GID)rsidr- nobody_uid users_gidrs rbsetup_name_mappingsr)s` Y CCC S6\5>8DDD S6\5>9EEEEErdc |J tj|n#t$rYnwxYwt|||dg} d} |jdkr d|jz} d} |sd} | t } d| z}| d kr| | d z } nd } | d z } | d } |  |dt| td| |dt| td|j|| d|dt| || dS#| xYw)akSetup the partitions for the SAM database. Alternatively, provision() may call this, and then populate the database. :note: This will wipe the Sam Database! :note: This function always removes the local SAM LDB file. The erase parameter controls whether to erase the existing data, which may not be stored locally but in LDAP. Nzmodules:)url session_inforoptionsz# No LDAP backendrzldapBackend: %sz"requiredFeatures: encryptedSecretszbackendStore: %smdbrcrzrequiredFeatures: lmdbLevelOnez# No required featuresz*Setting up sam.ldb partitions and settingszprovision_partitions.ldif)LDAP_BACKEND_LINE BACKEND_STOREzprovision_init.ldif) BACKEND_TYPE SERVER_ROLEREQUIRED_FEATURESzSetting up sam.ldb rootDSE)r;unlinkOSErrorr rldap_urirHtransaction_startrr:r9setup_samdb_rootdsetransaction_committransaction_cancel) samdb_pathrrrprovision_backendrrUeraseplaintext_secrets backend_storebackend_store_sizerVldap_backend_linerequired_featuresbackend_store_lines rbsetup_samdb_partitionsr<s  # # #   *       J\ | - - -E,&&-0A0JJ A@133 +m;  (  %   " == 4 # @AAAuj)DEE%6!3H H    uj)>?? 1 6)%6BB     0111E5)))   """""    """ s ((BD77Erc Ngd} |B||}|d|} nd} |} tjtj|d|z} t | g| d<ddg| d<| Dgd | d<|g| d <d | d |g| d <t |g| d<dg| d<|dg| d<d|zg| d<t | g| d<|t|g| d<|d| d|d|dt |dt | j d tj }|D]}| |j || j | tj }t|dkr|dddg| d < |dd!dg| d"<n#t$rYnwxYw |dddg| d<n#t$rYnwxYw |dd#dg| d#<n#t$rYnwxYw| D]-}|d$kr%| |tj.|| ||dj | j dSd%| zg}| t&kr| |d%| zg|| d&<|| dS)'zAdd domain join-specific bits to a secrets database. :param secretsdb: Ldb Handle to the secrets database :param machinepass: Machine password ) whenChangedsecret priorSecret priorChanged krb5Keytab privateKeytabNrzflatname=%s,cn=Primary DomainssecureChannelTypetop primaryDomain objectClass)rrkerberosSecretrvzhost/@ saltPrincipalzmsDS-KeyVersionNumberr3rutf-8rz%s$samAccountNamerzcn=Primary Domainsz(&(|(flatname=z)(realm=z )(objectSid=z2))(objectclass=primaryDomain)(!(distinguishedName=z)))rrrr)rrrrrrrpriorWhenChangedrrzHOST/%sservicePrincipalName)rrrrrrencoder"rrrdeleterrr set_flagsrrrenamerextendr)rrxrw machinepassr|rvru keytab_pathkey_version_numbersecure_channel_typerdnsname shortnamemsgrdel_msgelspns rbsecretsdb_self_joinrs8   E    I(..0000)//2C2C2CD!!##I +cfY(H6(QRR S SC #$7 8 89C1C GGGMwG 07 GHO(+,>(?(?'@ #$ 01O ''001CM"[01C #$7 8 89C$Y//0K    4EEMSMSMSUZUZUZ\_`i\j\j\j\jlopspvlwlwlwlw(x!$!3  5 5C%%$$$$   e3>  J JC 3xx1}}!!fX.q12M '*1vm'#?C     D  !$Q !5a!8 9C      D  8 8BTzzB!!#"6777QCF+++++9$% , . .73F JJ G+, - - -&) "# cs65H HHH88 II I"" I/.I/ctj|jrtj|jtj|j|j}tj|rtj|tj|j|j }tj|rtj|tj|j|j }tj|rtj||j}t|||}| | tdt|||}| | tdn#|xYw|S)arSetup the secrets database. :note: This function does not handle exceptions and transaction on purpose, it's up to the caller to do this job. :param path: Path to the secrets database. :param session_info: Session info. :param credentials: Credentials :param lp: Loadparm context :return: LDB handle for the created secrets database rrzsecrets_init.ldifz secrets.ldif)r;r8rerXrr<r]rYr^rZr rload_ldif_file_addr9rr)rrrrbind_dns_keytab_pathdns_keytab_pathr8 secrets_ldbs rbsetup_secretsdbrs w~~em$$! %-   ',,u0%,??K w~~k"" +7<<(95;KLL w~~*++( &'''gll5#4e6FGGO w~~o&&# /""" =Dd"===K"":.A#B#BCCCd"===K!!###&&z.'A'ABBBB&&((( s "G..Hctj|rtj|t |||}||tddS)zSetup the privileges database. :param path: Path to the privileges database. :param session_info: Session info. :param credentials: Credentials :param lp: Loadparm context :return: LDB handle for the created secrets database rzprovision_privilege.ldifN)r;r8rerr rrr9)r8rr privilege_ldbs rbsetup_privilegesr sp w~~d $ " "4l2 " N NDNN4:;;;//M 7>>- ( ((((NN=!!!!!rdctj|rtj|t |||}||td|S)zSetup the idmap database. :param path: path to the idmap database :param session_info: Session information :param credentials: Credentials :param lp: Loadparm context rzidmap_init.ldif)r;r8rerrrrr9)r8rr idmap_ldbs rb setup_idmapdbrBsn w~~d $!>??? rdc t|td|j|j|j|j|jddS)zDSetup the SamDB rootdse. :param samdb: Sam Database handle zprovision_rootdse_add.ldif)SCHEMADNDOMAINDNROOTDNCONFIGDNSERVERDNN)r:r9rqrornrpr)rVrs rbrrSsR 5*%ABBNN,NN EErdct| tsJ| d| z}nd}||}t|td|j|j|j|j| |j|j d|j t| d dt|t|t|t| t|dzt|dzd zd t|td | | |j |jd |tkrt|td |j|j|j|j| |j|j d|j t| d dt|t|t|t| d t!|td|j|jdddgt!|td|j|j|j|jdt%}||t!|td|j|j|jd|||dkrt|td|j |jt| d d|j |jd|j ddSdS)zJoin a host to its own domain.NzobjectGUID: %s rzprovision_self_join.ldifr utf-16-lerdi)rrrr INVOCATIONID NETBIOSNAMEDNSNAMEMACHINEPASS_B64 DOMAINSIDDCRIDSAMBA_VERSION_STRINGNTDSGUIDDOMAIN_CONTROLLER_FUNCTIONALITYRIDALLOCATIONSTARTRIDALLOCATIONENDzprovision_group_policy.ldif) POLICYGUID POLICYGUID_DC DNSDOMAINrzprovision_self_join_config.ldif) rrrrrrrrrrrrrz&provision_self_join_modify_schema.ldif)rr provision:0relax:0rz&provision_self_join_modify_config.ldif)rrTrrzprovision_self_join_modify.ldif)rrrrzprovision_dns_add_samba.ldif)rr DNSPASS_B64HOSTNAMEr) isinstancerr:r9rprqrorrwryrurrrrr<r;rzrset_session_infor)rVadmin_session_inforfillrrdnspassr|next_rid invocationid policyguid policyguid_dcdomainControllerFunctionalityrdc_rid ntdsguid_linesystem_session_infos rbsetup_self_joinras lC ( ((((*X5   ~5*%?@@....*".$)NNNEOOD!*;+=+=k+J+J!K!K!R!RSY!Z!Zy>>6{{&-'14/2121$'3$7$7"%hns&:";";!C=C=>>>$5*%BCC&, ?. F*F*+++ yuj)JKK!N!N!N!N ,$0&+nnneooF#,[-?-? -L-L#M#M#T#TU[#\#\ ^^V(/)3614343N4N4 5 5 5" %$%MNN*/.*/.QQ%29#=  ? ? ? ? %$%MNN*/.-2^-2->*/. QQ   )** .///eZ(IJJ..".MM  -...&&& uj)GHH ?.&w~~k'B'BCCJJ6RR.#))++++U_-B-B-D-D-DF KK     '&rdcl|ddkrd|z}tj||d|}|S)aReturn the physical path of policy given its guid. :param sysvolpath: Path to the sysvol folder :param dnsdomain: DNS name of the AD domain :param guid: The GUID of the policy :return: A string with the complete path to the policy folder rrz{%s}Policies)r;r8r<) sysvolpathruguid policy_paths rb getpolicypathrs9 Aw#~~}',,z9j$GGK rdctj|stj|dt tj|dd} |d|n#|wxYwtj|d}tj|stj|dtj|d}tj|stj|ddSdS)NzGPT.INIraz[General] Version=0MACHINEUSER)r;r8remakedirsrir<rjrl)rrwr s rbcreate_gpo_structr s  7>>+ & &( K''' RW\\+y 1 1377A ()))     [),,A 7>>!   Au  [&))A 7>>!   Aus $BB$ct|||}t|t|||}t|dS)aCreate the default GPO for a domain :param sysvolpath: Physical path for the sysvol folder :param dnsdomain: DNS domain name of the AD domain :param policyguid: GUID of the default domain policy :param policyguid_dc: GUID of the default domain controler policy N)rr )rrurrrs rbcreate_default_gpor"sH IzBBKk""" I}EEKk"""""rdlc t|||||||| | |  t}| r| }g}| dkr%|dt|z| r|d| r:t |dz dz}|dt|zt |dd |d | | }|d ||d |d |j z | ||nD#tj $r2}|j \}}|tjkrtd|zd}~wwxYw||d |S)zZSetup a complete SAM Database. :note: This will wipe the main SAM database file! ) rrrrrrUrrrrzlmdb_env_size:z batch_mode:1irztransaction_index_cache_size:NF)rr auto_connectr global_schemaam_rodcrz%Pre-loading the Samba 4 and AD schema)write_indices_and_attributesr)rz\!&:Qb)6.@ BBBB &J(' G'#j//9:::'~&&&Je+,,q0 6ZHIII |E %w I I IE KK7888 V%@@@ 4u~EFFF dG ,,,, < gl 35 5 5#$bei$ijj j   V$??? LsDE,-EEcj|d}|dks|dkrd|z}|ddzz }t|t}|t}||krtd|}|}|d|jz|d||d ||d ||t |j|| | d |j zt|t |j}| ||j d |j z}nd }tt|jd}t#|t%d|j t |j||dt'|t%d|j t t)jt-t/jt ||j|j|t |t4t t6d |t8kr,| dtt;|jd}t#|t%d|j|ddt(jjz}dd|g}| d| |j!||"|j#||$| |j%|t#|t%dd|j&i|tOj(tOj)||j }tOj*|jtNj+d|d<| |_,|t8kr| dtt[|jd} tt]|jd}!tt_|jd}"tta|jd}#ttc|jd}$tte|jd}%d|j3vrd }&nd }&t#|t%d!id"|jd#|j4d$|jd%|j5d&|j6d|j&d'|j d(|jd)t |d*t |d+|"d,|$d-|#d.|$d/|$d0|%d1| d2|!it#|t%d3|j|&d4| d5tot%d6}'tq|'d"|ji}'ts|'| |'| d7t'|t%d8|j|%d9| d:ttu|jd}(t#|t%d;|j |(d<| d=t'|t%d>d'|j i| d?ttw|jd})t#|t%d@|j |)dA| dBt'|t%dCd'|j i| dDtty|jd}*tt{|jd}+tt}|jd},tt|jd}-tt|jd}.t#|t%dEt t)jt-t/j|j |j4|j|j|jt |dFz||*|+|,|-|.dG |t8krtt|jd}/t'|t%dH|j|j&dI| dJttc|jd}$t#|t%dK|j|$dLddg|t8ks |tkrxt'|t%dM|j |/dN| dOt#|t%dP|j t |jt|CdQdt|CdQddRddg| dSt||||| | | | |j|||||| Td|jz}0|E|0dUd tNjFVd|_Gt|jGt sJ|S)WNʚ;z/You want to run SAMBA 4 with a next_rid of %u, z,the valid range is %u-%u. The default is %u.)r6r7r6zYou want to run SAMBA 4 on a domain and forest function level which itself is higher than its actual DC function level (2008_R2). This won't work!rdomainFunctionalityforestFunctionalityrzAdding DomainDN: %szobjectGUID: %s -rrzprovision_basedn.ldif)rr DESCRIPTOR DOMAINGUIDzprovision_basedn_modify.ldif) r CREATTIMENEXTRIDrTrrDOMAIN_FUNCTIONALITYrMIN_PWD_LENGTHzAdding configuration containerz#provision_configuration_basedn.ldif)rr:zlocal_oid:%s:0rrzSetting up sam.ldb schemarzaggregate_schema.ldifrsubRefsz%Setting up sam.ldb configuration data2008#zprovision_configuration.ldifrrrTrDOMAINrrFOREST_FUNCTIONALITYr>NTDSQUOTAS_DESCRIPTORLOSTANDFOUND_DESCRIPTORSERVICES_DESCRIPTORPHYSICALLOCATIONS_DESCRIPTORFORESTUPDATES_DESCRIPTOREXTENDEDRIGHTS_DESCRIPTORPARTITIONS_DESCRIPTORSITES_DESCRIPTORzextended-rights.ldif)rINC2012zSetting up display specifiersz1display-specifiers/DisplaySpecifiers-Win2k8R2.txtz0Modifying display specifiers and extended rightsz#provision_configuration_modify.ldif)rDISPLAYSPECIFIERS_DESCRIPTORzAdding users containerzprovision_users_add.ldif)rUSERS_DESCRIPTORzModifying users containerzprovision_users_modify.ldifzAdding computers containerzprovision_computers_add.ldif)rCOMPUTERS_DESCRIPTORzModifying computers containerzprovision_computers_modify.ldifzSetting up sam.ldb datazprovision.ldifiX) r<rrrTrrRIDAVAILABLESTARTrINFRASTRUCTURE_DESCRIPTORrFSYSTEM_DESCRIPTORBUILTIN_DESCRIPTORDOMAIN_CONTROLLERS_DESCRIPTORz'provision_configuration_references.ldif)rrz)Setting up well known security principalsz#provision_well_known_sec_princ.ldif)rWELLKNOWNPRINCIPALS_DESCRIPTORz provision_basedn_references.ldif)rMANAGEDSERVICE_DESCRIPTORz#Setting up sam.ldb users and groupszprovision_users.ldifr)rr ADMINPASS_B64KRBTGTPASS_B64zSetting up self join) rr r rr rr|r rrrrrr)r attributerr)Irrr*rset_opaque_integerset_domain_sidrr|set_invocation_idrrorrr~rr-rr:r9r;r unix2nttimertimerzrprDEFAULT_MIN_PWD_LENGTHr<r&dsdb&DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OIDadd_ldif schema_dn_add modify_ldifschema_dn_modifywrite_prefixes_from_schema schema_datarqrrrrr invocation_idr'r(r)r*r+r, base_schemarwrurxrrrr1r0r.r4r3r/r2r8r=rr searchonerrr)1rVrrrrrr r krbtgtpassrrr r rrUr&dom_for_fun_levelr-r rrrerrorrr8r9r domainguid_linedescrignore_checks_oidschema_controlsrpartitions_descr sites_descrntdsquotas_descrprotected1_descrprotected1wd_descrprotected2_descr incl_2012display_specifiers_ldif users_desccomputers_descinfrastructure_desclostandfound_desc system_desc builtin_desccontrollers_descmanagedservice_descrntds_dns1 rb fill_samdbr5s  $(Z//AXN ?C$$ $&&&%?! 6888!uvv v++ 4u~EFFF 24GHHH 24GHHH <:<<< U_--... L))) KK%6777'r3u+?+?@@ -... #-0@@ +EO<< = = D DV L LE5*%<==U_--) @@eZ(FGGN*3ty{{+;+;<<==x==~N #$7 8 8 '455 J J    y 4555/@@AAHHPPuj)NOO!N#RR    -uz/``      /000 v+oFFF &1OLLL ((*** v)ODDDuj)@AA"EN3 / 1 1 1 1 +cfUEN33 4 4C'8H(133C N'E y ;<<<$%Eeo%V%VWW^^_eff ;EO L LMMTTU[\\ $%Fu%W%WXX__`fgg$%LU_%]%]^^eeflmm&'PQVQ`'a'abbiijpqq$%LU_%]%]^^eeflmm V' ' 'IIIuj)GHHKENKu0Ku~KU_ K %, K EN KENKENK',?(@(@K',?(@(@K()9K*+=K&'7K/0BK+,>K ,-=!K"()9#K$#K%KK   * uj)?@@!N$CC     3444". J K K#M#M"01H2NNN     KK()))6uGGHHOOPVWWJ5*%?@@ *CC KK+,,,eZ(EFF I())) KK,--->uOOPPWWX^__N5*%CDD$2GG KK/000e !BCC$enF6777 KK)***#$H$Y$YZZaabhii!"I%/"Z"Z[[bbcijjCEOTTUU\\]cddK:5?KKLLSSTZ[[L !B5?!S!STT[[\bcc5*%566*3ty{{+;+;<<==N(~NN C00&%8#4(*)999" y()PQVQ`)a)abbiijpqq%$%NOO*/.*/.R:R: ; ; ;  ?@@@&'PQVQ`'a'abbiijpqquj)NOO.@R R  . 0 0 0 0  yDN22%$%GHH*/.;OKK     9:::uj)?@@U_--&y'7'7 'D'DEELLVTT' (9(9+(F(FGGNNvVV C C  .  0 0 0 0  *+++1T%1$/ '$/"'/!)%#-&36S!) + + + +(%.83?BVYVd)ffflflmsftft %.#..... LrdzkO:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)zO:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)r9c xt}t||||||d|| tj|dD]|\}} } | D]8} t|tj|| ||||d|| 9| D]8} t|tj|| ||||d|| 9}dS)NTrpskip_invalid_chownr serviceFtopdown)rrr;walkr8r<) r8aclrdomsidrpr rrr,dirsfilesrs rb set_dir_aclrBs&((L RsFLIZ^gmw~WT5999ccdE c cD RdD113 (T&Za c c c c c c cD RdD113 (T&Za c c c c c c ccrdc 4tj||d}t} t ||t t || |d|t |d|zddgdtj } | D]} ttj | dd } t||t | d} t!| t#| ||t ||| d S) nSet ACL on the sysvol//Policies folder and the policy folders beneath. :param sysvol: Physical path for the sysvol folder :param dnsdomain: The DNS name of the domain :param domainsid: The SID of the domain :param domaindn: The DN of the domain (ie. DC=...) :param samdb: An LDB object on the SAM db :param lp: an LP object rTrCN=Policies,CN=System,%srnTSecurityDescriptorrrrr N)r;r8r<rr POLICIES_ACLrSYSVOL_SERVICErrrr#r descriptoras_sddlrrr!)r9rur|rorVrrpr root_policy_pathrrpolicyrrs rb set_gpos_aclrNs2w||FIzBB&((L R!<Y T&R`bbbb ,,6B"$:;"$C,>  @ @C##, 67:<<)rrsession_info_flags Administrator)r user_nameuidgidc bt|ttdt S)zA helper to reuse argsTr)r SYSVOL_ACLrr)r8r|r s4_passdbrrps rb _setntaclzsetsysvolacl.._setntacls5 j#i..,D"$$$ $rdrr)'s3param get_contextrfrEtempfileNamedTemporaryFiler;r8rgr set_simple_aclrrrhave_posix_aclsrchownrlrhrr reload_static_pdbPDBrget_global_sam_sid domain_inforformatrrr AUTH_SESSION_INFO_DEFAULT_GROUPSAUTH_SESSION_INFO_AUTHENTICATED#AUTH_SESSION_INFO_SIMPLE_PRIVILEGES user_sessionsession_info_set_unixrr<r)rVr:r9rrr|rurorrps3conffilercanchownuserdnrrr,rrrrrs ` `` @@rb setsysvolaclrnsI /@$&& BM"""*rwv/F/FGGG  b#DIu6I6K6KSQQQQ b b b+--{,-z{{{()abbb b U 49c30C0E0EFFFF U U U')TUUU UG JJLLLLDJJLLLL$&& BM""" #_uy%@AAA """Jvzz*:;;<<   $ & &) 3 3##|B|U|W|W|W|WYbYbYb%cdd d++-- y !Y . .##FQR[F\F\F\^g^g^g%hii i | $ * * , , 0A0A A A##JUVbJcJiJiJkJkJkJkmvm|m|m~m~m~m~%@@ @  & HVR % % %  ! !)X-N O OF  2  12  56E$U2&8=???L|&()8#&#& (((( $$$$$$$$$IfWVU;;;00dE 0 0D =D1>DD11E:K K$#K$c|rdSdS)NDBVFSri)direct_db_accesss rbacl_typersturdc t}t||||t}||}||kr(t t |d|d|d|dt j|dD]\}} } | D]} t|t j || ||t}|@t t |dt j || d ||}||krFt t |dt j || d|d|d| D]} t|t j || ||t}|@t t |dt j || d ||}||krFt t |dt j || d|d|dݐdS) Nrrz ACL on GPO directory rZ does not match expected value z from GPO objectFrz ACL on GPO file not found!) rr rrrrr;rr8r<) r8rrr|rrfsacl fsacl_sddlr,rrrs rb check_dir_aclrs&((L R|>NXf g g gEy))JSt|~NuOuOuOuOQUQUQUWaWaWacfcfcf!ghh hWT5999DDdE  DRdD!9!9<.>XXXE}')12B)C)C)C)C)+dD)A)A)A)A)CDDDy11JS  'wAQxRxRxRxRTVT[T`T`aegkTlTlTlTlnxnxnxz}z}z})~! D DDRdD!9!9<.>XXXE}'+34D+E+E+E+E+-7<<d+C+C+C+C)EFFFy11JS  '}EFV}W}W}W}WY[Y`YeYefjlpYqYqYqYqs}s}s}BBB)CDDD! DDDrdc tj||d}t}t ||||t } | #t dt|d|d| |} | tkr(t t|d|d| d| d | d |zd d gd tj } | D]} ttj| d d} t!||t#| d }t%|t'| ||||dS)rrrNzDB ACL on policy root rZrz ACL on policy root r from provisionrrrrrr)r;r8r<rr rrrrrrrrr#rrrrrr!)r9rur|rorVrrrrrrrrrrs rbcheck_gpos_aclrsw||FIzBB&((L R)<&6 P P PE }HUeLfLfLfLfhxhxhx yzzzy))J\!!qy{KrLrLrLrLN^N^N^`j`j`jlqlqlq!rss s ,,6B"$:;"$C,>  @ @C33, 67:<<#>!1 3 3 3 3 33rdc ltj}||j|dd|jzt j|d}t j |kr'tdt j d|d| } | d|krtd| dd|d| d | kr@td | d d | dt} d D]} tj|||fD]} t#|| | | t$ } | "tt'| d| d| |}|t*kr-tt'| d| d|dt*dt-||||||| d S)rr`rrrrrrrrr)TFrNz ACL on sysvol directory rrZrr)rrrfrErhrr rrrrrrrr;r8r<r rrrrr)rVr:r9r|rurorrrrrrdir_pathrrs rbchecksysvolaclr&s[ " "F KK  JJ59!<=== 6::&67788I ""i//w}xQxSxSxSxSU^U^U^!_`` `''))K9**BMNWBXBXBXZcZcZc!dee e< &&((IOO,=,===FQR^F_FeFeFgFgFgFgirixixiziziziz!{|| |'((L) ) )fi88(C } }HR BIP B%-H B6;L&5&N&NNTfU[nn^^__C473E*#2F4464646C/ 0 LL    |   6LT4s00010000  UKr6"G$/@(Z#0  2 2 2 2 __E,D,D,F,F/;%===CVF^^ *c*****.u55 EL 1 1 2 2F$UAv|Q????%FL999 KKDEEEeZ(GHH!5>2444 KK())) %eU$   C #f @ @J   ZZZ"H%(^&=%>  @ @ @ @ ;enL!$!3"7"7"7  8 8 8   s7H%2K$@  B BEF G G#$lmm m G   """""    """ s37A(D44E 2BJKJ==KBR88SrY member serverrP) ROLE_STANDALONEROLE_DOMAIN_MEMBERROLE_DOMAIN_BDCROLE_DOMAIN_PDCdcmemberzdomain controllerrPr standalonerYcX t|S#t$rt|wxYw)zSanitize a server role name. :param role: Server role :raise ValueError: If the role can not be interpreted :return: Sanitized server role (one of "member server", "active directory domain controller", "standalone server") ) _ROLES_MAPr ValueError)roles rbsanitize_server_roler s;$ s )c| |dt|td|||d|dS#|xYw)ztCreate AD entries for the fake ypserver. This is needed for being able to manipulate posix attrs via ADUC. z"Setting up fake yp server settingsz ypServ30.ldif)rr NISDOMAINN)rrr:r9rrrrVrorw nisdomainmaxuidmaxgids rbprovision_fake_ypserverr#s   # 8999uj99 &"< <       """""    """ s 7A##A:rctj|s_ tj||dS#t$r:}|jt jfvrntd|d|jYd}~dSd}~wwxYwdS)NzFailed to create directory z: ) r;r8remkdirrerrnoEEXISTrstrerror)r8rrs rbdirectory_create_or_existsr)/s 7>>$  b b HT4  b b bw5<.((''tttUVU_U_(`aaa bbbs8 A</A77A<c|h|dt|}t|dkr1|d}t|dkr|d||dkrd}||d|S)NzLooking up IPv4 addressesrrz*More than one IPv4 address found. Using %sz 127.0.0.1z No IPv4 address will be assigned)rrrwarning)rrrhostipss rbdetermine_host_ipr-:s ~ /000"2&& w<tj||>9|>:tj|td'|<d(t|<||'&}@ |<d)t||'|;||#|=||&|.|/|0|1/}B|#d0krv||d?|d@|dA|dB|dC|dD|dE|dF|dG|dH|dI|#dJ|$dK|&dL|'dM|(dN|,dO|/dP|0tsbt|\}D|>]n#|@^xYw|@_t||<t}E|#|E_b||E_c|<|E_d|;|E_e|'|E_f|B|E_J|A|E_gt||E_,|tkr|C|E_h||E_ind8|E_hd|E_i|D|E_j|)r7t||B|;jc|;jl|;jmn|*|+V|ES)WzHProvision samba4 :note: caution, this wipes all existing data! zlserver role (%s) should be one of "active directory domain controller", "member server", "standalone server"Nrrr,nobodyusersotherstaffbindnamedetczsmb.confrzidmap_ldb:use rfc2307rz-dnsz dns forwarderz+smbz-s3fsz+winregz+srvsvczdcerpc endpoint serversrzserver servicesr r)rUrorprrq) rryrxrurUrorprqrrzrnrVrOiitlsr)r rqrj)rrrrzSetting up share.ldbrz share.ldifzSetting up secrets.ldbzSetting up the registry)rz"Setting up the privileges databasezSetting up idmap db)rr-rrrzSetting up SAM db) rrUr-r r&rrrr.rPr:r9r TrFr-rnrrrr rrrlrrr rrrr rUrmr&rrprrrzlog filezryrvrC post_setupshutdownrrrBrrrorrrrrrrr#rwrxr)Frrr{rnrrvrnrorqrprrxryrrr|r rr ldapadminpassrlr~rrr dns_forwarderr r rrr,r2r3backuprzrUrmuseeadbr&rrp use_rfc2307r!r"rrjrrrr.r-rrrrAserver_servicesrqrwdatarrr-r share_ldbrrrVrrresultsF rb provisionrSYs (])*55 ]]]!OR\!\]] ]]6sC@@ 133 ')) T^V,f55Hf0122JU-gwIJJI|H%%,H011 ',,y%<< +**,, 7>>"'//'22 3 3. BGOOG,,---OL816 ,-&&&v&&&&  $-:OL )Iv&&&w'''3>%/ * *? *+++lrJJJ $$Z %=%=>>> KK()))!%/;DDDKP -...uz>>> )***em,2NNNEs9~~%-*&/( D D D D  '(((EK-r5'1#) G.?*7/A'1333 = = =~%' EMBBB|#'%-@@@7==00 3 ENE222  6r2>>I"&  )U++ 6%,,W55 "'   " " 5+vue B B B"(& B4=I BJT* B"(& B29' B%-H B6 BIP B!b B-6I B+9. B*7 B/A.@ B B !! 8 EM5&"'//"&&Q[J\J\:]:] ^ ^ ^ KK(). 8 8 8 #(?U^${ , , , ,  &',~ 7 7 7     = = = "2vu 5 5 5*5577""$$$$&&((( ""$$$vu---   F#FFOFLFLFIFLFL9~~FY%8"$%*"*F^vU).UEV*/,*<*<*>*>vV\ ^ ^ ^ ^ Ms3/C C#"C#&I==J(La00bcRtjd}tj|t |t fid|d|dt d|d|d|d|d |d |d |d | d dd| d| ddd|d| d| d|}|jdt||S)NrSr{rnrrvrnrorqrprrxryrr|rrUrPrzrr rp debuglevel) logging getLoggerrset_debug_levelrSrr?rrhr)r{rnrvrnrorqrprrxryr|rr rrzrUrprrs rbprovision_become_dcrY] sC { + +F *%%% FN,, ) ) )#G )/8y )EMX )% )(. )9A )LTH )&X )19 )BH )&X  )/3d  )?Hi  ) !,  ) DC  )&X )4?; )IP )(i )CFJJ|S__--- JrdcJttd||||ddS)zWrite out a file containing a valid krb5.conf file :param path: Path of the new krb5.conf file. :param dnsdomain: DNS Domain name :param hostname: Local hostname :param realm: Realm name r6)rrREALMN)rr9)r8ruryrvs rbrGrGu s?z+&&" //rdceZdZdZdZdZdS)rzA generic provision error.c||_dSrNvalue)rar_s rbrczProvisioningError.__init__ s  rdcd|jzS)NzProvisioningError: r^r`s rb__str__zProvisioningError.__str__ s$tz11rdN)rfrgrhrrcrarirdrbrr s8$$22222rdrc"eZdZdZfdZxZS)rSz.A specified name was not a valid NetBIOS name.c^tt|d|zdS)Nz)The name '%r' is not a valid NetBIOS name)superrSrc)rar __class__s rbrczInvalidNetbiosName.__init__ s=  $''00 7$ > @ @ @ @ @rd)rfrgrhrrc __classcell__res@rbrSrS sG88@@@@@@@@@rdrSceZdZfdZxZS)rDcftt|d|d|ddS)Nz#Existing smb.conf does not have a [z5] share, but you are configuring a DC. Please remove z or add the share manually.)rdrDrc)rarr{res rbrczMissingShareError.__init__ sG &&///TT777      rd)rfrgrhrcrfrgs@rbrDrD s8rdrD)F) NNNNNNNNNNNF)NFFNN)FFNN)NN)FFNNF)FNNNNNN)rrN)NNNNNNNNNNNNNNNrF)r __docformat__base64rr&r;rrrr(rVr_rrQr samba.dsdbrr samba.authrrsamba.auth_utilrr samba.samba3r r r rr r rrrrrrrr samba.dcerpcrrsamba.dcerpc.miscrrrrr samba.idmaprsamba.ms_display_specifiersr samba.ntaclsrr r! samba.ndrr"r#samba.provision.backendr$samba.descriptorr%r&r'r(r)r*r+r,r-r.r/r0r1r2r3r4r5r6r7r8samba.provision.commonr9r:r;r<r=r>r?samba.provision.sambadnsr@rArBrC samba.paramsamba.registry samba.schemarD samba.samdbrEsamba.dbcheckerrFsamba.provision.kerberosrGrHrrrTrr`objectrLrkrrrrrrr r%r*r.rFrLrWrzrrrrrrrrrrrr r"r(r4rrrrrrrrrrrrrrrrr#r)r-r/rSrYrG ExceptionrrSrDrirdrbrsO 265"    44444444////// %%%%%%%%))))))......                      ('''''''  4444448888888888********,######444444111111<?' 1V,V0___D&&&&R0    &&&R#6#6#6#6#6f#6#6#6L > > >++++++---`666@DFJ7;$)rrrrlCG"ccccLFFF*;@AEF#F#F#F#T=A"d$(+,,: WWWWt'''T M M M 2 " " " "   "JN____D       # # # -;@7;49????HEJJN!"& EEEEP{ U CQ c c c c###@lalala^DDD> 3 3 3F/)/)/)d!i $"t4 $$#T"d TU"'t&*N#N#N#N#d+);; .=*N$%,      ###*bbbb"    -1$tdTDDttDD$4tdDTDDUtuT$# %T!%%AAAAH=A=A=A1526DE"' 0   22222 222@@@@@@@@)rd