CommandError,
SuperCommand,
Option
- )
+)
from samba.netcmd.fsmo import get_fsmo_roleowner
from samba.netcmd.common import netcmd_get_domain_infos_via_cldap
from samba.samba3 import Samba3
UF_SERVER_TRUST_ACCOUNT,
UF_TRUSTED_FOR_DELEGATION,
UF_PARTIAL_SECRETS_ACCOUNT
- )
+)
from samba.provision import (
provision,
ProvisioningError,
DEFAULT_MIN_PWD_LENGTH,
setup_path
- )
+)
from samba.provision.common import (
FILL_FULL,
)
from samba.netcmd.pso import cmd_domain_passwordsettings_pso
+from samba.netcmd.domain_backup import cmd_domain_backup
string_version_to_constant = {
"2008_R2" : DS_DOMAIN_FUNCTION_2008_R2,
"(default is %s)" % get_default_backend_store()),
Option("--targetdir", metavar="DIR",
help="Set target directory (where to store provision)", type=str),
- Option("--quiet", help="Be quiet", action="store_true"),
+ Option("-q", "--quiet", help="Be quiet", action="store_true"),
]
common_join_options = [
"BIND9_DLZ uses samba4 AD to store zone information, "
"NONE skips the DNS setup entirely (this DC will not be a DNS server)",
default="SAMBA_INTERNAL"),
- Option("--verbose", help="Be verbose", action="store_true")
+ Option("-v", "--verbose", help="Be verbose", action="store_true")
]
common_ntvfs_options = [
return ""
try:
- import samba.dckeytab
+ import samba.dckeytab
except ImportError:
- cmd_domain_export_keytab = None
+ cmd_domain_export_keytab = None
else:
- class cmd_domain_export_keytab(Command):
- """Dump Kerberos keys of the domain into a keytab."""
+ class cmd_domain_export_keytab(Command):
+ """Dump Kerberos keys of the domain into a keytab."""
- synopsis = "%prog <keytab> [options]"
+ synopsis = "%prog <keytab> [options]"
- takes_optiongroups = {
- "sambaopts": options.SambaOptions,
- "credopts": options.CredentialsOptions,
- "versionopts": options.VersionOptions,
- }
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
- takes_options = [
- Option("--principal", help="extract only this principal", type=str),
- ]
+ takes_options = [
+ Option("--principal", help="extract only this principal", type=str),
+ ]
- takes_args = ["keytab"]
+ takes_args = ["keytab"]
- def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None):
- lp = sambaopts.get_loadparm()
- net = Net(None, lp)
- net.export_keytab(keytab=keytab, principal=principal)
+ def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None):
+ lp = sambaopts.get_loadparm()
+ net = Net(None, lp)
+ net.export_keytab(keytab=keytab, principal=principal)
class cmd_domain_info(Command):
synopsis = "%prog <ip_address> [options]"
takes_options = [
- ]
+ ]
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
- }
+ }
takes_args = ["address"]
Option("--partitions-only",
help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true"),
Option("--use-rfc2307", action="store_true", help="Use AD to store posix attributes (default = no)"),
- ]
+ ]
openldap_options = [
Option("--ldapadminpass", type="string", metavar="PASSWORD",
Option("--ldap-backend-forced-uri", type="string", metavar="LDAP-BACKEND-FORCED-URI",
help="Force the LDAP backend connection to be to a particular URI. Use this ONLY for 'existing' backends, or when debugging the interaction with the LDAP backend and you need to intercept the LDA"),
Option("--ldap-backend-nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true"),
- ]
+ ]
ntvfs_options = [
Option("--use-xattrs", type="choice", choices=["yes","no","auto"],
takes_options.extend(common_provision_join_options)
if samba.is_ntvfs_fileserver_built():
- takes_options.extend(common_ntvfs_options)
+ takes_options.extend(common_ntvfs_options)
takes_args = ["domain", "role?"]
netbios_name = lp.get("netbios name")
- if not role is None:
+ if role is not None:
role = role.upper()
if role == "DC":
Option("--parent-domain", help="parent domain to create subdomain under", type=str),
Option("--adminpass", type="string", metavar="PASSWORD",
help="choose adminstrator password when joining as a subdomain (otherwise random)"),
- ]
+ ]
ntvfs_options = [
Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
netbios_name = lp.get("netbios name")
- if not role is None:
+ if role is not None:
role = role.upper()
if role is None or role == "MEMBER":
metavar="URL", dest="H"),
Option("--remove-other-dead-server", help="Dead DC (name or NTDS GUID) "
"to remove ALL references to (rather than this DC)", type=str),
- Option("--quiet", help="Be quiet", action="store_true"),
- Option("--verbose", help="Be verbose", action="store_true"),
- ]
+ Option("-q", "--quiet", help="Be quiet", action="store_true"),
+ Option("-v", "--verbose", help="Be verbose", action="store_true"),
+ ]
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
- }
+ }
def run(self, sambaopts=None, credopts=None,
versionopts=None, server=None,
raise CommandError("Unable to search for servers")
if (len(res) == 1):
- raise CommandError("You are the latest server in the domain")
+ raise CommandError("You are the last server in the domain")
server = None
for e in res:
controls=["search_options:1:2"])
if len(res) != 0:
- raise CommandError("Current DC is still the owner of %d role(s), use the role command to transfer roles to another DC" % len(res))
+ raise CommandError("Current DC is still the owner of %d role(s), "
+ "use the role command to transfer roles to "
+ "another DC" %
+ len(res))
self.errf.write("Using %s as partner server for the demotion\n" %
server)
remote_samdb.modify(msg)
remote_samdb.rename(newdn, dc_dn)
if werr == werror.WERR_DS_DRA_NO_REPLICA:
- raise CommandError("The DC %s is not present on (already removed from) the remote server: " % server_dsa_dn, e)
+ raise CommandError("The DC %s is not present on (already "
+ "removed from) the remote server: %s" %
+ (server_dsa_dn, e3))
else:
- raise CommandError("Error while sending a removeDsServer of %s: " % server_dsa_dn, e)
+ raise CommandError("Error while sending a removeDsServer "
+ "of %s: %s" %
+ (server_dsa_dn, e3))
remove_dc.remove_sysvol_references(remote_samdb, logger, dc_name)
except ldb.LdbError as l:
pass
+ # get dns host name for target server to demote, remove dns references
+ remove_dc.remove_dns_references(remote_samdb, logger, samdb.host_dns_name(),
+ ignore_no_name=True)
+
self.errf.write("Demote successful\n")
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
- }
+ }
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
- Option("--quiet", help="Be quiet", action="store_true"),
+ Option("-q", "--quiet", help="Be quiet", action="store_true"), # unused
Option("--forest-level", type="choice", choices=["2003", "2008", "2008_R2", "2012", "2012_R2"],
help="The forest function level (2003 | 2008 | 2008_R2 | 2012 | 2012_R2)"),
Option("--domain-level", type="choice", choices=["2003", "2008", "2008_R2", "2012", "2012_R2"],
m = ldb.Message()
m.dn = ldb.Dn(samdb, domain_dn)
m["msDS-Behavior-Version"]= ldb.MessageElement(
- str(new_level_domain), ldb.FLAG_MOD_REPLACE,
+ str(new_level_domain), ldb.FLAG_MOD_REPLACE,
"msDS-Behavior-Version")
samdb.modify(m)
# Under partitions
m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup")
+ ",CN=Partitions,%s" % samdb.get_config_basedn())
m["msDS-Behavior-Version"]= ldb.MessageElement(
- str(new_level_domain), ldb.FLAG_MOD_REPLACE,
+ str(new_level_domain), ldb.FLAG_MOD_REPLACE,
"msDS-Behavior-Version")
try:
samdb.modify(m)
m = ldb.Message()
m.dn = ldb.Dn(samdb, "CN=Partitions,%s" % samdb.get_config_basedn())
m["msDS-Behavior-Version"]= ldb.MessageElement(
- str(new_level_forest), ldb.FLAG_MOD_REPLACE,
+ str(new_level_forest), ldb.FLAG_MOD_REPLACE,
"msDS-Behavior-Version")
samdb.modify(m)
msgs.append("Forest function level changed!")
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
- }
+ }
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
- }
+ }
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
- Option("--quiet", help="Be quiet", action="store_true"),
+ Option("-q", "--quiet", help="Be quiet", action="store_true"), # unused
Option("--complexity", type="choice", choices=["on","off","default"],
help="The password complexity (on | off | default). Default is 'on'"),
Option("--store-plaintext", type="choice", choices=["on","off","default"],
ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow")
msgs.append("Duration to reset account lockout after changed!")
- if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
+ if max_pwd_age and max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
if len(m) == 0:
help="Path to samba classic DC testparm utility from the previous installation. This allows the default paths of the previous installation to be followed"),
Option("--targetdir", type="string", metavar="DIR",
help="Path prefix where the new Samba 4.0 AD domain should be initialised"),
- Option("--quiet", help="Be quiet", action="store_true"),
- Option("--verbose", help="Be verbose", action="store_true"),
+ Option("-q", "--quiet", help="Be quiet", action="store_true"),
+ Option("-v", "--verbose", help="Be verbose", action="store_true"),
Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"],
help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), "
if runtime is None:
return False
- err32 = self._uint32(runtime[0])
+ err32 = self._uint32(runtime.args[0])
if err32 == val:
return True
class LocalRuntimeError(CommandError):
def __init__(exception_self, self, runtime, message):
- err32 = self._uint32(runtime[0])
- errstr = runtime[1]
+ err32 = self._uint32(runtime.args[0])
+ errstr = runtime.args[1]
msg = "LOCAL_DC[%s]: %s - ERROR(0x%08X) - %s" % (
self.local_server, message, err32, errstr)
CommandError.__init__(exception_self, msg)
class RemoteRuntimeError(CommandError):
def __init__(exception_self, self, runtime, message):
- err32 = self._uint32(runtime[0])
- errstr = runtime[1]
+ err32 = self._uint32(runtime.args[0])
+ errstr = runtime.args[1]
msg = "REMOTE_DC[%s]: %s - ERROR(0x%08X) - %s" % (
self.remote_server, message, err32, errstr)
CommandError.__init__(exception_self, msg)
class LocalLdbError(CommandError):
def __init__(exception_self, self, ldb_error, message):
- errval = ldb_error[0]
- errstr = ldb_error[1]
+ errval = ldb_error.args[0]
+ errstr = ldb_error.args[1]
msg = "LOCAL_DC[%s]: %s - ERROR(%d) - %s" % (
self.local_server, message, errval, errstr)
CommandError.__init__(exception_self, msg)
return (policy, info)
+ def get_netlogon_dc_unc(self, conn, server, domain):
+ try:
+ info = conn.netr_DsRGetDCNameEx2(server,
+ None, 0, None, None, None,
+ netlogon.DS_RETURN_DNS_NAME)
+ return info.dc_unc
+ except RuntimeError:
+ return conn.netr_GetDcName(server, domain)
+
def get_netlogon_dc_info(self, conn, server):
info = conn.netr_DsRGetDCNameEx2(server,
None, 0, None, None, None,
def netr_DomainTrust_to_name(self, t):
if t.trust_type == lsa.LSA_TRUST_TYPE_DOWNLEVEL:
- return t.netbios_name
+ return t.netbios_name
return t.dns_name
primary = None
primary_parent = None
for _t in a:
- if _t.trust_flags & netlogon.NETR_TRUST_FLAG_PRIMARY:
- primary = _t
- if not _t.trust_flags & netlogon.NETR_TRUST_FLAG_TREEROOT:
- primary_parent = a[_t.parent_index]
- break
+ if _t.trust_flags & netlogon.NETR_TRUST_FLAG_PRIMARY:
+ primary = _t
+ if not _t.trust_flags & netlogon.NETR_TRUST_FLAG_TREEROOT:
+ primary_parent = a[_t.parent_index]
+ break
if t.trust_flags & netlogon.NETR_TRUST_FLAG_IN_FOREST:
if t is primary_parent:
}
takes_options = [
- ]
+ ]
def run(self, sambaopts=None, versionopts=None, localdcopts=None):
}
takes_options = [
- ]
+ ]
takes_args = ["domain"]
help="Skip validation of the trust.",
dest='validate',
default=True),
- ]
+ ]
takes_args = ["domain"]
if not self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise self.LocalRuntimeError(self, error,
"QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
- lsaString.string))
+ lsaString.string))
try:
lsaString.string = local_trust_info.netbios_name.string
if not self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise self.LocalRuntimeError(self, error,
"QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
- lsaString.string))
+ lsaString.string))
if remote_trust_info:
try:
if not self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise self.RemoteRuntimeError(self, error,
"QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
- lsaString.string))
+ lsaString.string))
try:
lsaString.string = remote_trust_info.netbios_name.string
if not self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise self.RemoteRuntimeError(self, error,
"QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
- lsaString.string))
+ lsaString.string))
try:
local_netlogon = self.new_local_netlogon_connection()
raise self.RemoteRuntimeError(self, error, "failed to connect netlogon server")
try:
- remote_netlogon_info = self.get_netlogon_dc_info(remote_netlogon, remote_server)
+ remote_netlogon_dc_unc = self.get_netlogon_dc_unc(remote_netlogon,
+ remote_server, domain)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "failed to get netlogon dc info")
# this triggers netr_GetForestTrustInformation to our domain.
# and lsaRSetForestTrustInformation() remotely, but new top level
# names are disabled by default.
- remote_forest_info = remote_netlogon.netr_DsRGetForestTrustInformation(remote_netlogon_info.dc_unc,
- local_lsa_info.dns_domain.string,
- netlogon.DS_GFTI_UPDATE_TDO)
+ remote_forest_info = remote_netlogon.netr_DsRGetForestTrustInformation(remote_netlogon_dc_unc,
+ local_lsa_info.dns_domain.string,
+ netlogon.DS_GFTI_UPDATE_TDO)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "netr_DsRGetForestTrustInformation() failed")
if remote_trust_info.trust_direction & lsa.LSA_TRUST_DIRECTION_OUTBOUND:
self.outf.write("Validating incoming trust...\n")
try:
- remote_trust_verify = remote_netlogon.netr_LogonControl2Ex(remote_netlogon_info.dc_unc,
- netlogon.NETLOGON_CONTROL_TC_VERIFY,
- 2,
- local_lsa_info.dns_domain.string)
+ remote_trust_verify = remote_netlogon.netr_LogonControl2Ex(remote_netlogon_dc_unc,
+ netlogon.NETLOGON_CONTROL_TC_VERIFY,
+ 2,
+ local_lsa_info.dns_domain.string)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "NETLOGON_CONTROL_TC_VERIFY failed")
help="Where to delete the trusted domain object: 'local' or 'both'.",
dest='delete_location',
default="both"),
- ]
+ ]
takes_args = ["domain"]
help="Where to validate the trusted domain object: 'local' or 'both'.",
dest='validate_location',
default="both"),
- ]
+ ]
takes_args = ["domain"]
help="Delete an existing msDS-SPNSuffixes attribute of the local forest. Can be specified multiple times.",
dest='delete_spn',
default=[]),
- ]
+ ]
takes_args = ["domain?"]
self.outf.write("Stored uPNSuffixes attributes[%d]:\n" % len(stored_upn_vals))
for v in stored_upn_vals:
- self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
+ self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
self.outf.write("Stored msDS-SPNSuffixes attributes[%d]:\n" % len(stored_spn_vals))
for v in stored_spn_vals:
- self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
+ self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
if not require_update:
return
self.outf.write("Update uPNSuffixes attributes[%d]:\n" % len(update_upn_vals))
for v in update_upn_vals:
- self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
+ self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
self.outf.write("Update msDS-SPNSuffixes attributes[%d]:\n" % len(update_spn_vals))
for v in update_spn_vals:
- self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
+ self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
update_msg = ldb.Message()
update_msg.dn = stored_msg.dn
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
- }
+ }
def run(self, *ncs, **kwargs):
sambaopts = kwargs.get("sambaopts")
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
- Option("--quiet", help="Be quiet", action="store_true"),
- Option("--verbose", help="Be verbose", action="store_true"),
+ Option("-q", "--quiet", help="Be quiet", action="store_true"), #unused
+ Option("-v", "--verbose", help="Be verbose", action="store_true"),
Option("--schema", type="choice", metavar="SCHEMA",
choices=["2012", "2012_R2"],
help="The schema file to upgrade to. Default is (Windows) 2012_R2.",
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
- Option("--quiet", help="Be quiet", action="store_true"),
- Option("--verbose", help="Be verbose", action="store_true"),
+ Option("-q", "--quiet", help="Be quiet", action="store_true"),
+ Option("-v", "--verbose", help="Be verbose", action="store_true"),
Option("--function-level", type="choice", metavar="FUNCTION_LEVEL",
choices=["2008_R2", "2012", "2012_R2"],
help="The schema file to upgrade to. Default is (Windows) 2012_R2.",
subcommands["tombstones"] = cmd_domain_tombstones()
subcommands["schemaupgrade"] = cmd_domain_schema_upgrade()
subcommands["functionalprep"] = cmd_domain_functional_prep()
+ subcommands["backup"] = cmd_domain_backup()