CommandError,
SuperCommand,
Option
- )
+)
from samba.netcmd.fsmo import get_fsmo_roleowner
from samba.netcmd.common import netcmd_get_domain_infos_via_cldap
from samba.samba3 import Samba3
UF_SERVER_TRUST_ACCOUNT,
UF_TRUSTED_FOR_DELEGATION,
UF_PARTIAL_SECRETS_ACCOUNT
- )
+)
from samba.provision import (
provision,
ProvisioningError,
DEFAULT_MIN_PWD_LENGTH,
setup_path
- )
+)
from samba.provision.common import (
FILL_FULL,
]
common_ntvfs_options = [
- Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
- action="store_true")
+ Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
+ action="store_true")
]
def get_testparm_var(testparm, smbconf, varname):
return ""
try:
- import samba.dckeytab
+ import samba.dckeytab
except ImportError:
- cmd_domain_export_keytab = None
+ cmd_domain_export_keytab = None
else:
- class cmd_domain_export_keytab(Command):
- """Dump Kerberos keys of the domain into a keytab."""
+ class cmd_domain_export_keytab(Command):
+ """Dump Kerberos keys of the domain into a keytab."""
- synopsis = "%prog <keytab> [options]"
+ synopsis = "%prog <keytab> [options]"
- takes_optiongroups = {
- "sambaopts": options.SambaOptions,
- "credopts": options.CredentialsOptions,
- "versionopts": options.VersionOptions,
- }
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
- takes_options = [
- Option("--principal", help="extract only this principal", type=str),
- ]
+ takes_options = [
+ Option("--principal", help="extract only this principal", type=str),
+ ]
- takes_args = ["keytab"]
+ takes_args = ["keytab"]
- def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None):
- lp = sambaopts.get_loadparm()
- net = Net(None, lp)
- net.export_keytab(keytab=keytab, principal=principal)
+ def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None):
+ lp = sambaopts.get_loadparm()
+ net = Net(None, lp)
+ net.export_keytab(keytab=keytab, principal=principal)
class cmd_domain_info(Command):
synopsis = "%prog <ip_address> [options]"
takes_options = [
- ]
+ ]
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
- }
+ }
takes_args = ["address"]
}
takes_options = [
- Option("--interactive", help="Ask for names", action="store_true"),
- Option("--domain", type="string", metavar="DOMAIN",
- help="NetBIOS domain name to use"),
- Option("--domain-guid", type="string", metavar="GUID",
- help="set domainguid (otherwise random)"),
- Option("--domain-sid", type="string", metavar="SID",
- help="set domainsid (otherwise random)"),
- Option("--ntds-guid", type="string", metavar="GUID",
- help="set NTDS object GUID (otherwise random)"),
- Option("--invocationid", type="string", metavar="GUID",
- help="set invocationid (otherwise random)"),
- Option("--host-name", type="string", metavar="HOSTNAME",
- help="set hostname"),
- Option("--host-ip", type="string", metavar="IPADDRESS",
- help="set IPv4 ipaddress"),
- Option("--host-ip6", type="string", metavar="IP6ADDRESS",
- help="set IPv6 ipaddress"),
- Option("--site", type="string", metavar="SITENAME",
- help="set site name"),
- Option("--adminpass", type="string", metavar="PASSWORD",
- help="choose admin password (otherwise random)"),
- Option("--krbtgtpass", type="string", metavar="PASSWORD",
- help="choose krbtgt password (otherwise random)"),
- Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
- choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"],
- help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), "
- "BIND9_FLATFILE uses bind9 text database to store zone information, "
- "BIND9_DLZ uses samba4 AD to store zone information, "
- "NONE skips the DNS setup entirely (not recommended)",
- default="SAMBA_INTERNAL"),
- Option("--dnspass", type="string", metavar="PASSWORD",
- help="choose dns password (otherwise random)"),
- Option("--root", type="string", metavar="USERNAME",
- help="choose 'root' unix username"),
- Option("--nobody", type="string", metavar="USERNAME",
- help="choose 'nobody' user"),
- Option("--users", type="string", metavar="GROUPNAME",
- help="choose 'users' group"),
- Option("--blank", action="store_true",
- help="do not add users or groups, just the structure"),
- Option("--server-role", type="choice", metavar="ROLE",
- choices=["domain controller", "dc", "member server", "member", "standalone"],
- help="The server role (domain controller | dc | member server | member | standalone). Default is dc.",
- default="domain controller"),
- Option("--function-level", type="choice", metavar="FOR-FUN-LEVEL",
- choices=["2000", "2003", "2008", "2008_R2"],
- help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2008_R2 Native.",
- default="2008_R2"),
- Option("--base-schema", type="choice", metavar="BASE-SCHEMA",
- choices=["2008_R2", "2008_R2_old", "2012", "2012_R2"],
- help="The base schema files to use. Default is (Windows) 2008_R2.",
- default="2008_R2"),
- Option("--next-rid", type="int", metavar="NEXTRID", default=1000,
- help="The initial nextRid value (only needed for upgrades). Default is 1000."),
- Option("--partitions-only",
- help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true"),
- Option("--use-rfc2307", action="store_true", help="Use AD to store posix attributes (default = no)"),
- ]
+ Option("--interactive", help="Ask for names", action="store_true"),
+ Option("--domain", type="string", metavar="DOMAIN",
+ help="NetBIOS domain name to use"),
+ Option("--domain-guid", type="string", metavar="GUID",
+ help="set domainguid (otherwise random)"),
+ Option("--domain-sid", type="string", metavar="SID",
+ help="set domainsid (otherwise random)"),
+ Option("--ntds-guid", type="string", metavar="GUID",
+ help="set NTDS object GUID (otherwise random)"),
+ Option("--invocationid", type="string", metavar="GUID",
+ help="set invocationid (otherwise random)"),
+ Option("--host-name", type="string", metavar="HOSTNAME",
+ help="set hostname"),
+ Option("--host-ip", type="string", metavar="IPADDRESS",
+ help="set IPv4 ipaddress"),
+ Option("--host-ip6", type="string", metavar="IP6ADDRESS",
+ help="set IPv6 ipaddress"),
+ Option("--site", type="string", metavar="SITENAME",
+ help="set site name"),
+ Option("--adminpass", type="string", metavar="PASSWORD",
+ help="choose admin password (otherwise random)"),
+ Option("--krbtgtpass", type="string", metavar="PASSWORD",
+ help="choose krbtgt password (otherwise random)"),
+ Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
+ choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"],
+ help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), "
+ "BIND9_FLATFILE uses bind9 text database to store zone information, "
+ "BIND9_DLZ uses samba4 AD to store zone information, "
+ "NONE skips the DNS setup entirely (not recommended)",
+ default="SAMBA_INTERNAL"),
+ Option("--dnspass", type="string", metavar="PASSWORD",
+ help="choose dns password (otherwise random)"),
+ Option("--root", type="string", metavar="USERNAME",
+ help="choose 'root' unix username"),
+ Option("--nobody", type="string", metavar="USERNAME",
+ help="choose 'nobody' user"),
+ Option("--users", type="string", metavar="GROUPNAME",
+ help="choose 'users' group"),
+ Option("--blank", action="store_true",
+ help="do not add users or groups, just the structure"),
+ Option("--server-role", type="choice", metavar="ROLE",
+ choices=["domain controller", "dc", "member server", "member", "standalone"],
+ help="The server role (domain controller | dc | member server | member | standalone). Default is dc.",
+ default="domain controller"),
+ Option("--function-level", type="choice", metavar="FOR-FUN-LEVEL",
+ choices=["2000", "2003", "2008", "2008_R2"],
+ help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2008_R2 Native.",
+ default="2008_R2"),
+ Option("--base-schema", type="choice", metavar="BASE-SCHEMA",
+ choices=["2008_R2", "2008_R2_old", "2012", "2012_R2"],
+ help="The base schema files to use. Default is (Windows) 2008_R2.",
+ default="2008_R2"),
+ Option("--next-rid", type="int", metavar="NEXTRID", default=1000,
+ help="The initial nextRid value (only needed for upgrades). Default is 1000."),
+ Option("--partitions-only",
+ help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true"),
+ Option("--use-rfc2307", action="store_true", help="Use AD to store posix attributes (default = no)"),
+ ]
openldap_options = [
Option("--ldapadminpass", type="string", metavar="PASSWORD",
help="Test initialisation support for unsupported LDAP backend type (fedora-ds or openldap) DO NOT USE",
choices=["fedora-ds", "openldap"]),
Option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
- help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with comma (\",\") for use with OpenLDAP-MMR (Multi-Master-Replication), e.g.: \"ldap://s4dc1:9000,ldap://s4dc2:9000\""),
+ help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with comma (\",\") for use with OpenLDAP-MMR (Multi-Master-Replication), e.g.: \"ldap://s4dc1:9000,ldap://s4dc2:9000\""),
Option("--ldap-dryrun-mode", help="Configure LDAP backend, but do not run any binaries and exit early. Used only for the test environment. DO NOT USE",
action="store_true"),
Option("--slapd-path", type="string", metavar="SLAPD-PATH",
Option("--ldap-backend-forced-uri", type="string", metavar="LDAP-BACKEND-FORCED-URI",
help="Force the LDAP backend connection to be to a particular URI. Use this ONLY for 'existing' backends, or when debugging the interaction with the LDAP backend and you need to intercept the LDA"),
Option("--ldap-backend-nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true"),
- ]
+ ]
ntvfs_options = [
Option("--use-xattrs", type="choice", choices=["yes","no","auto"],
backend_store = get_default_backend_store()
try:
result = provision(self.logger,
- session, smbconf=smbconf, targetdir=targetdir,
- samdb_fill=samdb_fill, realm=realm, domain=domain,
- domainguid=domain_guid, domainsid=domain_sid,
- hostname=host_name,
- hostip=host_ip, hostip6=host_ip6,
- sitename=site, ntdsguid=ntds_guid,
- invocationid=invocationid, adminpass=adminpass,
- krbtgtpass=krbtgtpass, machinepass=machinepass,
- dns_backend=dns_backend, dns_forwarder=dns_forwarder,
- dnspass=dnspass, root=root, nobody=nobody,
- users=users,
- serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
- backend_type=ldap_backend_type,
- ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls, slapd_path=slapd_path,
- useeadb=eadb, next_rid=next_rid, lp=lp, use_ntvfs=use_ntvfs,
- use_rfc2307=use_rfc2307, skip_sysvolacl=False,
- ldap_backend_extra_port=ldap_backend_extra_port,
- ldap_backend_forced_uri=ldap_backend_forced_uri,
- nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode,
- base_schema=base_schema,
- plaintext_secrets=plaintext_secrets,
- backend_store=backend_store)
+ session, smbconf=smbconf, targetdir=targetdir,
+ samdb_fill=samdb_fill, realm=realm, domain=domain,
+ domainguid=domain_guid, domainsid=domain_sid,
+ hostname=host_name,
+ hostip=host_ip, hostip6=host_ip6,
+ sitename=site, ntdsguid=ntds_guid,
+ invocationid=invocationid, adminpass=adminpass,
+ krbtgtpass=krbtgtpass, machinepass=machinepass,
+ dns_backend=dns_backend, dns_forwarder=dns_forwarder,
+ dnspass=dnspass, root=root, nobody=nobody,
+ users=users,
+ serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
+ backend_type=ldap_backend_type,
+ ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls, slapd_path=slapd_path,
+ useeadb=eadb, next_rid=next_rid, lp=lp, use_ntvfs=use_ntvfs,
+ use_rfc2307=use_rfc2307, skip_sysvolacl=False,
+ ldap_backend_extra_port=ldap_backend_extra_port,
+ ldap_backend_forced_uri=ldap_backend_forced_uri,
+ nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode,
+ base_schema=base_schema,
+ plaintext_secrets=plaintext_secrets,
+ backend_store=backend_store)
except ProvisioningError as e:
raise CommandError("Provision failed", e)
takes_options.extend(common_provision_join_options)
if samba.is_ntvfs_fileserver_built():
- takes_options.extend(common_ntvfs_options)
+ takes_options.extend(common_ntvfs_options)
takes_args = ["domain", "role?"]
netbios_name = lp.get("netbios name")
- if not role is None:
+ if role is not None:
role = role.upper()
if role == "DC":
Option("--parent-domain", help="parent domain to create subdomain under", type=str),
Option("--adminpass", type="string", metavar="PASSWORD",
help="choose adminstrator password when joining as a subdomain (otherwise random)"),
- ]
+ ]
ntvfs_options = [
Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
netbios_name = lp.get("netbios name")
- if not role is None:
+ if role is not None:
role = role.upper()
if role is None or role == "MEMBER":
"to remove ALL references to (rather than this DC)", type=str),
Option("-q", "--quiet", help="Be quiet", action="store_true"),
Option("-v", "--verbose", help="Be verbose", action="store_true"),
- ]
+ ]
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
- }
+ }
def run(self, sambaopts=None, credopts=None,
versionopts=None, server=None,
ntds_guid = samdb.get_ntds_GUID()
msg = samdb.search(base=str(samdb.get_config_basedn()),
- scope=ldb.SCOPE_SUBTREE, expression="(objectGUID=%s)" % ntds_guid,
- attrs=['options'])
+ scope=ldb.SCOPE_SUBTREE, expression="(objectGUID=%s)" % ntds_guid,
+ attrs=['options'])
if len(msg) == 0 or "options" not in msg[0]:
raise CommandError("Failed to find options on %s" % ntds_guid)
dsa_options = int(str(msg[0]['options']))
res = samdb.search(expression="(fSMORoleOwner=%s)" % str(ntds_dn),
- controls=["search_options:1:2"])
+ controls=["search_options:1:2"])
if len(res) != 0:
raise CommandError("Current DC is still the owner of %d role(s), "
self.errf.write("Asking partner server %s to synchronize from us\n"
% server)
for part in (samdb.get_schema_basedn(),
- samdb.get_config_basedn(),
- samdb.get_root_basedn()):
+ samdb.get_config_basedn(),
+ samdb.get_root_basedn()):
nc = drsuapi.DsReplicaObjectIdentifier()
nc.dn = str(part)
raise CommandError("Error while sending a DsReplicaSync for partition '%s'" % str(part), string)
try:
remote_samdb = SamDB(url="ldap://%s" % server,
- session_info=system_session(),
- credentials=creds, lp=lp)
+ session_info=system_session(),
+ credentials=creds, lp=lp)
self.errf.write("Changing userControl and container\n")
res = remote_samdb.search(base=str(remote_samdb.domain_dn()),
- expression="(&(objectClass=user)(sAMAccountName=%s$))" %
- netbios_name.upper(),
- attrs=["userAccountControl"])
+ expression="(&(objectClass=user)(sAMAccountName=%s$))" %
+ netbios_name.upper(),
+ attrs=["userAccountControl"])
dc_dn = res[0].dn
uac = int(str(res[0]["userAccountControl"]))
msg.dn = dc_dn
msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
- ldb.FLAG_MOD_REPLACE,
- "userAccountControl")
+ ldb.FLAG_MOD_REPLACE,
+ "userAccountControl")
try:
remote_samdb.modify(msg)
except Exception as e:
if (len(res) != 0):
res = remote_samdb.search(base=computer_dn, expression="%s-%d" % (rdn, i),
- scope=ldb.SCOPE_ONELEVEL)
+ scope=ldb.SCOPE_ONELEVEL)
while(len(res) != 0 and i < 100):
i = i + 1
res = remote_samdb.search(base=computer_dn, expression="%s-%d" % (rdn, i),
- scope=ldb.SCOPE_ONELEVEL)
+ scope=ldb.SCOPE_ONELEVEL)
if i == 100:
if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
msg.dn = dc_dn
msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
- ldb.FLAG_MOD_REPLACE,
- "userAccountControl")
+ ldb.FLAG_MOD_REPLACE,
+ "userAccountControl")
remote_samdb.modify(msg)
raise CommandError("Unable to find a slot for renaming %s,"
- " all names from %s-1 to %s-%d seemed used" %
- (str(dc_dn), rdn, rdn, i - 9))
+ " all names from %s-1 to %s-%d seemed used" %
+ (str(dc_dn), rdn, rdn, i - 9))
newrdn = "%s-%d" % (rdn, i)
msg.dn = dc_dn
msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
- ldb.FLAG_MOD_REPLACE,
- "userAccountControl")
+ ldb.FLAG_MOD_REPLACE,
+ "userAccountControl")
remote_samdb.modify(msg)
raise CommandError("Error while renaming %s to %s" % (str(dc_dn), str(newdn)), e)
"CN=NTFRS Subscriptions"):
try:
remote_samdb.delete(ldb.Dn(remote_samdb,
- "%s,%s" % (s, str(newdn))))
+ "%s,%s" % (s, str(newdn))))
except ldb.LdbError as l:
pass
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
- }
+ }
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
Option("-q", "--quiet", help="Be quiet", action="store_true"), # unused
Option("--forest-level", type="choice", choices=["2003", "2008", "2008_R2", "2012", "2012_R2"],
- help="The forest function level (2003 | 2008 | 2008_R2 | 2012 | 2012_R2)"),
+ help="The forest function level (2003 | 2008 | 2008_R2 | 2012 | 2012_R2)"),
Option("--domain-level", type="choice", choices=["2003", "2008", "2008_R2", "2012", "2012_R2"],
- help="The domain function level (2003 | 2008 | 2008_R2 | 2012 | 2012_R2)")
- ]
+ help="The domain function level (2003 | 2008 | 2008_R2 | 2012 | 2012_R2)")
+ ]
takes_args = ["subcommand"]
creds = credopts.get_credentials(lp, fallback_machine=True)
samdb = SamDB(url=H, session_info=system_session(),
- credentials=creds, lp=lp)
+ credentials=creds, lp=lp)
domain_dn = samdb.domain_dn()
res_forest = samdb.search("CN=Partitions,%s" % samdb.get_config_basedn(),
- scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"])
+ scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"])
assert len(res_forest) == 1
res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
- attrs=["msDS-Behavior-Version", "nTMixedDomain"])
+ attrs=["msDS-Behavior-Version", "nTMixedDomain"])
assert len(res_domain) == 1
res_dc_s = samdb.search("CN=Sites,%s" % samdb.get_config_basedn(),
- scope=ldb.SCOPE_SUBTREE, expression="(objectClass=nTDSDSA)",
- attrs=["msDS-Behavior-Version"])
+ scope=ldb.SCOPE_SUBTREE, expression="(objectClass=nTDSDSA)",
+ attrs=["msDS-Behavior-Version"])
assert len(res_dc_s) >= 1
# default values, since "msDS-Behavior-Version" does not exist on Windows 2000 AD
m = ldb.Message()
m.dn = ldb.Dn(samdb, domain_dn)
m["nTMixedDomain"] = ldb.MessageElement("0",
- ldb.FLAG_MOD_REPLACE, "nTMixedDomain")
+ ldb.FLAG_MOD_REPLACE, "nTMixedDomain")
samdb.modify(m)
# Under partitions
m = ldb.Message()
m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup") + ",CN=Partitions,%s" % samdb.get_config_basedn())
m["nTMixedDomain"] = ldb.MessageElement("0",
- ldb.FLAG_MOD_REPLACE, "nTMixedDomain")
+ ldb.FLAG_MOD_REPLACE, "nTMixedDomain")
try:
samdb.modify(m)
except ldb.LdbError as e:
m = ldb.Message()
m.dn = ldb.Dn(samdb, domain_dn)
m["msDS-Behavior-Version"]= ldb.MessageElement(
- str(new_level_domain), ldb.FLAG_MOD_REPLACE,
+ str(new_level_domain), ldb.FLAG_MOD_REPLACE,
"msDS-Behavior-Version")
samdb.modify(m)
# Under partitions
m = ldb.Message()
m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup")
- + ",CN=Partitions,%s" % samdb.get_config_basedn())
+ + ",CN=Partitions,%s" % samdb.get_config_basedn())
m["msDS-Behavior-Version"]= ldb.MessageElement(
- str(new_level_domain), ldb.FLAG_MOD_REPLACE,
+ str(new_level_domain), ldb.FLAG_MOD_REPLACE,
"msDS-Behavior-Version")
try:
samdb.modify(m)
m = ldb.Message()
m.dn = ldb.Dn(samdb, "CN=Partitions,%s" % samdb.get_config_basedn())
m["msDS-Behavior-Version"]= ldb.MessageElement(
- str(new_level_forest), ldb.FLAG_MOD_REPLACE,
+ str(new_level_forest), ldb.FLAG_MOD_REPLACE,
"msDS-Behavior-Version")
samdb.modify(m)
msgs.append("Forest function level changed!")
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
- }
+ }
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
- credentials=creds, lp=lp)
+ credentials=creds, lp=lp)
domain_dn = samdb.domain_dn()
res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
- attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength",
- "minPwdAge", "maxPwdAge", "lockoutDuration", "lockoutThreshold",
- "lockOutObservationWindow"])
+ attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength",
+ "minPwdAge", "maxPwdAge", "lockoutDuration", "lockoutThreshold",
+ "lockOutObservationWindow"])
assert(len(res) == 1)
try:
pwd_props = int(res[0]["pwdProperties"][0])
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
- }
+ }
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
Option("-q", "--quiet", help="Be quiet", action="store_true"), # unused
Option("--complexity", type="choice", choices=["on","off","default"],
- help="The password complexity (on | off | default). Default is 'on'"),
+ help="The password complexity (on | off | default). Default is 'on'"),
Option("--store-plaintext", type="choice", choices=["on","off","default"],
- help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
+ help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
Option("--history-length",
- help="The password history length (<integer> | default). Default is 24.", type=str),
+ help="The password history length (<integer> | default). Default is 24.", type=str),
Option("--min-pwd-length",
- help="The minimum password length (<integer> | default). Default is 7.", type=str),
+ help="The minimum password length (<integer> | default). Default is 7.", type=str),
Option("--min-pwd-age",
- help="The minimum password age (<integer in days> | default). Default is 1.", type=str),
+ help="The minimum password age (<integer in days> | default). Default is 1.", type=str),
Option("--max-pwd-age",
- help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
+ help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
Option("--account-lockout-duration",
- help="The the length of time an account is locked out after exeeding the limit on bad password attempts (<integer in mins> | default). Default is 30 mins.", type=str),
+ help="The the length of time an account is locked out after exeeding the limit on bad password attempts (<integer in mins> | default). Default is 30 mins.", type=str),
Option("--account-lockout-threshold",
- help="The number of bad password attempts allowed before locking out the account (<integer> | default). Default is 0 (never lock out).", type=str),
+ help="The number of bad password attempts allowed before locking out the account (<integer> | default). Default is 0 (never lock out).", type=str),
Option("--reset-account-lockout-after",
- help="After this time is elapsed, the recorded number of attempts restarts from zero (<integer> | default). Default is 30.", type=str),
- ]
+ help="After this time is elapsed, the recorded number of attempts restarts from zero (<integer> | default). Default is 30.", type=str),
+ ]
def run(self, H=None, min_pwd_age=None, max_pwd_age=None,
quiet=False, complexity=None, store_plaintext=None, history_length=None,
creds = credopts.get_credentials(lp)
samdb = SamDB(url=H, session_info=system_session(),
- credentials=creds, lp=lp)
+ credentials=creds, lp=lp)
domain_dn = samdb.domain_dn()
msgs = []
if complexity is not None or store_plaintext is not None:
m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
- ldb.FLAG_MOD_REPLACE, "pwdProperties")
+ ldb.FLAG_MOD_REPLACE, "pwdProperties")
if history_length is not None:
if history_length == "default":
raise CommandError("Password history length must be in the range of 0 to 24!")
m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
- ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
+ ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
msgs.append("Password history length changed!")
if min_pwd_length is not None:
raise CommandError("Minimum password length must be in the range of 0 to 14!")
m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
- ldb.FLAG_MOD_REPLACE, "minPwdLength")
+ ldb.FLAG_MOD_REPLACE, "minPwdLength")
msgs.append("Minimum password length changed!")
if min_pwd_age is not None:
min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
- ldb.FLAG_MOD_REPLACE, "minPwdAge")
+ ldb.FLAG_MOD_REPLACE, "minPwdAge")
msgs.append("Minimum password age changed!")
if max_pwd_age is not None:
max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
- ldb.FLAG_MOD_REPLACE, "maxPwdAge")
+ ldb.FLAG_MOD_REPLACE, "maxPwdAge")
msgs.append("Maximum password age changed!")
if account_lockout_duration is not None:
account_lockout_duration_ticks = -int(account_lockout_duration * (60 * 1e7))
m["lockoutDuration"] = ldb.MessageElement(str(account_lockout_duration_ticks),
- ldb.FLAG_MOD_REPLACE, "lockoutDuration")
+ ldb.FLAG_MOD_REPLACE, "lockoutDuration")
msgs.append("Account lockout duration changed!")
if account_lockout_threshold is not None:
account_lockout_threshold = int(account_lockout_threshold)
m["lockoutThreshold"] = ldb.MessageElement(str(account_lockout_threshold),
- ldb.FLAG_MOD_REPLACE, "lockoutThreshold")
+ ldb.FLAG_MOD_REPLACE, "lockoutThreshold")
msgs.append("Account lockout threshold changed!")
if reset_account_lockout_after is not None:
reset_account_lockout_after_ticks = -int(reset_account_lockout_after * (60 * 1e7))
m["lockOutObservationWindow"] = ldb.MessageElement(str(reset_account_lockout_after_ticks),
- ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow")
+ ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow")
msgs.append("Duration to reset account lockout after changed!")
if max_pwd_age and max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
takes_options = [
Option("--dbdir", type="string", metavar="DIR",
- help="Path to samba classic DC database directory"),
+ help="Path to samba classic DC database directory"),
Option("--testparm", type="string", metavar="PATH",
- help="Path to samba classic DC testparm utility from the previous installation. This allows the default paths of the previous installation to be followed"),
+ help="Path to samba classic DC testparm utility from the previous installation. This allows the default paths of the previous installation to be followed"),
Option("--targetdir", type="string", metavar="DIR",
- help="Path prefix where the new Samba 4.0 AD domain should be initialised"),
+ help="Path prefix where the new Samba 4.0 AD domain should be initialised"),
Option("-q", "--quiet", help="Be quiet", action="store_true"),
Option("-v", "--verbose", help="Be verbose", action="store_true"),
Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"],
help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), "
- "BIND9_FLATFILE uses bind9 text database to store zone information, "
- "BIND9_DLZ uses samba4 AD to store zone information, "
- "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
+ "BIND9_FLATFILE uses bind9 text database to store zone information, "
+ "BIND9_DLZ uses samba4 AD to store zone information, "
+ "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
default="SAMBA_INTERNAL")
]
try:
try:
samba.ntacls.setntacl(lp, tmpfile.name,
- "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
+ "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
eadb = False
except Exception:
# FIXME: Don't catch all exceptions here
nbt.NBT_SERVER_FOREST_ROOT: "FOREST_ROOT",
}
server_type_string = self.generic_bitmap_to_string(flag_map,
- remote_info.server_type, names_only=True)
+ remote_info.server_type, names_only=True)
self.outf.write("RemoteDC Netbios[%s] DNS[%s] ServerType[%s]\n" % (
remote_info.pdc_name,
remote_info.pdc_dns_name,
return (policy, info)
+ def get_netlogon_dc_unc(self, conn, server, domain):
+ try:
+ info = conn.netr_DsRGetDCNameEx2(server,
+ None, 0, None, None, None,
+ netlogon.DS_RETURN_DNS_NAME)
+ return info.dc_unc
+ except RuntimeError:
+ return conn.netr_GetDcName(server, domain)
+
def get_netlogon_dc_info(self, conn, server):
info = conn.netr_DsRGetDCNameEx2(server,
None, 0, None, None, None,
def netr_DomainTrust_to_name(self, t):
if t.trust_type == lsa.LSA_TRUST_TYPE_DOWNLEVEL:
- return t.netbios_name
+ return t.netbios_name
return t.dns_name
primary = None
primary_parent = None
for _t in a:
- if _t.trust_flags & netlogon.NETR_TRUST_FLAG_PRIMARY:
- primary = _t
- if not _t.trust_flags & netlogon.NETR_TRUST_FLAG_TREEROOT:
- primary_parent = a[_t.parent_index]
- break
+ if _t.trust_flags & netlogon.NETR_TRUST_FLAG_PRIMARY:
+ primary = _t
+ if not _t.trust_flags & netlogon.NETR_TRUST_FLAG_TREEROOT:
+ primary_parent = a[_t.parent_index]
+ break
if t.trust_flags & netlogon.NETR_TRUST_FLAG_IN_FOREST:
if t is primary_parent:
}
takes_options = [
- ]
+ ]
def run(self, sambaopts=None, versionopts=None, localdcopts=None):
raise self.LocalRuntimeError(self, error, "failed to connect netlogon server")
try:
- local_netlogon_trusts = local_netlogon.netr_DsrEnumerateDomainTrusts(local_server,
- netlogon.NETR_TRUST_FLAG_IN_FOREST |
- netlogon.NETR_TRUST_FLAG_OUTBOUND |
- netlogon.NETR_TRUST_FLAG_INBOUND)
+ local_netlogon_trusts = \
+ local_netlogon.netr_DsrEnumerateDomainTrusts(local_server,
+ netlogon.NETR_TRUST_FLAG_IN_FOREST |
+ netlogon.NETR_TRUST_FLAG_OUTBOUND |
+ netlogon.NETR_TRUST_FLAG_INBOUND)
except RuntimeError as error:
if self.check_runtime_error(error, werror.WERR_RPC_S_PROCNUM_OUT_OF_RANGE):
# TODO: we could implement a fallback to lsa.EnumTrustDom()
}
takes_options = [
- ]
+ ]
takes_args = ["domain"]
lsaString = lsa.String()
lsaString.string = domain
try:
- local_tdo_full = local_lsa.QueryTrustedDomainInfoByName(local_policy,
- lsaString, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+ local_tdo_full = \
+ local_lsa.QueryTrustedDomainInfoByName(local_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
local_tdo_info = local_tdo_full.info_ex
local_tdo_posix = local_tdo_full.posix_offset
except NTSTATUSError as error:
raise self.LocalRuntimeError(self, error, "QueryTrustedDomainInfoByName(FULL_INFO) failed")
try:
- local_tdo_enctypes = local_lsa.QueryTrustedDomainInfoByName(local_policy,
- lsaString, lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES)
+ local_tdo_enctypes = \
+ local_lsa.QueryTrustedDomainInfoByName(local_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES)
except NTSTATUSError as error:
if self.check_runtime_error(error, ntstatus.NT_STATUS_INVALID_PARAMETER):
error = None
if error is not None:
raise self.LocalRuntimeError(self, error,
- "QueryTrustedDomainInfoByName(SUPPORTED_ENCRYPTION_TYPES) failed")
+ "QueryTrustedDomainInfoByName(SUPPORTED_ENCRYPTION_TYPES) failed")
local_tdo_enctypes = lsa.TrustDomainInfoSupportedEncTypes()
local_tdo_enctypes.enc_types = 0
try:
local_tdo_forest = None
if local_tdo_info.trust_attributes & lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
- local_tdo_forest = local_lsa.lsaRQueryForestTrustInformation(local_policy,
- lsaString, lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
+ local_tdo_forest = \
+ local_lsa.lsaRQueryForestTrustInformation(local_policy,
+ lsaString,
+ lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
except RuntimeError as error:
if self.check_runtime_error(error, ntstatus.NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE):
error = None
help="Skip validation of the trust.",
dest='validate',
default=True),
- ]
+ ]
takes_args = ["domain"]
try:
lsaString.string = local_trust_info.domain_name.string
- local_old_netbios = local_lsa.QueryTrustedDomainInfoByName(local_policy,
- lsaString, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+ local_old_netbios = \
+ local_lsa.QueryTrustedDomainInfoByName(local_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
raise CommandError("TrustedDomain %s already exist'" % lsaString.string)
except NTSTATUSError as error:
if not self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise self.LocalRuntimeError(self, error,
- "QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
- lsaString.string))
+ "QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
+ lsaString.string))
try:
lsaString.string = local_trust_info.netbios_name.string
- local_old_dns = local_lsa.QueryTrustedDomainInfoByName(local_policy,
- lsaString, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+ local_old_dns = \
+ local_lsa.QueryTrustedDomainInfoByName(local_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
raise CommandError("TrustedDomain %s already exist'" % lsaString.string)
except NTSTATUSError as error:
if not self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise self.LocalRuntimeError(self, error,
- "QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
- lsaString.string))
+ "QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
+ lsaString.string))
if remote_trust_info:
try:
lsaString.string = remote_trust_info.domain_name.string
- remote_old_netbios = remote_lsa.QueryTrustedDomainInfoByName(remote_policy,
- lsaString, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+ remote_old_netbios = \
+ remote_lsa.QueryTrustedDomainInfoByName(remote_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
raise CommandError("TrustedDomain %s already exist'" % lsaString.string)
except NTSTATUSError as error:
if not self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise self.RemoteRuntimeError(self, error,
- "QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
- lsaString.string))
+ "QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
+ lsaString.string))
try:
lsaString.string = remote_trust_info.netbios_name.string
- remote_old_dns = remote_lsa.QueryTrustedDomainInfoByName(remote_policy,
- lsaString, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+ remote_old_dns = \
+ remote_lsa.QueryTrustedDomainInfoByName(remote_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
raise CommandError("TrustedDomain %s already exist'" % lsaString.string)
except NTSTATUSError as error:
if not self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise self.RemoteRuntimeError(self, error,
- "QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
- lsaString.string))
+ "QueryTrustedDomainInfoByName(%s, FULL_INFO) failed" % (
+ lsaString.string))
try:
local_netlogon = self.new_local_netlogon_connection()
raise self.RemoteRuntimeError(self, error, "failed to connect netlogon server")
try:
- remote_netlogon_info = self.get_netlogon_dc_info(remote_netlogon, remote_server)
+ remote_netlogon_dc_unc = self.get_netlogon_dc_unc(remote_netlogon,
+ remote_server, domain)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "failed to get netlogon dc info")
if remote_trust_info:
self.outf.write("Creating remote TDO.\n")
current_request = { "location": "remote", "name": "CreateTrustedDomainEx2"}
- remote_tdo_handle = remote_lsa.CreateTrustedDomainEx2(remote_policy,
- remote_trust_info,
- remote_auth_info,
- lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS)
+ remote_tdo_handle = \
+ remote_lsa.CreateTrustedDomainEx2(remote_policy,
+ remote_trust_info,
+ remote_auth_info,
+ lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS)
self.outf.write("Remote TDO created.\n")
if enc_types:
self.outf.write("Setting supported encryption types on remote TDO.\n")
self.outf.write("Creating local TDO.\n")
current_request = { "location": "local", "name": "CreateTrustedDomainEx2"}
local_tdo_handle = local_lsa.CreateTrustedDomainEx2(local_policy,
- local_trust_info,
- local_auth_info,
- lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS)
+ local_trust_info,
+ local_auth_info,
+ lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS)
self.outf.write("Local TDO created\n")
if enc_types:
self.outf.write("Setting supported encryption types on local TDO.\n")
# this triggers netr_GetForestTrustInformation to the remote domain
# and lsaRSetForestTrustInformation() locally, but new top level
# names are disabled by default.
- local_forest_info = local_netlogon.netr_DsRGetForestTrustInformation(local_netlogon_info.dc_unc,
- remote_lsa_info.dns_domain.string,
- netlogon.DS_GFTI_UPDATE_TDO)
+ local_forest_info = \
+ local_netlogon.netr_DsRGetForestTrustInformation(local_netlogon_info.dc_unc,
+ remote_lsa_info.dns_domain.string,
+ netlogon.DS_GFTI_UPDATE_TDO)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "netr_DsRGetForestTrustInformation() failed")
try:
# here we try to enable all top level names
- local_forest_collision = local_lsa.lsaRSetForestTrustInformation(local_policy,
- remote_lsa_info.dns_domain,
- lsa.LSA_FOREST_TRUST_DOMAIN_INFO,
- local_forest_info,
- 0)
+ local_forest_collision = \
+ local_lsa.lsaRSetForestTrustInformation(local_policy,
+ remote_lsa_info.dns_domain,
+ lsa.LSA_FOREST_TRUST_DOMAIN_INFO,
+ local_forest_info,
+ 0)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "lsaRSetForestTrustInformation() failed")
# this triggers netr_GetForestTrustInformation to our domain.
# and lsaRSetForestTrustInformation() remotely, but new top level
# names are disabled by default.
- remote_forest_info = remote_netlogon.netr_DsRGetForestTrustInformation(remote_netlogon_info.dc_unc,
- local_lsa_info.dns_domain.string,
- netlogon.DS_GFTI_UPDATE_TDO)
+ remote_forest_info = \
+ remote_netlogon.netr_DsRGetForestTrustInformation(remote_netlogon_dc_unc,
+ local_lsa_info.dns_domain.string,
+ netlogon.DS_GFTI_UPDATE_TDO)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "netr_DsRGetForestTrustInformation() failed")
try:
# here we try to enable all top level names
- remote_forest_collision = remote_lsa.lsaRSetForestTrustInformation(remote_policy,
- local_lsa_info.dns_domain,
- lsa.LSA_FOREST_TRUST_DOMAIN_INFO,
- remote_forest_info,
- 0)
+ remote_forest_collision = \
+ remote_lsa.lsaRSetForestTrustInformation(remote_policy,
+ local_lsa_info.dns_domain,
+ lsa.LSA_FOREST_TRUST_DOMAIN_INFO,
+ remote_forest_info,
+ 0)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "lsaRSetForestTrustInformation() failed")
self.outf.write("Validating outgoing trust...\n")
try:
local_trust_verify = local_netlogon.netr_LogonControl2Ex(local_netlogon_info.dc_unc,
- netlogon.NETLOGON_CONTROL_TC_VERIFY,
- 2,
- remote_lsa_info.dns_domain.string)
+ netlogon.NETLOGON_CONTROL_TC_VERIFY,
+ 2,
+ remote_lsa_info.dns_domain.string)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "NETLOGON_CONTROL_TC_VERIFY failed")
if remote_trust_info.trust_direction & lsa.LSA_TRUST_DIRECTION_OUTBOUND:
self.outf.write("Validating incoming trust...\n")
try:
- remote_trust_verify = remote_netlogon.netr_LogonControl2Ex(remote_netlogon_info.dc_unc,
- netlogon.NETLOGON_CONTROL_TC_VERIFY,
- 2,
- local_lsa_info.dns_domain.string)
+ remote_trust_verify = \
+ remote_netlogon.netr_LogonControl2Ex(remote_netlogon_dc_unc,
+ netlogon.NETLOGON_CONTROL_TC_VERIFY,
+ 2,
+ local_lsa_info.dns_domain.string)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "NETLOGON_CONTROL_TC_VERIFY failed")
help="Where to delete the trusted domain object: 'local' or 'both'.",
dest='delete_location',
default="both"),
- ]
+ ]
takes_args = ["domain"]
try:
lsaString.string = domain
local_tdo_info = local_lsa.QueryTrustedDomainInfoByName(local_policy,
- lsaString, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX)
+ lsaString, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX)
except NTSTATUSError as error:
if self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise CommandError("Failed to find trust for domain '%s'" % domain)
try:
lsaString.string = local_lsa_info.dns_domain.string
- remote_tdo_info = remote_lsa.QueryTrustedDomainInfoByName(remote_policy,
- lsaString, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX)
+ remote_tdo_info = \
+ remote_lsa.QueryTrustedDomainInfoByName(remote_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX)
except NTSTATUSError as error:
if not self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise self.RemoteRuntimeError(self, error, "QueryTrustedDomainInfoByName(%s)" % (
if local_tdo_info is not None:
try:
lsaString.string = local_tdo_info.domain_name.string
- local_tdo_handle = local_lsa.OpenTrustedDomainByName(local_policy,
- lsaString,
- security.SEC_STD_DELETE)
+ local_tdo_handle = \
+ local_lsa.OpenTrustedDomainByName(local_policy,
+ lsaString,
+ security.SEC_STD_DELETE)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "OpenTrustedDomainByName(%s)" % (
lsaString.string))
if remote_tdo_info is not None:
try:
lsaString.string = remote_tdo_info.domain_name.string
- remote_tdo_handle = remote_lsa.OpenTrustedDomainByName(remote_policy,
- lsaString,
- security.SEC_STD_DELETE)
+ remote_tdo_handle = \
+ remote_lsa.OpenTrustedDomainByName(remote_policy,
+ lsaString,
+ security.SEC_STD_DELETE)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "OpenTrustedDomainByName(%s)" % (
lsaString.string))
help="Where to validate the trusted domain object: 'local' or 'both'.",
dest='validate_location',
default="both"),
- ]
+ ]
takes_args = ["domain"]
try:
lsaString = lsa.String()
lsaString.string = domain
- local_tdo_info = local_lsa.QueryTrustedDomainInfoByName(local_policy,
- lsaString, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX)
+ local_tdo_info = \
+ local_lsa.QueryTrustedDomainInfoByName(local_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX)
except NTSTATUSError as error:
if self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise CommandError("trusted domain object does not exist for domain [%s]" % domain)
raise self.LocalRuntimeError(self, error, "failed to connect netlogon server")
try:
- local_trust_verify = local_netlogon.netr_LogonControl2Ex(local_server,
- netlogon.NETLOGON_CONTROL_TC_VERIFY,
- 2,
- local_tdo_info.domain_name.string)
+ local_trust_verify = \
+ local_netlogon.netr_LogonControl2Ex(local_server,
+ netlogon.NETLOGON_CONTROL_TC_VERIFY,
+ 2,
+ local_tdo_info.domain_name.string)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "NETLOGON_CONTROL_TC_VERIFY failed")
try:
server = local_trust_verify.trusted_dc_name.replace('\\', '')
domain_and_server = "%s\\%s" % (local_tdo_info.domain_name.string, server)
- local_trust_rediscover = local_netlogon.netr_LogonControl2Ex(local_server,
- netlogon.NETLOGON_CONTROL_REDISCOVER,
- 2,
- domain_and_server)
+ local_trust_rediscover = \
+ local_netlogon.netr_LogonControl2Ex(local_server,
+ netlogon.NETLOGON_CONTROL_REDISCOVER,
+ 2,
+ domain_and_server)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "NETLOGON_CONTROL_REDISCOVER failed")
raise self.RemoteRuntimeError(self, error, "failed to connect netlogon server")
try:
- remote_trust_verify = remote_netlogon.netr_LogonControl2Ex(remote_server,
- netlogon.NETLOGON_CONTROL_TC_VERIFY,
- 2,
- local_lsa_info.dns_domain.string)
+ remote_trust_verify = \
+ remote_netlogon.netr_LogonControl2Ex(remote_server,
+ netlogon.NETLOGON_CONTROL_TC_VERIFY,
+ 2,
+ local_lsa_info.dns_domain.string)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "NETLOGON_CONTROL_TC_VERIFY failed")
try:
server = remote_trust_verify.trusted_dc_name.replace('\\', '')
domain_and_server = "%s\\%s" % (local_lsa_info.dns_domain.string, server)
- remote_trust_rediscover = remote_netlogon.netr_LogonControl2Ex(remote_server,
- netlogon.NETLOGON_CONTROL_REDISCOVER,
- 2,
- domain_and_server)
+ remote_trust_rediscover = \
+ remote_netlogon.netr_LogonControl2Ex(remote_server,
+ netlogon.NETLOGON_CONTROL_REDISCOVER,
+ 2,
+ domain_and_server)
except RuntimeError as error:
raise self.RemoteRuntimeError(self, error, "NETLOGON_CONTROL_REDISCOVER failed")
help="Delete an existing msDS-SPNSuffixes attribute of the local forest. Can be specified multiple times.",
dest='delete_spn',
default=[]),
- ]
+ ]
takes_args = ["domain?"]
self.outf.write("Stored uPNSuffixes attributes[%d]:\n" % len(stored_upn_vals))
for v in stored_upn_vals:
- self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
+ self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
self.outf.write("Stored msDS-SPNSuffixes attributes[%d]:\n" % len(stored_spn_vals))
for v in stored_spn_vals:
- self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
+ self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
if not require_update:
return
self.outf.write("Update uPNSuffixes attributes[%d]:\n" % len(update_upn_vals))
for v in update_upn_vals:
- self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
+ self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
self.outf.write("Update msDS-SPNSuffixes attributes[%d]:\n" % len(update_spn_vals))
for v in update_spn_vals:
- self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
+ self.outf.write("TLN: %-32s DNS[*.%s]\n" % ("", v))
update_msg = ldb.Message()
update_msg.dn = stored_msg.dn
if replace_upn:
update_msg['uPNSuffixes'] = ldb.MessageElement(update_upn_vals,
- ldb.FLAG_MOD_REPLACE,
- 'uPNSuffixes')
+ ldb.FLAG_MOD_REPLACE,
+ 'uPNSuffixes')
if replace_spn:
update_msg['msDS-SPNSuffixes'] = ldb.MessageElement(update_spn_vals,
ldb.FLAG_MOD_REPLACE,
try:
stored_forest_info = local_netlogon.netr_DsRGetForestTrustInformation(local_netlogon_info.dc_unc,
- None, 0)
+ None, 0)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "netr_DsRGetForestTrustInformation() failed")
try:
lsaString = lsa.String()
lsaString.string = domain
- local_tdo_info = local_lsa.QueryTrustedDomainInfoByName(local_policy,
- lsaString, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX)
+ local_tdo_info = \
+ local_lsa.QueryTrustedDomainInfoByName(local_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX)
except NTSTATUSError as error:
if self.check_runtime_error(error, ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND):
raise CommandError("trusted domain object does not exist for domain [%s]" % domain)
# this triggers netr_GetForestTrustInformation to the remote domain
# and lsaRSetForestTrustInformation() locally, but new top level
# names are disabled by default.
- fresh_forest_info = local_netlogon.netr_DsRGetForestTrustInformation(local_netlogon_info.dc_unc,
- local_tdo_info.domain_name.string,
- netlogon_update_tdo)
+ fresh_forest_info = \
+ local_netlogon.netr_DsRGetForestTrustInformation(local_netlogon_info.dc_unc,
+ local_tdo_info.domain_name.string,
+ netlogon_update_tdo)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "netr_DsRGetForestTrustInformation() failed")
try:
- fresh_forest_collision = local_lsa.lsaRSetForestTrustInformation(local_policy,
- local_tdo_info.domain_name,
- lsa.LSA_FOREST_TRUST_DOMAIN_INFO,
- fresh_forest_info,
- lsa_update_check)
+ fresh_forest_collision = \
+ local_lsa.lsaRSetForestTrustInformation(local_policy,
+ local_tdo_info.domain_name,
+ lsa.LSA_FOREST_TRUST_DOMAIN_INFO,
+ fresh_forest_info,
+ lsa_update_check)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "lsaRSetForestTrustInformation() failed")
try:
lsaString = lsa.String()
lsaString.string = local_tdo_info.domain_name.string
- stored_forest_info = local_lsa.lsaRQueryForestTrustInformation(local_policy,
+ stored_forest_info = \
+ local_lsa.lsaRQueryForestTrustInformation(local_policy,
lsaString,
lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
except RuntimeError as error:
try:
lsaString = lsa.String()
lsaString.string = local_tdo_info.domain_name.string
- local_forest_info = local_lsa.lsaRQueryForestTrustInformation(local_policy,
- lsaString,
- lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
+ local_forest_info = \
+ local_lsa.lsaRQueryForestTrustInformation(local_policy,
+ lsaString,
+ lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "lsaRQueryForestTrustInformation() failed")
try:
update_forest_collision = local_lsa.lsaRSetForestTrustInformation(local_policy,
- local_tdo_info.domain_name,
- lsa.LSA_FOREST_TRUST_DOMAIN_INFO,
- update_forest_info, 0)
+ local_tdo_info.domain_name,
+ lsa.LSA_FOREST_TRUST_DOMAIN_INFO,
+ update_forest_info, 0)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "lsaRSetForestTrustInformation() failed")
lsaString = lsa.String()
lsaString.string = local_tdo_info.domain_name.string
stored_forest_info = local_lsa.lsaRQueryForestTrustInformation(local_policy,
- lsaString,
- lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
+ lsaString,
+ lsa.LSA_FOREST_TRUST_DOMAIN_INFO)
except RuntimeError as error:
raise self.LocalRuntimeError(self, error, "lsaRQueryForestTrustInformation() failed")
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
- metavar="URL", dest="H"),
+ metavar="URL", dest="H"),
Option("--current-time",
- help="The current time to evaluate the tombstone lifetime from, expressed as YYYY-MM-DD",
- type=str),
+ help="The current time to evaluate the tombstone lifetime from, expressed as YYYY-MM-DD",
+ type=str),
Option("--tombstone-lifetime", help="Number of days a tombstone should be preserved for", type=int),
]
"sambaopts": options.SambaOptions,
"credopts": options.CredentialsOptions,
"versionopts": options.VersionOptions,
- }
+ }
def run(self, *ncs, **kwargs):
sambaopts = kwargs.get("sambaopts")
if len(ncs) == 0:
res = samdb.search(expression="", base="", scope=ldb.SCOPE_BASE,
- attrs=["namingContexts"])
+ attrs=["namingContexts"])
ncs = []
for nc in res[0]["namingContexts"]:
help="The schema file to upgrade to. Default is (Windows) 2012_R2.",
default="2012_R2"),
Option("--ldf-file", type=str, default=None,
- help="Just apply the schema updates in the adprep/.LDF file(s) specified"),
+ help="Just apply the schema updates in the adprep/.LDF file(s) specified"),
Option("--base-dir", type=str, default=None,
help="Location of ldf files Default is ${SETUPDIR}/adprep.")
]
domain_dn = samdb.domain_dn()
infrastructure_dn = "CN=Infrastructure," + domain_dn
master = get_fsmo_roleowner(samdb, infrastructure_dn,
- 'infrastructure')
+ 'infrastructure')
if own_dn != master:
raise CommandError("This server is not the infrastructure master.")