# Copyright Andrew Kroeger 2009
# Copyright Jelmer Vernooij 2009
# Copyright Giampaolo Lauria 2011
+# Copyright Matthieu Patou <mat@matws.net> 2011
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
import samba.getopt as options
import ldb
+import string
import os
import tempfile
import logging
-from samba import Ldb
from samba.net import Net, LIBNET_JOIN_AUTOMATIC
import samba.ntacls
from samba.join import join_RODC, join_DC, join_subdomain
from samba.auth import system_session
from samba.samdb import SamDB
+from samba.dcerpc import drsuapi
from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT
from samba.netcmd import (
Command,
SuperCommand,
Option
)
+from samba.netcmd.common import netcmd_get_domain_infos_via_cldap
from samba.samba3 import Samba3
from samba.samba3 import param as s3param
from samba.upgrade import upgrade_from_samba3
+from samba.drs_utils import (
+ sendDsReplicaSync, drsuapi_connect, drsException,
+ sendRemoveDsServer)
+
from samba.dsdb import (
DS_DOMAIN_FUNCTION_2000,
DS_DOMAIN_FUNCTION_2003_MIXED,
DS_DOMAIN_FUNCTION_2008,
DS_DOMAIN_FUNCTION_2008_R2,
+ DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL,
+ DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL,
+ UF_WORKSTATION_TRUST_ACCOUNT,
+ UF_SERVER_TRUST_ACCOUNT,
+ UF_TRUSTED_FOR_DELEGATION
)
def get_testparm_var(testparm, smbconf, varname):
synopsis = "%prog <keytab> [options]"
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
takes_options = [
+ Option("--principal", help="extract only this principal", type=str),
]
takes_args = ["keytab"]
- def run(self, keytab, credopts=None, sambaopts=None, versionopts=None):
+ def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None):
lp = sambaopts.get_loadparm()
- net = Net(None, lp, server=credopts.ipaddress)
- net.export_keytab(keytab=keytab)
+ net = Net(None, lp)
+ net.export_keytab(keytab=keytab, principal=principal)
+
+
+class cmd_domain_info(Command):
+ """Print basic info about a domain and the DC passed as parameter"""
+
+ synopsis = "%prog domain info <ip_address> [options]"
+ takes_options = [
+ ]
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ takes_args = ["address"]
+
+ def run(self, address, credopts=None, sambaopts=None, versionopts=None):
+ lp = sambaopts.get_loadparm()
+ try:
+ res = netcmd_get_domain_infos_via_cldap(lp, None, address)
+ print "Forest : %s" % res.forest
+ print "Domain : %s" % res.dns_domain
+ print "Netbios domain : %s" % res.domain_name
+ print "DC name : %s" % res.pdc_dns_name
+ print "DC netbios name : %s" % res.pdc_name
+ print "Server site : %s" % res.server_site
+ print "Client site : %s" % res.client_site
+ except RuntimeError:
+ raise CommandError("Invalid IP address '" + address + "'!")
class cmd_domain_join(Command):
synopsis = "%prog <dnsdomain> [DC|RODC|MEMBER|SUBDOMAIN] [options]"
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
takes_options = [
Option("--server", help="DC to join", type=str),
Option("--site", help="site to join", type=str),
Option("--domain-critical-only",
help="only replicate critical domain objects",
action="store_true"),
+ Option("--machinepass", type=str, metavar="PASSWORD",
+ help="choose machine password (otherwise random)")
]
takes_args = ["domain", "role?"]
def run(self, domain, role=None, sambaopts=None, credopts=None,
versionopts=None, server=None, site=None, targetdir=None,
- domain_critical_only=False, parent_domain=None):
+ domain_critical_only=False, parent_domain=None, machinepass=None):
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
net = Net(creds, lp, server=credopts.ipaddress)
if role is None or role == "MEMBER":
(join_password, sid, domain_name) = net.join_member(domain,
netbios_name,
- LIBNET_JOIN_AUTOMATIC)
+ LIBNET_JOIN_AUTOMATIC,
+ machinepass=machinepass)
self.outf.write("Joined domain %s (%s)\n" % (domain_name, sid))
return
elif role == "DC":
join_DC(server=server, creds=creds, lp=lp, domain=domain,
site=site, netbios_name=netbios_name, targetdir=targetdir,
- domain_critical_only=domain_critical_only)
+ domain_critical_only=domain_critical_only,
+ machinepass=machinepass)
return
elif role == "RODC":
join_RODC(server=server, creds=creds, lp=lp, domain=domain,
site=site, netbios_name=netbios_name, targetdir=targetdir,
- domain_critical_only=domain_critical_only)
+ domain_critical_only=domain_critical_only,
+ machinepass=machinepass)
return
elif role == "SUBDOMAIN":
netbios_domain = lp.get("workgroup")
if parent_domain is None:
parent_domain = ".".join(domain.split(".")[1:])
join_subdomain(server=server, creds=creds, lp=lp, dnsdomain=domain, parent_domain=parent_domain,
- site=site, netbios_name=netbios_name, netbios_domain=netbios_domain, targetdir=targetdir)
+ site=site, netbios_name=netbios_name, netbios_domain=netbios_domain, targetdir=targetdir,
+ machinepass=machinepass)
return
else:
raise CommandError("Invalid role '%s' (possible values: MEMBER, DC, RODC, SUBDOMAIN)" % role)
+class cmd_domain_demote(Command):
+ """Demote ourselves from the role of Domain Controller"""
+
+ synopsis = "%prog [options]"
+
+ takes_options = [
+ Option("--server", help="DC to force replication before demote", type=str),
+ Option("--targetdir", help="where provision is stored", type=str),
+ ]
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ def run(self, sambaopts=None, credopts=None,
+ versionopts=None, server=None, targetdir=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+ net = Net(creds, lp, server=credopts.ipaddress)
+
+ netbios_name = lp.get("netbios name")
+ samdb = SamDB(session_info=system_session(), credentials=creds, lp=lp)
+ if not server:
+ res = samdb.search(expression='(&(objectClass=computer)(serverReferenceBL=*))', attrs=["dnsHostName", "name"])
+ if (len(res) == 0):
+ raise CommandError("Unable to search for servers")
+
+ if (len(res) == 1):
+ raise CommandError("You are the latest server in the domain")
+
+ server = None
+ for e in res:
+ if str(e["name"]).lower() != netbios_name.lower():
+ server = e["dnsHostName"]
+ break
+
+ ntds_guid = samdb.get_ntds_GUID()
+ msg = samdb.search(base=str(samdb.get_config_basedn()), scope=ldb.SCOPE_SUBTREE,
+ expression="(objectGUID=%s)" % ntds_guid,
+ attrs=['options'])
+ if len(msg) == 0 or "options" not in msg[0]:
+ raise CommandError("Failed to find options on %s" % ntds_guid)
+
+ ntds_dn = msg[0].dn
+ dsa_options = int(str(msg[0]['options']))
+
+ res = samdb.search(expression="(fSMORoleOwner=%s)" % str(ntds_dn),
+ controls=["search_options:1:2"])
+
+ if len(res) != 0:
+ raise CommandError("Current DC is still the owner of %d role(s), use the role command to transfer roles to another DC")
+
+ print "Using %s as partner server for the demotion" % server
+ (drsuapiBind, drsuapi_handle, supportedExtensions) = drsuapi_connect(server, lp, creds)
+
+ print "Desactivating inbound replication"
+
+ nmsg = ldb.Message()
+ nmsg.dn = msg[0].dn
+
+ dsa_options |= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
+
+ if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
+
+ print "Asking partner server %s to synchronize from us" % server
+ for part in (samdb.get_schema_basedn(),
+ samdb.get_config_basedn(),
+ samdb.get_root_basedn()):
+ try:
+ sendDsReplicaSync(drsuapiBind, drsuapi_handle, ntds_guid, str(part), drsuapi.DRSUAPI_DRS_WRIT_REP)
+ except drsException, e:
+ print "Error while demoting, re-enabling inbound replication"
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
+ raise CommandError("Error while sending a DsReplicaSync for partion %s" % str(part), e)
+ try:
+ remote_samdb = SamDB(url="ldap://%s" % server,
+ session_info=system_session(),
+ credentials=creds, lp=lp)
+
+ print "Changing userControl and container"
+ res = remote_samdb.search(base=str(remote_samdb.get_root_basedn()),
+ expression="(&(objectClass=user)(sAMAccountName=%s$))" %
+ netbios_name.upper(),
+ attrs=["userAccountControl"])
+ dc_dn = res[0].dn
+ uac = int(str(res[0]["userAccountControl"]))
+
+ except Exception, e:
+ print "Error while demoting, re-enabling inbound replication"
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
+ raise CommandError("Error while changing account control", e)
+
+ if (len(res) != 1):
+ print "Error while demoting, re-enabling inbound replication"
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
+ raise CommandError("Unable to find object with samaccountName = %s$"
+ " in the remote dc" % netbios_name.upper())
+
+ olduac = uac
+
+ uac ^= (UF_SERVER_TRUST_ACCOUNT|UF_TRUSTED_FOR_DELEGATION)
+ uac |= UF_WORKSTATION_TRUST_ACCOUNT
+
+ msg = ldb.Message()
+ msg.dn = dc_dn
+
+ msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
+ ldb.FLAG_MOD_REPLACE,
+ "userAccountControl")
+ try:
+ remote_samdb.modify(msg)
+ except Exception, e:
+ print "Error while demoting, re-enabling inbound replication"
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
+
+ raise CommandError("Error while changing account control", e)
+
+ parent = msg.dn.parent()
+ rdn = str(res[0].dn)
+ rdn = string.replace(rdn, ",%s" % str(parent), "")
+ # Let's move to the Computer container
+ i = 0
+ newrdn = rdn
+
+ computer_dn = ldb.Dn(remote_samdb, "CN=Computers,%s" % str(remote_samdb.get_root_basedn()))
+ res = remote_samdb.search(base=computer_dn, expression=rdn, scope=ldb.SCOPE_ONELEVEL)
+
+ if (len(res) != 0):
+ res = remote_samdb.search(base=computer_dn, expression="%s-%d" % (rdn, i),
+ scope=ldb.SCOPE_ONELEVEL)
+ while(len(res) != 0 and i < 100):
+ i = i + 1
+ res = remote_samdb.search(base=computer_dn, expression="%s-%d" % (rdn, i),
+ scope=ldb.SCOPE_ONELEVEL)
+
+ if i == 100:
+ print "Error while demoting, re-enabling inbound replication"
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
+
+ msg = ldb.Message()
+ msg.dn = dc_dn
+
+ msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
+ ldb.FLAG_MOD_REPLACE,
+ "userAccountControl")
+
+ remote_samdb.modify(msg)
+
+ raise CommandError("Unable to find a slot for renaming %s,"
+ " all names from %s-1 to %s-%d seemed used" %
+ (str(dc_dn), rdn, rdn, i - 9))
+
+ newrdn = "%s-%d" % (rdn, i)
+
+ try:
+ newdn = ldb.Dn(remote_samdb, "%s,%s" % (newrdn, str(computer_dn)))
+ remote_samdb.rename(dc_dn, newdn)
+ except Exception, e:
+ print "Error while demoting, re-enabling inbound replication"
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
+
+ msg = ldb.Message()
+ msg.dn = dc_dn
+
+ msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
+ ldb.FLAG_MOD_REPLACE,
+ "userAccountControl")
+
+ remote_samdb.modify(msg)
+ raise CommandError("Error while renaming %s to %s" % (str(dc_dn), str(newdn)), e)
+
+
+ server_dsa_dn = samdb.get_serverName()
+ domain = remote_samdb.get_root_basedn()
+
+ try:
+ sendRemoveDsServer(drsuapiBind, drsuapi_handle, server_dsa_dn, domain)
+ except drsException, e:
+ print "Error while demoting, re-enabling inbound replication"
+ dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
+ nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
+ samdb.modify(nmsg)
+
+ msg = ldb.Message()
+ msg.dn = newdn
+
+ msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
+ ldb.FLAG_MOD_REPLACE,
+ "userAccountControl")
+ print str(dc_dn)
+ remote_samdb.modify(msg)
+ remote_samdb.rename(newdn, dc_dn)
+ raise CommandError("Error while sending a removeDsServer", e)
+
+ for s in ("CN=Entreprise,CN=Microsoft System Volumes,CN=System,CN=Configuration",
+ "CN=%s,CN=Microsoft System Volumes,CN=System,CN=Configuration" % lp.get("realm"),
+ "CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System"):
+ try:
+ remote_samdb.delete(ldb.Dn(remote_samdb,
+ "%s,%s,%s" % (str(rdn), s, str(remote_samdb.get_root_basedn()))))
+ except ldb.LdbError, l:
+ pass
+
+ for s in ("CN=Entreprise,CN=NTFRS Subscriptions",
+ "CN=%s, CN=NTFRS Subscriptions" % lp.get("realm"),
+ "CN=Domain system Volumes (SYSVOL Share), CN=NTFRS Subscriptions",
+ "CN=NTFRS Subscriptions"):
+ try:
+ remote_samdb.delete(ldb.Dn(remote_samdb,
+ "%s,%s" % (s, str(newdn))))
+ except ldb.LdbError, l:
+ pass
+
+ self.outf.write("Demote successfull\n")
+
+
class cmd_domain_level(Command):
"""Raises domain and forest function levels"""
synopsis = "%prog (show|raise <options>) [options]"
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
raise CommandError("invalid argument: '%s' (choose from 'show', 'raise')" % subcommand)
-
-class cmd_domain_machinepassword(Command):
- """Gets a machine password out of our SAM"""
-
- synopsis = "%prog <accountname> [options]"
-
- takes_args = ["secret"]
-
- def run(self, secret, sambaopts=None, credopts=None, versionopts=None):
- lp = sambaopts.get_loadparm()
- creds = credopts.get_credentials(lp, fallback_machine=True)
- url = lp.private_path("secrets.ldb")
- if not os.path.exists(url):
- raise CommandError("secrets database not found at %s " % url)
- if not secret.endswith('$'):
- secret += '$'
- secretsdb = Ldb(url=url, session_info=system_session(),
- credentials=creds, lp=lp)
- result = secretsdb.search(attrs=["secret"],
- expression="(&(objectclass=primaryDomain)(samaccountname=%s))" % ldb.binary_encode(secret))
-
- if len(result) != 1:
- raise CommandError("search returned %d records, expected 1" % len(result))
-
- self.outf.write("%s\n" % result[0]["secret"])
-
-
-
class cmd_domain_passwordsettings(Command):
"""Sets password settings
synopsis = "%prog (show|set <options>) [options]"
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
takes_options = [
Option("-H", "--URL", help="LDB URL for database or target server", type=str,
metavar="URL", dest="H"),
cur_min_pwd_len = int(res[0]["minPwdLength"][0])
# ticks -> days
cur_min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
- cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
+ if int(res[0]["maxPwdAge"][0]) == -0x8000000000000000:
+ cur_max_pwd_age = 0
+ else:
+ cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
except Exception, e:
raise CommandError("Could not retrieve password properties!", e)
raise CommandError("Maximum password age must be in the range of 0 to 999!")
# days -> ticks
- max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
+ if max_pwd_age == 0:
+ max_pwd_age_ticks = -0x8000000000000000
+ else:
+ max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
ldb.FLAG_MOD_REPLACE, "maxPwdAge")
Option("--targetdir", type="string", metavar="DIR",
help="Path prefix where the new Samba 4.0 AD domain should be initialised"),
Option("--quiet", help="Be quiet", action="store_true"),
+ Option("--verbose", help="Be verbose", action="store_true"),
Option("--use-xattrs", type="choice", choices=["yes","no","auto"], metavar="[yes|no|auto]",
help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto"),
]
takes_args = ["smbconf"]
def run(self, smbconf=None, targetdir=None, dbdir=None, testparm=None,
- quiet=False, use_xattrs=None, sambaopts=None, versionopts=None):
+ quiet=False, verbose=False, use_xattrs=None, sambaopts=None, versionopts=None):
if not os.path.exists(smbconf):
raise CommandError("File %s does not exist" % smbconf)
-
+
if testparm and not os.path.exists(testparm):
raise CommandError("Testparm utility %s does not exist" % testparm)
if not dbdir and not testparm:
raise CommandError("Please specify either dbdir or testparm")
- if dbdir and testparm:
- self.outf.write("warning: both dbdir and testparm specified, ignoring dbdir.\n")
- dbdir = None
-
logger = self.get_logger()
- if quiet:
+ if verbose:
+ logger.setLevel(logging.DEBUG)
+ elif quiet:
logger.setLevel(logging.WARNING)
else:
logger.setLevel(logging.INFO)
+ if dbdir and testparm:
+ logger.warning("both dbdir and testparm specified, ignoring dbdir.")
+ dbdir = None
+
lp = sambaopts.get_loadparm()
s3conf = s3param.get_context()
if sambaopts.realm:
s3conf.set("realm", sambaopts.realm)
+ if targetdir is not None:
+ if not os.path.isdir(targetdir):
+ os.mkdir(targetdir)
+
eadb = True
if use_xattrs == "yes":
eadb = False
elif use_xattrs == "auto" and not s3conf.get("posix:eadb"):
if targetdir:
- tmpfile = tempfile.NamedTemporaryFile(prefix=os.path.abspath(targetdir))
+ tmpfile = tempfile.NamedTemporaryFile(dir=os.path.abspath(targetdir))
else:
- tmpfile = tempfile.NamedTemporaryFile(prefix=os.path.abspath(os.path.dirname(lp.get("private dir"))))
+ tmpfile = tempfile.NamedTemporaryFile(dir=os.path.abspath(os.path.dirname(lp.get("private dir"))))
try:
- samba.ntacls.setntacl(lp, tmpfile.name,
- "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
- eadb = False
- except:
- # FIXME: Don't catch all exceptions here
- logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. "
- "If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.")
- tmpfile.close()
+ try:
+ samba.ntacls.setntacl(lp, tmpfile.name,
+ "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
+ eadb = False
+ except Exception:
+ # FIXME: Don't catch all exceptions here
+ logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. "
+ "If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.")
+ finally:
+ tmpfile.close()
# Set correct default values from dbdir or testparm
paths = {}
upgrade_from_samba3(samba3, logger, targetdir, session_info=system_session(),
useeadb=eadb)
-
class cmd_domain(SuperCommand):
"""Domain management"""
subcommands = {}
+ subcommands["demote"] = cmd_domain_demote()
subcommands["exportkeytab"] = cmd_domain_export_keytab()
+ subcommands["info"] = cmd_domain_info()
subcommands["join"] = cmd_domain_join()
subcommands["level"] = cmd_domain_level()
- subcommands["machinepassword"] = cmd_domain_machinepassword()
subcommands["passwordsettings"] = cmd_domain_passwordsettings()
subcommands["samba3upgrade"] = cmd_domain_samba3upgrade()