Ejemplo n.º 1
0
 def run(self, name, password=None, credopts=None, sambaopts=None, versionopts=None):
     lp = sambaopts.get_loadparm()
     creds = credopts.get_credentials(lp )
     net = Net(creds, lp, server=credopts.ipaddress)
     net.create_user(name)
     if password is not None:
         net.set_password(name, creds.get_domain(), password, creds)
Ejemplo n.º 2
0
def netcmd_get_domain_infos_via_cldap(lp, creds, address=None):
    '''Return domain informations (CLDAP record) of the ldap-capable
       DC with the specified address'''
    net = Net(creds=creds, lp=lp)
    cldap_ret = net.finddc(address=address,
                flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
    return cldap_ret
Ejemplo n.º 3
0
    def test_admin_change_password(self):
        def isLastExpectedMessage(msg):
            return (msg["type"] == "Authentication" and
                    msg["Authentication"]["status"]
                        == "NT_STATUS_OK" and
                    msg["Authentication"]["serviceDescription"]
                        == "SAMR Password Change" and
                    msg["Authentication"]["authDescription"]
                        == "samr_ChangePasswordUser3")

        creds = self.insta_creds(template = self.get_credentials())

        lp = self.get_loadparm()
        net = Net(creds, lp, server=self.server_ip)
        password = "******"

        net.change_password(newpassword=password.encode('utf-8'),
                            username=USER_NAME,
                            oldpassword=USER_PASS)


        messages = self.waitForMessages(isLastExpectedMessage)
        print "Received %d messages" % len(messages)
        self.assertEquals(8,
                          len(messages),
                          "Did not receive the expected number of messages")
Ejemplo n.º 4
0
    def test_admin_change_password_bad_original_password(self):
        def isLastExpectedMessage(msg):
            return ((msg["type"] == "Authentication") and
                    (msg["Authentication"]["status"] ==
                        "NT_STATUS_WRONG_PASSWORD") and
                    (msg["Authentication"]["serviceDescription"] ==
                        "SAMR Password Change") and
                    (msg["Authentication"]["authDescription"] ==
                        "samr_ChangePasswordUser3"))

        creds = self.insta_creds(template=self.get_credentials())

        lp = self.get_loadparm()
        net = Net(creds, lp, server=self.server_ip)
        password = "******"

        exception_thrown = False
        try:
            net.change_password(newpassword=password.encode('utf-8'),
                                oldpassword="******",
                                username=USER_NAME)
        except Exception:
            exception_thrown = True
        self.assertEquals(True, exception_thrown,
                          "Expected exception not thrown")

        messages = self.waitForMessages(isLastExpectedMessage)
        self.assertEquals(8,
                          len(messages),
                          "Did not receive the expected number of messages")
Ejemplo n.º 5
0
    def run(self, domain, role=None, sambaopts=None, credopts=None,
            versionopts=None, server=None, site=None):
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        net = Net(creds, lp, server=credopts.ipaddress)

        if site is None:
            site = "Default-First-Site-Name"

        netbios_name = lp.get("netbios name")

        if not role is None:
            role = role.upper()

        if role is None or role == "MEMBER":
            secure_channel_type = SEC_CHAN_WKSTA
        elif role == "DC":
            join_DC(server=server, creds=creds, lp=lp, domain=domain,
                    site=site, netbios_name=netbios_name)
            return
        elif role == "RODC":
            join_RODC(server=server, creds=creds, lp=lp, domain=domain,
                      site=site, netbios_name=netbios_name)
            return
        else:
            raise CommandError("Invalid role %s (possible values: MEMBER, BDC, RODC)" % role)

        (join_password, sid, domain_name) = net.join(domain,
                                                     netbios_name,
                                                     secure_channel_type,
                                                     LIBNET_JOIN_AUTOMATIC)

        self.outf.write("Joined domain %s (%s)\n" % (domain_name, sid))
Ejemplo n.º 6
0
Archivo: user.py Proyecto: runt18/samba
    def run(self, credopts=None, sambaopts=None, versionopts=None,
                newpassword=None):

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)

        # get old password now, to get the password prompts in the right order
        old_password = creds.get_password()

        net = Net(creds, lp, server=credopts.ipaddress)

        password = newpassword
        while True:
            if password is not None and password is not '':
                break
            password = getpass("New Password: "******"Retype Password: "******"Sorry, passwords do not match.\n")

        try:
            net.change_password(password)
        except Exception, msg:
            # FIXME: catch more specific exception
            raise CommandError("Failed to change password : {0!s}".format(msg))
Ejemplo n.º 7
0
 def run(self, server_name=None, credopts=None, sambaopts=None, versionopts=None):
     lp = sambaopts.get_loadparm()
     creds = credopts.get_credentials(lp, fallback_machine=True)
     net = Net(creds, lp, server=credopts.ipaddress)
     if server_name is None:
         server_name = common.netcmd_dnsname(lp)
     self.outf.write(net.time(server_name)+"\n")
Ejemplo n.º 8
0
def netcmd_finddc(lp, creds):
    '''return domain-name of a writable/ldap-capable DC for the domain.'''
    net = Net(creds=creds, lp=lp)
    realm = lp.get('realm')
    cldap_ret = net.finddc(realm,
                nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
    return cldap_ret.pdc_dns_name
Ejemplo n.º 9
0
 def run(self, domain, target_dir=None, credopts=None, sambaopts=None, versionopts=None, force=False):
     if not force:
         raise CommandError("samba-tool vampire is deprecated, please use samba-tool domain join. Use --force to override")
     lp = sambaopts.get_loadparm()
     creds = credopts.get_credentials(lp)
     net = Net(creds, lp, server=credopts.ipaddress)
     (domain_name, domain_sid) = net.vampire(domain=domain, target_dir=target_dir)
     self.outf.write("Vampired domain %s (%s)\n" % (domain_name, domain_sid))
Ejemplo n.º 10
0
def packet_cldap_3(packet, conversation, context):
    # searchRequest
    net = Net(creds=context.creds, lp=context.lp)
    net.finddc(domain=context.lp.get('realm'),
               flags=(nbt.NBT_SERVER_LDAP |
                      nbt.NBT_SERVER_DS |
                      nbt.NBT_SERVER_WRITABLE))
    return True
Ejemplo n.º 11
0
 def run(self, name, credopts=None, sambaopts=None, versionopts=None):
     lp = sambaopts.get_loadparm()
     creds = credopts.get_credentials(lp, fallback_machine=True)
     net = Net(creds, lp, server=credopts.ipaddress)
     try:
         net.delete_user(name)
     except RuntimeError, msg:
         raise CommandError("Failed to delete user %s: %s" % (name, msg))
Ejemplo n.º 12
0
Archivo: gpo.py Proyecto: runt18/samba
    def run(self, displayname, H=None, tmpdir=None, sambaopts=None, credopts=None,
            versionopts=None):

        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        net = Net(creds=self.creds, lp=self.lp)

        # We need to know writable DC to setup SMB connection
        if H and H.startswith('ldap://'):
            dc_hostname = H[7:]
            self.url = H
            flags = (nbt.NBT_SERVER_LDAP |
                     nbt.NBT_SERVER_DS |
                     nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(address=dc_hostname, flags=flags)
        else:
            flags = (nbt.NBT_SERVER_LDAP |
                     nbt.NBT_SERVER_DS |
                     nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags)
            dc_hostname = cldap_ret.pdc_dns_name
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        msg = get_gpo_info(self.samdb, displayname=displayname)
        if msg.count > 0:
            raise CommandError("A GPO already existing with name '{0!s}'".format(displayname))

        # Create new GUID
        guid  = str(uuid.uuid4())
        gpo = "{{{0!s}}}".format(guid.upper())
        realm = cldap_ret.dns_domain
        unc_path = "\\\\{0!s}\\sysvol\\{1!s}\\Policies\\{2!s}".format(realm, realm, gpo)

        # Create GPT
        if tmpdir is None:
            tmpdir = "/tmp"
        if not os.path.isdir(tmpdir):
            raise CommandError("Temporary directory '{0!s}' does not exist".format(tmpdir))

        localdir = os.path.join(tmpdir, "policy")
        if not os.path.isdir(localdir):
            os.mkdir(localdir)

        gpodir = os.path.join(localdir, gpo)
        if os.path.isdir(gpodir):
            raise CommandError("GPO directory '{0!s}' already exists, refusing to overwrite".format(gpodir))

        try:
            os.mkdir(gpodir)
            os.mkdir(os.path.join(gpodir, "Machine"))
            os.mkdir(os.path.join(gpodir, "User"))
            gpt_contents = "[General]\r\nVersion=0\r\n"
            file(os.path.join(gpodir, "GPT.INI"), "w").write(gpt_contents)
        except Exception, e:
            raise CommandError("Error Creating GPO files", e)
Ejemplo n.º 13
0
def get_ldb_url(lp, creds, names):
    if names.serverrole == "member server":
        net = Net(creds, lp)
        dc = net.finddc(domain=names.dnsdomain, flags=nbt.NBT_SERVER_LDAP)
        url = "ldap://" + dc.pdc_dns_name
    else:
        url = lp.samdb_url()

    return url
Ejemplo n.º 14
0
def netcmd_finddc(lp, creds, realm=None):
    """Return domain-name of a writable/ldap-capable DC for the default
       domain (parameter "realm" in smb.conf) unless another realm has been
       specified as argument"""
    net = Net(creds=creds, lp=lp)
    if realm is None:
        realm = lp.get("realm")
    cldap_ret = net.finddc(domain=realm, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
    return cldap_ret.pdc_dns_name
Ejemplo n.º 15
0
 def test_export_keytab(self):
     net = Net(None, self.lp)
     net.export_keytab(keytab=self.ktfile, principal=self.principal)
     assert os.path.exists(self.ktfile), 'keytab was not created'
     with open_bytes(self.ktfile) as bytes_kt:
         result = ''
         for c in bytes_kt.read():
             if c in string.printable:
                 result += c
         principal_parts = self.principal.split('@')
         assert principal_parts[0] in result and \
                principal_parts[1] in result, \
                     'Principal not found in generated keytab'
Ejemplo n.º 16
0
    def run(self, domain, role=None, sambaopts=None, credopts=None,
            versionopts=None, server=None, site=None, targetdir=None,
            domain_critical_only=False, parent_domain=None, machinepass=None):
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        net = Net(creds, lp, server=credopts.ipaddress)

        if site is None:
            site = "Default-First-Site-Name"

        netbios_name = lp.get("netbios name")

        if not role is None:
            role = role.upper()

        if role is None or role == "MEMBER":
            (join_password, sid, domain_name) = net.join_member(domain,
                                                                netbios_name,
                                                                LIBNET_JOIN_AUTOMATIC,
                                                                machinepass=machinepass)

            self.outf.write("Joined domain %s (%s)\n" % (domain_name, sid))
            return
        elif role == "DC":
            join_DC(server=server, creds=creds, lp=lp, domain=domain,
                    site=site, netbios_name=netbios_name, targetdir=targetdir,
                    domain_critical_only=domain_critical_only,
                    machinepass=machinepass)
            return
        elif role == "RODC":
            join_RODC(server=server, creds=creds, lp=lp, domain=domain,
                      site=site, netbios_name=netbios_name, targetdir=targetdir,
                      domain_critical_only=domain_critical_only,
                      machinepass=machinepass)
            return
        elif role == "SUBDOMAIN":
            netbios_domain = lp.get("workgroup")
            if parent_domain is None:
                parent_domain = ".".join(domain.split(".")[1:])
            join_subdomain(server=server, creds=creds, lp=lp, dnsdomain=domain, parent_domain=parent_domain,
                           site=site, netbios_name=netbios_name, netbios_domain=netbios_domain, targetdir=targetdir,
                           machinepass=machinepass)
            return
        else:
            raise CommandError("Invalid role '%s' (possible values: MEMBER, DC, RODC, SUBDOMAIN)" % role)
Ejemplo n.º 17
0
 def __init__(self, binding_string, lp, creds, samdb, invocation_id):
     self.drs = drsuapi.drsuapi(binding_string, lp, creds)
     (self.drs_handle, self.supported_extensions) = drs_DsBind(self.drs)
     self.net = Net(creds=creds, lp=lp)
     self.samdb = samdb
     if not isinstance(invocation_id, misc.GUID):
         raise RuntimeError("Must supply GUID for invocation_id")
     if invocation_id == misc.GUID("00000000-0000-0000-0000-000000000000"):
         raise RuntimeError("Must not set GUID 00000000-0000-0000-0000-000000000000 as invocation_id")
     self.replication_state = self.net.replicate_init(self.samdb, lp, self.drs, invocation_id)
Ejemplo n.º 18
0
    def test_net_change_password(self):

        dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
        self.discardSetupMessages(dn)

        creds = self.insta_creds(template=self.get_credentials())

        lp = self.get_loadparm()
        net = Net(creds, lp, server=self.server)
        password = "******"

        net.change_password(newpassword=password.encode('utf-8'),
                            username=USER_NAME,
                            oldpassword=USER_PASS)

        messages = self.waitForMessages(1, net, dn=dn)
        print("Received %d messages" % len(messages))
        self.assertEquals(1,
                          len(messages),
                          "Did not receive the expected number of messages")

        audit = messages[0]["dsdbChange"]
        self.assertEquals("Modify", audit["operation"])
        self.assertFalse(audit["performedAsSystem"])
        self.assertTrue(dn.lower(), audit["dn"].lower())
        self.assertRegexpMatches(audit["remoteAddress"],
                                 self.remoteAddress)
        session_id = self.get_session()
        self.assertEquals(session_id, audit["sessionId"])
        # We skip the check for self.get_service_description() as this
        # is subject to a race between smbd and the s4 rpc_server code
        # as to which will set the description as it is DCE/RPC over SMB

        self.assertTrue(self.is_guid(audit["transactionId"]))

        attributes = audit["attributes"]
        self.assertEquals(1, len(attributes))
        actions = attributes["clearTextPassword"]["actions"]
        self.assertEquals(1, len(actions))
        self.assertTrue(actions[0]["redacted"])
        self.assertEquals("replace", actions[0]["action"])
Ejemplo n.º 19
0
    def run(self, credopts=None, sambaopts=None, versionopts=None,
                newpassword=None):

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)

        # get old password now, to get the password prompts in the right order
        old_password = creds.get_password()

        net = Net(creds, lp, server=credopts.ipaddress)

        password = newpassword
        while 1:
            if password is not None and password is not '':
                break
            password = getpass("New Password: "******"Failed to change password : %s" % msg)
Ejemplo n.º 20
0
    def test_net_join(self):
        netbios_name = "NetJoinTest"
        machinepass  = "******"
        creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=DONT_USE_KERBEROS)

        net = Net(creds, self.lp, server=self.server)

        # NOTE WELL: We must not run more than one successful
        # net.join_member per file (process), as the shared
        # secrets.ldb handle will be kept between runs.
        try:
            (join_password, sid, domain_name) = net.join_member(
                self.domain, netbios_name, LIBNET_JOIN_AUTOMATIC,
                machinepass=machinepass)
        except NTSTATUSError as e:
            code = ctypes.c_uint32(e[0]).value
            if code == ntstatus.NT_STATUS_CONNECTION_DISCONNECTED:
                self.fail("Connection failure")
            raise
        os.unlink(os.path.join(self.tempdir, "secrets.ldb"))
        pass
Ejemplo n.º 21
0
    def test_net_join_no_spnego(self):
        self.lp.set("client use spnego", "no")
        netbios_name = "NetJoinNoSpnego"
        machinepass  = "******"
        creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=DONT_USE_KERBEROS)

        net = Net(creds, self.lp, server=self.server)

        try:
            (join_password, sid, domain_name) = net.join_member(
                self.domain, netbios_name, LIBNET_JOIN_AUTOMATIC,
                machinepass=machinepass)
        except NTSTATUSError as e:
            code = ctypes.c_uint32(e.args[0]).value
            if code == ntstatus.NT_STATUS_CONNECTION_DISCONNECTED:
                self.fail("Connection failure")
            elif code == ntstatus.NT_STATUS_ACCESS_DENIED:
                return
            else:
                raise
        self.fail("Shoud have rejected NTLMv2 without SPNEGO")
Ejemplo n.º 22
0
    def run(self, credopts=None, sambaopts=None, versionopts=None,
                newpassword=None):

        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        connect_password = ""

        if len(creds.get_user_to_connect()) > 0:
            connect_password = getpass("Password for [%s\\%s]: " % (
                creds.get_user_to_connect_domain(),
                creds.get_user_to_connect())
            )
            creds.set_password_to_connect(connect_password)

        # get old password now, to get the password prompts in the right order
        old_password = creds.get_password()

        if len(creds.get_user_to_connect()) < 1:
            connect_password = old_password
        import pdb; pdb.set_trace()

        net = Net(creds, lp, server=credopts.ipaddress)

        password = newpassword
        while True:
            if password is not None and password is not '':
                break
            password = getpass("New Password: "******"Retype Password: "******"Sorry, passwords do not match.\n")

        try:
            net.change_password(password)
        except Exception, msg:
            # FIXME: catch more specific exception
            raise CommandError("Failed to change password : %s" % msg)
Ejemplo n.º 23
0
    def test_admin_change_password_bad_original_password(self):
        def isLastExpectedMessage(msg):
            return (msg["type"] == "Authentication" and
                    msg["Authentication"]["status"]
                        == "NT_STATUS_WRONG_PASSWORD" and
                    msg["Authentication"]["serviceDescription"]
                        == "SAMR Password Change" and
                    msg["Authentication"]["authDescription"]
                        == "samr_ChangePasswordUser3")

        creds = self.insta_creds(template=self.get_credentials())

        lp = self.get_loadparm()
        net = Net(creds, lp, server=self.server_ip)
        password = "******"

        exception_thrown = False
        try:
            net.change_password(newpassword=password.encode('utf-8'),
                                oldpassword="******",
                                username=USER_NAME)
        except Exception, msg:
            exception_thrown = True
Ejemplo n.º 24
0
    def test_net_change_password(self):

        dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
        self.discardSetupMessages(dn)

        creds = self.insta_creds(template=self.get_credentials())

        lp = self.get_loadparm()
        net = Net(creds, lp, server=self.server)
        password = "******"

        net.change_password(newpassword=password.encode('utf-8'),
                            username=USER_NAME,
                            oldpassword=USER_PASS)

        messages = self.waitForMessages(1, net, dn=dn)
        print("Received %d messages" % len(messages))
        self.assertEquals(1, len(messages),
                          "Did not receive the expected number of messages")

        audit = messages[0]["dsdbChange"]
        self.assertEquals("Modify", audit["operation"])
        self.assertFalse(audit["performedAsSystem"])
        self.assertTrue(dn.lower(), audit["dn"].lower())
        self.assertRegexpMatches(audit["remoteAddress"], self.remoteAddress)
        session_id = self.get_session()
        self.assertEquals(session_id, audit["sessionId"])
        service_description = self.get_service_description()
        self.assertEquals(service_description, "DCE/RPC")
        self.assertTrue(self.is_guid(audit["transactionId"]))

        attributes = audit["attributes"]
        self.assertEquals(1, len(attributes))
        actions = attributes["clearTextPassword"]["actions"]
        self.assertEquals(1, len(actions))
        self.assertTrue(actions[0]["redacted"])
        self.assertEquals("replace", actions[0]["action"])
Ejemplo n.º 25
0
    def test_net_set_password(self):

        dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
        self.discardSetupMessages(dn)

        creds = self.insta_creds(template=self.get_credentials())

        lp = self.get_loadparm()
        net = Net(creds, lp, server=self.server)
        password = "******"
        domain = lp.get("workgroup")

        net.set_password(newpassword=password,
                         account_name=USER_NAME,
                         domain_name=domain)

        dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
        messages = self.waitForMessages(1, net, dn)
        print("Received %d messages" % len(messages))
        self.assertEquals(1,
                          len(messages),
                          "Did not receive the expected number of messages")

        audit = messages[0]["passwordChange"]
        self.assertEquals(EVT_ID_PASSWORD_RESET, audit["eventId"])
        self.assertEquals("Reset", audit["action"])
        self.assertEquals(dn, audit["dn"])
        self.assertRegexpMatches(audit["remoteAddress"],
                                 self.remoteAddress)
        session_id = self.get_session()
        self.assertEquals(session_id, audit["sessionId"])
        service_description = self.get_service_description()
        self.assertEquals(service_description, "DCE/RPC")
        session_id = self.get_session()
        self.assertEquals(session_id, audit["sessionId"])
        self.assertTrue(self.is_guid(audit["transactionId"]))
Ejemplo n.º 26
0
    def test_net_join_no_spnego(self):
        self.lp.set("client use spnego", "no")
        netbios_name = "NetJoinNoSpnego"
        machinepass = "******"
        creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=DONT_USE_KERBEROS)

        net = Net(creds, self.lp, server=self.server)

        try:
            (join_password, sid,
             domain_name) = net.join_member(self.domain,
                                            netbios_name,
                                            LIBNET_JOIN_AUTOMATIC,
                                            machinepass=machinepass)
        except NTSTATUSError as e:
            code = ctypes.c_uint32(e.args[0]).value
            if code == ntstatus.NT_STATUS_CONNECTION_DISCONNECTED:
                self.fail("Connection failure")
            elif code == ntstatus.NT_STATUS_ACCESS_DENIED:
                return
            else:
                raise
        self.fail("Shoud have rejected NTLMv2 without SPNEGO")
Ejemplo n.º 27
0
    def test_admin_change_password(self):
        def isLastExpectedMessage(msg):
            return ((msg["type"] == "Authentication") and
                    (msg["Authentication"]["status"] == "NT_STATUS_OK") and
                    (msg["Authentication"]["serviceDescription"] ==
                        "SAMR Password Change") and
                    (msg["Authentication"]["authDescription"] ==
                        "samr_ChangePasswordUser3"))

        creds = self.insta_creds(template=self.get_credentials())

        lp = self.get_loadparm()
        net = Net(creds, lp, server=self.server_ip)
        password = "******"

        net.change_password(newpassword=password.encode('utf-8'),
                            username=USER_NAME,
                            oldpassword=USER_PASS)

        messages = self.waitForMessages(isLastExpectedMessage)
        print("Received %d messages" % len(messages))
        self.assertEquals(8,
                          len(messages),
                          "Did not receive the expected number of messages")
Ejemplo n.º 28
0
    def test_net_join(self):
        netbios_name = "NetJoinTest"
        machinepass = "******"
        creds = self.insta_creds(template=self.get_credentials(),
                                 kerberos_state=DONT_USE_KERBEROS)

        net = Net(creds, self.lp, server=self.server)

        # NOTE WELL: We must not run more than one successful
        # net.join_member per file (process), as the shared
        # secrets.ldb handle will be kept between runs.
        try:
            (join_password, sid,
             domain_name) = net.join_member(self.domain,
                                            netbios_name,
                                            LIBNET_JOIN_AUTOMATIC,
                                            machinepass=machinepass)
        except NTSTATUSError as e:
            code = ctypes.c_uint32(e.args[0]).value
            if code == ntstatus.NT_STATUS_CONNECTION_DISCONNECTED:
                self.fail("Connection failure")
            raise
        os.unlink(os.path.join(self.tempdir, "secrets.ldb"))
        pass
Ejemplo n.º 29
0
 def run(self,
         name,
         password=None,
         credopts=None,
         sambaopts=None,
         versionopts=None):
     lp = sambaopts.get_loadparm()
     creds = credopts.get_credentials(lp)
     net = Net(creds, lp, server=credopts.ipaddress)
     net.create_user(name)
     if password is not None:
         net.set_password(name, creds.get_domain(), password, creds)
Ejemplo n.º 30
0
 def test_net_replicate_init__1(self):
     lp, creds, server = self.get_lp_et_al()
     net = Net(creds, lp, server=server)
     net.replicate_init(42, lp, None, misc.GUID())
Ejemplo n.º 31
0
 def __init__(self, username, password):
     BaseModel.__init__(self, username, password)
     self.user_list = []
     if self.isAuthenticate():
         self.net = Net(self.creds, self.lp, server=self.server_address)
         self.LoadUserList()
Ejemplo n.º 32
0
    def test_net_set_password_user_without_permission(self):

        dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
        self.discardSetupMessages(dn)

        self.ldb.newuser(SECOND_USER_NAME, SECOND_USER_PASS)

        #
        # Get the password reset from the user add
        #
        dn = "CN=" + SECOND_USER_NAME + ",CN=Users," + self.base_dn
        messages = self.waitForMessages(1, dn=dn)
        print("Received %d messages" % len(messages))
        self.assertEqual(1, len(messages),
                         "Did not receive the expected number of messages")

        audit = messages[0]["passwordChange"]
        self.assertEqual(EVT_ID_PASSWORD_RESET, audit["eventId"])
        self.assertEqual("Reset", audit["action"])
        self.assertEqual(dn, audit["dn"])
        self.assertRegexpMatches(audit["remoteAddress"], self.remoteAddress)
        session_id = self.get_session()
        self.assertEqual(session_id, audit["sessionId"])
        service_description = self.get_service_description()
        self.assertEqual(service_description, "LDAP")
        self.assertTrue(self.is_guid(audit["transactionId"]))
        self.assertEqual(0, audit["statusCode"])
        self.assertEqual("Success", audit["status"])
        self.discardMessages()

        creds = self.insta_creds(template=self.get_credentials(),
                                 username=SECOND_USER_NAME,
                                 userpass=SECOND_USER_PASS,
                                 kerberos_state=None)

        lp = self.get_loadparm()
        net = Net(creds, lp, server=self.server)
        password = "******"
        domain = lp.get("workgroup")

        try:
            net.set_password(newpassword=password,
                             account_name=USER_NAME,
                             domain_name=domain)
            self.fail("Expected exception not thrown")
        except Exception:
            pass

        dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn
        messages = self.waitForMessages(1, net, dn=dn)
        print("Received %d messages" % len(messages))
        self.assertEqual(1, len(messages),
                         "Did not receive the expected number of messages")

        audit = messages[0]["passwordChange"]
        self.assertEqual(EVT_ID_PASSWORD_RESET, audit["eventId"])
        self.assertEqual("Reset", audit["action"])
        self.assertEqual(dn, audit["dn"])
        self.assertRegexpMatches(audit["remoteAddress"], self.remoteAddress)
        session_id = self.get_session()
        self.assertEqual(session_id, audit["sessionId"])
        service_description = self.get_service_description()
        self.assertEqual(service_description, "DCE/RPC")
        self.assertTrue(self.is_guid(audit["transactionId"]))
        self.assertEqual(ERR_INSUFFICIENT_ACCESS_RIGHTS, audit["statusCode"])
        self.assertEqual("insufficient access rights", audit["status"])
Ejemplo n.º 33
0
def get_dc_hostname(creds, lp):
    net = Net(creds=creds, lp=lp)
    cldap_ret = net.finddc(domain=lp.get('realm'),
                           flags=(nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS))
    return cldap_ret.pdc_dns_name
Ejemplo n.º 34
0
class drs_Replicate(object):
    '''DRS replication calls'''
    def __init__(self, binding_string, lp, creds, samdb, invocation_id):
        self.drs = drsuapi.drsuapi(binding_string, lp, creds)
        (self.drs_handle, self.supported_extensions) = drs_DsBind(self.drs)
        self.net = Net(creds=creds, lp=lp)
        self.samdb = samdb
        if not isinstance(invocation_id, misc.GUID):
            raise RuntimeError("Must supply GUID for invocation_id")
        if invocation_id == misc.GUID("00000000-0000-0000-0000-000000000000"):
            raise RuntimeError(
                "Must not set GUID 00000000-0000-0000-0000-000000000000 as invocation_id"
            )
        self.replication_state = self.net.replicate_init(
            self.samdb, lp, self.drs, invocation_id)

    def drs_get_rodc_partial_attribute_set(self):
        '''get a list of attributes for RODC replication'''
        partial_attribute_set = drsuapi.DsPartialAttributeSet()
        partial_attribute_set.version = 1

        attids = []

        # the exact list of attids we send is quite critical. Note that
        # we do ask for the secret attributes, but set SPECIAL_SECRET_PROCESSING
        # to zero them out
        schema_dn = self.samdb.get_schema_basedn()
        res = self.samdb.search(
            base=schema_dn,
            scope=ldb.SCOPE_SUBTREE,
            expression="objectClass=attributeSchema",
            attrs=["lDAPDisplayName", "systemFlags", "searchFlags"])

        for r in res:
            ldap_display_name = r["lDAPDisplayName"][0]
            if "systemFlags" in r:
                system_flags = r["systemFlags"][0]
                if (int(system_flags) &
                    (samba.dsdb.DS_FLAG_ATTR_NOT_REPLICATED
                     | samba.dsdb.DS_FLAG_ATTR_IS_CONSTRUCTED)):
                    continue
            if "searchFlags" in r:
                search_flags = r["searchFlags"][0]
                if (int(search_flags) & samba.dsdb.SEARCH_FLAG_RODC_ATTRIBUTE):
                    continue
            attid = self.samdb.get_attid_from_lDAPDisplayName(
                ldap_display_name)
            attids.append(int(attid))

        # the attids do need to be sorted, or windows doesn't return
        # all the attributes we need
        attids.sort()
        partial_attribute_set.attids = attids
        partial_attribute_set.num_attids = len(attids)
        return partial_attribute_set

    def replicate(self,
                  dn,
                  source_dsa_invocation_id,
                  destination_dsa_guid,
                  schema=False,
                  exop=drsuapi.DRSUAPI_EXOP_NONE,
                  rodc=False,
                  replica_flags=None):
        '''replicate a single DN'''

        # setup for a GetNCChanges call
        req8 = drsuapi.DsGetNCChangesRequest8()

        req8.destination_dsa_guid = destination_dsa_guid
        req8.source_dsa_invocation_id = source_dsa_invocation_id
        req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
        req8.naming_context.dn = dn
        req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
        req8.highwatermark.tmp_highest_usn = 0
        req8.highwatermark.reserved_usn = 0
        req8.highwatermark.highest_usn = 0
        req8.uptodateness_vector = None
        if replica_flags is not None:
            req8.replica_flags = replica_flags
        elif exop == drsuapi.DRSUAPI_EXOP_REPL_SECRET:
            req8.replica_flags = 0
        else:
            req8.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC
                                  | drsuapi.DRSUAPI_DRS_PER_SYNC
                                  | drsuapi.DRSUAPI_DRS_GET_ANC
                                  | drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
                                  drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP)
            if rodc:
                req8.replica_flags |= (
                    drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING)
            else:
                req8.replica_flags |= drsuapi.DRSUAPI_DRS_WRIT_REP
        req8.max_object_count = 402
        req8.max_ndr_size = 402116
        req8.extended_op = exop
        req8.fsmo_info = 0
        req8.partial_attribute_set = None
        req8.partial_attribute_set_ex = None
        req8.mapping_ctr.num_mappings = 0
        req8.mapping_ctr.mappings = None

        if not schema and rodc:
            req8.partial_attribute_set = self.drs_get_rodc_partial_attribute_set(
            )

        if self.supported_extensions & drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8:
            req_level = 8
            req = req8
        else:
            req_level = 5
            req5 = drsuapi.DsGetNCChangesRequest5()
            for a in dir(req5):
                if a[0] != '_':
                    setattr(req5, a, getattr(req8, a))
            req = req5

        while True:
            (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level,
                                                   req)
            if ctr.first_object is None and ctr.object_count != 0:
                raise RuntimeError(
                    "DsGetNCChanges: NULL first_object with object_count=%u" %
                    (ctr.object_count))
            self.net.replicate_chunk(self.replication_state,
                                     level,
                                     ctr,
                                     schema=schema,
                                     req_level=req_level,
                                     req=req)
            if ctr.more_data == 0:
                break
            req.highwatermark = ctr.new_highwatermark
Ejemplo n.º 35
0
class drs_Replicate(object):
    '''DRS replication calls'''
    def __init__(self, binding_string, lp, creds, samdb, invocation_id):
        self.drs = drsuapi.drsuapi(binding_string, lp, creds)
        (self.drs_handle, self.supported_extensions) = drs_DsBind(self.drs)
        self.net = Net(creds=creds, lp=lp)
        self.samdb = samdb
        if not isinstance(invocation_id, misc.GUID):
            raise RuntimeError("Must supply GUID for invocation_id")
        if invocation_id == misc.GUID("00000000-0000-0000-0000-000000000000"):
            raise RuntimeError(
                "Must not set GUID 00000000-0000-0000-0000-000000000000 as invocation_id"
            )
        self.replication_state = self.net.replicate_init(
            self.samdb, lp, self.drs, invocation_id)

    def replicate(self,
                  dn,
                  source_dsa_invocation_id,
                  destination_dsa_guid,
                  schema=False,
                  exop=drsuapi.DRSUAPI_EXOP_NONE,
                  rodc=False,
                  replica_flags=None,
                  full_sync=True,
                  sync_forced=False):
        '''replicate a single DN'''

        # setup for a GetNCChanges call
        req8 = drsuapi.DsGetNCChangesRequest8()

        req8.destination_dsa_guid = destination_dsa_guid
        req8.source_dsa_invocation_id = source_dsa_invocation_id
        req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
        req8.naming_context.dn = dn

        # Default to a full replication if we don't find an upToDatenessVector
        udv = None
        hwm = drsuapi.DsReplicaHighWaterMark()
        hwm.tmp_highest_usn = 0
        hwm.reserved_usn = 0
        hwm.highest_usn = 0

        if not full_sync:
            res = self.samdb.search(base=dn,
                                    scope=ldb.SCOPE_BASE,
                                    attrs=["repsFrom"])
            if "repsFrom" in res[0]:
                for reps_from_packed in res[0]["repsFrom"]:
                    reps_from_obj = ndr_unpack(drsblobs.repsFromToBlob,
                                               reps_from_packed)
                    if reps_from_obj.ctr.source_dsa_invocation_id == source_dsa_invocation_id:
                        hwm = reps_from_obj.ctr.highwatermark

            udv = drsuapi.DsReplicaCursorCtrEx()
            udv.version = 1
            udv.reserved1 = 0
            udv.reserved2 = 0

            cursors_v1 = []
            cursors_v2 = dsdb._dsdb_load_udv_v2(
                self.samdb, self.samdb.get_default_basedn())
            for cursor_v2 in cursors_v2:
                cursor_v1 = drsuapi.DsReplicaCursor()
                cursor_v1.source_dsa_invocation_id = cursor_v2.source_dsa_invocation_id
                cursor_v1.highest_usn = cursor_v2.highest_usn
                cursors_v1.append(cursor_v1)

            udv.cursors = cursors_v1
            udv.count = len(cursors_v1)

        req8.highwatermark = hwm
        req8.uptodateness_vector = udv

        if replica_flags is not None:
            req8.replica_flags = replica_flags
        elif exop == drsuapi.DRSUAPI_EXOP_REPL_SECRET:
            req8.replica_flags = 0
        else:
            req8.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC
                                  | drsuapi.DRSUAPI_DRS_PER_SYNC
                                  | drsuapi.DRSUAPI_DRS_GET_ANC
                                  | drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
                                  drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP)
            if rodc:
                req8.replica_flags |= (
                    drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING)
            else:
                req8.replica_flags |= drsuapi.DRSUAPI_DRS_WRIT_REP

        if sync_forced:
            req8.replica_flags |= drsuapi.DRSUAPI_DRS_SYNC_FORCED

        req8.max_object_count = 402
        req8.max_ndr_size = 402116
        req8.extended_op = exop
        req8.fsmo_info = 0
        req8.partial_attribute_set = None
        req8.partial_attribute_set_ex = None
        req8.mapping_ctr.num_mappings = 0
        req8.mapping_ctr.mappings = None

        if not schema and rodc:
            req8.partial_attribute_set = drs_get_rodc_partial_attribute_set(
                self.samdb)

        if self.supported_extensions & drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8:
            req_level = 8
            req = req8
        else:
            req_level = 5
            req5 = drsuapi.DsGetNCChangesRequest5()
            for a in dir(req5):
                if a[0] != '_':
                    setattr(req5, a, getattr(req8, a))
            req = req5

        num_objects = 0
        num_links = 0
        while True:
            (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level,
                                                   req)
            if ctr.first_object is None and ctr.object_count != 0:
                raise RuntimeError(
                    "DsGetNCChanges: NULL first_object with object_count=%u" %
                    (ctr.object_count))
            self.net.replicate_chunk(self.replication_state,
                                     level,
                                     ctr,
                                     schema=schema,
                                     req_level=req_level,
                                     req=req)

            num_objects += ctr.object_count

            # Cope with servers that do not return level 6, so do not return any links
            try:
                num_links += ctr.linked_attributes_count
            except AttributeError:
                pass

            if ctr.more_data == 0:
                break
            req.highwatermark = ctr.new_highwatermark

        return (num_objects, num_links)
Ejemplo n.º 36
0
    def __init__(ctx, server=None, creds=None, lp=None, site=None,
            netbios_name=None, targetdir=None, domain=None):
        ctx.creds = creds
        ctx.lp = lp
        ctx.site = site
        ctx.netbios_name = netbios_name
        ctx.targetdir = targetdir

        ctx.creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
        ctx.net = Net(creds=ctx.creds, lp=ctx.lp)

        if server is not None:
            ctx.server = server
        else:
            print("Finding a writeable DC for domain '%s'" % domain)
            ctx.server = ctx.find_dc(domain)
            print("Found DC %s" % ctx.server)

        ctx.samdb = SamDB(url="ldap://%s" % ctx.server,
                          session_info=system_session(),
                          credentials=ctx.creds, lp=ctx.lp)

        ctx.myname = netbios_name
        ctx.samname = "%s$" % ctx.myname
        ctx.base_dn = str(ctx.samdb.get_default_basedn())
        ctx.root_dn = str(ctx.samdb.get_root_basedn())
        ctx.schema_dn = str(ctx.samdb.get_schema_basedn())
        ctx.config_dn = str(ctx.samdb.get_config_basedn())
        ctx.domsid = ctx.samdb.get_domain_sid()
        ctx.domain_name = ctx.get_domain_name()

        lp.set("workgroup", ctx.domain_name)
        print("workgroup is %s" % ctx.domain_name)

        ctx.dc_ntds_dn = ctx.get_dsServiceName()
        ctx.dc_dnsHostName = ctx.get_dnsHostName()
        ctx.behavior_version = ctx.get_behavior_version()

        ctx.acct_pass = samba.generate_random_password(32, 40)

        # work out the DNs of all the objects we will be adding
        ctx.server_dn = "CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (ctx.myname, ctx.site, ctx.config_dn)
        ctx.ntds_dn = "CN=NTDS Settings,%s" % ctx.server_dn
        topology_base = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,%s" % ctx.base_dn
        if ctx.dn_exists(topology_base):
            ctx.topology_dn = "CN=%s,%s" % (ctx.myname, topology_base)
        else:
            ctx.topology_dn = None

        ctx.dnsdomain = ldb.Dn(ctx.samdb, ctx.base_dn).canonical_str().split('/')[0]

        ctx.realm = ctx.dnsdomain
        lp.set("realm", ctx.realm)

        print("realm is %s" % ctx.realm)

        ctx.dnshostname = "%s.%s" % (ctx.myname.lower(), ctx.dnsdomain)

        ctx.acct_dn = "CN=%s,OU=Domain Controllers,%s" % (ctx.myname, ctx.base_dn)

        ctx.tmp_samdb = None

        ctx.SPNs = [ "HOST/%s" % ctx.myname,
                     "HOST/%s" % ctx.dnshostname,
                     "GC/%s/%s" % (ctx.dnshostname, ctx.dnsdomain) ]

        # these elements are optional
        ctx.never_reveal_sid = None
        ctx.reveal_sid = None
        ctx.connection_dn = None
        ctx.RODC = False
        ctx.krbtgt_dn = None
        ctx.drsuapi = None
        ctx.managedby = None
Ejemplo n.º 37
0
class drs_Replicate(object):
    '''DRS replication calls'''

    def __init__(self, binding_string, lp, creds, samdb, invocation_id):
        self.drs = drsuapi.drsuapi(binding_string, lp, creds)
        (self.drs_handle, self.supported_extensions) = drs_DsBind(self.drs)
        self.net = Net(creds=creds, lp=lp)
        self.samdb = samdb
        if not isinstance(invocation_id, misc.GUID):
            raise RuntimeError("Must supply GUID for invocation_id")
        if invocation_id == misc.GUID("00000000-0000-0000-0000-000000000000"):
            raise RuntimeError("Must not set GUID 00000000-0000-0000-0000-000000000000 as invocation_id")
        self.replication_state = self.net.replicate_init(self.samdb, lp, self.drs, invocation_id)

    def replicate(self, dn, source_dsa_invocation_id, destination_dsa_guid,
                  schema=False, exop=drsuapi.DRSUAPI_EXOP_NONE, rodc=False,
                  replica_flags=None, full_sync=True):
        '''replicate a single DN'''

        # setup for a GetNCChanges call
        req8 = drsuapi.DsGetNCChangesRequest8()

        req8.destination_dsa_guid = destination_dsa_guid
        req8.source_dsa_invocation_id = source_dsa_invocation_id
        req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
        req8.naming_context.dn = dn

        udv = None
        if not full_sync:
            res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE,
                                    attrs=["repsFrom"])
            if "repsFrom" in res[0]:
                for reps_from_packed in res[0]["repsFrom"]:
                    reps_from_obj = ndr_unpack(drsblobs.repsFromToBlob, reps_from_packed)
                    if reps_from_obj.ctr.source_dsa_invocation_id == source_dsa_invocation_id:
                        hwm = reps_from_obj.ctr.highwatermark

            udv = drsuapi.DsReplicaCursorCtrEx()
            udv.version = 1
            udv.reserved1 = 0
            udv.reserved2 = 0

            cursors_v1 = []
            cursors_v2 = dsdb._dsdb_load_udv_v2(self.samdb,
                                                self.samdb.get_default_basedn())
            for cursor_v2 in cursors_v2:
                cursor_v1 = drsuapi.DsReplicaCursor()
                cursor_v1.source_dsa_invocation_id = cursor_v2.source_dsa_invocation_id
                cursor_v1.highest_usn = cursor_v2.highest_usn
                cursors_v1.append(cursor_v1)

            udv.cursors = cursors_v1
            udv.count = len(cursors_v1)

        # If we can't find an upToDateVector, or where told not to, replicate fully
        hwm = drsuapi.DsReplicaHighWaterMark()
        hwm.tmp_highest_usn = 0
        hwm.reserved_usn = 0
        hwm.highest_usn = 0

        req8.highwatermark = hwm
        req8.uptodateness_vector = udv

        if replica_flags is not None:
            req8.replica_flags = replica_flags
        elif exop == drsuapi.DRSUAPI_EXOP_REPL_SECRET:
            req8.replica_flags = 0
        else:
            req8.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
                                  drsuapi.DRSUAPI_DRS_PER_SYNC |
                                  drsuapi.DRSUAPI_DRS_GET_ANC |
                                  drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
                                  drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP)
            if rodc:
                req8.replica_flags |= (
                    drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING)
            else:
                req8.replica_flags |= drsuapi.DRSUAPI_DRS_WRIT_REP
        req8.max_object_count = 402
        req8.max_ndr_size = 402116
        req8.extended_op = exop
        req8.fsmo_info = 0
        req8.partial_attribute_set = None
        req8.partial_attribute_set_ex = None
        req8.mapping_ctr.num_mappings = 0
        req8.mapping_ctr.mappings = None

        if not schema and rodc:
            req8.partial_attribute_set = drs_get_rodc_partial_attribute_set(self.samdb)

        if self.supported_extensions & drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8:
            req_level = 8
            req = req8
        else:
            req_level = 5
            req5 = drsuapi.DsGetNCChangesRequest5()
            for a in dir(req5):
                if a[0] != '_':
                    setattr(req5, a, getattr(req8, a))
            req = req5

        num_objects = 0
        num_links = 0
        while True:
            (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
            if ctr.first_object is None and ctr.object_count != 0:
                raise RuntimeError("DsGetNCChanges: NULL first_object with object_count=%u" % (ctr.object_count))
            self.net.replicate_chunk(self.replication_state, level, ctr,
                schema=schema, req_level=req_level, req=req)

            num_objects += ctr.object_count

            # Cope with servers that do not return level 6, so do not return any links
            try:
                num_links += ctr.linked_attributes_count
            except AttributeError:
                pass

            if ctr.more_data == 0:
                break
            req.highwatermark = ctr.new_highwatermark

        return (num_objects, num_links)
Ejemplo n.º 38
0
 def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None):
     lp = sambaopts.get_loadparm()
     net = Net(None, lp)
     net.export_keytab(keytab=keytab, principal=principal)
Ejemplo n.º 39
0
def net_lookup(domain):
    global cldap_ret
    net = Net(Credentials())
    cldap_ret = net.finddc(domain=domain, flags=(nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS))
Ejemplo n.º 40
0
class drs_Replicate(object):
    '''DRS replication calls'''
    def __init__(self, binding_string, lp, creds, samdb, invocation_id):
        self.drs = drsuapi.drsuapi(binding_string, lp, creds)
        (self.drs_handle, self.supported_extensions) = drs_DsBind(self.drs)
        self.net = Net(creds=creds, lp=lp)
        self.samdb = samdb
        if not isinstance(invocation_id, misc.GUID):
            raise RuntimeError("Must supply GUID for invocation_id")
        if invocation_id == misc.GUID("00000000-0000-0000-0000-000000000000"):
            raise RuntimeError(
                "Must not set GUID 00000000-0000-0000-0000-000000000000 as invocation_id"
            )
        self.replication_state = self.net.replicate_init(
            self.samdb, lp, self.drs, invocation_id)

    def replicate(self,
                  dn,
                  source_dsa_invocation_id,
                  destination_dsa_guid,
                  schema=False,
                  exop=drsuapi.DRSUAPI_EXOP_NONE,
                  rodc=False,
                  replica_flags=None,
                  highwatermark=None,
                  udv=None):
        '''replicate a single DN'''

        # setup for a GetNCChanges call
        req8 = drsuapi.DsGetNCChangesRequest8()

        req8.destination_dsa_guid = destination_dsa_guid
        req8.source_dsa_invocation_id = source_dsa_invocation_id
        req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
        req8.naming_context.dn = dn

        if highwatermark is not None:
            req8.highwatermark = highwatermark
        else:
            req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
            req8.highwatermark.tmp_highest_usn = 0
            req8.highwatermark.reserved_usn = 0
            req8.highwatermark.highest_usn = 0

        req8.uptodateness_vector = udv

        if replica_flags is not None:
            req8.replica_flags = replica_flags
        elif exop == drsuapi.DRSUAPI_EXOP_REPL_SECRET:
            req8.replica_flags = 0
        else:
            req8.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC
                                  | drsuapi.DRSUAPI_DRS_PER_SYNC
                                  | drsuapi.DRSUAPI_DRS_GET_ANC
                                  | drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
                                  drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP)
            if rodc:
                req8.replica_flags |= (
                    drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING)
            else:
                req8.replica_flags |= drsuapi.DRSUAPI_DRS_WRIT_REP
        req8.max_object_count = 402
        req8.max_ndr_size = 402116
        req8.extended_op = exop
        req8.fsmo_info = 0
        req8.partial_attribute_set = None
        req8.partial_attribute_set_ex = None
        req8.mapping_ctr.num_mappings = 0
        req8.mapping_ctr.mappings = None

        if not schema and rodc:
            req8.partial_attribute_set = drs_get_rodc_partial_attribute_set(
                self.samdb)

        if self.supported_extensions & drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8:
            req_level = 8
            req = req8
        else:
            req_level = 5
            req5 = drsuapi.DsGetNCChangesRequest5()
            for a in dir(req5):
                if a[0] != '_':
                    setattr(req5, a, getattr(req8, a))
            req = req5

        num_objects = 0
        num_links = 0
        while True:
            (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level,
                                                   req)
            if ctr.first_object is None and ctr.object_count != 0:
                raise RuntimeError(
                    "DsGetNCChanges: NULL first_object with object_count=%u" %
                    (ctr.object_count))
            self.net.replicate_chunk(self.replication_state,
                                     level,
                                     ctr,
                                     schema=schema,
                                     req_level=req_level,
                                     req=req)

            num_objects += ctr.object_count

            # Cope with servers that do not return level 6, so do not return any links
            try:
                num_links += ctr.linked_attributes_count
            except AttributeError:
                pass

            if ctr.more_data == 0:
                break
            req.highwatermark = ctr.new_highwatermark

        return (num_objects, num_links)
Ejemplo n.º 41
0
Archivo: gpo.py Proyecto: lausser/samba
    def run(self,
            displayname,
            H=None,
            tmpdir=None,
            sambaopts=None,
            credopts=None,
            versionopts=None):

        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        net = Net(creds=self.creds, lp=self.lp)

        # We need to know writable DC to setup SMB connection
        if H and H.startswith('ldap://'):
            dc_hostname = H[7:]
            self.url = H
            flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
                     | nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(address=dc_hostname, flags=flags)
        else:
            flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
                     | nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags)
            dc_hostname = cldap_ret.pdc_dns_name
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        msg = get_gpo_info(self.samdb, displayname=displayname)
        if msg.count > 0:
            raise CommandError("A GPO already existing with name '%s'" %
                               displayname)

        # Create new GUID
        guid = str(uuid.uuid4())
        gpo = "{%s}" % guid.upper()
        realm = cldap_ret.dns_domain
        unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)

        # Create GPT
        if tmpdir is None:
            tmpdir = "/tmp"
        if not os.path.isdir(tmpdir):
            raise CommandError("Temporary directory '%s' does not exist" %
                               tmpdir)

        localdir = os.path.join(tmpdir, "policy")
        if not os.path.isdir(localdir):
            os.mkdir(localdir)

        gpodir = os.path.join(localdir, gpo)
        if os.path.isdir(gpodir):
            raise CommandError(
                "GPO directory '%s' already exists, refusing to overwrite" %
                gpodir)

        try:
            os.mkdir(gpodir)
            os.mkdir(os.path.join(gpodir, "Machine"))
            os.mkdir(os.path.join(gpodir, "User"))
            gpt_contents = "[General]\r\nVersion=0\r\n"
            file(os.path.join(gpodir, "GPT.INI"), "w").write(gpt_contents)
        except Exception, e:
            raise CommandError("Error Creating GPO files", e)
Ejemplo n.º 42
0
 def __init__(self, binding_string, lp, creds, samdb):
     self.drs = drsuapi.drsuapi(binding_string, lp, creds)
     (self.drs_handle, self.supported_extensions) = drs_DsBind(self.drs)
     self.net = Net(creds=creds, lp=lp)
     self.samdb = samdb
     self.replication_state = self.net.replicate_init(self.samdb, lp, self.drs)
    parser.add_option('-S',
                      '--sAMAccountName',
                      action='store',
                      dest='name',
                      help='The sAMAccountName of the object to manipulate')

    (opts, args) = parser.parse_args()

    if opts.__dict__['name'] is None:
        parser.error('Parameter --sAMAccountName is required')

    lp = sambaopts.get_loadparm()
    creds = credopts.get_credentials(lp)
    realm = lp.get('realm')

    net = Net(creds)
    cldap_ret = net.finddc(domain=realm,
                           flags=(nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
                                  | nbt.NBT_SERVER_WRITABLE))
    host = cldap_ret.pdc_dns_name

    ldb = samdb.SamDB(url='ldap://%s' % host,
                      lp=lp,
                      credentials=creds,
                      session_info=system_session())

    domain_sid = security.dom_sid(ldb.get_domain_sid())
    s = samr.samr("ncacn_ip_tcp:%s[seal]" % host, lp, creds)
    samr_handle = s.Connect2(None, security.SEC_FLAG_MAXIMUM_ALLOWED)
    samr_domain = s.OpenDomain(samr_handle, security.SEC_FLAG_MAXIMUM_ALLOWED,
                               domain_sid)
Ejemplo n.º 44
0
 def test_net_replicate_init__3(self):
     # third argument is also unchecked
     samdb = self.get_samdb()
     lp, creds, server = self.get_lp_et_al()
     net = Net(creds, lp, server=server)
     net.replicate_init(samdb, lp, 42, misc.GUID())
Ejemplo n.º 45
0
 def test_net_replicate_chunk_1(self):
     lp, creds, server = self.get_lp_et_al()
     ctr = drsuapi.DsGetNCChangesCtr6()
     net = Net(creds, lp, server=server)
     net.replicate_chunk(42, 1, ctr)
Ejemplo n.º 46
0
Archivo: gpo.py Proyecto: sYnfo/samba
    def run(self, displayname, H=None, tmpdir=None, sambaopts=None, credopts=None,
            versionopts=None):

        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        net = Net(creds=self.creds, lp=self.lp)

        # We need to know writable DC to setup SMB connection
        if H and H.startswith('ldap://'):
            dc_hostname = H[7:]
            self.url = H
            flags = (nbt.NBT_SERVER_LDAP |
                     nbt.NBT_SERVER_DS |
                     nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(address=dc_hostname, flags=flags)
        else:
            flags = (nbt.NBT_SERVER_LDAP |
                     nbt.NBT_SERVER_DS |
                     nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags)
            dc_hostname = cldap_ret.pdc_dns_name
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        msg = get_gpo_info(self.samdb, displayname=displayname)
        if msg.count > 0:
            raise CommandError("A GPO already existing with name '%s'" % displayname)

        # Create new GUID
        guid  = str(uuid.uuid4())
        gpo = "{%s}" % guid.upper()
        realm = cldap_ret.dns_domain
        unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)

        # Create GPT
        if tmpdir is None:
            tmpdir = "/tmp"
        if not os.path.isdir(tmpdir):
            raise CommandError("Temporary directory '%s' does not exist" % tmpdir)

        localdir = os.path.join(tmpdir, "policy")
        if not os.path.isdir(localdir):
            os.mkdir(localdir)

        gpodir = os.path.join(localdir, gpo)
        if os.path.isdir(gpodir):
            raise CommandError("GPO directory '%s' already exists, refusing to overwrite" % gpodir)

        try:
            os.mkdir(gpodir)
            os.mkdir(os.path.join(gpodir, "Machine"))
            os.mkdir(os.path.join(gpodir, "User"))
            gpt_contents = "[General]\r\nVersion=0\r\n"
            open(os.path.join(gpodir, "GPT.INI"), "w").write(gpt_contents)
        except Exception as e:
            raise CommandError("Error Creating GPO files", e)

        # Connect to DC over SMB
        [dom_name, service, sharepath] = parse_unc(unc_path)
        try:
            conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
        except Exception as e:
            raise CommandError("Error connecting to '%s' using SMB" % dc_hostname, e)

        self.samdb.transaction_start()
        try:
            # Add cn=<guid>
            gpo_dn = get_gpo_dn(self.samdb, gpo)

            m = ldb.Message()
            m.dn = gpo_dn
            m['a01'] = ldb.MessageElement("groupPolicyContainer", ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Add cn=User,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Add cn=Machine,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Get new security descriptor
            ds_sd_flags = ( security.SECINFO_OWNER |
                            security.SECINFO_GROUP |
                            security.SECINFO_DACL )
            msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0]
            ds_sd_ndr = msg['nTSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Create a file system security descriptor
            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
            sddl = dsacl2fsacl(ds_sd, domain_sid)
            fs_sd = security.descriptor.from_sddl(sddl, domain_sid)

            # Copy GPO directory
            create_directory_hier(conn, sharepath)

            # Set ACL
            sio = ( security.SECINFO_OWNER |
                    security.SECINFO_GROUP |
                    security.SECINFO_DACL |
                    security.SECINFO_PROTECTED_DACL )
            conn.set_acl(sharepath, fs_sd, sio)

            # Copy GPO files over SMB
            copy_directory_local_to_remote(conn, gpodir, sharepath)

            m = ldb.Message()
            m.dn = gpo_dn
            m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_REPLACE, "displayName")
            m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_REPLACE, "gPCFileSysPath")
            m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "versionNumber")
            m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_REPLACE, "gpcFunctionalityVersion")
            m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "flags")
            controls=["permissive_modify:0"]
            self.samdb.modify(m, controls=controls)
        except Exception:
            self.samdb.transaction_cancel()
            raise
        else:
            self.samdb.transaction_commit()

        self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))
Ejemplo n.º 47
0
    def run(self,
            displayname,
            H=None,
            tmpdir=None,
            sambaopts=None,
            credopts=None,
            versionopts=None):

        self.lp = sambaopts.get_loadparm()
        self.creds = credopts.get_credentials(self.lp, fallback_machine=True)

        net = Net(creds=self.creds, lp=self.lp)

        # We need to know writable DC to setup SMB connection
        if H and H.startswith('ldap://'):
            dc_hostname = H[7:]
            self.url = H
            flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
                     | nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(address=dc_hostname, flags=flags)
        else:
            flags = (nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
                     | nbt.NBT_SERVER_WRITABLE)
            cldap_ret = net.finddc(domain=self.lp.get('realm'), flags=flags)
            dc_hostname = cldap_ret.pdc_dns_name
            self.url = dc_url(self.lp, self.creds, dc=dc_hostname)

        samdb_connect(self)

        msg = get_gpo_info(self.samdb, displayname=displayname)
        if msg.count > 0:
            raise CommandError("A GPO already existing with name '%s'" %
                               displayname)

        # Create new GUID
        guid = str(uuid.uuid4())
        gpo = "{%s}" % guid.upper()
        realm = cldap_ret.dns_domain
        unc_path = "\\\\%s\\sysvol\\%s\\Policies\\%s" % (realm, realm, gpo)

        # Create GPT
        if tmpdir is None:
            tmpdir = "/tmp"
        if not os.path.isdir(tmpdir):
            raise CommandError("Temporary directory '%s' does not exist" %
                               tmpdir)

        localdir = os.path.join(tmpdir, "policy")
        if not os.path.isdir(localdir):
            os.mkdir(localdir)

        gpodir = os.path.join(localdir, gpo)
        if os.path.isdir(gpodir):
            raise CommandError(
                "GPO directory '%s' already exists, refusing to overwrite" %
                gpodir)

        try:
            os.mkdir(gpodir)
            os.mkdir(os.path.join(gpodir, "Machine"))
            os.mkdir(os.path.join(gpodir, "User"))
            gpt_contents = "[General]\r\nVersion=0\r\n"
            open(os.path.join(gpodir, "GPT.INI"), "w").write(gpt_contents)
        except Exception as e:
            raise CommandError("Error Creating GPO files", e)

        # Connect to DC over SMB
        [dom_name, service, sharepath] = parse_unc(unc_path)
        try:
            conn = smb.SMB(dc_hostname, service, lp=self.lp, creds=self.creds)
        except Exception as e:
            raise CommandError(
                "Error connecting to '%s' using SMB" % dc_hostname, e)

        self.samdb.transaction_start()
        try:
            # Add cn=<guid>
            gpo_dn = get_gpo_dn(self.samdb, gpo)

            m = ldb.Message()
            m.dn = gpo_dn
            m['a01'] = ldb.MessageElement("groupPolicyContainer",
                                          ldb.FLAG_MOD_ADD, "objectClass")
            self.samdb.add(m)

            # Add cn=User,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD,
                                          "objectClass")
            self.samdb.add(m)

            # Add cn=Machine,cn=<guid>
            m = ldb.Message()
            m.dn = ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn))
            m['a01'] = ldb.MessageElement("container", ldb.FLAG_MOD_ADD,
                                          "objectClass")
            self.samdb.add(m)

            # Get new security descriptor
            ds_sd_flags = (security.SECINFO_OWNER | security.SECINFO_GROUP
                           | security.SECINFO_DACL)
            msg = get_gpo_info(self.samdb, gpo=gpo, sd_flags=ds_sd_flags)[0]
            ds_sd_ndr = msg['nTSecurityDescriptor'][0]
            ds_sd = ndr_unpack(security.descriptor, ds_sd_ndr).as_sddl()

            # Create a file system security descriptor
            domain_sid = security.dom_sid(self.samdb.get_domain_sid())
            sddl = dsacl2fsacl(ds_sd, domain_sid)
            fs_sd = security.descriptor.from_sddl(sddl, domain_sid)

            # Copy GPO directory
            create_directory_hier(conn, sharepath)

            # Set ACL
            sio = (security.SECINFO_OWNER | security.SECINFO_GROUP
                   | security.SECINFO_DACL | security.SECINFO_PROTECTED_DACL)
            conn.set_acl(sharepath, fs_sd, sio)

            # Copy GPO files over SMB
            copy_directory_local_to_remote(conn, gpodir, sharepath)

            m = ldb.Message()
            m.dn = gpo_dn
            m['a02'] = ldb.MessageElement(displayname, ldb.FLAG_MOD_REPLACE,
                                          "displayName")
            m['a03'] = ldb.MessageElement(unc_path, ldb.FLAG_MOD_REPLACE,
                                          "gPCFileSysPath")
            m['a05'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE,
                                          "versionNumber")
            m['a07'] = ldb.MessageElement("2", ldb.FLAG_MOD_REPLACE,
                                          "gpcFunctionalityVersion")
            m['a04'] = ldb.MessageElement("0", ldb.FLAG_MOD_REPLACE, "flags")
            controls = ["permissive_modify:0"]
            self.samdb.modify(m, controls=controls)
        except Exception:
            self.samdb.transaction_cancel()
            raise
        else:
            self.samdb.transaction_commit()

        self.outf.write("GPO '%s' created as %s\n" % (displayname, gpo))
Ejemplo n.º 48
0
class drs_Replicate(object):
    """DRS replication calls"""

    def __init__(self, binding_string, lp, creds, samdb, invocation_id):
        self.drs = drsuapi.drsuapi(binding_string, lp, creds)
        (self.drs_handle, self.supported_extensions) = drs_DsBind(self.drs)
        self.net = Net(creds=creds, lp=lp)
        self.samdb = samdb
        if not isinstance(invocation_id, misc.GUID):
            raise RuntimeError("Must supply GUID for invocation_id")
        if invocation_id == misc.GUID("00000000-0000-0000-0000-000000000000"):
            raise RuntimeError("Must not set GUID 00000000-0000-0000-0000-000000000000 as invocation_id")
        self.replication_state = self.net.replicate_init(self.samdb, lp, self.drs, invocation_id)

    def drs_get_rodc_partial_attribute_set(self):
        """get a list of attributes for RODC replication"""
        partial_attribute_set = drsuapi.DsPartialAttributeSet()
        partial_attribute_set.version = 1

        attids = []

        # the exact list of attids we send is quite critical. Note that
        # we do ask for the secret attributes, but set SPECIAL_SECRET_PROCESSING
        # to zero them out
        schema_dn = self.samdb.get_schema_basedn()
        res = self.samdb.search(
            base=schema_dn,
            scope=ldb.SCOPE_SUBTREE,
            expression="objectClass=attributeSchema",
            attrs=["lDAPDisplayName", "systemFlags", "searchFlags"],
        )

        for r in res:
            ldap_display_name = r["lDAPDisplayName"][0]
            if "systemFlags" in r:
                system_flags = r["systemFlags"][0]
                if int(system_flags) & (
                    samba.dsdb.DS_FLAG_ATTR_NOT_REPLICATED | samba.dsdb.DS_FLAG_ATTR_IS_CONSTRUCTED
                ):
                    continue
            if "searchFlags" in r:
                search_flags = r["searchFlags"][0]
                if int(search_flags) & samba.dsdb.SEARCH_FLAG_RODC_ATTRIBUTE:
                    continue
            attid = self.samdb.get_attid_from_lDAPDisplayName(ldap_display_name)
            attids.append(int(attid))

        # the attids do need to be sorted, or windows doesn't return
        # all the attributes we need
        attids.sort()
        partial_attribute_set.attids = attids
        partial_attribute_set.num_attids = len(attids)
        return partial_attribute_set

    def replicate(
        self,
        dn,
        source_dsa_invocation_id,
        destination_dsa_guid,
        schema=False,
        exop=drsuapi.DRSUAPI_EXOP_NONE,
        rodc=False,
        replica_flags=None,
    ):
        """replicate a single DN"""

        # setup for a GetNCChanges call
        req8 = drsuapi.DsGetNCChangesRequest8()

        req8.destination_dsa_guid = destination_dsa_guid
        req8.source_dsa_invocation_id = source_dsa_invocation_id
        req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
        req8.naming_context.dn = dn
        req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
        req8.highwatermark.tmp_highest_usn = 0
        req8.highwatermark.reserved_usn = 0
        req8.highwatermark.highest_usn = 0
        req8.uptodateness_vector = None
        if replica_flags is not None:
            req8.replica_flags = replica_flags
        elif exop == drsuapi.DRSUAPI_EXOP_REPL_SECRET:
            req8.replica_flags = 0
        else:
            req8.replica_flags = (
                drsuapi.DRSUAPI_DRS_INIT_SYNC
                | drsuapi.DRSUAPI_DRS_PER_SYNC
                | drsuapi.DRSUAPI_DRS_GET_ANC
                | drsuapi.DRSUAPI_DRS_NEVER_SYNCED
            )
            if rodc:
                req8.replica_flags |= drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
            else:
                req8.replica_flags |= drsuapi.DRSUAPI_DRS_WRIT_REP
        req8.max_object_count = 402
        req8.max_ndr_size = 402116
        req8.extended_op = exop
        req8.fsmo_info = 0
        req8.partial_attribute_set = None
        req8.partial_attribute_set_ex = None
        req8.mapping_ctr.num_mappings = 0
        req8.mapping_ctr.mappings = None

        if not schema and rodc:
            req8.partial_attribute_set = self.drs_get_rodc_partial_attribute_set()

        if self.supported_extensions & drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8:
            req_level = 8
            req = req8
        else:
            req_level = 5
            req5 = drsuapi.DsGetNCChangesRequest5()
            for a in dir(req5):
                if a[0] != "_":
                    setattr(req5, a, getattr(req8, a))
            req = req5

        while True:
            (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
            if ctr.first_object is None and ctr.object_count != 0:
                raise RuntimeError(
                    "DsGetNCChanges: NULL first_object with object_count={0:d}".format((ctr.object_count))
                )
            self.net.replicate_chunk(self.replication_state, level, ctr, schema=schema, req_level=req_level, req=req)
            if ctr.more_data == 0:
                break
            req.highwatermark = ctr.new_highwatermark
Ejemplo n.º 49
0
class drs_Replicate(object):
    '''DRS replication calls'''
    def __init__(self, binding_string, lp, creds, samdb, invocation_id):
        self.drs = drsuapi.drsuapi(binding_string, lp, creds)
        (self.drs_handle, self.supported_extensions) = drs_DsBind(self.drs)
        self.net = Net(creds=creds, lp=lp)
        self.samdb = samdb
        if not isinstance(invocation_id, misc.GUID):
            raise RuntimeError("Must supply GUID for invocation_id")
        if invocation_id == misc.GUID("00000000-0000-0000-0000-000000000000"):
            raise RuntimeError(
                "Must not set GUID 00000000-0000-0000-0000-000000000000 as invocation_id"
            )
        self.replication_state = self.net.replicate_init(
            self.samdb, lp, self.drs, invocation_id)
        self.more_flags = 0

    def _should_retry_with_get_tgt(self, error_code, req):

        # If the error indicates we fail to resolve a target object for a
        # linked attribute, then we should retry the request with GET_TGT
        # (if we support it and haven't already tried that)

        # TODO fix up the below line when we next update werror_err_table.txt
        # and pull in the new error-code
        # return (error_code == werror.WERR_DS_DRA_RECYCLED_TARGET and
        return (error_code == 0x21bf
                and (req.more_flags & drsuapi.DRSUAPI_DRS_GET_TGT) == 0
                and self.supported_extensions
                & drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10)

    def process_chunk(self, level, ctr, schema, req_level, req, first_chunk):
        '''Processes a single chunk of received replication data'''
        # pass the replication into the py_net.c python bindings for processing
        self.net.replicate_chunk(self.replication_state,
                                 level,
                                 ctr,
                                 schema=schema,
                                 req_level=req_level,
                                 req=req)

    def replicate(self,
                  dn,
                  source_dsa_invocation_id,
                  destination_dsa_guid,
                  schema=False,
                  exop=drsuapi.DRSUAPI_EXOP_NONE,
                  rodc=False,
                  replica_flags=None,
                  full_sync=True,
                  sync_forced=False,
                  more_flags=0):
        '''replicate a single DN'''

        # setup for a GetNCChanges call
        if self.supported_extensions & drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10:
            req = drsuapi.DsGetNCChangesRequest10()
            req.more_flags = (more_flags | self.more_flags)
            req_level = 10
        else:
            req_level = 8
            req = drsuapi.DsGetNCChangesRequest8()

        req.destination_dsa_guid = destination_dsa_guid
        req.source_dsa_invocation_id = source_dsa_invocation_id
        req.naming_context = drsuapi.DsReplicaObjectIdentifier()
        req.naming_context.dn = dn

        # Default to a full replication if we don't find an upToDatenessVector
        udv = None
        hwm = drsuapi.DsReplicaHighWaterMark()
        hwm.tmp_highest_usn = 0
        hwm.reserved_usn = 0
        hwm.highest_usn = 0

        if not full_sync:
            res = self.samdb.search(base=dn,
                                    scope=ldb.SCOPE_BASE,
                                    attrs=["repsFrom"])
            if "repsFrom" in res[0]:
                for reps_from_packed in res[0]["repsFrom"]:
                    reps_from_obj = ndr_unpack(drsblobs.repsFromToBlob,
                                               reps_from_packed)
                    if reps_from_obj.ctr.source_dsa_invocation_id == source_dsa_invocation_id:
                        hwm = reps_from_obj.ctr.highwatermark

            udv = drsuapi.DsReplicaCursorCtrEx()
            udv.version = 1
            udv.reserved1 = 0
            udv.reserved2 = 0

            cursors_v1 = []
            cursors_v2 = dsdb._dsdb_load_udv_v2(
                self.samdb, self.samdb.get_default_basedn())
            for cursor_v2 in cursors_v2:
                cursor_v1 = drsuapi.DsReplicaCursor()
                cursor_v1.source_dsa_invocation_id = cursor_v2.source_dsa_invocation_id
                cursor_v1.highest_usn = cursor_v2.highest_usn
                cursors_v1.append(cursor_v1)

            udv.cursors = cursors_v1
            udv.count = len(cursors_v1)

        req.highwatermark = hwm
        req.uptodateness_vector = udv

        if replica_flags is not None:
            req.replica_flags = replica_flags
        elif exop == drsuapi.DRSUAPI_EXOP_REPL_SECRET:
            req.replica_flags = 0
        else:
            req.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC
                                 | drsuapi.DRSUAPI_DRS_PER_SYNC
                                 | drsuapi.DRSUAPI_DRS_GET_ANC
                                 | drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
                                 drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP)
            if rodc:
                req.replica_flags |= (
                    drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING)
            else:
                req.replica_flags |= drsuapi.DRSUAPI_DRS_WRIT_REP

        if sync_forced:
            req.replica_flags |= drsuapi.DRSUAPI_DRS_SYNC_FORCED

        req.max_object_count = 402
        req.max_ndr_size = 402116
        req.extended_op = exop
        req.fsmo_info = 0
        req.partial_attribute_set = None
        req.partial_attribute_set_ex = None
        req.mapping_ctr.num_mappings = 0
        req.mapping_ctr.mappings = None

        if not schema and rodc:
            req.partial_attribute_set = drs_get_rodc_partial_attribute_set(
                self.samdb)

        if not self.supported_extensions & drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8:
            req_level = 5
            req5 = drsuapi.DsGetNCChangesRequest5()
            for a in dir(req5):
                if a[0] != '_':
                    setattr(req5, a, getattr(req, a))
            req = req5

        num_objects = 0
        num_links = 0
        first_chunk = True

        while True:
            (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level,
                                                   req)
            if ctr.first_object is None and ctr.object_count != 0:
                raise RuntimeError(
                    "DsGetNCChanges: NULL first_object with object_count=%u" %
                    (ctr.object_count))

            try:
                self.process_chunk(level, ctr, schema, req_level, req,
                                   first_chunk)
            except WERRORError as e:
                # Check if retrying with the GET_TGT flag set might resolve this error
                if self._should_retry_with_get_tgt(e.args[0], req):

                    print("Missing target object - retrying with DRS_GET_TGT")
                    req.more_flags |= drsuapi.DRSUAPI_DRS_GET_TGT

                    # try sending the request again (this has the side-effect
                    # of causing the DC to restart the replication from scratch)
                    first_chunk = True
                    continue
                else:
                    raise e

            first_chunk = False
            num_objects += ctr.object_count

            # Cope with servers that do not return level 6, so do not return any links
            try:
                num_links += ctr.linked_attributes_count
            except AttributeError:
                pass

            if ctr.more_data == 0:
                break

            # update the request's HWM so we get the next chunk
            drs_copy_highwater_mark(req.highwatermark, ctr.new_highwatermark)

        return (num_objects, num_links)
Ejemplo n.º 50
0
 def run(self, keytab, credopts=None, sambaopts=None, versionopts=None):
     lp = sambaopts.get_loadparm()
     net = Net(None, lp, server=credopts.ipaddress)
     net.export_keytab(keytab=keytab)
Ejemplo n.º 51
0
 def run(self, keytab, credopts=None, sambaopts=None, versionopts=None):
     lp = sambaopts.get_loadparm()
     net = Net(None, lp, server=credopts.ipaddress)
     net.export_keytab(keytab=keytab)
Ejemplo n.º 52
0
 def run(self, name, credopts=None, sambaopts=None, versionopts=None):
     lp = sambaopts.get_loadparm()
     creds = credopts.get_credentials(lp, fallback_machine=True)
     net = Net(creds, lp, server=credopts.ipaddress)
     net.delete_user(name)
Ejemplo n.º 53
0
    def run(self,
            domain,
            role=None,
            sambaopts=None,
            credopts=None,
            versionopts=None,
            server=None,
            site=None,
            targetdir=None,
            domain_critical_only=False,
            parent_domain=None,
            machinepass=None):
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        net = Net(creds, lp, server=credopts.ipaddress)

        if site is None:
            site = "Default-First-Site-Name"

        netbios_name = lp.get("netbios name")

        if not role is None:
            role = role.upper()

        if role is None or role == "MEMBER":
            (join_password, sid,
             domain_name) = net.join_member(domain,
                                            netbios_name,
                                            LIBNET_JOIN_AUTOMATIC,
                                            machinepass=machinepass)

            self.outf.write("Joined domain %s (%s)\n" % (domain_name, sid))
            return
        elif role == "DC":
            join_DC(server=server,
                    creds=creds,
                    lp=lp,
                    domain=domain,
                    site=site,
                    netbios_name=netbios_name,
                    targetdir=targetdir,
                    domain_critical_only=domain_critical_only,
                    machinepass=machinepass)
            return
        elif role == "RODC":
            join_RODC(server=server,
                      creds=creds,
                      lp=lp,
                      domain=domain,
                      site=site,
                      netbios_name=netbios_name,
                      targetdir=targetdir,
                      domain_critical_only=domain_critical_only,
                      machinepass=machinepass)
            return
        elif role == "SUBDOMAIN":
            netbios_domain = lp.get("workgroup")
            if parent_domain is None:
                parent_domain = ".".join(domain.split(".")[1:])
            join_subdomain(server=server,
                           creds=creds,
                           lp=lp,
                           dnsdomain=domain,
                           parent_domain=parent_domain,
                           site=site,
                           netbios_name=netbios_name,
                           netbios_domain=netbios_domain,
                           targetdir=targetdir,
                           machinepass=machinepass)
            return
        else:
            raise CommandError(
                "Invalid role '%s' (possible values: MEMBER, DC, RODC, SUBDOMAIN)"
                % role)
Ejemplo n.º 54
0
    def run(self,
            sambaopts=None,
            credopts=None,
            versionopts=None,
            server=None,
            targetdir=None):
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        net = Net(creds, lp, server=credopts.ipaddress)

        netbios_name = lp.get("netbios name")
        samdb = SamDB(session_info=system_session(), credentials=creds, lp=lp)
        if not server:
            res = samdb.search(
                expression='(&(objectClass=computer)(serverReferenceBL=*))',
                attrs=["dnsHostName", "name"])
            if (len(res) == 0):
                raise CommandError("Unable to search for servers")

            if (len(res) == 1):
                raise CommandError("You are the latest server in the domain")

            server = None
            for e in res:
                if str(e["name"]).lower() != netbios_name.lower():
                    server = e["dnsHostName"]
                    break

        ntds_guid = samdb.get_ntds_GUID()
        msg = samdb.search(base=str(samdb.get_config_basedn()),
                           scope=ldb.SCOPE_SUBTREE,
                           expression="(objectGUID=%s)" % ntds_guid,
                           attrs=['options'])
        if len(msg) == 0 or "options" not in msg[0]:
            raise CommandError("Failed to find options on %s" % ntds_guid)

        ntds_dn = msg[0].dn
        dsa_options = int(str(msg[0]['options']))

        res = samdb.search(expression="(fSMORoleOwner=%s)" % str(ntds_dn),
                           controls=["search_options:1:2"])

        if len(res) != 0:
            raise CommandError(
                "Current DC is still the owner of %d role(s), use the role command to transfer roles to another DC"
            )

        print "Using %s as partner server for the demotion" % server
        (drsuapiBind, drsuapi_handle,
         supportedExtensions) = drsuapi_connect(server, lp, creds)

        print "Desactivating inbound replication"

        nmsg = ldb.Message()
        nmsg.dn = msg[0].dn

        dsa_options |= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
        nmsg["options"] = ldb.MessageElement(str(dsa_options),
                                             ldb.FLAG_MOD_REPLACE, "options")
        samdb.modify(nmsg)

        if not (dsa_options &
                DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():

            print "Asking partner server %s to synchronize from us" % server
            for part in (samdb.get_schema_basedn(), samdb.get_config_basedn(),
                         samdb.get_root_basedn()):
                try:
                    sendDsReplicaSync(drsuapiBind, drsuapi_handle, ntds_guid,
                                      str(part), drsuapi.DRSUAPI_DRS_WRIT_REP)
                except drsException, e:
                    print "Error while demoting, re-enabling inbound replication"
                    dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
                    nmsg["options"] = ldb.MessageElement(
                        str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
                    samdb.modify(nmsg)
                    raise CommandError(
                        "Error while sending a DsReplicaSync for partion %s" %
                        str(part), e)