Diffstat (limited to 'source4/scripting')
50 files changed, 8500 insertions, 0 deletions
diff --git a/source4/scripting/bin/enablerecyclebin b/source4/scripting/bin/enablerecyclebin new file mode 100755 index 0000000..3477f90 --- /dev/null +++ b/source4/scripting/bin/enablerecyclebin @@ -0,0 +1,53 @@ +#!/usr/bin/env python3 +# +# enabled the Recycle Bin optional feature +# +import optparse +import sys + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + +import samba +from samba import getopt as options, Ldb +from ldb import SCOPE_BASE +import sys +import ldb +from samba.auth import system_session + +parser = optparse.OptionParser("enablerecyclebin <URL>") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +parser.add_option_group(options.VersionOptions(parser)) + +opts, args = parser.parse_args() +opts.dump_all = True + +if len(args) != 1: + parser.print_usage() + sys.exit(1) + +url = args[0] + +lp_ctx = sambaopts.get_loadparm() + +creds = credopts.get_credentials(lp_ctx) +sam_ldb = Ldb(url, session_info=system_session(), credentials=creds, lp=lp_ctx) + +# get the rootDSE +res = sam_ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"]) +rootDse = res[0] + +configbase=rootDse["configurationNamingContext"] + +# enable the feature +msg = ldb.Message() +msg.dn = ldb.Dn(sam_ldb, "") +msg["enableOptionalFeature"] = ldb.MessageElement( + "CN=Partitions," + str(configbase) + ":766ddcd8-acd0-445e-f3b9-a7f9b6744f2a", + ldb.FLAG_MOD_ADD, "enableOptionalFeature") +res = sam_ldb.modify(msg) + +print("Recycle Bin feature enabled") diff --git a/source4/scripting/bin/findprovisionusnranges b/source4/scripting/bin/findprovisionusnranges new file mode 100755 index 0000000..b05b5ce --- /dev/null +++ b/source4/scripting/bin/findprovisionusnranges 
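Review bot: The feature GUID inside the `enableOptionalFeature` value is a bare magic string; name it so the intent is visible at the call site, e.g. `RECYCLE_BIN_FEATURE_GUID = "766ddcd8-acd0-445e-f3b9-a7f9b6744f2a"  # well-known GUID of the Recycle Bin optional feature` and build the `"CN=Partitions," + str(configbase) + ":" + RECYCLE_BIN_FEATURE_GUID` value from it. The script also imports `sys` twice, sets `opts.dump_all = True` and assigns `res = sam_ldb.modify(msg)` without using either, which read as leftovers. The header comment `# enabled the Recycle Bin optional feature` should read `# enable the Recycle Bin optional feature`, and it is worth stating there that this is a forest-wide change which, to my knowledge, cannot be undone once applied, since the script performs it with no confirmation step.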
@@ -0,0 +1,78 @@ +#!/usr/bin/env python3 +# +# Helper for determining USN ranges created of modified by provision and +# upgradeprovision. +# Copyright (C) Matthieu Patou <mat@matws.net> 2009-2011 +# +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +import sys +import optparse +sys.path.insert(0, "bin/python") + +from samba.credentials import DONT_USE_KERBEROS +from samba.auth import system_session +from samba import Ldb +import ldb + +import samba.getopt as options +from samba import param +from samba.upgradehelpers import get_paths, print_provision_ranges, findprovisionrange +from samba.ndr import ndr_unpack +from samba.dcerpc import misc + +parser = optparse.OptionParser("findprovisionusnranges [options]") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +parser.add_option("--storedir", type="string", help="Directory where to store result files") +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts = parser.parse_args()[0] +lp = sambaopts.get_loadparm() +smbconf = lp.configfile + +creds = credopts.get_credentials(lp) +creds.set_kerberos_state(DONT_USE_KERBEROS) +session = system_session() +paths = get_paths(param, smbconf=smbconf) +basedn="DC=" + lp.get("realm").replace(".",",DC=") +samdb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp) 
+ +res = samdb.search(base="", scope=ldb.SCOPE_BASE, attrs=["dsServiceName"]) + +invocation = None +if res and len(res) == 1 and res[0]["dsServiceName"] != None: + dn = ldb.Dn(samdb, str(res[0]["dsServiceName"])) + res = samdb.search(base=str(dn), scope=ldb.SCOPE_BASE, attrs=["invocationId"], + controls=["search_options:1:2"]) + + if res and len(res) == 1 and res[0]["invocationId"]: + invocation = str(ndr_unpack(misc.GUID, res[0]["invocationId"][0])) + else: + print("Unable to find invocation ID") + sys.exit(1) +else: + print("Unable to find attribute dsServiceName in rootDSE") + sys.exit(1) + +minobj = 5 +(hash_id, nb_obj) = findprovisionrange(samdb, basedn) +print("Here is a list of changes that modified more than %d objects in 1 minute." % minobj) +print("Usually changes made by provision and upgradeprovision are those who affect a couple" + " of hundred of objects or more") +print("Total number of objects: %d\n" % nb_obj) + +print_provision_ranges(hash_id, minobj, opts.storedir, str(paths.samdb), invocation) diff --git a/source4/scripting/bin/gen_error_common.py b/source4/scripting/bin/gen_error_common.py new file mode 100644 index 0000000..aa71afa --- /dev/null +++ b/source4/scripting/bin/gen_error_common.py 
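Review bot: The guard `res[0]["dsServiceName"] != None` compares with `!=` instead of `is not None`, and if I read the ldb bindings right, indexing a Message by an absent attribute raises KeyError rather than returning None, so the else branch that prints `Unable to find attribute dsServiceName in rootDSE` would not be reached in the case it is written for; `if res and len(res) == 1 and res[0].get("dsServiceName") is not None:` handles both, and the same pattern recurs for `invocationId` a few lines later. `basedn` is built by string replacement on `lp.get("realm")` and will raise a bare traceback if the realm is unset; a check with a clear message would be friendlier. Header comment typo: `created of modified` should be `created or modified`.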
@@ -0,0 +1,82 @@ +#!/usr/bin/env python3 + +# +# Unix SMB/CIFS implementation. +# +# Utility methods for generating error codes from a file. +# +# Copyright (C) Noel Power <noel.power@suse.com> 2014 +# Copyright (C) Catalyst IT Ltd. 2017 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +# error data model +class ErrorDef: + def __init__(self): + self.err_code = None + self.err_define = None + self.err_string = "" + self.linenum = "" + +def escapeString( input ): + output = input.replace('"','\\"') + output = output.replace("\\<","\\\\<") + output = output.replace('\t',"") + return output + +# Parse error descriptions from a file which is the content +# of an HTML table. +# The file must be formatted as: +# [error code hex] +# [error name short] +# [error description] +# Blank lines are allowed and errors do not have to have a +# description. +# Returns a list of ErrorDef objects. +def parseErrorDescriptions( file_contents, isWinError, transformErrorFunction ): + errors = [] + count = 0 + for line in file_contents: + if line is None or line == '\t' or line == "" or line == '\n': + continue + content = line.strip().split(None,1) + # start new error definition ? 
+ if line.startswith("0x"): + newError = ErrorDef() + newError.err_code = int(content[0],0) + # escape the usual suspects + if len(content) > 1: + newError.err_string = escapeString(content[1]) + newError.linenum = count + newError.isWinError = isWinError + errors.append(newError) + else: + if len(errors) == 0: + continue + err = errors[-1] + if err.err_define is None: + err.err_define = transformErrorFunction(content[0]) + else: + if len(content) > 0: + desc = escapeString(line.strip()) + if len(desc): + if err.err_string == "": + err.err_string = desc + else: + err.err_string = err.err_string + " " + desc + count = count + 1 + print("parsed %d lines generated %d error definitions"%(count,len(errors))) + return errors + diff --git a/source4/scripting/bin/gen_hresult.py b/source4/scripting/bin/gen_hresult.py new file mode 100755 index 0000000..6a75c37 --- /dev/null +++ b/source4/scripting/bin/gen_hresult.py 
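Review bot: A whitespace-only line other than exactly `\t` or `\n` (for example `  \n`) passes the skip test at the top of the loop in `parseErrorDescriptions`, yields an empty `content`, and then indexes `content[0]` when the last error still has no `err_define`, raising IndexError; testing the split result is simpler and covers every case: `content = line.strip().split(None,1)` followed by `if not content: continue` (gen_hresult.py's copy of this loop in the same commit already does this). `ErrorDef.__init__` should also initialise `self.isWinError = False`, since the parser sets that attribute on every instance and the generators read it, so an ErrorDef built elsewhere would be missing it. `escapeString` only handles `"` and `\<`; any other backslash in a description is copied verbatim into a C string literal by the generators, so either escape backslashes generally or document in the comment above `parseErrorDescriptions` that the pasted table is assumed to contain none.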
@@ -0,0 +1,228 @@ +#!/usr/bin/env python3 + +# +# Unix SMB/CIFS implementation. +# +# HRESULT Error definitions +# +# Copyright (C) Noel Power <noel.power@suse.com> 2014 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + + +import sys, os.path, io, string + +# parsed error data +Errors = [] + +# error data model +class ErrorDef: + + def __init__(self): + self.err_code = "" + self.err_define = None + self.err_string = "" + self.isWinError = False + self.linenum = "" + +def escapeString( input ): + output = input.replace('"','\\"') + output = output.replace("\\<","\\\\<") + output = output.replace('\t',"") + return output + +def parseErrorDescriptions( input_file, isWinError ): + # read in the data + fileContents = open(input_file,"r") + count = 0; + for line in fileContents: + content = line.strip().split(None,1) + # start new error definition ? 
+ if len(content) == 0: + continue + if line.startswith("0x"): + newError = ErrorDef() + newError.err_code = content[0] + # escape the usual suspects + if len(content) > 1: + newError.err_string = escapeString(content[1]) + newError.linenum = count + newError.isWinError = isWinError + Errors.append(newError) + else: + if len(Errors) == 0: + print("Error parsing file as line %d"%count) + sys.exit() + err = Errors[-1] + if err.err_define is None: + err.err_define = "HRES_" + content[0] + else: + if len(content) > 0: + desc = escapeString(line.strip()) + if len(desc): + if err.err_string == "": + err.err_string = desc + else: + err.err_string = err.err_string + " " + desc + count = count + 1 + fileContents.close() + print("parsed %d lines generated %d error definitions"%(count,len(Errors))) + +def write_license(out_file): + out_file.write("/*\n") + out_file.write(" * Unix SMB/CIFS implementation.\n") + out_file.write(" *\n") + out_file.write(" * HRESULT Error definitions\n") + out_file.write(" *\n") + out_file.write(" * Copyright (C) Noel Power <noel.power@suse.com> 2014\n") + out_file.write(" *\n") + out_file.write(" * This program is free software; you can redistribute it and/or modify\n") + out_file.write(" * it under the terms of the GNU General Public License as published by\n") + out_file.write(" * the Free Software Foundation; either version 3 of the License, or\n") + out_file.write(" * (at your option) any later version.\n") + out_file.write(" *\n") + out_file.write(" * This program is distributed in the hope that it will be useful,\n") + out_file.write(" * but WITHOUT ANY WARRANTY; without even the implied warranty of\n") + out_file.write(" * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n") + out_file.write(" * GNU General Public License for more details.\n") + out_file.write(" *\n") + out_file.write(" * You should have received a copy of the GNU General Public License\n") + out_file.write(" * along with this program. 
If not, see <http://www.gnu.org/licenses/>.\n") + out_file.write(" */\n") + out_file.write("\n") + +def generateHeaderFile(out_file): + write_license(out_file) + out_file.write("#ifndef _HRESULT_H_\n") + out_file.write("#define _HRESULT_H_\n\n") + macro_magic = "#if defined(HAVE_IMMEDIATE_STRUCTURES)\n" + macro_magic += "typedef struct {uint32_t h;} HRESULT;\n" + macro_magic += "#define HRES_ERROR(x) ((HRESULT) { x })\n" + macro_magic += "#define HRES_ERROR_V(x) ((x).h)\n" + macro_magic += "#else\n" + macro_magic += "typedef uint32_t HRESULT;\n" + macro_magic += "#define HRES_ERROR(x) (x)\n" + macro_magic += "#define HRES_ERROR_V(x) (x)\n" + macro_magic += "#endif\n" + macro_magic += "\n" + macro_magic += "#define HRES_IS_OK(x) (HRES_ERROR_V(x) == 0)\n" + macro_magic += "#define HRES_IS_EQUAL(x,y) (HRES_ERROR_V(x) == HRES_ERROR_V(y))\n" + + out_file.write(macro_magic) + out_file.write("\n\n") + out_file.write("/*\n") + out_file.write(" * The following error codes are autogenerated from [MS-ERREF]\n") + out_file.write(" * see http://msdn.microsoft.com/en-us/library/cc704587.aspx\n") + out_file.write(" */\n") + out_file.write("\n") + + for err in Errors: + line = "#define {0:49} HRES_ERROR({1})\n".format(err.err_define ,err.err_code) + out_file.write(line) + out_file.write("\nconst char *hresult_errstr_const(HRESULT err_code);\n") + out_file.write("\nconst char *hresult_errstr(HRESULT err_code);\n") + out_file.write("\n#define FACILITY_WIN32 0x0007\n") + out_file.write("#define WIN32_FROM_HRESULT(x) (HRES_ERROR_V(x) == 0 ? 
HRES_ERROR_V(x) : ~((FACILITY_WIN32 << 16) | 0x80000000) & HRES_ERROR_V(x))\n") + out_file.write("#define HRESULT_IS_LIKELY_WERR(x) ((HRES_ERROR_V(x) & 0xFFFF0000) == 0x80070000)\n") + out_file.write("#define HRESULT_FROM_WERROR(x) (HRES_ERROR(0x80070000 | W_ERROR_V(x)))\n") + out_file.write("\n\n\n#endif /*_HRESULT_H_*/") + + +def generateSourceFile(out_file): + write_license(out_file) + out_file.write("#include \"includes.h\"\n") + out_file.write("#include \"hresult.h\"\n") + out_file.write("/*\n") + out_file.write(" * The following error codes and descriptions are autogenerated from [MS-ERREF]\n") + out_file.write(" * see http://msdn.microsoft.com/en-us/library/cc704587.aspx\n") + out_file.write(" */\n") + out_file.write("\n") + out_file.write("static const struct {\n") + out_file.write(" HRESULT error_code;\n") + out_file.write(" const char *error_str;\n") + out_file.write(" const char *error_message;\n") + out_file.write("} hresult_errs[] = {\n") + + for err in Errors: + out_file.write(" {\n") + if err.isWinError: + out_file.write(" HRESULT_FROM_WIN32(%s),\n"%err.err_define) + out_file.write(" \"HRESULT_FROM_WIN32(%s)\",\n"%err.err_define) + else: + out_file.write(" %s,\n"%err.err_define) + out_file.write(" \"%s\",\n"%err.err_define) + out_file.write(" \"%s\"\n"%err.err_string) + out_file.write(" },\n") + out_file.write("};\n") + out_file.write("\n") + out_file.write("const char *hresult_errstr_const(HRESULT err_code)\n") + out_file.write("{\n"); + out_file.write(" const char *result = NULL;\n") + out_file.write(" int i;\n") + out_file.write(" for (i = 0; i < ARRAY_SIZE(hresult_errs); ++i) {\n") + out_file.write(" if (HRES_IS_EQUAL(err_code, hresult_errs[i].error_code)) {\n") + out_file.write(" result = hresult_errs[i].error_message;\n") + out_file.write(" break;\n") + out_file.write(" }\n") + out_file.write(" }\n") + out_file.write(" /* convert & check win32 error space? 
*/\n") + out_file.write(" if (result == NULL && HRESULT_IS_LIKELY_WERR(err_code)) {\n") + out_file.write(" WERROR wErr = W_ERROR(WIN32_FROM_HRESULT(err_code));\n") + out_file.write(" result = get_friendly_werror_msg(wErr);\n") + out_file.write(" }\n") + out_file.write(" return result;\n") + out_file.write("};\n") + out_file.write("\n") + out_file.write("const char *hresult_errstr(HRESULT err_code)\n") + out_file.write("{\n"); + out_file.write(" static char msg[22];\n") + out_file.write(" int i;\n") + out_file.write("\n") + out_file.write(" for (i = 0; i < ARRAY_SIZE(hresult_errs); i++) {\n") + out_file.write(" if (HRES_IS_EQUAL(err_code, hresult_errs[i].error_code)) {\n") + out_file.write(" return hresult_errs[i].error_str;\n") + out_file.write(" }\n") + out_file.write(" }\n") + out_file.write(" snprintf(msg, sizeof(msg), \"HRES code 0x%08x\", HRES_ERROR_V(err_code));\n") + out_file.write(" return msg;\n") + out_file.write("};\n") + +# Very simple script to generate files hresult.c & hresult.h +# The script simply takes a text file as input, format of input file is +# very simple and is just the content of a html table ( such as that found +# in http://msdn.microsoft.com/en-us/library/cc704587.aspx ) copied and +# pasted into a text file + +def main (): + input_file1 = None; + filename = "hresult" + headerfile_name = filename + ".h" + sourcefile_name = filename + ".c" + if len(sys.argv) > 1: + input_file1 = sys.argv[1] + else: + print("usage: %s winerrorfile"%(sys.argv[0])) + sys.exit() + + parseErrorDescriptions(input_file1, False) + out_file = open(headerfile_name,"w") + generateHeaderFile(out_file) + out_file.close() + out_file = open(sourcefile_name,"w") + generateSourceFile(out_file) + +if __name__ == '__main__': + + main() diff --git a/source4/scripting/bin/gen_ntstatus.py b/source4/scripting/bin/gen_ntstatus.py new file mode 100755 index 0000000..b4a9bfc --- /dev/null +++ b/source4/scripting/bin/gen_ntstatus.py 
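Review bot: Both failure paths in this file call `sys.exit()` with no argument, which exits with status 0: the usage error in `main` and the `Error parsing file as line %d` case in `parseErrorDescriptions`, so a build that runs the generator cannot distinguish failure from success; both should be `sys.exit(1)`. The same `sys.exit()` on a usage error appears in the `main` of gen_ntstatus.py and gen_werror.py in this commit. In `main`, the handle from `out_file = open(sourcefile_name,"w")` is never closed (the header one is), and `parseErrorDescriptions` opens its input without `with` or an encoding; `with open(...) as out_file:` for each keeps the flush explicit. Minor: `count = 0;` and `input_file1 = None;` carry stray semicolons, and the parser mutates the module-level `Errors` list, unlike gen_ntstatus.py whose parser returns the list.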
@@ -0,0 +1,148 @@ +#!/usr/bin/env python3 + +# +# Unix SMB/CIFS implementation. +# +# HRESULT Error definitions +# +# Copyright (C) Noel Power <noel.power@suse.com> 2014 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import sys, os.path, io, string +from gen_error_common import parseErrorDescriptions, ErrorDef + +def generateHeaderFile(out_file, errors): + out_file.write("/*\n") + out_file.write(" * Descriptions for errors generated from\n") + out_file.write(" * [MS-ERREF] http://msdn.microsoft.com/en-us/library/cc704588.aspx\n") + out_file.write(" */\n\n") + out_file.write("#ifndef _NTSTATUS_GEN_H\n") + out_file.write("#define _NTSTATUS_GEN_H\n") + for err in errors: + line = "#define %s NT_STATUS(%#x)\n" % (err.err_define, err.err_code) + out_file.write(line) + out_file.write("\n#endif /* _NTSTATUS_GEN_H */\n") + +def generateSourceFile(out_file, errors): + out_file.write("/*\n") + out_file.write(" * Names for errors generated from\n") + out_file.write(" * [MS-ERREF] http://msdn.microsoft.com/en-us/library/cc704588.aspx\n") + out_file.write(" */\n") + + out_file.write("static const nt_err_code_struct nt_errs[] = \n") + out_file.write("{\n") + for err in errors: + out_file.write("\t{ \"%s\", %s },\n" % (err.err_define, err.err_define)) + out_file.write("{ 0, NT_STATUS(0) }\n") + out_file.write("};\n") + + out_file.write("\n/*\n") + out_file.write(" * Descriptions for 
errors generated from\n") + out_file.write(" * [MS-ERREF] http://msdn.microsoft.com/en-us/library/cc704588.aspx\n") + out_file.write(" */\n") + + out_file.write("static const nt_err_code_struct nt_err_desc[] = \n") + out_file.write("{\n") + for err in errors: + # Account for the possibility that some errors may not have descriptions + if err.err_string == "": + continue + out_file.write("\t{ N_(\"%s\"), %s },\n"%(err.err_string, err.err_define)) + out_file.write("{ 0, NT_STATUS(0) }\n") + out_file.write("};") + +def generatePythonFile(out_file, errors): + out_file.write("/*\n") + out_file.write(" * New descriptions for existing errors generated from\n") + out_file.write(" * [MS-ERREF] http://msdn.microsoft.com/en-us/library/cc704588.aspx\n") + out_file.write(" */\n") + out_file.write("#include <Python.h>\n") + out_file.write("#include \"python/py3compat.h\"\n") + out_file.write("#include \"includes.h\"\n\n") + # This is needed to avoid a missing prototype error from the C + # compiler. There is never a prototype for this function, it is a + # module loaded by python with dlopen() and found with dlsym(). 
+ out_file.write("static struct PyModuleDef moduledef = {\n") + out_file.write("\tPyModuleDef_HEAD_INIT,\n") + out_file.write("\t.m_name = \"ntstatus\",\n") + out_file.write("\t.m_doc = \"NTSTATUS error defines\",\n") + out_file.write("\t.m_size = -1,\n") + out_file.write("};\n\n") + out_file.write("MODULE_INIT_FUNC(ntstatus)\n") + out_file.write("{\n") + out_file.write("\tPyObject *m;\n\n") + out_file.write("\tm = PyModule_Create(&moduledef);\n"); + out_file.write("\tif (m == NULL)\n"); + out_file.write("\t\treturn NULL;\n\n"); + for err in errors: + line = """\tPyModule_AddObject(m, \"%s\", + \t\tPyLong_FromUnsignedLongLong(NT_STATUS_V(%s)));\n""" % (err.err_define, err.err_define) + out_file.write(line) + out_file.write("\n"); + out_file.write("\treturn m;\n"); + out_file.write("}\n"); + +def transformErrorName( error_name ): + if error_name.startswith("STATUS_"): + error_name = error_name.replace("STATUS_", "", 1) + elif error_name.startswith("RPC_NT_"): + error_name = error_name.replace("RPC_NT_", "RPC_", 1) + elif error_name.startswith("EPT_NT_"): + error_name = error_name.replace("EPT_NT_", "EPT_", 1) + return "NT_STATUS_" + error_name + +# Very simple script to generate files nterr_gen.c & ntstatus_gen.h. +# These files contain generated definitions. +# This script takes four inputs: +# [1]: The name of the text file which is the content of an HTML table +# (e.g. the one found at http://msdn.microsoft.com/en-us/library/cc231200.aspx) +# copied and pasted. 
+# [2]: The name of the output generated header file with NTStatus #defines +# [3]: The name of the output generated source file with C arrays +# [4]: The name of the output generated python file +def main (): + input_file = None; + + if len(sys.argv) == 5: + input_file = sys.argv[1] + gen_headerfile_name = sys.argv[2] + gen_sourcefile_name = sys.argv[3] + gen_pythonfile_name = sys.argv[4] + else: + print("usage: %s winerrorfile headerfile sourcefile pythonfile" % (sys.argv[0])) + sys.exit() + + # read in the data + file_contents = io.open(input_file, "rt", encoding='utf8') + + errors = parseErrorDescriptions(file_contents, False, transformErrorName) + + print("writing new header file: %s" % gen_headerfile_name) + out_file = io.open(gen_headerfile_name, "wt", encoding='utf8') + generateHeaderFile(out_file, errors) + out_file.close() + print("writing new source file: %s" % gen_sourcefile_name) + out_file = io.open(gen_sourcefile_name, "wt", encoding='utf8') + generateSourceFile(out_file, errors) + out_file.close() + print("writing new python file: %s" % gen_pythonfile_name) + out_file = io.open(gen_pythonfile_name, "wt", encoding='utf8') + generatePythonFile(out_file, errors) + out_file.close() + +if __name__ == '__main__': + + main() diff --git a/source4/scripting/bin/gen_output.py b/source4/scripting/bin/gen_output.py new file mode 100755 index 0000000..8f5239f --- /dev/null +++ b/source4/scripting/bin/gen_output.py 
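Review bot: In `generatePythonFile` the comment `This is needed to avoid a missing prototype error from the C compiler...` sits directly above `static struct PyModuleDef moduledef = {`, which is not a prototype; it looks like a leftover from a version that emitted a prototype line and should be dropped or moved to whatever it describes (gen_werror.py carries the same comment). The generated module init calls `PyModule_AddObject` without checking its return value; on failure the object from `PyLong_FromUnsignedLongLong` is not released and the module is still returned, so emitting a check such as `if (PyModule_AddObject(...) < 0) { Py_DECREF(m); return NULL; }` would be safer (same in gen_werror.py). `main` opens `file_contents` with `io.open` and never closes it, whereas gen_werror.py's `main` does `input_file.close()`; `with io.open(...) as file_contents:` around the parse call makes the two consistent. The imports `os.path`, `string` and `ErrorDef` are unused here and in gen_werror.py.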
@@ -0,0 +1,53 @@ +#!/usr/bin/env python3 + +# Copyright (C) Catalyst IT Ltd. 2017 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +""" +A data generator to help tests. + +Generate large output to stdout by repeating input data. +Usage: + + python gen_output.py --data @ --repeat 1024 --retcode 1 + +The above command will output @ x 1024 (1K) and exit with 1. +""" + +import sys +import argparse + +parser = argparse.ArgumentParser(description='Generate output data') + +parser.add_argument( + '--data', type=str, default='$', + help='Characters used to generate data by repeating them' +) + +parser.add_argument( + '--repeat', type=int, default=1024 * 1024, + help='How many times to repeat the data' +) + +parser.add_argument( + '--retcode', type=int, default=0, + help='Specify the exit code for this script' +) + +args = parser.parse_args() + +sys.stdout.write(args.data * args.repeat) + +sys.exit(args.retcode) diff --git a/source4/scripting/bin/gen_werror.py b/source4/scripting/bin/gen_werror.py new file mode 100755 index 0000000..1ac9d33 --- /dev/null +++ b/source4/scripting/bin/gen_werror.py 
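Review bot: `sys.stdout.write(args.data * args.repeat)` materialises the whole output in memory before writing; for a helper whose purpose is to produce large output, a loop keeps memory bounded regardless of `--repeat`: `for _ in range(args.repeat):` / `    sys.stdout.write(args.data)`. Because `--repeat` is a plain `int`, a negative value silently produces no output; if that is not intended, reject it in the parser or say so in the module docstring. The docstring's usage example is good; listing the defaults (`$`, `1024 * 1024`, `0`) there would save a read of the parser.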
@@ -0,0 +1,149 @@ +#!/usr/bin/env python3 + +# +# Unix SMB/CIFS implementation. +# +# WERROR error definition generation +# +# Copyright (C) Catalyst.Net Ltd. 2017 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import sys, os.path, io, string +from gen_error_common import parseErrorDescriptions, ErrorDef + +def generateHeaderFile(out_file, errors): + out_file.write("/*\n") + out_file.write(" * Descriptions for errors generated from\n") + out_file.write(" * [MS-ERREF] https://msdn.microsoft.com/en-us/library/cc231199.aspx\n") + out_file.write(" */\n\n") + out_file.write("#ifndef _WERR_GEN_H\n") + out_file.write("#define _WERR_GEN_H\n") + for err in errors: + line = "#define %s W_ERROR(%s)\n" % (err.err_define, hex(err.err_code)) + out_file.write(line) + out_file.write("\n#endif /* _WERR_GEN_H */\n") + +def generateSourceFile(out_file, errors): + out_file.write("#include \"werror.h\"\n") + + out_file.write("/*\n") + out_file.write(" * Names for errors generated from\n") + out_file.write(" * [MS-ERREF] https://msdn.microsoft.com/en-us/library/cc231199.aspx\n") + out_file.write(" */\n") + + out_file.write("static const struct werror_code_struct dos_errs[] = \n") + out_file.write("{\n") + for err in errors: + out_file.write("\t{ \"%s\", %s },\n" % (err.err_define, err.err_define)) + out_file.write("{ 0, W_ERROR(0) }\n") + out_file.write("};\n") + + out_file.write("\n/*\n") + 
out_file.write(" * Descriptions for errors generated from\n") + out_file.write(" * [MS-ERREF] https://msdn.microsoft.com/en-us/library/cc231199.aspx\n") + out_file.write(" */\n") + + out_file.write("static const struct werror_str_struct dos_err_strs[] = \n") + out_file.write("{\n") + for err in errors: + # Account for the possibility that some errors may not have descriptions + if err.err_string == "": + continue + out_file.write("\t{ %s, \"%s\" },\n"%(err.err_define, err.err_string)) + out_file.write("\t{ W_ERROR(0), 0 }\n") + out_file.write("};") + +def generatePythonFile(out_file, errors): + out_file.write("/*\n") + out_file.write(" * Errors generated from\n") + out_file.write(" * [MS-ERREF] https://msdn.microsoft.com/en-us/library/cc231199.aspx\n") + out_file.write(" */\n") + out_file.write("#include <Python.h>\n") + out_file.write("#include \"python/py3compat.h\"\n") + out_file.write("#include \"includes.h\"\n\n") + # This is needed to avoid a missing prototype error from the C + # compiler. There is never a prototype for this function, it is a + # module loaded by python with dlopen() and found with dlsym(). 
+ out_file.write("static struct PyModuleDef moduledef = {\n") + out_file.write("\tPyModuleDef_HEAD_INIT,\n") + out_file.write("\t.m_name = \"werror\",\n") + out_file.write("\t.m_doc = \"WERROR defines\",\n") + out_file.write("\t.m_size = -1,\n") + out_file.write("};\n\n") + out_file.write("MODULE_INIT_FUNC(werror)\n") + out_file.write("{\n") + out_file.write("\tPyObject *m;\n\n") + out_file.write("\tm = PyModule_Create(&moduledef);\n"); + out_file.write("\tif (m == NULL)\n"); + out_file.write("\t\treturn NULL;\n\n"); + for err in errors: + line = """\tPyModule_AddObject(m, \"%s\", + \t\tPyLong_FromUnsignedLongLong(W_ERROR_V(%s)));\n""" % (err.err_define, err.err_define) + out_file.write(line) + out_file.write("\n"); + out_file.write("\treturn m;\n"); + out_file.write("}\n"); + +def transformErrorName( error_name ): + if error_name.startswith("WERR_"): + error_name = error_name.replace("WERR_", "", 1) + elif error_name.startswith("ERROR_"): + error_name = error_name.replace("ERROR_", "", 1) + return "WERR_" + error_name.upper() + +# Script to generate files werror_gen.h, doserr_gen.c and +# py_werror.c. +# +# These files contain generated definitions for WERRs and +# their descriptions/names. +# +# This script takes four inputs: +# [1]: The name of the text file which is the content of an HTML table +# (e.g. the one found at https://msdn.microsoft.com/en-us/library/cc231199.aspx) +# copied and pasted. 
+# [2]: [[output werror_gen.h]] +# [3]: [[output doserr_gen.c]] +# [4]: [[output py_werror.c]] +def main(): + if len(sys.argv) == 5: + input_file_name = sys.argv[1] + gen_headerfile_name = sys.argv[2] + gen_sourcefile_name = sys.argv[3] + gen_pythonfile_name = sys.argv[4] + else: + print("usage: %s winerrorfile headerfile sourcefile pythonfile" % sys.argv[0]) + sys.exit() + + input_file = io.open(input_file_name, "rt", encoding='utf8') + errors = parseErrorDescriptions(input_file, True, transformErrorName) + input_file.close() + + print("writing new header file: %s" % gen_headerfile_name) + out_file = io.open(gen_headerfile_name, "wt", encoding='utf8') + generateHeaderFile(out_file, errors) + out_file.close() + print("writing new source file: %s" % gen_sourcefile_name) + out_file = io.open(gen_sourcefile_name, "wt", encoding='utf8') + generateSourceFile(out_file, errors) + out_file.close() + print("writing new python file: %s" % gen_pythonfile_name) + out_file = io.open(gen_pythonfile_name, "wt", encoding='utf8') + generatePythonFile(out_file, errors) + out_file.close() + +if __name__ == '__main__': + + main() diff --git a/source4/scripting/bin/get-descriptors b/source4/scripting/bin/get-descriptors new file mode 100755 index 0000000..6e69222 --- /dev/null +++ b/source4/scripting/bin/get-descriptors 
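Review bot: Several statements in `generatePythonFile` end with stray semicolons (`out_file.write("\n");`, `out_file.write("\treturn m;\n");`), which is legal Python but reads as C habit; drop them. `generateHeaderFile` formats the code with `hex(err.err_code)` while gen_ntstatus.py's counterpart uses `%#x`; the output is equivalent, but one spelling across the two generators would be easier to maintain. In `main`, `input_file` is closed only on the success path; `with io.open(input_file_name, "rt", encoding='utf8') as input_file:` around the `parseErrorDescriptions` call covers the exception path as well.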
@@ -0,0 +1,154 @@ +#!/usr/bin/env python3 +# +# Unix SMB/CIFS implementation. +# A script to compare differences of security descriotors between +# a remote host and the local Ldb +# Needs the local domain, the remote domain, IP of the remote host +# Username and password for the remote domain, must be at least +# Domain Administrator +# +# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008 +# Copyright (C) Nadezhda Ivanova <nadezhda.ivanova@postpath.com> 2009 +# +# Based on the original in EJS: +# Copyright (C) Andrew Tridgell <tridge@samba.org> 2005 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. 
+# + +import optparse +import sys +import base64 + +sys.path.insert(0, "bin/python") + +import samba +from samba.auth import system_session +import samba.getopt as options +from samba.ndr import ndr_pack, ndr_unpack +from samba.dcerpc import security +from samba import Ldb +from samba.samdb import SamDB +from ldb import SCOPE_SUBTREE, SCOPE_BASE + +parser = optparse.OptionParser("get-descriptors [options]") +sambaopts = options.SambaOptions(parser) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) + +parser.add_option("--local-domain", type="string", metavar="LOCALDOMAIN", + help="set local domain") +parser.add_option("--remote-domain", type="string", metavar="REMOTEDOMAIN", + help="set remote domain") +parser.add_option("--host", type="string", metavar="HOST", + help="Ip of the remote host used for comparison") +parser.add_option("--as-ldif", help="Output in LDIF format", action="store_true") + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +opts = parser.parse_args()[0] + +if not opts.host or not opts.localdomain or not opts.remote_domain: + parser.print_usage() + sys.exit(1) + +class DescrGetter: + + def __init__(self, localdomain, remotedomain): + self.samdb = SamDB(session_info=system_session(), lp=lp, options=["modules:paged_searches"]) + self.remote_ldb= Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp, + options=["modules:paged_searches"]) + self.local_domain = localdomain.replace(".", ",DC=") + self.local_domain = "DC=" + self.local_domain + self.remote_domain = remotedomain.replace(".", ",DC=") + self.remote_domain = "DC=" + self.remote_domain + self.local_map = {} + self.remote_map = {} + + def get_domain_local_sid(self): + res = self.samdb.search(base=self.local_domain,expression="(objectClass=*)", scope=SCOPE_BASE) + self.local_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) + + def get_domain_remote_sid(self): + res = self.remote_ldb.search(base=self.remote_domain, 
expression="(objectClass=*)", scope=SCOPE_BASE) + self.remote_sid = ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) + + def add_to_ldif(self, dn, descr): + ldif_entry = ["dn: " + dn, + "changetype: modify", + "replace: nTSecurityDescriptor", + "nTSecurityDescriptor:: " + base64.b64encode(ndr_pack(descr)).decode('utf8')] + + for line in ldif_entry: + length = 79 + if len(line) <= length + 1: + print(line) + else: + for i in range(len(line) / length + 1): + if i == 0: + l = line[i * length:((i + 1) * length)] + else: + l = " " + line[(i * length):((i + 1) * length)] + print(l) + print("\n") + + def write_as_sddl(self, dn, descr): + print(dn) + print(descr + "\n") + + def read_descr_by_base(self, search_base): + res = self.samdb.search(base=search_base + self.local_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"]) + for entry in res: + dn = entry["dn"].__str__().replace(self.local_domain, "") + + if "nTSecurityDescriptor" in entry: + desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0]) + self.local_map[dn] = desc_obj + + res = self.remote_ldb.search(base=search_base + self.remote_domain, expression="(objectClass=*)", scope=SCOPE_SUBTREE, attrs=["nTSecurityDescriptor"]) + for entry in res: + dn = entry["dn"].__str__().replace(self.remote_domain, "") + + if "nTSecurityDescriptor" in entry: + desc_obj = ndr_unpack(security.descriptor, entry["nTSecurityDescriptor"][0]) + self.remote_map[dn] = desc_obj + + def read_desc(self): + self.read_descr_by_base("CN=Schema,CN=Configuration,") + self.read_descr_by_base("CN=Configuration,") + self.read_descr_by_base("") + + def write_desc_to_ldif(self): + key_list_local = self.local_map.keys() + key_list_remote = self.remote_map.keys() + for key in key_list_remote: + if key in key_list_local: + sddl = self.remote_map[key].as_sddl(self.remote_sid) + sddl_local = self.local_map[key].as_sddl(self.local_sid) + if sddl != sddl_local: + descr = 
security.descriptor.from_sddl(sddl, self.local_sid) + if opts.as_ldif: + self.add_to_ldif(key + self.local_domain, descr) + else: + self.write_as_sddl(key, descr.as_sddl(self.local_sid)) + + def run(self): + self.get_domain_local_sid() + self.get_domain_remote_sid() + self.read_desc() + self.write_desc_to_ldif() + +desc = DescrGetter(opts.local_domain, opts.remote_domain) +desc.run() diff --git a/source4/scripting/bin/ktpass.sh b/source4/scripting/bin/ktpass.sh new file mode 100755 index 0000000..a165816 --- /dev/null +++ b/source4/scripting/bin/ktpass.sh 
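Review bot: The mandatory-option check reads `opts.localdomain`, but the option is declared as `--local-domain`, which optparse stores as `opts.local_domain`, so the check raises AttributeError before the comparison starts; the condition should be `if not opts.host or not opts.local_domain or not opts.remote_domain:`. In `add_to_ldif`, `range(len(line) / length + 1)` is true division under Python 3 and fails with TypeError for any line longer than 80 characters; `range(len(line) // length + 1)` is what is meant. Separately, `lp` and `creds` are taken from the option groups before `parser.parse_args()` runs and `sambaopts` is never added to the parser, so the `-s` and credential switches given on the command line may not reach the loadparm and credentials actually used; moving `opts = parser.parse_args()[0]` above `sambaopts.get_loadparm()` and adding `parser.add_option_group(sambaopts)` would make them effective.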
@@ -0,0 +1,122 @@ +#!/bin/sh +# vim: expandtab +# +# Copyright (C) Matthieu Patou <mat@matws.net> 2010 +# +# +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +name="ktpass.sh" +TEMP=$(getopt -o h --long princ:,pass:,out:,host:,ptype:,enc:,path-to-ldbsearch: \ + -n "$name" -- "$@") +eval set -- "$TEMP" + +usage() +{ + echo -ne "$name --out <keytabfile> --princ <principal> --pass <password>|*\n" + echo -ne " [--host hostname] [--enc <encryption>]\n" + echo -ne " [--ptype <type>] [--path-to-ldbsearch <path>]\n" + echo -ne "\nEncoding should be one of:\n" + echo -ne " * des-cbc-crc\n" + echo -ne " * des-cbc-md5\n" + echo -ne " * rc4-hmac (default)\n" + echo -ne " * aes128-cts\n" + echo -ne " * aes256-cts\n" + exit 0 +} +while true; do + case "$1" in + --out) + outfile=$2 + shift 2 + ;; + --princ) + princ=$2 + shift 2 + ;; + --pass) + pass=$2 + shift 2 + ;; + --host) + host=$2 + shift 2 + ;; + --ptype) shift 2 ;; + --enc) + enc=$2 + shift 2 + ;; + --path-to-ldbsearch) + path="$2/" + shift 2 + ;; + -h) usage ;; + --) + shift + break + ;; + *) + echo "Internal error!" + exit 1 + ;; + esac +done +#RC4-HMAC-NT|AES256-SHA1|AES128-SHA +if [ -z "$enc" ]; then + enc="rc4-hmac" +fi +if [ -z "$path" ]; then + path=$(dirname $0)/../bin/ + if [ ! 
-f ${path}ldbsearch ]; then + path=$(dirname $0)/../../bin/ + fi +fi +if [ -z "$outfile" -o -z "$princ" -o -z "$pass" ]; then + echo "At least one mandatory parameter (--out, --princ, --pass) was not specified" + usage +fi +if [ -z $host ]; then + host=$(hostname) +fi + +kvno=$(${path}ldbsearch -H ldap://$host "(|(samaccountname=$princ)(serviceprincipalname=$princ)(userprincipalname=$princ))" msds-keyversionnumber -k 1 -N 2>/dev/null | grep -i msds-keyversionnumber) +if [ x"$kvno" = x"" ]; then + echo -ne "Unable to find kvno for principal $princ\n" + echo -ne " check that you are authentified with kerberos\n" + exit 1 +else + kvno=$(echo $kvno | sed 's/^.*: //') +fi + +if [ "$pass" = "*" ]; then + echo -n "Enter password for $princ: " + stty -echo + read pass + stty echo + echo "" +fi + +ktutil >/dev/null <<EOF +add_entry -password -p $princ -k $kvno -e $enc +$pass +wkt $outfile +EOF + +if [ $? -eq 0 ]; then + echo "Keytab file $outfile created with success" +else + echo "Error while creating the keytab file $outfile" +fi diff --git a/source4/scripting/bin/machineaccountccache b/source4/scripting/bin/machineaccountccache new file mode 100755 index 0000000..5e6d3c5 --- /dev/null +++ b/source4/scripting/bin/machineaccountccache @@ -0,0 +1,30 @@ +#!/usr/bin/env python3 +import optparse +import sys + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + + +import samba +from samba import getopt as options +from samba.credentials import Credentials +parser = optparse.OptionParser("machineaccountccache <ccache name>") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +opts, args = parser.parse_args() + +if len(args) != 1: + parser.print_usage() + sys.exit(1) + +ccachename = args[0] + +lp_ctx = sambaopts.get_loadparm() + +creds = Credentials() + +creds.guess(lp_ctx) +creds.set_machine_account(lp_ctx) +creds.get_named_ccache(lp_ctx, ccachename) 
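Review bot: The interactive password prompt disables echo with `stty -echo` and restores it only on the normal path, so an interrupt while `read pass` is waiting leaves the terminal without echo; add `trap 'stty echo' EXIT INT TERM` before the `stty -echo` line. `usage` always exits 0, so the "At least one mandatory parameter ... was not specified" branch reports success to any caller; give that branch its own `exit 1` after printing usage. The `--pass <password>` form puts the secret in the process argument list, which is readable by other local users on most systems; the header comment should state that `--pass '*'` (prompt) is the form to prefer. `$princ` is also interpolated unescaped into the ldbsearch filter, so a principal containing `(`, `)` or `*` changes the filter rather than being matched literally.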
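Review bot: `creds.set_machine_account(lp_ctx)` is called without handling the failure case, so on a host with no stored machine account the script ends with a raw traceback instead of a message; the sibling machineaccountpw script in this commit wraps the same call in `except NTSTATUSError as error:` and exits 1, and the same pattern fits here. A one-line header comment saying that the script obtains a named credential cache for the machine account would help, since the usage string is currently the only documentation. `import samba` is unused in this file.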
diff --git a/source4/scripting/bin/machineaccountpw b/source4/scripting/bin/machineaccountpw
new file mode 100755
index 0000000..eab773e
--- /dev/null
+++ b/source4/scripting/bin/machineaccountpw
@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+import optparse
+import sys
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
+
+import samba
+from samba import getopt as options
+from samba import NTSTATUSError
+from samba.credentials import Credentials
+parser = optparse.OptionParser("machineaccountpw")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+opts, args = parser.parse_args()
+
+if len(args) != 0:
+ parser.print_usage()
+ sys.exit(1)
+
+try:
+ lp_ctx = sambaopts.get_loadparm()
+except RuntimeError as error:
+ print("Unable to load smb.conf %s: %s" % (sambaopts.get_loadparm_path(),
+ error),
+ file=sys.stderr)
+ sys.exit(1)
+
+creds = Credentials()
+
+creds.guess(lp_ctx)
+try:
+ creds.set_machine_account(lp_ctx)
+except NTSTATUSError as error:
+ print("Failed to find a stored machine account credential on this system: %s" \
+ % error.args[1],
+ file=sys.stderr)
+ sys.exit(1)
+
+print(creds.get_password())
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
new file mode 100755
index 0000000..509220d
--- /dev/null
+++ b/source4/scripting/bin/nsupdate-gss
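Review bot: The script writes the machine account secret to stdout and nothing in the file says so; a comment before the final `print`, such as `# Prints the stored machine account password in clear text to stdout; callers decide where that output goes.`, would make the behaviour explicit to anyone scheduling or piping it. The `except NTSTATUSError` branch indexes `error.args[1]`, which presumably carries the NTSTATUS message text; if that is not guaranteed for every raise site, `str(error)` avoids a secondary IndexError on the failure path. The backslash continuation inside the `print(...)` parentheses is unnecessary, and `import samba` is unused.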
@@ -0,0 +1,352 @@ +#!/usr/bin/perl -w +# update a win2000 DNS server using gss-tsig +# tridge@samba.org, October 2002 + +# jmruiz@animatika.net +# updated, 2004-Enero + +# tridge@samba.org, September 2009 +# added --verbose, --noverify, --ntype and --nameserver + +# See draft-ietf-dnsext-gss-tsig-02, RFC2845 and RFC2930 + +use strict; +use lib "GSSAPI"; +use Net::DNS; +use GSSAPI; +use Getopt::Long; + +my $opt_wipe = 0; +my $opt_add = 0; +my $opt_noverify = 0; +my $opt_verbose = 0; +my $opt_help = 0; +my $opt_nameserver; +my $opt_realm; +my $opt_ntype = "A"; + +# main program +GetOptions ( + 'h|help|?' => \$opt_help, + 'wipe' => \$opt_wipe, + 'realm=s' => \$opt_realm, + 'nameserver=s' => \$opt_nameserver, + 'ntype=s' => \$opt_ntype, + 'add' => \$opt_add, + 'noverify' => \$opt_noverify, + 'verbose' => \$opt_verbose + ); + +######################################### +# display help text +sub ShowHelp() +{ + print " + nsupdate with gssapi + Copyright (C) tridge\@samba.org + + Usage: nsupdate-gss [options] HOST DOMAIN TARGET TTL + + Options: + --wipe wipe all records for this name + --add add to any existing records + --ntype=TYPE specify name type (default A) + --nameserver=server specify a specific nameserver + --noverify don't verify the MIC of the reply + --verbose show detailed steps + +"; + exit(0); +} + +if ($opt_help) { + ShowHelp(); +} + +if ($#ARGV != 3) { + ShowHelp(); +} + + +my $host = $ARGV[0]; +my $domain = $ARGV[1]; +my $target = $ARGV[2]; +my $ttl = $ARGV[3]; +my $alg = "gss.microsoft.com"; + + + +####################################################################### +# signing callback function for TSIG module +sub gss_sign($$) +{ + my $key = shift; + my $data = shift; + my $sig; + $key->get_mic(0, $data, $sig); + return $sig; +} + + + +##################################################################### +# write a string into a file +sub FileSave($$) +{ + my($filename) = shift; + my($v) = shift; + local(*FILE); + open(FILE, ">$filename") || die 
"can't open $filename"; + print FILE $v; + close(FILE); +} + + +####################################################################### +# verify a TSIG signature from a DNS server reply +# +sub sig_verify($$) +{ + my $context = shift; + my $packet = shift; + + my $tsig = ($packet->additional)[0]; + $opt_verbose && print "calling sig_data\n"; + my $sigdata = $tsig->sig_data($packet); + + $opt_verbose && print "sig_data_done\n"; + + return $context->verify_mic($sigdata, $tsig->{"mac"}, 0); +} + + +####################################################################### +# find the nameserver for the domain +# +sub find_nameserver($) +{ + my $server_name = shift; + return Net::DNS::Resolver->new( + nameservers => [$server_name], + recurse => 0, + debug => 0); +} + + +####################################################################### +# find a server name for a domain - currently uses the NS record +sub find_server_name($) +{ + my $domain = shift; + my $res = Net::DNS::Resolver->new; + my $srv_query = $res->query("$domain.", "NS"); + if (!defined($srv_query)) { + return undef; + } + my $server_name; + foreach my $rr (grep { $_->type eq 'NS' } $srv_query->answer) { + $server_name = $rr->nsdname; + } + return $server_name; +} + +####################################################################### +# +# +sub negotiate_tkey($$$$) +{ + + my $nameserver = shift; + my $domain = shift; + my $server_name = shift; + my $key_name = shift; + + my $status; + + my $context = GSSAPI::Context->new; + my $name = GSSAPI::Name->new; + + # use a principal name of dns/server@REALM + $opt_verbose && + print "Using principal dns/" . $server_name . "@" . uc($opt_realm) . "\n"; + $status = $name->import($name, "dns/" . $server_name . "@" . uc($opt_realm)); + if (! 
$status) { + print "import name: $status\n"; + return undef; + } + + my $flags = + GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | + GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | + GSS_C_INTEG_FLAG; + + + $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE, + my $cred, my $oidset, my $time); + + if (! $status) { + print "acquire_cred: $status\n"; + return undef; + } + + $opt_verbose && print "creds acquired\n"; + + # call gss_init_sec_context() + $status = $context->init($cred, $name, undef, $flags, + 0, undef, "", undef, my $tok, + undef, undef); + if (! $status) { + print "init_sec_context: $status\n"; + return undef; + } + + $opt_verbose && print "init done\n"; + + my $gss_query = Net::DNS::Packet->new("$key_name", "TKEY", "IN"); + + # note that Windows2000 uses a SPNEGO wrapping on GSSAPI data sent to the nameserver. + # I tested using the gen_negTokenTarg() call from Samba 3.0 and it does work, but + # for this utility it is better to use plain GSSAPI/krb5 data so as to reduce the + # dependence on external libraries. If we ever want to sign DNS packets using + # NTLMSSP instead of krb5 then the SPNEGO wrapper could be used + + $opt_verbose && print "calling RR new\n"; + + $a = Net::DNS::RR->new( + Name => "$key_name", + Type => "TKEY", + TTL => 0, + Class => "ANY", + mode => 3, + algorithm => $alg, + inception => time, + expiration => time + 24*60*60, + key => $tok, + other_data => "", + ); + + $gss_query->push("answer", $a); + + my $reply = $nameserver->send($gss_query); + + if (!defined($reply) || $reply->header->{'rcode'} ne 'NOERROR') { + print "failed to send TKEY\n"; + return undef; + } + + my $key2 = ($reply->answer)[0]->{"key"}; + + # call gss_init_sec_context() again. Strictly speaking + # we should loop until this stops returning CONTINUE + # but I'm a lazy bastard + $status = $context->init($cred, $name, undef, $flags, + 0, undef, $key2, undef, $tok, + undef, undef); + if (! 
$status) { + print "init_sec_context step 2: $status\n"; + return undef; + } + + if (!$opt_noverify) { + $opt_verbose && print "verifying\n"; + + # check the signature on the TKEY reply + my $rc = sig_verify($context, $reply); + if (! $rc) { + print "Failed to verify TKEY reply: $rc\n"; +# return undef; + } + + $opt_verbose && print "verifying done\n"; + } + + return $context; +} + + +####################################################################### +# MAIN +####################################################################### + +if (!$opt_realm) { + $opt_realm = $domain; +} + +# find the name of the DNS server +if (!$opt_nameserver) { + $opt_nameserver = find_server_name($domain); + if (!defined($opt_nameserver)) { + print "Failed to find a DNS server name for $domain\n"; + exit 1; + } +} +$opt_verbose && print "Using DNS server name $opt_nameserver\n"; + +# connect to the nameserver +my $nameserver = find_nameserver($opt_nameserver); +if (!defined($nameserver) || $nameserver->{'errorstring'} ne 'NOERROR') { + print "Failed to connect to nameserver for domain $domain\n"; + exit 1; +} + + +# use a long random key name +my $key_name = int(rand 10000000000000); + +# negotiate a TKEY key +my $gss_context = negotiate_tkey($nameserver, $domain, $opt_nameserver, $key_name); +if (!defined($gss_context)) { + print "Failed to negotiate a TKEY\n"; + exit 1; +} +$opt_verbose && print "Negotiated TKEY $key_name\n"; + +# construct a signed update +my $update = Net::DNS::Update->new($domain); + +$update->push("pre", yxdomain("$domain")); +if (!$opt_add) { + $update->push("update", rr_del("$host.$domain. $opt_ntype")); +} +if (!$opt_wipe) { + $update->push("update", rr_add("$host.$domain. 
$ttl $opt_ntype $target")); +} + +my $sig = Net::DNS::RR->new( + Name => $key_name, + Type => "TSIG", + TTL => 0, + Class => "ANY", + Algorithm => $alg, + Time_Signed => time, + Fudge => 36000, + Mac_Size => 0, + Mac => "", + Key => $gss_context, + Sign_Func => \&gss_sign, + Other_Len => 0, + Other_Data => "", + Error => 0, + mode => 3, + ); + +$update->push("additional", $sig); + +# send the dynamic update +my $update_reply = $nameserver->send($update); + +if (! defined($update_reply)) { + print "No reply to dynamic update\n"; + exit 1; +} + +# make sure it worked +my $result = $update_reply->header->{"rcode"}; + +($opt_verbose || $result ne 'NOERROR') && print "Update gave rcode $result\n"; + +if ($result ne 'NOERROR') { + exit 1; +} + +exit 0; diff --git a/source4/scripting/bin/rebuildextendeddn b/source4/scripting/bin/rebuildextendeddn new file mode 100755 index 0000000..d5c0ecb --- /dev/null +++ b/source4/scripting/bin/rebuildextendeddn 
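Review bot: In `negotiate_tkey`, a failed `sig_verify` of the TKEY reply only prints "Failed to verify TKEY reply" because the `return undef;` under it is commented out, so the dynamic update proceeds with a context whose server reply was never authenticated and the `--noverify` switch is effectively always on; restore `return undef;` in that branch and drop the commented line. The `Net::DNS::RR->new` result is assigned to `$a`, a package global that is also Perl's sort variable (and exempt from `use strict`), so it should be `my $tkey_rr = Net::DNS::RR->new(` with the later `push` updated. `FileSave` uses the two-argument `open(FILE, ">$filename")`; the three-argument form `open(my $fh, '>', $filename)` keeps a filename from being read as a mode.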
@@ -0,0 +1,135 @@ +#!/usr/bin/env python3 +# +# Unix SMB/CIFS implementation. +# Extended attributes (re)building +# Copyright (C) Matthieu Patou <mat@matws.net> 2009 +# +# Based on provision a Samba4 server by +# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008 +# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +import optparse +import os +import sys +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + +import samba +from samba.credentials import DONT_USE_KERBEROS +from samba.auth import system_session +from samba import Ldb +from ldb import SCOPE_SUBTREE, SCOPE_BASE +import ldb +import samba.getopt as options +from samba import param +from samba.provision import ProvisionNames, provision_paths_from_lp +from samba.schema import get_dnsyntax_attributes, get_linked_attributes + +parser = optparse.OptionParser("rebuildextendeddn [options]") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +parser.add_option("--targetdir", type="string", metavar="DIR", + help="Set target directory") + +opts = parser.parse_args()[0] + +def message(text): + """print a message if quiet is not set.""" + if not opts.quiet: + 
print(text) + +if len(sys.argv) == 1: + opts.interactive = True + +lp = sambaopts.get_loadparm() +smbconf = lp.configfile + +creds = credopts.get_credentials(lp) + +creds.set_kerberos_state(DONT_USE_KERBEROS) + +session = system_session() + + +def get_paths(targetdir=None,smbconf=None): + if targetdir is not None: + if (not os.path.exists(os.path.join(targetdir, "etc"))): + os.makedirs(os.path.join(targetdir, "etc")) + smbconf = os.path.join(targetdir, "etc", "smb.conf") + if smbconf is None: + smbconf = param.default_path() + + if not os.path.exists(smbconf): + print("Unable to find smb.conf .. "+smbconf, file=sys.stderr) + parser.print_usage() + sys.exit(1) + + lp = param.LoadParm() + lp.load(smbconf) + paths = provision_paths_from_lp(lp,"foo") + return paths + + + +def rebuild_en_dn(credentials,session_info,paths): + lp = param.LoadParm() + lp.load(paths.smbconf) + names = ProvisionNames() + names.domain = lp.get("workgroup") + names.realm = lp.get("realm") + names.rootdn = "DC=" + names.realm.replace(".",",DC=") + + attrs = ["dn" ] + dn = "" + sam_ldb = Ldb(paths.samdb, session_info=session_info, credentials=credentials,lp=lp) + attrs2 = ["schemaNamingContext"] + res2 = sam_ldb.search(expression="(objectClass=*)",base="", scope=SCOPE_BASE, attrs=attrs2) + attrs.extend(get_linked_attributes(ldb.Dn(sam_ldb,str(res2[0]["schemaNamingContext"])),sam_ldb).keys()) + attrs.extend(get_dnsyntax_attributes(ldb.Dn(sam_ldb,str(res2[0]["schemaNamingContext"])),sam_ldb)) + sam_ldb.transaction_start() + res = sam_ldb.search(expression="(cn=*)", scope=SCOPE_SUBTREE, attrs=attrs,controls=["search_options:1:2"]) + mod = "" + for i in range (0,len(res)): + #print >>sys.stderr,res[i].dn + dn = res[i].dn + for att in res[i]: + if ( (att != "dn" and att != "cn") and not (res[i][att] is None) ): + m = ldb.Message() + m.dn = ldb.Dn(sam_ldb, str(dn)) + saveatt = [] + for j in range (0,len( res[i][att])): + mod = mod +att +": "+str(res[i][att][j])+"\n" + 
saveatt.append(str(res[i][att][j])) + m[att] = ldb.MessageElement(saveatt, ldb.FLAG_MOD_REPLACE, att) + sam_ldb.modify(m) + res3 = sam_ldb.search(expression="(&(distinguishedName=%s)(%s=*))"%(dn,att),scope=SCOPE_SUBTREE, attrs=[att],controls=["search_options:1:2"]) + if( len(res3) == 0 or (len(res3[0][att])!= len(saveatt))): + print(str(dn) + " has no attr " +att+ " or a wrong value", + file=sys.stderr) + for satt in saveatt: + print("%s = %s" % (att, satt), + file=sys.stderr) + sam_ldb.transaction_cancel() + sam_ldb.transaction_commit() + + +paths = get_paths(targetdir=opts.targetdir, smbconf=smbconf) + +rebuild_en_dn(creds,session,paths) + diff --git a/source4/scripting/bin/renamedc b/source4/scripting/bin/renamedc new file mode 100755 index 0000000..e5e8a2c --- /dev/null +++ b/source4/scripting/bin/renamedc 
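Review bot: In `rebuild_en_dn`, when the read-back check fails the code calls `sam_ldb.transaction_cancel()` but neither breaks out of the loop nor returns, so later iterations call `modify` with no transaction open and the function still ends with `sam_ldb.transaction_commit()` on the cancelled transaction; a `return` (or `sys.exit(1)`) directly after the cancel is needed. `message()` reads `opts.quiet`, but no `--quiet` option is declared, so any call to it raises AttributeError; either add `parser.add_option("--quiet", action="store_true")` or remove the function. The `for i in range(0, len(res))` loops would read better as `for entry in res:`, and `opts.interactive` is assigned but never used.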
@@ -0,0 +1,191 @@ +#!/usr/bin/env python3 +# vim: expandtab +# +# Copyright (C) Matthieu Patou <mat@matws.net> 2011 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +import optparse +import sys +# Allow to run from s4 source directory (without installing samba) +sys.path.insert(0, "bin/python") + +import ldb +import samba +import samba.getopt as options +import os + +from samba.credentials import DONT_USE_KERBEROS +from samba.auth import system_session +from samba import param +from samba.provision import find_provision_key_parameters, secretsdb_self_join +from samba.upgradehelpers import get_ldbs, get_paths + + +__docformat__ = "restructuredText" + +parser = optparse.OptionParser("renamedc [options]") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +parser.add_option("--oldname", + help="Old DC name") +parser.add_option("--newname", + help="New DC name") + +opts = parser.parse_args()[0] + +if len(sys.argv) == 1: + opts.interactive = True +lp = sambaopts.get_loadparm() +smbconf = lp.configfile + +creds = credopts.get_credentials(lp) +creds.set_kerberos_state(DONT_USE_KERBEROS) + + +if __name__ == '__main__': + defSDmodified = False + # 1) First get files paths + paths = get_paths(param, smbconf=smbconf) + # 
Get ldbs with the system session, it is needed for searching + # provision parameters + session = system_session() + + ldbs = get_ldbs(paths, creds, session, lp) + ldbs.sam.transaction_start() + ldbs.secrets.transaction_start() + + if opts.oldname is None or opts.newname is None: + raise Exception("Option oldname or newname is missing") + res = ldbs.sam.search(expression="(&(name=%s)(serverReferenceBL=*))" % opts.oldname) + if len(res) != 1: + raise Exception("Wrong number of result returned (%d), are you sure of the old name %s" % + (len(res), opts.oldname)) + + # Ok got it then check that the new name is not used as well + res2 = ldbs.sam.search(expression="(&(name=%s)(objectclass=computer))" % opts.newname) + if len(res2) != 0: + raise Exception("Seems that %s is a name that already exists, pick another one" % + opts.newname) + + names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap, + paths, smbconf, lp) + + # First rename the entry + # provision put the name in upper case so let's do it too ! 
+ newdn = ldb.Dn(ldbs.sam, str(res[0].dn)) + newdn.set_component(0, "cn", opts.newname.upper()) + ldbs.sam.rename(res[0].dn, newdn) + + # Then change password and samaccountname and dnshostname + msg = ldb.Message(newdn) + machinepass = samba.generate_random_machine_password(120, 120) + mputf16 = machinepass.encode('utf-16-le') + + account = "%s$" % opts.newname.upper() + msg["clearTextPassword"] = ldb.MessageElement(mputf16, + ldb.FLAG_MOD_REPLACE, + "clearTextPassword") + + msg["sAMAccountName"] = ldb.MessageElement(account, + ldb.FLAG_MOD_REPLACE, + "sAMAccountName") + + msg["dNSHostName"] = ldb.MessageElement("%s.%s" % (opts.newname, + names.dnsdomain), + ldb.FLAG_MOD_REPLACE, + "dNSHostName") + ldbs.sam.modify(msg) + + # Do a self join one more time to resync the secrets file + res = ldbs.sam.search(base=newdn, scope=ldb.SCOPE_BASE, + attrs=["msDs-keyVersionNumber", "serverReferenceBL"]) + assert(len(res) == 1) + kvno = int(str(res[0]["msDs-keyVersionNumber"])) + serverbldn = ldb.Dn(ldbs.sam, str(res[0]["serverReferenceBL"])) + + secrets_msg = ldbs.secrets.search(expression="sAMAccountName=%s$" % + opts.oldname.upper(), + attrs=["secureChannelType"]) + + secChanType = int(secrets_msg[0]["secureChannelType"][0]) + + secretsdb_self_join(ldbs.secrets, domain=names.domain, + realm=names.realm, + domainsid=names.domainsid, + dnsdomain=names.dnsdomain, + netbiosname=opts.newname.upper(), + machinepass=machinepass, + key_version_number=kvno, + secure_channel_type=secChanType) + + # Update RID set reference so we don't have to runtime fixup until the next dbcheck as there is no back link. 
+ + res = ldbs.sam.search(expression="(objectClass=rIDSet)", base=newdn, scope=ldb.SCOPE_ONELEVEL, attrs=[]) + assert(len(res) == 1) + newridset = str(res[0].dn) + msg = ldb.Message(newdn) + + msg["rIDSetReferences"] = ldb.MessageElement(newridset, + ldb.FLAG_MOD_REPLACE, + "rIDSetReferences") + ldbs.sam.modify(msg) + + # Update the server's sites configuration + newserverrefdn = ldb.Dn(ldbs.sam, str(serverbldn)) + newserverrefdn.set_component(0, "cn", opts.newname.upper()) + + ldbs.sam.rename(serverbldn, newserverrefdn) + + msg = ldb.Message(newserverrefdn) + msg["dNSHostName"] = ldb.MessageElement("%s.%s" % (opts.newname, + names.dnsdomain), + ldb.FLAG_MOD_REPLACE, + "dNSHostName") + ldbs.sam.modify(msg) + + try: + ldbs.sam.transaction_prepare_commit() + ldbs.secrets.transaction_prepare_commit() + except Exception: + ldbs.sam.rollback() + ldbs.secrets.rollback() + raise + + try: + ldbs.sam.transaction_commit() + ldbs.secrets.transaction_commit() + except Exception: + ldbs.sam.rollback() + ldbs.secrets.rollback() + raise + + # All good so far + #print lp.get("private dir") + cf = open(lp.configfile) + ncfname = "%s.new" % lp.configfile + newconf = open(ncfname, 'w') + for l in cf.readlines(): + if l.find("netbios name") > 0: + newconf.write("\tnetbios name = %s\n" % opts.newname.upper()) + else: + newconf.write(l) + newconf.close() + cf.close() + os.rename(ncfname, lp.configfile) + diff --git a/source4/scripting/bin/samba-gpupdate b/source4/scripting/bin/samba-gpupdate new file mode 100755 index 0000000..4b3f057 --- /dev/null +++ b/source4/scripting/bin/samba-gpupdate 
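Review bot: The smb.conf rewrite at the end tests `l.find("netbios name") > 0`, which misses a `netbios name` line that starts at column 0 because `find` returns 0 there, leaving the old name in the configuration after the directory objects were already renamed; use `if "netbios name" in l:`. `opts.oldname` and `opts.newname` are interpolated into LDAP filters with `%` without escaping, so a value containing `(`, `)` or `*` changes the filter rather than being matched literally; wrapping them with `ldb.binary_encode()` keeps them literal. The rollback paths call `ldbs.sam.rollback()` and `ldbs.secrets.rollback()`, which does not match the `transaction_cancel()` name used elsewhere in this commit; if the Ldb wrapper does not expose `rollback`, the failure path raises AttributeError instead of cancelling. The new config is created with `open(ncfname, 'w')` under the default umask and then renamed over the original, so the original file's mode is not preserved; copying the mode before the `os.rename` would keep it.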
@@ -0,0 +1,138 @@ +#!/usr/bin/env python3 +# Copyright Luke Morrison <luc785@.hotmail.com> July 2013 +# Co-Edited by Matthieu Pattou July 2013 from original August 2013 +# Edited by Garming Sam Feb. 2014 +# Edited by Luke Morrison April 2014 +# Edited by David Mulder May 2017 + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +'''This script reads a log file of previous GPO, gets all GPO from sysvol +and sorts them by container. 
Then, it applies the ones that haven't been +applied, have changed, or is in the right container''' + +import os +import sys + +sys.path.insert(0, "bin/python") + +import optparse +from samba import getopt as options +from samba.gp.gpclass import apply_gp, unapply_gp, GPOStorage, rsop +from samba.gp.gp_sec_ext import gp_krb_ext, gp_access_ext +from samba.gp.gp_ext_loader import get_gp_client_side_extensions +from samba.gp.gp_scripts_ext import gp_scripts_ext, gp_user_scripts_ext +from samba.gp.gp_sudoers_ext import gp_sudoers_ext +from samba.gp.vgp_sudoers_ext import vgp_sudoers_ext +from samba.gp.gp_smb_conf_ext import gp_smb_conf_ext +from samba.gp.gp_msgs_ext import gp_msgs_ext +from samba.gp.vgp_symlink_ext import vgp_symlink_ext +from samba.gp.vgp_files_ext import vgp_files_ext +from samba.gp.vgp_openssh_ext import vgp_openssh_ext +from samba.gp.vgp_motd_ext import vgp_motd_ext +from samba.gp.vgp_issue_ext import vgp_issue_ext +from samba.gp.vgp_startup_scripts_ext import vgp_startup_scripts_ext +from samba.gp.vgp_access_ext import vgp_access_ext +from samba.gp.gp_gnome_settings_ext import gp_gnome_settings_ext +from samba.gp.gp_cert_auto_enroll_ext import gp_cert_auto_enroll_ext +from samba.gp.gp_firefox_ext import gp_firefox_ext +from samba.gp.gp_chromium_ext import gp_chromium_ext, gp_chrome_ext +from samba.gp.gp_firewalld_ext import gp_firewalld_ext +from samba.gp.gp_centrify_sudoers_ext import gp_centrify_sudoers_ext +from samba.gp.gp_centrify_crontab_ext import gp_centrify_crontab_ext, \ + gp_user_centrify_crontab_ext +from samba.credentials import Credentials +from samba.gp.util.logging import logger_init + +if __name__ == "__main__": + parser = optparse.OptionParser('samba-gpupdate [options]') + sambaopts = options.Samba3Options(parser) + + # Get the command line options + parser.add_option_group(sambaopts) + parser.add_option_group(options.VersionOptions(parser)) + credopts = options.CredentialsOptions(parser) + parser.add_option('-X', '--unapply', 
help='Unapply Group Policy', + action='store_true') + parser.add_option('--target', default='Computer', help='{Computer | User}', + choices=['Computer', 'User']) + parser.add_option('--force', help='Reapplies all policy settings', + action='store_true') + parser.add_option('--rsop', help='Print the Resultant Set of Policy', + action='store_true') + parser.add_option_group(credopts) + + # Set the options and the arguments + (opts, args) = parser.parse_args() + + # Set the loadparm context + lp = sambaopts.get_loadparm() + + creds = credopts.get_credentials(lp, fallback_machine=True) + # Apply policy to the command line specified user + if opts.target == 'Computer': + username = creds.get_username() + elif opts.target == 'User': + username = '%s\\%s' % (creds.get_domain(), creds.get_username()) + # Always supply the machine creds for fetching the gpo list + creds = Credentials() + creds.guess(lp) + creds.set_machine_account(lp) + + # Set up logging + logger_init('samba-gpupdate', lp.log_level()) + + cache_dir = lp.get('cache directory') + store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) + + machine_exts, user_exts = get_gp_client_side_extensions(lp.configfile) + gp_extensions = [] + if opts.target == 'Computer': + gp_extensions.append(gp_access_ext) + gp_extensions.append(gp_krb_ext) + gp_extensions.append(gp_scripts_ext) + gp_extensions.append(gp_sudoers_ext) + gp_extensions.append(vgp_sudoers_ext) + gp_extensions.append(gp_centrify_sudoers_ext) + gp_extensions.append(gp_centrify_crontab_ext) + gp_extensions.append(gp_smb_conf_ext) + gp_extensions.append(gp_msgs_ext) + gp_extensions.append(vgp_symlink_ext) + gp_extensions.append(vgp_files_ext) + gp_extensions.append(vgp_openssh_ext) + gp_extensions.append(vgp_motd_ext) + gp_extensions.append(vgp_issue_ext) + gp_extensions.append(vgp_startup_scripts_ext) + gp_extensions.append(vgp_access_ext) + gp_extensions.append(gp_gnome_settings_ext) + gp_extensions.append(gp_cert_auto_enroll_ext) + 
gp_extensions.append(gp_firefox_ext) + gp_extensions.append(gp_chromium_ext) + gp_extensions.append(gp_chrome_ext) + gp_extensions.append(gp_firewalld_ext) + gp_extensions.extend(machine_exts) + elif opts.target == 'User': + gp_extensions.append(gp_user_scripts_ext) + gp_extensions.append(gp_user_centrify_crontab_ext) + gp_extensions.extend(user_exts) + + if opts.rsop: + rsop(lp, creds, store, gp_extensions, username, opts.target) + elif not opts.unapply: + apply_gp(lp, creds, store, gp_extensions, username, + opts.target, opts.force) + else: + unapply_gp(lp, creds, store, gp_extensions, username, + opts.target) + diff --git a/source4/scripting/bin/samba-tool b/source4/scripting/bin/samba-tool new file mode 100755 index 0000000..f8a70a6 --- /dev/null +++ b/source4/scripting/bin/samba-tool 
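Review bot: The positional `args` returned by `parser.parse_args()` is never inspected, so a stray argument (for example a target name typed without `--target`) is silently ignored instead of being reported; add `if args: parser.error('unexpected positional arguments: %s' % ' '.join(args))` directly after the `parse_args()` call. With `--target User` and no `-U`, `fallback_machine=True` presumably makes `creds.get_username()` return the machine account, so `username` would name the machine rather than a user; if that is intended it deserves a comment on the `elif opts.target == 'User'` branch. As a matter of style, the long run of `gp_extensions.append(...)` calls for the Computer target would read more easily as one list literal followed by `gp_extensions.extend(machine_exts)`.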
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+
+# Unix SMB/CIFS implementation.
+# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2008-2012
+# Copyright (C) Amitay Isaacs <amitay@gmail.com> 2011
+# Copyright (C) Giampaolo Lauria <lauria2@yahoo.com> 2011
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+
+# Find right direction when running from source tree
+sys.path.insert(0, "bin/python")
+
+# make sure the script dies immediately when hitting control-C,
+# rather than raising KeyboardInterrupt. As we do all database
+# operations using transactions, this is safe.
+import signal
+signal.signal(signal.SIGINT, signal.SIG_DFL)
+
+from samba.netcmd.main import cmd_sambatool
+cmd = cmd_sambatool()
+subcommand = None
+args = ()
+
+if len(sys.argv) > 1:
+ subcommand = sys.argv[1]
+ if len(sys.argv) > 2:
+ args = sys.argv[2:]
+
+try:
+ retval = cmd._run("samba-tool", subcommand, *args)
+except SystemExit as e:
+ retval = e.code
+except Exception as e:
+ cmd.show_command_error(e)
+ retval = 1
+sys.exit(retval)
diff --git a/source4/scripting/bin/samba3dump b/source4/scripting/bin/samba3dump
new file mode 100755
index 0000000..1a5d74f
--- /dev/null
+++ b/source4/scripting/bin/samba3dump
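Review bot: The script calls `cmd._run(...)`, an underscore-prefixed method of `cmd_sambatool`, from outside the class, so a rename of that private entry point would break the installed command with no deprecation path; a comment such as `# _run(prog, subcommand, *args) is the Command dispatch entry shared by the samba-tool front ends` next to the call would at least record that the coupling is intentional. The `except SystemExit` branch passes `e.code` straight to `sys.exit`, which accepts `None`, `int` and `str`, so no change is needed there. `args` starts as a tuple and becomes a list from the `sys.argv[2:]` slice; both unpack fine with `*args`, but `args = []` would keep the type consistent.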
@@ -0,0 +1,180 @@ +#!/usr/bin/env python3 +# +# Dump Samba3 data +# Copyright Jelmer Vernooij 2005-2007 +# Released under the GNU GPL v3 or later +# + +import optparse +import os, sys + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + +import samba +import samba.samba3 +from samba.samba3 import param as s3param +from samba.dcerpc import lsa + +parser = optparse.OptionParser("samba3dump <libdir> [<smb.conf>]") +parser.add_option("--format", type="choice", metavar="FORMAT", + choices=["full", "summary"]) + +opts, args = parser.parse_args() + +if opts.format is None: + opts.format = "summary" + +def print_header(txt): + print("\n%s" % txt) + print("=" * len(txt)) + +def print_samba3_policy(pol): + print_header("Account Policies") + print("Min password length: %d" % pol['min password length']) + print("Password history length: %d" % pol['password history']) + if pol['user must logon to change password']: + print("User must logon to change password: %d" % pol['user must logon to change password']) + if pol['maximum password age']: + print("Maximum password age: %d" % pol['maximum password age']) + if pol['minimum password age']: + print("Minimum password age: %d" % pol['minimum password age']) + if pol['lockout duration']: + print("Lockout duration: %d" % pol['lockout duration']) + if pol['reset count minutes']: + print("Reset Count Minutes: %d" % pol['reset count minutes']) + if pol['bad lockout attempt']: + print("Bad Lockout Minutes: %d" % pol['bad lockout attempt']) + if pol['disconnect time']: + print("Disconnect Time: %d" % pol['disconnect time']) + if pol['refuse machine password change']: + print("Refuse Machine Password Change: %d" % pol['refuse machine password change']) + +def print_samba3_sam(samdb): + print_header("SAM Database") + for user in samdb.search_users(0): + print("%s (%d): %s" % (user['account_name'], user['rid'], user['fullname'])) + +def print_samba3_shares(lp): + print_header("Configured shares") + for 
s in lp.services(): + print("--- %s ---" % s) + for p in ['path']: + print("\t%s = %s" % (p, lp.get(p, s))) + print("") + +def print_samba3_secrets(secrets): + print_header("Secrets") + + if secrets.get_auth_user(): + print("IPC Credentials:") + if secrets.get_auth_user(): + print(" User: %s\n" % secrets.get_auth_user()) + if secrets.get_auth_password(): + print(" Password: %s\n" % secrets.get_auth_password()) + if secrets.get_auth_domain(): + print(" Domain: %s\n" % secrets.get_auth_domain()) + + if len(list(secrets.ldap_dns())) > 0: + print("LDAP passwords:") + for dn in secrets.ldap_dns(): + print("\t%s -> %s" % (dn, secrets.get_ldap_bind_pw(dn))) + print("") + + print("Domains:") + for domain in secrets.domains(): + print("\t--- %s ---" % domain) + print("\tSID: %s" % secrets.get_sid(domain)) + print("\tGUID: %s" % secrets.get_domain_guid(domain)) + print("\tPlaintext pwd: %s" % secrets.get_machine_password(domain)) + if secrets.get_machine_last_change_time(domain): + print("\tLast Changed: %lu" % secrets.get_machine_last_change_time(domain)) + if secrets.get_machine_sec_channel_type(domain): + print("\tSecure Channel Type: %d\n" % secrets.get_machine_sec_channel_type(domain)) + + print("Trusted domains:") + for td in secrets.trusted_domains(): + print(td) + +def print_samba3_regdb(regdb): + print_header("Registry") + from samba.registry import str_regtype + + for k in regdb.keys(): + print("[%s]" % k) + for (value_name, (type, value)) in regdb.values(k).items(): + print("\"%s\"=%s:%s" % (value_name, str_regtype(type), value)) + +def print_samba3_winsdb(winsdb): + print_header("WINS Database") + + for name in winsdb: + (ttl, ips, nb_flags) = winsdb[name] + print("%s, nb_flags: %s, ttl: %lu, %d ips, fst: %s" % (name, nb_flags, ttl, len(ips), ips[0])) + +def print_samba3_groupmappings(groupdb): + print_header("Group Mappings") + + for g in groupdb.enum_group_mapping(samba.samba3.passdb.get_global_sam_sid(), + lsa.SID_NAME_DOM_GRP): + print("\t--- Group: %s ---" % 
g.sid) + +def print_samba3_aliases(groupdb): + for g in groupdb.enum_group_mapping(samba.samba3.passdb.get_global_sam_sid(), + lsa.SID_NAME_ALIAS): + print("\t--- Alias: %s ---" % g.sid) + +def print_samba3_idmapdb(idmapdb): + print_header("Winbindd SID<->GID/UID mappings") + + print("User High Water Mark: %d" % idmapdb.get_user_hwm()) + print("Group High Water Mark: %d\n" % idmapdb.get_group_hwm()) + + for uid in idmapdb.uids(): + print("%s -> UID %d" % (idmapdb.get_user_sid(uid), uid)) + + for gid in idmapdb.gids(): + print("%s -> GID %d" % (idmapdb.get_group_sid(gid), gid)) + +def print_samba3(samba3): + passdb = samba3.get_sam_db() + print_samba3_policy(passdb.get_account_policy()) + print_samba3_winsdb(samba3.get_wins_db()) + print_samba3_regdb(samba3.get_registry()) + print_samba3_secrets(samba3.get_secrets_db()) + print_samba3_idmapdb(samba3.get_idmap_db()) + print_samba3_sam(passdb) + print_samba3_groupmappings(passdb) + print_samba3_aliases(passdb) + print_samba3_shares(samba3.lp) + +def print_samba3_summary(samba3): + print("WINS db entries: %d" % len(samba3.get_wins_db())) + print("Registry key count: %d" % len(samba3.get_registry())) + passdb = samba3.get_sam_db() + print("Groupmap count: %d" % len(passdb.enum_group_mapping())) + print("Alias count: %d" % len(passdb.search_aliases())) + idmapdb = samba3.get_idmap_db() + print("Idmap count: %d" % (len(list(idmapdb.uids())) + len(list(idmapdb.gids())))) + +if len(args) < 1: + parser.print_help() + sys.exit(1) + +libdir = args[0] +if len(args) < 1: + smbconf = args[1] +else: + smbconf = os.path.join(libdir, "smb.conf") + +s3_lp = s3param.get_context() +s3_lp.set("private dir", libdir) +s3_lp.set("state directory", libdir) +s3_lp.set("lock directory", libdir) +s3_lp.load(smbconf) +samba3 = samba.samba3.Samba3(smbconf, s3_lp) + +if opts.format == "summary": + print_samba3_summary(samba3) +elif opts.format == "full": + print_samba3(samba3) 
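Review bot: An explicit `<smb.conf>` argument can never take effect: after the `len(args) < 1` guard has already exited, the second check `if len(args) < 1: smbconf = args[1]` is always false, so `<libdir>/smb.conf` is loaded regardless; it should read `if len(args) > 1:`. The `--format` option would be clearer with `default="summary"` on `add_option` instead of patching `opts.format` after parsing. `print_samba3_secrets` writes the IPC password, every LDAP bind password and each domain's plaintext machine password to stdout in `full` mode, which the usage string does not mention; a comment such as `# --format full prints plaintext secrets; do not redirect into shared or world-readable logs` above the parser would make that visible to operators. In `print_samba3_regdb` the loop variable `type` shadows the builtin; `rtype` would avoid that.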
diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate
new file mode 100755
index 0000000..1ce53f5
--- /dev/null
+++ b/source4/scripting/bin/samba_dnsupdate
@@ -0,0 +1,960 @@ +#!/usr/bin/env python3 +# vim: expandtab +# +# update our DNS names using TSIG-GSS +# +# Copyright (C) Andrew Tridgell 2010 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +import os +import fcntl +import sys +import tempfile +import subprocess + +# ensure we get messages out immediately, so they get in the samba logs, +# and don't get swallowed by a timeout +os.environ['PYTHONUNBUFFERED'] = '1' + +# forcing GMT avoids a problem in some timezones with kerberos. Both MIT +# heimdal can get mutual authentication errors due to the 24 second difference +# between UTC and GMT when using some zone files (eg. 
the PDT zone from +# the US) +os.environ["TZ"] = "GMT" + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + +import samba +import optparse +from samba import getopt as options +from ldb import SCOPE_BASE +from samba import dsdb +from samba.auth import system_session +from samba.samdb import SamDB +from samba.dcerpc import netlogon, winbind +from samba.netcmd.dns import cmd_dns +from samba import gensec +from samba.kcc import kcc_utils +from samba.common import get_string +import ldb + +from samba.dnsresolver import DNSResolver +import dns.resolver +import dns.exception + +default_ttl = 900 +am_rodc = False +error_count = 0 + +parser = optparse.OptionParser("samba_dnsupdate [options]") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +parser.add_option("--verbose", action="store_true") +parser.add_option("--use-samba-tool", action="store_true", help="Use samba-tool to make updates over RPC, rather than over DNS") +parser.add_option("--use-nsupdate", action="store_true", help="Use nsupdate command to make updates over DNS (default, if kinit successful)") +parser.add_option("--all-names", action="store_true") +parser.add_option("--all-interfaces", action="store_true") +parser.add_option("--current-ip", action="append", help="IP address to update DNS to match (helpful if behind NAT, valid multiple times, defaults to values from interfaces=)") +parser.add_option("--rpc-server-ip", type="string", help="IP address of server to use with samba-tool (defaults to first --current-ip)") +parser.add_option("--use-file", type="string", help="Use a file, rather than real DNS calls") +parser.add_option("--update-list", type="string", help="Add DNS names from the given file") +parser.add_option("--update-cache", type="string", help="Cache database of already registered records") +parser.add_option("--fail-immediately", action='store_true', help="Exit on first 
failure") +parser.add_option("--no-credentials", dest='nocreds', action='store_true', help="don't try and get credentials") +parser.add_option("--no-substitutions", dest='nosubs', action='store_true', help="don't try and expands variables in file specified by --update-list") + +creds = None +ccachename = None + +opts, args = parser.parse_args() + +if len(args) != 0: + parser.print_usage() + sys.exit(1) + +lp = sambaopts.get_loadparm() + +domain = lp.get("realm") +host = lp.get("netbios name") +all_interfaces = opts.all_interfaces + +IPs = opts.current_ip or samba.interface_ips(lp, bool(all_interfaces)) or [] + +nsupdate_cmd = lp.get('nsupdate command') +dns_zone_scavenging = lp.get("dns zone scavenging") + +if len(IPs) == 0: + print("No IP interfaces - skipping DNS updates\n") + parser.print_usage() + sys.exit(0) + +rpc_server_ip = opts.rpc_server_ip or IPs[0] + +IP6s = [ip for ip in IPs if ':' in ip] +IP4s = [ip for ip in IPs if ':' not in ip] + +smb_conf = sambaopts.get_loadparm_path() + +if opts.verbose: + print("IPs: %s" % IPs) + +def get_possible_rw_dns_server(creds, domain): + """Get a list of possible read-write DNS servers, starting with + the SOA. The SOA is the correct answer, but old Samba domains + (4.6 and prior) do not maintain this value, so add NS servers + as well""" + + ans_soa = check_one_dns_name(domain, 'SOA') + # Actually there is only one + hosts_soa = [str(a.mname).rstrip('.') for a in ans_soa] + + # This is not strictly legit, but old Samba domains may have an + # unmaintained SOA record, so go for any NS that we can get a + # ticket to. + ans_ns = check_one_dns_name(domain, 'NS') + # Actually there is only one + hosts_ns = [str(a.target).rstrip('.') for a in ans_ns] + + return hosts_soa + hosts_ns + +def get_krb5_rw_dns_server(creds, domain): + """Get a list of read-write DNS servers that we can obtain a ticket + for, starting with the SOA. 
The SOA is the correct answer, but + old Samba domains (4.6 and prior) do not maintain this value, + so continue with the NS servers as well until we get one that + the KDC will issue a ticket to. + """ + + rw_dns_servers = get_possible_rw_dns_server(creds, domain) + # Actually there is only one + for i, target_hostname in enumerate(rw_dns_servers): + settings = {} + settings["lp_ctx"] = lp + settings["target_hostname"] = target_hostname + + gensec_client = gensec.Security.start_client(settings) + gensec_client.set_credentials(creds) + gensec_client.set_target_service("DNS") + gensec_client.set_target_hostname(target_hostname) + gensec_client.want_feature(gensec.FEATURE_SEAL) + gensec_client.start_mech_by_sasl_name("GSSAPI") + server_to_client = b"" + try: + (client_finished, client_to_server) = gensec_client.update(server_to_client) + if opts.verbose: + print("Successfully obtained Kerberos ticket to DNS/%s as %s" \ + % (target_hostname, creds.get_username())) + return target_hostname + except RuntimeError: + # Only raise an exception if they all failed + if i == len(rw_dns_servers) - 1: + raise + +def get_credentials(lp): + """# get credentials if we haven't got them already.""" + from samba import credentials + global ccachename + creds = credentials.Credentials() + creds.guess(lp) + creds.set_machine_account(lp) + creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE) + (tmp_fd, ccachename) = tempfile.mkstemp() + try: + if opts.use_file is not None: + return + + creds.get_named_ccache(lp, ccachename) + + # Now confirm we can get a ticket to the DNS server + get_krb5_rw_dns_server(creds, sub_vars['DNSDOMAIN'] + '.') + return creds + + except RuntimeError as e: + os.unlink(ccachename) + raise e + + +class dnsobj(object): + """an object to hold a parsed DNS line""" + + def __init__(self, string_form): + list = string_form.split() + if len(list) < 3: + raise Exception("Invalid DNS entry %r" % string_form) + self.dest = None + self.port = None + self.ip = None + 
self.existing_port = None + self.existing_weight = None + self.existing_cname_target = None + self.rpc = False + self.zone = None + if list[0] == "RPC": + self.rpc = True + self.zone = list[1] + list = list[2:] + self.type = list[0] + self.name = list[1] + self.nameservers = [] + if self.type == 'SRV': + if len(list) < 4: + raise Exception("Invalid DNS entry %r" % string_form) + self.dest = list[2] + self.port = list[3] + elif self.type in ['A', 'AAAA']: + self.ip = list[2] # usually $IP, which gets replaced + elif self.type == 'CNAME': + self.dest = list[2] + elif self.type == 'NS': + self.dest = list[2] + else: + raise Exception("Received unexpected DNS reply of type %s: %s" % (self.type, string_form)) + + def __str__(self): + if self.type == "A": + return "%s %s %s" % (self.type, self.name, self.ip) + if self.type == "AAAA": + return "%s %s %s" % (self.type, self.name, self.ip) + if self.type == "SRV": + return "%s %s %s %s" % (self.type, self.name, self.dest, self.port) + if self.type == "CNAME": + return "%s %s %s" % (self.type, self.name, self.dest) + if self.type == "NS": + return "%s %s %s" % (self.type, self.name, self.dest) + + +def parse_dns_line(line, sub_vars): + """parse a DNS line from.""" + if line.startswith("SRV _ldap._tcp.pdc._msdcs.") and not samdb.am_pdc(): + # We keep this as compat to the dns_update_list of 4.0/4.1 + if opts.verbose: + print("Skipping PDC entry (%s) as we are not a PDC" % line) + return None + subline = samba.substitute_var(line, sub_vars) + if subline == '' or subline[0] == "#": + return None + return dnsobj(subline) + + +def hostname_match(h1, h2): + """see if two hostnames match.""" + h1 = str(h1) + h2 = str(h2) + return h1.lower().rstrip('.') == h2.lower().rstrip('.') + +def get_resolver(d=None): + resolv_conf = os.getenv('RESOLV_CONF', default='/etc/resolv.conf') + resolver = DNSResolver(filename=resolv_conf, configure=True) + + if d is not None and d.nameservers != []: + resolver.nameservers = d.nameservers + + return 
resolver + +def check_one_dns_name(name, name_type, d=None): + resolver = get_resolver(d) + if d and not d.nameservers: + d.nameservers = resolver.nameservers + # dns.resolver.Answer + return resolver.resolve(name, name_type) + +def check_dns_name(d): + """check that a DNS entry exists.""" + normalised_name = d.name.rstrip('.') + '.' + if opts.verbose: + print("Looking for DNS entry %s as %s" % (d, normalised_name)) + + if opts.use_file is not None: + try: + dns_file = open(opts.use_file, "r") + except IOError: + return False + + for line in dns_file: + line = line.strip() + if line == '' or line[0] == "#": + continue + if line.lower() == str(d).lower(): + return True + return False + + try: + ans = check_one_dns_name(normalised_name, d.type, d) + except dns.exception.Timeout: + raise Exception("Timeout while waiting to contact a working DNS server while looking for %s as %s" % (d, normalised_name)) + except dns.resolver.NoNameservers: + raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name)) + except dns.resolver.NXDOMAIN: + if opts.verbose: + print("The DNS entry %s, queried as %s does not exist" % (d, normalised_name)) + return False + except dns.resolver.NoAnswer: + if opts.verbose: + print("The DNS entry %s, queried as %s does not hold this record type" % (d, normalised_name)) + return False + except dns.exception.DNSException: + raise Exception("Failure while trying to resolve %s as %s" % (d, normalised_name)) + if d.type in ['A', 'AAAA']: + # we need to be sure that our IP is there + for rdata in ans: + if str(rdata) == str(d.ip): + return True + elif d.type == 'CNAME': + for i in range(len(ans)): + if hostname_match(ans[i].target, d.dest): + return True + else: + d.existing_cname_target = str(ans[i].target) + elif d.type == 'NS': + for i in range(len(ans)): + if hostname_match(ans[i].target, d.dest): + return True + elif d.type == 'SRV': + for rdata in ans: + if opts.verbose: + print("Checking %s against 
%s" % (rdata, d)) + if hostname_match(rdata.target, d.dest): + if str(rdata.port) == str(d.port): + return True + else: + d.existing_port = str(rdata.port) + d.existing_weight = str(rdata.weight) + + if opts.verbose: + print("Lookup of %s succeeded, but we failed to find a matching DNS entry for %s" % (normalised_name, d)) + + return False + + +def get_subst_vars(samdb): + """get the list of substitution vars.""" + global lp, am_rodc + vars = {} + + vars['DNSDOMAIN'] = samdb.domain_dns_name() + vars['DNSFOREST'] = samdb.forest_dns_name() + vars['HOSTNAME'] = samdb.host_dns_name() + vars['NTDSGUID'] = samdb.get_ntds_GUID() + vars['SITE'] = samdb.server_site_name() + res = samdb.search(base=samdb.get_default_basedn(), scope=SCOPE_BASE, attrs=["objectGUID"]) + guid = samdb.schema_format_value("objectGUID", res[0]['objectGUID'][0]) + vars['DOMAINGUID'] = get_string(guid) + + vars['IF_DC'] = "" + vars['IF_RWDC'] = "# " + vars['IF_RODC'] = "# " + vars['IF_PDC'] = "# " + vars['IF_GC'] = "# " + vars['IF_RWGC'] = "# " + vars['IF_ROGC'] = "# " + vars['IF_DNS_DOMAIN'] = "# " + vars['IF_RWDNS_DOMAIN'] = "# " + vars['IF_RODNS_DOMAIN'] = "# " + vars['IF_DNS_FOREST'] = "# " + vars['IF_RWDNS_FOREST'] = "# " + vars['IF_R0DNS_FOREST'] = "# " + + am_rodc = samdb.am_rodc() + if am_rodc: + vars['IF_RODC'] = "" + else: + vars['IF_RWDC'] = "" + + if samdb.am_pdc(): + vars['IF_PDC'] = "" + + # check if we "are DNS server" + res = samdb.search(base=samdb.get_config_basedn(), + expression='(objectguid=%s)' % vars['NTDSGUID'], + attrs=["options", "msDS-hasMasterNCs"]) + + if len(res) == 1: + if "options" in res[0]: + options = int(res[0]["options"][0]) + if (options & dsdb.DS_NTDSDSA_OPT_IS_GC) != 0: + vars['IF_GC'] = "" + if am_rodc: + vars['IF_ROGC'] = "" + else: + vars['IF_RWGC'] = "" + + basedn = str(samdb.get_default_basedn()) + forestdn = str(samdb.get_root_basedn()) + + if "msDS-hasMasterNCs" in res[0]: + for e in res[0]["msDS-hasMasterNCs"]: + if str(e) == "DC=DomainDnsZones,%s" % 
basedn: + vars['IF_DNS_DOMAIN'] = "" + if am_rodc: + vars['IF_RODNS_DOMAIN'] = "" + else: + vars['IF_RWDNS_DOMAIN'] = "" + if str(e) == "DC=ForestDnsZones,%s" % forestdn: + vars['IF_DNS_FOREST'] = "" + if am_rodc: + vars['IF_RODNS_FOREST'] = "" + else: + vars['IF_RWDNS_FOREST'] = "" + + return vars + + +def call_nsupdate(d, op="add"): + """call nsupdate for an entry.""" + global ccachename, nsupdate_cmd, krb5conf + + assert(op in ["add", "delete"]) + + if opts.use_file is not None: + if opts.verbose: + print("Use File instead of nsupdate for %s (%s)" % (d, op)) + + try: + rfile = open(opts.use_file, 'r+') + except IOError: + # Perhaps create it + open(opts.use_file, 'w+') + # Open it for reading again, in case someone else got to it first + rfile = open(opts.use_file, 'r+') + fcntl.lockf(rfile, fcntl.LOCK_EX) + (file_dir, file_name) = os.path.split(opts.use_file) + (tmp_fd, tmpfile) = tempfile.mkstemp(dir=file_dir, prefix=file_name, suffix="XXXXXX") + wfile = os.fdopen(tmp_fd, 'a') + rfile.seek(0) + for line in rfile: + if op == "delete": + l = parse_dns_line(line, {}) + if str(l).lower() == str(d).lower(): + continue + wfile.write(line) + if op == "add": + wfile.write(str(d)+"\n") + os.rename(tmpfile, opts.use_file) + fcntl.lockf(rfile, fcntl.LOCK_UN) + return + + if opts.verbose: + print("Calling nsupdate for %s (%s)" % (d, op)) + + normalised_name = d.name.rstrip('.') + '.' + + (tmp_fd, tmpfile) = tempfile.mkstemp() + f = os.fdopen(tmp_fd, 'w') + + resolver = get_resolver(d) + + # Local the zone for this name + zone = dns.resolver.zone_for_name(normalised_name, + resolver=resolver) + + # Now find the SOA, or if we can't get a ticket to the SOA, + # any server with an NS record we can get a ticket for. 
+ # + # Thanks to the Kerberos Credentials cache this is not + # expensive inside the loop + server = get_krb5_rw_dns_server(creds, zone) + f.write('server %s\n' % server) + + if d.type == "A": + f.write("update %s %s %u A %s\n" % (op, normalised_name, default_ttl, d.ip)) + if d.type == "AAAA": + f.write("update %s %s %u AAAA %s\n" % (op, normalised_name, default_ttl, d.ip)) + if d.type == "SRV": + if op == "add" and d.existing_port is not None: + f.write("update delete %s SRV 0 %s %s %s\n" % (normalised_name, d.existing_weight, + d.existing_port, d.dest)) + f.write("update %s %s %u SRV 0 100 %s %s\n" % (op, normalised_name, default_ttl, d.port, d.dest)) + if d.type == "CNAME": + f.write("update %s %s %u CNAME %s\n" % (op, normalised_name, default_ttl, d.dest)) + if d.type == "NS": + f.write("update %s %s %u NS %s\n" % (op, normalised_name, default_ttl, d.dest)) + if opts.verbose: + f.write("show\n") + f.write("send\n") + f.close() + + # Set a bigger MTU size to work around a bug in nsupdate's doio_send() + os.environ["SOCKET_WRAPPER_MTU"] = "2000" + + global error_count + if ccachename: + os.environ["KRB5CCNAME"] = ccachename + try: + cmd = nsupdate_cmd[:] + cmd.append(tmpfile) + env = os.environ + if krb5conf: + env["KRB5_CONFIG"] = krb5conf + if ccachename: + env["KRB5CCNAME"] = ccachename + ret = subprocess.call(cmd, shell=False, env=env) + if ret != 0: + if opts.fail_immediately: + if opts.verbose: + print("Failed update with %s" % tmpfile) + sys.exit(1) + error_count = error_count + 1 + if opts.verbose: + print("Failed nsupdate: %d" % ret) + except Exception as estr: + if opts.fail_immediately: + sys.exit(1) + error_count = error_count + 1 + if opts.verbose: + print("Failed nsupdate: %s : %s" % (str(d), estr)) + os.unlink(tmpfile) + + # Let socket_wrapper set the default MTU size + os.environ["SOCKET_WRAPPER_MTU"] = "0" + + +def call_samba_tool(d, op="add", zone=None): + """call samba-tool dns to update an entry.""" + + assert(op in ["add", "delete"]) + + if 
(sub_vars['DNSFOREST'] != sub_vars['DNSDOMAIN']) and \ + sub_vars['DNSFOREST'].endswith('.' + sub_vars['DNSDOMAIN']): + print("Refusing to use samba-tool when forest %s is under domain %s" \ + % (sub_vars['DNSFOREST'], sub_vars['DNSDOMAIN'])) + + if opts.verbose: + print("Calling samba-tool dns for %s (%s)" % (d, op)) + + normalised_name = d.name.rstrip('.') + '.' + if zone is None: + if normalised_name == (sub_vars['DNSDOMAIN'] + '.'): + short_name = '@' + zone = sub_vars['DNSDOMAIN'] + elif normalised_name == (sub_vars['DNSFOREST'] + '.'): + short_name = '@' + zone = sub_vars['DNSFOREST'] + elif normalised_name == ('_msdcs.' + sub_vars['DNSFOREST'] + '.'): + short_name = '@' + zone = '_msdcs.' + sub_vars['DNSFOREST'] + else: + if not normalised_name.endswith('.' + sub_vars['DNSDOMAIN'] + '.'): + print("Not Calling samba-tool dns for %s (%s), %s not in %s" % (d, op, normalised_name, sub_vars['DNSDOMAIN'] + '.')) + return False + elif normalised_name.endswith('._msdcs.' + sub_vars['DNSFOREST'] + '.'): + zone = '_msdcs.' 
+ sub_vars['DNSFOREST'] + else: + zone = sub_vars['DNSDOMAIN'] + len_zone = len(zone)+2 + short_name = normalised_name[:-len_zone] + else: + len_zone = len(zone)+2 + short_name = normalised_name[:-len_zone] + + if d.type == "A": + args = [rpc_server_ip, zone, short_name, "A", d.ip] + if d.type == "AAAA": + args = [rpc_server_ip, zone, short_name, "AAAA", d.ip] + if d.type == "SRV": + if op == "add" and d.existing_port is not None: + print("Not handling modify of existing SRV %s using samba-tool" % d) + return False + args = [rpc_server_ip, zone, short_name, "SRV", + "%s %s %s %s" % (d.dest, d.port, "0", "100")] + if d.type == "CNAME": + if d.existing_cname_target is None: + args = [rpc_server_ip, zone, short_name, "CNAME", d.dest] + else: + op = "update" + args = [rpc_server_ip, zone, short_name, "CNAME", + d.existing_cname_target.rstrip('.'), d.dest] + + if d.type == "NS": + args = [rpc_server_ip, zone, short_name, "NS", d.dest] + + if smb_conf and args: + args += ["--configfile=" + smb_conf] + + global error_count + try: + cmd = cmd_dns() + if opts.verbose: + print(f'Calling samba-tool dns {op} --use-kerberos off -P {args}') + ret = cmd._run("dns", op, "--use-kerberos", "off", "-P", *args) + if ret == -1: + if opts.fail_immediately: + sys.exit(1) + error_count = error_count + 1 + if opts.verbose: + print("Failed 'samba-tool dns' based update of %s" % (str(d))) + except Exception as estr: + if opts.fail_immediately: + sys.exit(1) + error_count = error_count + 1 + if opts.verbose: + print("Failed 'samba-tool dns' based update: %s : %s" % (str(d), estr)) + raise + +irpc_wb = None +def cached_irpc_wb(lp): + global irpc_wb + if irpc_wb is not None: + return irpc_wb + irpc_wb = winbind.winbind("irpc:winbind_server", lp) + return irpc_wb + +def rodc_dns_update(d, t, op): + '''a single DNS update via the RODC netlogon call''' + global sub_vars + + assert(op in ["add", "delete"]) + + if opts.verbose: + print("Calling netlogon RODC update for %s" % d) + + typemap = { + 
netlogon.NlDnsLdapAtSite : netlogon.NlDnsInfoTypeNone, + netlogon.NlDnsGcAtSite : netlogon.NlDnsDomainNameAlias, + netlogon.NlDnsDsaCname : netlogon.NlDnsDomainNameAlias, + netlogon.NlDnsKdcAtSite : netlogon.NlDnsInfoTypeNone, + netlogon.NlDnsDcAtSite : netlogon.NlDnsInfoTypeNone, + netlogon.NlDnsRfc1510KdcAtSite : netlogon.NlDnsInfoTypeNone, + netlogon.NlDnsGenericGcAtSite : netlogon.NlDnsDomainNameAlias + } + + w = cached_irpc_wb(lp) + dns_names = netlogon.NL_DNS_NAME_INFO_ARRAY() + dns_names.count = 1 + name = netlogon.NL_DNS_NAME_INFO() + name.type = t + name.dns_domain_info_type = typemap[t] + name.priority = 0 + name.weight = 0 + if d.port is not None: + name.port = int(d.port) + if op == "add": + name.dns_register = True + else: + name.dns_register = False + dns_names.names = [ name ] + site_name = sub_vars['SITE'] + + global error_count + + try: + ret_names = w.DsrUpdateReadOnlyServerDnsRecords(site_name, default_ttl, dns_names) + if ret_names.names[0].status != 0: + print("Failed to set DNS entry: %s (status %u)" % (d, ret_names.names[0].status)) + error_count = error_count + 1 + except RuntimeError as reason: + print("Error setting DNS entry of type %u: %s: %s" % (t, d, reason)) + error_count = error_count + 1 + + if opts.verbose: + print("Called netlogon RODC update for %s" % d) + + if error_count != 0 and opts.fail_immediately: + sys.exit(1) + + +def call_rodc_update(d, op="add"): + '''RODCs need to use the netlogon API for nsupdate''' + global lp, sub_vars + + assert(op in ["add", "delete"]) + + # we expect failure for 3268 if we aren't a GC + if d.port is not None and int(d.port) == 3268: + return + + # map the DNS request to a netlogon update type + map = { + netlogon.NlDnsLdapAtSite : '_ldap._tcp.${SITE}._sites.${DNSDOMAIN}', + netlogon.NlDnsGcAtSite : '_ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN}', + netlogon.NlDnsDsaCname : '${NTDSGUID}._msdcs.${DNSFOREST}', + netlogon.NlDnsKdcAtSite : '_kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}', + 
netlogon.NlDnsDcAtSite : '_ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}', + netlogon.NlDnsRfc1510KdcAtSite : '_kerberos._tcp.${SITE}._sites.${DNSDOMAIN}', + netlogon.NlDnsGenericGcAtSite : '_gc._tcp.${SITE}._sites.${DNSFOREST}' + } + + for t in map: + subname = samba.substitute_var(map[t], sub_vars) + if subname.lower() == d.name.lower(): + # found a match - do the update + rodc_dns_update(d, t, op) + return + if opts.verbose: + print("Unable to map to netlogon DNS update: %s" % d) + + +# get the list of DNS entries we should have +dns_update_list = opts.update_list or lp.private_path('dns_update_list') + +dns_update_cache = opts.update_cache or lp.private_path('dns_update_cache') + +krb5conf = None +# only change the krb5.conf if we are not in selftest +if 'SOCKET_WRAPPER_DIR' not in os.environ: + # use our private krb5.conf to avoid problems with the wrong domain + # bind9 nsupdate wants the default domain set + krb5conf = lp.private_path('krb5.conf') + os.environ['KRB5_CONFIG'] = krb5conf + +try: + file = open(dns_update_list, "r") +except OSError as e: + if opts.update_cache: + print("The specified update list does not exist") + else: + print("The server update list was not found, " + "and --update-list was not provided.") + print(e) + print() + parser.print_usage() + sys.exit(1) + +if opts.nosubs: + sub_vars = {} +else: + samdb = SamDB(url=lp.samdb_url(), session_info=system_session(), lp=lp) + + # get the substitution dictionary + sub_vars = get_subst_vars(samdb) + +# build up a list of update commands to pass to nsupdate +update_list = [] +dns_list = [] +cache_list = [] +delete_list = [] + +dup_set = set() +cache_set = set() + +rebuild_cache = False +try: + cfile = open(dns_update_cache, 'r+') +except IOError: + # Perhaps create it + open(dns_update_cache, 'w+') + # Open it for reading again, in case someone else got to it first + cfile = open(dns_update_cache, 'r+') +fcntl.lockf(cfile, fcntl.LOCK_EX) +for line in cfile: + line = line.strip() + if line == 
'' or line[0] == "#": + continue + c = parse_dns_line(line, {}) + if c is None: + continue + if str(c) not in cache_set: + cache_list.append(c) + cache_set.add(str(c)) + +site_specific_rec = [] + +# read each line, and check that the DNS name exists +for line in file: + line = line.strip() + + if '${SITE}' in line: + site_specific_rec.append(line) + + if line == '' or line[0] == "#": + continue + d = parse_dns_line(line, sub_vars) + if d is None: + continue + if d.type == 'A' and len(IP4s) == 0: + continue + if d.type == 'AAAA' and len(IP6s) == 0: + continue + if str(d) not in dup_set: + dns_list.append(d) + dup_set.add(str(d)) + +# Perform automatic site coverage by default +auto_coverage = True + +if not am_rodc and auto_coverage: + site_names = kcc_utils.uncovered_sites_to_cover(samdb, + samdb.server_site_name()) + + # Duplicate all site specific records for the uncovered site + for site in site_names: + to_add = [samba.substitute_var(line, {'SITE': site}) + for line in site_specific_rec] + + for site_line in to_add: + d = parse_dns_line(site_line, + sub_vars=sub_vars) + if d is not None and str(d) not in dup_set: + dns_list.append(d) + dup_set.add(str(d)) + +# now expand the entries, if any are A record with ip set to $IP +# then replace with multiple entries, one for each interface IP +for d in dns_list: + if d.ip != "$IP": + continue + if d.type == 'A': + d.ip = IP4s[0] + for i in range(len(IP4s)-1): + d2 = dnsobj(str(d)) + d2.ip = IP4s[i+1] + dns_list.append(d2) + if d.type == 'AAAA': + d.ip = IP6s[0] + for i in range(len(IP6s)-1): + d2 = dnsobj(str(d)) + d2.ip = IP6s[i+1] + dns_list.append(d2) + +# now check if the entries already exist on the DNS server +for d in dns_list: + found = False + for c in cache_list: + if str(c).lower() == str(d).lower(): + found = True + break + if not found: + rebuild_cache = True + if opts.verbose: + print("need cache add: %s" % d) + if dns_zone_scavenging: + update_list.append(d) + if opts.verbose: + print("scavenging 
requires update: %s" % d) + elif opts.all_names: + update_list.append(d) + if opts.verbose: + print("force update: %s" % d) + elif not check_dns_name(d): + update_list.append(d) + if opts.verbose: + print("need update: %s" % d) + +for c in cache_list: + found = False + for d in dns_list: + if str(c).lower() == str(d).lower(): + found = True + break + if found: + continue + rebuild_cache = True + if opts.verbose: + print("need cache remove: %s" % c) + if not opts.all_names and not check_dns_name(c): + continue + delete_list.append(c) + if opts.verbose: + print("need delete: %s" % c) + +if len(delete_list) == 0 and len(update_list) == 0 and not rebuild_cache: + if opts.verbose: + print("No DNS updates needed") + sys.exit(0) +else: + if opts.verbose: + print("%d DNS updates and %d DNS deletes needed" % (len(update_list), len(delete_list))) + +use_samba_tool = opts.use_samba_tool +use_nsupdate = opts.use_nsupdate +# get our krb5 creds +if (delete_list or update_list) and not opts.nocreds: + try: + creds = get_credentials(lp) + except RuntimeError as e: + ccachename = None + + if sub_vars['IF_RWDNS_DOMAIN'] == "# ": + raise + + if use_nsupdate: + raise + + print("Failed to get Kerberos credentials, falling back to samba-tool: %s" % e) + use_samba_tool = True + + +# ask nsupdate to delete entries as needed +for d in delete_list: + if d.rpc or (not use_nsupdate and use_samba_tool): + if opts.verbose: + print("delete (samba-tool): %s" % d) + call_samba_tool(d, op="delete", zone=d.zone) + + elif am_rodc: + if d.name.lower() == domain.lower(): + if opts.verbose: + print("skip delete (rodc): %s" % d) + continue + if not d.type in [ 'A', 'AAAA' ]: + if opts.verbose: + print("delete (rodc): %s" % d) + call_rodc_update(d, op="delete") + else: + if opts.verbose: + print("delete (nsupdate): %s" % d) + call_nsupdate(d, op="delete") + else: + if opts.verbose: + print("delete (nsupdate): %s" % d) + call_nsupdate(d, op="delete") + +# ask nsupdate to add entries as needed +for d in 
update_list: + if d.rpc or (not use_nsupdate and use_samba_tool): + if opts.verbose: + print("update (samba-tool): %s" % d) + call_samba_tool(d, zone=d.zone) + + elif am_rodc: + if d.name.lower() == domain.lower(): + if opts.verbose: + print("skip (rodc): %s" % d) + continue + if not d.type in [ 'A', 'AAAA' ]: + if opts.verbose: + print("update (rodc): %s" % d) + call_rodc_update(d) + else: + if opts.verbose: + print("update (nsupdate): %s" % d) + call_nsupdate(d) + else: + if opts.verbose: + print("update(nsupdate): %s" % d) + call_nsupdate(d) + +if rebuild_cache: + print("Rebuilding cache at %s" % dns_update_cache) + (file_dir, file_name) = os.path.split(dns_update_cache) + (tmp_fd, tmpfile) = tempfile.mkstemp(dir=file_dir, prefix=file_name, suffix="XXXXXX") + wfile = os.fdopen(tmp_fd, 'a') + for d in dns_list: + if opts.verbose: + print("Adding %s to %s" % (str(d), file_name)) + wfile.write(str(d)+"\n") + wfile.flush() + os.rename(tmpfile, dns_update_cache) +fcntl.lockf(cfile, fcntl.LOCK_UN) + +# delete the ccache if we created it +if ccachename is not None: + os.unlink(ccachename) + +if error_count != 0: + print("Failed update of %u entries" % error_count) +sys.exit(error_count) diff --git a/source4/scripting/bin/samba_downgrade_db b/source4/scripting/bin/samba_downgrade_db new file mode 100755 index 0000000..b9a0909 --- /dev/null +++ b/source4/scripting/bin/samba_downgrade_db 
@@ -0,0 +1,135 @@ +#!/usr/bin/python3 +# +# Unix SMB/CIFS implementation. +# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2019 +# +# Downgrade a database from 4.11 format to 4.7 format. 4.7 Format will +# run on any version of Samba AD, and Samba will repack/reconfigure the +# database if necessary. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +import optparse +import sys + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + + +import samba +import ldb +import urllib +import os +from samba import getopt as options +from samba.samdb import SamDB +from samba.dbchecker import dbcheck +from samba.credentials import Credentials +parser = optparse.OptionParser("samba_downgrade_db") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(options.VersionOptions(parser)) +parser.add_option("-H", "--URL", help="LDB URL for database", + type=str, metavar="URL", dest="H") +opts, args = parser.parse_args() + +if len(args) != 0: + parser.print_usage() + sys.exit(1) + +lp_ctx = sambaopts.get_loadparm() + +if opts.H is None: + url = lp_ctx.private_path("sam.ldb") +else: + url = opts.H + +samdb = ldb.Ldb(url=url, + flags=ldb.FLG_DONT_CREATE_DB, + options=["modules:"]) + +partitions = samdb.search(base="@PARTITION", + scope=ldb.SCOPE_BASE, + attrs=["backendStore", "partition"]) + +backend = str(partitions[0].get('backendStore', 'tdb')) + 
+if backend == "mdb": + samdb = None + options = ["pack_format_override=%d" % ldb.PACKING_FORMAT] + # We can't remove GUID indexes from LMDB in case there are very + # long DNs, so we just move down the pack format, which also removes + # references to ORDERED_INTEGER in @ATTRIBUTES. + + # Reopen the DB with pack_format_override set + samdb = SamDB(url=url, + flags=ldb.FLG_DONT_CREATE_DB, + lp=lp_ctx, + options=options) + samdb.transaction_start() + samdb.transaction_commit() + print("Your database has been downgraded to LDB pack format version %0x (v1)." % ldb.PACKING_FORMAT) + + print("NOTE: Any use of a Samba 4.11 tool that modifies the DB will " + "auto-upgrade back to pack format version %0x (v2)" % + ldb.PACKING_FORMAT_V2) + exit(0); + +# This is needed to force the @ATTRIBUTES and @INDEXLIST to be correct +lp_ctx.set("dsdb:guid index", "false") + +modmsg = ldb.Message() +modmsg.dn = ldb.Dn(samdb, '@INDEXLIST') +modmsg.add(ldb.MessageElement( + elements=[], + flags=ldb.FLAG_MOD_REPLACE, + name='@IDXGUID')) +modmsg.add(ldb.MessageElement( + elements=[], + flags=ldb.FLAG_MOD_REPLACE, + name='@IDX_DN_GUID')) + +samdb.transaction_start() +samdb.modify(modmsg) + +privatedir = os.path.dirname(url) + +dbs = [] +for part in partitions[0]['partition']: + dbname = str(part).split(":")[1] + dbpath = os.path.join(privatedir, dbname) + if os.path.isfile(dbpath): + dbpath = "ldb://" + dbpath + db = ldb.Ldb(url=dbpath, + options=["modules:"], + flags=ldb.FLG_DONT_CREATE_DB) + db.transaction_start() + db.modify(modmsg) + dbs.append(db) + +for db in dbs: + db.transaction_commit() + +samdb.transaction_commit() + +print("Re-opening with the full DB stack") +samdb = SamDB(url=url, + flags=ldb.FLG_DONT_CREATE_DB, + lp=lp_ctx) +print("Re-triggering another re-index") +chk = dbcheck(samdb) + +chk.reindex_database() + +print("Your database has been downgraded to DN-based index values.") + +print("NOTE: Any use of a Samba 4.8 or later tool including ldbsearch will " + "auto-upgrade 
back to GUID index mode") diff --git a/source4/scripting/bin/samba_kcc b/source4/scripting/bin/samba_kcc new file mode 100755 index 0000000..67d801e --- /dev/null +++ b/source4/scripting/bin/samba_kcc 
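Review bot: The SambaOptions group is constructed but never attached to the parser — `sambaopts = options.SambaOptions(parser)` is followed only by `parser.add_option_group(options.VersionOptions(parser))` — so `-s/--configfile` and `-d` are rejected as unknown options, even though `sambaopts.get_loadparm()` is what selects the private dir used for the default `sam.ldb` path; add `parser.add_option_group(sambaopts)` right after constructing it, as samba_kcc and samba_spnupdate in this same series do. The partition loop also does nothing, silently, for any partition whose file is not found under `os.path.dirname(url)` (when `-H` carries a `tdb://`/`ldb://` prefix I believe dirname no longer points at the private dir), which leaves that partition's `@INDEXLIST` untouched while the main DB is downgraded; an `else: print("WARNING: partition %s not found at %s, not downgraded" % (part, dbpath))` would make that visible. Minor: the mdb branch ends with `exit(0);` — prefer `sys.exit(0)` — and it rebinds `options`, shadowing the imported `samba.getopt` module name.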
@@ -0,0 +1,345 @@ +#!/usr/bin/env python3 +# +# Compute our KCC topology +# +# Copyright (C) Dave Craft 2011 +# Copyright (C) Andrew Bartlett 2015 +# +# Andrew Bartlett's alleged work performed by his underlings Douglas +# Bagnall and Garming Sam. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import sys +import random + +# ensure we get messages out immediately, so they get in the samba logs, +# and don't get swallowed by a timeout +os.environ['PYTHONUNBUFFERED'] = '1' + +# forcing GMT avoids a problem in some timezones with kerberos. Both MIT +# heimdal can get mutual authentication errors due to the 24 second difference +# between UTC and GMT when using some zone files (eg. the PDT zone from +# the US) +os.environ["TZ"] = "GMT" + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + +import optparse +import time + +from samba import getopt as options + +from samba.kcc.graph_utils import verify_and_dot, list_verify_tests +from samba.kcc.graph_utils import GraphError + +import logging +from samba.kcc.debug import logger, DEBUG, DEBUG_FN +from samba.kcc import KCC + +# If DEFAULT_RNG_SEED is None, /dev/urandom or system time is used. 
+DEFAULT_RNG_SEED = None + + +def test_all_reps_from(kcc, dburl, lp, creds, unix_now, rng_seed=None, + ldif_file=None): + """Run the KCC from all DSAs in read-only mode + + The behaviour depends on the global opts variable which contains + command line variables. Usually you will want to run it with + opt.dot_file_dir set (via --dot-file-dir) to see the graphs that + would be created from each DC. + + :param lp: a loadparm object. + :param creds: a Credentials object. + :param unix_now: the unix epoch time as an integer + :param rng_seed: a seed for the random number generator + :return None: + """ + # This implies readonly and attempt_live_connections + dsas = kcc.list_dsas() + samdb = kcc.samdb + needed_parts = {} + current_parts = {} + + guid_to_dnstr = {} + for site in kcc.site_table.values(): + guid_to_dnstr.update((str(dsa.dsa_guid), dnstr) + for dnstr, dsa in site.dsa_table.items()) + + dot_edges = [] + dot_vertices = [] + colours = [] + vertex_colours = [] + + for dsa_dn in dsas: + if rng_seed is not None: + random.seed(rng_seed) + kcc = KCC(unix_now, readonly=True, + verify=opts.verify, debug=opts.debug, + dot_file_dir=opts.dot_file_dir) + if ldif_file is not None: + try: + # The dburl in this case is a temporary database. + # Its non-existence is ensured at the script startup. + # If it exists, it is from a previous iteration of + # this loop -- unless we're in an unfortunate race. + # Because this database is temporary, it lacks some + # detail and needs to be re-created anew to set the + # local dsa. 
+ os.unlink(dburl) + except OSError: + pass + + kcc.import_ldif(dburl, lp, ldif_file, dsa_dn) + else: + kcc.samdb = samdb + kcc.run(dburl, lp, creds, forced_local_dsa=dsa_dn, + forget_local_links=opts.forget_local_links, + forget_intersite_links=opts.forget_intersite_links, + attempt_live_connections=opts.attempt_live_connections) + + current, needed = kcc.my_dsa.get_rep_tables() + + for dsa in kcc.my_site.dsa_table.values(): + if dsa is kcc.my_dsa: + continue + kcc.translate_ntdsconn(dsa) + c, n = dsa.get_rep_tables() + current.update(c) + needed.update(n) + + for name, rep_table, rep_parts in ( + ('needed', needed, needed_parts), + ('current', current, current_parts)): + for part, nc_rep in rep_table.items(): + edges = rep_parts.setdefault(part, []) + for reps_from in nc_rep.rep_repsFrom: + source = guid_to_dnstr[str(reps_from.source_dsa_obj_guid)] + dest = guid_to_dnstr[str(nc_rep.rep_dsa_guid)] + edges.append((source, dest)) + + for site in kcc.site_table.values(): + for dsa in site.dsa_table.values(): + if dsa.is_ro(): + vertex_colours.append('#cc0000') + else: + vertex_colours.append('#0000cc') + dot_vertices.append(dsa.dsa_dnstr) + if dsa.connect_table: + DEBUG_FN("DSA %s %s connections:\n%s" % + (dsa.dsa_dnstr, len(dsa.connect_table), + [x.from_dnstr for x in + dsa.connect_table.values()])) + for con in dsa.connect_table.values(): + if con.is_rodc_topology(): + colours.append('red') + else: + colours.append('blue') + dot_edges.append((con.from_dnstr, dsa.dsa_dnstr)) + + verify_and_dot('all-dsa-connections', dot_edges, vertices=dot_vertices, + label="all dsa NTDSConnections", properties=(), + debug=DEBUG, verify=opts.verify, + dot_file_dir=opts.dot_file_dir, + directed=True, edge_colors=colours, + vertex_colors=vertex_colours) + + for name, rep_parts in (('needed', needed_parts), + ('current', current_parts)): + for part, edges in rep_parts.items(): + verify_and_dot('all-repsFrom_%s__%s' % (name, part), edges, + directed=True, label=part, + properties=(), 
debug=DEBUG, verify=opts.verify, + dot_file_dir=opts.dot_file_dir) + +################################################## +# samba_kcc entry point +################################################## + + +parser = optparse.OptionParser("samba_kcc [options]") +sambaopts = options.SambaOptions(parser) +credopts = options.CredentialsOptions(parser) + +parser.add_option_group(sambaopts) +parser.add_option_group(credopts) +parser.add_option_group(options.VersionOptions(parser)) + +parser.add_option("--readonly", default=False, + help="compute topology but do not update database", + action="store_true") + +parser.add_option("--debug", + help="debug output", + action="store_true") + +parser.add_option("--verify", + help="verify that assorted invariants are kept", + action="store_true") + +parser.add_option("--list-verify-tests", + help=("list what verification actions are available " + "and do nothing else"), + action="store_true") + +parser.add_option("--dot-file-dir", default=None, + help="Write Graphviz .dot files to this directory") + +parser.add_option("--seed", + help="random number seed", + type=int, default=DEFAULT_RNG_SEED) + +parser.add_option("--importldif", + help="import topology ldif file", + type=str, metavar="<file>") + +parser.add_option("--exportldif", + help="export topology ldif file", + type=str, metavar="<file>") + +parser.add_option("-H", "--URL", + help="LDB URL for database or target server", + type=str, metavar="<URL>", dest="dburl") + +parser.add_option("--tmpdb", + help="schemaless database file to create for ldif import", + type=str, metavar="<file>") + +parser.add_option("--now", + help=("assume current time is this ('YYYYmmddHHMMSS[tz]'," + " default: system time)"), + type=str, metavar="<date>") + +parser.add_option("--forced-local-dsa", + help="run calculations assuming the DSA is this DN", + type=str, metavar="<DSA>") + +parser.add_option("--attempt-live-connections", default=False, + help="Attempt to connect to other DSAs to test links", + 
action="store_true") + +parser.add_option("--list-valid-dsas", default=False, + help=("Print a list of DSA dnstrs that could be" + " used in --forced-local-dsa"), + action="store_true") + +parser.add_option("--test-all-reps-from", default=False, + help="Create and verify a graph of reps-from for every DSA", + action="store_true") + +parser.add_option("--forget-local-links", default=False, + help="pretend not to know the existing local topology", + action="store_true") + +parser.add_option("--forget-intersite-links", default=False, + help="pretend not to know the existing intersite topology", + action="store_true") + +opts, args = parser.parse_args() + + +if opts.list_verify_tests: + list_verify_tests() + sys.exit(0) + +if opts.test_all_reps_from: + opts.readonly = True + +if opts.debug: + logger.setLevel(logging.DEBUG) +elif opts.readonly: + logger.setLevel(logging.INFO) +else: + logger.setLevel(logging.WARNING) + +random.seed(opts.seed) + +if opts.now: + for timeformat in ("%Y%m%d%H%M%S%Z", "%Y%m%d%H%M%S"): + try: + now_tuple = time.strptime(opts.now, timeformat) + break + except ValueError: + pass + else: + # else happens if break doesn't --> no match + print("could not parse time '%s'" % (opts.now), file = sys.stderr) + sys.exit(1) + unix_now = int(time.mktime(now_tuple)) +else: + unix_now = int(time.time()) + +lp = sambaopts.get_loadparm() +# only log warnings/errors by default, unless the user has specified otherwise +if opts.debug is None: + lp.set('log level', '1') + +creds = credopts.get_credentials(lp, fallback_machine=True) + +if opts.dburl is None: + if opts.importldif: + opts.dburl = opts.tmpdb + else: + opts.dburl = lp.samdb_url() +elif opts.importldif: + logger.error("Don't use -H/--URL with --importldif, use --tmpdb instead") + sys.exit(1) + +# Instantiate Knowledge Consistency Checker and perform run +kcc = KCC(unix_now, readonly=opts.readonly, verify=opts.verify, + debug=opts.debug, dot_file_dir=opts.dot_file_dir) + +if opts.exportldif: + rc = 
kcc.export_ldif(opts.dburl, lp, creds, opts.exportldif) + sys.exit(rc) + +if opts.importldif: + if opts.tmpdb is None or opts.tmpdb.startswith('ldap'): + logger.error("Specify a target temp database file with --tmpdb option") + sys.exit(1) + if os.path.exists(opts.tmpdb): + logger.error("The temp database file (%s) specified with --tmpdb " + "already exists. We refuse to clobber it." % opts.tmpdb) + sys.exit(1) + + rc = kcc.import_ldif(opts.tmpdb, lp, opts.importldif, + forced_local_dsa=opts.forced_local_dsa) + if rc != 0: + sys.exit(rc) + + +kcc.load_samdb(opts.dburl, lp, creds, force=False) + +if opts.test_all_reps_from: + test_all_reps_from(kcc, opts.dburl, lp, creds, unix_now, + rng_seed=opts.seed, + ldif_file=opts.importldif) + sys.exit() + +if opts.list_valid_dsas: + print('\n'.join(kcc.list_dsas())) + sys.exit() + +try: + rc = kcc.run(opts.dburl, lp, creds, opts.forced_local_dsa, + opts.forget_local_links, opts.forget_intersite_links, + attempt_live_connections=opts.attempt_live_connections) + sys.exit(rc) + +except GraphError as e: + print( e) + sys.exit(1) diff --git a/source4/scripting/bin/samba_spnupdate b/source4/scripting/bin/samba_spnupdate new file mode 100755 index 0000000..84ff771 --- /dev/null +++ b/source4/scripting/bin/samba_spnupdate 
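Review bot: The `except GraphError` handler at the end guards only the final `kcc.run(...)`, but the `--test-all-reps-from` path calls `kcc.run(...)` once per DSA and `verify_and_dot(..., verify=opts.verify)` earlier and outside that try, so a verification failure there presumably surfaces as a traceback instead of the one-line message and exit status 1 that a normal run gets. Extend the `try:` to enclose the `test_all_reps_from(kcc, opts.dburl, lp, creds, unix_now, rng_seed=opts.seed, ldif_file=opts.importldif)` call and its `sys.exit()` so both paths share the same `except GraphError as e:` handling. Separately, `test_all_reps_from` reads the module-level `opts` (`verify`, `debug`, `dot_file_dir`, `forget_*`, `attempt_live_connections`) in addition to its parameters; the docstring admits this, but passing `opts` explicitly would make the dependency obvious to anyone reusing the function.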
@@ -0,0 +1,254 @@ +#!/usr/bin/env python3 +# +# update our servicePrincipalName names from spn_update_list +# +# Copyright (C) Andrew Tridgell 2010 +# Copyright (C) Matthieu Patou <mat@matws.net> 2012 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +import os, sys, re + +# ensure we get messages out immediately, so they get in the samba logs, +# and don't get swallowed by a timeout +os.environ['PYTHONUNBUFFERED'] = '1' + +# forcing GMT avoids a problem in some timezones with kerberos. Both MIT +# heimdal can get mutual authentication errors due to the 24 second difference +# between UTC and GMT when using some zone files (eg. 
the PDT zone from +# the US) +os.environ["TZ"] = "GMT" + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + +import samba, ldb +import optparse +from samba import Ldb +from samba import getopt as options +from samba.auth import system_session +from samba.samdb import SamDB +from samba.credentials import Credentials, DONT_USE_KERBEROS +from samba.common import get_string + +parser = optparse.OptionParser("samba_spnupdate") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +parser.add_option("--verbose", action="store_true") + +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) + +ccachename = None + +opts, args = parser.parse_args() + +if len(args) != 0: + parser.print_usage() + sys.exit(1) + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +domain = lp.get("realm") +host = lp.get("netbios name") + + +# get the list of substitution vars +def get_subst_vars(samdb): + global lp + vars = {} + + vars['DNSDOMAIN'] = samdb.domain_dns_name() + vars['DNSFOREST'] = samdb.forest_dns_name() + vars['HOSTNAME'] = samdb.host_dns_name() + vars['NETBIOSNAME'] = lp.get('netbios name').upper() + vars['WORKGROUP'] = lp.get('workgroup') + vars['NTDSGUID'] = samdb.get_ntds_GUID() + res = samdb.search(base=samdb.get_default_basedn(), scope=ldb.SCOPE_BASE, attrs=["objectGUID"]) + guid = samdb.schema_format_value("objectGUID", res[0]['objectGUID'][0]) + vars['DOMAINGUID'] = get_string(guid) + return vars + +try: + private_dir = lp.get("private dir") + secrets_path = os.path.join(private_dir, "secrets.ldb") + + secrets_db = Ldb(url=secrets_path, session_info=system_session(), + credentials=creds, lp=lp) + res = secrets_db.search(base=None, + expression="(&(objectclass=ldapSecret)(cn=SAMDB Credentials))", + attrs=["samAccountName", "secret"]) + + if len(res) == 1: + credentials = Credentials() + 
credentials.set_kerberos_state(DONT_USE_KERBEROS) + + if "samAccountName" in res[0]: + credentials.set_username(res[0]["samAccountName"][0]) + + if "secret" in res[0]: + credentials.set_password(res[0]["secret"][0]) + + else: + credentials = None + + samdb = SamDB(url=lp.samdb_url(), session_info=system_session(), credentials=credentials, lp=lp) +except ldb.LdbError as e: + (num, msg) = e.args + print("Unable to open sam database %s : %s" % (lp.samdb_url(), msg)) + sys.exit(1) + + +# get the substitution dictionary +sub_vars = get_subst_vars(samdb) + +# get the list of SPN entries we should have +spn_update_list = lp.private_path('spn_update_list') + +file = open(spn_update_list, "r") + +spn_list = [] + +has_forest_dns = False +has_domain_dns = False +# check if we "are DNS server" +res = samdb.search(base=samdb.get_config_basedn(), + expression='(objectguid=%s)' % sub_vars['NTDSGUID'], + attrs=["msDS-hasMasterNCs"]) + +basedn = str(samdb.get_default_basedn()) +if len(res) == 1: + if "msDS-hasMasterNCs" in res[0]: + for e in res[0]["msDS-hasMasterNCs"]: + if str(e) == "DC=DomainDnsZones,%s" % basedn: + has_domain_dns = True + if str(e) == "DC=ForestDnsZones,%s" % basedn: + has_forest_dns = True + + +# build the spn list +for line in file: + line = line.strip() + if line == '' or line[0] == "#": + continue + if re.match(r".*/DomainDnsZones\..*", line) and not has_domain_dns: + continue + if re.match(r".*/ForestDnsZones\..*", line) and not has_forest_dns: + continue + line = samba.substitute_var(line, sub_vars) + spn_list.append(line) + +# get the current list of SPNs in our sam +res = samdb.search(base=samdb.get_default_basedn(), + expression='(&(objectClass=computer)(samaccountname=%s$))' % sub_vars['NETBIOSNAME'], + attrs=["servicePrincipalName"]) +if not res or len(res) != 1: + print("Failed to find computer object for %s$" % sub_vars['NETBIOSNAME']) + sys.exit(1) + +machine_dn = res[0]["dn"] + +old_spns = [] +if "servicePrincipalName" in res[0]: + for s in 
res[0]["servicePrincipalName"]: + old_spns.append(str(s)) + +if opts.verbose: + print("Existing SPNs: %s" % old_spns) + +add_list = [] + +# work out what needs to be added +for s in spn_list: + in_list = False + for s2 in old_spns: + if s2.upper() == s.upper(): + in_list = True + break + if not in_list: + add_list.append(s) + +if opts.verbose: + print("New SPNs: %s" % add_list) + +if add_list == []: + if opts.verbose: + print("Nothing to add") + sys.exit(0) + +def local_update(add_list): + '''store locally''' + global res + msg = ldb.Message() + msg.dn = res[0]['dn'] + msg[""] = ldb.MessageElement(add_list, + ldb.FLAG_MOD_ADD, "servicePrincipalName") + res = samdb.modify(msg) + +def call_rodc_update(d): + '''RODCs need to use the writeSPN DRS call''' + global lp, sub_vars + from samba import drs_utils + from samba.dcerpc import drsuapi, nbt + from samba.net import Net + + if opts.verbose: + print("Using RODC SPN update") + + creds = credopts.get_credentials(lp) + creds.set_machine_account(lp) + + net = Net(creds=creds, lp=lp) + try: + cldap_ret = net.finddc(domain=domain, flags=nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE) + except Exception as reason: + print("Unable to find writeable DC for domain '%s' to send DRS writeSPN to : %s" % (domain, reason)) + sys.exit(1) + server = cldap_ret.pdc_dns_name + try: + binding_options = "seal" + if lp.log_level() >= 5: + binding_options += ",print" + drs = drsuapi.drsuapi('ncacn_ip_tcp:%s[%s]' % (server, binding_options), lp, creds) + (drs_handle, supported_extensions) = drs_utils.drs_DsBind(drs) + except Exception as reason: + print("Unable to connect to DC '%s' for domain '%s' : %s" % (server, domain, reason)) + sys.exit(1) + req1 = drsuapi.DsWriteAccountSpnRequest1() + req1.operation = drsuapi.DRSUAPI_DS_SPN_OPERATION_ADD + req1.object_dn = str(machine_dn) + req1.count = 0 + spn_names = [] + for n in add_list: + if n.find('E3514235-4B06-11D1-AB04-00C04FC2DCD2') != -1: + # this one isn't allowed for RODCs, but we don't know 
why yet + continue + ns = drsuapi.DsNameString() + ns.str = n + spn_names.append(ns) + req1.count = req1.count + 1 + if spn_names == []: + return + req1.spn_names = spn_names + (level, res) = drs.DsWriteAccountSpn(drs_handle, 1, req1) + if (res.status != (0, 'WERR_OK')): + print("WriteAccountSpn has failed with error %s" % str(res.status)) + +if samdb.am_rodc(): + call_rodc_update(add_list) +else: + local_update(add_list) diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns new file mode 100755 index 0000000..afc5807 --- /dev/null +++ b/source4/scripting/bin/samba_upgradedns 
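Review bot: In `call_rodc_update`, a non-`WERR_OK` status from `DsWriteAccountSpn` is only printed — the function then returns and the script exits 0, so a failed SPN registration on an RODC is invisible to whatever schedules this script (contrast samba_dnsupdate in this series, which exits with its error count); follow that print with `sys.exit(1)`, and likewise let a failure of `samdb.modify` in `local_update` produce a non-zero exit rather than an unhandled traceback. The computer-object lookup interpolates `sub_vars['NETBIOSNAME']` (taken from smb.conf) straight into the LDAP filter `'(&(objectClass=computer)(samaccountname=%s$))'`; the value is operator-controlled, but passing it through `ldb.binary_encode()` costs nothing and makes a name containing filter metacharacters fail cleanly instead of altering the query. Minor: `file = open(spn_update_list, "r")` is never closed and shadows the builtin; a `with open(spn_update_list, "r") as f:` around the SPN-list loop fixes both.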
@@ -0,0 +1,589 @@ +#!/usr/bin/env python3 +# +# Unix SMB/CIFS implementation. +# Copyright (C) Amitay Isaacs <amitay@gmail.com> 2012 +# +# Upgrade DNS provision from BIND9_FLATFILE to BIND9_DLZ or SAMBA_INTERNAL +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import sys +import os +import errno +import optparse +import logging +import grp +from base64 import b64encode +import shlex + +sys.path.insert(0, "bin/python") + +import ldb +import samba +from samba import param +from samba.auth import system_session +from samba.ndr import ( + ndr_pack, + ndr_unpack ) +import samba.getopt as options +from samba.upgradehelpers import ( + get_paths, + get_ldbs ) +from samba.dsdb import DS_DOMAIN_FUNCTION_2003 +from samba.provision import ( + find_provision_key_parameters, + interface_ips_v4, + interface_ips_v6 ) +from samba.provision.common import ( + setup_path, + setup_add_ldif, + FILL_FULL) +from samba.provision.sambadns import ( + ARecord, + AAAARecord, + CNAMERecord, + NSRecord, + SOARecord, + SRVRecord, + TXTRecord, + get_dnsadmins_sid, + add_dns_accounts, + create_dns_partitions, + fill_dns_data_partitions, + create_dns_dir, + secretsdb_setup_dns, + create_dns_dir_keytab_link, + create_samdb_copy, + create_named_conf, + create_named_txt ) +from samba.dcerpc import security + +import dns.zone, dns.rdatatype + +__docformat__ = 'restructuredText' + + +def find_bind_gid(): + """Find 
system group id for bind9 + """ + for name in ["bind", "named"]: + try: + return grp.getgrnam(name)[2] + except KeyError: + pass + return None + + +def convert_dns_rdata(rdata, serial=1): + """Convert resource records in dnsRecord format + """ + if rdata.rdtype == dns.rdatatype.A: + rec = ARecord(rdata.address, serial=serial) + elif rdata.rdtype == dns.rdatatype.AAAA: + rec = AAAARecord(rdata.address, serial=serial) + elif rdata.rdtype == dns.rdatatype.CNAME: + rec = CNAMERecord(rdata.target.to_text(), serial=serial) + elif rdata.rdtype == dns.rdatatype.NS: + rec = NSRecord(rdata.target.to_text(), serial=serial) + elif rdata.rdtype == dns.rdatatype.SRV: + rec = SRVRecord(rdata.target.to_text(), int(rdata.port), + priority=int(rdata.priority), weight=int(rdata.weight), + serial=serial) + elif rdata.rdtype == dns.rdatatype.TXT: + slist = shlex.split(rdata.to_text()) + rec = TXTRecord(slist, serial=serial) + elif rdata.rdtype == dns.rdatatype.SOA: + rec = SOARecord(rdata.mname.to_text(), rdata.rname.to_text(), + serial=int(rdata.serial), + refresh=int(rdata.refresh), retry=int(rdata.retry), + expire=int(rdata.expire), minimum=int(rdata.minimum)) + else: + rec = None + return rec + + +def import_zone_data(samdb, logger, zone, serial, domaindn, forestdn, + dnsdomain, dnsforest): + """Insert zone data in DNS partitions + """ + labels = dnsdomain.split('.') + labels.append('') + domain_root = dns.name.Name(labels) + domain_prefix = "DC=%s,CN=MicrosoftDNS,DC=DomainDnsZones,%s" % (dnsdomain, + domaindn) + + tmp = "_msdcs.%s" % dnsforest + labels = tmp.split('.') + labels.append('') + forest_root = dns.name.Name(labels) + dnsmsdcs = "_msdcs.%s" % dnsforest + forest_prefix = "DC=%s,CN=MicrosoftDNS,DC=ForestDnsZones,%s" % (dnsmsdcs, + forestdn) + + # Extract @ record + at_record = zone.get_node(domain_root) + zone.delete_node(domain_root) + + # SOA record + rdset = at_record.get_rdataset(dns.rdataclass.IN, dns.rdatatype.SOA) + soa_rec = ndr_pack(convert_dns_rdata(rdset[0])) + 
at_record.delete_rdataset(dns.rdataclass.IN, dns.rdatatype.SOA) + + # NS record + rdset = at_record.get_rdataset(dns.rdataclass.IN, dns.rdatatype.NS) + ns_rec = ndr_pack(convert_dns_rdata(rdset[0])) + at_record.delete_rdataset(dns.rdataclass.IN, dns.rdatatype.NS) + + # A/AAAA records + ip_recs = [] + for rdset in at_record: + for r in rdset: + rec = convert_dns_rdata(r) + ip_recs.append(ndr_pack(rec)) + + # Add @ record for domain + dns_rec = [soa_rec, ns_rec] + ip_recs + msg = ldb.Message(ldb.Dn(samdb, 'DC=@,%s' % domain_prefix)) + msg["objectClass"] = ["top", "dnsNode"] + msg["dnsRecord"] = ldb.MessageElement(dns_rec, ldb.FLAG_MOD_ADD, + "dnsRecord") + try: + samdb.add(msg) + except Exception: + logger.error("Failed to add @ record for domain") + raise + logger.debug("Added @ record for domain") + + # Add @ record for forest + dns_rec = [soa_rec, ns_rec] + msg = ldb.Message(ldb.Dn(samdb, 'DC=@,%s' % forest_prefix)) + msg["objectClass"] = ["top", "dnsNode"] + msg["dnsRecord"] = ldb.MessageElement(dns_rec, ldb.FLAG_MOD_ADD, + "dnsRecord") + try: + samdb.add(msg) + except Exception: + logger.error("Failed to add @ record for forest") + raise + logger.debug("Added @ record for forest") + + # Add remaining records in domain and forest + for node in zone.nodes: + name = node.relativize(forest_root).to_text() + if name == node.to_text(): + name = node.relativize(domain_root).to_text() + dn = "DC=%s,%s" % (name, domain_prefix) + fqdn = "%s.%s" % (name, dnsdomain) + else: + dn = "DC=%s,%s" % (name, forest_prefix) + fqdn = "%s.%s" % (name, dnsmsdcs) + + dns_rec = [] + for rdataset in zone.nodes[node]: + for rdata in rdataset: + rec = convert_dns_rdata(rdata, serial) + if not rec: + logger.warn("Unsupported record type (%s) for %s, ignoring" % + dns.rdatatype.to_text(rdata.rdatatype), name) + else: + dns_rec.append(ndr_pack(rec)) + + msg = ldb.Message(ldb.Dn(samdb, dn)) + msg["objectClass"] = ["top", "dnsNode"] + msg["dnsRecord"] = ldb.MessageElement(dns_rec, 
ldb.FLAG_MOD_ADD, + "dnsRecord") + try: + samdb.add(msg) + except Exception: + logger.error("Failed to add DNS record %s" % (fqdn)) + raise + logger.debug("Added DNS record %s" % (fqdn)) + +def cleanup_remove_file(file_path): + try: + os.remove(file_path) + except OSError as e: + if e.errno not in [errno.EEXIST, errno.ENOENT]: + pass + else: + logger.debug("Could not remove %s: %s" % (file_path, e.strerror)) + +def cleanup_remove_dir(dir_path): + try: + for root, dirs, files in os.walk(dir_path, topdown=False): + for name in files: + os.remove(os.path.join(root, name)) + for name in dirs: + os.rmdir(os.path.join(root, name)) + os.rmdir(dir_path) + except OSError as e: + if e.errno not in [errno.EEXIST, errno.ENOENT]: + pass + else: + logger.debug("Could not delete dir %s: %s" % (dir_path, e.strerror)) + +def cleanup_obsolete_dns_files(paths): + cleanup_remove_file(os.path.join(paths.private_dir, "named.conf")) + cleanup_remove_file(os.path.join(paths.private_dir, "named.conf.update")) + cleanup_remove_file(os.path.join(paths.private_dir, "named.txt")) + + cleanup_remove_dir(os.path.join(paths.private_dir, "dns")) + + +# dnsprovision creates application partitions for AD based DNS mainly if the existing +# provision was created using earlier snapshots of samba4 which did not have support +# for DNS partitions + +if __name__ == '__main__': + + # Setup command line parser + parser = optparse.OptionParser("samba_upgradedns [options]") + sambaopts = options.SambaOptions(parser) + credopts = options.CredentialsOptions(parser) + + parser.add_option_group(options.VersionOptions(parser)) + parser.add_option_group(sambaopts) + parser.add_option_group(credopts) + + parser.add_option("--dns-backend", type="choice", metavar="<BIND9_DLZ|SAMBA_INTERNAL>", + choices=["SAMBA_INTERNAL", "BIND9_DLZ"], default="SAMBA_INTERNAL", + help="The DNS server backend, default SAMBA_INTERNAL") + parser.add_option("--migrate", type="choice", metavar="<yes|no>", + choices=["yes","no"], 
default="yes", + help="Migrate existing zone data, default yes") + parser.add_option("--verbose", help="Be verbose", action="store_true") + + opts = parser.parse_args()[0] + + if opts.dns_backend is None: + opts.dns_backend = 'SAMBA_INTERNAL' + + if opts.migrate: + autofill = False + else: + autofill = True + + # Set up logger + logger = logging.getLogger("upgradedns") + logger.addHandler(logging.StreamHandler(sys.stdout)) + logger.setLevel(logging.INFO) + if opts.verbose: + logger.setLevel(logging.DEBUG) + + lp = sambaopts.get_loadparm() + lp.load(lp.configfile) + creds = credopts.get_credentials(lp) + + logger.info("Reading domain information") + paths = get_paths(param, smbconf=lp.configfile) + paths.bind_gid = find_bind_gid() + ldbs = get_ldbs(paths, creds, system_session(), lp) + names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap, + paths, lp.configfile, lp) + + if names.domainlevel < DS_DOMAIN_FUNCTION_2003: + logger.error("Cannot create AD based DNS for OS level < 2003") + sys.exit(1) + + domaindn = names.domaindn + forestdn = names.rootdn + + dnsdomain = names.dnsdomain.lower() + dnsforest = dnsdomain + + site = names.sitename + hostname = names.hostname + dnsname = '%s.%s' % (hostname, dnsdomain) + + domainsid = names.domainsid + domainguid = names.domainguid + ntdsguid = names.ntdsguid + + # Check for DNS accounts and create them if required + try: + msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT, + expression='(sAMAccountName=DnsAdmins)', + attrs=['objectSid']) + dnsadmins_sid = ndr_unpack(security.dom_sid, msg[0]['objectSid'][0]) + except IndexError: + logger.info("Adding DNS accounts") + add_dns_accounts(ldbs.sam, domaindn) + dnsadmins_sid = get_dnsadmins_sid(ldbs.sam, domaindn) + else: + logger.info("DNS accounts already exist") + + # Import dns records from zone file + if os.path.exists(paths.dns): + logger.info("Reading records from zone file %s" % paths.dns) + try: + zone = dns.zone.from_file(paths.dns, 
relativize=False) + rrset = zone.get_rdataset("%s." % dnsdomain, dns.rdatatype.SOA) + serial = int(rrset[0].serial) + except Exception as e: + logger.warn("Error parsing DNS data from '%s' (%s)" % (paths.dns, str(e))) + autofill = True + else: + logger.info("No zone file %s (normal)" % paths.dns) + autofill = True + + # Create DNS partitions if missing and fill DNS information + try: + expression = '(|(dnsRoot=DomainDnsZones.%s)(dnsRoot=ForestDnsZones.%s))' % \ + (dnsdomain, dnsforest) + msg = ldbs.sam.search(base=names.configdn, scope=ldb.SCOPE_DEFAULT, + expression=expression, attrs=['nCName']) + ncname = msg[0]['nCName'][0] + except IndexError: + logger.info("Creating DNS partitions") + + logger.info("Looking up IPv4 addresses") + hostip = interface_ips_v4(lp) + try: + hostip.remove('127.0.0.1') + except ValueError: + pass + if not hostip: + logger.error("No IPv4 addresses found") + sys.exit(1) + else: + hostip = hostip[0] + logger.debug("IPv4 addresses: %s" % hostip) + + logger.info("Looking up IPv6 addresses") + hostip6 = interface_ips_v6(lp) + if not hostip6: + hostip6 = None + else: + hostip6 = hostip6[0] + logger.debug("IPv6 addresses: %s" % hostip6) + + create_dns_partitions(ldbs.sam, domainsid, names, domaindn, forestdn, + dnsadmins_sid, FILL_FULL) + + logger.info("Populating DNS partitions") + if autofill: + logger.warn("DNS records will be automatically created") + + fill_dns_data_partitions(ldbs.sam, domainsid, site, domaindn, forestdn, + dnsdomain, dnsforest, hostname, hostip, hostip6, + domainguid, ntdsguid, dnsadmins_sid, + autofill=autofill) + + if not autofill: + logger.info("Importing records from zone file") + import_zone_data(ldbs.sam, logger, zone, serial, domaindn, forestdn, + dnsdomain, dnsforest) + else: + logger.info("DNS partitions already exist") + + # Mark that we are hosting DNS partitions + try: + dns_nclist = [ 'DC=DomainDnsZones,%s' % domaindn, + 'DC=ForestDnsZones,%s' % forestdn ] + + msgs = ldbs.sam.search(base=names.serverdn, 
scope=ldb.SCOPE_DEFAULT, + expression='(objectclass=nTDSDSa)', + attrs=['hasPartialReplicaNCs', + 'msDS-hasMasterNCs']) + msg = msgs[0] + + master_nclist = [] + ncs = msg.get("msDS-hasMasterNCs") + if ncs: + for nc in ncs: + master_nclist.append(str(nc)) + + partial_nclist = [] + ncs = msg.get("hasPartialReplicaNCs") + if ncs: + for nc in ncs: + partial_nclist.append(str(nc)) + + modified_master = False + modified_partial = False + + for nc in dns_nclist: + if nc not in master_nclist: + master_nclist.append(nc) + modified_master = True + if nc in partial_nclist: + partial_nclist.remove(nc) + modified_partial = True + + if modified_master or modified_partial: + logger.debug("Updating msDS-hasMasterNCs and hasPartialReplicaNCs attributes") + m = ldb.Message() + m.dn = msg.dn + if modified_master: + m["msDS-hasMasterNCs"] = ldb.MessageElement(master_nclist, + ldb.FLAG_MOD_REPLACE, + "msDS-hasMasterNCs") + if modified_partial: + if partial_nclist: + m["hasPartialReplicaNCs"] = ldb.MessageElement(partial_nclist, + ldb.FLAG_MOD_REPLACE, + "hasPartialReplicaNCs") + else: + m["hasPartialReplicaNCs"] = ldb.MessageElement(ncs, + ldb.FLAG_MOD_DELETE, + "hasPartialReplicaNCs") + ldbs.sam.modify(m) + except Exception: + raise + + # Special stuff for DLZ backend + if opts.dns_backend == "BIND9_DLZ": + config_migration = False + + if (paths.private_dir != paths.binddns_dir and + os.path.isfile(os.path.join(paths.private_dir, "named.conf"))): + config_migration = True + + # Check if dns-HOSTNAME account exists and create it if required + secrets_msgs = ldbs.secrets.search(expression='(samAccountName=dns-%s)' % hostname, attrs=['secret']) + msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT, + expression='(sAMAccountName=dns-%s)' % (hostname), + attrs=[]) + + if len(secrets_msgs) == 0 or len(msg) == 0: + logger.info("Adding dns-%s account" % hostname) + + if len(secrets_msgs) == 1: + dn = secrets_msgs[0].dn + ldbs.secrets.delete(dn) + + if len(msg) == 1: + dn = msg[0].dn 
+ ldbs.sam.delete(dn) + + dnspass = samba.generate_random_password(128, 255) + setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), { + "DNSDOMAIN": dnsdomain, + "DOMAINDN": domaindn, + "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')).decode('utf8'), + "HOSTNAME" : hostname, + "DNSNAME" : dnsname } + ) + + res = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT, + expression='(sAMAccountName=dns-%s)' % (hostname), + attrs=["msDS-KeyVersionNumber"]) + if "msDS-KeyVersionNumber" in res[0]: + dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0]) + else: + dns_key_version_number = None + + secretsdb_setup_dns(ldbs.secrets, names, + paths.private_dir, paths.binddns_dir, realm=names.realm, + dnsdomain=names.dnsdomain, + dns_keytab_path=paths.dns_keytab, dnspass=dnspass, + key_version_number=dns_key_version_number) + + else: + logger.info("dns-%s account already exists" % hostname) + + if not os.path.exists(paths.binddns_dir): + # This directory won't exist if we're restoring from an offline backup. + os.mkdir(paths.binddns_dir, 0o770) + + create_dns_dir_keytab_link(logger, paths) + + # This forces a re-creation of dns directory and all the files within + # It's an overkill, but it's easier to re-create a samdb copy, rather + # than trying to fix a broken copy. 
+ create_dns_dir(logger, paths) + + # Setup a copy of SAM for BIND9 + create_samdb_copy(ldbs.sam, logger, paths, names, domainsid, + domainguid) + + create_named_conf(paths, names.realm, dnsdomain, opts.dns_backend, logger) + + create_named_txt(paths.namedtxt, names.realm, dnsdomain, dnsname, + paths.binddns_dir, paths.dns_keytab) + + cleanup_obsolete_dns_files(paths) + + if config_migration: + logger.info("ATTENTION: The BIND configuration and keytab has been moved to: %s", + paths.binddns_dir) + logger.info(" Please update your BIND configuration accordingly.") + else: + logger.info("See %s for an example configuration include file for BIND", paths.namedconf) + logger.info("and %s for further documentation required for secure DNS " + "updates", paths.namedtxt) + + elif opts.dns_backend == "SAMBA_INTERNAL": + # Make sure to remove everything from the bind-dns directory to avoid + # possible security issues with the named group having write access + # to all AD partitions + cleanup_remove_file(os.path.join(paths.binddns_dir, "dns.keytab")) + cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf")) + cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf.update")) + cleanup_remove_file(os.path.join(paths.binddns_dir, "named.txt")) + + cleanup_remove_dir(os.path.dirname(paths.dns)) + + try: + os.chmod(paths.private_dir, 0o700) + os.chown(paths.private_dir, -1, 0) + except: + logger.warn("Failed to restore owner and permissions for %s", + (paths.private_dir)) + + # Check if dns-HOSTNAME account exists and delete it if required + try: + dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname + msg = ldbs.secrets.search(expression='(dn=%s)' % dn_str, attrs=[]) + dn = msg[0].dn + except IndexError: + dn = None + + if dn is not None: + try: + ldbs.secrets.delete(dn) + except Exception: + logger.info("Failed to delete %s from secrets.ldb" % dn) + + try: + msg = ldbs.sam.search(base=domaindn, scope=ldb.SCOPE_DEFAULT, + 
expression='(sAMAccountName=dns-%s)' % (hostname), + attrs=[]) + dn = msg[0].dn + except IndexError: + dn = None + + if dn is not None: + try: + ldbs.sam.delete(dn) + except Exception: + logger.info("Failed to delete %s from sam.ldb" % dn) + + logger.info("Finished upgrading DNS") + + services = lp.get("server services") + for service in services: + if service == "dns": + if opts.dns_backend.startswith("BIND"): + logger.info("You have switched to using %s as your dns backend," + " but still have the internal dns starting. Please" + " make sure you add '-dns' to your server services" + " line in your smb.conf." % opts.dns_backend) + break + else: + if opts.dns_backend == "SAMBA_INTERNAL": + logger.info("You have switched to using %s as your dns backend," + " but you still have samba starting looking for a" + " BIND backend. Please remove the -dns from your" + " server services line." % opts.dns_backend) diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision new file mode 100755 index 0000000..3d072bc --- /dev/null +++ b/source4/scripting/bin/samba_upgradeprovision 
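Review bot: The errno test in cleanup_remove_file and cleanup_remove_dir is inverted: a missing path (ENOENT) is the branch that gets logged, while every other failure — e.g. EACCES or EPERM on a leftover dns.keytab or named.conf in binddns_dir — falls into the `pass` arm and is dropped silently, which defeats the SAMBA_INTERNAL branch's stated purpose of removing everything the named group could write to. Both handlers should read `if e.errno != errno.ENOENT:` followed by `logger.warning("Could not remove %s: %s", file_path, e.strerror)` (the dir variant likewise), so a failed cleanup is visible at the default INFO level rather than only under --verbose. Separately, `if opts.migrate:` tests a "yes"/"no" choice string that is always truthy, so `--migrate=no` never sets autofill from that branch; `autofill = opts.migrate != "yes"` expresses the intent. The unsupported-record warning in import_zone_data also appears unable to fire as written: it reads `rdata.rdatatype` where convert_dns_rdata uses `rdata.rdtype`, and the `%` binds only its left operand, leaving `name` as a stray positional argument to logger.warn.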
@@ -0,0 +1,1848 @@ +#!/usr/bin/env python3 +# vim: expandtab +# +# Copyright (C) Matthieu Patou <mat@matws.net> 2009 - 2010 +# +# Based on provision a Samba4 server by +# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008 +# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008 +# +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +import logging +import optparse +import os +import shutil +import sys +import tempfile +import re +import traceback +# Allow to run from s4 source directory (without installing samba) +sys.path.insert(0, "bin/python") + +import ldb +import samba +import samba.getopt as options +from samba.samdb import get_default_backend_store + +from base64 import b64encode +from samba.credentials import DONT_USE_KERBEROS +from samba.auth import system_session, admin_session +from samba import tdb_util +from samba import mdb_util +from ldb import (SCOPE_SUBTREE, SCOPE_BASE, + FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE, + MessageElement, Message, Dn, LdbError) +from samba import param, dsdb, Ldb +from samba.common import confirm +from samba.descriptor import get_wellknown_sds, get_empty_descriptor, get_diff_sds +from samba.provision import (find_provision_key_parameters, + ProvisioningError, get_last_provision_usn, + get_max_usn, update_provision_usn, setup_path) +from samba.schema import get_linked_attributes, Schema, get_schema_descriptor +from 
samba.dcerpc import security, drsblobs +from samba.dcerpc.security import ( + SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL) +from samba.ndr import ndr_unpack +from samba.upgradehelpers import (dn_sort, get_paths, newprovision, + get_ldbs, findprovisionrange, + usn_in_range, identic_rename, + update_secrets, CHANGE, ERROR, SIMPLE, + CHANGEALL, GUESS, CHANGESD, PROVISION, + updateOEMInfo, getOEMInfo, update_gpo, + delta_update_basesamdb, update_policyids, + update_machine_account_password, + search_constructed_attrs_stored, + int64range2str, update_dns_account_password, + increment_calculated_keyversion_number, + print_provision_ranges) +from samba.xattr import copytree_with_xattrs +from functools import cmp_to_key + +# make sure the script dies immediately when hitting control-C, +# rather than raising KeyboardInterrupt. As we do all database +# operations using transactions, this is safe. +import signal +signal.signal(signal.SIGINT, signal.SIG_DFL) + +replace=2**FLAG_MOD_REPLACE +add=2**FLAG_MOD_ADD +delete=2**FLAG_MOD_DELETE +never=0 + + +# Will be modified during provision to tell if default sd has been modified +# somehow ... + +#Errors are always logged + +__docformat__ = "restructuredText" + +# Attributes that are never copied from the reference provision (even if they +# do not exist in the destination object). 
+# This is most probably because they are populated automatcally when object is +# created +# This also apply to imported object from reference provision +replAttrNotCopied = [ "dn", "whenCreated", "whenChanged", "objectGUID", + "parentGUID", "distinguishedName", + "instanceType", "cn", + "lmPwdHistory", "pwdLastSet", "ntPwdHistory", + "unicodePwd", "dBCSPwd", "supplementalCredentials", + "gPCUserExtensionNames", "gPCMachineExtensionNames", + "maxPwdAge", "secret", "possibleInferiors", "privilege", + "sAMAccountType", "oEMInformation", "creationTime" ] + +nonreplAttrNotCopied = ["uSNCreated", "replPropertyMetaData", "uSNChanged", + "nextRid" ,"rIDNextRID", "rIDPreviousAllocationPool"] + +nonDSDBAttrNotCopied = ["msDS-KeyVersionNumber", "priorSecret", "priorWhenChanged"] + + +attrNotCopied = replAttrNotCopied +attrNotCopied.extend(nonreplAttrNotCopied) +attrNotCopied.extend(nonDSDBAttrNotCopied) +# Usually for an object that already exists we do not overwrite attributes as +# they might have been changed for good reasons. Anyway for a few of them it's +# mandatory to replace them otherwise the provision will be broken somehow. 
+# But for attribute that are just missing we do not have to specify them as the default +# behavior is to add missing attribute +hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace, + "systemOnly":replace, "searchFlags":replace, + "mayContain":replace, "systemFlags":replace+add, + "description":replace, "operatingSystemVersion":replace, + "adminPropertyPages":replace, "groupType":replace, + "wellKnownObjects":replace, "privilege":never, + "rIDAvailablePool": never, + "rIDNextRID": add, "rIDUsedPool": never, + "defaultSecurityDescriptor": replace + add, + "isMemberOfPartialAttributeSet": delete, + "attributeDisplayNames": replace + add, + "versionNumber": add} + +dnNotToRecalculateFound = False +dnToRecalculate = [] +backlinked = [] +forwardlinked = set() +dn_syntax_att = [] +not_replicated = [] +def define_what_to_log(opts): + what = 0 + if opts.debugchange: + what = what | CHANGE + if opts.debugchangesd: + what = what | CHANGESD + if opts.debugguess: + what = what | GUESS + if opts.debugprovision: + what = what | PROVISION + if opts.debugall: + what = what | CHANGEALL + return what + + +parser = optparse.OptionParser("samba_upgradeprovision [options]") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +parser.add_option("--setupdir", type="string", metavar="DIR", + help="directory with setup files") +parser.add_option("--debugprovision", help="Debug provision", action="store_true") +parser.add_option("--debugguess", action="store_true", + help="Print information on which values are guessed") +parser.add_option("--debugchange", action="store_true", + help="Print information on what is different but won't be changed") +parser.add_option("--debugchangesd", action="store_true", + help="Print security descriptor differences") +parser.add_option("--debugall", action="store_true", + 
help="Print all available information (very verbose)") +parser.add_option("--db_backup_only", action="store_true", + help="Do the backup of the database in the provision, skip the sysvol / netlogon shares") +parser.add_option("--full", action="store_true", + help="Perform full upgrade of the samdb (schema, configuration, new objects, ...") +parser.add_option("--very-old-pre-alpha9", action="store_true", + help="Perform additional forced SD resets required for a database from before Samba 4.0.0alpha9.") + +opts = parser.parse_args()[0] + +handler = logging.StreamHandler(sys.stdout) +upgrade_logger = logging.getLogger("upgradeprovision") +upgrade_logger.setLevel(logging.INFO) + +upgrade_logger.addHandler(handler) + +provision_logger = logging.getLogger("provision") +provision_logger.addHandler(handler) + +whatToLog = define_what_to_log(opts) + +def message(what, text): + """Print a message if this message type has been selected to be printed + + :param what: Category of the message + :param text: Message to print """ + if (whatToLog & what) or what <= 0: + upgrade_logger.info("%s", text) + +if len(sys.argv) == 1: + opts.interactive = True +lp = sambaopts.get_loadparm() +smbconf = lp.configfile + +creds = credopts.get_credentials(lp) +creds.set_kerberos_state(DONT_USE_KERBEROS) + + + +def check_for_DNS(refprivate, private, refbinddns_dir, binddns_dir, dns_backend): + """Check if the provision has already the requirement for dynamic dns + + :param refprivate: The path to the private directory of the reference + provision + :param private: The path to the private directory of the upgraded + provision""" + + spnfile = "%s/spn_update_list" % private + dnsfile = "%s/dns_update_list" % private + + if not os.path.exists(spnfile): + shutil.copy("%s/spn_update_list" % refprivate, "%s" % spnfile) + + if not os.path.exists(dnsfile): + shutil.copy("%s/dns_update_list" % refprivate, "%s" % dnsfile) + + if not os.path.exists(binddns_dir): + os.mkdir(binddns_dir) + + if dns_backend 
not in ['BIND9_DLZ', 'BIND9_FLATFILE']: + return + + namedfile = lp.get("dnsupdate:path") + if not namedfile: + namedfile = "%s/named.conf.update" % binddns_dir + if not os.path.exists(namedfile): + destdir = "%s/new_dns" % binddns_dir + dnsdir = "%s/dns" % binddns_dir + + if not os.path.exists(destdir): + os.mkdir(destdir) + if not os.path.exists(dnsdir): + os.mkdir(dnsdir) + shutil.copy("%s/named.conf" % refbinddns_dir, "%s/named.conf" % destdir) + shutil.copy("%s/named.txt" % refbinddns_dir, "%s/named.txt" % destdir) + message(SIMPLE, "It seems that your provision did not integrate " + "new rules for dynamic dns update of domain related entries") + message(SIMPLE, "A copy of the new bind configuration files and " + "template has been put in %s, you should read them and " + "configure dynamic dns updates" % destdir) + + +def populate_links(samdb, schemadn): + """Populate an array with all the back linked attributes + + This attributes that are modified automatically when + front attibutes are changed + + :param samdb: A LDB object for sam.ldb file + :param schemadn: DN of the schema for the partition""" + linkedAttHash = get_linked_attributes(Dn(samdb, str(schemadn)), samdb) + backlinked.extend(linkedAttHash.values()) + for t in linkedAttHash.keys(): + forwardlinked.add(t) + +def isReplicated(att): + """ Indicate if the attribute is replicated or not + + :param att: Name of the attribute to be tested + :return: True is the attribute is replicated, False otherwise + """ + + return (att not in not_replicated) + +def populateNotReplicated(samdb, schemadn): + """Populate an array with all the attributes that are not replicated + + :param samdb: A LDB object for sam.ldb file + :param schemadn: DN of the schema for the partition""" + res = samdb.search(expression="(&(objectclass=attributeSchema)(systemflags:1.2.840.113556.1.4.803:=1))", base=Dn(samdb, + str(schemadn)), scope=SCOPE_SUBTREE, + attrs=["lDAPDisplayName"]) + for elem in res: + 
not_replicated.append(str(elem["lDAPDisplayName"])) + + +def populate_dnsyntax(samdb, schemadn): + """Populate an array with all the attributes that have DN synthax + (oid 2.5.5.1) + + :param samdb: A LDB object for sam.ldb file + :param schemadn: DN of the schema for the partition""" + res = samdb.search(expression="(attributeSyntax=2.5.5.1)", base=Dn(samdb, + str(schemadn)), scope=SCOPE_SUBTREE, + attrs=["lDAPDisplayName"]) + for elem in res: + dn_syntax_att.append(elem["lDAPDisplayName"]) + + +def sanitychecks(samdb, names): + """Make some checks before trying to update + + :param samdb: An LDB object opened on sam.ldb + :param names: list of key provision parameters + :return: Status of check (1 for Ok, 0 for not Ok) """ + res = samdb.search(expression="objectClass=ntdsdsa", base=str(names.configdn), + scope=SCOPE_SUBTREE, attrs=["dn"], + controls=["search_options:1:2"]) + if len(res) == 0: + print("No DC found. Your provision is most probably broken!") + return False + elif len(res) != 1: + print("Found %d domain controllers. For the moment " \ + "upgradeprovision is not able to handle an upgrade on a " \ + "domain with more than one DC. 
Please demote the other " \ + "DC(s) before upgrading") % len(res) + return False + else: + return True + + +def print_provision_key_parameters(names): + """Do a a pretty print of provision parameters + + :param names: list of key provision parameters """ + message(GUESS, "rootdn :" + str(names.rootdn)) + message(GUESS, "configdn :" + str(names.configdn)) + message(GUESS, "schemadn :" + str(names.schemadn)) + message(GUESS, "serverdn :" + str(names.serverdn)) + message(GUESS, "netbiosname :" + names.netbiosname) + message(GUESS, "defaultsite :" + names.sitename) + message(GUESS, "dnsdomain :" + names.dnsdomain) + message(GUESS, "hostname :" + names.hostname) + message(GUESS, "domain :" + names.domain) + message(GUESS, "realm :" + names.realm) + message(GUESS, "invocationid:" + names.invocation) + message(GUESS, "policyguid :" + names.policyid) + message(GUESS, "policyguiddc:" + str(names.policyid_dc)) + message(GUESS, "domainsid :" + str(names.domainsid)) + message(GUESS, "domainguid :" + names.domainguid) + message(GUESS, "ntdsguid :" + names.ntdsguid) + message(GUESS, "domainlevel :" + str(names.domainlevel)) + + +def handle_special_case(att, delta, new, old, useReplMetadata, basedn, aldb): + """Define more complicate update rules for some attributes + + :param att: The attribute to be updated + :param delta: A messageElement object that correspond to the difference + between the updated object and the reference one + :param new: The reference object + :param old: The Updated object + :param useReplMetadata: A boolean that indicate if the update process + use replPropertyMetaData to decide what has to be updated. 
+ :param basedn: The base DN of the provision + :param aldb: An ldb object used to build DN + :return: True to indicate that the attribute should be kept, False for + discarding it""" + + # We do most of the special case handle if we do not have the + # highest usn as otherwise the replPropertyMetaData will guide us more + # correctly + if not useReplMetadata: + flag = delta.get(att).flags() + if (att == "sPNMappings" and flag == FLAG_MOD_REPLACE and + ldb.Dn(aldb, "CN=Directory Service,CN=Windows NT," + "CN=Services,CN=Configuration,%s" % basedn) + == old[0].dn): + return True + if (att == "userAccountControl" and flag == FLAG_MOD_REPLACE and + ldb.Dn(aldb, "CN=Administrator,CN=Users,%s" % basedn) + == old[0].dn): + message(SIMPLE, "We suggest that you change the userAccountControl" + " for user Administrator from value %d to %d" % + (int(str(old[0][att])), int(str(new[0][att])))) + return False + if (att == "minPwdAge" and flag == FLAG_MOD_REPLACE): + if (int(str(old[0][att])) == 0): + delta[att] = MessageElement(new[0][att], FLAG_MOD_REPLACE, att) + return True + + if (att == "member" and flag == FLAG_MOD_REPLACE): + hash = {} + newval = [] + changeDelta=0 + for elem in old[0][att]: + hash[str(elem).lower()]=1 + newval.append(str(elem)) + + for elem in new[0][att]: + if not str(elem).lower() in hash: + changeDelta=1 + newval.append(str(elem)) + if changeDelta == 1: + delta[att] = MessageElement(newval, FLAG_MOD_REPLACE, att) + else: + delta.remove(att) + return True + + if (att in ("gPLink", "gPCFileSysPath") and + flag == FLAG_MOD_REPLACE and + str(new[0].dn).lower() == str(old[0].dn).lower()): + delta.remove(att) + return True + + if att == "forceLogoff": + ref=0x8000000000000000 + oldval=int(old[0][att][0]) + newval=int(new[0][att][0]) + ref == old and ref == abs(new) + return True + + if att in ("adminDisplayName", "adminDescription"): + return True + + if (str(old[0].dn) == "CN=Samba4-Local-Domain, %s" % (names.schemadn) + and att == "defaultObjectCategory" 
and flag == FLAG_MOD_REPLACE): + return True + + if (str(old[0].dn) == "CN=Title, %s" % (str(names.schemadn)) and + att == "rangeUpper" and flag == FLAG_MOD_REPLACE): + return True + + if (str(old[0].dn) == "%s" % (str(names.rootdn)) + and att == "subRefs" and flag == FLAG_MOD_REPLACE): + return True + #Allow to change revision of ForestUpdates objects + if (att == "revision" or att == "objectVersion"): + if str(delta.dn).lower().find("domainupdates") and str(delta.dn).lower().find("forestupdates") > 0: + return True + if str(delta.dn).endswith("CN=DisplaySpecifiers, %s" % names.configdn): + return True + + # This is a bit of special animal as we might have added + # already SPN entries to the list that has to be modified + # So we go in detail to try to find out what has to be added ... + if (att == "servicePrincipalName" and delta.get(att).flags() == FLAG_MOD_REPLACE): + hash = {} + newval = [] + changeDelta = 0 + for elem in old[0][att]: + hash[str(elem)]=1 + newval.append(str(elem)) + + for elem in new[0][att]: + if not str(elem) in hash: + changeDelta = 1 + newval.append(str(elem)) + if changeDelta == 1: + delta[att] = MessageElement(newval, FLAG_MOD_REPLACE, att) + else: + delta.remove(att) + return True + + return False + +def dump_denied_change(dn, att, flagtxt, current, reference): + """Print detailed information about why a change is denied + + :param dn: DN of the object which attribute is denied + :param att: Attribute that was supposed to be upgraded + :param flagtxt: Type of the update that should be performed + (add, change, remove, ...) + :param current: Value(s) of the current attribute + :param reference: Value(s) of the reference attribute""" + + message(CHANGE, "dn= " + str(dn)+" " + att+" with flag " + flagtxt + + " must not be changed/removed. 
Discarding the change") + if att == "objectSid" : + message(CHANGE, "old : %s" % ndr_unpack(security.dom_sid, current[0])) + message(CHANGE, "new : %s" % ndr_unpack(security.dom_sid, reference[0])) + elif att == "rIDPreviousAllocationPool" or att == "rIDAllocationPool": + message(CHANGE, "old : %s" % int64range2str(current[0])) + message(CHANGE, "new : %s" % int64range2str(reference[0])) + else: + i = 0 + for e in range(0, len(current)): + message(CHANGE, "old %d : %s" % (i, str(current[e]))) + i+=1 + if reference is not None: + i = 0 + for e in range(0, len(reference)): + message(CHANGE, "new %d : %s" % (i, str(reference[e]))) + i+=1 + +def handle_special_add(samdb, dn, names): + """Handle special operation (like remove) on some object needed during + upgrade + + This is mostly due to wrong creation of the object in previous provision. + :param samdb: An Ldb object representing the SAM database + :param dn: DN of the object to inspect + :param names: list of key provision parameters + """ + + dntoremove = None + objDn = Dn(samdb, "CN=IIS_IUSRS, CN=Builtin, %s" % names.rootdn) + if dn == objDn : + #This entry was misplaced lets remove it if it exists + dntoremove = "CN=IIS_IUSRS, CN=Users, %s" % names.rootdn + + objDn = Dn(samdb, + "CN=Certificate Service DCOM Access, CN=Builtin, %s" % names.rootdn) + if dn == objDn: + #This entry was misplaced lets remove it if it exists + dntoremove = "CN=Certificate Service DCOM Access,"\ + "CN=Users, %s" % names.rootdn + + objDn = Dn(samdb, "CN=Cryptographic Operators, CN=Builtin, %s" % names.rootdn) + if dn == objDn: + #This entry was misplaced lets remove it if it exists + dntoremove = "CN=Cryptographic Operators, CN=Users, %s" % names.rootdn + + objDn = Dn(samdb, "CN=Event Log Readers, CN=Builtin, %s" % names.rootdn) + if dn == objDn: + #This entry was misplaced lets remove it if it exists + dntoremove = "CN=Event Log Readers, CN=Users, %s" % names.rootdn + + objDn = Dn(samdb,"CN=System,CN=WellKnown Security Principals," + 
"CN=Configuration,%s" % names.rootdn) + if dn == objDn: + oldDn = Dn(samdb,"CN=Well-Known-Security-Id-System," + "CN=WellKnown Security Principals," + "CN=Configuration,%s" % names.rootdn) + + res = samdb.search(expression="(distinguishedName=%s)" % oldDn, + base=str(names.rootdn), + scope=SCOPE_SUBTREE, attrs=["dn"], + controls=["search_options:1:2"]) + + res2 = samdb.search(expression="(distinguishedName=%s)" % dn, + base=str(names.rootdn), + scope=SCOPE_SUBTREE, attrs=["dn"], + controls=["search_options:1:2"]) + + if len(res) > 0 and len(res2) == 0: + message(CHANGE, "Existing object %s must be replaced by %s. " + "Renaming old object" % (str(oldDn), str(dn))) + samdb.rename(oldDn, objDn, ["relax:0", "provision:0"]) + + return 0 + + if dntoremove is not None: + res = samdb.search(expression="(cn=RID Set)", + base=str(names.rootdn), + scope=SCOPE_SUBTREE, attrs=["dn"], + controls=["search_options:1:2"]) + + if len(res) == 0: + return 2 + res = samdb.search(expression="(distinguishedName=%s)" % dntoremove, + base=str(names.rootdn), + scope=SCOPE_SUBTREE, attrs=["dn"], + controls=["search_options:1:2"]) + if len(res) > 0: + message(CHANGE, "Existing object %s must be replaced by %s. " + "Removing old object" % (dntoremove, str(dn))) + samdb.delete(res[0]["dn"]) + return 0 + + return 1 + + +def check_dn_nottobecreated(hash, index, listdn): + """Check if one of the DN present in the list has a creation order + greater than the current. + + Hash is indexed by dn to be created, with each key + is associated the creation order. + + First dn to be created has the creation order 0, second has 1, ... 
+ Index contain the current creation order + + :param hash: Hash holding the different DN of the object to be + created as key + :param index: Current creation order + :param listdn: List of DNs on which the current DN depends on + :return: None if the current object do not depend on other + object or if all object have been created before.""" + if listdn is None: + return None + for dn in listdn: + key = str(dn).lower() + if key in hash and hash[key] > index: + return str(dn) + return None + + + +def add_missing_object(ref_samdb, samdb, dn, names, basedn, hash, index): + """Add a new object if the dependencies are satisfied + + The function add the object if the object on which it depends are already + created + + :param ref_samdb: Ldb object representing the SAM db of the reference + provision + :param samdb: Ldb object representing the SAM db of the upgraded + provision + :param dn: DN of the object to be added + :param names: List of key provision parameters + :param basedn: DN of the partition to be updated + :param hash: Hash holding the different DN of the object to be + created as key + :param index: Current creation order + :return: True if the object was created False otherwise""" + + ret = handle_special_add(samdb, dn, names) + + if ret == 2: + return False + + if ret == 0: + return True + + + reference = ref_samdb.search(expression="(distinguishedName=%s)" % (str(dn)), + base=basedn, scope=SCOPE_SUBTREE, + controls=["search_options:1:2"]) + empty = Message() + delta = samdb.msg_diff(empty, reference[0]) + delta.dn + skip = False + try: + if str(reference[0].get("cn")) == "RID Set": + for klass in reference[0].get("objectClass"): + if str(klass).lower() == "ridset": + skip = True + finally: + if delta.get("objectSid"): + sid = str(ndr_unpack(security.dom_sid, reference[0]["objectSid"][0])) + m = re.match(r".*-(\d+)$", sid) + if m and int(m.group(1))>999: + delta.remove("objectSid") + for att in attrNotCopied: + delta.remove(att) + for att in backlinked: 
+ delta.remove(att) + for att in dn_syntax_att: + depend_on_yet_tobecreated = check_dn_nottobecreated(hash, index, + delta.get(str(att))) + if depend_on_yet_tobecreated is not None: + message(CHANGE, "Object %s depends on %s in attribute %s. " + "Delaying the creation" % (dn, + depend_on_yet_tobecreated, att)) + return False + + delta.dn = dn + if not skip: + message(CHANGE,"Object %s will be added" % dn) + samdb.add(delta, ["relax:0", "provision:0"]) + else: + message(CHANGE,"Object %s was skipped" % dn) + + return True + +def gen_dn_index_hash(listMissing): + """Generate a hash associating the DN to its creation order + + :param listMissing: List of DN + :return: Hash with DN as keys and creation order as values""" + hash = {} + for i in range(0, len(listMissing)): + hash[str(listMissing[i]).lower()] = i + return hash + +def add_deletedobj_containers(ref_samdb, samdb, names): + """Add the object container: CN=Deleted Objects + + This function create the container for each partition that need one and + then reference the object into the root of the partition + + :param ref_samdb: Ldb object representing the SAM db of the reference + provision + :param samdb: Ldb object representing the SAM db of the upgraded provision + :param names: List of key provision parameters""" + + + wkoPrefix = "B:32:18E2EA80684F11D2B9AA00C04F79F805" + partitions = [str(names.rootdn), str(names.configdn)] + for part in partitions: + ref_delObjCnt = ref_samdb.search(expression="(cn=Deleted Objects)", + base=part, scope=SCOPE_SUBTREE, + attrs=["dn"], + controls=["show_deleted:0", + "show_recycled:0"]) + delObjCnt = samdb.search(expression="(cn=Deleted Objects)", + base=part, scope=SCOPE_SUBTREE, + attrs=["dn"], + controls=["show_deleted:0", + "show_recycled:0"]) + if len(ref_delObjCnt) > len(delObjCnt): + reference = ref_samdb.search(expression="cn=Deleted Objects", + base=part, scope=SCOPE_SUBTREE, + controls=["show_deleted:0", + "show_recycled:0"]) + empty = Message() + delta = 
samdb.msg_diff(empty, reference[0]) + + delta.dn = Dn(samdb, str(reference[0]["dn"])) + for att in attrNotCopied: + delta.remove(att) + + modcontrols = ["relax:0", "provision:0"] + samdb.add(delta, modcontrols) + + listwko = [] + res = samdb.search(expression="(objectClass=*)", base=part, + scope=SCOPE_BASE, + attrs=["dn", "wellKnownObjects"]) + + targetWKO = "%s:%s" % (wkoPrefix, str(reference[0]["dn"])) + found = False + + if len(res[0]) > 0: + wko = res[0]["wellKnownObjects"] + + # The wellKnownObject that we want to add. + for o in wko: + if str(o) == targetWKO: + found = True + listwko.append(str(o)) + + if not found: + listwko.append(targetWKO) + + delta = Message() + delta.dn = Dn(samdb, str(res[0]["dn"])) + delta["wellKnownObjects"] = MessageElement(listwko, + FLAG_MOD_REPLACE, + "wellKnownObjects" ) + samdb.modify(delta) + +def add_missing_entries(ref_samdb, samdb, names, basedn, list): + """Add the missing object whose DN is the list + + The function add the object if the objects on which it depends are + already created. 
+ + :param ref_samdb: Ldb object representing the SAM db of the reference + provision + :param samdb: Ldb object representing the SAM db of the upgraded + provision + :param dn: DN of the object to be added + :param names: List of key provision parameters + :param basedn: DN of the partition to be updated + :param list: List of DN to be added in the upgraded provision""" + + listMissing = [] + listDefered = list + + while(len(listDefered) != len(listMissing) and len(listDefered) > 0): + index = 0 + listMissing = listDefered + listDefered = [] + hashMissing = gen_dn_index_hash(listMissing) + for dn in listMissing: + ret = add_missing_object(ref_samdb, samdb, dn, names, basedn, + hashMissing, index) + index = index + 1 + if ret == 0: + # DN can't be created because it depends on some + # other DN in the list + listDefered.append(dn) + + if len(listDefered) != 0: + raise ProvisioningError("Unable to insert missing elements: " + "circular references") + +def handle_links(samdb, att, basedn, dn, value, ref_value, delta): + """This function handle updates on links + + :param samdb: An LDB object pointing to the updated provision + :param att: Attribute to update + :param basedn: The root DN of the provision + :param dn: The DN of the inspected object + :param value: The value of the attribute + :param ref_value: The value of this attribute in the reference provision + :param delta: The MessageElement object that will be applied for + transforming the current provision""" + + res = samdb.search(base=dn, controls=["search_options:1:2", "reveal:1"], + attrs=[att]) + + blacklist = {} + hash = {} + newlinklist = [] + changed = False + + for v in value: + newlinklist.append(str(v)) + + for e in value: + hash[e] = 1 + # for w2k domain level the reveal won't reveal anything ... + # it means that we can readd links that were removed on purpose ... 
+ # Also this function in fact just accept add not removal + + for e in res[0][att]: + if not e in hash: + # We put in the blacklist all the element that are in the "revealed" + # result and not in the "standard" result + # This element are links that were removed before and so that + # we don't wan't to readd + blacklist[e] = 1 + + for e in ref_value: + if not e in blacklist and not e in hash: + newlinklist.append(str(e)) + changed = True + if changed: + delta[att] = MessageElement(newlinklist, FLAG_MOD_REPLACE, att) + else: + delta.remove(att) + + return delta + + +def checkKeepAttributeWithMetadata(delta, att, message, reference, current, + hash_attr_usn, basedn, usns, samdb): + """ Check if we should keep the attribute modification or not + + :param delta: A message diff object + :param att: An attribute + :param message: A function to print messages + :param reference: A message object for the current entry comming from + the reference provision. + :param current: A message object for the current entry commin from + the current provision. + :param hash_attr_usn: A dictionary with attribute name as keys, + USN and invocation id as values. + :param basedn: The DN of the partition + :param usns: A dictionary with invocation ID as keys and USN ranges + as values. + :param samdb: A ldb object pointing to the sam DB + + :return: The modified message diff. 
+ """ + global defSDmodified + isFirst = True + txt = "" + dn = current[0].dn + + for att in list(delta): + if att in ["dn", "objectSid"]: + delta.remove(att) + continue + + # We have updated by provision usn information so let's exploit + # replMetadataProperties + if att in forwardlinked: + curval = current[0].get(att, ()) + refval = reference[0].get(att, ()) + delta = handle_links(samdb, att, basedn, current[0]["dn"], + curval, refval, delta) + continue + + + if isFirst and len(list(delta)) > 1: + isFirst = False + txt = "%s\n" % (str(dn)) + + if handle_special_case(att, delta, reference, current, True, None, None): + # This attribute is "complicated" to handle and handling + # was done in handle_special_case + continue + + attrUSN = None + if hash_attr_usn.get(att): + [attrUSN, attInvId] = hash_attr_usn.get(att) + + if attrUSN is None: + # If it's a replicated attribute and we don't have any USN + # information about it. It means that we never saw it before + # so let's add it ! + # If it is a replicated attribute but we are not master on it + # (ie. not initially added in the provision we masterize). 
+ # attrUSN will be -1 + if isReplicated(att): + continue + else: + message(CHANGE, "Non replicated attribute %s changed" % att) + continue + + if att == "nTSecurityDescriptor": + cursd = ndr_unpack(security.descriptor, + current[0]["nTSecurityDescriptor"][0]) + refsd = ndr_unpack(security.descriptor, + reference[0]["nTSecurityDescriptor"][0]) + + diff = get_diff_sds(refsd, cursd, names.domainsid) + if diff == "": + # FIXME find a way to have it only with huge huge verbose mode + # message(CHANGE, "%ssd are identical" % txt) + # txt = "" + delta.remove(att) + continue + else: + delta.remove(att) + message(CHANGESD, "%ssd are not identical:\n%s" % (txt, diff)) + txt = "" + if attrUSN == -1: + message(CHANGESD, "But the SD has been changed by someonelse " + "so it's impossible to know if the difference" + " cames from the modification or from a previous bug") + global dnNotToRecalculateFound + dnNotToRecalculateFound = True + else: + dnToRecalculate.append(dn) + continue + + if attrUSN == -1: + # This attribute was last modified by another DC forget + # about it + message(CHANGE, "%sAttribute: %s has been " + "created/modified/deleted by another DC. " + "Doing nothing" % (txt, att)) + txt = "" + delta.remove(att) + continue + elif not usn_in_range(int(attrUSN), usns.get(attInvId)): + message(CHANGE, "%sAttribute: %s was not " + "created/modified/deleted during a " + "provision or upgradeprovision. Current " + "usn: %d. Doing nothing" % (txt, att, + attrUSN)) + txt = "" + delta.remove(att) + continue + else: + if att == "defaultSecurityDescriptor": + defSDmodified = True + if attrUSN: + message(CHANGE, "%sAttribute: %s will be modified" + "/deleted it was last modified " + "during a provision. 
Current usn: " + "%d" % (txt, att, attrUSN)) + txt = "" + else: + message(CHANGE, "%sAttribute: %s will be added because " + "it did not exist before" % (txt, att)) + txt = "" + continue + + return delta + +def update_present(ref_samdb, samdb, basedn, listPresent, usns): + """ This function updates the object that are already present in the + provision + + :param ref_samdb: An LDB object pointing to the reference provision + :param samdb: An LDB object pointing to the updated provision + :param basedn: A string with the value of the base DN for the provision + (ie. DC=foo, DC=bar) + :param listPresent: A list of object that is present in the provision + :param usns: A list of USN range modified by previous provision and + upgradeprovision grouped by invocation ID + """ + + # This hash is meant to speedup lookup of attribute name from an oid, + # it's for the replPropertyMetaData handling + hash_oid_name = {} + res = samdb.search(expression="objectClass=attributeSchema", base=basedn, + controls=["search_options:1:2"], attrs=["attributeID", + "lDAPDisplayName"]) + if len(res) > 0: + for e in res: + strDisplay = str(e.get("lDAPDisplayName")) + hash_oid_name[str(e.get("attributeID"))] = strDisplay + else: + msg = "Unable to insert missing elements: circular references" + raise ProvisioningError(msg) + + changed = 0 + sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL + controls = ["search_options:1:2", "sd_flags:1:%d" % sd_flags] + message(CHANGE, "Using replPropertyMetadata for change selection") + for dn in listPresent: + reference = ref_samdb.search(expression="(distinguishedName=%s)" % (str(dn)), base=basedn, + scope=SCOPE_SUBTREE, + controls=controls) + current = samdb.search(expression="(distinguishedName=%s)" % (str(dn)), base=basedn, + scope=SCOPE_SUBTREE, controls=controls) + + if ( + (str(current[0].dn) != str(reference[0].dn)) and + (str(current[0].dn).upper() == str(reference[0].dn).upper()) + ): + message(CHANGE, "Names are the same 
except for the case. " + "Renaming %s to %s" % (str(current[0].dn), + str(reference[0].dn))) + identic_rename(samdb, reference[0].dn) + current = samdb.search(expression="(distinguishedName=%s)" % (str(dn)), base=basedn, + scope=SCOPE_SUBTREE, + controls=controls) + + delta = samdb.msg_diff(current[0], reference[0]) + + for att in backlinked: + delta.remove(att) + + for att in attrNotCopied: + delta.remove(att) + + delta.remove("name") + + nb_items = len(list(delta)) + + if nb_items == 1: + continue + + if nb_items > 1: + # Fetch the replPropertyMetaData + res = samdb.search(expression="(distinguishedName=%s)" % (str(dn)), base=basedn, + scope=SCOPE_SUBTREE, controls=controls, + attrs=["replPropertyMetaData"]) + ctr = ndr_unpack(drsblobs.replPropertyMetaDataBlob, + res[0]["replPropertyMetaData"][0]).ctr + + hash_attr_usn = {} + for o in ctr.array: + # We put in this hash only modification + # made on the current host + att = hash_oid_name[samdb.get_oid_from_attid(o.attid)] + if str(o.originating_invocation_id) in usns.keys(): + hash_attr_usn[att] = [o.originating_usn, str(o.originating_invocation_id)] + else: + hash_attr_usn[att] = [-1, None] + + delta = checkKeepAttributeWithMetadata(delta, att, message, reference, + current, hash_attr_usn, + basedn, usns, samdb) + + delta.dn = dn + + + if len(delta) >1: + # Skip dn as the value is not really changed ... + attributes=", ".join(delta.keys()[1:]) + modcontrols = [] + relaxedatt = ['iscriticalsystemobject', 'grouptype'] + # Let's try to reduce as much as possible the use of relax control + for attr in delta.keys(): + if attr.lower() in relaxedatt: + modcontrols = ["relax:0", "provision:0"] + message(CHANGE, "%s is different from the reference one, changed" + " attributes: %s\n" % (dn, attributes)) + changed += 1 + samdb.modify(delta, modcontrols) + return changed + +def reload_full_schema(samdb, names): + """Load the updated schema with all the new and existing classes + and attributes. 
+ + :param samdb: An LDB object connected to the sam.ldb of the update + provision + :param names: List of key provision parameters + """ + + schemadn = str(names.schemadn) + current = samdb.search(expression="objectClass=*", base=schemadn, + scope=SCOPE_SUBTREE) + + schema_ldif = "".join(samdb.write_ldif(ent, ldb.CHANGETYPE_NONE) for ent in current) + + prefixmap_data = b64encode(open(setup_path("prefixMap.txt"), 'rb').read()).decode('utf8') + + # We don't actually add this ldif, just parse it + prefixmap_ldif = "dn: %s\nprefixMap:: %s\n\n" % (schemadn, prefixmap_data) + + dsdb._dsdb_set_schema_from_ldif(samdb, prefixmap_ldif, schema_ldif, schemadn) + + +def update_partition(ref_samdb, samdb, basedn, names, schema, provisionUSNs, prereloadfunc): + """Check differences between the reference provision and the upgraded one. + + It looks for all objects which base DN is name. + + This function will also add the missing object and update existing object + to add or remove attributes that were missing. + + :param ref_sambdb: An LDB object conntected to the sam.ldb of the + reference provision + :param samdb: An LDB object connected to the sam.ldb of the update + provision + :param basedn: String value of the DN of the partition + :param names: List of key provision parameters + :param schema: A Schema object + :param provisionUSNs: A dictionary with range of USN modified during provision + or upgradeprovision. Ranges are grouped by invocationID. 
+ :param prereloadfunc: A function that must be executed just before the reload + of the schema + """ + + hash_new = {} + hash = {} + listMissing = [] + listPresent = [] + reference = [] + current = [] + + # Connect to the reference provision and get all the attribute in the + # partition referred by name + reference = ref_samdb.search(expression="objectClass=*", base=basedn, + scope=SCOPE_SUBTREE, attrs=["dn"], + controls=["search_options:1:2"]) + + current = samdb.search(expression="objectClass=*", base=basedn, + scope=SCOPE_SUBTREE, attrs=["dn"], + controls=["search_options:1:2"]) + # Create a hash for speeding the search of new object + for i in range(0, len(reference)): + hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"] + + # Create a hash for speeding the search of existing object in the + # current provision + for i in range(0, len(current)): + hash[str(current[i]["dn"]).lower()] = current[i]["dn"] + + + for k in hash_new.keys(): + if not k in hash: + if not str(hash_new[k]) == "CN=Deleted Objects, %s" % names.rootdn: + listMissing.append(hash_new[k]) + else: + listPresent.append(hash_new[k]) + + # Sort the missing object in order to have object of the lowest level + # first (which can be containers for higher level objects) + listMissing.sort(key=cmp_to_key(dn_sort)) + listPresent.sort(key=cmp_to_key(dn_sort)) + + # The following lines is to load the up to + # date schema into our current LDB + # a complete schema is needed as the insertion of attributes + # and class is done against it + # and the schema is self validated + samdb.set_schema(schema) + try: + message(SIMPLE, "There are %d missing objects" % (len(listMissing))) + add_deletedobj_containers(ref_samdb, samdb, names) + + add_missing_entries(ref_samdb, samdb, names, basedn, listMissing) + + prereloadfunc() + message(SIMPLE, "Reloading a merged schema, which might trigger " + "reindexing so please be patient") + reload_full_schema(samdb, names) + message(SIMPLE, "Schema reloaded!") + 
+ changed = update_present(ref_samdb, samdb, basedn, listPresent, + provisionUSNs) + message(SIMPLE, "There are %d changed objects" % (changed)) + return 1 + + except Exception as err: + message(ERROR, "Exception during upgrade of samdb:") + (typ, val, tb) = sys.exc_info() + traceback.print_exception(typ, val, tb) + return 0 + + +def check_updated_sd(ref_sam, cur_sam, names): + """Check if the security descriptor in the upgraded provision are the same + as the reference + + :param ref_sam: A LDB object connected to the sam.ldb file used as + the reference provision + :param cur_sam: A LDB object connected to the sam.ldb file used as + upgraded provision + :param names: List of key provision parameters""" + reference = ref_sam.search(expression="objectClass=*", base=str(names.rootdn), + scope=SCOPE_SUBTREE, + attrs=["dn", "nTSecurityDescriptor"], + controls=["search_options:1:2"]) + current = cur_sam.search(expression="objectClass=*", base=str(names.rootdn), + scope=SCOPE_SUBTREE, + attrs=["dn", "nTSecurityDescriptor"], + controls=["search_options:1:2"]) + hash = {} + for i in range(0, len(reference)): + refsd_blob = reference[i]["nTSecurityDescriptor"][0] + hash[str(reference[i]["dn"]).lower()] = refsd_blob + + + for i in range(0, len(current)): + key = str(current[i]["dn"]).lower() + if key in hash: + cursd_blob = current[i]["nTSecurityDescriptor"][0] + cursd = ndr_unpack(security.descriptor, + cursd_blob) + if cursd_blob != hash[key]: + refsd = ndr_unpack(security.descriptor, + hash[key]) + txt = get_diff_sds(refsd, cursd, names.domainsid, False) + if txt != "": + message(CHANGESD, "On object %s ACL is different" + " \n%s" % (current[i]["dn"], txt)) + + + +def fix_wellknown_sd(samdb, names): + """This function fix the SD for partition/wellknown containers (basedn, configdn, ...) 
+ This is needed because some provision use to have broken SD on containers + + :param samdb: An LDB object pointing to the sam of the current provision + :param names: A list of key provision parameters + """ + + list_wellknown_dns = [] + + subcontainers = get_wellknown_sds(samdb) + + for [dn, descriptor_fn] in subcontainers: + list_wellknown_dns.append(dn) + if dn in dnToRecalculate: + delta = Message() + delta.dn = dn + descr = descriptor_fn(names.domainsid, name_map=names.name_map) + delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE, + "nTSecurityDescriptor" ) + samdb.modify(delta) + message(CHANGESD, "nTSecurityDescriptor updated on wellknown DN: %s" % delta.dn) + + return list_wellknown_dns + +def rebuild_sd(samdb, names): + """Rebuild security descriptor of the current provision from scratch + + During the different pre release of samba4 security descriptors + (SD) were notarly broken (up to alpha11 included) + + This function allows one to get them back in order, this function works + only after the database comparison that --full mode uses and which + populates the dnToRecalculate and dnNotToRecalculate lists. + + The idea is that the SD can be safely recalculated from scratch to get it right. 
+ + :param names: List of key provision parameters""" + + listWellknown = fix_wellknown_sd(samdb, names) + + if len(dnToRecalculate) != 0: + message(CHANGESD, "%d DNs have been marked as needed to be recalculated" + % (len(dnToRecalculate))) + + for dn in dnToRecalculate: + # well known SDs have already been reset + if dn in listWellknown: + continue + delta = Message() + delta.dn = dn + sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL + try: + descr = get_empty_descriptor(names.domainsid) + delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE, + "nTSecurityDescriptor") + samdb.modify(delta, ["sd_flags:1:%d" % sd_flags,"relax:0","local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK]) + except LdbError as e: + samdb.transaction_cancel() + res = samdb.search(expression="objectClass=*", base=str(delta.dn), + scope=SCOPE_BASE, + attrs=["nTSecurityDescriptor"], + controls=["sd_flags:1:%d" % sd_flags]) + badsd = ndr_unpack(security.descriptor, + res[0]["nTSecurityDescriptor"][0]) + message(ERROR, "On %s bad stuff %s" % (str(delta.dn),badsd.as_sddl(names.domainsid))) + return + +def hasATProvision(samdb): + entry = samdb.search(expression="(distinguishedName=@PROVISION)", base = "", + scope=SCOPE_BASE, + attrs=["dn"]) + + if entry is not None and len(entry) == 1: + return True + else: + return False + +def removeProvisionUSN(samdb): + attrs = [samba.provision.LAST_PROVISION_USN_ATTRIBUTE, "dn"] + entry = samdb.search(expression="(distinguishedName=@PROVISION)", base = "", + scope=SCOPE_BASE, + attrs=attrs) + empty = Message() + empty.dn = entry[0].dn + delta = samdb.msg_diff(entry[0], empty) + delta.remove("dn") + delta.dn = entry[0].dn + samdb.modify(delta) + +def remove_stored_generated_attrs(paths, creds, session, lp): + """Remove previously stored constructed attributes + + :param paths: List of paths for different provision objects + from the upgraded provision + :param creds: A credential object + :param session: A session object + 
:param lp: A line parser object + :return: An associative array whose key are the different constructed + attributes and the value the dn where this attributes were found. + """ + + +def simple_update_basesamdb(newpaths, paths, names): + """Update the provision container db: sam.ldb + This function is aimed at very old provision (before alpha9) + + :param newpaths: List of paths for different provision objects + from the reference provision + :param paths: List of paths for different provision objects + from the upgraded provision + :param names: List of key provision parameters""" + + message(SIMPLE, "Copy samdb") + tdb_util.tdb_copy(newpaths.samdb, paths.samdb) + + message(SIMPLE, "Update partitions filename if needed") + schemaldb = os.path.join(paths.private_dir, "schema.ldb") + configldb = os.path.join(paths.private_dir, "configuration.ldb") + usersldb = os.path.join(paths.private_dir, "users.ldb") + samldbdir = os.path.join(paths.private_dir, "sam.ldb.d") + + if not os.path.isdir(samldbdir): + os.mkdir(samldbdir) + os.chmod(samldbdir, 0o700) + if os.path.isfile(schemaldb): + tdb_util.tdb_copy(schemaldb, os.path.join(samldbdir, + "%s.ldb"%str(names.schemadn).upper())) + os.remove(schemaldb) + if os.path.isfile(usersldb): + tdb_util.tdb_copy(usersldb, os.path.join(samldbdir, + "%s.ldb"%str(names.rootdn).upper())) + os.remove(usersldb) + if os.path.isfile(configldb): + tdb_util.tdb_copy(configldb, os.path.join(samldbdir, + "%s.ldb"%str(names.configdn).upper())) + os.remove(configldb) + + +def update_samdb(ref_samdb, samdb, names, provisionUSNs, schema, prereloadfunc): + """Upgrade the SAM DB contents for all the provision partitions + + :param ref_sambdb: An LDB object conntected to the sam.ldb of the reference + provision + :param samdb: An LDB object connected to the sam.ldb of the update + provision + :param names: List of key provision parameters + :param provisionUSNs: A dictionary with range of USN modified during provision + or upgradeprovision. 
Ranges are grouped by invocationID. + :param schema: A Schema object that represent the schema of the provision + :param prereloadfunc: A function that must be executed just before the reload + of the schema + """ + + message(SIMPLE, "Starting update of samdb") + ret = update_partition(ref_samdb, samdb, str(names.rootdn), names, + schema, provisionUSNs, prereloadfunc) + if ret: + message(SIMPLE, "Update of samdb finished") + return 1 + else: + message(SIMPLE, "Update failed") + return 0 + + +def backup_provision(samdb, paths, dir, only_db): + """This function backup the provision files so that a rollback + is possible + + :param paths: Paths to different objects + :param dir: Directory where to store the backup + :param only_db: Skip sysvol for users with big sysvol + """ + + # Currently we default to tdb for the backend store type + # + backend_store = "tdb" + res = samdb.search(base="@PARTITION", + scope=ldb.SCOPE_BASE, + attrs=["backendStore"]) + if "backendStore" in res[0]: + backend_store = str(res[0]["backendStore"][0]) + + + if paths.sysvol and not only_db: + copytree_with_xattrs(paths.sysvol, os.path.join(dir, "sysvol")) + + tdb_util.tdb_copy(paths.samdb, os.path.join(dir, os.path.basename(paths.samdb))) + tdb_util.tdb_copy(paths.secrets, os.path.join(dir, os.path.basename(paths.secrets))) + tdb_util.tdb_copy(paths.idmapdb, os.path.join(dir, os.path.basename(paths.idmapdb))) + tdb_util.tdb_copy(paths.privilege, os.path.join(dir, os.path.basename(paths.privilege))) + if os.path.isfile(os.path.join(paths.private_dir,"eadb.tdb")): + tdb_util.tdb_copy(os.path.join(paths.private_dir,"eadb.tdb"), os.path.join(dir, "eadb.tdb")) + shutil.copy2(paths.smbconf, dir) + shutil.copy2(os.path.join(paths.private_dir,"secrets.keytab"), dir) + + samldbdir = os.path.join(paths.private_dir, "sam.ldb.d") + if not os.path.isdir(samldbdir): + samldbdir = paths.private_dir + schemaldb = os.path.join(paths.private_dir, "schema.ldb") + configldb = os.path.join(paths.private_dir, 
"configuration.ldb") + usersldb = os.path.join(paths.private_dir, "users.ldb") + tdb_util.tdb_copy(schemaldb, os.path.join(dir, "schema.ldb")) + tdb_util.tdb_copy(usersldb, os.path.join(dir, "configuration.ldb")) + tdb_util.tdb_copy(configldb, os.path.join(dir, "users.ldb")) + else: + os.mkdir(os.path.join(dir, "sam.ldb.d"), 0o700) + + for ldb_name in os.listdir(samldbdir): + if not ldb_name.endswith("-lock"): + if backend_store == "mdb" and ldb_name != "metadata.tdb": + mdb_util.mdb_copy(os.path.join(samldbdir, ldb_name), + os.path.join(dir, "sam.ldb.d", ldb_name)) + else: + tdb_util.tdb_copy(os.path.join(samldbdir, ldb_name), + os.path.join(dir, "sam.ldb.d", ldb_name)) + + +def sync_calculated_attributes(samdb, names): + """Synchronize attributes used for constructed ones, with the + old constructed that were stored in the database. + + This apply for instance to msds-keyversionnumber that was + stored and that is now constructed from replpropertymetadata. + + :param samdb: An LDB object attached to the currently upgraded samdb + :param names: Various key parameter about current provision. + """ + listAttrs = ["msDs-KeyVersionNumber"] + hash = search_constructed_attrs_stored(samdb, names.rootdn, listAttrs) + if "msDs-KeyVersionNumber" in hash: + increment_calculated_keyversion_number(samdb, names.rootdn, + hash["msDs-KeyVersionNumber"]) + +# Synopsis for updateprovision +# 1) get path related to provision to be update (called current) +# 2) open current provision ldbs +# 3) fetch the key provision parameter (domain sid, domain guid, invocationid +# of the DC ....) 
+# 4) research of lastProvisionUSN in order to get ranges of USN modified +# by either upgradeprovision or provision +# 5) creation of a new provision the latest version of provision script +# (called reference) +# 6) get reference provision paths +# 7) open reference provision ldbs +# 8) setup helpers data that will help the update process +# 9) (SKIPPED) we no longer update the privilege ldb by copying the one of referecence provision to +# the current provision, because a shutil.copy would break the transaction locks both databases are under +# and this database has not changed between 2009 and Samba 4.0.3 in Feb 2013 (at least) +# 10)get the oemInfo field, this field contains information about the different +# provision that have been done +# 11)Depending on if the --very-old-pre-alpha9 flag is set the following things are done +# A) When alpha9 or alphaxx not specified (default) +# The base sam.ldb file is updated by looking at the difference between +# referrence one and the current one. Everything is copied with the +# exception of lastProvisionUSN attributes. 
+# B) Other case (it reflect that that provision was done before alpha9) +# The base sam.ldb of the reference provision is copied over +# the current one, if necessary ldb related to partitions are moved +# and renamed +# The highest used USN is fetched so that changed by upgradeprovision +# usn can be tracked +# 12)A Schema object is created, it will be used to provide a complete +# schema to current provision during update (as the schema of the +# current provision might not be complete and so won't allow some +# object to be created) +# 13)Proceed to full update of sam DB (see the separate paragraph about i) +# 14)The secrets db is updated by pull all the difference from the reference +# provision into the current provision +# 15)As the previous step has most probably modified the password stored in +# in secret for the current DC, a new password is generated, +# the kvno is bumped and the entry in samdb is also updated +# 16)For current provision older than alpha9, we must fix the SD a little bit +# administrator to update them because SD used to be generated with the +# system account before alpha9. +# 17)The highest usn modified so far is searched in the database it will be +# the upper limit for usn modified during provision. +# This is done before potential SD recalculation because we do not want +# SD modified during recalculation to be marked as modified during provision +# (and so possibly remplaced at next upgradeprovision) +# 18)Rebuilt SD if the flag indicate to do so +# 19)Check difference between SD of reference provision and those of the +# current provision. The check is done by getting the sddl representation +# of the SD. Each sddl in chuncked into parts (user,group,dacl,sacl) +# Each part is verified separetly, for dacl and sacl ACL is splited into +# ACEs and each ACE is verified separately (so that a permutation in ACE +# didn't raise as an error). 
+# 20)The oemInfo field is updated to add information about the fact that the +# provision has been updated by the upgradeprovision version xxx +# (the version is the one obtained when starting samba with the --version +# parameter) +# 21)Check if the current provision has all the settings needed for dynamic +# DNS update to work (that is to say the provision is newer than +# january 2010). If not dns configuration file from reference provision +# are copied in a sub folder and the administrator is invited to +# do what is needed. +# 22)If the lastProvisionUSN attribute was present it is updated to add +# the range of usns modified by the current upgradeprovision + + +# About updating the sam DB +# The update takes place in update_partition function +# This function read both current and reference provision and list all +# the available DN of objects +# If the string representation of a DN in reference provision is +# equal to the string representation of a DN in current provision +# (without taking care of case) then the object is flaged as being +# present. If the object is not present in current provision the object +# is being flaged as missing in current provision. Object present in current +# provision but not in reference provision are ignored. +# Once the list of objects present and missing is done, the deleted object +# containers are created in the differents partitions (if missing) +# +# Then the function add_missing_entries is called +# This function will go through the list of missing entries by calling +# add_missing_object for the given object. 
If this function returns 0 +# it means that the object needs some other object in order to be created +# The object is reappended at the end of the list to be created later +# (and preferably after all the needed object have been created) +# The function keeps on looping on the list of object to be created until +# it's empty or that the number of deferred creation is equal to the number +# of object that still needs to be created. + +# The function add_missing_object will first check if the object can be created. +# That is to say that it didn't depends other not yet created objects +# If requisit can't be fullfilled it exists with 0 +# Then it will try to create the missing entry by creating doing +# an ldb_message_diff between the object in the reference provision and +# an empty object. +# This resulting object is filtered to remove all the back link attribute +# (ie. memberOf) as they will be created by the other linked object (ie. +# the one with the member attribute) +# All attributes specified in the attrNotCopied array are +# also removed it's most of the time generated attributes + +# After missing entries have been added the update_partition function will +# take care of object that exist but that need some update. +# In order to do so the function update_present is called with the list +# of object that are present in both provision and that might need an update. + +# This function handle first case mismatch so that the DN in the current +# provision have the same case as in reference provision + +# It will then construct an associative array consiting of attributes as +# key and invocationid as value( if the originating invocation id is +# different from the invocation id of the current DC the value is -1 instead). 
+ +# If the range of provision modified attributes is present, the function will +# use the replMetadataProperty update method which is the following: +# Removing attributes that should not be updated: rIDAvailablePool, objectSid, +# creationTime, msDs-KeyVersionNumber, oEMInformation +# Check for each attribute if its usn is within one of the modified by +# provision range and if its originating id is the invocation id of the +# current DC, then validate the update from reference to current. +# If not or if there is no replMetatdataProperty for this attribute then we +# do not update it. +# Otherwise (case the range of provision modified attribute is not present) it +# use the following process: +# All attributes that need to be added are accepted at the exeption of those +# listed in hashOverwrittenAtt, in this case the attribute needs to have the +# correct flags specified. +# For attributes that need to be modified or removed, a check is performed +# in OverwrittenAtt, if the attribute is present and the modification flag +# (remove, delete) is one of those listed for this attribute then modification +# is accepted. For complicated handling of attribute update, the control is passed +# to handle_special_case + + + +if __name__ == '__main__': + defSDmodified = False + + # From here start the big steps of the program + # 1) First get files paths + paths = get_paths(param, smbconf=smbconf) + # Get ldbs with the system session, it is needed for searching + # provision parameters + session = system_session() + + # This variable will hold the last provision USN once if it exists. + minUSN = 0 + # 2) + ldbs = get_ldbs(paths, creds, session, lp) + backupdir = tempfile.mkdtemp(dir=paths.private_dir, + prefix="backupprovision") + backup_provision(ldbs.sam, paths, backupdir, opts.db_backup_only) + try: + ldbs.startTransactions() + + # 3) Guess all the needed names (variables in fact) from the current + # provision. 
+ names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap, + paths, smbconf, lp) + # 4) + lastProvisionUSNs = get_last_provision_usn(ldbs.sam) + if lastProvisionUSNs is not None: + v = 0 + for k in lastProvisionUSNs.keys(): + for r in lastProvisionUSNs[k]: + v = v + 1 + + message(CHANGE, + "Find last provision USN, %d invocation(s) for a total of %d ranges" % + (len(lastProvisionUSNs.keys()), v /2 )) + + if lastProvisionUSNs.get("default") is not None: + message(CHANGE, "Old style for usn ranges used") + lastProvisionUSNs[str(names.invocation)] = lastProvisionUSNs["default"] + del lastProvisionUSNs["default"] + else: + message(SIMPLE, "Your provision lacks provision range information") + if confirm("Do you want to run findprovisionusnranges to try to find them ?", False): + ldbs.groupedRollback() + minobj = 5 + (hash_id, nb_obj) = findprovisionrange(ldbs.sam, ldb.Dn(ldbs.sam, str(names.rootdn))) + message(SIMPLE, "Here is a list of changes that modified more than %d objects in 1 minute." % minobj) + message(SIMPLE, "Usually changes made by provision and upgradeprovision are those who affect a couple" + " of hundred of objects or more") + message(SIMPLE, "Total number of objects: %d" % nb_obj) + message(SIMPLE, "") + + print_provision_ranges(hash_id, minobj, None, str(paths.samdb), str(names.invocation)) + + message(SIMPLE, "Once you applied/adapted the change(s) please restart the upgradeprovision script") + sys.exit(0) + + # Objects will be created with the admin session + # (not anymore system session) + adm_session = admin_session(lp, str(names.domainsid)) + # So we reget handle on objects + # ldbs = get_ldbs(paths, creds, adm_session, lp) + + if not sanitychecks(ldbs.sam, names): + message(SIMPLE, "Sanity checks for the upgrade have failed. 
" + "Check the messages and correct the errors " + "before rerunning upgradeprovision") + ldbs.groupedRollback() + sys.exit(1) + + # Let's see provision parameters + print_provision_key_parameters(names) + + # 5) With all this information let's create a fresh new provision used as + # reference + message(SIMPLE, "Creating a reference provision") + provisiondir = tempfile.mkdtemp(dir=paths.private_dir, + prefix="referenceprovision") + result = newprovision(names, session, smbconf, provisiondir, + provision_logger, base_schema="2008_R2") + result.report_logger(provision_logger) + + # TODO + # 6) and 7) + # We need to get a list of object which SD is directly computed from + # defaultSecurityDescriptor. + # This will allow us to know which object we can rebuild the SD in case + # of change of the parent's SD or of the defaultSD. + # Get file paths of this new provision + newpaths = get_paths(param, targetdir=provisiondir) + new_ldbs = get_ldbs(newpaths, creds, session, lp) + new_ldbs.startTransactions() + + populateNotReplicated(new_ldbs.sam, names.schemadn) + # 8) Populate some associative array to ease the update process + # List of attribute which are link and backlink + populate_links(new_ldbs.sam, names.schemadn) + # List of attribute with ASN DN synthax) + populate_dnsyntax(new_ldbs.sam, names.schemadn) + # 9) (now skipped, was copy of privileges.ldb) + # 10) + oem = getOEMInfo(ldbs.sam, str(names.rootdn)) + # Do some modification on sam.ldb + ldbs.groupedCommit() + new_ldbs.groupedCommit() + deltaattr = None + # 11) + message(GUESS, oem) + if oem is None or hasATProvision(ldbs.sam) or not opts.very_old_pre_alpha9: + # 11) A + # Starting from alpha9 we can consider that the structure is quite ok + # and that we should do only dela + deltaattr = delta_update_basesamdb(newpaths.samdb, + paths.samdb, + creds, + session, + lp, + message) + else: + # 11) B + simple_update_basesamdb(newpaths, paths, names) + ldbs = get_ldbs(paths, creds, session, lp) + 
removeProvisionUSN(ldbs.sam) + + ldbs.startTransactions() + minUSN = int(str(get_max_usn(ldbs.sam, str(names.rootdn)))) + 1 + new_ldbs.startTransactions() + + # 12) + schema = Schema(names.domainsid, schemadn=str(names.schemadn)) + # We create a closure that will be invoked just before schema reload + def schemareloadclosure(): + basesam = Ldb(paths.samdb, session_info=session, credentials=creds, lp=lp, + options=["modules:"]) + doit = False + if deltaattr is not None and len(deltaattr) > 1: + doit = True + if doit: + deltaattr.remove("dn") + for att in deltaattr: + if att.lower() == "dn": + continue + if (deltaattr.get(att) is not None + and deltaattr.get(att).flags() != FLAG_MOD_ADD): + doit = False + elif deltaattr.get(att) is None: + doit = False + if doit: + message(CHANGE, "Applying delta to @ATTRIBUTES") + deltaattr.dn = ldb.Dn(basesam, "@ATTRIBUTES") + basesam.modify(deltaattr) + else: + message(CHANGE, "Not applying delta to @ATTRIBUTES because " + "there is not only add") + # 13) + if opts.full: + if not update_samdb(new_ldbs.sam, ldbs.sam, names, lastProvisionUSNs, + schema, schemareloadclosure): + message(SIMPLE, "Rolling back all changes. 
Check the cause" + " of the problem") + message(SIMPLE, "Your system is as it was before the upgrade") + ldbs.groupedRollback() + new_ldbs.groupedRollback() + shutil.rmtree(provisiondir) + sys.exit(1) + else: + # Try to reapply the change also when we do not change the sam + # as the delta_upgrade + schemareloadclosure() + sync_calculated_attributes(ldbs.sam, names) + res = ldbs.sam.search(expression="(samaccountname=dns)", + scope=SCOPE_SUBTREE, attrs=["dn"], + controls=["search_options:1:2"]) + if len(res) > 0: + message(SIMPLE, "You still have the old DNS object for managing " + "dynamic DNS, but you didn't supply --full so " + "a correct update can't be done") + ldbs.groupedRollback() + new_ldbs.groupedRollback() + shutil.rmtree(provisiondir) + sys.exit(1) + # 14) + update_secrets(new_ldbs.secrets, ldbs.secrets, message) + # 14bis) + res = ldbs.sam.search(expression="(samaccountname=dns)", + scope=SCOPE_SUBTREE, attrs=["dn"], + controls=["search_options:1:2"]) + + if (len(res) == 1): + ldbs.sam.delete(res[0]["dn"]) + res2 = ldbs.secrets.search(expression="(samaccountname=dns)", + scope=SCOPE_SUBTREE, attrs=["dn"]) + update_dns_account_password(ldbs.sam, ldbs.secrets, names) + message(SIMPLE, "IMPORTANT!!! " + "If you were using Dynamic DNS before you need " + "to update your configuration, so that the " + "tkey-gssapi-credential has the following value: " + "DNS/%s.%s" % (names.netbiosname.lower(), + names.realm.lower())) + # 15) + message(SIMPLE, "Update machine account") + update_machine_account_password(ldbs.sam, ldbs.secrets, names) + + # 16) SD should be created with admin but as some previous acl were so wrong + # that admin can't modify them we have first to recreate them with the good + # form but with system account and then give the ownership to admin ... 
+ if opts.very_old_pre_alpha9: + message(SIMPLE, "Fixing very old provision SD") + rebuild_sd(ldbs.sam, names) + + # We calculate the max USN before recalculating the SD because we might + # touch object that have been modified after a provision and we do not + # want that the next upgradeprovision thinks that it has a green light + # to modify them + + # 17) + maxUSN = get_max_usn(ldbs.sam, str(names.rootdn)) + + # 18) We rebuild SD if a we have a list of DN to recalculate or if the + # defSDmodified is set. + if opts.full and (defSDmodified or len(dnToRecalculate) >0): + message(SIMPLE, "Some (default) security descriptors (SDs) have " + "changed, recalculating them") + ldbs.sam.set_session_info(adm_session) + rebuild_sd(ldbs.sam, names) + + # 19) + # Now we are quite confident in the recalculate process of the SD, we make + # it optional. And we don't do it if there is DN that we must touch + # as we are assured that on this DNs we will have differences ! + # Also the check must be done in a clever way as for the moment we just + # compare SDDL + if dnNotToRecalculateFound == False and (opts.debugchangesd or opts.debugall): + message(CHANGESD, "Checking recalculated SDs") + check_updated_sd(new_ldbs.sam, ldbs.sam, names) + + # 20) + updateOEMInfo(ldbs.sam, str(names.rootdn)) + # 21) + check_for_DNS(newpaths.private_dir, paths.private_dir, + newpaths.binddns_dir, paths.binddns_dir, + names.dns_backend) + # 22) + update_provision_usn(ldbs.sam, minUSN, maxUSN, names.invocation) + if opts.full and (names.policyid is None or names.policyid_dc is None): + update_policyids(names, ldbs.sam) + + if opts.full: + try: + update_gpo(paths, ldbs.sam, names, lp, message) + except ProvisioningError as e: + message(ERROR, "The policy for domain controller is missing. " + "You should restart upgradeprovision with --full") + + ldbs.groupedCommit() + new_ldbs.groupedCommit() + message(SIMPLE, "Upgrade finished!") + # remove reference provision now that everything is done ! 
+ # So we have reindexed first if need when the merged schema was reloaded + # (as new attributes could have quick in) + # But the second part of the update (when we update existing objects + # can also have an influence on indexing as some attribute might have their + # searchflag modificated + message(SIMPLE, "Reopening samdb to trigger reindexing if needed " + "after modification") + samdb = Ldb(paths.samdb, session_info=session, credentials=creds, lp=lp) + message(SIMPLE, "Reindexing finished") + + shutil.rmtree(provisiondir) + except Exception as err: + message(ERROR, "A problem occurred while trying to upgrade your " + "provision. A full backup is located at %s" % backupdir) + if opts.debugall or opts.debugchange: + (typ, val, tb) = sys.exc_info() + traceback.print_exception(typ, val, tb) + sys.exit(1) diff --git a/source4/scripting/bin/setup_dns.sh b/source4/scripting/bin/setup_dns.sh new file mode 100755 index 0000000..143f2c2 --- /dev/null +++ b/source4/scripting/bin/setup_dns.sh 
@@ -0,0 +1,43 @@
+#!/bin/bash
+# example script to setup DNS for a vampired domain
+
+[ $# = 3 ] || {
+ echo "Usage: setup_dns.sh HOSTNAME DOMAIN IP"
+ exit 1
+}
+
+HOSTNAME="$(echo $1 | tr '[a-z]' '[A-Z]')"
+DOMAIN="$(echo $2 | tr '[a-z]' '[A-Z]')"
+IP="$3"
+
+RSUFFIX=$(echo $DOMAIN | sed s/[\.]/,DC=/g)
+
+[ -z "$PRIVATEDIR" ] && {
+ PRIVATEDIR=$(bin/samba-tool testparm --section-name=global --parameter-name='private dir' --suppress-prompt 2>/dev/null)
+}
+
+OBJECTGUID=$(bin/ldbsearch --scope=base -H "$PRIVATEDIR/sam.ldb" -b "CN=NTDS Settings,CN=$HOSTNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=$RSUFFIX" objectguid | grep ^objectGUID | cut -d: -f2)
+
+samba4kinit=kinit
+if test -x $BINDIR/samba4kinit; then
+ samba4kinit=bin/samba4kinit
+fi
+
+echo "Found objectGUID $OBJECTGUID"
+
+echo "Running kinit for $HOSTNAME\$@$DOMAIN"
+$samba4kinit -e arcfour-hmac-md5 -k -t "$PRIVATEDIR/secrets.keytab" $HOSTNAME\$@$DOMAIN || exit 1
+echo "Adding $HOSTNAME.$DOMAIN"
+scripting/bin/nsupdate-gss --noverify $HOSTNAME $DOMAIN $IP 300 || {
+ echo "Failed to add A record"
+ exit 1
+}
+echo "Adding $OBJECTGUID._msdcs.$DOMAIN => $HOSTNAME.$DOMAIN"
+scripting/bin/nsupdate-gss --realm=$DOMAIN --noverify --ntype="CNAME" $OBJECTGUID _msdcs.$DOMAIN $HOSTNAME.$DOMAIN 300 || {
+ echo "Failed to add CNAME"
+ exit 1
+}
+echo "Checking"
+rndc flush
+host $HOSTNAME.$DOMAIN
+host $OBJECTGUID._msdcs.$DOMAIN
diff --git a/source4/scripting/bin/subunitrun b/source4/scripting/bin/subunitrun
new file mode 100755
index 0000000..7bfa851
--- /dev/null
+++ b/source4/scripting/bin/subunitrun
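Review bot: The samba4kinit detection tests `$BINDIR/samba4kinit` but then runs `bin/samba4kinit`, so whenever BINDIR is anything other than ./bin the check can pass while a different (or missing) binary is executed; use the same path in both places, `if test -x "$BINDIR/samba4kinit"; then samba4kinit="$BINDIR/samba4kinit"; fi`. The PRIVATEDIR lookup discards samba-tool's errors with `2>/dev/null`, so an empty result makes the later ldbsearch and kinit calls operate on `/sam.ldb` and `/secrets.keytab`; a `[ -n "$PRIVATEDIR" ] || { echo "private dir not found"; exit 1; }` after the assignment fails early instead. `$HOSTNAME`, `$DOMAIN`, `$IP`, `$OBJECTGUID` and `$samba4kinit` are expanded unquoted throughout, which only works while the arguments contain no whitespace or glob characters. The kinit line also pins `-e arcfour-hmac-md5`; on a KDC where RC4 is disabled this fails outright, so leaving the enctype to what the keytab holds is more robust.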
@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+
+# Simple subunit testrunner for python
+
+# NOTE: This is deprecated - Using the standard subunit runner is
+# preferred - e.g. "python -m samba.subunit.run YOURMODULE".
+#
+# This wrapper will be removed once all tests can be run
+# without it. At the moment there are various tests which still
+# get e.g. credentials passed via command-line options to this
+# script.
+
+# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2014
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+
+# make sure the script dies immediately when hitting control-C,
+# rather than raising KeyboardInterrupt. As we do all database
+# operations using transactions, this is safe.
+import signal
+signal.signal(signal.SIGINT, signal.SIG_DFL)
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
+import optparse
+import samba
+from samba.tests.subunitrun import TestProgram, SubunitOptions
+
+import samba.getopt as options
+import samba.tests
+
+
+usage = 'subunitrun [options] <tests>'
+description = '''
+This runs a Samba python test suite. The tests are typically located in
+python/samba/tests/*.py
+
+To run the tests from one of those modules, specify the test as
+samba.tests.MODULE. 
For example, to run the tests in common.py:
+
+ subunitrun samba.tests.common
+
+To list the tests in that module, use:
+
+ subunitrun -l samba.tests.common
+
+NOTE: This script is deprecated in favor of "python -m subunit.run". Don't use
+it unless it can be avoided.
+'''
+
+def format_description(formatter):
+ '''hack to prevent textwrap of the description'''
+ return description
+
+parser = optparse.OptionParser(usage=usage, description=description)
+parser.format_description = format_description
+credopts = options.CredentialsOptions(parser)
+sambaopts = options.SambaOptions(parser)
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(credopts)
+parser.add_option_group(sambaopts)
+parser.add_option_group(subunitopts)
+
+opts, args = parser.parse_args()
+
+if not getattr(opts, "listtests", False):
+ lp = sambaopts.get_loadparm()
+ samba.tests.cmdline_credentials = credopts.get_credentials(lp)
+if getattr(opts, 'load_list', None):
+ args.insert(0, "--load-list=%s" % opts.load_list)
+
+TestProgram(module=None, args=args, opts=subunitopts)
diff --git a/source4/scripting/bin/wscript_build b/source4/scripting/bin/wscript_build
new file mode 100644
index 0000000..d31afb2
--- /dev/null
+++ b/source4/scripting/bin/wscript_build
@@ -0,0 +1,14 @@
+#!/usr/bin/env python3
+
+if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'):
+ for script in ['samba_dnsupdate',
+ 'samba_spnupdate',
+ 'samba_kcc',
+ 'samba_upgradeprovision',
+ 'samba_upgradedns',
+ 'gen_output.py',
+ 'samba_downgrade_db']:
+ bld.SAMBA_SCRIPT(script, pattern=script, installdir='.')
+if bld.CONFIG_SET('WITH_ADS'):
+ bld.SAMBA_SCRIPT('samba-tool', pattern='samba-tool', installdir='.')
+bld.SAMBA_SCRIPT('samba-gpupdate', pattern='samba-gpupdate', installdir='.')
diff --git a/source4/scripting/devel/addlotscontacts b/source4/scripting/devel/addlotscontacts
new file mode 100644
index 0000000..9ecd16b
--- /dev/null
+++ b/source4/scripting/devel/addlotscontacts
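Review bot: The two deprecation notices in subunitrun disagree: the header comment at the top of the hunk recommends `python -m samba.subunit.run YOURMODULE`, while the user-visible `description` string ends with `"python -m subunit.run"`; whichever replacement is intended, both texts should name the same module so users are not sent to the wrong runner. `format_description` ignores its `formatter` argument and returns the module-level `description`, which is deliberate but reads like an oversight; a docstring such as `'''Return description verbatim; optparse's default formatter would re-wrap the examples.'''` says why. The `args.insert(0, "--load-list=%s" % opts.load_list)` line forwards a user-supplied path into the test program's argument list, which is fine here but deserves a short comment stating that TestProgram parses that flag itself.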
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) Matthieu Patou <mat@matws.net> 2010
+#
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+__docformat__ = "restructuredText"
+
+
+import optparse
+import sys
+# Allow to run from s4 source directory (without installing samba)
+sys.path.insert(0, "bin/python")
+
+import samba.getopt as options
+from samba.credentials import DONT_USE_KERBEROS
+from samba.auth import system_session
+from samba import param
+from samba.provision import find_provision_key_parameters
+from samba.upgradehelpers import (get_paths, get_ldbs)
+from ldb import SCOPE_BASE, Message, MessageElement, Dn, FLAG_MOD_ADD
+
+parser = optparse.OptionParser("addlotscontacts [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+
+(opts, args) = parser.parse_args()
+
+lp = sambaopts.get_loadparm()
+smbconf = lp.configfile
+creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
+if len(args) > 0:
+ num_contacts = int(args[0])
+else:
+ num_contacts = 10000
+
+if __name__ == '__main__':
+ paths = get_paths(param, smbconf=smbconf)
+ session = system_session()
+
+ ldbs = get_ldbs(paths, creds, session, lp)
+ ldbs.startTransactions()
+
+ names = 
find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
+ paths, smbconf, lp)
+
+ contactdn = "OU=Contacts,%s" % str(names.domaindn)
+ res = ldbs.sam.search(expression="(distinguishedName=%s)" % contactdn,
+ base=str(names.domaindn),
+ scope=SCOPE_BASE)
+
+ if (len(res) == 0):
+ msg = Message()
+ msg.dn = Dn(ldbs.sam, contactdn)
+ msg["objectClass"] = MessageElement("organizationalUnit", FLAG_MOD_ADD,
+ "objectClass")
+
+ ldbs.sam.add(msg)
+
+ print("Creating %d contacts" % num_contacts)
+ count = 0
+ increment = num_contacts / 10
+ if increment > 5000:
+ increment = 5000
+
+ while (count < num_contacts):
+ msg = Message()
+ msg.dn = Dn(ldbs.sam, "CN=contact%d,%s" % (count + 1, contactdn))
+ msg["objectClass"] = MessageElement("contact", FLAG_MOD_ADD,
+ "objectClass")
+
+ if count !=0 and (count % increment) == 0:
+ print("Added contacts: %d" % count)
+
+ ldbs.sam.add(msg)
+ count += 1
+
+ ldbs.groupedCommit()
diff --git a/source4/scripting/devel/chgkrbtgtpass b/source4/scripting/devel/chgkrbtgtpass
new file mode 100644
index 0000000..2beb2e7
--- /dev/null
+++ b/source4/scripting/devel/chgkrbtgtpass
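Review bot: `increment = num_contacts / 10` is true division under the Python 3 shebang, so `increment` is a float and the progress check `(count % increment) == 0` only fires at exact float multiples — for 15 contacts, for instance, `increment` is 1.5 and the "Added contacts" line appears at 3, 6, 9 and 12 rather than every tenth object. Floor division with a lower bound fixes it and folds in the existing clamp: `increment = max(1, min(num_contacts // 10, 5000))`, replacing the three lines from `increment = num_contacts / 10` through `increment = 5000`. `int(args[0])` is the only validation of the count, so a non-numeric or negative argument ends in a traceback; a `parser.error(...)` on `ValueError` would match the usage string the script already defines. The contact creation runs inside the transaction opened by `ldbs.startTransactions()` with no rollback on failure, which is tolerable for a devel script but worth a one-line comment.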
@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) Matthieu Patou <mat@matws.net> 2010
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2015
+#
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+__docformat__ = "restructuredText"
+
+
+import optparse
+import sys
+# Allow to run from s4 source directory (without installing samba)
+sys.path.insert(0, "bin/python")
+
+import samba.getopt as options
+from samba.credentials import DONT_USE_KERBEROS
+from samba.auth import system_session
+from samba import param
+from samba.provision import find_provision_key_parameters
+from samba.upgradehelpers import (get_paths,
+ get_ldbs,
+ update_krbtgt_account_password)
+
+parser = optparse.OptionParser("chgkrbtgtpass [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+
+opts = parser.parse_args()[0]
+
+lp = sambaopts.get_loadparm()
+smbconf = lp.configfile
+creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
+
+paths = get_paths(param, smbconf=smbconf)
+session = system_session()
+
+ldbs = get_ldbs(paths, creds, session, lp)
+ldbs.startTransactions()
+
+update_krbtgt_account_password(ldbs.sam)
+ldbs.groupedCommit()
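Review bot: Nothing rolls back the transaction opened by `ldbs.startTransactions()` when `update_krbtgt_account_password` raises: the script dies on the traceback before `ldbs.groupedCommit()`, and the operator is left to work out whether the krbtgt change was applied. The same shape is in chgtdcpass, whose hunk ends with the `update_machine_account_password` call, and the upgradeprovision script in this series calls `ldbs.groupedRollback()` on its failure paths; wrapping the update the same way keeps the three scripts consistent and makes the outcome explicit. `opts = parser.parse_args()[0]` also silently discards positional arguments; a comment such as `# no positional arguments are accepted` documents that. Unlike its siblings this script has no `if __name__ == '__main__':` guard, which is fine for a command but worth keeping consistent across the devel directory.
```python
ldbs = get_ldbs(paths, creds, session, lp)
ldbs.startTransactions()

try:
    update_krbtgt_account_password(ldbs.sam)
except Exception:
    # Abandon the partial change so the databases stay as they were.
    ldbs.groupedRollback()
    raise
ldbs.groupedCommit()
```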
diff --git a/source4/scripting/devel/chgtdcpass b/source4/scripting/devel/chgtdcpass
new file mode 100755
index 0000000..8f2415c
--- /dev/null
+++ b/source4/scripting/devel/chgtdcpass
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) Matthieu Patou <mat@matws.net> 2010
+#
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+__docformat__ = "restructuredText"
+
+
+import optparse
+import sys
+# Allow to run from s4 source directory (without installing samba)
+sys.path.insert(0, "bin/python")
+
+import samba.getopt as options
+from samba.credentials import DONT_USE_KERBEROS
+from samba.auth import system_session
+from samba import param
+from samba.provision import find_provision_key_parameters
+from samba.upgradehelpers import (get_paths,
+ get_ldbs,
+ update_machine_account_password)
+
+parser = optparse.OptionParser("chgtdcpass [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+
+opts = parser.parse_args()[0]
+
+lp = sambaopts.get_loadparm()
+smbconf = lp.configfile
+creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
+
+if __name__ == '__main__':
+ paths = get_paths(param, smbconf=smbconf)
+ session = system_session()
+
+ ldbs = get_ldbs(paths, creds, session, lp)
+ ldbs.startTransactions()
+
+ names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
+ paths, smbconf, lp)
+
+ update_machine_account_password(ldbs.sam, 
ldbs.secrets, names) + ldbs.groupedCommit() diff --git a/source4/scripting/devel/config_base b/source4/scripting/devel/config_base new file mode 100755 index 0000000..f593f2f --- /dev/null +++ b/source4/scripting/devel/config_base @@ -0,0 +1,39 @@ +#!/usr/bin/env python3 + +# this is useful for running samba tools with a different prefix + +# for example: +# samba-tool $(scripting/devel/config_base /tmp/testprefix) join ..... + +import sys, os + +vars = { + "ncalrpc dir" : "${PREFIX}/var/ncalrpc", + "private dir" : "${PREFIX}/private", + "lock dir" : "${PREFIX}/var/locks", + "pid directory" : "${PREFIX}/var/run", + "winbindd socket directory" : "${PREFIX}/var/run/winbindd", + "ntp signd socket directory" : "${PREFIX}/var/run/ntp_signd" +} + +if len(sys.argv) != 2: + print("Usage: config_base BASEDIRECTORY") + sys.exit(1) + +prefix = sys.argv[1] + +config_dir = prefix + "/etc" +config_file = config_dir + "/smb.conf" + +if not os.path.isdir(config_dir): + os.makedirs(config_dir, mode=0o755) +if not os.path.isfile(config_file): + open(config_file, mode='w').close() + +options = ( + " --configfile=${PREFIX}/etc/smb.conf" + "".join(" --option=%s=%s" % (v.replace(" ",""), vars[v]) for v in vars) + ).replace("${PREFIX}", prefix) + + +print(options) diff --git a/source4/scripting/devel/crackname b/source4/scripting/devel/crackname new file mode 100755 index 0000000..021adfa --- /dev/null +++ b/source4/scripting/devel/crackname 
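Review bot: Option parsing, `get_loadparm()` and `get_credentials()` run at module level, above the `if __name__ == '__main__':` guard, while only the database work sits below it, so merely importing this module already parses `sys.argv` and may exit on a bad option. Moving the `parser = ...` through `creds.set_kerberos_state(...)` block under the guard makes the guard meaningful; as written it protects nothing a caller would care about. `opts` is assigned and never read.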
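Review bot: `vars` shadows the builtin `vars()`; a name such as `path_options` reads better and avoids surprising anyone who later needs the builtin. `open(config_file, mode='w').close()` is only safe because of the preceding `os.path.isfile` check; `open(config_file, "a").close()` creates without ever truncating and needs no check. The header comment should also say that the output is meant to be word-split by the caller's `$(...)`, so a `prefix` containing whitespace would be split into several arguments.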
@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+
+# Copyright Matthieu Patou <mat@matws.net> 2011
+# script to call a DRSUAPI crackname
+# this is useful for plugfest testing and replication debug
+import sys
+from optparse import OptionParser
+
+sys.path.insert(0, "bin/python")
+
+import samba.getopt as options
+from samba.dcerpc import drsuapi, misc
+
+def do_DsBind(drs):
+ '''make a DsBind call, returning the binding handle'''
+ bind_info = drsuapi.DsBindInfoCtr()
+ bind_info.length = 28
+ bind_info.info = drsuapi.DsBindInfo28()
+ bind_info.info.supported_extensions = 0
+ (info, handle) = drs.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID), bind_info)
+ return handle
+
+
+########### main code ###########
+if __name__ == "__main__":
+ parser = OptionParser("crackname server [options]")
+ sambaopts = options.SambaOptions(parser)
+ parser.add_option_group(sambaopts)
+ credopts = options.CredentialsOptionsDouble(parser)
+ parser.add_option_group(credopts)
+
+ parser.add_option("", "--name", type='str',
+ default='{ED9F5546-9729-4B04-9385-3FCFE2B17BA1}', help="name to crack")
+ parser.add_option("", "--outformat", type='int',
+ default=drsuapi.DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
+ help='format desired')
+ parser.add_option("", "--informat", type='int',
+ default=drsuapi.DRSUAPI_DS_NAME_FORMAT_GUID,
+ help='format offered')
+
+ (opts, args) = parser.parse_args()
+
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ if len(args) != 1:
+ parser.error("You must supply a server")
+
+ if creds.is_anonymous():
+ parser.error("You must supply credentials")
+
+ server = args[0]
+
+ binding_str = "ncacn_ip_tcp:%s[seal,print]" % server
+
+ drs = drsuapi.drsuapi(binding_str, lp, creds)
+ drs_handle = do_DsBind(drs)
+ print("DRS Handle: %s" % drs_handle)
+
+ req = drsuapi.DsNameRequest1()
+ names = drsuapi.DsNameString()
+ names.str = opts.name
+
+ req.codepage = 1252
+ req.language = 1033
+ req.format_flags = 0
+ req.format_offered = opts.informat
+ req.format_desired = opts.outformat
+ req.count = 1
+ req.names = [names]
+
+ (result, ctr) = drs.DsCrackNames(drs_handle, 1, req)
+ print("# of result = %d" %ctr.count)
+ if ctr.count:
+ print("status = %d" % ctr.array[0].status)
+ print("result name = %s" % ctr.array[0].result_name)
+ print("domain = %s" % ctr.array[0].dns_domain_name)
diff --git a/source4/scripting/devel/demodirsync.py b/source4/scripting/devel/demodirsync.py
new file mode 100755
index 0000000..e21dbbc
--- /dev/null
+++ b/source4/scripting/devel/demodirsync.py
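Review bot: `do_DsBind` re-implements `samba.drs_utils.drs_DsBind`, which the getncchanges and pfm_verify hunks in this same series already import; `drs_handle, supported_extensions = drs_DsBind(drs)` would drop the local copy and keep the bind-info details (the `DsBindInfo28`, `length = 28`) in one place. This script gates on `creds.is_anonymous()` while enumprivs uses `creds.authentication_requested()`; the two checks do not look equivalent (a `-U user` with no password supplied is not anonymous yet has not asked for authentication either), so the devel scripts should agree on one. The `--name` default is a fixed GUID with no explanation; a comment saying whether it is a well-known object or merely a placeholder exercising the GUID input format would help the next reader.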
@@ -0,0 +1,159 @@ +#!/usr/bin/python + +import optparse +import sys +import base64 + +sys.path.insert(0, "bin/python") + +import samba.getopt as options +from samba.dcerpc import drsblobs, misc +from samba.ndr import ndr_pack, ndr_unpack +from samba import Ldb + +parser = optparse.OptionParser("demodirsync [options]") +sambaopts = options.SambaOptions(parser) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) + +parser.add_option("-b", type="string", metavar="BASE", + help="set base DN for the search") +parser.add_option("--host", type="string", metavar="HOST", + help="Ip of the host") + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +opts = parser.parse_args()[0] + +if opts.host is None: + print("Usage: demodirsync.py --host HOST [-b BASE]") + sys.exit(1) + +def printdirsync(ctl): + arr = ctl.split(':') + if arr[0] == 'dirsync': + print("Need to continue: %s" % arr[1]) + cookie = ndr_unpack(drsblobs.ldapControlDirSyncCookie, base64.b64decode(arr[3])) + print("DC's NTDS guid: %s " % cookie.blob.guid1) + print("highest usn %s" % cookie.blob.highwatermark.highest_usn) + print("tmp higest usn %s" % cookie.blob.highwatermark.tmp_highest_usn) + print("reserved usn %s" % cookie.blob.highwatermark.reserved_usn) + if cookie.blob.extra_length > 0: + print("highest usn in extra %s" % cookie.blob.extra.ctr.cursors[0].highest_usn) + return cookie + + +remote_ldb = Ldb("ldap://" + opts.host + ":389", credentials=creds, lp=lp) +tab = [] +if opts.b: + base = opts.b +else: + base = None + +guid = None +(msgs, ctrls) = remote_ldb.search(expression="(samaccountname=administrator)", base=base, attrs=["objectClass"], controls=["dirsync:1:1:50"]) +if (len(ctrls)): + for ctl in ctrls: + arr = ctl.split(':') + if arr[0] == 'dirsync': + cookie = ndr_unpack(drsblobs.ldapControlDirSyncCookie, base64.b64decode(arr[3])) + guid = cookie.blob.guid1 +if not guid: + print("No dirsync control ... 
strange") + sys.exit(1) + +print("") +print("Getting first guest without any cookie") +(msgs, ctrls) = remote_ldb.searchex(expression="(samaccountname=guest)", base=base, attrs=["objectClass"], controls=["dirsync:1:1:50"]) +cookie = None +if (len(ctrls)): + for ctl in ctrls: + cookie = printdirsync(ctl) + print("Returned %d entries" % len(msgs)) + +savedcookie = cookie + +print("") +print("Getting allusers with cookie") +controls = ["dirsync:1:1:50:%s" % base64.b64encode(ndr_pack(cookie)).decode('utf8')] +(msgs, ctrls) = remote_ldb.searchex(expression="(samaccountname=*)", base=base, attrs=["objectClass"], controls=controls) +if (len(ctrls)): + for ctl in ctrls: + printdirsync(ctl) + print("Returned %d entries" % len(msgs)) + +cookie = savedcookie +cookie.blob.guid1 = misc.GUID("128a99bf-e2df-4832-ac0a-1fb625e530db") +if cookie.blob.extra_length > 0: + cookie.blob.extra.ctr.cursors[0].source_dsa_invocation_id = misc.GUID("128a99bf-e2df-4832-ac0a-1fb625e530db") + +print("") +print("Getting all the entries") +controls = ["dirsync:1:1:50:%s" % base64.b64encode(ndr_pack(cookie)).decode('utf8')] +(msgs, ctrls) = remote_ldb.searchex(expression="(objectclass=*)", base=base, controls=controls) +cont = 0 +if (len(ctrls)): + for ctl in ctrls: + cookie = printdirsync(ctl) + if cookie is not None: + cont = (ctl.split(':'))[1] + print("Returned %d entries" % len(msgs)) + +usn = cookie.blob.highwatermark.tmp_highest_usn +if cookie.blob.extra_length > 0: + bigusn = cookie.blob.extra.ctr.cursors[0].highest_usn +else: + bigusn = usn + 1000 +while (cont == "1"): + print("") + controls = ["dirsync:1:1:50:%s" % base64.b64encode(ndr_pack(cookie)).decode('utf8')] + (msgs, ctrls) = remote_ldb.searchex(expression="(objectclass=*)", base=base, controls=controls) + if (len(ctrls)): + for ctl in ctrls: + cookie = printdirsync(ctl) + if cookie is not None: + cont = (ctl.split(':'))[1] + print("Returned %d entries" % len(msgs)) + +print("") +print("Getting with cookie but usn changed to %d we 
should use the one in extra" % (bigusn - 1)) +cookie.blob.highwatermark.highest_usn = 0 +cookie.blob.highwatermark.tmp_highest_usn = usn - 2 +if cookie.blob.extra_length > 0: + print("here") + cookie.blob.extra.ctr.cursors[0].highest_usn = bigusn - 1 +controls = ["dirsync:1:1:50:%s" % base64.b64encode(ndr_pack(cookie)).decode('utf8')] +(msgs, ctrls) = remote_ldb.searchex(expression="(objectclass=*)", base=base, controls=controls) +if (len(ctrls)): + for ctl in ctrls: + cookie = printdirsync(ctl) + print("Returned %d entries" % len(msgs)) + +print("") +print("Getting with cookie but usn %d changed and extra/cursor GUID too" % (usn - 2)) +print(" so that it's (tmp)highest_usn that drives the limit") +cookie.blob.highwatermark.highest_usn = 0 +cookie.blob.highwatermark.tmp_highest_usn = usn - 2 +if cookie.blob.extra_length > 0: + cookie.blob.extra.ctr.cursors[0].source_dsa_invocation_id = misc.GUID("128a99bf-e2df-4832-ac0a-1fb625e530db") + cookie.blob.extra.ctr.cursors[0].highest_usn = bigusn - 1 +controls = ["dirsync:1:1:50:%s" % base64.b64encode(ndr_pack(cookie)).decode('utf8')] +(msgs, ctrls) = remote_ldb.searchex(expression="(objectclass=*)", base=base, controls=controls) +if (len(ctrls)): + for ctl in ctrls: + cookie = printdirsync(ctl) + print("Returned %d entries" % len(msgs)) + +print("") +print("Getting with cookie but usn changed to %d" % (usn - 2)) +cookie.blob.highwatermark.highest_usn = 0 +cookie.blob.highwatermark.tmp_highest_usn = (usn - 2) +if cookie.blob.extra_length > 0: + cookie.blob.extra.ctr.cursors[0].highest_usn = (usn - 2) +controls = ["dirsync:1:1:50:%s" % base64.b64encode(ndr_pack(cookie)).decode('utf8')] +(msgs, ctrls) = remote_ldb.searchex(expression="(objectclass=*)", base=base, controls=controls) +if (len(ctrls)): + for ctl in ctrls: + cookie = printdirsync(ctl) + print("Returned %d entries" % len(msgs)) 
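Review bot: `sambaopts = options.SambaOptions(parser)` is created but never registered with `parser.add_option_group(sambaopts)`, so the smb.conf/`--option` style arguments are rejected by optparse even though `sambaopts.get_loadparm()` is relied on below; the enumprivs hunk has the same omission. `lp` and `creds` are also derived before `parser.parse_args()` runs, so whatever the credential options set during parsing arrives after `get_credentials(lp)` has already been called — presumably the two lines belong below `opts = parser.parse_args()[0]`, which is the order the sibling scripts use. The shebang is `#!/usr/bin/python` while the rest of the series uses `#!/usr/bin/env python3`, and the `.decode('utf8')` on the `b64encode` result suggests python3 is intended here too.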
diff --git a/source4/scripting/devel/drs/fsmo.ldif.template b/source4/scripting/devel/drs/fsmo.ldif.template
new file mode 100644
index 0000000..d5b373a
--- /dev/null
+++ b/source4/scripting/devel/drs/fsmo.ldif.template
@@ -0,0 +1,75 @@
+dn: CN=RID Manager$,CN=System,BASEDN
+changetype: modify
+replace: fSMORoleOwner
+fSMORoleOwner: CN=NTDS Settings,CN=MACHINE,CN=Servers,CN=Default-First-Site-Name,C
+ N=Sites,CN=Configuration,BASEDN
+-
+
+dn: BASEDN
+changetype: modify
+replace: fSMORoleOwner
+fSMORoleOwner: CN=NTDS Settings,CN=MACHINE,CN=Servers,CN=Default-First-Site-Name,C
+ N=Sites,CN=Configuration,BASEDN
+-
+
+dn: CN=Infrastructure,BASEDN
+changetype: modify
+replace: fSMORoleOwner
+fSMORoleOwner: CN=NTDS Settings,CN=MACHINE,CN=Servers,CN=Default-First-Site-Name,C
+ N=Sites,CN=Configuration,BASEDN
+-
+
+dn: CN=Partitions,CN=Configuration,BASEDN
+changetype: modify
+replace: fSMORoleOwner
+fSMORoleOwner: CN=NTDS Settings,CN=MACHINE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,BASEDN
+-
+
+dn: CN=Schema,CN=Configuration,BASEDN
+changetype: modify
+replace: fSMORoleOwner
+fSMORoleOwner: CN=NTDS Settings,CN=MACHINE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,BASEDN
+-
+
+dn: CN=NTDS Settings,CN=MACHINE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,BASEDN
+changetype: modify
+replace: options
+options: 1
+-
+
+dn: CN=MACHINE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,BASEDN
+changetype: modify
+replace: dNSHostName
+dNSHostName: MACHINE.DNSDOMAIN
+-
+
+dn: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,BASEDN
+changetype: modify
+replace: interSiteTopologyGenerator
+interSiteTopologyGenerator: CN=NTDS Settings,CN=MACHINE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,BASEDN
+-
+
+dn: CN=MACHINE,OU=Domain Controllers,BASEDN
+changetype: modify
+replace: servicePrincipalName
+servicePrincipalName: GC/MACHINE.DNSDOMAIN/DNSDOMAIN
+servicePrincipalName: HOST/MACHINE/NETBIOSDOMAIN
+servicePrincipalName: ldap/MACHINE/NETBIOSDOMAIN
+servicePrincipalName: ldap/MACHINE.DNSDOMAIN/ForestDnsZones.DNSDOMAIN
+servicePrincipalName: ldap/MACHINE.DNSDOMAIN/DomainDnsZones.DNSDOMAIN
+servicePrincipalName: DNS/MACHINE.DNSDOMAIN
+servicePrincipalName: RestrictedKrbHost/MACHINE.DNSDOMAIN
+servicePrincipalName: RestrictedKrbHost/MACHINE
+servicePrincipalName: HOST/MACHINE.DNSDOMAIN/NETBIOSDOMAIN
+servicePrincipalName: HOST/MACHINE
+servicePrincipalName: HOST/MACHINE.DNSDOMAIN
+servicePrincipalName: HOST/MACHINE.DNSDOMAIN/DNSDOMAIN
+servicePrincipalName: ldap/MACHINE.DNSDOMAIN/NETBIOSDOMAIN
+servicePrincipalName: ldap/MACHINE
+servicePrincipalName: ldap/MACHINE.DNSDOMAIN
+servicePrincipalName: ldap/MACHINE.DNSDOMAIN/DNSDOMAIN
+servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/DNSDOMAIN
+servicePrincipalName: ldap/NTDSGUID._msdcs.DNSDOMAIN
+servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/MACHINE.DNSDOMAIN
+servicePrincipalName: NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MACHINE.DNSDOMAIN
+-
diff --git a/source4/scripting/devel/drs/named.conf.ad.template b/source4/scripting/devel/drs/named.conf.ad.template
new file mode 100644
index 0000000..071c98c
--- /dev/null
+++ b/source4/scripting/devel/drs/named.conf.ad.template
@@ -0,0 +1,6 @@
+zone "DNSDOMAIN" IN {
+ type forward;
+ forwarders {
+ SERVERIP;
+ };
+};
diff --git a/source4/scripting/devel/drs/revampire_ad.sh b/source4/scripting/devel/drs/revampire_ad.sh
new file mode 100755
index 0000000..cd3164c
--- /dev/null
+++ b/source4/scripting/devel/drs/revampire_ad.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -x
+
+. $(dirname $0)/vars
+
+$(dirname $0)/vampire_ad.sh || exit 1
+
+ntds_guid=$(sudo bin/ldbsearch -H $PREFIX/private/sam.ldb -b "CN=NTDS Settings,CN=$machine,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,$dn" objectGUID | grep ^objectGUID | awk '{print $2}')
+
+cp $PREFIX/private/$DNSDOMAIN.zone{.template,}
+sed -i "s/NTDSGUID/$ntds_guid/g" $PREFIX/private/$DNSDOMAIN.zone
+cp $PREFIX/private/named.conf{.local,}
+sudo rndc reconfig
+fsmotmp=$(mktemp fsmo.ldif.XXXXXXXXX)
+cp $(dirname $0)/fsmo.ldif.template $fsmotmp
+sed -i "s/NTDSGUID/$ntds_guid/g" $fsmotmp
+sed -i "s/MACHINE/$machine/g" $fsmotmp
+sed -i "s/DNSDOMAIN/$DNSDOMAIN/g" $fsmotmp
+sed -i "s/BASEDN/$dn/g" $fsmotmp
+sed -i "s/NETBIOSDOMAIN/$workgroup/g" $fsmotmp
+sudo bin/ldbmodify -H $PREFIX/private/sam.ldb $fsmotmp
+rm $fsmotmp
diff --git a/source4/scripting/devel/drs/unvampire_ad.sh b/source4/scripting/devel/drs/unvampire_ad.sh
new file mode 100755
index 0000000..c005374
--- /dev/null
+++ b/source4/scripting/devel/drs/unvampire_ad.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -x
+
+. $(dirname $0)/vars
+
+if [ -z "$site" ]; then
+ site="Default-First-Site-Name"
+fi
+
+bin/ldbdel -r -H ldap://$server.$DNSDOMAIN -U$workgroup/administrator%$pass "CN=$machine,CN=Computers,$dn"
+bin/ldbdel -r -H ldap://$server.$DNSDOMAIN -U$workgroup/administrator%$pass "CN=$machine,OU=Domain Controllers,$dn"
+bin/ldbdel -r -H ldap://$server.$DNSDOMAIN -U$workgroup/administrator%$pass "CN=$machine,CN=Servers,CN=$site,CN=Sites,CN=Configuration,$dn"
+rm -f $PREFIX/private/*.ldb
diff --git a/source4/scripting/devel/drs/vampire_ad.sh b/source4/scripting/devel/drs/vampire_ad.sh
new file mode 100755
index 0000000..f3cdc3c
--- /dev/null
+++ b/source4/scripting/devel/drs/vampire_ad.sh
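Review bot: `ntds_guid` is used without being checked: if the `sudo bin/ldbsearch ... | grep ^objectGUID | awk` pipeline yields nothing (wrong `$machine`, sudo refused), every `sed` replaces NTDSGUID with an empty string and `ldbmodify` then writes SPNs with an empty GUID component into sam.ldb, and the zone file gets the same. Guard it right after the assignment, `[ -n "$ntds_guid" ] || { echo "no NTDS GUID found for $machine" >&2; exit 1; }`, and consider `set -e` since none of the `cp`/`sed` steps check their status before the modify. `$fsmotmp` is created in the current directory and removed only on the success path; `trap 'rm -f "$fsmotmp"' EXIT` after the `mktemp` covers early exits too.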
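Review bot: The domain password travels on the command line in all three `ldbdel` calls (`-U$workgroup/administrator%$pass`), which exposes it in process listings on the test host and, with `set -x`, in the trace output; the vampire_ad.sh hunk does the same for `samba-tool domain join`. The Samba credential options can take the secret from the environment (`PASSWD`) or from a credentials file instead of argv, which keeps `$pass` out of `ps` even in a devel script — check which of those the `ldbdel` build here supports. The `if [ -z "$site" ]` default duplicates what `vars` already sets; harmless, but `site="${site:-Default-First-Site-Name}"` says the same in one line.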
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -x
+
+. $(dirname $0)/vars
+
+namedtmp=$(mktemp named.conf.ad.XXXXXXXXX)
+cp $(dirname $0)/named.conf.ad.template $namedtmp
+sed -i "s/DNSDOMAIN/$DNSDOMAIN/g" $namedtmp
+sed -i "s/SERVERIP/$server_ip/g" $namedtmp
+chmod a+r $namedtmp
+mv -f $namedtmp $PREFIX/private/named.conf
+sudo rndc reconfig
+$(dirname $0)/unvampire_ad.sh
+
+cat <<EOF >nsupdate.txt
+update delete $DNSDOMAIN A $machine_ip
+show
+send
+EOF
+echo "$pass" | kinit administrator
+nsupdate -g nsupdate.txt
+
+REALM="$(echo $DNSDOMAIN | tr '[a-z]' '[A-Z]')"
+
+sudo $GDB bin/samba-tool domain join $DNSDOMAIN DC -Uadministrator%$pass -s $PREFIX/etc/smb.conf --option=realm=$REALM --option="ads:dc function level=4" --option="ads:min function level=0" -d2 "$@" || exit 1
+# PRIVATEDIR=$PREFIX/private sudo -E scripting/bin/setup_dns.sh $machine $DNSDOMAIN $machine_ip || exit 1
+#sudo rndc flush
diff --git a/source4/scripting/devel/drs/vars b/source4/scripting/devel/drs/vars
new file mode 100644
index 0000000..b69b9f9
--- /dev/null
+++ b/source4/scripting/devel/drs/vars
@@ -0,0 +1,12 @@
+DNSDOMAIN=ad.samba.example.com
+PREFIX="/data/samba/samba4/prefix.ad"
+export PYTHONPATH=$PYTHONPATH:$PREFIX/lib/python2.6/site-packages
+pass="penguin"
+machine="ruth"
+machine_ip="192.168.122.1"
+workgroup=adruth
+dn="DC=ad,DC=samba,DC=example,DC=com"
+server=win2008-1
+server_ip=192.168.122.53
+site="Default-First-Site-Name"
+
diff --git a/source4/scripting/devel/enumprivs b/source4/scripting/devel/enumprivs
new file mode 100755
index 0000000..389f7d0
--- /dev/null
+++ b/source4/scripting/devel/enumprivs
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+
+# script to enumerate LSA privileges on a server
+
+import sys
+from optparse import OptionParser
+
+sys.path.insert(0, "bin/python")
+
+import samba
+import samba.getopt as options
+from samba.dcerpc import lsa, security
+
+def get_display_name(lsaconn, pol_handle, name):
+ '''get the display name for a privilege'''
+ string = lsa.String()
+ string.string = name
+
+ (disp_names, ret_lang) = lsaconn.LookupPrivDisplayName(pol_handle, string, 0x409, 0)
+ return disp_names.string
+
+
+
+
+########### main code ###########
+if __name__ == "__main__":
+ parser = OptionParser("enumprivs [options] server")
+ sambaopts = options.SambaOptions(parser)
+ credopts = options.CredentialsOptionsDouble(parser)
+ parser.add_option_group(credopts)
+
+ (opts, args) = parser.parse_args()
+
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ if len(args) != 1:
+ parser.error("You must supply a server")
+
+ if not creds.authentication_requested():
+ parser.error("You must supply credentials")
+
+ server = args[0]
+
+ binding_str = "ncacn_np:%s[print]" % server
+
+ lsaconn = lsa.lsarpc(binding_str, lp, creds)
+
+ objectAttr = lsa.ObjectAttribute()
+ objectAttr.sec_qos = lsa.QosInfo()
+
+ pol_handle = lsaconn.OpenPolicy2(''.decode('utf-8'),
+ objectAttr, security.SEC_FLAG_MAXIMUM_ALLOWED)
+
+ (handle, privs) = lsaconn.EnumPrivs(pol_handle, 0, 100)
+ for p in privs.privs:
+ disp_name = get_display_name(lsaconn, pol_handle, p.name.string)
+ print("0x%08x %31s \"%s\"" % (p.luid.low, p.name.string, disp_name))
diff --git a/source4/scripting/devel/getncchanges b/source4/scripting/devel/getncchanges
new file mode 100755
index 0000000..a1a4d14
--- /dev/null
+++ b/source4/scripting/devel/getncchanges
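Review bot: `''.decode('utf-8')` in the `OpenPolicy2` call cannot work under the `python3` shebang — a `str` has no `decode`, so the script raises AttributeError before it ever talks to the server; `pol_handle = lsaconn.OpenPolicy2('', objectAttr, security.SEC_FLAG_MAXIMUM_ALLOWED)` is the python3 form (the binding takes a plain string for the system name, as far as I can tell — verify). As in the demodirsync hunk, `sambaopts` is created but never registered with `parser.add_option_group(sambaopts)`, so the smb.conf options it defines are not accepted. `EnumPrivs(pol_handle, 0, 100)` caps the listing at 100 entries and the returned resume `handle` is discarded; a comment stating the cap, or looping until the server reports no more, would make that visible.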
@@ -0,0 +1,143 @@
+#!/usr/bin/env python3
+
+# script to call a DRS GetNCChanges from the command line
+# this is useful for plugfest testing
+import sys
+from optparse import OptionParser
+
+sys.path.insert(0, "bin/python")
+
+import samba, ldb
+import samba.getopt as options
+from samba.dcerpc import drsuapi, misc
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba.ndr import ndr_unpack
+from samba.drs_utils import drs_get_rodc_partial_attribute_set, drs_DsBind
+
+
+########### main code ###########
+if __name__ == "__main__":
+ parser = OptionParser("getncchanges [options] server")
+ sambaopts = options.SambaOptions(parser)
+ parser.add_option_group(sambaopts)
+ credopts = options.CredentialsOptionsDouble(parser)
+ parser.add_option_group(credopts)
+
+ parser.add_option("", "--dn", dest="dn", help="DN to replicate",)
+ parser.add_option("", "--exop", dest="exop", help="extended operation",)
+ parser.add_option("", "--pas", dest="use_pas", action='store_true', default=False,
+ help="send partial attribute set (for RODC)")
+ parser.add_option("", "--nb-iter", type='int', help="Number of getncchange iterations")
+ parser.add_option("", "--dest-dsa", type='str', help="destination DSA GUID")
+ parser.add_option("", "--rodc", action='store_true', default=False,
+ help='use RODC replica flags')
+ parser.add_option("", "--partial-rw", action='store_true', default=False,
+ help='use RW partial replica flags, not be confused with --pas')
+ parser.add_option("", "--replica-flags", type='int',
+ default=drsuapi.DRSUAPI_DRS_INIT_SYNC |
+ drsuapi.DRSUAPI_DRS_PER_SYNC |
+ drsuapi.DRSUAPI_DRS_WRIT_REP |
+ drsuapi.DRSUAPI_DRS_GET_ANC |
+ drsuapi.DRSUAPI_DRS_NEVER_SYNCED,
+ help='replica flags')
+
+ (opts, args) = parser.parse_args()
+ if opts.rodc:
+ opts.replica_flags = drsuapi.DRSUAPI_DRS_INIT_SYNC |\
+ drsuapi.DRSUAPI_DRS_PER_SYNC |\
+ drsuapi.DRSUAPI_DRS_GET_ANC |\
+ drsuapi.DRSUAPI_DRS_NEVER_SYNCED |\
+ drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |\
+ drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
+
+ if opts.partial_rw:
+ opts.replica_flags = drsuapi.DRSUAPI_DRS_INIT_SYNC |\
+ drsuapi.DRSUAPI_DRS_PER_SYNC |\
+ drsuapi.DRSUAPI_DRS_GET_ANC |\
+ drsuapi.DRSUAPI_DRS_NEVER_SYNCED
+
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ if len(args) != 1:
+ parser.error("You must supply a server")
+
+ if creds.is_anonymous():
+ parser.error("You must supply credentials")
+
+ if opts.partial_rw and opts.rodc:
+ parser.error("Can't specify --partial-rw and --rodc")
+
+ server = args[0]
+
+ binding_str = "ncacn_ip_tcp:%s[seal,print]" % server
+
+ drs = drsuapi.drsuapi(binding_str, lp, creds)
+ drs_handle, supported_extensions = drs_DsBind(drs)
+ print("DRS Handle: %s" % drs_handle)
+
+ req8 = drsuapi.DsGetNCChangesRequest8()
+
+ samdb = SamDB(url="ldap://%s" % server,
+ session_info=system_session(),
+ credentials=creds, lp=lp)
+
+ if opts.use_pas:
+ local_samdb = SamDB(url=None, session_info=system_session(),
+ credentials=creds, lp=lp)
+
+ if opts.dn is None:
+ opts.dn = str(samdb.get_default_basedn())
+
+ if opts.exop is None:
+ exop = drsuapi.DRSUAPI_EXOP_NONE
+ else:
+ exop = int(opts.exop)
+
+ dest_dsa = opts.dest_dsa
+ if not dest_dsa:
+ print("no dest_dsa specified trying to figure out from ldap")
+ msgs = samdb.search(controls=["search_options:1:2"],
+ expression='(objectclass=ntdsdsa)')
+ if len(msgs) == 1:
+ dest_dsa = str(ndr_unpack(misc.GUID, msgs[0]["invocationId"][0]))
+ print("Found this dsa: %s" % dest_dsa)
+ else:
+ # TODO fixme
+ pass
+ if not dest_dsa:
+ print("Unable to find the dest_dsa automatically please specify it")
+ import sys
+ sys.exit(1)
+
+ null_guid = misc.GUID()
+ req8.destination_dsa_guid = misc.GUID(dest_dsa)
+ req8.source_dsa_invocation_id = misc.GUID(samdb.get_invocation_id())
+ req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
+ req8.naming_context.dn = opts.dn.decode("utf-8")
+ req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
+ req8.highwatermark.tmp_highest_usn = 0
+ req8.highwatermark.reserved_usn = 0
+ req8.highwatermark.highest_usn = 0
+ req8.uptodateness_vector = None
+ req8.replica_flags = opts.replica_flags
+ req8.max_object_count = 402
+ req8.max_ndr_size = 402116
+ req8.extended_op = exop
+ req8.fsmo_info = 0
+ if opts.use_pas:
+ req8.partial_attribute_set = drs_get_rodc_partial_attribute_set(local_samdb)
+ else:
+ req8.partial_attribute_set = None
+ req8.partial_attribute_set_ex = None
+ req8.mapping_ctr.num_mappings = 0
+ req8.mapping_ctr.mappings = None
+
+ nb_iter = 0
+ while True:
+ (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
+ nb_iter += 1
+ if ctr.more_data == 0 or opts.nb_iter == nb_iter:
+ break
+ req8.highwatermark = ctr.new_highwatermark
diff --git a/source4/scripting/devel/nmfind b/source4/scripting/devel/nmfind
new file mode 100755
index 0000000..865c0d7
--- /dev/null
+++ b/source4/scripting/devel/nmfind
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# find object files containing a symbol
+# for example:
+# nmfind foo_function $(find bin/default -name '*.o')
+
+TARGET=$1
+shift
+for f in $*; do
+ if nm $f 2>&1 | grep $TARGET >/dev/null; then
+ echo [$f]
+ nm $f | grep $TARGET
+ echo
+ fi
+done
diff --git a/source4/scripting/devel/pfm_verify.py b/source4/scripting/devel/pfm_verify.py
new file mode 100755
index 0000000..f29c1e5
--- /dev/null
+++ b/source4/scripting/devel/pfm_verify.py
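Review bot: `req8.naming_context.dn = opts.dn.decode("utf-8")` breaks under python3: `opts.dn` is a `str` here, either straight from optparse or from `str(samdb.get_default_basedn())`, and `str` has no `decode`, so every run raises AttributeError before the first `DsGetNCChanges`; `req8.naming_context.dn = opts.dn` is all that is needed. The `else: # TODO fixme / pass` branch silently leaves `dest_dsa` empty when the search returns more than one ntdsdsa object, and the message that follows does not say why, so a `print("found %d ntdsdsa objects, cannot pick dest_dsa automatically" % len(msgs))` in that branch would help the user. The inner `import sys` duplicates the top-level import, and `null_guid` and the `ldb` import are unused.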
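Review bot: `for f in $*` and the unquoted `$f` and `$TARGET` are word-split and glob-expanded, so an object path containing a space, or a symbol pattern with shell metacharacters, misbehaves; `for f in "$@"; do` with `nm "$f" 2>&1 | grep -- "$TARGET"` is the POSIX-sh form. `nm` is also run twice per matching file; capturing once with `out=$(nm "$f" 2>&1 | grep -- "$TARGET") && { echo "[$f]"; echo "$out"; echo; }` avoids the second pass and keeps the output identical.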
@@ -0,0 +1,192 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# script to verify cached prefixMap on remote
+# server against the prefixMap stored in Schema NC
+#
+# Copyright (C) Kamen Mazdrashki <kamenim@samba.org> 2010
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import sys
+from optparse import OptionParser
+
+sys.path.insert(0, "bin/python")
+
+import samba
+import samba.getopt as options
+from ldb import SCOPE_BASE, SCOPE_SUBTREE
+from samba.dcerpc import drsuapi, misc, drsblobs
+from samba.drs_utils import drs_DsBind
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba.ndr import ndr_pack, ndr_unpack
+
+
+def _samdb_fetch_pfm(samdb):
+ """Fetch prefixMap stored in SamDB using LDB connection"""
+ res = samdb.search(base=samdb.get_schema_basedn(), expression="", scope=SCOPE_BASE, attrs=["*"])
+ assert len(res) == 1
+ pfm = ndr_unpack(drsblobs.prefixMapBlob,
+ str(res[0]['prefixMap']))
+
+ pfm_schi = _samdb_fetch_schi(samdb)
+
+ return (pfm.ctr, pfm_schi)
+
+
+def _samdb_fetch_schi(samdb):
+ """Fetch schemaInfo stored in SamDB using LDB connection"""
+ res = samdb.search(base=samdb.get_schema_basedn(), expression="", scope=SCOPE_BASE, attrs=["*"])
+ assert len(res) == 1
+ if 'schemaInfo' in res[0]:
+ pfm_schi = ndr_unpack(drsblobs.schemaInfoBlob,
+ str(res[0]['schemaInfo']))
+ else:
+ pfm_schi = drsblobs.schemaInfoBlob()
+ pfm_schi.marker = 0xFF
+ return pfm_schi
+
+
+def _drs_fetch_pfm(server, samdb, creds, lp):
+ """Fetch prefixMap using DRS interface"""
+ binding_str = "ncacn_ip_tcp:%s[print,seal]" % server
+
+ drs = drsuapi.drsuapi(binding_str, lp, creds)
+ (drs_handle, supported_extensions) = drs_DsBind(drs)
+ print("DRS Handle: %s" % drs_handle)
+
+ req8 = drsuapi.DsGetNCChangesRequest8()
+
+ dest_dsa = misc.GUID("9c637462-5b8c-4467-aef2-bdb1f57bc4ef")
+ replica_flags = 0
+
+ req8.destination_dsa_guid = dest_dsa
+ req8.source_dsa_invocation_id = misc.GUID(samdb.get_invocation_id())
+ req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
+ req8.naming_context.dn = samdb.get_schema_basedn()
+ req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
+ req8.highwatermark.tmp_highest_usn = 0
+ req8.highwatermark.reserved_usn = 0
+ req8.highwatermark.highest_usn = 0
+ req8.uptodateness_vector = None
+ req8.replica_flags = replica_flags
+ req8.max_object_count = 0
+ req8.max_ndr_size = 402116
+ req8.extended_op = 0
+ req8.fsmo_info = 0
+ req8.partial_attribute_set = None
+ req8.partial_attribute_set_ex = None
+ req8.mapping_ctr.num_mappings = 0
+ req8.mapping_ctr.mappings = None
+
+ (level, ctr) = drs.DsGetNCChanges(drs_handle, 8, req8)
+ pfm = ctr.mapping_ctr
+ # check for schemaInfo element
+ pfm_it = pfm.mappings[-1]
+ assert pfm_it.id_prefix == 0
+ assert pfm_it.oid.length == 21
+ s = "".join(chr(x) for x in pfm_it.oid.binary_oid)
+ pfm_schi = ndr_unpack(drsblobs.schemaInfoBlob, s)
+ assert pfm_schi.marker == 0xFF
+ # remove schemaInfo element
+ pfm.num_mappings -= 1
+ return (pfm, pfm_schi)
+
+
+def _pfm_verify(drs_pfm, ldb_pfm):
+ errors = []
+ if drs_pfm.num_mappings != ldb_pfm.num_mappings:
+ errors.append("Different count of prefixes: drs = %d, ldb = %d"
+ % (drs_pfm.num_mappings, ldb_pfm.num_mappings))
+ count = min(drs_pfm.num_mappings, ldb_pfm.num_mappings)
+ for i in range(0, count):
+ it_err = []
+ drs_it = drs_pfm.mappings[i]
+ ldb_it = ldb_pfm.mappings[i]
+ if drs_it.id_prefix != ldb_it.id_prefix:
+ it_err.append("id_prefix")
+ if drs_it.oid.length != ldb_it.oid.length:
+ it_err.append("oid.length")
+ if drs_it.oid.binary_oid != ldb_it.oid.binary_oid:
+ it_err.append("oid.binary_oid")
+ if len(it_err):
+ errors.append("[%2d] differences in (%s)" % (i, it_err))
+ return errors
+
+
+def _pfm_schi_verify(drs_schi, ldb_schi):
+ errors = []
+ print(drs_schi.revision)
+ print(drs_schi.invocation_id)
+ if drs_schi.marker != ldb_schi.marker:
+ errors.append("Different marker in schemaInfo: drs = %d, ldb = %d"
+ % (drs_schi.marker, ldb_schi.marker))
+ if drs_schi.revision != ldb_schi.revision:
+ errors.append("Different revision in schemaInfo: drs = %d, ldb = %d"
+ % (drs_schi.revision, ldb_schi.revision))
+ if drs_schi.invocation_id != ldb_schi.invocation_id:
+ errors.append("Different invocation_id in schemaInfo: drs = %s, ldb = %s"
+ % (drs_schi.invocation_id, ldb_schi.invocation_id))
+ return errors
+
+
+########### main code ###########
+if __name__ == "__main__":
+ # command line parsing
+ parser = OptionParser("pfm_verify.py [options] server")
+ sambaopts = options.SambaOptions(parser)
+ parser.add_option_group(sambaopts)
+ credopts = options.CredentialsOptionsDouble(parser)
+ parser.add_option_group(credopts)
+
+ (opts, args) = parser.parse_args()
+
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ if len(args) != 1:
+ if "DC_SERVER" not in os.environ.keys():
+ parser.error("You must supply a server")
+ args.append(os.environ["DC_SERVER"])
+
+ if creds.is_anonymous():
+ parser.error("You must supply credentials")
+
+ server = args[0]
+
+ samdb = SamDB(url="ldap://%s" % server,
+ session_info=system_session(lp),
+ credentials=creds, lp=lp)
+
+ exit_code = 0
+ (drs_pfm, drs_schi) = _drs_fetch_pfm(server, samdb, creds, lp)
+ (ldb_pfm, ldb_schi) = _samdb_fetch_pfm(samdb)
+ # verify prefixMaps
+ errors = _pfm_verify(drs_pfm, ldb_pfm)
+ if len(errors):
+ print("prefixMap verification errors:")
+ print("%s" % errors)
+ exit_code = 1
+ # verify schemaInfos
+ errors = _pfm_schi_verify(drs_schi, ldb_schi)
+ if len(errors):
+ print("schemaInfo verification errors:")
+ print("%s" % errors)
+ exit_code = 2
+
+ if exit_code != 0:
+ sys.exit(exit_code)
diff --git a/source4/scripting/devel/rebuild_zone.sh b/source4/scripting/devel/rebuild_zone.sh
new file mode 100755
index 0000000..94d1f9e
--- /dev/null
+++ b/source4/scripting/devel/rebuild_zone.sh
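Review bot: The two conversions feeding `ndr_unpack` are python2-isms that do not survive the `python3` shebang: `str(res[0]['prefixMap'])` (and the `schemaInfo` one in `_samdb_fetch_schi`) turns a binary `MessageElement` into text rather than bytes, and `s = "".join(chr(x) for x in pfm_it.oid.binary_oid)` builds a `str`, while `ndr_unpack` expects a bytes-like value. Presumably `res[0]['prefixMap'][0]` (the raw bytes of the first value) and `bytes(pfm_it.oid.binary_oid)` are what is intended — verify against the bindings. The `assert` statements that validate data coming back from the server (`len(res) == 1`, `id_prefix == 0`, `oid.length == 21`, `marker == 0xFF`) are stripped under `-O`, so raising an explicit exception keeps the checks in every mode. `_pfm_schi_verify` still carries two debugging `print`s of `revision`/`invocation_id`, and `"DC_SERVER" not in os.environ.keys()` is just `"DC_SERVER" not in os.environ`.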
@@ -0,0 +1,109 @@ +#!/bin/sh +# rebuild a zone file, adding all DCs + +[ $# -eq 2 ] || { + echo "rebuild_zone.sh <sam.ldb> <zonefile>" + exit 1 +} + +LDB="$1" +ZFILE="$2" + +dnshostname=$(bin/ldbsearch -H $LDB --scope=base -b '' dnsHostname | grep ^dns | cut -d' ' -f2) +host=$(echo $dnshostname | cut -d. -f1) +realm=$(echo $dnshostname | cut -d. -f2-) +GUIDs=$(bin/ldbsearch -H $LDB objectclass=ntdsdsa objectguid --cross-ncs | grep ^objectGUID | cut -d' ' -f2) +DOMAINGUID=$(bin/ldbsearch -H $LDB --scope=base objectguid | grep ^objectGUID | cut -d' ' -f2) + +dcname() +{ + GUID=$1 + echo $(bin/ldbsearch -H $LDB objectguid=$GUID dn --cross-ncs | grep CN=NTDS.Settings | cut -d, -f2 | cut -d= -f2) +} + +getip() +{ + NAME=$1 + ret=$(nmblookup $NAME | egrep '^[0-9]' | head -1 | cut -d' ' -f1) + test -n "$ret" || { + echo "Unable to find IP for $NAME. Using XX.XX.XX.XX. Please edit" 1>&2 + echo "XX.XX.XX.XX" + } + echo $ret +} + +echo "Generating header for host $host in realm $realm" +cat <<EOF >$ZFILE +; -*- zone -*- +; generated by rebuild_zone.sh +\$ORIGIN $realm. 
+\$TTL 1W +@ IN SOA @ hostmaster ( + $(date +%Y%m%d%H) ; serial + 2D ; refresh + 4H ; retry + 6W ; expiry + 1W ) ; minimum + IN NS $host + +EOF + +for GUID in $GUIDs; do + dc=$(dcname $GUID) + echo "Generating IP for DC $dc" + ip=$(getip $dc) + test -n "$ip" || exit 1 + echo " IN A $ip" >>$ZFILE +done + +echo "; IP Addresses" >>$ZFILE +for GUID in $GUIDs; do + dc=$(dcname $GUID) + ip=$(getip $dc) + test -n "$ip" || exit 1 + echo "$dc IN A $ip" >>$ZFILE +done + +for GUID in $GUIDs; do + dc=$(dcname $GUID) + ip=$(getip $dc) + test -n "$ip" || exit 1 + echo "Generating zone body for DC $dc with IP $ip" + cat <<EOF >>$ZFILE +; +; Entries for $dc +gc._msdcs IN A $ip +$GUID._msdcs IN CNAME $dc +_gc._tcp IN SRV 0 100 3268 $dc +_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 $dc +_ldap._tcp.gc._msdcs IN SRV 0 100 389 $dc +_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 389 $dc +_ldap._tcp IN SRV 0 100 389 $dc +_ldap._tcp.dc._msdcs IN SRV 0 100 389 $dc +_ldap._tcp.pdc._msdcs IN SRV 0 100 389 $dc +_ldap._tcp.$DOMAINGUID.domains._msdcs IN SRV 0 100 389 $dc +_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 $dc +_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 $dc +_kerberos._tcp IN SRV 0 100 88 $dc +_kerberos._tcp.dc._msdcs IN SRV 0 100 88 $dc +_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 $dc +_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 $dc +_kerberos._udp IN SRV 0 100 88 $dc +_kerberos-master._tcp IN SRV 0 100 88 $dc +_kerberos-master._udp IN SRV 0 100 88 $dc +_kpasswd._tcp IN SRV 0 100 464 $dc +_kpasswd._udp IN SRV 0 100 464 $dc +EOF +done + +cat <<EOF >>$ZFILE + +; kerberos hack +_kerberos IN TXT $(echo $realm | tr [a-z] [A-Z]) +EOF + +echo "Rebuilt zone file $ZFILE OK" + +echo "Reloading bind config" +PATH="/usr/sbin:$PATH" rndc reload +exit 0 
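Review bot: The `test -n "$ip" || exit 1` after each `ip=$(getip $dc)` can never fail, because getip prints the `XX.XX.XX.XX` placeholder on stdout when nmblookup returns nothing, so a failed lookup flows into the zone file and `PATH="/usr/sbin:$PATH" rndc reload` still runs on it. If a missing address is meant to be fatal, make getip say so — `echo "XX.XX.XX.XX"; return 1` in the failure block and `ip=$(getip "$dc") || exit 1` at the three call sites; if the placeholder is intentional, drop the dead checks and skip the reload when one was emitted. The addresses come from an unauthenticated NetBIOS lookup, so either way the resolved `$dc`/`$ip` pairs deserve an operator review step before they become authoritative DNS data. Separately, `tr [a-z] [A-Z]` in the last heredoc is subject to pathname expansion when single-letter files exist in the working directory — use `tr 'a-z' 'A-Z'` — and `$LDB`, `$ZFILE` and `$GUID` should be double-quoted throughout.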
diff --git a/source4/scripting/devel/repl_cleartext_pwd.py b/source4/scripting/devel/repl_cleartext_pwd.py
new file mode 100755
index 0000000..6439291
--- /dev/null
+++ b/source4/scripting/devel/repl_cleartext_pwd.py
@@ -0,0 +1,412 @@ +#!/usr/bin/env python3 +# +# Copyright Stefan Metzmacher 2011-2012 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# This is useful to sync passwords from an AD domain. +# +# $ +# $ source4/scripting/devel/repl_cleartext_pwd.py \ +# -Uadministrator%A1b2C3d4 \ +# 172.31.9.219 DC=bla,DC=base /tmp/cookie cleartext_utf8 131085 displayName +# # starting at usn[0] +# dn: CN=Test User1,CN=Users,DC=bla,DC=base +# cleartext_utf8: A1b2C3d4 +# displayName:: VABlAHMAdAAgAFUAcwBlAHIAMQA= +# +# # up to usn[16449] +# $ +# $ source4/scripting/devel/repl_cleartext_pwd.py \ +# -Uadministrator%A1b2C3d4 +# 172.31.9.219 DC=bla,DC=base cookie_file cleartext_utf8 131085 displayName +# # starting at usn[16449] +# # up to usn[16449] +# $ +# + +import sys + +# Find right direction when running from source tree +sys.path.insert(0, "bin/python") + +import samba.getopt as options +from optparse import OptionParser + +from samba.dcerpc import drsuapi, drsblobs, misc +from samba.ndr import ndr_pack, ndr_unpack, ndr_print + +import binascii +import hashlib +import Crypto.Cipher.ARC4 +import struct +import os + +from ldif import LDIFWriter + + +class globals: + def __init__(self): + self.global_objs = {} + self.ldif = LDIFWriter(sys.stdout) + + def add_attr(self, dn, attname, vals): + if dn not in self.global_objs: + self.global_objs[dn] = {} + self.global_objs[dn][attname] = vals + + 
def print_all(self): + for dn, obj in self.global_objs.items(): + self.ldif.unparse(dn, obj) + continue + self.global_objs = {} + + +def attid_equal(a1, a2): + return (a1 & 0xffffffff) == (a2 & 0xffffffff) + + +########### main code ########### +if __name__ == "__main__": + parser = OptionParser("repl_cleartext_pwd.py [options] server dn cookie_file clear_utf8_name [attid attname attmode] [clear_utf16_name") + sambaopts = options.SambaOptions(parser) + credopts = options.CredentialsOptions(parser) + parser.add_option_group(credopts) + + (opts, args) = parser.parse_args() + + if len(args) == 4: + pass + elif len(args) == 7: + pass + elif len(args) >= 8: + pass + else: + parser.error("more arguments required - given=%d" % (len(args))) + + server = args[0] + dn = args[1] + cookie_file = args[2] + if len(cookie_file) == 0: + cookie_file = None + clear_utf8_name = args[3] + if len(args) >= 7: + try: + attid = int(args[4], 16) + except Exception: + attid = int(args[4]) + attname = args[5] + attmode = args[6] + if attmode not in ["raw", "utf8"]: + parser.error("attmode should be 'raw' or 'utf8'") + else: + attid = -1 + attname = None + attmode = "raw" + if len(args) >= 8: + clear_utf16_name = args[7] + else: + clear_utf16_name = None + + lp = sambaopts.get_loadparm() + creds = credopts.get_credentials(lp) + + if not creds.authentication_requested(): + parser.error("You must supply credentials") + + gls = globals() + try: + f = open(cookie_file, 'r') + store_blob = f.read() + f.close() + + store_hdr = store_blob[0:28] + (store_version, + store_dn_len, store_dn_ofs, + store_hwm_len, store_hwm_ofs, + store_utdv_len, store_utdv_ofs) = \ + struct.unpack("<LLLLLLL", store_hdr) + + store_dn = store_blob[store_dn_ofs:store_dn_ofs + store_dn_len] + store_hwm_blob = store_blob[store_hwm_ofs:store_hwm_ofs + store_hwm_len] + store_utdv_blob = store_blob[store_utdv_ofs:store_utdv_ofs + store_utdv_len] + + store_hwm = ndr_unpack(drsuapi.DsReplicaHighWaterMark, store_hwm_blob) + 
store_utdv = ndr_unpack(drsblobs.replUpToDateVectorBlob, store_utdv_blob) + + assert store_dn == dn + # print "%s" % ndr_print(store_hwm) + # print "%s" % ndr_print(store_utdv) + except Exception: + store_dn = dn + store_hwm = drsuapi.DsReplicaHighWaterMark() + store_hwm.tmp_highest_usn = 0 + store_hwm.reserved_usn = 0 + store_hwm.highest_usn = 0 + store_utdv = None + + binding_str = "ncacn_ip_tcp:%s[spnego,seal]" % server + + drs_conn = drsuapi.drsuapi(binding_str, lp, creds) + + bind_info = drsuapi.DsBindInfoCtr() + bind_info.length = 28 + bind_info.info = drsuapi.DsBindInfo28() + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_BASE + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION + 
bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7 + bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT + (info, drs_handle) = drs_conn.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID), bind_info) + + null_guid = misc.GUID() + + naming_context = drsuapi.DsReplicaObjectIdentifier() + naming_context.dn = dn + highwatermark = store_hwm + uptodateness_vector = None + if store_utdv is not None: + uptodateness_vector = drsuapi.DsReplicaCursorCtrEx() + if store_utdv.version == 1: + uptodateness_vector.cursors = store_utdv.cursors + elif store_utdv.version == 2: + cursors = [] + for i in range(0, store_utdv.ctr.count): + cursor = drsuapi.DsReplicaCursor() + cursor.source_dsa_invocation_id = store_utdv.ctr.cursors[i].source_dsa_invocation_id + cursor.highest_usn = store_utdv.ctr.cursors[i].highest_usn + cursors.append(cursor) + uptodateness_vector.cursors = cursors + + req8 = drsuapi.DsGetNCChangesRequest8() 
+ + req8.destination_dsa_guid = null_guid + req8.source_dsa_invocation_id = null_guid + req8.naming_context = naming_context + req8.highwatermark = highwatermark + req8.uptodateness_vector = uptodateness_vector + req8.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC | + drsuapi.DRSUAPI_DRS_PER_SYNC | + drsuapi.DRSUAPI_DRS_GET_ANC | + drsuapi.DRSUAPI_DRS_NEVER_SYNCED | + drsuapi.DRSUAPI_DRS_WRIT_REP) + req8.max_object_count = 402 + req8.max_ndr_size = 402116 + req8.extended_op = 0 + req8.fsmo_info = 0 + req8.partial_attribute_set = None + req8.partial_attribute_set_ex = None + req8.mapping_ctr.num_mappings = 0 + req8.mapping_ctr.mappings = None + + user_session_key = drs_conn.user_session_key + + print("# starting at usn[%d]" % (highwatermark.highest_usn)) + + while True: + (level, ctr) = drs_conn.DsGetNCChanges(drs_handle, 8, req8) + if ctr.first_object is None and ctr.object_count != 0: + raise RuntimeError("DsGetNCChanges: NULL first_object with object_count=%u" % (ctr.object_count)) + + obj_item = ctr.first_object + while obj_item is not None: + obj = obj_item.object + + if obj.identifier is None: + obj_item = obj_item.next_object + continue + + # print '%s' % obj.identifier.dn + + is_deleted = False + for i in range(0, obj.attribute_ctr.num_attributes): + attr = obj.attribute_ctr.attributes[i] + if attid_equal(attr.attid, drsuapi.DRSUAPI_ATTID_isDeleted): + is_deleted = True + if is_deleted: + obj_item = obj_item.next_object + continue + + spl_crypt = None + attvals = None + for i in range(0, obj.attribute_ctr.num_attributes): + attr = obj.attribute_ctr.attributes[i] + if attid_equal(attr.attid, attid): + attvals = [] + for j in range(0, attr.value_ctr.num_values): + assert attr.value_ctr.values[j].blob is not None + val_raw = attr.value_ctr.values[j].blob + val = None + if attmode == "utf8": + val_unicode = unicode(val_raw, 'utf-16-le') + val = val_unicode.encode('utf-8') + elif attmode == "raw": + val = val_raw + else: + assert False, "attmode[%s]" % attmode + 
attvals.append(val) + if not attid_equal(attr.attid, drsuapi.DRSUAPI_ATTID_supplementalCredentials): + continue + assert attr.value_ctr.num_values <= 1 + if attr.value_ctr.num_values == 0: + break + assert attr.value_ctr.values[0].blob is not None + spl_crypt = attr.value_ctr.values[0].blob + + if spl_crypt is None: + obj_item = obj_item.next_object + continue + + assert len(spl_crypt) >= 20 + confounder = spl_crypt[0:16] + enc_buffer = spl_crypt[16:] + + m5 = hashlib.md5() + m5.update(user_session_key) + m5.update(confounder) + enc_key = m5.digest() + + rc4 = Crypto.Cipher.ARC4.new(enc_key) + plain_buffer = rc4.decrypt(enc_buffer) + + (crc32_v) = struct.unpack("<L", plain_buffer[0:4]) + attr_val = plain_buffer[4:] + crc32_c = binascii.crc32(attr_val) & 0xffffffff + assert int(crc32_v[0]) == int(crc32_c), "CRC32 0x%08X != 0x%08X" % (crc32_v[0], crc32_c) + + spl = ndr_unpack(drsblobs.supplementalCredentialsBlob, attr_val) + + # print '%s' % ndr_print(spl) + + cleartext_hex = None + + for i in range(0, spl.sub.num_packages): + pkg = spl.sub.packages[i] + if pkg.name != "Primary:CLEARTEXT": + continue + cleartext_hex = pkg.data + + if cleartext_hex is not None: + cleartext_utf16 = binascii.a2b_hex(cleartext_hex) + if clear_utf16_name is not None: + gls.add_attr(obj.identifier.dn, clear_utf16_name, [cleartext_utf16]) + try: + cleartext_unicode = unicode(cleartext_utf16, 'utf-16-le') + cleartext_utf8 = cleartext_unicode.encode('utf-8') + gls.add_attr(obj.identifier.dn, clear_utf8_name, [cleartext_utf8]) + except Exception: + pass + + if attvals is not None: + gls.add_attr(obj.identifier.dn, attname, attvals) + + krb5_old_hex = None + + for i in range(0, spl.sub.num_packages): + pkg = spl.sub.packages[i] + if pkg.name != "Primary:Kerberos": + continue + krb5_old_hex = pkg.data + + if krb5_old_hex is not None: + krb5_old_raw = binascii.a2b_hex(krb5_old_hex) + krb5_old = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb5_old_raw, allow_remaining=True) + + # print '%s' % 
ndr_print(krb5_old) + + krb5_new_hex = None + + for i in range(0, spl.sub.num_packages): + pkg = spl.sub.packages[i] + if pkg.name != "Primary:Kerberos-Newer-Keys": + continue + krb5_new_hex = pkg.data + + if krb5_new_hex is not None: + krb5_new_raw = binascii.a2b_hex(krb5_new_hex) + krb5_new = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, krb5_new_raw, allow_remaining=True) + + # print '%s' % ndr_print(krb5_new) + + obj_item = obj_item.next_object + + gls.print_all() + + if ctr.more_data == 0: + store_hwm = ctr.new_highwatermark + + store_utdv = drsblobs.replUpToDateVectorBlob() + store_utdv.version = ctr.uptodateness_vector.version + store_utdv_ctr = store_utdv.ctr + store_utdv_ctr.count = ctr.uptodateness_vector.count + store_utdv_ctr.cursors = ctr.uptodateness_vector.cursors + store_utdv.ctr = store_utdv_ctr + + # print "%s" % ndr_print(store_hwm) + # print "%s" % ndr_print(store_utdv) + + store_hwm_blob = ndr_pack(store_hwm) + store_utdv_blob = ndr_pack(store_utdv) + + # + # uint32_t version '1' + # uint32_t dn_str_len + # uint32_t dn_str_ofs + # uint32_t hwm_blob_len + # uint32_t hwm_blob_ofs + # uint32_t utdv_blob_len + # uint32_t utdv_blob_ofs + store_hdr_len = 7 * 4 + dn_ofs = store_hdr_len + hwm_ofs = dn_ofs + len(dn) + utdv_ofs = hwm_ofs + len(store_hwm_blob) + store_blob = struct.pack("<LLLLLLL", 1, + len(dn), dn_ofs, + len(store_hwm_blob), hwm_ofs, + len(store_utdv_blob), utdv_ofs) + \ + dn + store_hwm_blob + store_utdv_blob + + tmp_file = "%s.tmp" % cookie_file + f = open(tmp_file, 'wb') + f.write(store_blob) + f.close() + os.rename(tmp_file, cookie_file) + + print("# up to usn[%d]" % (ctr.new_highwatermark.highest_usn)) + break + print("# up to tmp_usn[%d]" % (ctr.new_highwatermark.highest_usn)) + req8.highwatermark = ctr.new_highwatermark diff --git a/source4/scripting/devel/rodcdns b/source4/scripting/devel/rodcdns new file mode 100755 index 0000000..6830580 --- /dev/null +++ b/source4/scripting/devel/rodcdns 
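Review bot: The cookie file is read with `open(cookie_file, 'r')` (text mode) but its contents go to `struct.unpack` and `ndr_unpack`, which under the python3 shebang reject `str`, so the broad `except Exception:` swallows the error and every run silently falls back to `highest_usn = 0`, re-replicating the whole naming context instead of the incremental pass the header examples describe. Use `f = open(cookie_file, 'rb')` to match the `'wb'` writer, handle the `cookie_file is None` case explicitly instead of via the exception, and narrow the handler to e.g. `except (OSError, struct.error):` so a corrupt or foreign cookie is reported rather than turning into an unintended full re-sync. The `assert store_dn == dn` check in the same block disappears under `-O` and, once the file is read as bytes, needs `dn.encode('utf-8')` on one side; the writer's `... + dn + store_hwm_blob + store_utdv_blob` concatenation mixes str and bytes the same way and presumably fails under python3 — confirm. The `unicode(...)` calls are Python 2 builtins and raise NameError on python3; the one wrapped in `except Exception: pass` fails silently, so that handler should at least log what it dropped. The usage examples in the header pass the password inline as `-Uadministrator%A1b2C3d4`, which leaves it in shell history and process listings; show the prompting form instead.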
@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+
+# script to call a netlogon RODC DNS update
+
+import sys
+from optparse import OptionParser
+
+sys.path.insert(0, "bin/python")
+
+import samba
+import samba.getopt as options
+from samba.dcerpc import netlogon, winbind
+
+########### main code ###########
+if __name__ == "__main__":
+ parser = OptionParser("rodcdns [options]")
+ sambaopts = options.SambaOptions(parser)
+
+ parser.add_option("", "--weight", dest="weight", help="record weight", default=0, type='int')
+ parser.add_option("", "--priority", dest="priority", help="record priority", default=100, type='int')
+ parser.add_option("", "--port", dest="port", help="port number", default=389, type='int')
+ parser.add_option("", "--type", dest="type", help="record type", default=netlogon.NlDnsLdapAtSite, type='int')
+ parser.add_option("", "--site", dest="site", help="site name", default="Default-First-Site-Name")
+
+ (opts, args) = parser.parse_args()
+
+ lp = sambaopts.get_loadparm()
+
+ w = winbind.winbind("irpc:winbind_server", lp)
+
+ dns_names = netlogon.NL_DNS_NAME_INFO_ARRAY()
+ dns_names.count = 1
+ name = netlogon.NL_DNS_NAME_INFO()
+ name.type = opts.type
+ name.priority = opts.priority
+ name.weight = opts.weight
+ name.port = opts.port
+ name.dns_register = True
+ dns_names.names = [ name ]
+ site_name = opts.site
+
+ ret_names = w.DsrUpdateReadOnlyServerDnsRecords(site_name, 600, dns_names)
+ print("Status: %u" % ret_names.names[0].status)
diff --git a/source4/scripting/devel/speedtest.py b/source4/scripting/devel/speedtest.py
new file mode 100755
index 0000000..8c044c4
--- /dev/null
+++ b/source4/scripting/devel/speedtest.py
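Review bot: `sambaopts = options.SambaOptions(parser)` is never attached to the parser, so the `-s`/`--configfile`/`--option` switches that `sambaopts.get_loadparm()` relies on are not accepted on the command line; `speedtest.py` in the same series does this correctly with `parser.add_option_group(sambaopts)`, and the same line belongs right after the constructor here. The outcome is only printed: since `ret_names.names[0].status` is the per-record result, a non-zero value should also become a non-zero exit code, e.g. `sys.exit(1 if ret_names.names[0].status != 0 else 0)`, so a scheduled run can detect a failed update (presumably 0 means success — confirm against the IDL). The bare `600` passed to `DsrUpdateReadOnlyServerDnsRecords` deserves a named variable or a comment saying what it is; `import samba` is unused.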
@@ -0,0 +1,235 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# +# Unix SMB/CIFS implementation. +# This speed test aims to show difference in execution time for bulk +# creation of user objects. This will help us compare +# Samba4 vs MS Active Directory performance. + +# Copyright (C) Zahari Zahariev <zahari.zahariev@postpath.com> 2010 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import optparse +import sys +import time +import base64 +from decimal import Decimal + +sys.path.insert(0, "bin/python") +import samba +from samba.tests.subunitrun import TestProgram, SubunitOptions + +import samba.getopt as options + +from ldb import SCOPE_BASE, SCOPE_SUBTREE +from samba.ndr import ndr_unpack +from samba.dcerpc import security + +from samba.auth import system_session +from samba import gensec, sd_utils +from samba.samdb import SamDB +from samba.credentials import Credentials +import samba.tests +from samba.tests import delete_force + +parser = optparse.OptionParser("speedtest.py [options] <host>") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) + +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +subunitopts = SubunitOptions(parser) +parser.add_option_group(subunitopts) +opts, args = parser.parse_args() + +if 
len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) +creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) + +# +# Tests start here +# + + +class SpeedTest(samba.tests.TestCase): + + def find_domain_sid(self, ldb): + res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) + return ndr_unpack(security.dom_sid, res[0]["objectSid"][0]) + + def setUp(self): + super(SpeedTest, self).setUp() + self.ldb_admin = ldb + self.base_dn = ldb.domain_dn() + self.domain_sid = security.dom_sid(ldb.get_domain_sid()) + self.user_pass = "samba123@" + print("baseDN: %s" % self.base_dn) + + def create_user(self, user_dn): + ldif = """ +dn: """ + user_dn + """ +sAMAccountName: """ + user_dn.split(",")[0][3:] + """ +objectClass: user +unicodePwd:: """ + base64.b64encode(("\"%s\"" % self.user_pass).encode('utf-16-le')).decode('utf8') + """ +url: www.example.com +""" + self.ldb_admin.add_ldif(ldif) + + def create_group(self, group_dn, desc=None): + ldif = """ +dn: """ + group_dn + """ +objectClass: group +sAMAccountName: """ + group_dn.split(",")[0][3:] + """ +groupType: 4 +url: www.example.com +""" + self.ldb_admin.add_ldif(ldif) + + def create_bundle(self, count): + for i in range(count): + self.create_user("cn=speedtestuser%d,cn=Users,%s" % (i + 1, self.base_dn)) + + def remove_bundle(self, count): + for i in range(count): + delete_force(self.ldb_admin, "cn=speedtestuser%d,cn=Users,%s" % (i + 1, self.base_dn)) + + def remove_test_users(self): + res = ldb.search(base="cn=Users,%s" % self.base_dn, expression="(objectClass=user)", scope=SCOPE_SUBTREE) + dn_list = [item.dn for item in res if "speedtestuser" in str(item.dn)] + for dn in dn_list: + delete_force(self.ldb_admin, dn) + + +class SpeedTestAddDel(SpeedTest): + + def setUp(self): + super(SpeedTestAddDel, self).setUp() + + def run_bundle(self, num): + print("\n=== Test ADD/DEL %s user objects 
===\n" % num) + avg_add = Decimal("0.0") + avg_del = Decimal("0.0") + for x in [1, 2, 3]: + start = time.time() + self.create_bundle(num) + res_add = Decimal(str(time.time() - start)) + avg_add += res_add + print(" Attempt %s ADD: %.3fs" % (x, float(res_add))) + # + start = time.time() + self.remove_bundle(num) + res_del = Decimal(str(time.time() - start)) + avg_del += res_del + print(" Attempt %s DEL: %.3fs" % (x, float(res_del))) + print("Average ADD: %.3fs" % float(Decimal(avg_add) / Decimal("3.0"))) + print("Average DEL: %.3fs" % float(Decimal(avg_del) / Decimal("3.0"))) + print("") + + def test_00000(self): + """ Remove possibly undeleted test users from previous test + """ + self.remove_test_users() + + def test_00010(self): + self.run_bundle(10) + + def test_00100(self): + self.run_bundle(100) + + def test_01000(self): + self.run_bundle(1000) + + def _test_10000(self): + """ This test should be enabled preferably against MS Active Directory. + It takes quite the time against Samba4 (1-2 days). 
+ """ + self.run_bundle(10000) + + +class AclSearchSpeedTest(SpeedTest): + + def setUp(self): + super(AclSearchSpeedTest, self).setUp() + self.ldb_admin.newuser("acltestuser", "samba123@") + self.sd_utils = sd_utils.SDUtils(self.ldb_admin) + self.ldb_user = self.get_ldb_connection("acltestuser", "samba123@") + self.user_sid = self.sd_utils.get_object_sid(self.get_user_dn("acltestuser")) + + def tearDown(self): + super(AclSearchSpeedTest, self).tearDown() + delete_force(self.ldb_admin, self.get_user_dn("acltestuser")) + + def run_search_bundle(self, num, _ldb): + print("\n=== Creating %s user objects ===\n" % num) + self.create_bundle(num) + mod = "(A;;LC;;;%s)(D;;RP;;;%s)" % (str(self.user_sid), str(self.user_sid)) + for i in range(num): + self.sd_utils.dacl_add_ace("cn=speedtestuser%d,cn=Users,%s" % + (i + 1, self.base_dn), mod) + print("\n=== %s user objects created ===\n" % num) + print("\n=== Test search on %s user objects ===\n" % num) + avg_search = Decimal("0.0") + for x in [1, 2, 3]: + start = time.time() + res = _ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_SUBTREE) + res_search = Decimal(str(time.time() - start)) + avg_search += res_search + print(" Attempt %s SEARCH: %.3fs" % (x, float(res_search))) + print("Average Search: %.3fs" % float(Decimal(avg_search) / Decimal("3.0"))) + self.remove_bundle(num) + + def get_user_dn(self, name): + return "CN=%s,CN=Users,%s" % (name, self.base_dn) + + def get_ldb_connection(self, target_username, target_password): + creds_tmp = Credentials() + creds_tmp.set_username(target_username) + creds_tmp.set_password(target_password) + creds_tmp.set_domain(creds.get_domain()) + creds_tmp.set_realm(creds.get_realm()) + creds_tmp.set_workstation(creds.get_workstation()) + creds_tmp.set_gensec_features(creds_tmp.get_gensec_features() + | gensec.FEATURE_SEAL) + ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp) + return ldb_target + + def test_search_01000(self): + self.run_search_bundle(1000, 
self.ldb_admin)
+
+ def test_search2_01000(self):
+ # allow the user to see objects but not attributes, all attributes will be filtered out
+ mod = "(A;;LC;;;%s)(D;;RP;;;%s)" % (str(self.user_sid), str(self.user_sid))
+ self.sd_utils.dacl_add_ace("CN=Users,%s" % self.base_dn, mod)
+ self.run_search_bundle(1000, self.ldb_user)
+
+# Important unit running information
+
+
+if "://" not in host:
+ host = "ldap://%s" % host
+
+ldb_options = ["modules:paged_searches"]
+ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp, options=ldb_options)
+
+TestProgram(module=__name__, opts=subunitopts)
diff --git a/source4/scripting/devel/tmpfs.sh b/source4/scripting/devel/tmpfs.sh
new file mode 100755
index 0000000..e4798ec
--- /dev/null
+++ b/source4/scripting/devel/tmpfs.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# This sets up bin/ and st/ as tmpfs filesystems, which saves a lot of
+# time waiting on the disk!
+
+sudo echo "About to (re)mount bin and st as tmpfs"
+rm -rf bin st
+sudo umount bin >/dev/null 2>&1
+sudo umount st >/dev/null 2>&1
+mkdir -p bin st || exit 1
+sudo mount -t tmpfs /dev/null bin || exit 1
+sudo chown $USER bin/. || exit 1
+echo "tmpfs setup for bin/"
+sudo mount -t tmpfs /dev/null st || exit 1
+sudo chown $USER st/. || exit 1
+echo "tmpfs setup for st/"
diff --git a/source4/scripting/devel/watch_servers.sh b/source4/scripting/devel/watch_servers.sh
new file mode 100644
index 0000000..88d66a2
--- /dev/null
+++ b/source4/scripting/devel/watch_servers.sh
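Review bot: `test_search2_01000` adds `(A;;LC;;;sid)(D;;RP;;;sid)` to the DACL of `CN=Users,<base_dn>` but nothing removes it; `AclSearchSpeedTest.tearDown` only deletes `acltestuser`, so after the run the container keeps an ACE for a SID that no longer resolves, and since this script is meant to be pointed at real Samba or MS AD hosts that is a lasting change to a production security descriptor. Capture the container's descriptor in `setUp` and restore it in `tearDown` (sd_utils has read/modify helpers for a DN — verify their names in samba/sd_utils.py), or at least delete the added ACE before the user is removed. `remove_test_users` searches through the module-level `ldb` while every other method goes through `self.ldb_admin`; use the instance attribute so the class does not depend on an import-time global. The fixed `samba123@` password on `acltestuser` and on every bulk-created user means a known credential exists on the target for the duration of the run; a per-run value from `secrets.token_urlsafe()` would avoid that. `create_group` takes a `desc` parameter it never uses.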
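Review bot: `rm -rf bin st` runs against whatever the current directory is, before the script has confirmed it is at the root of the source tree, so invoking it from the wrong place deletes unrelated `bin`/`st` directories without a prompt (the preceding `sudo echo` appears only to prime the sudo credential cache, not to check anything). Guard it with a test for a file that exists only at the tree root, e.g. `[ -f <TREE_ROOT_MARKER_FILE> ] || { echo "run from the source tree root" >&2; exit 1; }`, and quote `"$USER"` in the two `chown` calls.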
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+[ $# -ge 3 ] || {
+ echo "Usage: watch_servers.sh DB1 DB2 PASSWORD SEARCH <attrs>"
+ exit 1
+}
+
+host1="$1"
+host2="$2"
+password="$3"
+search="$4"
+shift 4
+
+watch -n1 "echo '$host1:'; bin/ldbsearch -S -H $host1 -Uadministrator%$password '$search' description $* | egrep -v '^ref|Ref|returned|entries|referrals' | uniq; echo; echo '$host2:'; bin/ldbsearch -S -H $host2 -Uadministrator%$password '$search' description $* | egrep -v '^ref|Ref|returned|entries|referrals' | uniq;"
diff --git a/source4/scripting/man/samba-gpupdate.8.xml b/source4/scripting/man/samba-gpupdate.8.xml
new file mode 100644
index 0000000..c7c9963
--- /dev/null
+++ b/source4/scripting/man/samba-gpupdate.8.xml
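Review bot: The argument check `[ $# -ge 3 ]` does not match what follows it: `search="$4"` and `shift 4` need four arguments, and the usage line lists SEARCH as required, so with exactly three arguments `$search` is empty and `shift 4` fails in POSIX sh. Change the test to `[ $# -ge 4 ] || {`. The password is also embedded as `-Uadministrator%$password` in the command string that `watch` re-executes every second, so it is visible in the process list for the whole session; even for a developer convenience script, reading it from a credentials file (if this ldbsearch build supports one) or prompting once would avoid the exposure.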
@@ -0,0 +1,128 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> +<refentry id="samba-gpupdate.8"> +<refentryinfo><date>2017-07-11</date></refentryinfo> + +<refmeta> + <refentrytitle>SAMBA_GPOUPDATE</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="source">Samba</refmiscinfo> + <refmiscinfo class="manual">System Administration tools</refmiscinfo> + <refmiscinfo class="version">4.8.0</refmiscinfo> +</refmeta> + +<refnamediv> + <refname>samba-gpupdate</refname> + <refpurpose>apply group policy</refpurpose> +</refnamediv> + +<refsynopsisdiv> + <cmdsynopsis> + <command>samba-gpupdate</command> + </cmdsynopsis> + + <cmdsynopsis> + <command>samba-gpupdate</command> + <arg choice="opt"> + <replaceable>options</replaceable> + </arg> + </cmdsynopsis> + +</refsynopsisdiv> + + +<refsect1> + <title>DESCRIPTION</title> + <para>This tool is part of the + <citerefentry><refentrytitle>samba</refentrytitle> + <manvolnum>1</manvolnum></citerefentry> suite.</para> + + <para><command>samba-gpupdate</command> a script for + applying and unapplying Group Policy. 
This applies + password policies (minimum/maximum password age, + minimum password length, and password complexity), + kerberos policies (user/service ticket lifetime and + renew lifetime), smb.conf policies, + hourly/daily/weekly/monthly cron scripts, Sudo + Privileges, Message of the Day and Logon Prompt + messages, etc.</para> + +</refsect1> + +<refsect1> + <title>OPTIONS</title> + +<para><option>-h</option>, <option>--help</option> + show this help message and exit</para> + +<para><option>-H </option>URL, <option>--url</option>=<emphasis remap="I">URL</emphasis> + URL for the samdb</para> + +<para><option>-X</option>, <option>--unapply</option> + Unapply Group Policy</para> + +<para><option>--target</option> + {Computer | User}</para> + +<para><option>--force</option> + Reapplies all policy settings</para> + +<para><option>--rsop</option> + Print the Resultant Set of Policy</para> + +<para>Samba Common Options:</para> + +<para><option>-s </option>FILE, <option>--configfile</option>=<emphasis remap="I">FILE</emphasis> + Configuration file</para> + +<para><option>-d </option>DEBUGLEVEL, <option>--debuglevel</option>=<emphasis remap="I">DEBUGLEVEL</emphasis> + debug level</para> + +<para><option>--option</option>=<emphasis remap="I">OPTION</emphasis> + set smb.conf option from command line</para> + +<para><option>--realm</option>=<emphasis remap="I">REALM</emphasis> + set the realm name</para> + +<para>Version Options:</para> + +<para><option>-V</option>, <option>--version</option> + Display version number</para> + +<para>Credentials Options:</para> + +<para><option>--simple-bind-dn</option>=<emphasis remap="I">DN</emphasis> + DN to use for a simple bind</para> + +<para><option>--password</option>=<emphasis remap="I">PASSWORD</emphasis> + Password</para> + +<para><option>-U </option>USERNAME, <option>--username</option>=<emphasis remap="I">USERNAME</emphasis> + Username</para> + +<para><option>-W </option>WORKGROUP, <option>--workgroup</option>=<emphasis 
remap="I">WORKGROUP</emphasis> + Workgroup</para> + +<para><option>-N</option>, <option>--no-pass</option> + Don't ask for a password</para> + +<para><option>-k </option>KERBEROS, <option>--kerberos</option>=<emphasis remap="I">KERBEROS</emphasis> + Use Kerberos</para> + +<para><option>--ipaddress</option>=<emphasis remap="I">IPADDRESS</emphasis> + IP address of server</para> + +<para><option>-P</option>, <option>--machine-pass</option> + Use stored machine account password</para> + +</refsect1> + +<refsect1> + <title>AUTHOR</title> + <para>The original Samba software and related utilities were + created by Andrew Tridgell. Samba is now developed by the + Samba Team as an Open Source project similar to the way the + Linux kernel is developed.</para> +</refsect1> + +</refentry> diff --git a/source4/scripting/wscript_build b/source4/scripting/wscript_build new file mode 100644 index 0000000..6728dec --- /dev/null +++ b/source4/scripting/wscript_build @@ -0,0 +1,24 @@ +#!/usr/bin/env python + +from samba_utils import MODE_755 + +sbin_files = '' +if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): + sbin_files = 'bin/samba_downgrade_db bin/samba_dnsupdate bin/samba_spnupdate bin/samba_upgradedns bin/samba_kcc ' +if not bld.env.disable_python: + sbin_files += 'bin/samba-gpupdate' + man_files = 'man/samba-gpupdate.8' + +if sbin_files: + bld.INSTALL_FILES('${SBINDIR}', + sbin_files, + chmod=MODE_755, python_fixup=True, flat=True) + if 'XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']: + bld.MANPAGES(man_files, True) + +if bld.CONFIG_SET('WITH_ADS'): + bld.INSTALL_FILES('${BINDIR}', + 'bin/samba-tool', + chmod=MODE_755, python_fixup=True, flat=True) + +bld.RECURSE('bin') |
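Review bot: `man_files` is only assigned inside `if not bld.env.disable_python:`, yet `bld.MANPAGES(man_files, True)` is reached whenever `sbin_files` is non-empty and xsltproc is available, so an AD DC build with Python disabled (if that configuration is reachable) would fail with a NameError while reading the build description. Initialise it next to `sbin_files` with `man_files = ''` and guard the call with `if man_files and 'XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']:`.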