Attachment #4523 for bug #27027

Lines 50-62 Link Here

(-)samba4-4.0.0~alpha17~git201110100928.orig/source4/scripting/python/samba/join.py (-8 / +50 lines)
50		50
51	def __init__(ctx, server=None, creds=None, lp=None, site=None,	51	def __init__(ctx, server=None, creds=None, lp=None, site=None,
52	netbios_name=None, targetdir=None, domain=None,	52	netbios_name=None, targetdir=None, domain=None,
53	machinepass=None):	53	machinepass=None, promote_existing=False):
54	ctx.creds = creds	54	ctx.creds = creds
55	ctx.lp = lp	55	ctx.lp = lp
56	ctx.site = site	56	ctx.site = site
57	ctx.netbios_name = netbios_name	57	ctx.netbios_name = netbios_name
58	ctx.targetdir = targetdir	58	ctx.targetdir = targetdir
59		59
		60	ctx.promote_existing = promote_existing
		61	ctx.promote_from_dn = None
		62
60	ctx.creds.set_gensec_features(creds.get_gensec_features() \| gensec.FEATURE_SEAL)	63	ctx.creds.set_gensec_features(creds.get_gensec_features() \| gensec.FEATURE_SEAL)
61	ctx.net = Net(creds=ctx.creds, lp=ctx.lp)	64	ctx.net = Net(creds=ctx.creds, lp=ctx.lp)
62		65
Lines 198-203 Link Here
198	except Exception:	201	except Exception:
199	pass	202	pass
200		203
		204	def promote_possible(ctx):
		205	'''confirm that the account is just a bare NT4 BDC or a member server, so can be safely promoted'''
		206	if ctx.subdomain:
		207	# This shouldn't happen
		208	raise Exception("Can not promote into a subdomain")
		209
		210	res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
		211	expression='sAMAccountName=%s' % ldb.binary_encode(ctx.samname),
		212	attrs=["msDS-krbTgtLink", "userAccountControl", "serverReferenceBL", "rIDSetReferences"])
		213	if len(res) == 0:
		214	raise Exception("Could not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'" % ctx.samname)
		215	if "msDS-krbTgtLink" in res[0] or "serverReferenceBL" in res[0] or "rIDSetReferences" in res[0]:
		216	raise Exception("Account '%s' appears to be an active DC, use 'samba-tool domain join' if you must re-create this account" % ctx.samname)
		217	if (int(res[0]["userAccountControl"][0]) & (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT\|samba.dsdb.UF_SERVER_TRUST_ACCOUNT) == 0):
		218	raise Exception("Account %s is not a domain member or a bare NT4 BDC, use 'samba-tool domain join' instead'" % ctx.samname)
		219
		220	ctx.promote_from_dn = res[0].dn
		221
		222
201	def find_dc(ctx, domain):	223	def find_dc(ctx, domain):
202	'''find a writeable DC for the given domain'''	224	'''find a writeable DC for the given domain'''
203	try:	225	try:
Lines 431-443 Link Here
431	"dnshostname" : ctx.dnshostname}	453	"dnshostname" : ctx.dnshostname}
432	if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2008:	454	if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2008:
433	rec['msDS-SupportedEncryptionTypes'] = str(samba.dsdb.ENC_ALL_TYPES)	455	rec['msDS-SupportedEncryptionTypes'] = str(samba.dsdb.ENC_ALL_TYPES)
		456	elif ctx.promote_existing:
		457	rec['msDS-SupportedEncryptionTypes'] = []
434	if ctx.managedby:	458	if ctx.managedby:
435	rec["managedby"] = ctx.managedby	459	rec["managedby"] = ctx.managedby
		460	elif ctx.promote_existing:
		461	rec["managedby"] = []
		462
436	if ctx.never_reveal_sid:	463	if ctx.never_reveal_sid:
437	rec["msDS-NeverRevealGroup"] = ctx.never_reveal_sid	464	rec["msDS-NeverRevealGroup"] = ctx.never_reveal_sid
		465	elif ctx.promote_existing:
		466	rec["msDS-NeverRevealGroup"] = []
		467
438	if ctx.reveal_sid:	468	if ctx.reveal_sid:
439	rec["msDS-RevealOnDemandGroup"] = ctx.reveal_sid	469	rec["msDS-RevealOnDemandGroup"] = ctx.reveal_sid
440	ctx.samdb.add(rec)	470	elif ctx.promote_existing:
		471	rec["msDS-RevealOnDemandGroup"] = []
		472
		473	if ctx.promote_existing:
		474	if ctx.promote_from_dn != ctx.acct_dn:
		475	ctx.samdb.rename(ctx.promote_from_dn, ctx.acct_dn)
		476	ctx.samdb.modify(ldb.Message.from_dict(ctx.samdb, rec, ldb.FLAG_MOD_REPLACE))
		477	else:
		478	ctx.samdb.add(rec)
441		479
442	if ctx.krbtgt_dn:	480	if ctx.krbtgt_dn:
443	ctx.add_krbtgt_account()	481	ctx.add_krbtgt_account()
Lines 491-497 Link Here
491	for i in range(len(ctx.SPNs)):	529	for i in range(len(ctx.SPNs)):
492	ctx.SPNs[i] = ctx.SPNs[i].replace("$NTDSGUID", str(ctx.ntds_guid))	530	ctx.SPNs[i] = ctx.SPNs[i].replace("$NTDSGUID", str(ctx.ntds_guid))
493	m["servicePrincipalName"] = ldb.MessageElement(ctx.SPNs,	531	m["servicePrincipalName"] = ldb.MessageElement(ctx.SPNs,
494	ldb.FLAG_MOD_ADD,	532	ldb.FLAG_MOD_REPLACE,
495	"servicePrincipalName")	533	"servicePrincipalName")
496	ctx.samdb.modify(m)	534	ctx.samdb.modify(m)
497		535
Lines 828-834 Link Here
828		866
829		867
830	def do_join(ctx):	868	def do_join(ctx):
831	ctx.cleanup_old_join()	869	if ctx.promote_existing:
		870	ctx.promote_possible()
		871	else:
		872	ctx.cleanup_old_join()
		873
832	try:	874	try:
833	ctx.join_add_objects()	875	ctx.join_add_objects()
834	ctx.join_provision()	876	ctx.join_provision()
Lines 846-856 Link Here
846		888
847	def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None,	889	def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None,
848	targetdir=None, domain=None, domain_critical_only=False,	890	targetdir=None, domain=None, domain_critical_only=False,
849	machinepass=None):	891	machinepass=None, promote_existing=False):
850	"""join as a RODC"""	892	"""join as a RODC"""
851		893
852	ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain,	894	ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain,
853	machinepass)	895	machinepass, promote_existing)
854		896
855	lp.set("workgroup", ctx.domain_name)	897	lp.set("workgroup", ctx.domain_name)
856	print("workgroup is %s" % ctx.domain_name)	898	print("workgroup is %s" % ctx.domain_name)
Lines 900-909 Link Here
900		942
901	def join_DC(server=None, creds=None, lp=None, site=None, netbios_name=None,	943	def join_DC(server=None, creds=None, lp=None, site=None, netbios_name=None,
902	targetdir=None, domain=None, domain_critical_only=False,	944	targetdir=None, domain=None, domain_critical_only=False,
903	machinepass=None):	945	machinepass=None, promote_existing=False):
904	"""join as a DC"""	946	"""join as a DC"""
905	ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain,	947	ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain,
906	machinepass)	948	machinepass, promote_existing)
907		949
908	lp.set("workgroup", ctx.domain_name)	950	lp.set("workgroup", ctx.domain_name)
909	print("workgroup is %s" % ctx.domain_name)	951	print("workgroup is %s" % ctx.domain_name)







class cmd_domain_dcpromo(Command):
    """Promotes an existing domain member or NT4 PDC to an AD DC"""

    synopsis = "%prog <dnsdomain> [DC|RODC] [options]"

    takes_optiongroups = {
        "sambaopts": options.SambaOptions,
        "versionopts": options.VersionOptions,
        "credopts": options.CredentialsOptions,
    }

    takes_options = [
        Option("--server", help="DC to join", type=str),
        Option("--site", help="site to join", type=str),
        Option("--targetdir", help="where to store provision", type=str),
        Option("--domain-critical-only",
               help="only replicate critical domain objects",
               action="store_true"),
        Option("--machinepass", type=str, metavar="PASSWORD",
               help="choose machine password (otherwise random)"),
        Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
               action="store_true"),
        Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
               choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"],
               help="The DNS server backend. SAMBA_INTERNAL is the builtin name server, " \
                   "BIND9_DLZ uses samba4 AD to store zone information (default), " \
                   "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
               default="BIND9_DLZ")
       ]

    takes_args = ["domain", "role?"]

    def run(self, domain, role=None, sambaopts=None, credopts=None,
            versionopts=None, server=None, site=None, targetdir=None,
            domain_critical_only=False, parent_domain=None, machinepass=None,
            use_ntvfs=False, dns_backend=None):
        lp = sambaopts.get_loadparm()
        creds = credopts.get_credentials(lp)
        net = Net(creds, lp, server=credopts.ipaddress)

        if site is None:
            site = "Default-First-Site-Name"

        netbios_name = lp.get("netbios name")

        if not role is None:
            role = role.upper()

        if role == "DC":
            join_DC(server=server, creds=creds, lp=lp, domain=domain,
                    site=site, netbios_name=netbios_name, targetdir=targetdir,
                    domain_critical_only=domain_critical_only,
                    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend, 
                    promote_existing=True)
            return
        elif role == "RODC":
            join_RODC(server=server, creds=creds, lp=lp, domain=domain,
                      site=site, netbios_name=netbios_name, targetdir=targetdir,
                      domain_critical_only=domain_critical_only,
                      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend,
                      promote_existing=True)
            return
        else:
            raise CommandError("Invalid role '%s' (possible values: DC, RODC)" % role)


class cmd_domain_join(Command):
    """Joins domain as either member or backup domain controller *"""


    subcommands = {}
    subcommands["exportkeytab"] = cmd_domain_export_keytab()
    subcommands["join"] = cmd_domain_join()
    subcommands["dcpromo"] = cmd_domain_dcpromo()
    subcommands["level"] = cmd_domain_level()
    subcommands["machinepassword"] = cmd_domain_machinepassword()
    subcommands["passwordsettings"] = cmd_domain_passwordsettings()

Return to bug 27027

Lines 76-81 Link Here

(-)samba4-4.0.0~alpha17~git201110100928.orig/source4/scripting/python/samba/netcmd/domain.py (+67 lines)
76		76
77		77
78		78
		79	class cmd_domain_dcpromo(Command):
		80	"""Promotes an existing domain member or NT4 PDC to an AD DC"""
		81
		82	synopsis = "%prog <dnsdomain> [DC\|RODC] [options]"
		83
		84	takes_optiongroups = {
		85	"sambaopts": options.SambaOptions,
		86	"versionopts": options.VersionOptions,
		87	"credopts": options.CredentialsOptions,
		88	}
		89
		90	takes_options = [
		91	Option("--server", help="DC to join", type=str),
		92	Option("--site", help="site to join", type=str),
		93	Option("--targetdir", help="where to store provision", type=str),
		94	Option("--domain-critical-only",
		95	help="only replicate critical domain objects",
		96	action="store_true"),
		97	Option("--machinepass", type=str, metavar="PASSWORD",
		98	help="choose machine password (otherwise random)"),
		99	Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
		100	action="store_true"),
		101	Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
		102	choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"],
		103	help="The DNS server backend. SAMBA_INTERNAL is the builtin name server, " \
		104	"BIND9_DLZ uses samba4 AD to store zone information (default), " \
		105	"NONE skips the DNS setup entirely (this DC will not be a DNS server)",
		106	default="BIND9_DLZ")
		107	]
		108
		109	takes_args = ["domain", "role?"]
		110
		111	def run(self, domain, role=None, sambaopts=None, credopts=None,
		112	versionopts=None, server=None, site=None, targetdir=None,
		113	domain_critical_only=False, parent_domain=None, machinepass=None,
		114	use_ntvfs=False, dns_backend=None):
		115	lp = sambaopts.get_loadparm()
		116	creds = credopts.get_credentials(lp)
		117	net = Net(creds, lp, server=credopts.ipaddress)
		118
		119	if site is None:
		120	site = "Default-First-Site-Name"
		121
		122	netbios_name = lp.get("netbios name")
		123
		124	if not role is None:
		125	role = role.upper()
		126
		127	if role == "DC":
		128	join_DC(server=server, creds=creds, lp=lp, domain=domain,
		129	site=site, netbios_name=netbios_name, targetdir=targetdir,
		130	domain_critical_only=domain_critical_only,
		131	machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend,
		132	promote_existing=True)
		133	return
		134	elif role == "RODC":
		135	join_RODC(server=server, creds=creds, lp=lp, domain=domain,
		136	site=site, netbios_name=netbios_name, targetdir=targetdir,
		137	domain_critical_only=domain_critical_only,
		138	machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend,
		139	promote_existing=True)
		140	return
		141	else:
		142	raise CommandError("Invalid role '%s' (possible values: DC, RODC)" % role)
143
144
79	class cmd_domain_join(Command):	145	class cmd_domain_join(Command):
80	"""Joins domain as either member or backup domain controller *"""	146	"""Joins domain as either member or backup domain controller *"""
81		147
Lines 642-647 Link Here
642	subcommands = {}	708	subcommands = {}
643	subcommands["exportkeytab"] = cmd_domain_export_keytab()	709	subcommands["exportkeytab"] = cmd_domain_export_keytab()
644	subcommands["join"] = cmd_domain_join()	710	subcommands["join"] = cmd_domain_join()
		711	subcommands["dcpromo"] = cmd_domain_dcpromo()
645	subcommands["level"] = cmd_domain_level()	712	subcommands["level"] = cmd_domain_level()
646	subcommands["machinepassword"] = cmd_domain_machinepassword()	713	subcommands["machinepassword"] = cmd_domain_machinepassword()
647	subcommands["passwordsettings"] = cmd_domain_passwordsettings()	714	subcommands["passwordsettings"] = cmd_domain_passwordsettings()