|
50 |
|
50 |
|
51 |
def __init__(ctx, server=None, creds=None, lp=None, site=None, |
51 |
def __init__(ctx, server=None, creds=None, lp=None, site=None, |
52 |
netbios_name=None, targetdir=None, domain=None, |
52 |
netbios_name=None, targetdir=None, domain=None, |
53 |
machinepass=None): |
53 |
machinepass=None, promote_existing=False): |
54 |
ctx.creds = creds |
54 |
ctx.creds = creds |
55 |
ctx.lp = lp |
55 |
ctx.lp = lp |
56 |
ctx.site = site |
56 |
ctx.site = site |
57 |
ctx.netbios_name = netbios_name |
57 |
ctx.netbios_name = netbios_name |
58 |
ctx.targetdir = targetdir |
58 |
ctx.targetdir = targetdir |
59 |
|
59 |
|
|
|
60 |
ctx.promote_existing = promote_existing |
61 |
ctx.promote_from_dn = None |
62 |
|
60 |
ctx.creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) |
63 |
ctx.creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) |
61 |
ctx.net = Net(creds=ctx.creds, lp=ctx.lp) |
64 |
ctx.net = Net(creds=ctx.creds, lp=ctx.lp) |
62 |
|
65 |
|
|
198 |
except Exception: |
201 |
except Exception: |
199 |
pass |
202 |
pass |
200 |
|
203 |
|
|
|
204 |
def promote_possible(ctx): |
205 |
'''confirm that the account is just a bare NT4 BDC or a member server, so can be safely promoted''' |
206 |
if ctx.subdomain: |
207 |
# This shouldn't happen |
208 |
raise Exception("Can not promote into a subdomain") |
209 |
|
210 |
res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(), |
211 |
expression='sAMAccountName=%s' % ldb.binary_encode(ctx.samname), |
212 |
attrs=["msDS-krbTgtLink", "userAccountControl", "serverReferenceBL", "rIDSetReferences"]) |
213 |
if len(res) == 0: |
214 |
raise Exception("Could not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'" % ctx.samname) |
215 |
if "msDS-krbTgtLink" in res[0] or "serverReferenceBL" in res[0] or "rIDSetReferences" in res[0]: |
216 |
raise Exception("Account '%s' appears to be an active DC, use 'samba-tool domain join' if you must re-create this account" % ctx.samname) |
217 |
if (int(res[0]["userAccountControl"][0]) & (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT|samba.dsdb.UF_SERVER_TRUST_ACCOUNT) == 0): |
218 |
raise Exception("Account %s is not a domain member or a bare NT4 BDC, use 'samba-tool domain join' instead'" % ctx.samname) |
219 |
|
220 |
ctx.promote_from_dn = res[0].dn |
221 |
|
222 |
|
201 |
def find_dc(ctx, domain): |
223 |
def find_dc(ctx, domain): |
202 |
'''find a writeable DC for the given domain''' |
224 |
'''find a writeable DC for the given domain''' |
203 |
try: |
225 |
try: |
|
431 |
"dnshostname" : ctx.dnshostname} |
453 |
"dnshostname" : ctx.dnshostname} |
432 |
if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2008: |
454 |
if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2008: |
433 |
rec['msDS-SupportedEncryptionTypes'] = str(samba.dsdb.ENC_ALL_TYPES) |
455 |
rec['msDS-SupportedEncryptionTypes'] = str(samba.dsdb.ENC_ALL_TYPES) |
|
|
456 |
elif ctx.promote_existing: |
457 |
rec['msDS-SupportedEncryptionTypes'] = [] |
434 |
if ctx.managedby: |
458 |
if ctx.managedby: |
435 |
rec["managedby"] = ctx.managedby |
459 |
rec["managedby"] = ctx.managedby |
|
|
460 |
elif ctx.promote_existing: |
461 |
rec["managedby"] = [] |
462 |
|
436 |
if ctx.never_reveal_sid: |
463 |
if ctx.never_reveal_sid: |
437 |
rec["msDS-NeverRevealGroup"] = ctx.never_reveal_sid |
464 |
rec["msDS-NeverRevealGroup"] = ctx.never_reveal_sid |
|
|
465 |
elif ctx.promote_existing: |
466 |
rec["msDS-NeverRevealGroup"] = [] |
467 |
|
438 |
if ctx.reveal_sid: |
468 |
if ctx.reveal_sid: |
439 |
rec["msDS-RevealOnDemandGroup"] = ctx.reveal_sid |
469 |
rec["msDS-RevealOnDemandGroup"] = ctx.reveal_sid |
440 |
ctx.samdb.add(rec) |
470 |
elif ctx.promote_existing: |
|
|
471 |
rec["msDS-RevealOnDemandGroup"] = [] |
472 |
|
473 |
if ctx.promote_existing: |
474 |
if ctx.promote_from_dn != ctx.acct_dn: |
475 |
ctx.samdb.rename(ctx.promote_from_dn, ctx.acct_dn) |
476 |
ctx.samdb.modify(ldb.Message.from_dict(ctx.samdb, rec, ldb.FLAG_MOD_REPLACE)) |
477 |
else: |
478 |
ctx.samdb.add(rec) |
441 |
|
479 |
|
442 |
if ctx.krbtgt_dn: |
480 |
if ctx.krbtgt_dn: |
443 |
ctx.add_krbtgt_account() |
481 |
ctx.add_krbtgt_account() |
|
491 |
for i in range(len(ctx.SPNs)): |
529 |
for i in range(len(ctx.SPNs)): |
492 |
ctx.SPNs[i] = ctx.SPNs[i].replace("$NTDSGUID", str(ctx.ntds_guid)) |
530 |
ctx.SPNs[i] = ctx.SPNs[i].replace("$NTDSGUID", str(ctx.ntds_guid)) |
493 |
m["servicePrincipalName"] = ldb.MessageElement(ctx.SPNs, |
531 |
m["servicePrincipalName"] = ldb.MessageElement(ctx.SPNs, |
494 |
ldb.FLAG_MOD_ADD, |
532 |
ldb.FLAG_MOD_REPLACE, |
495 |
"servicePrincipalName") |
533 |
"servicePrincipalName") |
496 |
ctx.samdb.modify(m) |
534 |
ctx.samdb.modify(m) |
497 |
|
535 |
|
|
828 |
|
866 |
|
829 |
|
867 |
|
830 |
def do_join(ctx): |
868 |
def do_join(ctx): |
831 |
ctx.cleanup_old_join() |
869 |
if ctx.promote_existing: |
|
|
870 |
ctx.promote_possible() |
871 |
else: |
872 |
ctx.cleanup_old_join() |
873 |
|
832 |
try: |
874 |
try: |
833 |
ctx.join_add_objects() |
875 |
ctx.join_add_objects() |
834 |
ctx.join_provision() |
876 |
ctx.join_provision() |
|
846 |
|
888 |
|
847 |
def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None, |
889 |
def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None, |
848 |
targetdir=None, domain=None, domain_critical_only=False, |
890 |
targetdir=None, domain=None, domain_critical_only=False, |
849 |
machinepass=None): |
891 |
machinepass=None, promote_existing=False): |
850 |
"""join as a RODC""" |
892 |
"""join as a RODC""" |
851 |
|
893 |
|
852 |
ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain, |
894 |
ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain, |
853 |
machinepass) |
895 |
machinepass, promote_existing) |
854 |
|
896 |
|
855 |
lp.set("workgroup", ctx.domain_name) |
897 |
lp.set("workgroup", ctx.domain_name) |
856 |
print("workgroup is %s" % ctx.domain_name) |
898 |
print("workgroup is %s" % ctx.domain_name) |
|
900 |
|
942 |
|
901 |
def join_DC(server=None, creds=None, lp=None, site=None, netbios_name=None, |
943 |
def join_DC(server=None, creds=None, lp=None, site=None, netbios_name=None, |
902 |
targetdir=None, domain=None, domain_critical_only=False, |
944 |
targetdir=None, domain=None, domain_critical_only=False, |
903 |
machinepass=None): |
945 |
machinepass=None, promote_existing=False): |
904 |
"""join as a DC""" |
946 |
"""join as a DC""" |
905 |
ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain, |
947 |
ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain, |
906 |
machinepass) |
948 |
machinepass, promote_existing) |
907 |
|
949 |
|
908 |
lp.set("workgroup", ctx.domain_name) |
950 |
lp.set("workgroup", ctx.domain_name) |
909 |
print("workgroup is %s" % ctx.domain_name) |
951 |
print("workgroup is %s" % ctx.domain_name) |