
(-)samba4-4.0.0~alpha17~git201110100928.orig/source4/scripting/python/samba/join.py (-8 / +50 lines)
 Lines 50-62    Link Here 
50
50
51
    def __init__(ctx, server=None, creds=None, lp=None, site=None,
51
    def __init__(ctx, server=None, creds=None, lp=None, site=None,
52
            netbios_name=None, targetdir=None, domain=None,
52
            netbios_name=None, targetdir=None, domain=None,
53
            machinepass=None):
53
            machinepass=None, promote_existing=False):
54
        ctx.creds = creds
54
        ctx.creds = creds
55
        ctx.lp = lp
55
        ctx.lp = lp
56
        ctx.site = site
56
        ctx.site = site
57
        ctx.netbios_name = netbios_name
57
        ctx.netbios_name = netbios_name
58
        ctx.targetdir = targetdir
58
        ctx.targetdir = targetdir
59
59
60
        ctx.promote_existing = promote_existing
61
        ctx.promote_from_dn = None
62
60
        ctx.creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
63
        ctx.creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
61
        ctx.net = Net(creds=ctx.creds, lp=ctx.lp)
64
        ctx.net = Net(creds=ctx.creds, lp=ctx.lp)
62
65
 Lines 198-203    Link Here 
198
        except Exception:
201
        except Exception:
199
            pass
202
            pass
200
203
204
    def promote_possible(ctx):
205
        '''confirm that the account is just a bare NT4 BDC or a member server, so can be safely promoted'''
206
        if ctx.subdomain:
207
            # This shouldn't happen
208
            raise Exception("Can not promote into a subdomain")
209
210
        res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
211
                               expression='sAMAccountName=%s' % ldb.binary_encode(ctx.samname),
212
                               attrs=["msDS-krbTgtLink", "userAccountControl", "serverReferenceBL", "rIDSetReferences"])
213
        if len(res) == 0:
214
            raise Exception("Could not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'" % ctx.samname)
215
        if "msDS-krbTgtLink" in res[0] or "serverReferenceBL" in res[0] or "rIDSetReferences" in res[0]:
216
            raise Exception("Account '%s' appears to be an active DC, use 'samba-tool domain join' if you must re-create this account" % ctx.samname)
217
        if (int(res[0]["userAccountControl"][0]) & (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT|samba.dsdb.UF_SERVER_TRUST_ACCOUNT) == 0):
218
            raise Exception("Account %s is not a domain member or a bare NT4 BDC, use 'samba-tool domain join' instead'" % ctx.samname)
219
        
220
        ctx.promote_from_dn = res[0].dn
221
222
201
    def find_dc(ctx, domain):
223
    def find_dc(ctx, domain):
202
        '''find a writeable DC for the given domain'''
224
        '''find a writeable DC for the given domain'''
203
        try:
225
        try:
 Lines 431-443    Link Here 
431
                "dnshostname" : ctx.dnshostname}
453
                "dnshostname" : ctx.dnshostname}
432
            if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2008:
454
            if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2008:
433
                rec['msDS-SupportedEncryptionTypes'] = str(samba.dsdb.ENC_ALL_TYPES)
455
                rec['msDS-SupportedEncryptionTypes'] = str(samba.dsdb.ENC_ALL_TYPES)
456
            elif ctx.promote_existing:
457
                rec['msDS-SupportedEncryptionTypes'] = []
434
            if ctx.managedby:
458
            if ctx.managedby:
435
                rec["managedby"] = ctx.managedby
459
                rec["managedby"] = ctx.managedby
460
            elif ctx.promote_existing:
461
                rec["managedby"] = []
462
436
            if ctx.never_reveal_sid:
463
            if ctx.never_reveal_sid:
437
                rec["msDS-NeverRevealGroup"] = ctx.never_reveal_sid
464
                rec["msDS-NeverRevealGroup"] = ctx.never_reveal_sid
465
            elif ctx.promote_existing:
466
                rec["msDS-NeverRevealGroup"] = []
467
                
438
            if ctx.reveal_sid:
468
            if ctx.reveal_sid:
439
                rec["msDS-RevealOnDemandGroup"] = ctx.reveal_sid
469
                rec["msDS-RevealOnDemandGroup"] = ctx.reveal_sid
440
            ctx.samdb.add(rec)
470
            elif ctx.promote_existing:
471
                rec["msDS-RevealOnDemandGroup"] = []
472
473
            if ctx.promote_existing:
474
                if ctx.promote_from_dn != ctx.acct_dn:
475
                    ctx.samdb.rename(ctx.promote_from_dn, ctx.acct_dn)
476
                ctx.samdb.modify(ldb.Message.from_dict(ctx.samdb, rec, ldb.FLAG_MOD_REPLACE))
477
            else:
478
                ctx.samdb.add(rec)
441
479
442
        if ctx.krbtgt_dn:
480
        if ctx.krbtgt_dn:
443
            ctx.add_krbtgt_account()
481
            ctx.add_krbtgt_account()
 Lines 491-497    Link Here 
491
            for i in range(len(ctx.SPNs)):
529
            for i in range(len(ctx.SPNs)):
492
                ctx.SPNs[i] = ctx.SPNs[i].replace("$NTDSGUID", str(ctx.ntds_guid))
530
                ctx.SPNs[i] = ctx.SPNs[i].replace("$NTDSGUID", str(ctx.ntds_guid))
493
            m["servicePrincipalName"] = ldb.MessageElement(ctx.SPNs,
531
            m["servicePrincipalName"] = ldb.MessageElement(ctx.SPNs,
494
                                                           ldb.FLAG_MOD_ADD,
532
                                                           ldb.FLAG_MOD_REPLACE,
495
                                                           "servicePrincipalName")
533
                                                           "servicePrincipalName")
496
            ctx.samdb.modify(m)
534
            ctx.samdb.modify(m)
497
535
 Lines 828-834    Link Here 
828
866
829
867
830
    def do_join(ctx):
868
    def do_join(ctx):
831
        ctx.cleanup_old_join()
869
        if ctx.promote_existing:
870
            ctx.promote_possible()
871
        else:
872
            ctx.cleanup_old_join()
873
832
        try:
874
        try:
833
            ctx.join_add_objects()
875
            ctx.join_add_objects()
834
            ctx.join_provision()
876
            ctx.join_provision()
 Lines 846-856    Link Here 
846
888
847
def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None,
889
def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None,
848
              targetdir=None, domain=None, domain_critical_only=False,
890
              targetdir=None, domain=None, domain_critical_only=False,
849
              machinepass=None):
891
              machinepass=None, promote_existing=False):
850
    """join as a RODC"""
892
    """join as a RODC"""
851
893
852
    ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain,
894
    ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain,
853
                  machinepass)
895
                  machinepass, promote_existing)
854
896
855
    lp.set("workgroup", ctx.domain_name)
897
    lp.set("workgroup", ctx.domain_name)
856
    print("workgroup is %s" % ctx.domain_name)
898
    print("workgroup is %s" % ctx.domain_name)
 Lines 900-909    Link Here 
900
942
901
def join_DC(server=None, creds=None, lp=None, site=None, netbios_name=None,
943
def join_DC(server=None, creds=None, lp=None, site=None, netbios_name=None,
902
            targetdir=None, domain=None, domain_critical_only=False,
944
            targetdir=None, domain=None, domain_critical_only=False,
903
            machinepass=None):
945
            machinepass=None, promote_existing=False):
904
    """join as a DC"""
946
    """join as a DC"""
905
    ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain,
947
    ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain,
906
                  machinepass)
948
                  machinepass, promote_existing)
907
949
908
    lp.set("workgroup", ctx.domain_name)
950
    lp.set("workgroup", ctx.domain_name)
909
    print("workgroup is %s" % ctx.domain_name)
951
    print("workgroup is %s" % ctx.domain_name)
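Review bot: Nothing in the promote branch of the hunk at lines 431-443 undoes `ctx.samdb.rename(ctx.promote_from_dn, ctx.acct_dn)` when the following `ctx.samdb.modify(...)` fails, so a rejected promotion can leave the existing machine account moved to the new DN with its old attributes. The modify should be guarded so that the account is renamed back before the error propagates, as sketched below. The enclosing method starts and ends outside the hunk, and the `try` in do_join also continues outside its hunk. If that failure path runs cleanup_old_join(), a half-promoted account would presumably be deleted rather than restored, which is worth confirming for the promote case.

```python
            if ctx.promote_existing:
                renamed = ctx.promote_from_dn != ctx.acct_dn
                if renamed:
                    ctx.samdb.rename(ctx.promote_from_dn, ctx.acct_dn)
                try:
                    ctx.samdb.modify(ldb.Message.from_dict(ctx.samdb, rec, ldb.FLAG_MOD_REPLACE))
                except Exception:
                    # put the account back where it was found before re-raising
                    if renamed:
                        ctx.samdb.rename(ctx.acct_dn, ctx.promote_from_dn)
                    raise
            else:
                ctx.samdb.add(rec)
```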
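--- a/samba4-4.0.0~alpha17~git201110100928.orig/source4/scripting/python/samba/netcmd/domain.py
+++ b/samba4-4.0.0~alpha17~git201110100928.orig/source4/scripting/python/samba/netcmd/domain.py
@@ -76,6 +76,72 @@
 
 
 
+class cmd_domain_dcpromo(Command):
+    """Promotes an existing domain member or NT4 PDC to an AD DC"""
+
+    synopsis = "%prog <dnsdomain> [DC|RODC] [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "versionopts": options.VersionOptions,
+        "credopts": options.CredentialsOptions,
+    }
+
+    takes_options = [
+        Option("--server", help="DC to join", type=str),
+        Option("--site", help="site to join", type=str),
+        Option("--targetdir", help="where to store provision", type=str),
+        Option("--domain-critical-only",
+               help="only replicate critical domain objects",
+               action="store_true"),
+        Option("--machinepass", type=str, metavar="PASSWORD",
+               help="choose machine password (otherwise random)"),
+        Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
+               action="store_true"),
+        Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
+               choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"],
+               help="The DNS server backend. SAMBA_INTERNAL is the builtin name server, " \
+                   "BIND9_DLZ uses samba4 AD to store zone information (default), " \
+                   "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
+               default="BIND9_DLZ")
+       ]
+
+    takes_args = ["domain", "role?"]
+
+    def run(self, domain, role=None, sambaopts=None, credopts=None,
+            versionopts=None, server=None, site=None, targetdir=None,
+            domain_critical_only=False, parent_domain=None, machinepass=None,
+            use_ntvfs=False, dns_backend=None):
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp)
+        net = Net(creds, lp, server=credopts.ipaddress)
+
+        if site is None:
+            site = "Default-First-Site-Name"
+
+        netbios_name = lp.get("netbios name")
+
+        if not role is None:
+            role = role.upper()
+
+        if role == "DC":
+            join_DC(server=server, creds=creds, lp=lp, domain=domain,
+                    site=site, netbios_name=netbios_name, targetdir=targetdir,
+                    domain_critical_only=domain_critical_only,
+                    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend, 
+                    promote_existing=True)
+            return
+        elif role == "RODC":
+            join_RODC(server=server, creds=creds, lp=lp, domain=domain,
+                      site=site, netbios_name=netbios_name, targetdir=targetdir,
+                      domain_critical_only=domain_critical_only,
+                      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend,
+                      promote_existing=True)
+            return
+        else:
+            raise CommandError("Invalid role '%s' (possible values: DC, RODC)" % role)
+
+
 class cmd_domain_join(Command):
     """Joins domain as either member or backup domain controller *"""
 
@@ -642,6 +708,7 @@
     subcommands = {}
     subcommands["exportkeytab"] = cmd_domain_export_keytab()
     subcommands["join"] = cmd_domain_join()
+    subcommands["dcpromo"] = cmd_domain_dcpromo()
     subcommands["level"] = cmd_domain_level()
     subcommands["machinepassword"] = cmd_domain_machinepassword()
     subcommands["passwordsettings"] = cmd_domain_passwordsettings()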
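Review bot: `run` in cmd_domain_dcpromo passes `use_ntvfs=use_ntvfs, dns_backend=dns_backend` to join_DC and join_RODC, but the signatures shown in the join.py part of this patch accept neither keyword, so both role branches would raise TypeError before any join work starts unless another change extends those functions. Either drop the two arguments together with the `--use-ntvfs` and `--dns-backend` options, or add the parameters to join_DC and join_RODC in the same patch. `net` and `parent_domain` are unused in `run`, and the class docstring says "NT4 PDC" where promote_possible's docstring and messages speak of a bare NT4 BDC. `--machinepass` takes the machine password as a command-line argument, where it is typically readable by other local users in the process list; the help text could say so, or the option could be dropped for a promotion in favour of the random default.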
