# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+"""Helpers used for upgrading between different database formats."""
import os
-import string
import re
import shutil
import samba
from samba import Ldb, version, ntacls
-from samba.dsdb import DS_DOMAIN_FUNCTION_2000
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE
import ldb
-from samba.provision import (ProvisionNames, provision_paths_from_lp,
- getpolicypath, set_gpo_acl, create_gpo_struct,
+from samba.provision import (provision_paths_from_lp,
+ getpolicypath, set_gpos_acl, create_gpo_struct,
FILL_FULL, provision, ProvisioningError,
- setsysvolacl)
-from samba.dcerpc import misc, security, xattr
-from samba.ndr import ndr_unpack
+ setsysvolacl, secretsdb_self_join)
+from samba.dcerpc import xattr
+from samba.dcerpc.misc import SEC_CHAN_BDC
from samba.samdb import SamDB
-# All the ldb related to registry are commented because the path for them is relative
-# in the provisionPath object
-# And so opening them create a file in the current directory which is not what we want
+# All the ldb related to registry are commented because the path for them is
+# relative in the provisionPath object
+# And so opening them create a file in the current directory which is not what
+# we want
# I still keep them commented because I plan soon to make more cleaner
ERROR = -1
SIMPLE = 0x00
PROVISION = 0x08
CHANGEALL = 0xff
-hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1,
- "objectGUID": 1, "uSNCreated": 1,
- "replPropertyMetaData": 1, "uSNChanged": 1,
- "parentGUID": 1, "objectCategory": 1,
- "distinguishedName": 1, "nTMixedDomain": 1,
- "showInAdvancedViewOnly": 1, "instanceType": 1,
- "msDS-Behavior-Version":1, "nextRid":1, "cn": 1,
- "versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1,
- "ntPwdHistory":1, "unicodePwd":1,"dBCSPwd":1,
- "supplementalCredentials":1, "gPCUserExtensionNames":1,
- "gPCMachineExtensionNames":1,"maxPwdAge":1, "secret":1,
- "possibleInferiors":1, "privilege":1,
- "sAMAccountType":1 }
+hashAttrNotCopied = set(["dn", "whenCreated", "whenChanged", "objectGUID",
+ "uSNCreated", "replPropertyMetaData", "uSNChanged", "parentGUID",
+ "objectCategory", "distinguishedName", "nTMixedDomain",
+ "showInAdvancedViewOnly", "instanceType", "msDS-Behavior-Version",
+ "nextRid", "cn", "versionNumber", "lmPwdHistory", "pwdLastSet",
+ "ntPwdHistory", "unicodePwd","dBCSPwd", "supplementalCredentials",
+ "gPCUserExtensionNames", "gPCMachineExtensionNames","maxPwdAge", "secret",
+ "possibleInferiors", "privilege", "sAMAccountType"])
+
class ProvisionLDB(object):
ok = True
try:
self.sam.transaction_cancel()
- except:
+ except Exception:
ok = False
try:
self.secrets.transaction_cancel()
- except:
+ except Exception:
ok = False
try:
self.idmap.transaction_cancel()
- except:
+ except Exception:
ok = False
try:
self.privilege.transaction_cancel()
- except:
+ except Exception:
ok = False
return ok
self.secrets.transaction_prepare_commit()
self.idmap.transaction_prepare_commit()
self.privilege.transaction_prepare_commit()
- except:
+ except Exception:
return self.groupedRollback()
# TO BE DONE
# self.hkcr.transaction_prepare_commit()
self.secrets.transaction_commit()
self.idmap.transaction_commit()
self.privilege.transaction_commit()
- except:
+ except Exception:
return self.groupedRollback()
-
+
# TO BE DONE
# self.hkcr.transaction_commit()
# self.hkcu.transaction_commit()
scope=SCOPE_ONELEVEL, attrs=["cn","displayName"])
names.policyid = str(res[0]["cn"]).replace("{","").replace("}","")
# dc policy guid
- res2 = samdb.search(expression="(displayName=Default Domain Controllers" \
+ res2 = samdb.search(expression="(displayName=Default Domain Controllers"
" Policy)",
base="CN=Policies,CN=System," + str(names.rootdn),
scope=SCOPE_ONELEVEL, attrs=["cn","displayName"])
names.policyid_dc = None
-def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, lp):
- """Get key provision parameters (realm, domain, ...) from a given provision
-
- :param samdb: An LDB object connected to the sam.ldb file
- :param secretsdb: An LDB object connected to the secrets.ldb file
- :param idmapdb: An LDB object connected to the idmap.ldb file
- :param paths: A list of path to provision object
- :param smbconf: Path to the smb.conf file
- :param lp: A LoadParm object
- :return: A list of key provision parameters
- """
- names = ProvisionNames()
- names.adminpass = None
-
- # NT domain, kerberos realm, root dn, domain dn, domain dns name
- names.domain = string.upper(lp.get("workgroup"))
- names.realm = lp.get("realm")
- basedn = "DC=" + names.realm.replace(".",",DC=")
- names.dnsdomain = names.realm.lower()
- names.realm = string.upper(names.realm)
- # netbiosname
- # Get the netbiosname first (could be obtained from smb.conf in theory)
- res = secretsdb.search(expression="(flatname=%s)" % \
- names.domain,base="CN=Primary Domains",
- scope=SCOPE_SUBTREE, attrs=["sAMAccountName"])
- names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
-
- names.smbconf = smbconf
-
- # That's a bit simplistic but it's ok as long as we have only 3
- # partitions
- current = samdb.search(expression="(objectClass=*)",
- base="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext", "schemaNamingContext",
- "configurationNamingContext","rootDomainNamingContext"])
-
- names.configdn = current[0]["configurationNamingContext"]
- configdn = str(names.configdn)
- names.schemadn = current[0]["schemaNamingContext"]
- if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb,
- current[0]["defaultNamingContext"][0]))):
- raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
- "is not the same ..." % (paths.samdb,
- str(current[0]["defaultNamingContext"][0]),
- paths.smbconf, basedn)))
-
- names.domaindn=current[0]["defaultNamingContext"]
- names.rootdn=current[0]["rootDomainNamingContext"]
- # default site name
- res3 = samdb.search(expression="(objectClass=*)",
- base="CN=Sites," + configdn, scope=SCOPE_ONELEVEL, attrs=["cn"])
- names.sitename = str(res3[0]["cn"])
-
- # dns hostname and server dn
- res4 = samdb.search(expression="(CN=%s)" % names.netbiosname,
- base="OU=Domain Controllers,%s" % basedn,
- scope=SCOPE_ONELEVEL, attrs=["dNSHostName"])
- names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain,"")
-
- server_res = samdb.search(expression="serverReference=%s" % res4[0].dn,
- attrs=[], base=configdn)
- names.serverdn = server_res[0].dn
-
- # invocation id/objectguid
- res5 = samdb.search(expression="(objectClass=*)",
- base="CN=NTDS Settings,%s" % str(names.serverdn), scope=SCOPE_BASE,
- attrs=["invocationID", "objectGUID"])
- names.invocation = str(ndr_unpack(misc.GUID, res5[0]["invocationId"][0]))
- names.ntdsguid = str(ndr_unpack(misc.GUID, res5[0]["objectGUID"][0]))
-
- # domain guid/sid
- res6 = samdb.search(expression="(objectClass=*)", base=basedn,
- scope=SCOPE_BASE, attrs=["objectGUID",
- "objectSid","msDS-Behavior-Version" ])
- names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
- names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
- if res6[0].get("msDS-Behavior-Version") is None or \
- int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
- names.domainlevel = DS_DOMAIN_FUNCTION_2000
- else:
- names.domainlevel = int(res6[0]["msDS-Behavior-Version"][0])
-
- # policy guid
- res7 = samdb.search(expression="(displayName=Default Domain Policy)",
- base="CN=Policies,CN=System," + basedn,
- scope=SCOPE_ONELEVEL, attrs=["cn","displayName"])
- names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
- # dc policy guid
- res8 = samdb.search(expression="(displayName=Default Domain Controllers" \
- " Policy)",
- base="CN=Policies,CN=System," + basedn,
- scope=SCOPE_ONELEVEL, attrs=["cn","displayName"])
- if len(res8) == 1:
- names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
- else:
- names.policyid_dc = None
- res9 = idmapdb.search(expression="(cn=%s)" % \
- (security.SID_BUILTIN_ADMINISTRATORS),
- attrs=["xidNumber"])
- if len(res9) == 1:
- names.wheel_gid = res9[0]["xidNumber"]
- else:
- raise ProvisioningError("Unable to find uid/gid for Domain Admins rid")
- return names
-
-
-def newprovision(names, setup_dir, creds, session, smbconf, provdir, logger):
+def newprovision(names, creds, session, smbconf, provdir, logger):
"""Create a new provision.
This provision will be the reference for knowing what has changed in the
since the latest upgrade in the current provision
:param names: List of provision parameters
- :param setup_dis: Directory where the setup files are stored
:param creds: Credentials for the authentification
:param session: Session object
:param smbconf: Path to the smb.conf file
:param provdir: Directory where the provision will be stored
- :param logger: A `Logger`
+ :param logger: A Logger
"""
if os.path.isdir(provdir):
shutil.rmtree(provdir)
- os.chdir(os.path.join(setup_dir,".."))
os.mkdir(provdir)
logger.info("Provision stored in %s", provdir)
- provision(setup_dir, logger, session, creds, smbconf=smbconf,
+ provision(logger, session, creds, smbconf=smbconf,
targetdir=provdir, samdb_fill=FILL_FULL, realm=names.realm,
domain=names.domain, domainguid=names.domainguid,
domainsid=str(names.domainsid), ntdsguid=names.ntdsguid,
policyguid=names.policyid, policyguid_dc=names.policyid_dc,
- hostname=names.netbiosname, hostip=None, hostip6=None,
+ hostname=names.netbiosname.lower(), hostip=None, hostip6=None,
invocationid=names.invocation, adminpass=names.adminpass,
krbtgtpass=None, machinepass=None, dnspass=None, root=None,
nobody=None, wheel=None, users=None,
:param dn: DN of the object to manipulate
"""
(before, after) = str(dn).split('=', 1)
- ldbobj.rename(dn, ldb.Dn(ldbobj, "%s=foo%s" % (before, after)))
- ldbobj.rename(ldb.Dn(ldbobj, "%s=foo%s" % (before, after)), dn)
+ # we need to use relax to avoid the subtree_rename constraints
+ ldbobj.rename(dn, ldb.Dn(ldbobj, "%s=foo%s" % (before, after)), ["relax:0"])
+ ldbobj.rename(ldb.Dn(ldbobj, "%s=foo%s" % (before, after)), dn, ["relax:0"])
def chunck_acl(acl):
return hash
-def get_diff_sddls(refsddl, cursddl):
+
+def get_diff_sddls(refsddl, cursddl, checkSacl = True):
"""Get the difference between 2 sddl
- This function split the textual representation of ACL into smaller
- chunck in order to not to report a simple permutation as a difference
- :param refsddl: First sddl to compare
- :param cursddl: Second sddl to compare
- :return: A string that explain difference between sddls"""
+ This function split the textual representation of ACL into smaller
+ chunck in order to not to report a simple permutation as a difference
+
+ :param refsddl: First sddl to compare
+ :param cursddl: Second sddl to compare
+ :param checkSacl: If false we skip the sacl checks
+ :return: A string that explain difference between sddls
+ """
txt = ""
- hash_new = chunck_sddl(cursddl)
+ hash_cur = chunck_sddl(cursddl)
hash_ref = chunck_sddl(refsddl)
- if hash_new["owner"] != hash_ref["owner"]:
+ if not hash_cur.has_key("owner"):
+ txt = "\tNo owner in current SD"
+ elif hash_cur["owner"] != hash_ref["owner"]:
txt = "\tOwner mismatch: %s (in ref) %s" \
- "(in current)\n" % (hash_ref["owner"], hash_new["owner"])
+ "(in current)\n" % (hash_ref["owner"], hash_cur["owner"])
- if hash_new["group"] != hash_ref["group"]:
+ if not hash_cur.has_key("group"):
+ txt = "%s\tNo group in current SD" % txt
+ elif hash_cur["group"] != hash_ref["group"]:
txt = "%s\tGroup mismatch: %s (in ref) %s" \
- "(in current)\n" % (txt, hash_ref["group"], hash_new["group"])
+ "(in current)\n" % (txt, hash_ref["group"], hash_cur["group"])
- for part in ["dacl", "sacl"]:
- if hash_new.has_key(part) and hash_ref.has_key(part):
+ parts = [ "dacl" ]
+ if checkSacl:
+ parts.append("sacl")
+ for part in parts:
+ if hash_cur.has_key(part) and hash_ref.has_key(part):
# both are present, check if they contain the same ACE
- h_new = set()
+ h_cur = set()
h_ref = set()
- c_new = chunck_acl(hash_new[part])
+ c_cur = chunck_acl(hash_cur[part])
c_ref = chunck_acl(hash_ref[part])
- for elem in c_new["aces"]:
- h_new.add(elem)
+ for elem in c_cur["aces"]:
+ h_cur.add(elem)
for elem in c_ref["aces"]:
h_ref.add(elem)
for k in set(h_ref):
- if k in h_new:
- h_new.remove(k)
+ if k in h_cur:
+ h_cur.remove(k)
h_ref.remove(k)
- if len(h_new) + len(h_ref) > 0:
+ if len(h_cur) + len(h_ref) > 0:
txt = "%s\tPart %s is different between reference" \
" and current here is the detail:\n" % (txt, part)
- for item in h_new:
+ for item in h_cur:
txt = "%s\t\t%s ACE is not present in the" \
" reference\n" % (txt, item)
txt = "%s\t\t%s ACE is not present in the" \
" current\n" % (txt, item)
- elif hash_new.has_key(part) and not hash_ref.has_key(part):
+ elif hash_cur.has_key(part) and not hash_ref.has_key(part):
txt = "%s\tReference ACL hasn't a %s part\n" % (txt, part)
- elif not hash_new.has_key(part) and hash_ref.has_key(part):
+ elif not hash_cur.has_key(part) and hash_ref.has_key(part):
txt = "%s\tCurrent ACL hasn't a %s part\n" % (txt, part)
return txt
"""Update secrets.ldb
:param newsecrets_ldb: An LDB object that is connected to the secrets.ldb
- of the reference provision
+ of the reference provision
:param secrets_ldb: An LDB object that is connected to the secrets.ldb
- of the updated provision
+ of the updated provision
"""
- messagefunc(SIMPLE, "update secrets.ldb")
- reference = newsecrets_ldb.search(expression="dn=@MODULES", base="",
- scope=SCOPE_SUBTREE)
- current = secrets_ldb.search(expression="dn=@MODULES", base="",
- scope=SCOPE_SUBTREE)
+ messagefunc(SIMPLE, "Update of secrets.ldb")
+ reference = newsecrets_ldb.search(base="@MODULES", scope=SCOPE_BASE)
+ current = secrets_ldb.search(base="@MODULES", scope=SCOPE_BASE)
assert reference, "Reference modules list can not be empty"
if len(current) == 0:
# No modules present
current = secrets_ldb.search(expression="dn=%s" % entry,
base="", scope=SCOPE_SUBTREE)
delta = secrets_ldb.msg_diff(empty, reference[0])
- for att in hashAttrNotCopied.keys():
+ for att in hashAttrNotCopied:
delta.remove(att)
- messagefunc(CHANGE, "Entry %s is missing from secrets.ldb" % \
+ messagefunc(CHANGE, "Entry %s is missing from secrets.ldb" %
reference[0].dn)
for att in delta:
messagefunc(CHANGE, " Adding attribute %s" % att)
current = secrets_ldb.search(expression="dn=%s" % entry, base="",
scope=SCOPE_SUBTREE)
delta = secrets_ldb.msg_diff(current[0], reference[0])
- for att in hashAttrNotCopied.keys():
+ for att in hashAttrNotCopied:
delta.remove(att)
for att in delta:
if att == "name":
- messagefunc(CHANGE, "Found attribute name on %s," \
+ messagefunc(CHANGE, "Found attribute name on %s,"
" must rename the DN" % (current[0].dn))
identic_rename(secrets_ldb, reference[0].dn)
else:
current = secrets_ldb.search(expression="dn=%s" % entry, base="",
scope=SCOPE_SUBTREE)
delta = secrets_ldb.msg_diff(current[0], reference[0])
- for att in hashAttrNotCopied.keys():
+ for att in hashAttrNotCopied:
delta.remove(att)
for att in delta:
if att == "msDS-KeyVersionNumber":
delta.remove(att)
if att != "dn":
messagefunc(CHANGE,
- "Adding/Changing attribute %s to %s" % \
+ "Adding/Changing attribute %s to %s" %
(att, current[0].dn))
delta.dn = current[0].dn
secrets_ldb.modify(delta)
+ res2 = secrets_ldb.search(expression="(samaccountname=dns)",
+ scope=SCOPE_SUBTREE, attrs=["dn"])
+
+ if (len(res2) == 1):
+ messagefunc(SIMPLE, "Remove old dns account")
+ secrets_ldb.delete(res2[0]["dn"])
+
+
def getOEMInfo(samdb, rootdn):
- """Return OEM Information on the top level
- Samba4 use to store version info in this field
+ """Return OEM Information on the top level Samba4 use to store version
+ info in this field
:param samdb: An LDB object connect to sam.ldb
:param rootdn: Root DN of the domain
- :return: The content of the field oEMInformation (if any)"""
+ :return: The content of the field oEMInformation (if any)
+ """
res = samdb.search(expression="(objectClass=*)", base=str(rootdn),
scope=SCOPE_BASE, attrs=["dn", "oEMInformation"])
- if len(res) > 0:
+ if len(res) > 0 and res[0].get("oEMInformation"):
info = res[0]["oEMInformation"]
return info
else:
return ""
+
def updateOEMInfo(samdb, rootdn):
"""Update the OEMinfo field to add information about upgrade
- :param samdb: an LDB object connected to the sam DB
- :param rootdn: The string representation of the root DN of
- the provision (ie. DC=...,DC=...)
+
+ :param samdb: an LDB object connected to the sam DB
+ :param rootdn: The string representation of the root DN of
+ the provision (ie. DC=...,DC=...)
"""
res = samdb.search(expression="(objectClass=*)", base=rootdn,
scope=SCOPE_BASE, attrs=["dn", "oEMInformation"])
if len(res) > 0:
- info = res[0]["oEMInformation"]
+ if res[0].get("oEMInformation"):
+ info = str(res[0]["oEMInformation"])
+ else:
+ info = ""
info = "%s, upgrade to %s" % (info, version)
delta = ldb.Message()
delta.dn = ldb.Dn(samdb, str(res[0]["dn"]))
try:
attribute = samba.xattr_tdb.wrap_getxattr(eadbname,
paths.sysvol, xattr.XATTR_NTACL_NAME)
- except:
+ except Exception:
attribute = samba.xattr_native.wrap_getxattr(paths.sysvol,
xattr.XATTR_NTACL_NAME)
else:
attribute = samba.xattr_native.wrap_getxattr(paths.sysvol,
xattr.XATTR_NTACL_NAME)
- except:
+ except Exception:
resetacls = True
if force:
# We always reinforce acls on GPO folder because they have to be in sync
# with the one in DS
try:
- set_gpo_acl(paths.sysvol, names.dnsdomain, names.domainsid,
+ set_gpos_acl(paths.sysvol, names.dnsdomain, names.domainsid,
names.domaindn, samdb, lp)
except TypeError, e:
- message(ERROR, "Unable to set ACLs on policies related objects, if not using posix:eadb, you must be root to do it")
+ message(ERROR, "Unable to set ACLs on policies related objects,"
+ " if not using posix:eadb, you must be root to do it")
if resetacls:
try:
setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.wheel_gid,
names.domainsid, names.dnsdomain, names.domaindn, lp)
except TypeError, e:
- message(ERROR, "Unable to set ACLs on sysvol share, if not using posix:eadb, you must be root to do it")
-
-def delta_update_basesamdb(refsam, sam, creds, session, lp, message):
+ message(ERROR, "Unable to set ACLs on sysvol share, if not using"
+ "posix:eadb, you must be root to do it")
+
+def increment_calculated_keyversion_number(samdb, rootdn, hashDns):
+ """For a given hash associating dn and a number, this function will
+ update the replPropertyMetaData of each dn in the hash, so that the
+ calculated value of the msDs-KeyVersionNumber is equal or superior to the
+ one associated to the given dn.
+
+ :param samdb: An SamDB object pointing to the sam
+ :param rootdn: The base DN where we want to start
+ :param hashDns: A hash with dn as key and number representing the
+ minimum value of msDs-KeyVersionNumber that we want to
+ have
+ """
+ entry = samdb.search(expression='(objectClass=user)',
+ base=ldb.Dn(samdb,str(rootdn)),
+ scope=SCOPE_SUBTREE, attrs=["msDs-KeyVersionNumber"],
+ controls=["search_options:1:2"])
+ done = 0
+ hashDone = {}
+ if len(entry) == 0:
+ raise ProvisioningError("Unable to find msDs-KeyVersionNumber")
+ else:
+ for e in entry:
+ if hashDns.has_key(str(e.dn).lower()):
+ val = e.get("msDs-KeyVersionNumber")
+ if not val:
+ val = "0"
+ version = int(str(hashDns[str(e.dn).lower()]))
+ if int(str(val)) < version:
+ done = done + 1
+ samdb.set_attribute_replmetadata_version(str(e.dn),
+ "unicodePwd",
+ version, True)
+def delta_update_basesamdb(refsampath, sampath, creds, session, lp, message):
"""Update the provision container db: sam.ldb
This function is aimed for alpha9 and newer;
- :param refsam: Path to the samdb in the reference provision
- :param sam: Path to the samdb in the upgraded provision
+ :param refsampath: Path to the samdb in the reference provision
+ :param sampath: Path to the samdb in the upgraded provision
:param creds: Credential used for openning LDB files
:param session: Session to use for openning LDB files
- :param lp: A loadparam object"""
+ :param lp: A loadparam object
+ :return: A msg_diff object with the difference between the @ATTRIBUTES
+ of the current provision and the reference provision
+ """
message(SIMPLE,
"Update base samdb by searching difference with reference one")
- refsam = Ldb(refsam, session_info=session, credentials=creds,
+ refsam = Ldb(refsampath, session_info=session, credentials=creds,
lp=lp, options=["modules:"])
- sam = Ldb(sam, session_info=session, credentials=creds, lp=lp,
+ sam = Ldb(sampath, session_info=session, credentials=creds, lp=lp,
options=["modules:"])
empty = ldb.Message()
-
+ deltaattr = None
reference = refsam.search(expression="")
for refentry in reference:
sam.add(delta)
else:
delta = sam.msg_diff(entry[0], refentry)
+ if str(refentry.dn) == "@ATTRIBUTES":
+ deltaattr = sam.msg_diff(refentry, entry[0])
if str(refentry.dn) == "@PROVISION" and\
delta.get(samba.provision.LAST_PROVISION_USN_ATTRIBUTE):
delta.remove(samba.provision.LAST_PROVISION_USN_ATTRIBUTE)
delta.dn = refentry.dn
sam.modify(delta)
+ return deltaattr
+
def construct_existor_expr(attrs):
"""Construct a exists or LDAP search expression.
- ie (|(foo=*)(bar=*)
:param attrs: List of attribute on which we want to create the search
- expression.
+ expression.
:return: A string representing the expression, if attrs is empty an
- empty string is returned"""
+ empty string is returned
+ """
expr = ""
if len(attrs) > 0:
expr = "(|"
expr = "%s)"%expr
return expr
+def update_machine_account_password(samdb, secrets_ldb, names):
+ """Update (change) the password of the current DC both in the SAM db and in
+ secret one
+
+ :param samdb: An LDB object related to the sam.ldb file of a given provision
+ :param secrets_ldb: An LDB object related to the secrets.ldb file of a given
+ provision
+ :param names: List of key provision parameters"""
+
+ expression = "samAccountName=%s$" % names.netbiosname
+ secrets_msg = secrets_ldb.search(expression=expression,
+ attrs=["secureChannelType"])
+ if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
+ res = samdb.search(expression=expression, attrs=[])
+ assert(len(res) == 1)
+
+ msg = ldb.Message(res[0].dn)
+ machinepass = samba.generate_random_password(128, 255)
+ mputf16 = machinepass.encode('utf-16-le')
+ msg["clearTextPassword"] = ldb.MessageElement(mputf16,
+ ldb.FLAG_MOD_REPLACE,
+ "clearTextPassword")
+ samdb.modify(msg)
+
+ res = samdb.search(expression=("samAccountName=%s$" % names.netbiosname),
+ attrs=["msDs-keyVersionNumber"])
+ assert(len(res) == 1)
+ kvno = int(str(res[0]["msDs-keyVersionNumber"]))
+ secChanType = int(secrets_msg[0]["secureChannelType"][0])
+
+ secretsdb_self_join(secrets_ldb, domain=names.domain,
+ realm=names.realm,
+ domainsid=names.domainsid,
+ dnsdomain=names.dnsdomain,
+ netbiosname=names.netbiosname,
+ machinepass=machinepass,
+ key_version_number=kvno,
+ secure_channel_type=secChanType)
+ else:
+ raise ProvisioningError("Unable to find a Secure Channel"
+ "of type SEC_CHAN_BDC")
+
+def update_dns_account_password(samdb, secrets_ldb, names):
+ """Update (change) the password of the dns both in the SAM db and in
+ secret one
+
+ :param samdb: An LDB object related to the sam.ldb file of a given provision
+ :param secrets_ldb: An LDB object related to the secrets.ldb file of a given
+ provision
+ :param names: List of key provision parameters"""
+
+ expression = "samAccountName=dns-%s" % names.netbiosname
+ secrets_msg = secrets_ldb.search(expression=expression)
+ if len(secrets_msg) == 1:
+ res = samdb.search(expression=expression, attrs=[])
+ assert(len(res) == 1)
+
+ msg = ldb.Message(res[0].dn)
+ machinepass = samba.generate_random_password(128, 255)
+ mputf16 = machinepass.encode('utf-16-le')
+ msg["clearTextPassword"] = ldb.MessageElement(mputf16,
+ ldb.FLAG_MOD_REPLACE,
+ "clearTextPassword")
+
+ samdb.modify(msg)
+
+ res = samdb.search(expression=expression,
+ attrs=["msDs-keyVersionNumber"])
+ assert(len(res) == 1)
+ kvno = str(res[0]["msDs-keyVersionNumber"])
+
+ msg = ldb.Message(secrets_msg[0].dn)
+ msg["secret"] = ldb.MessageElement(machinepass,
+ ldb.FLAG_MOD_REPLACE,
+ "secret")
+ msg["msDS-KeyVersionNumber"] = ldb.MessageElement(kvno,
+ ldb.FLAG_MOD_REPLACE,
+ "msDS-KeyVersionNumber")
+
+ secrets_ldb.modify(msg)
+ else:
+ raise ProvisioningError("Unable to find an object"
+ " with %s" % expression )
+
def search_constructed_attrs_stored(samdb, rootdn, attrs):
"""Search a given sam DB for calculated attributes that are
still stored in the db.
expr = construct_existor_expr(attrs)
if expr == "":
return hashAtt
- entry = samdb.search(expression=expr, base=ldb.Dn(samdb,str(rootdn)),
+ entry = samdb.search(expression=expr, base=ldb.Dn(samdb, str(rootdn)),
scope=SCOPE_SUBTREE, attrs=attrs,
controls=["search_options:1:2","bypassoperational:0"])
if len(entry) == 0:
hashAtt[att][str(ent.dn).lower()] = str(ent[att])
return hashAtt
+
+def int64range2str(value):
+ """Display the int64 range stored in value as xxx-yyy
+
+ :param value: The int64 range
+ :return: A string of the representation of the range
+ """
+
+ lvalue = long(value)
+ str = "%d-%d" % (lvalue&0xFFFFFFFF, lvalue>>32)
+ return str
git.samba.org / metze / samba / wip.git / blobdiff