ctx.schema_dn = str(ctx.samdb.get_schema_basedn())
ctx.config_dn = str(ctx.samdb.get_config_basedn())
ctx.domsid = ctx.samdb.get_domain_sid()
+ ctx.forestsid = ctx.domsid
ctx.domain_name = ctx.get_domain_name()
ctx.forest_domain_name = ctx.get_forest_domain_name()
ctx.invocation_id = misc.GUID(str(uuid.uuid4()))
ctx.paths = presult.paths
ctx.names = presult.names
+ # Fix up the forestsid, it may be different if we are joining as a subdomain
+ ctx.names.forestsid = ctx.forestsid
+
def join_provision_own_domain(ctx):
"""Provision the local SAM."""
raise DCJoinException("Can't find naming context on partition DN %s in %s" % (ctx.partition_dn, ctx.samdb.url))
try:
- domguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID')))
+ ctx.names.domainguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID')))
except KeyError:
raise DCJoinException("Can't find GUID in naming master on partition DN %s" % res[0]['ncName'][0])
- ctx.logger.info("Got domain GUID %s" % domguid)
+ ctx.logger.info("Got domain GUID %s" % ctx.names.domainguid)
ctx.logger.info("Calling own domain provision")
secrets_ldb = Ldb(ctx.paths.secrets, session_info=system_session(), lp=ctx.lp)
presult = provision_fill(ctx.local_samdb, secrets_ldb,
- ctx.logger, ctx.names, ctx.paths, domainsid=security.dom_sid(ctx.domsid),
- domainguid=domguid,
+ ctx.logger, ctx.names, ctx.paths,
dom_for_fun_level=DS_DOMAIN_FUNCTION_2003,
targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN,
machinepass=ctx.acct_pass, serverrole="active directory domain controller",
key_version_number=ctx.key_version_number)
if ctx.dns_backend.startswith("BIND9_"):
- setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid),
+ setup_bind9_dns(ctx.local_samdb, secrets_ldb,
ctx.names, ctx.paths, ctx.lp, ctx.logger,
dns_backend=ctx.dns_backend,
dnspass=ctx.dnspass, os_level=ctx.behavior_version,
logger.info("DNS name of new naming master is %s" % ctx.server)
ctx.base_dn = samba.dn_from_dns_name(dnsdomain)
+ ctx.forestsid = ctx.domsid
ctx.domsid = str(security.random_sid())
ctx.acct_dn = None
ctx.dnshostname = "%s.%s" % (ctx.myname.lower(), ctx.dnsdomain)
self.hostname = None
self.sitename = None
self.smbconf = None
+ self.domainsid = None
+ self.forestsid = None
+ self.domainguid = None
self.name_map = {}
"objectSid","msDS-Behavior-Version" ])
names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
+ names.forestsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
if res6[0].get("msDS-Behavior-Version") is None or \
int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
names.domainlevel = DS_DOMAIN_FUNCTION_2000
return samdb
-def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
+def fill_samdb(samdb, lp, names, logger, policyguid,
policyguid_dc, fill, adminpass, krbtgtpass, machinepass, dns_backend,
dnspass, invocationid, ntdsguid, serverrole, am_rodc=False,
dom_for_fun_level=None, schema=None, next_rid=None, dc_rid=None):
samdb.set_opaque_integer("domainControllerFunctionality",
domainControllerFunctionality)
- samdb.set_domain_sid(str(domainsid))
+ samdb.set_domain_sid(str(names.domainsid))
samdb.set_invocation_id(invocationid)
logger.info("Adding DomainDN: %s" % names.domaindn)
# impersonate domain admin
- admin_session_info = admin_session(lp, str(domainsid))
+ admin_session_info = admin_session(lp, str(names.domainsid))
samdb.set_session_info(admin_session_info)
- if domainguid is not None:
- domainguid_line = "objectGUID: %s\n-" % domainguid
+ if names.domainguid is not None:
+ domainguid_line = "objectGUID: %s\n-" % names.domainguid
else:
domainguid_line = ""
- descr = b64encode(get_domain_descriptor(domainsid))
+ descr = b64encode(get_domain_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
"DOMAINDN": names.domaindn,
- "DOMAINSID": str(domainsid),
+ "DOMAINSID": str(names.domainsid),
"DESCRIPTOR": descr,
"DOMAINGUID": domainguid_line
})
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
if fill == FILL_FULL:
logger.info("Adding configuration container")
- descr = b64encode(get_config_descriptor(domainsid))
+ descr = b64encode(get_config_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), {
"CONFIGDN": names.configdn,
"DESCRIPTOR": descr,
if fill == FILL_FULL:
logger.info("Setting up sam.ldb configuration data")
- partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
- sites_descr = b64encode(get_config_sites_descriptor(domainsid))
- ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(domainsid))
- protected1_descr = b64encode(get_config_delete_protected1_descriptor(domainsid))
- protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
- protected2_descr = b64encode(get_config_delete_protected2_descriptor(domainsid))
+ partitions_descr = b64encode(get_config_partitions_descriptor(names.domainsid))
+ sites_descr = b64encode(get_config_sites_descriptor(names.domainsid))
+ ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(names.domainsid))
+ protected1_descr = b64encode(get_config_delete_protected1_descriptor(names.domainsid))
+ protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
+ protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
"CONFIGDN": names.configdn,
})
logger.info("Adding users container")
- users_desc = b64encode(get_domain_users_descriptor(domainsid))
+ users_desc = b64encode(get_domain_users_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
"DOMAINDN": names.domaindn,
"USERS_DESCRIPTOR": users_desc
setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
"DOMAINDN": names.domaindn})
logger.info("Adding computers container")
- computers_desc = b64encode(get_domain_computers_descriptor(domainsid))
+ computers_desc = b64encode(get_domain_computers_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
"DOMAINDN": names.domaindn,
"COMPUTERS_DESCRIPTOR": computers_desc
setup_path("provision_computers_modify.ldif"), {
"DOMAINDN": names.domaindn})
logger.info("Setting up sam.ldb data")
- infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
- lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(domainsid))
- system_desc = b64encode(get_domain_delete_protected1_descriptor(domainsid))
- builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
- controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid))
+ infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(names.domainsid))
+ lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(names.domainsid))
+ system_desc = b64encode(get_domain_delete_protected1_descriptor(names.domainsid))
+ builtin_desc = b64encode(get_domain_builtin_descriptor(names.domainsid))
+ controllers_desc = b64encode(get_domain_controllers_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision.ldif"), {
"CREATTIME": str(samba.unix2nttime(int(time.time()))),
"DOMAINDN": names.domaindn,
"SCHEMADN": names.schemadn})
logger.info("Setting up well known security principals")
- protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
+ protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
"CONFIGDN": names.configdn,
"WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
logger.info("Setting up sam.ldb users and groups")
setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
"DOMAINDN": names.domaindn,
- "DOMAINSID": str(domainsid),
+ "DOMAINSID": str(names.domainsid),
"ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')),
"KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
})
dns_backend=dns_backend,
dnspass=dnspass,
machinepass=machinepass,
- domainsid=domainsid,
+ domainsid=names.domainsid,
next_rid=next_rid,
dc_rid=dc_rid,
policyguid=policyguid,
def provision_fill(samdb, secrets_ldb, logger, names, paths,
- domainsid, schema=None,
+ schema=None,
targetdir=None, samdb_fill=FILL_FULL,
hostip=None, hostip6=None,
next_rid=1000, dc_rid=None, adminpass=None, krbtgtpass=None,
dnspass = samba.generate_random_password(128, 255)
samdb = fill_samdb(samdb, lp, names, logger=logger,
- domainsid=domainsid, schema=schema, domainguid=domainguid,
+ schema=schema,
policyguid=policyguid, policyguid_dc=policyguid_dc,
fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass,
invocationid=invocationid, machinepass=machinepass,
policyguid_dc)
if not skip_sysvolacl:
setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
- paths.root_gid, domainsid, names.dnsdomain,
+ paths.root_gid, names.domainsid, names.dnsdomain,
names.domaindn, lp, use_ntvfs)
else:
logger.info("Setting acl on sysvol skipped")
secretsdb_self_join(secrets_ldb, domain=names.domain,
realm=names.realm, dnsdomain=names.dnsdomain,
- netbiosname=names.netbiosname, domainsid=domainsid,
+ netbiosname=names.netbiosname, domainsid=names.domainsid,
machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC)
# Now set up the right msDS-SupportedEncryptionTypes into the DB
# It might be that this attribute does not exist in this schema
raise
- setup_ad_dns(samdb, secrets_ldb, domainsid, names, paths, lp, logger,
+ setup_ad_dns(samdb, secrets_ldb, names, paths, lp, logger,
hostip=hostip, hostip6=hostip6, dns_backend=dns_backend,
dnspass=dnspass, os_level=dom_for_fun_level,
targetdir=targetdir, fill_level=samdb_fill)
names.hostip = hostip
names.hostip6 = hostip6
+ names.domainguid = domainguid
+ names.domainsid = domainsid
+ names.forestsid = domainsid
if serverrole is None:
serverrole = lp.get("server role")
if samdb_fill == FILL_FULL:
provision_fill(samdb, secrets_ldb, logger, names, paths,
schema=schema, targetdir=targetdir, samdb_fill=samdb_fill,
- hostip=hostip, hostip6=hostip6, domainsid=domainsid,
+ hostip=hostip, hostip6=hostip6,
next_rid=next_rid, dc_rid=dc_rid, adminpass=adminpass,
- krbtgtpass=krbtgtpass, domainguid=domainguid,
+ krbtgtpass=krbtgtpass,
policyguid=policyguid, policyguid_dc=policyguid_dc,
invocationid=invocationid, machinepass=machinepass,
ntdsguid=ntdsguid, dns_backend=dns_backend,
domainguid, ntdsguid)
-def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
+def setup_ad_dns(samdb, secretsdb, names, paths, lp, logger,
dns_backend, os_level, dnspass=None, hostip=None, hostip6=None,
targetdir=None, fill_level=FILL_FULL):
"""Provision DNS information (assuming GC role)
:param samdb: LDB object connected to sam.ldb file
:param secretsdb: LDB object connected to secrets.ldb file
- :param domainsid: Domain SID (as dom_sid object)
:param names: Names shortcut
:param paths: Paths shortcut
:param lp: Loadparm object
# Create CN=System
logger.info("Creating CN=MicrosoftDNS,CN=System,%s" % domaindn)
- create_dns_legacy(samdb, domainsid, domaindn, dnsadmins_sid)
+ create_dns_legacy(samdb, names.domainsid, domaindn, dnsadmins_sid)
if os_level == DS_DOMAIN_FUNCTION_2000:
# Populating legacy dns
logger.info("Populating CN=MicrosoftDNS,CN=System,%s" % domaindn)
- fill_dns_data_legacy(samdb, domainsid, domaindn, dnsdomain, site,
+ fill_dns_data_legacy(samdb, names.domainsid, domaindn, dnsdomain, site,
hostname, hostip, hostip6, dnsadmins_sid)
elif dns_backend in ("SAMBA_INTERNAL", "BIND9_DLZ") and \
# Create DNS partitions
logger.info("Creating DomainDnsZones and ForestDnsZones partitions")
- create_dns_partitions(samdb, domainsid, names, domaindn, forestdn,
+ create_dns_partitions(samdb, names.domainsid, names, domaindn, forestdn,
dnsadmins_sid, fill_level)
# Populating dns partitions
logger.info("Populating DomainDnsZones and ForestDnsZones partitions")
- fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
+ fill_dns_data_partitions(samdb, names.domainsid, site, domaindn, forestdn,
dnsdomain, dnsforest, hostname, hostip, hostip6,
domainguid, names.ntdsguid, dnsadmins_sid,
fill_level=fill_level)
if dns_backend.startswith("BIND9_"):
- setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
+ setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
dns_backend, os_level, site=site, dnspass=dnspass, hostip=hostip,
hostip6=hostip6, targetdir=targetdir)
-def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
+def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
dns_backend, os_level, site=None, dnspass=None, hostip=None,
hostip6=None, targetdir=None, key_version_number=None):
"""Provision DNS information (assuming BIND9 backend in DC role)
:param samdb: LDB object connected to sam.ldb file
:param secretsdb: LDB object connected to secrets.ldb file
- :param domainsid: Domain SID (as dom_sid object)
:param names: Names shortcut
:param paths: Paths shortcut
:param lp: Loadparm object
ntdsguid=names.ntdsguid)
if dns_backend == "BIND9_DLZ" and os_level >= DS_DOMAIN_FUNCTION_2003:
- create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid)
+ create_samdb_copy(samdb, logger, paths, names, names.domainsid, domainguid)
create_named_conf(paths, realm=names.realm,
dnsdomain=names.dnsdomain, dns_backend=dns_backend,