g=:SrSSKJr SSKJr SSKJrJrJrJ r SSK r SSKrSSK r SSK J r Jr SSKJrJrJrJrJrJrJrJr SSKJrJr SS KJrJrJrJrJ r J!r! SS K"J#r# SS K$J%r% SS KJ&r& SS K'J(r( SSK)J*r* SSKJ+r+ SSKJ,r, SSK-J.r. SSKJ/r/J0r0 SSKJ1r1 SSK2J3r3J4r4J5r5 SSK6r6SSK7r7SSK8r8SSK9r9SSK:r:SSK;Jr> SSK?J@r@ SSKJArAJBrB "SS\C5rD"SS\E5rFS$SjrGS$SjrHS%SjrI"S S!\F5rJ"S"S#\J5rKg)&zJoining a domain.)system_session)SamDB)gensecLdb drs_utilsarcfour_encryptN)ndr_pack ndr_unpack)securitydrsuapimiscnbtlsadrsblobs dnsserverdnsp) CredentialsDONT_USE_KERBEROS)secretsdb_self_join provisionprovision_fillFILL_DRSFILL_SUBDOMAIN DEFAULTSITE) setup_path)Schema) descriptor)Net)setup_bind9_dns)read_and_sub_file)werror) b64encode) WERRORError NTSTATUSError)sd_utils)ARecord AAAARecord CNAMERecord) OrderedDict) get_string) CommandError)dsdbfunctional_levelc(^\rSrSrU4SjrSrU=r$)DCJoinException6c*>[TU]SU-5 g)NzCan't join, error: %s)super__init__)selfmsg __class__s ,/usr/lib/python3/dist-packages/samba/join.pyr3DCJoinException.__init__8s 0367)__name__ __module__ __qualname____firstlineno__r3__static_attributes__ __classcell__r6s@r7r/r/6s 88r9r/c\rSrSrSrS'SjrS(SjrS(SjrS(SjrSr S r S r S r S r S rSrSrSrSrSrSrSrSrSrSrS)SjrSrSrSrSrSrSrSr S r!S!r"S"r#S#r$S$r%S%r&S&r'g)* DCJoinContext<zPerform a DC join.NcVXlX0lX@lXPlXplXlXlXlXlXl SUl /Ul /Ul URRUR5[R -5 [#URURS9UlX lUUlU(a#UUlUR*R,UlOUR&(a$Uc UR/UR&5UlO\URR1SU-5 UR3U5UlURR1SUR&-5 [5SUR&-[75URURS9UlURc [8UlUR*R;[<R>/S9 [GUR*RI55Ul%[GUR*RM55Ul'[GUR*RQ55Ul)[GUR*RU55Ul+[XRZ"UR*R]55Ul/UR^Ul0URc5Ul2URg5Ul4[jRl"[G[nRp"555Ul9UR*Ru5Ul;URy5Ul=UR}5Ul?U bXl@O[R"SS5Ul@UR*R5UlDU(GaX`lESUR-UlFS UR<S UR<S URV<3UlGS UR-UlHS UR<S URJ<3UlIURR5<SUR<3UlKUR*R5UlMSURJ-nURU5(aS UR<SU<3UlOOSUlOSUR-SUR-SUR<SUR<3/UlPUR*R;[<R>S/URJS9nUSSSUlQSURJ-UlRSURN-UlSS[<R"UR5-nUR*R;[<R/UR*R5US9nU cSUlWO([U5S:XaSUlW[S5 OXlWURUlZSUl[[R[R-[R-[R-[R-UlbSUlcSUldSUleSUlfSUlgSUl\SUlhSUliSUljSUlkSUllSUlmSUlng![<R@anURBunn[EU5eSnAff=f)N)credslpz&Finding a writeable DC for domain '%s'z Found DC %s ldap://%surl session_info credentialsrGscopeattrsx%s$CN=z,CN=Servers,CN=z ,CN=Sites,zCN=NTDS Settings,%sz,OU=Domain Controllers,.zGCN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,%s,zHOST/%szGC//rIDManagerReference)rNrObaserzDC=DomainDnsZones,%szDC=ForestDnsZones,%s$(&(objectClass=crossRef)(ncName=%s))rNrOrW expressionNONEzCNO DNS zone information found in source domain, not replicating DNSF)ologgerrFrGsite targetdir use_ntvfsplaintext_secrets backend_storebackend_store_sizepromote_existingpromote_from_dnnc_list full_nc_listset_gensec_featuresget_gensec_featuresr FEATURE_SEALrnetserverforced_local_samdbsamdbrJ find_dc_siteinfofind_dcrrrsearchldb SCOPE_BASELdbErrorargsr/strget_default_basednbase_dnget_root_basednroot_dnget_schema_basedn schema_dnget_config_basedn config_dnr dom_sidget_domain_siddomsid forestsidget_domain_name domain_nameget_forest_domain_nameforest_domain_namer GUIDuuiduuid4 invocation_idget_dsServiceName dc_ntds_dnget_dnsHostNamedc_dnsHostNameget_behavior_versionbehavior_version acct_passsamba generate_random_machine_passworddomain_dns_name dnsdomainmynamesamname server_dnntds_dnacct_dnlower dnshostnameforest_dns_name dnsforest dn_exists topology_dnSPNsrid_manager_dndomaindns_zoneforestdns_zone binary_encodeSCOPE_ONELEVELget_partitions_dn dns_backendlenprintrealm tmp_samdbr DRSUAPI_DRS_INIT_SYNCDRSUAPI_DRS_PER_SYNCDRSUAPI_DRS_GET_ANCDRSUAPI_DRS_GET_NC_SIZEDRSUAPI_DRS_NEVER_SYNCED replica_flagsnever_reveal_sid reveal_sid connection_dnRODC krbtgt_dn managedby subdomain adminpass partition_dndns_a_dn dns_cname_dn force_all_ips)ctxr\rkrFrGr] netbios_namer^domain machinepassr_rrcr`rarbrleenumestr topology_baseres_rid_managerexpr res_domaindnss r7r3DCJoinContext.__init__?s  ! ! 1)!3/"  %%e&?&?&AFDWDW&WXCII#&&1 !3 *CICJzz<"// ;CH  H6 QR [[0    :;+ ":+9+;*-))@CI 88 "CH ( II  3>>  < #))6689 #))3356 CII779: CII779: %%cii&>&>&@A   --/!$!;!;!= IIc$**,&78446 002"779  "'M!BB3LCM 113  %J#**,CKDGJJPSPXPXZ]ZgZghCM/#--?CK>Ajj#++VCK),)9)9);S]]KCOII557CMehkhshssM}}]++03 M"J"&!CJJ.!COO3&)oos}}EGCH"ii..S^^6K5L47KK/AO"1!34I!J1!MC 3ckkA3ckkA58I8I#J\J\8]] ((s/A/A/1.1ii.I.I.K48):   $CO=!Q&"([\"-MM  $::$99:$889%<<=%== > $       "A|| (66LT4!$' ' (s ([55\( \##\(cBU(aNURRU[RS/S9nUHnUR UR SS9 M URRU5 [SU-5 g![a gf=f![a gf=f)NdnrWrNrOT recursivez Deleted %s) rmrqrrr Exception del_noerrorrdeleter)rrrresrs r7rDCJoinContext.del_noerrors  ii&&Bc6H6HQUPV&W5  II  R ,# $      s#*B)B B B BBc  URRURR5S[R"UR 5-SS/S9n[ U5S:XagU(d[5nURUR5 URUR5 URURR55 [SUR-[!5X0RS9nUR[R"SS /S 9nUSS SUSSS:Xa[%S UR -5eUR'USR(S S 9 USR+SSS9nUb!X`lUR'UR,5 URRURR5S[R"SUR.-5<S[R"SUR0-5<S3/S9nU(aUR'USR(S S 9 URRURR5S[R"SUR.-5-/S9nU(aU[%S[R"SUR.-5<S[R"SUR0-5<35eg! GN=f)NsAMAccountName=%smsDS-krbTgtLink objectSIDrWrZrOrrHrI tokenGroups)rNrWrOzNot removing account %s which looks like a Samba DC account matching the password we already have. To override, remove secrets.ldb and secrets.tdbTrmsDS-KrbTgtLink)idxz(&(sAMAccountName=dns-%sz)(servicePrincipalName=zdns/%sz))z(sAMAccountName=%s)zNot removing account zU which looks like a Samba DNS service account but does not have servicePrincipalName=)rmrqrwrrrrrrguessrGset_machine_accountset_kerberos_staterFget_kerberos_staterrkrrsr/rrget new_krbtgt_dnrr)rforcerrF machine_samdb token_resrs r7cleanup_old_accounts"DCJoinContext.cleanup_old_accountssiiCII$@$@$B*=@Q@QRUR]R]@^*^&7%EG s8q= ME KK  9))#&&1(()E)E)GH %+ *B3A3C27FF!D *00s~~BWdVe0f Q< .q1!f[)!,-)+\-0KK +899- A T2FJJ0aJ8  )  OOC-- .iiCII$@$@$B # 1 1(SZZ2G H # 1 1(S__2L M+O&( )  OOCFIIO 6iiCII$@$@$B*?#BSBST\_b_i_iTiBj*j%') !$'#4#4X 5J#K##4X5O#P #RS S = s A.K==LcUR(dURUS9 URbURUR5 URbURUR5 URUR 5 URUR SS9 UR(aURUR5 UR(aURUR5 UR(GagSn[R"SUR<SU<S3URUR5n[R"5n[R"5UlUR#S U[$R&5n[R("5nUR*UlUR/XV[R05nUR3XWR4R65 [R("5nUR8UlUR/XV[R05nUR3XWR4R65 UR:(aURUR:5 UR<(aURUR<5 gg) z$Remove any DNs from a previous join.)rNTrsign ncacn_ip_tcp:[]r)rrrrrrrrrrlsarpcrkrGrFObjectAttributeQosInfosec_qos OpenPolicy2r SEC_FLAG_MAXIMUM_ALLOWEDStringrstringQueryTrustedDomainInfoByName!LSA_TRUSTED_DOMAIN_INFO_FULL_INFODeleteTrustedDomaininfo_exsidrrr)rrbinding_optionslsaconn objectAttr pol_handlenameros r7cleanup_old_joinDCJoinContext.cleanup_old_joins}}  $ $5 $ 1    ( OOC-- . == $ OOCMM *  $  6 ?? OOCOO ,    OOC,, - ===$Ojj#**o!V!$4G,,.J!$J  ,,R-7-5-N-NPJ::? ?iiCII$@$@$B*=@Q@QRUR]R]@^*^%wy s8q=BEHEPEPPQ Q A &*=Q*GK]adefagKgGJMJUJUUV V A+,Q/ 0EJJ4[4[49JJ4V4V5W X[\ ]x{~|G|GGH H!!fiir9cURRU[R[R-[R -S9UlUR Rb5UR RS:waUR RUl UR R$![a%n[SU<SURS<35eSnAf[a [SU-5ef=f)z(find a writeable DC for the given domain)rflagsz*Failed to find a writeable DC for domain 'z': Nz-Failed to find a writeable DC for domain '%s'r)rjfinddcrNBT_SERVER_LDAP NBT_SERVER_DSNBT_SERVER_WRITABLE cldap_retr$r+rur client_siter] pdc_dns_name)rrerrors r7rpDCJoinContext.find_dc[s YGGNN&@S@SVYVgVg@gjmkBkBABNCCM == $ $ 0S]]5N5NRT5T}}00CH}}))) 8 & 1  78 8 YNQWWX X YsAB33 C9= CC9cSnURRU[R[R-S9nUR bUR S:wa UR nU$)N)addressrr)rjrrrrr)rrkr]rs r7rnDCJoinContext.find_dc_sitehs^GGNN6),)<)G>R>RSVS^S^>_; S:r9c [URURS9Ul[ [ 5SSUR URSSS9UlURRUR5 g)z2create a temporary samdb object for schema queries)schemadnNF)rKrJ auto_connectrLrG global_schemaam_rodc) rrr| tmp_schemarrrFrGr set_schemars r7create_tmp_samdbDCJoinContext.create_tmp_samdbs[ ),8>+;TY*-))e&+-    0r9c URcUR5 URcUR5 /nUGH>n[R"5nUSUl/nUHnUS:XaM [ X6[5(dX6/nOX6nUVs/sH+n[ U[5(aURS5OUPM- nnURRURXg5n URU 5 M [R"5n [U5U lXZl[R "5n XKlXl[R&"5n XlURU 5 GMA [R*"5n USU lU R,nUSSH nXlUnM URR1UR2SU 5unnUS:XaUR4[R6:wa#[9SUR4-5 [;S5eUR<S[>R@:wa#[9S UR<-5 [;S5eUS :XGa8URBS:wa[;S URB-5eURDRFS[>R@:waURDRHc&[9S URDRFS-5 OH[9S URDRFS<SURDRHR<<35 [;S5eURDR4[R6:wa-[9SURDR4-5 [;S5eURJ$s snf)z,add a record via the DRSUAPI DsAddEntry callNrutf8rrz!DsAddEntry failed with dir_err %uzDsAddEntry failedz(DsAddEntry failed with status %s info %szexpected err_ver 1, got %uz.DsAddEntry failed with status %s, info omittedzDsAddEntry failed with status z info )&r r]rrgDsReplicaObjectIdentifierr isinstancelistrvencodedsdb_DsReplicaAttributeappendDsReplicaAttributeCtrrnum_attributes attributesDsReplicaObject identifier attribute_ctrDsReplicaObjectListItemobjectDsAddEntryRequest2 first_object next_object DsAddEntryrZdir_errDRSUAPI_DIRERR_OKr RuntimeError extended_errr! WERR_SUCCESSerr_vererr_datastatusroobjects)rrecsrrPidrOavxrattrrxrz list_objectreq2prevolevelctrs r7r~DCJoinContext.DsAddEntrys ;;     ! ==  "C224BIBEE9!#&$//AALMNAqAs););QXXf%BAN ==cmmQR U#$99;M+.u:M (', $,,.F " #0 !99;K!'  NN; '58))+#AJ  A D{{--c.@.@!TJ  A:{{g7779CKKGH"#677"f&9&99@CDTDTUV"#677 A:{{a"#?#++#MNN||""1%)<)<<<<$$,JcllNaNabcNdef H[H[\]H^HK HYHYHfHfhi"#677||##w'@'@@9CLL-5URS .nUR(aURUS'UR$R3U5 UR@(aS Ul!g URD(GaURG5 S[*RH"URJ5-nUR$RM[*RN/UR$RQ5US9URJ4nS[*RH"URR5-nUR$RM[*RN/UR$RQ5US9URR4nXV4HupxXRT;aM[WU5S:XdM'[*R,"5n USRXU l,Sn URZ(aSn [*R\"URD[*R^U 5X'UR$R)U 5 M UR`bO[SUR`-5 UR`SSSURbS.nUR$R3U5 UR(Ga[SUR-5 [*R,"5n [*Rd"UR$UR5U l,[g[WURh55HBn URhU RkS[URB55URhU 'MD [*R\"URh[*R0S5U S'UR$R)U 5 [SUR-5 UR$RmS[*RH"UR5-URnSURS9 UR$RMUR[*R|S!S"/S#9nS!US;a[USS!S5Ul@OS Ul@[[RUSSS5UlD[S$5 [*R,"5n [*Rd"UR$UR5U l,[*R\"[UR5[*R0S%5U S%'UR$R)U 5 URRS&5(Ga[ R"S'S(5UlHUR$R[[S)5URURUR[URRS*55RS+5URS,.55nUHunnU[*R:XdeUS-n[S.US--5 US/ US0 [[ R R[ R R-5US%'UR$R3U5 M [S1UR-5 UR$RmS2[*RH"UR5-URSURS9 UR$RMW[*R|S!/S#9nS!US;a[USS!S5UlUg S UlUg g ![*Rpagn U RrupU [*Rt:waeURvRyURURzURnS 9 S n A GNS n A ff=f![*Rpa/nURrupU [*R:waeS nAGMS nAff=f![*RpajnURrupU [*Rt:waeURvRyS3UR-URzURS 9 S nAGNS nAff=f)4z+add the various objects needed for the joinr<computer)r objectClass displaynamesamaccountnamerrzmsDS-SupportedEncryptionTypesrzmsDS-NeverRevealGroupzmsDS-RevealOnDemandGroup objectSidNrrrk)rr?rr"serverReferencerXrYrrzmsDS-NC-Replica-LocationszmsDS-NC-RO-Replica-LocationsnTDSConnectionr>65)rr?enabledconnectionr fromServerzAdding SPNs to %sz $NTDSGUIDservicePrincipalNamezSetting account password for %sz((&(objectClass=user)(sAMAccountName=%s))F)force_change_at_next_loginusername) account_namer newpasswordzmsDS-KeyVersionNumberrrzEnabling accountrBIND9_zprovision_dns_add_samba.ldif utf-16-lerj) DNSDOMAINDOMAINDNHOSTNAME DNSPASS_B64DNSNAMErz#Adding DNS account %s with dns/ SPNclearTextPasswordisCriticalSystemObjectz#Setting account password for dns-%sz,(&(objectClass=user)(samAccountName=dns-%s))r)Vrrrrvrrr,rGrrDS_DOMAIN_FUNCTION_2008 ENC_ALL_TYPESrcrrrr rdrmrOrNrrrJ from_dictrMrHrrRrSYSTEM_FLAG_CONFIG_ALLOW_RENAME%SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVErrrrrrrrqrrrrerrrrL FLAG_MOD_ADDrrrKrangerreplace setpasswordrrtruERR_UNWILLING_TO_PERFORMrj set_passwordrrsrkey_version_numberr r rnew_dc_account_sidr startswithgenerate_random_passworddnspass parse_ldifr rrrxrr"rpdecodeCHANGETYPE_NONErFERR_ENTRY_ALREADY_EXISTSdns_key_version_number)r specified_sidrPrrrforestpartzonerQattrie2num_rr changetyper5 dns_acct_dnre3s r7join_add_objectsDCJoinContext.join_add_objectsTsB ;;; + + ,kk)"{{"%++&)#*@*@5::C_C_*_&`" 0C##uzz'I'II7:5::;S;S7T34%%7934}}#&==K %%#%K ##/2/C/C+,%%/1+,~~25.../%%24./#+M#:K ##&&#++5II$$S%8%8#++F   !6!6syy#sG[G[!\] , ){H c 5 ==  " " $ == + - .mm'"5::#M#M#(::#S#S$T#(::#Q#Q$R S #0C{{),%& IIMM#  == CM  ;;;  ":C A7::AD6Dxx=!00141A1A4IAGII$$Q'/    ( + 1 11 2''/%+!nn .C IIMM#  ;;; % 3 4 A66#))S[[1AD3sxx=)!hhqk11+s3==?QR *(+(:(:388;>;O;O;Q)SA$ % II  Q  3ckkA B @ %%&P(+(9(9#++(F'G&)mmAF/2{{ &<))"" 3>>*A*5*7#8C'#a&0),SV4K-LQ-O)P&)-&%/0@0@03A{0CA0F&HC " $ % A66#))S[[1AD&)&8&8S=S=S9T9<9M9M9M'OA" # II  Q  ?? % %h / /88cBCK99''(9*Ec:dHK GJ{{GJzzJSTWT_T_TfTfgrTsJtJ{J{}CKDFIoo ;W)XYD $( C!S%8%8888!$i ;c$iGH+,01,/ 0L0L05 0L0L1M-N()IIMM#&$(0 7#**D E > %%&T(+(9(9#**(E'F&)kkAF/2{{ &<))"" 3>>*A)B#DC&#a&0-0Q8O1PQR1S-T*-1*k 07<< @77#666$$#++1414%@  @d|| vvHSc:::;"<< >77#666$$(SZZ2G1414%>  >sLAi? k=Am?k:Ak55k:=m#l;;moAn<<oc [SUR-5 S[UR5<S[R <30n[ R"URUS9nURSSUR-URURURUR[[RR [RR"-5US. nUR$[RR&:a[UR$5US'UR)5nUR+X4/5n[-U5S :wa [/S 5eUS R0Ul[S 5 UR4R7UR[8R:"S 5UR2[<R>[<R@S9 [S5 UR4R7URB[8R:"S 5UR2[<R>[<R@S9 g)zLadd the various objects needed for the join, for subdomains post replicationr<SubdomainAdmins-)name_mapcrossRefzCN=Cross-Ref,%s) rr?rnCNamer&dnsRoot trustParentrntSecurityDescriptorrrkz"Expected 2 objects from DsAddEntryrzReplicating partition DN$00000000-0000-0000-0000-000000000000)exoprzReplicating NTDS DNN)"rrrvrr DOMAIN_RID_ADMINSr+get_paritions_crossref_subdomain_descriptorrr|rxrrparent_partition_dnrr,SYSTEM_FLAG_CR_NTDS_NCr/rrrr~rr/guidrrepl replicater rr DRSUAPI_EXOP_REPL_OBJDRSUAPI_DRS_WRIT_REPr)rr sd_binaryrPrec2rs r7join_add_objects2DCJoinContext.join_add_objects2+s kC,,,-%#cjj/8C]C]'^_JJ3==ckl ""%/#--?kk??}}22uzz@@%**BgBggh$-     5::#E#E E+.s/C/C+DC' (##%..#- w<1 !"FG G   () 3++99%KL== ' = =)0)E)E  G #$ 3;;99%KL== ' = =)0)E)E  Gr9c|[S5 URRn[UR[ 540SU_SUR _S[_SUR_SUR_SUR_SUR_S UR_S UR_S UR_S UR_S UR _SUR"_SS_SUR$_SUR_SUR&_SUR(_SUR*_SUR,_SUR._SUR0_SS_6n[SUR2-5 UR4UlURUlUR8UlUR:UlUR<UR:lg)Provision the local SAM.zCalling bare provisionsmbconfr^ samdb_fillrrootdndomaindnr`configdnserverdnrhostname domainsidr serverrole"active directory domain controllersitenamerGntdsguidr_rr`rarb batch_modeTzProvision OK for domain DN %sN)rrG configfilerr\rr^rrrzrxr|r~rrrrrr]rr_rr`rarbr rm local_samdbpathsnamesr)rrpresults r7join_provisionDCJoinContext.join_provisionVs &'&&##CJJ(8 -' -&)mm -@H -PSPYPY -#&;; -9< -&)]] ->A]] -&)]] -SUR UR,R@UR,RBURDURFS9 UR:[HRJRL:aUR:nSnUR ROS5c)UR RQSS5 [S5 SnUR RS5 S SK*J+n U"URSS9nURYU[HRJRZSS9 UR R]5 U(aUR RQSS5 [S UR,Rb-5 g![0a [!SUS SS -5ef=f![^a-nUR Ra5 [!SU-5eSnAff=f)!rzReconnecting to local samdbz#transaction_index_cache_size:200000F)rJrrKrGrbzFinding domain GUID from ncNamencNamezextended_dn:1:1zreveal_internals:0)rWrNrOrrrz*Can't find naming context on partition DN z in rjrz3Can't find GUID in naming master on partition DN %szGot domain GUID %szCalling own domain provisionrKrGr) dom_for_fun_levelrrrrGhostiphostip6rrzdsdb:schema update allowedNyesz;Temporarily overriding 'dsdb:schema update allowed' settingT) DomainUpdate)fix)update_revisionzDomainUpdate() failed: %snozProvision OK for domain %s)2rrrrJrrGrmset_invocation_idrvrr\rorqrrrrsr/r rrKrget_extended_componentr domainguidKeyErrorrrsecretsrrrrrrrrrr,DS_DOMAIN_FUNCTION_2012rsettransaction_startsamba.domain_updater!check_updates_functional_levelrtransaction_commitrtransaction_cancelr)rr secrets_ldb adprep_levelupdates_allowed_overriddenr!rrs r7join_provision_own_domain'DCJoinContext.join_provision_own_domainssb +,coo11B"D'5'7 __//(- / ##C(9(9$:;)) 9:oo$$#*:*:#..YaXb/@BV.W%Y 3q6 !!Z]ZjZjlolululyly"z{ { o#&tyy 3q6(CSTUCVC]C]^dCe1f1}1}E2F(G$HCII  ,syy/C/CCD 67#))++.:JsvvV s zz399cii),)=)="0#&===a&&)9)9399CTCT#&??cmm  M   5::#E#E E//L). &vvzz67? 7?ST-1* II ' ' ) G<%coo4@55l6;jj6X6XFJ6L ,,. * 7> *SYY-@-@@AW o!"WZ]^_Z`aiZjklZm"mn n oH G ,,.%&AA&EFF Gs&A4O?AP"P P;(P66P;c[R"SUR<SU<S3URXRUR 5$z2Creates a new DRS object for managing replicationsrrr)r drs_ReplicaterkrGrr)r repl_credsrs r7create_replicatorDCJoinContext.create_replicators8&&),_E OOS5F5FH Hr9c  URRS5 URR5 [R "UR R55nURc0[S5 [R "[R5nO URnUR(aq[5nURUR5 UR!["5 UR%UR&5 UR)UR*5 O UR,nSnURR/5S:aUS- nUR1X45nUR3UR4UUSURUR6S9 UR3UR8UX RUR6S 9 UR:(d[S 5 UR3UR<UX RUR>[R@-S 9 UR>[R@-(d1UR3UR<UX RUR>S 9 [S5 URLURN4HPnXpRP;dM[S[SU5-5 UR3XqX RUR6S 9 MR UR(aWUR3URTUU[RVSS9 UR3URXUU[RVSS9 O8URZb+UR3URZUU[R\S9 XPl3Xl4X l5URRS5 UR>[R@-(d*URRm[nRpS5 URRs5 URRm[nRpS 5 URRS5 URw5 g![BaHnURDS [FRH:Xa!URRKS 5 SnAGNeSnAff=f![BadnURDS [FRH:Xa=UR>[R@-(aURRKS 5 eSnAff=f![^R`aQnURDupU [Rb:Xa)[SURd-5 [S5 SnAGNeSnAff=f! URRu5 e=f)zReplicate the SAM.zStarting replicationNzUsing DS_BIND_GUID_W2K3rUrVrWT)schemarodcr)r>rz;Replicating critical objects from the base DN of the domainrzFirst pass of replication with DRSUAPI_DRS_CRITICAL_ONLY not possible due to a missing parent object. This is typical of a Samba 4.5 or earlier server. We will replicate all the objects instead.zReplication with DRSUAPI_DRS_CRITICAL_ONLY failed due to a missing parent object. This may be a Samba 4.5 or earlier server and is not compatible with --critical-onlyz5Done with always replicated NC (base, config, schema)zReplicating %s)rr>)rzdWARNING: Unable to replicate own RID Set, as server %s (the server we joined) is not the RID Master.zxNOTE: This is normal and expected, Samba will be able to create users after it contacts the RID Master at first startup.z1Committing SAM database - this may take some timerzCommitted SAM database)$*c"g67NN2#7hh141B1B#D?xxs{{,D3$+$D$D4Qs002J3$+$D$D4Q##/ NN3#5#57O#7(/(K(K#MH+C ('; $ JJOOO P++g.O.OO**4+`+`+,. OO . . 0 OO & &t'\'\'( * JJOO4 5 ""$C# vvayF$E$EE **,XYY 4'66!9(I(II33g6W6WWJJ..0\]F,,#%77LTwFFFEHKHRHRRSYZZ   OO . . 0 sF9V31AR2"V30S3V3>  <|| ,66LT0004<-5 ""#NO!kCJJ&>/=/?.1iiCFFD &d++ ,s(+CBC CCc[R"5n[R"5Ul[ U5URl[ R"S5URl[R"S5URl URUl [ UR5<SUR<3Ul[R [R"-UlUR&(d#U=R$[R(-slURcUR+5 URR-UR.SU5 g)NrzS-0-0z._msdcs.r)r DsReplicaUpdateRefsRequest1rmnaming_contextrvrr rrr rrr dest_dsa_guidrdest_dsa_dns_nameDRSUAPI_DRS_ADD_REFDRSUAPI_DRS_DEL_REFrrrr]DsReplicaUpdateRefsrZ)rrrs r7send_DsReplicaUpdateRefs&DCJoinContext.send_DsReplicaUpdateRefshs  / / 1"<<>!"g $ *P Q'//8--03CMM0BCMMR//'2M2MM xx II55 5I ;;     ! ''(:(:AqAr9c  [Rn[R[R-nURnSUR -nUR n[UR5nU<SU<3n[R"URUR5nURRS[U5XS4-5 Sn [R"SUR <SU <S3URUR"5n Sn [$R&"UR(5n [*R,"5n UR.U l[*R2"S [UR45[*R64-5U lU R;US UR UUS [<R>US S 5 upU (aWRHHnURJHnURL[<RN:Xd URL[<RP:XdMA[RR"5nUUl$U RUUS UR UUS U5 M M UHnURWS 5S:wa3URRSU<SU<SU<35 [YU5nO2URRSU<SU<SU<35 [[U5n[RR"5nUUl$U RUUS UR UUUS 5 M [U5S :Ga[\R^"UR(UR`5nUR(RcU<SU<3US9uUl2nU RgURdU S[*Rh[*Rj--/S9 URRSU<SU<SU<35 [RR"5n[mU5nUUl$U RUUS UR UUUS 5 [\R^"UR(URn5nUR(RcU<SU<3US9uUl8nU RgURpU S[*Rh[*Rj--/S9 URRS5 g ![@a.nURBS [DRF:XaS n S nAGN[S nAff=f![@a.nURBS [DRF:XaS nAGMseS nAff=f)a>Remotely Add a DNS record to the target DC. We assume that if we replicate DNS that the server holds the DNS roles and can accept updates. This avoids issues getting replication going after the DC first starts as the rest of the domain does not have to wait for samba_dnsupdate to run successfully. Specifically, we add the records implied by the DsReplicaUpdateRefs call above. We do not just run samba_dnsupdate as we want to strictly operate against the DC we just joined: - We do not want to query another DNS server - We do not want to obtain a Kerberos ticket (as the KDC we select may not be the DC we just joined, and so may not be in sync with the password we just set) - We do not wish to set the _ldap records until we have started - We do not wish to use NTLM (the --use-samba-tool mode forces NTLM) z _msdcs.%srSz&Adding %d remote DNS records for %s.%srrrrTz%s-%drNF:zAdding DNS AAAA record z for IPv6 IP: zAdding DNS A record z for IPv4 IP: ) dns_partitionz sd_flags:1:%drzAdding DNS CNAME record z for z_All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup)9rDNS_CLIENT_VERSION_LONGHORNDNS_RPC_VIEW_AUTHORITY_DATADNS_RPC_VIEW_NO_CHILDRENrrrrvrr interface_ipsrGrr\rorrkrFr%SDUtilsrmr rr owner_sidrrDOMAIN_RID_DCS group_sidDnssrvEnumRecords2r DNS_TYPE_ALLr#rur!"WERR_DNS_ERROR_NAME_DOES_NOT_EXISTrPrecordswType DNS_TYPE_A DNS_TYPE_AAAADNS_RPC_RECORD_BUFDnssrvUpdateRecord2findr'r&rrrKr dns_lookuprmodify_sd_on_dn SECINFO_OWNER SECINFO_GROUPr(rr)rclient_version select_flagsr msdcs_zoner msdcs_cname cname_targetIPsrdns_conn name_found sd_helperchange_owner_sdbuflenrrrPrecord del_rec_bufIP add_rec_bufdomaindns_zone_dn ldap_recordforestdns_zone_dns r7join_add_dns_records"DCJoinContext.join_add_dns_recordsys0#>> <<  . ./ }} 3==0 zz#--( "&- !!#&&#*;*;< @S4./ 0!&& O'\'*vvsyy: $$SYY/ "--/$'$:$:!$,$4$4W69#**o6>6M6M6O6O%P!  #--n./.1jj.2.2.2.2.?.?.:.2.2 4 V ww!kkF||t6||t'9'99&/&B&B&D *0  &$889:9<9=9=9=9D F**Bwws|r! #'r!34 n #'r!34bk$668K!KO  ( ()*),)-)-)4)-  /* HqL #syy#2D2D E ))&&$'=5F'H (S\;  % %cllO0?3;3I3I5=5K5K4L1M0N & O JJOO*J F G$668Kl+C!KO  ( ()*),)3)4)4)-  /!$syy#2D2D E ))&&+z'J5F'H ,S {  % %c&6&60?3;3I3I5=5K5K4L1M0N & O K Lk #vvayFEEE"  #( +& vvayF,U,UU $ % &s64S2 !T-2 T*<#T%%T*- U%7!U U  U%c <URUR4HnXR;dMURR S[ U5-5 UR RXRURURURSS9 M g)Nz!Replicating new DNS records in %sF)r>r full_sync) rrrer\rorvrrrJrrr)rrs r7join_replicate_new_dns_records,DCJoinContext.join_replicate_new_dns_recordssy%%s'9'9:B[[   Cs2w OP""2'C'C#&==sxx141B1B-2#4;r9c &URRS5 URHnURU5 M UR(Ga%[ S5 UR R[UR55 UR RSUR5 [R"5n[R"UR SUR-5Ul[R""[%UR5[R&S5US'UR R)U5 UR R+UR SS5 URRS5 [R"5n[R"UR S5Ul[R""S [R&S 5US 'UR,n[R""S [U5-[R&S 5US 'UR R)U5 UR.(ag [1UR2R4[75UR8S9nURRS5 [;X@R<UR>UR@URBURDURFURHURJS9 URLROS5(ab[QUR UURRUR2URURLURTURURVS9 g g )z=Finalise the join, mark us synchronised and setup secrets db.z=Sending DsReplicaUpdateRefs for all the replicated partitionszSetting RODC invocationIddomainFunctionalityz%srr(Setting isSynchronized and dsServiceName@ROOTDSEr>isSynchronized dsServiceNameNrzSetting up secrets database)rrr netbiosnamer rsecure_channel_typerr)rros_levelr),r\rorer_rrrr%rvrrLrrrrJrKrrrLr rMrN"set_attribute_replmetadata_versionrrrrr)rrGrrrrrrrrrrrrrrr)rrrQrr1s r7 join_finaliseDCJoinContext.join_finalises WX++B  ( ( , 888 - . OO - -c#2C2C.D E OO & &'<'*';'; = A66#//4#+++=>AD # 2 28C >qtt?M?@ B BC KKMvvcooz2!009M9MO_` }} // c$i0G030D0DoW/ q! == #))++.:JsvvV  56K"%))&)mm(+ &)jj(+ 030G0G/2/E/E G ?? % %h / / COO[IIsyy#**(+$'KK#:N:N/2/I/I  K 0r9c r [SUR-5 Sn[R"SUR<SU<S3URUR 5n[R "5n[R"5UlURSRS5U[R5n[R"5nURURlURUR"lUR$Ul[R([R*-Ul[R.Ul[R2Ul[R6"5nURUlUR9XF[R:5n[SUR<SUR<R&<S 35 UR?XGR<R&5 [CURDRGS 55n[HRJ"5n [MU5U l'Xl([HRR"5n [TRV"[Y[ZRZ"555U l.[R^U l0Xl1[HRd"5n S U l3U /U l4[HRj"5n S U l3Xl6[HRn"5n S /S -n[qS 5Hn[rRt"SS5X'M Xl;Xl<Xl=[}U 5n[URU5n[R"5n[MU5Ul'[CU5UlB[R"5nUUlDURUUU[R5nSUR<SUR<3S[UR05[UR45[UR,5URUR[}U 5[}U 5[}UR5S. nURRU5 SUR<SUR<3S[[TRR5URDRGS 5SUR-S.nURRU5 g![@a GN2f=f)zprovision the local SAM.z"Setup domain trusts with server %srz ncacn_np:rrzutf-8zRemoving old trust record for  (SID )rrrlirrzcn=z ,cn=system, trustedDomain) rr? trustTypetrustAttributestrustDirectionflatname trustPartnertrustAuthIncomingtrustAuthOutgoingsecurityIdentifierz $,cn=users,r=rQ)rr?rrrDN)PrrkrrrGrFrrrrrr rTrustDomainInfoInfoExrrrrrrLSA_TRUST_DIRECTION_INBOUNDLSA_TRUST_DIRECTION_OUTBOUNDtrust_directionLSA_TRUST_TYPE_UPLEVEL trust_type!LSA_TRUST_ATTRIBUTE_WITHIN_FORESTtrust_attributesrrrrrrro trustdom_passrpr AuthInfoClearrsizepasswordAuthenticationInformationr unix2nttimertimeLastUpdateTimeTRUST_AUTH_TYPE_CLEARAuthTypeAuthInfoAuthenticationInformationArraycountarraytrustAuthInOutBlobcurrenttrustDomainPasswordsrrandomrandint confounderoutgoingincomingr r session_key DATA_BUF2dataTrustDomainInfoAuthInfoInternal auth_blobCreateTrustedDomainEx2SEC_STD_DELETErrxrvrrrrHr,UF_INTERDOMAIN_TRUST_ACCOUNT)rrrrrrooldnameoldinfo password_blob clear_value clear_authentication_information authentication_information_arrayr trustpassrrtrustpass_blobencrypted_trustpassr auth_infotrustdom_handlerPs r7join_setup_trustsDCJoinContext.join_setup_trustsbs 2SZZ?@**#**oN VVSYY0((*  [[] ((7);)3X5V5VX ((*"%--#&?? ::">>AaAaa44 # E E jjlG ]]GN:::;>;`;`bG PWP_P_PcPcd e  ' ' OO4G4G HS..55kBC ,,. }- ,+3+M+M+O(:?:K:KCPTPYPYP[L\:](7474M4M(14?1+3+R+R+T(12(.2R1S(...0;113 S3Y sA"NN1c2JM *%%!),-g.A.A>RMMO 01 12 779 ' !889=9B9A9P9PR +.--E*T__-"4#8#89!$"6"67..MM!)(!3!)(!3"*3=="9   C +.*@*@#++N!"%ejj&M&M"N!$!2!2!9!9+!F#c&<&<<   C M   s&BT(( T65T6cURUR/UlURURUR/UlUR (a1UR S:wa!U=RUR/- slgUR (dU=RUR/- slUR S:waU=RUR/- slU=RUR/- slU=RUR/- slU=RUR/- slggg)Nr[) r~r|rerxrfrrrrrfs r7build_nc_listsDCJoinContext.build_nc_listss }}cmm4 KK F ==S__6   !3!3 4 4  KKCKK= (K&(  2 233   2 233   S%7%7$88   S%7%7$88 )r9crUR5 UR(aUR5 OUR5 UR 5 UR 5 UR 5 UR(a0UR5 UR5 UR5 URS:wa UR5 UR5 UR5 g! [S5 O![ a Of=fUR#5 UR5 e=f)Nr[zJoin failed - cleaning up)rrcr rrrrPrrr4rrrrrrIOErrorrNrfs r7do_joinDCJoinContext.do_joins      "  "   "       }}%%'--/%%'&(((*224      12    & & (  " s1B1C66D69 DD6 DD6D$D6r:)NNNNNNNNNFNFFNNN)FN)(r;r<r=r>__doc__r3rrrr rprnrrrrr0r5rrRr]rgr~rrrrrr4r:rPrNr_rrrrrrr?r:r9r7rCrC<sJN;?@D;@#$($( U"n 3Sj-.^(& *6---N ;:`1AF.` hU2n)GV,:FBPH S%j,$B"WLr4EKNc!J9* r9rCc[XX#XEXgXU XUUS9nURSUR5 URSUR-5 URSUR5 URSUR-5 SUR <SUR <3UlSUR<S [R<S 3S [R-S [R-S [R-S [R-/UlSUR<S [R <S 3UlUR%5nS U-nUUl[(R*R,[(R*R.-[(R*R0-UlUR4R7S UR -S UR8-/5 S UR:-Ul[>R@Ul!SUl"U=RF[HRJ[HRL--sl#URFUl'U(a#U=RN[HRP-sl'URS5 URSUR<SUR<S35 g)zJoin as a RODC.rarb workgroupworkgroup is %sr realm is %sz CN=krbtgt_rEzzzRestrictedKrbHost/%szCN=RODC Connection (FRS),%sTJoined domain rz ) as an RODCN)*rCr+rrorrrxrrr DOMAIN_RID_RODC_DENYSID_BUILTIN_ADMINISTRATORSSID_BUILTIN_SERVER_OPERATORSSID_BUILTIN_BACKUP_OPERATORSSID_BUILTIN_ACCOUNT_OPERATORSrDOMAIN_RID_RODC_ALLOWrr5rrr,r )UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATIONUF_PARTIAL_SECRETS_ACCOUNTrrextendrrrr SEC_CHAN_RODCrrrr %DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING$DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIPrBrCr)r\rkrFrGr]rr^rdomain_critical_onlyrr_rrcr`rarbrmysidadmin_dns r7 join_RODCrs 4!;;(&3+=  ?C FF;( KK!COO34FF7CII KK  )*25**ckkJCMX%B%BCX888X:::X:::X;;; =C '*jj(2P2PQCN MMOEE!HCM#jjEE#jjRRS#jjCCDCHHOO+cjj8+coo=?@6 CC"00CCH'GG!FFGH"00C   G$E$EE KKM KK#//3::VWr9cV[XX#XEXgXU XUUS9nURSUR5 URSUR-5 URSUR5 URSUR-5 [ R R[ R R-Ul URRSUR-5 [RUlU=R ["R$["R&--slUR UlU(a#U=R(["R*-slUR-5 URSUR<SUR.<S 35 g ) z Join as a DC.rrrrrz1E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/%srrz ) as a DCN)rCr+rrorrr,r UF_TRUSTED_FOR_DELEGATIONrrrrrr SEC_CHAN_BDCrrr r!DRSUAPI_DRS_FULL_SYNC_IN_PROGRESSrBrCrr)r\rkrFrGr]rr^rrrr_rrcr`rarbrs r7join_DCr7s1 4!;;(&3+=  ?C FF;( KK!COO34FF7CII KK  )*"ZZ??%**BfBffCHHOOG#--WX"//C'66!CCDE"00C   G$E$EE KKM KKs STr9c [XX#UXWUUU S9 n URSU R5 URSU R-5 URSU R5 URSU R-5 U R 5 URSU R<SU R <S35 U $) z%Creates a local clone of a remote DC.)r^rrinclude_secretsrarbrrrrzCloned domain rr)DCCloneContextr+rrorrr) r\rkrFrGr^rrrrarbrs r7 join_clonerYs i &)8'4,>  @C FF;( KK!COO34FF7CII KK  )*KKM KKs KL Jr9cD^\rSrSrSrSU4SjjrSrSrSrU=r $)riozClones a remote DC.c >[T U]XX4XVUU U S9 SUlSUlSUlUR R S5SUlSUlSUl URR5Ul U=R[R[R --sl U(d#U=R[R"-sl URUlg)N)r^rrrarbrSr)r2r3rrrrksplitrrrrm get_ntds_GUIDremote_dc_ntds_guidrr rrrrB) rr\rkrFrGr^rrrrarbr6s r7r3DCCloneContext.__init__rs #,%0'4,>  @   ZZ%%c*1-  !#&))"9"9"; g::%GGH I   !N!N N ##4 r9cURRS5 [R"5n[R"UR S5Ul[R"S[RS5US'URn[R"S[U5-[RS5US'UR RU5 g)Nrrr>rrr) r\rorrrJrKrrrLrMr rvrN)rrQrs r7rDCCloneContext.join_finalises BC KKMvvcooz2!009M9M1AC && // c$i0G030D0D0?A/ q!r9cUR5 UR5 UR5 UR5 gr)rrrPrrfs r7rDCCloneContext.do_joins4    r9r:) NNNNNNNFNN) r;r<r=r>rr3rrr?r@rAs@r7rros&?C:>6:$(56 "r9rcN^\rSrSrSrS U4SjjrSrSrSrSr Sr U=r $) DCCloneAndRenameContextiz6Clones a remote DC, renaming the domain along the way.c P>[T U]XEXgUU U U U S9 XlX lX0lg)N)r^rrrra)r2r3 new_base_dnnew_domain_name new_realm)rrrrr\rkrFrGr^rrrrar6s r7r3 DCCloneAndRenameContext.__init__s< #, &%0)8'4  6&-! r9c SUR<SU<S3n[R"X0RUURUR UR UR5$r7)rkrdrs_ReplicateRenamerrGrrrxr)rr9r binding_strs r7r:)DCCloneAndRenameContext.create_replicatorsL 03zz?K --k66:.1oo.1.?.?.1kk3??L Lr9c[R"5up#URSU5 [RR US9n[ R"U5 U$)z?Creates a non-global LoadParm based on the global LP's settingsF)filename_for_non_global_lp)tempfilemkstempdumprparamLoadParmosremove)r global_lpfdtmp_filelocal_lps r7create_non_global_lp,DCCloneAndRenameContext.create_non_global_lpsJ '') uh';;''8'L (r9cdURn[R"SU-URU5$)z/Uses string substitution to replace the base DNrQ)rxresubr)rdn_str old_base_dns r7 rename_dn!DCCloneAndRenameContext.rename_dns'kk vvek)3??FCCr9c@[S5 URUR5n[UR[ 5UR [URUURUR5URURUR5URUR5URURSUR UR"S9n[SUR$-5 UR&UlUR*Ulg)z"Provision the local (renamed) SAM.z(Provisioning the new (renamed) domain...r) r^rrrGrr r`r rr rrraz%Provision OK for renamed domain DN %sN)rr*rGrr\rr^rrr1rzrr|r~rrrrar rmrr)r non_global_lprs r7r&DCCloneAndRenameContext.join_provisions 89008 CJJ(8&)mm"%--M#&==#=%(]]3==%A%(]]3==%A##6#**'K(+*-*;*; = 58H8HHI!--MM r9r:) NNNNNNNTN) r;r<r=r>rr3r:r*r1rr?r@rAs@r7rrs/@FJJNGK " L D""r9r)NNNNNNNNFNFNFFNN) NNNNNNFr[NN)Lr samba.authr samba.samdbrrrrrrrrr samba.ndrr r samba.dcerpcr r r rrrrrsamba.credentialsrrsamba.provisionrrrrrrsamba.provision.commonr samba.schemarr samba.netrsamba.provision.sambadnsrr r!base64r"r#r$r%samba.dnsserverr&r'r(rrr-r$r collectionsr) samba.commonr* samba.netcmdr+r,r-rr/rzrCrrrrrr:r9r7rEs&%99 *UUU<DD-4#,<< ##%(8i8 @F@F.VZ@E=A8= !% 5XpTX>C;?6;# UD9=