Current File : //lib/python3/dist-packages/samba/provision/__pycache__/__init__.cpython-312.pyc

�

�de6��1�@�dZdZddlmZddlZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZddl
Z
ddlZddlZddlZddlmZmZddlmZddlZddlmZddlmZmZdd	lmZdd
lmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%ddl&m'Z'm(Z(ddl)m*Z*m+Z+dd
lm,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3ddl4m5Z5ddl6m7Z7ddl8m9Z9m:Z:m;Z;ddl<m=Z=m>Z>ddl?m@Z@ddlAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPmQZQmRZRmSZSmTZTmUZUmVZVddlWmXZXmYZYmZZZm[Z[m\Z\m]Z]m^Z^ddl_m`Z`maZambZbmcZcddldZddleZddlfmgZgddlhmiZiddljmkZkddllmmZmddlhmnZnddlmoZodZpdZqdZrdZsd ZtGd!�d"eu�ZvGd#�d$eu�Zwd%�Zxdhd'�Zyd(�Zzd)�Z{d*�Z|Gd+�d,eu�Z}d-�Z~d.�Zd/�Z�d0�Z�d1�Z�d2�Z�				did3�Z�		djd4�Z�d5�Z�		dkd6�Z�ddddd7e+fd8�Z�d9�Z�d:�Z�d;�Z�d<�Z�d=�Z�d>�Z�	dld?�Z�d@�Z�dA�Z�dB�Z�dCZ�			dmdD�Z�				dndE�Z�dFZ�dGZ�dHZ�e�fdI�Z�dJ�Z�dK�Z�dL�Z�dM�Z�dN�Z�dO�Z�dhdP�Z�dQ�Z�dde[dddRdddddddddddddd&dd&d&ddfdS�Z�dTdUdVdVdVdUdVdVdUdTdTdW�Z�dX�Z�dY�Z�dodZ�Z�dpd[�Z�dpd\�Z�dde[ddddddddddddRddddddddddddddddddddd&d&dd&d&ddd]d^e2d&ddd&f1d_�Z�							dqd`�Z�da�Z�Gdb�dce��Z�Gdd�dee��Z�Gdf�dge��Z�y)rz/Functions for setting up a Samba configuration.�restructuredText�)�	b64encodeN)�system_session�
admin_session)�system_session_unix)�auth)�smbd�passdb)�param)	�Ldb�MAX_NETBIOS_NAME_LEN�check_all_substituted�is_valid_netbios_char�
setup_file�substitute_var�valid_netbios_name�version�is_heimdal_built)�security�misc)�SEC_CHAN_BDC�SEC_CHAN_WKSTA)�DS_DOMAIN_FUNCTION_2000�DS_DOMAIN_FUNCTION_2003�DS_DOMAIN_FUNCTION_2008�DS_DOMAIN_FUNCTION_2008_R2�DS_DOMAIN_FUNCTION_2012�DS_DOMAIN_FUNCTION_2012_R2�DS_DOMAIN_FUNCTION_2016�
ENC_ALL_TYPES)�IDmapDB)�read_ms_ldif)�setntacl�getntacl�dsacl2fsacl)�ndr_pack�
ndr_unpack)�
LDBBackend)�get_deletedobjects_descriptor�get_empty_descriptor�get_config_descriptor� get_config_partitions_descriptor�get_config_sites_descriptor�!get_config_ntds_quotas_descriptor�'get_config_delete_protected1_descriptor�)get_config_delete_protected1wd_descriptor�'get_config_delete_protected2_descriptor�get_domain_descriptor�$get_domain_infrastructure_descriptor�get_domain_builtin_descriptor�get_domain_computers_descriptor�get_domain_users_descriptor�!get_domain_controllers_descriptor�'get_domain_delete_protected1_descriptor�'get_domain_delete_protected2_descriptor�get_dns_partition_descriptor�'get_dns_forest_microsoft_dns_descriptor�'get_dns_domain_microsoft_dns_descriptor�'get_managed_service_accounts_descriptor)�
setup_path�setup_add_ldif�setup_modify_ldif�	FILL_FULL�FILL_SUBDOMAIN�FILL_NT4SYNC�FILL_DRS)�get_dnsadmins_sid�setup_ad_dns�create_dns_dir_keytab_link�create_dns_update_list)�Schema)�SamDB)�dbcheck)�create_kdc_conf)�get_default_backend_store)�functional_levelz$31B2F340-016D-11D2-945F-00C04FB984F9z$6AC1786C-016F-11D2-945F-00C04FB984F9zDefault-First-Site-Name�lastProvisionUSN�c��eZdZd�Zy)�ProvisionPathsc���d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_	d|_
d|_d|_d|_
d|_d|_d|_y�N)�	shareconf�hklm�hkcu�hkcr�hku�hkpd�hkpt�samdb�idmapdb�secrets�keytab�
dns_keytab�dns�winsdb�private_dir�binddns_dir�	state_dir��selfs �:/usr/lib/python3/dist-packages/samba/provision/__init__.py�__init__zProvisionPaths.__init__�s{�������	���	���	������	���	���
����������������������������N��__name__�
__module__�__qualname__ri�rjrhrRrR�s��rjrRc��eZdZd�Zy)�ProvisionNamesc��d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_	d|_
d|_d|_d|_
d|_d|_d|_d|_i|_yrT)�ncs�rootdn�domaindn�configdn�schemadn�dnsforestdn�dnsdomaindn�
ldapmanagerdn�	dnsdomain�realm�netbiosname�domain�hostname�sitename�smbconf�	domainsid�	forestsid�
domainguid�name_maprfs rhrizProvisionNames.__init__�s�����������
���
���
�������!��������
���������
���
���������������
rjNrkrorjrhrqrq�s��rjrqc�N�t�}d|_|jd�j�|_|jd�|_|j
j
�|_tj|j�}|j
j�|_|jd|jzdtjdg��}t|dd�jd	d
�|_||_|jdd
tj"gd���}	t|	dd
d�|_t|	ddd�|_tj(||�tj(||	dddj+d��k(sMt-d|j.�dt|	dddj+d���d|j �d|�d�	��t|	ddd�|_t|	ddd�|_|	dd|_d|_d|_t;dt=|j4��D]d}
t|j4|
�}dt|j2�z}||k(r||_�@dt|j0�z}
||
k(s�^|
|_�f|jddt|j$�ztj>dg��}t|dd�|_ |jd|jzd|ztj>dg��}t=|�dk(rt-d|j�d |����t|dd�jd!|jzd
�|_!|jd"|djDzg|j$�#�}t|djD�|_#|jdd$t|jF�ztj"d%d&g��}ttItJjL|dd'd��|_'ttItJjL|dd&d��|_(|jd|tj"gd(���}ttItJjL|dd&d��|_)tItTjV|dd)d�|_,tItTjV|dd)d�|_-|djd*��t]|dd*d�t^krt^|_0nt]|dd*d�|_0|jd+tbzd,|ztj>dd-g��}t|dd�jd.d
�jd/d
�|_2|jd+tfzd,|ztj>dd-g��}t=|�d0k(r7t|dd�jd.d
�jd/d
�|_4nd|_4|jd1t|jX��d2tTjj�d3�d4d5g�6�}t=|�d0k7r2t-d7t|jX��d2tTjj����t|dd5d�d8k(rt]|dd4d�|_6n6tojpt]|dd4d��jr|_6|jd9tjd:gd;g�<�}t=|�dkDrd=}nd>}|jd?|jztjd:gd;g�<�}t=|�dkDrd=}nd>}|j8�|rd@|_:ndA|_:n|s|rdB|_:ndC|_:tw||j0�}t|�|jxdD<|S)Ea�Get key provision parameters (realm, domain, ...) from a given provision

    :param samdb: An LDB object connected to the sam.ldb file
    :param secretsdb: An LDB object connected to the secrets.ldb file
    :param idmapdb: An LDB object connected to the idmap.ldb file
    :param paths: A list of path to provision object
    :param smbconf: Path to the smb.conf file
    :param lp: A LoadParm object
    :return: A list of key provision parameters
    N�	workgroupr|z
(flatname=%s)zCN=Primary Domains�sAMAccountName��
expression�base�scope�attrsr�$�z(objectClass=*))�defaultNamingContext�schemaNamingContext�configurationNamingContext�rootDomainNamingContext�namingContextsr�r�r��utf8z
basedn in z (z) and from z)is not the same ...r�r�zDC=ForestDnsZones,%szDC=DomainDnsZones,%sz(objectClass=site)z	CN=Sites,�cnz(CN=%s)zOU=Domain Controllers,%s�dNSHostNamezUnable to find DC called CN=z under OU=Domain Controllers,�.zserverReference=%s)r�r�r��CN=NTDS Settings,%s�invocationID�
objectGUID�invocationId)r��	objectSid�msDS-Behavior-Versionr�r�z(name={%s})zCN=Policies,CN=System,�displayName�{�}�z(cn=�-�)�	xidNumber�type)r�r�z.Unable to find uid/gid for Domain Admins rid (�ID_TYPE_BOTHz(samaccountname=dns)�dn�search_options:1:2)r�r�r��controlsTFz(samaccountname=dns-%s)�	BIND9_DLZ�SAMBA_INTERNAL�BIND9_FLATFILE�NONE�	DnsAdmins)=rq�	adminpass�get�upperr~r|�lowerr{�samba�dn_from_dns_name�search�ldb�
SCOPE_SUBTREE�str�replacer}r��
SCOPE_BASErvrw�Dn�decode�ProvisioningErrorr\rurtrsrxry�range�len�SCOPE_ONELEVELr�rr��serverdnr'r�GUID�
invocation�ntdsguidr�r�dom_sidr�r��intr�domainlevel�DEFAULT_POLICY_GUID�policyid�DEFAULT_DC_POLICY_GUID�policyid_dc�DOMAIN_RID_ADMINISTRATOR�root_gid�pwd�getpwuid�pw_gid�dns_backendrEr�)r\�	secretsdbr]�pathsr��lp�names�basedn�res�current�i�ncrxry�res3�res4�
server_res�res5�res6�res7�res8�res9�res10�has_legacy_dns_account�res11�has_dns_account�dns_admins_sids                           rh�find_provision_key_parametersr��s���
��E��E�O��6�6�+�&�,�,�.�E�L��&�&��/�E�K��k�k�'�'�)�E�O�
�
#�
#�E�O�O�
4�F��+�+�#�#�%�E�K��
�
�o� �<�<�'(�.B�!$�!2�!2�;K�:L��N�C��C��F�#3�4�5�=�=�c�2�F�E���E�M��l�l�&7� "�#�.�.�"4��5�G�����$@�A�!�D�E�E�N�����$9�:�1�=�>�E�N��F�F�5�&�!�c�f�f�U�-4�Q�Z�8N�-O�PQ�-R�-Y�-Y�Z`�-a�'c�
d��:?�+�+�:=�g�a�j�I_�>`�ab�>c�>j�>j�kq�>r�:s�:?�-�-��"Q�S�	S�
����$:�;�A�>�?�E�N��w�q�z�";�<�Q�?�@�E�L���
�+�,�E�I��E���E��
�1�c�%�)�)�n�
%���
����1��
��,��E�L�L�0A�B��
��� +�E���,��E�N�N�0C�D��
��� +�E�����<�<�#7�(�3�u�~�~�+>�>�c�FX�FX�ae�`f��h�D���a����'�E�N��<�<�9�u�/@�/@�#@�7�&�@�!�0�0����I�D��4�y�A�~��ch�ct�ct�v|� }�~�~���a���/�0�8�8��u���9N�PR�S�E�N����)=��Q��
�
�)J�$&�U�^�^��=�J���A��)�)�*�E�N��<�<�#4�2�S����5H�H�!�n�n�-�|�<��>�D��:�d�i�i��a���1H��1K�L�M�E����D�I�I�t�A�w�|�/D�Q�/G�H�I�E�N��<�<�#4�6�!�n�n�5[��\�D��:�d�i�i��a���1F�q�1I�J�K�E�� ��!1�!1�4��7�;�3G��3J�K�E�O� ��!1�!1�4��7�;�3G��3J�K�E�O��A�w�{�{�*�+�3���Q��/�0��3�4�7N�N�3�����Q��(?� @�� C�D����<�<�=�3F�#F�5��>�!�0�0��}�8M��O�D���a����'�/�/��R�8�@�@��b�I�E�N��<�<�=�3I�#I�5��>�!�0�0�#�]�3��5�D��4�y�A�~���Q���
�.�6�6�s�B�?�G�G��R�P��� ����>�>��u���/��1R�1R�&T�!,�f� 5��7�D��4�y�A�~��Y\�]b�]l�]l�Ym�ow�pQ�pQ�!R�S�	S�
�4��7�6�?�1���.�0��T�!�W�[�1�!�4�5������c�$�q�'�+�*>�q�*A�&B�C�J�J����L�L�$:�"�0�0���#7�"8�
�
:�E�	�E�
�Q��!%��!&���L�L�$=��@Q�@Q�$Q�"�0�0���#7�"8�
�
:�E�	�E�
�Q���������$�� +�E�� 0�E��	�2�,���"���&�u�e�n�n�=�N�"%�n�"5�E�N�N�;���LrjFc��g}|s�|jdtjtdg��}|dtD]K}t	jdt|��st|��d|��}|j
t|���M|j
|�d|�d|���tj�}tj|d�|_	tj|tjt�|t<|jddtjdg�	�}t|�dk(st|d�dk(r(tj|tjd�|d<|j|�y
)a_Update the field provisionUSN in sam.ldb

    This field is used to track range of USN modified by provision and
    upgradeprovision.
    This value is used afterward by next provision to figure out if
    the field have been modified since last provision.

    :param samdb: An LDB object connect to sam.ldb
    :param low: The lowest USN modified by this upgrade
    :param high: The highest USN modified by this upgrade
    :param id: The invocation id of the samba's dc
    :param replace: A boolean indicating if the range should replace any
                    existing one or appended (default)
    �
@PROVISIONr�)r�r�r�r�;r�zprovisionnerID=*�provisionnerIDr�N)r�r�r��LAST_PROVISION_USN_ATTRIBUTE�rer��append�Messager�r��MessageElement�FLAG_MOD_REPLACEr��FLAG_MOD_ADD�modify)	r\�low�high�idr��tab�entry�e�deltas	         rh�update_provision_usnr�\sE�� 
�C�����,�#&�>�>�$@�$�#G��I���q��6�7�	�A��9�9�S�#�a�&�)�"�1�v�r�*���J�J�s�1�v��	�
�J�J�S�$��+�,��K�K�M�E��v�v�e�\�*�E�H����3��/�/�7�	9�
�
&�'�
�L�L�$6�*�#�.�.� 0�1�
�
3�E��5�z�Q��#�e�A�h�-�1�,�"%�"4�"4�R��9I�9I�K[�"\����	�L�L��rjc��g}|j|�d|�d|���tj�}tj|d�|_tj
|tjt�|t<|j|�y)a�Set the field provisionUSN in sam.ldb
    This field is used to track range of USN modified by provision and
    upgradeprovision.
    This value is used afterward by next provision to figure out if
    the field have been modified since last provision.

    :param samdb: An LDB object connect to sam.ldb
    :param low: The lowest USN modified by this upgrade
    :param high: The highest USN modified by this upgrade
    :param id: The invocationId of the provisionr�r�r�N)	r�r�r�r�r�r�r�r��add)r\r�r�r�r�r�s      rh�set_provision_usnr�sn��
�C��J�J�S�$��+�,��K�K�M�E��v�v�e�\�*�E�H����3��+�+�7�	9�
�
&�'�
�I�I�e�rjc�`�|jd|tjdggd���}|ddS)a This function return the biggest USN present in the provision

    :param samdb: A LDB object pointing to the sam.ldb
    :param basedn: A string containing the base DN of the provision
                    (ie. DC=foo, DC=bar)
    :return: The biggest USN in the provisionz
objectClass=*�
uSNChanged)r�zserver_sort:1:1:uSNChangedzpaged_results:1:1)r�r�r�r�r�r)r�r�r�)r\r�r�s   rh�get_max_usnr�s>���,�,�/�� �.�.�|�n�!6��7�C�
�q�6�,��rjc��	|jdtzdtjtdg��}t|�dkD�rg}i}tjd�}|djd�r'|ddD]}|jt|���|dtD]�}	t|	�jd�}
t|
�d	k(r|
d
}nd}t|�dkDr||vr�F|j|
d�}|j|��g||<||j|d�||j|d
���|Sy#tj$r-}|j
\}}|tjk(rYd}~y�d}~wwxYw)aGet USNs ranges modified by a provision or an upgradeprovision

    :param sam: An LDB object pointing to the sam.ldb
    :return: a dictionary which keys are invocation id and values are an array
             of integer representing the different ranges
    z%s=*r�r�r�Nrr�r��r��default)r�r�r�r��LdbError�args�ERR_NO_SUCH_OBJECTr�r��compiler�r�r��split)
�samr��e1�ecode�emsg�myidsr��pr��r�tab1r��tab2s
             rh�get_last_provision_usnr�s�����
�
�f�/K�&K� ,�C�N�N�">�@P�!Q��S���5�z�A�~������J�J�t�����8�<�<�(�)��1�X�.�/�
%�����S��V�$�
%��q��6�7�	&�A��q�6�<�<��$�D��4�y�A�~��!�W�����E�
�Q��2�U�?���7�7�4��7�#�D��y�y��}�$���b�	��"�I���T�!�W�%��"�I���T�!�W�%�	&�����7�<�<�����
����C�*�*�*��
��	�s�0E�F�"E?�>E?�?Fc��eZdZdZd�Zd�Zy)�ProvisionResultz�Result of a provision.

    :ivar server_role: The server role
    :ivar paths: ProvisionPaths instance
    :ivar domaindn: The domain dn, as string
    c��d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_	d|_
yrT)�server_roler�rur�r\�idmapr�r��adminpass_generatedr��backend_resultrfs rhrizProvisionResult.__init__�sR�������
���
������
���
���
����#'�� ����"��rjc��|jd�|jr|jd|j�|jd|j�|jd|jj
�|jd|jj�|jd|jj�|jd|j�|jr|jj|�yy)	z)Report this provision result to a logger.zMOnce the above files are installed, your Samba AD server will be ready to usezAdmin password:        %szServer Role:           %szHostname:              %szNetBIOS Domain:        %szDNS Domain:            %szDOMAIN SID:            %sN)�inforr�rr�rr~r{r�r�
report_logger)rg�loggers  rhrzProvisionResult.report_logger�s������
�	��#�#��K�K�3�T�^�^�D����/��1A�1A�B����/����1D�1D�E����/����1B�1B�C����/����1E�1E�F����/����@�������-�-�f�5�rjN)rlrmrn�__doc__rirrorjrhrr�s���#�6rjrc�^�|D]}	||�cStd|z��#t$rY�(wxYw)z�Find a user or group from a list of possibilities.

    :param nssfn: NSS Function to try (should raise KeyError if not found)
    :param names: Names to check.
    :return: Value return by first names list.
    zUnable to find user/group in %r)�KeyError)�nssfnr��names   rh�findnssr&�sI�����	���;���
�4�u�<�
=�=���	��	�s� �	,�,c�<�ttj|�dS�Nr)r&r��getpwnam�r�s rh�findnss_uidr+����3�<�<��'��*�*rjc�<�ttj|�dSr()r&�grp�getgrnamr*s rh�findnss_gidr0r,rjc��	t|�}|S#t$r/}|j|�|jd�d}Yd}~|Sd}~wwxYw)NzAssuming root user has UID zeror)r+r#r)�rootr �root_uidr�s    rh�get_root_uidr4sL����t�$��
�O��	�����A�����5�6����O��	�s��	A�$A�Ac�t�t�}|jd�|_|jd�|_|jd�|_d|_d|_tjj|jd�|_
tjj|jd�|_tjj|jd�|_tjj|jd	�|_
tjj|jd
�|_tjj|jd�|_tjj|jd�|_tjj|jd
�|_tjj|jd�|_tjj|jd�|_tjj|jd�|_tjj|jd�|_tjj|jd|dz�|_tjj|jd�|_tjj|jd�|_tjj|jd�|_d|_d|_d|_d|_d|_d|_|jdd�|_ |jdd�|_!|jD|_#|S) ztSet the default paths for provisioning.

    :param lp: Loadparm context.
    :param dnsdomain: DNS Domain name
    �private dir�binddns dir�state directoryz
dns.keytab�secrets.keytabz	share.ldbzsam.ldbz	idmap.ldbzsecrets.ldbz
privilege.ldb�dns_update_list�spn_update_list�	krb5.confzkdc.confzwins.ldb�ldapizencrypted_secrets.keyraz.zonez
named.confznamed.conf.updatez	named.txtzhklm.ldbzhkcr.ldbzhkcu.ldbzhku.ldbzhkpd.ldbzhkpt.ldb�path�sysvol�netlogon)$rRr�rcrdrer`r_�osr>�joinrUr\r]r^�	privileger:r;�krb5conf�kdcconfrb�
s4_ldapi_path�encrypted_secrets_key_pathra�	namedconf�namedconf_update�namedtxtrVrXrWrYrZr[r?r@�
configfiler�)r�r{r�s   rh�provision_paths_from_lprLs���
��E����}�-�E�����}�-�E���f�f�.�/�E�O�$�E��#�E�L��g�g�l�l�5�#4�#4�k�B�E�O��'�'�,�,�u�0�0�)�<�E�K��G�G�L�L��!2�!2�K�@�E�M��G�G�L�L��!2�!2�M�B�E�M��g�g�l�l�5�#4�#4�o�F�E�O��G�G�L�L��):�):�<M�N�E���G�G�L�L��):�):�<M�N�E���W�W�\�\�%�"3�"3�[�A�E�N��G�G�L�L��!2�!2�J�?�E�M��7�7�<�<�� 1� 1�:�>�E�L��'�'�,�,�u�'8�'8�'�B�E��')�w�w�|�|�
����(!�E�$������U�.�.��y�7�7J�K�E�I��g�g�l�l�5�#4�#4�l�C�E�O��W�W�\�\�%�*;�*;�=P�Q�E���W�W�\�\�%�"3�"3�[�A�E�N��E�J��E�J��E�J��E�I��E�J��E�J��6�6�&�(�+�E�L��V�V�F�J�/�E�N��M�M�E�M��Lrjc��dj|D�cgc]}t|�s�|��c}�}|dtj�Scc}w)z)Determine a netbios name from a hostname.r�N)rBrr
r�)r�xr}s   rh�determine_netbios_namerOMsC���'�'�h�K��2G��2J�1�K�L�K��,�,�-�3�3�5�5��Ls
�A�Ac	�R�|�&tj�jd�d}|jd�}|�t	|�}|j�}t
|�st|��|�0|jd�}|�|dk(rtd|jz��|j�}|�+|jd�}|�td|jz��|j�}|j�}
|jd�dk(rtd	|jz��|jd�j�|
k7r<td
|jd�j��d|j�d|
�d
���|jd�j�|k7r.td|jd��d|j�d|�d
���|dk(r�|�|jd�}|j�}|jd�j�|k7r<td|jd�j��d|�d|j�d���|�tj|�}||k(rtd|�d|�d���|}|�d|z}t
|�st|��|j�|
k(rtd|
�d|�d���|j�|
k(rtd|
�d|�d���||
k(r|std|
�d|�d���|dk7r|}
|j�}|�|}|�d|z}|�d|z}|
�t}
t�}||_||_||_||_d |z|_||_||_|
|_||_||_|
|_d!|�d"|
�d#|��|_|S)$z$Guess configuration settings to use.r�r�netbios namer|r�z2guess_names: 'realm' not specified in supplied %s!�server rolez8guess_names: 'server role' not specified in supplied %s!zwguess_names: 'realm =' was not specified in supplied %s.  Please remove the smb.conf file and let provision generate itzguess_names: 'realm=z' in z must match chosen realm 'zA'!  Please remove the smb.conf file and let provision generate itzguess_names: 'server role=z  must match chosen server role '�"active directory domain controllerr�zguess_names: Workgroup 'z(' in smb.conf must match chosen domain 'z'!  Please remove the z# file and let provision generate itzguess_names: Domain 'z(' must not be equal to short host name 'z'!zDC=zguess_names: Realm 'z!' must not be equal to hostname 'z)' must not be equal to NetBIOS hostname 'z*' must not be equal to short domain name 'zCN=Configuration,z
CN=Schema,zCN=Manager,zCN=z,CN=Servers,CN=z
,CN=Sites,)�socket�gethostnamerr�rOr�r�InvalidNetbiosNamer�rKr�r�r��DEFAULTSITErqrtrurvrwrzr{r~r|r}rr�r�)r�rr~r{�
serverrolertrurvrwr�r��domain_names_forcedr}r|r�s               rh�guess_namesrZTsa�����%�%�'�-�-�c�2�1�5���&�&��(�K���,�X�6���#�#�%�K��k�*� ��-�-����F�F�7�O�	���	�R��#�D��
�
���
����!�I����V�V�M�*�
���#�$^�ac�an�an�$n�o�o��!�!�#�J��O�O��E�	�v�v�g��"���!Z�]_�]j�]j�!j�k�	k�	�v�v�g�����%�'��ac�ag�ag�ho�ap�av�av�ax�z|�zG�zG�IN�!O�P�	P�	�v�v�m��"�"�$�
�2��mo�ms�ms�tA�mB�DF�DQ�DQ�S]�!^�_�	_��9�9��>��V�V�K�(�F������
�6�6�+��$�$�&�&�0�#�jl�jp�jp�q|�j}�jC�jC�jE�GM�OQ�O\�O\�%]�^�
^����-�-�i�8�H��[� �#�ms�vA�%B�C�
C������{�*�H��f�%� ��(�(��~�~��5� ��af�hp� q�r�r�����e�#��in�p{� |�}�}�
���2��jo�qw� x�y�y��9�9����%�%�'�	�
�~�����&��/�����(�*��������E��E�L��E�N��E�N��E�N�'�&�0�E���E�O��E�L��E�K�#�E���E�N��E�N��X�x�)�E�N��Lrjc
	�r�|�J�|�&tj�jd�d}t|�}
|�d}|�J�|j	�}|�J�|j	�}|
|||d�}|�t
jj�}tjj|�r|j|�|	�$|	D]}|	|��	dj|	|�||<�!|���tjjtjj|d��|d<tjj|�|d	<tjjtjj|d
��|d<tjjtjj|d��|d
<tjjtjj|d��|d<|jd	tjj|��|jd|d�|jd
|d
�|jd|d�|�r�|r�|�otjj|d�}
|jdtjjtjj|
d����nP|jd��s>|jd�}
|jdtjjtjj|
d���n�|�ntjj|d
�}|jdtjjtjj|d���no|jd�s^|jd�}|jdtjjtjj|d���i}|dk(rhtjj|jd�d�|d<tjj|d|j!�d�|d<nd|d<t#|d�}	|j%d�|j'�D]\}}|j%d|�d|�d���|j%d�|j'�D]O\}}|j%d|z�|j%d |z�|j%d!�|j%d��Q	|j)�|j|�|j+d"|�y#|j)�wxYw)#zDCreate a new smb.conf file based on a couple of basic settings.
    Nr�r�standalone server)rQr�r|rR� �privater6zlock dir�stater8�cachezcache directoryzbind-dnsr7z
posix:eadbzeadb.tdbzxattr_tdb:filez	xattr.tdbrSr?�scriptsr@�
samba_dsdb�passdb backend�wz
[globals]
�	z = �
z[%s]
z	path = %s
z	read only = no
F)rTrUrrOr�r�r�LoadParmrAr>�exists�loadrB�abspath�setr�r��open�write�items�close�dump)r�rr~r|�	targetdirrX�eadb�	use_ntvfsr��global_paramr}�global_settings�ent�privdir�statedir�shares�f�key�valr%r>s                     rh�make_smbconfr}�s���
�������%�%�'�-�-�c�2�1�5��(��2�K���(�
�����
�\�\�^�F������K�K�M�E�$���!�	�O�
�z�
�[�[�
!�
!�
#��	�w�w�~�~�g��
��������	C�C��C� �,�'*�x�x��S�0A�'B���$�	C���)+����������i�QZ�9[�)\��
�&�&(�g�g�o�o�i�&@��
�#�-/�W�W�_�_�R�W�W�\�\�)�U\�=]�-^��)�*�-/�W�W�_�_�R�W�W�\�\�)�U\�=]�-^��)�*�)+����������i�Q[�9\�)]��
�&�
���z�2�7�7�?�?�9�5�6�
��� �/�2C�"D�E�
��� �/�2C�"D�E�
���}�o�m�<�=����$��'�'�,�,�y�)�<�����|��w�w���r�w�w�|�|�G�Z�'H�I�K��V�V�L�)��&�&��/�����|��w�w���r�w�w�|�|�G�Z�'H�I�K��$��7�7�<�<�	�7�;�����'��w�w���r�w�w�|�|�H�k�'J�K�M��V�V�,�-��6�6�"3�4�����'��w�w���r�w�w�|�|�H�k�'J�K�M��F��9�9��7�7�<�<����/@�(A�8�L��x���W�W�\�\�&��*:�E�K�K�M�*3�5��z��-9��(�)��W�c��A��	���
��'�-�-�/�	0�H�C��
�G�G�S�#�.�/�	0�	����
� �,�,�.�	�J�D�$�
�G�G�H�t�O�$�
�G�G�O�d�*�+�
�G�G�(�)�
�G�G�D�M�		�	
���	��G�G�G��
�G�G�E�7���	
���	�s
�;B4V$�$V6c��|jd|j|�|j|dz|j|�|j|dz|j|�y)a�setup reasonable name mappings for sam names to unix names.

    :param samdb: SamDB object.
    :param idmap: IDmap db object.
    :param sid: The domain sid.
    :param domaindn: The domain DN.
    :param root_uid: uid of the UNIX root user.
    :param nobody_uid: uid of the UNIX nobody user.
    :param users_gid: gid of the UNIX users group.
    :param root_gid: gid of the UNIX root group.
    zS-1-5-7z-500z-513N)�setup_name_mapping�TYPE_UID�TYPE_GID)r�sidr3�
nobody_uid�	users_gidr�s      rh�setup_name_mappingsr�/sN��
���Y����
�C�	���S�6�\�5�>�>�8�D�	���S�6�\�5�>�>�9�Erjc�X�|�J�	tj|�t|||dg��}d}|jdk7rd|j
z}d}
|sd}
|	�
t
�}	d|	z}|	d	k(r|
�|
d
z
}
nd}
|
dz
}
|
�d
}
|j�	|jd�t|td�||d��t|td�|j||
d��|jd�t||�|j�y#t$rY��wxYw#|j��xYw)akSetup the partitions for the SAM database.

    Alternatively, provision() may call this, and then populate the database.

    :note: This will wipe the Sam Database!

    :note: This function always removes the local SAM LDB file. The erase
        parameter controls whether to erase the existing data, which
        may not be stored locally but in LDAP.

    Nzmodules:)�url�session_infor��optionsz# No LDAP backendr�zldapBackend: %sz"requiredFeatures: encryptedSecretszbackendStore: %s�mdbrfr�zrequiredFeatures: lmdbLevelOnez# No required featuresz*Setting up sam.ldb partitions and settingszprovision_partitions.ldif)�LDAP_BACKEND_LINE�
BACKEND_STOREzprovision_init.ldif)�BACKEND_TYPE�SERVER_ROLE�REQUIRED_FEATURESzSetting up sam.ldb rootDSE)rA�unlink�OSErrorrr��ldap_urirM�transaction_startrr?r>�setup_samdb_rootdse�transaction_commit�transaction_cancel)�
samdb_pathr r�r��provision_backendr�rX�erase�plaintext_secrets�
backend_store�backend_store_sizer\�ldap_backend_line�required_features�backend_store_lines               rh�setup_samdb_partitionsr�Bsv���#�#�#�

�
�	�	�*��
�J�\��
�|�
-�E�,������&�-�0A�0J�0J�J�����@����1�3�
�+�m�;������(���%�� "���=�=��� �4��	����#����@�A��u�j�)D�E�%6�!3�H
�	�
	�u�j�)>�?� 1� 6� 6�)�%6�B�	�	���0�1��E�5�)�
	� � �"��a�
��
��X�
� � �"�
�s�D�A+D�	D�D�D)r�c
��gd�}
|�6|�|j�}|j��d|j���}nd}|j�}tjtj|d|z��}
t	|	�g|
d<ddg|
d<|�<gd	�|
d<|g|
d
<d|�d|j���g|
d
<t	|�g|
d<dg|
d<|j
d�g|
d<d|zg|
d<t	|	�g|
d<|�t|�g|
d<|jd|
d|�d|�dt	|��dt	|
j��d�	tj��}|D]}|j|j��|j|
j|
tj��}t|�dk(r�|dddg|
d <	|dd!dg|
d"<	|dddg|
d<	|dd#dg|
d#<|
D]*}|d$k7s�	|
|jtj ��,|j#|
�|j%|dj|
j�yd%|zg}|	t&k(r|�|j)d%|zg�||
d&<|j+|
�y#t$rY��wxYw#t$rY��wxYw#t$rY��wxYw)'z�Add domain join-specific bits to a secrets database.

    :param secretsdb: Ldb Handle to the secrets database
    :param machinepass: Machine password
    )�whenChanged�secret�priorSecret�priorChanged�
krb5Keytab�
privateKeytabNr�zflatname=%s,cn=Primary Domains�secureChannelType�top�
primaryDomain�objectClass)r�r��kerberosSecretr|zhost/�@�
saltPrincipalzmsDS-KeyVersionNumberr9r��utf-8r�z%s$�samAccountNamer�zcn=Primary Domainsz(&(|(flatname=z)(realm=z)(objectSid=z2))(objectclass=primaryDomain)(!(distinguishedName=z)))�r�r�r�r�)r�r�r�r�rr�r��priorWhenChangedr�r�zHOST/%s�servicePrincipalName)r�r�r�r�r�r��encoder&r�r�r��deleter�r�r#�	set_flagsr�r��renamer�extendr�)r�r~r}�machinepassr�r|r{�keytab_path�key_version_number�secure_channel_typer��dnsname�	shortname�msgr��del_msg�el�spns                  rh�secretsdb_self_joinr��sV��
�E�
�������
�I�(�.�.�0�)�/�/�2C�D�����!�!�#�I��+�+�c�f�f�Y�(H�6�(Q�R�
S�C� #�$7� 8�9�C�����1�C�
����G��M���w��G��07����� G�H��O��(+�,>�(?�'@��#�$� 0�1��O�� �'�'��0�1�C��M�"�[�0�1�C��� #�$7� 8�9�C�����$�Y�/�0��K���
�
� 4�E�MS�UZ�\_�`i�\j�lo�ps�pv�pv�lw�(x�!$�!3�!3��5�C��%��������$�%��
�
����e�3�>�>�
�
J�C�
�3�x�1�}�!�!�f�X�.�q�1�2��M��	�'*�1�v�m�'<�Q�'?�&@�C�"�#�	�$'��F�?�$;�A�$>�#?�C�� �	�!$�Q���!5�a�!8� 9�C����	8�B��T�z��B��!�!�#�"6�"6�7�	8�	���������Q����C�F�F�+��9�$�%���,�.�7�3F�
�J�J�	�G�+�,�-�&)��"�#��
�
�c���5�	��	��
�	��	��
�	��	�s6�J�J*�%J9�	J'�&J'�*	J6�5J6�9	K�Kc�,�tjj|j�rtj|j�tjj|j|j�}tjj|�rtj|�tjj|j|j�}tjj|�rtj|�tjj|j|j�}tjj|�rtj|�|j}t|||��}|j�|jtd��t|||��}|j�	|jtd��|S#|j��xYw)arSetup the secrets database.

    :note: This function does not handle exceptions and transaction on purpose,
       it's up to the caller to do this job.

    :param path: Path to the secrets database.
    :param session_info: Session info.
    :param credentials: Credentials
    :param lp: Loadparm context
    :return: LDB handle for the created secrets database
    �r�r�zsecrets_init.ldifzsecrets.ldif)rAr>rhr^r�rBrcr_rdr`rr��load_ldif_file_addr>r�r�)r�r�r�r��bind_dns_keytab_path�dns_keytab_pathr>�secrets_ldbs        rh�setup_secretsdbr��sd��
�w�w�~�~�e�m�m�$�
�	�	�%�-�-� ��'�'�,�,�u�0�0�%�,�,�?�K�	�w�w�~�~�k�"�
�	�	�+���7�7�<�<��(9�(9�5�;K�;K�L��	�w�w�~�~�*�+�
�	�	�&�'��g�g�l�l�5�#4�#4�e�6F�6F�G�O�	�w�w�~�~�o�&�
�	�	�/�"��=�=�D��d��"�=�K������"�"�:�.A�#B�C��d��"�=�K��!�!�#���&�&�z�.�'A�B������&�&�(�
�s�$H�Hc���tjj|�rtj|�t	|||��}|j�|j
td��y)z�Setup the privileges database.

    :param path: Path to the privileges database.
    :param session_info: Session info.
    :param credentials: Credentials
    :param lp: Loadparm context
    :return: LDB handle for the created secrets database
    r�zprovision_privilege.ldifN)rAr>rhr�rr�r�r>)r>r�r��
privilege_ldbs    rh�setup_privilegesr�sM��
�w�w�~�~�d��
�	�	�$����<�B�?�M������$�$�Z�0J�%K�Lrjc�l�tjj|�rtj|�tjtj
ztjz}tjtjz}tjd�}	tj|||�}tj|�tj|d�5}tjd�}|j|�ddd�y#tj|�wxYw#1swYyxYw)z�Setup the encrypted secrets key file.

    Any existing key file will be deleted and a new random key generated.

    :param path: Path to the secrets key file.

    r�wb�N)rAr>rhr��O_WRONLY�O_CREAT�O_EXCL�stat�S_IRUSR�S_IWUSR�umaskrl�fdopenr��generate_random_bytesrm)r>�flags�mode�umask_original�fdrzr{s       rh�setup_encrypted_secrets_keyr�s���
�w�w�~�~�d��
�	�	�$���K�K�"�*�*�$�r�y�y�0�E��<�<�$�,�,�&�D��X�X�a�[�N�!�
�W�W�T�5�$�
'��
���� �	���2�t�	����)�)�"�-��	��������	���� ����s�D� 'D*�D'�*D3c�R�tjj�}tjj|||��}|j	|tjj
�t
d�}tjj|�sJ�|j|�y)z�Setup the registry.

    :param path: Path to the registry database
    :param session_info: Session information
    :param credentials: Credentials
    :param lp: Loadparm context
    )r��lp_ctxz
provision.regN)r��registry�Registry�open_ldb�
mount_hive�HKEY_LOCAL_MACHINEr>rAr>rh�
diff_apply)r>r�r��reg�hive�
provision_regs      rh�setup_registryr�8su���.�.�
!�
!�
#�C��>�>�"�"�4�l�2�"�N�D��N�N�4����:�:�;���/�M�
�7�7�>�>�-�(�(�(��N�N�=�!rjc���tjj|�rtj|�t	|||��}|j�|j
td��|S)z�Setup the idmap database.

    :param path: path to the idmap database
    :param session_info: Session information
    :param credentials: Credentials
    :param lp: Loadparm context
    r�zidmap_init.ldif)rAr>rhr�r!r�r�r>)r>r�r��	idmap_ldbs    rh�
setup_idmapdbr�HsQ��
�w�w�~�~�d��
�	�	�$����<�B�?�I�
�O�O��
� � ��,=�!>�?��rjc
��t|td�|j|j|j|j
|jd��y)zDSetup the SamDB rootdse.

    :param samdb: Sam Database handle
    zprovision_rootdse_add.ldif)�SCHEMADN�DOMAINDN�ROOTDN�CONFIGDN�SERVERDNN)r?r>rwrurtrvr�)r\r�s  rhr�r�Ys?��
�5�*�%A�B��N�N��N�N��,�,��N�N��N�N�E�rjc�0�t|	t�sJ�|
�d|
z}nd}|�|}tjj	|�}t|t
d�id|j�d|j�d|j�d|j�d	|	�d
|j�d|j�d|j���d
t|jd��j!d��dt|��dt|��ddt"z�d|�d|�dt|��dt|dz��dt|dzdz���t|t
d�|
||j|jd��|t$k(�r)t|t
d�|j|j|j|j|	|j|j�d|j��t|jd��j!d�t|�t|�t"|t|�d�
�t'|t
d�|j|jd �d!d"g�#�t'|t
d$�|j|j(|j|jd%��t+�}|j-|�t'|t
d&�|j|j|jd'��|j-|�|d(k7r�t|t
d)�|j|jt|jd��j!d�|j|jj/��d|jj/���d*��yy)+zJoin a host to its own domain.NzobjectGUID: %s
r�zprovision_self_join.ldifr�r�r�r��INVOCATIONID�NETBIOSNAME�DNSNAMEr��MACHINEPASS_B64�	utf-16-ler��	DOMAINSID�DCRID�OPERATING_SYSTEMzSamba-%s�OPERATING_SYSTEM_VERSION�NTDSGUID�DOMAIN_CONTROLLER_FUNCTIONALITY�RIDALLOCATIONSTART�d�RIDALLOCATIONENDi�zprovision_group_policy.ldif)�
POLICYGUID�
POLICYGUID_DC�	DNSDOMAINr�zprovision_self_join_config.ldif)
r�r�r�r�r�r�r�r�r�r��SAMBA_VERSION_STRINGr�r�z&provision_self_join_modify_schema.ldif)r�r��provision:0�relax:0�r�z&provision_self_join_modify_config.ldif)r�rWr�r�zprovision_self_join_modify.ldif)r�r�r�r�zprovision_dns_add_samba.ldif)rr��DNSPASS_B64�HOSTNAMEr�)�
isinstancer�r��dsdb�dc_operatingSystemVersionr?r>rvrwrur�r}rr{rr�r�rrAr@r�r�set_session_infor�)r\�admin_session_infor��fillr�r��dnspassr��next_rid�invocationid�
policyguid�
policyguid_dc�domainControllerFunctionalityr��dc_rid�
ntdsguid_line�operatingSystemVersion�system_session_infos                  rh�setup_self_joinrgs���
�l�C�(�(�(���*�X�5�
��
�
�~���#�Z�Z�A�A�B_�`���5�*�%?�@�C=��%�.�.�C=��%�.�.�C=��%�.�.�C=��%�.�.�	C=�
�l�C=��U�.�.�
C=��E�N�N�E�O�O�D�C=� ��;�+=�+=�k�+J�!K�!R�!R�SY�!Z�C=��3�y�>�C=��s�6�{�C=�!�*�w�"6�C=�)�*@�C=��-�C=�0��/�21�C=� #�C��3��$7�!C=�"!�#�h��n�s�&:�";�#C=�>�&�5�*�%B�C�&�,� �?�?��.�.�	F*�+��y���u�j�)J�K�!�N�N�!�N�N�!�N�N�!�N�N� ,�$�0�0�&+�n�n�e�o�o�F�#,�[�-?�-?��-L�#M�#T�#T�U[�#\� ��^��V��(/�)�36�1�43�N4�	5�"	�%�$�%M�N�*/�.�.�*/�.�.�Q�%2�9�#=�	?�	�%�$�%M�N�*/�.�.�-2�^�^�-2�->�->�*/�.�.�	Q�	�)�*��	���.�/��e�Z�(I�J��.�.��.�.�"�.�.�M��
���-�.��&�&�	�u�j�)G�H� �?�?��.�.�&�w�~�~�k�'B�C�J�J�6�R��.�.��#�#�)�)�+�U�_�_�-B�-B�-D�F�K�	�'rjc�d�|ddk7rd|z}tjj||d|�}|S)aReturn the physical path of policy given its guid.

    :param sysvolpath: Path to the sysvol folder
    :param dnsdomain: DNS name of the AD domain
    :param guid: The GUID of the policy
    :return: A string with the complete path to the policy folder
    rr�z{%s}�Policies)rAr>rB)�
sysvolpathr{�guid�policy_paths    rh�
getpolicypathr"�s6���A�w�#�~���}���'�'�,�,�z�9�j�$�G�K��rjc��tjj|�stj|d�t	tjj|d�d�}	|j
d�|j�tjj|d�}tjj|�stj|d�tjj|d�}tjj|�stj|d�yy#|j�wxYw)N�zGPT.INIrdz[General]
Version=0�MACHINE�USER)rAr>rh�makedirsrlrBrmro)r!rzrs   rh�create_gpo_structr(�s���
�7�7�>�>�+�&�
���K��'��R�W�W�\�\�+�y�
1�3�7�A��	���(�)�	���	�
�����[�)�,�A�
�7�7�>�>�!��
���A�u��
�����[�&�)�A�
�7�7�>�>�!��
���A�u����	
���	�s�!D.�.Ec�d�t|||�}t|�t|||�}t|�y)aCreate the default GPO for a domain

    :param sysvolpath: Physical path for the sysvol folder
    :param dnsdomain: DNS domain name of the AD domain
    :param policyguid: GUID of the default domain policy
    :param policyguid_dc: GUID of the default domain controller policy
    N)r"r()rr{rrr!s     rh�create_default_gpor*�s0�� �
�I�z�B�K��k�"��
�I�}�E�K��k�"rjlc��t||||||||
||��
t}|r|}g}|dk(r|jdt|�z�|
r|jd�|
r.t	|dz�dz}|jdt|�z�t|dd	|d	|	|�
�}|j
d�|j|d	��|jd
|jz�	|j||��|j|d��|S#tj$r6}|j\}}|tjk(rtd|z���d}~wwxYw)zZSetup a complete SAM Database.

    :note: This will wipe the main SAM database file!
    )	r r�r�r�r�rXr�r�r�r�zlmdb_env_size:zbatch_mode:1i��r�ztransaction_index_cache_size:NF)r�r��auto_connectr��
global_schema�am_rodcr�z%Pre-loading the Samba 4 and AD schema)�write_indices_and_attributesr�)r�z<Permission denied connecting to %s, are you running as root?T)r��DEFAULT_BACKEND_SIZEr�r�r�rJr�
set_schema�set_ntds_settings_dnr��connectr�rr�ERR_INSUFFICIENT_ACCESS_RIGHTSr�)r>r�r�r�r�r rrX�schemar.r�r�r��
batch_mode�
store_sizer��
cache_sizer\�e2�num�string_errors                     rh�setup_samdbr<sg���4��2�->�\�!&�:�Qb�)6�.@�	B�&�J��'�
��G�������'�#�j�/�9�:�����~�&����e�+�,�q�0�
����6��Z��H�I�
�|��E�� %�w��
I�E��K�K�7�8�
���V�%��@�
���4�u�~�~�E�F��
�
�
�d�G�
�,�
���V�$��?��L���<�<�� �g�g���l��3�5�5�5�#�$b�ei�$i�j�j����s�D�E
�1E�E
c�N�|�d}|dks|dkDrd|z}|ddzz
}t|��tj|�}|�t}||kDr$tj|�}td|�d���|}|}|jd|jz�|jd	|�|jd
|�|jd|�|jt|j��|j|�|jd|jz�t|t|j��}|j|�|j �d
|j z}nd}t#t%|j��j'd�}t)|t+d�|jt|j�||d��t-|t+d�|jtt/j0t3t5j4����t|�|j6|j8|t|�t:tt<�d�	�|t>k(�r|jd�t#tA|j��j'd�}t)|t+d�|j8|d��dt.jBjDz}dd|g}|jd�|jG|jH|��|jK|jL|��|jO�|jG|jP|��t)|t+d�d|jRi|��tUjVtUjX||j��} tUjZ|j8tTj\d�| d<t#t_|j��j'd�}!||_0|t>k(�r�|jd�t#tc|j��j'd�}"t#te|j��j'd�}#t#tg|j��j'd�}$t#ti|j��j'd�}%t#tk|j��j'd�}&t#tm|j��j'd�}'d |jnvrd!}(nd}(t)|t+d"�id#|j8�d$|jp�d%|j6�d&|jr�d'|jt�d|jR�d(|j�d)|j�d*t|��d+t|��d,|$�d-|!�d.|&�d/|%�d0|&�d1|&�d2|'�|"|#d3���t)|t+d4�|j8|(d5��|jd6�twt+d7��})ty|)d#|j8i�})t{|)�|jG|)�|jd8�t-|t+d9�|j8|'d:��|jd;�t#t}|j��j'd�}*t)|t+d<�|j|*d=��|jd>�t-|t+d?�d(|ji�|jd@�t#t|j��j'd�}+t)|t+dA�|j|+dB��|jdC�t-|t+dD�d(|ji�|jdE�t#t�|j��j'd�},t#t�|j��j'd�}-t#t�|j��j'd�}.t#t�|j��j'd�}/t#t�|j��j'd�}0t)|t+dF�tt/j0t3t5j4����|j|jp|j6|j8|jt|dGz�||,|!|-|.|/|0dH��|t>k(r�t#t�|j��j'd�}1t-|t+dI�|j8|jRdJ��|jdK�t#tk|j��j'd�}&t)|t+dL�|j8|&dM�ddg��|t>k(s
|t�k(�rUt-|t+dN�|j1dO��|jdP�t)|t+dQ�|jt|j�t#|j�dR��j'd�t#|j�dR��j'd�dS�ddg��|jdT�t�||||||
||	|j||||||
�U�d|jz}2|j�|2dVdtTj��W�j'd�|_Kt�|j�t�sJ�|S)XN���ʚ;z/You want to run SAMBA 4 with a next_rid of %u, z,the valid range is %u-%u. The default is %u.)r>r?r>zxYou want to run SAMBA 4 on a domain and forest function level which itself is higher than its actual DC function level (z). This won't work!r��domainFunctionality�forestFunctionalityrzAdding DomainDN: %szobjectGUID: %s
-r�r�zprovision_basedn.ldif)r�r��
DESCRIPTOR�
DOMAINGUIDzprovision_basedn_modify.ldif)	r��	CREATTIME�NEXTRIDrWr�r�DOMAIN_FUNCTIONALITYr�MIN_PWD_LENGTHzAdding configuration containerz#provision_configuration_basedn.ldif)r�rBzlocal_oid:%s:0rrzSetting up sam.ldb schemar	zaggregate_schema.ldifr��subRefsz%Setting up sam.ldb configuration data�2008�#zprovision_configuration.ldifr�r�rWr�DOMAINr�r��FOREST_FUNCTIONALITYrF�NTDSQUOTAS_DESCRIPTOR�DELETEDOBJECTS_DESCRIPTOR�LOSTANDFOUND_DESCRIPTOR�SERVICES_DESCRIPTOR�PHYSICALLOCATIONS_DESCRIPTOR�FORESTUPDATES_DESCRIPTOR�EXTENDEDRIGHTS_DESCRIPTOR)�PARTITIONS_DESCRIPTOR�SITES_DESCRIPTORzextended-rights.ldif)r��INC2012zSetting up display specifiersz1display-specifiers/DisplaySpecifiers-Win2k8R2.txtz0Modifying display specifiers and extended rightsz#provision_configuration_modify.ldif)r��DISPLAYSPECIFIERS_DESCRIPTORzAdding users containerzprovision_users_add.ldif)r��USERS_DESCRIPTORzModifying users containerzprovision_users_modify.ldifzAdding computers containerzprovision_computers_add.ldif)r��COMPUTERS_DESCRIPTORzModifying computers containerzprovision_computers_modify.ldifzSetting up sam.ldb datazprovision.ldifiX)rDr�r�rWr�r��RIDAVAILABLESTARTr�INFRASTRUCTURE_DESCRIPTORrNrO�SYSTEM_DESCRIPTOR�BUILTIN_DESCRIPTOR�DOMAIN_CONTROLLERS_DESCRIPTORz'provision_configuration_references.ldif)r�r�z)Setting up well known security principalsz#provision_well_known_sec_princ.ldif)r��WELLKNOWNPRINCIPALS_DESCRIPTORz provision_basedn_references.ldif)r��MANAGEDSERVICE_DESCRIPTORz#Setting up sam.ldb users and groupszprovision_users.ldifr�)r�r��
ADMINPASS_B64�KRBTGTPASS_B64zSetting up self join)
r�rrr�rr�r�rrrrrr�r�)r��	attributer�r�)Mr�rN�dc_level_from_lpr�level_to_stringr2r��set_opaque_integer�set_domain_sidr�r��set_invocation_idrrurrr�rr2r�r?r>r@r��unix2nttimer��timer�rvr�DEFAULT_MIN_PWD_LENGTHrAr+r
�&DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID�add_ldif�
schema_dn_add�modify_ldif�schema_dn_modify�write_prefixes_from_schema�schema_datarwr�r�r�r�r�r)�
invocation_idr,r-r.r/r0r1�base_schemar}r{r~r"rrr6r5r3r9r8r4r7r=rBr�r�	searchoner�r�r)3r\r�r�r rrrr��
krbtgtpassr�r�rrr�rXr.�dom_for_fun_levelr5rrr�r��errorr�levelr@rAr�domainguid_line�descr�ignore_checks_oid�schema_controlsr��deletedobjects_descr�partitions_descr�sites_descr�ntdsquotas_descr�protected1_descr�protected1wd_descr�protected2_descr�	incl_2012�display_specifiers_ldif�
users_desc�computers_desc�infrastructure_desc�lostandfound_desc�system_desc�builtin_desc�controllers_desc�managedservice_descr�ntds_dns3                                                   rh�
fill_samdbr�Ds�
������
�$��(�Z�/�A�X�N��
�?�C$�$�	$����&�&�$4�$E�$E�b�$I�!�� �6���8�8� �0�0�1N�O���#[�\a�[b�bu�!v�w�	w�+��+��
���4�u�~�~�E�F�
���2�4G�H�	���2�4G�H�	���<�:�<�
����U�_�_�-�.�	���L�)�
�K�K�%����6�7�'�r�3�u���+?�@��	���-�.����#�-��0@�0@�@�����+�E�O�O�<�=�D�D�V�L�E��5�*�%<�=�����U�_�_�-��)�	@���e�Z�(F�G��N�N���*�*�3�t�y�y�{�+;�<�=��x�=��~�~��N�N� � #�$7� 8� '��4�5�
J�
��y�����4�5��/����@�A�H�H��P���u�j�)N�O�!�N�N�#�R�	�-�u�z�z�/`�/`�`�����
��	���/�0�
���v�+�+�o��F�
���&�1�1�O��L�
�(�(�*�
���v�)�)�O��D��u�j�)@�A�"�E�N�N�3� /�	1�
�+�+�c�f�f�U�E�N�N�3�
4�C��'�'�����8H�8H�(1�3�C�	�N�%�%B�5�?�?�%S�T�[�[�\b�c��&�E���y�����;�<�$�%E�e�o�o�%V�W�^�^�_e�f��� ;�E�O�O� L�M�T�T�U[�\��$�%F�u���%W�X�_�_�`f�g��$�%L�U�_�_�%]�^�e�e�fl�m��&�'P�QV�Q`�Q`�'a�b�i�i�jp�q��$�%L�U�_�_�%]�^�e�e�fl�m���V�'�'�'��I��I��u�j�)G�H�K��E�N�N�K��u�0�0�K��u�~�~�K��U�_�_�	K�
�%�,�,�K��E�N�N�
K��E�N�N�K��E�N�N�K�'��,?�(@�K�'��,?�(@�K�(�)9�K�,�-A�K�*�+=�K�&�'7�K�/�0B�K� +�,>�!K�",�-=�#K�$*:�$/�'K�	�,	�u�j�)?�@�!�N�N�$�C�	�
	���3�4�".��J�K�#M��"0�1H�2<�e�n�n�1M�#O���5�6�
���.�/����F�G��%�$�%J�K�*/�.�.�>N�N�	��K�K�(�)��6�u���G�H�O�O�PV�W�J��5�*�%?�@���� *�C���K�K�+�,��e�Z�(E�F�����I(�)�
�K�K�,�-��>�u���O�P�W�W�X^�_�N��5�*�%C�D����$2�G���K�K�/�0��e� �!B�C�$�e�n�n�F6�7��K�K�)�*�#�$H����$Y�Z�a�a�bh�i��!�"I�%�/�/�"Z�[�b�b�ci�j���C�E�O�O�T�U�\�\�]c�d�K��:�5�?�?�K�L�S�S�TZ�[�L� �!B�5�?�?�!S�T�[�[�\b�c���5�*�%5�6���*�*�3�t�y�y�{�+;�<�=��N�N��(�(��~�~��N�N��N�N� ��C��0�&�%8�%9�#4�(�*�)9�9��$�y��(�)P�QV�Q`�Q`�)a�b�i�i�jp�q���%�$�%N�O�*/�.�.�*/�.�.�R:�	;�
	���?�@�&�'P�QV�Q`�Q`�'a�b�i�i�jp�q���u�j�)N�O����.@�R
��
�.�	0�
�y��D�N�2��%�$�%G�H�*/�.�.�;O�K�	�	���9�:��u�j�)?�@�����U�_�_�-�&�y�'7�'7��'D�E�L�L�V�T�'�
�(9�(9�+�(F�G�N�N�v�V�	C
�
�
�.�	0�	���*�+���1��T�%1�$/� '�$/�"'�/�/�!)�%�#-�&3�6S�!)�	+�(�%�.�.�8������3?�B�VY�Vd�Vd�)�f�fl�fl�ms�ft�	���%�.�.�#�.�.�.��LrjzWO:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)zmO:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)r?c
�d�t�}t||||||d||��	tj|d��D]x\}}	}
|
D]4}t|tjj||�||||d||��	�6|	D]4}t|tjj||�||||d||��	�6�zy)NT�rs�skip_invalid_chownr
�serviceF��topdown)rr#rA�walkr>rB)r>�aclr��domsidrsr
r�r�r2�dirs�filesr%s            rh�set_dir_aclr�Vs���&�(�L��R��s�F�L�I�Z^�gm�w~���W�W�T�5�9�c���d�E��	c�D��R������d�D�1�3���(�T�&�Za�
c�	c��	c�D��R������d�D�1�3���(�T�&�Za�
c�	c�	crjc���tjj||d�}t�}	t	||t
t
|�|	|d|t��	|jd|zddgdtj��}
|
D]m}ttj|dd	�j�}t||t
|d��}
t!|
t#||�|t
|�||�
��oy)�nSet ACL on the sysvol/<dnsname>/Policies folder and the policy
    folders beneath.

    :param sysvol: Physical path for the sysvol folder
    :param dnsdomain: The DNS name of the domain
    :param domainsid: The SID of the domain
    :param domaindn: The DN of the domain (ie. DC=...)
    :param samdb: An LDB object on the SAM db
    :param lp: an LP object
    rTr��CN=Policies,CN=System,%sr��nTSecurityDescriptorr�r�r�r
N)rAr>rBrr#�POLICIES_ACLr��SYSVOL_SERVICEr�r�r�r'r�
descriptor�as_sddlr"r�r%)r?r{r�rur\r�rsr
�root_policy_pathr�r��policyr�r!s              rh�set_gpos_aclr�bs����w�w�|�|�F�I�z�B��&�(�L��R�!�<��Y��� �T�&�R`�b��,�,�6��B�"�$:�;�"$�C�,>�,>��@�C��#����,�,�� 6�7��:�<�<C�G�I�	�#�F�I�s�6�$�<�7H�I���K��S�)�!<�b��	�N�I�!�	#�	#rjc

����	���d��	�s
tj�}
|
j�j�t	j
tjj|���}		tj|jdt�|�	tj |j||t��	|j#�tj�}
|
j�j�|
j%dd|j&z�t)j*�t)j,|
j/d���t)j0��k7r$td	t)j0��d
��d����j3�}|d�k7rtd
|d�d
��d���|dj5�|j5�k7r1td|dj5��d|j5��d���	�	rt
j |d|�d}
dj7�t8j:�}t<j>t<j@zt<jBz}t=jD|�||���t=jF��d||�������	fd�}||�t
jH|d��D]�\}}}|D]a}�	r7|
r5t
j tjjK||�d|�|tjjK||���c|D]a}�	r7|
r5t
j tjjK||�d|�|tjjK||���c��tM||�||��	���y#t$r+tj�std��td��wxYw#t$rtd��wxYw#|j#�wxYw#t$rd}
Y��wxYw)��Set the ACL for the sysvol share and the subfolders

    :param samdb: An LDB object on the SAM db
    :param netlogon: Physical path for the netlogon folder
    :param sysvol: Physical path for the sysvol folder
    :param uid: The UID of the "Administrator" user
    :param gid: The GID of the "Domain administrators" group
    :param domainsid: The SID of the domain
    :param dnsdomain: The DNS name of the domain
    :param domaindn: The DN of the domain (ie. DC=...)
    N)�dir��z�Samba was compiled without the posix ACL support that s3fs requires.  Try installing libacl1-dev or libacl-devel, then re-run configure and make.z�Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.zUUnable to chown a file on your filesystem.  You may not be running provision as root.rc�
samba_dsdb:%s�SID as seen by smbd [�6] does not match SID as seen by the provision script [�]!r��SID as seen by pdb_samba_dsdb [�
dns_domain�!Realm as seen by pdb_samba_dsdb [�8] does not match Realm as seen by the provision script [���TFz<SID={}-{}>)r�r��session_info_flags�
Administrator)r��	user_name�uid�gidc�N��t�|tt����d�t��	S)zA helper to reuse argsTr�)r#�
SYSVOL_ACLr�r�)r>r�r��	s4_passdbr�rss �����rh�	_setntaclzsetsysvolacl.<locals>._setntacl�s)������j�#�i�.�,��D��"�$�	$rjr�r�)'�s3param�get_contextrirK�tempfile�NamedTemporaryFilerAr>rjr	�set_simple_aclr%rr��have_posix_aclsr��chownrorkr�r
�reload_static_pdb�PDBr��get_global_sam_sid�domain_infor��formatrr�r� AUTH_SESSION_INFO_DEFAULT_GROUPS�AUTH_SESSION_INFO_AUTHENTICATED�#AUTH_SESSION_INFO_SIMPLE_PRIVILEGES�user_session�session_info_set_unixr�rBr�)r\r@r?r�r�r�r{rur�rs�s3conf�filer��canchown�userdnr�r�r2r�r�r%r�r�s     `  ``           @@rh�setsysvolaclr��s����I���$�$�&�����B�M�M�"��*�*�r�w�w���v�/F�G��	�
b��#�#�D�I�I�u�6I�6K�S�Q�
U��
�
�4�9�9�c�3�0C�0E�F�

�J�J�L��$�$�&�����B�M�M�"��
�
�#�_�u�y�y�%@�A�� � �"��J�J�v�z�z�*:�;�<�	��$�$�&�)�3�#�|B�|U�|U�|W�Yb�%c�d�
d��+�+�-���y�!�Y�.�#�FQ�R[�F\�^g�%h�i�
i��|�$�*�*�,�	���0A�A�#�JU�Vb�Jc�Ji�Ji�Jk�mv�m|�m|�m~�%�@�
@����H�H�V�R��%����
!�
!�)�X�-N�-N�
O�F�
�
2�
2�
�
1�
1�2�
�
5�
5�6�E��$�$�U�2�&�8=�?�L����|�&(�)8�#&�#&�	(�$�$��f���W�W�V�U�;�0���d�E��	0�D��X���������d�D�1�2�s�;��b�g�g�l�l�4��.�/�	0��	0�D��X���������d�D�1�2�s�;��b�g�g�l�l�4��.�/�	0�0����I�x���I�V_�`��k�	
b��+�+�-�,�-z�{�{�(�)a�b�b�	
b���
U�'�)T�U�U�
U��
�J�J�L��8�����s<�/*O
�*P�P.�
4O>�>P�P�P�P+�.P=�<P=c�
�|ryy)N�DB�VFSro)�direct_db_accesss rh�acl_typer��s����rjc��t�}t||||t��}|j|�}||k7r t	t|��d|�d|�d|�d���t
j|d��D�]�\}}	}
|
D]�}t|tjj||�||t��}|�8t	t|��dtjj||��d	���|j|�}||k7s��t	t|��dtjj||��d|�d|�d���|	D]�}t|tjj||�||t��}|�8t	t|��dtjj||��d	���|j|�}||k7s��t	t|��dtjj||��d|�d|�d������y)
N�r�r�z ACL on GPO directory r]� does not match expected value z from GPO objectFr�z ACL on GPO file � not found!)
rr$r�r�r�r�rAr�r>rB)r>r�r�r�r�r��fsacl�
fsacl_sddlr2r�r�r%s            rh�
check_dir_aclr��sv��&�(�L��R��|�>N�Xf�g�E����y�)�J��S���t|�~N�uO�QU�Wa�cf�!g�h�	h��W�W�T�5�9�D���d�E��		�D��R������d�D�!9�<�.>��X�E��}�'�)1�2B�)C�)+�����d�D�)A�)C�D�D����y�1�J��S� �'�w�AQ�xR�TV�T[�T[�T`�T`�ae�gk�Tl�nx�z}�)~���		��		D�D��R������d�D�!9�<�.>��X�E��}�'�+3�4D�+E�+-�7�7�<�<��d�+C�)E�F�F����y�1�J��S� �'�}E�FV�}W�Y[�Y`�Y`�Ye�Ye�fj�lp�Yq�s}�B�)C�D�D�		D�Drjc
�N�tjj||d�}t�}t	||||t
��}	|	�t
dt|��d|�d���|	j|�}
|
tk7r t
t|��d|�d|
�d|	�d	���|jd
|zddgd
tj��}|D]b}ttj|dd�j�}
t!||t#|d��}t%|t'|
|�|||��dy)r�rr�NzDB ACL on policy root r]r�z ACL on policy root r�� from provisionr�r�r�r�r�r)rAr>rBrr$r�r�r�r�r�r�r�r�r'rr�r"r�r�r%)r?r{r�rur\r�r�r�r�r�r�r�r�r�r!s               rh�check_gpos_aclr�sD���w�w�|�|�F�I�z�B��&�(�L��R�)�<�&6��
P�E��}��H�Ue�Lf�hx� y�z�z����y�)�J��\�!��qy�{K�rL�N^�`j�lq�!r�s�	s�
�,�,�6��B�"�$:�;�"$�C�,>�,>��@�C��3����,�,�� 6�7��:�<�<C�G�I�	�#�F�I�s�6�$�<�7H�I���k�;�s�I�#>���!1�	3�	3rjc���tj�}|j|j�|j	dd|j
z�t
j|jd��}t
j�|k7r$tdt
j��d|�d���|j�}	|	d|k7rtd|	d�d|�d���|	dj�|j�k7r1td	|	dj��d
|j��d���t�}
dD]�}tjj!||�|fD]p}t#|||
|t$��}
|
�tt'|��d|�d���|
j)|�}|t*k7s�Ntt'|��d|�d|�dt*�d���t-|||||||���y
)r�rcr�r�r�r�r�r�r�r�r�)TFr�Nz ACL on sysvol directory r�r]r�r�)r�r�rirKrkr�r
r�r�r�r�r�r�rrAr>rBr$r�r�r�r�r�)r\r@r?r�r{rur�r�r�r�r�r��dir_pathr�r�s               rh�checksysvolaclr�:s;���
 �
 �
"�F�
�K�K��
�
��
�J�J���5�9�9�!<�=��
�
�6�:�:�&6�7�8�I�� � �"�i�/��w}�xQ�xQ�xS�U^�!_�`�	`��'�'�)�K��9���*��BM�NW�BX�Zc�!d�e�	e��<� �&�&�(�I�O�O�,=�=��FQ�R^�F_�Fe�Fe�Fg�ir�ix�ix�iz�!{�|�	|�'�(�L�)�)�������f�i�8�(�C�	}�H��R��<�JZ�dr�s�E��}�'�V^�_o�Vp�rz�({�|�|����y�1�J��Z�'�'�G�HX�Y�[c�eo�q{�)|�}�}�
	}�	�v�y�)�X�u�b�'�	)�)rjc��tj||�}g}|D](}|jd�dk(s�|j|��*|S)zreturn only IPv4 IPs�:r��r��
interface_ips�findr�)r��all_interfaces�ips�retr�s     rh�interface_ips_v4r�lsJ��
�
�
�b�.�
1�C�
�C�
����6�6�#�;�"���J�J�q�M���Jrjc��tj|d�}g}|D](}|jd�dk7s�|j|��*|S)zreturn only IPv6 IPsFr�r�r�)r�r�r�r�s    rh�interface_ips_v6r�vsJ��
�
�
�b�%�
(�C�
�C�
����6�6�#�;�"���J�J�q�M���Jrjr>c�	�|�t}|j�}|�t}|j�}|�tt	j
��}|
�t
jdd�}
|�t
jdd�}|�t
jdd�}|j�	t|||fid|�d|�d|�d|�d|�d	|�d
|
�d|�d|�d
|�d|�d|�d|�d|�d|�d|
�d|�d|�d|��}|dk(r"t|j|j||�|j�|dk(�r�|s[t!||j"|j|j$|j&|j(|j|j*||�
n|j-d�t/||j0|j2|j|j4|j(|t6��tt8�}	t;j<t;j>||jAdd|j4zt:jB��jEd���}t;jF|t:jHd��|d<|jK|�tS||||||||	||||||� �|jA|jU�d!�"�jEd�}tW|t�sJ�tY|�}#t[|t|j\��}$|#�t_|d#|$|d$�nta|d#|$|�|j-d%�tc|ted&�d'|jfi�|j-d(�ti||d)d*d*d*�+�}%|j�	d,D]4}&|%jk|&�d-|jl��t:jnd.g�/��6|%jkd0|j*zt:jpgd1��/�|%jk|jlt:jBd2d3g�/�d#k7rtsd4��	|j�y#|j��xYw#t:jL$r.} | jN\}!}"|!t:jPk7r�Yd} ~ ��d} ~ wwxYw#|j��xYw)5N���xr r5rrrr�rvrr�r�rr�rXrwr.rrr�r�rSzSetting acl on sysvol skipped)r~r|r{r}r�r�r��distinguishedNamezsamAccountName=%s$)r�r�r�zmsDS-SupportedEncryptionTypes)�elementsr�r%)�hostip�hostip6r�r�os_levelrq�
fill_levelr�r�)r�rcrr�z2Setting up sam.ldb rootDSE marking as synchronizedzprovision_rootdse_modify.ldifr�zFixing provision GUIDsFT)�samdb_schema�verbose�fix�yes�quiet)z	CN=DomainzCN=Organizational-Personz
CN=ContactzCN=inetOrgPerson�,�defaultObjectCategory)�DNr�r�zCN=IP Security,CN=System,%s)�ipsecOwnersReference�ipsecFilterReference�ipsecISAKMPReference�ipsecNegotiationPolicyReference�ipsecNFAReference�attributeId�	governsIdzFDuplicate attributeId or governsId in schema. Must be fixed manually!!):r�r�r�r��uuid�uuid4r�� generate_random_machine_password�generate_random_passwordr�r�r*r?r{r�r�r�r@r3r�r�rurr�r~r|r}rr r�r�r�rur�r�r�r�r�rr�ERR_NO_SUCH_ATTRIBUTErF�get_default_basednrrrrtr�rr@r>r�rK�check_databaserwr�r�r�)'r\r�r r�r�r5rq�
samdb_fillr�r�rrr�rvr�rrrr�r�r�rrXrwr.r�rs�skip_sysvolaclr�r��kerberos_enctypesr�r��enum�estr�lastProvisionUSNs�maxUSN�chk�
schema_objs'                                       rh�provision_fillr�s�� ��(�
��!�!�#�J���.�
�!�'�'�)�M����4�:�:�<�(�����;�;�C��E�
����<�<�S�#�F�����0�0��c�:��	����#��5�"�e�
B�F�
B�"(�
B�&0�
B�@M�
B�!+�
B�7@�
B�MW�
B�)5�	
B�CN�	
B�
(3�
B�
=D�
B�%-�
B�:D�
B�.?�
B�IP�
B�%-�
B�6<�
B�*7�
B�/A�
B���=�=��u�|�|�U�_�_�j�,�
.�	� � �"��9�9����������e�n�n�������%�/�/�����Y�
8�
�K�K�7�8��K����"'�+�+����(-�(9�(9�U�_�_�(3��	W� �
�.��
	��+�+�c�f�f�U�%*�_�_�5H�@T�W\�Wh�Wh�@h�;>�;L�;L�&5�&N�NT�f�U[�n�^�_�C�47�3E�3E�*�#�2F�2F�4�46�C�/�0�
�L�L���	�U�K���r�6�"�G��$�/@�(�Z�#0�		2��_�_�E�,D�,D�,F�/;�%�=�=C�V�F�^�	��*�c�*�*�*�.�u�5��
���E�L�L� 1�
2�F��$��U�A�v�|�Q�?��%��F�L�9�
�K�K�D�E��e�Z�(G�H�!�5�>�>�2�4��K�K�(�)�
�%�e�U��$���C�	����#�f�	@�J����Z����"H�%(�^�^�&=�%>�
�
@�	@�	���;�e�n�n�L�!$�!3�!3�"7�	�	8�������s�7H�7H�%2�K�$@��B�EF�G�#�$l�m�m�G�	� � �"��o�
� � �"�
��@�|�|�	��6�6�L�T�4��s�0�0�0��1��	��b�
� � �"�
�s3�)A,Q�2BQ*�B&R.�Q'�*R+�=#R&�&R+�.Sr\�
member serverrS)�ROLE_STANDALONE�ROLE_DOMAIN_MEMBER�ROLE_DOMAIN_BDC�ROLE_DOMAIN_PDC�dc�memberzdomain controllerrSr�
standaloner\c�F�	t|S#t$rt|��wxYw)z�Sanitize a server role name.

    :param role: Server role
    :raise ValueError: If the role can not be interpreted
    :return: Sanitized server role (one of "member server",
        "active directory domain controller", "standalone server")
    )�
_ROLES_MAPr#�
ValueError)�roles rh�sanitize_server_roler( s,����$�����������s�� c���|j�	|jd�t|td�|||d��|j	�y#|j��xYw)ztCreate AD entries for the fake ypserver.

    This is needed for being able to manipulate posix attrs via ADUC.
    z"Setting up fake yp server settingsz
ypServ30.ldif)r�r��	NISDOMAINN)r�rr?r>r�r��r r\rur}�	nisdomain�maxuid�maxgids       rh�provision_fake_ypserverr/.se��
����#����8�9��u�j��9� �&�"�<
�	�	� � �"��	�
� � �"�
�s�+A�A!c��tjj|�s	tj||�yy#t$rC}|j
t
jfvrntd|�d|j����Yd}~yd}~wwxYw)NzFailed to create directory z: )	rAr>rh�mkdirr��errno�EEXISTr��strerror)r>r�r�s   rh�directory_create_or_existsr5Csp��
�7�7�>�>�$��	b��H�H�T�4� � ���	b��w�w�5�<�<�.�(��'�t�UV�U_�U_�(`�a�a���	b�s�9�	B�9B�Bc���|�O|jd�t|�}t|�dkDr%|d}t|�dkDr|jd|�|dk(rd}|�|jd�|S)NzLooking up IPv4 addressesrr�z*More than one IPv4 address found. Using %sz	127.0.0.1z No IPv4 address will be assigned)rr�r��warning)r r�r��hostipss    rh�determine_host_ipr9Nsu��
�~����/�0�"�2�&���w�<�!���Q�Z�F��7�|�a�����K�%�'�
�����
�~����9�:��Mrjc��|�C|jd�t|�}|r|d}t|�dkDr|jd|�|�|jd�|S)NzLooking up IPv6 addressesrr�z*More than one IPv6 address found. Using %sz No IPv6 address will be assigned)rr�r�r7)r r�r�r8s    rh�determine_host_ip6r;_s\�������/�0�"�2�&����a�j�G��w�<�!���N�N�G��Q������9�:��NrjT�2019c3�.�	t|#�}#|$�t}$|-dvrt}3n|-dvrt}3n|-dvrt
}3nt}3|3|$krtd|$|-fz��|.�|3|.krtd|-|.fz��|.�|.|$krtd|$|.fz��|�tjd	d
�}|0�
t�}0|�tj�}t|xsdg|�}4t|xsdg�}5t| xsd
d
ddg�}6tj |4�j"}7	tddg�}8|�"t&j(j+|dd�}n |�tj,j/�}t&j(j1t&j(j3|��s2t'j4t&j(j3|��g}9i}:|)rdg|:d<|dk7r|9j7d�n|�|g|:d<|(r)|9j7d�|9j7d�ddg|:d<t9|9�dkDr|9|:d<t&j(j1|�rXt;|d �};	|;j=�j?�}<|;jA�|<�|<d!k(r+tC||||||#|%|(|'|:�"�
ntC||||||#|%|(|'|:�"�
|'�tj,jE�}'|'jG|�tI|'||||#||	||
|"||tJk(�#�}=tM|'|=jN�}>|8|>_(|4|>_)|7|>_*tW||'|
�}
tY||'|�}|
|=_-||=_.||=_/||=_0||=_1|#�|'jed$�}#tg|>jhd%�tg|>jjd&�tgt&j(j+|>jhd'��tg|>jl�|/sto|>jp�|>jrrIt&j(j1|>jr�s t'j4|>jrd(�tu|||=jv|-�)�}?ty|>|'|=|�*�}@|@j{�|@j}�t&j(j1|>j~�sC|j�d+�t�|>j~||'�,�}A|Aj�t�d-��|j�d.�t�|>||'�,�}B	|j�d/�t�|>j�||'�0�|j�d1�t�|>j�||'�0�|j�d2�t�|>j�||'�,�}Ct�|Ct�|�|4|5|6|7�3�|j�d4�t�|>j�|@|'|=||#|?||&|/|0|1|2�5�}D|#d6k(r�|>j��t�d7|>j���|>jr�t�d8|>j���t&j(j�|>j��s t'j4|>j�d9�|�tjd:d;�}d<}En#t�|t��r|j�d=�}d>}E|t�k(�rAt�DB||=|>fid?|?�d@|�dA|�dB|
�dC|�dD|�dE|�dF|�dG|�dH|�dI|�dJ|�dK|�dL|�dM|�dN|�dO|#�dP|$�dQ|&�dR|'�dS|(�dT|,�dU|0�dV|1��|.��d>}F|'jedW��|'j�dWd�t�dX�d<}FDj��	ddYl[m\}G|GDd<�Z�}H|Hj�gd[��|Hj�|.td<�\�|Dj��Dj��	dd]lbmc}J|JDd<�Z�j�|.t�d<�\�|Dj��Fr|'j�dWd^�t��s`t�|>j�||t&j(j3|'jed_���|j�d`|>j��t�|>j�|=jN|=j�|=j��a�|j�db|>j��|j�dc�|#d6k(r
t�|'||>�@j��}K|@j��Bj��t�||>�t��}L|#|L_q||L_r|>|L_s|=|L_t|'|L_uD|L_NC|L_vt�|�|L_0|t�k(rEL_w||L_xnd>L_wd|L_xKL_y|)r>t�|D|=j�|=j�|=j�j��|*|+�d�LS#t$rtd|#z��wxYw#t$$rd}8Y�	�wxYw#|;jA�wxYw#t�$r}IDj��I�d}I~IwwxYw#t�$r}IDj��I�d}I~IwwxYw#Bj���xYw)ezHProvision samba4

    :note: caution, this wipes all existing data!
    zlserver role (%s) should be one of "active directory domain controller", "member server", "standalone server"N)�2008_R2�2008_R2_old)�2012)�2012_R2z7dom_for_fun_level[%u] incompatible with base_schema[%s]z2base_schema[%s] incompatible with adprep_level[%u]z8dom_for_fun_level[%u] incompatible with adprep_level[%u]r�r�r2�nobody�users�other�staff�bind�named�etczsmb.confr�zidmap_ldb:use rfc2307r�z-dnsz
dns forwarderz+smbz-s3fsz+winregz+srvsvczdcerpc endpoint serversrzserver servicesrr�)rXrrrsr�rt)r�rr~r{rXrurvrwr�r�rtrYrRi�i��tlsr$)rrwrt)r�r�r�r zSetting up share.ldbr�z
share.ldifzSetting up secrets.ldbzSetting up the registry)r�z"Setting up the privileges databasezSetting up idmap db)r�r3r�r�r�zSetting up SAM db)	r rXr5rr.r�r�r�r6rSr@r?r��� Tr�Fr5rqrr�r�rrr�rvrrrr�r�r�rrXrwr.r�rsrr�r�zdsdb:schema update allowedz;Temporarily overriding 'dsdb:schema update allowed' setting)�ForestUpdate)r�)��6�O�P�Q�R�S)�update_revision)�DomainUpdate�nozlog filez<The Kerberos KDC configuration for Samba AD is located at %s)r{rr|zGA Kerberos configuration suitable for Samba AD has been generated at %szpMerge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!r+)~r(r&r�rrrrr�rrMr�
random_sidr4r+r0r�r�r�r#rAr>rBr�default_pathrh�dirnamer'r�r�rl�read�lstripror}rgrirZrDrLr{�bind_gidr3r�r9r;r�r�r�r�r�r�r5rcrdrer�rGr?rIrwr(�init�startrUrrr�r>r�r�rVr�rCr�r]r�r�r<r\r@�MissingShareErrorr��isdirr�bytesr�rArrk�printr��samba.forest_updaterL�check_updates_iterator�check_updates_functional_levelr��	Exceptionr��samba.domain_updaterUrrrLrE�create_krb5_confrDrr|rH�
post_setup�shutdownrGrrrur�r�r�rrr�rr/r}r~r�)Mr r�r�rqrr|rtrurwrvr�r~rr�r�r�rrr��
ldapadminpassrvr�rrr��
dns_forwarderrrr�r�r2rBrC�backupr�rXrw�useeadbr.r�rs�use_rfc2307r-r.rrt�adprep_levelr�r�r�r6�max_adprep_levelr3r�r�r�r\�server_servicesrtrz�datar�r�r5r��	share_ldbr�rr\r�updates_allowed_overriddenrL�forestr�rUr�resultsM                                                                             rh�	provisionrxms�
��(]�)�*�5�
�� �6���0�0�5��	��	 �2��	��	#�5��2���+�+�� Y�!2�K� @�!A�B�	B���$4�|�$C�� T�!,�l� ;�!<�=�	=���L�3D�$D�� Z�!2�L� A�!B�C�	C����6�6�s�C�@�
���1�3�
����'�'�)�	��T�^�V�,�f�5�H��f�0��1�2�J��U�-�g�w���I�J�I��|�|�H�%�,�,�H�����0�1�����'�'�,�,�y�%��<��	���+�+�*�*�,��
�7�7�>�>�"�'�'�/�/�'�2�3�
���B�G�G�O�O�G�,�-��O��L��16���,�-��&�&����v�&��$�-:�O�L��)�����v�&����w�'�3<�i�2H��.�/�
�?��a��*9��&�'�
�w�w�~�~�g��
��#���	��6�6�8�?�?�$�D�
�G�G�I��<�4�2�:���(�F�E�"�z�%���\�
;�
	�W�h���y� *�!�Y�2�L�	Z�
�z�
�[�[�
!�
!�
#���G�G�G���2���"'�J��!)�H�x�!)�&�z�]e�Oe�
h�E�
$�B����8�E��E�N��E�N��E�N�
�v�r�6�
2�F� ���W�5�G��E�L��E�M�!�E���E�O��E�O����V�V�M�*�
��u�0�0�%�8��u�0�0�%�8��r�w�w�|�|�E�,=�,=�u�E�F��u���/��#�E�$D�$D�E��|�|�B�G�G�N�N�5�<�<�8�
���E�L�L�%�(�
�I�L�"�^�^��F�F�#��&(�).�v�?�����������7�7�>�>�%�/�/�*����*�+�����l�r�J�	��$�$�Z��%=�>�
�K�K�(�)�!�%�/;��D�K�x����-�.��u�z�z�<�B�7����8�9�����,�2�>����)�*��e�m�m�,�2�N���E�s�9�~�%-�*�&/�(�	D�	���'�(��E�K�K��-�r�5��'1�#)�
�G�.?�*7�/A�'1�3���=�=��~�~�%�'�
�E�M�M�B�B��|�|�#�'��%�-�-�@�@��7�7�=�=����0����E�N�N�E�2����6�6�r�2�>�I�"&���)�U�+�%�,�,�W�5�	�"'����"��5�+�v�u�e�

B�"(�

B�4=�

B�JT�

B�"(�

B�29�

B�%-�

B�6<�

B�HQ�

B�'1�	

B�
'1�

B�
AN�

B�)5�


B�CN�


B�%-�

B�;F�

B�$+�

B�8B�

B�.?�

B�IP�

B�!�

B�-6�

B�+9�

B�*7�

B�/A�

B��'�-2�*��6�6�6�7�?��F�F�7��?��W�X�15�.��'�'�)��@�)�%�T�:�F��1�1�2N�O��9�9�,�:T�JN�:�P��,�,�.�
�'�'�)��@� ��D�1�P�P�$�/�(,�Q���,�,�.�
.��F�F�7��>��!��E�M�M�5�&�"�'�'�/�/�"�&�&�Q[�J\�:]�^��K�K�(�).���
8�	����#(�?�?�U�^�^�$�{�{�	,�	���&�',�~�~�	7�����	 ��=�=�"�2�v�u�5�*�5�5�7���"�"�$��"�"�$��v�u�-�
�
�F�#�F���F�O��F�L��F�L��F�I��F�L��F�L��9�~�F���Y��%8��"�$���%*��"����*�F����v�U�).���U�EV�EV�*/�,�,�*<�*<�*>�v�V\�	^��M��W	�]��!O�R\�!\�]�	]�]��X������L
�G�G�I��Z!���,�,�.��G����!���,�,�.��G����6��&�&�(�
�s��g9�

h�!h&�?H=j�=Ah;�j�6i�Dj�9h�h#�"h#�&h8�;	i�i�i�j�	i>�'i9�9i>�>j�jc�D�tjd�}tj|�t	|t�fid|�d|�dt�d|�d|�d|�d|�d	|�d
|�d|�d|	�d
d�d|
�d|�dd�d|�d|
�d|�d|��}|jjdt|��|S)Nrxr�rqrr|rtrurwrvr�r~rr�r�r�rXrSr�r�rrs�
debuglevel)
�logging�	getLoggerr��set_debug_levelrxrrDr�rkr�)r�rqr|rtrurwrvr�r~rr�r�rr�r�rzrsr r�s                   rh�provision_become_dcr~�	s���
�
�{�
+�F�	���*�%�
�F�N�,�)�#�)�/8�)�EM�)��)�(.�)�9A�)�LT�)�&�)�19�)�BH�)�&�	)�/3�	)�?H�	)�
!,�)� D�
)�&�)�4?�)�IP�)�(�)�C��F�F�J�J�|�S��_�-��Jrjc�8�ttd�||||d��y)z�Write out a file containing a valid krb5.conf file

    :param path: Path of the new krb5.conf file.
    :param dnsdomain: DNS Domain name
    :param hostname: Local hostname
    :param realm: Realm name
    r<)rr�REALMN)rr>)r>r{rr|s    rhrhrh�	s#���z�+�&��"� ��/�rjc��eZdZdZd�Zd�Zy)r�zA generic provision error.c��||_yrT��value)rgr�s  rhrizProvisioningError.__init__�	s	����
rjc� �d|jzS)NzProvisioningError: r�rfs rh�__str__zProvisioningError.__str__�	s��$�t�z�z�1�1rjN)rlrmrnr!rir�rorjrhr�r��	s��$��2rjr�c�"��eZdZdZ�fd�Z�xZS)rVz.A specified name was not a valid NetBIOS name.c�2��tt|�d|z�y)Nz)The name '%r' is not a valid NetBIOS name)�superrVri)rgr%�	__class__s  �rhrizInvalidNetbiosName.__init__�	s���
� �$�0�7�$�>�	@rj)rlrmrnr!ri�
__classcell__�r�s@rhrVrV�	s���8�@�@rjrVc���eZdZ�fd�Z�xZS)r_c�:��tt|�d|�d|�d��y)Nz#Existing smb.conf does not have a [z5] share, but you are configuring a DC. Please remove z or add the share manually.)r�r_ri)rgr%r�r�s   �rhrizMissingShareError.__init__�	s���
���/��7�
�	rj)rlrmrnrir�r�s@rhr_r_�	s
����rjr_)F)NNNNNNNNNNNF)NFFNN)FFNN)NN)FFNNF)FNNNNNN)r�rT)NNNNNNNNNNNNNNNr�F)�r!�
__docformat__�base64rr2rAr�r�r�r.r{rjrrTr��
samba.dsdbr�r��
samba.authrr�samba.auth_utilrr�samba.samba3r	r
rr�rr
rrrrrrr�samba.dcerpcrr�samba.dcerpc.miscrrrrrrrrrr �samba.idmapr!�samba.ms_display_specifiersr"�samba.ntaclsr#r$r%�	samba.ndrr&r'�samba.provision.backendr(�samba.descriptorr)r*r+r,r-r.r/r0r1r2r3r4r5r6r7r8r9r:r;r<r=�samba.provision.commonr>r?r@rArBrCrD�samba.provision.sambadnsrErFrGrH�samba.param�samba.registry�samba.schemarI�samba.samdbrJ�samba.dbcheckerrK�samba.provision.kerberosrLrMrNr�r�rWr�rk�objectrRrqr�r�rrrrr&r+r0r4rLrOrZr}r�r�r�r�r�r�r�r�r�rr"r(r*r0r<r�r�r�r�r�r�r�r�r�r�r�r�r�rr%r(r/r5r9r;rxr~rhrfr�rVr_rorjrh�<module>r�s���26�"�
���	��	�
�
����
���
�4�/���%�)�
�
�
�(��	�	�	� �4�8�8�*��������.���������#�4�1�"�<��?��'��1�����V��,�V��0_�D&�R�0
 � &�R#6�f�#6�L>�+�+��-�`6�@D�FJ�7;�$)�r�lCG�"�c�LF�*;@�AE�F#�T=A�"�d�$(�+,�,:�W�t'�T
M� �2
"� �"�"JN�h�V�
� #� -��;@�7;�49�?�HEJ�JN�!�"&�J�Zg�
�~����CQ�	c�#�@la�^�D�> 3�F/)�d���!�i��� ���$�"�t�4� $�$��#�T�"�d� �T�U�"'�t�&*�N#�d+�)�;�;�
.��=�*N�$�%�,��
��#�*b��"�-1���$�t��d�T�D��D��t�t��D�D���$�4�t��d�D��T�D���D������U�t�u���T�$� �/F� %�T�!%�%�A�H
=A�=A�=A�15�26�DE�"'�
�0�2�	�2�@��@��)�rj
