3 # update our servicePrincipalName names from spn_update_list
5 # Copyright (C) Andrew Tridgell 2010
6 # Copyright (C) Matthieu Patou <mat@matws.net> 2012
8 # This program is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # This program is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with this program. If not, see <http://www.gnu.org/licenses/>.
24 # ensure we get messages out immediately, so they get in the samba logs,
25 # and don't get swallowed by a timeout
26 os.environ['PYTHONUNBUFFERED'] = '1'
28 # forcing GMT avoids a problem in some timezones with kerberos. Both MIT
29 # heimdal can get mutual authentication errors due to the 24 second difference
30 # between UTC and GMT when using some zone files (eg. the PDT zone from
32 os.environ["TZ"] = "GMT"
34 # Find right directory when running from source tree
35 sys.path.insert(0, "bin/python")
40 from samba import getopt as options
41 from samba.auth import system_session
42 from samba.samdb import SamDB
43 from samba.credentials import Credentials, DONT_USE_KERBEROS
44 from samba.common import get_string
46 parser = optparse.OptionParser("samba_spnupdate")
47 sambaopts = options.SambaOptions(parser)
48 parser.add_option_group(sambaopts)
49 parser.add_option_group(options.VersionOptions(parser))
50 parser.add_option("--verbose", action="store_true")
52 credopts = options.CredentialsOptions(parser)
53 parser.add_option_group(credopts)
57 opts, args = parser.parse_args()
63 lp = sambaopts.get_loadparm()
64 creds = credopts.get_credentials(lp)
66 domain = lp.get("realm")
67 host = lp.get("netbios name")
70 # get the list of substitution vars
71 def get_subst_vars(samdb):
75 vars['DNSDOMAIN'] = samdb.domain_dns_name()
76 vars['DNSFOREST'] = samdb.forest_dns_name()
77 vars['HOSTNAME'] = samdb.host_dns_name()
78 vars['NETBIOSNAME'] = lp.get('netbios name').upper()
79 vars['WORKGROUP'] = lp.get('workgroup')
80 vars['NTDSGUID'] = samdb.get_ntds_GUID()
81 res = samdb.search(base=samdb.get_default_basedn(), scope=ldb.SCOPE_BASE, attrs=["objectGUID"])
82 guid = samdb.schema_format_value("objectGUID", res[0]['objectGUID'][0])
83 vars['DOMAINGUID'] = get_string(guid)
87 private_dir = lp.get("private dir")
88 secrets_path = os.path.join(private_dir, "secrets.ldb")
90 secrets_db = Ldb(url=secrets_path, session_info=system_session(),
91 credentials=creds, lp=lp)
92 res = secrets_db.search(base=None,
93 expression="(&(objectclass=ldapSecret)(cn=SAMDB Credentials))",
94 attrs=["samAccountName", "secret"])
97 credentials = Credentials()
98 credentials.set_kerberos_state(DONT_USE_KERBEROS)
100 if "samAccountName" in res[0]:
101 credentials.set_username(res[0]["samAccountName"][0])
103 if "secret" in res[0]:
104 credentials.set_password(res[0]["secret"][0])
109 samdb = SamDB(url=lp.samdb_url(), session_info=system_session(), credentials=credentials, lp=lp)
110 except ldb.LdbError as e:
112 print("Unable to open sam database %s : %s" % (lp.samdb_url(), msg))
116 # get the substitution dictionary
117 sub_vars = get_subst_vars(samdb)
119 # get the list of SPN entries we should have
120 spn_update_list = lp.private_path('spn_update_list')
124 has_forest_dns = False
125 has_domain_dns = False
126 # check if we "are DNS server"
127 res = samdb.search(base=samdb.get_config_basedn(),
128 expression='(objectguid=%s)' % sub_vars['NTDSGUID'],
129 attrs=["msDS-hasMasterNCs"])
131 basedn = str(samdb.get_default_basedn())
133 if "msDS-hasMasterNCs" in res[0]:
134 for e in res[0]["msDS-hasMasterNCs"]:
135 if str(e) == "DC=DomainDnsZones,%s" % basedn:
136 has_domain_dns = True
137 if str(e) == "DC=ForestDnsZones,%s" % basedn:
138 has_forest_dns = True
142 with open(spn_update_list, "r") as file:
145 if line == '' or line[0] == "#":
147 if re.match(r".*/DomainDnsZones\..*", line) and not has_domain_dns:
149 if re.match(r".*/ForestDnsZones\..*", line) and not has_forest_dns:
151 line = samba.substitute_var(line, sub_vars)
152 spn_list.append(line)
154 # get the current list of SPNs in our sam
155 res = samdb.search(base=samdb.get_default_basedn(),
156 expression='(&(objectClass=computer)(samaccountname=%s$))' % sub_vars['NETBIOSNAME'],
157 attrs=["servicePrincipalName"])
158 if not res or len(res) != 1:
159 print("Failed to find computer object for %s$" % sub_vars['NETBIOSNAME'])
162 machine_dn = res[0]["dn"]
165 if "servicePrincipalName" in res[0]:
166 for s in res[0]["servicePrincipalName"]:
167 old_spns.append(str(s))
170 print("Existing SPNs: %s" % old_spns)
174 # work out what needs to be added
178 if s2.upper() == s.upper():
185 print("New SPNs: %s" % add_list)
189 print("Nothing to add")
192 def local_update(add_list):
196 msg.dn = res[0]['dn']
197 msg[""] = ldb.MessageElement(add_list,
198 ldb.FLAG_MOD_ADD, "servicePrincipalName")
199 res = samdb.modify(msg)
201 def call_rodc_update(d):
202 '''RODCs need to use the writeSPN DRS call'''
204 from samba import drs_utils
205 from samba.dcerpc import drsuapi, nbt
206 from samba.net import Net
209 print("Using RODC SPN update")
211 creds = credopts.get_credentials(lp)
212 creds.set_machine_account(lp)
214 net = Net(creds=creds, lp=lp)
216 cldap_ret = net.finddc(domain=domain, flags=nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
217 except Exception as reason:
218 print("Unable to find writeable DC for domain '%s' to send DRS writeSPN to : %s" % (domain, reason))
220 server = cldap_ret.pdc_dns_name
222 binding_options = "seal"
223 if lp.log_level() >= 5:
224 binding_options += ",print"
225 drs = drsuapi.drsuapi('ncacn_ip_tcp:%s[%s]' % (server, binding_options), lp, creds)
226 (drs_handle, supported_extensions) = drs_utils.drs_DsBind(drs)
227 except Exception as reason:
228 print("Unable to connect to DC '%s' for domain '%s' : %s" % (server, domain, reason))
230 req1 = drsuapi.DsWriteAccountSpnRequest1()
231 req1.operation = drsuapi.DRSUAPI_DS_SPN_OPERATION_ADD
232 req1.object_dn = str(machine_dn)
236 if n.find('E3514235-4B06-11D1-AB04-00C04FC2DCD2') != -1:
237 # this one isn't allowed for RODCs, but we don't know why yet
239 ns = drsuapi.DsNameString()
242 req1.count = req1.count + 1
245 req1.spn_names = spn_names
246 (level, res) = drs.DsWriteAccountSpn(drs_handle, 1, req1)
247 if (res.status != (0, 'WERR_OK')):
248 print("WriteAccountSpn has failed with error %s" % str(res.status))
251 call_rodc_update(add_list)
253 local_update(add_list)