source4/scripting/python/samba/drs_utils.py

   1 #!/usr/bin/env python
   2 #
   3 # DRS utility code
   4 #
   5 # Copyright Andrew Tridgell 2010
   6 # Copyright Andrew Bartlett 2010
   7 #
   8 # This program is free software; you can redistribute it and/or modify
   9 # it under the terms of the GNU General Public License as published by
  10 # the Free Software Foundation; either version 3 of the License, or
  11 # (at your option) any later version.
  12 #
  13 # This program is distributed in the hope that it will be useful,
  14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16 # GNU General Public License for more details.
  17 #
  18 # You should have received a copy of the GNU General Public License
  19 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 #
  21
  22 from samba.dcerpc import drsuapi, misc
  23 from samba.net import Net
  24 import samba, ldb
  25
  26
  27 def drs_DsBind(drs):
  28     '''make a DsBind call, returning the binding handle'''
  29     bind_info = drsuapi.DsBindInfoCtr()
  30     bind_info.length = 28
  31     bind_info.info = drsuapi.DsBindInfo28()
  32     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_BASE
  33     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
  34     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
  35     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
  36     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
  37     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
  38     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
  39     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE
  40     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2
  41     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION
  42     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2
  43     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD
  44     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND
  45     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO
  46     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION
  47     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01
  48     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP
  49     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY
  50     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3
  51     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2
  52     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6
  53     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS
  54     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8
  55     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5
  56     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6
  57     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3
  58     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7
  59     bind_info.info.supported_extensions |= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT
  60     (info, handle) = drs.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID), bind_info)
  61
  62     return (handle, info.info.supported_extensions)
  63
  64
  65 class drs_Replicate:
  66     '''DRS replication calls'''
  67
  68     def __init__(self, binding_string, lp, creds, samdb):
  69         self.drs = drsuapi.drsuapi(binding_string, lp, creds)
  70         (self.drs_handle, self.supported_extensions) = drs_DsBind(self.drs)
  71         self.net = Net(creds=creds, lp=lp)
  72         self.samdb = samdb
  73         self.replication_state = self.net.replicate_init(self.samdb, lp, self.drs)
  74
  75     def drs_get_rodc_partial_attribute_set(self):
  76         '''get a list of attributes for RODC replication'''
  77         partial_attribute_set = drsuapi.DsPartialAttributeSet()
  78         partial_attribute_set.version = 1
  79
  80         attids = []
  81
  82         # the exact list of attids we send is quite critical. Note that
  83         # we do ask for the secret attributes, but set SPECIAL_SECRET_PROCESSING
  84         # to zero them out
  85         schema_dn = self.samdb.get_schema_basedn()
  86         res = self.samdb.search(base=schema_dn, scope=ldb.SCOPE_SUBTREE,
  87                                       expression="objectClass=attributeSchema",
  88                                       attrs=["lDAPDisplayName", "systemFlags",
  89                                              "searchFlags"])
  90
  91         for r in res:
  92             ldap_display_name = r["lDAPDisplayName"][0]
  93             if "systemFlags" in r:
  94                 system_flags      = r["systemFlags"][0]
  95                 if (int(system_flags) & (samba.dsdb.DS_FLAG_ATTR_NOT_REPLICATED |
  96                                          samba.dsdb.DS_FLAG_ATTR_IS_CONSTRUCTED)):
  97                     continue
  98             if "searchFlags" in r:
  99                 search_flags = r["searchFlags"][0]
 100                 if (int(search_flags) & samba.dsdb.SEARCH_FLAG_RODC_ATTRIBUTE):
 101                     continue
 102             attid = self.samdb.get_attid_from_lDAPDisplayName(ldap_display_name)
 103             attids.append(int(attid))
 104
 105         # the attids do need to be sorted, or windows doesn't return
 106         # all the attributes we need
 107         attids.sort()
 108         partial_attribute_set.attids         = attids
 109         partial_attribute_set.num_attids = len(attids)
 110         return partial_attribute_set
 111
 112     def replicate(self, dn, source_dsa_invocation_id, destination_dsa_guid,
 113                   schema=False, exop=drsuapi.DRSUAPI_EXOP_NONE, rodc=False,
 114                   replica_flags=None):
 115         '''replicate a single DN'''
 116
 117         # setup for a GetNCChanges call
 118         req8 = drsuapi.DsGetNCChangesRequest8()
 119
 120         req8.destination_dsa_guid           = destination_dsa_guid
 121         req8.source_dsa_invocation_id       = source_dsa_invocation_id
 122         req8.naming_context                 = drsuapi.DsReplicaObjectIdentifier()
 123         req8.naming_context.dn              = dn
 124         req8.highwatermark                  = drsuapi.DsReplicaHighWaterMark()
 125         req8.highwatermark.tmp_highest_usn  = 0
 126         req8.highwatermark.reserved_usn     = 0
 127         req8.highwatermark.highest_usn      = 0
 128         req8.uptodateness_vector            = None
 129         if replica_flags is not None:
 130             req8.replica_flags = replica_flags
 131         elif exop == drsuapi.DRSUAPI_EXOP_REPL_SECRET:
 132             req8.replica_flags              = 0
 133         else:
 134             req8.replica_flags              = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
 135                                                drsuapi.DRSUAPI_DRS_PER_SYNC |
 136                                                drsuapi.DRSUAPI_DRS_GET_ANC |
 137                                                drsuapi.DRSUAPI_DRS_NEVER_SYNCED)
 138             if rodc:
 139                 req8.replica_flags |= drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
 140             else:
 141                 req8.replica_flags |= drsuapi.DRSUAPI_DRS_WRIT_REP
 142         req8.max_object_count = 402
 143         req8.max_ndr_size = 402116
 144         req8.extended_op = exop
 145         req8.fsmo_info = 0
 146         req8.partial_attribute_set = None
 147         req8.partial_attribute_set_ex = None
 148         req8.mapping_ctr.num_mappings = 0
 149         req8.mapping_ctr.mappings = None
 150
 151         if not schema and rodc:
 152             req8.partial_attribute_set = self.drs_get_rodc_partial_attribute_set()
 153
 154         if self.supported_extensions & drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8:
 155             req_level = 8
 156             req = req8
 157         else:
 158             req_level = 5
 159             req5 = drsuapi.DsGetNCChangesRequest5()
 160             for a in dir(req5):
 161                 if a[0] != '_':
 162                     setattr(req5, a, getattr(req8, a))
 163             req = req5
 164
 165
 166         while True:
 167             (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
 168             if ctr.first_object == None and ctr.object_count != 0:
 169                 raise RuntimeError("DsGetNCChanges: NULL first_object with object_count=%u" % (ctr.object_count))
 170             self.net.replicate_chunk(self.replication_state, level, ctr,
 171                 schema=schema, req_level=req_level, req=req)
 172             if ctr.more_data == 0:
 173                 break
 174             req.highwatermark.tmp_highest_usn = ctr.new_highwatermark.tmp_highest_usn