[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Sep 13 01:35:01 MDT 2011
The branch, master has been updated
via 85598e6 s3-selftest use a more portable shell syntax
via 45c5805 script/librelease.sh: automate Samba4 alpha releases
via 9488679 s4-subdomain: match windows form for trustAuthInOutBlob
via 588c50f s4-subdomain: fixed domain guid choice for subdomain join
via 877e48c s4-subdomain: don't delete account DN not created in subdomain join
via b8c6e36 s4-subdomain: use a password length of 128
via 4ff9926 s4-join: fixed non-subdomain join
via eb00607 s4-subdomain: fixed invocationID and hostIPs in subdomain join
via 8c33036 s4-subdomain more work on sub-domain join
via 6015032 s4: add createtrust tool for testing
via 4d74fb7 selftest: add test for subdomain support
via dd9138d s4-join Add a partitions DN when we join a subdomain
via c271b71 s4-provision Perform 'modify' operations as system
via 840448e s4-join supply the NTDS GUID to the provision
via 846e342 s4-provision Split addition of users and well known principals
via 6635bb7 s4-provision Add initial support for joining as a new subdomain
from 6d9b0ee2 start work on Samba 4.0 alpha18
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 85598e68502a594339434b71fec14fe186cb2131
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 13 15:19:46 2011 +1000
s3-selftest use a more portable shell syntax
"$10" evaulates to $1 and 0, not the 10th argument.
Thanks to Amitay for pointing this out!
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet at samba.org>
Autobuild-Date: Tue Sep 13 09:34:49 CEST 2011 on sn-devel-104
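As an added illustration of the point this commit message makes (example code, not part of the commit or of the Samba tree), the behaviour is the same in every POSIX shell: `"$10"` expands `$1` and then appends a literal `0`, while `"${10}"` or a `shift` reaches the tenth argument. The function names below are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Samba repository: positional parameters
# past $9 need braces, because "$10" is parsed as "$1" followed by "0".

# What the shell produces for the unbraced form, given ten arguments.
unbraced_tenth() {
    set -- one two three four five six seven eight nine ten
    printf '%s' "$10"
}

# The real tenth positional parameter, reached with braces.
braced_tenth() {
    set -- one two three four five six seven eight nine ten
    printf '%s' "${10}"
}

# Alternative used by scripts that consume arguments in order: shift the
# first nine away so the tenth becomes $1 and no double-digit index is needed.
shifted_tenth() {
    set -- one two three four five six seven eight nine ten
    shift 9
    printf '%s' "$1"
}

# Demonstrate the difference when run directly.
echo "unbraced: $(unbraced_tenth)  braced: $(braced_tenth)  shifted: $(shifted_tenth)"
```

Run under dash or bash the unbraced form prints `one0`, which is how the `WBINFO="$10"` line in the test script silently received the server name with a `0` appended.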
commit 45c580575f38a2e5f7952aaad9921a53723b9f66
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 13 15:18:52 2011 +1000
script/librelease.sh: automate Samba4 alpha releases
commit 94886797bc6fdbf9adad221ae79021232ec03278
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Sep 7 17:22:49 2011 +1000
s4-subdomain: match windows form for trustAuthInOutBlob
Windows does not put a version element in the array
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit 588c50f11e42bf6d21d1d213302001d178533f66
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Sep 7 17:21:07 2011 +1000
s4-subdomain: fixed domain guid choice for subdomain join
We need to use the domain GUID that the server chose in the ncName link
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit 877e48cac8bd9c6bcf0ee983abcb187780ec294d
Author: Andrew Tridgell <tridge at samba.org>
Date: Mon Sep 5 17:23:48 2011 +1000
s4-subdomain: don't delete account DN not created in subdomain join
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit b8c6e36b09c72bf77077f853b4aac910c04a57ed
Author: Andrew Tridgell <tridge at samba.org>
Date: Mon Sep 5 16:45:28 2011 +1000
s4-subdomain: use a password length of 128
windows seems to use a fixed size for this password. It is possible
that windows servers can only handle one size, given we have observed
some strange behaviour from the windows kdc when we set up trusts
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit 4ff99264cbc4ae39c3160a8eeba3ee27be899746
Author: Andrew Tridgell <tridge at samba.org>
Date: Mon Sep 5 16:43:26 2011 +1000
s4-join: fixed non-subdomain join
these two vars need to be initialised for general join
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit eb0060766f2eced27fb0ac747af5bb4728df4448
Author: Andrew Tridgell <tridge at samba.org>
Date: Fri Sep 2 15:12:11 2011 +1000
s4-subdomain: fixed invocationID and hostIPs in subdomain join
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit 8c33036a374b6f61677965dbb357d6ae7216cbfb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 26 13:23:41 2011 +1000
s4-subdomain more work on sub-domain join
we can now create a subdomain of an existing windows domain using:
samba-tool domain join sub.domain.dns.name subdomain
The ordering of the creation of the key records is quite tricky,
especially for the NTDSDSA object
Pair-Programmed-With: Andrew Tridgell <tridge at samba.org>
commit 60150323be045bf6612fcde18eaea5bbc0d2e818
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 2 10:35:46 2011 +1000
s4: add createtrust tool for testing
commit 4d74fb7d471c9b64ca991654449b868defb8dc6d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 25 21:47:03 2011 +1000
selftest: add test for subdomain support
commit dd9138d9c64cbc6d381ce589eb247a33b8f5e217
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 26 16:07:05 2011 +1000
s4-join Add a partitions DN when we join a subdomain
commit c271b7142062f833869bb13aed4a873edcd1e445
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 25 19:15:13 2011 +1000
s4-provision Perform 'modify' operations as system
We need this so that we can modify the cn=configuration partition when
we are setting up a new subdomain.
The serverReference on our ${SERVERDN} is in that partition, and
without this change creating a new subdomain fails due to ACLs.
Andrew Bartlett
commit 840448eae81542b78c22d4b2bc93281c39688007
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 25 19:13:34 2011 +1000
s4-join supply the NTDS GUID to the provision
Unlike other join operations, the creation of a subdomain makes local
changes to the DB, so we need to pass in the NTDS GUID to ensure the
one set on the object created in the parent domain is the one that is
used.
Andrew Bartlett
commit 846e34264828e725ad32897aafbdfd6c0334a7a9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 25 13:18:43 2011 +1000
s4-provision Split addition of users and well known principals
If we are provisioning a subdomain, then these are already in
cn=configuration.
Andrew Bartlett
commit 6635bb70d32d5214bc027428ac4a3737e8327c17
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Aug 24 15:39:51 2011 +1000
s4-provision Add initial support for joining as a new subdomain
To do this we need to reorganise a lot of the provision code, so that
we can create the framework for the inbound replication of the config
and schema partitions and then add in the new subdomain locally.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
script/librelease.sh | 22 +-
selftest/target/Samba4.pm | 120 +++++
source3/script/tests/test_smbclient_s3.sh | 20 +-
source4/librpc/rpc/pyrpc.c | 13 +
source4/script/mkrelease.sh | 19 -
source4/scripting/devel/createtrust | 137 +++++
source4/scripting/python/samba/join.py | 478 ++++++++++++++---
source4/scripting/python/samba/netcmd/domain.py | 14 +-
.../scripting/python/samba/provision/__init__.py | 538 +++++++++++---------
source4/selftest/tests.py | 5 +-
source4/setup/provision_self_join.ldif | 40 +--
source4/setup/provision_self_join_config.ldif | 33 ++
source4/setup/provision_self_join_modify.ldif | 28 +-
.../setup/provision_self_join_modify_config.ldif | 14 +
source4/setup/provision_users.ldif | 136 -----
source4/setup/provision_well_known_sec_princ.ldif | 136 +++++
16 files changed, 1199 insertions(+), 554 deletions(-)
delete mode 100755 source4/script/mkrelease.sh
create mode 100755 source4/scripting/devel/createtrust
create mode 100644 source4/setup/provision_self_join_config.ldif
create mode 100644 source4/setup/provision_self_join_modify_config.ldif
create mode 100644 source4/setup/provision_well_known_sec_princ.ldif
Changeset truncated at 500 lines:
diff --git a/script/librelease.sh b/script/librelease.sh
index 089b371..ac82762 100755
--- a/script/librelease.sh
+++ b/script/librelease.sh
@@ -1,8 +1,13 @@
#!/bin/bash
# make a release of a Samba library
-GPG_USER='Samba Library Distribution Key <samba-bugs at samba.org>'
-GPG_KEYID='13084025'
+[ -z "$GPG_USER" ] && {
+ GPG_USER='Samba Library Distribution Key <samba-bugs at samba.org>'
+}
+
+[ -z "$GPG_KEYID" ] && {
+ GPG_KEYID='13084025'
+}
if [ ! -d ".git" ]; then
echo "Run this script from the top-level directory in the"
@@ -20,6 +25,7 @@ umask 0022
release_lib() {
lib="$1"
srcdir="$2"
+ ftpdir="$3"
pushd $srcdir
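Review bot: the new `ftpdir="$3"` has no default and no check, so a caller that still passes two arguments (the old `release_lib $lib "lib/$lib"` form) gets an empty `$ftpdir` and an upload path of `~ftp/pub//`; add a guard such as `[ -n "$ftpdir" ] || { echo "missing ftpdir"; exit 1; }` beside the assignment, and quote `"$srcdir"` in the `pushd` on the next line.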
@@ -67,21 +73,21 @@ release_lib() {
}
echo "Transferring for FTP"
- rsync -Pav $tarname.asc $tgzname master.samba.org:~ftp/pub/$lib/ || {
+ rsync -Pav $tarname.asc $tgzname master.samba.org:~ftp/pub/$ftpdir/ || {
exit 1
}
- rsync master.samba.org:~ftp/pub/$lib/$tarname.*
+ rsync master.samba.org:~ftp/pub/$ftpdir/$tarname.*
popd
}
for lib in $*; do
case $lib in
- talloc | tdb | tevent)
- release_lib $lib "lib/$lib"
+ talloc | tdb | tevent | ldb)
+ release_lib $lib "lib/$lib" $lib
;;
- ldb)
- release_lib $lib "source4/lib/$lib"
+ samba4)
+ release_lib $lib "." "samba/$lib"
;;
*)
echo "Unknown library $lib"
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 2b1472e..b356048 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1027,6 +1027,68 @@ sub provision_vampire_dc($$$)
return $ret;
}
+sub provision_subdom_dc($$$)
+{
+ my ($self, $prefix, $dcvars) = @_;
+ print "PROVISIONING SUBDOMAIN DC...";
+
+ # We do this so that we don't run the provision. That's the job of 'net vampire'.
+ my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
+ "localsubdc",
+ "SAMBASUBDOM",
+ "sub.samba.example.com",
+ "2008",
+ 31, $dcvars->{PASSWORD},
+ undef);
+
+ $ctx->{smb_conf_extra_options} = "
+ max xmit = 32K
+ server max protocol = SMB2
+
+[sysvol]
+ path = $ctx->{statedir}/sysvol
+ read only = yes
+
+[netlogon]
+ path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
+ read only = no
+
+";
+
+ my $ret = $self->provision_raw_step1($ctx);
+ unless ($ret) {
+ return undef;
+ }
+
+ my $dc_realms = Samba::mk_realms_stanza($dcvars->{REALM}, lc($dcvars->{REALM}),
+ $dcvars->{DOMAIN}, $dcvars->{SERVER_IP});
+ Samba::mk_krb5_conf($ctx, $dc_realms);
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{realm} subdomain ";
+ $cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}";
+
+ unless (system($cmd) == 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ $ret->{SUBDOM_DC_SERVER} = $ret->{SERVER};
+ $ret->{SUBDOM_DC_SERVER_IP} = $ret->{SERVER_IP};
+ $ret->{SUBDOM_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+
+ $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
+ $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+ $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
+ $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
+ $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
+
+ return $ret;
+}
+
sub provision_dc($$)
{
my ($self, $prefix) = @_;
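Review bot: the comment `# We do this so that we don't run the provision. That's the job of 'net vampire'.` was copied from `provision_vampire_dc` and is misleading here, where the join is done by `samba-tool domain join ... subdomain`; update it. The command string embeds `$dcvars->{DC_PASSWORD}` after `%` on the command line, so the parent DC's password is visible in `ps` while the join runs and is written to the build log by `warn("Join failed\n$cmd")`; acceptable in the selftest sandbox, but passing the credential through the environment or a credentials file would keep it out of both.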
@@ -1329,6 +1391,11 @@ sub setup_env($$$)
$self->setup_dc("$path/dc");
}
return $self->setup_vampire_dc("$path/vampire_dc", $self->{vars}->{dc});
+ } elsif ($envname eq "subdom_dc") {
+ if (not defined($self->{vars}->{dc})) {
+ $self->setup_dc("$path/dc");
+ }
+ return $self->setup_subdom_dc("$path/subdom_dc", $self->{vars}->{dc});
} elsif ($envname eq "s4member") {
if (not defined($self->{vars}->{dc})) {
$self->setup_dc("$path/dc");
@@ -1559,6 +1626,59 @@ sub setup_vampire_dc($$$)
return $env;
}
+sub setup_subdom_dc($$$)
+{
+ my ($self, $path, $dc_vars) = @_;
+
+ my $env = $self->provision_subdom_dc($path, $dc_vars);
+
+ if (defined $env) {
+ $self->check_or_start($env, "single");
+
+ $self->wait_for_start($env);
+
+ $self->{vars}->{subdom_dc} = $env;
+
+ # force replicated DC to update repsTo/repsFrom
+ # for primary domain partitions
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+ $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+ $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
+ $cmd .= " $env->{CONFIGURATION}";
+ $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} --realm=$dc_vars->{DC_REALM}";
+ unless (system($cmd) == 0) {
+ warn("Failed to exec kcc\n$cmd");
+ return undef;
+ }
+
+ # as 'subdomain' dc may add data in its local replica
+ # we need to synchronize data between DCs
+ my $base_dn = "DC=".join(",DC=", split(/\./, $env->{REALM}));
+ my $config_dn = "CN=Configuration,DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
+ $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+ $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+ $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SUBDOM_DC_SERVER}";
+ $cmd .= " $dc_vars->{CONFIGURATION}";
+ $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} --realm=$dc_vars->{DC_REALM}";
+ # replicate Configuration NC
+ my $cmd_repl = "$cmd \"$config_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+ # replicate Default NC
+ $cmd_repl = "$cmd \"$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+ }
+
+ return $env;
+}
+
sub setup_rodc($$$)
{
my ($self, $path, $dc_vars) = @_;
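Review bot: `--realm=$dc_vars->{DC_REALM}` is used in both command strings, but `provision_subdom_dc` above copies `DC_SERVER`, `DC_SERVER_IP`, `DC_NETBIOSNAME`, `DC_USERNAME` and `DC_PASSWORD` into its result and never `DC_REALM`, so this depends on the parent `dc` vars defining it; please confirm, or derive the realm from `$dc_vars->{REALM}` as the `$config_dn` line already does. The `drs kcc` call passes `$env->{CONFIGURATION}` while the `drs replicate` call passes `$dc_vars->{CONFIGURATION}`, yet both address the parent `$env->{DC_SERVER}`; one of the two looks like a slip. As in the provisioning hunk, the `%$dc_vars->{DC_PASSWORD}` form puts the password in the process list and in the `warn(...)` output on failure.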
diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
index d2c5049..3341c62 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -9,16 +9,16 @@ EOF
exit 1;
fi
-SERVER="$1"
-SERVER_IP="$2"
-DOMAIN="$3"
-USERNAME="$4"
-PASSWORD="$5"
-USERID="$6"
-LOCAL_PATH="$7"
-PREFIX="$8"
-SMBCLIENT="$9"
-WBINFO="$10"
+SERVER="${1}"
+SERVER_IP="${2}"
+DOMAIN="${3}"
+USERNAME="${4}"
+PASSWORD="${5}"
+USERID="${6}"
+LOCAL_PATH="${7}"
+PREFIX="${8}"
+SMBCLIENT="${9}"
+WBINFO="${10}"
SMBCLIENT="$VALGRIND ${SMBCLIENT}"
WBINFO="$VALGRIND ${WBINFO}"
shift 10
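Review bot: the braced `"${10}"` is a correctness fix rather than a portability one: no POSIX shell reads `"$10"` as the tenth parameter, it is always `$1` followed by a literal `0`, so before this change `WBINFO` was set to the server name with `0` appended; bracing all ten keeps the style uniform, which is good. Since `shift 10` immediately follows, shifting after each assignment would avoid double-digit indexing altogether, but the present form is fine.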
diff --git a/source4/librpc/rpc/pyrpc.c b/source4/librpc/rpc/pyrpc.c
index 2d6e1f6..7aa5ff5 100644
--- a/source4/librpc/rpc/pyrpc.c
+++ b/source4/librpc/rpc/pyrpc.c
@@ -117,6 +117,17 @@ static PyObject *py_iface_transfer_syntax(PyObject *obj, void *closure)
return py_ndr_syntax_id(&iface->pipe->transfer_syntax);
}
+static PyObject *py_iface_session_key(PyObject *obj, void *closure)
+{
+ dcerpc_InterfaceObject *iface = (dcerpc_InterfaceObject *)obj;
+ DATA_BLOB session_key;
+
+ NTSTATUS status = dcerpc_fetch_session_key(iface->pipe, &session_key);
+ PyErr_NTSTATUS_IS_ERR_RAISE(status);
+
+ return PyString_FromStringAndSize((const char *)session_key.data, session_key.length);
+}
+
static PyGetSetDef dcerpc_interface_getsetters[] = {
{ discard_const_p(char, "server_name"), py_iface_server_name, NULL,
discard_const_p(char, "name of the server, if connected over SMB") },
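Review bot: `py_iface_session_key` hands the DCE/RPC session key to Python as an immutable `str`, which can be copied freely and never zeroed; that is what the LSA/SAMR blob encryption needs, but the attribute should be documented as key material. `PyErr_NTSTATUS_IS_ERR_RAISE(status)` returns `NULL` on error before the `PyString_FromStringAndSize` call, which is correct; `session_key` is never freed here, so please confirm `dcerpc_fetch_session_key` returns a reference into the pipe's state rather than a fresh allocation, otherwise the blob leaks on every attribute access. `PyString_FromStringAndSize` also ties this to Python 2.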
@@ -124,6 +135,8 @@ static PyGetSetDef dcerpc_interface_getsetters[] = {
discard_const_p(char, "syntax id of the abstract syntax") },
{ discard_const_p(char, "transfer_syntax"), py_iface_transfer_syntax, NULL,
discard_const_p(char, "syntax id of the transfersyntax") },
+ { discard_const_p(char, "session_key"), py_iface_session_key, NULL,
+ discard_const_p(char, "session key (as used for blob encryption on LSA and SAMR)") },
{ NULL }
};
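Review bot: the doc string `session key (as used for blob encryption on LSA and SAMR)` is useful; while touching this table, the neighbouring `transfersyntax` in the `transfer_syntax` entry's doc string is missing a space (`transfer syntax`).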
diff --git a/source4/script/mkrelease.sh b/source4/script/mkrelease.sh
deleted file mode 100755
index 19a1ade..0000000
--- a/source4/script/mkrelease.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-if [ ! -d ".git" -o `dirname $0` != "./source4/script" ]; then
- echo "Run this script from the top-level directory in the"
- echo "repository as: ./source4/script/mkrelease.sh"
- exit 1
-fi
-
-./buildtools/bin/waf dist
-TGZFILE="`echo *.tar.gz`"
-gunzip $TGZFILE
-TARFILE="`echo *.tar`"
-
-echo "Now run: "
-echo "gpg --detach-sign --armor $TARFILE"
-echo "gzip $TARFILE"
-echo "And then upload "
-echo "$TARFILE.gz $TARFILE.asc"
-echo "to pub/samba/samba4/ on samba.org"
diff --git a/source4/scripting/devel/createtrust b/source4/scripting/devel/createtrust
new file mode 100755
index 0000000..7f1ba33
--- /dev/null
+++ b/source4/scripting/devel/createtrust
@@ -0,0 +1,137 @@
+#!/usr/bin/env python
+
+# create a domain trust
+
+import sys
+from optparse import OptionParser
+
+sys.path.insert(0, "bin/python")
+
+import samba
+import samba.getopt as options
+from samba.dcerpc import lsa, security, drsblobs
+from samba.ndr import ndr_pack
+import random
+
+def arcfour_encrypt(key, data):
+ from Crypto.Cipher import ARC4
+ c = ARC4.new(key)
+ return c.encrypt(data)
+
+def string_to_array(string):
+ blob = [0] * len(string)
+
+ for i in range(len(string)):
+ blob[i] = ord(string[i])
+
+ return blob
+
+########### main code ###########
+if __name__ == "__main__":
+ parser = OptionParser("createtrust [options] server")
+ sambaopts = options.SambaOptions(parser)
+ credopts = options.CredentialsOptionsDouble(parser)
+ parser.add_option_group(credopts)
+
+ (opts, args) = parser.parse_args()
+
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ if len(args) != 1:
+ parser.error("You must supply a server")
+
+ if not creds.authentication_requested():
+ parser.error("You must supply credentials")
+
+ server = args[0]
+
+ binding_str = "ncacn_np:%s[print]" % server
+
+ lsaconn = lsa.lsarpc(binding_str, lp, creds)
+
+ objectAttr = lsa.ObjectAttribute()
+ objectAttr.sec_qos = lsa.QosInfo()
+
+ pol_handle = lsaconn.OpenPolicy2(''.decode('utf-8'),
+ objectAttr, security.SEC_FLAG_MAXIMUM_ALLOWED)
+
+ name = lsa.String()
+ name.string = "sub2.win2k3.obed.home.abartlet.net"
+ try:
+ info = lsaconn.QueryTrustedDomainInfoByName(pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+
+ lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
+ except RuntimeError:
+ pass
+
+ info = lsa.TrustDomainInfoInfoEx()
+ info.domain_name.string = "sub2.win2k3.obed.home.abartlet.net"
+ info.netbios_name.string = "sub2"
+ info.sid = security.dom_sid("S-1-5-21-538090388-3760119675-95745416")
+ info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
+ info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
+ info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
+
+ password_blob = string_to_array("password".encode('utf-16-le'))
+
+ clear_value = drsblobs.AuthInfoClear()
+ clear_value.size = len(password_blob)
+ clear_value.password = password_blob
+
+ clear_authentication_information = drsblobs.AuthenticationInformation()
+ clear_authentication_information.LastUpdateTime = 0
+ clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
+ clear_authentication_information.AuthInfo = clear_value
+
+ version_value = drsblobs.AuthInfoVersion()
+ version_value.version = 1
+
+ version = drsblobs.AuthenticationInformation()
+ version.LastUpdateTime = 0
+ version.AuthType = lsa.TRUST_AUTH_TYPE_VERSION
+ version.AuthInfo = version_value
+
+ authentication_information_array = drsblobs.AuthenticationInformationArray()
+ authentication_information_array.count = 2
+ authentication_information_array.array = [clear_authentication_information, version]
+
+ outgoing = drsblobs.trustAuthInOutBlob()
+ outgoing.count = 1
+ outgoing.current = authentication_information_array
+
+ trustpass = drsblobs.trustDomainPasswords()
+ confounder = [3] * 512
+
+ for i in range(512):
+ confounder[i] = random.randint(0, 255)
+
+ trustpass.confounder = confounder
+
+# print "confounder: ", trustpass.confounder
+
+ trustpass.outgoing = outgoing
+ trustpass.incoming = outgoing
+
+ trustpass_blob = ndr_pack(trustpass)
+
+# print "trustpass_blob: ", list(trustpass_blob)
+
+ encrypted_trustpass = arcfour_encrypt(lsaconn.session_key, trustpass_blob)
+
+# print "encrypted_trustpass: ", list(encrypted_trustpass)
+
+ auth_blob = lsa.DATA_BUF2()
+ auth_blob.size = len(encrypted_trustpass)
+ auth_blob.data = string_to_array(encrypted_trustpass)
+
+ auth_info = lsa.TrustDomainInfoAuthInfoInternal()
+ auth_info.auth_blob = auth_blob
+
+
+# print "auth_info.auth_blob.data: ", auth_info.auth_blob.data
+
+ trustdom_handle = lsaconn.CreateTrustedDomainEx2(pol_handle,
+ info,
+ auth_info,
+ security.SEC_STD_DELETE)
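Review bot: the confounder loop `confounder[i] = random.randint(0, 255)` draws from Python's `random` module, which is not a cryptographic generator; for a development-only tool this is tolerable, but `os.urandom(512)` is no harder to write and the confounder is the only unpredictable input to the RC4-encrypted `trustDomainPasswords` blob. The hard-coded `sub2.win2k3.obed.home.abartlet.net`, the fixed SID, the trust password `"password"` and the `[print]` binding option (which dumps packets) mark this as a developer script, so a comment at the top saying it is not for production use would help. The `AuthenticationInformationArray` still carries the `TRUST_AUTH_TYPE_VERSION` element (`count = 2`), whereas the `s4-subdomain: match windows form for trustAuthInOutBlob` commit in this push says Windows does not put a version element in the array; if the tool is meant to mirror that form it should drop it too. `''.decode('utf-8')` and the `Crypto.Cipher.ARC4` import inside `arcfour_encrypt` tie the script to Python 2 and PyCrypto.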
diff --git a/source4/scripting/python/samba/join.py b/source4/scripting/python/samba/join.py
index 3d81a29..ccb9f06 100644
--- a/source4/scripting/python/samba/join.py
+++ b/source4/scripting/python/samba/join.py
@@ -25,13 +25,16 @@ from samba.samdb import SamDB
from samba import gensec, Ldb, drs_utils
import ldb, samba, sys, os, uuid
from samba.ndr import ndr_pack
-from samba.dcerpc import security, drsuapi, misc, nbt
+from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs
from samba.credentials import Credentials, DONT_USE_KERBEROS
-from samba.provision import secretsdb_self_join, provision, FILL_DRS
+from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN
from samba.schema import Schema
from samba.net import Net
+from samba.dcerpc import security
import logging
import talloc
+import random
+import time
# this makes debugging easier
talloc.enable_null_tracking()
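Review bot: the standalone `from samba.dcerpc import security` duplicates the `security` import already in the combined `from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs` line three lines above; drop the extra one. `random` is newly imported here as well; if it is used to build the trust password or confounder the way `createtrust` does, `os.urandom` is the right source.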
@@ -81,9 +84,7 @@ class dc_join(object):
ctx.config_dn = str(ctx.samdb.get_config_basedn())
ctx.domsid = ctx.samdb.get_domain_sid()
ctx.domain_name = ctx.get_domain_name()
-
- lp.set("workgroup", ctx.domain_name)
- print("workgroup is %s" % ctx.domain_name)
+ ctx.invocation_id = misc.GUID(str(uuid.uuid4()))
ctx.dc_ntds_dn = ctx.get_dsServiceName()
ctx.dc_dnsHostName = ctx.get_dnsHostName()
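Review bot: `ctx.invocation_id = misc.GUID(str(uuid.uuid4()))` replaces the `lp.set("workgroup", ctx.domain_name)` call and its print, so `workgroup` is no longer written into the loadparm context during join; please confirm nothing downstream (the provision call, smb.conf generation) still expects `lp.get("workgroup")` to have been set here, because the removal fails silently if it does.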
@@ -105,9 +106,6 @@ class dc_join(object):
ctx.dnshostname = "%s.%s" % (ctx.myname, ctx.dnsdomain)
ctx.realm = ctx.dnsdomain
- lp.set("realm", ctx.realm)
-
- print("realm is %s" % ctx.realm)
ctx.acct_dn = "CN=%s,OU=Domain Controllers,%s" % (ctx.myname, ctx.base_dn)
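Review bot: the same question as for `workgroup` applies to the removed `lp.set("realm", ctx.realm)`: `ctx.realm` is still computed, but the loadparm no longer carries it, so any later code that reads the realm from `lp` rather than from `ctx` will now see whatever the on-disk smb.conf says.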
@@ -125,6 +123,7 @@ class dc_join(object):
ctx.krbtgt_dn = None
ctx.drsuapi = None
ctx.managedby = None
+ ctx.subdomain = False
def del_noerror(ctx, dn, recursive=False):
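Review bot: `ctx.subdomain = False` is the right default so existing callers keep the non-subdomain path; given that the `s4-join: fixed non-subdomain join` commit in this push had to add initialisers for two other variables, a short comment here listing the attributes that are only meaningful for a subdomain join would help the next reader.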
@@ -146,11 +145,14 @@ class dc_join(object):
try:
# find the krbtgt link
print("checking samaccountname")
- res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
- expression='samAccountName=%s' % ldb.binary_encode(ctx.samname),
- attrs=["msDS-krbTgtLink"])
- if res:
- ctx.del_noerror(res[0].dn, recursive=True)
+ if ctx.subdomain:
+ res = None
+ else:
+ res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+ expression='samAccountName=%s' % ldb.binary_encode(ctx.samname),
+ attrs=["msDS-krbTgtLink"])
+ if res:
+ ctx.del_noerror(res[0].dn, recursive=True)
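Review bot: with `ctx.subdomain` set the krbtgt search is skipped by assigning `res = None`, so the `if res:` cleanup never runs; the `s4-subdomain: don't delete account DN not created in subdomain join` commit explains why deletion is unwanted, so a one-line comment at the `res = None` saying the account lives in the parent domain and is not ours to remove would make the branch less surprising.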
--
Samba Shared Repository