diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-07-06 15:38:06 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-07-06 08:10:18 +0200 |
commit | 1c86ab9c5056c457a40dc4c8e3b39c9b940c077b (patch) | |
tree | 12195efef014874b3c05220ebd59430e2dee3978 /source4 | |
parent | c436f986ca67c71fe5d0855a14dfea65942a47fb (diff) | |
download | samba-1c86ab9c5056c457a40dc4c8e3b39c9b940c077b.tar.gz samba-1c86ab9c5056c457a40dc4c8e3b39c9b940c077b.tar.bz2 samba-1c86ab9c5056c457a40dc4c8e3b39c9b940c077b.zip |
s4-samba-tool: Provide a samba-tool domain dcpromo that upgrades a member to a DC
This command is like dcpromo in that it upgrades the existing workstation account
to be a domain controller.
The SID (and therefore any file ownerships) is preserved.
Andrew Bartlett
Diffstat (limited to 'source4')
-rw-r--r-- | source4/scripting/python/samba/join.py | 64 | ||||
-rw-r--r-- | source4/scripting/python/samba/netcmd/domain.py | 67 |
2 files changed, 121 insertions, 10 deletions
diff --git a/source4/scripting/python/samba/join.py b/source4/scripting/python/samba/join.py index 9ef7d3dd17..0d21279e25 100644 --- a/source4/scripting/python/samba/join.py +++ b/source4/scripting/python/samba/join.py @@ -47,8 +47,9 @@ class dc_join(object): '''perform a DC join''' def __init__(ctx, server=None, creds=None, lp=None, site=None, - netbios_name=None, targetdir=None, domain=None, - machinepass=None, use_ntvfs=False, dns_backend=None): + netbios_name=None, targetdir=None, domain=None, + machinepass=None, use_ntvfs=False, dns_backend=None, + promote_existing=False): ctx.creds = creds ctx.lp = lp ctx.site = site @@ -60,6 +61,9 @@ class dc_join(object): else: ctx.dns_backend = dns_backend + ctx.promote_existing = promote_existing + ctx.promote_from_dn = None + ctx.nc_list = [] ctx.full_nc_list = [] @@ -203,6 +207,25 @@ class dc_join(object): except Exception: pass + def promote_possible(ctx): + '''confirm that the account is just a bare NT4 BDC or a member server, so can be safely promoted''' + if ctx.subdomain: + # This shouldn't happen + raise Exception("Can not promote into a subdomain") + + res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(), + expression='sAMAccountName=%s' % ldb.binary_encode(ctx.samname), + attrs=["msDS-krbTgtLink", "userAccountControl", "serverReferenceBL", "rIDSetReferences"]) + if len(res) == 0: + raise Exception("Could not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'" % ctx.samname) + if "msDS-krbTgtLink" in res[0] or "serverReferenceBL" in res[0] or "rIDSetReferences" in res[0]: + raise Exception("Account '%s' appears to be an active DC, use 'samba-tool domain join' if you must re-create this account" % ctx.samname) + if (int(res[0]["userAccountControl"][0]) & (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT|samba.dsdb.UF_SERVER_TRUST_ACCOUNT) == 0): + raise Exception("Account %s is not a domain member or a bare NT4 BDC, use 'samba-tool domain join' instead'" % ctx.samname) + + ctx.promote_from_dn = res[0].dn + + def find_dc(ctx, domain): '''find a writeable DC for the given domain''' try: @@ -439,13 +462,29 @@ class dc_join(object): "dnshostname" : ctx.dnshostname} if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2008: rec['msDS-SupportedEncryptionTypes'] = str(samba.dsdb.ENC_ALL_TYPES) + elif ctx.promote_existing: + rec['msDS-SupportedEncryptionTypes'] = [] if ctx.managedby: rec["managedby"] = ctx.managedby + elif ctx.promote_existing: + rec["managedby"] = [] + if ctx.never_reveal_sid: rec["msDS-NeverRevealGroup"] = ctx.never_reveal_sid + elif ctx.promote_existing: + rec["msDS-NeverRevealGroup"] = [] + if ctx.reveal_sid: rec["msDS-RevealOnDemandGroup"] = ctx.reveal_sid - ctx.samdb.add(rec) + elif ctx.promote_existing: + rec["msDS-RevealOnDemandGroup"] = [] + + if ctx.promote_existing: + if ctx.promote_from_dn != ctx.acct_dn: + ctx.samdb.rename(ctx.promote_from_dn, ctx.acct_dn) + ctx.samdb.modify(ldb.Message.from_dict(ctx.samdb, rec, ldb.FLAG_MOD_REPLACE)) + else: + ctx.samdb.add(rec) if ctx.krbtgt_dn: ctx.add_krbtgt_account() @@ -490,7 +529,7 @@ class dc_join(object): for i in range(len(ctx.SPNs)): ctx.SPNs[i] = ctx.SPNs[i].replace("$NTDSGUID", str(ctx.ntds_guid)) m["servicePrincipalName"] = ldb.MessageElement(ctx.SPNs, - ldb.FLAG_MOD_ADD, + ldb.FLAG_MOD_REPLACE, "servicePrincipalName") ctx.samdb.modify(m) @@ -908,8 +947,11 @@ class dc_join(object): ctx.full_nc_list += ['DC=ForestDnsZones,%s' % ctx.root_dn] ctx.nc_list += ['DC=ForestDnsZones,%s' % ctx.root_dn] - - ctx.cleanup_old_join() + if ctx.promote_existing: + ctx.promote_possible() + else: + ctx.cleanup_old_join() + try: ctx.join_add_objects() ctx.join_provision() @@ -927,11 +969,12 @@ class dc_join(object): def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None, targetdir=None, domain=None, domain_critical_only=False, - machinepass=None, use_ntvfs=False, dns_backend=None): + machinepass=None, use_ntvfs=False, dns_backend=None, + promote_existing=False): """join as a RODC""" ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain, - machinepass, use_ntvfs, dns_backend) + machinepass, use_ntvfs, dns_backend, promote_existing) lp.set("workgroup", ctx.domain_name) print("workgroup is %s" % ctx.domain_name) @@ -981,10 +1024,11 @@ def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None, def join_DC(server=None, creds=None, lp=None, site=None, netbios_name=None, targetdir=None, domain=None, domain_critical_only=False, - machinepass=None, use_ntvfs=False, dns_backend=None): + machinepass=None, use_ntvfs=False, dns_backend=None, + promote_existing=False): """join as a DC""" ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain, - machinepass, use_ntvfs, dns_backend) + machinepass, use_ntvfs, dns_backend, promote_existing) lp.set("workgroup", ctx.domain_name) print("workgroup is %s" % ctx.domain_name) diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py index 4e73a29140..9791704064 100644 --- a/source4/scripting/python/samba/netcmd/domain.py +++ b/source4/scripting/python/samba/netcmd/domain.py @@ -126,6 +126,72 @@ class cmd_domain_info(Command): raise CommandError("Invalid IP address '" + address + "'!") +class cmd_domain_dcpromo(Command): + """Promotes an existing domain member or NT4 PDC to an AD DC""" + + synopsis = "%prog <dnsdomain> [DC|RODC] [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "versionopts": options.VersionOptions, + "credopts": options.CredentialsOptions, + } + + takes_options = [ + Option("--server", help="DC to join", type=str), + Option("--site", help="site to join", type=str), + Option("--targetdir", help="where to store provision", type=str), + Option("--domain-critical-only", + help="only replicate critical domain objects", + action="store_true"), + Option("--machinepass", type=str, metavar="PASSWORD", + help="choose machine password (otherwise random)"), + Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)", + action="store_true"), + Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND", + choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"], + help="The DNS server backend. SAMBA_INTERNAL is the builtin name server, " \ + "BIND9_DLZ uses samba4 AD to store zone information (default), " \ + "NONE skips the DNS setup entirely (this DC will not be a DNS server)", + default="BIND9_DLZ") + ] + + takes_args = ["domain", "role?"] + + def run(self, domain, role=None, sambaopts=None, credopts=None, + versionopts=None, server=None, site=None, targetdir=None, + domain_critical_only=False, parent_domain=None, machinepass=None, + use_ntvfs=False, dns_backend=None): + lp = sambaopts.get_loadparm() + creds = credopts.get_credentials(lp) + net = Net(creds, lp, server=credopts.ipaddress) + + if site is None: + site = "Default-First-Site-Name" + + netbios_name = lp.get("netbios name") + + if not role is None: + role = role.upper() + + if role == "DC": + join_DC(server=server, creds=creds, lp=lp, domain=domain, + site=site, netbios_name=netbios_name, targetdir=targetdir, + domain_critical_only=domain_critical_only, + machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend, + promote_existing=True) + return + elif role == "RODC": + join_RODC(server=server, creds=creds, lp=lp, domain=domain, + site=site, netbios_name=netbios_name, targetdir=targetdir, + domain_critical_only=domain_critical_only, + machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend, + promote_existing=True) + return + else: + raise CommandError("Invalid role '%s' (possible values: DC, RODC)" % role) + + class cmd_domain_join(Command): """Joins domain as either member or backup domain controller""" @@ -953,6 +1019,7 @@ class cmd_domain(SuperCommand): subcommands["exportkeytab"] = cmd_domain_export_keytab() subcommands["info"] = cmd_domain_info() subcommands["join"] = cmd_domain_join() + subcommands["dcpromo"] = cmd_domain_dcpromo() subcommands["level"] = cmd_domain_level() subcommands["passwordsettings"] = cmd_domain_passwordsettings() subcommands["classicupgrade"] = cmd_domain_classicupgrade() |