summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-07-06 15:38:06 +1000
committerAndrew Bartlett <abartlet@samba.org>2012-07-06 08:10:18 +0200
commit1c86ab9c5056c457a40dc4c8e3b39c9b940c077b (patch)
tree12195efef014874b3c05220ebd59430e2dee3978 /source4
parentc436f986ca67c71fe5d0855a14dfea65942a47fb (diff)
downloadsamba-1c86ab9c5056c457a40dc4c8e3b39c9b940c077b.tar.gz
samba-1c86ab9c5056c457a40dc4c8e3b39c9b940c077b.tar.bz2
samba-1c86ab9c5056c457a40dc4c8e3b39c9b940c077b.zip
s4-samba-tool: Provide a samba-tool domain dcpromo that upgrades a member to a DC
This command is like dcpromo in that it upgrades the existing workstation account to be a domain controller. The SID (and therefore any file ownerships) is preserved. Andrew Bartlett
Diffstat (limited to 'source4')
-rw-r--r--source4/scripting/python/samba/join.py64
-rw-r--r--source4/scripting/python/samba/netcmd/domain.py67
2 files changed, 121 insertions, 10 deletions
diff --git a/source4/scripting/python/samba/join.py b/source4/scripting/python/samba/join.py
index 9ef7d3dd17..0d21279e25 100644
--- a/source4/scripting/python/samba/join.py
+++ b/source4/scripting/python/samba/join.py
@@ -47,8 +47,9 @@ class dc_join(object):
'''perform a DC join'''
def __init__(ctx, server=None, creds=None, lp=None, site=None,
- netbios_name=None, targetdir=None, domain=None,
- machinepass=None, use_ntvfs=False, dns_backend=None):
+ netbios_name=None, targetdir=None, domain=None,
+ machinepass=None, use_ntvfs=False, dns_backend=None,
+ promote_existing=False):
ctx.creds = creds
ctx.lp = lp
ctx.site = site
@@ -60,6 +61,9 @@ class dc_join(object):
else:
ctx.dns_backend = dns_backend
+ ctx.promote_existing = promote_existing
+ ctx.promote_from_dn = None
+
ctx.nc_list = []
ctx.full_nc_list = []
@@ -203,6 +207,25 @@ class dc_join(object):
except Exception:
pass
+ def promote_possible(ctx):
+ '''confirm that the account is just a bare NT4 BDC or a member server, so can be safely promoted'''
+ if ctx.subdomain:
+ # This shouldn't happen
+ raise Exception("Can not promote into a subdomain")
+
+ res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+ expression='sAMAccountName=%s' % ldb.binary_encode(ctx.samname),
+ attrs=["msDS-krbTgtLink", "userAccountControl", "serverReferenceBL", "rIDSetReferences"])
+ if len(res) == 0:
+ raise Exception("Could not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'" % ctx.samname)
+ if "msDS-krbTgtLink" in res[0] or "serverReferenceBL" in res[0] or "rIDSetReferences" in res[0]:
+ raise Exception("Account '%s' appears to be an active DC, use 'samba-tool domain join' if you must re-create this account" % ctx.samname)
+ if (int(res[0]["userAccountControl"][0]) & (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT|samba.dsdb.UF_SERVER_TRUST_ACCOUNT) == 0):
+ raise Exception("Account %s is not a domain member or a bare NT4 BDC, use 'samba-tool domain join' instead'" % ctx.samname)
+
+ ctx.promote_from_dn = res[0].dn
+
+
def find_dc(ctx, domain):
'''find a writeable DC for the given domain'''
try:
@@ -439,13 +462,29 @@ class dc_join(object):
"dnshostname" : ctx.dnshostname}
if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2008:
rec['msDS-SupportedEncryptionTypes'] = str(samba.dsdb.ENC_ALL_TYPES)
+ elif ctx.promote_existing:
+ rec['msDS-SupportedEncryptionTypes'] = []
if ctx.managedby:
rec["managedby"] = ctx.managedby
+ elif ctx.promote_existing:
+ rec["managedby"] = []
+
if ctx.never_reveal_sid:
rec["msDS-NeverRevealGroup"] = ctx.never_reveal_sid
+ elif ctx.promote_existing:
+ rec["msDS-NeverRevealGroup"] = []
+
if ctx.reveal_sid:
rec["msDS-RevealOnDemandGroup"] = ctx.reveal_sid
- ctx.samdb.add(rec)
+ elif ctx.promote_existing:
+ rec["msDS-RevealOnDemandGroup"] = []
+
+ if ctx.promote_existing:
+ if ctx.promote_from_dn != ctx.acct_dn:
+ ctx.samdb.rename(ctx.promote_from_dn, ctx.acct_dn)
+ ctx.samdb.modify(ldb.Message.from_dict(ctx.samdb, rec, ldb.FLAG_MOD_REPLACE))
+ else:
+ ctx.samdb.add(rec)
if ctx.krbtgt_dn:
ctx.add_krbtgt_account()
@@ -490,7 +529,7 @@ class dc_join(object):
for i in range(len(ctx.SPNs)):
ctx.SPNs[i] = ctx.SPNs[i].replace("$NTDSGUID", str(ctx.ntds_guid))
m["servicePrincipalName"] = ldb.MessageElement(ctx.SPNs,
- ldb.FLAG_MOD_ADD,
+ ldb.FLAG_MOD_REPLACE,
"servicePrincipalName")
ctx.samdb.modify(m)
@@ -908,8 +947,11 @@ class dc_join(object):
ctx.full_nc_list += ['DC=ForestDnsZones,%s' % ctx.root_dn]
ctx.nc_list += ['DC=ForestDnsZones,%s' % ctx.root_dn]
-
- ctx.cleanup_old_join()
+ if ctx.promote_existing:
+ ctx.promote_possible()
+ else:
+ ctx.cleanup_old_join()
+
try:
ctx.join_add_objects()
ctx.join_provision()
@@ -927,11 +969,12 @@ class dc_join(object):
def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None,
targetdir=None, domain=None, domain_critical_only=False,
- machinepass=None, use_ntvfs=False, dns_backend=None):
+ machinepass=None, use_ntvfs=False, dns_backend=None,
+ promote_existing=False):
"""join as a RODC"""
ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain,
- machinepass, use_ntvfs, dns_backend)
+ machinepass, use_ntvfs, dns_backend, promote_existing)
lp.set("workgroup", ctx.domain_name)
print("workgroup is %s" % ctx.domain_name)
@@ -981,10 +1024,11 @@ def join_RODC(server=None, creds=None, lp=None, site=None, netbios_name=None,
def join_DC(server=None, creds=None, lp=None, site=None, netbios_name=None,
targetdir=None, domain=None, domain_critical_only=False,
- machinepass=None, use_ntvfs=False, dns_backend=None):
+ machinepass=None, use_ntvfs=False, dns_backend=None,
+ promote_existing=False):
"""join as a DC"""
ctx = dc_join(server, creds, lp, site, netbios_name, targetdir, domain,
- machinepass, use_ntvfs, dns_backend)
+ machinepass, use_ntvfs, dns_backend, promote_existing)
lp.set("workgroup", ctx.domain_name)
print("workgroup is %s" % ctx.domain_name)
diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py
index 4e73a29140..9791704064 100644
--- a/source4/scripting/python/samba/netcmd/domain.py
+++ b/source4/scripting/python/samba/netcmd/domain.py
@@ -126,6 +126,72 @@ class cmd_domain_info(Command):
raise CommandError("Invalid IP address '" + address + "'!")
+class cmd_domain_dcpromo(Command):
+ """Promotes an existing domain member or NT4 PDC to an AD DC"""
+
+ synopsis = "%prog <dnsdomain> [DC|RODC] [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("--server", help="DC to join", type=str),
+ Option("--site", help="site to join", type=str),
+ Option("--targetdir", help="where to store provision", type=str),
+ Option("--domain-critical-only",
+ help="only replicate critical domain objects",
+ action="store_true"),
+ Option("--machinepass", type=str, metavar="PASSWORD",
+ help="choose machine password (otherwise random)"),
+ Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
+ action="store_true"),
+ Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
+ choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"],
+ help="The DNS server backend. SAMBA_INTERNAL is the builtin name server, " \
+ "BIND9_DLZ uses samba4 AD to store zone information (default), " \
+ "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
+ default="BIND9_DLZ")
+ ]
+
+ takes_args = ["domain", "role?"]
+
+ def run(self, domain, role=None, sambaopts=None, credopts=None,
+ versionopts=None, server=None, site=None, targetdir=None,
+ domain_critical_only=False, parent_domain=None, machinepass=None,
+ use_ntvfs=False, dns_backend=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+ net = Net(creds, lp, server=credopts.ipaddress)
+
+ if site is None:
+ site = "Default-First-Site-Name"
+
+ netbios_name = lp.get("netbios name")
+
+ if not role is None:
+ role = role.upper()
+
+ if role == "DC":
+ join_DC(server=server, creds=creds, lp=lp, domain=domain,
+ site=site, netbios_name=netbios_name, targetdir=targetdir,
+ domain_critical_only=domain_critical_only,
+ machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend,
+ promote_existing=True)
+ return
+ elif role == "RODC":
+ join_RODC(server=server, creds=creds, lp=lp, domain=domain,
+ site=site, netbios_name=netbios_name, targetdir=targetdir,
+ domain_critical_only=domain_critical_only,
+ machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend,
+ promote_existing=True)
+ return
+ else:
+ raise CommandError("Invalid role '%s' (possible values: DC, RODC)" % role)
+
+
class cmd_domain_join(Command):
"""Joins domain as either member or backup domain controller"""
@@ -953,6 +1019,7 @@ class cmd_domain(SuperCommand):
subcommands["exportkeytab"] = cmd_domain_export_keytab()
subcommands["info"] = cmd_domain_info()
subcommands["join"] = cmd_domain_join()
+ subcommands["dcpromo"] = cmd_domain_dcpromo()
subcommands["level"] = cmd_domain_level()
subcommands["passwordsettings"] = cmd_domain_passwordsettings()
subcommands["classicupgrade"] = cmd_domain_classicupgrade()