a

�N(ih�@s�
dd
lm
Z

ddlZddlZddlZddlmZ
ddlmZ
ddl	m
Z

ddlmZm
Z

ddlmZmZ
ddlmZ
dd	lmZ
dd
lmZ
ddlmZ
ddlmZ
dd
lmZ
ddlmZ
ddlm Z 
ddl!m"Z"
ddl#m$Z$
ddl%m&Z&
ddl'm(Z(
ddl)m*Z*
ddl+m,Z,
e�-ej.�/e0�
�
Z1e1�2ej3�

edd��
Z4dd�Z5dZ6dd�Z7dddd �Z8dd!dd �Z9d"d#�Z:d$Z;d%Z<d&Z=d'd(�Z>d)d*�Z?d+d,�Z@d-d.�ZAd/d0�ZBd:d2d3�
ZCd4d5�ZDd6d7�ZEd8d9�ZFdS);�)
�print_functionN)
�urlsplit)
�contextmanager)
�	discovery)�CLIENT_NOT_CONFIGURED�CLIENT_ALREADY_CONFIGURED)�api�errors)
�
sysrestore)
�check_client_configuration)
�context)
�ipautil)
�SetseboolError)
�standard_logging_setup)
�DNSName)
�tasks)
�paths)
�	constants)
�services)
�ScriptError�
�generate_random_password)
�IPAOptionParserccs8
t�
��
�}ttd
d�}z�t�|tjj�}||
d�}tj|d|d�
t	�
d�
sVt	��
z.t	jj
��rpt	jj
��
t	jj
��
dV
Wn>tjjy�
}
z"td||
t|�
f�
�
WYd}~n
d}~00Wt	jj
��r�t	jj
��
ttd
|�
n(t	jj
���
rt	jj
��
ttd
|�
0Wd�
n1�
s*0


Y
dS)N�	principal)ZccacheZ
client_keytabZinitiate)�name�usage�store�finalizezGUnable to bind to IPA server. Error initializing principal %s in %s: %s)r
Zprivate_ccache�getattrr�gssapi�NameZNameTypeZkerberos_principalZCredentialsrZisdonerZBackendZ	rpcclientZisconnectedZ
disconnectZconnect�
exceptionsZGSSError�	Exception�str�setattr)rZkeytabZccache_fileZ
old_principalrr�
e�r&�F/usr/lib/python3.9/site-packages/ipaclient/install/ipa_client_samba.py�use_api_as_principal's2















��

�

r(cCs�d
}t|d�
}
|
j
dddd�
|
j
ddd	dd
�
|
j
ddd
ddd�
|
j
ddd
ddd�
|
j
ddd
ddd�
|
j
dddd
ddd�
|
j
dddd
ddd�
|
j
dd d
dd!d�
|
��\}}||fS)"Nz%prog [options]
)
rz--server�serverz FQDN of IPA server to connect to)�dest�helpz--netbios-name�netbiosnamezNetBIOS name of this machine)r*r+�defaultz
--no-homes�no_homes�
store_trueFz=Do not add [homes] share to the generated Samba configuration)r*�actionr-r+z--no-nfs�no_nfsz/Do not allow NFS integration (SELinux booleans)z--force�forcez'force installation by redoing all stepsz-dz--debug�debugzprint debugging informationz-Uz--unattended�
unattendedz.unattended installation never prompts the userz--uninstall�	uninstallz+Revert configuration and remove SMB service)rZ
add_option�
parse_args)r�parser�options�argsr&r&r'�
parse_optionsEsv






�



�




�




�




�





�





�




�
r:z�
 Domain name: {domain_name}
NetBIOS name: {netbios_name}
         SID: {domain_sid}
    ID range: {range_id_min} - {range_id_max}
c
Cs.g}
|D]}|
�t
jfi|�
�
�

qd
�|
�
S)N�

)�append�domain_information_template�format�join)�info�result�domainr&r&r'�pretty_print_domain_information�s



rCZ
ipantflatnameZipantsecurityidentifier�cn)�netbios_name�
domain_sid�domain_nameZipanttrusteddomainsidc
Cs�
z|jj
}
Wnty"


gYS0z|
�d
}WntjyJ


gYS0t�}t��D]\}}|�|dg
�d||<qZdj	|j
jd�
}|j�|�
d
}t
|dd�
|d<t
|dd�
t
|dd�
d|d	<|g
}|j��d
}|D]�}|jj|d
dddd�d
}	|	D]�}
t�}tD] }|
�t|dg
�d||<�
q"dj	|d
��d�
}|j�|�
d
}
t
|
dd�
|d<t
|
dd�
t
|
dd�
d|d	<|�|�

�
qq�|S)NrAr
z{realm}_id_range)
�realmZ	ipabaseidZrange_id_minZipaidrangesize�
Zrange_id_maxrDT)�all�rawrG)�CommandZtrustconfig_show�AttributeErrorr	�PublicError�dict�trust_keymap�items�getr>�envrHZidrange_show�intZ
trust_findZtrustdomain_find�trust_keymap_trustdomain�upperr<)rZ
tc_commandrAZl_domain�key�valZ
idrange_local�domainsZforest�
r�domZr_domZr_idrange_nameZ	r_idranger&r&r'�retrieve_domain_information�sN












"�


�




�

�
��
r\a-
[global]
    # Limit number of forked processes to avoid SMBLoris attack
    max smbd processes = 1000
    # Use dedicated Samba keytab. The key there must be synchronized
    # with Samba tdb databases or nothing will work
    dedicated keytab file = FILE:${samba_keytab}
    kerberos method = dedicated keytab
    # Set up logging per machine and Samba process
    log file = /var/log/samba/log.%m
    log level = 1
    # We force 'member server' role to allow winbind automatically
    # discover what is supported by the domain controller side
    server role = member server
    realm = ${realm}
    netbios name = ${machine_name}
    workgroup = ${netbios_name}
    # Local writable range for IDs not coming from IPA or trusted domains
    idmap config * : range = 0 - 0
    idmap config * : backend = tdb
z
    idmap config ${netbios_name} : range = ${range_id_min} - ${range_id_max}
    idmap config ${netbios_name} : backend = sss
z2
# Default homes share
[homes]
    read only = no
cCs�tj
tjj|jd
�}|dd|d<tg
}|D]}|�t�	t
|�g
�

q.|jsZ|�tg
�

|�
tj�

ttjd��(}|�t�	d�|�
|��

Wd�
n1s�0


Y
t�tj�

dS)N)Zsamba_keytabrHZmachine_namer
rE�
wr;)r�SAMBA_KEYTABrrSrHr,�smb_conf_template�extendr
Ztemplate_str�idmap_conf_domain_snippetr.�homes_conf_snippetZbackup_file�SMB_CONF�open�writer?rZrestore_context)�fstore�
statestorer8rYZsub_dict�templater[�
fr&r&r'�configure_smb_conf
s

�




6
rjcCs
td
d�S)N��r�rfrgr8rBr&r&r'�generate_smb_machine_account
srnc	
Cs�tj
d
|dtjdddg}ztj||d|dd�
Wn4tjyh
}
zt�d	|�
�WYd}~n
d}~00d
}ztj	j
||d�
Wn6tjy�
}
zt�d||�
�WYd}~n
d}~00dS)
Nz-p�-kz-Pz-ez<aes128-cts-hmac-sha1-96,aes256-cts-hmac-sha1-96,arcfour-hmacr;�utf-8��stdin�encodingz8Cannot set machine account password at IPA DC. Error: %szipaNTHash=MagicRegen)
Zaddattrz<Cannot update %s principal NT hash value due to an error: %s)
rZ
IPA_GETKEYTABr^r
�run�CalledProcessError�logger�errorrrLZservice_modr	rN)	rfrgr8rBr�passwordr9r%�valuer&r&r'�retrieve_service_principal#
s6






�





�






�rzc
Csz
tj
d
|dg}zt�|�

Wn4tjyR
}
zt�d|�
�WYd}~n
d}~00d�|d�
}tjtj	d|dg}zt�|�

Wn4tjy�
}
zt�d|�
�WYd}~n
d}~00d	�|d�
}tjtj	d|dg}zt�|�

Wn6tj�
y
}
zt�d|�
�WYd}~n
d}~00tj
d
dg}ztj||dd
�
Wn6tj�
yt
}
zt�d|�
�WYd}~n
d}~00dS)NZsetdomainsidrFz)Cannot set domain SID in Samba. Error: %sz#SECRETS/MACHINE_LAST_CHANGE_TIME/{}rErz2\00z8Cannot prepare machine account creds in Samba. Error: %szSECRETS/MACHINE_PASSWORD/{}Zchangesecretpwz-frprqz4Cannot set machine account creds in Samba. Error: %s)
r�NETr
rtrurvrwr>ZTDBTOOLZSECRETS_TDB)rfrgr8rBrxr9r%Zsecrets_keyr&r&r'�populate_samba_databasesI
sD





�




�





�




�r|c
Csntj
d
ddddg}t�d�

zt�|�

Wn>tjyh
}
z$d|jv
rTt�d|�
�WYd}~n
d}~00dS)	N�groupmap�addzsid=S-1-5-32-546zunixgroup=nobodyztype=builtinz&Map BUILTIN\Guests to a group 'nobody'z"already mapped to SID S-1-5-32-546z8Cannot map BUILTIN\Guests to a group "nobody". Error: %s)	rr{rvr@r
rtru�stdoutrw)rfrgr8rBr9r%r&r&r'�configure_default_groupmapv
s"




�	








�r�Tc
sp�f
d
d�}|r|nd}ztj
||d�
Wn@tyj
}
z(tdt|�
�

t�d|�
WYd}~n
d}~00dS)Ncs��d
||
�
dS)N�selinux)
�backup_state)rry�
rgr&r'�default_backup_func�
s
z1set_selinux_booleans.<locals>.default_backup_func)
�backup_funcz	WARNING: zWARNING: %s)r�set_selinux_booleansr�printr#rvr@)Zbooleansrg�backupr�r�r%r&r�r'r��
s





r�cCs0|jst
tjd
|
�
|js,t
tjd|
�
dS)NZshare_home_dirsZreshare_nfs_with_samba)r.r�r�SELINUX_BOOLEAN_SMBSERVICEr1rmr&r&r'�harden_configuration�
s


�


�r�csLt�
d
t�}t�
dt�}||fD]}|��r4|��
|��
q i}tjD]}|D]}|
�d|�||<qPqH|rzt	||
dd�
t
jtj
d�

|�tj�
r�t
�tj�

|�tj�

tjtj�tjd�tj�tjd�fD]0��f
d	d
�t���
D�
}	|	D]}
t
�|
�

q�q�tj�tj�
�
rxz t
�tjdtjjdtjg�

WnDt
j�
yv
}
z(|jd
k�
rbt� dtjj�
WYd}~n
d}~00t!tjj"tj#���
ztj$�%tjj�

Wn�t&j'�
y�
}
zt(dt)|�
�

WYd}~nZd}~0t&j*�
y�


t�+d�

Yn4t&j,�y&
}
zt�-d|�
WYd}~n
d}~00Wd�
n1�s>0


Y
dS)N�smb�winbindr�F)
r�)
Zccache_pathZprivate�lockc
s$g|]}
|
�d�
rt
j��|
��qS)
z.tdb)�endswith�os�pathr?)�.0�tdb_file�
Zsmbpathr&r'�
<listcomp>�
s

�zuninstall.<locals>.<listcomp>z--principalro�zFailed to remove old key for %s�This client is incompatible: �.No SMB service principal exists, OK to proceed�7Cannot connect to the server due to a generic error: %s).rZservicerZ
is_running�stop�disablerr�Z
restore_stater�r
Z
remove_ccacherZKRB5CC_SAMBAZhas_filercZremove_fileZrestore_fileZ	SAMBA_DIRr�r�r?�listdir�existsr^rtZIPA_RMKEYTABrS�	smb_princru�
returncodervZcriticalr(�
host_princ�KRB5_KEYTABrL�service_delr	�VersionErrorr�r#�NotFoundr3rNrw)rfrgr8r�r�ZsvcZboolean_statesZusecaserZ	tdb_filesr�r%r&r�r'r5�
sh














�
�






��	


�



$





�r5cCs.z
t�
Wn4t
y>
}
zt|j�

|jWYd}~Sd}~00t�tj�
}
t�	tj�
}t
�\}}tj}|jrttj
}t|d
|jddd�
tdtjd
|jdd�}tjfi|�
�

ttdtjjtjjf�
td	tjjtjjf�
d
�}tjjfi|�
�

|j�
r�|�d�
�
rtt|
||�
z d}|D]}	|�d|	�
�
qWn4t�
yh
}
ztd
|�

WYd}~dSd}~00td�

ntd�

dSd}
tj�tj�
�
r�tj}
|�d�
�
r�|j �
s�td�

t!Stj�tj"�
�
s�td�

t#Sd
}t$�%�}|j&�sztd�

|j'|
d�
}
t(�d�

|
t$j)k�rBt(�d�

t*tjj+�
}|j,g
}t(�d|j,�
n6d}|j-�sZtd�

dSt(�dd�.|j-�
�
|j-d}n�|j&}t(�d|�
|�/|tjj|
�}|dt$j0k�r�td�

td�

td�

n:|dt$j1k�r�t(�2d �

n|ddk�rtd!|�

dS|�s"td"|�

t(�d#|�
ntd$�

t(�3d%�

tjj|k�rPt(�4d&�

dS|j5�spt6�7tjj�
d�8�|_5|j5�9�|_5t:tjj;tj<����
zVtj=j>}tj=�?tjj@�

td'tjj@�

|j �s�WWd�
dStj=�Atjj@�

Wn�tB�y


t(�4d(|�
YWd�
dStCjD�yX
}
z*td)t|�
�

WYd}~Wd�
dSd}~0tCjE�yv


t(�d*�

YnBtCjF�y�
}
z&t(�4d+|�
WYd}~Wd�
dSd}~00td,|�

td-tjj@�

td.|j5�

t(�3d,|�
t(�3d-tjj@�
t(�3d.|j5�
tGt�
}tH|�
dk�r<t(�4d/�

Wd�
dStI|�
}t(�3d0|�
td0|�

|jJ�s�tK�Ld1d
��s�td2�

Wd�
dS|�Mdd3��r�|j �r�|tjj|j5�
|�Ndd3d4�
tO|
|||d�}|�Mdd5��r�|j �rtP|
|||�
|�Ndd5d4�
|�Mdd3�d4k�r<tQ|
|||dtjj@|�
|�Ndd3d4�
|�Mdd6��rR|j �rttR|
|||d|�
|�Ndd6d4�
|�Mdd7��r�|j �r�tS|
|||d�
|�Ndd7d4�
|�Mdd8��r�|j �r�tT|
|||d�
|�Ndd8d4�
|�Ndd4d�
td9tjU�

t(�3d9tjU�
Wd�
n1�s 0


Y
dS):NF�
az%(message)s)�verboser3�filemodeZconsole_formatZ
cli_installerr
)rZconfdirZ	in_serverr3r�z
host/%s@%sz
cifs/%s@%s)r�r�Z
domain_member)�
configured�	hardeningr}�tdb�service.principal�smb.confz9Error: Failed to remove the domain_member statestores: %srIz�Samba configuration is reverted. However, Samba databases were fully cleaned and old configuration file will not be usable anymore.z)Samba domain member is not configured yetz)Samba domain member is already configuredzSamba suite is not installedzSearching for IPA server...)
�ca_cert_pathzExecuting DNS discoveryz&Autodiscovery did not find LDAP serverzSetting server to %sTz7Autodiscovery was successful but didn't return a serverz*Autodiscovery success, possible servers %s�
,z"Verifying that %s is an IPA serverz0Anonymous access to the LDAP server is disabled.z'Proceeding without strict verification.zNNote: This is not an error if anonymous access has been explicitly restricted.z,Unencrypted access to LDAP is not supported.z*Unable to confirm that %s is an IPA serverzIPA server: %szUsing fixed server %szIPA server: DNS discoveryzConfigured to use DNS discoveryz�Cannot run on IPA master. Cannot configure Samba as a domain member on a domain controller. Please use ipa-adtrust-install for that!zUWARNING: SMB service principal %s already exists. Please remove it before proceeding.zIChosen IPA master %s does not have support to set up Samba domain membersr�r�r�zChosen IPA master: %szSMB principal to be created: %szNetBIOS name to be used: %sz�No configured trust controller detected on IPA masters. Use ipa-adtrust-install on an IPA master to configure trust controller role.zDiscovered domains to use:
%sz3Continue to configure the system with these values?zInstallation abortedr�r�r�r�r}r�zfSamba domain member is configured. Please check configuration at %s and start smb and winbind services)Vrrr��msgZrvalr
Z	FileStorerZIPA_CLIENT_SYSRESTOREZ	StateFiler:ZIPACLIENTSAMBA_INSTALL_LOGr5ZIPACLIENTSAMBA_UNINSTALL_LOGrr3rOZETC_IPArZ	bootstrapr#rS�hostrHZ_mergeZ	has_stateZdelete_stater"r�r�r�Z
IPA_CA_CRTr2rZSMBDrrZIPADiscoveryr)�searchrvZNO_LDAP_SERVERrZ
xmlrpc_uri�netlocZserversr?ZipacheckldapZNO_ACCESS_TO_LDAPZNO_TLS_LDAPZwarningr@rwr,rZ	from_text�decoderVr(r�r�rL�service_add_smbZservice_showr�r�rMr	r�r�rNr\�lenrCr4r
Z
user_inputZ	get_stater�rnrjrzr|r�r�rc)r%rfrgr8�_argsZlogfileZcfgZlocal_config�keysrWr�ZautodiscoverZds�ret�
sr)Zldapretr�rYZstr_inforxr&r&r'rt�
s�
















�




�	

�








��
�





















�



�






�









�




��




�


"





�$









�

��

�
�
��

�
�

�
�

�
��

��

��
�$rt)
T)GZ
__future__rZloggingr�r�urllib.parser�
contextlibrZ	ipaclientrZipaclient.install.clientrrZipalibrr	Zipalib.installr
Zipalib.utilrZipalib.requestrZ	ipapythonr
Zipapython.errorsrZipapython.ipa_log_managerrZipapython.dnsutilrZipaplatform.tasksrZipaplatform.pathsrZipaplatform.constantsrZipaplatformrZipapython.admintoolrZsambarZipapython.configrZ	getLoggerr��basename�__file__rvZsetLevel�DEBUGr(r:r=rCrPrUr\r_rarbrjrnrzr|r�r�r�r5rtr&r&r&r'�<module>sd





















?

�

�?&-
F