/* msg.h
 * Header file for all msg-related functions.
 *
 * File begun on 2007-07-13 by RGerhards (extracted from syslogd.c)
 *
 * Copyright 2007 Rainer Gerhards and Adiscon GmbH.
 *
 * This file is part of rsyslog.
 *
 * Rsyslog is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Rsyslog is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with Rsyslog.  If not, see <http://www.gnu.org/licenses/>.
 *
 * A copy of the GPL can be found in the file "COPYING" in this distribution.
 */
#include "template.h" /* this is a quirk, but these two are too interdependant... */

#ifndef	MSG_H_INCLUDED
#define	MSG_H_INCLUDED 1

#include <pthread.h>
#include "obj.h"
#include "syslogd-types.h"
#include "template.h"

/* rgerhards 2004-11-08: The following structure represents a
 * syslog message. 
 *
 * Important Note:
 * The message object is used for multiple purposes (once it
 * has been created). Once created, it actully is a read-only
 * object (though we do not specifically express this). In order
 * to avoid multiple copies of the same object, we use a
 * reference counter. This counter is set to 1 by the constructer
 * and increased by 1 with a call to MsgAddRef(). The destructor
 * checks the reference count. If it is more than 1, only the counter
 * will be decremented. If it is 1, however, the object is actually
 * destroyed. To make this work, it is vital that MsgAddRef() is
 * called each time a "copy" is stored somewhere.
 */
struct msg {
	BEGINobjInstance;	/* Data to implement generic object - MUST be the first data element! */
	pthread_mutexattr_t mutAttr;
	pthread_mutex_t mut;
	int	iRefCount;	/* reference counter (0 = unused) */
	short	bParseHOSTNAME;	/* should the hostname be parsed from the message? */
	   /* background: the hostname is not present on "regular" messages
	    * received via UNIX domain sockets from the same machine. However,
	    * it is available when we have a forwarder (e.g. rfc3195d) using local
	    * sockets. All in all, the parser would need parse templates, that would
	    * resolve all these issues... rgerhards, 2005-10-06
	    */
	flowControl_t flowCtlType; /**< type of flow control we can apply, for enqueueing, needs not to be persisted because
				        once data has entered the queue, this property is no longer needed. */
	short	iSeverity;	/* the severity 0..7 */
	uchar *pszSeverity;	/* severity as string... */
	int iLenSeverity;	/* ... and its length. */
 	uchar *pszSeverityStr;   /* severity name... */
 	int iLenSeverityStr;    /* ... and its length. */
	short	iFacility;	/* Facility code 0 .. 23*/
	uchar *pszFacility;	/* Facility as string... */
	int iLenFacility;	/* ... and its length. */
 	uchar *pszFacilityStr;   /* facility name... */
 	int iLenFacilityStr;    /* ... and its length. */
	uchar *pszPRI;		/* the PRI as a string */
	int iLenPRI;		/* and its length */
	uchar	*pszRawMsg;	/* message as it was received on the
				 * wire. This is important in case we
				 * need to preserve cryptographic verifiers.
				 */
	int	iLenRawMsg;	/* length of raw message */
	uchar	*pszMSG;	/* the MSG part itself */
	int	iLenMSG;	/* Length of the MSG part */
	uchar	*pszUxTradMsg;	/* the traditional UNIX message */
	int	iLenUxTradMsg;/* Length of the traditional UNIX message */
	uchar	*pszTAG;	/* pointer to tag value */
	int	iLenTAG;	/* Length of the TAG part */
	uchar	*pszHOSTNAME;	/* HOSTNAME from syslog message */
	int	iLenHOSTNAME;	/* Length of HOSTNAME */
	uchar	*pszRcvFrom;	/* System message was received from */
	int	iLenRcvFrom;	/* Length of pszRcvFrom */
	short	iProtocolVersion;/* protocol version of message received 0 - legacy, 1 syslog-protocol) */
	cstr_t *pCSProgName;	/* the (BSD) program name */
	cstr_t *pCSStrucData;/* STRUCTURED-DATA */
	cstr_t *pCSAPPNAME;	/* APP-NAME */
	cstr_t *pCSPROCID;	/* PROCID */
	cstr_t *pCSMSGID;	/* MSGID */
	struct syslogTime tRcvdAt;/* time the message entered this program */
	char *pszRcvdAt3164;	/* time as RFC3164 formatted string (always 15 charcters) */
	char *pszRcvdAt3339;	/* time as RFC3164 formatted string (32 charcters at most) */
	char *pszRcvdAt_MySQL;	/* rcvdAt as MySQL formatted string (always 14 charcters) */
        char *pszRcvdAt_PgSQL;  /* rcvdAt as PgSQL formatted string (always 21 characters) */
	struct syslogTime tTIMESTAMP;/* (parsed) value of the timestamp */
	char *pszTIMESTAMP3164;	/* TIMESTAMP as RFC3164 formatted string (always 15 charcters) */
	char *pszTIMESTAMP3339;	/* TIMESTAMP as RFC3339 formatted string (32 charcters at most) */
	char *pszTIMESTAMP_MySQL;/* TIMESTAMP as MySQL formatted string (always 14 charcters) */
        char *pszTIMESTAMP_PgSQL;/* TIMESTAMP as PgSQL formatted string (always 21 characters) */
	int msgFlags;		/* flags associated with this message */
};
typedef struct msg msg_t;	/* new name */

/* function prototypes
 */
PROTOTYPEObjClassInit(msg);
char* getProgramName(msg_t*);
rsRetVal msgConstruct(msg_t **ppThis);
rsRetVal msgDestruct(msg_t **ppM);
msg_t* MsgDup(msg_t* pOld);
msg_t *MsgAddRef(msg_t *pM);
void setProtocolVersion(msg_t *pM, int iNewVersion);
int getProtocolVersion(msg_t *pM);
char *getProtocolVersionString(msg_t *pM);
int getMSGLen(msg_t *pM);
char *getRawMsg(msg_t *pM);
char *getUxTradMsg(msg_t *pM);
char *getMSG(msg_t *pM);
char *getPRI(msg_t *pM);
int getPRIi(msg_t *pM);
char *getTimeReported(msg_t *pM, enum tplFormatTypes eFmt);
char *getTimeGenerated(msg_t *pM, enum tplFormatTypes eFmt);
char *getSeverity(msg_t *pM);
char *getSeverityStr(msg_t *pM);
char *getFacility(msg_t *pM);
char *getFacilityStr(msg_t *pM);
rsRetVal MsgSetAPPNAME(msg_t *pMsg, char* pszAPPNAME);
char *getAPPNAME(msg_t *pM);
rsRetVal MsgSetPROCID(msg_t *pMsg, char* pszPROCID);
int getPROCIDLen(msg_t *pM);
char *getPROCID(msg_t *pM);
rsRetVal MsgSetMSGID(msg_t *pMsg, char* pszMSGID);
void MsgAssignTAG(msg_t *pMsg, uchar *pBuf);
void MsgSetTAG(msg_t *pMsg, char* pszTAG);
rsRetVal MsgSetFlowControlType(msg_t *pMsg, flowControl_t eFlowCtl);
char *getTAG(msg_t *pM);
int getHOSTNAMELen(msg_t *pM);
char *getHOSTNAME(msg_t *pM);
char *getRcvFrom(msg_t *pM);
rsRetVal MsgSetStructuredData(msg_t *pMsg, char* pszStrucData);
char *getStructuredData(msg_t *pM);
int getProgramNameLen(msg_t *pM);
char *getProgramName(msg_t *pM);
void MsgSetRcvFrom(msg_t *pMsg, char* pszRcvFrom);
void MsgAssignHOSTNAME(msg_t *pMsg, char *pBuf);
void MsgSetHOSTNAME(msg_t *pMsg, char* pszHOSTNAME);
int MsgSetUxTradMsg(msg_t *pMsg, char* pszUxTradMsg);
void MsgSetMSG(msg_t *pMsg, char* pszMSG);
void MsgSetRawMsg(msg_t *pMsg, char* pszRawMsg);
void moveHOSTNAMEtoTAG(msg_t *pM);
char *getMSGID(msg_t *pM);
char *MsgGetProp(msg_t *pMsg, struct templateEntry *pTpe,
                 cstr_t *pCSPropName, unsigned short *pbMustBeFreed);
char *textpri(char *pRes, size_t pResLen, int pri);
rsRetVal msgGetMsgVar(msg_t *pThis, cstr_t *pstrPropName, var_t **ppVar);
rsRetVal MsgEnableThreadSafety(void);

/* The MsgPrepareEnqueue() function is a macro for performance reasons.
 * It needs one global variable to work. This is acceptable, as it gains
 * us quite some performance and is fully abstracted using this header file.
 * The important thing is that no other module is permitted to actually
 * access that global variable! -- rgerhards, 2008-01-05
 */
extern void (*funcMsgPrepareEnqueue)(msg_t *pMsg);
#define MsgPrepareEnqueue(pMsg) funcMsgPrepareEnqueue(pMsg)

#endif /* #ifndef MSG_H_INCLUDED */
/*
 * vi:set ai:
 */
='n137' href='#n137'>137</a>
<a id='n138' href='#n138'>138</a>
<a id='n139' href='#n139'>139</a>
<a id='n140' href='#n140'>140</a>
<a id='n141' href='#n141'>141</a>
<a id='n142' href='#n142'>142</a>
<a id='n143' href='#n143'>143</a>
<a id='n144' href='#n144'>144</a>
<a id='n145' href='#n145'>145</a>
<a id='n146' href='#n146'>146</a>
<a id='n147' href='#n147'>147</a>
<a id='n148' href='#n148'>148</a>
<a id='n149' href='#n149'>149</a>
<a id='n150' href='#n150'>150</a>
<a id='n151' href='#n151'>151</a>
<a id='n152' href='#n152'>152</a>
<a id='n153' href='#n153'>153</a>
<a id='n154' href='#n154'>154</a>
<a id='n155' href='#n155'>155</a>
<a id='n156' href='#n156'>156</a>
<a id='n157' href='#n157'>157</a>
<a id='n158' href='#n158'>158</a>
<a id='n159' href='#n159'>159</a>
<a id='n160' href='#n160'>160</a>
<a id='n161' href='#n161'>161</a>
<a id='n162' href='#n162'>162</a>
<a id='n163' href='#n163'>163</a>
<a id='n164' href='#n164'>164</a>
<a id='n165' href='#n165'>165</a>
<a id='n166' href='#n166'>166</a>
<a id='n167' href='#n167'>167</a>
<a id='n168' href='#n168'>168</a>
<a id='n169' href='#n169'>169</a>
<a id='n170' href='#n170'>170</a>
<a id='n171' href='#n171'>171</a>
<a id='n172' href='#n172'>172</a>
<a id='n173' href='#n173'>173</a>
<a id='n174' href='#n174'>174</a>
<a id='n175' href='#n175'>175</a>
<a id='n176' href='#n176'>176</a>
<a id='n177' href='#n177'>177</a>
<a id='n178' href='#n178'>178</a>
<a id='n179' href='#n179'>179</a>
<a id='n180' href='#n180'>180</a>
<a id='n181' href='#n181'>181</a>
<a id='n182' href='#n182'>182</a>
<a id='n183' href='#n183'>183</a>
<a id='n184' href='#n184'>184</a>
<a id='n185' href='#n185'>185</a>
<a id='n186' href='#n186'>186</a>
<a id='n187' href='#n187'>187</a>
<a id='n188' href='#n188'>188</a>
<a id='n189' href='#n189'>189</a>
<a id='n190' href='#n190'>190</a>
<a id='n191' href='#n191'>191</a>
<a id='n192' href='#n192'>192</a>
<a id='n193' href='#n193'>193</a>
<a id='n194' href='#n194'>194</a>
<a id='n195' href='#n195'>195</a>
<a id='n196' href='#n196'>196</a>
<a id='n197' href='#n197'>197</a>
<a id='n198' href='#n198'>198</a>
<a id='n199' href='#n199'>199</a>
<a id='n200' href='#n200'>200</a>
<a id='n201' href='#n201'>201</a>
<a id='n202' href='#n202'>202</a>
<a id='n203' href='#n203'>203</a>
<a id='n204' href='#n204'>204</a>
<a id='n205' href='#n205'>205</a>
<a id='n206' href='#n206'>206</a>
<a id='n207' href='#n207'>207</a>
<a id='n208' href='#n208'>208</a>
<a id='n209' href='#n209'>209</a>
<a id='n210' href='#n210'>210</a>
<a id='n211' href='#n211'>211</a>
<a id='n212' href='#n212'>212</a>
<a id='n213' href='#n213'>213</a>
<a id='n214' href='#n214'>214</a>
<a id='n215' href='#n215'>215</a>
<a id='n216' href='#n216'>216</a>
<a id='n217' href='#n217'>217</a>
<a id='n218' href='#n218'>218</a>
<a id='n219' href='#n219'>219</a>
<a id='n220' href='#n220'>220</a>
<a id='n221' href='#n221'>221</a>
<a id='n222' href='#n222'>222</a>
<a id='n223' href='#n223'>223</a>
<a id='n224' href='#n224'>224</a>
<a id='n225' href='#n225'>225</a>
<a id='n226' href='#n226'>226</a>
<a id='n227' href='#n227'>227</a>
<a id='n228' href='#n228'>228</a>
<a id='n229' href='#n229'>229</a>
<a id='n230' href='#n230'>230</a>
<a id='n231' href='#n231'>231</a>
<a id='n232' href='#n232'>232</a>
<a id='n233' href='#n233'>233</a>
<a id='n234' href='#n234'>234</a>
<a id='n235' href='#n235'>235</a>
<a id='n236' href='#n236'>236</a>
<a id='n237' href='#n237'>237</a>
<a id='n238' href='#n238'>238</a>
<a id='n239' href='#n239'>239</a>
<a id='n240' href='#n240'>240</a>
<a id='n241' href='#n241'>241</a>
<a id='n242' href='#n242'>242</a>
<a id='n243' href='#n243'>243</a>
<a id='n244' href='#n244'>244</a>
<a id='n245' href='#n245'>245</a>
<a id='n246' href='#n246'>246</a>
<a id='n247' href='#n247'>247</a>
<a id='n248' href='#n248'>248</a>
<a id='n249' href='#n249'>249</a>
<a id='n250' href='#n250'>250</a>
<a id='n251' href='#n251'>251</a>
<a id='n252' href='#n252'>252</a>
<a id='n253' href='#n253'>253</a>
<a id='n254' href='#n254'>254</a>
<a id='n255' href='#n255'>255</a>
<a id='n256' href='#n256'>256</a>
<a id='n257' href='#n257'>257</a>
<a id='n258' href='#n258'>258</a>
<a id='n259' href='#n259'>259</a>
<a id='n260' href='#n260'>260</a>
<a id='n261' href='#n261'>261</a>
<a id='n262' href='#n262'>262</a>
<a id='n263' href='#n263'>263</a>
<a id='n264' href='#n264'>264</a>
<a id='n265' href='#n265'>265</a>
<a id='n266' href='#n266'>266</a>
<a id='n267' href='#n267'>267</a>
<a id='n268' href='#n268'>268</a>
<a id='n269' href='#n269'>269</a>
<a id='n270' href='#n270'>270</a>
<a id='n271' href='#n271'>271</a>
<a id='n272' href='#n272'>272</a>
<a id='n273' href='#n273'>273</a>
<a id='n274' href='#n274'>274</a>
<a id='n275' href='#n275'>275</a>
<a id='n276' href='#n276'>276</a>
<a id='n277' href='#n277'>277</a>
<a id='n278' href='#n278'>278</a>
<a id='n279' href='#n279'>279</a>
<a id='n280' href='#n280'>280</a>
<a id='n281' href='#n281'>281</a>
<a id='n282' href='#n282'>282</a>
<a id='n283' href='#n283'>283</a>
<a id='n284' href='#n284'>284</a>
<a id='n285' href='#n285'>285</a>
<a id='n286' href='#n286'>286</a>
<a id='n287' href='#n287'>287</a>
<a id='n288' href='#n288'>288</a>
<a id='n289' href='#n289'>289</a>
<a id='n290' href='#n290'>290</a>
<a id='n291' href='#n291'>291</a>
<a id='n292' href='#n292'>292</a>
<a id='n293' href='#n293'>293</a>
<a id='n294' href='#n294'>294</a>
<a id='n295' href='#n295'>295</a>
<a id='n296' href='#n296'>296</a>
<a id='n297' href='#n297'>297</a>
<a id='n298' href='#n298'>298</a>
<a id='n299' href='#n299'>299</a>
<a id='n300' href='#n300'>300</a>
<a id='n301' href='#n301'>301</a>
<a id='n302' href='#n302'>302</a>
<a id='n303' href='#n303'>303</a>
<a id='n304' href='#n304'>304</a>
<a id='n305' href='#n305'>305</a>
<a id='n306' href='#n306'>306</a>
<a id='n307' href='#n307'>307</a>
<a id='n308' href='#n308'>308</a>
<a id='n309' href='#n309'>309</a>
<a id='n310' href='#n310'>310</a>
<a id='n311' href='#n311'>311</a>
<a id='n312' href='#n312'>312</a>
<a id='n313' href='#n313'>313</a>
<a id='n314' href='#n314'>314</a>
<a id='n315' href='#n315'>315</a>
<a id='n316' href='#n316'>316</a>
<a id='n317' href='#n317'>317</a>
<a id='n318' href='#n318'>318</a>
<a id='n319' href='#n319'>319</a>
<a id='n320' href='#n320'>320</a>
<a id='n321' href='#n321'>321</a>
<a id='n322' href='#n322'>322</a>
<a id='n323' href='#n323'>323</a>
<a id='n324' href='#n324'>324</a>
<a id='n325' href='#n325'>325</a>
<a id='n326' href='#n326'>326</a>
<a id='n327' href='#n327'>327</a>
<a id='n328' href='#n328'>328</a>
<a id='n329' href='#n329'>329</a>
<a id='n330' href='#n330'>330</a>
<a id='n331' href='#n331'>331</a>
<a id='n332' href='#n332'>332</a>
<a id='n333' href='#n333'>333</a>
<a id='n334' href='#n334'>334</a>
<a id='n335' href='#n335'>335</a>
<a id='n336' href='#n336'>336</a>
<a id='n337' href='#n337'>337</a>
<a id='n338' href='#n338'>338</a>
<a id='n339' href='#n339'>339</a>
<a id='n340' href='#n340'>340</a>
<a id='n341' href='#n341'>341</a>
<a id='n342' href='#n342'>342</a>
<a id='n343' href='#n343'>343</a>
<a id='n344' href='#n344'>344</a>
<a id='n345' href='#n345'>345</a>
<a id='n346' href='#n346'>346</a>
<a id='n347' href='#n347'>347</a>
<a id='n348' href='#n348'>348</a>
<a id='n349' href='#n349'>349</a>
<a id='n350' href='#n350'>350</a>
<a id='n351' href='#n351'>351</a>
<a id='n352' href='#n352'>352</a>
<a id='n353' href='#n353'>353</a>
<a id='n354' href='#n354'>354</a>
<a id='n355' href='#n355'>355</a>
<a id='n356' href='#n356'>356</a>
<a id='n357' href='#n357'>357</a>
<a id='n358' href='#n358'>358</a>
<a id='n359' href='#n359'>359</a>
<a id='n360' href='#n360'>360</a>
<a id='n361' href='#n361'>361</a>
<a id='n362' href='#n362'>362</a>
<a id='n363' href='#n363'>363</a>
<a id='n364' href='#n364'>364</a>
<a id='n365' href='#n365'>365</a>
<a id='n366' href='#n366'>366</a>
<a id='n367' href='#n367'>367</a>
<a id='n368' href='#n368'>368</a>
<a id='n369' href='#n369'>369</a>
<a id='n370' href='#n370'>370</a>
<a id='n371' href='#n371'>371</a>
<a id='n372' href='#n372'>372</a>
<a id='n373' href='#n373'>373</a>
<a id='n374' href='#n374'>374</a>
<a id='n375' href='#n375'>375</a>
<a id='n376' href='#n376'>376</a>
<a id='n377' href='#n377'>377</a>
<a id='n378' href='#n378'>378</a>
<a id='n379' href='#n379'>379</a>
<a id='n380' href='#n380'>380</a>
<a id='n381' href='#n381'>381</a>
<a id='n382' href='#n382'>382</a>
<a id='n383' href='#n383'>383</a>
<a id='n384' href='#n384'>384</a>
<a id='n385' href='#n385'>385</a>
<a id='n386' href='#n386'>386</a>
<a id='n387' href='#n387'>387</a>
<a id='n388' href='#n388'>388</a>
<a id='n389' href='#n389'>389</a>
<a id='n390' href='#n390'>390</a>
<a id='n391' href='#n391'>391</a>
<a id='n392' href='#n392'>392</a>
<a id='n393' href='#n393'>393</a>
<a id='n394' href='#n394'>394</a>
<a id='n395' href='#n395'>395</a>
<a id='n396' href='#n396'>396</a>
<a id='n397' href='#n397'>397</a>
<a id='n398' href='#n398'>398</a>
<a id='n399' href='#n399'>399</a>
<a id='n400' href='#n400'>400</a>
<a id='n401' href='#n401'>401</a>
<a id='n402' href='#n402'>402</a>
<a id='n403' href='#n403'>403</a>
<a id='n404' href='#n404'>404</a>
<a id='n405' href='#n405'>405</a>
<a id='n406' href='#n406'>406</a>
<a id='n407' href='#n407'>407</a>
<a id='n408' href='#n408'>408</a>
<a id='n409' href='#n409'>409</a>
<a id='n410' href='#n410'>410</a>
<a id='n411' href='#n411'>411</a>
<a id='n412' href='#n412'>412</a>
<a id='n413' href='#n413'>413</a>
<a id='n414' href='#n414'>414</a>
<a id='n415' href='#n415'>415</a>
<a id='n416' href='#n416'>416</a>
<a id='n417' href='#n417'>417</a>
<a id='n418' href='#n418'>418</a>
<a id='n419' href='#n419'>419</a>
<a id='n420' href='#n420'>420</a>
<a id='n421' href='#n421'>421</a>
<a id='n422' href='#n422'>422</a>
<a id='n423' href='#n423'>423</a>
<a id='n424' href='#n424'>424</a>
<a id='n425' href='#n425'>425</a>
<a id='n426' href='#n426'>426</a>
<a id='n427' href='#n427'>427</a>
<a id='n428' href='#n428'>428</a>
<a id='n429' href='#n429'>429</a>
<a id='n430' href='#n430'>430</a>
<a id='n431' href='#n431'>431</a>
<a id='n432' href='#n432'>432</a>
<a id='n433' href='#n433'>433</a>
<a id='n434' href='#n434'>434</a>
<a id='n435' href='#n435'>435</a>
<a id='n436' href='#n436'>436</a>
<a id='n437' href='#n437'>437</a>
<a id='n438' href='#n438'>438</a>
<a id='n439' href='#n439'>439</a>
<a id='n440' href='#n440'>440</a>
<a id='n441' href='#n441'>441</a>
<a id='n442' href='#n442'>442</a>
<a id='n443' href='#n443'>443</a>
<a id='n444' href='#n444'>444</a>
<a id='n445' href='#n445'>445</a>
<a id='n446' href='#n446'>446</a>
<a id='n447' href='#n447'>447</a>
<a id='n448' href='#n448'>448</a>
<a id='n449' href='#n449'>449</a>
<a id='n450' href='#n450'>450</a>
<a id='n451' href='#n451'>451</a>
<a id='n452' href='#n452'>452</a>
<a id='n453' href='#n453'>453</a>
<a id='n454' href='#n454'>454</a>
<a id='n455' href='#n455'>455</a>
<a id='n456' href='#n456'>456</a>
<a id='n457' href='#n457'>457</a>
<a id='n458' href='#n458'>458</a>
<a id='n459' href='#n459'>459</a>
<a id='n460' href='#n460'>460</a>
<a id='n461' href='#n461'>461</a>
<a id='n462' href='#n462'>462</a>
<a id='n463' href='#n463'>463</a>
<a id='n464' href='#n464'>464</a>
<a id='n465' href='#n465'>465</a>
<a id='n466' href='#n466'>466</a>
<a id='n467' href='#n467'>467</a>
<a id='n468' href='#n468'>468</a>
<a id='n469' href='#n469'>469</a>
<a id='n470' href='#n470'>470</a>
<a id='n471' href='#n471'>471</a>
<a id='n472' href='#n472'>472</a>
<a id='n473' href='#n473'>473</a>
<a id='n474' href='#n474'>474</a>
<a id='n475' href='#n475'>475</a>
<a id='n476' href='#n476'>476</a>
<a id='n477' href='#n477'>477</a>
<a id='n478' href='#n478'>478</a>
<a id='n479' href='#n479'>479</a>
<a id='n480' href='#n480'>480</a>
<a id='n481' href='#n481'>481</a>
<a id='n482' href='#n482'>482</a>
<a id='n483' href='#n483'>483</a>
<a id='n484' href='#n484'>484</a>
<a id='n485' href='#n485'>485</a>
<a id='n486' href='#n486'>486</a>
<a id='n487' href='#n487'>487</a>
<a id='n488' href='#n488'>488</a>
<a id='n489' href='#n489'>489</a>
<a id='n490' href='#n490'>490</a>
<a id='n491' href='#n491'>491</a>
<a id='n492' href='#n492'>492</a>
<a id='n493' href='#n493'>493</a>
<a id='n494' href='#n494'>494</a>
<a id='n495' href='#n495'>495</a>
<a id='n496' href='#n496'>496</a>
<a id='n497' href='#n497'>497</a>
<a id='n498' href='#n498'>498</a>
<a id='n499' href='#n499'>499</a>
<a id='n500' href='#n500'>500</a>
<a id='n501' href='#n501'>501</a>
<a id='n502' href='#n502'>502</a>
<a id='n503' href='#n503'>503</a>
<a id='n504' href='#n504'>504</a>
<a id='n505' href='#n505'>505</a>
<a id='n506' href='#n506'>506</a>
<a id='n507' href='#n507'>507</a>
<a id='n508' href='#n508'>508</a>
<a id='n509' href='#n509'>509</a>
<a id='n510' href='#n510'>510</a>
<a id='n511' href='#n511'>511</a>
<a id='n512' href='#n512'>512</a>
<a id='n513' href='#n513'>513</a>
<a id='n514' href='#n514'>514</a>
<a id='n515' href='#n515'>515</a>
<a id='n516' href='#n516'>516</a>
<a id='n517' href='#n517'>517</a>
<a id='n518' href='#n518'>518</a>
<a id='n519' href='#n519'>519</a>
<a id='n520' href='#n520'>520</a>
<a id='n521' href='#n521'>521</a>
<a id='n522' href='#n522'>522</a>
<a id='n523' href='#n523'>523</a>
<a id='n524' href='#n524'>524</a>
<a id='n525' href='#n525'>525</a>
<a id='n526' href='#n526'>526</a>
<a id='n527' href='#n527'>527</a>
<a id='n528' href='#n528'>528</a>
<a id='n529' href='#n529'>529</a>
<a id='n530' href='#n530'>530</a>
<a id='n531' href='#n531'>531</a>
<a id='n532' href='#n532'>532</a>
<a id='n533' href='#n533'>533</a>
<a id='n534' href='#n534'>534</a>
<a id='n535' href='#n535'>535</a>
<a id='n536' href='#n536'>536</a>
<a id='n537' href='#n537'>537</a>
<a id='n538' href='#n538'>538</a>
<a id='n539' href='#n539'>539</a>
<a id='n540' href='#n540'>540</a>
<a id='n541' href='#n541'>541</a>
<a id='n542' href='#n542'>542</a>
<a id='n543' href='#n543'>543</a>
<a id='n544' href='#n544'>544</a>
<a id='n545' href='#n545'>545</a>
<a id='n546' href='#n546'>546</a>
<a id='n547' href='#n547'>547</a>
<a id='n548' href='#n548'>548</a>
<a id='n549' href='#n549'>549</a>
<a id='n550' href='#n550'>550</a>
<a id='n551' href='#n551'>551</a>
<a id='n552' href='#n552'>552</a>
<a id='n553' href='#n553'>553</a>
<a id='n554' href='#n554'>554</a>
<a id='n555' href='#n555'>555</a>
<a id='n556' href='#n556'>556</a>
<a id='n557' href='#n557'>557</a>
<a id='n558' href='#n558'>558</a>
<a id='n559' href='#n559'>559</a>
<a id='n560' href='#n560'>560</a>
<a id='n561' href='#n561'>561</a>
<a id='n562' href='#n562'>562</a>
<a id='n563' href='#n563'>563</a>
<a id='n564' href='#n564'>564</a>
<a id='n565' href='#n565'>565</a>
<a id='n566' href='#n566'>566</a>
<a id='n567' href='#n567'>567</a>
<a id='n568' href='#n568'>568</a>
<a id='n569' href='#n569'>569</a>
<a id='n570' href='#n570'>570</a>
<a id='n571' href='#n571'>571</a>
<a id='n572' href='#n572'>572</a>
<a id='n573' href='#n573'>573</a>
<a id='n574' href='#n574'>574</a>
<a id='n575' href='#n575'>575</a>
<a id='n576' href='#n576'>576</a>
<a id='n577' href='#n577'>577</a>
<a id='n578' href='#n578'>578</a>
<a id='n579' href='#n579'>579</a>
<a id='n580' href='#n580'>580</a>
<a id='n581' href='#n581'>581</a>
<a id='n582' href='#n582'>582</a>
<a id='n583' href='#n583'>583</a>
<a id='n584' href='#n584'>584</a>
<a id='n585' href='#n585'>585</a>
<a id='n586' href='#n586'>586</a>
<a id='n587' href='#n587'>587</a>
<a id='n588' href='#n588'>588</a>
<a id='n589' href='#n589'>589</a>
<a id='n590' href='#n590'>590</a>
<a id='n591' href='#n591'>591</a>
<a id='n592' href='#n592'>592</a>
<a id='n593' href='#n593'>593</a>
<a id='n594' href='#n594'>594</a>
<a id='n595' href='#n595'>595</a>
<a id='n596' href='#n596'>596</a>
<a id='n597' href='#n597'>597</a>
<a id='n598' href='#n598'>598</a>
<a id='n599' href='#n599'>599</a>
<a id='n600' href='#n600'>600</a>
<a id='n601' href='#n601'>601</a>
<a id='n602' href='#n602'>602</a>
<a id='n603' href='#n603'>603</a>
<a id='n604' href='#n604'>604</a>
<a id='n605' href='#n605'>605</a>
<a id='n606' href='#n606'>606</a>
<a id='n607' href='#n607'>607</a>
<a id='n608' href='#n608'>608</a>
<a id='n609' href='#n609'>609</a>
<a id='n610' href='#n610'>610</a>
<a id='n611' href='#n611'>611</a>
<a id='n612' href='#n612'>612</a>
<a id='n613' href='#n613'>613</a>
<a id='n614' href='#n614'>614</a>
<a id='n615' href='#n615'>615</a>
<a id='n616' href='#n616'>616</a>
<a id='n617' href='#n617'>617</a>
<a id='n618' href='#n618'>618</a>
<a id='n619' href='#n619'>619</a>
<a id='n620' href='#n620'>620</a>
<a id='n621' href='#n621'>621</a>
<a id='n622' href='#n622'>622</a>
<a id='n623' href='#n623'>623</a>
<a id='n624' href='#n624'>624</a>
<a id='n625' href='#n625'>625</a>
<a id='n626' href='#n626'>626</a>
<a id='n627' href='#n627'>627</a>
<a id='n628' href='#n628'>628</a>
<a id='n629' href='#n629'>629</a>
<a id='n630' href='#n630'>630</a>
<a id='n631' href='#n631'>631</a>
<a id='n632' href='#n632'>632</a>
<a id='n633' href='#n633'>633</a>
<a id='n634' href='#n634'>634</a>
<a id='n635' href='#n635'>635</a>
<a id='n636' href='#n636'>636</a>
<a id='n637' href='#n637'>637</a>
<a id='n638' href='#n638'>638</a>
<a id='n639' href='#n639'>639</a>
<a id='n640' href='#n640'>640</a>
<a id='n641' href='#n641'>641</a>
<a id='n642' href='#n642'>642</a>
<a id='n643' href='#n643'>643</a>
<a id='n644' href='#n644'>644</a>
<a id='n645' href='#n645'>645</a>
<a id='n646' href='#n646'>646</a>
<a id='n647' href='#n647'>647</a>
<a id='n648' href='#n648'>648</a>
<a id='n649' href='#n649'>649</a>
<a id='n650' href='#n650'>650</a>
<a id='n651' href='#n651'>651</a>
<a id='n652' href='#n652'>652</a>
<a id='n653' href='#n653'>653</a>
<a id='n654' href='#n654'>654</a>
<a id='n655' href='#n655'>655</a>
<a id='n656' href='#n656'>656</a>
<a id='n657' href='#n657'>657</a>
<a id='n658' href='#n658'>658</a>
<a id='n659' href='#n659'>659</a>
<a id='n660' href='#n660'>660</a>
<a id='n661' href='#n661'>661</a>
<a id='n662' href='#n662'>662</a>
<a id='n663' href='#n663'>663</a>
<a id='n664' href='#n664'>664</a>
<a id='n665' href='#n665'>665</a>
<a id='n666' href='#n666'>666</a>
<a id='n667' href='#n667'>667</a>
<a id='n668' href='#n668'>668</a>
<a id='n669' href='#n669'>669</a>
<a id='n670' href='#n670'>670</a>
<a id='n671' href='#n671'>671</a>
<a id='n672' href='#n672'>672</a>
<a id='n673' href='#n673'>673</a>
<a id='n674' href='#n674'>674</a>
<a id='n675' href='#n675'>675</a>
<a id='n676' href='#n676'>676</a>
<a id='n677' href='#n677'>677</a>
<a id='n678' href='#n678'>678</a>
<a id='n679' href='#n679'>679</a>
<a id='n680' href='#n680'>680</a>
<a id='n681' href='#n681'>681</a>
<a id='n682' href='#n682'>682</a>
<a id='n683' href='#n683'>683</a>
<a id='n684' href='#n684'>684</a>
<a id='n685' href='#n685'>685</a>
<a id='n686' href='#n686'>686</a>
<a id='n687' href='#n687'>687</a>
<a id='n688' href='#n688'>688</a>
<a id='n689' href='#n689'>689</a>
<a id='n690' href='#n690'>690</a>
<a id='n691' href='#n691'>691</a>
<a id='n692' href='#n692'>692</a>
<a id='n693' href='#n693'>693</a>
<a id='n694' href='#n694'>694</a>
<a id='n695' href='#n695'>695</a>
<a id='n696' href='#n696'>696</a>
<a id='n697' href='#n697'>697</a>
<a id='n698' href='#n698'>698</a>
<a id='n699' href='#n699'>699</a>
<a id='n700' href='#n700'>700</a>
<a id='n701' href='#n701'>701</a>
<a id='n702' href='#n702'>702</a>
<a id='n703' href='#n703'>703</a>
<a id='n704' href='#n704'>704</a>
<a id='n705' href='#n705'>705</a>
<a id='n706' href='#n706'>706</a>
<a id='n707' href='#n707'>707</a>
<a id='n708' href='#n708'>708</a>
<a id='n709' href='#n709'>709</a>
<a id='n710' href='#n710'>710</a>
<a id='n711' href='#n711'>711</a>
<a id='n712' href='#n712'>712</a>
<a id='n713' href='#n713'>713</a>
<a id='n714' href='#n714'>714</a>
<a id='n715' href='#n715'>715</a>
<a id='n716' href='#n716'>716</a>
<a id='n717' href='#n717'>717</a>
<a id='n718' href='#n718'>718</a>
<a id='n719' href='#n719'>719</a>
<a id='n720' href='#n720'>720</a>
<a id='n721' href='#n721'>721</a>
<a id='n722' href='#n722'>722</a>
<a id='n723' href='#n723'>723</a>
<a id='n724' href='#n724'>724</a>
<a id='n725' href='#n725'>725</a>
<a id='n726' href='#n726'>726</a>
<a id='n727' href='#n727'>727</a>
<a id='n728' href='#n728'>728</a>
<a id='n729' href='#n729'>729</a>
<a id='n730' href='#n730'>730</a>
<a id='n731' href='#n731'>731</a>
<a id='n732' href='#n732'>732</a>
<a id='n733' href='#n733'>733</a>
<a id='n734' href='#n734'>734</a>
<a id='n735' href='#n735'>735</a>
<a id='n736' href='#n736'>736</a>
<a id='n737' href='#n737'>737</a>
<a id='n738' href='#n738'>738</a>
<a id='n739' href='#n739'>739</a>
<a id='n740' href='#n740'>740</a>
<a id='n741' href='#n741'>741</a>
<a id='n742' href='#n742'>742</a>
<a id='n743' href='#n743'>743</a>
<a id='n744' href='#n744'>744</a>
<a id='n745' href='#n745'>745</a>
<a id='n746' href='#n746'>746</a>
<a id='n747' href='#n747'>747</a>
<a id='n748' href='#n748'>748</a>
<a id='n749' href='#n749'>749</a>
<a id='n750' href='#n750'>750</a>
<a id='n751' href='#n751'>751</a>
<a id='n752' href='#n752'>752</a>
<a id='n753' href='#n753'>753</a>
<a id='n754' href='#n754'>754</a>
<a id='n755' href='#n755'>755</a>
<a id='n756' href='#n756'>756</a>
<a id='n757' href='#n757'>757</a>
<a id='n758' href='#n758'>758</a>
<a id='n759' href='#n759'>759</a>
<a id='n760' href='#n760'>760</a>
<a id='n761' href='#n761'>761</a>
<a id='n762' href='#n762'>762</a>
<a id='n763' href='#n763'>763</a>
<a id='n764' href='#n764'>764</a>
<a id='n765' href='#n765'>765</a>
<a id='n766' href='#n766'>766</a>
<a id='n767' href='#n767'>767</a>
<a id='n768' href='#n768'>768</a>
<a id='n769' href='#n769'>769</a>
<a id='n770' href='#n770'>770</a>
<a id='n771' href='#n771'>771</a>
<a id='n772' href='#n772'>772</a>
<a id='n773' href='#n773'>773</a>
<a id='n774' href='#n774'>774</a>
<a id='n775' href='#n775'>775</a>
<a id='n776' href='#n776'>776</a>
<a id='n777' href='#n777'>777</a>
<a id='n778' href='#n778'>778</a>
<a id='n779' href='#n779'>779</a>
<a id='n780' href='#n780'>780</a>
<a id='n781' href='#n781'>781</a>
<a id='n782' href='#n782'>782</a>
<a id='n783' href='#n783'>783</a>
<a id='n784' href='#n784'>784</a>
<a id='n785' href='#n785'>785</a>
<a id='n786' href='#n786'>786</a>
<a id='n787' href='#n787'>787</a>
<a id='n788' href='#n788'>788</a>
<a id='n789' href='#n789'>789</a>
<a id='n790' href='#n790'>790</a>
<a id='n791' href='#n791'>791</a>
<a id='n792' href='#n792'>792</a>
<a id='n793' href='#n793'>793</a>
<a id='n794' href='#n794'>794</a>
<a id='n795' href='#n795'>795</a>
<a id='n796' href='#n796'>796</a>
<a id='n797' href='#n797'>797</a>
<a id='n798' href='#n798'>798</a>
<a id='n799' href='#n799'>799</a>
<a id='n800' href='#n800'>800</a>
<a id='n801' href='#n801'>801</a>
<a id='n802' href='#n802'>802</a>
<a id='n803' href='#n803'>803</a>
<a id='n804' href='#n804'>804</a>
<a id='n805' href='#n805'>805</a>
<a id='n806' href='#n806'>806</a>
<a id='n807' href='#n807'>807</a>
<a id='n808' href='#n808'>808</a>
<a id='n809' href='#n809'>809</a>
<a id='n810' href='#n810'>810</a>
<a id='n811' href='#n811'>811</a>
<a id='n812' href='#n812'>812</a>
<a id='n813' href='#n813'>813</a>
<a id='n814' href='#n814'>814</a>
<a id='n815' href='#n815'>815</a>
<a id='n816' href='#n816'>816</a>
<a id='n817' href='#n817'>817</a>
<a id='n818' href='#n818'>818</a>
<a id='n819' href='#n819'>819</a>
<a id='n820' href='#n820'>820</a>
<a id='n821' href='#n821'>821</a>
<a id='n822' href='#n822'>822</a>
<a id='n823' href='#n823'>823</a>
<a id='n824' href='#n824'>824</a>
<a id='n825' href='#n825'>825</a>
<a id='n826' href='#n826'>826</a>
<a id='n827' href='#n827'>827</a>
<a id='n828' href='#n828'>828</a>
<a id='n829' href='#n829'>829</a>
<a id='n830' href='#n830'>830</a>
<a id='n831' href='#n831'>831</a>
<a id='n832' href='#n832'>832</a>
<a id='n833' href='#n833'>833</a>
<a id='n834' href='#n834'>834</a>
<a id='n835' href='#n835'>835</a>
<a id='n836' href='#n836'>836</a>
<a id='n837' href='#n837'>837</a>
<a id='n838' href='#n838'>838</a>
<a id='n839' href='#n839'>839</a>
<a id='n840' href='#n840'>840</a>
<a id='n841' href='#n841'>841</a>
<a id='n842' href='#n842'>842</a>
<a id='n843' href='#n843'>843</a>
<a id='n844' href='#n844'>844</a>
<a id='n845' href='#n845'>845</a>
<a id='n846' href='#n846'>846</a>
<a id='n847' href='#n847'>847</a>
<a id='n848' href='#n848'>848</a>
<a id='n849' href='#n849'>849</a>
<a id='n850' href='#n850'>850</a>
<a id='n851' href='#n851'>851</a>
<a id='n852' href='#n852'>852</a>
<a id='n853' href='#n853'>853</a>
<a id='n854' href='#n854'>854</a>
<a id='n855' href='#n855'>855</a>
<a id='n856' href='#n856'>856</a>
<a id='n857' href='#n857'>857</a>
<a id='n858' href='#n858'>858</a>
<a id='n859' href='#n859'>859</a>
<a id='n860' href='#n860'>860</a>
<a id='n861' href='#n861'>861</a>
<a id='n862' href='#n862'>862</a>
<a id='n863' href='#n863'>863</a>
<a id='n864' href='#n864'>864</a>
<a id='n865' href='#n865'>865</a>
<a id='n866' href='#n866'>866</a>
<a id='n867' href='#n867'>867</a>
<a id='n868' href='#n868'>868</a>
<a id='n869' href='#n869'>869</a>
<a id='n870' href='#n870'>870</a>
<a id='n871' href='#n871'>871</a>
<a id='n872' href='#n872'>872</a>
<a id='n873' href='#n873'>873</a>
<a id='n874' href='#n874'>874</a>
<a id='n875' href='#n875'>875</a>
<a id='n876' href='#n876'>876</a>
<a id='n877' href='#n877'>877</a>
<a id='n878' href='#n878'>878</a>
<a id='n879' href='#n879'>879</a>
<a id='n880' href='#n880'>880</a>
<a id='n881' href='#n881'>881</a>
<a id='n882' href='#n882'>882</a>
<a id='n883' href='#n883'>883</a>
<a id='n884' href='#n884'>884</a>
<a id='n885' href='#n885'>885</a>
<a id='n886' href='#n886'>886</a>
<a id='n887' href='#n887'>887</a>
<a id='n888' href='#n888'>888</a>
<a id='n889' href='#n889'>889</a>
<a id='n890' href='#n890'>890</a>
<a id='n891' href='#n891'>891</a>
<a id='n892' href='#n892'>892</a>
<a id='n893' href='#n893'>893</a>
<a id='n894' href='#n894'>894</a>
<a id='n895' href='#n895'>895</a>
<a id='n896' href='#n896'>896</a>
<a id='n897' href='#n897'>897</a>
<a id='n898' href='#n898'>898</a>
<a id='n899' href='#n899'>899</a>
<a id='n900' href='#n900'>900</a>
<a id='n901' href='#n901'>901</a>
<a id='n902' href='#n902'>902</a>
<a id='n903' href='#n903'>903</a>
<a id='n904' href='#n904'>904</a>
<a id='n905' href='#n905'>905</a>
<a id='n906' href='#n906'>906</a>
<a id='n907' href='#n907'>907</a>
<a id='n908' href='#n908'>908</a>
<a id='n909' href='#n909'>909</a>
<a id='n910' href='#n910'>910</a>
<a id='n911' href='#n911'>911</a>
<a id='n912' href='#n912'>912</a>
<a id='n913' href='#n913'>913</a>
<a id='n914' href='#n914'>914</a>
<a id='n915' href='#n915'>915</a>
<a id='n916' href='#n916'>916</a>
<a id='n917' href='#n917'>917</a>
<a id='n918' href='#n918'>918</a>
<a id='n919' href='#n919'>919</a>
<a id='n920' href='#n920'>920</a>
<a id='n921' href='#n921'>921</a>
<a id='n922' href='#n922'>922</a>
<a id='n923' href='#n923'>923</a>
<a id='n924' href='#n924'>924</a>
<a id='n925' href='#n925'>925</a>
<a id='n926' href='#n926'>926</a>
<a id='n927' href='#n927'>927</a>
<a id='n928' href='#n928'>928</a>
<a id='n929' href='#n929'>929</a>
<a id='n930' href='#n930'>930</a>
<a id='n931' href='#n931'>931</a>
<a id='n932' href='#n932'>932</a>
<a id='n933' href='#n933'>933</a>
<a id='n934' href='#n934'>934</a>
<a id='n935' href='#n935'>935</a>
<a id='n936' href='#n936'>936</a>
<a id='n937' href='#n937'>937</a>
<a id='n938' href='#n938'>938</a>
<a id='n939' href='#n939'>939</a>
<a id='n940' href='#n940'>940</a>
<a id='n941' href='#n941'>941</a>
<a id='n942' href='#n942'>942</a>
<a id='n943' href='#n943'>943</a>
<a id='n944' href='#n944'>944</a>
<a id='n945' href='#n945'>945</a>
<a id='n946' href='#n946'>946</a>
<a id='n947' href='#n947'>947</a>
<a id='n948' href='#n948'>948</a>
<a id='n949' href='#n949'>949</a>
<a id='n950' href='#n950'>950</a>
<a id='n951' href='#n951'>951</a>
<a id='n952' href='#n952'>952</a>
<a id='n953' href='#n953'>953</a>
<a id='n954' href='#n954'>954</a>
<a id='n955' href='#n955'>955</a>
<a id='n956' href='#n956'>956</a>
<a id='n957' href='#n957'>957</a>
<a id='n958' href='#n958'>958</a>
<a id='n959' href='#n959'>959</a>
<a id='n960' href='#n960'>960</a>
<a id='n961' href='#n961'>961</a>
<a id='n962' href='#n962'>962</a>
<a id='n963' href='#n963'>963</a>
<a id='n964' href='#n964'>964</a>
<a id='n965' href='#n965'>965</a>
<a id='n966' href='#n966'>966</a>
<a id='n967' href='#n967'>967</a>
<a id='n968' href='#n968'>968</a>
<a id='n969' href='#n969'>969</a>
<a id='n970' href='#n970'>970</a>
<a id='n971' href='#n971'>971</a>
<a id='n972' href='#n972'>972</a>
<a id='n973' href='#n973'>973</a>
<a id='n974' href='#n974'>974</a>
<a id='n975' href='#n975'>975</a>
<a id='n976' href='#n976'>976</a>
<a id='n977' href='#n977'>977</a>
<a id='n978' href='#n978'>978</a>
<a id='n979' href='#n979'>979</a>
<a id='n980' href='#n980'>980</a>
<a id='n981' href='#n981'>981</a>
<a id='n982' href='#n982'>982</a>
<a id='n983' href='#n983'>983</a>
<a id='n984' href='#n984'>984</a>
<a id='n985' href='#n985'>985</a>
<a id='n986' href='#n986'>986</a>
<a id='n987' href='#n987'>987</a>
<a id='n988' href='#n988'>988</a>
<a id='n989' href='#n989'>989</a>
<a id='n990' href='#n990'>990</a>
<a id='n991' href='#n991'>991</a>
<a id='n992' href='#n992'>992</a>
<a id='n993' href='#n993'>993</a>
<a id='n994' href='#n994'>994</a>
<a id='n995' href='#n995'>995</a>
<a id='n996' href='#n996'>996</a>
<a id='n997' href='#n997'>997</a>
<a id='n998' href='#n998'>998</a>
<a id='n999' href='#n999'>999</a>
<a id='n1000' href='#n1000'>1000</a>
<a id='n1001' href='#n1001'>1001</a>
<a id='n1002' href='#n1002'>1002</a>
<a id='n1003' href='#n1003'>1003</a>
<a id='n1004' href='#n1004'>1004</a>
<a id='n1005' href='#n1005'>1005</a>
<a id='n1006' href='#n1006'>1006</a>
<a id='n1007' href='#n1007'>1007</a>
<a id='n1008' href='#n1008'>1008</a>
<a id='n1009' href='#n1009'>1009</a>
<a id='n1010' href='#n1010'>1010</a>
<a id='n1011' href='#n1011'>1011</a>
<a id='n1012' href='#n1012'>1012</a>
<a id='n1013' href='#n1013'>1013</a>
<a id='n1014' href='#n1014'>1014</a>
<a id='n1015' href='#n1015'>1015</a>
<a id='n1016' href='#n1016'>1016</a>
<a id='n1017' href='#n1017'>1017</a>
<a id='n1018' href='#n1018'>1018</a>
<a id='n1019' href='#n1019'>1019</a>
<a id='n1020' href='#n1020'>1020</a>
<a id='n1021' href='#n1021'>1021</a>
<a id='n1022' href='#n1022'>1022</a>
<a id='n1023' href='#n1023'>1023</a>
<a id='n1024' href='#n1024'>1024</a>
<a id='n1025' href='#n1025'>1025</a>
<a id='n1026' href='#n1026'>1026</a>
<a id='n1027' href='#n1027'>1027</a>
<a id='n1028' href='#n1028'>1028</a>
<a id='n1029' href='#n1029'>1029</a>
<a id='n1030' href='#n1030'>1030</a>
<a id='n1031' href='#n1031'>1031</a>
<a id='n1032' href='#n1032'>1032</a>
<a id='n1033' href='#n1033'>1033</a>
<a id='n1034' href='#n1034'>1034</a>
<a id='n1035' href='#n1035'>1035</a>
<a id='n1036' href='#n1036'>1036</a>
<a id='n1037' href='#n1037'>1037</a>
<a id='n1038' href='#n1038'>1038</a>
<a id='n1039' href='#n1039'>1039</a>
<a id='n1040' href='#n1040'>1040</a>
<a id='n1041' href='#n1041'>1041</a>
<a id='n1042' href='#n1042'>1042</a>
<a id='n1043' href='#n1043'>1043</a>
<a id='n1044' href='#n1044'>1044</a>
<a id='n1045' href='#n1045'>1045</a>
<a id='n1046' href='#n1046'>1046</a>
<a id='n1047' href='#n1047'>1047</a>
<a id='n1048' href='#n1048'>1048</a>
<a id='n1049' href='#n1049'>1049</a>
<a id='n1050' href='#n1050'>1050</a>
<a id='n1051' href='#n1051'>1051</a>
<a id='n1052' href='#n1052'>1052</a>
<a id='n1053' href='#n1053'>1053</a>
<a id='n1054' href='#n1054'>1054</a>
<a id='n1055' href='#n1055'>1055</a>
<a id='n1056' href='#n1056'>1056</a>
<a id='n1057' href='#n1057'>1057</a>
<a id='n1058' href='#n1058'>1058</a>
<a id='n1059' href='#n1059'>1059</a>
<a id='n1060' href='#n1060'>1060</a>
<a id='n1061' href='#n1061'>1061</a>
<a id='n1062' href='#n1062'>1062</a>
<a id='n1063' href='#n1063'>1063</a>
<a id='n1064' href='#n1064'>1064</a>
<a id='n1065' href='#n1065'>1065</a>
<a id='n1066' href='#n1066'>1066</a>
<a id='n1067' href='#n1067'>1067</a>
<a id='n1068' href='#n1068'>1068</a>
<a id='n1069' href='#n1069'>1069</a>
<a id='n1070' href='#n1070'>1070</a>
<a id='n1071' href='#n1071'>1071</a>
<a id='n1072' href='#n1072'>1072</a>
<a id='n1073' href='#n1073'>1073</a>
<a id='n1074' href='#n1074'>1074</a>
<a id='n1075' href='#n1075'>1075</a>
<a id='n1076' href='#n1076'>1076</a>
<a id='n1077' href='#n1077'>1077</a>
<a id='n1078' href='#n1078'>1078</a>
<a id='n1079' href='#n1079'>1079</a>
<a id='n1080' href='#n1080'>1080</a>
<a id='n1081' href='#n1081'>1081</a>
<a id='n1082' href='#n1082'>1082</a>
<a id='n1083' href='#n1083'>1083</a>
<a id='n1084' href='#n1084'>1084</a>
<a id='n1085' href='#n1085'>1085</a>
<a id='n1086' href='#n1086'>1086</a>
<a id='n1087' href='#n1087'>1087</a>
<a id='n1088' href='#n1088'>1088</a>
<a id='n1089' href='#n1089'>1089</a>
<a id='n1090' href='#n1090'>1090</a>
<a id='n1091' href='#n1091'>1091</a>
<a id='n1092' href='#n1092'>1092</a>
<a id='n1093' href='#n1093'>1093</a>
<a id='n1094' href='#n1094'>1094</a>
<a id='n1095' href='#n1095'>1095</a>
<a id='n1096' href='#n1096'>1096</a>
<a id='n1097' href='#n1097'>1097</a>
<a id='n1098' href='#n1098'>1098</a>
<a id='n1099' href='#n1099'>1099</a>
<a id='n1100' href='#n1100'>1100</a>
<a id='n1101' href='#n1101'>1101</a>
<a id='n1102' href='#n1102'>1102</a>
<a id='n1103' href='#n1103'>1103</a>
<a id='n1104' href='#n1104'>1104</a>
<a id='n1105' href='#n1105'>1105</a>
<a id='n1106' href='#n1106'>1106</a>
<a id='n1107' href='#n1107'>1107</a>
<a id='n1108' href='#n1108'>1108</a>
<a id='n1109' href='#n1109'>1109</a>
<a id='n1110' href='#n1110'>1110</a>
<a id='n1111' href='#n1111'>1111</a>
<a id='n1112' href='#n1112'>1112</a>
<a id='n1113' href='#n1113'>1113</a>
<a id='n1114' href='#n1114'>1114</a>
<a id='n1115' href='#n1115'>1115</a>
<a id='n1116' href='#n1116'>1116</a>
<a id='n1117' href='#n1117'>1117</a>
<a id='n1118' href='#n1118'>1118</a>
<a id='n1119' href='#n1119'>1119</a>
<a id='n1120' href='#n1120'>1120</a>
<a id='n1121' href='#n1121'>1121</a>
<a id='n1122' href='#n1122'>1122</a>
<a id='n1123' href='#n1123'>1123</a>
<a id='n1124' href='#n1124'>1124</a>
<a id='n1125' href='#n1125'>1125</a>
<a id='n1126' href='#n1126'>1126</a>
<a id='n1127' href='#n1127'>1127</a>
<a id='n1128' href='#n1128'>1128</a>
<a id='n1129' href='#n1129'>1129</a>
<a id='n1130' href='#n1130'>1130</a>
<a id='n1131' href='#n1131'>1131</a>
<a id='n1132' href='#n1132'>1132</a>
<a id='n1133' href='#n1133'>1133</a>
<a id='n1134' href='#n1134'>1134</a>
<a id='n1135' href='#n1135'>1135</a>
<a id='n1136' href='#n1136'>1136</a>
<a id='n1137' href='#n1137'>1137</a>
<a id='n1138' href='#n1138'>1138</a>
<a id='n1139' href='#n1139'>1139</a>
<a id='n1140' href='#n1140'>1140</a>
<a id='n1141' href='#n1141'>1141</a>
<a id='n1142' href='#n1142'>1142</a>
<a id='n1143' href='#n1143'>1143</a>
<a id='n1144' href='#n1144'>1144</a>
<a id='n1145' href='#n1145'>1145</a>
<a id='n1146' href='#n1146'>1146</a>
<a id='n1147' href='#n1147'>1147</a>
<a id='n1148' href='#n1148'>1148</a>
<a id='n1149' href='#n1149'>1149</a>
<a id='n1150' href='#n1150'>1150</a>
<a id='n1151' href='#n1151'>1151</a>
<a id='n1152' href='#n1152'>1152</a>
<a id='n1153' href='#n1153'>1153</a>
<a id='n1154' href='#n1154'>1154</a>
<a id='n1155' href='#n1155'>1155</a>
<a id='n1156' href='#n1156'>1156</a>
<a id='n1157' href='#n1157'>1157</a>
<a id='n1158' href='#n1158'>1158</a>
<a id='n1159' href='#n1159'>1159</a>
<a id='n1160' href='#n1160'>1160</a>
<a id='n1161' href='#n1161'>1161</a>
<a id='n1162' href='#n1162'>1162</a>
<a id='n1163' href='#n1163'>1163</a>
<a id='n1164' href='#n1164'>1164</a>
<a id='n1165' href='#n1165'>1165</a>
<a id='n1166' href='#n1166'>1166</a>
<a id='n1167' href='#n1167'>1167</a>
<a id='n1168' href='#n1168'>1168</a>
<a id='n1169' href='#n1169'>1169</a>
<a id='n1170' href='#n1170'>1170</a>
<a id='n1171' href='#n1171'>1171</a>
<a id='n1172' href='#n1172'>1172</a>
<a id='n1173' href='#n1173'>1173</a>
<a id='n1174' href='#n1174'>1174</a>
<a id='n1175' href='#n1175'>1175</a>
<a id='n1176' href='#n1176'>1176</a>
<a id='n1177' href='#n1177'>1177</a>
<a id='n1178' href='#n1178'>1178</a>
<a id='n1179' href='#n1179'>1179</a>
<a id='n1180' href='#n1180'>1180</a>
<a id='n1181' href='#n1181'>1181</a>
<a id='n1182' href='#n1182'>1182</a>
<a id='n1183' href='#n1183'>1183</a>
<a id='n1184' href='#n1184'>1184</a>
<a id='n1185' href='#n1185'>1185</a>
<a id='n1186' href='#n1186'>1186</a>
<a id='n1187' href='#n1187'>1187</a>
<a id='n1188' href='#n1188'>1188</a>
<a id='n1189' href='#n1189'>1189</a>
<a id='n1190' href='#n1190'>1190</a>
<a id='n1191' href='#n1191'>1191</a>
<a id='n1192' href='#n1192'>1192</a>
<a id='n1193' href='#n1193'>1193</a>
<a id='n1194' href='#n1194'>1194</a>
<a id='n1195' href='#n1195'>1195</a>
<a id='n1196' href='#n1196'>1196</a>
<a id='n1197' href='#n1197'>1197</a>
<a id='n1198' href='#n1198'>1198</a>
<a id='n1199' href='#n1199'>1199</a>
<a id='n1200' href='#n1200'>1200</a>
<a id='n1201' href='#n1201'>1201</a>
<a id='n1202' href='#n1202'>1202</a>
<a id='n1203' href='#n1203'>1203</a>
<a id='n1204' href='#n1204'>1204</a>
<a id='n1205' href='#n1205'>1205</a>
<a id='n1206' href='#n1206'>1206</a>
<a id='n1207' href='#n1207'>1207</a>
<a id='n1208' href='#n1208'>1208</a>
<a id='n1209' href='#n1209'>1209</a>
<a id='n1210' href='#n1210'>1210</a>
<a id='n1211' href='#n1211'>1211</a>
<a id='n1212' href='#n1212'>1212</a>
<a id='n1213' href='#n1213'>1213</a>
<a id='n1214' href='#n1214'>1214</a>
<a id='n1215' href='#n1215'>1215</a>
<a id='n1216' href='#n1216'>1216</a>
<a id='n1217' href='#n1217'>1217</a>
<a id='n1218' href='#n1218'>1218</a>
<a id='n1219' href='#n1219'>1219</a>
<a id='n1220' href='#n1220'>1220</a>
<a id='n1221' href='#n1221'>1221</a>
<a id='n1222' href='#n1222'>1222</a>
<a id='n1223' href='#n1223'>1223</a>
<a id='n1224' href='#n1224'>1224</a>
<a id='n1225' href='#n1225'>1225</a>
</pre></td>
<td class='lines'><pre><code><span class="hl slc"># python join code</span>
<span class="hl slc"># Copyright Andrew Tridgell 2010</span>
<span class="hl slc"># Copyright Andrew Bartlett 2010</span>
<span class="hl slc">#</span>
<span class="hl slc"># This program is free software; you can redistribute it and/or modify</span>
<span class="hl slc"># it under the terms of the GNU General Public License as published by</span>
<span class="hl slc"># the Free Software Foundation; either version 3 of the License, or</span>
<span class="hl slc"># (at your option) any later version.</span>
<span class="hl slc">#</span>
<span class="hl slc"># This program is distributed in the hope that it will be useful,</span>
<span class="hl slc"># but WITHOUT ANY WARRANTY; without even the implied warranty of</span>
<span class="hl slc"># MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the</span>
<span class="hl slc"># GNU General Public License for more details.</span>
<span class="hl slc">#</span>
<span class="hl slc"># You should have received a copy of the GNU General Public License</span>
<span class="hl slc"># along with this program.  If not, see &lt;http://www.gnu.org/licenses/&gt;.</span>
<span class="hl slc">#</span>

<span class="hl str">&quot;&quot;&quot;Joining a domain.&quot;&quot;&quot;</span>

<span class="hl kwa">from</span> samba<span class="hl opt">.</span>auth <span class="hl kwa">import</span> system_session
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>samdb <span class="hl kwa">import</span> SamDB
<span class="hl kwa">from</span> samba <span class="hl kwa">import</span> gensec<span class="hl opt">,</span> Ldb<span class="hl opt">,</span> drs_utils
<span class="hl kwa">import</span> ldb<span class="hl opt">,</span> samba<span class="hl opt">,</span> sys<span class="hl opt">,</span> uuid
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>ndr <span class="hl kwa">import</span> ndr_pack
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>dcerpc <span class="hl kwa">import</span> security<span class="hl opt">,</span> drsuapi<span class="hl opt">,</span> misc<span class="hl opt">,</span> nbt<span class="hl opt">,</span> lsa<span class="hl opt">,</span> drsblobs
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>dsdb <span class="hl kwa">import</span> DS_DOMAIN_FUNCTION_2003
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>credentials <span class="hl kwa">import</span> Credentials<span class="hl opt">,</span> DONT_USE_KERBEROS
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>provision <span class="hl kwa">import</span> secretsdb_self_join<span class="hl opt">,</span> provision<span class="hl opt">,</span> provision_fill<span class="hl opt">,</span> FILL_DRS<span class="hl opt">,</span> FILL_SUBDOMAIN
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>provision<span class="hl opt">.</span>common <span class="hl kwa">import</span> setup_path
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>schema <span class="hl kwa">import</span> Schema
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>net <span class="hl kwa">import</span> Net
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>provision<span class="hl opt">.</span>sambadns <span class="hl kwa">import</span> setup_bind9_dns
<span class="hl kwa">from</span> samba <span class="hl kwa">import</span> read_and_sub_file
<span class="hl kwa">from</span> base64 <span class="hl kwa">import</span> b64encode
<span class="hl kwa">import</span> logging
<span class="hl kwa">import</span> talloc
<span class="hl kwa">import</span> random
<span class="hl kwa">import</span> time

<span class="hl slc"># this makes debugging easier</span>
talloc<span class="hl opt">.</span><span class="hl kwd">enable_null_tracking</span><span class="hl opt">()</span>

<span class="hl kwa">class</span> <span class="hl kwd">DCJoinException</span><span class="hl opt">(</span><span class="hl kwc">Exception</span><span class="hl opt">):</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__init__</span><span class="hl opt">(</span>self<span class="hl opt">,</span> msg<span class="hl opt">):</span>
        <span class="hl kwb">super</span><span class="hl opt">(</span>DCJoinException<span class="hl opt">,</span> self<span class="hl opt">)</span><span class="hl num">.__</span>init<span class="hl num">__</span><span class="hl opt">(</span><span class="hl str">&quot;Can&#39;t join, error:</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> msg<span class="hl opt">)</span>


<span class="hl kwa">class</span> <span class="hl kwd">dc_join</span><span class="hl opt">(</span><span class="hl kwb">object</span><span class="hl opt">):</span>
    <span class="hl str">&quot;&quot;&quot;Perform a DC join.&quot;&quot;&quot;</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__init__</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> logger<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> server<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> creds<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> lp<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> site<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
                 netbios_name<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> targetdir<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> domain<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
                 machinepass<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> use_ntvfs<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span> dns_backend<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
                 promote_existing<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">):</span>
        ctx<span class="hl opt">.</span>logger <span class="hl opt">=</span> logger
        ctx<span class="hl opt">.</span>creds <span class="hl opt">=</span> creds
        ctx<span class="hl opt">.</span>lp <span class="hl opt">=</span> lp
        ctx<span class="hl opt">.</span>site <span class="hl opt">=</span> site
        ctx<span class="hl opt">.</span>netbios_name <span class="hl opt">=</span> netbios_name
        ctx<span class="hl opt">.</span>targetdir <span class="hl opt">=</span> targetdir
        ctx<span class="hl opt">.</span>use_ntvfs <span class="hl opt">=</span> use_ntvfs

        ctx<span class="hl opt">.</span>promote_existing <span class="hl opt">=</span> promote_existing
        ctx<span class="hl opt">.</span>promote_from_dn <span class="hl opt">=</span> <span class="hl kwa">None</span>

        ctx<span class="hl opt">.</span>nc_list <span class="hl opt">= []</span>

        ctx<span class="hl opt">.</span>creds<span class="hl opt">.</span><span class="hl kwd">set_gensec_features</span><span class="hl opt">(</span>creds<span class="hl opt">.</span><span class="hl kwd">get_gensec_features</span><span class="hl opt">()</span> | gensec<span class="hl opt">.</span>FEATURE_SEAL<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>net <span class="hl opt">=</span> <span class="hl kwd">Net</span><span class="hl opt">(</span>creds<span class="hl opt">=</span>ctx<span class="hl opt">.</span>creds<span class="hl opt">,</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>

        <span class="hl kwa">if</span> server <span class="hl kwa">is not None</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>server <span class="hl opt">=</span> server
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Finding a writeable DC for domain &#39;</span><span class="hl ipl">%s</span><span class="hl str">&#39;&quot;</span> <span class="hl opt">%</span> domain<span class="hl opt">)</span>
            ctx<span class="hl opt">.</span>server <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">find_dc</span><span class="hl opt">(</span>domain<span class="hl opt">)</span>
            ctx<span class="hl opt">.</span>logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Found DC</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>samdb <span class="hl opt">=</span> <span class="hl kwd">SamDB</span><span class="hl opt">(</span>url<span class="hl opt">=</span><span class="hl str">&quot;ldap://</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server<span class="hl opt">,</span>
                          session_info<span class="hl opt">=</span><span class="hl kwd">system_session</span><span class="hl opt">(),</span>
                          credentials<span class="hl opt">=</span>ctx<span class="hl opt">.</span>creds<span class="hl opt">,</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>

        <span class="hl kwa">try</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_ONELEVEL<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;dn&quot;</span><span class="hl opt">])</span>
        <span class="hl kwa">except</span> ldb<span class="hl opt">.</span>LdbError<span class="hl opt">, (</span>enum<span class="hl opt">,</span> estr<span class="hl opt">):</span>
            <span class="hl kwa">raise</span> <span class="hl kwd">DCJoinException</span><span class="hl opt">(</span>estr<span class="hl opt">)</span>


        ctx<span class="hl opt">.</span>myname <span class="hl opt">=</span> netbios_name
        ctx<span class="hl opt">.</span>samname <span class="hl opt">=</span> <span class="hl str">&quot;</span><span class="hl ipl">%s</span><span class="hl str">$&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname
        ctx<span class="hl opt">.</span>base_dn <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_default_basedn</span><span class="hl opt">())</span>
        ctx<span class="hl opt">.</span>root_dn <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_root_basedn</span><span class="hl opt">())</span>
        ctx<span class="hl opt">.</span>schema_dn <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_schema_basedn</span><span class="hl opt">())</span>
        ctx<span class="hl opt">.</span>config_dn <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_config_basedn</span><span class="hl opt">())</span>
        ctx<span class="hl opt">.</span>domsid <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_domain_sid</span><span class="hl opt">()</span>
        ctx<span class="hl opt">.</span>domain_name <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_domain_name</span><span class="hl opt">()</span>
        ctx<span class="hl opt">.</span>forest_domain_name <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_forest_domain_name</span><span class="hl opt">()</span>
        ctx<span class="hl opt">.</span>invocation_id <span class="hl opt">=</span> misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span><span class="hl kwb">str</span><span class="hl opt">(</span>uuid<span class="hl opt">.</span><span class="hl kwd">uuid4</span><span class="hl opt">()))</span>

        ctx<span class="hl opt">.</span>dc_ntds_dn <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_dsServiceName</span><span class="hl opt">()</span>
        ctx<span class="hl opt">.</span>dc_dnsHostName <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_dnsHostName</span><span class="hl opt">()</span>
        ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_behavior_version</span><span class="hl opt">()</span>

        <span class="hl kwa">if</span> machinepass <span class="hl kwa">is not None</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>acct_pass <span class="hl opt">=</span> machinepass
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>acct_pass <span class="hl opt">=</span> samba<span class="hl opt">.</span><span class="hl kwd">generate_random_password</span><span class="hl opt">(</span><span class="hl num">32</span><span class="hl opt">,</span> <span class="hl num">40</span><span class="hl opt">)</span>

        <span class="hl slc"># work out the DNs of all the objects we will be adding</span>
        ctx<span class="hl opt">.</span>server_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=</span><span class="hl ipl">%s</span><span class="hl str">,CN=Servers,CN=</span><span class="hl ipl">%s</span><span class="hl str">,CN=Sites,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> ctx<span class="hl opt">.</span>site<span class="hl opt">,</span> ctx<span class="hl opt">.</span>config_dn<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>ntds_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=NTDS Settings,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server_dn
        topology_base <span class="hl opt">=</span> <span class="hl str">&quot;CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>base_dn
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span><span class="hl kwd">dn_exists</span><span class="hl opt">(</span>topology_base<span class="hl opt">):</span>
            ctx<span class="hl opt">.</span>topology_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=</span><span class="hl ipl">%s</span><span class="hl str">,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> topology_base<span class="hl opt">)</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>topology_dn <span class="hl opt">=</span> <span class="hl kwa">None</span>

        ctx<span class="hl opt">.</span>dnsdomain <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">domain_dns_name</span><span class="hl opt">()</span>
        ctx<span class="hl opt">.</span>dnsforest <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">forest_dns_name</span><span class="hl opt">()</span>
        ctx<span class="hl opt">.</span>domaindns_zone <span class="hl opt">=</span> <span class="hl str">&#39;DC=DomainDnsZones,</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>base_dn
        ctx<span class="hl opt">.</span>forestdns_zone <span class="hl opt">=</span> <span class="hl str">&#39;DC=ForestDnsZones,</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>root_dn

        res_domaindns <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_ONELEVEL<span class="hl opt">,</span>
                                         attrs<span class="hl opt">=[],</span>
                                         base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_partitions_dn</span><span class="hl opt">(),</span>
                                         expression<span class="hl opt">=</span><span class="hl str">&quot;(&amp;(objectClass=crossRef)(ncName=</span><span class="hl ipl">%s</span><span class="hl str">))&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>domaindns_zone<span class="hl opt">)</span>
        <span class="hl kwa">if</span> dns_backend <span class="hl kwa">is None</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>dns_backend <span class="hl opt">=</span> <span class="hl str">&quot;NONE&quot;</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            <span class="hl kwa">if</span> <span class="hl kwb">len</span><span class="hl opt">(</span>res_domaindns<span class="hl opt">) ==</span> <span class="hl num">0</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span>dns_backend <span class="hl opt">=</span> <span class="hl str">&quot;NONE&quot;</span>
                <span class="hl kwa">print</span> <span class="hl str">&quot;NO DNS zone information found in source domain, not replicating DNS&quot;</span>
            <span class="hl kwa">else</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span>dns_backend <span class="hl opt">=</span> dns_backend

        ctx<span class="hl opt">.</span>dnshostname <span class="hl opt">=</span> <span class="hl str">&quot;</span><span class="hl ipl">%s</span><span class="hl str">.</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>realm <span class="hl opt">=</span> ctx<span class="hl opt">.</span>dnsdomain

        ctx<span class="hl opt">.</span>acct_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=</span><span class="hl ipl">%s</span><span class="hl str">,OU=Domain Controllers,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>tmp_samdb <span class="hl opt">=</span> <span class="hl kwa">None</span>

        ctx<span class="hl opt">.</span>SPNs <span class="hl opt">= [</span> <span class="hl str">&quot;HOST/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span>
                     <span class="hl str">&quot;HOST/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">,</span>
                     <span class="hl str">&quot;GC/</span><span class="hl ipl">%s</span><span class="hl str">/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">,</span> ctx<span class="hl opt">.</span>dnsforest<span class="hl opt">) ]</span>

        <span class="hl slc"># these elements are optional</span>
        ctx<span class="hl opt">.</span>never_reveal_sid <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>reveal_sid <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>connection_dn <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>RODC <span class="hl opt">=</span> <span class="hl kwa">False</span>
        ctx<span class="hl opt">.</span>krbtgt_dn <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>drsuapi <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>managedby <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>subdomain <span class="hl opt">=</span> <span class="hl kwa">False</span>
        ctx<span class="hl opt">.</span>adminpass <span class="hl opt">=</span> <span class="hl kwa">None</span>

    <span class="hl kwa">def</span> <span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> dn<span class="hl opt">,</span> recursive<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">):</span>
        <span class="hl kwa">if</span> recursive<span class="hl opt">:</span>
            <span class="hl kwa">try</span><span class="hl opt">:</span>
                res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_ONELEVEL<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;dn&quot;</span><span class="hl opt">])</span>
            <span class="hl kwa">except</span> <span class="hl kwc">Exception</span><span class="hl opt">:</span>
                <span class="hl kwa">return</span>
            <span class="hl kwa">for</span> r <span class="hl kwa">in</span> res<span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>r<span class="hl opt">.</span>dn<span class="hl opt">,</span> recursive<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">delete</span><span class="hl opt">(</span>dn<span class="hl opt">)</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Deleted</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> dn
        <span class="hl kwa">except</span> <span class="hl kwc">Exception</span><span class="hl opt">:</span>
            <span class="hl kwa">pass</span>

    <span class="hl kwa">def</span> <span class="hl kwd">cleanup_old_join</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;Remove any DNs from a previous join.&quot;&quot;&quot;</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            <span class="hl slc"># find the krbtgt link</span>
            <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;checking sAMAccountName&quot;</span><span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>subdomain<span class="hl opt">:</span>
                res <span class="hl opt">=</span> <span class="hl kwa">None</span>
            <span class="hl kwa">else</span><span class="hl opt">:</span>
                res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_default_basedn</span><span class="hl opt">(),</span>
                                       expression<span class="hl opt">=</span><span class="hl str">&#39;sAMAccountName=</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ldb<span class="hl opt">.</span><span class="hl kwd">binary_encode</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samname<span class="hl opt">),</span>
                                       attrs<span class="hl opt">=[</span><span class="hl str">&quot;msDS-krbTgtLink&quot;</span><span class="hl opt">])</span>
                <span class="hl kwa">if</span> res<span class="hl opt">:</span>
                    ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">].</span>dn<span class="hl opt">,</span> recursive<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>

                res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_default_basedn</span><span class="hl opt">(),</span>
                                       expression<span class="hl opt">=</span><span class="hl str">&#39;(&amp;(sAMAccountName=</span><span class="hl ipl">%s</span><span class="hl str">)(servicePrincipalName=</span><span class="hl ipl">%s</span><span class="hl str">))&#39;</span> <span class="hl opt">% (</span>ldb<span class="hl opt">.</span><span class="hl kwd">binary_encode</span><span class="hl opt">(</span><span class="hl str">&quot;dns-</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname<span class="hl opt">),</span> ldb<span class="hl opt">.</span><span class="hl kwd">binary_encode</span><span class="hl opt">(</span><span class="hl str">&quot;dns/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">)),</span>
                                       attrs<span class="hl opt">=[])</span>
                <span class="hl kwa">if</span> res<span class="hl opt">:</span>
                    ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">].</span>dn<span class="hl opt">,</span> recursive<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>

                res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_default_basedn</span><span class="hl opt">(),</span>
                                       expression<span class="hl opt">=</span><span class="hl str">&#39;(sAMAccountName=</span><span class="hl ipl">%s</span><span class="hl str">)&#39;</span> <span class="hl opt">%</span> ldb<span class="hl opt">.</span><span class="hl kwd">binary_encode</span><span class="hl opt">(</span><span class="hl str">&quot;dns-</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname<span class="hl opt">),</span>
                                       attrs<span class="hl opt">=[])</span>
                <span class="hl kwa">if</span> res<span class="hl opt">:</span>
                    <span class="hl kwa">raise</span> <span class="hl kwc">RuntimeError</span><span class="hl opt">(</span><span class="hl str">&quot;Not removing account</span> <span class="hl ipl">%s</span> <span class="hl str">which looks like a Samba DNS service account but does not have servicePrincipalName=</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ldb<span class="hl opt">.</span><span class="hl kwd">binary_encode</span><span class="hl opt">(</span><span class="hl str">&quot;dns-</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname<span class="hl opt">),</span> ldb<span class="hl opt">.</span><span class="hl kwd">binary_encode</span><span class="hl opt">(</span><span class="hl str">&quot;dns/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">)))</span>

            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>connection_dn <span class="hl kwa">is not None</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>connection_dn<span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>krbtgt_dn <span class="hl kwa">is not None</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">)</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>ntds_dn<span class="hl opt">)</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>server_dn<span class="hl opt">,</span> recursive<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>topology_dn<span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>topology_dn<span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>partition_dn<span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>partition_dn<span class="hl opt">)</span>
            <span class="hl kwa">if</span> res<span class="hl opt">:</span>
                ctx<span class="hl opt">.</span>new_krbtgt_dn <span class="hl opt">=</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;msDS-Krbtgtlink&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>new_krbtgt_dn<span class="hl opt">)</span>

            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>subdomain<span class="hl opt">:</span>
                binding_options <span class="hl opt">=</span> <span class="hl str">&quot;sign&quot;</span>
                lsaconn <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">lsarpc</span><span class="hl opt">(</span><span class="hl str">&quot;ncacn_ip_tcp:</span><span class="hl ipl">%s</span><span class="hl str">[</span><span class="hl ipl">%s</span><span class="hl str">]&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>server<span class="hl opt">,</span> binding_options<span class="hl opt">),</span>
                                     ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> ctx<span class="hl opt">.</span>creds<span class="hl opt">)</span>

                objectAttr <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">ObjectAttribute</span><span class="hl opt">()</span>
                objectAttr<span class="hl opt">.</span>sec_qos <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">QosInfo</span><span class="hl opt">()</span>

                pol_handle <span class="hl opt">=</span> lsaconn<span class="hl opt">.</span><span class="hl kwd">OpenPolicy2</span><span class="hl opt">(</span><span class="hl str">&#39;&#39;</span><span class="hl opt">.</span><span class="hl kwd">decode</span><span class="hl opt">(</span><span class="hl str">&#39;utf-8&#39;</span><span class="hl opt">),</span>
                                                 objectAttr<span class="hl opt">,</span> security<span class="hl opt">.</span>SEC_FLAG_MAXIMUM_ALLOWED<span class="hl opt">)</span>

                name <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">String</span><span class="hl opt">()</span>
                name<span class="hl opt">.</span>string <span class="hl opt">=</span> ctx<span class="hl opt">.</span>realm
                info <span class="hl opt">=</span> lsaconn<span class="hl opt">.</span><span class="hl kwd">QueryTrustedDomainInfoByName</span><span class="hl opt">(</span>pol_handle<span class="hl opt">,</span> name<span class="hl opt">,</span> lsa<span class="hl opt">.</span>LSA_TRUSTED_DOMAIN_INFO_FULL_INFO<span class="hl opt">)</span>

                lsaconn<span class="hl opt">.</span><span class="hl kwd">DeleteTrustedDomain</span><span class="hl opt">(</span>pol_handle<span class="hl opt">,</span> info<span class="hl opt">.</span>info_ex<span class="hl opt">.</span>sid<span class="hl opt">)</span>

                name <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">String</span><span class="hl opt">()</span>
                name<span class="hl opt">.</span>string <span class="hl opt">=</span> ctx<span class="hl opt">.</span>forest_domain_name
                info <span class="hl opt">=</span> lsaconn<span class="hl opt">.</span><span class="hl kwd">QueryTrustedDomainInfoByName</span><span class="hl opt">(</span>pol_handle<span class="hl opt">,</span> name<span class="hl opt">,</span> lsa<span class="hl opt">.</span>LSA_TRUSTED_DOMAIN_INFO_FULL_INFO<span class="hl opt">)</span>

                lsaconn<span class="hl opt">.</span><span class="hl kwd">DeleteTrustedDomain</span><span class="hl opt">(</span>pol_handle<span class="hl opt">,</span> info<span class="hl opt">.</span>info_ex<span class="hl opt">.</span>sid<span class="hl opt">)</span>

        <span class="hl kwa">except</span> <span class="hl kwc">Exception</span><span class="hl opt">:</span>
            <span class="hl kwa">pass</span>

    <span class="hl kwa">def</span> <span class="hl kwd">promote_possible</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;confirm that the account is just a bare NT4 BDC or a member server, so can be safely promoted&quot;&quot;&quot;</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>subdomain<span class="hl opt">:</span>
            <span class="hl slc"># This shouldn&#39;t happen</span>
            <span class="hl kwa">raise</span> <span class="hl kwc">Exception</span><span class="hl opt">(</span><span class="hl str">&quot;Can not promote into a subdomain&quot;</span><span class="hl opt">)</span>

        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_default_basedn</span><span class="hl opt">(),</span>
                               expression<span class="hl opt">=</span><span class="hl str">&#39;sAMAccountName=</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ldb<span class="hl opt">.</span><span class="hl kwd">binary_encode</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samname<span class="hl opt">),</span>
                               attrs<span class="hl opt">=[</span><span class="hl str">&quot;msDS-krbTgtLink&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;userAccountControl&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;serverReferenceBL&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;rIDSetReferences&quot;</span><span class="hl opt">])</span>
        <span class="hl kwa">if</span> <span class="hl kwb">len</span><span class="hl opt">(</span>res<span class="hl opt">) ==</span> <span class="hl num">0</span><span class="hl opt">:</span>
            <span class="hl kwa">raise</span> <span class="hl kwc">Exception</span><span class="hl opt">(</span><span class="hl str">&quot;Could not find domain member account &#39;</span><span class="hl ipl">%s</span><span class="hl str">&#39; to promote to a DC, use &#39;samba-tool domain join&#39; instead&#39;&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">)</span>
        <span class="hl kwa">if</span> <span class="hl str">&quot;msDS-krbTgtLink&quot;</span> <span class="hl kwa">in</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]</span> <span class="hl kwa">or</span> <span class="hl str">&quot;serverReferenceBL&quot;</span> <span class="hl kwa">in</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]</span> <span class="hl kwa">or</span> <span class="hl str">&quot;rIDSetReferences&quot;</span> <span class="hl kwa">in</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]:</span>
            <span class="hl kwa">raise</span> <span class="hl kwc">Exception</span><span class="hl opt">(</span><span class="hl str">&quot;Account &#39;</span><span class="hl ipl">%s</span><span class="hl str">&#39; appears to be an active DC, use &#39;samba-tool domain join&#39; if you must re-create this account&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">)</span>
        <span class="hl kwa">if</span> <span class="hl opt">(</span><span class="hl kwb">int</span><span class="hl opt">(</span>res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;userAccountControl&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]) &amp; (</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_WORKSTATION_TRUST_ACCOUNT|samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_SERVER_TRUST_ACCOUNT<span class="hl opt">) ==</span> <span class="hl num">0</span><span class="hl opt">):</span>
            <span class="hl kwa">raise</span> <span class="hl kwc">Exception</span><span class="hl opt">(</span><span class="hl str">&quot;Account</span> <span class="hl ipl">%s</span> <span class="hl str">is not a domain member or a bare NT4 BDC, use &#39;samba-tool domain join&#39; instead&#39;&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>promote_from_dn <span class="hl opt">=</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">].</span>dn


    <span class="hl kwa">def</span> <span class="hl kwd">find_dc</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> domain<span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;find a writeable DC for the given domain&quot;&quot;&quot;</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>cldap_ret <span class="hl opt">=</span> ctx<span class="hl opt">.</span>net<span class="hl opt">.</span><span class="hl kwd">finddc</span><span class="hl opt">(</span>domain<span class="hl opt">=</span>domain<span class="hl opt">,</span> flags<span class="hl opt">=</span>nbt<span class="hl opt">.</span>NBT_SERVER_LDAP | nbt<span class="hl opt">.</span>NBT_SERVER_DS | nbt<span class="hl opt">.</span>NBT_SERVER_WRITABLE<span class="hl opt">)</span>
        <span class="hl kwa">except</span> <span class="hl kwc">Exception</span><span class="hl opt">:</span>
            <span class="hl kwa">raise</span> <span class="hl kwc">Exception</span><span class="hl opt">(</span><span class="hl str">&quot;Failed to find a writeable DC for domain &#39;</span><span class="hl ipl">%s</span><span class="hl str">&#39;&quot;</span> <span class="hl opt">%</span> domain<span class="hl opt">)</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>cldap_ret<span class="hl opt">.</span>client_site <span class="hl kwa">is not None and</span> ctx<span class="hl opt">.</span>cldap_ret<span class="hl opt">.</span>client_site <span class="hl opt">!=</span> <span class="hl str">&quot;&quot;</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>site <span class="hl opt">=</span> ctx<span class="hl opt">.</span>cldap_ret<span class="hl opt">.</span>client_site
        <span class="hl kwa">return</span> ctx<span class="hl opt">.</span>cldap_ret<span class="hl opt">.</span>pdc_dns_name


    <span class="hl kwa">def</span> <span class="hl kwd">get_behavior_version</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;msDS-Behavior-Version&quot;</span><span class="hl opt">])</span>
        <span class="hl kwa">if</span> <span class="hl str">&quot;msDS-Behavior-Version&quot;</span> <span class="hl kwa">in</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]:</span>
            <span class="hl kwa">return</span> <span class="hl kwb">int</span><span class="hl opt">(</span>res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;msDS-Behavior-Version&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">])</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            <span class="hl kwa">return</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2000

    <span class="hl kwa">def</span> <span class="hl kwd">get_dnsHostName</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span><span class="hl str">&quot;&quot;</span><span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;dnsHostName&quot;</span><span class="hl opt">])</span>
        <span class="hl kwa">return</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;dnsHostName&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>

    <span class="hl kwa">def</span> <span class="hl kwd">get_domain_name</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;get netbios name of the domain from the partitions record&#39;&#39;&#39;</span>
        partitions_dn <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_partitions_dn</span><span class="hl opt">()</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>partitions_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_ONELEVEL<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;nETBIOSName&quot;</span><span class="hl opt">],</span>
                               expression<span class="hl opt">=</span><span class="hl str">&#39;ncName=</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_default_basedn</span><span class="hl opt">())</span>
        <span class="hl kwa">return</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;nETBIOSName&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>

    <span class="hl kwa">def</span> <span class="hl kwd">get_forest_domain_name</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;get netbios name of the domain from the partitions record&#39;&#39;&#39;</span>
        partitions_dn <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_partitions_dn</span><span class="hl opt">()</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>partitions_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_ONELEVEL<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;nETBIOSName&quot;</span><span class="hl opt">],</span>
                               expression<span class="hl opt">=</span><span class="hl str">&#39;ncName=</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_root_basedn</span><span class="hl opt">())</span>
        <span class="hl kwa">return</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;nETBIOSName&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>

    <span class="hl kwa">def</span> <span class="hl kwd">get_parent_partition_dn</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;get the parent domain partition DN from parent DNS name&#39;&#39;&#39;</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span> attrs<span class="hl opt">=[],</span>
                               expression<span class="hl opt">=</span><span class="hl str">&#39;(&amp;(objectclass=crossRef)(dnsRoot=</span><span class="hl ipl">%s</span><span class="hl str">)(systemFlags:</span><span class="hl ipl">%s</span><span class="hl str">:=</span><span class="hl ipl">%u</span><span class="hl str">))&#39;</span> <span class="hl opt">%</span>
                               <span class="hl opt">(</span>ctx<span class="hl opt">.</span>parent_dnsdomain<span class="hl opt">,</span> ldb<span class="hl opt">.</span>OID_COMPARATOR_AND<span class="hl opt">,</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_CR_NTDS_DOMAIN<span class="hl opt">))</span>
        <span class="hl kwa">return</span> <span class="hl kwb">str</span><span class="hl opt">(</span>res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">].</span>dn<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">get_naming_master</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;get the parent domain partition DN from parent DNS name&#39;&#39;&#39;</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span><span class="hl str">&#39;CN=Partitions,</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&#39;fSMORoleOwner&#39;</span><span class="hl opt">],</span>
                               scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> controls<span class="hl opt">=[</span><span class="hl str">&quot;extended_dn:1:1&quot;</span><span class="hl opt">])</span>
        <span class="hl kwa">if not</span> <span class="hl str">&#39;fSMORoleOwner&#39;</span> <span class="hl kwa">in</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]:</span>
            <span class="hl kwa">raise</span> <span class="hl kwd">DCJoinException</span><span class="hl opt">(</span><span class="hl str">&quot;Can&#39;t find naming master on partition DN</span> <span class="hl ipl">%s</span> <span class="hl str">in</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>partition_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span>url<span class="hl opt">))</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            master_guid <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span>ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&#39;fSMORoleOwner&#39;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]).</span><span class="hl kwd">get_extended_component</span><span class="hl opt">(</span><span class="hl str">&#39;GUID&#39;</span><span class="hl opt">)))</span>
        <span class="hl kwa">except</span> <span class="hl kwc">KeyError</span><span class="hl opt">:</span>
            <span class="hl kwa">raise</span> <span class="hl kwd">DCJoinException</span><span class="hl opt">(</span><span class="hl str">&quot;Can&#39;t find GUID in naming master on partition DN</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&#39;fSMORoleOwner&#39;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">])</span>

        master_host <span class="hl opt">=</span> <span class="hl str">&#39;</span><span class="hl ipl">%s</span><span class="hl str">._msdcs.</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">% (</span>master_guid<span class="hl opt">,</span> ctx<span class="hl opt">.</span>dnsforest<span class="hl opt">)</span>
        <span class="hl kwa">return</span> master_host

    <span class="hl kwa">def</span> <span class="hl kwd">get_mysid</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;get the SID of the connected user. Only works with w2k8 and later,</span>
<span class="hl str">           so only used for RODC join&#39;&#39;&#39;</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span><span class="hl str">&quot;&quot;</span><span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;tokenGroups&quot;</span><span class="hl opt">])</span>
        binsid <span class="hl opt">=</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;tokenGroups&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>
        <span class="hl kwa">return</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">schema_format_value</span><span class="hl opt">(</span><span class="hl str">&quot;objectSID&quot;</span><span class="hl opt">,</span> binsid<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">dn_exists</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> dn<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;check if a DN exists&#39;&#39;&#39;</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[])</span>
        <span class="hl kwa">except</span> ldb<span class="hl opt">.</span>LdbError<span class="hl opt">, (</span>enum<span class="hl opt">,</span> estr<span class="hl opt">):</span>
            <span class="hl kwa">if</span> enum <span class="hl opt">==</span> ldb<span class="hl opt">.</span>ERR_NO_SUCH_OBJECT<span class="hl opt">:</span>
                <span class="hl kwa">return False</span>
            <span class="hl kwa">raise</span>
        <span class="hl kwa">return True</span>

    <span class="hl kwa">def</span> <span class="hl kwd">add_krbtgt_account</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;RODCs need a special krbtgt account&#39;&#39;&#39;</span>
        <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>krbtgt_dn
        rec <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;user&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;useraccountcontrol&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_NORMAL_ACCOUNT |
                                       samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_ACCOUNTDISABLE<span class="hl opt">),</span>
            <span class="hl str">&quot;showinadvancedviewonly&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;TRUE&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;description&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;krbtgt for</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">}</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">, [</span><span class="hl str">&quot;rodc_join:1:1&quot;</span><span class="hl opt">])</span>

        <span class="hl slc"># now we need to search for the samAccountName attribute on the krbtgt DN,</span>
        <span class="hl slc"># as this will have been magically set to the krbtgt number</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;samAccountName&quot;</span><span class="hl opt">])</span>
        ctx<span class="hl opt">.</span>krbtgt_name <span class="hl opt">=</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;samAccountName&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Got krbtgt_name=</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>krbtgt_name

        m <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Message</span><span class="hl opt">()</span>
        m<span class="hl opt">.</span>dn <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">)</span>
        m<span class="hl opt">[</span><span class="hl str">&quot;msDS-krbTgtLink&quot;</span><span class="hl opt">] =</span> ldb<span class="hl opt">.</span><span class="hl kwd">MessageElement</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">,</span>
                                                  ldb<span class="hl opt">.</span>FLAG_MOD_REPLACE<span class="hl opt">,</span> <span class="hl str">&quot;msDS-krbTgtLink&quot;</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">modify</span><span class="hl opt">(</span>m<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>new_krbtgt_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=</span><span class="hl ipl">%s</span><span class="hl str">,CN=Users,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>krbtgt_name<span class="hl opt">,</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">)</span>
        <span class="hl kwa">print</span> <span class="hl str">&quot;Renaming</span> <span class="hl ipl">%s</span> <span class="hl str">to</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>new_krbtgt_dn<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">rename</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>new_krbtgt_dn<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">drsuapi_connect</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;make a DRSUAPI connection to the naming master&#39;&#39;&#39;</span>
        binding_options <span class="hl opt">=</span> <span class="hl str">&quot;seal&quot;</span>
        <span class="hl kwa">if</span> <span class="hl kwb">int</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">.</span><span class="hl kwd">get</span><span class="hl opt">(</span><span class="hl str">&quot;log level&quot;</span><span class="hl opt">)) &gt;=</span> <span class="hl num">4</span><span class="hl opt">:</span>
            binding_options <span class="hl opt">+=</span> <span class="hl str">&quot;,print&quot;</span>
        binding_string <span class="hl opt">=</span> <span class="hl str">&quot;ncacn_ip_tcp:</span><span class="hl ipl">%s</span><span class="hl str">[</span><span class="hl ipl">%s</span><span class="hl str">]&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>server<span class="hl opt">,</span> binding_options<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>drsuapi <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">drsuapi</span><span class="hl opt">(</span>binding_string<span class="hl opt">,</span> ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> ctx<span class="hl opt">.</span>creds<span class="hl opt">)</span>
        <span class="hl opt">(</span>ctx<span class="hl opt">.</span>drsuapi_handle<span class="hl opt">,</span> ctx<span class="hl opt">.</span>bind_supported_extensions<span class="hl opt">) =</span> drs_utils<span class="hl opt">.</span><span class="hl kwd">drs_DsBind</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>drsuapi<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">create_tmp_samdb</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;create a temporary samdb object for schema queries&#39;&#39;&#39;</span>
        ctx<span class="hl opt">.</span>tmp_schema <span class="hl opt">=</span> <span class="hl kwd">Schema</span><span class="hl opt">(</span>security<span class="hl opt">.</span><span class="hl kwd">dom_sid</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">),</span>
                                schemadn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>schema_dn<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>tmp_samdb <span class="hl opt">=</span> <span class="hl kwd">SamDB</span><span class="hl opt">(</span>session_info<span class="hl opt">=</span><span class="hl kwd">system_session</span><span class="hl opt">(),</span> url<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> auto_connect<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span>
                              credentials<span class="hl opt">=</span>ctx<span class="hl opt">.</span>creds<span class="hl opt">,</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> global_schema<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span>
                              am_rodc<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>tmp_samdb<span class="hl opt">.</span><span class="hl kwd">set_schema</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>tmp_schema<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">build_DsReplicaAttribute</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> attrname<span class="hl opt">,</span> attrvalue<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;build a DsReplicaAttributeCtr object&#39;&#39;&#39;</span>
        r <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaAttribute</span><span class="hl opt">()</span>
        r<span class="hl opt">.</span>attid <span class="hl opt">=</span> ctx<span class="hl opt">.</span>tmp_samdb<span class="hl opt">.</span><span class="hl kwd">get_attid_from_lDAPDisplayName</span><span class="hl opt">(</span>attrname<span class="hl opt">)</span>
        r<span class="hl opt">.</span>value_ctr <span class="hl opt">=</span> <span class="hl num">1</span>


    <span class="hl kwa">def</span> <span class="hl kwd">DsAddEntry</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> recs<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;add a record via the DRSUAPI DsAddEntry call&#39;&#39;&#39;</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>drsuapi <span class="hl kwa">is None</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">drsuapi_connect</span><span class="hl opt">()</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>tmp_samdb <span class="hl kwa">is None</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">create_tmp_samdb</span><span class="hl opt">()</span>

        objects <span class="hl opt">= []</span>
        <span class="hl kwa">for</span> rec <span class="hl kwa">in</span> recs<span class="hl opt">:</span>
            <span class="hl kwb">id</span> <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaObjectIdentifier</span><span class="hl opt">()</span>
            <span class="hl kwb">id</span><span class="hl opt">.</span>dn <span class="hl opt">=</span> rec<span class="hl opt">[</span><span class="hl str">&#39;dn&#39;</span><span class="hl opt">]</span>

            attrs <span class="hl opt">= []</span>
            <span class="hl kwa">for</span> a <span class="hl kwa">in</span> rec<span class="hl opt">:</span>
                <span class="hl kwa">if</span> a <span class="hl opt">==</span> <span class="hl str">&#39;dn&#39;</span><span class="hl opt">:</span>
                    <span class="hl kwa">continue</span>
                <span class="hl kwa">if not</span> <span class="hl kwb">isinstance</span><span class="hl opt">(</span>rec<span class="hl opt">[</span>a<span class="hl opt">],</span> <span class="hl kwb">list</span><span class="hl opt">):</span>
                    v <span class="hl opt">= [</span>rec<span class="hl opt">[</span>a<span class="hl opt">]]</span>
                <span class="hl kwa">else</span><span class="hl opt">:</span>
                    v <span class="hl opt">=</span> rec<span class="hl opt">[</span>a<span class="hl opt">]</span>
                rattr <span class="hl opt">=</span> ctx<span class="hl opt">.</span>tmp_samdb<span class="hl opt">.</span><span class="hl kwd">dsdb_DsReplicaAttribute</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>tmp_samdb<span class="hl opt">,</span> a<span class="hl opt">,</span> v<span class="hl opt">)</span>
                attrs<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span>rattr<span class="hl opt">)</span>

            attribute_ctr <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaAttributeCtr</span><span class="hl opt">()</span>
            attribute_ctr<span class="hl opt">.</span>num_attributes <span class="hl opt">=</span> <span class="hl kwb">len</span><span class="hl opt">(</span>attrs<span class="hl opt">)</span>
            attribute_ctr<span class="hl opt">.</span>attributes <span class="hl opt">=</span> attrs

            <span class="hl kwb">object</span> <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaObject</span><span class="hl opt">()</span>
            <span class="hl kwb">object</span><span class="hl opt">.</span>identifier <span class="hl opt">=</span> <span class="hl kwb">id</span>
            <span class="hl kwb">object</span><span class="hl opt">.</span>attribute_ctr <span class="hl opt">=</span> attribute_ctr

            list_object <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaObjectListItem</span><span class="hl opt">()</span>
            list_object<span class="hl opt">.</span><span class="hl kwb">object</span> <span class="hl opt">=</span> <span class="hl kwb">object</span>
            objects<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span>list_object<span class="hl opt">)</span>

        req2 <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsAddEntryRequest2</span><span class="hl opt">()</span>
        req2<span class="hl opt">.</span>first_object <span class="hl opt">=</span> objects<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]</span>
        prev <span class="hl opt">=</span> req2<span class="hl opt">.</span>first_object
        <span class="hl kwa">for</span> o <span class="hl kwa">in</span> objects<span class="hl opt">[</span><span class="hl num">1</span><span class="hl opt">:]:</span>
            prev<span class="hl opt">.</span>next_object <span class="hl opt">=</span> o
            prev <span class="hl opt">=</span> o

        <span class="hl opt">(</span>level<span class="hl opt">,</span> ctr<span class="hl opt">) =</span> ctx<span class="hl opt">.</span>drsuapi<span class="hl opt">.</span><span class="hl kwd">DsAddEntry</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>drsuapi_handle<span class="hl opt">,</span> <span class="hl num">2</span><span class="hl opt">,</span> req2<span class="hl opt">)</span>
        <span class="hl kwa">if</span> level <span class="hl opt">==</span> <span class="hl num">2</span><span class="hl opt">:</span>
            <span class="hl kwa">if</span> ctr<span class="hl opt">.</span>dir_err <span class="hl opt">!=</span> drsuapi<span class="hl opt">.</span>DRSUAPI_DIRERR_OK<span class="hl opt">:</span>
                <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;DsAddEntry failed with dir_err</span> <span class="hl ipl">%u</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctr<span class="hl opt">.</span>dir_err<span class="hl opt">)</span>
                <span class="hl kwa">raise</span> <span class="hl kwc">RuntimeError</span><span class="hl opt">(</span><span class="hl str">&quot;DsAddEntry failed&quot;</span><span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctr<span class="hl opt">.</span>extended_err <span class="hl opt">!= (</span><span class="hl num">0</span><span class="hl opt">,</span> <span class="hl str">&#39;WERR_OK&#39;</span><span class="hl opt">):</span>
                <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;DsAddEntry failed with status</span> <span class="hl ipl">%s</span> <span class="hl str">info</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctr<span class="hl opt">.</span>extended_err<span class="hl opt">))</span>
                <span class="hl kwa">raise</span> <span class="hl kwc">RuntimeError</span><span class="hl opt">(</span><span class="hl str">&quot;DsAddEntry failed&quot;</span><span class="hl opt">)</span>
        <span class="hl kwa">if</span> level <span class="hl opt">==</span> <span class="hl num">3</span><span class="hl opt">:</span>
            <span class="hl kwa">if</span> ctr<span class="hl opt">.</span>err_ver <span class="hl opt">!=</span> <span class="hl num">1</span><span class="hl opt">:</span>
                <span class="hl kwa">raise</span> <span class="hl kwc">RuntimeError</span><span class="hl opt">(</span><span class="hl str">&quot;expected err_ver 1, got</span> <span class="hl ipl">%u</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctr<span class="hl opt">.</span>err_ver<span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctr<span class="hl opt">.</span>err_data<span class="hl opt">.</span>status <span class="hl opt">!= (</span><span class="hl num">0</span><span class="hl opt">,</span> <span class="hl str">&#39;WERR_OK&#39;</span><span class="hl opt">):</span>
                <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;DsAddEntry failed with status</span> <span class="hl ipl">%s</span> <span class="hl str">info</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctr<span class="hl opt">.</span>err_data<span class="hl opt">.</span>status<span class="hl opt">,</span>
                                                                    ctr<span class="hl opt">.</span>err_data<span class="hl opt">.</span>info<span class="hl opt">.</span>extended_err<span class="hl opt">))</span>
                <span class="hl kwa">raise</span> <span class="hl kwc">RuntimeError</span><span class="hl opt">(</span><span class="hl str">&quot;DsAddEntry failed&quot;</span><span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctr<span class="hl opt">.</span>err_data<span class="hl opt">.</span>dir_err <span class="hl opt">!=</span> drsuapi<span class="hl opt">.</span>DRSUAPI_DIRERR_OK<span class="hl opt">:</span>
                <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;DsAddEntry failed with dir_err</span> <span class="hl ipl">%u</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctr<span class="hl opt">.</span>err_data<span class="hl opt">.</span>dir_err<span class="hl opt">)</span>
                <span class="hl kwa">raise</span> <span class="hl kwc">RuntimeError</span><span class="hl opt">(</span><span class="hl str">&quot;DsAddEntry failed&quot;</span><span class="hl opt">)</span>

        <span class="hl kwa">return</span> ctr<span class="hl opt">.</span>objects

    <span class="hl kwa">def</span> <span class="hl kwd">join_add_ntdsdsa</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;add the ntdsdsa object&#39;&#39;&#39;</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>ntds_dn
        rec <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>ntds_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;nTDSDSA&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;systemFlags&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE<span class="hl opt">),</span>
            <span class="hl str">&quot;dMDLocation&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>schema_dn<span class="hl opt">}</span>

        nc_list <span class="hl opt">= [</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>schema_dn <span class="hl opt">]</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-Behavior-Version&quot;</span><span class="hl opt">] =</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2008_R2<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-HasDomainNCs&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>base_dn

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>RODC<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;objectCategory&quot;</span><span class="hl opt">] =</span> <span class="hl str">&quot;CN=NTDS-DSA-RO,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>schema_dn
            rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-HasFullReplicaNCs&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>nc_list
            rec<span class="hl opt">[</span><span class="hl str">&quot;options&quot;</span><span class="hl opt">] =</span> <span class="hl str">&quot;37&quot;</span>
            ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">, [</span><span class="hl str">&quot;rodc_join:1:1&quot;</span><span class="hl opt">])</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;objectCategory&quot;</span><span class="hl opt">] =</span> <span class="hl str">&quot;CN=NTDS-DSA,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>schema_dn
            rec<span class="hl opt">[</span><span class="hl str">&quot;HasMasterNCs&quot;</span><span class="hl opt">]      =</span> nc_list
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">:</span>
                rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-HasMasterNCs&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>nc_list
            rec<span class="hl opt">[</span><span class="hl str">&quot;options&quot;</span><span class="hl opt">] =</span> <span class="hl str">&quot;1&quot;</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;invocationId&quot;</span><span class="hl opt">] =</span> <span class="hl kwd">ndr_pack</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>invocation_id<span class="hl opt">)</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">DsAddEntry</span><span class="hl opt">([</span>rec<span class="hl opt">])</span>

        <span class="hl slc"># find the GUID of our NTDS DN</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>ntds_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;objectGUID&quot;</span><span class="hl opt">])</span>
        ctx<span class="hl opt">.</span>ntds_guid <span class="hl opt">=</span> misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">schema_format_value</span><span class="hl opt">(</span><span class="hl str">&quot;objectGUID&quot;</span><span class="hl opt">,</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;objectGUID&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]))</span>

    <span class="hl kwa">def</span> <span class="hl kwd">join_add_objects</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;add the various objects needed for the join&#39;&#39;&#39;</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">:</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>acct_dn
            rec <span class="hl opt">= {</span>
                <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">,</span>
                <span class="hl str">&quot;objectClass&quot;</span><span class="hl opt">:</span> <span class="hl str">&quot;computer&quot;</span><span class="hl opt">,</span>
                <span class="hl str">&quot;displayname&quot;</span><span class="hl opt">:</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">,</span>
                <span class="hl str">&quot;samaccountname&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">,</span>
                <span class="hl str">&quot;userAccountControl&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>userAccountControl | samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_ACCOUNTDISABLE<span class="hl opt">),</span>
                <span class="hl str">&quot;dnshostname&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">}</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2008<span class="hl opt">:</span>
                rec<span class="hl opt">[</span><span class="hl str">&#39;msDS-SupportedEncryptionTypes&#39;</span><span class="hl opt">] =</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>ENC_ALL_TYPES<span class="hl opt">)</span>
            <span class="hl kwa">elif</span> ctx<span class="hl opt">.</span>promote_existing<span class="hl opt">:</span>
                rec<span class="hl opt">[</span><span class="hl str">&#39;msDS-SupportedEncryptionTypes&#39;</span><span class="hl opt">] = []</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>managedby<span class="hl opt">:</span>
                rec<span class="hl opt">[</span><span class="hl str">&quot;managedby&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>managedby
            <span class="hl kwa">elif</span> ctx<span class="hl opt">.</span>promote_existing<span class="hl opt">:</span>
                rec<span class="hl opt">[</span><span class="hl str">&quot;managedby&quot;</span><span class="hl opt">] = []</span>

            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>never_reveal_sid<span class="hl opt">:</span>
                rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-NeverRevealGroup&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>never_reveal_sid
            <span class="hl kwa">elif</span> ctx<span class="hl opt">.</span>promote_existing<span class="hl opt">:</span>
                rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-NeverRevealGroup&quot;</span><span class="hl opt">] = []</span>

            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>reveal_sid<span class="hl opt">:</span>
                rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-RevealOnDemandGroup&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>reveal_sid
            <span class="hl kwa">elif</span> ctx<span class="hl opt">.</span>promote_existing<span class="hl opt">:</span>
                rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-RevealOnDemandGroup&quot;</span><span class="hl opt">] = []</span>

            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>promote_existing<span class="hl opt">:</span>
                <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>promote_from_dn <span class="hl opt">!=</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">:</span>
                    ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">rename</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>promote_from_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">)</span>
                ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">modify</span><span class="hl opt">(</span>ldb<span class="hl opt">.</span>Message<span class="hl opt">.</span><span class="hl kwd">from_dict</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> rec<span class="hl opt">,</span> ldb<span class="hl opt">.</span>FLAG_MOD_REPLACE<span class="hl opt">))</span>
            <span class="hl kwa">else</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">add_krbtgt_account</span><span class="hl opt">()</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server_dn
        rec <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span><span class="hl opt">:</span> ctx<span class="hl opt">.</span>server_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;server&quot;</span><span class="hl opt">,</span>
            <span class="hl slc"># windows uses 50000000 decimal for systemFlags. A windows hex/decimal mixup bug?</span>
            <span class="hl str">&quot;systemFlags&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_CONFIG_ALLOW_RENAME |
                                samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE |
                                samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE<span class="hl opt">),</span>
            <span class="hl slc"># windows seems to add the dnsHostName later</span>
            <span class="hl str">&quot;dnsHostName&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">}</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;serverReference&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>acct_dn

        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>subdomain<span class="hl opt">:</span>
            <span class="hl slc"># the rest is done after replication</span>
            ctx<span class="hl opt">.</span>ntds_guid <span class="hl opt">=</span> <span class="hl kwa">None</span>
            <span class="hl kwa">return</span>

        ctx<span class="hl opt">.</span><span class="hl kwd">join_add_ntdsdsa</span><span class="hl opt">()</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>connection_dn <span class="hl kwa">is not None</span><span class="hl opt">:</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>connection_dn
            rec <span class="hl opt">= {</span>
                <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>connection_dn<span class="hl opt">,</span>
                <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;nTDSConnection&quot;</span><span class="hl opt">,</span>
                <span class="hl str">&quot;enabledconnection&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;TRUE&quot;</span><span class="hl opt">,</span>
                <span class="hl str">&quot;options&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;65&quot;</span><span class="hl opt">,</span>
                <span class="hl str">&quot;fromServer&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>dc_ntds_dn<span class="hl opt">}</span>
            ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">:</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Adding SPNs to</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>acct_dn
            m <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Message</span><span class="hl opt">()</span>
            m<span class="hl opt">.</span>dn <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">)</span>
            <span class="hl kwa">for</span> i <span class="hl kwa">in</span> <span class="hl kwb">range</span><span class="hl opt">(</span><span class="hl kwb">len</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>SPNs<span class="hl opt">)):</span>
                ctx<span class="hl opt">.</span>SPNs<span class="hl opt">[</span>i<span class="hl opt">] =</span> ctx<span class="hl opt">.</span>SPNs<span class="hl opt">[</span>i<span class="hl opt">].</span><span class="hl kwd">replace</span><span class="hl opt">(</span><span class="hl str">&quot;$NTDSGUID&quot;</span><span class="hl opt">,</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>ntds_guid<span class="hl opt">))</span>
            m<span class="hl opt">[</span><span class="hl str">&quot;servicePrincipalName&quot;</span><span class="hl opt">] =</span> ldb<span class="hl opt">.</span><span class="hl kwd">MessageElement</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>SPNs<span class="hl opt">,</span>
                                                           ldb<span class="hl opt">.</span>FLAG_MOD_REPLACE<span class="hl opt">,</span>
                                                           <span class="hl str">&quot;servicePrincipalName&quot;</span><span class="hl opt">)</span>
            ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">modify</span><span class="hl opt">(</span>m<span class="hl opt">)</span>

            <span class="hl slc"># The account password set operation should normally be done over</span>
            <span class="hl slc"># LDAP. Windows 2000 DCs however allow this only with SSL</span>
            <span class="hl slc"># connections which are hard to set up and otherwise refuse with</span>
            <span class="hl slc"># ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet</span>
            <span class="hl slc"># over SAMR.</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Setting account password for</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samname
            <span class="hl kwa">try</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">setpassword</span><span class="hl opt">(</span><span class="hl str">&quot;(&amp;(objectClass=user)(sAMAccountName=</span><span class="hl ipl">%s</span><span class="hl str">))&quot;</span>
                                      <span class="hl opt">%</span> ldb<span class="hl opt">.</span><span class="hl kwd">binary_encode</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samname<span class="hl opt">),</span>
                                      ctx<span class="hl opt">.</span>acct_pass<span class="hl opt">,</span>
                                      force_change_at_next_login<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span>
                                      username<span class="hl opt">=</span>ctx<span class="hl opt">.</span>samname<span class="hl opt">)</span>
            <span class="hl kwa">except</span> ldb<span class="hl opt">.</span>LdbError<span class="hl opt">, (</span>num<span class="hl opt">,</span> _<span class="hl opt">):</span>
                <span class="hl kwa">if</span> num <span class="hl opt">!=</span> ldb<span class="hl opt">.</span>ERR_UNWILLING_TO_PERFORM<span class="hl opt">:</span>
                    <span class="hl kwa">pass</span>
                ctx<span class="hl opt">.</span>net<span class="hl opt">.</span><span class="hl kwd">set_password</span><span class="hl opt">(</span>account_name<span class="hl opt">=</span>ctx<span class="hl opt">.</span>samname<span class="hl opt">,</span>
                                     domain_name<span class="hl opt">=</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span>
                                     newpassword<span class="hl opt">=</span>ctx<span class="hl opt">.</span>acct_pass<span class="hl opt">)</span>

            res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span>
                                   attrs<span class="hl opt">=[</span><span class="hl str">&quot;msDS-KeyVersionNumber&quot;</span><span class="hl opt">])</span>
            <span class="hl kwa">if</span> <span class="hl str">&quot;msDS-KeyVersionNumber&quot;</span> <span class="hl kwa">in</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]:</span>
                ctx<span class="hl opt">.</span>key_version_number <span class="hl opt">=</span> <span class="hl kwb">int</span><span class="hl opt">(</span>res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;msDS-KeyVersionNumber&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">])</span>
            <span class="hl kwa">else</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span>key_version_number <span class="hl opt">=</span> <span class="hl kwa">None</span>

            <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;Enabling account&quot;</span><span class="hl opt">)</span>
            m <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Message</span><span class="hl opt">()</span>
            m<span class="hl opt">.</span>dn <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">)</span>
            m<span class="hl opt">[</span><span class="hl str">&quot;userAccountControl&quot;</span><span class="hl opt">] =</span> ldb<span class="hl opt">.</span><span class="hl kwd">MessageElement</span><span class="hl opt">(</span><span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>userAccountControl<span class="hl opt">),</span>
                                                         ldb<span class="hl opt">.</span>FLAG_MOD_REPLACE<span class="hl opt">,</span>
                                                         <span class="hl str">&quot;userAccountControl&quot;</span><span class="hl opt">)</span>
            ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">modify</span><span class="hl opt">(</span>m<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>dns_backend<span class="hl opt">.</span><span class="hl kwd">startswith</span><span class="hl opt">(</span><span class="hl str">&quot;BIND9_&quot;</span><span class="hl opt">):</span>
            ctx<span class="hl opt">.</span>dnspass <span class="hl opt">=</span> samba<span class="hl opt">.</span><span class="hl kwd">generate_random_password</span><span class="hl opt">(</span><span class="hl num">128</span><span class="hl opt">,</span> <span class="hl num">255</span><span class="hl opt">)</span>

            recs <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">parse_ldif</span><span class="hl opt">(</span><span class="hl kwd">read_and_sub_file</span><span class="hl opt">(</span><span class="hl kwd">setup_path</span><span class="hl opt">(</span><span class="hl str">&quot;provision_dns_add_samba.ldif&quot;</span><span class="hl opt">),</span>
                                                                <span class="hl opt">{</span><span class="hl str">&quot;DNSDOMAIN&quot;</span><span class="hl opt">:</span> ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">,</span>
                                                                 <span class="hl str">&quot;DOMAINDN&quot;</span><span class="hl opt">:</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span>
                                                                 <span class="hl str">&quot;HOSTNAME&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span>
                                                                 <span class="hl str">&quot;DNSPASS_B64&quot;</span><span class="hl opt">:</span> <span class="hl kwd">b64encode</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>dnspass<span class="hl opt">),</span>
                                                                 <span class="hl str">&quot;DNSNAME&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">}))</span>
            <span class="hl kwa">for</span> changetype<span class="hl opt">,</span> msg <span class="hl kwa">in</span> recs<span class="hl opt">:</span>
                <span class="hl kwa">assert</span> changetype <span class="hl opt">==</span> ldb<span class="hl opt">.</span>CHANGETYPE_NONE
                dns_acct_dn <span class="hl opt">=</span> msg<span class="hl opt">[</span><span class="hl str">&quot;dn&quot;</span><span class="hl opt">]</span>
                <span class="hl kwa">print</span> <span class="hl str">&quot;Adding DNS account</span> <span class="hl ipl">%s</span> <span class="hl str">with dns/ SPN&quot;</span> <span class="hl opt">%</span> msg<span class="hl opt">[</span><span class="hl str">&quot;dn&quot;</span><span class="hl opt">]</span>

                <span class="hl slc"># Remove dns password (we will set it as a modify, as we can&#39;t do clearTextPassword over LDAP)</span>
                <span class="hl kwa">del</span> msg<span class="hl opt">[</span><span class="hl str">&quot;clearTextPassword&quot;</span><span class="hl opt">]</span>
                <span class="hl slc"># Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP</span>
                <span class="hl kwa">del</span> msg<span class="hl opt">[</span><span class="hl str">&quot;isCriticalSystemObject&quot;</span><span class="hl opt">]</span>
                <span class="hl slc"># Disable account until password is set</span>
                msg<span class="hl opt">[</span><span class="hl str">&quot;userAccountControl&quot;</span><span class="hl opt">] =</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_NORMAL_ACCOUNT |
                                                samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_ACCOUNTDISABLE<span class="hl opt">)</span>
                <span class="hl kwa">try</span><span class="hl opt">:</span>
                    ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>msg<span class="hl opt">)</span>
                <span class="hl kwa">except</span> ldb<span class="hl opt">.</span>LdbError<span class="hl opt">, (</span>num<span class="hl opt">,</span> _<span class="hl opt">):</span>
                    <span class="hl kwa">if</span> num <span class="hl opt">!=</span> ldb<span class="hl opt">.</span>ERR_ENTRY_ALREADY_EXISTS<span class="hl opt">:</span>
                        <span class="hl kwa">raise</span>

            <span class="hl slc"># The account password set operation should normally be done over</span>
            <span class="hl slc"># LDAP. Windows 2000 DCs however allow this only with SSL</span>
            <span class="hl slc"># connections which are hard to set up and otherwise refuse with</span>
            <span class="hl slc"># ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet</span>
            <span class="hl slc"># over SAMR.</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Setting account password for dns-</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname
            <span class="hl kwa">try</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">setpassword</span><span class="hl opt">(</span><span class="hl str">&quot;(&amp;(objectClass=user)(samAccountName=dns-</span><span class="hl ipl">%s</span><span class="hl str">))&quot;</span>
                                      <span class="hl opt">%</span> ldb<span class="hl opt">.</span><span class="hl kwd">binary_encode</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">),</span>
                                      ctx<span class="hl opt">.</span>dnspass<span class="hl opt">,</span>
                                      force_change_at_next_login<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span>
                                      username<span class="hl opt">=</span>ctx<span class="hl opt">.</span>samname<span class="hl opt">)</span>
            <span class="hl kwa">except</span> ldb<span class="hl opt">.</span>LdbError<span class="hl opt">, (</span>num<span class="hl opt">,</span> _<span class="hl opt">):</span>
                <span class="hl kwa">if</span> num <span class="hl opt">!=</span> ldb<span class="hl opt">.</span>ERR_UNWILLING_TO_PERFORM<span class="hl opt">:</span>
                    <span class="hl kwa">raise</span>
                ctx<span class="hl opt">.</span>net<span class="hl opt">.</span><span class="hl kwd">set_password</span><span class="hl opt">(</span>account_name<span class="hl opt">=</span><span class="hl str">&quot;dns-</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span>
                                     domain_name<span class="hl opt">=</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span>
                                     newpassword<span class="hl opt">=</span>ctx<span class="hl opt">.</span>dnspass<span class="hl opt">)</span>

            res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>dns_acct_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span>
                                   attrs<span class="hl opt">=[</span><span class="hl str">&quot;msDS-KeyVersionNumber&quot;</span><span class="hl opt">])</span>
            <span class="hl kwa">if</span> <span class="hl str">&quot;msDS-KeyVersionNumber&quot;</span> <span class="hl kwa">in</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]:</span>
                ctx<span class="hl opt">.</span>dns_key_version_number <span class="hl opt">=</span> <span class="hl kwb">int</span><span class="hl opt">(</span>res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;msDS-KeyVersionNumber&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">])</span>
            <span class="hl kwa">else</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span>dns_key_version_number <span class="hl opt">=</span> <span class="hl kwa">None</span>

    <span class="hl kwa">def</span> <span class="hl kwd">join_add_objects2</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;add the various objects needed for the join, for subdomains post replication&quot;&quot;&quot;</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>partition_dn
        <span class="hl slc"># NOTE: windows sends a ntSecurityDescriptor here, we</span>
        <span class="hl slc"># let it default</span>
        rec <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>partition_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;crossRef&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;objectCategory&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;CN=Cross-Ref,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>schema_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;nCName&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;nETBIOSName&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span>
            <span class="hl str">&quot;dnsRoot&quot;</span><span class="hl opt">:</span> ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">,</span>
            <span class="hl str">&quot;trustParent&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>parent_partition_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;systemFlags&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_CR_NTDS_NC|samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_CR_NTDS_DOMAIN<span class="hl opt">)}</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-Behavior-Version&quot;</span><span class="hl opt">] =</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>behavior_version<span class="hl opt">)</span>

        rec2 <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>ntds_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;nTDSDSA&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;systemFlags&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE<span class="hl opt">),</span>
            <span class="hl str">&quot;dMDLocation&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>schema_dn<span class="hl opt">}</span>

        nc_list <span class="hl opt">= [</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>schema_dn <span class="hl opt">]</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">:</span>
            rec2<span class="hl opt">[</span><span class="hl str">&quot;msDS-Behavior-Version&quot;</span><span class="hl opt">] =</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>behavior_version<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">:</span>
            rec2<span class="hl opt">[</span><span class="hl str">&quot;msDS-HasDomainNCs&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>base_dn

        rec2<span class="hl opt">[</span><span class="hl str">&quot;objectCategory&quot;</span><span class="hl opt">] =</span> <span class="hl str">&quot;CN=NTDS-DSA,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>schema_dn
        rec2<span class="hl opt">[</span><span class="hl str">&quot;HasMasterNCs&quot;</span><span class="hl opt">]      =</span> nc_list
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">:</span>
            rec2<span class="hl opt">[</span><span class="hl str">&quot;msDS-HasMasterNCs&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>nc_list
        rec2<span class="hl opt">[</span><span class="hl str">&quot;options&quot;</span><span class="hl opt">] =</span> <span class="hl str">&quot;1&quot;</span>
        rec2<span class="hl opt">[</span><span class="hl str">&quot;invocationId&quot;</span><span class="hl opt">] =</span> <span class="hl kwd">ndr_pack</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>invocation_id<span class="hl opt">)</span>

        objects <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">DsAddEntry</span><span class="hl opt">([</span>rec<span class="hl opt">,</span> rec2<span class="hl opt">])</span>
        <span class="hl kwa">if</span> <span class="hl kwb">len</span><span class="hl opt">(</span>objects<span class="hl opt">) !=</span> <span class="hl num">2</span><span class="hl opt">:</span>
            <span class="hl kwa">raise</span> <span class="hl kwd">DCJoinException</span><span class="hl opt">(</span><span class="hl str">&quot;Expected 2 objects from DsAddEntry&quot;</span><span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>ntds_guid <span class="hl opt">=</span> objects<span class="hl opt">[</span><span class="hl num">1</span><span class="hl opt">].</span>guid

        <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;Replicating partition DN&quot;</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>partition_dn<span class="hl opt">,</span>
                           misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span><span class="hl str">&quot;00000000-0000-0000-0000-000000000000&quot;</span><span class="hl opt">),</span>
                           ctx<span class="hl opt">.</span>ntds_guid<span class="hl opt">,</span>
                           exop<span class="hl opt">=</span>drsuapi<span class="hl opt">.</span>DRSUAPI_EXOP_REPL_OBJ<span class="hl opt">,</span>
                           replica_flags<span class="hl opt">=</span>drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_WRIT_REP<span class="hl opt">)</span>

        <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;Replicating NTDS DN&quot;</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>ntds_dn<span class="hl opt">,</span>
                           misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span><span class="hl str">&quot;00000000-0000-0000-0000-000000000000&quot;</span><span class="hl opt">),</span>
                           ctx<span class="hl opt">.</span>ntds_guid<span class="hl opt">,</span>
                           exop<span class="hl opt">=</span>drsuapi<span class="hl opt">.</span>DRSUAPI_EXOP_REPL_OBJ<span class="hl opt">,</span>
                           replica_flags<span class="hl opt">=</span>drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_WRIT_REP<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">join_provision</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;Provision the local SAM.&quot;&quot;&quot;</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Calling bare provision&quot;</span>

        smbconf <span class="hl opt">=</span> ctx<span class="hl opt">.</span>lp<span class="hl opt">.</span>configfile

        presult <span class="hl opt">=</span> <span class="hl kwd">provision</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>logger<span class="hl opt">,</span> <span class="hl kwd">system_session</span><span class="hl opt">(),</span> smbconf<span class="hl opt">=</span>smbconf<span class="hl opt">,</span>
                targetdir<span class="hl opt">=</span>ctx<span class="hl opt">.</span>targetdir<span class="hl opt">,</span> samdb_fill<span class="hl opt">=</span>FILL_DRS<span class="hl opt">,</span> realm<span class="hl opt">=</span>ctx<span class="hl opt">.</span>realm<span class="hl opt">,</span>
                rootdn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>root_dn<span class="hl opt">,</span> domaindn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span>
                schemadn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>schema_dn<span class="hl opt">,</span> configdn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span>
                serverdn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>server_dn<span class="hl opt">,</span> domain<span class="hl opt">=</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span>
                hostname<span class="hl opt">=</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> domainsid<span class="hl opt">=</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">,</span>
                machinepass<span class="hl opt">=</span>ctx<span class="hl opt">.</span>acct_pass<span class="hl opt">,</span> serverrole<span class="hl opt">=</span><span class="hl str">&quot;active directory domain controller&quot;</span><span class="hl opt">,</span>
                sitename<span class="hl opt">=</span>ctx<span class="hl opt">.</span>site<span class="hl opt">,</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> ntdsguid<span class="hl opt">=</span>ctx<span class="hl opt">.</span>ntds_guid<span class="hl opt">,</span>
                use_ntvfs<span class="hl opt">=</span>ctx<span class="hl opt">.</span>use_ntvfs<span class="hl opt">,</span> dns_backend<span class="hl opt">=</span>ctx<span class="hl opt">.</span>dns_backend<span class="hl opt">)</span>
        <span class="hl kwa">print</span> <span class="hl str">&quot;Provision OK for domain DN</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> presult<span class="hl opt">.</span>domaindn
        ctx<span class="hl opt">.</span>local_samdb <span class="hl opt">=</span> presult<span class="hl opt">.</span>samdb
        ctx<span class="hl opt">.</span>lp          <span class="hl opt">=</span> presult<span class="hl opt">.</span>lp
        ctx<span class="hl opt">.</span>paths       <span class="hl opt">=</span> presult<span class="hl opt">.</span>paths
        ctx<span class="hl opt">.</span>names       <span class="hl opt">=</span> presult<span class="hl opt">.</span>names

    <span class="hl kwa">def</span> <span class="hl kwd">join_provision_own_domain</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;Provision the local SAM.&quot;&quot;&quot;</span>

        <span class="hl slc"># we now operate exclusively on the local database, which</span>
        <span class="hl slc"># we need to reopen in order to get the newly created schema</span>
        <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;Reconnecting to local samdb&quot;</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>samdb <span class="hl opt">=</span> <span class="hl kwd">SamDB</span><span class="hl opt">(</span>url<span class="hl opt">=</span>ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span>url<span class="hl opt">,</span>
                          session_info<span class="hl opt">=</span><span class="hl kwd">system_session</span><span class="hl opt">(),</span>
                          lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span>lp<span class="hl opt">,</span>
                          global_schema<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">set_invocation_id</span><span class="hl opt">(</span><span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>invocation_id<span class="hl opt">))</span>
        ctx<span class="hl opt">.</span>local_samdb <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb

        ctx<span class="hl opt">.</span>logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Finding domain GUID from ncName&quot;</span><span class="hl opt">)</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>partition_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&#39;ncName&#39;</span><span class="hl opt">],</span>
                                     controls<span class="hl opt">=[</span><span class="hl str">&quot;extended_dn:1:1&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;reveal_internals:0&quot;</span><span class="hl opt">])</span>

        <span class="hl kwa">if</span> <span class="hl str">&#39;nCName&#39;</span> <span class="hl kwa">not in</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]:</span>
            <span class="hl kwa">raise</span> <span class="hl kwd">DCJoinException</span><span class="hl opt">(</span><span class="hl str">&quot;Can&#39;t find naming context on partition DN</span> <span class="hl ipl">%s</span> <span class="hl str">in</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>partition_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span>url<span class="hl opt">))</span>

        <span class="hl kwa">try</span><span class="hl opt">:</span>
            domguid <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span>ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&#39;ncName&#39;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]).</span><span class="hl kwd">get_extended_component</span><span class="hl opt">(</span><span class="hl str">&#39;GUID&#39;</span><span class="hl opt">)))</span>
        <span class="hl kwa">except</span> <span class="hl kwc">KeyError</span><span class="hl opt">:</span>
            <span class="hl kwa">raise</span> <span class="hl kwd">DCJoinException</span><span class="hl opt">(</span><span class="hl str">&quot;Can&#39;t find GUID in naming master on partition DN</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&#39;ncName&#39;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">])</span>

        ctx<span class="hl opt">.</span>logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Got domain GUID</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> domguid<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Calling own domain provision&quot;</span><span class="hl opt">)</span>

        secrets_ldb <span class="hl opt">=</span> <span class="hl kwd">Ldb</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>paths<span class="hl opt">.</span>secrets<span class="hl opt">,</span> session_info<span class="hl opt">=</span><span class="hl kwd">system_session</span><span class="hl opt">(),</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>

        presult <span class="hl opt">=</span> <span class="hl kwd">provision_fill</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">,</span> secrets_ldb<span class="hl opt">,</span>
                                 ctx<span class="hl opt">.</span>logger<span class="hl opt">,</span> ctx<span class="hl opt">.</span>names<span class="hl opt">,</span> ctx<span class="hl opt">.</span>paths<span class="hl opt">,</span> domainsid<span class="hl opt">=</span>security<span class="hl opt">.</span><span class="hl kwd">dom_sid</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">),</span>
                                 domainguid<span class="hl opt">=</span>domguid<span class="hl opt">,</span>
                                 dom_for_fun_level<span class="hl opt">=</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">,</span>
                                 targetdir<span class="hl opt">=</span>ctx<span class="hl opt">.</span>targetdir<span class="hl opt">,</span> samdb_fill<span class="hl opt">=</span>FILL_SUBDOMAIN<span class="hl opt">,</span>
                                 machinepass<span class="hl opt">=</span>ctx<span class="hl opt">.</span>acct_pass<span class="hl opt">,</span> serverrole<span class="hl opt">=</span><span class="hl str">&quot;active directory domain controller&quot;</span><span class="hl opt">,</span>
                                 lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> hostip<span class="hl opt">=</span>ctx<span class="hl opt">.</span>names<span class="hl opt">.</span>hostip<span class="hl opt">,</span> hostip6<span class="hl opt">=</span>ctx<span class="hl opt">.</span>names<span class="hl opt">.</span>hostip6<span class="hl opt">,</span>
                                 dns_backend<span class="hl opt">=</span>ctx<span class="hl opt">.</span>dns_backend<span class="hl opt">,</span> adminpass<span class="hl opt">=</span>ctx<span class="hl opt">.</span>adminpass<span class="hl opt">)</span>
        <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;Provision OK for domain</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>names<span class="hl opt">.</span>dnsdomain<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">join_replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;Replicate the SAM.&quot;&quot;&quot;</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Starting replication&quot;</span>
        ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">transaction_start</span><span class="hl opt">()</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            source_dsa_invocation_id <span class="hl opt">=</span> misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_invocation_id</span><span class="hl opt">())</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>ntds_guid <span class="hl kwa">is None</span><span class="hl opt">:</span>
                <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;Using DS_BIND_GUID_W2K3&quot;</span><span class="hl opt">)</span>
                destination_dsa_guid <span class="hl opt">=</span> misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span>drsuapi<span class="hl opt">.</span>DRSUAPI_DS_BIND_GUID_W2K3<span class="hl opt">)</span>
            <span class="hl kwa">else</span><span class="hl opt">:</span>
                destination_dsa_guid <span class="hl opt">=</span> ctx<span class="hl opt">.</span>ntds_guid

            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>RODC<span class="hl opt">:</span>
                repl_creds <span class="hl opt">=</span> <span class="hl kwd">Credentials</span><span class="hl opt">()</span>
                repl_creds<span class="hl opt">.</span><span class="hl kwd">guess</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>
                repl_creds<span class="hl opt">.</span><span class="hl kwd">set_kerberos_state</span><span class="hl opt">(</span>DONT_USE_KERBEROS<span class="hl opt">)</span>
                repl_creds<span class="hl opt">.</span><span class="hl kwd">set_username</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samname<span class="hl opt">)</span>
                repl_creds<span class="hl opt">.</span><span class="hl kwd">set_password</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>acct_pass<span class="hl opt">)</span>
            <span class="hl kwa">else</span><span class="hl opt">:</span>
                repl_creds <span class="hl opt">=</span> ctx<span class="hl opt">.</span>creds

            binding_options <span class="hl opt">=</span> <span class="hl str">&quot;seal&quot;</span>
            <span class="hl kwa">if</span> <span class="hl kwb">int</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">.</span><span class="hl kwd">get</span><span class="hl opt">(</span><span class="hl str">&quot;log level&quot;</span><span class="hl opt">)) &gt;=</span> <span class="hl num">5</span><span class="hl opt">:</span>
                binding_options <span class="hl opt">+=</span> <span class="hl str">&quot;,print&quot;</span>
            repl <span class="hl opt">=</span> drs_utils<span class="hl opt">.</span><span class="hl kwd">drs_Replicate</span><span class="hl opt">(</span>
                <span class="hl str">&quot;ncacn_ip_tcp:</span><span class="hl ipl">%s</span><span class="hl str">[</span><span class="hl ipl">%s</span><span class="hl str">]&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>server<span class="hl opt">,</span> binding_options<span class="hl opt">),</span>
                ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> repl_creds<span class="hl opt">,</span> ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">,</span> ctx<span class="hl opt">.</span>invocation_id<span class="hl opt">)</span>

            repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>schema_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                    destination_dsa_guid<span class="hl opt">,</span> schema<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">,</span> rodc<span class="hl opt">=</span>ctx<span class="hl opt">.</span>RODC<span class="hl opt">,</span>
                    replica_flags<span class="hl opt">=</span>ctx<span class="hl opt">.</span>replica_flags<span class="hl opt">)</span>
            repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                    destination_dsa_guid<span class="hl opt">,</span> rodc<span class="hl opt">=</span>ctx<span class="hl opt">.</span>RODC<span class="hl opt">,</span>
                    replica_flags<span class="hl opt">=</span>ctx<span class="hl opt">.</span>replica_flags<span class="hl opt">)</span>
            <span class="hl kwa">if not</span> ctx<span class="hl opt">.</span>subdomain<span class="hl opt">:</span>
                <span class="hl slc"># Replicate first the critical object for the basedn</span>
                <span class="hl kwa">if not</span> ctx<span class="hl opt">.</span>domain_replica_flags <span class="hl opt">&amp;</span> drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_CRITICAL_ONLY<span class="hl opt">:</span>
                    <span class="hl kwa">print</span> <span class="hl str">&quot;Replicating critical objects from the base DN of the domain&quot;</span>
                    ctx<span class="hl opt">.</span>domain_replica_flags |<span class="hl opt">=</span> drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_CRITICAL_ONLY | drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_GET_ANC
                    repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                                destination_dsa_guid<span class="hl opt">,</span> rodc<span class="hl opt">=</span>ctx<span class="hl opt">.</span>RODC<span class="hl opt">,</span>
                                replica_flags<span class="hl opt">=</span>ctx<span class="hl opt">.</span>domain_replica_flags<span class="hl opt">)</span>
                    ctx<span class="hl opt">.</span>domain_replica_flags ^<span class="hl opt">=</span> drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_CRITICAL_ONLY | drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_GET_ANC
                <span class="hl kwa">else</span><span class="hl opt">:</span>
                    ctx<span class="hl opt">.</span>domain_replica_flags |<span class="hl opt">=</span> drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_GET_ANC
                repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                               destination_dsa_guid<span class="hl opt">,</span> rodc<span class="hl opt">=</span>ctx<span class="hl opt">.</span>RODC<span class="hl opt">,</span>
                               replica_flags<span class="hl opt">=</span>ctx<span class="hl opt">.</span>domain_replica_flags<span class="hl opt">)</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Done with always replicated NC (base, config, schema)&quot;</span>

            <span class="hl kwa">for</span> nc <span class="hl kwa">in</span> <span class="hl opt">(</span>ctx<span class="hl opt">.</span>domaindns_zone<span class="hl opt">,</span> ctx<span class="hl opt">.</span>forestdns_zone<span class="hl opt">):</span>
                <span class="hl kwa">if</span> nc <span class="hl kwa">in</span> ctx<span class="hl opt">.</span>nc_list<span class="hl opt">:</span>
                    <span class="hl kwa">print</span> <span class="hl str">&quot;Replicating</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span><span class="hl kwb">str</span><span class="hl opt">(</span>nc<span class="hl opt">))</span>
                    repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>nc<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                                    destination_dsa_guid<span class="hl opt">,</span> rodc<span class="hl opt">=</span>ctx<span class="hl opt">.</span>RODC<span class="hl opt">,</span>
                                    replica_flags<span class="hl opt">=</span>ctx<span class="hl opt">.</span>replica_flags<span class="hl opt">)</span>

            <span class="hl slc"># FIXME At this point we should add an entry in the forestdns and domaindns NC</span>
            <span class="hl slc"># (those under CN=Partions,DC=...)</span>
            <span class="hl slc"># in order to indicate that we hold a replica for this NC</span>

            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>RODC<span class="hl opt">:</span>
                repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                        destination_dsa_guid<span class="hl opt">,</span>
                        exop<span class="hl opt">=</span>drsuapi<span class="hl opt">.</span>DRSUAPI_EXOP_REPL_SECRET<span class="hl opt">,</span> rodc<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>
                repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>new_krbtgt_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                        destination_dsa_guid<span class="hl opt">,</span>
                        exop<span class="hl opt">=</span>drsuapi<span class="hl opt">.</span>DRSUAPI_EXOP_REPL_SECRET<span class="hl opt">,</span> rodc<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>
            ctx<span class="hl opt">.</span>repl <span class="hl opt">=</span> repl
            ctx<span class="hl opt">.</span>source_dsa_invocation_id <span class="hl opt">=</span> source_dsa_invocation_id
            ctx<span class="hl opt">.</span>destination_dsa_guid <span class="hl opt">=</span> destination_dsa_guid

            <span class="hl kwa">print</span> <span class="hl str">&quot;Committing SAM database&quot;</span>
        <span class="hl kwa">except</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">transaction_cancel</span><span class="hl opt">()</span>
            <span class="hl kwa">raise</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">transaction_commit</span><span class="hl opt">()</span>

    <span class="hl kwa">def</span> <span class="hl kwd">send_DsReplicaUpdateRefs</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> dn<span class="hl opt">):</span>
        r <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaUpdateRefsRequest1</span><span class="hl opt">()</span>
        r<span class="hl opt">.</span>naming_context <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaObjectIdentifier</span><span class="hl opt">()</span>
        r<span class="hl opt">.</span>naming_context<span class="hl opt">.</span>dn <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>dn<span class="hl opt">)</span>
        r<span class="hl opt">.</span>naming_context<span class="hl opt">.</span>guid <span class="hl opt">=</span> misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span><span class="hl str">&quot;00000000-0000-0000-0000-000000000000&quot;</span><span class="hl opt">)</span>
        r<span class="hl opt">.</span>naming_context<span class="hl opt">.</span>sid <span class="hl opt">=</span> security<span class="hl opt">.</span><span class="hl kwd">dom_sid</span><span class="hl opt">(</span><span class="hl str">&quot;S-0-0&quot;</span><span class="hl opt">)</span>
        r<span class="hl opt">.</span>dest_dsa_guid <span class="hl opt">=</span> ctx<span class="hl opt">.</span>ntds_guid
        r<span class="hl opt">.</span>dest_dsa_dns_name <span class="hl opt">=</span> <span class="hl str">&quot;</span><span class="hl ipl">%s</span><span class="hl str">._msdcs.</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span><span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>ntds_guid<span class="hl opt">),</span> ctx<span class="hl opt">.</span>dnsforest<span class="hl opt">)</span>
        r<span class="hl opt">.</span>options <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_ADD_REF | drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_DEL_REF
        <span class="hl kwa">if not</span> ctx<span class="hl opt">.</span>RODC<span class="hl opt">:</span>
            r<span class="hl opt">.</span>options |<span class="hl opt">=</span> drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_WRIT_REP

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>drsuapi<span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaUpdateRefs</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>drsuapi_handle<span class="hl opt">,</span> <span class="hl num">1</span><span class="hl opt">,</span> r<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">join_finalise</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;Finalise the join, mark us synchronised and setup secrets db.&quot;&quot;&quot;</span>

        <span class="hl slc"># FIXME we shouldn&#39;t do this in all cases</span>
        <span class="hl slc"># If for some reasons we joined in another site than the one of</span>
        <span class="hl slc"># DC we just replicated from then we don&#39;t need to send the updatereplicateref</span>
        <span class="hl slc"># as replication between sites is time based and on the initiative of the</span>
        <span class="hl slc"># requesting DC</span>
        ctx<span class="hl opt">.</span>logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Sending DsReplicaUpdateRefs for all the replicated partitions&quot;</span><span class="hl opt">)</span>
        <span class="hl kwa">for</span> nc <span class="hl kwa">in</span> ctx<span class="hl opt">.</span>nc_list<span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">send_DsReplicaUpdateRefs</span><span class="hl opt">(</span>nc<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>RODC<span class="hl opt">:</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Setting RODC invocationId&quot;</span>
            ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">set_invocation_id</span><span class="hl opt">(</span><span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>invocation_id<span class="hl opt">))</span>
            ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">set_opaque_integer</span><span class="hl opt">(</span><span class="hl str">&quot;domainFunctionality&quot;</span><span class="hl opt">,</span>
                                               ctx<span class="hl opt">.</span>behavior_version<span class="hl opt">)</span>
            m <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Message</span><span class="hl opt">()</span>
            m<span class="hl opt">.</span>dn <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">,</span> <span class="hl str">&quot;</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>ntds_dn<span class="hl opt">)</span>
            m<span class="hl opt">[</span><span class="hl str">&quot;invocationId&quot;</span><span class="hl opt">] =</span> ldb<span class="hl opt">.</span><span class="hl kwd">MessageElement</span><span class="hl opt">(</span><span class="hl kwd">ndr_pack</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>invocation_id<span class="hl opt">),</span>
                                                   ldb<span class="hl opt">.</span>FLAG_MOD_REPLACE<span class="hl opt">,</span>
                                                   <span class="hl str">&quot;invocationId&quot;</span><span class="hl opt">)</span>
            ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">modify</span><span class="hl opt">(</span>m<span class="hl opt">)</span>

            <span class="hl slc"># Note: as RODC the invocationId is only stored</span>
            <span class="hl slc"># on the RODC itself, the other DCs never see it.</span>
            <span class="hl slc">#</span>
            <span class="hl slc"># Thats is why we fix up the replPropertyMetaData stamp</span>
            <span class="hl slc"># for the &#39;invocationId&#39; attribute, we need to change</span>
            <span class="hl slc"># the &#39;version&#39; to &#39;0&#39;, this is what windows 2008r2 does as RODC</span>
            <span class="hl slc">#</span>
            <span class="hl slc"># This means if the object on a RWDC ever gets a invocationId</span>
            <span class="hl slc"># attribute, it will have version &#39;1&#39; (or higher), which will</span>
            <span class="hl slc"># will overwrite the RODC local value.</span>
            ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">set_attribute_replmetadata_version</span><span class="hl opt">(</span>m<span class="hl opt">.</span>dn<span class="hl opt">,</span>
                                                               <span class="hl str">&quot;invocationId&quot;</span><span class="hl opt">,</span>
                                                               <span class="hl num">0</span><span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Setting isSynchronized and dsServiceName&quot;</span><span class="hl opt">)</span>
        m <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Message</span><span class="hl opt">()</span>
        m<span class="hl opt">.</span>dn <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">,</span> <span class="hl str">&#39;&#64;ROOTDSE&#39;</span><span class="hl opt">)</span>
        m<span class="hl opt">[</span><span class="hl str">&quot;isSynchronized&quot;</span><span class="hl opt">] =</span> ldb<span class="hl opt">.</span><span class="hl kwd">MessageElement</span><span class="hl opt">(</span><span class="hl str">&quot;TRUE&quot;</span><span class="hl opt">,</span> ldb<span class="hl opt">.</span>FLAG_MOD_REPLACE<span class="hl opt">,</span> <span class="hl str">&quot;isSynchronized&quot;</span><span class="hl opt">)</span>
        m<span class="hl opt">[</span><span class="hl str">&quot;dsServiceName&quot;</span><span class="hl opt">] =</span> ldb<span class="hl opt">.</span><span class="hl kwd">MessageElement</span><span class="hl opt">(</span><span class="hl str">&quot;&lt;GUID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>ntds_guid<span class="hl opt">),</span>
                                                ldb<span class="hl opt">.</span>FLAG_MOD_REPLACE<span class="hl opt">,</span> <span class="hl str">&quot;dsServiceName&quot;</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">modify</span><span class="hl opt">(</span>m<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>subdomain<span class="hl opt">:</span>
            <span class="hl kwa">return</span>

        secrets_ldb <span class="hl opt">=</span> <span class="hl kwd">Ldb</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>paths<span class="hl opt">.</span>secrets<span class="hl opt">,</span> session_info<span class="hl opt">=</span><span class="hl kwd">system_session</span><span class="hl opt">(),</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Setting up secrets database&quot;</span><span class="hl opt">)</span>
        <span class="hl kwd">secretsdb_self_join</span><span class="hl opt">(</span>secrets_ldb<span class="hl opt">,</span> domain<span class="hl opt">=</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span>
                            realm<span class="hl opt">=</span>ctx<span class="hl opt">.</span>realm<span class="hl opt">,</span>
                            dnsdomain<span class="hl opt">=</span>ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">,</span>
                            netbiosname<span class="hl opt">=</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span>
                            domainsid<span class="hl opt">=</span>security<span class="hl opt">.</span><span class="hl kwd">dom_sid</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">),</span>
                            machinepass<span class="hl opt">=</span>ctx<span class="hl opt">.</span>acct_pass<span class="hl opt">,</span>
                            secure_channel_type<span class="hl opt">=</span>ctx<span class="hl opt">.</span>secure_channel_type<span class="hl opt">,</span>
                            key_version_number<span class="hl opt">=</span>ctx<span class="hl opt">.</span>key_version_number<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>dns_backend<span class="hl opt">.</span><span class="hl kwd">startswith</span><span class="hl opt">(</span><span class="hl str">&quot;BIND9_&quot;</span><span class="hl opt">):</span>
            <span class="hl kwd">setup_bind9_dns</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">,</span> secrets_ldb<span class="hl opt">,</span> security<span class="hl opt">.</span><span class="hl kwd">dom_sid</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">),</span>
                            ctx<span class="hl opt">.</span>names<span class="hl opt">,</span> ctx<span class="hl opt">.</span>paths<span class="hl opt">,</span> ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> ctx<span class="hl opt">.</span>logger<span class="hl opt">,</span>
                            dns_backend<span class="hl opt">=</span>ctx<span class="hl opt">.</span>dns_backend<span class="hl opt">,</span>
                            dnspass<span class="hl opt">=</span>ctx<span class="hl opt">.</span>dnspass<span class="hl opt">,</span> os_level<span class="hl opt">=</span>ctx<span class="hl opt">.</span>behavior_version<span class="hl opt">,</span>
                            targetdir<span class="hl opt">=</span>ctx<span class="hl opt">.</span>targetdir<span class="hl opt">,</span>
                            key_version_number<span class="hl opt">=</span>ctx<span class="hl opt">.</span>dns_key_version_number<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">join_setup_trusts</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;provision the local SAM.&quot;&quot;&quot;</span>

        <span class="hl kwa">def</span> <span class="hl kwd">arcfour_encrypt</span><span class="hl opt">(</span>key<span class="hl opt">,</span> data<span class="hl opt">):</span>
            <span class="hl kwa">from</span> Crypto<span class="hl opt">.</span>Cipher <span class="hl kwa">import</span> ARC4
            c <span class="hl opt">=</span> ARC4<span class="hl opt">.</span><span class="hl kwd">new</span><span class="hl opt">(</span>key<span class="hl opt">)</span>
            <span class="hl kwa">return</span> c<span class="hl opt">.</span><span class="hl kwd">encrypt</span><span class="hl opt">(</span>data<span class="hl opt">)</span>

        <span class="hl kwa">def</span> <span class="hl kwd">string_to_array</span><span class="hl opt">(</span>string<span class="hl opt">):</span>
            blob <span class="hl opt">= [</span><span class="hl num">0</span><span class="hl opt">] *</span> <span class="hl kwb">len</span><span class="hl opt">(</span>string<span class="hl opt">)</span>

            <span class="hl kwa">for</span> i <span class="hl kwa">in</span> <span class="hl kwb">range</span><span class="hl opt">(</span><span class="hl kwb">len</span><span class="hl opt">(</span>string<span class="hl opt">)):</span>
                blob<span class="hl opt">[</span>i<span class="hl opt">] =</span> <span class="hl kwb">ord</span><span class="hl opt">(</span>string<span class="hl opt">[</span>i<span class="hl opt">])</span>

            <span class="hl kwa">return</span> blob

        <span class="hl kwa">print</span> <span class="hl str">&quot;Setup domain trusts with server</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server
        binding_options <span class="hl opt">=</span> <span class="hl str">&quot;&quot;</span>  <span class="hl slc"># why doesn&#39;t signing work here? w2k8r2 claims no session key</span>
        lsaconn <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">lsarpc</span><span class="hl opt">(</span><span class="hl str">&quot;ncacn_np:</span><span class="hl ipl">%s</span><span class="hl str">[</span><span class="hl ipl">%s</span><span class="hl str">]&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>server<span class="hl opt">,</span> binding_options<span class="hl opt">),</span>
                             ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> ctx<span class="hl opt">.</span>creds<span class="hl opt">)</span>

        objectAttr <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">ObjectAttribute</span><span class="hl opt">()</span>
        objectAttr<span class="hl opt">.</span>sec_qos <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">QosInfo</span><span class="hl opt">()</span>

        pol_handle <span class="hl opt">=</span> lsaconn<span class="hl opt">.</span><span class="hl kwd">OpenPolicy2</span><span class="hl opt">(</span><span class="hl str">&#39;&#39;</span><span class="hl opt">.</span><span class="hl kwd">decode</span><span class="hl opt">(</span><span class="hl str">&#39;utf-8&#39;</span><span class="hl opt">),</span>
                                         objectAttr<span class="hl opt">,</span> security<span class="hl opt">.</span>SEC_FLAG_MAXIMUM_ALLOWED<span class="hl opt">)</span>

        info <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">TrustDomainInfoInfoEx</span><span class="hl opt">()</span>
        info<span class="hl opt">.</span>domain_name<span class="hl opt">.</span>string <span class="hl opt">=</span> ctx<span class="hl opt">.</span>dnsdomain
        info<span class="hl opt">.</span>netbios_name<span class="hl opt">.</span>string <span class="hl opt">=</span> ctx<span class="hl opt">.</span>domain_name
        info<span class="hl opt">.</span>sid <span class="hl opt">=</span> security<span class="hl opt">.</span><span class="hl kwd">dom_sid</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">)</span>
        info<span class="hl opt">.</span>trust_direction <span class="hl opt">=</span> lsa<span class="hl opt">.</span>LSA_TRUST_DIRECTION_INBOUND | lsa<span class="hl opt">.</span>LSA_TRUST_DIRECTION_OUTBOUND
        info<span class="hl opt">.</span>trust_type <span class="hl opt">=</span> lsa<span class="hl opt">.</span>LSA_TRUST_TYPE_UPLEVEL
        info<span class="hl opt">.</span>trust_attributes <span class="hl opt">=</span> lsa<span class="hl opt">.</span>LSA_TRUST_ATTRIBUTE_WITHIN_FOREST

        <span class="hl kwa">try</span><span class="hl opt">:</span>
            oldname <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">String</span><span class="hl opt">()</span>
            oldname<span class="hl opt">.</span>string <span class="hl opt">=</span> ctx<span class="hl opt">.</span>dnsdomain
            oldinfo <span class="hl opt">=</span> lsaconn<span class="hl opt">.</span><span class="hl kwd">QueryTrustedDomainInfoByName</span><span class="hl opt">(</span>pol_handle<span class="hl opt">,</span> oldname<span class="hl opt">,</span>
                                                           lsa<span class="hl opt">.</span>LSA_TRUSTED_DOMAIN_INFO_FULL_INFO<span class="hl opt">)</span>
            <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;Removing old trust record for</span> <span class="hl ipl">%s</span> <span class="hl str">(SID</span> <span class="hl ipl">%s</span><span class="hl str">)&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">,</span> oldinfo<span class="hl opt">.</span>info_ex<span class="hl opt">.</span>sid<span class="hl opt">))</span>
            lsaconn<span class="hl opt">.</span><span class="hl kwd">DeleteTrustedDomain</span><span class="hl opt">(</span>pol_handle<span class="hl opt">,</span> oldinfo<span class="hl opt">.</span>info_ex<span class="hl opt">.</span>sid<span class="hl opt">)</span>
        <span class="hl kwa">except</span> <span class="hl kwc">RuntimeError</span><span class="hl opt">:</span>
            <span class="hl kwa">pass</span>

        password_blob <span class="hl opt">=</span> <span class="hl kwd">string_to_array</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>trustdom_pass<span class="hl opt">.</span><span class="hl kwd">encode</span><span class="hl opt">(</span><span class="hl str">&#39;utf-16-le&#39;</span><span class="hl opt">))</span>

        clear_value <span class="hl opt">=</span> drsblobs<span class="hl opt">.</span><span class="hl kwd">AuthInfoClear</span><span class="hl opt">()</span>
        clear_value<span class="hl opt">.</span>size <span class="hl opt">=</span> <span class="hl kwb">len</span><span class="hl opt">(</span>password_blob<span class="hl opt">)</span>
        clear_value<span class="hl opt">.</span>password <span class="hl opt">=</span> password_blob

        clear_authentication_information <span class="hl opt">=</span> drsblobs<span class="hl opt">.</span><span class="hl kwd">AuthenticationInformation</span><span class="hl opt">()</span>
        clear_authentication_information<span class="hl opt">.</span>LastUpdateTime <span class="hl opt">=</span> samba<span class="hl opt">.</span><span class="hl kwd">unix2nttime</span><span class="hl opt">(</span><span class="hl kwb">int</span><span class="hl opt">(</span>time<span class="hl opt">.</span><span class="hl kwd">time</span><span class="hl opt">()))</span>
        clear_authentication_information<span class="hl opt">.</span>AuthType <span class="hl opt">=</span> lsa<span class="hl opt">.</span>TRUST_AUTH_TYPE_CLEAR
        clear_authentication_information<span class="hl opt">.</span>AuthInfo <span class="hl opt">=</span> clear_value

        authentication_information_array <span class="hl opt">=</span> drsblobs<span class="hl opt">.</span><span class="hl kwd">AuthenticationInformationArray</span><span class="hl opt">()</span>
        authentication_information_array<span class="hl opt">.</span>count <span class="hl opt">=</span> <span class="hl num">1</span>
        authentication_information_array<span class="hl opt">.</span>array <span class="hl opt">= [</span>clear_authentication_information<span class="hl opt">]</span>

        outgoing <span class="hl opt">=</span> drsblobs<span class="hl opt">.</span><span class="hl kwd">trustAuthInOutBlob</span><span class="hl opt">()</span>
        outgoing<span class="hl opt">.</span>count <span class="hl opt">=</span> <span class="hl num">1</span>
        outgoing<span class="hl opt">.</span>current <span class="hl opt">=</span> authentication_information_array

        trustpass <span class="hl opt">=</span> drsblobs<span class="hl opt">.</span><span class="hl kwd">trustDomainPasswords</span><span class="hl opt">()</span>
        confounder <span class="hl opt">= [</span><span class="hl num">3</span><span class="hl opt">] *</span> <span class="hl num">512</span>

        <span class="hl kwa">for</span> i <span class="hl kwa">in</span> <span class="hl kwb">range</span><span class="hl opt">(</span><span class="hl num">512</span><span class="hl opt">):</span>
            confounder<span class="hl opt">[</span>i<span class="hl opt">] =</span> random<span class="hl opt">.</span><span class="hl kwd">randint</span><span class="hl opt">(</span><span class="hl num">0</span><span class="hl opt">,</span> <span class="hl num">255</span><span class="hl opt">)</span>

        trustpass<span class="hl opt">.</span>confounder <span class="hl opt">=</span> confounder

        trustpass<span class="hl opt">.</span>outgoing <span class="hl opt">=</span> outgoing
        trustpass<span class="hl opt">.</span>incoming <span class="hl opt">=</span> outgoing

        trustpass_blob <span class="hl opt">=</span> <span class="hl kwd">ndr_pack</span><span class="hl opt">(</span>trustpass<span class="hl opt">)</span>

        encrypted_trustpass <span class="hl opt">=</span> <span class="hl kwd">arcfour_encrypt</span><span class="hl opt">(</span>lsaconn<span class="hl opt">.</span>session_key<span class="hl opt">,</span> trustpass_blob<span class="hl opt">)</span>

        auth_blob <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">DATA_BUF2</span><span class="hl opt">()</span>
        auth_blob<span class="hl opt">.</span>size <span class="hl opt">=</span> <span class="hl kwb">len</span><span class="hl opt">(</span>encrypted_trustpass<span class="hl opt">)</span>
        auth_blob<span class="hl opt">.</span>data <span class="hl opt">=</span> <span class="hl kwd">string_to_array</span><span class="hl opt">(</span>encrypted_trustpass<span class="hl opt">)</span>

        auth_info <span class="hl opt">=</span> lsa<span class="hl opt">.</span><span class="hl kwd">TrustDomainInfoAuthInfoInternal</span><span class="hl opt">()</span>
        auth_info<span class="hl opt">.</span>auth_blob <span class="hl opt">=</span> auth_blob

        trustdom_handle <span class="hl opt">=</span> lsaconn<span class="hl opt">.</span><span class="hl kwd">CreateTrustedDomainEx2</span><span class="hl opt">(</span>pol_handle<span class="hl opt">,</span>
                                                         info<span class="hl opt">,</span>
                                                         auth_info<span class="hl opt">,</span>
                                                         security<span class="hl opt">.</span>SEC_STD_DELETE<span class="hl opt">)</span>

        rec <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;cn=</span><span class="hl ipl">%s</span><span class="hl str">,cn=system,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>dnsforest<span class="hl opt">,</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">),</span>
            <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;trustedDomain&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;trustType&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>info<span class="hl opt">.</span>trust_type<span class="hl opt">),</span>
            <span class="hl str">&quot;trustAttributes&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>info<span class="hl opt">.</span>trust_attributes<span class="hl opt">),</span>
            <span class="hl str">&quot;trustDirection&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>info<span class="hl opt">.</span>trust_direction<span class="hl opt">),</span>
            <span class="hl str">&quot;flatname&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>forest_domain_name<span class="hl opt">,</span>
            <span class="hl str">&quot;trustPartner&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>dnsforest<span class="hl opt">,</span>
            <span class="hl str">&quot;trustAuthIncoming&quot;</span> <span class="hl opt">:</span> <span class="hl kwd">ndr_pack</span><span class="hl opt">(</span>outgoing<span class="hl opt">),</span>
            <span class="hl str">&quot;trustAuthOutgoing&quot;</span> <span class="hl opt">:</span> <span class="hl kwd">ndr_pack</span><span class="hl opt">(</span>outgoing<span class="hl opt">)</span>
            <span class="hl opt">}</span>
        ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">)</span>

        rec <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;cn=</span><span class="hl ipl">%s</span><span class="hl str">$,cn=users,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>forest_domain_name<span class="hl opt">,</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">),</span>
            <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;user&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;userAccountControl&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_INTERDOMAIN_TRUST_ACCOUNT<span class="hl opt">),</span>
            <span class="hl str">&quot;clearTextPassword&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>trustdom_pass<span class="hl opt">.</span><span class="hl kwd">encode</span><span class="hl opt">(</span><span class="hl str">&#39;utf-16-le&#39;</span><span class="hl opt">)</span>
            <span class="hl opt">}</span>
        ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">)</span>


    <span class="hl kwa">def</span> <span class="hl kwd">do_join</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl slc"># full_nc_list is the list of naming context (NC) for which we will</span>
        <span class="hl slc"># send a updateRef command to the partner DC</span>
        ctx<span class="hl opt">.</span>nc_list <span class="hl opt">= [</span> ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>schema_dn <span class="hl opt">]</span>

        <span class="hl kwa">if not</span> ctx<span class="hl opt">.</span>subdomain<span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>nc_list <span class="hl opt">+= [</span>ctx<span class="hl opt">.</span>base_dn<span class="hl opt">]</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>dns_backend <span class="hl opt">!=</span> <span class="hl str">&quot;NONE&quot;</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span>nc_list <span class="hl opt">+= [</span>ctx<span class="hl opt">.</span>domaindns_zone<span class="hl opt">]</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>dns_backend <span class="hl opt">!=</span> <span class="hl str">&quot;NONE&quot;</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>nc_list <span class="hl opt">+= [</span>ctx<span class="hl opt">.</span>forestdns_zone<span class="hl opt">]</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>promote_existing<span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">promote_possible</span><span class="hl opt">()</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">cleanup_old_join</span><span class="hl opt">()</span>

        <span class="hl kwa">try</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">join_add_objects</span><span class="hl opt">()</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">join_provision</span><span class="hl opt">()</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">join_replicate</span><span class="hl opt">()</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>subdomain<span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">join_add_objects2</span><span class="hl opt">()</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">join_provision_own_domain</span><span class="hl opt">()</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">join_setup_trusts</span><span class="hl opt">()</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">join_finalise</span><span class="hl opt">()</span>
        <span class="hl kwa">except</span><span class="hl opt">:</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Join failed - cleaning up&quot;</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">cleanup_old_join</span><span class="hl opt">()</span>
            <span class="hl kwa">raise</span>


<span class="hl kwa">def</span> <span class="hl kwd">join_RODC</span><span class="hl opt">(</span>logger<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> server<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> creds<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> lp<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> site<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> netbios_name<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
              targetdir<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> domain<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> domain_critical_only<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span>
              machinepass<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> use_ntvfs<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span> dns_backend<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
              promote_existing<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">):</span>
    <span class="hl str">&quot;&quot;&quot;Join as a RODC.&quot;&quot;&quot;</span>

    ctx <span class="hl opt">=</span> <span class="hl kwd">dc_join</span><span class="hl opt">(</span>logger<span class="hl opt">,</span> server<span class="hl opt">,</span> creds<span class="hl opt">,</span> lp<span class="hl opt">,</span> site<span class="hl opt">,</span> netbios_name<span class="hl opt">,</span> targetdir<span class="hl opt">,</span> domain<span class="hl opt">,</span>
                  machinepass<span class="hl opt">,</span> use_ntvfs<span class="hl opt">,</span> dns_backend<span class="hl opt">,</span> promote_existing<span class="hl opt">)</span>

    lp<span class="hl opt">.</span><span class="hl kwb">set</span><span class="hl opt">(</span><span class="hl str">&quot;workgroup&quot;</span><span class="hl opt">,</span> ctx<span class="hl opt">.</span>domain_name<span class="hl opt">)</span>
    logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;workgroup is</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>domain_name<span class="hl opt">)</span>

    lp<span class="hl opt">.</span><span class="hl kwb">set</span><span class="hl opt">(</span><span class="hl str">&quot;realm&quot;</span><span class="hl opt">,</span> ctx<span class="hl opt">.</span>realm<span class="hl opt">)</span>
    logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;realm is</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>realm<span class="hl opt">)</span>

    ctx<span class="hl opt">.</span>krbtgt_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=krbtgt_</span><span class="hl ipl">%s</span><span class="hl str">,CN=Users,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">)</span>

    <span class="hl slc"># setup some defaults for accounts that should be replicated to this RODC</span>
    ctx<span class="hl opt">.</span>never_reveal_sid <span class="hl opt">= [</span>
        <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s-%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">,</span> security<span class="hl opt">.</span>DOMAIN_RID_RODC_DENY<span class="hl opt">),</span>
        <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> security<span class="hl opt">.</span>SID_BUILTIN_ADMINISTRATORS<span class="hl opt">,</span>
        <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> security<span class="hl opt">.</span>SID_BUILTIN_SERVER_OPERATORS<span class="hl opt">,</span>
        <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> security<span class="hl opt">.</span>SID_BUILTIN_BACKUP_OPERATORS<span class="hl opt">,</span>
        <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> security<span class="hl opt">.</span>SID_BUILTIN_ACCOUNT_OPERATORS<span class="hl opt">]</span>
    ctx<span class="hl opt">.</span>reveal_sid <span class="hl opt">=</span> <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s-%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">,</span> security<span class="hl opt">.</span>DOMAIN_RID_RODC_ALLOW<span class="hl opt">)</span>

    mysid <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_mysid</span><span class="hl opt">()</span>
    admin_dn <span class="hl opt">=</span> <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> mysid
    ctx<span class="hl opt">.</span>managedby <span class="hl opt">=</span> admin_dn

    ctx<span class="hl opt">.</span>userAccountControl <span class="hl opt">= (</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_WORKSTATION_TRUST_ACCOUNT |
                              samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION |
                              samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_PARTIAL_SECRETS_ACCOUNT<span class="hl opt">)</span>

    ctx<span class="hl opt">.</span>SPNs<span class="hl opt">.</span><span class="hl kwd">extend</span><span class="hl opt">([</span> <span class="hl str">&quot;RestrictedKrbHost/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span>
                      <span class="hl str">&quot;RestrictedKrbHost/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>dnshostname <span class="hl opt">])</span>

    ctx<span class="hl opt">.</span>connection_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=RODC Connection (FRS),</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>ntds_dn
    ctx<span class="hl opt">.</span>secure_channel_type <span class="hl opt">=</span> misc<span class="hl opt">.</span>SEC_CHAN_RODC
    ctx<span class="hl opt">.</span>RODC <span class="hl opt">=</span> <span class="hl kwa">True</span>
    ctx<span class="hl opt">.</span>replica_flags  <span class="hl opt">=  (</span>drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_INIT_SYNC |
                           drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_PER_SYNC |
                           drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_GET_ANC |
                           drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_NEVER_SYNCED |
                           drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |
                           drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span>domain_replica_flags <span class="hl opt">=</span> ctx<span class="hl opt">.</span>replica_flags
    <span class="hl kwa">if</span> domain_critical_only<span class="hl opt">:</span>
        ctx<span class="hl opt">.</span>domain_replica_flags |<span class="hl opt">=</span> drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_CRITICAL_ONLY

    ctx<span class="hl opt">.</span><span class="hl kwd">do_join</span><span class="hl opt">()</span>

    logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Joined domain</span> <span class="hl ipl">%s</span> <span class="hl str">(SID</span> <span class="hl ipl">%s</span><span class="hl str">) as an RODC&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span> ctx<span class="hl opt">.</span>domsid<span class="hl opt">))</span>


<span class="hl kwa">def</span> <span class="hl kwd">join_DC</span><span class="hl opt">(</span>logger<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> server<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> creds<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> lp<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> site<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> netbios_name<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
            targetdir<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> domain<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> domain_critical_only<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span>
            machinepass<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> use_ntvfs<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span> dns_backend<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
            promote_existing<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">):</span>
    <span class="hl str">&quot;&quot;&quot;Join as a DC.&quot;&quot;&quot;</span>
    ctx <span class="hl opt">=</span> <span class="hl kwd">dc_join</span><span class="hl opt">(</span>logger<span class="hl opt">,</span> server<span class="hl opt">,</span> creds<span class="hl opt">,</span> lp<span class="hl opt">,</span> site<span class="hl opt">,</span> netbios_name<span class="hl opt">,</span> targetdir<span class="hl opt">,</span> domain<span class="hl opt">,</span>
                  machinepass<span class="hl opt">,</span> use_ntvfs<span class="hl opt">,</span> dns_backend<span class="hl opt">,</span> promote_existing<span class="hl opt">)</span>

    lp<span class="hl opt">.</span><span class="hl kwb">set</span><span class="hl opt">(</span><span class="hl str">&quot;workgroup&quot;</span><span class="hl opt">,</span> ctx<span class="hl opt">.</span>domain_name<span class="hl opt">)</span>
    logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;workgroup is</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>domain_name<span class="hl opt">)</span>

    lp<span class="hl opt">.</span><span class="hl kwb">set</span><span class="hl opt">(</span><span class="hl str">&quot;realm&quot;</span><span class="hl opt">,</span> ctx<span class="hl opt">.</span>realm<span class="hl opt">)</span>
    logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;realm is</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>realm<span class="hl opt">)</span>

    ctx<span class="hl opt">.</span>userAccountControl <span class="hl opt">=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_SERVER_TRUST_ACCOUNT | samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_TRUSTED_FOR_DELEGATION

    ctx<span class="hl opt">.</span>SPNs<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span><span class="hl str">&#39;E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span>secure_channel_type <span class="hl opt">=</span> misc<span class="hl opt">.</span>SEC_CHAN_BDC

    ctx<span class="hl opt">.</span>replica_flags <span class="hl opt">= (</span>drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_WRIT_REP |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_INIT_SYNC |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_PER_SYNC |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_NEVER_SYNCED<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span>domain_replica_flags <span class="hl opt">=</span> ctx<span class="hl opt">.</span>replica_flags
    <span class="hl kwa">if</span> domain_critical_only<span class="hl opt">:</span>
        ctx<span class="hl opt">.</span>domain_replica_flags |<span class="hl opt">=</span> drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_CRITICAL_ONLY

    ctx<span class="hl opt">.</span><span class="hl kwd">do_join</span><span class="hl opt">()</span>
    logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Joined domain</span> <span class="hl ipl">%s</span> <span class="hl str">(SID</span> <span class="hl ipl">%s</span><span class="hl str">) as a DC&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span> ctx<span class="hl opt">.</span>domsid<span class="hl opt">))</span>

<span class="hl kwa">def</span> <span class="hl kwd">join_subdomain</span><span class="hl opt">(</span>logger<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> server<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> creds<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> lp<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> site<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
        netbios_name<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> targetdir<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> parent_domain<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> dnsdomain<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
        netbios_domain<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> machinepass<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> adminpass<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> use_ntvfs<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span>
        dns_backend<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">):</span>
    <span class="hl str">&quot;&quot;&quot;Join as a DC.&quot;&quot;&quot;</span>
    ctx <span class="hl opt">=</span> <span class="hl kwd">dc_join</span><span class="hl opt">(</span>logger<span class="hl opt">,</span> server<span class="hl opt">,</span> creds<span class="hl opt">,</span> lp<span class="hl opt">,</span> site<span class="hl opt">,</span> netbios_name<span class="hl opt">,</span> targetdir<span class="hl opt">,</span> parent_domain<span class="hl opt">,</span>
                  machinepass<span class="hl opt">,</span> use_ntvfs<span class="hl opt">,</span> dns_backend<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span>subdomain <span class="hl opt">=</span> <span class="hl kwa">True</span>
    <span class="hl kwa">if</span> adminpass <span class="hl kwa">is None</span><span class="hl opt">:</span>
        ctx<span class="hl opt">.</span>adminpass <span class="hl opt">=</span> samba<span class="hl opt">.</span><span class="hl kwd">generate_random_password</span><span class="hl opt">(</span><span class="hl num">12</span><span class="hl opt">,</span> <span class="hl num">32</span><span class="hl opt">)</span>
    <span class="hl kwa">else</span><span class="hl opt">:</span>
        ctx<span class="hl opt">.</span>adminpass <span class="hl opt">=</span> adminpass
    ctx<span class="hl opt">.</span>parent_domain_name <span class="hl opt">=</span> ctx<span class="hl opt">.</span>domain_name
    ctx<span class="hl opt">.</span>domain_name <span class="hl opt">=</span> netbios_domain
    ctx<span class="hl opt">.</span>realm <span class="hl opt">=</span> dnsdomain
    ctx<span class="hl opt">.</span>parent_dnsdomain <span class="hl opt">=</span> ctx<span class="hl opt">.</span>dnsdomain
    ctx<span class="hl opt">.</span>parent_partition_dn <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_parent_partition_dn</span><span class="hl opt">()</span>
    ctx<span class="hl opt">.</span>dnsdomain <span class="hl opt">=</span> dnsdomain
    ctx<span class="hl opt">.</span>partition_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=</span><span class="hl ipl">%s</span><span class="hl str">,CN=Partitions,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span> ctx<span class="hl opt">.</span>config_dn<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span>naming_master <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_naming_master</span><span class="hl opt">()</span>
    <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>naming_master <span class="hl opt">!=</span> ctx<span class="hl opt">.</span>server<span class="hl opt">:</span>
        logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Reconnecting to naming master</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>naming_master<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>server <span class="hl opt">=</span> ctx<span class="hl opt">.</span>naming_master
        ctx<span class="hl opt">.</span>samdb <span class="hl opt">=</span> <span class="hl kwd">SamDB</span><span class="hl opt">(</span>url<span class="hl opt">=</span><span class="hl str">&quot;ldap://</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server<span class="hl opt">,</span>
                          session_info<span class="hl opt">=</span><span class="hl kwd">system_session</span><span class="hl opt">(),</span>
                          credentials<span class="hl opt">=</span>ctx<span class="hl opt">.</span>creds<span class="hl opt">,</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span><span class="hl str">&quot;&quot;</span><span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&#39;dnsHostName&#39;</span><span class="hl opt">],</span>
                               controls<span class="hl opt">=[])</span>
        ctx<span class="hl opt">.</span>server <span class="hl opt">=</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;dnsHostName&quot;</span><span class="hl opt">]</span>
        logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;DNS name of new naming master is</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server<span class="hl opt">)</span>

    ctx<span class="hl opt">.</span>base_dn <span class="hl opt">=</span> samba<span class="hl opt">.</span><span class="hl kwd">dn_from_dns_name</span><span class="hl opt">(</span>dnsdomain<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span>domsid <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>security<span class="hl opt">.</span><span class="hl kwd">random_sid</span><span class="hl opt">())</span>
    ctx<span class="hl opt">.</span>acct_dn <span class="hl opt">=</span> <span class="hl kwa">None</span>
    ctx<span class="hl opt">.</span>dnshostname <span class="hl opt">=</span> <span class="hl str">&quot;</span><span class="hl ipl">%s</span><span class="hl str">.</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span>trustdom_pass <span class="hl opt">=</span> samba<span class="hl opt">.</span><span class="hl kwd">generate_random_password</span><span class="hl opt">(</span><span class="hl num">128</span><span class="hl opt">,</span> <span class="hl num">128</span><span class="hl opt">)</span>

    ctx<span class="hl opt">.</span>userAccountControl <span class="hl opt">=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_SERVER_TRUST_ACCOUNT | samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_TRUSTED_FOR_DELEGATION

    ctx<span class="hl opt">.</span>SPNs<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span><span class="hl str">&#39;E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span>secure_channel_type <span class="hl opt">=</span> misc<span class="hl opt">.</span>SEC_CHAN_BDC

    ctx<span class="hl opt">.</span>replica_flags <span class="hl opt">= (</span>drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_WRIT_REP |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_INIT_SYNC |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_PER_SYNC |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_NEVER_SYNCED<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span>domain_replica_flags <span class="hl opt">=</span> ctx<span class="hl opt">.</span>replica_flags

    ctx<span class="hl opt">.</span><span class="hl kwd">do_join</span><span class="hl opt">()</span>
    ctx<span class="hl opt">.</span>logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span><span class="hl str">&quot;Created domain</span> <span class="hl ipl">%s</span> <span class="hl str">(SID</span> <span class="hl ipl">%s</span><span class="hl str">) as a DC&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span> ctx<span class="hl opt">.</span>domsid<span class="hl opt">))</span>
</code></pre></td></tr></table>
</div> <!-- class=content -->
<div class='footer'>generated by <a href='https://git.zx2c4.com/cgit/about/'>cgit </a> (<a href='https://git-scm.com/'>git 2.34.1</a>) at 2026-03-27 22:49:35 +0000</div>
</div> <!-- id=cgit -->
</body>
</html>