/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright (C) 1998 by the FundsXpress, INC.
 *
 * All rights reserved.
 *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government.  It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  FundsXpress makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

#include "k5-int.h"
#include "aead.h"

/*
 * Because our built-in HMAC implementation doesn't need to invoke any
 * encryption or keyed hash functions, it is simplest to define it in terms of
 * keyblocks, and then supply a simple wrapper for the "normal" krb5_key-using
 * interfaces.  The keyblock interfaces are useful for code which creates
 * intermediate keyblocks.
 */

/*
 * The HMAC transform looks like:
 *
 * H(K XOR opad, H(K XOR ipad, text))
 *
 * where H is a cryptographic hash
 * K is an n byte key
 * ipad is the byte 0x36 repeated blocksize times
 * opad is the byte 0x5c repeated blocksize times
 * and text is the data being protected
 */

krb5_error_code
krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
                      const krb5_keyblock *keyblock,
                      const krb5_crypto_iov *data, size_t num_data,
                      krb5_data *output)
{
    unsigned char *xorkey = NULL, *ihash = NULL;
    unsigned int i;
    krb5_crypto_iov *ihash_iov = NULL, ohash_iov[2];
    krb5_data hashout;
    krb5_error_code ret;

    if (keyblock->length > hash->blocksize)
        return KRB5_CRYPTO_INTERNAL;
    if (output->length < hash->hashsize)
        return KRB5_BAD_MSIZE;

    /* Allocate space for the xor key, hash input vector, and inner hash */
    xorkey = k5alloc(hash->blocksize, &ret);
    if (xorkey == NULL)
        goto cleanup;
    ihash = k5alloc(hash->hashsize, &ret);
    if (ihash == NULL)
        goto cleanup;
    ihash_iov = k5alloc((num_data + 1) * sizeof(krb5_crypto_iov), &ret);
    if (ihash_iov == NULL)
        goto cleanup;

    /* Create the inner padded key. */
    memset(xorkey, 0x36, hash->blocksize);
    for (i = 0; i < keyblock->length; i++)
        xorkey[i] ^= keyblock->contents[i];

    /* Compute the inner hash over the inner key and input data. */
    ihash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
    ihash_iov[0].data = make_data(xorkey, hash->blocksize);
    memcpy(ihash_iov + 1, data, num_data * sizeof(krb5_crypto_iov));
    hashout = make_data(ihash, hash->hashsize);
    ret = hash->hash(ihash_iov, num_data + 1, &hashout);
    if (ret != 0)
        goto cleanup;

    /* Create the outer padded key. */
    memset(xorkey, 0x5c, hash->blocksize);
    for (i = 0; i < keyblock->length; i++)
        xorkey[i] ^= keyblock->contents[i];

    /* Compute the outer hash over the outer key and inner hash value. */
    ohash_iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
    ohash_iov[0].data = make_data(xorkey, hash->blocksize);
    ohash_iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
    ohash_iov[1].data = make_data(ihash, hash->hashsize);
    output->length = hash->hashsize;
    ret = hash->hash(ohash_iov, 2, output);
    if (ret != 0)
        memset(output->data, 0, output->length);

cleanup:
    zapfree(xorkey, hash->blocksize);
    zapfree(ihash, hash->hashsize);
    free(ihash_iov);
    return ret;
}

krb5_error_code
krb5int_hmac(const struct krb5_hash_provider *hash, krb5_key key,
             const krb5_crypto_iov *data, size_t num_data,
             krb5_data *output)
{
    return krb5int_hmac_keyblock(hash, &key->keyblock, data, num_data, output);
}
</a>
<a id='n15' href='#n15'>15</a>
<a id='n16' href='#n16'>16</a>
<a id='n17' href='#n17'>17</a>
<a id='n18' href='#n18'>18</a>
<a id='n19' href='#n19'>19</a>
<a id='n20' href='#n20'>20</a>
<a id='n21' href='#n21'>21</a>
<a id='n22' href='#n22'>22</a>
<a id='n23' href='#n23'>23</a>
<a id='n24' href='#n24'>24</a>
<a id='n25' href='#n25'>25</a>
<a id='n26' href='#n26'>26</a>
<a id='n27' href='#n27'>27</a>
<a id='n28' href='#n28'>28</a>
<a id='n29' href='#n29'>29</a>
<a id='n30' href='#n30'>30</a>
<a id='n31' href='#n31'>31</a>
<a id='n32' href='#n32'>32</a>
<a id='n33' href='#n33'>33</a>
<a id='n34' href='#n34'>34</a>
<a id='n35' href='#n35'>35</a>
<a id='n36' href='#n36'>36</a>
<a id='n37' href='#n37'>37</a>
<a id='n38' href='#n38'>38</a>
<a id='n39' href='#n39'>39</a>
<a id='n40' href='#n40'>40</a>
<a id='n41' href='#n41'>41</a>
<a id='n42' href='#n42'>42</a>
<a id='n43' href='#n43'>43</a>
<a id='n44' href='#n44'>44</a>
<a id='n45' href='#n45'>45</a>
<a id='n46' href='#n46'>46</a>
<a id='n47' href='#n47'>47</a>
<a id='n48' href='#n48'>48</a>
<a id='n49' href='#n49'>49</a>
<a id='n50' href='#n50'>50</a>
<a id='n51' href='#n51'>51</a>
<a id='n52' href='#n52'>52</a>
<a id='n53' href='#n53'>53</a>
<a id='n54' href='#n54'>54</a>
<a id='n55' href='#n55'>55</a>
<a id='n56' href='#n56'>56</a>
<a id='n57' href='#n57'>57</a>
<a id='n58' href='#n58'>58</a>
<a id='n59' href='#n59'>59</a>
<a id='n60' href='#n60'>60</a>
<a id='n61' href='#n61'>61</a>
<a id='n62' href='#n62'>62</a>
<a id='n63' href='#n63'>63</a>
<a id='n64' href='#n64'>64</a>
<a id='n65' href='#n65'>65</a>
<a id='n66' href='#n66'>66</a>
<a id='n67' href='#n67'>67</a>
<a id='n68' href='#n68'>68</a>
<a id='n69' href='#n69'>69</a>
<a id='n70' href='#n70'>70</a>
<a id='n71' href='#n71'>71</a>
<a id='n72' href='#n72'>72</a>
<a id='n73' href='#n73'>73</a>
<a id='n74' href='#n74'>74</a>
<a id='n75' href='#n75'>75</a>
<a id='n76' href='#n76'>76</a>
<a id='n77' href='#n77'>77</a>
<a id='n78' href='#n78'>78</a>
<a id='n79' href='#n79'>79</a>
<a id='n80' href='#n80'>80</a>
<a id='n81' href='#n81'>81</a>
<a id='n82' href='#n82'>82</a>
<a id='n83' href='#n83'>83</a>
<a id='n84' href='#n84'>84</a>
<a id='n85' href='#n85'>85</a>
<a id='n86' href='#n86'>86</a>
<a id='n87' href='#n87'>87</a>
<a id='n88' href='#n88'>88</a>
<a id='n89' href='#n89'>89</a>
<a id='n90' href='#n90'>90</a>
<a id='n91' href='#n91'>91</a>
<a id='n92' href='#n92'>92</a>
<a id='n93' href='#n93'>93</a>
<a id='n94' href='#n94'>94</a>
<a id='n95' href='#n95'>95</a>
<a id='n96' href='#n96'>96</a>
<a id='n97' href='#n97'>97</a>
<a id='n98' href='#n98'>98</a>
<a id='n99' href='#n99'>99</a>
<a id='n100' href='#n100'>100</a>
<a id='n101' href='#n101'>101</a>
<a id='n102' href='#n102'>102</a>
<a id='n103' href='#n103'>103</a>
<a id='n104' href='#n104'>104</a>
<a id='n105' href='#n105'>105</a>
<a id='n106' href='#n106'>106</a>
<a id='n107' href='#n107'>107</a>
<a id='n108' href='#n108'>108</a>
<a id='n109' href='#n109'>109</a>
<a id='n110' href='#n110'>110</a>
<a id='n111' href='#n111'>111</a>
<a id='n112' href='#n112'>112</a>
<a id='n113' href='#n113'>113</a>
<a id='n114' href='#n114'>114</a>
<a id='n115' href='#n115'>115</a>
<a id='n116' href='#n116'>116</a>
<a id='n117' href='#n117'>117</a>
<a id='n118' href='#n118'>118</a>
<a id='n119' href='#n119'>119</a>
<a id='n120' href='#n120'>120</a>
<a id='n121' href='#n121'>121</a>
<a id='n122' href='#n122'>122</a>
<a id='n123' href='#n123'>123</a>
<a id='n124' href='#n124'>124</a>
<a id='n125' href='#n125'>125</a>
<a id='n126' href='#n126'>126</a>
<a id='n127' href='#n127'>127</a>
<a id='n128' href='#n128'>128</a>
<a id='n129' href='#n129'>129</a>
<a id='n130' href='#n130'>130</a>
<a id='n131' href='#n131'>131</a>
<a id='n132' href='#n132'>132</a>
<a id='n133' href='#n133'>133</a>
<a id='n134' href='#n134'>134</a>
<a id='n135' href='#n135'>135</a>
<a id='n136' href='#n136'>136</a>
<a id='n137' href='#n137'>137</a>
<a id='n138' href='#n138'>138</a>
<a id='n139' href='#n139'>139</a>
<a id='n140' href='#n140'>140</a>
<a id='n141' href='#n141'>141</a>
<a id='n142' href='#n142'>142</a>
<a id='n143' href='#n143'>143</a>
<a id='n144' href='#n144'>144</a>
<a id='n145' href='#n145'>145</a>
<a id='n146' href='#n146'>146</a>
<a id='n147' href='#n147'>147</a>
<a id='n148' href='#n148'>148</a>
<a id='n149' href='#n149'>149</a>
<a id='n150' href='#n150'>150</a>
<a id='n151' href='#n151'>151</a>
<a id='n152' href='#n152'>152</a>
<a id='n153' href='#n153'>153</a>
<a id='n154' href='#n154'>154</a>
<a id='n155' href='#n155'>155</a>
<a id='n156' href='#n156'>156</a>
<a id='n157' href='#n157'>157</a>
<a id='n158' href='#n158'>158</a>
<a id='n159' href='#n159'>159</a>
<a id='n160' href='#n160'>160</a>
<a id='n161' href='#n161'>161</a>
<a id='n162' href='#n162'>162</a>
<a id='n163' href='#n163'>163</a>
<a id='n164' href='#n164'>164</a>
<a id='n165' href='#n165'>165</a>
<a id='n166' href='#n166'>166</a>
<a id='n167' href='#n167'>167</a>
<a id='n168' href='#n168'>168</a>
<a id='n169' href='#n169'>169</a>
<a id='n170' href='#n170'>170</a>
<a id='n171' href='#n171'>171</a>
<a id='n172' href='#n172'>172</a>
<a id='n173' href='#n173'>173</a>
<a id='n174' href='#n174'>174</a>
<a id='n175' href='#n175'>175</a>
<a id='n176' href='#n176'>176</a>
<a id='n177' href='#n177'>177</a>
<a id='n178' href='#n178'>178</a>
<a id='n179' href='#n179'>179</a>
<a id='n180' href='#n180'>180</a>
<a id='n181' href='#n181'>181</a>
<a id='n182' href='#n182'>182</a>
<a id='n183' href='#n183'>183</a>
<a id='n184' href='#n184'>184</a>
<a id='n185' href='#n185'>185</a>
<a id='n186' href='#n186'>186</a>
<a id='n187' href='#n187'>187</a>
<a id='n188' href='#n188'>188</a>
<a id='n189' href='#n189'>189</a>
<a id='n190' href='#n190'>190</a>
<a id='n191' href='#n191'>191</a>
<a id='n192' href='#n192'>192</a>
<a id='n193' href='#n193'>193</a>
<a id='n194' href='#n194'>194</a>
<a id='n195' href='#n195'>195</a>
<a id='n196' href='#n196'>196</a>
<a id='n197' href='#n197'>197</a>
<a id='n198' href='#n198'>198</a>
<a id='n199' href='#n199'>199</a>
<a id='n200' href='#n200'>200</a>
<a id='n201' href='#n201'>201</a>
<a id='n202' href='#n202'>202</a>
<a id='n203' href='#n203'>203</a>
<a id='n204' href='#n204'>204</a>
<a id='n205' href='#n205'>205</a>
<a id='n206' href='#n206'>206</a>
<a id='n207' href='#n207'>207</a>
<a id='n208' href='#n208'>208</a>
<a id='n209' href='#n209'>209</a>
<a id='n210' href='#n210'>210</a>
<a id='n211' href='#n211'>211</a>
<a id='n212' href='#n212'>212</a>
<a id='n213' href='#n213'>213</a>
<a id='n214' href='#n214'>214</a>
<a id='n215' href='#n215'>215</a>
<a id='n216' href='#n216'>216</a>
<a id='n217' href='#n217'>217</a>
<a id='n218' href='#n218'>218</a>
<a id='n219' href='#n219'>219</a>
<a id='n220' href='#n220'>220</a>
<a id='n221' href='#n221'>221</a>
<a id='n222' href='#n222'>222</a>
<a id='n223' href='#n223'>223</a>
<a id='n224' href='#n224'>224</a>
<a id='n225' href='#n225'>225</a>
<a id='n226' href='#n226'>226</a>
<a id='n227' href='#n227'>227</a>
<a id='n228' href='#n228'>228</a>
<a id='n229' href='#n229'>229</a>
<a id='n230' href='#n230'>230</a>
<a id='n231' href='#n231'>231</a>
<a id='n232' href='#n232'>232</a>
<a id='n233' href='#n233'>233</a>
<a id='n234' href='#n234'>234</a>
<a id='n235' href='#n235'>235</a>
<a id='n236' href='#n236'>236</a>
<a id='n237' href='#n237'>237</a>
<a id='n238' href='#n238'>238</a>
<a id='n239' href='#n239'>239</a>
<a id='n240' href='#n240'>240</a>
<a id='n241' href='#n241'>241</a>
<a id='n242' href='#n242'>242</a>
<a id='n243' href='#n243'>243</a>
<a id='n244' href='#n244'>244</a>
<a id='n245' href='#n245'>245</a>
<a id='n246' href='#n246'>246</a>
<a id='n247' href='#n247'>247</a>
<a id='n248' href='#n248'>248</a>
<a id='n249' href='#n249'>249</a>
<a id='n250' href='#n250'>250</a>
<a id='n251' href='#n251'>251</a>
<a id='n252' href='#n252'>252</a>
<a id='n253' href='#n253'>253</a>
<a id='n254' href='#n254'>254</a>
<a id='n255' href='#n255'>255</a>
<a id='n256' href='#n256'>256</a>
<a id='n257' href='#n257'>257</a>
<a id='n258' href='#n258'>258</a>
<a id='n259' href='#n259'>259</a>
<a id='n260' href='#n260'>260</a>
<a id='n261' href='#n261'>261</a>
<a id='n262' href='#n262'>262</a>
<a id='n263' href='#n263'>263</a>
<a id='n264' href='#n264'>264</a>
<a id='n265' href='#n265'>265</a>
<a id='n266' href='#n266'>266</a>
<a id='n267' href='#n267'>267</a>
<a id='n268' href='#n268'>268</a>
<a id='n269' href='#n269'>269</a>
<a id='n270' href='#n270'>270</a>
<a id='n271' href='#n271'>271</a>
<a id='n272' href='#n272'>272</a>
<a id='n273' href='#n273'>273</a>
<a id='n274' href='#n274'>274</a>
<a id='n275' href='#n275'>275</a>
<a id='n276' href='#n276'>276</a>
<a id='n277' href='#n277'>277</a>
<a id='n278' href='#n278'>278</a>
<a id='n279' href='#n279'>279</a>
<a id='n280' href='#n280'>280</a>
<a id='n281' href='#n281'>281</a>
<a id='n282' href='#n282'>282</a>
<a id='n283' href='#n283'>283</a>
<a id='n284' href='#n284'>284</a>
<a id='n285' href='#n285'>285</a>
<a id='n286' href='#n286'>286</a>
<a id='n287' href='#n287'>287</a>
<a id='n288' href='#n288'>288</a>
<a id='n289' href='#n289'>289</a>
<a id='n290' href='#n290'>290</a>
<a id='n291' href='#n291'>291</a>
<a id='n292' href='#n292'>292</a>
<a id='n293' href='#n293'>293</a>
<a id='n294' href='#n294'>294</a>
<a id='n295' href='#n295'>295</a>
<a id='n296' href='#n296'>296</a>
<a id='n297' href='#n297'>297</a>
<a id='n298' href='#n298'>298</a>
<a id='n299' href='#n299'>299</a>
<a id='n300' href='#n300'>300</a>
<a id='n301' href='#n301'>301</a>
<a id='n302' href='#n302'>302</a>
<a id='n303' href='#n303'>303</a>
<a id='n304' href='#n304'>304</a>
<a id='n305' href='#n305'>305</a>
<a id='n306' href='#n306'>306</a>
<a id='n307' href='#n307'>307</a>
<a id='n308' href='#n308'>308</a>
<a id='n309' href='#n309'>309</a>
<a id='n310' href='#n310'>310</a>
<a id='n311' href='#n311'>311</a>
<a id='n312' href='#n312'>312</a>
<a id='n313' href='#n313'>313</a>
<a id='n314' href='#n314'>314</a>
<a id='n315' href='#n315'>315</a>
<a id='n316' href='#n316'>316</a>
<a id='n317' href='#n317'>317</a>
<a id='n318' href='#n318'>318</a>
<a id='n319' href='#n319'>319</a>
<a id='n320' href='#n320'>320</a>
<a id='n321' href='#n321'>321</a>
<a id='n322' href='#n322'>322</a>
<a id='n323' href='#n323'>323</a>
<a id='n324' href='#n324'>324</a>
<a id='n325' href='#n325'>325</a>
<a id='n326' href='#n326'>326</a>
<a id='n327' href='#n327'>327</a>
<a id='n328' href='#n328'>328</a>
<a id='n329' href='#n329'>329</a>
<a id='n330' href='#n330'>330</a>
<a id='n331' href='#n331'>331</a>
<a id='n332' href='#n332'>332</a>
<a id='n333' href='#n333'>333</a>
<a id='n334' href='#n334'>334</a>
<a id='n335' href='#n335'>335</a>
<a id='n336' href='#n336'>336</a>
<a id='n337' href='#n337'>337</a>
<a id='n338' href='#n338'>338</a>
<a id='n339' href='#n339'>339</a>
<a id='n340' href='#n340'>340</a>
<a id='n341' href='#n341'>341</a>
<a id='n342' href='#n342'>342</a>
<a id='n343' href='#n343'>343</a>
<a id='n344' href='#n344'>344</a>
<a id='n345' href='#n345'>345</a>
<a id='n346' href='#n346'>346</a>
<a id='n347' href='#n347'>347</a>
<a id='n348' href='#n348'>348</a>
<a id='n349' href='#n349'>349</a>
<a id='n350' href='#n350'>350</a>
<a id='n351' href='#n351'>351</a>
<a id='n352' href='#n352'>352</a>
<a id='n353' href='#n353'>353</a>
<a id='n354' href='#n354'>354</a>
<a id='n355' href='#n355'>355</a>
<a id='n356' href='#n356'>356</a>
<a id='n357' href='#n357'>357</a>
<a id='n358' href='#n358'>358</a>
<a id='n359' href='#n359'>359</a>
<a id='n360' href='#n360'>360</a>
<a id='n361' href='#n361'>361</a>
<a id='n362' href='#n362'>362</a>
<a id='n363' href='#n363'>363</a>
<a id='n364' href='#n364'>364</a>
<a id='n365' href='#n365'>365</a>
<a id='n366' href='#n366'>366</a>
<a id='n367' href='#n367'>367</a>
<a id='n368' href='#n368'>368</a>
<a id='n369' href='#n369'>369</a>
<a id='n370' href='#n370'>370</a>
<a id='n371' href='#n371'>371</a>
<a id='n372' href='#n372'>372</a>
<a id='n373' href='#n373'>373</a>
<a id='n374' href='#n374'>374</a>
<a id='n375' href='#n375'>375</a>
<a id='n376' href='#n376'>376</a>
<a id='n377' href='#n377'>377</a>
<a id='n378' href='#n378'>378</a>
<a id='n379' href='#n379'>379</a>
<a id='n380' href='#n380'>380</a>
<a id='n381' href='#n381'>381</a>
<a id='n382' href='#n382'>382</a>
<a id='n383' href='#n383'>383</a>
<a id='n384' href='#n384'>384</a>
<a id='n385' href='#n385'>385</a>
<a id='n386' href='#n386'>386</a>
<a id='n387' href='#n387'>387</a>
<a id='n388' href='#n388'>388</a>
<a id='n389' href='#n389'>389</a>
<a id='n390' href='#n390'>390</a>
<a id='n391' href='#n391'>391</a>
<a id='n392' href='#n392'>392</a>
<a id='n393' href='#n393'>393</a>
<a id='n394' href='#n394'>394</a>
<a id='n395' href='#n395'>395</a>
<a id='n396' href='#n396'>396</a>
<a id='n397' href='#n397'>397</a>
<a id='n398' href='#n398'>398</a>
<a id='n399' href='#n399'>399</a>
<a id='n400' href='#n400'>400</a>
<a id='n401' href='#n401'>401</a>
<a id='n402' href='#n402'>402</a>
<a id='n403' href='#n403'>403</a>
<a id='n404' href='#n404'>404</a>
<a id='n405' href='#n405'>405</a>
<a id='n406' href='#n406'>406</a>
<a id='n407' href='#n407'>407</a>
<a id='n408' href='#n408'>408</a>
<a id='n409' href='#n409'>409</a>
<a id='n410' href='#n410'>410</a>
<a id='n411' href='#n411'>411</a>
<a id='n412' href='#n412'>412</a>
<a id='n413' href='#n413'>413</a>
<a id='n414' href='#n414'>414</a>
<a id='n415' href='#n415'>415</a>
<a id='n416' href='#n416'>416</a>
<a id='n417' href='#n417'>417</a>
<a id='n418' href='#n418'>418</a>
<a id='n419' href='#n419'>419</a>
<a id='n420' href='#n420'>420</a>
<a id='n421' href='#n421'>421</a>
<a id='n422' href='#n422'>422</a>
<a id='n423' href='#n423'>423</a>
<a id='n424' href='#n424'>424</a>
<a id='n425' href='#n425'>425</a>
<a id='n426' href='#n426'>426</a>
<a id='n427' href='#n427'>427</a>
<a id='n428' href='#n428'>428</a>
<a id='n429' href='#n429'>429</a>
<a id='n430' href='#n430'>430</a>
<a id='n431' href='#n431'>431</a>
<a id='n432' href='#n432'>432</a>
<a id='n433' href='#n433'>433</a>
<a id='n434' href='#n434'>434</a>
<a id='n435' href='#n435'>435</a>
<a id='n436' href='#n436'>436</a>
<a id='n437' href='#n437'>437</a>
<a id='n438' href='#n438'>438</a>
<a id='n439' href='#n439'>439</a>
<a id='n440' href='#n440'>440</a>
<a id='n441' href='#n441'>441</a>
<a id='n442' href='#n442'>442</a>
<a id='n443' href='#n443'>443</a>
<a id='n444' href='#n444'>444</a>
<a id='n445' href='#n445'>445</a>
<a id='n446' href='#n446'>446</a>
<a id='n447' href='#n447'>447</a>
<a id='n448' href='#n448'>448</a>
<a id='n449' href='#n449'>449</a>
<a id='n450' href='#n450'>450</a>
<a id='n451' href='#n451'>451</a>
<a id='n452' href='#n452'>452</a>
<a id='n453' href='#n453'>453</a>
<a id='n454' href='#n454'>454</a>
<a id='n455' href='#n455'>455</a>
<a id='n456' href='#n456'>456</a>
<a id='n457' href='#n457'>457</a>
<a id='n458' href='#n458'>458</a>
<a id='n459' href='#n459'>459</a>
<a id='n460' href='#n460'>460</a>
<a id='n461' href='#n461'>461</a>
<a id='n462' href='#n462'>462</a>
<a id='n463' href='#n463'>463</a>
<a id='n464' href='#n464'>464</a>
<a id='n465' href='#n465'>465</a>
<a id='n466' href='#n466'>466</a>
<a id='n467' href='#n467'>467</a>
<a id='n468' href='#n468'>468</a>
<a id='n469' href='#n469'>469</a>
<a id='n470' href='#n470'>470</a>
<a id='n471' href='#n471'>471</a>
<a id='n472' href='#n472'>472</a>
<a id='n473' href='#n473'>473</a>
<a id='n474' href='#n474'>474</a>
<a id='n475' href='#n475'>475</a>
<a id='n476' href='#n476'>476</a>
<a id='n477' href='#n477'>477</a>
<a id='n478' href='#n478'>478</a>
<a id='n479' href='#n479'>479</a>
<a id='n480' href='#n480'>480</a>
<a id='n481' href='#n481'>481</a>
<a id='n482' href='#n482'>482</a>
<a id='n483' href='#n483'>483</a>
<a id='n484' href='#n484'>484</a>
<a id='n485' href='#n485'>485</a>
<a id='n486' href='#n486'>486</a>
<a id='n487' href='#n487'>487</a>
<a id='n488' href='#n488'>488</a>
<a id='n489' href='#n489'>489</a>
<a id='n490' href='#n490'>490</a>
<a id='n491' href='#n491'>491</a>
<a id='n492' href='#n492'>492</a>
<a id='n493' href='#n493'>493</a>
<a id='n494' href='#n494'>494</a>
<a id='n495' href='#n495'>495</a>
<a id='n496' href='#n496'>496</a>
<a id='n497' href='#n497'>497</a>
<a id='n498' href='#n498'>498</a>
<a id='n499' href='#n499'>499</a>
<a id='n500' href='#n500'>500</a>
<a id='n501' href='#n501'>501</a>
<a id='n502' href='#n502'>502</a>
<a id='n503' href='#n503'>503</a>
<a id='n504' href='#n504'>504</a>
<a id='n505' href='#n505'>505</a>
<a id='n506' href='#n506'>506</a>
<a id='n507' href='#n507'>507</a>
<a id='n508' href='#n508'>508</a>
<a id='n509' href='#n509'>509</a>
<a id='n510' href='#n510'>510</a>
<a id='n511' href='#n511'>511</a>
<a id='n512' href='#n512'>512</a>
<a id='n513' href='#n513'>513</a>
<a id='n514' href='#n514'>514</a>
<a id='n515' href='#n515'>515</a>
<a id='n516' href='#n516'>516</a>
<a id='n517' href='#n517'>517</a>
<a id='n518' href='#n518'>518</a>
<a id='n519' href='#n519'>519</a>
<a id='n520' href='#n520'>520</a>
<a id='n521' href='#n521'>521</a>
<a id='n522' href='#n522'>522</a>
<a id='n523' href='#n523'>523</a>
<a id='n524' href='#n524'>524</a>
<a id='n525' href='#n525'>525</a>
<a id='n526' href='#n526'>526</a>
<a id='n527' href='#n527'>527</a>
<a id='n528' href='#n528'>528</a>
<a id='n529' href='#n529'>529</a>
<a id='n530' href='#n530'>530</a>
<a id='n531' href='#n531'>531</a>
<a id='n532' href='#n532'>532</a>
<a id='n533' href='#n533'>533</a>
<a id='n534' href='#n534'>534</a>
<a id='n535' href='#n535'>535</a>
<a id='n536' href='#n536'>536</a>
<a id='n537' href='#n537'>537</a>
<a id='n538' href='#n538'>538</a>
<a id='n539' href='#n539'>539</a>
<a id='n540' href='#n540'>540</a>
<a id='n541' href='#n541'>541</a>
<a id='n542' href='#n542'>542</a>
<a id='n543' href='#n543'>543</a>
<a id='n544' href='#n544'>544</a>
<a id='n545' href='#n545'>545</a>
<a id='n546' href='#n546'>546</a>
<a id='n547' href='#n547'>547</a>
<a id='n548' href='#n548'>548</a>
<a id='n549' href='#n549'>549</a>
<a id='n550' href='#n550'>550</a>
<a id='n551' href='#n551'>551</a>
<a id='n552' href='#n552'>552</a>
<a id='n553' href='#n553'>553</a>
<a id='n554' href='#n554'>554</a>
<a id='n555' href='#n555'>555</a>
<a id='n556' href='#n556'>556</a>
<a id='n557' href='#n557'>557</a>
<a id='n558' href='#n558'>558</a>
<a id='n559' href='#n559'>559</a>
<a id='n560' href='#n560'>560</a>
<a id='n561' href='#n561'>561</a>
<a id='n562' href='#n562'>562</a>
<a id='n563' href='#n563'>563</a>
<a id='n564' href='#n564'>564</a>
<a id='n565' href='#n565'>565</a>
<a id='n566' href='#n566'>566</a>
<a id='n567' href='#n567'>567</a>
<a id='n568' href='#n568'>568</a>
<a id='n569' href='#n569'>569</a>
<a id='n570' href='#n570'>570</a>
<a id='n571' href='#n571'>571</a>
<a id='n572' href='#n572'>572</a>
<a id='n573' href='#n573'>573</a>
<a id='n574' href='#n574'>574</a>
<a id='n575' href='#n575'>575</a>
<a id='n576' href='#n576'>576</a>
<a id='n577' href='#n577'>577</a>
<a id='n578' href='#n578'>578</a>
<a id='n579' href='#n579'>579</a>
<a id='n580' href='#n580'>580</a>
<a id='n581' href='#n581'>581</a>
<a id='n582' href='#n582'>582</a>
</pre></td>
<td class='lines'><pre><code><span class="hl slc">#!/usr/bin/env python</span>
<span class="hl slc">#</span>
<span class="hl slc"># python join code</span>
<span class="hl slc"># Copyright Andrew Tridgell 2010</span>
<span class="hl slc"># Copyright Andrew Bartlett 2010</span>
<span class="hl slc">#</span>
<span class="hl slc"># This program is free software; you can redistribute it and/or modify</span>
<span class="hl slc"># it under the terms of the GNU General Public License as published by</span>
<span class="hl slc"># the Free Software Foundation; either version 3 of the License, or</span>
<span class="hl slc"># (at your option) any later version.</span>
<span class="hl slc">#</span>
<span class="hl slc"># This program is distributed in the hope that it will be useful,</span>
<span class="hl slc"># but WITHOUT ANY WARRANTY; without even the implied warranty of</span>
<span class="hl slc"># MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the</span>
<span class="hl slc"># GNU General Public License for more details.</span>
<span class="hl slc">#</span>
<span class="hl slc"># You should have received a copy of the GNU General Public License</span>
<span class="hl slc"># along with this program.  If not, see &lt;http://www.gnu.org/licenses/&gt;.</span>
<span class="hl slc">#</span>

<span class="hl str">&quot;&quot;&quot;Joining a domain.&quot;&quot;&quot;</span>

<span class="hl kwa">from</span> samba<span class="hl opt">.</span>auth <span class="hl kwa">import</span> system_session
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>samdb <span class="hl kwa">import</span> SamDB
<span class="hl kwa">from</span> samba <span class="hl kwa">import</span> gensec<span class="hl opt">,</span> Ldb<span class="hl opt">,</span> drs_utils
<span class="hl kwa">import</span> ldb<span class="hl opt">,</span> samba<span class="hl opt">,</span> sys<span class="hl opt">,</span> os<span class="hl opt">,</span> uuid
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>ndr <span class="hl kwa">import</span> ndr_pack
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>dcerpc <span class="hl kwa">import</span> security<span class="hl opt">,</span> drsuapi<span class="hl opt">,</span> misc<span class="hl opt">,</span> nbt
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>credentials <span class="hl kwa">import</span> Credentials<span class="hl opt">,</span> DONT_USE_KERBEROS
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>provision <span class="hl kwa">import</span> secretsdb_self_join<span class="hl opt">,</span> provision<span class="hl opt">,</span> FILL_DRS
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>schema <span class="hl kwa">import</span> Schema
<span class="hl kwa">from</span> samba<span class="hl opt">.</span>net <span class="hl kwa">import</span> Net
<span class="hl kwa">import</span> logging
<span class="hl kwa">import</span> talloc

<span class="hl slc"># this makes debugging easier</span>
talloc<span class="hl opt">.</span><span class="hl kwd">enable_null_tracking</span><span class="hl opt">()</span>


<span class="hl kwa">class</span> <span class="hl kwd">dc_join</span><span class="hl opt">(</span><span class="hl kwb">object</span><span class="hl opt">):</span>
    <span class="hl str">&#39;&#39;&#39;perform a DC join&#39;&#39;&#39;</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__init__</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> server<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> creds<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> lp<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> site<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
            netbios_name<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> targetdir<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> domain<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">):</span>
        ctx<span class="hl opt">.</span>creds <span class="hl opt">=</span> creds
        ctx<span class="hl opt">.</span>lp <span class="hl opt">=</span> lp
        ctx<span class="hl opt">.</span>site <span class="hl opt">=</span> site
        ctx<span class="hl opt">.</span>netbios_name <span class="hl opt">=</span> netbios_name
        ctx<span class="hl opt">.</span>targetdir <span class="hl opt">=</span> targetdir

        ctx<span class="hl opt">.</span>creds<span class="hl opt">.</span><span class="hl kwd">set_gensec_features</span><span class="hl opt">(</span>creds<span class="hl opt">.</span><span class="hl kwd">get_gensec_features</span><span class="hl opt">()</span> | gensec<span class="hl opt">.</span>FEATURE_SEAL<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>net <span class="hl opt">=</span> <span class="hl kwd">Net</span><span class="hl opt">(</span>creds<span class="hl opt">=</span>ctx<span class="hl opt">.</span>creds<span class="hl opt">,</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>

        <span class="hl kwa">if</span> server <span class="hl kwa">is not None</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>server <span class="hl opt">=</span> server
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;Finding a writeable DC for domain &#39;</span><span class="hl ipl">%s</span><span class="hl str">&#39;&quot;</span> <span class="hl opt">%</span> domain<span class="hl opt">)</span>
            ctx<span class="hl opt">.</span>server <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">find_dc</span><span class="hl opt">(</span>domain<span class="hl opt">)</span>
            <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;Found DC</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>samdb <span class="hl opt">=</span> <span class="hl kwd">SamDB</span><span class="hl opt">(</span>url<span class="hl opt">=</span><span class="hl str">&quot;ldap://</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server<span class="hl opt">,</span>
                          session_info<span class="hl opt">=</span><span class="hl kwd">system_session</span><span class="hl opt">(),</span>
                          credentials<span class="hl opt">=</span>ctx<span class="hl opt">.</span>creds<span class="hl opt">,</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>myname <span class="hl opt">=</span> netbios_name
        ctx<span class="hl opt">.</span>samname <span class="hl opt">=</span> <span class="hl str">&quot;</span><span class="hl ipl">%s</span><span class="hl str">$&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname
        ctx<span class="hl opt">.</span>base_dn <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_default_basedn</span><span class="hl opt">())</span>
        ctx<span class="hl opt">.</span>root_dn <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_root_basedn</span><span class="hl opt">())</span>
        ctx<span class="hl opt">.</span>schema_dn <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_schema_basedn</span><span class="hl opt">())</span>
        ctx<span class="hl opt">.</span>config_dn <span class="hl opt">=</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_config_basedn</span><span class="hl opt">())</span>
        ctx<span class="hl opt">.</span>domsid <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_domain_sid</span><span class="hl opt">()</span>
        ctx<span class="hl opt">.</span>domain_name <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_domain_name</span><span class="hl opt">()</span>

        lp<span class="hl opt">.</span><span class="hl kwb">set</span><span class="hl opt">(</span><span class="hl str">&quot;workgroup&quot;</span><span class="hl opt">,</span> ctx<span class="hl opt">.</span>domain_name<span class="hl opt">)</span>
        <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;workgroup is</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>domain_name<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>dc_ntds_dn <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_dsServiceName</span><span class="hl opt">()</span>
        ctx<span class="hl opt">.</span>dc_dnsHostName <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_dnsHostName</span><span class="hl opt">()</span>
        ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_behavior_version</span><span class="hl opt">()</span>

        ctx<span class="hl opt">.</span>acct_pass <span class="hl opt">=</span> samba<span class="hl opt">.</span><span class="hl kwd">generate_random_password</span><span class="hl opt">(</span><span class="hl num">32</span><span class="hl opt">,</span> <span class="hl num">40</span><span class="hl opt">)</span>

        <span class="hl slc"># work out the DNs of all the objects we will be adding</span>
        ctx<span class="hl opt">.</span>server_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=</span><span class="hl ipl">%s</span><span class="hl str">,CN=Servers,CN=</span><span class="hl ipl">%s</span><span class="hl str">,CN=Sites,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> ctx<span class="hl opt">.</span>site<span class="hl opt">,</span> ctx<span class="hl opt">.</span>config_dn<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>ntds_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=NTDS Settings,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server_dn
        topology_base <span class="hl opt">=</span> <span class="hl str">&quot;CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>base_dn
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span><span class="hl kwd">dn_exists</span><span class="hl opt">(</span>topology_base<span class="hl opt">):</span>
            ctx<span class="hl opt">.</span>topology_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=</span><span class="hl ipl">%s</span><span class="hl str">,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> topology_base<span class="hl opt">)</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>topology_dn <span class="hl opt">=</span> <span class="hl kwa">None</span>

        ctx<span class="hl opt">.</span>dnsdomain <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">).</span><span class="hl kwd">canonical_str</span><span class="hl opt">().</span><span class="hl kwd">split</span><span class="hl opt">(</span><span class="hl str">&#39;/&#39;</span><span class="hl opt">)[</span><span class="hl num">0</span><span class="hl opt">]</span>

        ctx<span class="hl opt">.</span>realm <span class="hl opt">=</span> ctx<span class="hl opt">.</span>dnsdomain
        lp<span class="hl opt">.</span><span class="hl kwb">set</span><span class="hl opt">(</span><span class="hl str">&quot;realm&quot;</span><span class="hl opt">,</span> ctx<span class="hl opt">.</span>realm<span class="hl opt">)</span>

        <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;realm is</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>realm<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>dnshostname <span class="hl opt">=</span> <span class="hl str">&quot;</span><span class="hl ipl">%s</span><span class="hl str">.</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">.</span><span class="hl kwd">lower</span><span class="hl opt">(),</span> ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>acct_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=</span><span class="hl ipl">%s</span><span class="hl str">,OU=Domain Controllers,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>tmp_samdb <span class="hl opt">=</span> <span class="hl kwa">None</span>

        ctx<span class="hl opt">.</span>SPNs <span class="hl opt">= [</span> <span class="hl str">&quot;HOST/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span>
                     <span class="hl str">&quot;HOST/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">,</span>
                     <span class="hl str">&quot;GC/</span><span class="hl ipl">%s</span><span class="hl str">/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">,</span> ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">) ]</span>

        <span class="hl slc"># these elements are optional</span>
        ctx<span class="hl opt">.</span>never_reveal_sid <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>reveal_sid <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>connection_dn <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>RODC <span class="hl opt">=</span> <span class="hl kwa">False</span>
        ctx<span class="hl opt">.</span>krbtgt_dn <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>drsuapi <span class="hl opt">=</span> <span class="hl kwa">None</span>
        ctx<span class="hl opt">.</span>managedby <span class="hl opt">=</span> <span class="hl kwa">None</span>


    <span class="hl kwa">def</span> <span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> dn<span class="hl opt">,</span> recursive<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">):</span>
        <span class="hl kwa">if</span> recursive<span class="hl opt">:</span>
            <span class="hl kwa">try</span><span class="hl opt">:</span>
                res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_ONELEVEL<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;dn&quot;</span><span class="hl opt">])</span>
            <span class="hl kwa">except</span> <span class="hl kwc">Exception</span><span class="hl opt">:</span>
                <span class="hl kwa">return</span>
            <span class="hl kwa">for</span> r <span class="hl kwa">in</span> res<span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>r<span class="hl opt">.</span>dn<span class="hl opt">,</span> recursive<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">delete</span><span class="hl opt">(</span>dn<span class="hl opt">)</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Deleted</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> dn
        <span class="hl kwa">except</span> <span class="hl kwc">Exception</span><span class="hl opt">:</span>
            <span class="hl kwa">pass</span>

    <span class="hl kwa">def</span> <span class="hl kwd">cleanup_old_join</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;remove any DNs from a previous join&#39;&#39;&#39;</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            <span class="hl slc"># find the krbtgt link</span>
            <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;checking samaccountname&quot;</span><span class="hl opt">)</span>
            res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_default_basedn</span><span class="hl opt">(),</span>
                                   expression<span class="hl opt">=</span><span class="hl str">&#39;samAccountName=</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">,</span>
                                   attrs<span class="hl opt">=[</span><span class="hl str">&quot;msDS-krbTgtLink&quot;</span><span class="hl opt">])</span>
            <span class="hl kwa">if</span> res<span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">].</span>dn<span class="hl opt">,</span> recursive<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>connection_dn <span class="hl kwa">is not None</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>connection_dn<span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>krbtgt_dn <span class="hl kwa">is not None</span><span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">)</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>ntds_dn<span class="hl opt">)</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>server_dn<span class="hl opt">,</span> recursive<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>topology_dn<span class="hl opt">:</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>topology_dn<span class="hl opt">)</span>
            <span class="hl kwa">if</span> res<span class="hl opt">:</span>
                ctx<span class="hl opt">.</span>new_krbtgt_dn <span class="hl opt">=</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;msDS-Krbtgtlink&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>
                ctx<span class="hl opt">.</span><span class="hl kwd">del_noerror</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>new_krbtgt_dn<span class="hl opt">)</span>
        <span class="hl kwa">except</span> <span class="hl kwc">Exception</span><span class="hl opt">:</span>
            <span class="hl kwa">pass</span>

    <span class="hl kwa">def</span> <span class="hl kwd">find_dc</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> domain<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;find a writeable DC for the given domain&#39;&#39;&#39;</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>cldap_ret <span class="hl opt">=</span> ctx<span class="hl opt">.</span>net<span class="hl opt">.</span><span class="hl kwd">finddc</span><span class="hl opt">(</span>domain<span class="hl opt">,</span> nbt<span class="hl opt">.</span>NBT_SERVER_LDAP | nbt<span class="hl opt">.</span>NBT_SERVER_DS | nbt<span class="hl opt">.</span>NBT_SERVER_WRITABLE<span class="hl opt">)</span>
        <span class="hl kwa">except</span> <span class="hl kwc">Exception</span><span class="hl opt">:</span>
            <span class="hl kwa">raise</span> <span class="hl kwc">Exception</span><span class="hl opt">(</span><span class="hl str">&quot;Failed to find a writeable DC for domain &#39;</span><span class="hl ipl">%s</span><span class="hl str">&#39;&quot;</span> <span class="hl opt">%</span> domain<span class="hl opt">)</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>cldap_ret<span class="hl opt">.</span>client_site <span class="hl kwa">is not None and</span> ctx<span class="hl opt">.</span>cldap_ret<span class="hl opt">.</span>client_site <span class="hl opt">!=</span> <span class="hl str">&quot;&quot;</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>site <span class="hl opt">=</span> ctx<span class="hl opt">.</span>cldap_ret<span class="hl opt">.</span>client_site
        <span class="hl kwa">return</span> ctx<span class="hl opt">.</span>cldap_ret<span class="hl opt">.</span>pdc_dns_name


    <span class="hl kwa">def</span> <span class="hl kwd">get_dsServiceName</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span><span class="hl str">&quot;&quot;</span><span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;dsServiceName&quot;</span><span class="hl opt">])</span>
        <span class="hl kwa">return</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;dsServiceName&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>

    <span class="hl kwa">def</span> <span class="hl kwd">get_behavior_version</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;msDS-Behavior-Version&quot;</span><span class="hl opt">])</span>
        <span class="hl kwa">if</span> <span class="hl str">&quot;msDS-Behavior-Version&quot;</span> <span class="hl kwa">in</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]:</span>
            <span class="hl kwa">return</span> <span class="hl kwb">int</span><span class="hl opt">(</span>res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;msDS-Behavior-Version&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">])</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            <span class="hl kwa">return</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2000

    <span class="hl kwa">def</span> <span class="hl kwd">get_dnsHostName</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span><span class="hl str">&quot;&quot;</span><span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;dnsHostName&quot;</span><span class="hl opt">])</span>
        <span class="hl kwa">return</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;dnsHostName&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>

    <span class="hl kwa">def</span> <span class="hl kwd">get_domain_name</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;get netbios name of the domain from the partitions record&#39;&#39;&#39;</span>
        partitions_dn <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_partitions_dn</span><span class="hl opt">()</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>partitions_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_ONELEVEL<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;nETBIOSName&quot;</span><span class="hl opt">],</span>
                               expression<span class="hl opt">=</span><span class="hl str">&#39;ncName=</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_default_basedn</span><span class="hl opt">())</span>
        <span class="hl kwa">return</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;nETBIOSName&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>

    <span class="hl kwa">def</span> <span class="hl kwd">get_mysid</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;get the SID of the connected user. Only works with w2k8 and later,</span>
<span class="hl str">           so only used for RODC join&#39;&#39;&#39;</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span><span class="hl str">&quot;&quot;</span><span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;tokenGroups&quot;</span><span class="hl opt">])</span>
        binsid <span class="hl opt">=</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;tokenGroups&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>
        <span class="hl kwa">return</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">schema_format_value</span><span class="hl opt">(</span><span class="hl str">&quot;objectSID&quot;</span><span class="hl opt">,</span> binsid<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">dn_exists</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> dn<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;check if a DN exists&#39;&#39;&#39;</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[])</span>
        <span class="hl kwa">except</span> ldb<span class="hl opt">.</span>LdbError<span class="hl opt">, (</span>enum<span class="hl opt">,</span> estr<span class="hl opt">):</span>
            <span class="hl kwa">if</span> enum <span class="hl opt">==</span> ldb<span class="hl opt">.</span>ERR_NO_SUCH_OBJECT<span class="hl opt">:</span>
                <span class="hl kwa">return False</span>
            <span class="hl kwa">raise</span>
        <span class="hl kwa">return True</span>

    <span class="hl kwa">def</span> <span class="hl kwd">add_krbtgt_account</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;RODCs need a special krbtgt account&#39;&#39;&#39;</span>
        <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>krbtgt_dn
        rec <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;user&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;useraccountcontrol&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_NORMAL_ACCOUNT |
                                       samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_ACCOUNTDISABLE<span class="hl opt">),</span>
            <span class="hl str">&quot;showinadvancedviewonly&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;TRUE&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;description&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;krbtgt for</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">}</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">, [</span><span class="hl str">&quot;rodc_join:1:1&quot;</span><span class="hl opt">])</span>

        <span class="hl slc"># now we need to search for the samAccountName attribute on the krbtgt DN,</span>
        <span class="hl slc"># as this will have been magically set to the krbtgt number</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;samAccountName&quot;</span><span class="hl opt">])</span>
        ctx<span class="hl opt">.</span>krbtgt_name <span class="hl opt">=</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;samAccountName&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Got krbtgt_name=</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>krbtgt_name

        m <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Message</span><span class="hl opt">()</span>
        m<span class="hl opt">.</span>dn <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">)</span>
        m<span class="hl opt">[</span><span class="hl str">&quot;msDS-krbTgtLink&quot;</span><span class="hl opt">] =</span> ldb<span class="hl opt">.</span><span class="hl kwd">MessageElement</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">,</span>
                                                  ldb<span class="hl opt">.</span>FLAG_MOD_REPLACE<span class="hl opt">,</span> <span class="hl str">&quot;msDS-krbTgtLink&quot;</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">modify</span><span class="hl opt">(</span>m<span class="hl opt">)</span>

        ctx<span class="hl opt">.</span>new_krbtgt_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=</span><span class="hl ipl">%s</span><span class="hl str">,CN=Users,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>krbtgt_name<span class="hl opt">,</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">)</span>
        <span class="hl kwa">print</span> <span class="hl str">&quot;Renaming</span> <span class="hl ipl">%s</span> <span class="hl str">to</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>new_krbtgt_dn<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">rename</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>new_krbtgt_dn<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">drsuapi_connect</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;make a DRSUAPI connection to the server&#39;&#39;&#39;</span>
        binding_options <span class="hl opt">=</span> <span class="hl str">&quot;seal&quot;</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>lp<span class="hl opt">.</span><span class="hl kwd">get</span><span class="hl opt">(</span><span class="hl str">&quot;log level&quot;</span><span class="hl opt">) &gt;=</span> <span class="hl num">5</span><span class="hl opt">:</span>
            binding_options <span class="hl opt">+=</span> <span class="hl str">&quot;,print&quot;</span>
        binding_string <span class="hl opt">=</span> <span class="hl str">&quot;ncacn_ip_tcp:</span><span class="hl ipl">%s</span><span class="hl str">[</span><span class="hl ipl">%s</span><span class="hl str">]&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>server<span class="hl opt">,</span> binding_options<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>drsuapi <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">drsuapi</span><span class="hl opt">(</span>binding_string<span class="hl opt">,</span> ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> ctx<span class="hl opt">.</span>creds<span class="hl opt">)</span>
        <span class="hl opt">(</span>ctx<span class="hl opt">.</span>drsuapi_handle<span class="hl opt">,</span> ctx<span class="hl opt">.</span>bind_supported_extensions<span class="hl opt">) =</span> drs_utils<span class="hl opt">.</span><span class="hl kwd">drs_DsBind</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>drsuapi<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">create_tmp_samdb</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;create a temporary samdb object for schema queries&#39;&#39;&#39;</span>
        ctx<span class="hl opt">.</span>tmp_schema <span class="hl opt">=</span> <span class="hl kwd">Schema</span><span class="hl opt">(</span>security<span class="hl opt">.</span><span class="hl kwd">dom_sid</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">),</span>
                                schemadn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>schema_dn<span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>tmp_samdb <span class="hl opt">=</span> <span class="hl kwd">SamDB</span><span class="hl opt">(</span>session_info<span class="hl opt">=</span><span class="hl kwd">system_session</span><span class="hl opt">(),</span> url<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> auto_connect<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span>
                              credentials<span class="hl opt">=</span>ctx<span class="hl opt">.</span>creds<span class="hl opt">,</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> global_schema<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span>
                              am_rodc<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>tmp_samdb<span class="hl opt">.</span><span class="hl kwd">set_schema</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>tmp_schema<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">build_DsReplicaAttribute</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> attrname<span class="hl opt">,</span> attrvalue<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;build a DsReplicaAttributeCtr object&#39;&#39;&#39;</span>
        r <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaAttribute</span><span class="hl opt">()</span>
        r<span class="hl opt">.</span>attid <span class="hl opt">=</span> ctx<span class="hl opt">.</span>tmp_samdb<span class="hl opt">.</span><span class="hl kwd">get_attid_from_lDAPDisplayName</span><span class="hl opt">(</span>attrname<span class="hl opt">)</span>
        r<span class="hl opt">.</span>value_ctr <span class="hl opt">=</span> <span class="hl num">1</span>


    <span class="hl kwa">def</span> <span class="hl kwd">DsAddEntry</span><span class="hl opt">(</span>ctx<span class="hl opt">,</span> rec<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;add a record via the DRSUAPI DsAddEntry call&#39;&#39;&#39;</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>drsuapi <span class="hl kwa">is None</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">drsuapi_connect</span><span class="hl opt">()</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>tmp_samdb <span class="hl kwa">is None</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">create_tmp_samdb</span><span class="hl opt">()</span>

        <span class="hl kwb">id</span> <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaObjectIdentifier</span><span class="hl opt">()</span>
        <span class="hl kwb">id</span><span class="hl opt">.</span>dn <span class="hl opt">=</span> rec<span class="hl opt">[</span><span class="hl str">&#39;dn&#39;</span><span class="hl opt">]</span>

        attrs <span class="hl opt">= []</span>
        <span class="hl kwa">for</span> a <span class="hl kwa">in</span> rec<span class="hl opt">:</span>
            <span class="hl kwa">if</span> a <span class="hl opt">==</span> <span class="hl str">&#39;dn&#39;</span><span class="hl opt">:</span>
                <span class="hl kwa">continue</span>
            <span class="hl kwa">if not</span> <span class="hl kwb">isinstance</span><span class="hl opt">(</span>rec<span class="hl opt">[</span>a<span class="hl opt">],</span> <span class="hl kwb">list</span><span class="hl opt">):</span>
                v <span class="hl opt">= [</span>rec<span class="hl opt">[</span>a<span class="hl opt">]]</span>
            <span class="hl kwa">else</span><span class="hl opt">:</span>
                v <span class="hl opt">=</span> rec<span class="hl opt">[</span>a<span class="hl opt">]</span>
            rattr <span class="hl opt">=</span> ctx<span class="hl opt">.</span>tmp_samdb<span class="hl opt">.</span><span class="hl kwd">dsdb_DsReplicaAttribute</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>tmp_samdb<span class="hl opt">,</span> a<span class="hl opt">,</span> v<span class="hl opt">)</span>
            attrs<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span>rattr<span class="hl opt">)</span>

        attribute_ctr <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaAttributeCtr</span><span class="hl opt">()</span>
        attribute_ctr<span class="hl opt">.</span>num_attributes <span class="hl opt">=</span> <span class="hl kwb">len</span><span class="hl opt">(</span>attrs<span class="hl opt">)</span>
        attribute_ctr<span class="hl opt">.</span>attributes <span class="hl opt">=</span> attrs

        <span class="hl kwb">object</span> <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaObject</span><span class="hl opt">()</span>
        <span class="hl kwb">object</span><span class="hl opt">.</span>identifier <span class="hl opt">=</span> <span class="hl kwb">id</span>
        <span class="hl kwb">object</span><span class="hl opt">.</span>attribute_ctr <span class="hl opt">=</span> attribute_ctr

        first_object <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsReplicaObjectListItem</span><span class="hl opt">()</span>
        first_object<span class="hl opt">.</span><span class="hl kwb">object</span> <span class="hl opt">=</span> <span class="hl kwb">object</span>

        req2 <span class="hl opt">=</span> drsuapi<span class="hl opt">.</span><span class="hl kwd">DsAddEntryRequest2</span><span class="hl opt">()</span>
        req2<span class="hl opt">.</span>first_object <span class="hl opt">=</span> first_object

        <span class="hl opt">(</span>level<span class="hl opt">,</span> ctr<span class="hl opt">) =</span> ctx<span class="hl opt">.</span>drsuapi<span class="hl opt">.</span><span class="hl kwd">DsAddEntry</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>drsuapi_handle<span class="hl opt">,</span> <span class="hl num">2</span><span class="hl opt">,</span> req2<span class="hl opt">)</span>
        <span class="hl kwa">if</span> ctr<span class="hl opt">.</span>err_ver <span class="hl opt">!=</span> <span class="hl num">1</span><span class="hl opt">:</span>
            <span class="hl kwa">raise</span> <span class="hl kwc">RuntimeError</span><span class="hl opt">(</span><span class="hl str">&quot;expected err_ver 1, got</span> <span class="hl ipl">%u</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctr<span class="hl opt">.</span>err_ver<span class="hl opt">)</span>
        <span class="hl kwa">if</span> ctr<span class="hl opt">.</span>err_data<span class="hl opt">.</span>status <span class="hl opt">!= (</span><span class="hl num">0</span><span class="hl opt">,</span> <span class="hl str">&#39;WERR_OK&#39;</span><span class="hl opt">):</span>
            <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;DsAddEntry failed with status</span> <span class="hl ipl">%s</span> <span class="hl str">info</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctr<span class="hl opt">.</span>err_data<span class="hl opt">.</span>status<span class="hl opt">,</span>
                                                                ctr<span class="hl opt">.</span>err_data<span class="hl opt">.</span>info<span class="hl opt">.</span>extended_err<span class="hl opt">))</span>
            <span class="hl kwa">raise</span> <span class="hl kwc">RuntimeError</span><span class="hl opt">(</span><span class="hl str">&quot;DsAddEntry failed&quot;</span><span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">join_add_objects</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;add the various objects needed for the join&#39;&#39;&#39;</span>
        <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>acct_dn
        rec <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;objectClass&quot;</span><span class="hl opt">:</span> <span class="hl str">&quot;computer&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;displayname&quot;</span><span class="hl opt">:</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">,</span>
            <span class="hl str">&quot;samaccountname&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">,</span>
            <span class="hl str">&quot;userAccountControl&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>userAccountControl | samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_ACCOUNTDISABLE<span class="hl opt">),</span>
            <span class="hl str">&quot;dnshostname&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">}</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2008<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&#39;msDS-SupportedEncryptionTypes&#39;</span><span class="hl opt">] =</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>ENC_ALL_TYPES<span class="hl opt">)</span>
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>managedby<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;managedby&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>managedby
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>never_reveal_sid<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-NeverRevealGroup&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>never_reveal_sid
        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>reveal_sid<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-RevealOnDemandGroup&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>reveal_sid
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>krbtgt_dn<span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">add_krbtgt_account</span><span class="hl opt">()</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>server_dn
        rec <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span><span class="hl opt">:</span> ctx<span class="hl opt">.</span>server_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;server&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;systemFlags&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_CONFIG_ALLOW_RENAME |
                                samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE |
                                samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE<span class="hl opt">),</span>
            <span class="hl str">&quot;serverReference&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;dnsHostName&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>dnshostname<span class="hl opt">}</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">)</span>

        <span class="hl slc"># FIXME: the partition (NC) assignment has to be made dynamic</span>
        <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>ntds_dn
        rec <span class="hl opt">= {</span>
            <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>ntds_dn<span class="hl opt">,</span>
            <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;nTDSDSA&quot;</span><span class="hl opt">,</span>
            <span class="hl str">&quot;systemFlags&quot;</span> <span class="hl opt">:</span> <span class="hl kwb">str</span><span class="hl opt">(</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE<span class="hl opt">),</span>
            <span class="hl str">&quot;dMDLocation&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>schema_dn<span class="hl opt">}</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-Behavior-Version&quot;</span><span class="hl opt">] =</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>behavior_version<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-HasDomainNCs&quot;</span><span class="hl opt">] =</span> ctx<span class="hl opt">.</span>base_dn

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>RODC<span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;objectCategory&quot;</span><span class="hl opt">] =</span> <span class="hl str">&quot;CN=NTDS-DSA-RO,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>schema_dn
            rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-HasFullReplicaNCs&quot;</span><span class="hl opt">] = [</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>schema_dn <span class="hl opt">]</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;options&quot;</span><span class="hl opt">] =</span> <span class="hl str">&quot;37&quot;</span>
            ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">, [</span><span class="hl str">&quot;rodc_join:1:1&quot;</span><span class="hl opt">])</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;objectCategory&quot;</span><span class="hl opt">] =</span> <span class="hl str">&quot;CN=NTDS-DSA,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>schema_dn
            rec<span class="hl opt">[</span><span class="hl str">&quot;HasMasterNCs&quot;</span><span class="hl opt">]      = [</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>schema_dn <span class="hl opt">]</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>behavior_version <span class="hl opt">&gt;=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>DS_DOMAIN_FUNCTION_2003<span class="hl opt">:</span>
                rec<span class="hl opt">[</span><span class="hl str">&quot;msDS-HasMasterNCs&quot;</span><span class="hl opt">] = [</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span> ctx<span class="hl opt">.</span>schema_dn <span class="hl opt">]</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;options&quot;</span><span class="hl opt">] =</span> <span class="hl str">&quot;1&quot;</span>
            rec<span class="hl opt">[</span><span class="hl str">&quot;invocationId&quot;</span><span class="hl opt">] =</span> <span class="hl kwd">ndr_pack</span><span class="hl opt">(</span>misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span><span class="hl kwb">str</span><span class="hl opt">(</span>uuid<span class="hl opt">.</span><span class="hl kwd">uuid4</span><span class="hl opt">())))</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">DsAddEntry</span><span class="hl opt">(</span>rec<span class="hl opt">)</span>

        <span class="hl slc"># find the GUID of our NTDS DN</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>ntds_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;objectGUID&quot;</span><span class="hl opt">])</span>
        ctx<span class="hl opt">.</span>ntds_guid <span class="hl opt">=</span> misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">schema_format_value</span><span class="hl opt">(</span><span class="hl str">&quot;objectGUID&quot;</span><span class="hl opt">,</span> res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;objectGUID&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]))</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>connection_dn <span class="hl kwa">is not None</span><span class="hl opt">:</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>connection_dn
            rec <span class="hl opt">= {</span>
                <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>connection_dn<span class="hl opt">,</span>
                <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;nTDSConnection&quot;</span><span class="hl opt">,</span>
                <span class="hl str">&quot;enabledconnection&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;TRUE&quot;</span><span class="hl opt">,</span>
                <span class="hl str">&quot;options&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;65&quot;</span><span class="hl opt">,</span>
                <span class="hl str">&quot;fromServer&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>dc_ntds_dn<span class="hl opt">}</span>
            ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">)</span>

        <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>topology_dn<span class="hl opt">:</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Adding</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>topology_dn
            rec <span class="hl opt">= {</span>
                <span class="hl str">&quot;dn&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>topology_dn<span class="hl opt">,</span>
                <span class="hl str">&quot;objectclass&quot;</span> <span class="hl opt">:</span> <span class="hl str">&quot;msDFSR-Member&quot;</span><span class="hl opt">,</span>
                <span class="hl str">&quot;msDFSR-ComputerReference&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">,</span>
                <span class="hl str">&quot;serverReference&quot;</span> <span class="hl opt">:</span> ctx<span class="hl opt">.</span>ntds_dn<span class="hl opt">}</span>
            ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">add</span><span class="hl opt">(</span>rec<span class="hl opt">)</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Adding SPNs to</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>acct_dn
        m <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Message</span><span class="hl opt">()</span>
        m<span class="hl opt">.</span>dn <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">)</span>
        <span class="hl kwa">for</span> i <span class="hl kwa">in</span> <span class="hl kwb">range</span><span class="hl opt">(</span><span class="hl kwb">len</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>SPNs<span class="hl opt">)):</span>
            ctx<span class="hl opt">.</span>SPNs<span class="hl opt">[</span>i<span class="hl opt">] =</span> ctx<span class="hl opt">.</span>SPNs<span class="hl opt">[</span>i<span class="hl opt">].</span><span class="hl kwd">replace</span><span class="hl opt">(</span><span class="hl str">&quot;$NTDSGUID&quot;</span><span class="hl opt">,</span> <span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>ntds_guid<span class="hl opt">))</span>
        m<span class="hl opt">[</span><span class="hl str">&quot;servicePrincipalName&quot;</span><span class="hl opt">] =</span> ldb<span class="hl opt">.</span><span class="hl kwd">MessageElement</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>SPNs<span class="hl opt">,</span>
                                                       ldb<span class="hl opt">.</span>FLAG_MOD_ADD<span class="hl opt">,</span>
                                                       <span class="hl str">&quot;servicePrincipalName&quot;</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">modify</span><span class="hl opt">(</span>m<span class="hl opt">)</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Setting account password for</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samname
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">setpassword</span><span class="hl opt">(</span><span class="hl str">&quot;(&amp;(objectClass=user)(sAMAccountName=</span><span class="hl ipl">%s</span><span class="hl str">))&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>samname<span class="hl opt">,</span>
                              ctx<span class="hl opt">.</span>acct_pass<span class="hl opt">,</span>
                              force_change_at_next_login<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span>
                              username<span class="hl opt">=</span>ctx<span class="hl opt">.</span>samname<span class="hl opt">)</span>
        res <span class="hl opt">=</span> ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">search</span><span class="hl opt">(</span>base<span class="hl opt">=</span>ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">,</span> scope<span class="hl opt">=</span>ldb<span class="hl opt">.</span>SCOPE_BASE<span class="hl opt">,</span> attrs<span class="hl opt">=[</span><span class="hl str">&quot;msDS-keyVersionNumber&quot;</span><span class="hl opt">])</span>
        ctx<span class="hl opt">.</span>key_version_number <span class="hl opt">=</span> <span class="hl kwb">int</span><span class="hl opt">(</span>res<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl str">&quot;msDS-keyVersionNumber&quot;</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">])</span>

        <span class="hl kwa">print</span><span class="hl opt">(</span><span class="hl str">&quot;Enabling account&quot;</span><span class="hl opt">)</span>
        m <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Message</span><span class="hl opt">()</span>
        m<span class="hl opt">.</span>dn <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">)</span>
        m<span class="hl opt">[</span><span class="hl str">&quot;userAccountControl&quot;</span><span class="hl opt">] =</span> ldb<span class="hl opt">.</span><span class="hl kwd">MessageElement</span><span class="hl opt">(</span><span class="hl kwb">str</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>userAccountControl<span class="hl opt">),</span>
                                                     ldb<span class="hl opt">.</span>FLAG_MOD_REPLACE<span class="hl opt">,</span>
                                                     <span class="hl str">&quot;userAccountControl&quot;</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">modify</span><span class="hl opt">(</span>m<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">join_provision</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;provision the local SAM&#39;&#39;&#39;</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Calling bare provision&quot;</span>

        logger <span class="hl opt">=</span> logging<span class="hl opt">.</span><span class="hl kwd">getLogger</span><span class="hl opt">(</span><span class="hl str">&quot;provision&quot;</span><span class="hl opt">)</span>
        logger<span class="hl opt">.</span><span class="hl kwd">addHandler</span><span class="hl opt">(</span>logging<span class="hl opt">.</span><span class="hl kwd">StreamHandler</span><span class="hl opt">(</span>sys<span class="hl opt">.</span>stdout<span class="hl opt">))</span>
        smbconf <span class="hl opt">=</span> ctx<span class="hl opt">.</span>lp<span class="hl opt">.</span>configfile

        presult <span class="hl opt">=</span> <span class="hl kwd">provision</span><span class="hl opt">(</span>logger<span class="hl opt">,</span> <span class="hl kwd">system_session</span><span class="hl opt">(),</span> <span class="hl kwa">None</span><span class="hl opt">,</span>
                            smbconf<span class="hl opt">=</span>smbconf<span class="hl opt">,</span> targetdir<span class="hl opt">=</span>ctx<span class="hl opt">.</span>targetdir<span class="hl opt">,</span> samdb_fill<span class="hl opt">=</span>FILL_DRS<span class="hl opt">,</span>
                            realm<span class="hl opt">=</span>ctx<span class="hl opt">.</span>realm<span class="hl opt">,</span> rootdn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>root_dn<span class="hl opt">,</span> domaindn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span>
                            schemadn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>schema_dn<span class="hl opt">,</span>
                            configdn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span>
                            serverdn<span class="hl opt">=</span>ctx<span class="hl opt">.</span>server_dn<span class="hl opt">,</span> domain<span class="hl opt">=</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span>
                            hostname<span class="hl opt">=</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> domainsid<span class="hl opt">=</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">,</span>
                            machinepass<span class="hl opt">=</span>ctx<span class="hl opt">.</span>acct_pass<span class="hl opt">,</span> serverrole<span class="hl opt">=</span><span class="hl str">&quot;domain controller&quot;</span><span class="hl opt">,</span>
                            sitename<span class="hl opt">=</span>ctx<span class="hl opt">.</span>site<span class="hl opt">,</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>
        <span class="hl kwa">print</span> <span class="hl str">&quot;Provision OK for domain DN</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> presult<span class="hl opt">.</span>domaindn
        ctx<span class="hl opt">.</span>local_samdb <span class="hl opt">=</span> presult<span class="hl opt">.</span>samdb
        ctx<span class="hl opt">.</span>lp          <span class="hl opt">=</span> presult<span class="hl opt">.</span>lp
        ctx<span class="hl opt">.</span>paths       <span class="hl opt">=</span> presult<span class="hl opt">.</span>paths


    <span class="hl kwa">def</span> <span class="hl kwd">join_replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;replicate the SAM&#39;&#39;&#39;</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Starting replication&quot;</span>
        ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">transaction_start</span><span class="hl opt">()</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            source_dsa_invocation_id <span class="hl opt">=</span> misc<span class="hl opt">.</span><span class="hl kwd">GUID</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">get_invocation_id</span><span class="hl opt">())</span>
            destination_dsa_guid <span class="hl opt">=</span> ctx<span class="hl opt">.</span>ntds_guid

            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>RODC<span class="hl opt">:</span>
                repl_creds <span class="hl opt">=</span> <span class="hl kwd">Credentials</span><span class="hl opt">()</span>
                repl_creds<span class="hl opt">.</span><span class="hl kwd">guess</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>
                repl_creds<span class="hl opt">.</span><span class="hl kwd">set_kerberos_state</span><span class="hl opt">(</span>DONT_USE_KERBEROS<span class="hl opt">)</span>
                repl_creds<span class="hl opt">.</span><span class="hl kwd">set_username</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samname<span class="hl opt">)</span>
                repl_creds<span class="hl opt">.</span><span class="hl kwd">set_password</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>acct_pass<span class="hl opt">)</span>
            <span class="hl kwa">else</span><span class="hl opt">:</span>
                repl_creds <span class="hl opt">=</span> ctx<span class="hl opt">.</span>creds

            binding_options <span class="hl opt">=</span> <span class="hl str">&quot;seal&quot;</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>lp<span class="hl opt">.</span><span class="hl kwd">get</span><span class="hl opt">(</span><span class="hl str">&quot;debug level&quot;</span><span class="hl opt">) &gt;=</span> <span class="hl num">5</span><span class="hl opt">:</span>
                binding_options <span class="hl opt">+=</span> <span class="hl str">&quot;,print&quot;</span>
            repl <span class="hl opt">=</span> drs_utils<span class="hl opt">.</span><span class="hl kwd">drs_Replicate</span><span class="hl opt">(</span>
                <span class="hl str">&quot;ncacn_ip_tcp:</span><span class="hl ipl">%s</span><span class="hl str">[</span><span class="hl ipl">%s</span><span class="hl str">]&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>server<span class="hl opt">,</span> binding_options<span class="hl opt">),</span>
                ctx<span class="hl opt">.</span>lp<span class="hl opt">,</span> repl_creds<span class="hl opt">,</span> ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">)</span>

            repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>schema_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                    destination_dsa_guid<span class="hl opt">,</span> schema<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">,</span> rodc<span class="hl opt">=</span>ctx<span class="hl opt">.</span>RODC<span class="hl opt">,</span>
                    replica_flags<span class="hl opt">=</span>ctx<span class="hl opt">.</span>replica_flags<span class="hl opt">)</span>
            repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>config_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                    destination_dsa_guid<span class="hl opt">,</span> rodc<span class="hl opt">=</span>ctx<span class="hl opt">.</span>RODC<span class="hl opt">,</span>
                    replica_flags<span class="hl opt">=</span>ctx<span class="hl opt">.</span>replica_flags<span class="hl opt">)</span>
            repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>base_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                    destination_dsa_guid<span class="hl opt">,</span> rodc<span class="hl opt">=</span>ctx<span class="hl opt">.</span>RODC<span class="hl opt">,</span>
                    replica_flags<span class="hl opt">=</span>ctx<span class="hl opt">.</span>replica_flags<span class="hl opt">)</span>
            <span class="hl kwa">if</span> ctx<span class="hl opt">.</span>RODC<span class="hl opt">:</span>
                repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>acct_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                        destination_dsa_guid<span class="hl opt">,</span>
                        exop<span class="hl opt">=</span>drsuapi<span class="hl opt">.</span>DRSUAPI_EXOP_REPL_SECRET<span class="hl opt">,</span> rodc<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>
                repl<span class="hl opt">.</span><span class="hl kwd">replicate</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>new_krbtgt_dn<span class="hl opt">,</span> source_dsa_invocation_id<span class="hl opt">,</span>
                        destination_dsa_guid<span class="hl opt">,</span>
                        exop<span class="hl opt">=</span>drsuapi<span class="hl opt">.</span>DRSUAPI_EXOP_REPL_SECRET<span class="hl opt">,</span> rodc<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>

            <span class="hl kwa">print</span> <span class="hl str">&quot;Committing SAM database&quot;</span>
        <span class="hl kwa">except</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">transaction_cancel</span><span class="hl opt">()</span>
            <span class="hl kwa">raise</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span>local_samdb<span class="hl opt">.</span><span class="hl kwd">transaction_commit</span><span class="hl opt">()</span>


    <span class="hl kwa">def</span> <span class="hl kwd">join_finalise</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        <span class="hl str">&#39;&#39;&#39;finalise the join, mark us synchronised and setup secrets db&#39;&#39;&#39;</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Setting isSynchronized&quot;</span>
        m <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Message</span><span class="hl opt">()</span>
        m<span class="hl opt">.</span>dn <span class="hl opt">=</span> ldb<span class="hl opt">.</span><span class="hl kwd">Dn</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>samdb<span class="hl opt">,</span> <span class="hl str">&#39;&#64;ROOTDSE&#39;</span><span class="hl opt">)</span>
        m<span class="hl opt">[</span><span class="hl str">&quot;isSynchronized&quot;</span><span class="hl opt">] =</span> ldb<span class="hl opt">.</span><span class="hl kwd">MessageElement</span><span class="hl opt">(</span><span class="hl str">&quot;TRUE&quot;</span><span class="hl opt">,</span> ldb<span class="hl opt">.</span>FLAG_MOD_REPLACE<span class="hl opt">,</span> <span class="hl str">&quot;isSynchronized&quot;</span><span class="hl opt">)</span>
        ctx<span class="hl opt">.</span>samdb<span class="hl opt">.</span><span class="hl kwd">modify</span><span class="hl opt">(</span>m<span class="hl opt">)</span>

        secrets_ldb <span class="hl opt">=</span> <span class="hl kwd">Ldb</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>paths<span class="hl opt">.</span>secrets<span class="hl opt">,</span> session_info<span class="hl opt">=</span><span class="hl kwd">system_session</span><span class="hl opt">(),</span> lp<span class="hl opt">=</span>ctx<span class="hl opt">.</span>lp<span class="hl opt">)</span>

        <span class="hl kwa">print</span> <span class="hl str">&quot;Setting up secrets database&quot;</span>
        <span class="hl kwd">secretsdb_self_join</span><span class="hl opt">(</span>secrets_ldb<span class="hl opt">,</span> domain<span class="hl opt">=</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span>
                            realm<span class="hl opt">=</span>ctx<span class="hl opt">.</span>realm<span class="hl opt">,</span>
                            dnsdomain<span class="hl opt">=</span>ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">,</span>
                            netbiosname<span class="hl opt">=</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span>
                            domainsid<span class="hl opt">=</span>security<span class="hl opt">.</span><span class="hl kwd">dom_sid</span><span class="hl opt">(</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">),</span>
                            machinepass<span class="hl opt">=</span>ctx<span class="hl opt">.</span>acct_pass<span class="hl opt">,</span>
                            secure_channel_type<span class="hl opt">=</span>ctx<span class="hl opt">.</span>secure_channel_type<span class="hl opt">,</span>
                            key_version_number<span class="hl opt">=</span>ctx<span class="hl opt">.</span>key_version_number<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">do_join</span><span class="hl opt">(</span>ctx<span class="hl opt">):</span>
        ctx<span class="hl opt">.</span><span class="hl kwd">cleanup_old_join</span><span class="hl opt">()</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">join_add_objects</span><span class="hl opt">()</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">join_provision</span><span class="hl opt">()</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">join_replicate</span><span class="hl opt">()</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">join_finalise</span><span class="hl opt">()</span>
        <span class="hl kwa">except</span> <span class="hl kwc">Exception</span><span class="hl opt">:</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Join failed - cleaning up&quot;</span>
            ctx<span class="hl opt">.</span><span class="hl kwd">cleanup_old_join</span><span class="hl opt">()</span>
            <span class="hl kwa">raise</span>


<span class="hl kwa">def</span> <span class="hl kwd">join_RODC</span><span class="hl opt">(</span>server<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> creds<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> lp<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> site<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> netbios_name<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
              targetdir<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> domain<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">):</span>
    <span class="hl str">&quot;&quot;&quot;join as a RODC&quot;&quot;&quot;</span>

    ctx <span class="hl opt">=</span> <span class="hl kwd">dc_join</span><span class="hl opt">(</span>server<span class="hl opt">,</span> creds<span class="hl opt">,</span> lp<span class="hl opt">,</span> site<span class="hl opt">,</span> netbios_name<span class="hl opt">,</span> targetdir<span class="hl opt">,</span> domain<span class="hl opt">)</span>

    ctx<span class="hl opt">.</span>krbtgt_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=krbtgt_</span><span class="hl ipl">%s</span><span class="hl str">,CN=Users,</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span> ctx<span class="hl opt">.</span>base_dn<span class="hl opt">)</span>

    <span class="hl slc"># setup some defaults for accounts that should be replicated to this RODC</span>
    ctx<span class="hl opt">.</span>never_reveal_sid <span class="hl opt">= [</span> <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s-%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">,</span> security<span class="hl opt">.</span>DOMAIN_RID_RODC_DENY<span class="hl opt">),</span>
                             <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> security<span class="hl opt">.</span>SID_BUILTIN_ADMINISTRATORS<span class="hl opt">,</span>
                             <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> security<span class="hl opt">.</span>SID_BUILTIN_SERVER_OPERATORS<span class="hl opt">,</span>
                             <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> security<span class="hl opt">.</span>SID_BUILTIN_BACKUP_OPERATORS<span class="hl opt">,</span>
                             <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> security<span class="hl opt">.</span>SID_BUILTIN_ACCOUNT_OPERATORS <span class="hl opt">]</span>
    ctx<span class="hl opt">.</span>reveal_sid <span class="hl opt">=</span> <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s-%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>domsid<span class="hl opt">,</span> security<span class="hl opt">.</span>DOMAIN_RID_RODC_ALLOW<span class="hl opt">)</span>

    mysid <span class="hl opt">=</span> ctx<span class="hl opt">.</span><span class="hl kwd">get_mysid</span><span class="hl opt">()</span>
    admin_dn <span class="hl opt">=</span> <span class="hl str">&quot;&lt;SID=</span><span class="hl ipl">%s</span><span class="hl str">&gt;&quot;</span> <span class="hl opt">%</span> mysid
    ctx<span class="hl opt">.</span>managedby <span class="hl opt">=</span> admin_dn

    ctx<span class="hl opt">.</span>userAccountControl <span class="hl opt">= (</span>samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_WORKSTATION_TRUST_ACCOUNT |
                              samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION |
                              samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_PARTIAL_SECRETS_ACCOUNT<span class="hl opt">)</span>

    ctx<span class="hl opt">.</span>SPNs<span class="hl opt">.</span><span class="hl kwd">extend</span><span class="hl opt">([</span> <span class="hl str">&quot;RestrictedKrbHost/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>myname<span class="hl opt">,</span>
                      <span class="hl str">&quot;RestrictedKrbHost/</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>dnshostname <span class="hl opt">])</span>

    ctx<span class="hl opt">.</span>connection_dn <span class="hl opt">=</span> <span class="hl str">&quot;CN=RODC Connection (FRS),</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>ntds_dn
    ctx<span class="hl opt">.</span>secure_channel_type <span class="hl opt">=</span> misc<span class="hl opt">.</span>SEC_CHAN_RODC
    ctx<span class="hl opt">.</span>RODC <span class="hl opt">=</span> <span class="hl kwa">True</span>
    ctx<span class="hl opt">.</span>replica_flags  <span class="hl opt">=  (</span>drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_INIT_SYNC |
                           drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_PER_SYNC |
                           drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_GET_ANC |
                           drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_NEVER_SYNCED |
                           drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |
                           drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span><span class="hl kwd">do_join</span><span class="hl opt">()</span>


    <span class="hl kwa">print</span> <span class="hl str">&quot;Joined domain</span> <span class="hl ipl">%s</span> <span class="hl str">(SID</span> <span class="hl ipl">%s</span><span class="hl str">) as an RODC&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span> ctx<span class="hl opt">.</span>domsid<span class="hl opt">)</span>


<span class="hl kwa">def</span> <span class="hl kwd">join_DC</span><span class="hl opt">(</span>server<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> creds<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> lp<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> site<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> netbios_name<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span>
            targetdir<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> domain<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">):</span>
    <span class="hl str">&quot;&quot;&quot;join as a DC&quot;&quot;&quot;</span>
    ctx <span class="hl opt">=</span> <span class="hl kwd">dc_join</span><span class="hl opt">(</span>server<span class="hl opt">,</span> creds<span class="hl opt">,</span> lp<span class="hl opt">,</span> site<span class="hl opt">,</span> netbios_name<span class="hl opt">,</span> targetdir<span class="hl opt">,</span> domain<span class="hl opt">)</span>

    ctx<span class="hl opt">.</span>userAccountControl <span class="hl opt">=</span> samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_SERVER_TRUST_ACCOUNT | samba<span class="hl opt">.</span>dsdb<span class="hl opt">.</span>UF_TRUSTED_FOR_DELEGATION

    ctx<span class="hl opt">.</span>SPNs<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span><span class="hl str">&#39;E3514235-4B06-11D1-AB04-00C04FC2DCD2/$NTDSGUID/</span><span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> ctx<span class="hl opt">.</span>dnsdomain<span class="hl opt">)</span>
    ctx<span class="hl opt">.</span>secure_channel_type <span class="hl opt">=</span> misc<span class="hl opt">.</span>SEC_CHAN_BDC

    ctx<span class="hl opt">.</span>replica_flags <span class="hl opt">= (</span>drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_WRIT_REP |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_INIT_SYNC |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_PER_SYNC |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS |
                         drsuapi<span class="hl opt">.</span>DRSUAPI_DRS_NEVER_SYNCED<span class="hl opt">)</span>

    ctx<span class="hl opt">.</span><span class="hl kwd">do_join</span><span class="hl opt">()</span>
    <span class="hl kwa">print</span> <span class="hl str">&quot;Joined domain</span> <span class="hl ipl">%s</span> <span class="hl str">(SID</span> <span class="hl ipl">%s</span><span class="hl str">) as a DC&quot;</span> <span class="hl opt">% (</span>ctx<span class="hl opt">.</span>domain_name<span class="hl opt">,</span> ctx<span class="hl opt">.</span>domsid<span class="hl opt">)</span>
</code></pre></td></tr></table>
</div> <!-- class=content -->
<div class='footer'>generated by <a href='https://git.zx2c4.com/cgit/about/'>cgit </a> (<a href='https://git-scm.com/'>git 2.34.1</a>) at 2026-01-22 18:08:27 +0000</div>
</div> <!-- id=cgit -->
</body>
</html>