1#!/usr/bin/env python3
2#
3# Compute our KCC topology
4#
5# Copyright (C) Dave Craft 2011
6# Copyright (C) Andrew Bartlett 2015
7#
8# Andrew Bartlett's alleged work performed by his underlings Douglas
9# Bagnall and Garming Sam.
10#
11# This program is free software; you can redistribute it and/or modify
12# it under the terms of the GNU General Public License as published by
13# the Free Software Foundation; either version 3 of the License, or
14# (at your option) any later version.
15#
16# This program is distributed in the hope that it will be useful,
17# but WITHOUT ANY WARRANTY; without even the implied warranty of
18# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19# GNU General Public License for more details.
20#
21# You should have received a copy of the GNU General Public License
22# along with this program.  If not, see <http://www.gnu.org/licenses/>.
23from __future__ import print_function
24
25import os
26import sys
27import random
28
29# ensure we get messages out immediately, so they get in the samba logs,
30# and don't get swallowed by a timeout
31os.environ['PYTHONUNBUFFERED'] = '1'
32
33# forcing GMT avoids a problem in some timezones with kerberos. Both MIT
34# heimdal can get mutual authentication errors due to the 24 second difference
35# between UTC and GMT when using some zone files (eg. the PDT zone from
36# the US)
37os.environ["TZ"] = "GMT"
38
39# Find right directory when running from source tree
40sys.path.insert(0, "bin/python")
41
42import optparse
43import time
44
45from samba import getopt as options
46
47from samba.kcc.graph_utils import verify_and_dot, list_verify_tests
48from samba.kcc.graph_utils import GraphError
49
50import logging
51from samba.kcc.debug import logger, DEBUG, DEBUG_FN
52from samba.kcc import KCC
53
54# If DEFAULT_RNG_SEED is None, /dev/urandom or system time is used.
55DEFAULT_RNG_SEED = None
56
57
58def test_all_reps_from(kcc, dburl, lp, creds, unix_now, rng_seed=None,
59                       ldif_file=None):
60    """Run the KCC from all DSAs in read-only mode
61
62    The behaviour depends on the global opts variable which contains
63    command line variables. Usually you will want to run it with
64    opt.dot_file_dir set (via --dot-file-dir) to see the graphs that
65    would be created from each DC.
66
67    :param lp: a loadparm object.
68    :param creds: a Credentials object.
69    :param unix_now: the unix epoch time as an integer
70    :param rng_seed: a seed for the random number generator
71    :return None:
72    """
73    # This implies readonly and attempt_live_connections
74    dsas = kcc.list_dsas()
75    samdb = kcc.samdb
76    needed_parts = {}
77    current_parts = {}
78
79    guid_to_dnstr = {}
80    for site in kcc.site_table.values():
81        guid_to_dnstr.update((str(dsa.dsa_guid), dnstr)
82                             for dnstr, dsa in site.dsa_table.items())
83
84    dot_edges = []
85    dot_vertices = []
86    colours = []
87    vertex_colours = []
88
89    for dsa_dn in dsas:
90        if rng_seed is not None:
91            random.seed(rng_seed)
92        kcc = KCC(unix_now, readonly=True,
93                  verify=opts.verify, debug=opts.debug,
94                  dot_file_dir=opts.dot_file_dir)
95        if ldif_file is not None:
96            try:
97                # The dburl in this case is a temporary database.
98                # Its non-existence is ensured at the script startup.
99                # If it exists, it is from a previous iteration of
100                # this loop -- unless we're in an unfortunate race.
101                # Because this database is temporary, it lacks some
102                # detail and needs to be re-created anew to set the
103                # local dsa.
104                os.unlink(dburl)
105            except OSError:
106                pass
107
108            kcc.import_ldif(dburl, lp, ldif_file, dsa_dn)
109        else:
110            kcc.samdb = samdb
111        kcc.run(dburl, lp, creds, forced_local_dsa=dsa_dn,
112                forget_local_links=opts.forget_local_links,
113                forget_intersite_links=opts.forget_intersite_links,
114                attempt_live_connections=opts.attempt_live_connections)
115
116        current, needed = kcc.my_dsa.get_rep_tables()
117
118        for dsa in kcc.my_site.dsa_table.values():
119            if dsa is kcc.my_dsa:
120                continue
121            kcc.translate_ntdsconn(dsa)
122            c, n = dsa.get_rep_tables()
123            current.update(c)
124            needed.update(n)
125
126        for name, rep_table, rep_parts in (
127                ('needed', needed, needed_parts),
128                ('current', current, current_parts)):
129            for part, nc_rep in rep_table.items():
130                edges = rep_parts.setdefault(part, [])
131                for reps_from in nc_rep.rep_repsFrom:
132                    source = guid_to_dnstr[str(reps_from.source_dsa_obj_guid)]
133                    dest = guid_to_dnstr[str(nc_rep.rep_dsa_guid)]
134                    edges.append((source, dest))
135
136        for site in kcc.site_table.values():
137            for dsa in site.dsa_table.values():
138                if dsa.is_ro():
139                    vertex_colours.append('#cc0000')
140                else:
141                    vertex_colours.append('#0000cc')
142                dot_vertices.append(dsa.dsa_dnstr)
143                if dsa.connect_table:
144                    DEBUG_FN("DSA %s %s connections:\n%s" %
145                             (dsa.dsa_dnstr, len(dsa.connect_table),
146                              [x.from_dnstr for x in
147                               dsa.connect_table.values()]))
148                for con in dsa.connect_table.values():
149                    if con.is_rodc_topology():
150                        colours.append('red')
151                    else:
152                        colours.append('blue')
153                    dot_edges.append((con.from_dnstr, dsa.dsa_dnstr))
154
155    verify_and_dot('all-dsa-connections', dot_edges, vertices=dot_vertices,
156                   label="all dsa NTDSConnections", properties=(),
157                   debug=DEBUG, verify=opts.verify,
158                   dot_file_dir=opts.dot_file_dir,
159                   directed=True, edge_colors=colours,
160                   vertex_colors=vertex_colours)
161
162    for name, rep_parts in (('needed', needed_parts),
163                            ('current', current_parts)):
164        for part, edges in rep_parts.items():
165            verify_and_dot('all-repsFrom_%s__%s' % (name, part), edges,
166                           directed=True, label=part,
167                           properties=(), debug=DEBUG, verify=opts.verify,
168                           dot_file_dir=opts.dot_file_dir)
169
170##################################################
171# samba_kcc entry point
172##################################################
173
174
175parser = optparse.OptionParser("samba_kcc [options]")
176sambaopts = options.SambaOptions(parser)
177credopts = options.CredentialsOptions(parser)
178
179parser.add_option_group(sambaopts)
180parser.add_option_group(credopts)
181parser.add_option_group(options.VersionOptions(parser))
182
183parser.add_option("--readonly", default=False,
184                  help="compute topology but do not update database",
185                  action="store_true")
186
187parser.add_option("--debug",
188                  help="debug output",
189                  action="store_true")
190
191parser.add_option("--verify",
192                  help="verify that assorted invariants are kept",
193                  action="store_true")
194
195parser.add_option("--list-verify-tests",
196                  help=("list what verification actions are available "
197                        "and do nothing else"),
198                  action="store_true")
199
200parser.add_option("--dot-file-dir", default=None,
201                  help="Write Graphviz .dot files to this directory")
202
203parser.add_option("--seed",
204                  help="random number seed",
205                  type=int, default=DEFAULT_RNG_SEED)
206
207parser.add_option("--importldif",
208                  help="import topology ldif file",
209                  type=str, metavar="<file>")
210
211parser.add_option("--exportldif",
212                  help="export topology ldif file",
213                  type=str, metavar="<file>")
214
215parser.add_option("-H", "--URL",
216                  help="LDB URL for database or target server",
217                  type=str, metavar="<URL>", dest="dburl")
218
219parser.add_option("--tmpdb",
220                  help="schemaless database file to create for ldif import",
221                  type=str, metavar="<file>")
222
223parser.add_option("--now",
224                  help=("assume current time is this ('YYYYmmddHHMMSS[tz]',"
225                        " default: system time)"),
226                  type=str, metavar="<date>")
227
228parser.add_option("--forced-local-dsa",
229                  help="run calculations assuming the DSA is this DN",
230                  type=str, metavar="<DSA>")
231
232parser.add_option("--attempt-live-connections", default=False,
233                  help="Attempt to connect to other DSAs to test links",
234                  action="store_true")
235
236parser.add_option("--list-valid-dsas", default=False,
237                  help=("Print a list of DSA dnstrs that could be"
238                        " used in --forced-local-dsa"),
239                  action="store_true")
240
241parser.add_option("--test-all-reps-from", default=False,
242                  help="Create and verify a graph of reps-from for every DSA",
243                  action="store_true")
244
245parser.add_option("--forget-local-links", default=False,
246                  help="pretend not to know the existing local topology",
247                  action="store_true")
248
249parser.add_option("--forget-intersite-links", default=False,
250                  help="pretend not to know the existing intersite topology",
251                  action="store_true")
252
253opts, args = parser.parse_args()
254
255
256if opts.list_verify_tests:
257    list_verify_tests()
258    sys.exit(0)
259
260if opts.test_all_reps_from:
261    opts.readonly = True
262
263if opts.debug:
264    logger.setLevel(logging.DEBUG)
265elif opts.readonly:
266    logger.setLevel(logging.INFO)
267else:
268    logger.setLevel(logging.WARNING)
269
270random.seed(opts.seed)
271
272if opts.now:
273    for timeformat in ("%Y%m%d%H%M%S%Z", "%Y%m%d%H%M%S"):
274        try:
275            now_tuple = time.strptime(opts.now, timeformat)
276            break
277        except ValueError:
278            pass
279    else:
280        # else happens if break doesn't --> no match
281        print("could not parse time '%s'" % (opts.now), file = sys.stderr)
282        sys.exit(1)
283    unix_now = int(time.mktime(now_tuple))
284else:
285    unix_now = int(time.time())
286
287lp = sambaopts.get_loadparm()
288# only log warnings/errors by default, unless the user has specified otherwise
289if opts.debug is None:
290    lp.set('log level', '1')
291
292creds = credopts.get_credentials(lp, fallback_machine=True)
293
294if opts.dburl is None:
295    if opts.importldif:
296        opts.dburl = opts.tmpdb
297    else:
298        opts.dburl = lp.samdb_url()
299elif opts.importldif:
300    logger.error("Don't use -H/--URL with --importldif, use --tmpdb instead")
301    sys.exit(1)
302
303# Instantiate Knowledge Consistency Checker and perform run
304kcc = KCC(unix_now, readonly=opts.readonly, verify=opts.verify,
305          debug=opts.debug, dot_file_dir=opts.dot_file_dir)
306
307if opts.exportldif:
308    rc = kcc.export_ldif(opts.dburl, lp, creds, opts.exportldif)
309    sys.exit(rc)
310
311if opts.importldif:
312    if opts.tmpdb is None or opts.tmpdb.startswith('ldap'):
313        logger.error("Specify a target temp database file with --tmpdb option")
314        sys.exit(1)
315    if os.path.exists(opts.tmpdb):
316        logger.error("The temp database file (%s) specified with --tmpdb "
317                     "already exists. We refuse to clobber it." % opts.tmpdb)
318        sys.exit(1)
319
320    rc = kcc.import_ldif(opts.tmpdb, lp, opts.importldif,
321                         forced_local_dsa=opts.forced_local_dsa)
322    if rc != 0:
323        sys.exit(rc)
324
325
326kcc.load_samdb(opts.dburl, lp, creds, force=False)
327
328if opts.test_all_reps_from:
329    test_all_reps_from(kcc, opts.dburl, lp, creds, unix_now,
330                       rng_seed=opts.seed,
331                       ldif_file=opts.importldif)
332    sys.exit()
333
334if opts.list_valid_dsas:
335    print('\n'.join(kcc.list_dsas()))
336    sys.exit()
337
338try:
339    rc = kcc.run(opts.dburl, lp, creds, opts.forced_local_dsa,
340                 opts.forget_local_links, opts.forget_intersite_links,
341                 attempt_live_connections=opts.attempt_live_connections)
342    sys.exit(rc)
343
344except GraphError as e:
345    print( e)
346    sys.exit(1)
347