1#!/usr/bin/env python3 2# 3# update our servicePrincipalName names from spn_update_list 4# 5# Copyright (C) Andrew Tridgell 2010 6# Copyright (C) Matthieu Patou <mat@matws.net> 2012 7# 8# This program is free software; you can redistribute it and/or modify 9# it under the terms of the GNU General Public License as published by 10# the Free Software Foundation; either version 3 of the License, or 11# (at your option) any later version. 12# 13# This program is distributed in the hope that it will be useful, 14# but WITHOUT ANY WARRANTY; without even the implied warranty of 15# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16# GNU General Public License for more details. 17# 18# You should have received a copy of the GNU General Public License 19# along with this program. If not, see <http://www.gnu.org/licenses/>. 20 21 22import os, sys, re 23 24# ensure we get messages out immediately, so they get in the samba logs, 25# and don't get swallowed by a timeout 26os.environ['PYTHONUNBUFFERED'] = '1' 27 28# forcing GMT avoids a problem in some timezones with kerberos. Both MIT 29# heimdal can get mutual authentication errors due to the 24 second difference 30# between UTC and GMT when using some zone files (eg. the PDT zone from 31# the US) 32os.environ["TZ"] = "GMT" 33 34# Find right directory when running from source tree 35sys.path.insert(0, "bin/python") 36 37import samba, ldb 38import optparse 39from samba import Ldb 40from samba import getopt as options 41from samba.auth import system_session 42from samba.samdb import SamDB 43from samba.credentials import Credentials, DONT_USE_KERBEROS 44from samba.compat import get_string 45 46parser = optparse.OptionParser("samba_spnupdate") 47sambaopts = options.SambaOptions(parser) 48parser.add_option_group(sambaopts) 49parser.add_option_group(options.VersionOptions(parser)) 50parser.add_option("--verbose", action="store_true") 51 52credopts = options.CredentialsOptions(parser) 53parser.add_option_group(credopts) 54 55ccachename = None 56 57opts, args = parser.parse_args() 58 59if len(args) != 0: 60 parser.print_usage() 61 sys.exit(1) 62 63lp = sambaopts.get_loadparm() 64creds = credopts.get_credentials(lp) 65 66domain = lp.get("realm") 67host = lp.get("netbios name") 68 69 70# get the list of substitution vars 71def get_subst_vars(samdb): 72 global lp 73 vars = {} 74 75 vars['DNSDOMAIN'] = samdb.domain_dns_name() 76 vars['DNSFOREST'] = samdb.forest_dns_name() 77 vars['HOSTNAME'] = samdb.host_dns_name() 78 vars['NETBIOSNAME'] = lp.get('netbios name').upper() 79 vars['WORKGROUP'] = lp.get('workgroup') 80 vars['NTDSGUID'] = samdb.get_ntds_GUID() 81 res = samdb.search(base=samdb.get_default_basedn(), scope=ldb.SCOPE_BASE, attrs=["objectGUID"]) 82 guid = samdb.schema_format_value("objectGUID", res[0]['objectGUID'][0]) 83 vars['DOMAINGUID'] = get_string(guid) 84 return vars 85 86try: 87 private_dir = lp.get("private dir") 88 secrets_path = os.path.join(private_dir, "secrets.ldb") 89 90 secrets_db = Ldb(url=secrets_path, session_info=system_session(), 91 credentials=creds, lp=lp) 92 res = secrets_db.search(base=None, 93 expression="(&(objectclass=ldapSecret)(cn=SAMDB Credentials))", 94 attrs=["samAccountName", "secret"]) 95 96 if len(res) == 1: 97 credentials = Credentials() 98 credentials.set_kerberos_state(DONT_USE_KERBEROS) 99 100 if "samAccountName" in res[0]: 101 credentials.set_username(res[0]["samAccountName"][0]) 102 103 if "secret" in res[0]: 104 credentials.set_password(res[0]["secret"][0]) 105 106 else: 107 credentials = None 108 109 samdb = SamDB(url=lp.samdb_url(), session_info=system_session(), credentials=credentials, lp=lp) 110except ldb.LdbError as e: 111 (num, msg) = e.args 112 print("Unable to open sam database %s : %s" % (lp.samdb_url(), msg)) 113 sys.exit(1) 114 115 116# get the substitution dictionary 117sub_vars = get_subst_vars(samdb) 118 119# get the list of SPN entries we should have 120spn_update_list = lp.private_path('spn_update_list') 121 122file = open(spn_update_list, "r") 123 124spn_list = [] 125 126has_forest_dns = False 127has_domain_dns = False 128# check if we "are DNS server" 129res = samdb.search(base=samdb.get_config_basedn(), 130 expression='(objectguid=%s)' % sub_vars['NTDSGUID'], 131 attrs=["msDS-hasMasterNCs"]) 132 133basedn = str(samdb.get_default_basedn()) 134if len(res) == 1: 135 if "msDS-hasMasterNCs" in res[0]: 136 for e in res[0]["msDS-hasMasterNCs"]: 137 if str(e) == "DC=DomainDnsZones,%s" % basedn: 138 has_domain_dns = True 139 if str(e) == "DC=ForestDnsZones,%s" % basedn: 140 has_forest_dns = True 141 142 143# build the spn list 144for line in file: 145 line = line.strip() 146 if line == '' or line[0] == "#": 147 continue 148 if re.match(r".*/DomainDnsZones\..*", line) and not has_domain_dns: 149 continue 150 if re.match(r".*/ForestDnsZones\..*", line) and not has_forest_dns: 151 continue 152 line = samba.substitute_var(line, sub_vars) 153 spn_list.append(line) 154 155# get the current list of SPNs in our sam 156res = samdb.search(base=samdb.get_default_basedn(), 157 expression='(&(objectClass=computer)(samaccountname=%s$))' % sub_vars['NETBIOSNAME'], 158 attrs=["servicePrincipalName"]) 159if not res or len(res) != 1: 160 print("Failed to find computer object for %s$" % sub_vars['NETBIOSNAME']) 161 sys.exit(1) 162 163machine_dn = res[0]["dn"] 164 165old_spns = [] 166if "servicePrincipalName" in res[0]: 167 for s in res[0]["servicePrincipalName"]: 168 old_spns.append(str(s)) 169 170if opts.verbose: 171 print("Existing SPNs: %s" % old_spns) 172 173add_list = [] 174 175# work out what needs to be added 176for s in spn_list: 177 in_list = False 178 for s2 in old_spns: 179 if s2.upper() == s.upper(): 180 in_list = True 181 break 182 if not in_list: 183 add_list.append(s) 184 185if opts.verbose: 186 print("New SPNs: %s" % add_list) 187 188if add_list == []: 189 if opts.verbose: 190 print("Nothing to add") 191 sys.exit(0) 192 193def local_update(add_list): 194 '''store locally''' 195 global res 196 msg = ldb.Message() 197 msg.dn = res[0]['dn'] 198 msg[""] = ldb.MessageElement(add_list, 199 ldb.FLAG_MOD_ADD, "servicePrincipalName") 200 res = samdb.modify(msg) 201 202def call_rodc_update(d): 203 '''RODCs need to use the writeSPN DRS call''' 204 global lp, sub_vars 205 from samba import drs_utils 206 from samba.dcerpc import drsuapi, nbt 207 from samba.net import Net 208 209 if opts.verbose: 210 print("Using RODC SPN update") 211 212 creds = credopts.get_credentials(lp) 213 creds.set_machine_account(lp) 214 215 net = Net(creds=creds, lp=lp) 216 try: 217 cldap_ret = net.finddc(domain=domain, flags=nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE) 218 except Exception as reason: 219 print("Unable to find writeable DC for domain '%s' to send DRS writeSPN to : %s" % (domain, reason)) 220 sys.exit(1) 221 server = cldap_ret.pdc_dns_name 222 try: 223 binding_options = "seal" 224 if lp.log_level() >= 5: 225 binding_options += ",print" 226 drs = drsuapi.drsuapi('ncacn_ip_tcp:%s[%s]' % (server, binding_options), lp, creds) 227 (drs_handle, supported_extensions) = drs_utils.drs_DsBind(drs) 228 except Exception as reason: 229 print("Unable to connect to DC '%s' for domain '%s' : %s" % (server, domain, reason)) 230 sys.exit(1) 231 req1 = drsuapi.DsWriteAccountSpnRequest1() 232 req1.operation = drsuapi.DRSUAPI_DS_SPN_OPERATION_ADD 233 req1.object_dn = str(machine_dn) 234 req1.count = 0 235 spn_names = [] 236 for n in add_list: 237 if n.find('E3514235-4B06-11D1-AB04-00C04FC2DCD2') != -1: 238 # this one isn't allowed for RODCs, but we don't know why yet 239 continue 240 ns = drsuapi.DsNameString() 241 ns.str = n 242 spn_names.append(ns) 243 req1.count = req1.count + 1 244 if spn_names == []: 245 return 246 req1.spn_names = spn_names 247 (level, res) = drs.DsWriteAccountSpn(drs_handle, 1, req1) 248 if (res.status != (0, 'WERR_OK')): 249 print("WriteAccountSpn has failed with error %s" % str(res.status)) 250 251if samdb.am_rodc(): 252 call_rodc_update(add_list) 253else: 254 local_update(add_list) 255