gRSSKrSSKrSSKJr SSKrSSKJrJr SSKJrJ r J r SSK J r SSK Jr SSKJrJr SSKJrJrJrJr SS KJrJrJrJr SS KJrJrJr SS KJr SS K J!r! SS K"J#r# SSK$J%r% SSKJ&r&J'r' SSKJ(r( SSK)J*r*J+r+J,r, SSK$J-r- SSK.J/r/ Sr0Sr1"SS\25r3g)N) cmp_to_key) unix2nttime nttime2unix)ldbdsdb drs_utils)system_session)SamDB)drsuapimisc)Site Partition TransportSiteLink) NCReplicaNCType nctype_lut GraphNode) RepsFromToKCCErrorKCCFailedObject)convert_schedule_to_repltimes)ndr_pack)verify_and_dot)ldif_import_export) setup_graphget_spanning_tree_edges)Vertex)DEBUGDEBUG_FNlogger)debug)cmpcUR5(aUR5(dgUR5(dUR5(ag[[UR5[UR55$)zHelper to sort DSAs by guid global catalog status GC DSAs come before non-GC DSAs, other than that, the guids are sorted in NDR form. :param dsa1: A DSA object :param dsa2: Another DSA :return: -1, 0, or 1, indicating sort order. )is_gcr#rdsa_guid)dsa1dsa2s 4/usr/lib/python3/dist-packages/samba/kcc/__init__.pysort_dsa_by_gc_and_guidr,2sS zz||DJJLL ::<CCc[XR5nURUR5 [ UR 5nX0R ;amX R U'URRUR5 URRSURR555 UR U$)zHelper for load_my_site and load_all_sites. Put all the site's DSAs into the KCC indices. :param dn_str: a site dn_str :return: the Site object pertaining to the dn_str c3P# UHn[UR5U4v M g7fNr\r(.0xs r+ KCC.load_site..s%$F-D&)_a$8-Ds$&) r rG load_siterFr\ site_guidr6r9update dsa_tabler:values)rLdn_strsiteguids r+rz KCC.load_sitesFMM* tzz" 4>>"  &$(OOD !    $ $T^^ 4    # #$F-1^^-B-B-D$F Ft$$r-cSURR5<SURR5<3UlUR UR5Ulg)z7Load the Site object for the local DSA. :return: None zCN=z ,CN=Sites,N)rFserver_site_namerXrDrzrErLs r+ load_my_siteKCC.load_my_sitesF JJ ' ' ) JJ ( ( *,~~d&8&89 r-c\URRSURR5-[RSS9nUH)n[UR5nURU5 M+ g![R a!nUR up4[SU-5eSnAff=f)zdDiscover all sites and create Site objects. :return: None :raise: KCCError if sites can't be found z CN=Sites,%sz(objectClass=site)rQzUnable to find sites - (%s)N) rFrWrXrrYrZr[rr\r]rz)rLrae4rcrdresitestrs r+load_all_sitesKCC.load_all_sitess  A**##M$(JJ$@$@$B%C*-*;*;/C$ECC#&&kG NN7 # || A77LT84?@ @ AsAA66B+ B&&B+c SURR5-n[R"URU5nURR U[R S/S9n[U5S:wa[SUR5-5e[R"URR55n [R"US SS 5U :wa [S5e[US R 5UlUR$R'UR"5UlUR"UR*;a}[,R."SUR"-5 UR(UR*UR"'UR(UR0[UR(R25'g g ![R anURupV[SU<SU<SU<S35 URR S[R S /S9n[R"URUS S S RS 55nURR U[R S/S9nS nAGN4![R a!nURupV[S U-5eS nAff=fS nAff=f)zdDiscover my nTDSDSA dn thru the rootDSE entry :return: None :raise: KCCError if DSA can't be found z objectGUID)baserRattrszSearch for dn 'z' [from z ] failed: zL. This typically happens in --importldif mode due to lack of module support. dsServiceNamerutf8z Unable to find my nTDSDSA - (%s)Nr&zUnable to find my nTDSDSA at %sz>Did not find the GUID we expected, perhaps due to --importldifzmy_dsa %s isn't in self.dsas_by_dnstr: it must be RODC. Let's add it, because my_dsa is special! (likewise for self.dsa_by_guid))rF get_ntds_GUIDrDnrW SCOPE_BASErZr[r decoderlen extended_strr GUIDr\r]rBrEr=rCr9r"DEBUG_DARK_YELLOWr:r() rLdn_queryr]rae5rcrdservice_name_rese ntds_guids r+ load_my_dsaKCC.load_my_dsas| !9!9!;; VVDJJ ) J**##3>>+7.$:C4 s8q=<??,-. .IIdjj6689 99SVL)!, - ::; ; A Nll**4+<+<=   D$5$5 5  # #%H%)$5$5 %6 7 48;;D  d// 0:>++D  S!5!56 7 6K|| J77LT 574I J J$(::#4#4";>>><< J vv ADHII J) Js7*GK$&K B JK2KKKKcURRSURR5-[RSS9nUH]n[UR5nX`R;aM)[U5nURUR5 XpRU'M_ g![R a!nUR up4[SU-5eSnAff=f)zDiscover and load all partitions. Each NC is inserted into the part_table by partition dn string (not the nCName dn string) :return: None :raise: KCCError if partitions can't be found zCN=Partitions,%sz(objectClass=crossRef)rQz Unable to find partitions - (%s)N) rFrWrXrrYrZr[rr\r]r5rload_partition)rLrae6rcrdrepartstrparts r+load_all_partitionsKCC.load_all_partitions5s F**##$6$(JJ$@$@$B%C*-*;*;/G$ICC#&&kG//)W%D    +'+OOG $ || F77LT=DE E Frpc H0UlURR5up#UR5HnURHnUR nUS::aM[ UR5nURnURn URn URRU5n U c[XvXU 5n XRU'M[U RU5U l[U R U5U lXlM M [%5n Ub^['S5 UR(HBn U"U R*5(aU R-U 5 M-U =RS- slMD O ['S5 UR(R/U 5 g)zEnsure the failed links list is up to date Based on MS-ADTS 6.2.2.1 :param ping: An oracle function of remote site availability :return: None rNz6refresh_failed_links: checking if links are still downr&zdrefresh_failed_links: not checking live links because we weren't asked to --attempt-live-connections)r>rCget_rep_tablesr~ rep_repsFromconsecutive_sync_failuresr\source_dsa_obj_guid last_success last_attempt dns_name1r;rmax failure_countmintime_first_failure last_resultr?rr@dns_nameadddifference_update)rLpingcurrentneededreplica reps_fromrr(rrrfrestore_connections connections r+ refresh_failed_links_connections$KCC.refresh_failed_links_connectionsSsw!#++446~~'G$11 ) C C  A%y<<=%.%;%;"'44 $..))--h79'(:(02A78))(3&)!//=&IAO+.q/C/C/A,CA($/M)2(2"e   J K"99  ++,,'++J7,,1, : @ A ##556IJr-c*URR[UR55nU(a^URS:aN[ UR 5nX0R:a[R"S5 URU- S:agg)aCheck whether a link to a remote DSA is stale Used in MS-ADTS 6.2.2.2 Intrasite Connection Creation Returns True if the remote seems to have been down for at least two hours, otherwise False. :param target_dsa: the remote DSA object :return: True if link is stale, otherwise False rz>The last success time attribute for repsFrom is in the future!i TF) r>r;r\r(rrrrGr!error)rL target_dsa failed_linkunix_first_failures r+is_stale_link_connectionKCC.is_stale_link_connections++//J4G4G0HI ((1, > >?#& 5LL">?MM$66+E r-cgrsr/rs r+(remove_unneeded_failed_links_connections,KCC.remove_unneeded_failed_links_connectionss r-c UHnURbMUR(aJ[R"[ [ R "555UlURUlMmURUR5 M g)a$Load or fake-load NTDSConnections lacking GUIDs New connections don't have GUIDs and created times which are needed for sorting. If we're in read-only mode, we make fake GUIDs, otherwise we ask SamDB to do it for us. :param connections: an iterable of NTDSConnection objects. :return: None N) rrIr rr\uuiduuid4rH whenCreatedload_connectionrF)rL connectionscn_conns r+_ensure_connections_are_loaded"KCC._ensure_connections_are_loadedsX#G||#==#'99S->#?GL*.++G'++DJJ7 #r-cURRR5H;nUR5nUbM[ UR<SU<35 SUlM= g)zFind NTDS Connections that lack a remote I'm not sure how they appear. Let's be rid of them by marking them with the to_be_deleted attribute. :return: None Nz has phantom connection T)rC connect_tabler~get_from_dnstrr to_be_deleted)rLrs_dnstrs r+_mark_broken_ntdsconnKCC._mark_broken_ntdsconnsT{{00779G,,.G4;;;BDE(,% :r-cURR5(a[SUR-5 gURnUR UR R 55 /nUR R 5HnUR5nX@RR;dM.UR5=(d UR5(+n[UR5nURX4Xe45 M [!U5S:ag["R$"US5H_upxUup4peUuppU(aXJ:XaUR&U R&:d#UR&U R&:XdMQXk:dMXSUlMa g![a UR5(agGNQf=f)zFind unneeded intrasite NTDS Connections for removal Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections. Every DC removes its own unnecessary intrasite connections. This function tags them with the to_be_deleted attribute. :return: None z>not doing ntdsconn cleanup for site %s, because it is disabledNT)rEis_cleanup_ntdsconn_disabledr rCrrr~ris_rorr} is_generatedis_rodc_topologyrrappendr itertools permutationsrr) rLmydsalocal_connectionsrr removable packed_guidabcn_conn2s_dnstr2 packed_guid2 removable2s r+_mark_unneeded_local_ntdsconn!KCC._mark_unneeded_local_ntdsconns << 4 4 6 6 .04 = >     / /0C0C0J0J0L M **113G,,.G,,000!(!5!5!7"n XR&;dMUH$upn XJLdM XR&;dMSUlM& M@ M g)afind unneeded intersite NTDS Connections for removal Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections. The intersite topology generator removes links for all DCs in its site. Here we just tag them with the to_be_deleted attribute. :return: None N\0ADELz+DSA appears deleted, removing connection %sTc3*# UH oSv M g7f)rNr/rus r+rx8KCC._mark_unneeded_intersite_ntdsconn..'s+O:NQaD:Ns)rCrrEr}r~rrrr=r!inforrrrrAis_bridgehead_failed dsa_dnstrr6 rw_dsa_table) rL local_dsasconnections_and_dsasdsacnrfrom_dsato_dsa from_dnstrrcn2to_dsa2 from_dsa2s r+!_mark_unneeded_intersite_ntdsconn%KCC._mark_unneeded_intersite_ntdsconns ;;     \\++ !$$&C''..0##++-?,#||G4H'9+? $Q&-%./+/( (//(0CD1'" +++O:N+OO$8 B??$$(;(;(=(=+++..vt<<..x>> "++J..0!2!223G/iM%):)::/3B,4H1%9r-cUR5(dUR(aURR5HnUR(a[ R "SU-5 UR(a[ R "SU-5 UR(dMj[ R "SU-5 M URURSS9 gURUR5 g)NTO BE DELETED: %sTO BE ADDED: %sTO BE MODIFIED: %sTro) rrIrr~rr!r to_be_addedto_be_modifiedcommit_connectionsrF)rLrconnects r+_commit_changesKCC._commit_changes>s 99;;$--,,335((KK 4w >?&&KK 2W <=)))KK 5 ?@ 6  " "4::$ " 7  " "4:: .r-c(UR5 UR5 URR5(aU(aUR 5 UR R R5HnURU5 M g)zRemove unneeded NTDS Connections once topology is calculated Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections :param all_connected: indicates whether all sites are connected :return: None N) rrrCis_istgrrEr}r~r)rL all_connectedrs r+remove_unneeded_ntdsconnKCC.remove_unneeded_ntdsconnOsj ""$ **, ;;   ]  2 2 4<<))002C   %3r-cURnX`RR;n[UR5nXR:waXlUR [ R-S:Xa#U=R [ R-slUR5(aDUR [ R-S:Xa#U=R [ R-slU(dURU5(aDUR [ R-S:Xa#U=R [ R-slUR[R-S:wafUR[R-S:XaDUR [ R -S:Xa#U=R [ R -slOKU(dDUR [ R -S:Xa#U=R [ R -slU(deUR[R"-S:XaDUR [ R$-S:Xa#U=R [ R$-slUR[R&-S:waDUR [ R(-S:Xa#U=R [ R(-slUR+5(dUR [ R,-S:Xa#U=R [ R,-slUR [ R.-S:Xa#U=R [ R.-slUR0<SUR2R55<3n UR [ R6-S:wa$U=R [ R6)-sl[8R:"5UlUR>U :waXlUR@S:aURBU :waXl!URE5(a[GSU-5 gg)aUpdate an repsFrom object if required. Part of MS-ADTS 6.2.2.5. Update t_repsFrom if necessary to satisfy requirements. Such updates are typically required when the IDL_DRSGetNCChanges server has moved from one site to another--for example, to enable compression when the server is moved from the client's site to another site. The repsFrom.update_flags bit field may be modified auto-magically if any changes are made here. See kcc_utils.RepsFromTo for gory details. :param n_rep: NC replica we need :param t_repsFrom: repsFrom tuple to modify :param s_rep: NC replica at source DSA :param s_dsa: source DSA :param cn_conn: Local DSA NTDSConnection child :return: None rz._msdcs.r&zmodify_repsFrom(): %sN)$rrEr}rschedule replica_flagsr DRSUAPI_DRS_ADD_REF!is_schedule_minimum_once_per_weekDRSUAPI_DRS_PER_SYNCis_fsmo_role_ownerDRSUAPI_DRS_INIT_SYNCoptionsr$NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULTNTDSCONN_OPT_USE_NOTIFYDRSUAPI_DRS_NEVER_NOTIFY*NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSIONDRSUAPI_DRS_USE_COMPRESSIONNTDSCONN_OPT_TWOWAY_SYNCDRSUAPI_DRS_TWOWAY_SYNC is_enabledDRSUAPI_DRS_DISABLE_AUTO_SYNC!DRSUAPI_DRS_DISABLE_PERIODIC_SYNCr(rFforest_dns_nameDRSUAPI_DRS_MAIL_REPr rtransport_guidrversion dns_name2 is_modifiedr ) rLn_rep t_repsFroms_reps_dsarr same_sitetimesnastrs r+modify_repsFromKCC.modify_repsFromas0//||555 .g.>.>? '' '"'  % %  ( ()-0 1  $ $(C(C C $  4 4 6 6))--.256((G,H,HH( 0099))../367((G,I,II(__  6 67;> ?$">">>3F --556:=>,,889,))11269:((G,L,LL( __  < <=AD E))4459<=((G,O,OO( OOd;; ; C))001589((G,K,KK(!!##))667;>?((99:())::;?BC((==>(~#(..$**2L2L2NO  % %  ) )*.1 2  $ $)E)E(E E $$(IIK !   5 (#(    # (<(<(E#(  ! ! # # ,z9 : $r-cbUR5(aUR5(agUR5nURU5nUcgUR UR 5nUbAUR 5(a,UR5(aUR5(aU$g)aIf a connection imply a replica, find the relevant DSA Given a NC replica and NTDS Connection, determine if the connection implies a repsFrom tuple should be present from the source DSA listed in the connection to the naming context. If it should be, return the DSA; otherwise return None. Based on part of MS-ADTS 6.2.2.5 :param n_rep: NC replica :param cn_conn: NTDS Connection :return: source DSA or None N) r(rrr=get_current_replicanc_dnstr is_presentr is_partial)rLr1rrr4r3s r+get_dsa_for_implied_replicaKCC.get_dsa_for_implied_replica0s*!!##w'?'?'A'A((* W% =))%..9       %"2"2"4"4Lr-c  SnUc URnUR5(aSnUR5(a [S5 g[S5 UR 5up4[ 5nUHnU(aX6nUR UR5 URHon[R[R-[R-[R-[R-n URU :wdMiXlMq UR!URUR"S9 MXd;dMUR%U5 M [S['U5['U5['U54-5 U(a[)SU-5 UHnX6 M UR+5GH n U R UR5 U R-UR5 U RGHn[/UR05n UR3U 5n U c"[4R6"S U -5 SUlMOU R:n UR=U 5nUHnUR?5(aM O SUlMU RAU RB5nUb?URE5(a*U R5(dURG5(a SUlMURIXUX5 GM URJR+5HnURMX5n U cMU RH/n[/UR05n XR3U 5LdM-Sn O U cM][OU RB5nU RPUlU RAU RB5nURIXUX5 URS5(dMU RRUU5 M UR"(dU(a}U RW5nU(a[4RX"S U-5 U R[5nU(a[4RX"S U-5 U R!URSS9 GMU R!UR5 GM U(agUR+5GHln U R]UR5 U R^Hn[/UR05n UR3U 5n U c"[4R6"S U -5 SUlMNU R:n S U ;a"[4R6"SU -5 SUlMU R=UR`5n['U5S:aMSUlM UR"(a\U R^H/nUR8(dM[4RX"SU-5 M1 U RcURSS9 GMQU RcUR5 GMo g)a#Adjust repsFrom to match NTDSConnections This function adjusts values of repsFrom abstract attributes of NC replicas on the local DC to match those implied by nTDSConnection objects. Based on [MS-ADTS] 6.2.2.5 :param current_dsa: optional DSA on whose behalf we are acting. :return: None FNTz;skipping translate_ntdsconn() because disabling flag is setztranslate_ntdsconn(): enterr zcurrent %d needed %d delete %dzdeleting these reps: %sz'repsFrom source DSA guid (%s) not foundrr z%repsTo source DSA guid (%s) not foundrz+repsTo source DSA guid (%s) appears deletedrzREMOVING REPS-TO: %s)2rCris_translate_ntdsconn_disabledr rr? load_repsFromrFrr rrr%DRSUAPI_DRS_SPECIAL_SECRET_PROCESSINGDRSUAPI_DRS_NONGC_RO_REPrcommit_repsFromrIrrrr~load_fsmo_rolesr\rr<r!r`rrget_connection_by_from_dnstrrr;r<r=r>r8rr?rr(r0rdumpstr_to_be_deletedrdumpstr_to_be_modified load_repsTo rep_repsTorB commit_repsTo)rL current_dsar current_rep_tableneeded_rep_table delete_repsrfc_repr2rr1guidstrr4rrrr3textt_repsTorts r+translate_ntdsconnKCC.translate_ntdsconnWs  ++K     B  5 5 7 7 5 6 ./.9.H.H.J+e "'E)0##DJJ/"'"4"4J%,%B%B%,%A%A&B%,%@%@&A&-%R%R&S&-%E%E &FM "//=@3@0#5%%djjT]]%C0OOE*!'$ 1S9J5K%&K(85:: ;  +k9 :$%,%&,,.E    +  ! !$** - $00 j<<=//8=NN#L#*$+,/3J,  //)FFwO *G"3355 + 04J,11%..A=(8(8(:(: %*:*:*<*B}}224KK 4t ;<335KK 5 <=%%djjT%:%%djj1W/h  %,,.E   djj ) ",,h::;//8=NN#J#*$+,-1H*  //'NN#P#*$+,-1H*#@@ARARS {#a'.2H*?-B}}**B''' $:R$?@+ ##DJJ4#8##DJJ/k/r-cNUb[R"S5 g[S5 g)aMerge of kCCFailedLinks and kCCFailedLinks from bridgeheads. The KCC on a writable DC attempts to merge the link and connection failure information from bridgehead DCs in its own site to help it identify failed bridgehead DCs. Based on MS-ADTS 6.2.2.3.2 "Merge of kCCFailedLinks and kCCFailedLinks from Bridgeheads" :param ping: An oracle of current bridgehead availability :return: None Nz'merge_failed_links() is NOT IMPLEMENTEDz}skipping merge_failed_links() because it requires real network connections and we weren't asked to --attempt-live-connections)r" DEBUG_REDr )rLrs r+merge_failed_linksKCC.merge_failed_linksVs&$   OOE F J Kr-c tURRS-S:gn[URR5n[ XR UURU5nUR(d URb/nURHhn[R"URS5H@upxURURR URR 45 MB Mj Sn SUR"-n [%XSUR&U [(URURS9 U$)aSet up an intersite graph An intersite graph has a Vertex for each site object, a MultiEdge for each SiteLink object, and a MutliEdgeSet for each siteLinkBridge object (or implied siteLinkBridge). It reflects the intersite topology in a slightly more abstract graph form. Roughly corresponds to MS-ADTS 6.2.2.3.4.3 :param part: a Partition object :returns: an InterSiteGraph object irrr/z site_edges_%sFdirectedlabel propertiesr"rJrK)rE site_optionsr\r7rrr6r8rJrKedgesr combinationsverticesrr site_dnstrrrrBr) rLrbridges_requiredr-g dot_edgesedgerrverify_propertiesr_s r+rKCC.setup_graphos& <<44zAQFT..334 oo~++-= ? ;;$++7I%224==!DDA$$aff&7&79J9J%KLE !# "T\\1D 4U!%!2!2&7u"&++(,(9(9  ; r-cURXUXE5nU(d$[R"SUR-5 g[R"SUR<SUSR <35 US$)aHGet a bridghead DC for a site. Part of MS-ADTS 6.2.2.3.4.4 :param site: site object representing for which a bridgehead DC is desired. :param part: crossRef for NC to replicate. :param transport: interSiteTransport object for replication traffic. :param partial_ok: True if a DC containing a partial replica or a full replica will suffice, False if only a full replica will suffice. :param detect_failed: True to detect failed DCs and route replication traffic around them, False to assume no DC has failed. :return: dsa object for the bridgehead DC or None z"get_bridgehead FAILED: sitedn = %sNzget_bridgehead: sitedn = z bhdn = r)get_all_bridgeheadsr" DEBUG_MAGENTArf DEBUG_GREENr)rLrrrg partial_ok detect_failedbhss r+get_bridgeheadKCC.get_bridgeheadsn&&&t9'1B    E $!0 1 ??CF,<,<> ?1v r-c/nURS:wa[SUR<35e[UR5 URR 5GHnUR 5n[ UR5S:waXR;aM>URRU5(aGURU5upn U (aU (a U(dMURUR5n O"U5 U$)axGet all bridghead DCs on a site satisfying the given criteria Part of MS-ADTS 6.2.2.3.4.4 :param site: site object representing the site for which bridgehead DCs are desired. :param part: partition for NC to replicate. :param transport: interSiteTransport object for replication traffic. :param partial_ok: True if a DC containing a partial replica or a full replica will suffice, False if only a full replica will suffice. :param detect_failed: True to detect failed DCs and route replication traffic around them, FALSE to assume no DC has failed. :return: list of dsa object for available bridgehead DCs rTz5get_all_bridgeheads has run into a non-IP transport! rzbridgehead is failedzfound a bridgehead: %skey) r_rr rr~get_parent_dnstrrbridgehead_listrEr5should_be_presentr;r<r>rCr is_defaultis_minimum_behaviorrDS_DOMAIN_FUNCTION_2008rrrris_random_bridgehead_disabledsortrr,randomshuffler" DEBUG_YELLOW) rLrrrgrqrrrsrpdnstrrr partialreps r+rnKCC.get_all_bridgeheadss& >>T !'nn/0 0 ""#$$++-C))+F Y../14888||%%c**&*&<&>#3#3J {{  ""s3>>;K;K..t/K/KLL((<<,- - = > JJsO_.n  - - / / HH$; 1, and the current time - z.TimeFirstFailure > 2 hours RETURN TRUE ELSE RETURN detectFailedDCs ENDIF } where you will see detectFailedDCs is not behaving as advertised -- it is acting as a default return code in the event that a failure is not detected, not a switch turning detection on or off. Elsewhere the documentation seems to concur with the comment rather than the code. F)rErbr)rLrrrs r+rKCC.is_bridgehead_faileds3P << $ $z 1,,S11r-c $URX1UU S5n [SU 55n [R"S[ U 5<SU V s/sHoR PM sn <35 URXaUU S5nUR 5(aURU5 [R"S[ U5<SUV s/sHoR PM sn <35 UGHnURR5GHnU RUR5nUcM$[R"SUR -5 UR5(dM^UR5(aMuURUR :XdMUR#5(d.UR%U5(dUUlUR)S5 UR+5(asUR-5(a^U[.R0-S :XaFU=R2[.R4[.R6-)-slUR)S5 O\U[.R0-S :waEU=R2[.R4[.R6--slUR)S5 UR95(aMU[.R:-S :Xa5U=R2[.R<)-slUR)S5 OKU[.R:-S :wa4U=R2[.R<-slUR)S5 UR?5(aMU[.R@-S :Xa5U=R2[.RB)-slUR)S5 OKU[.R@-S :wa4U=R2[.RB-slUR)S5 URD(dUR 5(aGURF(a[HRJ"S U-5 URMURNSS 9 GMURMURN5 GM GM S nUHnURR5HnU RUR5nUcM#[R"S UR -5 UR5(aURUR :XdMwUR5(aMURQUU 5(dURQX5(dUS - nURRRUU5 M M [RV"SU-5 [YSURR<35 US :XGa[.RZnU[.R0-S :wa$U[.R4[.R6--nU[.R:-S :waU[.R<-nU[.R@-S :waU[.RB-n[]SUR^R -5 [.R`[.Rb-nUReUUUUR U5nURD(dUR 5(aEURf(a[HRJ"SU-5 URMURNSS 9 OURMURN5 URRRUU5 ggs sn fs sn f)aCreate an nTDSConnection object as specified if it doesn't exist. Part of MS-ADTS 6.2.2.3.4.5 :param part: crossRef object for the NC to replicate. :param rbh: nTDSDSA object for DC to act as the IDL_DRSGetNCChanges server (which is in a site other than the local DC's site). :param rsite: site of the rbh :param transport: interSiteTransport object for the transport to use for replication traffic. :param lbh: nTDSDSA object for DC to act as the IDL_DRSGetNCChanges client (which is in the local DC's site). :param lsite: site of the lbh :param link_opt: Replication parameters (aggregated siteLink options, etc.) :param link_sched: Schedule specifying the times at which to begin replicating. :partial_ok: True if bridgehead DCs containing partial replicas of the NC are acceptable. :param detect_failed: True to detect failed DCs and route replication traffic around them, FALSE to assume no DC has failed. Fc3<# UHoRU4v M g7frsrrus r+rx(KCC.create_connection..^s<8a++q)8sz rbhs_all:  z lbhs_all: Nz rdsa is %sTrr r zround 2: rdsa is %sr&zvalid connections %dzkept_connections: znew connection, KCC dsa: %sr )4rndictr" DEBUG_GREYrrrrrr~r;rrrrr-ris_user_owned_scheduleis_equivalent_scheduler set_modifiedis_override_notify_default is_use_notifyrNTDSSITELINK_OPT_USE_NOTIFYr r!r"is_twoway_syncNTDSSITELINK_OPT_TWOWAY_SYNCr&!is_intersite_compression_disabled$NTDSSITELINK_OPT_DISABLE_COMPRESSIONr$rIrr!rrrFrrArrZrNTDSCONN_OPT_IS_GENERATEDr rCSYSTEM_FLAG_CONFIG_ALLOW_RENAMESYSTEM_FLAG_CONFIG_ALLOW_MOVEnew_connectionr )rLrrbhrsiterglbhlsitelink_opt link_schedrqrrrbhs_all rbh_tablerwlbhs_allldsarrdsavalid_connectionsopt system_flagss r+create_connectionKCC.create_connectionAs 6++E,6?<8<<  c(mDL.MHq{{H.MO P++E,6? 99;; OOC  c(mDL.MHq{{H.MO PD((//1 }}R]]3<'' t~~(EF__&&,,..&&)..8  668866zBB&0 -4466''))%t'G'GGAMJJ"&"K"K"&">">#?!@@JOOD1%t'G'GGAMJJ!%!J!J!%!=!=">?JOOD1((** %t'H'HHQNJJ4+H+H*HHJOOD1%t'H'HHQNJJ$*G*GGJOOD1;;==&!FFGKLMJJ!%!P!P PQJOOD1&!FFGKLMJJ $ O OPJOOD1}} ,,"KK(=(BC// t/D// ;]2dD((//1 }}R]]3<''(=(NO //++''9>>9,,.."66t]KK!66tKK)Q.)))--b192@ .1BBC )>)>@A  !00C 4;;;AAA4456 4<<<Bt444 ::;?@AtFFF 2T[[5J5JJ K @@ >>?L##Cy$'MM:?B}} >>KK 2R 78&&tzzd&;&&tzz2  ! ! % %b )[ "[/N/Ns ^^ c^/Ul/UlSnXR;a[URR 5nUR URURURUR5U5nUc>URR5(aURRU5 O9SnO6URRU5 URRU5 URRS5 URRS5 U$)a&Build a Vertex's transport lists Each vertex has accept_red_red and accept_black lists that list what transports they accept under various conditions. The only transport that is ever accepted is IP, and a dummy extra transport called "EDGE_TYPE_ALL". Part of MS-ADTS 6.2.2.3.4.3 -- ColorVertices :param vertex: the remote vertex we are thinking about :param local_vertex: the vertex relating to the local site. :param graph: the intersite graph :param detect_failed: whether to detect failed links :return: True if some bridgeheads were not found FT EDGE_TYPE_ALL) accept_red_red accept_blackconnected_verticesr\r7rrtrris_black is_rodc_siter)rLvertex local_vertexgraphrr found_failedt_guidbhs r+add_transportsKCC.add_transports=s2!#  -- -**//0F$$V[[&++%)%6%6%+__%6 GBz;;++--))008#'L%%,,V4##**62 $$_5""?3r-c SnSn[SUR<SU<35 [URU5nUR 5 UR H.nUR 5 UR XvX5(dM,SnM0 UR5(aXE4$[UURURS9up[SURU 4-5 U S:aSnUR5n URn [SU-5 UGHn U R(a(U R S RURLaM=U R S RURLaU R SRn OU R S Rn XRLa [S 5 MURXU X5nUcMUR R#5(aURnUR nOURnURXU X5nUc[$R&"S 5 g [SU<SU <35 [SU R <35 [$R("SU<SU<SS<35 U R*nUcS nS nOUR,nUR.nUR1X.XUUUUX5 GM XE4$)aCreate intersite NTDSConnections as needed by a partition Construct an NC replica graph for the NC identified by the given crossRef, then create any additional nTDSConnection objects required. :param graph: site graph. :param part: crossRef object for NC. :param detect_failed: True to detect failed DCs and route replication traffic around them, False to assume no DC has failed. Modifies self.kept_connections by adding any connections deemed to be "in use". :return: (all_connected, found_failed_dc) (all_connected) True if the resulting NC replica graph connects all sites that need to be connected. (found_failed_dc) True if one or more failed DCs were detected. TFz$create_connections(): enter partdn=z detect_failed=)r`z%s Number of components: %dr&z edge_list %srzrsite is my_siteNzDISASTER! lbh is None)FTzlsite: z rsite: z vertices z bridgeheads  zF----------------------------------------------------------------------)r r<rrE color_vertexreris_whiterrrr7rr_rrtrCrr"rZ DEBUG_BLUE site_linkr rr)rLrrrrrr my_vertexv edge_list n_componentsrqrgrrrrrrmrrs r+create_connectionsKCC.create_connectionsos,  --0 14<<.  A NN ""1FF#        . ."9%:>,,@D #N  .--./ 0 ! !M'') %%  ny()Azzajjm00DLL@zz!}!!T\\1 1 ** 1 ** $()%%e9&0AC{{{  "" kk ))%y*4E{ 78" ue< = ajj2 3   #sHM N{{H! #++%..  " "4e#&x#- >ip**r-cSn[5UlURR5HnUR 5(dMUR 5(aM1UR U5nSnURUUS5upT[SU<SU<35 U(aMuSnU(dMURX2S5 M U$)aCreate NTDSConnections as necessary for all partitions. Computes an NC replica graph for each NC replica that "should be present" on the local DC or "is present" on any DC in the same site as the local DC. For each edge directed to an NC replica on such a DC from an NC replica on a DC in another site, the KCC creates an nTDSConnection object to imply that edge if one does not already exist. Modifies self.kept_connections - A set of nTDSConnection objects for edges that are directed to the local DC's site in one or more NC replica graphs. :return: True if spanning trees were created for all NC replica graphs, otherwise False. TFzwith detect_failed: connected z Found failed ) r?rAr5r~r( is_foreignrrr)rLrrrr connecteds r+create_intersite_connections KCC.create_intersite_connectionss" #OO**,D??$$  $$T*E!L&*&=&=e>BD'J #I l, -9 % <++E?3-6r-cURnURnSn[S5 UR(aUR UR USS9 OUR UR USS9 UR 5(a[SU-5 U$UR5(d[SU-5 U$URU5 UR5n[SU-5 U$)aGenerate the inter-site KCC replica graph and nTDSConnections As per MS-ADTS 6.2.2.3. If self.readonly is False, the connections are added to self.samdb. Produces self.kept_connections which is a set of NTDS Connections that should be kept during subsequent pruning process. After this has run, all sites should be connected in a minimum spanning tree. :param ping: An oracle function of remote site availability :return (True or False): (True) if the produced NC replica graph connects all sites that need to be connected Tzintersite(): enterr Fz+intersite(): exit disabled all_connected=%dz+intersite(): exit not istg all_connected=%dz"intersite(): exit all_connected=%d) rCrEr rI select_istgrFis_intersite_topology_disabledrr[r)rLrrmysiters r+ intersite KCC.intersite%s(  %& ==   tzz5T  :   tzz5U  ;  0 0 2 2 B"# $ }} B"# $  %99; 5 EFr-cURR5(dgURRR5nUVs/sHo3R 5(dMUPM nnUVs/sH nX4;dM UPM nnU(adU(a\UH1nUSnUR UlUR UlSUlM3 URRURUS9 gggs snfs snf)z_Updates the RODC NTFRS connection object. If the local DSA is not an RODC, this does nothing. NrTr ) rCrrr~rrrrrrF)rLr all_connectionsrwro_connectionsrw_connectionsconrs r+update_rodc_connectionKCC.update_rodc_connection`s {{  "" ++33::<%4M_8J8J8L!_M%46_4_6 n%$Q'!$"|| %)" & KK * *4::" * =->N6s C2%C21 C7>C7c\SnUSX"--SU--S-::aOUS-nMUS-nUS:aU$g)aFind the maximum number of edges directed to an intrasite node The KCC does not create more than 50 edges directed to a single DC. To optimize replication, we compute that each node should have n+2 total edges directed to it such that (n) is the smallest non-negative integer satisfying (node_count <= 2*(n*n) + 6*n + 7) (If the number of edges is m (i.e. n + 2), that is the same as 2 * m*m - 2 * m + 3). We think in terms of n because that is the number of extra connections over the double directed ring that exists by default. edges n nodecount 2 0 7 3 1 15 4 2 27 5 3 43 ... 50 48 4903 :param node_count: total number of nodes in the replica graph The intention is that there should be no more than 3 hops between any two DSAs at a site. With up to 7 nodes the 2 edges of the ring are enough; any configuration of extra edges with 8 nodes will be enough. It is less clear that the 3 hop guarantee holds at e.g. 15 nodes in degenerate cases, but those are quite unlikely given the extra edges are randomly arranged. :param node_count: the number of nodes in the site "return: The desired maximum number of connections rrr&2r/)rL node_countns r+intrasite_max_node_edgesKCC.intrasite_max_node_edgessTF a15kQU3a78AA E r6Hr-c n^URU5upgn[R"SSU--SU--SU--SU--SU--SU--5 U(d$[R"SUR-5 g [ X#R5n U R TR5 XlXyl URU 5 /n TRRR5GH#n URU R;aM U RURn U R5(aMPU R!5(dMgU R5(dXLaMU(aU R#5(dMU(aKU(dDUR$[&R(:Xa&U R+[,R.5(dMU(aTR1U 5(aGMU R3U 5 GM& U(aTRRR5Hn URU R;aMU RURn U R55(dMOU R!5(dMfU R5(dXLaMU(aU R#5(dMU(aTR1U 5(aMU R3U 5 M U R3U 5 U R7S S 9 [9U 5nTR;U5n/nU H*n[=UR>U5nUR3U5 M, S nUUS - :aU UR55(aU US -R55(a$UUS -RAU UR>5 U US -R55(aU UR55(a$UURAU US -R>5 US -nUUS - :aMXS - R55(aU S R55(a#US RAXS - R>5 U S R55(aXS - R55(a$UUS - RAU S R>5 [CS[9U 5-5 [CSRESU 555 TRFS L=(a TRnTRH(dU(Gae/n[K5nUH_nURMURN5 URPH1nUR3UURN45 URMU5 M3 Ma Sn[SSUUURT<S[VUR$<SUR<3U[BTRHTRFSS9 [KU4SjU55nUVVs/sHunnUU;dMUU;dMUU4PM nnnSn[SSUUURT<S[VUR$<SUR<3U[BTRHTRFSS9 UHnTRRURNn U RXR5H<n!U!RZn"U"TRR;dM+URAU"5 M> M [CSSRESU 55-5 [CSSRESU55-5 UGHn#US:GajU#R]5(GdTUV$s/sH(n$U$U#LdM U$RNU#RP;dM&U$PM* n%n$[R^"SU#RNU[9U5[9U%54-5 [CS U%V$s/sHn$U$RNPM sn$-5 U%(aU#R]5(d[`Rb"U%5n&[CS!U&RN-5 U#RAU&RN5(d#[R"S"U&RN-5 U%ReU&5 U%(aU#R]5(dMOB[gS#U#RN<S$U<S%[9U#RP5<S&U#Rh<35 [gS'U#-5 U#RNURN:XdGMU#RkUTRl5 GM TRH(dU(Gaf/n[K5nUH_nURMURN5 URPH1nUR3UURN45 URMU5 M3 Ma Sn[SS(UUURT<S[VUR$<SUR<3U[BTRHTRFSS9 [KU4S)jU55nUVVs/sHunnUU;dMUU;dMUU4PM nnnSn[SS*UUURT<S[VUR$<SUR<3U[BTRHTRFSS9 g g s snnfs sn$fs sn$fs snnf)+aCreate an intrasite graph using given parameters This might be called a number of times per site with different parameters. Based on [MS-ADTS] 6.2.2.2 :param site_local: site for which we are working :param dc_local: local DC that potentially needs a replica :param nc_x: naming context (x) that we are testing if it "should be present" on the local DC :param gc_only: Boolean - only consider global catalog servers :param detect_stale: Boolean - check whether links seems down :return: None z"construct_intrasite_graph(): enterz gc_only=%dz detect_stale=%dz needed=%sz ro=%sz partial=%sz %szH%s lacks 'should be present' status, aborting construct_intrasite_graph!Nc,[UR5$rs)r rep_dsa_guid)rs r+/KCC.construct_intrasite_graph..sHS-=-=$>r-rwrr&zr_list is length %src3d# UH&n[URUR45v M( g7frs)r\r rep_dsa_dnstrrus r+rx0KCC.construct_intrasite_graph..s,)!'AQ^^Q__=>>!'s.0rintrasite_pre_ntdscon__T)r`rar"rJrKr_c3t># UH-nTRU5R5(aM)Uv M/ g7frsr=rrvrwrLs r+rxr-"B\)-a)>)>)@#$!\(8 8)rdirected_double_ring_or_smallintrasite_rw_pre_ntdsconz reps are: %sz c38# UHoRv M g7frs)rrus r+rxrs*KFq??Fz dsas are: %sc38# UHoRv M g7frsrrus r+rxrs*K 1;; rzDlooking for random link for %s. r_len %d, graph len %d candidates %dz candidates %sztrying to add candidate %szcould not add %sznot adding links to z: nodes z , links is /z%sintrasite_post_ntdsconc3t># UH-nTRU5R5(aM)Uv M/ g7frsrrs r+rxr' rrintrasite_rw_post_ntdscon)7r{r"rrZr<ridentify_by_basednrF rep_partialrep_roadd_needed_replicarEr}r~rOrr=r'nc_typerdomainr}rr~rrr>rrrrr add_edge_fromrjoinrKrJr?rr edge_fromrrfrrrhas_sufficient_edgesrrchoiceremover max_edgesadd_connections_from_edgesr7)'rL site_localdc_localnc_xgc_only detect_stalerr rl_of_xr_listdc_sf_of_xp_of_xr_lenmax_node_edges graph_listrnodei do_dot_filesri dot_verticesv1v2rkrw_dot_verticesrr rw_dot_edgesrw_verify_propertiesrrrremotetnoderw candidatesothers'` r+construct_intrasite_graphKCC.construct_intrasite_graphs F#44X>G ?+g560<?@+V34'+ , ,g5 6 "D= ) * OOB MM* + 8]]3!!$**-$  ##F+0 LL**113D}}D$:$::++DMM:F||~~ $$&& zz||t/ tzz||('dllfmm&C//0L0LMM  = =d C C MM& !}4X  ..557 ==(>(>>// >((** ((** ::<<4#3 4::<<  D$A$A$$G$G f%U8\  f > ?F 66u= CS..?D   d # 519o!9''))VAqD\-D-D-F-F1q5!//q 0G0GH!a%=++--1E1E1G1G1 ++F1q5M,G,GHAA519oai ++--1E1E1G1G qM ' 'qy(9(G(G Hay##%%q)9)D)D)F)F uqy ! / /q 0G0G H #c&k12 dii)!')) *((4C ;;,I5L   .,,B$$b",,%78 $$R('! !/  2I|1;1F1F1;DLL1I15"@'8u"&++(,(9(9$( *""B\"BBO/8Kytq!0#56/5I#QFyLK$E 5|*1;1F1F1;DLL1I15"@';%"&++(,(9(9$( *!F,,(()9)9:C,,335 ++T\\333((06! o *KF*K KKL o *K *K KKLEz%"<"<">">)3DA ~  {{%//A  D  ">$)OOUC O$' O$5"56 oj(Ijj(IIJ )C)C)E)E"MM*5E6HI ..u??(:U__(LM%%e, !)C)C)E)E//5#eoo2F//+, TE\ " ("4"44004;L;LMY \ ;;,I5L   .,,B$$b",,%78 $$R('! !/  3Y 1;1F1F1;DLL1I15"@'8u"&++(,(9(9$( *""B\"BBO/8Kytq!0#56/5I#QFyLK$E 6 *1;1F1F1;DLL1I15"@';%"&++(,(9(9$( *3'UKVD)JVKs< l! l!(l! l'l',l'7l, l11l19l1cURn[S5 URnUR5(agUR 5(+nUR R 5H/nUR(dM[R"SU-5 M1 URR5HfupVURX!USU5 UR R 5H/nUR(dM[R"SU-5 M1 Mh UR R 5H/nUR(dM[R"SU-5 M1 URR5H0upVUR5(dMURX!USU5 M2 UR R 5H/nUR(dM[R"SU-5 M1 URR5HupVURX!USS5 M UR R 5H/nUR(dM[R "SU-5 M1 URR5H0upVUR5(dMURX!USS5 M2 UR#U5 g)aqGenerate the intrasite KCC connections As per MS-ADTS 6.2.2.2. If self.readonly is False, the connections are added to self.samdb. After this call, all DCs in each site with more than 3 DCs should be connected in a bidirectional ring. If a site has 2 DCs, they will bidirectionally connected. Sites with many DCs may have arbitrary extra connections. :return: None zintrasite(): enterNr FT)rCr rEis_intrasite_topology_disabledis_detect_stale_disabledrr~r r" DEBUG_CYANr5itemsr'rr is_configrZr)rLrrrrpartdnrs r+ intrasite KCC.intrasite7 sW %&  0 0 2 2 ";;== **113G"""  !3g!=>4 !OO113LF  * *6$+7 9 ..557&&&$$%7'%AB84**113G"""""#5#?@4 !OO113LF~~..vdD/;=4**113G"""  !3g!=>4 !OO113LF  * *6$+0 24**113G""" 2W <=4!OO113LF~~..vdD/464 U#r-c UR5 UR5 UR5 UR5 UR 5 UR 5 /nUR R5HXnURURR5Vs/sH nURRSSS5PM" sn5 MZ U$s snf)zCompile a comprehensive list of DSA DNs These are all the DSAs on all the sites that KCC would be dealing with. This method is not idempotent and may not work correctly in sequence with KCC.run(). :return: a list of DSA DN strings. zCN=NTDS Settings,rr&) rrrrrhrnr6r~extendr}rreplace)rLdsasrrs r+ list_dsas KCC.list_dsas s      "   !OO**,D KK$(NN$9$9$;=$;S../BBJ$;= >- =s''C cU(d URc[U[5X2S9Ulgg![Ra&nUR upg[ SU<SU<35eSnAff=f)aLoad the database using an url, loadparm, and credentials If force is False, the samdb won't be reloaded if it already exists. :param dburl: a database url. :param lp: a loadparm object. :param creds: a Credentials object. :param force: a boolean indicating whether to overwrite. N)url session_info credentialslpzUnable to open sam database z : )rFr r rrZr[r)rLdburlr<credsforcee1numres r+ load_samdbKCC.load_samdb si DJJ& -"u0>0@/4= ' << -WW  %s ,-- -s0A*!A%%A*cU=(a URnU(dURcg/n/n/n/nURR5HnUR UR 5 UR 5(aUR S5 OUR S5 URR5Hbn U R5(aUR S5 OUR S5 UR U RUR 45 Md M [XUURU[X0RSUUS9 g)zHelper function to plot and verify NTDSConnections :param basename: an identifying string to use in filenames and logs. :param verify_properties: properties to verify (default empty) Nz#cc0000z#0000ccredblueT) rer`rar"rJrKr_ edge_colors vertex_colors) rJrKr9r~rrrrrrrrBr) rLbasenamerkrJrir edge_coloursvertex_coloursrrs r+plot_all_connectionsKCC.plot_all_connections s #2t{{$++3    $$++-C    .yy{{%%i0%%i0((//1'')) ''. ''/  #..#--!@A 2 . x\!.."35$3D3D $,%3  5r-c ^^"TRc [SU<35 TRXUSS9 U(aTRRSU-5 TR 5 TR 5 TR 5 TR5 TR5 TR5 TR(dTRGb0nTRR5H3m"URST"RR!555 M5 TR#S5 /n TR$R'5upU R!5H:up[)SU -5 U R+TR$R,U 45 M< [/S U S TR0S [(TRTRS 9 /n TRR5Hm"T"RR5HnUR'5upU R!5H^unnUR2HHn[)S U-5 [5UR65nUUnU R+UR,U45 MJ M` M M [/SU S TR0S [(TRTRS 9 /n /nTR8R5HnSSKJn UR>RAS5nSU"U5RC5SS-n[DRF"URHS5H0unnU R+USUS45 UR+U5 M2 M Sn[/SU STR0U[(TRTRUS9 U(anTRJRR5H5n[MU4SjURNR!555Ul'M7 TR#S5 U(aTRR5HWm"T"RR5H6n[MUU"4SjURNR!555Ul'M8 MY TR#S5 U(aSnOSnTRQU5 TRS5 TRUU5nTRWU5 TRY5 TR[5 TR]5 TR(dTRGbTR#SS5 [^R`"S[cW5-5 /n /nTR$R,nTR$R'5upU R!5Hnun n U R2HXn[5UR65n!U R+UUU!45 UR+S[5U Rd5SS-5 MZ Mp [/S U S TR0S [(TRTRUS9 /n TRR5Hm"T"RR5HvnUR'5upU R5HMn U R2H:n[5UR65nUUnU R+UR,U45 M< MO Mx M [/S!U S TR0S [(TRTRS 9 g! e=f)"aZPerform a KCC run, possibly updating repsFrom topology :param dburl: url of the database to work with. :param lp: a loadparm object. :param creds: a Credentials object. :param forced_local_dsa: pretend to be on the DSA with this dn_str :param forget_local_links: calculate as if no connections existed (boolean, default False) :param forget_intersite_links: calculate with only intrasite connection (boolean, default False) :param attempt_live_connections: attempt to connect to remote DSAs to determine link availability (boolean, default False) :return: 1 on error, 0 otherwise Nz"samdb is None; let's load it from F)r?zCN=NTDS Settings,%sc3T# UHup[UR5U4v M g7frsrt)rvrfrs r+rxKCC.run.. s+)D,B.8U+.cll*;U)C,Bs&( dsa_initialzc_rep %sdsa_repsFrom_initialTr/r^zrep %sdsa_repsFrom_initial_allr)md5r#rrr&rdsa_sitelink_initial)r_r`rar"rJrKrGc3># UHEupUR5(d&URTRR;dM@X4v MG g7frs)rrrEr})rvkrrLs r+rxrP2 sK-G-F9=010B0B0D0D./ll.2ll.D.D/E.4aV-Fs ?A Adsa_forgotten_localc3~># UH2upTTRLdMUR5(dM-X4v M4 g7frs)rEr)rvrXrrLrs r+rxrP< sB1G1J=AA48DLL4H28231C1C1E28!1Js == =dsa_forgotten_allc[R"XRUR5 g![Ra gf=f)NFT)rdrsuapi_connectr<r> drsException)rLdnsnames r+rKCC.run..pingF s>%!11'77DJJO %11%$%s+.AA dsa_finalzthere are %d dsa guidsdsa_repsFrom_finaldsa_repsFrom_final_all)3rFr rBset_ntds_settings_dnrrrrrhrnrJrKr6r~r|r}r-rLrCrrrrrrBrr\rr8hashlibrTrfencode hexdigestrrd site_listrErrrr0rrrWrrr"rornc_guid)#rLr=r<r>forced_local_dsaforget_local_linksforget_intersite_linksattempt_live_connections guid_to_dnstrri current_reps needed_repsrfrRrrrrr(dsa_dn dot_colourslinkrTtmp_strcolourrrrarrrGmy_dnstrr1guid_strrs#` @r+runKCC.run sn" ::  uF G OOEuEO :  JJ + +,A,<-= >]             !  $ $ &  " " $  # # %{{d//; "  OO224D!(()D,0NN,@,@,B)DD5 ))-8 ,0KK,F,F,H) $0$6$6$8LE*u,-$$dkk&;&;U%CD%95y(,D4E4E*,E$++,0,=,=?   OO224D#~~446474F4F4H1 +7+=+=+?KFC-0-=-= %hn 5+.y/L/L+M)6x)@ ) 0 0#--1H I .>,@ 7599(,D4E4E*,E$++,0,=,=?    //668D+"jj//7G 3w<#9#9#;BQ#??F ) 6 6t~~q I1!((!A$!6#**62!J 9, 5y(-%)%6%6:%*4;;,0,=,=+6 8"<<1188:C(,-G-0->->-D-D-F-G)GC%; ))*?@% OO224D#~~446,01G141B1B1H1H1J1G-G) 75))*=>'   1 1$ 7 NN !NN40M  ) )- 8  # # %  9 9 ;  ' ' ){{d//;))+*8:##$<$' $6%78  ;;00,0KK,F,F,H) $/$5$5$7LE5%*%7%7 #&y'D'D#E!(((M(4K)LM#**3U]]1CBQ1G+GH&8%8 3Y%)%6%6*,E$++,0,=,=+6 8   OO224D#~~446474F4F4H1 %0%7%7%9E-2-?-? +.y/L/L+M)6x)@ ) 0 0#--1H I.@&: 757(,D4E4E*,E$++,0,=,=?  s \]'']*c[R"XUU5Ulg![Ra n[R "U5 SnAgSnAff=f)aImport relevant objects and attributes from an LDIF file. The point of this function is to allow a programmer/debugger to import an LDIF file with non-security relevant information that was previously extracted from a DC database. The LDIF file is used to create a temporary abbreviated database. The KCC algorithm can then run against this abbreviated database for debug or test verification that the topology generated is computationally the same between different OSes and algorithms. :param dburl: path to the temporary abbreviated db to create :param lp: a loadparm object. :param ldif_file: path to the ldif file to import :param forced_local_dsa: perform KCC from this DSA's point of view :return: zero on success, 1 on error Nr&r)r ldif_to_samdbrF LdifErrorr!critical)rLr=r< ldif_filerjrs r+ import_ldifKCC.import_ldif sM" +99%Y:JLDJ "++  OOA  s AAAc[R"URXUU5 g![Ra n[R "U5 SnAgSnAff=f)aSave KCC relevant details to an ldif file The point of this function is to allow a programmer/debugger to extract an LDIF file with non-security relevant information from a DC database. The LDIF file can then be used to "import" via the import_ldif() function this file into a temporary abbreviated database. The KCC algorithm can then run against this abbreviated database for debug or test verification that the topology generated is computationally the same between different OSes and algorithms. :param dburl: LDAP database URL to extract info from :param lp: a loadparm object. :param cred: a Credentials object. :param ldif_file: output LDIF file name to create :return: zero on success, 1 on error Nr&r)rsamdb_to_ldif_filerFr|r!r})rLr=r<r>r~rs r+ export_ldifKCC.export_ldif sN"   1 1$**e2; = "++  OOA  s#&AAA)r"rKr9r:r=r<r7r@r>rArCrBrErDrHr5rIrFr6r8rGrJ)FFFNrs)T)F)r/)NFFF).__name__ __module__ __qualname____firstlineno____doc__rMrhrnrzrrrrrrrrrrrrrr8r?rWr[rrtrnrrrrrrrrr'r0r6rBrLrxrr__static_attributes__r/r-r+r2r2Ns FK"()T!GF2<%. :$&8Ft,<2KhB 8$ -2-h74r/"&$M;^%Nz0~K2&PH+ZD*L N$`0-,!5F6:=B%*xt2r-r2)4rr functoolsrrsambarrrrr samba.authr samba.samdbr samba.dcerpcr r samba.kcc.kcc_utilsr rrrrrrrrrrsamba.kcc.graphr samba.ndrrsamba.kcc.graph_utilsr samba.kccrrrrsamba.kcc.debugrr r!r" samba.commonr#r,r0objectr2r/r-r+rsn, *&&%&DDHHEE90(@"33A"t)&t)r-