2010-11-28 14:09:30 +01:00
# backend code for upgrading from Samba3
# Copyright Jelmer Vernooij 2005-2007
2011-11-01 12:59:02 +11:00
# Copyright Andrew Bartlett 2011
2007-12-10 09:29:00 +01:00
#
2010-11-28 14:09:30 +01:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
2007-12-10 09:29:00 +01:00
#
""" Support code for upgrading from Samba 3 to Samba 4. """
2008-05-22 17:42:18 +02:00
__docformat__ = " restructuredText "
2007-12-27 03:09:49 -06:00
import ldb
2008-02-09 17:37:42 +01:00
import time
2007-12-10 09:29:00 +01:00
import pwd
2010-01-25 15:17:56 +01:00
from samba import Ldb , registry
2009-07-19 18:51:15 +02:00
from samba . param import LoadParm
2013-09-09 11:54:23 +12:00
from samba . provision import provision , ProvisioningError , setsysvolacl
from samba . provision . common import FILL_FULL
2011-08-12 11:37:57 +10:00
from samba . samba3 import passdb
from samba . samba3 import param as s3param
2011-09-05 11:10:36 +10:00
from samba . dcerpc import lsa , samr , security
2011-08-18 15:21:32 +10:00
from samba . dcerpc . security import dom_sid
2012-07-21 13:33:33 +02:00
from samba . credentials import Credentials
2011-08-18 15:21:32 +10:00
from samba import dsdb
from samba . ndr import ndr_pack
2011-09-07 12:21:00 +10:00
from samba import unix2nttime
2012-12-22 09:28:05 +11:00
from samba import generate_random_password
2007-12-10 09:29:00 +01:00
2011-09-13 01:27:50 +02:00
2011-08-25 17:20:05 +10:00
def import_sam_policy ( samdb , policy , logger ) :
""" Import a Samba 3 policy.
2010-11-28 14:09:30 +01:00
2011-08-25 17:20:05 +10:00
: param samdb : Samba4 SAM database
: param policy : Samba3 account policy
: param logger : Logger object
"""
2007-12-10 09:29:00 +01:00
2011-08-25 17:20:05 +10:00
# Following entries are used -
# min password length, password history, minimum password age,
# maximum password age, lockout duration
#
# Following entries are not used -
# reset count minutes, user must logon to change password,
# bad lockout minutes, disconnect time
2007-12-10 09:29:00 +01:00
2011-08-25 17:20:05 +10:00
m = ldb . Message ( )
m . dn = samdb . get_default_basedn ( )
2012-08-13 01:08:36 +00:00
if ' min password length ' in policy :
m [ ' a01 ' ] = ldb . MessageElement ( str ( policy [ ' min password length ' ] ) ,
2018-07-30 18:16:12 +12:00
ldb . FLAG_MOD_REPLACE , ' minPwdLength ' )
2012-08-13 01:08:36 +00:00
if ' password history ' in policy :
m [ ' a02 ' ] = ldb . MessageElement ( str ( policy [ ' password history ' ] ) ,
2018-07-30 18:16:12 +12:00
ldb . FLAG_MOD_REPLACE , ' pwdHistoryLength ' )
2012-08-13 01:08:36 +00:00
if ' minimum password age ' in policy :
min_pw_age_unix = policy [ ' minimum password age ' ]
min_pw_age_nt = int ( - min_pw_age_unix * ( 1e7 ) )
m [ ' a03 ' ] = ldb . MessageElement ( str ( min_pw_age_nt ) , ldb . FLAG_MOD_REPLACE ,
2018-07-30 18:16:12 +12:00
' minPwdAge ' )
2012-08-13 01:08:36 +00:00
if ' maximum password age ' in policy :
max_pw_age_unix = policy [ ' maximum password age ' ]
2021-02-05 12:47:01 +01:00
if max_pw_age_unix == - 1 or max_pw_age_unix == 0 or max_pw_age_unix == 0xFFFFFFFF :
2012-08-13 01:08:36 +00:00
max_pw_age_nt = - 0x8000000000000000
else :
max_pw_age_nt = int ( - max_pw_age_unix * ( 1e7 ) )
m [ ' a04 ' ] = ldb . MessageElement ( str ( max_pw_age_nt ) , ldb . FLAG_MOD_REPLACE ,
' maxPwdAge ' )
if ' lockout duration ' in policy :
lockout_duration_mins = policy [ ' lockout duration ' ]
lockout_duration_nt = unix2nttime ( lockout_duration_mins * 60 )
m [ ' a05 ' ] = ldb . MessageElement ( str ( lockout_duration_nt ) ,
2018-07-30 18:16:12 +12:00
ldb . FLAG_MOD_REPLACE , ' lockoutDuration ' )
2010-11-28 14:09:30 +01:00
2011-08-25 17:20:05 +10:00
try :
samdb . modify ( m )
2018-02-14 10:18:36 +13:00
except ldb . LdbError as e :
2011-08-25 17:20:05 +10:00
logger . warn ( " Could not set account policy, ( %s ) " , str ( e ) )
2007-12-27 03:09:49 -06:00
2012-09-16 14:18:51 +02:00
def add_posix_attrs ( logger , samdb , sid , name , nisdomain , xid_type , home = None ,
2018-07-30 18:16:12 +12:00
shell = None , pgid = None ) :
2012-07-21 13:33:33 +02:00
""" Add posix attributes for the user/group
: param samdb : Samba4 sam . ldb database
: param sid : user / group sid
: param sid : user / group name
: param nisdomain : name of the ( fake ) NIS domain
: param xid_type : type of id ( ID_TYPE_UID / ID_TYPE_GID )
: param home : user homedir ( Unix homepath )
: param shell : user shell
: param pgid : users primary group id
"""
try :
m = ldb . Message ( )
m . dn = ldb . Dn ( samdb , " <SID= %s > " % str ( sid ) )
if xid_type == " ID_TYPE_UID " :
m [ ' unixHomeDirectory ' ] = ldb . MessageElement (
str ( home ) , ldb . FLAG_MOD_REPLACE , ' unixHomeDirectory ' )
m [ ' loginShell ' ] = ldb . MessageElement (
str ( shell ) , ldb . FLAG_MOD_REPLACE , ' loginShell ' )
m [ ' gidNumber ' ] = ldb . MessageElement (
str ( pgid ) , ldb . FLAG_MOD_REPLACE , ' gidNumber ' )
m [ ' msSFU30NisDomain ' ] = ldb . MessageElement (
str ( nisdomain ) , ldb . FLAG_MOD_REPLACE , ' msSFU30NisDomain ' )
samdb . modify ( m )
2018-02-14 10:18:36 +13:00
except ldb . LdbError as e :
2012-07-21 13:33:33 +02:00
logger . warn (
' Could not add posix attrs for AD entry for sid= %s , ( %s ) ' ,
str ( sid ) , str ( e ) )
2009-11-28 16:59:18 +01:00
2018-07-30 18:20:39 +12:00
2012-06-10 20:42:25 +10:00
def add_ad_posix_idmap_entry ( samdb , sid , xid , xid_type , logger ) :
""" Create idmap entry
: param samdb : Samba4 sam . ldb database
: param sid : user / group sid
: param xid : user / group id
: param xid_type : type of id ( ID_TYPE_UID / ID_TYPE_GID )
: param logger : Logger object
"""
try :
m = ldb . Message ( )
m . dn = ldb . Dn ( samdb , " <SID= %s > " % str ( sid ) )
if xid_type == " ID_TYPE_UID " :
m [ ' uidNumber ' ] = ldb . MessageElement (
str ( xid ) , ldb . FLAG_MOD_REPLACE , ' uidNumber ' )
m [ ' objectClass ' ] = ldb . MessageElement (
" posixAccount " , ldb . FLAG_MOD_ADD , ' objectClass ' )
elif xid_type == " ID_TYPE_GID " :
m [ ' gidNumber ' ] = ldb . MessageElement (
str ( xid ) , ldb . FLAG_MOD_REPLACE , ' gidNumber ' )
m [ ' objectClass ' ] = ldb . MessageElement (
" posixGroup " , ldb . FLAG_MOD_ADD , ' objectClass ' )
samdb . modify ( m )
2018-02-14 10:18:36 +13:00
except ldb . LdbError as e :
2012-06-10 20:42:25 +10:00
logger . warn (
' Could not modify AD idmap entry for sid= %s , id= %s , type= %s ( %s ) ' ,
str ( sid ) , str ( xid ) , xid_type , str ( e ) )
2012-09-16 14:18:51 +02:00
2011-08-18 15:21:32 +10:00
def add_idmap_entry ( idmapdb , sid , xid , xid_type , logger ) :
2011-08-22 09:42:13 +10:00
""" Create idmap entry
: param idmapdb : Samba4 IDMAP database
: param sid : user / group sid
: param xid : user / group id
2011-11-17 16:08:16 +11:00
: param xid_type : type of id ( ID_TYPE_UID / ID_TYPE_GID )
2011-08-22 09:42:13 +10:00
: param logger : Logger object
"""
2011-08-18 15:21:32 +10:00
# First try to see if we already have this entry
found = False
2011-08-22 09:43:20 +10:00
msg = idmapdb . search ( expression = ' objectSid= %s ' % str ( sid ) )
if msg . count == 1 :
found = True
2011-08-18 15:21:32 +10:00
if found :
try :
m = ldb . Message ( )
2011-09-05 11:09:14 +10:00
m . dn = msg [ 0 ] [ ' dn ' ]
2011-09-13 01:27:50 +02:00
m [ ' xidNumber ' ] = ldb . MessageElement (
str ( xid ) , ldb . FLAG_MOD_REPLACE , ' xidNumber ' )
m [ ' type ' ] = ldb . MessageElement (
xid_type , ldb . FLAG_MOD_REPLACE , ' type ' )
2011-08-18 15:21:32 +10:00
idmapdb . modify ( m )
2018-02-14 10:18:36 +13:00
except ldb . LdbError as e :
2011-09-13 01:27:50 +02:00
logger . warn (
' Could not modify idmap entry for sid= %s , id= %s , type= %s ( %s ) ' ,
str ( sid ) , str ( xid ) , xid_type , str ( e ) )
2011-08-18 15:21:32 +10:00
else :
try :
idmapdb . add ( { " dn " : " CN= %s " % str ( sid ) ,
2018-07-30 18:16:12 +12:00
" cn " : str ( sid ) ,
" objectClass " : " sidMap " ,
" objectSid " : ndr_pack ( sid ) ,
" type " : xid_type ,
" xidNumber " : str ( xid ) } )
2018-02-14 10:18:36 +13:00
except ldb . LdbError as e :
2011-09-13 01:27:50 +02:00
logger . warn (
' Could not add idmap entry for sid= %s , id= %s , type= %s ( %s ) ' ,
str ( sid ) , str ( xid ) , xid_type , str ( e ) )
2011-08-18 15:21:32 +10:00
2011-09-04 12:10:36 +10:00
def import_idmap ( idmapdb , samba3 , logger ) :
2007-12-27 03:09:49 -06:00
""" Import idmap data.
2011-08-22 09:42:13 +10:00
: param idmapdb : Samba4 IDMAP database
: param samba3_idmap : Samba3 IDMAP database to import from
: param logger : Logger object
2007-12-27 03:09:49 -06:00
"""
2011-09-04 12:10:36 +10:00
try :
samba3_idmap = samba3 . get_idmap_db ( )
2018-02-14 10:18:36 +13:00
except IOError as e :
2011-09-09 12:44:56 +10:00
logger . warn ( ' Cannot open idmap database, Ignoring: %s ' , str ( e ) )
2011-09-04 12:10:36 +10:00
return
2011-08-18 15:21:32 +10:00
currentxid = max ( samba3_idmap . get_user_hwm ( ) , samba3_idmap . get_group_hwm ( ) )
lowerbound = currentxid
# FIXME: upperbound
m = ldb . Message ( )
m . dn = ldb . Dn ( idmapdb , ' CN=CONFIG ' )
2011-09-13 01:27:50 +02:00
m [ ' lowerbound ' ] = ldb . MessageElement (
str ( lowerbound ) , ldb . FLAG_MOD_REPLACE , ' lowerBound ' )
m [ ' xidNumber ' ] = ldb . MessageElement (
str ( currentxid ) , ldb . FLAG_MOD_REPLACE , ' xidNumber ' )
2011-08-18 15:21:32 +10:00
idmapdb . modify ( m )
for id_type , xid in samba3_idmap . ids ( ) :
if id_type == ' UID ' :
xid_type = ' ID_TYPE_UID '
elif id_type == ' GID ' :
xid_type = ' ID_TYPE_GID '
else :
logger . warn ( ' Wrong type of entry in idmap ( %s ), Ignoring ' , id_type )
continue
sid = samba3_idmap . get_sid ( xid , id_type )
add_idmap_entry ( idmapdb , dom_sid ( sid ) , xid , xid_type , logger )
def add_group_from_mapping_entry ( samdb , groupmap , logger ) :
2011-08-22 09:42:13 +10:00
""" Add or modify group from group mapping entry
param samdb : Samba4 SAM database
param groupmap : Groupmap entry
param logger : Logger object
"""
2011-08-18 15:21:32 +10:00
# First try to see if we already have this entry
try :
2011-09-13 01:27:50 +02:00
msg = samdb . search (
base = ' <SID= %s > ' % str ( groupmap . sid ) , scope = ldb . SCOPE_BASE )
2011-08-18 15:21:32 +10:00
found = True
2018-02-23 14:29:05 +00:00
except ldb . LdbError as e1 :
( ecode , emsg ) = e1 . args
2011-08-18 15:21:32 +10:00
if ecode == ldb . ERR_NO_SUCH_OBJECT :
found = False
else :
raise ldb . LdbError ( ecode , emsg )
if found :
logger . warn ( ' Group already exists sid= %s , groupname= %s existing_groupname= %s , Ignoring. ' ,
2018-07-30 18:15:34 +12:00
str ( groupmap . sid ) , groupmap . nt_name , msg [ 0 ] [ ' sAMAccountName ' ] [ 0 ] )
2011-08-18 15:21:32 +10:00
else :
if groupmap . sid_name_use == lsa . SID_NAME_WKN_GRP :
2011-09-05 11:10:36 +10:00
# In a lot of Samba3 databases, aliases are marked as well known groups
2011-09-13 01:27:50 +02:00
( group_dom_sid , rid ) = groupmap . sid . split ( )
2011-09-05 11:10:36 +10:00
if ( group_dom_sid != security . dom_sid ( security . SID_BUILTIN ) ) :
return
2011-08-18 15:21:32 +10:00
m = ldb . Message ( )
2015-09-24 07:41:22 +12:00
# We avoid using the format string to avoid needing to escape the CN values
m . dn = ldb . Dn ( samdb , " CN=X,CN=Users " )
m . dn . set_component ( 0 , " CN " , groupmap . nt_name )
m . dn . add_base ( samdb . get_default_basedn ( ) )
2011-11-16 10:17:50 +11:00
m [ ' objectClass ' ] = ldb . MessageElement ( ' group ' , ldb . FLAG_MOD_ADD , ' objectClass ' )
m [ ' objectSid ' ] = ldb . MessageElement ( ndr_pack ( groupmap . sid ) , ldb . FLAG_MOD_ADD ,
2018-07-30 18:16:12 +12:00
' objectSid ' )
2011-11-16 10:17:50 +11:00
m [ ' sAMAccountName ' ] = ldb . MessageElement ( groupmap . nt_name , ldb . FLAG_MOD_ADD ,
2018-07-30 18:16:12 +12:00
' sAMAccountName ' )
2011-11-16 10:17:50 +11:00
if groupmap . comment :
m [ ' description ' ] = ldb . MessageElement ( groupmap . comment , ldb . FLAG_MOD_ADD ,
2018-07-30 18:16:12 +12:00
' description ' )
2011-08-18 15:21:32 +10:00
2011-09-05 11:10:36 +10:00
# Fix up incorrect 'well known' groups that are actually builtin (per test above) to be aliases
if groupmap . sid_name_use == lsa . SID_NAME_ALIAS or groupmap . sid_name_use == lsa . SID_NAME_WKN_GRP :
2011-11-16 10:17:50 +11:00
m [ ' groupType ' ] = ldb . MessageElement ( str ( dsdb . GTYPE_SECURITY_DOMAIN_LOCAL_GROUP ) ,
2018-07-30 18:16:12 +12:00
ldb . FLAG_MOD_ADD , ' groupType ' )
2011-08-18 15:21:32 +10:00
try :
samdb . add ( m , controls = [ " relax:0 " ] )
2018-02-14 10:18:36 +13:00
except ldb . LdbError as e :
2011-08-18 15:21:32 +10:00
logger . warn ( ' Could not add group name= %s ( %s ) ' , groupmap . nt_name , str ( e ) )
2011-08-19 15:53:28 +10:00
def add_users_to_group ( samdb , group , members , logger ) :
2011-08-22 09:42:13 +10:00
""" Add user/member to group/alias
2007-12-10 09:29:00 +01:00
2011-08-22 09:42:13 +10:00
param samdb : Samba4 SAM database
param group : Groupmap object
param members : List of member SIDs
param logger : Logger object
"""
2011-08-18 15:21:32 +10:00
for member_sid in members :
m = ldb . Message ( )
2011-09-05 22:38:15 +10:00
m . dn = ldb . Dn ( samdb , " <SID= %s > " % str ( group . sid ) )
m [ ' a01 ' ] = ldb . MessageElement ( " <SID= %s > " % str ( member_sid ) , ldb . FLAG_MOD_ADD , ' member ' )
2011-08-18 15:21:32 +10:00
try :
samdb . modify ( m )
2018-02-23 14:29:05 +00:00
except ldb . LdbError as e :
( ecode , emsg ) = e . args
2011-09-06 08:14:35 +10:00
if ecode == ldb . ERR_ENTRY_ALREADY_EXISTS :
2011-11-17 18:51:14 +11:00
logger . debug ( " skipped re-adding member ' %s ' to group ' %s ' : %s " , member_sid , group . sid , emsg )
2011-09-06 08:14:35 +10:00
elif ecode == ldb . ERR_NO_SUCH_OBJECT :
raise ProvisioningError ( " Could not add member ' %s ' to group ' %s ' as either group or user record doesn ' t exist: %s " % ( member_sid , group . sid , emsg ) )
2011-09-05 18:10:37 +10:00
else :
2011-09-06 08:14:35 +10:00
raise ProvisioningError ( " Could not add member ' %s ' to group ' %s ' : %s " % ( member_sid , group . sid , emsg ) )
2007-12-10 09:29:00 +01:00
2009-11-28 16:59:18 +01:00
2007-12-26 20:55:05 -06:00
def import_wins ( samba4_winsdb , samba3_winsdb ) :
2007-12-27 03:09:49 -06:00
""" Import settings from a Samba3 WINS database.
2010-11-28 14:09:30 +01:00
2007-12-27 03:09:49 -06:00
: param samba4_winsdb : WINS database to import to
: param samba3_winsdb : WINS database to import from
"""
2011-10-19 09:31:16 +11:00
2007-12-26 20:55:05 -06:00
version_id = 0
for ( name , ( ttl , ips , nb_flags ) ) in samba3_winsdb . items ( ) :
2011-09-13 01:27:50 +02:00
version_id + = 1
2007-12-10 09:29:00 +01:00
2007-12-26 20:55:05 -06:00
type = int ( name . split ( " # " , 1 ) [ 1 ] , 16 )
if type == 0x1C :
2007-12-17 12:19:45 +01:00
rType = 0x2
2007-12-26 20:55:05 -06:00
elif type & 0x80 :
if len ( ips ) > 1 :
2007-12-17 12:19:45 +01:00
rType = 0x2
2007-12-10 09:29:00 +01:00
else :
2007-12-17 12:19:45 +01:00
rType = 0x1
2007-12-10 09:29:00 +01:00
else :
2007-12-26 20:55:05 -06:00
if len ( ips ) > 1 :
2007-12-17 12:19:45 +01:00
rType = 0x3
2007-12-10 09:29:00 +01:00
else :
2007-12-17 12:19:45 +01:00
rType = 0x0
2007-12-10 09:29:00 +01:00
2007-12-26 20:55:05 -06:00
if ttl > time . time ( ) :
2018-07-30 18:19:33 +12:00
rState = 0x0 # active
2007-12-10 09:29:00 +01:00
else :
2018-07-30 18:19:33 +12:00
rState = 0x1 # released
2007-12-10 09:29:00 +01:00
2011-09-13 01:27:50 +02:00
nType = ( ( nb_flags & 0x60 ) >> 5 )
2007-12-10 09:29:00 +01:00
2007-12-27 03:09:49 -06:00
samba4_winsdb . add ( { " dn " : " name= %s ,type=0x %s " % tuple ( name . split ( " # " ) ) ,
2007-12-26 20:55:05 -06:00
" type " : name . split ( " # " ) [ 1 ] ,
" name " : name . split ( " # " ) [ 0 ] ,
" objectClass " : " winsRecord " ,
" recordType " : str ( rType ) ,
" recordState " : str ( rState ) ,
" nodeType " : str ( nType ) ,
2007-12-27 03:09:49 -06:00
" expireTime " : ldb . timestring ( ttl ) ,
2007-12-26 20:55:05 -06:00
" isStatic " : " 0 " ,
" versionID " : str ( version_id ) ,
" address " : ips } )
2008-02-09 22:29:42 +01:00
samba4_winsdb . add ( { " dn " : " cn=VERSION " ,
" cn " : " VERSION " ,
2007-12-26 20:55:05 -06:00
" objectClass " : " winsMaxVersion " ,
" maxVersion " : str ( version_id ) } )
2007-12-10 09:29:00 +01:00
2011-09-13 01:27:50 +02:00
2007-12-26 20:55:05 -06:00
SAMBA3_PREDEF_NAMES = {
' HKLM ' : registry . HKEY_LOCAL_MACHINE ,
}
2011-09-13 01:27:50 +02:00
2007-12-26 20:55:05 -06:00
def import_registry ( samba4_registry , samba3_regdb ) :
""" Import a Samba 3 registry database into the Samba 4 registry.
: param samba4_registry : Samba 4 registry handle .
: param samba3_regdb : Samba 3 registry database handle .
"""
def ensure_key_exists ( keypath ) :
( predef_name , keypath ) = keypath . split ( " / " , 1 )
predef_id = SAMBA3_PREDEF_NAMES [ predef_name ]
keypath = keypath . replace ( " / " , " \\ " )
return samba4_registry . create_key ( predef_id , keypath )
for key in samba3_regdb . keys ( ) :
key_handle = ensure_key_exists ( key )
for subkey in samba3_regdb . subkeys ( key ) :
ensure_key_exists ( subkey )
for ( value_name , ( value_type , value_data ) ) in samba3_regdb . values ( key ) . items ( ) :
key_handle . set_value ( value_name , value_type , value_data )
2018-07-30 18:20:39 +12:00
2012-07-21 13:33:33 +02:00
def get_posix_attr_from_ldap_backend ( logger , ldb_object , base_dn , user , attr ) :
""" Get posix attributes from a samba3 ldap backend
: param ldbs : a list of ldb connection objects
: param base_dn : the base_dn of the connection
: param user : the user to get the attribute for
: param attr : the attribute to be retrieved
"""
try :
msg = ldb_object . search ( base_dn , scope = ldb . SCOPE_SUBTREE ,
2018-07-30 18:16:12 +12:00
expression = ( " (&(objectClass=posixAccount)(uid= %s )) "
% ( user ) ) , attrs = [ attr ] )
2018-02-14 10:18:36 +13:00
except ldb . LdbError as e :
2015-08-14 16:43:41 +12:00
raise ProvisioningError ( " Failed to retrieve attribute %s for user %s , the error is: %s " % ( attr , user , e ) )
2012-07-21 13:33:33 +02:00
else :
2012-11-11 11:35:02 +11:00
if msg . count < = 1 :
# This will raise KeyError (which is what we want) if there isn't a entry for this user
2012-07-21 13:33:33 +02:00
return msg [ 0 ] [ attr ] [ 0 ]
else :
logger . warning ( " LDAP entry for user %s contains more than one %s " , user , attr )
2012-11-11 11:35:02 +11:00
raise KeyError
2007-12-26 20:55:05 -06:00
2012-09-16 14:18:51 +02:00
def upgrade_from_samba3 ( samba3 , logger , targetdir , session_info = None ,
2018-07-30 18:16:12 +12:00
useeadb = False , dns_backend = None , use_ntvfs = False ) :
2011-08-12 11:37:57 +10:00
""" Upgrade from samba3 database to samba4 AD database
2011-08-25 17:20:05 +10:00
: param samba3 : samba3 object
: param logger : Logger object
: param targetdir : samba4 database directory
: param session_info : Session information
"""
2011-11-10 16:26:57 +11:00
serverrole = samba3 . lp . server_role ( )
2009-11-27 15:50:26 +01:00
2011-08-25 17:20:05 +10:00
domainname = samba3 . lp . get ( " workgroup " )
realm = samba3 . lp . get ( " realm " )
netbiosname = samba3 . lp . get ( " netbios name " )
2009-11-27 15:50:26 +01:00
2012-05-02 16:05:25 +10:00
if samba3 . lp . get ( " ldapsam:trusted " ) is None :
samba3 . lp . set ( " ldapsam:trusted " , " yes " )
2011-08-12 11:37:57 +10:00
# secrets db
2011-10-17 12:22:44 +11:00
try :
secrets_db = samba3 . get_secrets_db ( )
2018-02-14 10:18:36 +13:00
except IOError as e :
2011-10-19 09:37:47 +11:00
raise ProvisioningError ( " Could not open ' %s ' , the Samba3 secrets database: %s . Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option? " % ( samba3 . privatedir_path ( " secrets.tdb " ) , str ( e ) ) )
2010-11-28 14:09:30 +01:00
2011-08-12 11:37:57 +10:00
if not domainname :
2009-11-27 15:50:26 +01:00
domainname = secrets_db . domains ( ) [ 0 ]
2011-08-25 17:20:05 +10:00
logger . warning ( " No workgroup specified in smb.conf file, assuming ' %s ' " ,
2018-07-30 18:16:12 +12:00
domainname )
2010-11-28 14:09:30 +01:00
2011-08-12 11:37:57 +10:00
if not realm :
2011-11-10 16:26:57 +11:00
if serverrole == " ROLE_DOMAIN_BDC " or serverrole == " ROLE_DOMAIN_PDC " :
2011-09-05 11:07:39 +10:00
raise ProvisioningError ( " No realm specified in smb.conf file and being a DC. That upgrade path doesn ' t work! Please add a ' realm ' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create. " )
2009-11-27 15:50:26 +01:00
else :
realm = domainname . upper ( )
2010-06-13 15:05:50 +02:00
logger . warning ( " No realm specified in smb.conf file, assuming ' %s ' " ,
2018-07-30 18:16:12 +12:00
realm )
2009-11-27 15:50:26 +01:00
2011-08-12 11:37:57 +10:00
# Find machine account and password
2011-08-13 13:32:18 +10:00
next_rid = 1000
2011-08-12 11:37:57 +10:00
try :
machinepass = secrets_db . get_machine_password ( netbiosname )
2011-10-08 14:07:18 +02:00
except KeyError :
machinepass = None
2011-08-12 11:37:57 +10:00
2012-07-21 13:33:33 +02:00
if samba3 . lp . get ( " passdb backend " ) . split ( " : " ) [ 0 ] . strip ( ) == " ldapsam " :
2018-07-30 18:17:44 +12:00
base_dn = samba3 . lp . get ( " ldap suffix " )
2012-07-21 13:33:33 +02:00
ldapuser = samba3 . lp . get ( " ldap admin dn " )
2013-01-15 21:53:30 +11:00
ldappass = secrets_db . get_ldap_bind_pw ( ldapuser )
if ldappass is None :
raise ProvisioningError ( " ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s . Please point this tool at the secrets.tdb that was used by the previous installation. " )
2019-09-21 13:24:59 +02:00
ldappass = ldappass . decode ( ' utf-8 ' ) . strip ( ' \x00 ' )
2012-07-21 13:33:33 +02:00
ldap = True
else :
ldapuser = None
ldappass = None
ldap = False
2011-08-12 11:37:57 +10:00
# We must close the direct pytdb database before the C code loads it
secrets_db . close ( )
2011-08-25 17:20:05 +10:00
# Connect to old password backend
passdb . set_secrets_dir ( samba3 . lp . get ( " private dir " ) )
s3db = samba3 . get_sam_db ( )
2011-08-12 11:37:57 +10:00
2011-08-18 15:21:32 +10:00
# Get domain sid
2011-08-12 11:37:57 +10:00
try :
2011-08-18 15:21:32 +10:00
domainsid = passdb . get_global_sam_sid ( )
2011-08-22 09:43:20 +10:00
except passdb . error :
2011-08-18 15:21:32 +10:00
raise Exception ( " Can ' t find domain sid for ' %s ' , Exiting. " % domainname )
2011-08-12 11:37:57 +10:00
2011-08-18 15:21:32 +10:00
# Get machine account, sid, rid
2011-08-12 11:37:57 +10:00
try :
2011-08-25 17:20:05 +10:00
machineacct = s3db . getsampwnam ( ' %s $ ' % netbiosname )
2011-10-08 14:07:18 +02:00
except passdb . error :
machinerid = None
machinesid = None
else :
2011-08-12 11:37:57 +10:00
machinesid , machinerid = machineacct . user_sid . split ( )
2011-08-25 17:20:05 +10:00
# Export account policy
logger . info ( " Exporting account policy " )
policy = s3db . get_account_policy ( )
2011-08-18 15:21:32 +10:00
2011-08-25 17:20:05 +10:00
# Export groups from old passdb backend
2011-08-18 15:21:32 +10:00
logger . info ( " Exporting groups " )
2011-08-25 17:20:05 +10:00
grouplist = s3db . enum_group_mapping ( )
2011-08-18 15:21:32 +10:00
groupmembers = { }
for group in grouplist :
sid , rid = group . sid . split ( )
if sid == domainsid :
if rid > = next_rid :
2011-09-13 01:27:50 +02:00
next_rid = rid + 1
2011-08-18 15:21:32 +10:00
# Get members for each group/alias
2011-09-04 11:58:34 +10:00
if group . sid_name_use == lsa . SID_NAME_ALIAS :
2012-04-19 09:59:40 +10:00
try :
members = s3db . enum_aliasmem ( group . sid )
2012-05-02 13:01:29 +10:00
groupmembers [ str ( group . sid ) ] = members
2018-02-14 10:18:36 +13:00
except passdb . error as e :
2012-04-19 09:59:40 +10:00
logger . warn ( " Ignoring group ' %s ' %s listed but then not found: %s " ,
2012-04-24 10:01:01 +10:00
group . nt_name , group . sid , e )
2012-04-19 09:59:40 +10:00
continue
2011-08-18 15:21:32 +10:00
elif group . sid_name_use == lsa . SID_NAME_DOM_GRP :
try :
2011-08-25 17:20:05 +10:00
members = s3db . enum_group_members ( group . sid )
2012-05-02 13:01:29 +10:00
groupmembers [ str ( group . sid ) ] = members
2018-02-14 10:18:36 +13:00
except passdb . error as e :
2012-04-19 09:59:40 +10:00
logger . warn ( " Ignoring group ' %s ' %s listed but then not found: %s " ,
2012-04-24 10:01:01 +10:00
group . nt_name , group . sid , e )
2011-08-18 15:21:32 +10:00
continue
2011-09-04 11:58:34 +10:00
elif group . sid_name_use == lsa . SID_NAME_WKN_GRP :
2011-09-05 11:10:36 +10:00
( group_dom_sid , rid ) = group . sid . split ( )
if ( group_dom_sid != security . dom_sid ( security . SID_BUILTIN ) ) :
logger . warn ( " Ignoring ' well known ' group ' %s ' (should already be in AD, and have no members) " ,
group . nt_name )
continue
# A number of buggy databases mix up well known groups and aliases.
2012-04-19 09:59:40 +10:00
try :
members = s3db . enum_aliasmem ( group . sid )
2012-05-02 13:01:29 +10:00
groupmembers [ str ( group . sid ) ] = members
2018-02-14 10:18:36 +13:00
except passdb . error as e :
2012-04-19 09:59:40 +10:00
logger . warn ( " Ignoring group ' %s ' %s listed but then not found: %s " ,
2012-04-24 10:01:01 +10:00
group . nt_name , group . sid , e )
2012-04-19 09:59:40 +10:00
continue
2011-08-18 15:21:32 +10:00
else :
2012-05-02 13:01:29 +10:00
logger . warn ( " Ignoring group ' %s ' %s with sid_name_use= %d " ,
group . nt_name , group . sid , group . sid_name_use )
2011-08-18 15:21:32 +10:00
continue
2011-08-25 17:20:05 +10:00
# Export users from old passdb backend
2011-08-18 15:21:32 +10:00
logger . info ( " Exporting users " )
2011-08-25 17:20:05 +10:00
userlist = s3db . search_users ( 0 )
2011-08-12 11:37:57 +10:00
userdata = { }
2011-08-18 15:21:32 +10:00
uids = { }
2011-08-19 15:53:28 +10:00
admin_user = None
2011-08-12 11:37:57 +10:00
for entry in userlist :
2011-08-13 13:32:18 +10:00
if machinerid and machinerid == entry [ ' rid ' ] :
2011-08-12 11:37:57 +10:00
continue
username = entry [ ' account_name ' ]
if entry [ ' rid ' ] < 1000 :
2011-08-18 15:21:32 +10:00
logger . info ( " Skipping wellknown rid= %d (for username= %s ) " , entry [ ' rid ' ] , username )
2011-08-12 11:37:57 +10:00
continue
2011-08-13 13:32:18 +10:00
if entry [ ' rid ' ] > = next_rid :
next_rid = entry [ ' rid ' ] + 1
2011-09-05 11:10:36 +10:00
user = s3db . getsampwnam ( username )
2018-08-22 18:26:09 +12:00
acct_type = ( user . acct_ctrl & ( samr . ACB_NORMAL |
samr . ACB_WSTRUST |
samr . ACB_SVRTRUST |
samr . ACB_DOMTRUST ) )
2013-04-11 09:32:13 +10:00
if acct_type == samr . ACB_SVRTRUST :
2013-04-11 18:13:16 +10:00
logger . warn ( " Demoting BDC account trust for %s , this DC must be elevated to an AD DC using ' samba-tool domain dcpromo ' " % username [ : - 1 ] )
2012-07-06 15:40:02 +10:00
user . acct_ctrl = ( user . acct_ctrl & ~ samr . ACB_SVRTRUST ) | samr . ACB_WSTRUST
2011-09-05 11:10:36 +10:00
elif acct_type == samr . ACB_DOMTRUST :
logger . warn ( " Skipping inter-domain trust from domain %s , this trust must be re-created as an AD trust " % username [ : - 1 ] )
2013-04-11 09:33:16 +10:00
continue
2012-07-06 15:40:02 +10:00
2013-04-11 09:32:13 +10:00
elif acct_type == ( samr . ACB_WSTRUST ) and username [ - 1 ] != ' $ ' :
logger . warn ( " Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration. " % username )
continue
2018-08-22 18:26:09 +12:00
elif acct_type == ( samr . ACB_NORMAL | samr . ACB_WSTRUST ) and username [ - 1 ] == ' $ ' :
2011-09-05 11:10:36 +10:00
logger . warn ( " Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member " % username )
user . acct_ctrl = ( user . acct_ctrl & ~ samr . ACB_NORMAL )
2012-07-06 15:40:02 +10:00
2018-08-22 18:26:09 +12:00
elif acct_type == ( samr . ACB_NORMAL | samr . ACB_SVRTRUST ) and username [ - 1 ] == ' $ ' :
2012-07-06 15:40:02 +10:00
logger . warn ( " Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member " % username )
user . acct_ctrl = ( user . acct_ctrl & ~ samr . ACB_NORMAL )
2013-04-11 09:32:13 +10:00
elif acct_type == 0 and username [ - 1 ] != ' $ ' :
user . acct_ctrl = ( user . acct_ctrl | samr . ACB_NORMAL )
elif ( acct_type == samr . ACB_NORMAL or acct_type == samr . ACB_WSTRUST ) :
pass
2011-09-05 11:10:36 +10:00
else :
raise ProvisioningError ( """ Failed to upgrade due to invalid account %s , account control flags 0x %08X must have exactly one of
ACB_NORMAL ( N , 0 x % 08 X ) , ACB_WSTRUST ( W 0 x % 08 X ) , ACB_SVRTRUST ( S 0 x % 08 X ) or ACB_DOMTRUST ( D 0 x % 08 X ) .
Please fix this account before attempting to upgrade again
"""
2013-02-12 09:20:03 +11:00
% ( username , user . acct_ctrl ,
2011-09-05 11:10:36 +10:00
samr . ACB_NORMAL , samr . ACB_WSTRUST , samr . ACB_SVRTRUST , samr . ACB_DOMTRUST ) )
2011-09-13 01:27:50 +02:00
2011-09-05 11:10:36 +10:00
userdata [ username ] = user
2011-08-18 15:21:32 +10:00
try :
2011-09-05 11:10:36 +10:00
uids [ username ] = s3db . sid_to_id ( user . user_sid ) [ 0 ]
2011-10-08 14:07:18 +02:00
except passdb . error :
2011-08-18 15:21:32 +10:00
try :
uids [ username ] = pwd . getpwnam ( username ) . pw_uid
2011-10-10 13:09:30 +11:00
except KeyError :
2011-08-18 15:21:32 +10:00
pass
2011-08-19 15:53:28 +10:00
if not admin_user and username . lower ( ) == ' root ' :
admin_user = username
if username . lower ( ) == ' administrator ' :
admin_user = username
2012-05-02 13:01:29 +10:00
try :
2018-07-30 18:22:11 +12:00
group_memberships = s3db . enum_group_memberships ( user )
2012-05-02 13:01:29 +10:00
for group in group_memberships :
if str ( group ) in groupmembers :
if user . user_sid not in groupmembers [ str ( group ) ] :
groupmembers [ str ( group ) ] . append ( user . user_sid )
else :
2018-07-30 18:22:11 +12:00
groupmembers [ str ( group ) ] = [ user . user_sid ]
2018-02-14 10:18:36 +13:00
except passdb . error as e :
2012-05-02 13:01:29 +10:00
logger . warn ( " Ignoring group memberships of ' %s ' %s : %s " ,
username , user . user_sid , e )
2011-08-18 15:21:32 +10:00
logger . info ( " Next rid = %d " , next_rid )
2011-08-12 11:37:57 +10:00
2011-09-12 12:14:00 +10:00
# Check for same username/groupname
2011-10-12 20:12:26 +02:00
group_names = set ( [ g . nt_name for g in grouplist ] )
user_names = set ( [ u [ ' account_name ' ] for u in userlist ] )
2011-09-12 12:14:00 +10:00
common_names = group_names . intersection ( user_names )
if common_names :
logger . error ( " Following names are both user names and group names: " )
for name in common_names :
logger . error ( " %s " % name )
raise ProvisioningError ( " Please remove common user/group names before upgrade. " )
2011-09-12 15:09:49 +10:00
# Check for same user sid/group sid
2011-10-12 20:12:26 +02:00
group_sids = set ( [ str ( g . sid ) for g in grouplist ] )
2012-01-30 12:13:28 +11:00
if len ( grouplist ) != len ( group_sids ) :
raise ProvisioningError ( " Please remove duplicate group sid entries before upgrade. " )
2011-10-12 20:12:26 +02:00
user_sids = set ( [ " %s - %u " % ( domainsid , u [ ' rid ' ] ) for u in userlist ] )
2012-01-30 12:13:28 +11:00
if len ( userlist ) != len ( user_sids ) :
raise ProvisioningError ( " Please remove duplicate user sid entries before upgrade. " )
2011-09-12 15:09:49 +10:00
common_sids = group_sids . intersection ( user_sids )
if common_sids :
logger . error ( " Following sids are both user and group sids: " )
for sid in common_sids :
logger . error ( " %s " % str ( sid ) )
raise ProvisioningError ( " Please remove duplicate sid entries before upgrade. " )
2012-07-21 13:33:33 +02:00
# Get posix attributes from ldap or the os
homes = { }
shells = { }
pgids = { }
if ldap :
creds = Credentials ( )
2012-08-28 11:19:04 +10:00
creds . guess ( samba3 . lp )
2012-07-21 13:33:33 +02:00
creds . set_bind_dn ( ldapuser )
creds . set_password ( ldappass )
2018-07-30 18:19:05 +12:00
urls = samba3 . lp . get ( " passdb backend " ) . split ( " : " , 1 ) [ 1 ] . strip ( ' " ' )
2012-07-21 13:33:33 +02:00
for url in urls . split ( ) :
try :
2012-08-28 11:19:04 +10:00
ldb_object = Ldb ( url , credentials = creds )
2018-02-14 10:18:36 +13:00
except ldb . LdbError as e :
2014-04-21 03:47:40 +02:00
raise ProvisioningError ( " Could not open ldb connection to %s , the error message is: %s " % ( url , e ) )
2012-07-21 13:33:33 +02:00
else :
break
logger . info ( " Exporting posix attributes " )
userlist = s3db . search_users ( 0 )
for entry in userlist :
username = entry [ ' account_name ' ]
if username in uids . keys ( ) :
2012-11-11 11:35:02 +11:00
try :
if ldap :
homes [ username ] = get_posix_attr_from_ldap_backend ( logger , ldb_object , base_dn , username , " homeDirectory " )
else :
2012-07-21 13:33:33 +02:00
homes [ username ] = pwd . getpwnam ( username ) . pw_dir
2012-11-11 11:35:02 +11:00
except KeyError :
pass
2012-12-05 10:35:50 +11:00
except IndexError :
pass
2012-11-11 11:35:02 +11:00
try :
if ldap :
shells [ username ] = get_posix_attr_from_ldap_backend ( logger , ldb_object , base_dn , username , " loginShell " )
else :
2012-07-21 13:33:33 +02:00
shells [ username ] = pwd . getpwnam ( username ) . pw_shell
2012-11-11 11:35:02 +11:00
except KeyError :
pass
2012-12-05 10:35:50 +11:00
except IndexError :
pass
2012-11-11 11:35:02 +11:00
try :
if ldap :
pgids [ username ] = get_posix_attr_from_ldap_backend ( logger , ldb_object , base_dn , username , " gidNumber " )
else :
2012-07-21 13:33:33 +02:00
pgids [ username ] = pwd . getpwnam ( username ) . pw_gid
2012-11-11 11:35:02 +11:00
except KeyError :
pass
2012-12-05 10:35:50 +11:00
except IndexError :
pass
2012-07-21 13:33:33 +02:00
2012-08-27 17:27:16 +10:00
logger . info ( " Reading WINS database " )
samba3_winsdb = None
try :
samba3_winsdb = samba3 . get_wins_db ( )
2018-02-14 10:18:36 +13:00
except IOError as e :
2012-08-27 17:27:16 +10:00
logger . warn ( ' Cannot open wins database, Ignoring: %s ' , str ( e ) )
2012-08-27 17:20:51 +10:00
if not ( serverrole == " ROLE_DOMAIN_BDC " or serverrole == " ROLE_DOMAIN_PDC " ) :
dns_backend = " NONE "
2012-12-22 09:28:05 +11:00
# If we found an admin user, set a fake pw that we will override.
# This avoids us printing out an admin password that we won't actually
# set.
if admin_user :
adminpass = generate_random_password ( 12 , 32 )
else :
adminpass = None
2012-08-27 17:20:51 +10:00
# Do full provision
2013-09-26 10:19:18 -07:00
result = provision ( logger , session_info ,
2012-08-27 17:20:51 +10:00
targetdir = targetdir , realm = realm , domain = domainname ,
2014-08-11 11:23:57 +12:00
domainsid = domainsid , next_rid = next_rid ,
2018-07-30 18:19:21 +12:00
dc_rid = machinerid , adminpass = adminpass ,
2012-08-27 17:20:51 +10:00
dom_for_fun_level = dsdb . DS_DOMAIN_FUNCTION_2003 ,
hostname = netbiosname . lower ( ) , machinepass = machinepass ,
serverrole = serverrole , samdb_fill = FILL_FULL ,
useeadb = useeadb , dns_backend = dns_backend , use_rfc2307 = True ,
2012-08-27 22:38:53 +10:00
use_ntvfs = use_ntvfs , skip_sysvolacl = True )
2012-08-27 17:20:51 +10:00
result . report_logger ( logger )
# Import WINS database
logger . info ( " Importing WINS database " )
if samba3_winsdb :
import_wins ( Ldb ( result . paths . winsdb ) , samba3_winsdb )
# Set Account policy
logger . info ( " Importing Account policy " )
import_sam_policy ( result . samdb , policy , logger )
# Migrate IDMAP database
logger . info ( " Importing idmap database " )
import_idmap ( result . idmap , samba3 , logger )
2011-08-25 17:20:05 +10:00
# Set the s3 context for samba4 configuration
new_lp_ctx = s3param . get_context ( )
new_lp_ctx . load ( result . lp . configfile )
new_lp_ctx . set ( " private dir " , result . lp . get ( " private dir " ) )
new_lp_ctx . set ( " state directory " , result . lp . get ( " state directory " ) )
2011-08-26 10:01:29 +10:00
new_lp_ctx . set ( " lock directory " , result . lp . get ( " lock directory " ) )
2011-08-25 17:20:05 +10:00
2011-08-18 15:21:32 +10:00
# Connect to samba4 backend
2011-08-25 17:20:05 +10:00
s4_passdb = passdb . PDB ( new_lp_ctx . get ( " passdb backend " ) )
2009-11-27 15:50:26 +01:00
2013-04-14 14:36:08 +10:00
# Start a new transaction (should speed this up a little, due to index churn)
result . samdb . transaction_start ( )
logger . info ( " Adding groups " )
try :
# Export groups to samba4 backend
logger . info ( " Importing groups " )
for g in grouplist :
# Ignore uninitialized groups (gid = -1)
if g . gid != - 1 :
add_group_from_mapping_entry ( result . samdb , g , logger )
add_ad_posix_idmap_entry ( result . samdb , g . sid , g . gid , " ID_TYPE_GID " , logger )
add_posix_attrs ( samdb = result . samdb , sid = g . sid , name = g . nt_name , nisdomain = domainname . lower ( ) , xid_type = " ID_TYPE_GID " , logger = logger )
except :
# We need this, so that we do not give even more errors due to not cancelling the transaction
result . samdb . transaction_cancel ( )
raise
2014-03-30 04:02:39 +02:00
logger . info ( " Committing ' add groups ' transaction to disk " )
2013-04-14 14:36:08 +10:00
result . samdb . transaction_commit ( )
logger . info ( " Adding users " )
2012-06-16 14:19:42 +10:00
2018-03-23 13:05:55 +13:00
# Export users to samba4 backend
logger . info ( " Importing users " )
for username in userdata :
if username . lower ( ) == ' administrator ' :
if userdata [ username ] . user_sid != dom_sid ( str ( domainsid ) + " -500 " ) :
logger . error ( " User ' Administrator ' in your existing directory has SID %s , expected it to be %s " % ( userdata [ username ] . user_sid , dom_sid ( str ( domainsid ) + " -500 " ) ) )
raise ProvisioningError ( " User ' Administrator ' in your existing directory does not have SID ending in -500 " )
if username . lower ( ) == ' root ' :
if userdata [ username ] . user_sid == dom_sid ( str ( domainsid ) + " -500 " ) :
logger . warn ( ' User root has been replaced by Administrator ' )
else :
logger . warn ( ' User root has been kept in the directory, it should be removed in favour of the Administrator user ' )
2013-04-14 14:36:08 +10:00
2018-03-23 13:05:55 +13:00
s4_passdb . add_sam_account ( userdata [ username ] )
if username in uids :
add_ad_posix_idmap_entry ( result . samdb , userdata [ username ] . user_sid , uids [ username ] , " ID_TYPE_UID " , logger )
if ( username in homes ) and ( homes [ username ] is not None ) and \
( username in shells ) and ( shells [ username ] is not None ) and \
( username in pgids ) and ( pgids [ username ] is not None ) :
add_posix_attrs ( samdb = result . samdb , sid = userdata [ username ] . user_sid , name = username , nisdomain = domainname . lower ( ) , xid_type = " ID_TYPE_UID " , home = homes [ username ] , shell = shells [ username ] , pgid = pgids [ username ] , logger = logger )
2013-04-14 14:36:08 +10:00
2011-08-18 15:21:32 +10:00
logger . info ( " Adding users to groups " )
2013-04-14 14:36:08 +10:00
# Start a new transaction (should speed this up a little, due to index churn)
result . samdb . transaction_start ( )
try :
for g in grouplist :
if str ( g . sid ) in groupmembers :
add_users_to_group ( result . samdb , g , groupmembers [ str ( g . sid ) ] , logger )
except :
# We need this, so that we do not give even more errors due to not cancelling the transaction
result . samdb . transaction_cancel ( )
raise
2014-03-30 04:02:39 +02:00
logger . info ( " Committing ' add users to groups ' transaction to disk " )
2013-04-14 14:36:08 +10:00
result . samdb . transaction_commit ( )
2011-08-19 15:53:28 +10:00
# Set password for administrator
if admin_user :
logger . info ( " Setting password for administrator " )
2011-08-25 17:20:05 +10:00
admin_userdata = s4_passdb . getsampwnam ( " administrator " )
2011-08-19 15:53:28 +10:00
admin_userdata . nt_passwd = userdata [ admin_user ] . nt_passwd
if userdata [ admin_user ] . lanman_passwd :
admin_userdata . lanman_passwd = userdata [ admin_user ] . lanman_passwd
admin_userdata . pass_last_set_time = userdata [ admin_user ] . pass_last_set_time
if userdata [ admin_user ] . pw_history :
admin_userdata . pw_history = userdata [ admin_user ] . pw_history
2011-08-25 17:20:05 +10:00
s4_passdb . update_sam_account ( admin_userdata )
2011-08-19 15:53:28 +10:00
logger . info ( " Administrator password has been set to password of user ' %s ' " , admin_user )
2011-08-18 15:21:32 +10:00
2012-08-27 22:38:53 +10:00
if result . server_role == " active directory domain controller " :
2012-09-16 14:18:51 +02:00
setsysvolacl ( result . samdb , result . paths . netlogon , result . paths . sysvol ,
2018-07-30 18:16:12 +12:00
result . paths . root_uid , result . paths . root_gid ,
security . dom_sid ( result . domainsid ) , result . names . dnsdomain ,
result . names . domaindn , result . lp , use_ntvfs )
2012-08-27 22:38:53 +10:00
2011-08-18 15:21:32 +10:00
# FIXME: import_registry(registry.Registry(), samba3.get_registry())
2011-08-25 17:20:05 +10:00
# FIXME: shares