sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-11-06 08:23:50 +03:00
Code Activity

r26366: Import provision scripts in Python.

Browse Source
This commit is contained in:
Jelmer Vernooij
2007-12-10 09:29:00 +01:00
committed by Stefan Metzmacher
parent f28c1623e2
commit 090c799f98
3 changed files with 1583 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

842
source/scripting/python/samba/provision.py Normal file
View File

@@ -0,0 +1,842 @@
#
# backend code for provisioning a Samba4 server
# Copyright Andrew Tridgell 2005
# Copyright Jelmer Vernooij 2007
# Released under the GNU GPL v2 or later
#
from base64 import b64encode
import os
import pwd
import grp
import time
import uuid, sid, misc
from socket import gethostname, gethostbyname
import param
import registry
from samba import Ldb, substitute_var
from ldb import Dn, SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError, \
LDB_ERR_NO_SUCH_OBJECT, timestring
class InvalidNetbiosName(Exception):
def __init__(self, name):
super(InvalidNetbiosName, self).__init__("The name '%r' is not a valid NetBIOS name" % name)
class ProvisionSettings(object):
def __init__(self, realm=None, domain=None, hostname=None, hostip=None):
self.realm = realm
self.domain = domain
self.hostname = hostname
self.hostip = hostip
self.domainsid = None
self.invocationid = None
self.krbtgtpass = None
self.machinepass = None
self.adminpass = None
self.defaultsite = "Default-First-Site-Name"
self.datestring = None
self.root = None
self.nobody = None
self.nogroup = None
self.wheel = None
self.backup = None
self.users = None
self.dnsdomain = None
self.dnsname = None
self.domaindn = None
self.domaindn_ldb = None
self.rootdn = None
self.configdn = None
self.configdn_ldb = None
self.schemedn = None
self.schemedn_ldb = None
self.s4_ldapi_path = None
self.policyguid = None
def subst_vars(self):
return {"SCHEMADN": self.schemadn,
"SCHEMADN_LDB": self.schemadn_ldb,
"SCHEMADN_MOD": "schema_fsmo",
"SCHEMADN_MOD2": ",objectguid",
"CONFIGDN": self.configdn,
"TDB_MODULES_LIST": ","+",".join(self.tdb_modules_list)
"MODULES_LIST2": ",".join(self.modules_list2)
"CONFIGDN_LDB": self.configdn_ldb,
"DOMAINDN": self.domaindn,
"DOMAINDN_LDB": self.domaindn_ldb,
"DOMAINDN_MOD": "pdc_fsmo,password_hash",
"DOMAINDN_MOD2": ",objectguid",
"DOMAINSID": self.domainsid,
"MODULES_LIST": ",".join(self.modules_list),
"CONFIGDN_MOD": "naming_fsmo",
"CONFIGDN_MOD2": ",objectguid",
"NETBIOSNAME": self.netbiosname,
"DNSNAME": self.dnsname,
"ROOTDN": self.rootdn,
"DNSDOMAIN": self.dnsdomain,
"REALM": self.realm,
"DEFAULTSITE": self.defaultsite,
"MACHINEPASS_B64": b64encode(self.machinepass),
"ADMINPASS_B64": b64encode(self.adminpass),
"DNSPASS_B64": b64encode(self.dnspass),
"KRBTGTPASS_B64": b64encode(self.krbtgtpass),
"S4_LDAPI_URI": "ldapi://%s" % self.s4_ldapi_path.replace("/", "%2F"),
"LDAPTIME": timestring(int(time.time())),
"POLICYGUID": self.policyguid,
"RDN_DC": self.rdn_dc,
"DOMAINGUID_MOD": self.domainguid_mod,
}
def fix(self, paths):
self.realm = self.realm.upper()
self.hostname = self.hostname.lower()
self.domain = self.domain.upper()
if not valid_netbios_name(self.domain):
raise InvalidNetbiosName(self.domain)
self.netbiosname = self.hostname.upper()
if not valid_netbios_name(self.netbiosname):
raise InvalidNetbiosName(self.netbiosname)
rdns = self.domaindn.split(",")
self.rdn_dc = rdns[0][len("DC="):]
self.sam_ldb = paths.samdb
self.secrets_ldb = paths.secrets
self.secrets_keytab = paths.keytab
self.s4_ldapi_path = paths.s4_ldapi_path
def validate(self, lp):
if not valid_netbios_name(self.domain):
raise InvalidNetbiosName(self.domain)
if not valid_netbios_name(self.netbiosname):
raise InvalidNetbiosName(self.netbiosname)
if lp.get("workgroup").upper() != self.domain.upper():
raise Error("workgroup '%s' in smb.conf must match chosen domain '%s'\n",
lp.get("workgroup"), self.domain)
if lp.get("realm").upper() != self.realm.upper():
raise Error("realm '%s' in smb.conf must match chosen realm '%s'\n" %
(lp.get("realm"), self.realm))
class ProvisionPaths:
def __init__(self):
self.smbconf = None
self.shareconf = None
self.hklm = None
self.hkcu = None
self.hkcr = None
self.hku = None
self.hkpd = None
self.hkpt = None
self.samdb = None
self.secrets = None
self.keytab = None
self.dns = None
self.winsdb = None
self.ldap_basedn_ldif = None
self.ldap_config_basedn_ldif = None
self.ldap_schema_basedn_ldif = None
self.s4_ldapi_path = None
def install_ok(lp, session_info, credentials):
"""Check whether the current install seems ok."""
if lp.get("realm") == "":
return False
ldb = Ldb(lp.get("sam database"), session_info=session_info,
credentials=credentials)
if len(ldb.search("(cn=Administrator)")) != 1:
return False
return True
def findnss(nssfn, *names):
"""Find a user or group from a list of possibilities."""
for name in names:
try:
return nssfn(name)
except KeyError:
pass
raise Exception("Unable to find user/group for %s" % arguments[1])
def add_foreign(ldb, subobj, sid, desc):
"""Add a foreign security principle."""
add = """
dn: CN=%s,CN=ForeignSecurityPrincipals,%s
objectClass: top
objectClass: foreignSecurityPrincipal
description: %s
""" % (sid, subobj.domaindn, desc)
# deliberately ignore errors from this, as the records may
# already exist
for msg in ldb.parse_ldif(add):
ldb.add(msg[1])
def setup_name_mapping(subobj, ldb, sid, unixname):
"""Setup a mapping between a sam name and a unix name."""
res = ldb.search(Dn(ldb, subobj.domaindn), SCOPE_SUBTREE,
"objectSid=%s" % sid, ["dn"])
assert len(res) == 1, "Failed to find record for objectSid %s" % sid
mod = """
dn: %s
changetype: modify
replace: unixName
unixName: %s
""" % (res[0].dn, unixname)
ldb.modify(ldb.parse_ldif(mod).next()[1])
def hostip():
"""return first host IP."""
return gethostbyname(hostname())
def hostname():
"""return first part of hostname."""
return gethostname().split(".")[0]
def ldb_delete(ldb):
"""Delete a LDB file.
This may be necessary if the ldb is in bad shape, possibly due to being
built from an incompatible previous version of the code, so delete it
completely.
"""
print "Deleting %s\n" % ldb.filename
os.unlink(ldb.filename)
ldb.connect(ldb.filename)
def ldb_erase(ldb):
"""Erase an ldb, removing all records."""
# delete the specials
for attr in ["@INDEXLIST", "@ATTRIBUTES", "@SUBCLASSES", "@MODULES",
"@OPTIONS", "@PARTITION", "@KLUDGEACL"]:
try:
ldb.delete(Dn(ldb, attr))
except LdbError, (LDB_ERR_NO_SUCH_OBJECT, _):
# Ignore missing dn errors
pass
basedn = Dn(ldb, "")
# and the rest
for msg in ldb.search(basedn, SCOPE_SUBTREE,
"(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))",
["dn"]):
ldb.delete(msg.dn)
res = ldb.search(basedn, SCOPE_SUBTREE, "(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", ["dn"])
assert len(res) == 0
def ldb_erase_partitions(subobj, message, ldb, ldapbackend):
"""Erase an ldb, removing all records."""
assert ldb is not None
res = ldb.search(Dn(ldb, ""), SCOPE_BASE, "(objectClass=*)",
["namingContexts"])
assert len(res) == 1
if not "namingContexts" in res[0]:
return
for basedn in res[0]["namingContexts"]:
anything = "(|(objectclass=*)(dn=*))"
previous_remaining = 1
current_remaining = 0
if ldapbackend and (basedn == subobj.domaindn):
# Only delete objects that were created by provision
anything = "(objectcategory=*)"
k = 0
while ++k < 10 and (previous_remaining != current_remaining):
# and the rest
res2 = ldb.search(Dn(ldb, basedn), SCOPE_SUBTREE, anything, ["dn"])
previous_remaining = current_remaining
current_remaining = len(res2)
for msg in res2:
try:
ldb.delete(msg.dn)
except LdbError, (_, text):
message("Unable to delete %s: %s" % (msg.dn, text))
def open_ldb(session_info, credentials, dbname):
assert session_info is not None
try:
return Ldb(dbname, session_info=session_info, credentials=credentials)
except LdbError, e:
print e
os.unlink(dbname)
return Ldb(dbname, session_info=session_info, credentials=credentials)
def setup_add_ldif(setup_dir, ldif, subobj, ldb):
"""Setup a ldb in the private dir."""
assert isinstance(ldif, str)
assert isinstance(setup_dir, str)
src = os.path.join(setup_dir, ldif)
data = open(src, 'r').read()
data = substitute_var(data, subobj.subst_vars())
for msg in ldb.parse_ldif(data):
ldb.add(msg[1])
def setup_modify_ldif(setup_dir, ldif, subobj, ldb):
src = os.path.join(setup_dir, ldif)
data = open(src, 'r').read()
data = substitute_var(data, subobj.subst_vars())
for (changetype, msg) in ldb.parse_ldif(data):
ldb.modify(msg)
def setup_ldb(setup_dir, ldif, session_info, credentials, subobj, dbname,
erase=True):
assert dbname is not None
ldb = open_ldb(session_info, credentials, dbname)
assert ldb is not None
ldb.transaction_start()
try:
if erase:
ldb_erase(ldb);
setup_add_ldif(setup_dir, ldif, subobj, ldb)
except:
ldb.transaction_cancel()
raise
ldb.transaction_commit()
def setup_ldb_modify(setup_dir, ldif, subobj, ldb):
"""Modify a ldb in the private dir."""
src = os.path.join(setup_dir, ldif)
data = open(src, 'r').read()
data = substitute_var(data, subobj.subst_vars())
assert not "${" in data
for (changetype, msg) in ldb.parse_ldif(data):
ldb.modify(msg)
def setup_file(setup_dir, template, message, fname, subobj):
"""Setup a file in the private dir."""
f = fname
src = os.path.join(setup_dir, template)
os.unlink(f)
data = open(src, 'r').read()
data = substitute_var(data, subobj.subst_vars())
assert not "${" in data
open(f, 'w').write(data)
def provision_default_paths(lp, subobj):
"""Set the default paths for provisioning.
:param lp: Loadparm context.
:param subobj: Object
"""
paths = ProvisionPaths()
private_dir = lp.get("private dir")
paths.shareconf = os.path.join(private_dir, "share.ldb")
paths.samdb = lp.get("sam database") or os.path.join(private_dir, "samdb.ldb")
paths.secrets = lp.get("secrets database") or os.path.join(private_dir, "secrets.ldb")
paths.templates = os.path.join(private_dir, "templates.ldb")
paths.keytab = os.path.join(private_dir, "secrets.keytab")
paths.dns = os.path.join(private_dir, subobj.dnsdomain + ".zone")
paths.winsdb = os.path.join(private_dir, "wins.ldb")
paths.ldap_basedn_ldif = os.path.join(private_dir, subobj.dnsdomain + ".ldif")
paths.ldap_config_basedn_ldif = os.path.join(private_dir, subobj.dnsdomain + "-config.ldif")
paths.ldap_schema_basedn_ldif = os.path.join(private_dir, subobj.dnsdomain + "-schema.ldif")
paths.s4_ldapi_path = os.path.join(private_dir, "ldapi")
paths.phpldapadminconfig = os.path.join(private_dir, "phpldapadmin-config.php")
paths.hklm = os.path.join(private_dir, "hklm.ldb")
return paths
def setup_name_mappings(subobj, ldb):
"""setup reasonable name mappings for sam names to unix names."""
res = ldb.search(Dn(ldb, subobj.domaindn), SCOPE_BASE, "objectSid=*",
["objectSid"])
assert len(res) == 1
assert "objectSid" in res[0]
sid = list(res[0]["objectSid"])[0]
# add some foreign sids if they are not present already
add_foreign(ldb, subobj, "S-1-5-7", "Anonymous")
add_foreign(ldb, subobj, "S-1-1-0", "World")
add_foreign(ldb, subobj, "S-1-5-2", "Network")
add_foreign(ldb, subobj, "S-1-5-18", "System")
add_foreign(ldb, subobj, "S-1-5-11", "Authenticated Users")
# some well known sids
setup_name_mapping(subobj, ldb, "S-1-5-7", subobj.nobody)
setup_name_mapping(subobj, ldb, "S-1-1-0", subobj.nogroup)
setup_name_mapping(subobj, ldb, "S-1-5-2", subobj.nogroup)
setup_name_mapping(subobj, ldb, "S-1-5-18", subobj.root)
setup_name_mapping(subobj, ldb, "S-1-5-11", subobj.users)
setup_name_mapping(subobj, ldb, "S-1-5-32-544", subobj.wheel)
setup_name_mapping(subobj, ldb, "S-1-5-32-545", subobj.users)
setup_name_mapping(subobj, ldb, "S-1-5-32-546", subobj.nogroup)
setup_name_mapping(subobj, ldb, "S-1-5-32-551", subobj.backup)
# and some well known domain rids
setup_name_mapping(subobj, ldb, sid + "-500", subobj.root)
setup_name_mapping(subobj, ldb, sid + "-518", subobj.wheel)
setup_name_mapping(subobj, ldb, sid + "-519", subobj.wheel)
setup_name_mapping(subobj, ldb, sid + "-512", subobj.wheel)
setup_name_mapping(subobj, ldb, sid + "-513", subobj.users)
setup_name_mapping(subobj, ldb, sid + "-520", subobj.wheel)
def provision_become_dc(setup_dir, subobj, message, paths, session_info,
credentials):
assert session_info is not None
subobj.fix(paths)
message("Setting up templates into %s" % paths.templates)
setup_ldb(setup_dir, "provision_templates.ldif", session_info,
credentials, subobj, paths.templates)
# Also wipes the database
message("Setting up %s partitions" % paths.samdb)
setup_ldb(setup_dir, "provision_partitions.ldif", session_info,
credentials, subobj, paths.samdb)
samdb = open_ldb(session_info, credentials, paths.samdb)
ldb.transaction_start()
try:
message("Setting up %s attributes" % paths.samdb)
setup_add_ldif(setup_dir, "provision_init.ldif", subobj, samdb)
message("Setting up %s rootDSE" % paths.samdb)
setup_add_ldif(setup_dir, "provision_rootdse_add.ldif", subobj, samdb)
message("Erasing data from partitions")
ldb_erase_partitions(subobj, message, samdb, undefined)
message("Setting up %s indexes" % paths.samdb)
setup_add_ldif(setup_dir, "provision_index.ldif", subobj, samdb)
except:
samdb.transaction_cancel()
raise
samdb.transaction_commit()
message("Setting up %s" % paths.secrets)
setup_ldb(setup_dir, "secrets_init.ldif", session_info, credentials,
subobj, paths.secrets)
setup_ldb(setup_dir, "secrets.ldif", session_info, credentials, subobj,
paths.secrets, False)
def provision(lp, setup_dir, subobj, message, blank, paths, session_info,
credentials, ldapbackend):
"""Provision samba4
:note: caution, this wipes all existing data!
"""
subobj.fix(paths)
if subobj.domain_guid is not None:
subobj.domainguid_mod = "replace: objectGUID\nobjectGUID: %s\n-" % subobj.domain_guid
else:
subobj.domainguid_mod = ""
if subobj.host_guid is not None:
subobj.hostguid_add = "objectGUID: %s" % subobj.host_guid
else:
subobj.hostguid_add = ""
assert paths.smbconf is not None
# only install a new smb.conf if there isn't one there already
if not os.path.exists(paths.smbconf):
message("Setting up smb.conf")
setup_file(setup_dir, "provision.smb.conf", message, paths.smbconf, subobj)
lp.reload()
# only install a new shares config db if there is none
if not os.path.exists(paths.shareconf):
message("Setting up share.ldb")
setup_ldb(setup_dir, "share.ldif", session_info, credentials, subobj, paths.shareconf)
message("Setting up %s" % paths.secrets)
setup_ldb(setup_dir, "secrets_init.ldif", session_info, credentials, subobj, paths.secrets)
setup_ldb(setup_dir, "secrets.ldif", session_info, credentials, subobj, paths.secrets, False)
message("Setting up registry")
reg = registry.Registry()
# FIXME: Still fails for some reason:
#reg.mount(paths.hklm, registry.HKEY_LOCAL_MACHINE, [])
#reg.apply_patchfile(os.path.join(setup_dir, "provision.reg"))
message("Setting up templates into %s" % paths.templates)
setup_ldb(setup_dir, "provision_templates.ldif", session_info, credentials, subobj, paths.templates)
message("Setting up sam.ldb partitions")
setup_ldb(setup_dir, "provision_partitions.ldif", session_info,
credentials, subobj, paths.samdb)
samdb = open_ldb(session_info, credentials, paths.samdb)
samdb.transaction_start()
try:
message("Setting up sam.ldb attributes")
setup_add_ldif(setup_dir, "provision_init.ldif", subobj, samdb)
message("Setting up sam.ldb rootDSE")
setup_add_ldif(setup_dir, "provision_rootdse_add.ldif", subobj, samdb)
message("Erasing data from partitions")
ldb_erase_partitions(subobj, message, samdb, ldapbackend)
except:
samdb.transaction_cancel()
raise
samdb.transaction_commit()
message("Pre-loading the Samba 4 and AD schema")
samdb = open_ldb(session_info, credentials, paths.samdb)
samdb.set_domain_sid(subobj.domainsid)
load_schema(setup_dir, subobj, samdb)
samdb.transaction_start()
try:
message("Adding DomainDN: %s (permitted to fail)" % subobj.domaindn)
setup_add_ldif(setup_dir, "provision_basedn.ldif", subobj, samdb)
message("Modifying DomainDN: " + subobj.domaindn + "")
setup_ldb_modify(setup_dir, "provision_basedn_modify.ldif", subobj, samdb)
message("Adding configuration container (permitted to fail)")
setup_add_ldif(setup_dir, "provision_configuration_basedn.ldif", subobj, samdb)
message("Modifying configuration container")
setup_ldb_modify(setup_dir, "provision_configuration_basedn_modify.ldif", subobj, samdb)
message("Adding schema container (permitted to fail)")
setup_add_ldif(setup_dir, "provision_schema_basedn.ldif", subobj, samdb)
message("Modifying schema container")
setup_ldb_modify(setup_dir, "provision_schema_basedn_modify.ldif", subobj, samdb)
message("Setting up sam.ldb Samba4 schema")
setup_add_ldif(setup_dir, "schema_samba4.ldif", subobj, samdb)
message("Setting up sam.ldb AD schema")
setup_add_ldif(setup_dir, "schema.ldif", subobj, samdb)
message("Setting up sam.ldb configuration data")
setup_add_ldif(setup_dir, "provision_configuration.ldif", subobj, samdb)
message("Setting up display specifiers")
setup_add_ldif(setup_dir, "display_specifiers.ldif", subobj, samdb)
message("Adding users container (permitted to fail)")
setup_add_ldif(setup_dir, "provision_users_add.ldif", subobj, samdb)
message("Modifying users container")
setup_ldb_modify(setup_dir, "provision_users_modify.ldif", subobj, samdb)
message("Adding computers container (permitted to fail)")
setup_add_ldif(setup_dir, "provision_computers_add.ldif", subobj, samdb)
message("Modifying computers container")
setup_ldb_modify(setup_dir, "provision_computers_modify.ldif", subobj, samdb)
message("Setting up sam.ldb data")
setup_add_ldif(setup_dir, "provision.ldif", subobj, samdb)
if blank:
message("Setting up sam.ldb index")
setup_add_ldif(setup_dir, "provision_index.ldif", subobj, samdb)
message("Setting up sam.ldb rootDSE marking as syncronized")
setup_modify_ldif(setup_dir, "provision_rootdse_modify.ldif", subobj, samdb)
samdb.transaction_commit()
return
# message("Activate schema module")
# setup_modify_ldif("schema_activation.ldif", info, samdb, False)
#
# // (hack) Reload, now we have the schema loaded.
# commit_ok = samdb.transaction_commit()
# if (!commit_ok) {
# message("samdb commit failed: " + samdb.errstring() + "\n")
# assert(commit_ok)
# }
# samdb.close()
#
# samdb = open_ldb(info, paths.samdb, False)
#
message("Setting up sam.ldb users and groups")
setup_add_ldif(setup_dir, "provision_users.ldif", subobj, samdb)
setup_name_mappings(subobj, samdb)
message("Setting up sam.ldb index")
setup_add_ldif(setup_dir, "provision_index.ldif", subobj, samdb)
message("Setting up sam.ldb rootDSE marking as syncronized")
setup_modify_ldif(setup_dir, "provision_rootdse_modify.ldif", subobj, samdb)
except:
samdb.transaction_cancel()
raise
samdb.transaction_commit()
message("Setting up phpLDAPadmin configuration")
setup_file(setup_dir, "phpldapadmin-config.php", message,
paths.phpldapadminconfig, subobj)
message("Please install the phpLDAPadmin configuration located at %s into /etc/phpldapadmin/config.php" % paths.phpldapadminconfig)
def provision_dns(setup_dir, subobj, message, paths, session_info, credentials):
"""Write out a DNS zone file, from the info in the current database."""
message("Setting up DNS zone: %s" % subobj.dnsdomain)
# connect to the sam
ldb = Ldb(paths.samdb, session_info=session_info, credentials=credentials)
# These values may have changed, due to an incoming SamSync,
# or may not have been specified, so fetch them from the database
res = ldb.search(Dn(ldb, subobj.domaindn), SCOPE_BASE, "objectGUID=*",
["objectGUID"])
assert(len(res) == 1)
assert(res[0]["objectGUID"] is not None)
subobj.domainguid = res[0]["objectGUID"]
subobj.host_guid = searchone(ldb, subobj.domaindn,
"(&(objectClass=computer)(cn=%s))" % subobj.netbiosname, "objectGUID")
assert subobj.host_guid is not None
setup_file(setup_dir, "provision.zone", message, paths.dns, subobj)
message("Please install the zone located in %s into your DNS server" % paths.dns)
def provision_ldapbase(setup_dir, subobj, message, paths):
"""Write out a DNS zone file, from the info in the current database."""
message("Setting up LDAP base entry: %s" % subobj.domaindn)
rdns = subobj.domaindn.split(",")
subobj.extensibleobject = "objectClass: extensibleObject"
subobj.rdn_dc = rdns[0][len("DC="):]
setup_file(setup_dir, "provision_basedn.ldif",
message, paths.ldap_basedn_ldif,
subobj)
setup_file(setup_dir, "provision_configuration_basedn.ldif",
message, paths.ldap_config_basedn_ldif,
subobj)
setup_file(setup_dir, "provision_schema_basedn.ldif",
message, paths.ldap_schema_basedn_ldif,
subobj)
message("Please install the LDIF located in " + paths.ldap_basedn_ldif + ", " + paths.ldap_config_basedn_ldif + " and " + paths.ldap_schema_basedn_ldif + " into your LDAP server, and re-run with --ldap-backend=ldap://my.ldap.server")
def provision_guess(lp):
"""guess reasonably default options for provisioning."""
subobj = ProvisionSettings(realm=lp.get("realm").upper(),
domain=lp.get("workgroup"),
hostname=hostname(),
hostip=hostip())
assert subobj.realm is not None
assert subobj.domain is not None
assert subobj.hostname is not None
subobj.domainsid = sid.random()
subobj.invocationid = uuid.random()
subobj.policyguid = uuid.random()
subobj.krbtgtpass = misc.random_password(12)
subobj.machinepass = misc.random_password(12)
subobj.adminpass = misc.random_password(12)
subobj.dnspass = misc.random_password(12)
subobj.datestring = time.strftime("%Y%m%d%H")
subobj.root = findnss(pwd.getpwnam, "root")[4]
subobj.nobody = findnss(pwd.getpwnam, "nobody")[4]
subobj.nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2]
subobj.wheel = findnss(grp.getgrnam, "wheel", "root", "staff", "adm")[2]
subobj.backup = findnss(grp.getgrnam, "backup", "wheel", "root", "staff")[2]
subobj.users = findnss(grp.getgrnam, "users", "guest", "other", "unknown", "usr")[2]
subobj.dnsdomain = subobj.realm.lower()
subobj.dnsname = "%s.%s" % (subobj.hostname.lower(), subobj.dnsdomain)
subobj.domaindn = "DC=" + subobj.dnsdomain.replace(".", ",DC=")
subobj.domaindn_ldb = "users.ldb"
subobj.rootdn = subobj.domaindn
subobj.configdn = "CN=Configuration," + subobj.rootdn
subobj.configdn_ldb = "configuration.ldb"
subobj.schemadn = "CN=Schema," + subobj.configdn
subobj.schemadn_ldb = "schema.ldb"
#Add modules to the list to activate them by default
#beware often order is important
#
# Some Known ordering constraints:
# - rootdse must be first, as it makes redirects from "" -> cn=rootdse
# - objectclass must be before password_hash, because password_hash checks
# that the objectclass is of type person (filled in by objectclass
# module when expanding the objectclass list)
# - partition must be last
# - each partition has its own module list then
subobj.modules_list = ["rootdse",
"paged_results",
"ranged_results",
"server_sort",
"extended_dn",
"asq",
"samldb",
"rdn_name",
"objectclass",
"kludge_acl",
"operational"]
subobj.tdb_modules_list = [
"subtree_rename",
"subtree_delete",
"linked_attributes"]
subobj.modules_list2 = ["show_deleted",
"partition"]
subobj.extensibleobject = "# no objectClass: extensibleObject for local ldb"
subobj.aci = "# no aci for local ldb"
return subobj
def searchone(ldb, basedn, expression, attribute):
"""search for one attribute as a string."""
res = ldb.search(basedn, SCOPE_SUBTREE, expression, [attribute])
if len(res) != 1 or res[0][attribute] is None:
return None
return res[0][attribute]
def load_schema(setup_dir, subobj, samdb):
"""Load schema."""
src = os.path.join(setup_dir, "schema.ldif")
schema_data = open(src, 'r').read()
src = os.path.join(setup_dir, "schema_samba4.ldif")
schema_data += open(src, 'r').read()
schema_data = substitute_var(schema_data, subobj.subst_vars())
src = os.path.join(setup_dir, "provision_schema_basedn_modify.ldif")
head_data = open(src, 'r').read()
head_data = substitute_var(head_data, subobj.subst_vars())
samdb.attach_dsdb_schema_from_ldif(head_data, schema_data)
def enable_account(ldb, user_dn):
"""enable the account."""
res = ldb.search(user_dn, SCOPE_ONELEVEL, None, ["userAccountControl"])
assert len(res) == 1
userAccountControl = res[0].userAccountControl
userAccountControl = userAccountControl - 2 # remove disabled bit
mod = """
dn: %s
changetype: modify
replace: userAccountControl
userAccountControl: %u
""" % (user_dn, userAccountControl)
ldb.modify(mod)
def newuser(sam, username, unixname, password, message, session_info,
credentials):
"""add a new user record"""
# connect to the sam
ldb.transaction_start()
# find the DNs for the domain and the domain users group
res = ldb.search("", SCOPE_BASE, "defaultNamingContext=*",
["defaultNamingContext"])
assert(len(res) == 1 and res[0].defaultNamingContext is not None)
domain_dn = res[0].defaultNamingContext
assert(domain_dn is not None)
dom_users = searchone(ldb, domain_dn, "name=Domain Users", "dn")
assert(dom_users is not None)
user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn)
#
# the new user record. note the reliance on the samdb module to fill
# in a sid, guid etc
#
ldif = """
dn: %s
sAMAccountName: %s
unixName: %s
sambaPassword: %s
objectClass: user
""" % (user_dn, username, unixname, password)
# add the user to the users group as well
modgroup = """
dn: %s
changetype: modify
add: member
member: %s
""" % (dom_users, user_dn)
# now the real work
message("Adding user %s" % user_dn)
ldb.add(ldif)
message("Modifying group %s" % dom_users)
ldb.modify(modgroup)
# modify the userAccountControl to remove the disabled bit
enable_account(ldb, user_dn)
ldb.transaction_commit()
def valid_netbios_name(name):
"""Check whether a name is valid as a NetBIOS name. """
# FIXME: There are probably more constraints here.
# crh has a paragraph on this in his book (1.4.1.1)
if len(name) > 13:
return False
return True
def join_domain(domain, netbios_name, join_type, creds, message):
ctx = NetContext(creds)
joindom = object()
joindom.domain = domain
joindom.join_type = join_type
joindom.netbios_name = netbios_name
if not ctx.JoinDomain(joindom):
raise Exception("Domain Join failed: " + joindom.error_string)
def vampire(domain, session_info, credentials, message):
"""Vampire a remote domain.
Session info and credentials are required for for
access to our local database (might be remote ldap)
"""
ctx = NetContext(credentials)
vampire_ctx = object()
machine_creds = credentials_init()
machine_creds.set_domain(form.domain)
if not machine_creds.set_machine_account():
raise Exception("Failed to access domain join information!")
vampire_ctx.machine_creds = machine_creds
vampire_ctx.session_info = session_info
if not ctx.SamSyncLdb(vampire_ctx):
raise Exception("Migration of remote domain to Samba failed: %s " % vampire_ctx.error_string)

561
source/scripting/python/samba/upgrade.py Normal file
View File

@@ -0,0 +1,561 @@
#!/usr/bin/python
#
# backend code for upgrading from Samba3
# Copyright Jelmer Vernooij 2005-2007
# Released under the GNU GPL v3 or later
#
"""Support code for upgrading from Samba 3 to Samba 4."""
from provision import findnss
import provision
import grp
import pwd
from uuid import uuid4
from param import default_configuration
def regkey_to_dn(name):
dn = "hive=NONE"
for el in name.split("/")[1:]:
dn = "key=%s," % el + dn
return dn
# Where prefix is any of:
# - HKLM
# HKU
# HKCR
# HKPD
# HKPT
#
def upgrade_registry(regdb,prefix,ldb):
"""Migrate registry contents."""
assert regdb is not None:
prefix_up = prefix.upper()
ldif = []
for rk in regdb.keys:
pts = rk.name.split("/")
# Only handle selected hive
if pts[0].upper() != prefix_up:
continue
keydn = regkey_to_dn(rk.name)
pts = rk.name.split("/")
# Convert key name to dn
ldif[rk.name] = """
dn: %s
name: %s
""" % (keydn, pts[0])
for rv in rk.values:
ldif[rk.name + " (" + rv.name + ")"] = """
dn: %s,value=%s
value: %s
type: %d
data:: %s""" % (keydn, rv.name, rv.name, rv.type, ldb.encode(rv.data))
return ldif
def upgrade_sam_policy(samba3,dn):
ldif = """
dn: %s
changetype: modify
replace: minPwdLength
minPwdLength: %d
pwdHistoryLength: %d
minPwdAge: %d
maxPwdAge: %d
lockoutDuration: %d
samba3ResetCountMinutes: %d
samba3UserMustLogonToChangePassword: %d
samba3BadLockoutMinutes: %d
samba3DisconnectTime: %d
""" % (dn, samba3.policy.min_password_length,
samba3.policy.password_history, samba3.policy.minimum_password_age,
samba3.policy.maximum_password_age, samba3.policy.lockout_duration,
samba3.policy.reset_count_minutes, samba3.policy.user_must_logon_to_change_password,
samba3.policy.bad_lockout_minutes, samba3.policy.disconnect_time)
return ldif
def upgrade_sam_account(ldb,acc,domaindn,domainsid):
"""Upgrade a SAM account."""
if acc.nt_username is None or acc.nt_username == "":
acc.nt_username = acc.username
if acc.fullname is None:
acc.fullname = pwd.getpwnam(acc.fullname)[4]
acc.fullname = acc.fullname.split(",")[0]
if acc.fullname is None:
acc.fullname = acc.username
assert acc.fullname is not None
assert acc.nt_username is not None
ldif = """dn: cn=%s,%s
objectClass: top
objectClass: user
lastLogon: %d
lastLogoff: %d
unixName: %s
sAMAccountName: %s
cn: %s
description: %s
primaryGroupID: %d
badPwdcount: %d
logonCount: %d
samba3Domain: %s
samba3DirDrive: %s
samba3MungedDial: %s
samba3Homedir: %s
samba3LogonScript: %s
samba3ProfilePath: %s
samba3Workstations: %s
samba3KickOffTime: %d
samba3BadPwdTime: %d
samba3PassLastSetTime: %d
samba3PassCanChangeTime: %d
samba3PassMustChangeTime: %d
objectSid: %s-%d
lmPwdHash:: %s
ntPwdHash:: %s
""" % (ldb.dn_escape(acc.fullname), domaindn, acc.logon_time, acc.logoff_time, acc.username, acc.nt_username, acc.nt_username,
acc.acct_desc, acc.group_rid, acc.bad_password_count, acc.logon_count,
acc.domain, acc.dir_drive, acc.munged_dial, acc.homedir, acc.logon_script,
acc.profile_path, acc.workstations, acc.kickoff_time, acc.bad_password_time,
acc.pass_last_set_time, acc.pass_can_change_time, acc.pass_must_change_time, domainsid, acc.user_rid,
ldb.encode(acc.lm_pw), ldb.encode(acc.nt_pw))
return ldif
def upgrade_sam_group(group,domaindn):
"""Upgrade a SAM group."""
if group.sid_name_use == 5: # Well-known group
return None
if group.nt_name in ("Domain Guests", "Domain Users", "Domain Admins"):
return None
if group.gid == -1:
gr = grp.getgrnam(grp.nt_name)
else:
gr = grp.getgrgid(grp.gid)
if gr is None:
group.unixname = "UNKNOWN"
else:
group.unixname = gr.gr_name
assert group.unixname is not None
ldif = """dn: cn=%s,%s
objectClass: top
objectClass: group
description: %s
cn: %s
objectSid: %s
unixName: %s
samba3SidNameUse: %d
""" % (group.nt_name, domaindn,
group.comment, group.nt_name, group.sid, group.unixname, group.sid_name_use)
return ldif
def upgrade_winbind(samba3,domaindn):
ldif = """
dn: dc=none
userHwm: %d
groupHwm: %d
""" % (samba3.idmap.user_hwm, samba3.idmap.group_hwm)
for m in samba3.idmap.mappings:
ldif += """
dn: SID=%s,%s
SID: %s
type: %d
unixID: %d""" % (m.sid, domaindn, m.sid, m.type, m.unix_id)
return ldif
def upgrade_wins(samba3):
ldif = ""
version_id = 0
for e in samba3.winsentries:
now = sys.nttime()
ttl = sys.unix2nttime(e.ttl)
version_id+=1
numIPs = len(e.ips)
if e.type == 0x1C:
rType = 0x2
elif e.type & 0x80:
if numIPs > 1:
rType = 0x2
else:
rType = 0x1
else:
if numIPs > 1:
rType = 0x3
else:
rType = 0x0
if ttl > now:
rState = 0x0 # active
else:
rState = 0x1 # released
nType = ((e.nb_flags & 0x60)>>5)
ldif += """
dn: name=%s,type=0x%02X
type: 0x%02X
name: %s
objectClass: winsRecord
recordType: %u
recordState: %u
nodeType: %u
isStatic: 0
expireTime: %s
versionID: %llu
""" % (e.name, e.type, e.type, e.name,
rType, rState, nType,
ldaptime(ttl), version_id)
for ip in e.ips:
ldif += "address: %s\n" % ip
ldif += """
dn: CN=VERSION
objectClass: winsMaxVersion
maxVersion: %llu
""" % version_id
return ldif
def upgrade_provision(lp, samba3):
subobj = Object()
domainname = samba3.configuration.get("workgroup")
if domainname is None:
domainname = samba3.secrets.domains[0].name
print "No domain specified in smb.conf file, assuming '%s'\n" % domainname
domsec = samba3.find_domainsecrets(domainname)
hostsec = samba3.find_domainsecrets(hostname())
realm = samba3.configuration.get("realm")
if realm is None:
realm = domainname
print "No realm specified in smb.conf file, assuming '%s'\n" % realm
random_init(local)
subobj.realm = realm
subobj.domain = domainname
subobj.hostname = hostname()
assert subobj.realm is not None
assert subobj.domain is not None
assert subobj.hostname is not None
subobj.HOSTIP = hostip()
if domsec is not None:
subobj.DOMAINGUID = domsec.guid
subobj.DOMAINSID = domsec.sid
else:
print "Can't find domain secrets for '%s'; using random SID and GUID\n" % domainname
subobj.DOMAINGUID = uuid4()
subobj.DOMAINSID = randsid()
if hostsec:
subobj.HOSTGUID = hostsec.guid
else:
subobj.HOSTGUID = uuid4()
subobj.invocationid = uuid4()
subobj.krbtgtpass = randpass(12)
subobj.machinepass = randpass(12)
subobj.adminpass = randpass(12)
subobj.datestring = datestring()
subobj.root = findnss(pwd.getpwnam, "root")[4]
subobj.nobody = findnss(pwd.getpwnam, "nobody")[4]
subobj.nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2]
subobj.wheel = findnss(grp.getgrnam, "wheel", "root")[2]
subobj.users = findnss(grp.getgrnam, "users", "guest", "other")[2]
subobj.dnsdomain = subobj.realm.lower()
subobj.dnsname = "%s.%s" % (subobj.hostname.lower(), subobj.dnsdomain)
subobj.basedn = "DC=" + ",DC=".join(subobj.realm.split("."))
rdn_list = subobj.dnsdomain.split(".")
subobj.domaindn = "DC=" + ",DC=".join(rdn_list)
subobj.domaindn_ldb = "users.ldb"
subobj.rootdn = subobj.domaindn
modules_list = ["rootdse",
"kludge_acl",
"paged_results",
"server_sort",
"extended_dn",
"asq",
"samldb",
"password_hash",
"operational",
"objectclass",
"rdn_name",
"show_deleted",
"partition"]
subobj.modules_list = ",".join(modules_list)
return subobj
smbconf_keep = [
"dos charset",
"unix charset",
"display charset",
"comment",
"path",
"directory",
"workgroup",
"realm",
"netbios name",
"netbios aliases",
"netbios scope",
"server string",
"interfaces",
"bind interfaces only",
"security",
"auth methods",
"encrypt passwords",
"null passwords",
"obey pam restrictions",
"password server",
"smb passwd file",
"private dir",
"passwd chat",
"password level",
"lanman auth",
"ntlm auth",
"client NTLMv2 auth",
"client lanman auth",
"client plaintext auth",
"read only",
"hosts allow",
"hosts deny",
"log level",
"debuglevel",
"log file",
"smb ports",
"large readwrite",
"max protocol",
"min protocol",
"unicode",
"read raw",
"write raw",
"disable netbios",
"nt status support",
"announce version",
"announce as",
"max mux",
"max xmit",
"name resolve order",
"max wins ttl",
"min wins ttl",
"time server",
"unix extensions",
"use spnego",
"server signing",
"client signing",
"max connections",
"paranoid server security",
"socket options",
"strict sync",
"max print jobs",
"printable",
"print ok",
"printer name",
"printer",
"map system",
"map hidden",
"map archive",
"preferred master",
"prefered master",
"local master",
"browseable",
"browsable",
"wins server",
"wins support",
"csc policy",
"strict locking",
"preload",
"auto services",
"lock dir",
"lock directory",
"pid directory",
"socket address",
"copy",
"include",
"available",
"volume",
"fstype",
"panic action",
"msdfs root",
"host msdfs",
"winbind separator"]
#
# Remove configuration variables not present in Samba4
# oldconf: Old configuration structure
# mark: Whether removed configuration variables should be
# kept in the new configuration as "samba3:<name>"
def upgrade_smbconf(oldconf,mark):
data = oldconf.data()
newconf = param_init()
for (s in data) {
for (p in data[s]) {
keep = False
for (k in smbconf_keep) {
if smbconf_keep[k] == p:
keep = True
break
}
if keep:
newconf.set(s, p, oldconf.get(s, p))
elif mark:
newconf.set(s, "samba3:"+p, oldconf.get(s,p))
}
}
if oldconf.get("domain logons") == "True":
newconf.set("server role", "domain controller")
else:
if oldconf.get("security") == "user":
newconf.set("server role", "standalone")
else:
newconf.set("server role", "member server")
return newconf
def upgrade(subobj, samba3, message, paths, session_info, credentials):
ret = 0
lp = loadparm_init()
samdb = Ldb(paths.samdb, session_info=session_info, credentials=credentials)
message("Writing configuration")
newconf = upgrade_smbconf(samba3.configuration,True)
newconf.save(paths.smbconf)
message("Importing account policies")
ldif = upgrade_sam_policy(samba3,subobj.BASEDN)
samdb.modify(ldif)
regdb = Ldb(paths.hklm)
regdb.modify("
dn: value=RefusePasswordChange,key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=System,HIVE=NONE
replace: type
type: 4
replace: data
data: %d
" % samba3.policy.refuse_machine_password_change)
message("Importing users")
for account in samba3.samaccounts:
msg = "... " + account.username
ldif = upgrade_sam_account(samdb, accounts,subobj.BASEDN,subobj.DOMAINSID)
try:
samdb.add(ldif)
except LdbError, e:
# FIXME: Ignore 'Record exists' errors
msg += "... error: " + str(e)
ret += 1;
message(msg)
message("Importing groups")
for mapping in samba3.groupmappings:
msg = "... " + mapping.nt_name
ldif = upgrade_sam_group(mapping, subobj.BASEDN)
if ldif is not None:
try:
samdb.add(ldif)
except LdbError, e:
# FIXME: Ignore 'Record exists' errors
msg += "... error: " + str(e)
ret += 1
message(msg)
message("Importing registry data")
for hive in ["hkcr","hkcu","hklm","hkpd","hku","hkpt"]:
message("... " + hive)
regdb = Ldb(paths[hive])
ldif = upgrade_registry(samba3.registry, hive, regdb)
for (var j in ldif) {
var msg = "... ... " + j
try:
regdb.add(ldif[j])
except LdbError, e:
# FIXME: Ignore 'Record exists' errors
msg += "... error: " + str(e)
ret += 1
message(msg)
message("Importing WINS data")
winsdb = Ldb(paths.winsdb)
ldb_erase(winsdb)
ldif = upgrade_wins(samba3)
winsdb.add(ldif)
# figure out ldapurl, if applicable
ldapurl = None
pdb = samba3.configuration.get_list("passdb backend")
if pdb is not None:
for backend in pdb:
if len(backend) >= 7 and backend[0:7] == "ldapsam":
ldapurl = backend[7:]
# URL was not specified in passdb backend but ldap /is/ used
if ldapurl == "":
ldapurl = "ldap://%s" % samba3.configuration.get("ldap server")
# Enable samba3sam module if original passdb backend was ldap
if ldapurl is not None:
message("Enabling Samba3 LDAP mappings for SAM database")
samdb.modify("""
dn: @MODULES
changetype: modify
replace: @LIST
@LIST: samldb,operational,objectguid,rdn_name,samba3sam
""")
samdb.add("""
dn: @MAP=samba3sam
@MAP_URL: %s""", ldapurl))
return ret
def upgrade_verify(subobj, samba3, paths, message):
message("Verifying account policies")
samldb = Ldb(paths.samdb)
for account in samba3.samaccounts:
msg = samldb.search("(&(sAMAccountName=" + account.nt_username + ")(objectclass=user))")
assert(len(msg) >= 1)
# FIXME