1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

provision: Use names.domainsid and names.domainguid

This is better than passing around parameters to functions all over
the provision stack and makes it easier to pass in a seperate forest
SID when we start to support subdomains.

Change-Id: I3787f4f3433ca04628f888135c7c0c8195379542
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
This commit is contained in:
Andrew Bartlett 2014-08-08 18:43:47 +12:00
parent 79ee8fc82c
commit 204337f454
3 changed files with 55 additions and 46 deletions

View File

@ -95,6 +95,7 @@ class dc_join(object):
ctx.schema_dn = str(ctx.samdb.get_schema_basedn())
ctx.config_dn = str(ctx.samdb.get_config_basedn())
ctx.domsid = ctx.samdb.get_domain_sid()
ctx.forestsid = ctx.domsid
ctx.domain_name = ctx.get_domain_name()
ctx.forest_domain_name = ctx.get_forest_domain_name()
ctx.invocation_id = misc.GUID(str(uuid.uuid4()))
@ -729,6 +730,9 @@ class dc_join(object):
ctx.paths = presult.paths
ctx.names = presult.names
# Fix up the forestsid, it may be different if we are joining as a subdomain
ctx.names.forestsid = ctx.forestsid
def join_provision_own_domain(ctx):
"""Provision the local SAM."""
@ -750,19 +754,18 @@ class dc_join(object):
raise DCJoinException("Can't find naming context on partition DN %s in %s" % (ctx.partition_dn, ctx.samdb.url))
try:
domguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID')))
ctx.names.domainguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID')))
except KeyError:
raise DCJoinException("Can't find GUID in naming master on partition DN %s" % res[0]['ncName'][0])
ctx.logger.info("Got domain GUID %s" % domguid)
ctx.logger.info("Got domain GUID %s" % ctx.names.domainguid)
ctx.logger.info("Calling own domain provision")
secrets_ldb = Ldb(ctx.paths.secrets, session_info=system_session(), lp=ctx.lp)
presult = provision_fill(ctx.local_samdb, secrets_ldb,
ctx.logger, ctx.names, ctx.paths, domainsid=security.dom_sid(ctx.domsid),
domainguid=domguid,
ctx.logger, ctx.names, ctx.paths,
dom_for_fun_level=DS_DOMAIN_FUNCTION_2003,
targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN,
machinepass=ctx.acct_pass, serverrole="active directory domain controller",
@ -927,7 +930,7 @@ class dc_join(object):
key_version_number=ctx.key_version_number)
if ctx.dns_backend.startswith("BIND9_"):
setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid),
setup_bind9_dns(ctx.local_samdb, secrets_ldb,
ctx.names, ctx.paths, ctx.lp, ctx.logger,
dns_backend=ctx.dns_backend,
dnspass=ctx.dnspass, os_level=ctx.behavior_version,
@ -1206,6 +1209,7 @@ def join_subdomain(logger=None, server=None, creds=None, lp=None, site=None,
logger.info("DNS name of new naming master is %s" % ctx.server)
ctx.base_dn = samba.dn_from_dns_name(dnsdomain)
ctx.forestsid = ctx.domsid
ctx.domsid = str(security.random_sid())
ctx.acct_dn = None
ctx.dnshostname = "%s.%s" % (ctx.myname.lower(), ctx.dnsdomain)

View File

@ -164,6 +164,9 @@ class ProvisionNames(object):
self.hostname = None
self.sitename = None
self.smbconf = None
self.domainsid = None
self.forestsid = None
self.domainguid = None
self.name_map = {}
@ -262,6 +265,7 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
"objectSid","msDS-Behavior-Version" ])
names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
names.forestsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
if res6[0].get("msDS-Behavior-Version") is None or \
int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
names.domainlevel = DS_DOMAIN_FUNCTION_2000
@ -1219,7 +1223,7 @@ def setup_samdb(path, session_info, provision_backend, lp, names,
return samdb
def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
def fill_samdb(samdb, lp, names, logger, policyguid,
policyguid_dc, fill, adminpass, krbtgtpass, machinepass, dns_backend,
dnspass, invocationid, ntdsguid, serverrole, am_rodc=False,
dom_for_fun_level=None, schema=None, next_rid=None, dc_rid=None):
@ -1266,23 +1270,23 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
samdb.set_opaque_integer("domainControllerFunctionality",
domainControllerFunctionality)
samdb.set_domain_sid(str(domainsid))
samdb.set_domain_sid(str(names.domainsid))
samdb.set_invocation_id(invocationid)
logger.info("Adding DomainDN: %s" % names.domaindn)
# impersonate domain admin
admin_session_info = admin_session(lp, str(domainsid))
admin_session_info = admin_session(lp, str(names.domainsid))
samdb.set_session_info(admin_session_info)
if domainguid is not None:
domainguid_line = "objectGUID: %s\n-" % domainguid
if names.domainguid is not None:
domainguid_line = "objectGUID: %s\n-" % names.domainguid
else:
domainguid_line = ""
descr = b64encode(get_domain_descriptor(domainsid))
descr = b64encode(get_domain_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
"DOMAINDN": names.domaindn,
"DOMAINSID": str(domainsid),
"DOMAINSID": str(names.domainsid),
"DESCRIPTOR": descr,
"DOMAINGUID": domainguid_line
})
@ -1301,7 +1305,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
if fill == FILL_FULL:
logger.info("Adding configuration container")
descr = b64encode(get_config_descriptor(domainsid))
descr = b64encode(get_config_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), {
"CONFIGDN": names.configdn,
"DESCRIPTOR": descr,
@ -1335,12 +1339,12 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
if fill == FILL_FULL:
logger.info("Setting up sam.ldb configuration data")
partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
sites_descr = b64encode(get_config_sites_descriptor(domainsid))
ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(domainsid))
protected1_descr = b64encode(get_config_delete_protected1_descriptor(domainsid))
protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
protected2_descr = b64encode(get_config_delete_protected2_descriptor(domainsid))
partitions_descr = b64encode(get_config_partitions_descriptor(names.domainsid))
sites_descr = b64encode(get_config_sites_descriptor(names.domainsid))
ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(names.domainsid))
protected1_descr = b64encode(get_config_delete_protected1_descriptor(names.domainsid))
protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
"CONFIGDN": names.configdn,
@ -1379,7 +1383,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
})
logger.info("Adding users container")
users_desc = b64encode(get_domain_users_descriptor(domainsid))
users_desc = b64encode(get_domain_users_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
"DOMAINDN": names.domaindn,
"USERS_DESCRIPTOR": users_desc
@ -1388,7 +1392,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
"DOMAINDN": names.domaindn})
logger.info("Adding computers container")
computers_desc = b64encode(get_domain_computers_descriptor(domainsid))
computers_desc = b64encode(get_domain_computers_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
"DOMAINDN": names.domaindn,
"COMPUTERS_DESCRIPTOR": computers_desc
@ -1398,11 +1402,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
setup_path("provision_computers_modify.ldif"), {
"DOMAINDN": names.domaindn})
logger.info("Setting up sam.ldb data")
infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(domainsid))
system_desc = b64encode(get_domain_delete_protected1_descriptor(domainsid))
builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid))
infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(names.domainsid))
lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(names.domainsid))
system_desc = b64encode(get_domain_delete_protected1_descriptor(names.domainsid))
builtin_desc = b64encode(get_domain_builtin_descriptor(names.domainsid))
controllers_desc = b64encode(get_domain_controllers_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision.ldif"), {
"CREATTIME": str(samba.unix2nttime(int(time.time()))),
"DOMAINDN": names.domaindn,
@ -1427,7 +1431,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
"SCHEMADN": names.schemadn})
logger.info("Setting up well known security principals")
protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
"CONFIGDN": names.configdn,
"WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
@ -1441,7 +1445,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
logger.info("Setting up sam.ldb users and groups")
setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
"DOMAINDN": names.domaindn,
"DOMAINSID": str(domainsid),
"DOMAINSID": str(names.domainsid),
"ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')),
"KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
})
@ -1452,7 +1456,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
dns_backend=dns_backend,
dnspass=dnspass,
machinepass=machinepass,
domainsid=domainsid,
domainsid=names.domainsid,
next_rid=next_rid,
dc_rid=dc_rid,
policyguid=policyguid,
@ -1747,7 +1751,7 @@ def interface_ips_v6(lp):
def provision_fill(samdb, secrets_ldb, logger, names, paths,
domainsid, schema=None,
schema=None,
targetdir=None, samdb_fill=FILL_FULL,
hostip=None, hostip6=None,
next_rid=1000, dc_rid=None, adminpass=None, krbtgtpass=None,
@ -1778,7 +1782,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
dnspass = samba.generate_random_password(128, 255)
samdb = fill_samdb(samdb, lp, names, logger=logger,
domainsid=domainsid, schema=schema, domainguid=domainguid,
schema=schema,
policyguid=policyguid, policyguid_dc=policyguid_dc,
fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass,
invocationid=invocationid, machinepass=machinepass,
@ -1795,14 +1799,14 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
policyguid_dc)
if not skip_sysvolacl:
setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
paths.root_gid, domainsid, names.dnsdomain,
paths.root_gid, names.domainsid, names.dnsdomain,
names.domaindn, lp, use_ntvfs)
else:
logger.info("Setting acl on sysvol skipped")
secretsdb_self_join(secrets_ldb, domain=names.domain,
realm=names.realm, dnsdomain=names.dnsdomain,
netbiosname=names.netbiosname, domainsid=domainsid,
netbiosname=names.netbiosname, domainsid=names.domainsid,
machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC)
# Now set up the right msDS-SupportedEncryptionTypes into the DB
@ -1823,7 +1827,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
# It might be that this attribute does not exist in this schema
raise
setup_ad_dns(samdb, secrets_ldb, domainsid, names, paths, lp, logger,
setup_ad_dns(samdb, secrets_ldb, names, paths, lp, logger,
hostip=hostip, hostip6=hostip6, dns_backend=dns_backend,
dnspass=dnspass, os_level=dom_for_fun_level,
targetdir=targetdir, fill_level=samdb_fill)
@ -2049,6 +2053,9 @@ def provision(logger, session_info, smbconf=None,
names.hostip = hostip
names.hostip6 = hostip6
names.domainguid = domainguid
names.domainsid = domainsid
names.forestsid = domainsid
if serverrole is None:
serverrole = lp.get("server role")
@ -2152,9 +2159,9 @@ def provision(logger, session_info, smbconf=None,
if samdb_fill == FILL_FULL:
provision_fill(samdb, secrets_ldb, logger, names, paths,
schema=schema, targetdir=targetdir, samdb_fill=samdb_fill,
hostip=hostip, hostip6=hostip6, domainsid=domainsid,
hostip=hostip, hostip6=hostip6,
next_rid=next_rid, dc_rid=dc_rid, adminpass=adminpass,
krbtgtpass=krbtgtpass, domainguid=domainguid,
krbtgtpass=krbtgtpass,
policyguid=policyguid, policyguid_dc=policyguid_dc,
invocationid=invocationid, machinepass=machinepass,
ntdsguid=ntdsguid, dns_backend=dns_backend,

View File

@ -1033,14 +1033,13 @@ def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
domainguid, ntdsguid)
def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
def setup_ad_dns(samdb, secretsdb, names, paths, lp, logger,
dns_backend, os_level, dnspass=None, hostip=None, hostip6=None,
targetdir=None, fill_level=FILL_FULL):
"""Provision DNS information (assuming GC role)
:param samdb: LDB object connected to sam.ldb file
:param secretsdb: LDB object connected to secrets.ldb file
:param domainsid: Domain SID (as dom_sid object)
:param names: Names shortcut
:param paths: Paths shortcut
:param lp: Loadparm object
@ -1097,12 +1096,12 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
# Create CN=System
logger.info("Creating CN=MicrosoftDNS,CN=System,%s" % domaindn)
create_dns_legacy(samdb, domainsid, domaindn, dnsadmins_sid)
create_dns_legacy(samdb, names.domainsid, domaindn, dnsadmins_sid)
if os_level == DS_DOMAIN_FUNCTION_2000:
# Populating legacy dns
logger.info("Populating CN=MicrosoftDNS,CN=System,%s" % domaindn)
fill_dns_data_legacy(samdb, domainsid, domaindn, dnsdomain, site,
fill_dns_data_legacy(samdb, names.domainsid, domaindn, dnsdomain, site,
hostname, hostip, hostip6, dnsadmins_sid)
elif dns_backend in ("SAMBA_INTERNAL", "BIND9_DLZ") and \
@ -1110,30 +1109,29 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
# Create DNS partitions
logger.info("Creating DomainDnsZones and ForestDnsZones partitions")
create_dns_partitions(samdb, domainsid, names, domaindn, forestdn,
create_dns_partitions(samdb, names.domainsid, names, domaindn, forestdn,
dnsadmins_sid, fill_level)
# Populating dns partitions
logger.info("Populating DomainDnsZones and ForestDnsZones partitions")
fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
fill_dns_data_partitions(samdb, names.domainsid, site, domaindn, forestdn,
dnsdomain, dnsforest, hostname, hostip, hostip6,
domainguid, names.ntdsguid, dnsadmins_sid,
fill_level=fill_level)
if dns_backend.startswith("BIND9_"):
setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
dns_backend, os_level, site=site, dnspass=dnspass, hostip=hostip,
hostip6=hostip6, targetdir=targetdir)
def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
dns_backend, os_level, site=None, dnspass=None, hostip=None,
hostip6=None, targetdir=None, key_version_number=None):
"""Provision DNS information (assuming BIND9 backend in DC role)
:param samdb: LDB object connected to sam.ldb file
:param secretsdb: LDB object connected to secrets.ldb file
:param domainsid: Domain SID (as dom_sid object)
:param names: Names shortcut
:param paths: Paths shortcut
:param lp: Loadparm object
@ -1174,7 +1172,7 @@ def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
ntdsguid=names.ntdsguid)
if dns_backend == "BIND9_DLZ" and os_level >= DS_DOMAIN_FUNCTION_2003:
create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid)
create_samdb_copy(samdb, logger, paths, names, names.domainsid, domainguid)
create_named_conf(paths, realm=names.realm,
dnsdomain=names.dnsdomain, dns_backend=dns_backend,