provision: Use names.domainsid and names.domainguid
This is better than passing around parameters to functions all over the provision stack and makes it easier to pass in a separate forest SID when we start to support subdomains. Change-Id: I3787f4f3433ca04628f888135c7c0c8195379542 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
This commit is contained in:
parent
79ee8fc82c
commit
204337f454
@ -95,6 +95,7 @@ class dc_join(object):
|
||||
ctx.schema_dn = str(ctx.samdb.get_schema_basedn())
|
||||
ctx.config_dn = str(ctx.samdb.get_config_basedn())
|
||||
ctx.domsid = ctx.samdb.get_domain_sid()
|
||||
ctx.forestsid = ctx.domsid
|
||||
ctx.domain_name = ctx.get_domain_name()
|
||||
ctx.forest_domain_name = ctx.get_forest_domain_name()
|
||||
ctx.invocation_id = misc.GUID(str(uuid.uuid4()))
|
||||
@ -729,6 +730,9 @@ class dc_join(object):
|
||||
ctx.paths = presult.paths
|
||||
ctx.names = presult.names
|
||||
|
||||
# Fix up the forestsid, it may be different if we are joining as a subdomain
|
||||
ctx.names.forestsid = ctx.forestsid
|
||||
|
||||
def join_provision_own_domain(ctx):
|
||||
"""Provision the local SAM."""
|
||||
|
||||
@ -750,19 +754,18 @@ class dc_join(object):
|
||||
raise DCJoinException("Can't find naming context on partition DN %s in %s" % (ctx.partition_dn, ctx.samdb.url))
|
||||
|
||||
try:
|
||||
domguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID')))
|
||||
ctx.names.domainguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID')))
|
||||
except KeyError:
|
||||
raise DCJoinException("Can't find GUID in naming master on partition DN %s" % res[0]['ncName'][0])
|
||||
|
||||
ctx.logger.info("Got domain GUID %s" % domguid)
|
||||
ctx.logger.info("Got domain GUID %s" % ctx.names.domainguid)
|
||||
|
||||
ctx.logger.info("Calling own domain provision")
|
||||
|
||||
secrets_ldb = Ldb(ctx.paths.secrets, session_info=system_session(), lp=ctx.lp)
|
||||
|
||||
presult = provision_fill(ctx.local_samdb, secrets_ldb,
|
||||
ctx.logger, ctx.names, ctx.paths, domainsid=security.dom_sid(ctx.domsid),
|
||||
domainguid=domguid,
|
||||
ctx.logger, ctx.names, ctx.paths,
|
||||
dom_for_fun_level=DS_DOMAIN_FUNCTION_2003,
|
||||
targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN,
|
||||
machinepass=ctx.acct_pass, serverrole="active directory domain controller",
|
||||
@ -927,7 +930,7 @@ class dc_join(object):
|
||||
key_version_number=ctx.key_version_number)
|
||||
|
||||
if ctx.dns_backend.startswith("BIND9_"):
|
||||
setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid),
|
||||
setup_bind9_dns(ctx.local_samdb, secrets_ldb,
|
||||
ctx.names, ctx.paths, ctx.lp, ctx.logger,
|
||||
dns_backend=ctx.dns_backend,
|
||||
dnspass=ctx.dnspass, os_level=ctx.behavior_version,
|
||||
@ -1206,6 +1209,7 @@ def join_subdomain(logger=None, server=None, creds=None, lp=None, site=None,
|
||||
logger.info("DNS name of new naming master is %s" % ctx.server)
|
||||
|
||||
ctx.base_dn = samba.dn_from_dns_name(dnsdomain)
|
||||
ctx.forestsid = ctx.domsid
|
||||
ctx.domsid = str(security.random_sid())
|
||||
ctx.acct_dn = None
|
||||
ctx.dnshostname = "%s.%s" % (ctx.myname.lower(), ctx.dnsdomain)
|
||||
|
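Review bot: The provision_fill call in the third hunk and the setup_bind9_dns call in the fourth now depend on `ctx.names.domainsid` holding a usable SID, where the removed arguments built one explicitly with `security.dom_sid(ctx.domsid)`; nothing in this file checks that the attribute was populated by the earlier `provision()` call, and in join_subdomain `ctx.domsid` is a plain string (`str(security.random_sid())`), so the type that reaches the descriptor helpers is now decided elsewhere. Every security descriptor written during own-domain provisioning is derived from that SID, so a precondition check before the call makes a missing value fail loudly instead of silently: `if ctx.names.domainsid is None: raise DCJoinException("names.domainsid not set before own-domain provision")`. The `ctx.names.forestsid = ctx.forestsid` assignment in the second hunk is not read anywhere visible on this page; presumably it is groundwork for subdomain joins, and the comment above it could say so. dc_join and join_subdomain both continue outside the hunks.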
@ -164,6 +164,9 @@ class ProvisionNames(object):
|
||||
self.hostname = None
|
||||
self.sitename = None
|
||||
self.smbconf = None
|
||||
self.domainsid = None
|
||||
self.forestsid = None
|
||||
self.domainguid = None
|
||||
self.name_map = {}
|
||||
|
||||
|
||||
@ -262,6 +265,7 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
|
||||
"objectSid","msDS-Behavior-Version" ])
|
||||
names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
|
||||
names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
|
||||
names.forestsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
|
||||
if res6[0].get("msDS-Behavior-Version") is None or \
|
||||
int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
|
||||
names.domainlevel = DS_DOMAIN_FUNCTION_2000
|
||||
@ -1219,7 +1223,7 @@ def setup_samdb(path, session_info, provision_backend, lp, names,
|
||||
return samdb
|
||||
|
||||
|
||||
def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
def fill_samdb(samdb, lp, names, logger, policyguid,
|
||||
policyguid_dc, fill, adminpass, krbtgtpass, machinepass, dns_backend,
|
||||
dnspass, invocationid, ntdsguid, serverrole, am_rodc=False,
|
||||
dom_for_fun_level=None, schema=None, next_rid=None, dc_rid=None):
|
||||
@ -1266,23 +1270,23 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
samdb.set_opaque_integer("domainControllerFunctionality",
|
||||
domainControllerFunctionality)
|
||||
|
||||
samdb.set_domain_sid(str(domainsid))
|
||||
samdb.set_domain_sid(str(names.domainsid))
|
||||
samdb.set_invocation_id(invocationid)
|
||||
|
||||
logger.info("Adding DomainDN: %s" % names.domaindn)
|
||||
|
||||
# impersonate domain admin
|
||||
admin_session_info = admin_session(lp, str(domainsid))
|
||||
admin_session_info = admin_session(lp, str(names.domainsid))
|
||||
samdb.set_session_info(admin_session_info)
|
||||
if domainguid is not None:
|
||||
domainguid_line = "objectGUID: %s\n-" % domainguid
|
||||
if names.domainguid is not None:
|
||||
domainguid_line = "objectGUID: %s\n-" % names.domainguid
|
||||
else:
|
||||
domainguid_line = ""
|
||||
|
||||
descr = b64encode(get_domain_descriptor(domainsid))
|
||||
descr = b64encode(get_domain_descriptor(names.domainsid))
|
||||
setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
|
||||
"DOMAINDN": names.domaindn,
|
||||
"DOMAINSID": str(domainsid),
|
||||
"DOMAINSID": str(names.domainsid),
|
||||
"DESCRIPTOR": descr,
|
||||
"DOMAINGUID": domainguid_line
|
||||
})
|
||||
@ -1301,7 +1305,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
|
||||
if fill == FILL_FULL:
|
||||
logger.info("Adding configuration container")
|
||||
descr = b64encode(get_config_descriptor(domainsid))
|
||||
descr = b64encode(get_config_descriptor(names.domainsid))
|
||||
setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), {
|
||||
"CONFIGDN": names.configdn,
|
||||
"DESCRIPTOR": descr,
|
||||
@ -1335,12 +1339,12 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
if fill == FILL_FULL:
|
||||
logger.info("Setting up sam.ldb configuration data")
|
||||
|
||||
partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
|
||||
sites_descr = b64encode(get_config_sites_descriptor(domainsid))
|
||||
ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(domainsid))
|
||||
protected1_descr = b64encode(get_config_delete_protected1_descriptor(domainsid))
|
||||
protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
|
||||
protected2_descr = b64encode(get_config_delete_protected2_descriptor(domainsid))
|
||||
partitions_descr = b64encode(get_config_partitions_descriptor(names.domainsid))
|
||||
sites_descr = b64encode(get_config_sites_descriptor(names.domainsid))
|
||||
ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(names.domainsid))
|
||||
protected1_descr = b64encode(get_config_delete_protected1_descriptor(names.domainsid))
|
||||
protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
|
||||
protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid))
|
||||
|
||||
setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
|
||||
"CONFIGDN": names.configdn,
|
||||
@ -1379,7 +1383,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
})
|
||||
|
||||
logger.info("Adding users container")
|
||||
users_desc = b64encode(get_domain_users_descriptor(domainsid))
|
||||
users_desc = b64encode(get_domain_users_descriptor(names.domainsid))
|
||||
setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
|
||||
"DOMAINDN": names.domaindn,
|
||||
"USERS_DESCRIPTOR": users_desc
|
||||
@ -1388,7 +1392,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
|
||||
"DOMAINDN": names.domaindn})
|
||||
logger.info("Adding computers container")
|
||||
computers_desc = b64encode(get_domain_computers_descriptor(domainsid))
|
||||
computers_desc = b64encode(get_domain_computers_descriptor(names.domainsid))
|
||||
setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
|
||||
"DOMAINDN": names.domaindn,
|
||||
"COMPUTERS_DESCRIPTOR": computers_desc
|
||||
@ -1398,11 +1402,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
setup_path("provision_computers_modify.ldif"), {
|
||||
"DOMAINDN": names.domaindn})
|
||||
logger.info("Setting up sam.ldb data")
|
||||
infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
|
||||
lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(domainsid))
|
||||
system_desc = b64encode(get_domain_delete_protected1_descriptor(domainsid))
|
||||
builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
|
||||
controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid))
|
||||
infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(names.domainsid))
|
||||
lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(names.domainsid))
|
||||
system_desc = b64encode(get_domain_delete_protected1_descriptor(names.domainsid))
|
||||
builtin_desc = b64encode(get_domain_builtin_descriptor(names.domainsid))
|
||||
controllers_desc = b64encode(get_domain_controllers_descriptor(names.domainsid))
|
||||
setup_add_ldif(samdb, setup_path("provision.ldif"), {
|
||||
"CREATTIME": str(samba.unix2nttime(int(time.time()))),
|
||||
"DOMAINDN": names.domaindn,
|
||||
@ -1427,7 +1431,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
"SCHEMADN": names.schemadn})
|
||||
|
||||
logger.info("Setting up well known security principals")
|
||||
protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
|
||||
protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
|
||||
setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
|
||||
"CONFIGDN": names.configdn,
|
||||
"WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
|
||||
@ -1441,7 +1445,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
logger.info("Setting up sam.ldb users and groups")
|
||||
setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
|
||||
"DOMAINDN": names.domaindn,
|
||||
"DOMAINSID": str(domainsid),
|
||||
"DOMAINSID": str(names.domainsid),
|
||||
"ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')),
|
||||
"KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
|
||||
})
|
||||
@ -1452,7 +1456,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
|
||||
dns_backend=dns_backend,
|
||||
dnspass=dnspass,
|
||||
machinepass=machinepass,
|
||||
domainsid=domainsid,
|
||||
domainsid=names.domainsid,
|
||||
next_rid=next_rid,
|
||||
dc_rid=dc_rid,
|
||||
policyguid=policyguid,
|
||||
@ -1747,7 +1751,7 @@ def interface_ips_v6(lp):
|
||||
|
||||
|
||||
def provision_fill(samdb, secrets_ldb, logger, names, paths,
|
||||
domainsid, schema=None,
|
||||
schema=None,
|
||||
targetdir=None, samdb_fill=FILL_FULL,
|
||||
hostip=None, hostip6=None,
|
||||
next_rid=1000, dc_rid=None, adminpass=None, krbtgtpass=None,
|
||||
@ -1778,7 +1782,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
|
||||
dnspass = samba.generate_random_password(128, 255)
|
||||
|
||||
samdb = fill_samdb(samdb, lp, names, logger=logger,
|
||||
domainsid=domainsid, schema=schema, domainguid=domainguid,
|
||||
schema=schema,
|
||||
policyguid=policyguid, policyguid_dc=policyguid_dc,
|
||||
fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass,
|
||||
invocationid=invocationid, machinepass=machinepass,
|
||||
@ -1795,14 +1799,14 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
|
||||
policyguid_dc)
|
||||
if not skip_sysvolacl:
|
||||
setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
|
||||
paths.root_gid, domainsid, names.dnsdomain,
|
||||
paths.root_gid, names.domainsid, names.dnsdomain,
|
||||
names.domaindn, lp, use_ntvfs)
|
||||
else:
|
||||
logger.info("Setting acl on sysvol skipped")
|
||||
|
||||
secretsdb_self_join(secrets_ldb, domain=names.domain,
|
||||
realm=names.realm, dnsdomain=names.dnsdomain,
|
||||
netbiosname=names.netbiosname, domainsid=domainsid,
|
||||
netbiosname=names.netbiosname, domainsid=names.domainsid,
|
||||
machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC)
|
||||
|
||||
# Now set up the right msDS-SupportedEncryptionTypes into the DB
|
||||
@ -1823,7 +1827,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
|
||||
# It might be that this attribute does not exist in this schema
|
||||
raise
|
||||
|
||||
setup_ad_dns(samdb, secrets_ldb, domainsid, names, paths, lp, logger,
|
||||
setup_ad_dns(samdb, secrets_ldb, names, paths, lp, logger,
|
||||
hostip=hostip, hostip6=hostip6, dns_backend=dns_backend,
|
||||
dnspass=dnspass, os_level=dom_for_fun_level,
|
||||
targetdir=targetdir, fill_level=samdb_fill)
|
||||
@ -2049,6 +2053,9 @@ def provision(logger, session_info, smbconf=None,
|
||||
|
||||
names.hostip = hostip
|
||||
names.hostip6 = hostip6
|
||||
names.domainguid = domainguid
|
||||
names.domainsid = domainsid
|
||||
names.forestsid = domainsid
|
||||
|
||||
if serverrole is None:
|
||||
serverrole = lp.get("server role")
|
||||
@ -2152,9 +2159,9 @@ def provision(logger, session_info, smbconf=None,
|
||||
if samdb_fill == FILL_FULL:
|
||||
provision_fill(samdb, secrets_ldb, logger, names, paths,
|
||||
schema=schema, targetdir=targetdir, samdb_fill=samdb_fill,
|
||||
hostip=hostip, hostip6=hostip6, domainsid=domainsid,
|
||||
hostip=hostip, hostip6=hostip6,
|
||||
next_rid=next_rid, dc_rid=dc_rid, adminpass=adminpass,
|
||||
krbtgtpass=krbtgtpass, domainguid=domainguid,
|
||||
krbtgtpass=krbtgtpass,
|
||||
policyguid=policyguid, policyguid_dc=policyguid_dc,
|
||||
invocationid=invocationid, machinepass=machinepass,
|
||||
ntdsguid=ntdsguid, dns_backend=dns_backend,
|
||||
|
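Review bot: fill_samdb now reads `names.domainsid` in place of a required positional parameter, but ProvisionNames initialises the attribute to None and nothing in the fill_samdb hunks rejects that, so a caller that forgets to set it reaches `samdb.set_domain_sid(str(names.domainsid))` with the string "None" and feeds None to every `get_*_descriptor` call that builds the domain's ACLs. A guard at the top of fill_samdb keeps the old contract explicit, `if names.domainsid is None: raise ProvisioningError("names.domainsid must be set before fill_samdb")`, and the same check belongs at the start of provision_fill. Separately, the provision() hunk stops passing `domainguid` to provision_fill while the provision_fill signature hunk removes only `domainsid`; if `domainguid` is still a parameter of provision_fill beyond the visible lines it is now unused and should be dropped too. In find_provision_key_parameters, `names.forestsid` is filled from the domain's own objectSid, which is only correct while subdomains are unsupported; a one-line comment saying so would stop it being read as a deliberate equality. fill_samdb, provision_fill and provision all continue outside the hunks.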
@ -1033,14 +1033,13 @@ def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
|
||||
domainguid, ntdsguid)
|
||||
|
||||
|
||||
def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
|
||||
def setup_ad_dns(samdb, secretsdb, names, paths, lp, logger,
|
||||
dns_backend, os_level, dnspass=None, hostip=None, hostip6=None,
|
||||
targetdir=None, fill_level=FILL_FULL):
|
||||
"""Provision DNS information (assuming GC role)
|
||||
|
||||
:param samdb: LDB object connected to sam.ldb file
|
||||
:param secretsdb: LDB object connected to secrets.ldb file
|
||||
:param domainsid: Domain SID (as dom_sid object)
|
||||
:param names: Names shortcut
|
||||
:param paths: Paths shortcut
|
||||
:param lp: Loadparm object
|
||||
@ -1097,12 +1096,12 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
|
||||
|
||||
# Create CN=System
|
||||
logger.info("Creating CN=MicrosoftDNS,CN=System,%s" % domaindn)
|
||||
create_dns_legacy(samdb, domainsid, domaindn, dnsadmins_sid)
|
||||
create_dns_legacy(samdb, names.domainsid, domaindn, dnsadmins_sid)
|
||||
|
||||
if os_level == DS_DOMAIN_FUNCTION_2000:
|
||||
# Populating legacy dns
|
||||
logger.info("Populating CN=MicrosoftDNS,CN=System,%s" % domaindn)
|
||||
fill_dns_data_legacy(samdb, domainsid, domaindn, dnsdomain, site,
|
||||
fill_dns_data_legacy(samdb, names.domainsid, domaindn, dnsdomain, site,
|
||||
hostname, hostip, hostip6, dnsadmins_sid)
|
||||
|
||||
elif dns_backend in ("SAMBA_INTERNAL", "BIND9_DLZ") and \
|
||||
@ -1110,30 +1109,29 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
|
||||
|
||||
# Create DNS partitions
|
||||
logger.info("Creating DomainDnsZones and ForestDnsZones partitions")
|
||||
create_dns_partitions(samdb, domainsid, names, domaindn, forestdn,
|
||||
create_dns_partitions(samdb, names.domainsid, names, domaindn, forestdn,
|
||||
dnsadmins_sid, fill_level)
|
||||
|
||||
# Populating dns partitions
|
||||
logger.info("Populating DomainDnsZones and ForestDnsZones partitions")
|
||||
fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
|
||||
fill_dns_data_partitions(samdb, names.domainsid, site, domaindn, forestdn,
|
||||
dnsdomain, dnsforest, hostname, hostip, hostip6,
|
||||
domainguid, names.ntdsguid, dnsadmins_sid,
|
||||
fill_level=fill_level)
|
||||
|
||||
if dns_backend.startswith("BIND9_"):
|
||||
setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
|
||||
setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
|
||||
dns_backend, os_level, site=site, dnspass=dnspass, hostip=hostip,
|
||||
hostip6=hostip6, targetdir=targetdir)
|
||||
|
||||
|
||||
def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
|
||||
def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger,
|
||||
dns_backend, os_level, site=None, dnspass=None, hostip=None,
|
||||
hostip6=None, targetdir=None, key_version_number=None):
|
||||
"""Provision DNS information (assuming BIND9 backend in DC role)
|
||||
|
||||
:param samdb: LDB object connected to sam.ldb file
|
||||
:param secretsdb: LDB object connected to secrets.ldb file
|
||||
:param domainsid: Domain SID (as dom_sid object)
|
||||
:param names: Names shortcut
|
||||
:param paths: Paths shortcut
|
||||
:param lp: Loadparm object
|
||||
@ -1174,7 +1172,7 @@ def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
|
||||
ntdsguid=names.ntdsguid)
|
||||
|
||||
if dns_backend == "BIND9_DLZ" and os_level >= DS_DOMAIN_FUNCTION_2003:
|
||||
create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid)
|
||||
create_samdb_copy(samdb, logger, paths, names, names.domainsid, domainguid)
|
||||
|
||||
create_named_conf(paths, realm=names.realm,
|
||||
dnsdomain=names.dnsdomain, dns_backend=dns_backend,
|
||||
|
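Review bot: The docstrings of setup_ad_dns and setup_bind9_dns still carry `:param domainsid: Domain SID (as dom_sid object)` although neither signature takes that parameter any more; those two lines should be removed, or reworded to say the SID is read from `names.domainsid`. Keyword callers that still pass `domainsid=` will now fail with a TypeError at call time, which is the intended signal, but the stale docstrings would point them the wrong way. The calls to create_dns_partitions, fill_dns_data_partitions and create_samdb_copy still receive `names.domainsid` positionally next to `names` itself, which matches this commit's scope but leaves those helpers for a follow-up. Both functions continue outside the hunks.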