diff --git a/source/scripting/libjs/provision.js b/source/scripting/libjs/provision.js index ef6fe312856..90bc0823416 100644 --- a/source/scripting/libjs/provision.js +++ b/source/scripting/libjs/provision.js @@ -52,24 +52,50 @@ function findnss() /* add a foreign security principle */ -function add_foreign(str, sid, desc, unixname) +function add_foreign(str, sid, desc) { var add = " dn: CN=${SID},CN=ForeignSecurityPrincipals,${BASEDN} objectClass: top objectClass: foreignSecurityPrincipal description: ${DESC} -unixName: ${UNIXNAME} uSNCreated: 1 uSNChanged: 1 "; var sub = new Object(); sub.SID = sid; sub.DESC = desc; - sub.UNIXNAME = unixname; return str + substitute_var(add, sub); } + +/* + setup a mapping between a sam name and a unix name + */ +function setup_name_mapping(info, ldb, sid, unixname) +{ + var attrs = new Array("dn"); + var res = ldb.search(sprintf("objectSid=%s", sid), + NULL, ldb.SCOPE_DEFAULT, attrs); + if (res.length != 1) { + return false; + } + var mod = sprintf(" +dn: %s +changetype: modify +replace: unixName +unixName: %s +", + res[0].dn, unixname); + var ok = ldb.modify(mod); + if (!ok) { + info.message("name mapping for %s failed - %s\n", + sid, ldb.errstring()); + return false; + } + return true; +} + /* return current time as a nt time string */ 
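Review bot: In setup_name_mapping the unix name is spliced into the LDIF modify record with a bare `%s`, so a value holding a newline or leading whitespace would change the record's structure instead of becoming the unixName value; the callers added in this commit feed it provisioning parameters (subobj.ROOT, subobj.WHEEL, ...), so the function should refuse such names before building `mod`, and the same consideration applies to `sid` in the `sprintf("objectSid=%s", sid)` filter. The `res.length != 1` branch also returns false without any diagnostic, unlike the modify failure just below it; a line such as `info.message("name mapping for %s failed - no unique object\n", sid);` before that `return false;` would make a missing or duplicated object visible to the operator. The doc comment could additionally say that the function expects exactly one object to carry the given objectSid and replaces, rather than adds to, its unixName.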
@@ -258,6 +284,42 @@ function provision_default_paths(subobj) return paths; } + +/* + setup reasonable name mappings for sam names to unix names +*/ +function setup_name_mappings(info, subobj, session_info, credentials) +{ + var lp = loadparm_init(); + var ldb = ldb_init(); + ldb.session_info = session_info; + ldb.credentials = credentials; + var ok = ldb.connect(lp.get("sam database")); + if (!ok) { + return false; + } + + /* some well known sids */ + setup_name_mapping(info, ldb, "S-1-5-7", subobj.NOBODY); + setup_name_mapping(info, ldb, "S-1-1-0", subobj.NOGROUP); + setup_name_mapping(info, ldb, "S-1-5-2", subobj.NOGROUP); + setup_name_mapping(info, ldb, "S-1-5-18", subobj.ROOT); + setup_name_mapping(info, ldb, "S-1-5-11", subobj.USERS); + setup_name_mapping(info, ldb, "S-1-5-32-544", subobj.WHEEL); + setup_name_mapping(info, ldb, "S-1-5-32-546", subobj.NOGROUP); + + /* and some well known domain rids */ + setup_name_mapping(info, ldb, subobj.DOMAINSID + "-500", subobj.ROOT); + setup_name_mapping(info, ldb, subobj.DOMAINSID + "-518", subobj.WHEEL); + setup_name_mapping(info, ldb, subobj.DOMAINSID + "-519", subobj.WHEEL); + setup_name_mapping(info, ldb, subobj.DOMAINSID + "-512", subobj.WHEEL); + setup_name_mapping(info, ldb, subobj.DOMAINSID + "-513", subobj.USERS); + setup_name_mapping(info, ldb, subobj.DOMAINSID + "-520", subobj.WHEEL); + + return true; +} + + /* provision samba4 - caution, this wipes all existing data! */ 
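Review bot: setup_name_mappings discards the return value of all thirteen setup_name_mapping calls, so it returns true even if every mapping failed and provision only ever learns about a failed `ldb.connect`. Folding the results, e.g. `var ok = true;` before the block, `ok = setup_name_mapping(info, ldb, "S-1-5-7", subobj.NOBODY) && ok;` for each call and `return ok;` at the end, would let the caller report a partially provisioned name map. The connect failure path is also silent; a message via `info.message` there would match the style of setup_name_mapping. If the ldb handle is expected to be released after use, it is presumably never closed here either, which is worth confirming against the ldb API.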
@@ -319,10 +381,17 @@ function provision(subobj, message, blank, paths, session_info, credentials) setup_ldb("provision_templates.ldif", info, paths.samdb, NULL, false); message("Setting up sam.ldb data\n"); setup_ldb("provision.ldif", info, paths.samdb, NULL, false); - if (blank == false) { - message("Setting up sam.ldb users and groups\n"); - setup_ldb("provision_users.ldif", info, paths.samdb, data, false); + if (blank != false) { + return true; } + + message("Setting up sam.ldb users and groups\n"); + setup_ldb("provision_users.ldif", info, paths.samdb, data, false); + + if (setup_name_mappings(info, subobj, session_info, credentials) == false) { + return false; + } + return true; } diff --git a/source/setup/provision_users.ldif b/source/setup/provision_users.ldif index dfb31783e48..45b2382c17b 100644 --- a/source/setup/provision_users.ldif +++ b/source/setup/provision_users.ldif @@ -16,7 +16,6 @@ accountExpires: -1 sAMAccountName: Administrator isCriticalSystemObject: TRUE sambaPassword: ${ADMINPASS} -unixName: ${ROOT} dn: CN=Guest,CN=Users,${BASEDN} objectClass: user @@ -49,7 +48,6 @@ systemFlags: 0x8c000000 groupType: 0x80000005 objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE -unixName: ${WHEEL} privilege: SeSecurityPrivilege privilege: SeBackupPrivilege privilege: SeRestorePrivilege @@ -133,7 +131,6 @@ systemFlags: 0x8c000000 groupType: 0x80000005 objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE -unixName: ${NOGROUP} dn: CN=Print Operators,CN=Builtin,${BASEDN} objectClass: top @@ -306,7 +303,6 @@ objectSid: ${DOMAINSID}-518 adminCount: 1 sAMAccountName: Schema Admins isCriticalSystemObject: TRUE -unixName: ${WHEEL} dn: CN=Enterprise Admins,CN=Users,${BASEDN} objectClass: top 
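Review bot: The new name-mapping step is the only step in provision that does not announce itself with message(), so when setup_name_mappings returns false after a failed connect the user sees provisioning stop with no hint of which step failed; add `message("Setting up name mappings\n");` before the call, matching the surrounding "Setting up ..." lines. As a point of style, `if (blank != false)` and `== false` read more directly as `if (blank)` and `if (!setup_name_mappings(info, subobj, session_info, credentials))`. The body of provision begins outside the hunk.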
@@ -321,7 +317,6 @@ objectSid: ${DOMAINSID}-519 adminCount: 1 sAMAccountName: Enterprise Admins isCriticalSystemObject: TRUE -unixName: ${WHEEL} dn: CN=Cert Publishers,CN=Users,${BASEDN} objectClass: top @@ -350,7 +345,6 @@ objectSid: ${DOMAINSID}-512 adminCount: 1 sAMAccountName: Domain Admins isCriticalSystemObject: TRUE -unixName: ${WHEEL} dn: CN=Domain Users,CN=Users,${BASEDN} objectClass: top @@ -363,7 +357,6 @@ uSNChanged: 1 objectSid: ${DOMAINSID}-513 sAMAccountName: Domain Users isCriticalSystemObject: TRUE -unixName: ${USERS} dn: CN=Domain Guests,CN=Users,${BASEDN} objectClass: top @@ -389,7 +382,6 @@ objectSid: ${DOMAINSID}-520 sAMAccountName: Group Policy Creator Owners objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE -unixName: ${WHEEL} dn: CN=RAS and IAS Servers,CN=Users,${BASEDN} objectClass: top