#!/usr/bin/python # # backend code for upgrading from Samba3 # Copyright Jelmer Vernooij 2005-2007 # Released under the GNU GPL v3 or later # """Support code for upgrading from Samba 3 to Samba 4.""" from provision import findnss, provision import provision import grp import pwd import uuid def regkey_to_dn(name): """Convert a registry key to a DN. :name: The registry key name. :return: A matching DN.""" dn = "hive=NONE" if name == "": return dn for el in name.split("/"): dn = "key=%s," % el + dn return dn # Where prefix is any of: # - HKLM # HKU # HKCR # HKPD # HKPT # def upgrade_registry(regdb,prefix,ldb): """Migrate registry contents.""" assert regdb is not None prefix_up = prefix.upper() ldif = [] for rk in regdb.keys: pts = rk.name.split("/") # Only handle selected hive if pts[0].upper() != prefix_up: continue keydn = regkey_to_dn(rk.name) pts = rk.name.split("/") # Convert key name to dn ldif[rk.name] = """ dn: %s name: %s """ % (keydn, pts[0]) for rv in rk.values: ldif[rk.name + " (" + rv.name + ")"] = """ dn: %s,value=%s value: %s type: %d data:: %s""" % (keydn, rv.name, rv.name, rv.type, ldb.encode(rv.data)) return ldif def upgrade_sam_policy(policy,dn): ldif = """ dn: %s changetype: modify replace: minPwdLength minPwdLength: %d pwdHistoryLength: %d minPwdAge: %d maxPwdAge: %d lockoutDuration: %d samba3ResetCountMinutes: %d samba3UserMustLogonToChangePassword: %d samba3BadLockoutMinutes: %d samba3DisconnectTime: %d """ % (dn, policy.min_password_length, policy.password_history, policy.minimum_password_age, policy.maximum_password_age, policy.lockout_duration, policy.reset_count_minutes, policy.user_must_logon_to_change_password, policy.bad_lockout_minutes, policy.disconnect_time) return ldif def upgrade_sam_account(ldb,acc,domaindn,domainsid): """Upgrade a SAM account.""" if acc.nt_username is None or acc.nt_username == "": acc.nt_username = acc.username if acc.fullname is None: acc.fullname = pwd.getpwnam(acc.fullname)[4] acc.fullname = acc.fullname.split(",")[0] if acc.fullname is None: acc.fullname = acc.username assert acc.fullname is not None assert acc.nt_username is not None ldif = """dn: cn=%s,%s objectClass: top objectClass: user lastLogon: %d lastLogoff: %d unixName: %s sAMAccountName: %s cn: %s description: %s primaryGroupID: %d badPwdcount: %d logonCount: %d samba3Domain: %s samba3DirDrive: %s samba3MungedDial: %s samba3Homedir: %s samba3LogonScript: %s samba3ProfilePath: %s samba3Workstations: %s samba3KickOffTime: %d samba3BadPwdTime: %d samba3PassLastSetTime: %d samba3PassCanChangeTime: %d samba3PassMustChangeTime: %d objectSid: %s-%d lmPwdHash:: %s ntPwdHash:: %s """ % (ldb.dn_escape(acc.fullname), domaindn, acc.logon_time, acc.logoff_time, acc.username, acc.nt_username, acc.nt_username, acc.acct_desc, acc.group_rid, acc.bad_password_count, acc.logon_count, acc.domain, acc.dir_drive, acc.munged_dial, acc.homedir, acc.logon_script, acc.profile_path, acc.workstations, acc.kickoff_time, acc.bad_password_time, acc.pass_last_set_time, acc.pass_can_change_time, acc.pass_must_change_time, domainsid, acc.user_rid, ldb.encode(acc.lm_pw), ldb.encode(acc.nt_pw)) return ldif def upgrade_sam_group(group,domaindn): """Upgrade a SAM group.""" if group.sid_name_use == 5: # Well-known group return None if group.nt_name in ("Domain Guests", "Domain Users", "Domain Admins"): return None if group.gid == -1: gr = grp.getgrnam(grp.nt_name) else: gr = grp.getgrgid(grp.gid) if gr is None: group.unixname = "UNKNOWN" else: group.unixname = gr.gr_name assert group.unixname is not None ldif = """dn: cn=%s,%s objectClass: top objectClass: group description: %s cn: %s objectSid: %s unixName: %s samba3SidNameUse: %d """ % (group.nt_name, domaindn, group.comment, group.nt_name, group.sid, group.unixname, group.sid_name_use) return ldif def upgrade_winbind(samba3,domaindn): ldif = """ dn: dc=none userHwm: %d groupHwm: %d """ % (samba3.idmap.user_hwm, samba3.idmap.group_hwm) for m in samba3.idmap.mappings: ldif += """ dn: SID=%s,%s SID: %s type: %d unixID: %d""" % (m.sid, domaindn, m.sid, m.type, m.unix_id) return ldif def upgrade_wins(samba3): """Upgrade the WINS database.""" ldif = "" version_id = 0 for e in samba3.winsentries: now = sys.nttime() ttl = sys.unix2nttime(e.ttl) version_id+=1 numIPs = len(e.ips) if e.type == 0x1C: rType = 0x2 elif e.type & 0x80: if numIPs > 1: rType = 0x2 else: rType = 0x1 else: if numIPs > 1: rType = 0x3 else: rType = 0x0 if ttl > now: rState = 0x0 # active else: rState = 0x1 # released nType = ((e.nb_flags & 0x60)>>5) ldif += """ dn: name=%s,type=0x%02X type: 0x%02X name: %s objectClass: winsRecord recordType: %u recordState: %u nodeType: %u isStatic: 0 expireTime: %s versionID: %llu """ % (e.name, e.type, e.type, e.name, rType, rState, nType, ldaptime(ttl), version_id) for ip in e.ips: ldif += "address: %s\n" % ip ldif += """ dn: CN=VERSION objectClass: winsMaxVersion maxVersion: %llu """ % version_id return ldif def upgrade_provision(lp, samba3): domainname = samba3.configuration.get("workgroup") if domainname is None: domainname = samba3.secrets.domains[0].name print "No domain specified in smb.conf file, assuming '%s'\n" % domainname domsec = samba3.find_domainsecrets(domainname) hostsec = samba3.find_domainsecrets(hostname()) realm = samba3.configuration.get("realm") if realm is None: realm = domainname print "No realm specified in smb.conf file, assuming '%s'\n" % realm random_init(local) subobj.realm = realm subobj.domain = domainname if domsec is not None: subobj.DOMAINGUID = domsec.guid subobj.DOMAINSID = domsec.sid else: print "Can't find domain secrets for '%s'; using random SID and GUID\n" % domainname subobj.DOMAINGUID = uuid.random() subobj.DOMAINSID = randsid() if hostsec: hostguid = hostsec.guid subobj.krbtgtpass = randpass(12) subobj.machinepass = randpass(12) subobj.adminpass = randpass(12) subobj.datestring = datestring() subobj.root = findnss(pwd.getpwnam, "root")[4] subobj.nobody = findnss(pwd.getpwnam, "nobody")[4] subobj.nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2] subobj.wheel = findnss(grp.getgrnam, "wheel", "root")[2] subobj.users = findnss(grp.getgrnam, "users", "guest", "other")[2] subobj.dnsdomain = subobj.realm.lower() subobj.dnsname = "%s.%s" % (subobj.hostname.lower(), subobj.dnsdomain) subobj.basedn = "DC=" + ",DC=".join(subobj.realm.split(".")) rdn_list = subobj.dnsdomain.split(".") subobj.domaindn = "DC=" + ",DC=".join(rdn_list) subobj.domaindn_ldb = "users.ldb" subobj.rootdn = subobj.domaindn modules_list = ["rootdse", "kludge_acl", "paged_results", "server_sort", "extended_dn", "asq", "samldb", "password_hash", "operational", "objectclass", "rdn_name", "show_deleted", "partition"] subobj.modules_list = ",".join(modules_list) return subobj smbconf_keep = [ "dos charset", "unix charset", "display charset", "comment", "path", "directory", "workgroup", "realm", "netbios name", "netbios aliases", "netbios scope", "server string", "interfaces", "bind interfaces only", "security", "auth methods", "encrypt passwords", "null passwords", "obey pam restrictions", "password server", "smb passwd file", "private dir", "passwd chat", "password level", "lanman auth", "ntlm auth", "client NTLMv2 auth", "client lanman auth", "client plaintext auth", "read only", "hosts allow", "hosts deny", "log level", "debuglevel", "log file", "smb ports", "large readwrite", "max protocol", "min protocol", "unicode", "read raw", "write raw", "disable netbios", "nt status support", "announce version", "announce as", "max mux", "max xmit", "name resolve order", "max wins ttl", "min wins ttl", "time server", "unix extensions", "use spnego", "server signing", "client signing", "max connections", "paranoid server security", "socket options", "strict sync", "max print jobs", "printable", "print ok", "printer name", "printer", "map system", "map hidden", "map archive", "preferred master", "prefered master", "local master", "browseable", "browsable", "wins server", "wins support", "csc policy", "strict locking", "preload", "auto services", "lock dir", "lock directory", "pid directory", "socket address", "copy", "include", "available", "volume", "fstype", "panic action", "msdfs root", "host msdfs", "winbind separator"] def upgrade_smbconf(oldconf,mark): """Remove configuration variables not present in Samba4 :param oldconf: Old configuration structure :param mark: Whether removed configuration variables should be kept in the new configuration as "samba3:" """ data = oldconf.data() newconf = param_init() for s in data: for p in data[s]: keep = False for k in smbconf_keep: if smbconf_keep[k] == p: keep = True break if keep: newconf.set(s, p, oldconf.get(s, p)) elif mark: newconf.set(s, "samba3:"+p, oldconf.get(s,p)) if oldconf.get("domain logons") == "True": newconf.set("server role", "domain controller") else: if oldconf.get("security") == "user": newconf.set("server role", "standalone") else: newconf.set("server role", "member server") return newconf def upgrade(subobj, samba3, message, paths, session_info, credentials): ret = 0 lp = loadparm_init() samdb = Ldb(paths.samdb, session_info=session_info, credentials=credentials) message("Writing configuration") newconf = upgrade_smbconf(samba3.configuration,True) newconf.save(paths.smbconf) message("Importing account policies") ldif = upgrade_sam_policy(samba3,subobj.BASEDN) samdb.modify(ldif) regdb = Ldb(paths.hklm) regdb.modify(""" dn: value=RefusePasswordChange,key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=System,HIVE=NONE replace: type type: 4 replace: data data: %d """ % policy.refuse_machine_password_change) message("Importing users") for account in samba3.samaccounts: msg = "... " + account.username ldif = upgrade_sam_account(samdb, accounts,subobj.BASEDN,subobj.DOMAINSID) try: samdb.add(ldif) except LdbError, e: # FIXME: Ignore 'Record exists' errors msg += "... error: " + str(e) ret += 1; message(msg) message("Importing groups") for mapping in samba3.groupmappings: msg = "... " + mapping.nt_name ldif = upgrade_sam_group(mapping, subobj.BASEDN) if ldif is not None: try: samdb.add(ldif) except LdbError, e: # FIXME: Ignore 'Record exists' errors msg += "... error: " + str(e) ret += 1 message(msg) message("Importing registry data") for hive in ["hkcr","hkcu","hklm","hkpd","hku","hkpt"]: message("... " + hive) regdb = Ldb(paths[hive]) ldif = upgrade_registry(samba3.registry, hive, regdb) for j in ldif: msg = "... ... " + j try: regdb.add(ldif[j]) except LdbError, e: # FIXME: Ignore 'Record exists' errors msg += "... error: " + str(e) ret += 1 message(msg) message("Importing WINS data") winsdb = Ldb(paths.winsdb) ldb_erase(winsdb) ldif = upgrade_wins(samba3) winsdb.add(ldif) # figure out ldapurl, if applicable ldapurl = None pdb = samba3.configuration.get_list("passdb backend") if pdb is not None: for backend in pdb: if len(backend) >= 7 and backend[0:7] == "ldapsam": ldapurl = backend[7:] # URL was not specified in passdb backend but ldap /is/ used if ldapurl == "": ldapurl = "ldap://%s" % samba3.configuration.get("ldap server") # Enable samba3sam module if original passdb backend was ldap if ldapurl is not None: message("Enabling Samba3 LDAP mappings for SAM database") samdb.modify(""" dn: @MODULES changetype: modify replace: @LIST @LIST: samldb,operational,objectguid,rdn_name,samba3sam """) samdb.add({"dn": "@MAP=samba3sam", "@MAP_URL": ldapurl}) return ret def upgrade_verify(subobj, samba3, paths, message): message("Verifying account policies") samldb = Ldb(paths.samdb) for account in samba3.samaccounts: msg = samldb.search("(&(sAMAccountName=" + account.nt_username + ")(objectclass=user))") assert(len(msg) >= 1) # FIXME