mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
269 lines
11 KiB
Python
Executable File
269 lines
11 KiB
Python
Executable File
#!/usr/bin/env python
|
|
#
|
|
# Unix SMB/CIFS implementation.
|
|
# provision a Samba4 server
|
|
# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
|
|
# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
|
|
#
|
|
# Based on the original in EJS:
|
|
# Copyright (C) Andrew Tridgell 2005
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
import logging
|
|
import optparse
|
|
import sys
|
|
import tempfile
|
|
|
|
# Find right directory when running from source tree
|
|
sys.path.insert(0, "bin/python")
|
|
|
|
import samba
|
|
import samba.ntacls
|
|
import os
|
|
from samba.credentials import DONT_USE_KERBEROS
|
|
from samba.auth import system_session
|
|
import samba.getopt as options
|
|
from samba.provision import (
|
|
provision,
|
|
FILL_FULL,
|
|
FILL_NT4SYNC,
|
|
FILL_DRS,
|
|
ProvisioningError,
|
|
)
|
|
from samba.dsdb import (
|
|
DS_DOMAIN_FUNCTION_2000,
|
|
DS_DOMAIN_FUNCTION_2003,
|
|
DS_DOMAIN_FUNCTION_2008,
|
|
DS_DOMAIN_FUNCTION_2008_R2,
|
|
)
|
|
|
|
# how do we make this case insensitive??
|
|
|
|
parser = optparse.OptionParser("provision [options]")
|
|
sambaopts = options.SambaOptions(parser)
|
|
parser.add_option_group(sambaopts)
|
|
parser.add_option_group(options.VersionOptions(parser))
|
|
credopts = options.CredentialsOptions(parser)
|
|
parser.add_option_group(credopts)
|
|
parser.add_option("--interactive", help="Ask for names", action="store_true")
|
|
parser.add_option("--domain", type="string", metavar="DOMAIN",
|
|
help="set domain")
|
|
parser.add_option("--domain-guid", type="string", metavar="GUID",
|
|
help="set domainguid (otherwise random)")
|
|
parser.add_option("--domain-sid", type="string", metavar="SID",
|
|
help="set domainsid (otherwise random)")
|
|
parser.add_option("--ntds-guid", type="string", metavar="GUID",
|
|
help="set NTDS object GUID (otherwise random)")
|
|
parser.add_option("--invocationid", type="string", metavar="GUID",
|
|
help="set invocationid (otherwise random)")
|
|
parser.add_option("--host-name", type="string", metavar="HOSTNAME",
|
|
help="set hostname")
|
|
parser.add_option("--host-ip", type="string", metavar="IPADDRESS",
|
|
help="set IPv4 ipaddress")
|
|
parser.add_option("--host-ip6", type="string", metavar="IP6ADDRESS",
|
|
help="set IPv6 ipaddress")
|
|
parser.add_option("--adminpass", type="string", metavar="PASSWORD",
|
|
help="choose admin password (otherwise random)")
|
|
parser.add_option("--krbtgtpass", type="string", metavar="PASSWORD",
|
|
help="choose krbtgt password (otherwise random)")
|
|
parser.add_option("--machinepass", type="string", metavar="PASSWORD",
|
|
help="choose machine password (otherwise random)")
|
|
parser.add_option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
|
|
choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"],
|
|
help="The DNS server backend. SAMBA_INTERNAL is the builtin name server, " \
|
|
"BIND9_FLATFILE uses bind9 text database to store zone information, " \
|
|
"BIND9_DLZ uses samba4 AD to store zone information (default), " \
|
|
"NONE skips the DNS setup entirely (not recommended)",
|
|
default="BIND9_DLZ")
|
|
parser.add_option("--dnspass", type="string", metavar="PASSWORD",
|
|
help="choose dns password (otherwise random)")
|
|
parser.add_option("--ldapadminpass", type="string", metavar="PASSWORD",
|
|
help="choose password to set between Samba and it's LDAP backend (otherwise random)")
|
|
parser.add_option("--root", type="string", metavar="USERNAME",
|
|
help="choose 'root' unix username")
|
|
parser.add_option("--nobody", type="string", metavar="USERNAME",
|
|
help="choose 'nobody' user")
|
|
parser.add_option("--wheel", type="string", metavar="GROUPNAME",
|
|
help="choose 'wheel' privileged group")
|
|
parser.add_option("--users", type="string", metavar="GROUPNAME",
|
|
help="choose 'users' group")
|
|
parser.add_option("--quiet", help="Be quiet", action="store_true")
|
|
parser.add_option("--blank", action="store_true",
|
|
help="do not add users or groups, just the structure")
|
|
parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
|
|
help="Test initialisation support for unsupported LDAP backend type (fedora-ds or openldap) DO NOT USE",
|
|
choices=["fedora-ds", "openldap"])
|
|
parser.add_option("--server-role", type="choice", metavar="ROLE",
|
|
choices=["domain controller", "dc", "member server", "member", "standalone"],
|
|
help="The server role (domain controller | dc | member server | member | standalone). Default is dc.",
|
|
default="domain controller")
|
|
parser.add_option("--function-level", type="choice", metavar="FOR-FUN-LEVEL",
|
|
choices=["2000", "2003", "2008", "2008_R2"],
|
|
help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2003 Native.",
|
|
default="2003")
|
|
parser.add_option("--next-rid", type="int", metavar="NEXTRID", default=1000,
|
|
help="The initial nextRid value (only needed for upgrades). Default is 1000.")
|
|
parser.add_option("--partitions-only",
|
|
help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true")
|
|
parser.add_option("--targetdir", type="string", metavar="DIR",
|
|
help="Set target directory")
|
|
parser.add_option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
|
|
help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with comma (\",\") for use with OpenLDAP-MMR (Multi-Master-Replication), e.g.: \"ldap://s4dc1:9000,ldap://s4dc2:9000\"")
|
|
parser.add_option("--slapd-path", type="string", metavar="SLAPD-PATH",
|
|
help="Path to slapd for LDAP backend [e.g.:'/usr/local/libexec/slapd']. Required for Setup with LDAP-Backend. OpenLDAP Version >= 2.4.17 should be used.")
|
|
parser.add_option("--use-xattrs", type="choice", choices=["yes", "no", "auto"], help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto")
|
|
parser.add_option("--use-s3fs", action="store_true", help="Use s3fs for the fileserver (default = no)")
|
|
|
|
opts = parser.parse_args()[0]
|
|
|
|
logger = logging.getLogger("provision")
|
|
logger.addHandler(logging.StreamHandler(sys.stdout))
|
|
if opts.quiet:
|
|
logger.setLevel(logging.WARNING)
|
|
else:
|
|
logger.setLevel(logging.INFO)
|
|
|
|
if len(sys.argv) == 1:
|
|
opts.interactive = True
|
|
|
|
if opts.interactive:
|
|
from getpass import getpass
|
|
import socket
|
|
|
|
def ask(prompt, default=None):
|
|
if default is not None:
|
|
print "%s [%s]: " % (prompt, default),
|
|
else:
|
|
print "%s: " % (prompt,),
|
|
return sys.stdin.readline().rstrip("\n") or default
|
|
try:
|
|
default = socket.getfqdn().split(".", 1)[1].upper()
|
|
except IndexError:
|
|
default = None
|
|
opts.realm = ask("Realm", default)
|
|
if opts.realm in (None, ""):
|
|
print >>sys.stderr, "No realm set!"
|
|
sys.exit(1)
|
|
|
|
try:
|
|
default = opts.realm.split(".")[0]
|
|
except IndexError:
|
|
default = None
|
|
opts.domain = ask("Domain", default)
|
|
if opts.domain is None:
|
|
print >> sys.stderr, "No domain set!"
|
|
sys.exit(1)
|
|
|
|
opts.server_role = ask("Server Role (dc, member, standalone)", "dc")
|
|
while True:
|
|
adminpass = getpass("Administrator password: ")
|
|
if not adminpass:
|
|
print >>sys.stderr, "Invalid administrator password."
|
|
else:
|
|
adminpassverify = getpass("Retype password: ")
|
|
if not adminpass == adminpassverify:
|
|
print >>sys.stderr, "Sorry, passwords do not match."
|
|
else:
|
|
opts.adminpass = adminpass
|
|
break
|
|
|
|
else:
|
|
if opts.realm in (None, ""):
|
|
opts.realm = sambaopts._lp.get('realm')
|
|
if opts.realm is None or opts.domain is None:
|
|
if opts.realm is None:
|
|
print >>sys.stderr, "No realm set!"
|
|
if opts.domain is None:
|
|
print >> sys.stderr, "No domain set!"
|
|
parser.print_usage()
|
|
sys.exit(1)
|
|
|
|
if not opts.adminpass:
|
|
logger.info("Administrator password will be set randomly!")
|
|
|
|
lp = sambaopts.get_loadparm()
|
|
smbconf = lp.configfile
|
|
|
|
if opts.function_level == "2000":
|
|
dom_for_fun_level = DS_DOMAIN_FUNCTION_2000
|
|
elif opts.function_level == "2003":
|
|
dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
|
|
elif opts.function_level == "2008":
|
|
dom_for_fun_level = DS_DOMAIN_FUNCTION_2008
|
|
elif opts.function_level == "2008_R2":
|
|
dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2
|
|
|
|
creds = credopts.get_credentials(lp)
|
|
|
|
creds.set_kerberos_state(DONT_USE_KERBEROS)
|
|
|
|
samdb_fill = FILL_FULL
|
|
if opts.blank:
|
|
samdb_fill = FILL_NT4SYNC
|
|
elif opts.partitions_only:
|
|
samdb_fill = FILL_DRS
|
|
|
|
if opts.targetdir is not None:
|
|
if not os.path.isdir(opts.targetdir):
|
|
os.mkdir(opts.targetdir)
|
|
|
|
eadb = True
|
|
|
|
if opts.use_xattrs == "yes":
|
|
eadb = False
|
|
elif opts.use_xattrs == "auto" and not lp.get("posix:eadb"):
|
|
if opts.targetdir:
|
|
file = tempfile.NamedTemporaryFile(dir=os.path.abspath(opts.targetdir))
|
|
else:
|
|
file = tempfile.NamedTemporaryFile(dir=os.path.abspath(os.path.dirname(lp.get("private dir"))))
|
|
try:
|
|
try:
|
|
samba.ntacls.setntacl(lp, file.name,
|
|
"O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
|
|
eadb = False
|
|
except Exception:
|
|
logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. ")
|
|
finally:
|
|
file.close()
|
|
|
|
if eadb:
|
|
logger.info("not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.")
|
|
|
|
session = system_session()
|
|
try:
|
|
result = provision(logger,
|
|
session, creds, smbconf=smbconf, targetdir=opts.targetdir,
|
|
samdb_fill=samdb_fill, realm=opts.realm, domain=opts.domain,
|
|
domainguid=opts.domain_guid, domainsid=opts.domain_sid,
|
|
hostname=opts.host_name,
|
|
hostip=opts.host_ip, hostip6=opts.host_ip6,
|
|
ntdsguid=opts.ntds_guid,
|
|
invocationid=opts.invocationid, adminpass=opts.adminpass,
|
|
krbtgtpass=opts.krbtgtpass, machinepass=opts.machinepass,
|
|
dns_backend=opts.dns_backend,
|
|
dnspass=opts.dnspass, root=opts.root, nobody=opts.nobody,
|
|
wheel=opts.wheel, users=opts.users,
|
|
serverrole=opts.server_role, dom_for_fun_level=dom_for_fun_level,
|
|
backend_type=opts.ldap_backend_type,
|
|
ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
|
|
slapd_path=opts.slapd_path,
|
|
useeadb=eadb, next_rid=opts.next_rid, lp=lp, use_ntvfs=(not opts.use_s3fs))
|
|
except ProvisioningError, e:
|
|
print str(e)
|
|
sys.exit(1)
|
|
|
|
result.report_logger(logger)
|