mirror of
https://github.com/samba-team/samba.git
synced 2025-03-12 20:58:37 +03:00
abb2c7fef4
With s3fs now well settled into master, we now throw the swtich and make it the default. There is still much to do, but we need to be using s3fs by default to find out exactly what that is. Andrew Bartlett
269 lines
11 KiB
Python
Executable File
269 lines
11 KiB
Python
Executable File
#!/usr/bin/env python
|
|
#
|
|
# Unix SMB/CIFS implementation.
|
|
# provision a Samba4 server
|
|
# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
|
|
# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
|
|
#
|
|
# Based on the original in EJS:
|
|
# Copyright (C) Andrew Tridgell 2005
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
import logging
|
|
import optparse
|
|
import sys
|
|
import tempfile
|
|
|
|
# Find right directory when running from source tree
|
|
sys.path.insert(0, "bin/python")
|
|
|
|
import samba
|
|
import samba.ntacls
|
|
import os
|
|
from samba.credentials import DONT_USE_KERBEROS
|
|
from samba.auth import system_session
|
|
import samba.getopt as options
|
|
from samba.provision import (
|
|
provision,
|
|
FILL_FULL,
|
|
FILL_NT4SYNC,
|
|
FILL_DRS,
|
|
ProvisioningError,
|
|
)
|
|
from samba.dsdb import (
|
|
DS_DOMAIN_FUNCTION_2000,
|
|
DS_DOMAIN_FUNCTION_2003,
|
|
DS_DOMAIN_FUNCTION_2008,
|
|
DS_DOMAIN_FUNCTION_2008_R2,
|
|
)
|
|
|
|
# how do we make this case insensitive??
|
|
|
|
parser = optparse.OptionParser("provision [options]")
|
|
sambaopts = options.SambaOptions(parser)
|
|
parser.add_option_group(sambaopts)
|
|
parser.add_option_group(options.VersionOptions(parser))
|
|
credopts = options.CredentialsOptions(parser)
|
|
parser.add_option_group(credopts)
|
|
parser.add_option("--interactive", help="Ask for names", action="store_true")
|
|
parser.add_option("--domain", type="string", metavar="DOMAIN",
|
|
help="set domain")
|
|
parser.add_option("--domain-guid", type="string", metavar="GUID",
|
|
help="set domainguid (otherwise random)")
|
|
parser.add_option("--domain-sid", type="string", metavar="SID",
|
|
help="set domainsid (otherwise random)")
|
|
parser.add_option("--ntds-guid", type="string", metavar="GUID",
|
|
help="set NTDS object GUID (otherwise random)")
|
|
parser.add_option("--invocationid", type="string", metavar="GUID",
|
|
help="set invocationid (otherwise random)")
|
|
parser.add_option("--host-name", type="string", metavar="HOSTNAME",
|
|
help="set hostname")
|
|
parser.add_option("--host-ip", type="string", metavar="IPADDRESS",
|
|
help="set IPv4 ipaddress")
|
|
parser.add_option("--host-ip6", type="string", metavar="IP6ADDRESS",
|
|
help="set IPv6 ipaddress")
|
|
parser.add_option("--adminpass", type="string", metavar="PASSWORD",
|
|
help="choose admin password (otherwise random)")
|
|
parser.add_option("--krbtgtpass", type="string", metavar="PASSWORD",
|
|
help="choose krbtgt password (otherwise random)")
|
|
parser.add_option("--machinepass", type="string", metavar="PASSWORD",
|
|
help="choose machine password (otherwise random)")
|
|
parser.add_option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
|
|
choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"],
|
|
help="The DNS server backend. SAMBA_INTERNAL is the builtin name server, " \
|
|
"BIND9_FLATFILE uses bind9 text database to store zone information, " \
|
|
"BIND9_DLZ uses samba4 AD to store zone information (default), " \
|
|
"NONE skips the DNS setup entirely (not recommended)",
|
|
default="BIND9_DLZ")
|
|
parser.add_option("--dnspass", type="string", metavar="PASSWORD",
|
|
help="choose dns password (otherwise random)")
|
|
parser.add_option("--ldapadminpass", type="string", metavar="PASSWORD",
|
|
help="choose password to set between Samba and it's LDAP backend (otherwise random)")
|
|
parser.add_option("--root", type="string", metavar="USERNAME",
|
|
help="choose 'root' unix username")
|
|
parser.add_option("--nobody", type="string", metavar="USERNAME",
|
|
help="choose 'nobody' user")
|
|
parser.add_option("--wheel", type="string", metavar="GROUPNAME",
|
|
help="choose 'wheel' privileged group")
|
|
parser.add_option("--users", type="string", metavar="GROUPNAME",
|
|
help="choose 'users' group")
|
|
parser.add_option("--quiet", help="Be quiet", action="store_true")
|
|
parser.add_option("--blank", action="store_true",
|
|
help="do not add users or groups, just the structure")
|
|
parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
|
|
help="Test initialisation support for unsupported LDAP backend type (fedora-ds or openldap) DO NOT USE",
|
|
choices=["fedora-ds", "openldap"])
|
|
parser.add_option("--server-role", type="choice", metavar="ROLE",
|
|
choices=["domain controller", "dc", "member server", "member", "standalone"],
|
|
help="The server role (domain controller | dc | member server | member | standalone). Default is dc.",
|
|
default="domain controller")
|
|
parser.add_option("--function-level", type="choice", metavar="FOR-FUN-LEVEL",
|
|
choices=["2000", "2003", "2008", "2008_R2"],
|
|
help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2003 Native.",
|
|
default="2003")
|
|
parser.add_option("--next-rid", type="int", metavar="NEXTRID", default=1000,
|
|
help="The initial nextRid value (only needed for upgrades). Default is 1000.")
|
|
parser.add_option("--partitions-only",
|
|
help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true")
|
|
parser.add_option("--targetdir", type="string", metavar="DIR",
|
|
help="Set target directory")
|
|
parser.add_option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
|
|
help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with comma (\",\") for use with OpenLDAP-MMR (Multi-Master-Replication), e.g.: \"ldap://s4dc1:9000,ldap://s4dc2:9000\"")
|
|
parser.add_option("--slapd-path", type="string", metavar="SLAPD-PATH",
|
|
help="Path to slapd for LDAP backend [e.g.:'/usr/local/libexec/slapd']. Required for Setup with LDAP-Backend. OpenLDAP Version >= 2.4.17 should be used.")
|
|
parser.add_option("--use-xattrs", type="choice", choices=["yes", "no", "auto"], help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto")
|
|
parser.add_option("--use-ntvfs", action="store_true", help="Use NTVFS for the fileserver (default = no)")
|
|
|
|
opts = parser.parse_args()[0]
|
|
|
|
logger = logging.getLogger("provision")
|
|
logger.addHandler(logging.StreamHandler(sys.stdout))
|
|
if opts.quiet:
|
|
logger.setLevel(logging.WARNING)
|
|
else:
|
|
logger.setLevel(logging.INFO)
|
|
|
|
if len(sys.argv) == 1:
|
|
opts.interactive = True
|
|
|
|
if opts.interactive:
|
|
from getpass import getpass
|
|
import socket
|
|
|
|
def ask(prompt, default=None):
|
|
if default is not None:
|
|
print "%s [%s]: " % (prompt, default),
|
|
else:
|
|
print "%s: " % (prompt,),
|
|
return sys.stdin.readline().rstrip("\n") or default
|
|
try:
|
|
default = socket.getfqdn().split(".", 1)[1].upper()
|
|
except IndexError:
|
|
default = None
|
|
opts.realm = ask("Realm", default)
|
|
if opts.realm in (None, ""):
|
|
print >>sys.stderr, "No realm set!"
|
|
sys.exit(1)
|
|
|
|
try:
|
|
default = opts.realm.split(".")[0]
|
|
except IndexError:
|
|
default = None
|
|
opts.domain = ask("Domain", default)
|
|
if opts.domain is None:
|
|
print >> sys.stderr, "No domain set!"
|
|
sys.exit(1)
|
|
|
|
opts.server_role = ask("Server Role (dc, member, standalone)", "dc")
|
|
while True:
|
|
adminpass = getpass("Administrator password: ")
|
|
if not adminpass:
|
|
print >>sys.stderr, "Invalid administrator password."
|
|
else:
|
|
adminpassverify = getpass("Retype password: ")
|
|
if not adminpass == adminpassverify:
|
|
print >>sys.stderr, "Sorry, passwords do not match."
|
|
else:
|
|
opts.adminpass = adminpass
|
|
break
|
|
|
|
else:
|
|
if opts.realm in (None, ""):
|
|
opts.realm = sambaopts._lp.get('realm')
|
|
if opts.realm is None or opts.domain is None:
|
|
if opts.realm is None:
|
|
print >>sys.stderr, "No realm set!"
|
|
if opts.domain is None:
|
|
print >> sys.stderr, "No domain set!"
|
|
parser.print_usage()
|
|
sys.exit(1)
|
|
|
|
if not opts.adminpass:
|
|
logger.info("Administrator password will be set randomly!")
|
|
|
|
lp = sambaopts.get_loadparm()
|
|
smbconf = lp.configfile
|
|
|
|
if opts.function_level == "2000":
|
|
dom_for_fun_level = DS_DOMAIN_FUNCTION_2000
|
|
elif opts.function_level == "2003":
|
|
dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
|
|
elif opts.function_level == "2008":
|
|
dom_for_fun_level = DS_DOMAIN_FUNCTION_2008
|
|
elif opts.function_level == "2008_R2":
|
|
dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2
|
|
|
|
creds = credopts.get_credentials(lp)
|
|
|
|
creds.set_kerberos_state(DONT_USE_KERBEROS)
|
|
|
|
samdb_fill = FILL_FULL
|
|
if opts.blank:
|
|
samdb_fill = FILL_NT4SYNC
|
|
elif opts.partitions_only:
|
|
samdb_fill = FILL_DRS
|
|
|
|
if opts.targetdir is not None:
|
|
if not os.path.isdir(opts.targetdir):
|
|
os.mkdir(opts.targetdir)
|
|
|
|
eadb = True
|
|
|
|
if opts.use_xattrs == "yes":
|
|
eadb = False
|
|
elif opts.use_xattrs == "auto" and not lp.get("posix:eadb"):
|
|
if opts.targetdir:
|
|
file = tempfile.NamedTemporaryFile(dir=os.path.abspath(opts.targetdir))
|
|
else:
|
|
file = tempfile.NamedTemporaryFile(dir=os.path.abspath(os.path.dirname(lp.get("private dir"))))
|
|
try:
|
|
try:
|
|
samba.ntacls.setntacl(lp, file.name,
|
|
"O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
|
|
eadb = False
|
|
except Exception:
|
|
logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. ")
|
|
finally:
|
|
file.close()
|
|
|
|
if eadb:
|
|
logger.info("not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.")
|
|
|
|
session = system_session()
|
|
try:
|
|
result = provision(logger,
|
|
session, creds, smbconf=smbconf, targetdir=opts.targetdir,
|
|
samdb_fill=samdb_fill, realm=opts.realm, domain=opts.domain,
|
|
domainguid=opts.domain_guid, domainsid=opts.domain_sid,
|
|
hostname=opts.host_name,
|
|
hostip=opts.host_ip, hostip6=opts.host_ip6,
|
|
ntdsguid=opts.ntds_guid,
|
|
invocationid=opts.invocationid, adminpass=opts.adminpass,
|
|
krbtgtpass=opts.krbtgtpass, machinepass=opts.machinepass,
|
|
dns_backend=opts.dns_backend,
|
|
dnspass=opts.dnspass, root=opts.root, nobody=opts.nobody,
|
|
wheel=opts.wheel, users=opts.users,
|
|
serverrole=opts.server_role, dom_for_fun_level=dom_for_fun_level,
|
|
backend_type=opts.ldap_backend_type,
|
|
ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
|
|
slapd_path=opts.slapd_path,
|
|
useeadb=eadb, next_rid=opts.next_rid, lp=lp, use_ntvfs=(opts.use_ntvfs))
|
|
except ProvisioningError, e:
|
|
print str(e)
|
|
sys.exit(1)
|
|
|
|
result.report_logger(logger)
|