authorMatthieu Patou <mat@matws.net>2010-01-08 17:00:54 +0300
committerAndrew Bartlett <abartlet@samba.org>2010-01-21 07:11:17 +1300
commitd4514a6539052b6944582ef8e5e1930b5f42ffd7 (patch)
treec19dfb082ebb18fb04a2f09ab96c3a87baa51224 /source4/scripting
parent711c7606a5a2c36ea252ffd6d3aafc06fa5b675c (diff)
provision: introduce use-xattr parameter for defining where to store attributes
This option allows an ordinary (non-root) user to invoke provision without hitting an error, while ensuring that the ACLs on shared files are always set
Diffstat (limited to 'source4/scripting')
-rw-r--r--source4/scripting/python/samba/provision.py60
1 files changed, 35 insertions, 25 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index f4a30412ab..036890d45d 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -47,7 +47,7 @@ from samba import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTI
from samba.samdb import SamDB
from samba.idmap import IDmapDB
from samba.dcerpc import security
-from samba.misc import setntacl,dsacl2fsacl
+from samba.ntacls import setntacl,dsacl2fsacl
from samba.ndr import ndr_pack,ndr_unpack
import urllib
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
@@ -435,7 +435,7 @@ def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
- targetdir, sid_generator):
+ targetdir, sid_generator,eadb):
"""Create a new smb.conf file based on a couple of basic settings.
"""
assert smbconf is not None
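Review bot: The new `eadb` argument to make_smbconf is not described in the docstring, which still only says the file is built from "a couple of basic settings". A line such as `:param eadb: if true, emit a "posix:eadb" line pointing at private/eadb.tdb under targetdir` would cover what the body below does with it. Because `eadb` is positional with no default, any caller of make_smbconf other than provision() breaks; `eadb=False` would keep them working. The body of make_smbconf continues beyond this hunk.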
@@ -467,7 +467,11 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
#Load non-existant file
if os.path.exists(smbconf):
default_lp.load(smbconf)
-
+ if eadb:
+ posixeadb_line = "posix:eadb = " + os.path.abspath(os.path.join(os.path.join(targetdir, "private"),"eadb.tdb"))
+ else:
+ posixeadb_line = ""
+
if targetdir is not None:
privatedir_line = "private dir = " + os.path.abspath(os.path.join(targetdir, "private"))
lockdir_line = "lock dir = " + os.path.abspath(targetdir)
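Review bot: `posixeadb_line` is built from `targetdir` before the `if targetdir is not None:` check on the very next line, so make_smbconf(..., eadb=True) with targetdir=None raises a TypeError inside os.path.join instead of producing a usable setting. Either guard it, `if eadb and targetdir is not None:`, or compute the path from the same private dir the targetdir branch already derives. The nested join can also be flattened to `os.path.join(targetdir, "private", "eadb.tdb")`. The rest of make_smbconf lies outside this hunk.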
@@ -495,7 +499,8 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
"SYSVOLPATH": sysvol,
"SIDGENERATOR_LINE": sid_generator_line,
"PRIVATEDIR_LINE": privatedir_line,
- "LOCKDIR_LINE": lockdir_line
+ "LOCKDIR_LINE": lockdir_line,
+ "POSIXEADB_LINE": posixeadb_line
})
@@ -1056,39 +1061,45 @@ FILL_DRS = "DRS"
SYSVOL_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
POLICIES_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;${DOMAINSID}-520)"
-def set_gpo_acl(path,acl):
- setntacl(path,acl)
+def set_gpo_acl(path,acl,lp,domsid):
+ setntacl(lp,path,acl,domsid)
for root, dirs, files in os.walk(path, topdown=False):
for name in files:
- setntacl(os.path.join(root, name),acl)
+ setntacl(lp,os.path.join(root, name),acl,domsid)
for name in dirs:
- setntacl(os.path.join(root, name),acl)
+ setntacl(lp,os.path.join(root, name),acl,domsid)
-def setdiracl(samdb,names,netlogon,sysvol,gid,domainsid):
+def setsysvolacl(samdb,names,netlogon,sysvol,gid,domainsid,lp):
+ canchown = 1
acl = SYSVOL_ACL.replace("${DOMAINSID}",str(domainsid))
- os.chown(sysvol,-1,gid)
- setntacl(sysvol,acl)
+ try:
+ os.chown(sysvol,-1,gid)
+ except:
+ canchown = 0
+
+ setntacl(lp,sysvol,acl,str(domainsid))
for root, dirs, files in os.walk(sysvol, topdown=False):
for name in files:
- os.chown(os.path.join(root, name),-1,gid)
- setntacl(os.path.join(root, name),acl)
+ if canchown:
+ os.chown(os.path.join(root, name),-1,gid)
+ setntacl(lp,os.path.join(root, name),acl,str(domainsid))
for name in dirs:
- os.chown(os.path.join(root, name),-1,gid)
- setntacl(os.path.join(root, name),acl)
+ if canchown:
+ os.chown(os.path.join(root, name),-1,gid)
+ setntacl(lp,os.path.join(root, name),acl,str(domainsid))
# Set ACL for GPO
policy_path = os.path.join(sysvol, names.dnsdomain, "Policies")
acl = POLICIES_ACL.replace("${DOMAINSID}",str(domainsid))
- set_gpo_acl(policy_path,dsacl2fsacl(acl))
+ set_gpo_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid))
res = samdb.search(base="CN=Policies,CN=System,%s"%(names.domaindn),
attrs=["cn","nTSecurityDescriptor"],
expression="", scope=SCOPE_ONELEVEL)
- security.dom_sid("S-1-5-21-1")
for policy in res:
acl = ndr_unpack(security.descriptor,str(policy["nTSecurityDescriptor"])).as_sddl()
policy_path = os.path.join(sysvol, names.dnsdomain, "Policies",
str(policy["cn"]))
- set_gpo_acl(policy_path,dsacl2fsacl(acl))
+ set_gpo_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid))
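Review bot: The bare `except:` around `os.chown(sysvol,-1,gid)` in setsysvolacl catches everything, including KeyboardInterrupt and SystemExit, and discards the reason the chown failed; narrow it to `except OSError:` so only a genuine permission or lookup failure takes the no-chown path. The fallback is also silent: a non-root provision then leaves sysvol files whose group is not `gid` while the NT ACL is still applied, so a printed warning at that point would let the operator notice the mismatch. `canchown = 1` / `canchown = 0` reads better as `True` / `False`. Neither set_gpo_acl nor setsysvolacl carries a docstring; a one-line summary of each, including that setsysvolacl walks the whole sysvol tree, would help.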
@@ -1109,7 +1120,7 @@ def provision(setup_dir, message, session_info,
sitename=None,
ol_mmr_urls=None, ol_olc=None,
setup_ds_path=None, slapd_path=None, nosync=False,
- ldap_dryrun_mode=False,setfileacl=False):
+ ldap_dryrun_mode=False,useeadb=False):
"""Provision samba4
:note: caution, this wipes all existing data!
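Review bot: Replacing the `setfileacl=False` keyword with `useeadb=False` breaks any caller that still passes `setfileacl=`; they now fail with an unexpected-keyword TypeError at call time. If the option is meant to disappear, the provision scripts and tests that pass it need updating in the same commit, or the old keyword could be accepted and ignored for a transition period. The new keyword is not mentioned in the provision docstring either; `:param useeadb: write a posix:eadb line into the generated smb.conf so extended attributes are kept in private/eadb.tdb` would document it. The provision() signature starts before this hunk.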
@@ -1168,7 +1179,7 @@ def provision(setup_dir, message, session_info,
# only install a new smb.conf if there isn't one there already
if not os.path.exists(smbconf):
make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
- targetdir, sid_generator)
+ targetdir, sid_generator,useeadb)
lp = param.LoadParm()
lp.load(smbconf)
@@ -1316,11 +1327,10 @@ def provision(setup_dir, message, session_info,
root_uid=root_uid, nobody_uid=nobody_uid,
users_gid=users_gid, wheel_gid=wheel_gid)
- setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid)
-
- if setfileacl:
- setdiracl(samdb,names,paths.netlogon,paths.sysvol,wheel_gid,domainsid)
- # Set up group policies (domain policy and domain controller policy)
+ if serverrole == "domain controller":
+ # Set up group policies (domain policy and domain controller policy)
+ setup_gpo(paths,names,samdb,policyguid,policyguid_dc,domainsid)
+ setsysvolacl(samdb,names,paths.netlogon,paths.sysvol,wheel_gid,domainsid,lp)
message("Setting up sam.ldb rootDSE marking as synchronized")
setup_modify_ldif(samdb, setup_path("provision_rootdse_modify.ldif"))
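Review bot: setsysvolacl is now called for every domain-controller provision with no opt-out, whereas the removed `setfileacl` flag let callers skip it. With the default `useeadb=False` no posix:eadb line is written, so the ACLs presumably go to filesystem xattrs and a non-root run may still fail inside setntacl where the filesystem does not permit that — this works against the commit message's stated aim and is worth confirming. If so, the call could be guarded on `useeadb` or on a caller-supplied flag as before. The enclosing provision() body extends beyond this hunk.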