-rw-r--r--python/samba/join.py2
-rw-r--r--python/samba/netcmd/domain.py9
-rw-r--r--python/samba/provision/__init__.py12
-rw-r--r--python/samba/provision/common.py5
-rw-r--r--python/samba/provision/sambadns.py90
-rw-r--r--python/samba/upgrade.py3
-rw-r--r--python/samba/upgradehelpers.py3
-rwxr-xr-xsource4/scripting/bin/samba_upgradedns5
-rw-r--r--source4/setup/provision_dnszones_add.ldif51
-rw-r--r--source4/setup/provision_dnszones_modify.ldif31
-rw-r--r--source4/setup/provision_dnszones_partitions.ldif9
11 files changed, 99 insertions, 121 deletions
diff --git a/python/samba/join.py b/python/samba/join.py
index 1785ab3e88..9cac8f5ed2 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -24,6 +24,7 @@ from samba import gensec, Ldb, drs_utils
import ldb, samba, sys, uuid
from samba.ndr import ndr_pack
from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs
+from samba.dsdb import DS_DOMAIN_FUNCTION_2003
from samba.credentials import Credentials, DONT_USE_KERBEROS
from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN
from samba.provision.common import setup_path
@@ -765,6 +766,7 @@ class dc_join(object):
presult = provision_fill(ctx.local_samdb, secrets_ldb,
ctx.logger, ctx.names, ctx.paths, domainsid=security.dom_sid(ctx.domsid),
domainguid=domguid,
+ dom_for_fun_level=DS_DOMAIN_FUNCTION_2003,
targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN,
machinepass=ctx.acct_pass, serverrole="active directory domain controller",
lp=ctx.lp, hostip=ctx.names.hostip, hostip6=ctx.names.hostip6,
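Review bot: The added `dom_for_fun_level=DS_DOMAIN_FUNCTION_2003` pins the functional level of every subdomain join to 2003, and provision_fill forwards that value as `os_level` to setup_ad_dns (see the provision/__init__.py hunk), so a parent forest at a newer level presumably gets 2003-era DNS settings. If the parent's behaviour version is available on ctx (it is not visible here), it would be safer to pass that; otherwise a comment should record why 2003 is the intended floor, e.g. `# pinned to 2003 because <reason>; TODO(review): derive from the parent forest`. The enclosing dc_join method starts and ends outside the hunk.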
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 217b5369b7..9824da1610 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -67,11 +67,14 @@ from samba.dsdb import (
from samba.credentials import DONT_USE_KERBEROS
from samba.provision import (
provision,
+ ProvisioningError
+ )
+
+from samba.provision.common import (
FILL_FULL,
FILL_NT4SYNC,
- FILL_DRS,
- ProvisioningError,
- )
+ FILL_DRS
+)
def get_testparm_var(testparm, smbconf, varname):
cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
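Review bot: The two rewritten import blocks end differently — `ProvisioningError` with no trailing comma and the parenthesis indented as `+ )`, `FILL_DRS` with no trailing comma and `+)` at column 0 — whereas the removed lines kept a trailing comma after the last name. Keeping `ProvisioningError,` / `)` and `FILL_DRS,` / `)` makes the next added name a one-line diff and matches the style of the other import blocks touched by this commit.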
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 698df94f34..d8f353f54a 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -101,7 +101,11 @@ from samba.provision.common import (
setup_path,
setup_add_ldif,
setup_modify_ldif,
- )
+ FILL_FULL,
+ FILL_SUBDOMAIN,
+ FILL_NT4SYNC,
+ FILL_DRS
+)
from samba.provision.sambadns import (
get_dnsadmins_sid,
setup_ad_dns,
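Review bot: FILL_FULL, FILL_SUBDOMAIN, FILL_NT4SYNC and FILL_DRS are imported here but, judging by the later hunk that deletes their definitions, only to keep them reachable as `samba.provision.FILL_*` for callers not updated in this commit; nothing marks that intent, so a linter or a future cleanup will drop them as unused imports. A one-line comment on the import, `# re-exported: out-of-tree callers still import FILL_* from samba.provision`, or an explicit `__all__` entry, would protect the compatibility shim. Whether any in-tree caller still relies on it after upgrade.py and upgradehelpers.py were switched is not visible here.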
@@ -1462,10 +1466,6 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
return samdb
-FILL_FULL = "FULL"
-FILL_SUBDOMAIN = "SUBDOMAIN"
-FILL_NT4SYNC = "NT4SYNC"
-FILL_DRS = "DRS"
SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
SYSVOL_SERVICE="sysvol"
@@ -1795,7 +1795,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
setup_ad_dns(samdb, secrets_ldb, domainsid, names, paths, lp, logger,
hostip=hostip, hostip6=hostip6, dns_backend=dns_backend,
dnspass=dnspass, os_level=dom_for_fun_level,
- targetdir=targetdir, site=DEFAULTSITE)
+ targetdir=targetdir, site=DEFAULTSITE, fill_level=samdb_fill)
domainguid = samdb.searchone(basedn=samdb.get_default_basedn(),
attribute="objectGUID")
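Review bot: `fill_level=samdb_fill` is compared only against FILL_SUBDOMAIN in sambadns.py, so every other value provision_fill can receive (FILL_DRS, FILL_NT4SYNC, or None if a caller omits samdb_fill) takes the full path and creates a local ForestDnsZones partition. Whether provision_fill reaches setup_ad_dns for those levels is decided outside this hunk, so if it can, a comment such as `# only FILL_SUBDOMAIN skips the forest-wide DNS partition; all other levels create it locally` next to the call would make the contract explicit. provision_fill starts and ends outside the hunk.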
diff --git a/python/samba/provision/common.py b/python/samba/provision/common.py
index f96704bcce..03e2278951 100644
--- a/python/samba/provision/common.py
+++ b/python/samba/provision/common.py
@@ -31,6 +31,11 @@ import os
from samba import read_and_sub_file
from samba.param import setup_dir
+FILL_FULL = "FULL"
+FILL_SUBDOMAIN = "SUBDOMAIN"
+FILL_NT4SYNC = "NT4SYNC"
+FILL_DRS = "DRS"
+
def setup_path(file):
"""Return an absolute path to the provision tempate file specified by file"""
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 46cfc89f4c..5fd3805786 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -48,7 +48,11 @@ from samba.provision.common import (
setup_path,
setup_add_ldif,
setup_modify_ldif,
- setup_ldb
+ setup_ldb,
+ FILL_FULL,
+ FILL_SUBDOMAIN,
+ FILL_NT4SYNC,
+ FILL_DRS,
)
@@ -230,15 +234,20 @@ class AgingEnabledTimeProperty(dnsp.DnsProperty):
def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
- serverdn):
+ serverdn, fill_level):
domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
descriptor = get_dns_partition_descriptor(domainsid)
+
setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
- "DOMAINZONE_DN": domainzone_dn,
- "FORESTZONE_DN": forestzone_dn,
+ "ZONE_DN": domainzone_dn,
"SECDESC" : b64encode(descriptor)
})
+ if fill_level != FILL_SUBDOMAIN:
+ setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
+ "ZONE_DN": forestzone_dn,
+ "SECDESC" : b64encode(descriptor)
+ })
domainzone_guid = get_domainguid(samdb, domainzone_dn)
forestzone_guid = get_domainguid(samdb, forestzone_dn)
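Review bot: `forestzone_guid = get_domainguid(samdb, forestzone_dn)` still runs unconditionally, but in the FILL_SUBDOMAIN case the line just above it no longer creates `forestzone_dn` in this samdb, so the lookup targets a DN that may not exist locally; how get_domainguid behaves on a missing DN is not visible here, but either a search failure or an unusable value would reach the forest branch of the next hunk. Guarding the lookup the same way as the creation, `forestzone_guid = None if fill_level == FILL_SUBDOMAIN else get_domainguid(samdb, forestzone_dn)`, keeps the two consistent; the same consideration applies to `forestzone_dns` computed just after this hunk. setup_dns_partitions continues past the hunk.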
@@ -252,25 +261,36 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
protected1_desc = get_domain_delete_protected1_descriptor(domainsid)
protected2_desc = get_domain_delete_protected2_descriptor(domainsid)
setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), {
- "DOMAINZONE_DN": domainzone_dn,
- "FORESTZONE_DN": forestzone_dn,
- "DOMAINZONE_GUID": domainzone_guid,
- "FORESTZONE_GUID": forestzone_guid,
- "DOMAINZONE_DNS": domainzone_dns,
- "FORESTZONE_DNS": forestzone_dns,
+ "ZONE_DN": domainzone_dn,
+ "ZONE_GUID": domainzone_guid,
+ "ZONE_DNS": domainzone_dns,
"CONFIGDN": configdn,
"SERVERDN": serverdn,
"LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc),
"INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc),
})
-
setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), {
"CONFIGDN": configdn,
"SERVERDN": serverdn,
- "DOMAINZONE_DN": domainzone_dn,
- "FORESTZONE_DN": forestzone_dn,
+ "ZONE_DN": domainzone_dn,
})
+ if fill_level != FILL_SUBDOMAIN:
+ setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), {
+ "ZONE_DN": forestzone_dn,
+ "ZONE_GUID": forestzone_guid,
+ "ZONE_DNS": forestzone_dns,
+ "CONFIGDN": configdn,
+ "SERVERDN": serverdn,
+ "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc),
+ "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc),
+ })
+ setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), {
+ "CONFIGDN": configdn,
+ "SERVERDN": serverdn,
+ "ZONE_DN": forestzone_dn,
+ })
+
def add_dns_accounts(samdb, domaindn):
setup_add_ldif(samdb, setup_path("provision_dns_accounts_add.ldif"), {
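Review bot: The forest branch added at the end of setup_dns_partitions is a verbatim copy of the domain-zone add/modify pair above it with `domainzone_*` swapped for `forestzone_*`; the two already drifted once in this very commit (the blank line removed between the domain add and modify calls is kept in the forest copy), and a later template change must be applied twice. Extracting a private helper that takes the zone triple and is called once per zone removes the duplication and makes the `fill_level != FILL_SUBDOMAIN` decision a single line.
```python
def _setup_dns_zone(samdb, zone_dn, zone_guid, zone_dns, configdn, serverdn,
                    protected1_desc, protected2_desc):
    """Add the well-known containers, crossRef and NTDS links for one DNS zone NC."""
    setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), {
        "ZONE_DN": zone_dn,
        "ZONE_GUID": zone_guid,
        "ZONE_DNS": zone_dns,
        "CONFIGDN": configdn,
        "SERVERDN": serverdn,
        "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc),
        "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc),
    })
    setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), {
        "CONFIGDN": configdn,
        "SERVERDN": serverdn,
        "ZONE_DN": zone_dn,
    })

# … unchanged: setup_dns_partitions up to the protected descriptors …
    _setup_dns_zone(samdb, domainzone_dn, domainzone_guid, domainzone_dns,
                    configdn, serverdn, protected1_desc, protected2_desc)
    # A subdomain DC does not own a local replica of the forest-wide zone NC.
    if fill_level != FILL_SUBDOMAIN:
        _setup_dns_zone(samdb, forestzone_dn, forestzone_guid, forestzone_dns,
                        configdn, serverdn, protected1_desc, protected2_desc)
```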
@@ -928,21 +948,23 @@ def fill_dns_data_legacy(samdb, domainsid, forestdn, dnsdomain, site, hostname,
def create_dns_partitions(samdb, domainsid, names, domaindn, forestdn,
- dnsadmins_sid):
+ dnsadmins_sid, fill_level):
# Set up additional partitions (DomainDnsZones, ForstDnsZones)
setup_dns_partitions(samdb, domainsid, domaindn, forestdn,
- names.configdn, names.serverdn)
+ names.configdn, names.serverdn, fill_level)
# Set up MicrosoftDNS containers
add_dns_container(samdb, domaindn, "DC=DomainDnsZones", domainsid,
dnsadmins_sid)
- add_dns_container(samdb, forestdn, "DC=ForestDnsZones", domainsid,
- dnsadmins_sid, forest=True)
+ if fill_level != FILL_SUBDOMAIN:
+ add_dns_container(samdb, forestdn, "DC=ForestDnsZones", domainsid,
+ dnsadmins_sid, forest=True)
def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
- dnsdomain, dnsforest, hostname, hostip, hostip6,
- domainguid, ntdsguid, dnsadmins_sid, autofill=True):
+ dnsdomain, dnsforest, hostname, hostip, hostip6,
+ domainguid, ntdsguid, dnsadmins_sid, autofill=True,
+ fill_level=FILL_FULL):
"""Fill data in various AD partitions
:param samdb: LDB object connected to sam.ldb file
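Review bot: `create_dns_partitions` gains `fill_level` as a required positional parameter while `fill_dns_data_partitions` (this hunk) and `setup_ad_dns` (the next one) take it as `fill_level=FILL_FULL`; any caller of create_dns_partitions that is not updated in this commit now fails with a TypeError, and the in-tree samba_upgradedns had to be patched to pass FILL_FULL explicitly. Giving it the same default, `dnsadmins_sid, fill_level=FILL_FULL):`, keeps the three entry points consistent and backward compatible. Neither docstring documents the new parameter; add `:param fill_level: one of the FILL_* levels; FILL_SUBDOMAIN skips the ForestDnsZones records` to the docstring that starts here and to setup_ad_dns's in the next hunk (both continue outside their hunks).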
@@ -974,20 +996,21 @@ def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
add_dc_domain_records(samdb, domaindn, "DC=DomainDnsZones", site,
dnsdomain, hostname, hostip, hostip6)
- ##### Set up DC=ForestDnsZones,<DOMAINDN>
- # Add _msdcs record
- add_msdcs_record(samdb, forestdn, "DC=ForestDnsZones", dnsforest)
+ if fill_level != FILL_SUBDOMAIN:
+ ##### Set up DC=ForestDnsZones,<FORESTDN>
+ # Add _msdcs record
+ add_msdcs_record(samdb, forestdn, "DC=ForestDnsZones", dnsforest)
- # Add DNS records for a DC in forest
- if autofill:
- add_dc_msdcs_records(samdb, forestdn, "DC=ForestDnsZones", site,
- dnsforest, hostname, hostip, hostip6,
- domainguid, ntdsguid)
+ # Add DNS records for a DC in forest
+ if autofill:
+ add_dc_msdcs_records(samdb, forestdn, "DC=ForestDnsZones", site,
+ dnsforest, hostname, hostip, hostip6,
+ domainguid, ntdsguid)
def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
dns_backend, os_level, site, dnspass=None, hostip=None, hostip6=None,
- targetdir=None):
+ targetdir=None, fill_level=FILL_FULL):
"""Provision DNS information (assuming GC role)
:param samdb: LDB object connected to sam.ldb file
@@ -1062,18 +1085,19 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
# Create DNS partitions
logger.info("Creating DomainDnsZones and ForestDnsZones partitions")
create_dns_partitions(samdb, domainsid, names, domaindn, forestdn,
- dnsadmins_sid)
+ dnsadmins_sid, fill_level)
# Populating dns partitions
logger.info("Populating DomainDnsZones and ForestDnsZones partitions")
fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
- dnsdomain, dnsforest, hostname, hostip, hostip6,
- domainguid, names.ntdsguid, dnsadmins_sid)
+ dnsdomain, dnsforest, hostname, hostip, hostip6,
+ domainguid, names.ntdsguid, dnsadmins_sid,
+ fill_level=fill_level)
if dns_backend.startswith("BIND9_"):
setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
- dns_backend, os_level, site=site, dnspass=dnspass, hostip=hostip,
- hostip6=hostip6, targetdir=targetdir)
+ dns_backend, os_level, site=site, dnspass=dnspass, hostip=hostip,
+ hostip6=hostip6, targetdir=targetdir)
def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
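Review bot: The two log lines kept as context, "Creating DomainDnsZones and ForestDnsZones partitions" and "Populating DomainDnsZones and ForestDnsZones partitions", are now wrong for the FILL_SUBDOMAIN case, where the calls they describe deliberately skip ForestDnsZones; an operator reading a subdomain join log will look for a partition that was never created. Something like `zones = "DomainDnsZones" if fill_level == FILL_SUBDOMAIN else "DomainDnsZones and ForestDnsZones"` followed by `logger.info("Creating %s partitions" % zones)` (and the same for "Populating") keeps the log truthful. setup_bind9_dns is still called without fill_level; if it emits forest-zone configuration (its body is outside this hunk), the same skip needs to reach it — worth verifying.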
diff --git a/python/samba/upgrade.py b/python/samba/upgrade.py
index 6b55ed76a7..ff5990c667 100644
--- a/python/samba/upgrade.py
+++ b/python/samba/upgrade.py
@@ -26,7 +26,8 @@ import pwd
from samba import Ldb, registry
from samba.param import LoadParm
-from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
+from samba.provision import provision, ProvisioningError, setsysvolacl
+from samba.provision.common import FILL_FULL
from samba.samba3 import passdb
from samba.samba3 import param as s3param
from samba.dcerpc import lsa, samr, security
diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py
index b6750eb430..d2b0a1872f 100644
--- a/python/samba/upgradehelpers.py
+++ b/python/samba/upgradehelpers.py
@@ -31,8 +31,9 @@ from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE
import ldb
from samba.provision import (provision_paths_from_lp,
getpolicypath, set_gpos_acl, create_gpo_struct,
- FILL_FULL, provision, ProvisioningError,
+ provision, ProvisioningError,
setsysvolacl, secretsdb_self_join)
+from samba.provision.common import FILL_FULL
from samba.dcerpc import xattr, drsblobs, security
from samba.dcerpc.misc import SEC_CHAN_BDC
from samba.ndr import ndr_unpack
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index 6b208c927f..d2c96cc1c2 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -46,7 +46,8 @@ from samba.provision import (
interface_ips_v6 )
from samba.provision.common import (
setup_path,
- setup_add_ldif )
+ setup_add_ldif,
+ FILL_FULL)
from samba.provision.sambadns import (
ARecord,
AAAARecord,
@@ -339,7 +340,7 @@ if __name__ == '__main__':
logger.debug("IPv6 addresses: %s" % hostip6)
create_dns_partitions(ldbs.sam, domainsid, names, domaindn, forestdn,
- dnsadmins_sid)
+ dnsadmins_sid, FILL_FULL)
logger.info("Populating DNS partitions")
fill_dns_data_partitions(ldbs.sam, domainsid, site, domaindn, forestdn,
diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif
index bf872f0b64..860aa4b72b 100644
--- a/source4/setup/provision_dnszones_add.ldif
+++ b/source4/setup/provision_dnszones_add.ldif
@@ -1,7 +1,7 @@
#################################
# Required objectclasses
#################################
-dn: CN=Deleted Objects,${DOMAINZONE_DN}
+dn: CN=Deleted Objects,${ZONE_DN}
objectClass: top
objectClass: container
description: Deleted objects
@@ -9,71 +9,34 @@ isDeleted: TRUE
isCriticalSystemObject: TRUE
systemFlags: -1946157056
-dn: CN=LostAndFound,${DOMAINZONE_DN}
+dn: CN=LostAndFound,${ZONE_DN}
objectClass: top
objectClass: lostAndFound
isCriticalSystemObject: TRUE
systemFlags: -1946157056
nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
-dn: CN=Infrastructure,${DOMAINZONE_DN}
+dn: CN=Infrastructure,${ZONE_DN}
objectClass: top
objectClass: infrastructureUpdate
isCriticalSystemObject: TRUE
systemFlags: -1946157056
nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
-dn: CN=NTDS Quotas,${DOMAINZONE_DN}
+dn: CN=NTDS Quotas,${ZONE_DN}
objectClass: top
objectClass: msDS-QuotaContainer
isCriticalSystemObject: TRUE
systemFlags: -1946157056
-dn: CN=Deleted Objects,${FORESTZONE_DN}
-objectClass: top
-objectClass: container
-description: Deleted objects
-isDeleted: TRUE
-isCriticalSystemObject: TRUE
-systemFlags: -1946157056
-
-dn: CN=LostAndFound,${FORESTZONE_DN}
-objectClass: top
-objectClass: lostAndFound
-isCriticalSystemObject: TRUE
-systemFlags: -1946157056
-nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
-
-dn: CN=Infrastructure,${FORESTZONE_DN}
-objectClass: top
-objectClass: infrastructureUpdate
-isCriticalSystemObject: TRUE
-systemFlags: -1946157056
-nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
-
-dn: CN=NTDS Quotas,${FORESTZONE_DN}
-objectClass: top
-objectClass: msDS-QuotaContainer
-isCriticalSystemObject: TRUE
-systemFlags: -1946157056
-
#################################
# Configure partitions
#################################
-dn: CN=${DOMAINZONE_GUID},CN=Partitions,${CONFIGDN}
+dn: CN=${ZONE_GUID},CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRef
-nCName: ${DOMAINZONE_DN}
-dnsRoot: ${DOMAINZONE_DNS}
+nCName: ${ZONE_DN}
+dnsRoot: ${ZONE_DNS}
systemFlags: 5
msDS-NC-Replica-Locations: CN=NTDS Settings,${SERVERDN}
-
-dn: CN=${FORESTZONE_GUID},CN=Partitions,${CONFIGDN}
-objectClass: top
-objectClass: crossRef
-nCName: ${FORESTZONE_DN}
-dnsRoot: ${FORESTZONE_DNS}
-systemFlags: 5
-msDS-NC-Replica-Locations: CN=NTDS Settings,${SERVERDN}
-
diff --git a/source4/setup/provision_dnszones_modify.ldif b/source4/setup/provision_dnszones_modify.ldif
index 0dc942ff1e..108d8b8b1b 100644
--- a/source4/setup/provision_dnszones_modify.ldif
+++ b/source4/setup/provision_dnszones_modify.ldif
@@ -1,36 +1,21 @@
-dn: ${DOMAINZONE_DN}
+dn: ${ZONE_DN}
changetype: modify
add: wellKnownObjects
-wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS Quotas,${DOMAINZONE_DN}
-wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted Objects,${DOMAINZONE_DN}
-wellKnownObjects: B:32:2fbac1870ade11d297c400c04fd8d5cd:CN=Infrastructure,${DOMAINZONE_DN}
-wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,${DOMAINZONE_DN}
+wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS Quotas,${ZONE_DN}
+wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted Objects,${ZONE_DN}
+wellKnownObjects: B:32:2fbac1870ade11d297c400c04fd8d5cd:CN=Infrastructure,${ZONE_DN}
+wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,${ZONE_DN}
-dn: CN=Infrastructure,${DOMAINZONE_DN}
+dn: CN=Infrastructure,${ZONE_DN}
changetype: modify
add: fSMORoleOwner
fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-dn: CN=Infrastructure,${FORESTZONE_DN}
-changetype: modify
-add: fSMORoleOwner
-fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-
-dn: ${FORESTZONE_DN}
-changetype: modify
-add: wellKnownObjects
-wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS Quotas,${FORESTZONE_DN}
-wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted Objects,${FORESTZONE_DN}
-wellKnownObjects: B:32:2fbac1870ade11d297c400c04fd8d5cd:CN=Infrastructure,${FORESTZONE_DN}
-wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,${FORESTZONE_DN}
-
dn: CN=NTDS Settings,${SERVERDN}
changetype: modify
add: msDS-HasInstantiatedNCs
-msDS-HasInstantiatedNCs: B:8:0000000D:${DOMAINZONE_DN}
-msDS-HasInstantiatedNCs: B:8:0000000D:${FORESTZONE_DN}
+msDS-HasInstantiatedNCs: B:8:0000000D:${ZONE_DN}
-
add: msDS-hasMasterNCs
-msDS-hasMasterNCs: ${DOMAINZONE_DN}
-msDS-hasMasterNCs: ${FORESTZONE_DN}
+msDS-hasMasterNCs: ${ZONE_DN}
-
diff --git a/source4/setup/provision_dnszones_partitions.ldif b/source4/setup/provision_dnszones_partitions.ldif
index 4ab7aedd90..c022bd02aa 100644
--- a/source4/setup/provision_dnszones_partitions.ldif
+++ b/source4/setup/provision_dnszones_partitions.ldif
@@ -1,7 +1,7 @@
################################
## DNSZones Naming Context
################################
-dn: ${DOMAINZONE_DN}
+dn: ${ZONE_DN}
objectClass: top
objectClass: domainDNS
description: Microsoft DNS Directory
@@ -9,10 +9,3 @@ msDS-NcType: 0
instanceType: 13
ntSecurityDescriptor:: ${SECDESC}
-dn: ${FORESTZONE_DN}
-objectClass: top
-objectClass: domainDNS
-description: Microsoft DNS Directory
-msDS-NcType: 0
-instanceType: 13
-ntSecurityDescriptor:: ${SECDESC}