-rw-r--r-- | source4/scripting/python/samba/provision.py | 346 |
1 files changed, 182 insertions, 164 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index a4a9e7ac46..f516e73893 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -354,150 +354,21 @@ def setup_samdb_partitions(samdb, setup_path, schemadn, configdn, domaindn): }) - -def provision(lp, setup_dir, message, blank, paths, session_info, - credentials, ldapbackend, realm=None, domain=None, hostname=None, - hostip=None, domainsid=None, hostguid=None, adminpass=None, - krbtgtpass=None, domainguid=None, policyguid=None, - invocationid=None, machinepass=None, dnspass=None, root=None, - nobody=None, nogroup=None, users=None, wheel=None, backup=None, - aci=None, serverrole=None): - """Provision samba4 - - :note: caution, this wipes all existing data! - """ - - def setup_path(file): - return os.path.join(setup_dir, file) - - erase = False - - if domainsid is None: - domainsid = security.random_sid() - if policyguid is None: - policyguid = uuid.random() - if invocationid is None: - invocationid = uuid.random() - if adminpass is None: - adminpass = misc.random_password(12) - if krbtgtpass is None: - krbtgtpass = misc.random_password(12) - if machinepass is None: - machinepass = misc.random_password(12) - if dnspass is None: - dnspass = misc.random_password(12) - if root is None: - root = findnss(pwd.getpwnam, "root")[4] - if nobody is None: - nobody = findnss(pwd.getpwnam, "nobody")[4] - if nogroup is None: - nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2] - if users is None: - users = findnss(grp.getgrnam, "users", "guest", "other", "unknown", "usr")[2] - if wheel is None: - wheel = findnss(grp.getgrnam, "wheel", "root", "staff", "adm")[2] - if backup is None: - backup = findnss(grp.getgrnam, "backup", "wheel", "root", "staff")[2] - if aci is None: - aci = "# no aci for local ldb" - if serverrole is None: - serverrole = lp.get("server role") - - if realm is None: - realm = lp.get("realm") - else: - if lp.get("realm").upper() != realm.upper(): - raise Error("realm '%s' in smb.conf must match chosen realm '%s'\n" % - (lp.get("realm"), realm)) - - assert realm is not None - realm = realm.upper() - - if domain is None: - domain = 
lp.get("workgroup") - else: - if lp.get("workgroup").upper() != domain.upper(): - raise Error("workgroup '%s' in smb.conf must match chosen domain '%s'\n", - lp.get("workgroup"), domain) - - assert domain is not None - domain = domain.upper() - if not valid_netbios_name(domain): - raise InvalidNetbiosName(domain) - - if hostname is None: - hostname = gethostname().split(".")[0].lower() - - if hostip is None: - hostip = gethostbyname(hostname) - - netbiosname = hostname.upper() - if not valid_netbios_name(netbiosname): - raise InvalidNetbiosName(netbiosname) - - dnsdomain = realm.lower() - domaindn = "DC=" + dnsdomain.replace(".", ",DC=") - rootdn = domaindn - configdn = "CN=Configuration," + rootdn - schemadn = "CN=Schema," + configdn - - rdn_dc = domaindn.split(",")[0][len("DC="):] - - message("set DOMAIN SID: %s" % str(domainsid)) - message("Provisioning for %s in realm %s" % (domain, realm)) - message("Using administrator password: %s" % adminpass) - - assert paths.smbconf is not None - - # only install a new smb.conf if there isn't one there already - if not os.path.exists(paths.smbconf): - message("Setting up smb.conf") - if serverrole == "domain controller": - smbconfsuffix = "dc" - elif serverrole == "member": - smbconfsuffix = "member" - else: - assert "Invalid server role setting: %s" % serverrole - setup_file(setup_path("provision.smb.conf.%s" % smbconfsuffix), paths.smbconf, { - "HOSTNAME": hostname, - "DOMAIN_CONF": domain, - "REALM_CONF": realm, - "SERVERROLE": serverrole, - "NETLOGONPATH": paths.netlogon, - "SYSVOLPATH": paths.sysvol, - }) - lp.reload() - - # only install a new shares config db if there is none - if not os.path.exists(paths.shareconf): - message("Setting up share.ldb") - share_ldb = Ldb(paths.shareconf, session_info=session_info, - credentials=credentials, lp=lp) - share_ldb.load_ldif_file_add(setup_path("share.ldif")) - - message("Setting up secrets.ldb") - secrets_ldb = setup_secretsdb(paths.secrets, setup_path, - 
session_info=session_info, - credentials=credentials, lp=lp) - - message("Setting up the registry") - # FIXME: Still fails for some reason - #setup_registry(paths.hklm, setup_path, session_info, - # credentials=credentials, lp=lp) - - message("Setting up templates db") - setup_templatesdb(paths.templates, setup_path, session_info=session_info, - credentials=credentials, lp=lp) - +def setup_samdb(path, setup_path, session_info, credentials, lp, + schemadn, configdn, domaindn, dnsdomain, realm, + netbiosname, message, hostname, rootdn, erase, + domainsid, aci, rdn_dc, domainguid, policyguid, + domainname, blank, adminpass, krbtgtpass, + machinepass, hostguid, invocationid, dnspass): # Also wipes the database message("Setting up sam.ldb") - samdb = SamDB(paths.samdb, session_info=session_info, + samdb = SamDB(path, session_info=session_info, credentials=credentials, lp=lp) message("Setting up sam.ldb partitions") setup_samdb_partitions(samdb, setup_path, schemadn, configdn, domaindn) - samdb = SamDB(paths.samdb, session_info=session_info, + samdb = SamDB(path, session_info=session_info, credentials=credentials, lp=lp) samdb.transaction_start() @@ -520,7 +391,7 @@ def provision(lp, setup_dir, message, blank, paths, session_info, samdb.transaction_commit() message("Pre-loading the Samba 4 and AD schema") - samdb = SamDB(paths.samdb, session_info=session_info, + samdb = SamDB(path, session_info=session_info, credentials=credentials, lp=lp) samdb.set_domain_sid(domainsid) load_schema(setup_path, samdb, schemadn, netbiosname, configdn) @@ -594,7 +465,7 @@ def provision(lp, setup_dir, message, blank, paths, session_info, "NETBIOSNAME": netbiosname, "DEFAULTSITE": DEFAULTSITE, "DNSDOMAIN": dnsdomain, - "DOMAIN": domain, + "DOMAIN": domainname, "SCHEMADN": schemadn, "DOMAINDN": domaindn, }) 
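Review bot: The new setup_samdb() introduced at the top of this hunk is destructive — the retained `# Also wipes the database` comment and the repeated `SamDB(path, ...)` open show it recreates sam.ldb at *path* — yet it has no docstring, and the `:note: caution, this wipes all existing data!` warning stays on provision() only, so any future caller of setup_samdb() gets no hint that it clobbers the database. Add a docstring directly under the def, with the summary `"""Create and populate sam.ldb at *path* (partitions, schema, provision LDIF).` and, after a blank line, `:note: caution, this wipes any existing sam.ldb at *path*!` before the closing quotes. Twenty-eight positional parameters in a fixed order are also easy to miscall; the one caller in provision() uses keywords, and the docstring should say which of `erase`, `aci` and `rdn_dc` the body actually consumes, which I cannot confirm from here. setup_samdb()'s body continues past the end of this hunk.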
@@ -651,7 +522,7 @@ def provision(lp, setup_dir, message, blank, paths, session_info, "MACHINEPASS_B64": b64encode(machinepass), "DNSPASS_B64": b64encode(dnspass), "REALM": realm, - "DOMAIN": domain, + "DOMAIN": domainname, "HOSTGUID_ADD": hostguid_add, "DNSDOMAIN": dnsdomain}) setup_add_ldif(samdb, setup_path("provision_group_policy.ldif"), { @@ -660,30 +531,6 @@ def provision(lp, setup_dir, message, blank, paths, session_info, "DOMAINSID": str(domainsid), "DOMAINDN": domaindn}) - os.makedirs(os.path.join(paths.sysvol, dnsdomain, "Policies", "{" + policyguid + "}"), 0755) - os.makedirs(os.path.join(paths.sysvol, dnsdomain, "Policies", "{" + policyguid + "}", "Machine"), 0755) - os.makedirs(os.path.join(paths.sysvol, dnsdomain, "Policies", "{" + policyguid + "}", "User"), 0755) - if not os.path.isdir(paths.netlogon): - os.makedirs(paths.netlogon, 0755) - setup_ldb(secrets_ldb, setup_path("secrets_dc.ldif"), { - "MACHINEPASS_B64": b64encode(machinepass), - "DOMAIN": domain, - "REALM": realm, - "LDAPTIME": timestring(int(time.time())), - "DNSDOMAIN": dnsdomain, - "DOMAINSID": str(domainsid), - "SECRETS_KEYTAB": paths.keytab, - "NETBIOSNAME": netbiosname, - "SAM_LDB": paths.samdb, - "DNS_KEYTAB": paths.dns_keytab, - "DNSPASS_B64": b64encode(dnspass), - }) - - setup_name_mappings(samdb, str(domainsid), - domaindn, root=root, nobody=nobody, - nogroup=nogroup, wheel=wheel, users=users, - backup=backup) - message("Setting up sam.ldb index") samdb.load_ldif_file_add(setup_path("provision_index.ldif")) 
@@ -694,6 +541,177 @@ def provision(lp, setup_dir, message, blank, paths, session_info, raise samdb.transaction_commit() + return samdb + + +def provision(lp, setup_dir, message, blank, paths, session_info, + credentials, ldapbackend, realm=None, domain=None, hostname=None, + hostip=None, domainsid=None, hostguid=None, adminpass=None, + krbtgtpass=None, domainguid=None, policyguid=None, + invocationid=None, machinepass=None, dnspass=None, root=None, + nobody=None, nogroup=None, users=None, wheel=None, backup=None, + aci=None, serverrole=None): + """Provision samba4 + + :note: caution, this wipes all existing data! + """ + + def setup_path(file): + return os.path.join(setup_dir, file) + + erase = False + + if domainsid is None: + domainsid = security.random_sid() + if policyguid is None: + policyguid = uuid.random() + if invocationid is None: + invocationid = uuid.random() + if adminpass is None: + adminpass = misc.random_password(12) + if krbtgtpass is None: + krbtgtpass = misc.random_password(12) + if machinepass is None: + machinepass = misc.random_password(12) + if dnspass is None: + dnspass = misc.random_password(12) + if root is None: + root = findnss(pwd.getpwnam, "root")[4] + if nobody is None: + nobody = findnss(pwd.getpwnam, "nobody")[4] + if nogroup is None: + nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2] + if users is None: + users = findnss(grp.getgrnam, "users", "guest", "other", "unknown", "usr")[2] + if wheel is None: + wheel = findnss(grp.getgrnam, "wheel", "root", "staff", "adm")[2] + if backup is None: + backup = findnss(grp.getgrnam, "backup", "wheel", "root", "staff")[2] + if aci is None: + aci = "# no aci for local ldb" + if serverrole is None: + serverrole = lp.get("server role") + + if realm is None: + realm = lp.get("realm") + else: + if lp.get("realm").upper() != realm.upper(): + raise Error("realm '%s' in smb.conf must match chosen realm '%s'\n" % + (lp.get("realm"), realm)) + + assert realm is not None + realm = realm.upper() + 
+ if domain is None: + domain = lp.get("workgroup") + else: + if lp.get("workgroup").upper() != domain.upper(): + raise Error("workgroup '%s' in smb.conf must match chosen domain '%s'\n", + lp.get("workgroup"), domain) + + assert domain is not None + domain = domain.upper() + if not valid_netbios_name(domain): + raise InvalidNetbiosName(domain) + + if hostname is None: + hostname = gethostname().split(".")[0].lower() + + if hostip is None: + hostip = gethostbyname(hostname) + + netbiosname = hostname.upper() + if not valid_netbios_name(netbiosname): + raise InvalidNetbiosName(netbiosname) + + dnsdomain = realm.lower() + domaindn = "DC=" + dnsdomain.replace(".", ",DC=") + rootdn = domaindn + configdn = "CN=Configuration," + rootdn + schemadn = "CN=Schema," + configdn + + rdn_dc = domaindn.split(",")[0][len("DC="):] + + message("set DOMAIN SID: %s" % str(domainsid)) + message("Provisioning for %s in realm %s" % (domain, realm)) + message("Using administrator password: %s" % adminpass) + + assert paths.smbconf is not None + + # only install a new smb.conf if there isn't one there already + if not os.path.exists(paths.smbconf): + message("Setting up smb.conf") + if serverrole == "domain controller": + smbconfsuffix = "dc" + elif serverrole == "member": + smbconfsuffix = "member" + else: + assert "Invalid server role setting: %s" % serverrole + setup_file(setup_path("provision.smb.conf.%s" % smbconfsuffix), paths.smbconf, { + "HOSTNAME": hostname, + "DOMAIN_CONF": domain, + "REALM_CONF": realm, + "SERVERROLE": serverrole, + "NETLOGONPATH": paths.netlogon, + "SYSVOLPATH": paths.sysvol, + }) + lp.reload() + + # only install a new shares config db if there is none + if not os.path.exists(paths.shareconf): + message("Setting up share.ldb") + share_ldb = Ldb(paths.shareconf, session_info=session_info, + credentials=credentials, lp=lp) + share_ldb.load_ldif_file_add(setup_path("share.ldif")) + + message("Setting up secrets.ldb") + secrets_ldb = setup_secretsdb(paths.secrets, 
setup_path, + session_info=session_info, + credentials=credentials, lp=lp) + + message("Setting up the registry") + # FIXME: Still fails for some reason + #setup_registry(paths.hklm, setup_path, session_info, + # credentials=credentials, lp=lp) + + message("Setting up templates db") + setup_templatesdb(paths.templates, setup_path, session_info=session_info, + credentials=credentials, lp=lp) + + samdb = setup_samdb(paths.samdb, setup_path, session_info=session_info, credentials=credentials, + lp=lp, schemadn=schemadn, configdn=configdn, domaindn=domaindn, + dnsdomain=dnsdomain, netbiosname=netbiosname, realm=realm, message=message, + hostname=hostname, rootdn=rootdn, erase=erase, domainsid=domainsid, aci=aci, + rdn_dc=rdn_dc, domainguid=domainguid, policyguid=policyguid, + domainname=domain, blank=blank, adminpass=adminpass, krbtgtpass=krbtgtpass, + hostguid=hostguid, invocationid=invocationid, machinepass=machinepass, + dnspass=dnspass) + + if lp.get("server role") == "domain controller": + os.makedirs(os.path.join(paths.sysvol, dnsdomain, "Policies", "{" + policyguid + "}"), 0755) + os.makedirs(os.path.join(paths.sysvol, dnsdomain, "Policies", "{" + policyguid + "}", "Machine"), 0755) + os.makedirs(os.path.join(paths.sysvol, dnsdomain, "Policies", "{" + policyguid + "}", "User"), 0755) + if not os.path.isdir(paths.netlogon): + os.makedirs(paths.netlogon, 0755) + setup_ldb(secrets_ldb, setup_path("secrets_dc.ldif"), { + "MACHINEPASS_B64": b64encode(machinepass), + "DOMAIN": domain, + "REALM": realm, + "LDAPTIME": timestring(int(time.time())), + "DNSDOMAIN": dnsdomain, + "DOMAINSID": str(domainsid), + "SECRETS_KEYTAB": paths.keytab, + "NETBIOSNAME": netbiosname, + "SAM_LDB": paths.samdb, + "DNS_KEYTAB": paths.dns_keytab, + "DNSPASS_B64": b64encode(dnspass), + }) + + if not blank: + setup_name_mappings(samdb, str(domainsid), + domaindn, root=root, nobody=nobody, + nogroup=nogroup, wheel=wheel, users=users, + backup=backup) message("Setting up phpLDAPadmin 
configuration") create_phplpapdadmin_config(paths.phpldapadminconfig, setup_path, paths.s4_ldapi_path) |
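Review bot: The new DC-only branch near the end of provision() gates the sysvol/netlogon tree and secrets_dc.ldif on `lp.get("server role")`, while the smb.conf template choice earlier in the same function keys on the `serverrole` parameter; a caller passing serverrole="domain controller" against an smb.conf that says otherwise therefore gets sam.ldb provisioned as a DC but no machine secrets or sysvol, so the branch should read `if serverrole == "domain controller":`. The role validation above it, `assert "Invalid server role setting: %s" % serverrole`, asserts a non-empty string and never fires, which leaves `smbconfsuffix` unbound for any other role — make it `raise Error("Invalid server role setting: %s" % serverrole)`. The workgroup mismatch check passes its format arguments to Error instead of applying them; `raise Error("workgroup '%s' in smb.conf must match chosen domain '%s'\n" % (lp.get("workgroup"), domain))` would match the realm check a few lines earlier. Lastly, `message("Using administrator password: %s" % adminpass)` echoes the administrator password to whatever sink message() writes to, so if that is ever a log file rather than the operator's terminal it should be printed only when the password was generated here, or not at all.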