diff options
Diffstat (limited to 'source4/scripting')
-rw-r--r-- | source4/scripting/python/samba/tests/upgrade.py | 2 | ||||
-rw-r--r-- | source4/scripting/python/samba/upgrade.py | 602 |
2 files changed, 302 insertions, 302 deletions
diff --git a/source4/scripting/python/samba/tests/upgrade.py b/source4/scripting/python/samba/tests/upgrade.py index f46d869656..a25743425b 100644 --- a/source4/scripting/python/samba/tests/upgrade.py +++ b/source4/scripting/python/samba/tests/upgrade.py @@ -25,4 +25,4 @@ class RegkeyDnTests(TestCase): self.assertEquals("hive=NONE", regkey_to_dn("")) def test_nested(self): - self.assertEquals("key=foo,key=bar,hive=NONE", regkey_to_dn("foo/bar")) + self.assertEquals("key=bar,key=foo,hive=NONE", regkey_to_dn("foo/bar")) diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py index 1908e3ea55..783cc008d5 100644 --- a/source4/scripting/python/samba/upgrade.py +++ b/source4/scripting/python/samba/upgrade.py @@ -11,17 +11,19 @@ from provision import findnss import provision import grp import pwd -from uuid import uuid4 -from param import default_configuration +import uuid def regkey_to_dn(name): """Convert a registry key to a DN.""" - dn = "hive=NONE" + dn = "hive=NONE" - for el in name.split("/")[1:]: + if name == "": + return dn + + for el in name.split("/"): dn = "key=%s," % el + dn - return dn + return dn # Where prefix is any of: # - HKLM @@ -33,39 +35,39 @@ def regkey_to_dn(name): def upgrade_registry(regdb,prefix,ldb): """Migrate registry contents.""" - assert regdb is not None: - prefix_up = prefix.upper() - ldif = [] + assert regdb is not None + prefix_up = prefix.upper() + ldif = [] for rk in regdb.keys: - pts = rk.name.split("/") + pts = rk.name.split("/") - # Only handle selected hive + # Only handle selected hive if pts[0].upper() != prefix_up: - continue + continue - keydn = regkey_to_dn(rk.name) + keydn = regkey_to_dn(rk.name) - pts = rk.name.split("/") + pts = rk.name.split("/") - # Convert key name to dn - ldif[rk.name] = """ + # Convert key name to dn + ldif[rk.name] = """ dn: %s name: %s """ % (keydn, pts[0]) - + for rv in rk.values: - ldif[rk.name + " (" + rv.name + ")"] = """ + ldif[rk.name + " (" + rv.name + ")"] = """ dn: %s,value=%s value: %s type: %d data:: %s""" % (keydn, rv.name, rv.name, rv.type, ldb.encode(rv.data)) - return ldif + return ldif def upgrade_sam_policy(samba3,dn): - ldif = """ + ldif = """ dn: %s changetype: modify replace: minPwdLength @@ -80,30 +82,30 @@ samba3BadLockoutMinutes: %d samba3DisconnectTime: %d """ % (dn, samba3.policy.min_password_length, - samba3.policy.password_history, samba3.policy.minimum_password_age, - samba3.policy.maximum_password_age, samba3.policy.lockout_duration, - samba3.policy.reset_count_minutes, samba3.policy.user_must_logon_to_change_password, - samba3.policy.bad_lockout_minutes, samba3.policy.disconnect_time) - - return ldif + samba3.policy.password_history, samba3.policy.minimum_password_age, + samba3.policy.maximum_password_age, samba3.policy.lockout_duration, + samba3.policy.reset_count_minutes, samba3.policy.user_must_logon_to_change_password, + samba3.policy.bad_lockout_minutes, samba3.policy.disconnect_time) + + return ldif def upgrade_sam_account(ldb,acc,domaindn,domainsid): """Upgrade a SAM account.""" if acc.nt_username is None or acc.nt_username == "": - acc.nt_username = acc.username + acc.nt_username = acc.username if acc.fullname is None: - acc.fullname = pwd.getpwnam(acc.fullname)[4] + acc.fullname = pwd.getpwnam(acc.fullname)[4] - acc.fullname = acc.fullname.split(",")[0] + acc.fullname = acc.fullname.split(",")[0] if acc.fullname is None: - acc.fullname = acc.username - - assert acc.fullname is not None - assert acc.nt_username is not None + acc.fullname = acc.username + + assert acc.fullname is not None + assert acc.nt_username is not None - ldif = """dn: cn=%s,%s + ldif = """dn: cn=%s,%s objectClass: top objectClass: user lastLogon: %d @@ -136,31 +138,31 @@ acc.acct_desc, acc.group_rid, acc.bad_password_count, acc.logon_count, acc.domain, acc.dir_drive, acc.munged_dial, acc.homedir, acc.logon_script, acc.profile_path, acc.workstations, acc.kickoff_time, acc.bad_password_time, acc.pass_last_set_time, acc.pass_can_change_time, acc.pass_must_change_time, domainsid, acc.user_rid, - ldb.encode(acc.lm_pw), ldb.encode(acc.nt_pw)) + ldb.encode(acc.lm_pw), ldb.encode(acc.nt_pw)) - return ldif + return ldif def upgrade_sam_group(group,domaindn): """Upgrade a SAM group.""" - if group.sid_name_use == 5: # Well-known group - return None + if group.sid_name_use == 5: # Well-known group + return None if group.nt_name in ("Domain Guests", "Domain Users", "Domain Admins"): - return None - + return None + if group.gid == -1: - gr = grp.getgrnam(grp.nt_name) + gr = grp.getgrnam(grp.nt_name) else: - gr = grp.getgrgid(grp.gid) + gr = grp.getgrgid(grp.gid) if gr is None: - group.unixname = "UNKNOWN" + group.unixname = "UNKNOWN" else: - group.unixname = gr.gr_name + group.unixname = gr.gr_name - assert group.unixname is not None - - ldif = """dn: cn=%s,%s + assert group.unixname is not None + + ldif = """dn: cn=%s,%s objectClass: top objectClass: group description: %s @@ -171,11 +173,11 @@ samba3SidNameUse: %d """ % (group.nt_name, domaindn, group.comment, group.nt_name, group.sid, group.unixname, group.sid_name_use) - return ldif + return ldif def upgrade_winbind(samba3,domaindn): - ldif = """ - + ldif = """ + dn: dc=none userHwm: %d groupHwm: %d @@ -183,48 +185,48 @@ groupHwm: %d """ % (samba3.idmap.user_hwm, samba3.idmap.group_hwm) for m in samba3.idmap.mappings: - ldif += """ + ldif += """ dn: SID=%s,%s SID: %s type: %d unixID: %d""" % (m.sid, domaindn, m.sid, m.type, m.unix_id) - - return ldif + + return ldif def upgrade_wins(samba3): """Upgrade the WINS database.""" - ldif = "" - version_id = 0 + ldif = "" + version_id = 0 for e in samba3.winsentries: - now = sys.nttime() - ttl = sys.unix2nttime(e.ttl) + now = sys.nttime() + ttl = sys.unix2nttime(e.ttl) - version_id+=1 + version_id+=1 numIPs = len(e.ips) if e.type == 0x1C: - rType = 0x2 + rType = 0x2 elif e.type & 0x80: if numIPs > 1: - rType = 0x2 + rType = 0x2 else: - rType = 0x1 + rType = 0x1 else: if numIPs > 1: - rType = 0x3 + rType = 0x3 else: - rType = 0x0 + rType = 0x0 if ttl > now: - rState = 0x0 # active + rState = 0x0 # active else: - rState = 0x1 # released + rState = 0x1 # released - nType = ((e.nb_flags & 0x60)>>5) + nType = ((e.nb_flags & 0x60)>>5) - ldif += """ + ldif += """ dn: name=%s,type=0x%02X type: 0x%02X name: %s @@ -240,324 +242,322 @@ versionID: %llu ldaptime(ttl), version_id) for ip in e.ips: - ldif += "address: %s\n" % ip + ldif += "address: %s\n" % ip - ldif += """ + ldif += """ dn: CN=VERSION objectClass: winsMaxVersion maxVersion: %llu """ % version_id - return ldif + return ldif def upgrade_provision(lp, samba3): - subobj = Object() + subobj = Object() - domainname = samba3.configuration.get("workgroup") - + domainname = samba3.configuration.get("workgroup") + if domainname is None: - domainname = samba3.secrets.domains[0].name - print "No domain specified in smb.conf file, assuming '%s'\n" % domainname - - domsec = samba3.find_domainsecrets(domainname) - hostsec = samba3.find_domainsecrets(hostname()) - realm = samba3.configuration.get("realm") + domainname = samba3.secrets.domains[0].name + print "No domain specified in smb.conf file, assuming '%s'\n" % domainname + + domsec = samba3.find_domainsecrets(domainname) + hostsec = samba3.find_domainsecrets(hostname()) + realm = samba3.configuration.get("realm") if realm is None: - realm = domainname - print "No realm specified in smb.conf file, assuming '%s'\n" % realm - random_init(local) + realm = domainname + print "No realm specified in smb.conf file, assuming '%s'\n" % realm + random_init(local) - subobj.realm = realm - subobj.domain = domainname - subobj.hostname = hostname() + subobj.realm = realm + subobj.domain = domainname + subobj.hostname = hostname() - assert subobj.realm is not None - assert subobj.domain is not None - assert subobj.hostname is not None + assert subobj.realm is not None + assert subobj.domain is not None + assert subobj.hostname is not None - subobj.HOSTIP = hostip() + subobj.HOSTIP = hostip() if domsec is not None: - subobj.DOMAINGUID = domsec.guid - subobj.DOMAINSID = domsec.sid + subobj.DOMAINGUID = domsec.guid + subobj.DOMAINSID = domsec.sid else: - print "Can't find domain secrets for '%s'; using random SID and GUID\n" % domainname - subobj.DOMAINGUID = uuid4() - subobj.DOMAINSID = randsid() - + print "Can't find domain secrets for '%s'; using random SID and GUID\n" % domainname + subobj.DOMAINGUID = uuid.random() + subobj.DOMAINSID = randsid() + if hostsec: - subobj.HOSTGUID = hostsec.guid + subobj.HOSTGUID = hostsec.guid else: - subobj.HOSTGUID = uuid4() - subobj.invocationid = uuid4() - subobj.krbtgtpass = randpass(12) - subobj.machinepass = randpass(12) - subobj.adminpass = randpass(12) - subobj.datestring = datestring() - subobj.root = findnss(pwd.getpwnam, "root")[4] - subobj.nobody = findnss(pwd.getpwnam, "nobody")[4] - subobj.nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2] - subobj.wheel = findnss(grp.getgrnam, "wheel", "root")[2] - subobj.users = findnss(grp.getgrnam, "users", "guest", "other")[2] - subobj.dnsdomain = subobj.realm.lower() - subobj.dnsname = "%s.%s" % (subobj.hostname.lower(), subobj.dnsdomain) - subobj.basedn = "DC=" + ",DC=".join(subobj.realm.split(".")) - rdn_list = subobj.dnsdomain.split(".") - subobj.domaindn = "DC=" + ",DC=".join(rdn_list) - subobj.domaindn_ldb = "users.ldb" - subobj.rootdn = subobj.domaindn - - modules_list = ["rootdse", - "kludge_acl", - "paged_results", - "server_sort", - "extended_dn", - "asq", - "samldb", - "password_hash", - "operational", - "objectclass", - "rdn_name", - "show_deleted", - "partition"] - subobj.modules_list = ",".join(modules_list) - - return subobj + subobj.HOSTGUID = uuid.random() + subobj.invocationid = uuid.random() + subobj.krbtgtpass = randpass(12) + subobj.machinepass = randpass(12) + subobj.adminpass = randpass(12) + subobj.datestring = datestring() + subobj.root = findnss(pwd.getpwnam, "root")[4] + subobj.nobody = findnss(pwd.getpwnam, "nobody")[4] + subobj.nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2] + subobj.wheel = findnss(grp.getgrnam, "wheel", "root")[2] + subobj.users = findnss(grp.getgrnam, "users", "guest", "other")[2] + subobj.dnsdomain = subobj.realm.lower() + subobj.dnsname = "%s.%s" % (subobj.hostname.lower(), subobj.dnsdomain) + subobj.basedn = "DC=" + ",DC=".join(subobj.realm.split(".")) + rdn_list = subobj.dnsdomain.split(".") + subobj.domaindn = "DC=" + ",DC=".join(rdn_list) + subobj.domaindn_ldb = "users.ldb" + subobj.rootdn = subobj.domaindn + + modules_list = ["rootdse", + "kludge_acl", + "paged_results", + "server_sort", + "extended_dn", + "asq", + "samldb", + "password_hash", + "operational", + "objectclass", + "rdn_name", + "show_deleted", + "partition"] + subobj.modules_list = ",".join(modules_list) + + return subobj smbconf_keep = [ - "dos charset", - "unix charset", - "display charset", - "comment", - "path", - "directory", - "workgroup", - "realm", - "netbios name", - "netbios aliases", - "netbios scope", - "server string", - "interfaces", - "bind interfaces only", - "security", - "auth methods", - "encrypt passwords", - "null passwords", - "obey pam restrictions", - "password server", - "smb passwd file", - "private dir", - "passwd chat", - "password level", - "lanman auth", - "ntlm auth", - "client NTLMv2 auth", - "client lanman auth", - "client plaintext auth", - "read only", - "hosts allow", - "hosts deny", - "log level", - "debuglevel", - "log file", - "smb ports", - "large readwrite", - "max protocol", - "min protocol", - "unicode", - "read raw", - "write raw", - "disable netbios", - "nt status support", - "announce version", - "announce as", - "max mux", - "max xmit", - "name resolve order", - "max wins ttl", - "min wins ttl", - "time server", - "unix extensions", - "use spnego", - "server signing", - "client signing", - "max connections", - "paranoid server security", - "socket options", - "strict sync", - "max print jobs", - "printable", - "print ok", - "printer name", - "printer", - "map system", - "map hidden", - "map archive", - "preferred master", - "prefered master", - "local master", - "browseable", - "browsable", - "wins server", - "wins support", - "csc policy", - "strict locking", - "preload", - "auto services", - "lock dir", - "lock directory", - "pid directory", - "socket address", - "copy", - "include", - "available", - "volume", - "fstype", - "panic action", - "msdfs root", - "host msdfs", - "winbind separator"] + "dos charset", + "unix charset", + "display charset", + "comment", + "path", + "directory", + "workgroup", + "realm", + "netbios name", + "netbios aliases", + "netbios scope", + "server string", + "interfaces", + "bind interfaces only", + "security", + "auth methods", + "encrypt passwords", + "null passwords", + "obey pam restrictions", + "password server", + "smb passwd file", + "private dir", + "passwd chat", + "password level", + "lanman auth", + "ntlm auth", + "client NTLMv2 auth", + "client lanman auth", + "client plaintext auth", + "read only", + "hosts allow", + "hosts deny", + "log level", + "debuglevel", + "log file", + "smb ports", + "large readwrite", + "max protocol", + "min protocol", + "unicode", + "read raw", + "write raw", + "disable netbios", + "nt status support", + "announce version", + "announce as", + "max mux", + "max xmit", + "name resolve order", + "max wins ttl", + "min wins ttl", + "time server", + "unix extensions", + "use spnego", + "server signing", + "client signing", + "max connections", + "paranoid server security", + "socket options", + "strict sync", + "max print jobs", + "printable", + "print ok", + "printer name", + "printer", + "map system", + "map hidden", + "map archive", + "preferred master", + "prefered master", + "local master", + "browseable", + "browsable", + "wins server", + "wins support", + "csc policy", + "strict locking", + "preload", + "auto services", + "lock dir", + "lock directory", + "pid directory", + "socket address", + "copy", + "include", + "available", + "volume", + "fstype", + "panic action", + "msdfs root", + "host msdfs", + "winbind separator"] -# -# Remove configuration variables not present in Samba4 -# oldconf: Old configuration structure -# mark: Whether removed configuration variables should be -# kept in the new configuration as "samba3:<name>" def upgrade_smbconf(oldconf,mark): - data = oldconf.data() - newconf = param_init() - - for (s in data) { - for (p in data[s]) { - keep = False - for (k in smbconf_keep) { + """Remove configuration variables not present in Samba4 + + :param oldconf: Old configuration structure + :param mark: Whether removed configuration variables should be + kept in the new configuration as "samba3:<name>" + """ + data = oldconf.data() + newconf = param_init() + + for s in data: + for p in data[s]: + keep = False + for k in smbconf_keep: if smbconf_keep[k] == p: - keep = True - break - } + keep = True + break if keep: - newconf.set(s, p, oldconf.get(s, p)) + newconf.set(s, p, oldconf.get(s, p)) elif mark: - newconf.set(s, "samba3:"+p, oldconf.get(s,p)) - } - } + newconf.set(s, "samba3:"+p, oldconf.get(s,p)) if oldconf.get("domain logons") == "True": - newconf.set("server role", "domain controller") + newconf.set("server role", "domain controller") else: if oldconf.get("security") == "user": - newconf.set("server role", "standalone") + newconf.set("server role", "standalone") else: - newconf.set("server role", "member server") + newconf.set("server role", "member server") - return newconf + return newconf def upgrade(subobj, samba3, message, paths, session_info, credentials): - ret = 0 - lp = loadparm_init() - samdb = Ldb(paths.samdb, session_info=session_info, credentials=credentials) + ret = 0 + lp = loadparm_init() + samdb = Ldb(paths.samdb, session_info=session_info, credentials=credentials) - message("Writing configuration") - newconf = upgrade_smbconf(samba3.configuration,True) - newconf.save(paths.smbconf) + message("Writing configuration") + newconf = upgrade_smbconf(samba3.configuration,True) + newconf.save(paths.smbconf) - message("Importing account policies") - ldif = upgrade_sam_policy(samba3,subobj.BASEDN) - samdb.modify(ldif) - regdb = Ldb(paths.hklm) + message("Importing account policies") + ldif = upgrade_sam_policy(samba3,subobj.BASEDN) + samdb.modify(ldif) + regdb = Ldb(paths.hklm) - regdb.modify(" + regdb.modify(""" dn: value=RefusePasswordChange,key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=System,HIVE=NONE replace: type type: 4 replace: data data: %d -" % samba3.policy.refuse_machine_password_change) +""" % samba3.policy.refuse_machine_password_change) - message("Importing users") + message("Importing users") for account in samba3.samaccounts: - msg = "... " + account.username - ldif = upgrade_sam_account(samdb, accounts,subobj.BASEDN,subobj.DOMAINSID) + msg = "... " + account.username + ldif = upgrade_sam_account(samdb, accounts,subobj.BASEDN,subobj.DOMAINSID) try: samdb.add(ldif) except LdbError, e: # FIXME: Ignore 'Record exists' errors - msg += "... error: " + str(e) - ret += 1; - message(msg) + msg += "... error: " + str(e) + ret += 1; + message(msg) - message("Importing groups") + message("Importing groups") for mapping in samba3.groupmappings: - msg = "... " + mapping.nt_name - ldif = upgrade_sam_group(mapping, subobj.BASEDN) + msg = "... " + mapping.nt_name + ldif = upgrade_sam_group(mapping, subobj.BASEDN) if ldif is not None: try: - samdb.add(ldif) + samdb.add(ldif) except LdbError, e: # FIXME: Ignore 'Record exists' errors - msg += "... error: " + str(e) - ret += 1 - message(msg) + msg += "... error: " + str(e) + ret += 1 + message(msg) - message("Importing registry data") + message("Importing registry data") for hive in ["hkcr","hkcu","hklm","hkpd","hku","hkpt"]: - message("... " + hive) - regdb = Ldb(paths[hive]) - ldif = upgrade_registry(samba3.registry, hive, regdb) - for (var j in ldif) { - var msg = "... ... " + j + message("... " + hive) + regdb = Ldb(paths[hive]) + ldif = upgrade_registry(samba3.registry, hive, regdb) + for j in ldif: + msg = "... ... " + j try: regdb.add(ldif[j]) except LdbError, e: # FIXME: Ignore 'Record exists' errors - msg += "... error: " + str(e) - ret += 1 - message(msg) + msg += "... error: " + str(e) + ret += 1 + message(msg) - message("Importing WINS data") - winsdb = Ldb(paths.winsdb) - ldb_erase(winsdb) + message("Importing WINS data") + winsdb = Ldb(paths.winsdb) + ldb_erase(winsdb) - ldif = upgrade_wins(samba3) - winsdb.add(ldif) + ldif = upgrade_wins(samba3) + winsdb.add(ldif) - # figure out ldapurl, if applicable - ldapurl = None - pdb = samba3.configuration.get_list("passdb backend") + # figure out ldapurl, if applicable + ldapurl = None + pdb = samba3.configuration.get_list("passdb backend") if pdb is not None: for backend in pdb: if len(backend) >= 7 and backend[0:7] == "ldapsam": ldapurl = backend[7:] - # URL was not specified in passdb backend but ldap /is/ used + # URL was not specified in passdb backend but ldap /is/ used if ldapurl == "": - ldapurl = "ldap://%s" % samba3.configuration.get("ldap server") + ldapurl = "ldap://%s" % samba3.configuration.get("ldap server") - # Enable samba3sam module if original passdb backend was ldap + # Enable samba3sam module if original passdb backend was ldap if ldapurl is not None: - message("Enabling Samba3 LDAP mappings for SAM database") + message("Enabling Samba3 LDAP mappings for SAM database") - samdb.modify(""" + samdb.modify(""" dn: @MODULES changetype: modify replace: @LIST @LIST: samldb,operational,objectguid,rdn_name,samba3sam """) - samdb.add(""" + samdb.add(""" dn: @MAP=samba3sam -@MAP_URL: %s""", ldapurl)) +@MAP_URL: %s""" % ldapurl) - return ret + return ret def upgrade_verify(subobj, samba3, paths, message): - message("Verifying account policies") + message("Verifying account policies") - samldb = Ldb(paths.samdb) + samldb = Ldb(paths.samdb) for account in samba3.samaccounts: - msg = samldb.search("(&(sAMAccountName=" + account.nt_username + ")(objectclass=user))") - assert(len(msg) >= 1) - - # FIXME + msg = samldb.search("(&(sAMAccountName=" + account.nt_username + ")(objectclass=user))") + assert(len(msg) >= 1) + + # FIXME |