diff options
Diffstat (limited to 'source4/scripting')
-rw-r--r-- | source4/scripting/python/samba/provision.py | 842 | ||||
-rw-r--r-- | source4/scripting/python/samba/upgrade.py | 561 |
2 files changed, 1403 insertions, 0 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py new file mode 100644 index 0000000000..3d391863da --- /dev/null +++ b/source4/scripting/python/samba/provision.py @@ -0,0 +1,842 @@ +# +# backend code for provisioning a Samba4 server +# Copyright Andrew Tridgell 2005 +# Copyright Jelmer Vernooij 2007 +# Released under the GNU GPL v2 or later +# + +from base64 import b64encode +import os +import pwd +import grp +import time +import uuid, sid, misc +from socket import gethostname, gethostbyname +import param +import registry +from samba import Ldb, substitute_var +from ldb import Dn, SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError, \ + LDB_ERR_NO_SUCH_OBJECT, timestring + + +class InvalidNetbiosName(Exception): + def __init__(self, name): + super(InvalidNetbiosName, self).__init__("The name '%r' is not a valid NetBIOS name" % name) + + +class ProvisionSettings(object): + def __init__(self, realm=None, domain=None, hostname=None, hostip=None): + self.realm = realm + self.domain = domain + self.hostname = hostname + self.hostip = hostip + self.domainsid = None + self.invocationid = None + self.krbtgtpass = None + self.machinepass = None + self.adminpass = None + self.defaultsite = "Default-First-Site-Name" + self.datestring = None + self.root = None + self.nobody = None + self.nogroup = None + self.wheel = None + self.backup = None + self.users = None + self.dnsdomain = None + self.dnsname = None + self.domaindn = None + self.domaindn_ldb = None + self.rootdn = None + self.configdn = None + self.configdn_ldb = None + self.schemedn = None + self.schemedn_ldb = None + self.s4_ldapi_path = None + self.policyguid = None + + def subst_vars(self): + return {"SCHEMADN": self.schemadn, + "SCHEMADN_LDB": self.schemadn_ldb, + "SCHEMADN_MOD": "schema_fsmo", + "SCHEMADN_MOD2": ",objectguid", + "CONFIGDN": self.configdn, + "TDB_MODULES_LIST": ","+",".join(self.tdb_modules_list) + "MODULES_LIST2": ",".join(self.modules_list2) + "CONFIGDN_LDB": self.configdn_ldb, + "DOMAINDN": self.domaindn, + "DOMAINDN_LDB": self.domaindn_ldb, + "DOMAINDN_MOD": "pdc_fsmo,password_hash", + "DOMAINDN_MOD2": ",objectguid", + "DOMAINSID": self.domainsid, + "MODULES_LIST": ",".join(self.modules_list), + "CONFIGDN_MOD": "naming_fsmo", + "CONFIGDN_MOD2": ",objectguid", + "NETBIOSNAME": self.netbiosname, + "DNSNAME": self.dnsname, + "ROOTDN": self.rootdn, + "DNSDOMAIN": self.dnsdomain, + "REALM": self.realm, + "DEFAULTSITE": self.defaultsite, + "MACHINEPASS_B64": b64encode(self.machinepass), + "ADMINPASS_B64": b64encode(self.adminpass), + "DNSPASS_B64": b64encode(self.dnspass), + "KRBTGTPASS_B64": b64encode(self.krbtgtpass), + "S4_LDAPI_URI": "ldapi://%s" % self.s4_ldapi_path.replace("/", "%2F"), + "LDAPTIME": timestring(int(time.time())), + "POLICYGUID": self.policyguid, + "RDN_DC": self.rdn_dc, + "DOMAINGUID_MOD": self.domainguid_mod, + } + + def fix(self, paths): + self.realm = self.realm.upper() + self.hostname = self.hostname.lower() + self.domain = self.domain.upper() + if not valid_netbios_name(self.domain): + raise InvalidNetbiosName(self.domain) + self.netbiosname = self.hostname.upper() + if not valid_netbios_name(self.netbiosname): + raise InvalidNetbiosName(self.netbiosname) + rdns = self.domaindn.split(",") + self.rdn_dc = rdns[0][len("DC="):] + + self.sam_ldb = paths.samdb + self.secrets_ldb = paths.secrets + self.secrets_keytab = paths.keytab + + self.s4_ldapi_path = paths.s4_ldapi_path + + def validate(self, lp): + if not valid_netbios_name(self.domain): + raise InvalidNetbiosName(self.domain) + + if not valid_netbios_name(self.netbiosname): + raise InvalidNetbiosName(self.netbiosname) + + if lp.get("workgroup").upper() != self.domain.upper(): + raise Error("workgroup '%s' in smb.conf must match chosen domain '%s'\n", + lp.get("workgroup"), self.domain) + + if lp.get("realm").upper() != self.realm.upper(): + raise Error("realm '%s' in smb.conf must match chosen realm '%s'\n" % + (lp.get("realm"), self.realm)) + + +class ProvisionPaths: + def __init__(self): + self.smbconf = None + self.shareconf = None + self.hklm = None + self.hkcu = None + self.hkcr = None + self.hku = None + self.hkpd = None + self.hkpt = None + self.samdb = None + self.secrets = None + self.keytab = None + self.dns = None + self.winsdb = None + self.ldap_basedn_ldif = None + self.ldap_config_basedn_ldif = None + self.ldap_schema_basedn_ldif = None + self.s4_ldapi_path = None + + +def install_ok(lp, session_info, credentials): + """Check whether the current install seems ok.""" + if lp.get("realm") == "": + return False + ldb = Ldb(lp.get("sam database"), session_info=session_info, + credentials=credentials) + if len(ldb.search("(cn=Administrator)")) != 1: + return False + return True + + +def findnss(nssfn, *names): + """Find a user or group from a list of possibilities.""" + for name in names: + try: + return nssfn(name) + except KeyError: + pass + raise Exception("Unable to find user/group for %s" % arguments[1]) + +def add_foreign(ldb, subobj, sid, desc): + """Add a foreign security principle.""" + add = """ +dn: CN=%s,CN=ForeignSecurityPrincipals,%s +objectClass: top +objectClass: foreignSecurityPrincipal +description: %s +""" % (sid, subobj.domaindn, desc) + # deliberately ignore errors from this, as the records may + # already exist + for msg in ldb.parse_ldif(add): + ldb.add(msg[1]) + +def setup_name_mapping(subobj, ldb, sid, unixname): + """Setup a mapping between a sam name and a unix name.""" + res = ldb.search(Dn(ldb, subobj.domaindn), SCOPE_SUBTREE, + "objectSid=%s" % sid, ["dn"]) + assert len(res) == 1, "Failed to find record for objectSid %s" % sid + + mod = """ +dn: %s +changetype: modify +replace: unixName +unixName: %s +""" % (res[0].dn, unixname) + ldb.modify(ldb.parse_ldif(mod).next()[1]) + +def hostip(): + """return first host IP.""" + return gethostbyname(hostname()) + +def hostname(): + """return first part of hostname.""" + return gethostname().split(".")[0] + +def ldb_delete(ldb): + """Delete a LDB file. + + This may be necessary if the ldb is in bad shape, possibly due to being + built from an incompatible previous version of the code, so delete it + completely. + """ + print "Deleting %s\n" % ldb.filename + os.unlink(ldb.filename) + ldb.connect(ldb.filename) + + +def ldb_erase(ldb): + """Erase an ldb, removing all records.""" + # delete the specials + for attr in ["@INDEXLIST", "@ATTRIBUTES", "@SUBCLASSES", "@MODULES", + "@OPTIONS", "@PARTITION", "@KLUDGEACL"]: + try: + ldb.delete(Dn(ldb, attr)) + except LdbError, (LDB_ERR_NO_SUCH_OBJECT, _): + # Ignore missing dn errors + pass + + basedn = Dn(ldb, "") + # and the rest + for msg in ldb.search(basedn, SCOPE_SUBTREE, + "(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", + ["dn"]): + ldb.delete(msg.dn) + + res = ldb.search(basedn, SCOPE_SUBTREE, "(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", ["dn"]) + assert len(res) == 0 + + +def ldb_erase_partitions(subobj, message, ldb, ldapbackend): + """Erase an ldb, removing all records.""" + assert ldb is not None + res = ldb.search(Dn(ldb, ""), SCOPE_BASE, "(objectClass=*)", + ["namingContexts"]) + assert len(res) == 1 + if not "namingContexts" in res[0]: + return + for basedn in res[0]["namingContexts"]: + anything = "(|(objectclass=*)(dn=*))" + previous_remaining = 1 + current_remaining = 0 + + if ldapbackend and (basedn == subobj.domaindn): + # Only delete objects that were created by provision + anything = "(objectcategory=*)" + + k = 0 + while ++k < 10 and (previous_remaining != current_remaining): + # and the rest + res2 = ldb.search(Dn(ldb, basedn), SCOPE_SUBTREE, anything, ["dn"]) + previous_remaining = current_remaining + current_remaining = len(res2) + for msg in res2: + try: + ldb.delete(msg.dn) + except LdbError, (_, text): + message("Unable to delete %s: %s" % (msg.dn, text)) + + +def open_ldb(session_info, credentials, dbname): + assert session_info is not None + try: + return Ldb(dbname, session_info=session_info, credentials=credentials) + except LdbError, e: + print e + os.unlink(dbname) + return Ldb(dbname, session_info=session_info, credentials=credentials) + + +def setup_add_ldif(setup_dir, ldif, subobj, ldb): + """Setup a ldb in the private dir.""" + assert isinstance(ldif, str) + assert isinstance(setup_dir, str) + src = os.path.join(setup_dir, ldif) + + data = open(src, 'r').read() + data = substitute_var(data, subobj.subst_vars()) + + for msg in ldb.parse_ldif(data): + ldb.add(msg[1]) + + +def setup_modify_ldif(setup_dir, ldif, subobj, ldb): + src = os.path.join(setup_dir, ldif) + + data = open(src, 'r').read() + data = substitute_var(data, subobj.subst_vars()) + + for (changetype, msg) in ldb.parse_ldif(data): + ldb.modify(msg) + + +def setup_ldb(setup_dir, ldif, session_info, credentials, subobj, dbname, + erase=True): + assert dbname is not None + ldb = open_ldb(session_info, credentials, dbname) + assert ldb is not None + ldb.transaction_start() + try: + if erase: + ldb_erase(ldb); + setup_add_ldif(setup_dir, ldif, subobj, ldb) + except: + ldb.transaction_cancel() + raise + ldb.transaction_commit() + + +def setup_ldb_modify(setup_dir, ldif, subobj, ldb): + """Modify a ldb in the private dir.""" + src = os.path.join(setup_dir, ldif) + + data = open(src, 'r').read() + data = substitute_var(data, subobj.subst_vars()) + assert not "${" in data + + for (changetype, msg) in ldb.parse_ldif(data): + ldb.modify(msg) + + +def setup_file(setup_dir, template, message, fname, subobj): + """Setup a file in the private dir.""" + f = fname + src = os.path.join(setup_dir, template) + + os.unlink(f) + + data = open(src, 'r').read() + data = substitute_var(data, subobj.subst_vars()) + assert not "${" in data + + open(f, 'w').write(data) + + +def provision_default_paths(lp, subobj): + """Set the default paths for provisioning. + + :param lp: Loadparm context. + :param subobj: Object + """ + paths = ProvisionPaths() + private_dir = lp.get("private dir") + paths.shareconf = os.path.join(private_dir, "share.ldb") + paths.samdb = lp.get("sam database") or os.path.join(private_dir, "samdb.ldb") + paths.secrets = lp.get("secrets database") or os.path.join(private_dir, "secrets.ldb") + paths.templates = os.path.join(private_dir, "templates.ldb") + paths.keytab = os.path.join(private_dir, "secrets.keytab") + paths.dns = os.path.join(private_dir, subobj.dnsdomain + ".zone") + paths.winsdb = os.path.join(private_dir, "wins.ldb") + paths.ldap_basedn_ldif = os.path.join(private_dir, subobj.dnsdomain + ".ldif") + paths.ldap_config_basedn_ldif = os.path.join(private_dir, subobj.dnsdomain + "-config.ldif") + paths.ldap_schema_basedn_ldif = os.path.join(private_dir, subobj.dnsdomain + "-schema.ldif") + paths.s4_ldapi_path = os.path.join(private_dir, "ldapi") + paths.phpldapadminconfig = os.path.join(private_dir, "phpldapadmin-config.php") + paths.hklm = os.path.join(private_dir, "hklm.ldb") + return paths + + +def setup_name_mappings(subobj, ldb): + """setup reasonable name mappings for sam names to unix names.""" + res = ldb.search(Dn(ldb, subobj.domaindn), SCOPE_BASE, "objectSid=*", + ["objectSid"]) + assert len(res) == 1 + assert "objectSid" in res[0] + sid = list(res[0]["objectSid"])[0] + + # add some foreign sids if they are not present already + add_foreign(ldb, subobj, "S-1-5-7", "Anonymous") + add_foreign(ldb, subobj, "S-1-1-0", "World") + add_foreign(ldb, subobj, "S-1-5-2", "Network") + add_foreign(ldb, subobj, "S-1-5-18", "System") + add_foreign(ldb, subobj, "S-1-5-11", "Authenticated Users") + + # some well known sids + setup_name_mapping(subobj, ldb, "S-1-5-7", subobj.nobody) + setup_name_mapping(subobj, ldb, "S-1-1-0", subobj.nogroup) + setup_name_mapping(subobj, ldb, "S-1-5-2", subobj.nogroup) + setup_name_mapping(subobj, ldb, "S-1-5-18", subobj.root) + setup_name_mapping(subobj, ldb, "S-1-5-11", subobj.users) + setup_name_mapping(subobj, ldb, "S-1-5-32-544", subobj.wheel) + setup_name_mapping(subobj, ldb, "S-1-5-32-545", subobj.users) + setup_name_mapping(subobj, ldb, "S-1-5-32-546", subobj.nogroup) + setup_name_mapping(subobj, ldb, "S-1-5-32-551", subobj.backup) + + # and some well known domain rids + setup_name_mapping(subobj, ldb, sid + "-500", subobj.root) + setup_name_mapping(subobj, ldb, sid + "-518", subobj.wheel) + setup_name_mapping(subobj, ldb, sid + "-519", subobj.wheel) + setup_name_mapping(subobj, ldb, sid + "-512", subobj.wheel) + setup_name_mapping(subobj, ldb, sid + "-513", subobj.users) + setup_name_mapping(subobj, ldb, sid + "-520", subobj.wheel) + + +def provision_become_dc(setup_dir, subobj, message, paths, session_info, + credentials): + assert session_info is not None + subobj.fix(paths) + + message("Setting up templates into %s" % paths.templates) + setup_ldb(setup_dir, "provision_templates.ldif", session_info, + credentials, subobj, paths.templates) + + # Also wipes the database + message("Setting up %s partitions" % paths.samdb) + setup_ldb(setup_dir, "provision_partitions.ldif", session_info, + credentials, subobj, paths.samdb) + + samdb = open_ldb(session_info, credentials, paths.samdb) + ldb.transaction_start() + try: + message("Setting up %s attributes" % paths.samdb) + setup_add_ldif(setup_dir, "provision_init.ldif", subobj, samdb) + + message("Setting up %s rootDSE" % paths.samdb) + setup_add_ldif(setup_dir, "provision_rootdse_add.ldif", subobj, samdb) + + message("Erasing data from partitions") + ldb_erase_partitions(subobj, message, samdb, undefined) + + message("Setting up %s indexes" % paths.samdb) + setup_add_ldif(setup_dir, "provision_index.ldif", subobj, samdb) + except: + samdb.transaction_cancel() + raise + + samdb.transaction_commit() + + message("Setting up %s" % paths.secrets) + setup_ldb(setup_dir, "secrets_init.ldif", session_info, credentials, + subobj, paths.secrets) + + setup_ldb(setup_dir, "secrets.ldif", session_info, credentials, subobj, + paths.secrets, False) + + +def provision(lp, setup_dir, subobj, message, blank, paths, session_info, + credentials, ldapbackend): + """Provision samba4 + + :note: caution, this wipes all existing data! + """ + subobj.fix(paths) + + if subobj.domain_guid is not None: + subobj.domainguid_mod = "replace: objectGUID\nobjectGUID: %s\n-" % subobj.domain_guid + else: + subobj.domainguid_mod = "" + + if subobj.host_guid is not None: + subobj.hostguid_add = "objectGUID: %s" % subobj.host_guid + else: + subobj.hostguid_add = "" + + assert paths.smbconf is not None + + # only install a new smb.conf if there isn't one there already + if not os.path.exists(paths.smbconf): + message("Setting up smb.conf") + setup_file(setup_dir, "provision.smb.conf", message, paths.smbconf, subobj) + lp.reload() + + # only install a new shares config db if there is none + if not os.path.exists(paths.shareconf): + message("Setting up share.ldb") + setup_ldb(setup_dir, "share.ldif", session_info, credentials, subobj, paths.shareconf) + + message("Setting up %s" % paths.secrets) + setup_ldb(setup_dir, "secrets_init.ldif", session_info, credentials, subobj, paths.secrets) + setup_ldb(setup_dir, "secrets.ldif", session_info, credentials, subobj, paths.secrets, False) + + message("Setting up registry") + reg = registry.Registry() + # FIXME: Still fails for some reason: + #reg.mount(paths.hklm, registry.HKEY_LOCAL_MACHINE, []) + #reg.apply_patchfile(os.path.join(setup_dir, "provision.reg")) + + message("Setting up templates into %s" % paths.templates) + setup_ldb(setup_dir, "provision_templates.ldif", session_info, credentials, subobj, paths.templates) + + message("Setting up sam.ldb partitions") + setup_ldb(setup_dir, "provision_partitions.ldif", session_info, + credentials, subobj, paths.samdb) + + samdb = open_ldb(session_info, credentials, paths.samdb) + samdb.transaction_start() + try: + message("Setting up sam.ldb attributes") + setup_add_ldif(setup_dir, "provision_init.ldif", subobj, samdb) + + message("Setting up sam.ldb rootDSE") + setup_add_ldif(setup_dir, "provision_rootdse_add.ldif", subobj, samdb) + + message("Erasing data from partitions") + ldb_erase_partitions(subobj, message, samdb, ldapbackend) + except: + samdb.transaction_cancel() + raise + + samdb.transaction_commit() + + message("Pre-loading the Samba 4 and AD schema") + + samdb = open_ldb(session_info, credentials, paths.samdb) + + samdb.set_domain_sid(subobj.domainsid) + + load_schema(setup_dir, subobj, samdb) + + samdb.transaction_start() + + try: + message("Adding DomainDN: %s (permitted to fail)" % subobj.domaindn) + setup_add_ldif(setup_dir, "provision_basedn.ldif", subobj, samdb) + message("Modifying DomainDN: " + subobj.domaindn + "") + setup_ldb_modify(setup_dir, "provision_basedn_modify.ldif", subobj, samdb) + + message("Adding configuration container (permitted to fail)") + setup_add_ldif(setup_dir, "provision_configuration_basedn.ldif", subobj, samdb) + message("Modifying configuration container") + setup_ldb_modify(setup_dir, "provision_configuration_basedn_modify.ldif", subobj, samdb) + + message("Adding schema container (permitted to fail)") + setup_add_ldif(setup_dir, "provision_schema_basedn.ldif", subobj, samdb) + message("Modifying schema container") + setup_ldb_modify(setup_dir, "provision_schema_basedn_modify.ldif", subobj, samdb) + message("Setting up sam.ldb Samba4 schema") + setup_add_ldif(setup_dir, "schema_samba4.ldif", subobj, samdb) + message("Setting up sam.ldb AD schema") + setup_add_ldif(setup_dir, "schema.ldif", subobj, samdb) + + message("Setting up sam.ldb configuration data") + setup_add_ldif(setup_dir, "provision_configuration.ldif", subobj, samdb) + + message("Setting up display specifiers") + setup_add_ldif(setup_dir, "display_specifiers.ldif", subobj, samdb) + + message("Adding users container (permitted to fail)") + setup_add_ldif(setup_dir, "provision_users_add.ldif", subobj, samdb) + message("Modifying users container") + setup_ldb_modify(setup_dir, "provision_users_modify.ldif", subobj, samdb) + message("Adding computers container (permitted to fail)") + setup_add_ldif(setup_dir, "provision_computers_add.ldif", subobj, samdb) + message("Modifying computers container") + setup_ldb_modify(setup_dir, "provision_computers_modify.ldif", subobj, samdb) + message("Setting up sam.ldb data") + setup_add_ldif(setup_dir, "provision.ldif", subobj, samdb) + + if blank: + message("Setting up sam.ldb index") + setup_add_ldif(setup_dir, "provision_index.ldif", subobj, samdb) + + message("Setting up sam.ldb rootDSE marking as syncronized") + setup_modify_ldif(setup_dir, "provision_rootdse_modify.ldif", subobj, samdb) + + samdb.transaction_commit() + return + + # message("Activate schema module") + # setup_modify_ldif("schema_activation.ldif", info, samdb, False) + # + # // (hack) Reload, now we have the schema loaded. + # commit_ok = samdb.transaction_commit() + # if (!commit_ok) { + # message("samdb commit failed: " + samdb.errstring() + "\n") + # assert(commit_ok) + # } + # samdb.close() + # + # samdb = open_ldb(info, paths.samdb, False) + # + message("Setting up sam.ldb users and groups") + setup_add_ldif(setup_dir, "provision_users.ldif", subobj, samdb) + + setup_name_mappings(subobj, samdb) + + message("Setting up sam.ldb index") + setup_add_ldif(setup_dir, "provision_index.ldif", subobj, samdb) + + message("Setting up sam.ldb rootDSE marking as syncronized") + setup_modify_ldif(setup_dir, "provision_rootdse_modify.ldif", subobj, samdb) + except: + samdb.transaction_cancel() + raise + + samdb.transaction_commit() + + message("Setting up phpLDAPadmin configuration") + setup_file(setup_dir, "phpldapadmin-config.php", message, + paths.phpldapadminconfig, subobj) + message("Please install the phpLDAPadmin configuration located at %s into /etc/phpldapadmin/config.php" % paths.phpldapadminconfig) + + +def provision_dns(setup_dir, subobj, message, paths, session_info, credentials): + """Write out a DNS zone file, from the info in the current database.""" + message("Setting up DNS zone: %s" % subobj.dnsdomain) + # connect to the sam + ldb = Ldb(paths.samdb, session_info=session_info, credentials=credentials) + + # These values may have changed, due to an incoming SamSync, + # or may not have been specified, so fetch them from the database + + res = ldb.search(Dn(ldb, subobj.domaindn), SCOPE_BASE, "objectGUID=*", + ["objectGUID"]) + assert(len(res) == 1) + assert(res[0]["objectGUID"] is not None) + subobj.domainguid = res[0]["objectGUID"] + + subobj.host_guid = searchone(ldb, subobj.domaindn, + "(&(objectClass=computer)(cn=%s))" % subobj.netbiosname, "objectGUID") + assert subobj.host_guid is not None + + setup_file(setup_dir, "provision.zone", message, paths.dns, subobj) + + message("Please install the zone located in %s into your DNS server" % paths.dns) + + +def provision_ldapbase(setup_dir, subobj, message, paths): + """Write out a DNS zone file, from the info in the current database.""" + message("Setting up LDAP base entry: %s" % subobj.domaindn) + rdns = subobj.domaindn.split(",") + subobj.extensibleobject = "objectClass: extensibleObject" + + subobj.rdn_dc = rdns[0][len("DC="):] + + setup_file(setup_dir, "provision_basedn.ldif", + message, paths.ldap_basedn_ldif, + subobj) + + setup_file(setup_dir, "provision_configuration_basedn.ldif", + message, paths.ldap_config_basedn_ldif, + subobj) + + setup_file(setup_dir, "provision_schema_basedn.ldif", + message, paths.ldap_schema_basedn_ldif, + subobj) + + message("Please install the LDIF located in " + paths.ldap_basedn_ldif + ", " + paths.ldap_config_basedn_ldif + " and " + paths.ldap_schema_basedn_ldif + " into your LDAP server, and re-run with --ldap-backend=ldap://my.ldap.server") + + +def provision_guess(lp): + """guess reasonably default options for provisioning.""" + subobj = ProvisionSettings(realm=lp.get("realm").upper(), + domain=lp.get("workgroup"), + hostname=hostname(), + hostip=hostip()) + + assert subobj.realm is not None + assert subobj.domain is not None + assert subobj.hostname is not None + + subobj.domainsid = sid.random() + subobj.invocationid = uuid.random() + subobj.policyguid = uuid.random() + subobj.krbtgtpass = misc.random_password(12) + subobj.machinepass = misc.random_password(12) + subobj.adminpass = misc.random_password(12) + subobj.dnspass = misc.random_password(12) + subobj.datestring = time.strftime("%Y%m%d%H") + subobj.root = findnss(pwd.getpwnam, "root")[4] + subobj.nobody = findnss(pwd.getpwnam, "nobody")[4] + subobj.nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2] + subobj.wheel = findnss(grp.getgrnam, "wheel", "root", "staff", "adm")[2] + subobj.backup = findnss(grp.getgrnam, "backup", "wheel", "root", "staff")[2] + subobj.users = findnss(grp.getgrnam, "users", "guest", "other", "unknown", "usr")[2] + + subobj.dnsdomain = subobj.realm.lower() + subobj.dnsname = "%s.%s" % (subobj.hostname.lower(), subobj.dnsdomain) + subobj.domaindn = "DC=" + subobj.dnsdomain.replace(".", ",DC=") + subobj.domaindn_ldb = "users.ldb" + subobj.rootdn = subobj.domaindn + subobj.configdn = "CN=Configuration," + subobj.rootdn + subobj.configdn_ldb = "configuration.ldb" + subobj.schemadn = "CN=Schema," + subobj.configdn + subobj.schemadn_ldb = "schema.ldb" + + #Add modules to the list to activate them by default + #beware often order is important + # + # Some Known ordering constraints: + # - rootdse must be first, as it makes redirects from "" -> cn=rootdse + # - objectclass must be before password_hash, because password_hash checks + # that the objectclass is of type person (filled in by objectclass + # module when expanding the objectclass list) + # - partition must be last + # - each partition has its own module list then + subobj.modules_list = ["rootdse", + "paged_results", + "ranged_results", + "server_sort", + "extended_dn", + "asq", + "samldb", + "rdn_name", + "objectclass", + "kludge_acl", + "operational"] + subobj.tdb_modules_list = [ + "subtree_rename", + "subtree_delete", + "linked_attributes"] + subobj.modules_list2 = ["show_deleted", + "partition"] + + subobj.extensibleobject = "# no objectClass: extensibleObject for local ldb" + subobj.aci = "# no aci for local ldb" + return subobj + + +def searchone(ldb, basedn, expression, attribute): + """search for one attribute as a string.""" + res = ldb.search(basedn, SCOPE_SUBTREE, expression, [attribute]) + if len(res) != 1 or res[0][attribute] is None: + return None + return res[0][attribute] + + +def load_schema(setup_dir, subobj, samdb): + """Load schema.""" + src = os.path.join(setup_dir, "schema.ldif") + + schema_data = open(src, 'r').read() + + src = os.path.join(setup_dir, "schema_samba4.ldif") + + schema_data += open(src, 'r').read() + + schema_data = substitute_var(schema_data, subobj.subst_vars()) + + src = os.path.join(setup_dir, "provision_schema_basedn_modify.ldif") + + head_data = open(src, 'r').read() + + head_data = substitute_var(head_data, subobj.subst_vars()) + + samdb.attach_dsdb_schema_from_ldif(head_data, schema_data) + + +def enable_account(ldb, user_dn): + """enable the account.""" + res = ldb.search(user_dn, SCOPE_ONELEVEL, None, ["userAccountControl"]) + assert len(res) == 1 + userAccountControl = res[0].userAccountControl + userAccountControl = userAccountControl - 2 # remove disabled bit + mod = """ +dn: %s +changetype: modify +replace: userAccountControl +userAccountControl: %u +""" % (user_dn, userAccountControl) + ldb.modify(mod) + + +def newuser(sam, username, unixname, password, message, session_info, + credentials): + """add a new user record""" + # connect to the sam + ldb.transaction_start() + + # find the DNs for the domain and the domain users group + res = ldb.search("", SCOPE_BASE, "defaultNamingContext=*", + ["defaultNamingContext"]) + assert(len(res) == 1 and res[0].defaultNamingContext is not None) + domain_dn = res[0].defaultNamingContext + assert(domain_dn is not None) + dom_users = searchone(ldb, domain_dn, "name=Domain Users", "dn") + assert(dom_users is not None) + + user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn) + + # + # the new user record. note the reliance on the samdb module to fill + # in a sid, guid etc + # + ldif = """ +dn: %s +sAMAccountName: %s +unixName: %s +sambaPassword: %s +objectClass: user +""" % (user_dn, username, unixname, password) + # add the user to the users group as well + modgroup = """ +dn: %s +changetype: modify +add: member +member: %s +""" % (dom_users, user_dn) + + + # now the real work + message("Adding user %s" % user_dn) + ldb.add(ldif) + + message("Modifying group %s" % dom_users) + ldb.modify(modgroup) + + # modify the userAccountControl to remove the disabled bit + enable_account(ldb, user_dn) + ldb.transaction_commit() + + +def valid_netbios_name(name): + """Check whether a name is valid as a NetBIOS name. """ + # FIXME: There are probably more constraints here. + # crh has a paragraph on this in his book (1.4.1.1) + if len(name) > 13: + return False + return True + + +def join_domain(domain, netbios_name, join_type, creds, message): + ctx = NetContext(creds) + joindom = object() + joindom.domain = domain + joindom.join_type = join_type + joindom.netbios_name = netbios_name + if not ctx.JoinDomain(joindom): + raise Exception("Domain Join failed: " + joindom.error_string) + + +def vampire(domain, session_info, credentials, message): + """Vampire a remote domain. + + Session info and credentials are required for for + access to our local database (might be remote ldap) + """ + ctx = NetContext(credentials) + vampire_ctx = object() + machine_creds = credentials_init() + machine_creds.set_domain(form.domain) + if not machine_creds.set_machine_account(): + raise Exception("Failed to access domain join information!") + vampire_ctx.machine_creds = machine_creds + vampire_ctx.session_info = session_info + if not ctx.SamSyncLdb(vampire_ctx): + raise Exception("Migration of remote domain to Samba failed: %s " % vampire_ctx.error_string) diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py new file mode 100644 index 0000000000..49aee3f94d --- /dev/null +++ b/source4/scripting/python/samba/upgrade.py @@ -0,0 +1,561 @@ +#!/usr/bin/python +# +# backend code for upgrading from Samba3 +# Copyright Jelmer Vernooij 2005-2007 +# Released under the GNU GPL v3 or later +# + +"""Support code for upgrading from Samba 3 to Samba 4.""" + +from provision import findnss +import provision +import grp +import pwd +from uuid import uuid4 +from param import default_configuration + +def regkey_to_dn(name): + dn = "hive=NONE" + + for el in name.split("/")[1:]: + dn = "key=%s," % el + dn + + return dn + +# Where prefix is any of: +# - HKLM +# HKU +# HKCR +# HKPD +# HKPT +# + +def upgrade_registry(regdb,prefix,ldb): + """Migrate registry contents.""" + assert regdb is not None: + prefix_up = prefix.upper() + ldif = [] + + for rk in regdb.keys: + pts = rk.name.split("/") + + # Only handle selected hive + if pts[0].upper() != prefix_up: + continue + + keydn = regkey_to_dn(rk.name) + + pts = rk.name.split("/") + + # Convert key name to dn + ldif[rk.name] = """ +dn: %s +name: %s + +""" % (keydn, pts[0]) + + for rv in rk.values: + ldif[rk.name + " (" + rv.name + ")"] = """ +dn: %s,value=%s +value: %s +type: %d +data:: %s""" % (keydn, rv.name, rv.name, rv.type, ldb.encode(rv.data)) + + return ldif + +def upgrade_sam_policy(samba3,dn): + ldif = """ +dn: %s +changetype: modify +replace: minPwdLength +minPwdLength: %d +pwdHistoryLength: %d +minPwdAge: %d +maxPwdAge: %d +lockoutDuration: %d +samba3ResetCountMinutes: %d +samba3UserMustLogonToChangePassword: %d +samba3BadLockoutMinutes: %d +samba3DisconnectTime: %d + +""" % (dn, samba3.policy.min_password_length, + samba3.policy.password_history, samba3.policy.minimum_password_age, + samba3.policy.maximum_password_age, samba3.policy.lockout_duration, + samba3.policy.reset_count_minutes, samba3.policy.user_must_logon_to_change_password, + samba3.policy.bad_lockout_minutes, samba3.policy.disconnect_time) + + return ldif + +def upgrade_sam_account(ldb,acc,domaindn,domainsid): + """Upgrade a SAM account.""" + if acc.nt_username is None or acc.nt_username == "": + acc.nt_username = acc.username + + if acc.fullname is None: + acc.fullname = pwd.getpwnam(acc.fullname)[4] + + acc.fullname = acc.fullname.split(",")[0] + + if acc.fullname is None: + acc.fullname = acc.username + + assert acc.fullname is not None + assert acc.nt_username is not None + + ldif = """dn: cn=%s,%s +objectClass: top +objectClass: user +lastLogon: %d +lastLogoff: %d +unixName: %s +sAMAccountName: %s +cn: %s +description: %s +primaryGroupID: %d +badPwdcount: %d +logonCount: %d +samba3Domain: %s +samba3DirDrive: %s +samba3MungedDial: %s +samba3Homedir: %s +samba3LogonScript: %s +samba3ProfilePath: %s +samba3Workstations: %s +samba3KickOffTime: %d +samba3BadPwdTime: %d +samba3PassLastSetTime: %d +samba3PassCanChangeTime: %d +samba3PassMustChangeTime: %d +objectSid: %s-%d +lmPwdHash:: %s +ntPwdHash:: %s + +""" % (ldb.dn_escape(acc.fullname), domaindn, acc.logon_time, acc.logoff_time, acc.username, acc.nt_username, acc.nt_username, +acc.acct_desc, acc.group_rid, acc.bad_password_count, acc.logon_count, +acc.domain, acc.dir_drive, acc.munged_dial, acc.homedir, acc.logon_script, +acc.profile_path, acc.workstations, acc.kickoff_time, acc.bad_password_time, +acc.pass_last_set_time, acc.pass_can_change_time, acc.pass_must_change_time, domainsid, acc.user_rid, + ldb.encode(acc.lm_pw), ldb.encode(acc.nt_pw)) + + return ldif + +def upgrade_sam_group(group,domaindn): + """Upgrade a SAM group.""" + if group.sid_name_use == 5: # Well-known group + return None + + if group.nt_name in ("Domain Guests", "Domain Users", "Domain Admins"): + return None + + if group.gid == -1: + gr = grp.getgrnam(grp.nt_name) + else: + gr = grp.getgrgid(grp.gid) + + if gr is None: + group.unixname = "UNKNOWN" + else: + group.unixname = gr.gr_name + + assert group.unixname is not None + + ldif = """dn: cn=%s,%s +objectClass: top +objectClass: group +description: %s +cn: %s +objectSid: %s +unixName: %s +samba3SidNameUse: %d +""" % (group.nt_name, domaindn, +group.comment, group.nt_name, group.sid, group.unixname, group.sid_name_use) + + return ldif + +def upgrade_winbind(samba3,domaindn): + ldif = """ + +dn: dc=none +userHwm: %d +groupHwm: %d + +""" % (samba3.idmap.user_hwm, samba3.idmap.group_hwm) + + for m in samba3.idmap.mappings: + ldif += """ +dn: SID=%s,%s +SID: %s +type: %d +unixID: %d""" % (m.sid, domaindn, m.sid, m.type, m.unix_id) + + return ldif + +def upgrade_wins(samba3): + ldif = "" + version_id = 0 + + for e in samba3.winsentries: + now = sys.nttime() + ttl = sys.unix2nttime(e.ttl) + + version_id+=1 + + numIPs = len(e.ips) + + if e.type == 0x1C: + rType = 0x2 + elif e.type & 0x80: + if numIPs > 1: + rType = 0x2 + else: + rType = 0x1 + else: + if numIPs > 1: + rType = 0x3 + else: + rType = 0x0 + + if ttl > now: + rState = 0x0 # active + else: + rState = 0x1 # released + + nType = ((e.nb_flags & 0x60)>>5) + + ldif += """ +dn: name=%s,type=0x%02X +type: 0x%02X +name: %s +objectClass: winsRecord +recordType: %u +recordState: %u +nodeType: %u +isStatic: 0 +expireTime: %s +versionID: %llu +""" % (e.name, e.type, e.type, e.name, + rType, rState, nType, + ldaptime(ttl), version_id) + + for ip in e.ips: + ldif += "address: %s\n" % ip + + ldif += """ +dn: CN=VERSION +objectClass: winsMaxVersion +maxVersion: %llu +""" % version_id + + return ldif + +def upgrade_provision(lp, samba3): + subobj = Object() + + domainname = samba3.configuration.get("workgroup") + + if domainname is None: + domainname = samba3.secrets.domains[0].name + print "No domain specified in smb.conf file, assuming '%s'\n" % domainname + + domsec = samba3.find_domainsecrets(domainname) + hostsec = samba3.find_domainsecrets(hostname()) + realm = samba3.configuration.get("realm") + + if realm is None: + realm = domainname + print "No realm specified in smb.conf file, assuming '%s'\n" % realm + random_init(local) + + subobj.realm = realm + subobj.domain = domainname + subobj.hostname = hostname() + + assert subobj.realm is not None + assert subobj.domain is not None + assert subobj.hostname is not None + + subobj.HOSTIP = hostip() + if domsec is not None: + subobj.DOMAINGUID = domsec.guid + subobj.DOMAINSID = domsec.sid + else: + print "Can't find domain secrets for '%s'; using random SID and GUID\n" % domainname + subobj.DOMAINGUID = uuid4() + subobj.DOMAINSID = randsid() + + if hostsec: + subobj.HOSTGUID = hostsec.guid + else: + subobj.HOSTGUID = uuid4() + subobj.invocationid = uuid4() + subobj.krbtgtpass = randpass(12) + subobj.machinepass = randpass(12) + subobj.adminpass = randpass(12) + subobj.datestring = datestring() + subobj.root = findnss(pwd.getpwnam, "root")[4] + subobj.nobody = findnss(pwd.getpwnam, "nobody")[4] + subobj.nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2] + subobj.wheel = findnss(grp.getgrnam, "wheel", "root")[2] + subobj.users = findnss(grp.getgrnam, "users", "guest", "other")[2] + subobj.dnsdomain = subobj.realm.lower() + subobj.dnsname = "%s.%s" % (subobj.hostname.lower(), subobj.dnsdomain) + subobj.basedn = "DC=" + ",DC=".join(subobj.realm.split(".")) + rdn_list = subobj.dnsdomain.split(".") + subobj.domaindn = "DC=" + ",DC=".join(rdn_list) + subobj.domaindn_ldb = "users.ldb" + subobj.rootdn = subobj.domaindn + + modules_list = ["rootdse", + "kludge_acl", + "paged_results", + "server_sort", + "extended_dn", + "asq", + "samldb", + "password_hash", + "operational", + "objectclass", + "rdn_name", + "show_deleted", + "partition"] + subobj.modules_list = ",".join(modules_list) + + return subobj + +smbconf_keep = [ + "dos charset", + "unix charset", + "display charset", + "comment", + "path", + "directory", + "workgroup", + "realm", + "netbios name", + "netbios aliases", + "netbios scope", + "server string", + "interfaces", + "bind interfaces only", + "security", + "auth methods", + "encrypt passwords", + "null passwords", + "obey pam restrictions", + "password server", + "smb passwd file", + "private dir", + "passwd chat", + "password level", + "lanman auth", + "ntlm auth", + "client NTLMv2 auth", + "client lanman auth", + "client plaintext auth", + "read only", + "hosts allow", + "hosts deny", + "log level", + "debuglevel", + "log file", + "smb ports", + "large readwrite", + "max protocol", + "min protocol", + "unicode", + "read raw", + "write raw", + "disable netbios", + "nt status support", + "announce version", + "announce as", + "max mux", + "max xmit", + "name resolve order", + "max wins ttl", + "min wins ttl", + "time server", + "unix extensions", + "use spnego", + "server signing", + "client signing", + "max connections", + "paranoid server security", + "socket options", + "strict sync", + "max print jobs", + "printable", + "print ok", + "printer name", + "printer", + "map system", + "map hidden", + "map archive", + "preferred master", + "prefered master", + "local master", + "browseable", + "browsable", + "wins server", + "wins support", + "csc policy", + "strict locking", + "preload", + "auto services", + "lock dir", + "lock directory", + "pid directory", + "socket address", + "copy", + "include", + "available", + "volume", + "fstype", + "panic action", + "msdfs root", + "host msdfs", + "winbind separator"] + +# +# Remove configuration variables not present in Samba4 +# oldconf: Old configuration structure +# mark: Whether removed configuration variables should be +# kept in the new configuration as "samba3:<name>" +def upgrade_smbconf(oldconf,mark): + data = oldconf.data() + newconf = param_init() + + for (s in data) { + for (p in data[s]) { + keep = False + for (k in smbconf_keep) { + if smbconf_keep[k] == p: + keep = True + break + } + + if keep: + newconf.set(s, p, oldconf.get(s, p)) + elif mark: + newconf.set(s, "samba3:"+p, oldconf.get(s,p)) + } + } + + if oldconf.get("domain logons") == "True": + newconf.set("server role", "domain controller") + else: + if oldconf.get("security") == "user": + newconf.set("server role", "standalone") + else: + newconf.set("server role", "member server") + + return newconf + +def upgrade(subobj, samba3, message, paths, session_info, credentials): + ret = 0 + lp = loadparm_init() + samdb = Ldb(paths.samdb, session_info=session_info, credentials=credentials) + + message("Writing configuration") + newconf = upgrade_smbconf(samba3.configuration,True) + newconf.save(paths.smbconf) + + message("Importing account policies") + ldif = upgrade_sam_policy(samba3,subobj.BASEDN) + samdb.modify(ldif) + regdb = Ldb(paths.hklm) + + regdb.modify(" +dn: value=RefusePasswordChange,key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=System,HIVE=NONE +replace: type +type: 4 +replace: data +data: %d +" % samba3.policy.refuse_machine_password_change) + + message("Importing users") + for account in samba3.samaccounts: + msg = "... " + account.username + ldif = upgrade_sam_account(samdb, accounts,subobj.BASEDN,subobj.DOMAINSID) + try: + samdb.add(ldif) + except LdbError, e: + # FIXME: Ignore 'Record exists' errors + msg += "... error: " + str(e) + ret += 1; + message(msg) + + message("Importing groups") + for mapping in samba3.groupmappings: + msg = "... " + mapping.nt_name + ldif = upgrade_sam_group(mapping, subobj.BASEDN) + if ldif is not None: + try: + samdb.add(ldif) + except LdbError, e: + # FIXME: Ignore 'Record exists' errors + msg += "... error: " + str(e) + ret += 1 + message(msg) + + message("Importing registry data") + for hive in ["hkcr","hkcu","hklm","hkpd","hku","hkpt"]: + message("... " + hive) + regdb = Ldb(paths[hive]) + ldif = upgrade_registry(samba3.registry, hive, regdb) + for (var j in ldif) { + var msg = "... ... " + j + try: + regdb.add(ldif[j]) + except LdbError, e: + # FIXME: Ignore 'Record exists' errors + msg += "... error: " + str(e) + ret += 1 + message(msg) + + message("Importing WINS data") + winsdb = Ldb(paths.winsdb) + ldb_erase(winsdb) + + ldif = upgrade_wins(samba3) + winsdb.add(ldif) + + # figure out ldapurl, if applicable + ldapurl = None + pdb = samba3.configuration.get_list("passdb backend") + if pdb is not None: + for backend in pdb: + if len(backend) >= 7 and backend[0:7] == "ldapsam": + ldapurl = backend[7:] + + # URL was not specified in passdb backend but ldap /is/ used + if ldapurl == "": + ldapurl = "ldap://%s" % samba3.configuration.get("ldap server") + + # Enable samba3sam module if original passdb backend was ldap + if ldapurl is not None: + message("Enabling Samba3 LDAP mappings for SAM database") + + samdb.modify(""" +dn: @MODULES +changetype: modify +replace: @LIST +@LIST: samldb,operational,objectguid,rdn_name,samba3sam +""") + + samdb.add(""" +dn: @MAP=samba3sam +@MAP_URL: %s""", ldapurl)) + + return ret + +def upgrade_verify(subobj, samba3, paths, message): + message("Verifying account policies") + + samldb = Ldb(paths.samdb) + + for account in samba3.samaccounts: + msg = samldb.search("(&(sAMAccountName=" + account.nt_username + ")(objectclass=user))") + assert(len(msg) >= 1) + + # FIXME |