diff options
Diffstat (limited to 'source4/setup/provision')
-rwxr-xr-x | source4/setup/provision | 319 |
1 files changed, 163 insertions, 156 deletions
diff --git a/source4/setup/provision b/source4/setup/provision index 39ef62d4b3..315de78821 100755 --- a/source4/setup/provision +++ b/source4/setup/provision @@ -7,17 +7,17 @@ # # Based on the original in EJS: # Copyright (C) Andrew Tridgell 2005 -# +# # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. -# +# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. -# +# # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. # @@ -35,13 +35,19 @@ import samba.ntacls from samba.credentials import DONT_USE_KERBEROS from samba.auth import system_session import samba.getopt as options -from samba.provision import provision, FILL_FULL, FILL_NT4SYNC, FILL_DRS, ProvisioningError +from samba.provision import ( + provision, + FILL_FULL, + FILL_NT4SYNC, + FILL_DRS, + ProvisioningError, + ) from samba.dsdb import ( - DS_DOMAIN_FUNCTION_2000, - DS_DOMAIN_FUNCTION_2003, - DS_DOMAIN_FUNCTION_2008, - DS_DOMAIN_FUNCTION_2008_R2, - ) + DS_DOMAIN_FUNCTION_2000, + DS_DOMAIN_FUNCTION_2003, + DS_DOMAIN_FUNCTION_2008, + DS_DOMAIN_FUNCTION_2008_R2, + ) # how do we make this case insensitive?? @@ -53,72 +59,72 @@ credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) parser.add_option("--interactive", help="Ask for names", action="store_true") parser.add_option("--domain", type="string", metavar="DOMAIN", - help="set domain") -parser.add_option("--domain-guid", type="string", metavar="GUID", - help="set domainguid (otherwise random)") -parser.add_option("--domain-sid", type="string", metavar="SID", - help="set domainsid (otherwise random)") -parser.add_option("--ntds-guid", type="string", metavar="GUID", - help="set NTDS object GUID (otherwise random)") -parser.add_option("--invocationid", type="string", metavar="GUID", - help="set invocationid (otherwise random)") -parser.add_option("--host-name", type="string", metavar="HOSTNAME", - help="set hostname") -parser.add_option("--host-ip", type="string", metavar="IPADDRESS", - help="set IPv4 ipaddress") -parser.add_option("--host-ip6", type="string", metavar="IP6ADDRESS", - help="set IPv6 ipaddress") -parser.add_option("--adminpass", type="string", metavar="PASSWORD", - help="choose admin password (otherwise random)") -parser.add_option("--krbtgtpass", type="string", metavar="PASSWORD", - help="choose krbtgt password (otherwise random)") -parser.add_option("--machinepass", type="string", metavar="PASSWORD", - help="choose machine password (otherwise random)") + help="set domain") +parser.add_option("--domain-guid", type="string", metavar="GUID", + help="set domainguid (otherwise random)") +parser.add_option("--domain-sid", type="string", metavar="SID", + help="set domainsid (otherwise random)") +parser.add_option("--ntds-guid", type="string", metavar="GUID", + help="set NTDS object GUID (otherwise random)") +parser.add_option("--invocationid", type="string", metavar="GUID", + help="set invocationid (otherwise random)") +parser.add_option("--host-name", type="string", metavar="HOSTNAME", + help="set hostname") +parser.add_option("--host-ip", type="string", metavar="IPADDRESS", + help="set IPv4 ipaddress") +parser.add_option("--host-ip6", type="string", metavar="IP6ADDRESS", + help="set IPv6 ipaddress") +parser.add_option("--adminpass", type="string", metavar="PASSWORD", + help="choose admin password (otherwise random)") +parser.add_option("--krbtgtpass", type="string", metavar="PASSWORD", + help="choose krbtgt password (otherwise random)") +parser.add_option("--machinepass", type="string", metavar="PASSWORD", + help="choose machine password (otherwise random)") parser.add_option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND", - choices=["SAMBA", "BIND9", "BIND9_DLZ"], + choices=["SAMBA", "BIND9", "BIND9_DLZ"], help="The DNS server backend. SAMBA is the builtin name server (experimental), BIND9 uses bind9 text database to store zone information (default), BIND9_DLZ uses samba4 AD to store zone information (recommended)") -parser.add_option("--dnspass", type="string", metavar="PASSWORD", - help="choose dns password (otherwise random)") -parser.add_option("--ldapadminpass", type="string", metavar="PASSWORD", - help="choose password to set between Samba and it's LDAP backend (otherwise random)") -parser.add_option("--root", type="string", metavar="USERNAME", - help="choose 'root' unix username") -parser.add_option("--nobody", type="string", metavar="USERNAME", - help="choose 'nobody' user") -parser.add_option("--wheel", type="string", metavar="GROUPNAME", - help="choose 'wheel' privileged group") -parser.add_option("--users", type="string", metavar="GROUPNAME", - help="choose 'users' group") +parser.add_option("--dnspass", type="string", metavar="PASSWORD", + help="choose dns password (otherwise random)") +parser.add_option("--ldapadminpass", type="string", metavar="PASSWORD", + help="choose password to set between Samba and it's LDAP backend (otherwise random)") +parser.add_option("--root", type="string", metavar="USERNAME", + help="choose 'root' unix username") +parser.add_option("--nobody", type="string", metavar="USERNAME", + help="choose 'nobody' user") +parser.add_option("--wheel", type="string", metavar="GROUPNAME", + help="choose 'wheel' privileged group") +parser.add_option("--users", type="string", metavar="GROUPNAME", + help="choose 'users' group") parser.add_option("--quiet", help="Be quiet", action="store_true") parser.add_option("--blank", action="store_true", - help="do not add users or groups, just the structure") -parser.add_option("--ldap-backend-extra-port", type="int", metavar="LDAP-BACKEND-EXTRA-PORT", - help="Additional TCP port for LDAP backend server (to use for replication)") -parser.add_option("--ldap-backend-forced-uri", type="string", metavar="LDAP-BACKEND-FORCED-URI", - help="Force the LDAP backend connection to be to a particular URI. Use this ONLY for 'existing' backends, or when debugging the interaction with the LDAP backend and you need to intercept the LDAP traffic") -parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE", - help="LDAP backend type (fedora-ds or openldap)", - choices=["fedora-ds", "openldap"]) + help="do not add users or groups, just the structure") +parser.add_option("--ldap-backend-extra-port", type="int", metavar="LDAP-BACKEND-EXTRA-PORT", + help="Additional TCP port for LDAP backend server (to use for replication)") +parser.add_option("--ldap-backend-forced-uri", type="string", metavar="LDAP-BACKEND-FORCED-URI", + help="Force the LDAP backend connection to be to a particular URI. Use this ONLY for 'existing' backends, or when debugging the interaction with the LDAP backend and you need to intercept the LDAP traffic") +parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE", + help="LDAP backend type (fedora-ds or openldap)", + choices=["fedora-ds", "openldap"]) parser.add_option("--ldap-backend-nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true") parser.add_option("--server-role", type="choice", metavar="ROLE", - choices=["domain controller", "dc", "member server", "member", "standalone"], - help="The server role (domain controller | dc | member server | member | standalone). Default is standalone.") + choices=["domain controller", "dc", "member server", "member", "standalone"], + help="The server role (domain controller | dc | member server | member | standalone). Default is standalone.") parser.add_option("--function-level", type="choice", metavar="FOR-FUN-LEVEL", - choices=["2000", "2003", "2008", "2008_R2"], - help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2003 Native.") + choices=["2000", "2003", "2008", "2008_R2"], + help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2003 Native.") parser.add_option("--next-rid", type="int", metavar="NEXTRID", default=1000, - help="The initial nextRid value (only needed for upgrades). Default is 1000.") -parser.add_option("--partitions-only", - help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true") -parser.add_option("--targetdir", type="string", metavar="DIR", - help="Set target directory") + help="The initial nextRid value (only needed for upgrades). Default is 1000.") +parser.add_option("--partitions-only", + help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true") +parser.add_option("--targetdir", type="string", metavar="DIR", + help="Set target directory") parser.add_option("--ol-mmr-urls", type="string", metavar="LDAPSERVER", help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with comma (\",\") for use with OpenLDAP-MMR (Multi-Master-Replication), e.g.: \"ldap://s4dc1:9000,ldap://s4dc2:9000\"") -parser.add_option("--slapd-path", type="string", metavar="SLAPD-PATH", - help="Path to slapd for LDAP backend [e.g.:'/usr/local/libexec/slapd']. Required for Setup with LDAP-Backend. OpenLDAP Version >= 2.4.17 should be used.") -parser.add_option("--setup-ds-path", type="string", metavar="SETUP_DS-PATH", - help="Path to setup-ds.pl script for Fedora DS LDAP backend [e.g.:'/usr/sbin/setup-ds.pl']. Required for Setup with Fedora DS backend.") -parser.add_option("--use-xattrs", type="choice", choices=["yes","no","auto"], help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto") +parser.add_option("--slapd-path", type="string", metavar="SLAPD-PATH", + help="Path to slapd for LDAP backend [e.g.:'/usr/local/libexec/slapd']. Required for Setup with LDAP-Backend. OpenLDAP Version >= 2.4.17 should be used.") +parser.add_option("--setup-ds-path", type="string", metavar="SETUP_DS-PATH", + help="Path to setup-ds.pl script for Fedora DS LDAP backend [e.g.:'/usr/sbin/setup-ds.pl']. Required for Setup with Fedora DS backend.") +parser.add_option("--use-xattrs", type="choice", choices=["yes", "no", "auto"], help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto") parser.add_option("--ldap-dryrun-mode", help="Configure LDAP backend, but do not run any binaries and exit early. Used only for the test environment. DO NOT USE", action="store_true") opts = parser.parse_args()[0] @@ -126,81 +132,82 @@ opts = parser.parse_args()[0] logger = logging.getLogger("provision") logger.addHandler(logging.StreamHandler(sys.stdout)) if opts.quiet: - logger.setLevel(logging.WARNING) + logger.setLevel(logging.WARNING) else: - logger.setLevel(logging.INFO) + logger.setLevel(logging.INFO) if len(sys.argv) == 1: - opts.interactive = True + opts.interactive = True if opts.interactive: - from getpass import getpass - import socket - def ask(prompt, default=None): - if default is not None: - print "%s [%s]: " % (prompt,default), - else: - print "%s: " % (prompt,), - return sys.stdin.readline().rstrip("\n") or default - try: - default = socket.getfqdn().split(".", 1)[1].upper() - except IndexError: - default = None - opts.realm = ask("Realm", default) - if opts.realm in (None, ""): - print >>sys.stderr, "No realm set!" - sys.exit(1) + from getpass import getpass + import socket - try: - default = opts.realm.split(".")[0] - except IndexError: - default = None - opts.domain = ask("Domain", default) - if opts.domain is None: - print >> sys.stderr, "No domain set!" - sys.exit(1) + def ask(prompt, default=None): + if default is not None: + print "%s [%s]: " % (prompt, default), + else: + print "%s: " % (prompt,), + return sys.stdin.readline().rstrip("\n") or default + try: + default = socket.getfqdn().split(".", 1)[1].upper() + except IndexError: + default = None + opts.realm = ask("Realm", default) + if opts.realm in (None, ""): + print >>sys.stderr, "No realm set!" + sys.exit(1) - opts.server_role = ask("Server Role (dc, member, standalone)", "dc") - for i in range(3): - opts.adminpass = getpass("Administrator password: ") - if not opts.adminpass: - print >>sys.stderr, "Invalid administrator password." - else: - break + try: + default = opts.realm.split(".")[0] + except IndexError: + default = None + opts.domain = ask("Domain", default) + if opts.domain is None: + print >> sys.stderr, "No domain set!" + sys.exit(1) + + opts.server_role = ask("Server Role (dc, member, standalone)", "dc") + for i in range(3): + opts.adminpass = getpass("Administrator password: ") + if not opts.adminpass: + print >>sys.stderr, "Invalid administrator password." + else: + break else: - if opts.realm in (None, ""): - opts.realm = sambaopts._lp.get('realm') - if opts.realm is None or opts.domain is None: - if opts.realm is None: - print >>sys.stderr, "No realm set!" - if opts.domain is None: - print >> sys.stderr, "No domain set!" - parser.print_usage() - sys.exit(1) + if opts.realm in (None, ""): + opts.realm = sambaopts._lp.get('realm') + if opts.realm is None or opts.domain is None: + if opts.realm is None: + print >>sys.stderr, "No realm set!" + if opts.domain is None: + print >> sys.stderr, "No domain set!" + parser.print_usage() + sys.exit(1) if not opts.adminpass: - logger.info("Administrator password will be set randomly!") + logger.info("Administrator password will be set randomly!") lp = sambaopts.get_loadparm() smbconf = lp.configfile if opts.server_role == "dc": - server_role = "domain controller" + server_role = "domain controller" elif opts.server_role == "member": - server_role = "member server" + server_role = "member server" else: - server_role = opts.server_role + server_role = opts.server_role if opts.function_level is None: - dom_for_fun_level = None + dom_for_fun_level = None elif opts.function_level == "2000": - dom_for_fun_level = DS_DOMAIN_FUNCTION_2000 + dom_for_fun_level = DS_DOMAIN_FUNCTION_2000 elif opts.function_level == "2003": - dom_for_fun_level = DS_DOMAIN_FUNCTION_2003 + dom_for_fun_level = DS_DOMAIN_FUNCTION_2003 elif opts.function_level == "2008": - dom_for_fun_level = DS_DOMAIN_FUNCTION_2008 + dom_for_fun_level = DS_DOMAIN_FUNCTION_2008 elif opts.function_level == "2008_R2": - dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2 + dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2 creds = credopts.get_credentials(lp) @@ -214,50 +221,50 @@ elif opts.partitions_only: eadb = True if opts.use_xattrs == "yes": - eadb = False + eadb = False elif opts.use_xattrs == "auto" and not lp.get("posix:eadb"): - file = tempfile.NamedTemporaryFile() - try: - samba.ntacls.setntacl(lp, file.name, - "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native") - eadb = False - except: - logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. " - "If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.") - file.close() + file = tempfile.NamedTemporaryFile() + try: + samba.ntacls.setntacl(lp, file.name, + "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native") + eadb = False + except: + logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. " + "If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.") + file.close() if opts.ldap_backend_type == "existing": - if opts.ldap_backend_forced_uri is not None: - logger.warn("You have specified to use an existing LDAP server as the backend, please make sure an LDAP server is running at %s" % opts.ldap_backend_forced_uri) - else: - logger.info("You have specified to use an existing LDAP server as the backend, please make sure an LDAP server is running at the default location") + if opts.ldap_backend_forced_uri is not None: + logger.warn("You have specified to use an existing LDAP server as the backend, please make sure an LDAP server is running at %s" % opts.ldap_backend_forced_uri) + else: + logger.info("You have specified to use an existing LDAP server as the backend, please make sure an LDAP server is running at the default location") else: - if opts.ldap_backend_forced_uri is not None: - logger.warn("You have specified to use an fixed URI %s for connecting to your LDAP server backend. This is NOT RECOMMENDED, as our default communiation over ldapi:// is more secure and much less prone to unexpected failure or interaction" % opts.ldap_backend_forced_uri) - + if opts.ldap_backend_forced_uri is not None: + logger.warn("You have specified to use an fixed URI %s for connecting to your LDAP server backend. This is NOT RECOMMENDED, as our default communiation over ldapi:// is more secure and much less prone to unexpected failure or interaction" % opts.ldap_backend_forced_uri) + session = system_session() try: - provision(logger, - session, creds, smbconf=smbconf, targetdir=opts.targetdir, - samdb_fill=samdb_fill, realm=opts.realm, domain=opts.domain, - domainguid=opts.domain_guid, domainsid=opts.domain_sid, - hostname=opts.host_name, - hostip=opts.host_ip, hostip6=opts.host_ip6, - ntdsguid=opts.ntds_guid, - invocationid=opts.invocationid, adminpass=opts.adminpass, - krbtgtpass=opts.krbtgtpass, machinepass=opts.machinepass, - dns_backend=opts.dns_backend, - dnspass=opts.dnspass, root=opts.root, nobody=opts.nobody, - wheel=opts.wheel, users=opts.users, - serverrole=server_role, dom_for_fun_level=dom_for_fun_level, - ldap_backend_extra_port=opts.ldap_backend_extra_port, - ldap_backend_forced_uri=opts.ldap_backend_forced_uri, - backend_type=opts.ldap_backend_type, - ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls, - slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path, - nosync=opts.ldap_backend_nosync, ldap_dryrun_mode=opts.ldap_dryrun_mode, - useeadb=eadb, next_rid=opts.next_rid, lp=lp) + provision(logger, + session, creds, smbconf=smbconf, targetdir=opts.targetdir, + samdb_fill=samdb_fill, realm=opts.realm, domain=opts.domain, + domainguid=opts.domain_guid, domainsid=opts.domain_sid, + hostname=opts.host_name, + hostip=opts.host_ip, hostip6=opts.host_ip6, + ntdsguid=opts.ntds_guid, + invocationid=opts.invocationid, adminpass=opts.adminpass, + krbtgtpass=opts.krbtgtpass, machinepass=opts.machinepass, + dns_backend=opts.dns_backend, + dnspass=opts.dnspass, root=opts.root, nobody=opts.nobody, + wheel=opts.wheel, users=opts.users, + serverrole=server_role, dom_for_fun_level=dom_for_fun_level, + ldap_backend_extra_port=opts.ldap_backend_extra_port, + ldap_backend_forced_uri=opts.ldap_backend_forced_uri, + backend_type=opts.ldap_backend_type, + ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls, + slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path, + nosync=opts.ldap_backend_nosync, ldap_dryrun_mode=opts.ldap_dryrun_mode, + useeadb=eadb, next_rid=opts.next_rid, lp=lp) except ProvisioningError, e: - print str(e) - sys.exit(1) + print str(e) + sys.exit(1) |