Diffstat (limited to 'source4')
-rw-r--r-- | source4/scripting/python/samba/provision.py | 33 | ||||
-rwxr-xr-x | source4/setup/provision | 25 |
2 files changed, 40 insertions, 18 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 64491c2b18..3fb6ed641c 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -44,7 +44,7 @@ from credentials import Credentials, DONT_USE_KERBEROS
 from auth import system_session, admin_session
 from samba import version, Ldb, substitute_var, valid_netbios_name
 from samba import check_all_substituted
-from samba import DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTION_2008, DS_DC_FUNCTION_2008_R2
+from samba import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTION_2008
 from samba.samdb import SamDB
 from samba.idmap import IDmapDB
 from samba.dcerpc import security
@@ -926,22 +926,33 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, domainsid, domainguid, policyguid, policyguid_dc, fill, adminpass, krbtgtpass, machinepass, invocationid, dnspass, - serverrole, schema=None, ldap_backend=None): + serverrole, dom_for_fun_level=None, + schema=None, ldap_backend=None): """Setup a complete SAM Database. :note: This will wipe the main SAM database file! """ - # Do NOT change these default values without discussion with the team and reslease manager. - domainFunctionality = DS_DOMAIN_FUNCTION_2008 - forestFunctionality = DS_DOMAIN_FUNCTION_2008 + # ATTENTION: Do NOT change these default values without discussion with the + # team and/or release manager. They have a big impact on the whole program! domainControllerFunctionality = DS_DC_FUNCTION_2008 + if dom_for_fun_level is None: + dom_for_fun_level = DS_DOMAIN_FUNCTION_2008 + if dom_for_fun_level < DS_DOMAIN_FUNCTION_2003: + raise ProvisioningError("You want to run SAMBA 4 on a domain and forest function level lower than Windows 2003 (Native). This isn't supported!") + + if dom_for_fun_level > domainControllerFunctionality: + raise ProvisioningError("You want to run SAMBA 4 on a domain and forest function level which itself is higher than its actual DC function level (2008). This won't work!") + + domainFunctionality = dom_for_fun_level + forestFunctionality = dom_for_fun_level + # Also wipes the database setup_samdb_partitions(path, setup_path, message=message, lp=lp, credentials=credentials, session_info=session_info, - names=names, - ldap_backend=ldap_backend, serverrole=serverrole) + names=names, ldap_backend=ldap_backend, + serverrole=serverrole) if (schema == None): schema = Schema(setup_path, domainsid, schemadn=names.schemadn, serverdn=names.serverdn, 
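Review bot: `dom_for_fun_level=None` is inserted ahead of `schema` and `ldap_backend` in the `setup_samdb` signature (and ahead of `ldap_backend_extra_port` in `provision()` in the hunk at -1136), so any caller that passes those later arguments positionally would now bind them to the wrong parameter; the one call visible in this diff uses keywords, but other callers are outside the diff. Appending the new parameter at the end of both signatures avoids the shift. The second error message also hardcodes "(2008)" although the limit is read from `domainControllerFunctionality`, so the text goes stale if that default is ever changed; formatting the value into the message would keep them in step. The body of `setup_samdb` continues outside the hunk.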
@@ -1136,7 +1147,8 @@ def provision(setup_dir, message, session_info, policyguid=None, policyguid_dc=None, invocationid=None, machinepass=None, dnspass=None, root=None, nobody=None, users=None, - wheel=None, backup=None, aci=None, serverrole=None, + wheel=None, backup=None, aci=None, serverrole=None, + dom_for_fun_level=None, ldap_backend_extra_port=None, ldap_backend_type=None, sitename=None, ol_mmr_urls=None, ol_olc=None, @@ -1155,7 +1167,6 @@ def provision(setup_dir, message, session_info, else: domainsid = security.dom_sid(domainsid) - # create/adapt the group policy GUIDs if policyguid is None: policyguid = str(uuid.uuid4()) @@ -1289,7 +1300,9 @@ def provision(setup_dir, message, session_info, adminpass=adminpass, krbtgtpass=krbtgtpass, invocationid=invocationid, machinepass=machinepass, dnspass=dnspass, - serverrole=serverrole, ldap_backend=provision_backend) + serverrole=serverrole, + dom_for_fun_level=dom_for_fun_level, + ldap_backend=provision_backend) if serverrole == "domain controller": if paths.netlogon is None: diff --git a/source4/setup/provision b/source4/setup/provision index 8bf08b9e39..9912138fa3 100755 --- a/source4/setup/provision +++ b/source4/setup/provision 
@@ -93,7 +93,10 @@ parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TY parser.add_option("--ldap-backend-nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true") parser.add_option("--server-role", type="choice", metavar="ROLE", choices=["domain controller", "dc", "member server", "member", "standalone"], - help="Set server role to provision for (default standalone)") + help="The server role (domain controller | dc | member server | member | standalone). Default is standalone.") +parser.add_option("--function-level", type="choice", metavar="FOR-FUN-LEVEL", + choices=["2003", "2008", "2008_R2"], + help="The domain and forest function level (2003 | 2008 | 2008_R2). Default is (Windows) 2008 (Native).") parser.add_option("--partitions-only", help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true") parser.add_option("--targetdir", type="string", metavar="DIR", @@ -164,6 +167,15 @@ elif opts.server_role == "member": else: server_role = opts.server_role +if opts.function_level is None: + dom_for_fun_level = None +elif opts.function_level == "2003": + dom_for_fun_level = DS_DOMAIN_FUNCTION_2003 +elif opts.function_level == "2008": + dom_for_fun_level = DS_DOMAIN_FUNCTION_2008 +elif opts.function_level == "2008_R2": + dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2 + creds = credopts.get_credentials(lp) creds.set_kerberos_state(DONT_USE_KERBEROS) 
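Review bot: `--function-level` advertises `2008_R2`, but the check added to `setup_samdb` in provision.py raises `ProvisioningError` for any level above `domainControllerFunctionality` (`DS_DC_FUNCTION_2008`), so, assuming the 2008_R2 constant is the higher value, this choice can never succeed. The rejection also happens only inside `setup_samdb`, after `provision()` has already run whatever precedes that call (not visible in this diff). Either drop the value here, `choices=["2003", "2008"],` with the help text adjusted to match, or reject it in this script before `provision()` is called.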
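Review bot: The new `elif` chain in the hunk at -164 uses `DS_DOMAIN_FUNCTION_2003`, `DS_DOMAIN_FUNCTION_2008` and `DS_DOMAIN_FUNCTION_2008_R2`, but no hunk for source4/setup/provision adds an import for them. Unless the script already imports these names (its import block is outside the diff), passing `--function-level` ends in a `NameError` instead of a provisioned domain. A line such as `from samba import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008, DS_DOMAIN_FUNCTION_2008_R2` next to the script's existing imports would cover it.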
@@ -190,12 +202,9 @@ provision(setup_dir, message, krbtgtpass=opts.krbtgtpass, machinepass=opts.machinepass, dnspass=opts.dnspass, root=opts.root, nobody=opts.nobody, wheel=opts.wheel, users=opts.users, - serverrole=server_role, + serverrole=server_role, dom_for_fun_level=dom_for_fun_level, ldap_backend_extra_port=opts.ldap_backend_extra_port, ldap_backend_type=opts.ldap_backend_type, - ldapadminpass=opts.ldapadminpass, - ol_mmr_urls=opts.ol_mmr_urls, - slapd_path=opts.slapd_path, - setup_ds_path=opts.setup_ds_path, - nosync=opts.nosync, - ldap_dryrun_mode=opts.ldap_dryrun_mode) + ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls, + slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path, + nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode) |