summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/scripting/python/samba/provision.py33
-rwxr-xr-xsource4/setup/provision25
2 files changed, 40 insertions, 18 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 64491c2b18..3fb6ed641c 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -44,7 +44,7 @@ from credentials import Credentials, DONT_USE_KERBEROS
from auth import system_session, admin_session
from samba import version, Ldb, substitute_var, valid_netbios_name
from samba import check_all_substituted
-from samba import DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTION_2008, DS_DC_FUNCTION_2008_R2
+from samba import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTION_2008
from samba.samdb import SamDB
from samba.idmap import IDmapDB
from samba.dcerpc import security
@@ -926,22 +926,33 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
domainsid, domainguid, policyguid, policyguid_dc,
fill, adminpass, krbtgtpass,
machinepass, invocationid, dnspass,
- serverrole, schema=None, ldap_backend=None):
+ serverrole, dom_for_fun_level=None,
+ schema=None, ldap_backend=None):
"""Setup a complete SAM Database.
:note: This will wipe the main SAM database file!
"""
- # Do NOT change these default values without discussion with the team and reslease manager.
- domainFunctionality = DS_DOMAIN_FUNCTION_2008
- forestFunctionality = DS_DOMAIN_FUNCTION_2008
+ # ATTENTION: Do NOT change these default values without discussion with the
+ # team and/or release manager. They have a big impact on the whole program!
domainControllerFunctionality = DS_DC_FUNCTION_2008
+ if dom_for_fun_level is None:
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2008
+ if dom_for_fun_level < DS_DOMAIN_FUNCTION_2003:
+ raise ProvisioningError("You want to run SAMBA 4 on a domain and forest function level lower than Windows 2003 (Native). This isn't supported!")
+
+ if dom_for_fun_level > domainControllerFunctionality:
+ raise ProvisioningError("You want to run SAMBA 4 on a domain and forest function level which itself is higher than its actual DC function level (2008). This won't work!")
+
+ domainFunctionality = dom_for_fun_level
+ forestFunctionality = dom_for_fun_level
+
# Also wipes the database
setup_samdb_partitions(path, setup_path, message=message, lp=lp,
credentials=credentials, session_info=session_info,
- names=names,
- ldap_backend=ldap_backend, serverrole=serverrole)
+ names=names, ldap_backend=ldap_backend,
+ serverrole=serverrole)
if (schema == None):
schema = Schema(setup_path, domainsid, schemadn=names.schemadn, serverdn=names.serverdn,
@@ -1136,7 +1147,8 @@ def provision(setup_dir, message, session_info,
policyguid=None, policyguid_dc=None, invocationid=None,
machinepass=None,
dnspass=None, root=None, nobody=None, users=None,
- wheel=None, backup=None, aci=None, serverrole=None,
+ wheel=None, backup=None, aci=None, serverrole=None,
+ dom_for_fun_level=None,
ldap_backend_extra_port=None, ldap_backend_type=None,
sitename=None,
ol_mmr_urls=None, ol_olc=None,
@@ -1155,7 +1167,6 @@ def provision(setup_dir, message, session_info,
else:
domainsid = security.dom_sid(domainsid)
-
# create/adapt the group policy GUIDs
if policyguid is None:
policyguid = str(uuid.uuid4())
@@ -1289,7 +1300,9 @@ def provision(setup_dir, message, session_info,
adminpass=adminpass, krbtgtpass=krbtgtpass,
invocationid=invocationid,
machinepass=machinepass, dnspass=dnspass,
- serverrole=serverrole, ldap_backend=provision_backend)
+ serverrole=serverrole,
+ dom_for_fun_level=dom_for_fun_level,
+ ldap_backend=provision_backend)
if serverrole == "domain controller":
if paths.netlogon is None:
diff --git a/source4/setup/provision b/source4/setup/provision
index 8bf08b9e39..9912138fa3 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -93,7 +93,10 @@ parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TY
parser.add_option("--ldap-backend-nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true")
parser.add_option("--server-role", type="choice", metavar="ROLE",
choices=["domain controller", "dc", "member server", "member", "standalone"],
- help="Set server role to provision for (default standalone)")
+ help="The server role (domain controller | dc | member server | member | standalone). Default is standalone.")
+parser.add_option("--function-level", type="choice", metavar="FOR-FUN-LEVEL",
+ choices=["2003", "2008", "2008_R2"],
+ help="The domain and forest function level (2003 | 2008 | 2008_R2). Default is (Windows) 2008 (Native).")
parser.add_option("--partitions-only",
help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true")
parser.add_option("--targetdir", type="string", metavar="DIR",
@@ -164,6 +167,15 @@ elif opts.server_role == "member":
else:
server_role = opts.server_role
+if opts.function_level is None:
+ dom_for_fun_level = None
+elif opts.function_level == "2003":
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
+elif opts.function_level == "2008":
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2008
+elif opts.function_level == "2008_R2":
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2
+
creds = credopts.get_credentials(lp)
creds.set_kerberos_state(DONT_USE_KERBEROS)
@@ -190,12 +202,9 @@ provision(setup_dir, message,
krbtgtpass=opts.krbtgtpass, machinepass=opts.machinepass,
dnspass=opts.dnspass, root=opts.root, nobody=opts.nobody,
wheel=opts.wheel, users=opts.users,
- serverrole=server_role,
+ serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
ldap_backend_extra_port=opts.ldap_backend_extra_port,
ldap_backend_type=opts.ldap_backend_type,
- ldapadminpass=opts.ldapadminpass,
- ol_mmr_urls=opts.ol_mmr_urls,
- slapd_path=opts.slapd_path,
- setup_ds_path=opts.setup_ds_path,
- nosync=opts.nosync,
- ldap_dryrun_mode=opts.ldap_dryrun_mode)
+ ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
+ slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path,
+ nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode)