Diffstat (limited to 'source4')
-rw-r--r--source4/scripting/libjs/provision.js81
-rw-r--r--source4/setup/provision_users.ldif8
2 files changed, 75 insertions, 14 deletions
diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js
index ef6fe31285..90bc082341 100644
--- a/source4/scripting/libjs/provision.js
+++ b/source4/scripting/libjs/provision.js
@@ -52,24 +52,50 @@ function findnss()
/*
add a foreign security principle
*/
-function add_foreign(str, sid, desc, unixname)
+function add_foreign(str, sid, desc)
{
var add = "
dn: CN=${SID},CN=ForeignSecurityPrincipals,${BASEDN}
objectClass: top
objectClass: foreignSecurityPrincipal
description: ${DESC}
-unixName: ${UNIXNAME}
uSNCreated: 1
uSNChanged: 1
";
var sub = new Object();
sub.SID = sid;
sub.DESC = desc;
- sub.UNIXNAME = unixname;
return str + substitute_var(add, sub);
}
+
+/*
+ setup a mapping between a sam name and a unix name
+ */
+function setup_name_mapping(info, ldb, sid, unixname)
+{
+ var attrs = new Array("dn");
+ var res = ldb.search(sprintf("objectSid=%s", sid),
+ NULL, ldb.SCOPE_DEFAULT, attrs);
+ if (res.length != 1) {
+ return false;
+ }
+ var mod = sprintf("
+dn: %s
+changetype: modify
+replace: unixName
+unixName: %s
+",
+ res[0].dn, unixname);
+ var ok = ldb.modify(mod);
+ if (!ok) {
+ info.message("name mapping for %s failed - %s\n",
+ sid, ldb.errstring());
+ return false;
+ }
+ return true;
+}
+
/*
return current time as a nt time string
*/
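Review bot: The `res.length != 1` branch in setup_name_mapping returns false without any diagnostic, while the ldb.modify failure a few lines below reports through info.message; a missing or ambiguous objectSid match is therefore the one failure an administrator cannot see in the provisioning output. Suggest `info.message("name mapping for %s failed - %d matching objects\n", sid, res.length);` before that return. The modify record on the following lines is assembled with sprintf from res[0].dn and unixname; the unixname values are subobj provisioning parameters, so a value containing a newline would change the record's meaning — worth stating in the function comment, or checking up front, if those parameters can originate outside the provisioning script.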
@@ -258,6 +284,42 @@ function provision_default_paths(subobj)
return paths;
}
+
+/*
+ setup reasonable name mappings for sam names to unix names
+*/
+function setup_name_mappings(info, subobj, session_info, credentials)
+{
+ var lp = loadparm_init();
+ var ldb = ldb_init();
+ ldb.session_info = session_info;
+ ldb.credentials = credentials;
+ var ok = ldb.connect(lp.get("sam database"));
+ if (!ok) {
+ return false;
+ }
+
+ /* some well known sids */
+ setup_name_mapping(info, ldb, "S-1-5-7", subobj.NOBODY);
+ setup_name_mapping(info, ldb, "S-1-1-0", subobj.NOGROUP);
+ setup_name_mapping(info, ldb, "S-1-5-2", subobj.NOGROUP);
+ setup_name_mapping(info, ldb, "S-1-5-18", subobj.ROOT);
+ setup_name_mapping(info, ldb, "S-1-5-11", subobj.USERS);
+ setup_name_mapping(info, ldb, "S-1-5-32-544", subobj.WHEEL);
+ setup_name_mapping(info, ldb, "S-1-5-32-546", subobj.NOGROUP);
+
+ /* and some well known domain rids */
+ setup_name_mapping(info, ldb, subobj.DOMAINSID + "-500", subobj.ROOT);
+ setup_name_mapping(info, ldb, subobj.DOMAINSID + "-518", subobj.WHEEL);
+ setup_name_mapping(info, ldb, subobj.DOMAINSID + "-519", subobj.WHEEL);
+ setup_name_mapping(info, ldb, subobj.DOMAINSID + "-512", subobj.WHEEL);
+ setup_name_mapping(info, ldb, subobj.DOMAINSID + "-513", subobj.USERS);
+ setup_name_mapping(info, ldb, subobj.DOMAINSID + "-520", subobj.WHEEL);
+
+ return true;
+}
+
+
/*
provision samba4 - caution, this wipes all existing data!
*/
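Review bot: setup_name_mappings discards the boolean returned by every setup_name_mapping call and unconditionally returns true, so provision() cannot tell that, for example, the mapping of `subobj.DOMAINSID + "-500"` to subobj.ROOT never happened; the only trace is the message printed on a modify failure, and a lookup miss prints nothing. Suggest accumulating the results, e.g. `ok = setup_name_mapping(info, ldb, "S-1-5-7", subobj.NOBODY) && ok;` for each call and `return ok;` at the end, or returning false at the first failure if a partially mapped database is not acceptable. Likewise the `ldb.connect(lp.get("sam database"))` failure returns false with no info.message, unlike the other error paths in this file.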
@@ -319,10 +381,17 @@ function provision(subobj, message, blank, paths, session_info, credentials)
setup_ldb("provision_templates.ldif", info, paths.samdb, NULL, false);
message("Setting up sam.ldb data\n");
setup_ldb("provision.ldif", info, paths.samdb, NULL, false);
- if (blank == false) {
- message("Setting up sam.ldb users and groups\n");
- setup_ldb("provision_users.ldif", info, paths.samdb, data, false);
+ if (blank != false) {
+ return true;
}
+
+ message("Setting up sam.ldb users and groups\n");
+ setup_ldb("provision_users.ldif", info, paths.samdb, data, false);
+
+ if (setup_name_mappings(info, subobj, session_info, credentials) == false) {
+ return false;
+ }
+
return true;
}
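Review bot: `if (blank != false)` on the new early return compares a boolean against a literal and inverts the original `blank == false` test, which makes the reader work out that the two forms are equivalent; `if (blank) { return true; }` expresses the intent directly if blank is always a boolean, as the original test implied. The body of provision() begins outside this hunk.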
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index dfb31783e4..45b2382c17 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -16,7 +16,6 @@ accountExpires: -1
sAMAccountName: Administrator
isCriticalSystemObject: TRUE
sambaPassword: ${ADMINPASS}
-unixName: ${ROOT}
dn: CN=Guest,CN=Users,${BASEDN}
objectClass: user
@@ -49,7 +48,6 @@ systemFlags: 0x8c000000
groupType: 0x80000005
objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
privilege: SeSecurityPrivilege
privilege: SeBackupPrivilege
privilege: SeRestorePrivilege
@@ -133,7 +131,6 @@ systemFlags: 0x8c000000
groupType: 0x80000005
objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
isCriticalSystemObject: TRUE
-unixName: ${NOGROUP}
dn: CN=Print Operators,CN=Builtin,${BASEDN}
objectClass: top
@@ -306,7 +303,6 @@ objectSid: ${DOMAINSID}-518
adminCount: 1
sAMAccountName: Schema Admins
isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
dn: CN=Enterprise Admins,CN=Users,${BASEDN}
objectClass: top
@@ -321,7 +317,6 @@ objectSid: ${DOMAINSID}-519
adminCount: 1
sAMAccountName: Enterprise Admins
isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
dn: CN=Cert Publishers,CN=Users,${BASEDN}
objectClass: top
@@ -350,7 +345,6 @@ objectSid: ${DOMAINSID}-512
adminCount: 1
sAMAccountName: Domain Admins
isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
dn: CN=Domain Users,CN=Users,${BASEDN}
objectClass: top
@@ -363,7 +357,6 @@ uSNChanged: 1
objectSid: ${DOMAINSID}-513
sAMAccountName: Domain Users
isCriticalSystemObject: TRUE
-unixName: ${USERS}
dn: CN=Domain Guests,CN=Users,${BASEDN}
objectClass: top
@@ -389,7 +382,6 @@ objectSid: ${DOMAINSID}-520
sAMAccountName: Group Policy Creator Owners
objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
objectClass: top