From af3138e9b6813ef88698c3e6eeb280c6e988c4cc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 9 Sep 2013 11:54:23 +1200 Subject: samba-tool domain join subdomain: Rework sambadns.py to allow setup of DomainDNSZone only This skips handling the ForestDNSZone when we are setting up a subdomain. Andrew Bartlett Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Oct 11 10:27:49 CEST 2013 on sn-devel-104 --- python/samba/join.py | 2 + python/samba/netcmd/domain.py | 9 ++- python/samba/provision/__init__.py | 12 ++-- python/samba/provision/common.py | 5 ++ python/samba/provision/sambadns.py | 90 +++++++++++++++--------- python/samba/upgrade.py | 3 +- python/samba/upgradehelpers.py | 3 +- source4/scripting/bin/samba_upgradedns | 5 +- source4/setup/provision_dnszones_add.ldif | 51 ++------------ source4/setup/provision_dnszones_modify.ldif | 31 +++----- source4/setup/provision_dnszones_partitions.ldif | 9 +-- 11 files changed, 99 insertions(+), 121 deletions(-) diff --git a/python/samba/join.py b/python/samba/join.py index 1785ab3e88..9cac8f5ed2 100644 --- a/python/samba/join.py +++ b/python/samba/join.py @@ -24,6 +24,7 @@ from samba import gensec, Ldb, drs_utils import ldb, samba, sys, uuid from samba.ndr import ndr_pack from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs +from samba.dsdb import DS_DOMAIN_FUNCTION_2003 from samba.credentials import Credentials, DONT_USE_KERBEROS from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN from samba.provision.common import setup_path 
@@ -765,6 +766,7 @@ class dc_join(object): presult = provision_fill(ctx.local_samdb, secrets_ldb, ctx.logger, ctx.names, ctx.paths, domainsid=security.dom_sid(ctx.domsid), domainguid=domguid, + dom_for_fun_level=DS_DOMAIN_FUNCTION_2003, targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN, machinepass=ctx.acct_pass, serverrole="active directory domain controller", lp=ctx.lp, hostip=ctx.names.hostip, hostip6=ctx.names.hostip6, diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py index 217b5369b7..9824da1610 100644 --- a/python/samba/netcmd/domain.py +++ b/python/samba/netcmd/domain.py @@ -67,11 +67,14 @@ from samba.dsdb import ( from samba.credentials import DONT_USE_KERBEROS from samba.provision import ( provision, + ProvisioningError + ) + +from samba.provision.common import ( FILL_FULL, FILL_NT4SYNC, - FILL_DRS, - ProvisioningError, - ) + FILL_DRS +) def get_testparm_var(testparm, smbconf, varname): cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf) diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index 698df94f34..d8f353f54a 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -101,7 +101,11 @@ from samba.provision.common import ( setup_path, setup_add_ldif, setup_modify_ldif, - ) + FILL_FULL, + FILL_SUBDOMAIN, + FILL_NT4SYNC, + FILL_DRS +) from samba.provision.sambadns import ( get_dnsadmins_sid, setup_ad_dns, @@ -1462,10 +1466,6 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, return samdb -FILL_FULL = "FULL" -FILL_SUBDOMAIN = "SUBDOMAIN" -FILL_NT4SYNC = "NT4SYNC" -FILL_DRS = "DRS" SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)" SYSVOL_SERVICE="sysvol" 
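Review bot: The new `dom_for_fun_level=DS_DOMAIN_FUNCTION_2003` argument is a fixed constant with no comment explaining the choice, and it is the value `provision_fill` forwards as `os_level` to `setup_ad_dns` (see the provision/__init__.py hunk below), so a subdomain joined into a forest running at a higher level is presumably still provisioned with the 2003-level DNS behaviour. If 2003 is the deliberate safe baseline for every subdomain join, say so on that line, e.g. `# subdomain joins are provisioned at the 2003 baseline regardless of the forest's level`; otherwise the value should be derived from the parent domain's msDS-Behavior-Version rather than hard-coded. The provision_fill call starts in this hunk but the enclosing dc_join method lies outside it.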
@@ -1795,7 +1795,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, setup_ad_dns(samdb, secrets_ldb, domainsid, names, paths, lp, logger, hostip=hostip, hostip6=hostip6, dns_backend=dns_backend, dnspass=dnspass, os_level=dom_for_fun_level, - targetdir=targetdir, site=DEFAULTSITE) + targetdir=targetdir, site=DEFAULTSITE, fill_level=samdb_fill) domainguid = samdb.searchone(basedn=samdb.get_default_basedn(), attribute="objectGUID") diff --git a/python/samba/provision/common.py b/python/samba/provision/common.py index f96704bcce..03e2278951 100644 --- a/python/samba/provision/common.py +++ b/python/samba/provision/common.py @@ -31,6 +31,11 @@ import os from samba import read_and_sub_file from samba.param import setup_dir +FILL_FULL = "FULL" +FILL_SUBDOMAIN = "SUBDOMAIN" +FILL_NT4SYNC = "NT4SYNC" +FILL_DRS = "DRS" + def setup_path(file): """Return an absolute path to the provision tempate file specified by file""" diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py index 46cfc89f4c..5fd3805786 100644 --- a/python/samba/provision/sambadns.py +++ b/python/samba/provision/sambadns.py @@ -48,7 +48,11 @@ from samba.provision.common import ( setup_path, setup_add_ldif, setup_modify_ldif, - setup_ldb + setup_ldb, + FILL_FULL, + FILL_SUBDOMAIN, + FILL_NT4SYNC, + FILL_DRS, ) 
@@ -230,15 +234,20 @@ class AgingEnabledTimeProperty(dnsp.DnsProperty): def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, - serverdn): + serverdn, fill_level): domainzone_dn = "DC=DomainDnsZones,%s" % domaindn forestzone_dn = "DC=ForestDnsZones,%s" % forestdn descriptor = get_dns_partition_descriptor(domainsid) + setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), { - "DOMAINZONE_DN": domainzone_dn, - "FORESTZONE_DN": forestzone_dn, + "ZONE_DN": domainzone_dn, "SECDESC" : b64encode(descriptor) }) + if fill_level != FILL_SUBDOMAIN: + setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), { + "ZONE_DN": forestzone_dn, + "SECDESC" : b64encode(descriptor) + }) domainzone_guid = get_domainguid(samdb, domainzone_dn) forestzone_guid = get_domainguid(samdb, forestzone_dn) 
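Review bot: `forestzone_guid = get_domainguid(samdb, forestzone_dn)` at the end of the hunk still runs unconditionally, although the object it looks up is no longer created on this path when `fill_level == FILL_SUBDOMAIN`; if the ForestDnsZones NC is not already present in the local samdb at this point, that lookup fails before the guarded code in the next hunk is ever reached. The value is only consumed inside the `if fill_level != FILL_SUBDOMAIN:` branch of the following hunk, so either move the lookup under the same guard (`if fill_level != FILL_SUBDOMAIN:` / `    forestzone_guid = get_domainguid(samdb, forestzone_dn)`) or explicitly initialise it to `None` here. Whether a subdomain join has already replicated the ForestDnsZones NC before this runs cannot be told from the hunk, so this needs confirming against join.py. setup_dns_partitions continues past the end of this hunk.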
@@ -252,25 +261,36 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, protected1_desc = get_domain_delete_protected1_descriptor(domainsid) protected2_desc = get_domain_delete_protected2_descriptor(domainsid) setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), { - "DOMAINZONE_DN": domainzone_dn, - "FORESTZONE_DN": forestzone_dn, - "DOMAINZONE_GUID": domainzone_guid, - "FORESTZONE_GUID": forestzone_guid, - "DOMAINZONE_DNS": domainzone_dns, - "FORESTZONE_DNS": forestzone_dns, + "ZONE_DN": domainzone_dn, + "ZONE_GUID": domainzone_guid, + "ZONE_DNS": domainzone_dns, "CONFIGDN": configdn, "SERVERDN": serverdn, "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc), "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc), }) - setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), { "CONFIGDN": configdn, "SERVERDN": serverdn, - "DOMAINZONE_DN": domainzone_dn, - "FORESTZONE_DN": forestzone_dn, + "ZONE_DN": domainzone_dn, }) + if fill_level != FILL_SUBDOMAIN: + setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), { + "ZONE_DN": forestzone_dn, + "ZONE_GUID": forestzone_guid, + "ZONE_DNS": forestzone_dns, + "CONFIGDN": configdn, + "SERVERDN": serverdn, + "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc), + "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc), + }) + setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), { + "CONFIGDN": configdn, + "SERVERDN": serverdn, + "ZONE_DN": forestzone_dn, + }) + def add_dns_accounts(samdb, domaindn): setup_add_ldif(samdb, setup_path("provision_dns_accounts_add.ldif"), { 
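Review bot: The forest branch added under `if fill_level != FILL_SUBDOMAIN:` repeats the domain branch's `setup_add_ldif`/`setup_modify_ldif` pair verbatim, differing only in the three ZONE_* substitutions, so any later change to the template dictionary has to be made twice. Since the two LDIF files are now written per zone, the natural shape is a list of `(zone_dn, zone_guid, zone_dns)` tuples that gains the forest entry only outside the subdomain case, and one loop over it; the domain pair still runs before the forest pair, so the order of LDB operations is unchanged. The function's opening lines are outside this hunk.

```python
    protected2_desc = get_domain_delete_protected2_descriptor(domainsid)
    zones = [(domainzone_dn, domainzone_guid, domainzone_dns)]
    if fill_level != FILL_SUBDOMAIN:
        zones.append((forestzone_dn, forestzone_guid, forestzone_dns))
    for zone_dn, zone_guid, zone_dns in zones:
        setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), {
            "ZONE_DN": zone_dn,
            "ZONE_GUID": zone_guid,
            "ZONE_DNS": zone_dns,
            "CONFIGDN": configdn,
            "SERVERDN": serverdn,
            "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc),
            "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc),
        })
        setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), {
            "CONFIGDN": configdn,
            "SERVERDN": serverdn,
            "ZONE_DN": zone_dn,
        })
```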
@@ -928,21 +948,23 @@ def fill_dns_data_legacy(samdb, domainsid, forestdn, dnsdomain, site, hostname, def create_dns_partitions(samdb, domainsid, names, domaindn, forestdn, - dnsadmins_sid): + dnsadmins_sid, fill_level): # Set up additional partitions (DomainDnsZones, ForstDnsZones) setup_dns_partitions(samdb, domainsid, domaindn, forestdn, - names.configdn, names.serverdn) + names.configdn, names.serverdn, fill_level) # Set up MicrosoftDNS containers add_dns_container(samdb, domaindn, "DC=DomainDnsZones", domainsid, dnsadmins_sid) - add_dns_container(samdb, forestdn, "DC=ForestDnsZones", domainsid, - dnsadmins_sid, forest=True) + if fill_level != FILL_SUBDOMAIN: + add_dns_container(samdb, forestdn, "DC=ForestDnsZones", domainsid, + dnsadmins_sid, forest=True) def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn, - dnsdomain, dnsforest, hostname, hostip, hostip6, - domainguid, ntdsguid, dnsadmins_sid, autofill=True): + dnsdomain, dnsforest, hostname, hostip, hostip6, + domainguid, ntdsguid, dnsadmins_sid, autofill=True, + fill_level=FILL_FULL): """Fill data in various AD partitions :param samdb: LDB object connected to sam.ldb file 
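Review bot: The new `fill_level=FILL_FULL` keyword on `fill_dns_data_partitions` is not described in the docstring that follows it, which still lists only the pre-existing parameters; the same applies to `setup_ad_dns` in the next hunk, and `create_dns_partitions`, which now also takes a positional `fill_level`, has no docstring at all. Add a line in the existing reST style, e.g. `:param fill_level: one of the FILL_* levels; FILL_SUBDOMAIN skips the ForestDnsZones partition`, to each of the three. Both docstrings continue past the end of their hunks.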
@@ -974,20 +996,21 @@ def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn, add_dc_domain_records(samdb, domaindn, "DC=DomainDnsZones", site, dnsdomain, hostname, hostip, hostip6) - ##### Set up DC=ForestDnsZones, - # Add _msdcs record - add_msdcs_record(samdb, forestdn, "DC=ForestDnsZones", dnsforest) + if fill_level != FILL_SUBDOMAIN: + ##### Set up DC=ForestDnsZones, + # Add _msdcs record + add_msdcs_record(samdb, forestdn, "DC=ForestDnsZones", dnsforest) - # Add DNS records for a DC in forest - if autofill: - add_dc_msdcs_records(samdb, forestdn, "DC=ForestDnsZones", site, - dnsforest, hostname, hostip, hostip6, - domainguid, ntdsguid) + # Add DNS records for a DC in forest + if autofill: + add_dc_msdcs_records(samdb, forestdn, "DC=ForestDnsZones", site, + dnsforest, hostname, hostip, hostip6, + domainguid, ntdsguid) def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, dns_backend, os_level, site, dnspass=None, hostip=None, hostip6=None, - targetdir=None): + targetdir=None, fill_level=FILL_FULL): """Provision DNS information (assuming GC role) :param samdb: LDB object connected to sam.ldb file 
@@ -1062,18 +1085,19 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, # Create DNS partitions logger.info("Creating DomainDnsZones and ForestDnsZones partitions") create_dns_partitions(samdb, domainsid, names, domaindn, forestdn, - dnsadmins_sid) + dnsadmins_sid, fill_level) # Populating dns partitions logger.info("Populating DomainDnsZones and ForestDnsZones partitions") fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn, - dnsdomain, dnsforest, hostname, hostip, hostip6, - domainguid, names.ntdsguid, dnsadmins_sid) + dnsdomain, dnsforest, hostname, hostip, hostip6, + domainguid, names.ntdsguid, dnsadmins_sid, + fill_level=fill_level) if dns_backend.startswith("BIND9_"): setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, - dns_backend, os_level, site=site, dnspass=dnspass, hostip=hostip, - hostip6=hostip6, targetdir=targetdir) + dns_backend, os_level, site=site, dnspass=dnspass, hostip=hostip, + hostip6=hostip6, targetdir=targetdir) def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, diff --git a/python/samba/upgrade.py b/python/samba/upgrade.py index 6b55ed76a7..ff5990c667 100644 --- a/python/samba/upgrade.py +++ b/python/samba/upgrade.py @@ -26,7 +26,8 @@ import pwd from samba import Ldb, registry from samba.param import LoadParm -from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl +from samba.provision import provision, ProvisioningError, setsysvolacl +from samba.provision.common import FILL_FULL from samba.samba3 import passdb from samba.samba3 import param as s3param from samba.dcerpc import lsa, samr, security diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py index b6750eb430..d2b0a1872f 100644 --- a/python/samba/upgradehelpers.py +++ b/python/samba/upgradehelpers.py 
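Review bot: Both `logger.info` messages in this hunk still announce "DomainDnsZones and ForestDnsZones" even though, with `fill_level` now threaded through, the ForestDnsZones partition is neither created nor populated when `fill_level == FILL_SUBDOMAIN`; an operator reading a subdomain-join log will be told a partition was set up that was deliberately skipped. A small change keeps the log truthful: `zones = "DomainDnsZones" if fill_level == FILL_SUBDOMAIN else "DomainDnsZones and ForestDnsZones"` followed by `logger.info("Creating %s partitions" % zones)` and `logger.info("Populating %s partitions" % zones)`. The rest of setup_ad_dns lies outside this hunk.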
@@ -31,8 +31,9 @@ from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE import ldb from samba.provision import (provision_paths_from_lp, getpolicypath, set_gpos_acl, create_gpo_struct, - FILL_FULL, provision, ProvisioningError, + provision, ProvisioningError, setsysvolacl, secretsdb_self_join) +from samba.provision.common import FILL_FULL from samba.dcerpc import xattr, drsblobs, security from samba.dcerpc.misc import SEC_CHAN_BDC from samba.ndr import ndr_unpack diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns index 6b208c927f..d2c96cc1c2 100755 --- a/source4/scripting/bin/samba_upgradedns +++ b/source4/scripting/bin/samba_upgradedns @@ -46,7 +46,8 @@ from samba.provision import ( interface_ips_v6 ) from samba.provision.common import ( setup_path, - setup_add_ldif ) + setup_add_ldif, + FILL_FULL) from samba.provision.sambadns import ( ARecord, AAAARecord, @@ -339,7 +340,7 @@ if __name__ == '__main__': logger.debug("IPv6 addresses: %s" % hostip6) create_dns_partitions(ldbs.sam, domainsid, names, domaindn, forestdn, - dnsadmins_sid) + dnsadmins_sid, FILL_FULL) logger.info("Populating DNS partitions") fill_dns_data_partitions(ldbs.sam, domainsid, site, domaindn, forestdn, diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif index bf872f0b64..860aa4b72b 100644 --- a/source4/setup/provision_dnszones_add.ldif +++ b/source4/setup/provision_dnszones_add.ldif @@ -1,7 +1,7 @@ ################################# # Required objectclasses ################################# -dn: CN=Deleted Objects,${DOMAINZONE_DN} +dn: CN=Deleted Objects,${ZONE_DN} objectClass: top objectClass: container description: Deleted objects 
@@ -9,71 +9,34 @@ isDeleted: TRUE isCriticalSystemObject: TRUE systemFlags: -1946157056 -dn: CN=LostAndFound,${DOMAINZONE_DN} +dn: CN=LostAndFound,${ZONE_DN} objectClass: top objectClass: lostAndFound isCriticalSystemObject: TRUE systemFlags: -1946157056 nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR} -dn: CN=Infrastructure,${DOMAINZONE_DN} +dn: CN=Infrastructure,${ZONE_DN} objectClass: top objectClass: infrastructureUpdate isCriticalSystemObject: TRUE systemFlags: -1946157056 nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR} -dn: CN=NTDS Quotas,${DOMAINZONE_DN} +dn: CN=NTDS Quotas,${ZONE_DN} objectClass: top objectClass: msDS-QuotaContainer isCriticalSystemObject: TRUE systemFlags: -1946157056 -dn: CN=Deleted Objects,${FORESTZONE_DN} -objectClass: top -objectClass: container -description: Deleted objects -isDeleted: TRUE -isCriticalSystemObject: TRUE -systemFlags: -1946157056 - -dn: CN=LostAndFound,${FORESTZONE_DN} -objectClass: top -objectClass: lostAndFound -isCriticalSystemObject: TRUE -systemFlags: -1946157056 -nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR} - -dn: CN=Infrastructure,${FORESTZONE_DN} -objectClass: top -objectClass: infrastructureUpdate -isCriticalSystemObject: TRUE -systemFlags: -1946157056 -nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR} - -dn: CN=NTDS Quotas,${FORESTZONE_DN} -objectClass: top -objectClass: msDS-QuotaContainer -isCriticalSystemObject: TRUE -systemFlags: -1946157056 - ################################# # Configure partitions ################################# -dn: CN=${DOMAINZONE_GUID},CN=Partitions,${CONFIGDN} +dn: CN=${ZONE_GUID},CN=Partitions,${CONFIGDN} objectClass: top objectClass: crossRef -nCName: ${DOMAINZONE_DN} -dnsRoot: ${DOMAINZONE_DNS} +nCName: ${ZONE_DN} +dnsRoot: ${ZONE_DNS} systemFlags: 5 msDS-NC-Replica-Locations: CN=NTDS Settings,${SERVERDN} - -dn: CN=${FORESTZONE_GUID},CN=Partitions,${CONFIGDN} -objectClass: top -objectClass: crossRef -nCName: ${FORESTZONE_DN} -dnsRoot: ${FORESTZONE_DNS} -systemFlags: 
5 -msDS-NC-Replica-Locations: CN=NTDS Settings,${SERVERDN} - diff --git a/source4/setup/provision_dnszones_modify.ldif b/source4/setup/provision_dnszones_modify.ldif index 0dc942ff1e..108d8b8b1b 100644 --- a/source4/setup/provision_dnszones_modify.ldif +++ b/source4/setup/provision_dnszones_modify.ldif 
@@ -1,36 +1,21 @@ -dn: ${DOMAINZONE_DN} +dn: ${ZONE_DN} changetype: modify add: wellKnownObjects -wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS Quotas,${DOMAINZONE_DN} -wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted Objects,${DOMAINZONE_DN} -wellKnownObjects: B:32:2fbac1870ade11d297c400c04fd8d5cd:CN=Infrastructure,${DOMAINZONE_DN} -wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,${DOMAINZONE_DN} +wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS Quotas,${ZONE_DN} +wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted Objects,${ZONE_DN} +wellKnownObjects: B:32:2fbac1870ade11d297c400c04fd8d5cd:CN=Infrastructure,${ZONE_DN} +wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,${ZONE_DN} -dn: CN=Infrastructure,${DOMAINZONE_DN} +dn: CN=Infrastructure,${ZONE_DN} changetype: modify add: fSMORoleOwner fSMORoleOwner: CN=NTDS Settings,${SERVERDN} -dn: CN=Infrastructure,${FORESTZONE_DN} -changetype: modify -add: fSMORoleOwner -fSMORoleOwner: CN=NTDS Settings,${SERVERDN} - -dn: ${FORESTZONE_DN} -changetype: modify -add: wellKnownObjects -wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS Quotas,${FORESTZONE_DN} -wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted Objects,${FORESTZONE_DN} -wellKnownObjects: B:32:2fbac1870ade11d297c400c04fd8d5cd:CN=Infrastructure,${FORESTZONE_DN} -wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,${FORESTZONE_DN} - dn: CN=NTDS Settings,${SERVERDN} changetype: modify add: msDS-HasInstantiatedNCs -msDS-HasInstantiatedNCs: B:8:0000000D:${DOMAINZONE_DN} -msDS-HasInstantiatedNCs: B:8:0000000D:${FORESTZONE_DN} +msDS-HasInstantiatedNCs: B:8:0000000D:${ZONE_DN} - add: msDS-hasMasterNCs -msDS-hasMasterNCs: ${DOMAINZONE_DN} -msDS-hasMasterNCs: ${FORESTZONE_DN} +msDS-hasMasterNCs: ${ZONE_DN} - 
diff --git a/source4/setup/provision_dnszones_partitions.ldif b/source4/setup/provision_dnszones_partitions.ldif index 4ab7aedd90..c022bd02aa 100644 --- a/source4/setup/provision_dnszones_partitions.ldif +++ b/source4/setup/provision_dnszones_partitions.ldif @@ -1,7 +1,7 @@ ################################ ## DNSZones Naming Context ################################ -dn: ${DOMAINZONE_DN} +dn: ${ZONE_DN} objectClass: top objectClass: domainDNS description: Microsoft DNS Directory @@ -9,10 +9,3 @@ msDS-NcType: 0 instanceType: 13 ntSecurityDescriptor:: ${SECDESC} -dn: ${FORESTZONE_DN} -objectClass: top -objectClass: domainDNS -description: Microsoft DNS Directory -msDS-NcType: 0 -instanceType: 13 -ntSecurityDescriptor:: ${SECDESC} -- cgit