From fa4023d6f73920765aa5fdbcdd6fd934782258cf Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Thu, 17 Sep 2009 21:19:24 +0200 Subject: s4:provision - Some rework (continuation) - Fix up "servicePrincipalNames" attributes on the DC object - Add some informative comments (most in "provision_self_join.ldif") - Add also comments where objects are missing which we may add later when we support the feature (mainly for FRS) - Add "domain updates" objects also under "CN=Configuration" (they exist twice) - Add the default services under "Services" to allow interoperability with some MS client tools - Smaller changes --- source4/scripting/python/samba/provision.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source4/scripting/python') diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 4840efcb63..ca9850304e 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -978,6 +978,7 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, "DOMAINDN": names.domaindn}) message("Setting up sam.ldb data") setup_add_ldif(samdb, setup_path("provision.ldif"), { + "CREATTIME": str(int(time.time()) * 1e7), # seconds -> ticks "DOMAINDN": names.domaindn, "NETBIOSNAME": names.netbiosname, "DEFAULTSITE": names.sitename, 
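Review bot: The added `"CREATTIME"` value is computed in floating point: `int(time.time()) * 1e7` is a float, and `str()` of a float this large comes out in exponent notation, so the text substituted into provision.ldif is not an integer tick count. Keeping the arithmetic in integers avoids that: `"CREATTIME": str(int(time.time()) * 10000000),  # seconds -> ticks`. If the attribute this fills expects an NT timestamp counted from 1601, the Unix-epoch offset would be missing as well; that cannot be confirmed here because provision.ldif is not shown. The setup_add_ldif call continues past the end of the hunk.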
@@ -1005,10 +1006,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, policyguid_dc=policyguid_dc, setup_path=setup_path, domainControllerFunctionality=domainControllerFunctionality) - # add the NTDSGUID based SPNs + ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn) - names.ntdsguid = samdb.searchone(basedn=ntds_dn, attribute="objectGUID", - expression="", scope=SCOPE_BASE) + names.ntdsguid = samdb.searchone(basedn=ntds_dn, + attribute="objectGUID", expression="", scope=SCOPE_BASE) assert isinstance(names.ntdsguid, str) except: -- cgit From 89f5df6fa7cca1aaec81e29b8777bab5b4068003 Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Fri, 18 Sep 2009 16:21:29 +0200 Subject: s4:provision - Bump down the domain and forest level to Windows 2000 - The DC level we keep on Windows Server 2008 R2 (we should call ourself always the newest server type) - The domain/forest level we set to the minimum (Windows 2000 native) to allow all AD DC types (from Windows 2000 on) in our domain - the NT4 "mixed" mode isn't supported by us (discussed on mailing list) -> "nTMixedDomain" is set always to 0 - I'll add a script which allows to bump the DC level (basically sets the "msDS-Behaviour-Version" attributes on the "Partitions/Configuration/DC" and on the "DC" object) --- source4/scripting/python/samba/provision.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/scripting/python') diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index ca9850304e..065677fa68 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py 
@@ -44,7 +44,7 @@ from credentials import Credentials, DONT_USE_KERBEROS from auth import system_session, admin_session from samba import version, Ldb, substitute_var, valid_netbios_name from samba import check_all_substituted -from samba import DS_DOMAIN_FUNCTION_2008_R2, DS_DC_FUNCTION_2008_R2 +from samba import DS_DOMAIN_FUNCTION_2000, DS_DC_FUNCTION_2008_R2 from samba.samdb import SamDB from samba.idmap import IDmapDB from samba.dcerpc import security @@ -835,8 +835,8 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, :note: This will wipe the main SAM database file! """ - domainFunctionality = DS_DOMAIN_FUNCTION_2008_R2 - forestFunctionality = DS_DOMAIN_FUNCTION_2008_R2 + domainFunctionality = DS_DOMAIN_FUNCTION_2000 + forestFunctionality = DS_DOMAIN_FUNCTION_2000 domainControllerFunctionality = DS_DC_FUNCTION_2008_R2 # Also wipes the database -- cgit From a873ea42caae61162e9d334442e521f7ebbf4935 Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Fri, 18 Sep 2009 20:16:05 +0200 Subject: s4:samdb.py - Unification of the interfaces - When a user account is requested by a call always the search filter will be passed as argument. This helps us to unify the API - Add/fix some comments; in particular new comments inform the developer which requirements exist if he wants to use calls which manipulate the "userPassword" attribute (On s4 no problem - but on certain domain levels on Windows Server) --- source4/scripting/python/samba/idmap.py | 2 +- source4/scripting/python/samba/samdb.py | 90 +++++++++++++++++++-------------- 2 files changed, 54 insertions(+), 38 deletions(-) (limited to 'source4/scripting/python') diff --git a/source4/scripting/python/samba/idmap.py b/source4/scripting/python/samba/idmap.py index acc98a56e8..ad209f42de 100644 --- a/source4/scripting/python/samba/idmap.py +++ b/source4/scripting/python/samba/idmap.py 
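Review bot: The reason for pinning `domainFunctionality` and `forestFunctionality` to `DS_DOMAIN_FUNCTION_2000` exists only in the commit message, so in setup_samdb the lowered default reads as an accident next to `DS_DC_FUNCTION_2008_R2`. A comment above the two assignments would record it, for example `# Lowest level (Windows 2000 native) on purpose, so that every AD DC type from Windows 2000 on can be in the domain; the DC itself still advertises 2008 R2.` Because the functional level decides which directory features are available, the comment should also say that raising it is a separate, deliberate step after provisioning (the commit message announces a script for that). The body of setup_samdb continues outside the hunk.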
@@ -34,7 +34,7 @@ class IDmapDB(samba.Ldb): def __init__(self, url=None, lp=None, modules_dir=None, session_info=None, credentials=None, flags=0, options=None): - """Opens the IDmap Database. + """Opens the IDMap Database For parameter meanings see the super class (samba.Ldb) """ diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index a58d6c5b12..ef2a0b1644 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -37,7 +37,7 @@ class SamDB(samba.Ldb): def __init__(self, url=None, lp=None, modules_dir=None, session_info=None, credentials=None, flags=0, options=None): - """Opens the Sam Database. + """Opens the SAM Database For parameter meanings see the super class (samba.Ldb) """ @@ -55,13 +55,25 @@ class SamDB(samba.Ldb): super(SamDB, self).connect(url=self.lp.private_path(url), flags=flags, options=options) - def enable_account(self, user_dn): - """Enable an account. + def domain_dn(self): + # find the DNs for the domain + res = self.search(base="", + scope=ldb.SCOPE_BASE, + expression="(defaultNamingContext=*)", + attrs=["defaultNamingContext"]) + assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None) + return res[0]["defaultNamingContext"][0] + + def enable_account(self, filter): + """Enables an account - :param user_dn: Dn of the account to enable. + :param filter: LDAP filter to find the user (eg samccountname=name) """ - res = self.search(user_dn, ldb.SCOPE_BASE, None, ["userAccountControl"]) - assert len(res) == 1 + res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE, + expression=filter, attrs=["userAccountControl"]) + assert(len(res) == 1) + user_dn = res[0].dn + userAccountControl = int(res[0]["userAccountControl"][0]) if (userAccountControl & 0x2): userAccountControl = userAccountControl & ~0x2 # remove disabled bit 
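Review bot: In the new `enable_account(self, filter)` the only guard between a caller-supplied search filter and the modification of `res[0]` is `assert(len(res) == 1)`, which disappears when Python runs with `-O`. A filter that matches several entries would then clear the disabled bit on whichever entry is returned first, and an empty result would fail with an IndexError rather than a clear message. An explicit check is safer: `if len(res) != 1: raise Exception("filter %r matched %d entries" % (filter, len(res)))`. The same assert-as-validation pattern is in `domain_dn` in this hunk and in `force_password_change_at_next_login` and `setexpiry` in the later hunks of this file. The docstring example `samccountname=name` also misspells the attribute (`sAMAccountName`), and the body of enable_account continues outside the hunk.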
@@ -76,11 +88,16 @@ userAccountControl: %u """ % (user_dn, userAccountControl) self.modify_ldif(mod) - def force_password_change_at_next_login(self, user_dn): - """Force a password change at next login + def force_password_change_at_next_login(self, filter): + """Forces a password change at next login - :param user_dn: Dn of the account to force password change on + :param filter: LDAP filter to find the user (eg samccountname=name) """ + res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE, + expression=filter, attrs=[]) + assert(len(res) == 1) + user_dn = res[0].dn + mod = """ dn: %s changetype: modify @@ -89,17 +106,12 @@ pwdLastSet: 0 """ % (user_dn) self.modify_ldif(mod) - def domain_dn(self): - # find the DNs for the domain - res = self.search(base="", - scope=ldb.SCOPE_BASE, - expression="(defaultNamingContext=*)", - attrs=["defaultNamingContext"]) - assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None) - return res[0]["defaultNamingContext"][0] - def newuser(self, username, unixname, password, force_password_change_at_next_login=False): - """add a new user record. + """Adds a new user + + Note: This call uses the "userPassword" attribute to set the password. + This works correctly on SAMBA 4 DCs and on Windows DCs with + "2003 Native" or higer domain function level. :param username: Name of the new user. :param unixname: Name of the unix user to map to. @@ -110,11 +122,8 @@ pwdLastSet: 0 try: user_dn = "CN=%s,CN=Users,%s" % (username, self.domain_dn()) - # - # the new user record. note the reliance on the samdb module to - # fill in a sid, guid etc - # - # now the real work + # The new user record. Note the reliance on the SAMLDB module which + # fills in the default informations self.add({"dn": user_dn, "sAMAccountName": username, "userPassword": password, 
@@ -130,30 +139,34 @@ pwdLastSet: 0 idmap = IDmapDB(lp=self.lp) user = pwd.getpwnam(unixname) + # setup ID mapping for this UID - idmap.setup_name_mapping(user_sid, idmap.TYPE_UID, user[2]) except KeyError: pass if force_password_change_at_next_login: - self.force_password_change_at_next_login(user_dn) + self.force_password_change_at_next_login("(dn=" + user_dn + ")") # modify the userAccountControl to remove the disabled bit - self.enable_account(user_dn) + self.enable_account("(dn=" + user_dn + ")") except: self.transaction_cancel() raise self.transaction_commit() def setpassword(self, filter, password, force_password_change_at_next_login=False): - """Set a password on a user record + """Sets the password for a user + Note: This call uses the "userPassword" attribute to set the password. + This works correctly on SAMBA 4 DCs and on Windows DCs with + "2003 Native" or higer domain function level. + :param filter: LDAP filter to find the user (eg samccountname=name) :param password: Password for the user + :param force_password_change_at_next_login: Force password change """ - # connect to the sam self.transaction_start() try: res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE, 
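Review bot: `newuser` now builds its filters as `"(dn=" + user_dn + ")"` by string concatenation, and `user_dn` contains the caller-supplied `username` unescaped, so a name containing `(`, `)`, `*` or `\` changes the filter that the subtree searches in `enable_account` and `force_password_change_at_next_login` evaluate. The DN is already known at this point, so a base-scope lookup on `user_dn` (for instance through a private helper that takes the DN) would be exact and would need no filter at all. If the filter form is kept, the value has to be escaped as a filter assertion value before it is concatenated; which helper the ldb bindings offer for that is not visible in this diff. It is also worth confirming that `dn` is accepted as a filter attribute by every backend this class talks to, since a server reached over LDAP would typically expect `distinguishedName`. newuser begins before this hunk and setpassword continues after it.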
@@ -174,24 +187,27 @@ userPassword:: %s self.force_password_change_at_next_login(user_dn) # modify the userAccountControl to remove the disabled bit - self.enable_account(user_dn) + self.enable_account(filter) except: self.transaction_cancel() raise self.transaction_commit() - def setexpiry(self, user, expiry_seconds, noexpiry): - """Set the account expiry for a user + def setexpiry(self, filter, expiry_seconds, noexpiry=False): + """Sets the account expiry for a user + :param filter: LDAP filter to find the user (eg samccountname=name) :param expiry_seconds: expiry time from now in seconds :param noexpiry: if set, then don't expire password """ self.transaction_start() try: res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE, - expression=("(samAccountName=%s)" % user), + expression=filter, attrs=["userAccountControl", "accountExpires"]) assert len(res) == 1 + user_dn = res[0].dn + userAccountControl = int(res[0]["userAccountControl"][0]) accountExpires = int(res[0]["accountExpires"][0]) if noexpiry: @@ -201,16 +217,16 @@ userPassword:: %s userAccountControl = userAccountControl & ~0x10000 accountExpires = glue.unix2nttime(expiry_seconds + int(time.time())) - mod = """ + setexp = """ dn: %s changetype: modify replace: userAccountControl userAccountControl: %u replace: accountExpires accountExpires: %u -""" % (res[0].dn, userAccountControl, accountExpires) - # now change the database - self.modify_ldif(mod) +""" % (user_dn, userAccountControl, accountExpires) + + self.modify_ldif(setexp) except: self.transaction_cancel() raise -- cgit
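Review bot: `setpassword` still calls `self.force_password_change_at_next_login(user_dn)` on the unchanged line just above the edited `enable_account` call, but after this commit that method takes an LDAP filter and passes its argument as `expression=` to a subtree search. A bare DN string is not a filter, so the forced-password-change path of setpassword would no longer find the account. The call should be converted together with its neighbour: `self.force_password_change_at_next_login(filter)`. setpassword starts before this hunk.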