From b0360e3a8617c59661d0b0fd805666e6cefcd811 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 17 Dec 2007 08:20:20 +0100 Subject: r26496: Move some provision functions to a new SamDB class, support setting session_info on a ldb context from python. (This used to be commit 75cfb0d609687538048a7d72a499a5205af46a34) --- source4/scripting/python/misc.i | 2 - source4/scripting/python/misc.py | 1 + source4/scripting/python/misc_wrap.c | 96 ++++++++---- source4/scripting/python/samba/__init__.py | 104 +++++++++---- source4/scripting/python/samba/provision.py | 230 +++++++--------------------- source4/scripting/python/samba/samdb.py | 117 ++++++++++++++ 6 files changed, 316 insertions(+), 234 deletions(-) create mode 100644 source4/scripting/python/samba/samdb.py (limited to 'source4/scripting') diff --git a/source4/scripting/python/misc.i b/source4/scripting/python/misc.i index b2a7ad8ee8..0a94fcdc29 100644 --- a/source4/scripting/python/misc.i +++ b/source4/scripting/python/misc.i @@ -40,12 +40,10 @@ void ldb_set_credentials(struct ldb_context *ldb, struct cli_credentials *creds) ldb_set_opaque(ldb, "credentials", creds); } -#if 0 /* Fails to link.. */ void ldb_set_session_info(struct ldb_context *ldb, struct auth_session_info *session_info) { ldb_set_opaque(ldb, "sessionInfo", session_info); } -#endif void ldb_set_loadparm(struct ldb_context *ldb, struct loadparm_context *lp_ctx) { diff --git a/source4/scripting/python/misc.py b/source4/scripting/python/misc.py index 8a8ff80107..7628dbcb15 100644 --- a/source4/scripting/python/misc.py +++ b/source4/scripting/python/misc.py @@ -62,6 +62,7 @@ import credentials import param random_password = _misc.random_password ldb_set_credentials = _misc.ldb_set_credentials +ldb_set_session_info = _misc.ldb_set_session_info ldb_set_loadparm = _misc.ldb_set_loadparm diff --git a/source4/scripting/python/misc_wrap.c b/source4/scripting/python/misc_wrap.c index af0f32fcb2..f5e23d0407 100644 --- a/source4/scripting/python/misc_wrap.c +++ b/source4/scripting/python/misc_wrap.c @@ -2460,29 +2460,30 @@ SWIG_Python_MustGetPtr(PyObject *obj, swig_type_info *ty, int argnum, int flags) /* -------- TYPES TABLE (BEGIN) -------- */ #define SWIGTYPE_p_TALLOC_CTX swig_types[0] -#define SWIGTYPE_p_char swig_types[1] -#define SWIGTYPE_p_cli_credentials swig_types[2] -#define SWIGTYPE_p_int swig_types[3] -#define SWIGTYPE_p_ldb_context swig_types[4] -#define SWIGTYPE_p_ldb_dn swig_types[5] -#define SWIGTYPE_p_ldb_ldif swig_types[6] -#define SWIGTYPE_p_ldb_message swig_types[7] -#define SWIGTYPE_p_ldb_message_element swig_types[8] -#define SWIGTYPE_p_ldb_result swig_types[9] -#define SWIGTYPE_p_loadparm_context swig_types[10] -#define SWIGTYPE_p_loadparm_service swig_types[11] -#define SWIGTYPE_p_long_long swig_types[12] -#define SWIGTYPE_p_param_context swig_types[13] -#define SWIGTYPE_p_param_section swig_types[14] -#define SWIGTYPE_p_short swig_types[15] -#define SWIGTYPE_p_signed_char swig_types[16] -#define SWIGTYPE_p_unsigned_char swig_types[17] -#define SWIGTYPE_p_unsigned_int swig_types[18] -#define SWIGTYPE_p_unsigned_long swig_types[19] -#define SWIGTYPE_p_unsigned_long_long swig_types[20] -#define SWIGTYPE_p_unsigned_short swig_types[21] -static swig_type_info *swig_types[23]; -static swig_module_info swig_module = {swig_types, 22, 0, 0, 0, 0}; +#define SWIGTYPE_p_auth_session_info swig_types[1] +#define SWIGTYPE_p_char swig_types[2] +#define SWIGTYPE_p_cli_credentials swig_types[3] +#define SWIGTYPE_p_int swig_types[4] +#define SWIGTYPE_p_ldb_context swig_types[5] +#define SWIGTYPE_p_ldb_dn swig_types[6] +#define SWIGTYPE_p_ldb_ldif swig_types[7] +#define SWIGTYPE_p_ldb_message swig_types[8] +#define SWIGTYPE_p_ldb_message_element swig_types[9] +#define SWIGTYPE_p_ldb_result swig_types[10] +#define SWIGTYPE_p_loadparm_context swig_types[11] +#define SWIGTYPE_p_loadparm_service swig_types[12] +#define SWIGTYPE_p_long_long swig_types[13] +#define SWIGTYPE_p_param_context swig_types[14] +#define SWIGTYPE_p_param_section swig_types[15] +#define SWIGTYPE_p_short swig_types[16] +#define SWIGTYPE_p_signed_char swig_types[17] +#define SWIGTYPE_p_unsigned_char swig_types[18] +#define SWIGTYPE_p_unsigned_int swig_types[19] +#define SWIGTYPE_p_unsigned_long swig_types[20] +#define SWIGTYPE_p_unsigned_long_long swig_types[21] +#define SWIGTYPE_p_unsigned_short swig_types[22] +static swig_type_info *swig_types[24]; +static swig_module_info swig_module = {swig_types, 23, 0, 0, 0, 0}; #define SWIG_TypeQuery(name) SWIG_TypeQueryModule(&swig_module, &swig_module, name) #define SWIG_MangledTypeQuery(name) SWIG_MangledTypeQueryModule(&swig_module, &swig_module, name) @@ -2703,12 +2704,10 @@ void ldb_set_credentials(struct ldb_context *ldb, struct cli_credentials *creds) ldb_set_opaque(ldb, "credentials", creds); } -#if 0 /* Fails to link.. */ void ldb_set_session_info(struct ldb_context *ldb, struct auth_session_info *session_info) { ldb_set_opaque(ldb, "sessionInfo", session_info); } -#endif void ldb_set_loadparm(struct ldb_context *ldb, struct loadparm_context *lp_ctx) { @@ -2758,7 +2757,7 @@ SWIGINTERN PyObject *_wrap_ldb_set_credentials(PyObject *SWIGUNUSEDPARM(self), P PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; char * kwnames[] = { - (char *) "Ldb",(char *) "creds", NULL + (char *) "ldb",(char *) "creds", NULL }; { @@ -2790,6 +2789,44 @@ fail: } +SWIGINTERN PyObject *_wrap_ldb_set_session_info(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) { + PyObject *resultobj = 0; + struct ldb_context *arg1 = (struct ldb_context *) 0 ; + struct auth_session_info *arg2 = (struct auth_session_info *) 0 ; + void *argp1 = 0 ; + int res1 = 0 ; + void *argp2 = 0 ; + int res2 = 0 ; + PyObject * obj0 = 0 ; + PyObject * obj1 = 0 ; + char * kwnames[] = { + (char *) "ldb",(char *) "session_info", NULL + }; + + if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"OO:ldb_set_session_info",kwnames,&obj0,&obj1)) SWIG_fail; + res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_ldb_context, 0 | 0 ); + if (!SWIG_IsOK(res1)) { + SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "ldb_set_session_info" "', argument " "1"" of type '" "struct ldb_context *""'"); + } + arg1 = (struct ldb_context *)(argp1); + res2 = SWIG_ConvertPtr(obj1, &argp2,SWIGTYPE_p_auth_session_info, 0 | 0 ); + if (!SWIG_IsOK(res2)) { + SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "ldb_set_session_info" "', argument " "2"" of type '" "struct auth_session_info *""'"); + } + arg2 = (struct auth_session_info *)(argp2); + { + if (arg1 == NULL) + SWIG_exception(SWIG_ValueError, + "ldb context must be non-NULL"); + } + ldb_set_session_info(arg1,arg2); + resultobj = SWIG_Py_Void(); + return resultobj; +fail: + return NULL; +} + + SWIGINTERN PyObject *_wrap_ldb_set_loadparm(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) { PyObject *resultobj = 0; struct ldb_context *arg1 = (struct ldb_context *) 0 ; @@ -2801,7 +2838,7 @@ SWIGINTERN PyObject *_wrap_ldb_set_loadparm(PyObject *SWIGUNUSEDPARM(self), PyOb PyObject * obj0 = 0 ; PyObject * obj1 = 0 ; char * kwnames[] = { - (char *) "Ldb",(char *) "lp_ctx", NULL + (char *) "ldb",(char *) "lp_ctx", NULL }; { @@ -2836,6 +2873,7 @@ fail: static PyMethodDef SwigMethods[] = { { (char *)"random_password", (PyCFunction) _wrap_random_password, METH_VARARGS | METH_KEYWORDS, NULL}, { (char *)"ldb_set_credentials", (PyCFunction) _wrap_ldb_set_credentials, METH_VARARGS | METH_KEYWORDS, NULL}, + { (char *)"ldb_set_session_info", (PyCFunction) _wrap_ldb_set_session_info, METH_VARARGS | METH_KEYWORDS, NULL}, { (char *)"ldb_set_loadparm", (PyCFunction) _wrap_ldb_set_loadparm, METH_VARARGS | METH_KEYWORDS, NULL}, { NULL, NULL, 0, NULL } }; @@ -2844,6 +2882,7 @@ static PyMethodDef SwigMethods[] = { /* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */ static swig_type_info _swigt__p_TALLOC_CTX = {"_p_TALLOC_CTX", "TALLOC_CTX *", 0, 0, (void*)0, 0}; +static swig_type_info _swigt__p_auth_session_info = {"_p_auth_session_info", "struct auth_session_info *", 0, 0, (void*)0, 0}; static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0}; static swig_type_info _swigt__p_cli_credentials = {"_p_cli_credentials", "struct cli_credentials *|cli_credentials *", 0, 0, (void*)0, 0}; static swig_type_info _swigt__p_int = {"_p_int", "intptr_t *|int *|int_least32_t *|int_fast32_t *|int32_t *|int_fast16_t *", 0, 0, (void*)0, 0}; @@ -2868,6 +2907,7 @@ static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "unsigned static swig_type_info *swig_type_initial[] = { &_swigt__p_TALLOC_CTX, + &_swigt__p_auth_session_info, &_swigt__p_char, &_swigt__p_cli_credentials, &_swigt__p_int, @@ -2892,6 +2932,7 @@ static swig_type_info *swig_type_initial[] = { }; static swig_cast_info _swigc__p_TALLOC_CTX[] = { {&_swigt__p_TALLOC_CTX, 0, 0, 0},{0, 0, 0, 0}}; +static swig_cast_info _swigc__p_auth_session_info[] = { {&_swigt__p_auth_session_info, 0, 0, 0},{0, 0, 0, 0}}; static swig_cast_info _swigc__p_char[] = { {&_swigt__p_char, 0, 0, 0},{0, 0, 0, 0}}; static swig_cast_info _swigc__p_cli_credentials[] = { {&_swigt__p_cli_credentials, 0, 0, 0},{0, 0, 0, 0}}; static swig_cast_info _swigc__p_int[] = { {&_swigt__p_int, 0, 0, 0},{0, 0, 0, 0}}; @@ -2916,6 +2957,7 @@ static swig_cast_info _swigc__p_unsigned_short[] = { {&_swigt__p_unsigned_short static swig_cast_info *swig_cast_initial[] = { _swigc__p_TALLOC_CTX, + _swigc__p_auth_session_info, _swigc__p_char, _swigc__p_cli_credentials, _swigc__p_int, diff --git a/source4/scripting/python/samba/__init__.py b/source4/scripting/python/samba/__init__.py index 08a262eec8..56adce4473 100644 --- a/source4/scripting/python/samba/__init__.py +++ b/source4/scripting/python/samba/__init__.py @@ -35,40 +35,78 @@ if _in_source_tree(): import misc import ldb -ldb.ldb.set_credentials = misc.ldb_set_credentials -#FIXME: ldb.ldb.set_session_info = misc.ldb_set_session_info -ldb.ldb.set_loadparm = misc.ldb_set_loadparm - -def Ldb(url, session_info=None, credentials=None, modules_dir=None, lp=None): - """Open a Samba Ldb file. - - :param url: LDB Url to open - :param session_info: Optional session information - :param credentials: Optional credentials, defaults to anonymous. - :param modules_dir: Modules directory, automatically set if not specified. - :param lp: Loadparm object, optional. - - This is different from a regular Ldb file in that the Samba-specific - modules-dir is used by default and that credentials and session_info - can be passed through (required by some modules). +ldb.Ldb.set_credentials = misc.ldb_set_credentials +ldb.Ldb.set_session_info = misc.ldb_set_session_info +ldb.Ldb.set_loadparm = misc.ldb_set_loadparm + +class Ldb(ldb.Ldb): + """Simple Samba-specific LDB subclass that takes care + of setting up the modules dir, credentials pointers, etc. + + Please note that this is intended to be for all Samba LDB files, + not necessarily the Sam database. For Sam-specific helper + functions see samdb.py. """ - import ldb - ret = ldb.Ldb() - if modules_dir is None: - modules_dir = default_ldb_modules_dir - if modules_dir is not None: - ret.set_modules_dir(modules_dir) - def samba_debug(level,text): - print "%d %s" % (level, text) - if credentials is not None: - ldb.set_credentials(credentials) - if session_info is not None: - ldb.set_session_info(session_info) - if lp is not None: - ldb.set_loadparm(lp) - #ret.set_debug(samba_debug) - ret.connect(url) - return ret + def __init__(url, session_info=None, credentials=None, modules_dir=None, + lp=None): + """Open a Samba Ldb file. + + :param url: LDB Url to open + :param session_info: Optional session information + :param credentials: Optional credentials, defaults to anonymous. + :param modules_dir: Modules directory, automatically set if not specified. + :param lp: Loadparm object, optional. + + This is different from a regular Ldb file in that the Samba-specific + modules-dir is used by default and that credentials and session_info + can be passed through (required by some modules). + """ + super(self, Ldb).__init__() + import ldb + ret = ldb.Ldb() + if modules_dir is None: + modules_dir = default_ldb_modules_dir + if modules_dir is not None: + ret.set_modules_dir(modules_dir) + def samba_debug(level,text): + print "%d %s" % (level, text) + if credentials is not None: + ldb.set_credentials(credentials) + if session_info is not None: + ldb.set_session_info(session_info) + if lp is not None: + ldb.set_loadparm(lp) + #ret.set_debug(samba_debug) + ret.connect(url) + return ret + + def searchone(self, basedn, expression, attribute): + """Search for one attribute as a string.""" + res = self.search(basedn, SCOPE_SUBTREE, expression, [attribute]) + if len(res) != 1 or res[0][attribute] is None: + return None + return res[0][attribute] + + def erase(self): + """Erase an ldb, removing all records.""" + # delete the specials + for attr in ["@INDEXLIST", "@ATTRIBUTES", "@SUBCLASSES", "@MODULES", + "@OPTIONS", "@PARTITION", "@KLUDGEACL"]: + try: + self.delete(Dn(self, attr)) + except LdbError, (LDB_ERR_NO_SUCH_OBJECT, _): + # Ignore missing dn errors + pass + + basedn = Dn(self, "") + # and the rest + for msg in self.search(basedn, SCOPE_SUBTREE, + "(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", + ["dn"]): + self.delete(msg.dn) + + res = self.search(basedn, SCOPE_SUBTREE, "(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", ["dn"]) + assert len(res) == 0 def substitute_var(text, values): diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index ce496a8bc1..63e50897fe 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -15,6 +15,7 @@ from socket import gethostname, gethostbyname import param import registry from samba import Ldb, substitute_var, valid_netbios_name +from samba.samdb import SamDB from ldb import Dn, SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError, \ LDB_ERR_NO_SUCH_OBJECT, timestring @@ -164,32 +165,6 @@ def findnss(nssfn, *names): pass raise Exception("Unable to find user/group for %s" % arguments[1]) -def add_foreign(ldb, subobj, sid, desc): - """Add a foreign security principle.""" - add = """ -dn: CN=%s,CN=ForeignSecurityPrincipals,%s -objectClass: top -objectClass: foreignSecurityPrincipal -description: %s -""" % (sid, subobj.domaindn, desc) - # deliberately ignore errors from this, as the records may - # already exist - for msg in ldb.parse_ldif(add): - ldb.add(msg[1]) - -def setup_name_mapping(subobj, ldb, sid, unixname): - """Setup a mapping between a sam name and a unix name.""" - res = ldb.search(Dn(ldb, subobj.domaindn), SCOPE_SUBTREE, - "objectSid=%s" % sid, ["dn"]) - assert len(res) == 1, "Failed to find record for objectSid %s" % sid - - mod = """ -dn: %s -changetype: modify -replace: unixName -unixName: %s -""" % (res[0].dn, unixname) - ldb.modify(ldb.parse_ldif(mod).next()[1]) def hostip(): @@ -214,57 +189,6 @@ def ldb_delete(ldb): ldb.connect(ldb.filename) -def ldb_erase(ldb): - """Erase an ldb, removing all records.""" - # delete the specials - for attr in ["@INDEXLIST", "@ATTRIBUTES", "@SUBCLASSES", "@MODULES", - "@OPTIONS", "@PARTITION", "@KLUDGEACL"]: - try: - ldb.delete(Dn(ldb, attr)) - except LdbError, (LDB_ERR_NO_SUCH_OBJECT, _): - # Ignore missing dn errors - pass - - basedn = Dn(ldb, "") - # and the rest - for msg in ldb.search(basedn, SCOPE_SUBTREE, - "(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", - ["dn"]): - ldb.delete(msg.dn) - - res = ldb.search(basedn, SCOPE_SUBTREE, "(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", ["dn"]) - assert len(res) == 0 - - -def ldb_erase_partitions(subobj, message, ldb, ldapbackend): - """Erase an ldb, removing all records.""" - assert ldb is not None - res = ldb.search(Dn(ldb, ""), SCOPE_BASE, "(objectClass=*)", - ["namingContexts"]) - assert len(res) == 1 - if not "namingContexts" in res[0]: - return - for basedn in res[0]["namingContexts"]: - anything = "(|(objectclass=*)(dn=*))" - previous_remaining = 1 - current_remaining = 0 - - if ldapbackend and (basedn == subobj.domaindn): - # Only delete objects that were created by provision - anything = "(objectcategory=*)" - - k = 0 - while ++k < 10 and (previous_remaining != current_remaining): - # and the rest - res2 = ldb.search(Dn(ldb, basedn), SCOPE_SUBTREE, anything, ["dn"]) - previous_remaining = current_remaining - current_remaining = len(res2) - for msg in res2: - try: - ldb.delete(msg.dn) - except LdbError, (_, text): - message("Unable to delete %s: %s" % (msg.dn, text)) - def open_ldb(session_info, credentials, dbname): assert session_info is not None @@ -374,30 +298,30 @@ def setup_name_mappings(subobj, ldb): sid = list(res[0]["objectSid"])[0] # add some foreign sids if they are not present already - add_foreign(ldb, subobj, "S-1-5-7", "Anonymous") - add_foreign(ldb, subobj, "S-1-1-0", "World") - add_foreign(ldb, subobj, "S-1-5-2", "Network") - add_foreign(ldb, subobj, "S-1-5-18", "System") - add_foreign(ldb, subobj, "S-1-5-11", "Authenticated Users") + ldb.add_foreign(subobj.domaindn, "S-1-5-7", "Anonymous") + ldb.add_foreign(subobj.domaindn, "S-1-1-0", "World") + ldb.add_foreign(subobj.domaindn, "S-1-5-2", "Network") + ldb.add_foreign(subobj.domaindn, "S-1-5-18", "System") + ldb.add_foreign(subobj.domaindn, "S-1-5-11", "Authenticated Users") # some well known sids - setup_name_mapping(subobj, ldb, "S-1-5-7", subobj.nobody) - setup_name_mapping(subobj, ldb, "S-1-1-0", subobj.nogroup) - setup_name_mapping(subobj, ldb, "S-1-5-2", subobj.nogroup) - setup_name_mapping(subobj, ldb, "S-1-5-18", subobj.root) - setup_name_mapping(subobj, ldb, "S-1-5-11", subobj.users) - setup_name_mapping(subobj, ldb, "S-1-5-32-544", subobj.wheel) - setup_name_mapping(subobj, ldb, "S-1-5-32-545", subobj.users) - setup_name_mapping(subobj, ldb, "S-1-5-32-546", subobj.nogroup) - setup_name_mapping(subobj, ldb, "S-1-5-32-551", subobj.backup) + ldb.setup_name_mapping(subobj.domaindn, "S-1-5-7", subobj.nobody) + ldb.setup_name_mapping(subobj.domaindn, "S-1-1-0", subobj.nogroup) + ldb.setup_name_mapping(subobj.domaindn, "S-1-5-2", subobj.nogroup) + ldb.setup_name_mapping(subobj.domaindn, "S-1-5-18", subobj.root) + ldb.setup_name_mapping(subobj.domaindn, "S-1-5-11", subobj.users) + ldb.setup_name_mapping(subobj.domaindn, "S-1-5-32-544", subobj.wheel) + ldb.setup_name_mapping(subobj.domaindn, "S-1-5-32-545", subobj.users) + ldb.setup_name_mapping(subobj.domaindn, "S-1-5-32-546", subobj.nogroup) + ldb.setup_name_mapping(subobj.domaindn, "S-1-5-32-551", subobj.backup) # and some well known domain rids - setup_name_mapping(subobj, ldb, sid + "-500", subobj.root) - setup_name_mapping(subobj, ldb, sid + "-518", subobj.wheel) - setup_name_mapping(subobj, ldb, sid + "-519", subobj.wheel) - setup_name_mapping(subobj, ldb, sid + "-512", subobj.wheel) - setup_name_mapping(subobj, ldb, sid + "-513", subobj.users) - setup_name_mapping(subobj, ldb, sid + "-520", subobj.wheel) + ldb.setup_name_mapping(subobj.domaindn, sid + "-500", subobj.root) + ldb.setup_name_mapping(subobj.domaindn, sid + "-518", subobj.wheel) + ldb.setup_name_mapping(subobj.domaindn, sid + "-519", subobj.wheel) + ldb.setup_name_mapping(subobj.domaindn, sid + "-512", subobj.wheel) + ldb.setup_name_mapping(subobj.domaindn, sid + "-513", subobj.users) + ldb.setup_name_mapping(subobj.domaindn, sid + "-520", subobj.wheel) def provision_become_dc(setup_dir, subobj, message, paths, session_info, @@ -414,7 +338,8 @@ def provision_become_dc(setup_dir, subobj, message, paths, session_info, setup_ldb(setup_dir, "provision_partitions.ldif", session_info, credentials, subobj, paths.samdb) - samdb = open_ldb(session_info, credentials, paths.samdb) + samdb = SamDB(paths.samdb, session_info=session_info, + credentials=credentials) ldb.transaction_start() try: message("Setting up %s attributes" % paths.samdb) @@ -424,7 +349,7 @@ def provision_become_dc(setup_dir, subobj, message, paths, session_info, setup_add_ldif(setup_dir, "provision_rootdse_add.ldif", subobj, samdb) message("Erasing data from partitions") - ldb_erase_partitions(subobj, message, samdb, undefined) + ldb_erase_partitions(subobj, message, samdb, None) message("Setting up %s indexes" % paths.samdb) setup_add_ldif(setup_dir, "provision_index.ldif", subobj, samdb) @@ -603,7 +528,7 @@ def provision_dns(setup_dir, subobj, message, paths, session_info, credentials): """Write out a DNS zone file, from the info in the current database.""" message("Setting up DNS zone: %s" % subobj.dnsdomain) # connect to the sam - ldb = Ldb(paths.samdb, session_info=session_info, credentials=credentials) + ldb = SamDB(paths.samdb, session_info=session_info, credentials=credentials) # These values may have changed, due to an incoming SamSync, # or may not have been specified, so fetch them from the database @@ -614,7 +539,7 @@ def provision_dns(setup_dir, subobj, message, paths, session_info, credentials): assert(res[0]["objectGUID"] is not None) subobj.domainguid = res[0]["objectGUID"] - subobj.host_guid = searchone(ldb, subobj.domaindn, + subobj.host_guid = ldb.searchone(subobj.domaindn, "(&(objectClass=computer)(cn=%s))" % subobj.netbiosname, "objectGUID") assert subobj.host_guid is not None @@ -716,13 +641,6 @@ def provision_guess(lp): return subobj -def searchone(ldb, basedn, expression, attribute): - """search for one attribute as a string.""" - res = ldb.search(basedn, SCOPE_SUBTREE, expression, [attribute]) - if len(res) != 1 or res[0][attribute] is None: - return None - return res[0][attribute] - def load_schema(setup_dir, subobj, samdb): """Load schema.""" @@ -745,70 +663,6 @@ def load_schema(setup_dir, subobj, samdb): samdb.attach_dsdb_schema_from_ldif(head_data, schema_data) -def enable_account(ldb, user_dn): - """enable the account.""" - res = ldb.search(user_dn, SCOPE_ONELEVEL, None, ["userAccountControl"]) - assert len(res) == 1 - userAccountControl = res[0].userAccountControl - userAccountControl = userAccountControl - 2 # remove disabled bit - mod = """ -dn: %s -changetype: modify -replace: userAccountControl -userAccountControl: %u -""" % (user_dn, userAccountControl) - ldb.modify(mod) - - -def newuser(sam, username, unixname, password, message, session_info, - credentials): - """add a new user record""" - # connect to the sam - ldb.transaction_start() - - # find the DNs for the domain and the domain users group - res = ldb.search("", SCOPE_BASE, "defaultNamingContext=*", - ["defaultNamingContext"]) - assert(len(res) == 1 and res[0].defaultNamingContext is not None) - domain_dn = res[0].defaultNamingContext - assert(domain_dn is not None) - dom_users = searchone(ldb, domain_dn, "name=Domain Users", "dn") - assert(dom_users is not None) - - user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn) - - # - # the new user record. note the reliance on the samdb module to fill - # in a sid, guid etc - # - ldif = """ -dn: %s -sAMAccountName: %s -unixName: %s -sambaPassword: %s -objectClass: user -""" % (user_dn, username, unixname, password) - # add the user to the users group as well - modgroup = """ -dn: %s -changetype: modify -add: member -member: %s -""" % (dom_users, user_dn) - - - # now the real work - message("Adding user %s" % user_dn) - ldb.add(ldif) - - message("Modifying group %s" % dom_users) - ldb.modify(modgroup) - - # modify the userAccountControl to remove the disabled bit - enable_account(ldb, user_dn) - ldb.transaction_commit() - - def join_domain(domain, netbios_name, join_type, creds, message): ctx = NetContext(creds) joindom = object() @@ -835,3 +689,35 @@ def vampire(domain, session_info, credentials, message): vampire_ctx.session_info = session_info if not ctx.SamSyncLdb(vampire_ctx): raise Exception("Migration of remote domain to Samba failed: %s " % vampire_ctx.error_string) + + +def ldb_erase_partitions(subobj, message, ldb, ldapbackend): + """Erase an ldb, removing all records.""" + assert ldb is not None + res = ldb.search(Dn(ldb, ""), SCOPE_BASE, "(objectClass=*)", + ["namingContexts"]) + assert len(res) == 1 + if not "namingContexts" in res[0]: + return + for basedn in res[0]["namingContexts"]: + anything = "(|(objectclass=*)(dn=*))" + previous_remaining = 1 + current_remaining = 0 + + if ldapbackend and (basedn == subobj.domaindn): + # Only delete objects that were created by provision + anything = "(objectcategory=*)" + + k = 0 + while ++k < 10 and (previous_remaining != current_remaining): + # and the rest + res2 = ldb.search(Dn(ldb, basedn), SCOPE_SUBTREE, anything, ["dn"]) + previous_remaining = current_remaining + current_remaining = len(res2) + for msg in res2: + try: + ldb.delete(msg.dn) + except LdbError, (_, text): + message("Unable to delete %s: %s" % (msg.dn, text)) + + diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py new file mode 100644 index 0000000000..50164bf590 --- /dev/null +++ b/source4/scripting/python/samba/samdb.py @@ -0,0 +1,117 @@ +#!/usr/bin/python + +# Unix SMB/CIFS implementation. +# Copyright (C) Jelmer Vernooij 2007 +# +# Based on the original in EJS: +# Copyright (C) Andrew Tridgell 2005 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import samba + +class SamDB(samba.Ldb): + def add_foreign(self, domaindn, sid, desc): + """Add a foreign security principle.""" + add = """ +dn: CN=%s,CN=ForeignSecurityPrincipals,%s +objectClass: top +objectClass: foreignSecurityPrincipal +description: %s + """ % (sid, domaindn, desc) + # deliberately ignore errors from this, as the records may + # already exist + for msg in self.parse_ldif(add): + self.add(msg[1]) + + def setup_name_mapping(self, domaindn, sid, unixname): + """Setup a mapping between a sam name and a unix name.""" + res = self.search(Dn(ldb, domaindn), SCOPE_SUBTREE, + "objectSid=%s" % sid, ["dn"]) + assert len(res) == 1, "Failed to find record for objectSid %s" % sid + + mod = """ +dn: %s +changetype: modify +replace: unixName +unixName: %s +""" % (res[0].dn, unixname) + self.modify(self.parse_ldif(mod).next()[1]) + + def enable_account(self, user_dn): + """enable the account. + + :param user_dn: Dn of the account to enable. + """ + res = self.search(user_dn, SCOPE_ONELEVEL, None, ["userAccountControl"]) + assert len(res) == 1 + userAccountControl = res[0].userAccountControl + userAccountControl = userAccountControl - 2 # remove disabled bit + mod = """ +dn: %s +changetype: modify +replace: userAccountControl +userAccountControl: %u +""" % (user_dn, userAccountControl) + self.modify(mod) + + def newuser(self, username, unixname, password, message): + """add a new user record""" + # connect to the sam + self.transaction_start() + + # find the DNs for the domain and the domain users group + res = self.search("", SCOPE_BASE, "defaultNamingContext=*", + ["defaultNamingContext"]) + assert(len(res) == 1 and res[0].defaultNamingContext is not None) + domain_dn = res[0].defaultNamingContext + assert(domain_dn is not None) + dom_users = searchone(self, domain_dn, "name=Domain Users", "dn") + assert(dom_users is not None) + + user_dn = "CN=%s,CN=Users,%s" % (username, domain_dn) + + # + # the new user record. note the reliance on the samdb module to fill + # in a sid, guid etc + # + ldif = """ +dn: %s +sAMAccountName: %s +unixName: %s +sambaPassword: %s +objectClass: user + """ % (user_dn, username, unixname, password) + # add the user to the users group as well + modgroup = """ +dn: %s +changetype: modify +add: member +member: %s +""" % (dom_users, user_dn) + + + # now the real work + message("Adding user %s" % user_dn) + self.add(ldif) + + message("Modifying group %s" % dom_users) + self.modify(modgroup) + + # modify the userAccountControl to remove the disabled bit + enable_account(self, user_dn) + self.transaction_commit() + + -- cgit