2 backend code for provisioning a Samba4 server
3 Copyright Andrew Tridgell 2005
4 Released under the GNU GPL v2 or later
7 /* used to generate sequence numbers for records */
8 provision_next_usn = 1;
13 find a user or group from a list of possibilities
18 assert(arguments.length >= 2);
19 var nssfn = arguments[0];
20 for (i=1;i<arguments.length;i++) {
21 if (nssfn(arguments[i]) != undefined) {
25 printf("Unable to find user/group for %s\n", arguments[1]);
26 assert(i<arguments.length);
30 add a foreign security principle
32 function add_foreign(str, sid, desc, unixname)
35 dn: CN=${SID},CN=ForeignSecurityPrincipals,${BASEDN}
37 objectClass: foreignSecurityPrincipal
41 whenCreated: ${LDAPTIME}
42 whenChanged: ${LDAPTIME}
45 showInAdvancedViewOnly: TRUE
47 objectGUID: ${NEWGUID}
49 objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,${BASEDN}
52 var sub = new Object();
55 sub.UNIXNAME = unixname;
56 return str + substitute_var(add, sub);
60 return current time as a nt time string
64 return "" + sys.nttime();
68 return current time as a ldap time string
72 return sys.ldaptime(sys.nttime());
76 return a date string suitable for a dns zone serial number
80 var t = sys.gmtime(sys.nttime());
81 return sprintf("%04u%02u%02u%02u",
82 t.tm_year+1900, t.tm_mon+1, t.tm_mday, t.tm_hour);
90 var list = sys.interfaces();
95 return current time as a ldap time string
99 provision_next_usn = provision_next_usn+1;
100 return provision_next_usn;
104 return first part of hostname
108 var s = split(".", sys.hostname());
114 erase an ldb, removing all records
116 function ldb_erase(ldb)
118 var attrs = new Array("dn");
120 /* delete the specials */
121 ldb.del("@INDEXLIST");
122 ldb.del("@ATTRIBUTES");
123 ldb.del("@SUBCLASSES");
127 var res = ldb.search("(|(objectclass=*)(dn=*))", attrs);
129 for (i=0;i<res.length;i++) {
132 res = ldb.search("(objectclass=*)", attrs);
133 assert(res.length == 0);
138 setup a ldb in the private dir
140 function setup_ldb(ldif, dbname, subobj)
143 var ldb = ldb_init();
144 var lp = loadparm_init();
146 if (arguments.length == 4) {
147 extra = arguments[3];
151 var src = lp.get("setup directory") + "/" + ldif;
153 var data = sys.file_load(src);
155 data = substitute_var(data, subobj);
157 var ok = ldb.connect(dbfile);
167 setup a file in the private dir
169 function setup_file(template, fname, subobj)
171 var lp = loadparm_init();
172 var f = lp.get("private dir") + "/" + fname;
173 var src = lp.get("setup directory") + "/" + template;
177 var data = sys.file_load(src);
178 data = substitute_var(data, subobj);
180 ok = sys.file_save(f, data);
185 provision samba4 - caution, this wipes all existing data!
187 function provision(subobj, message)
192 some options need to be upper/lower case
194 subobj.REALM = strlower(subobj.REALM);
195 subobj.HOSTNAME = strlower(subobj.HOSTNAME);
196 subobj.DOMAIN = strupper(subobj.DOMAIN);
197 subobj.NETBIOSNAME = strupper(subobj.HOSTNAME);
199 data = add_foreign(data, "S-1-5-7", "Anonymous", "${NOBODY}");
200 data = add_foreign(data, "S-1-1-0", "World", "${NOGROUP}");
201 data = add_foreign(data, "S-1-5-2", "Network", "${NOGROUP}");
202 data = add_foreign(data, "S-1-5-18", "System", "${ROOT}");
203 data = add_foreign(data, "S-1-5-11", "Authenticated Users", "${USERS}");
205 provision_next_usn = 1;
207 message("Setting up hklm.ldb\n");
208 setup_ldb("hklm.ldif", "hklm.ldb", subobj);
209 message("Setting up sam.ldb\n");
210 setup_ldb("provision.ldif", "sam.ldb", subobj, data);
211 message("Setting up rootdse.ldb\n");
212 setup_ldb("rootdse.ldif", "rootdse.ldb", subobj);
213 message("Setting up secrets.ldb\n");
214 setup_ldb("secrets.ldif", "secrets.ldb", subobj);
215 message("Setting up DNS zone file\n");
216 setup_file("provision.zone", subobj.DNSDOMAIN + ".zone", subobj);
220 guess reasonably default options for provisioning
222 function provision_guess()
224 var subobj = new Object();
225 var nss = nss_init();
226 var lp = loadparm_init();
228 subobj.REALM = lp.get("realm");
229 subobj.DOMAIN = lp.get("workgroup");
230 subobj.HOSTNAME = hostname();
231 subobj.HOSTIP = hostip();
232 subobj.DOMAINGUID = randguid();
233 subobj.DOMAINSID = randsid();
234 subobj.HOSTGUID = randguid();
235 subobj.INVOCATIONID = randguid();
236 subobj.KRBTGTPASS = randpass(12);
237 subobj.MACHINEPASS = randpass(12);
238 subobj.ADMINPASS = randpass(12);
239 subobj.DEFAULTSITE = "Default-First-Site-Name";
240 subobj.NEWGUID = randguid;
241 subobj.NTTIME = nttime;
242 subobj.LDAPTIME = ldaptime;
243 subobj.DATESTRING = datestring;
244 subobj.USN = nextusn;
245 subobj.ROOT = findnss(nss.getpwnam, "root");
246 subobj.NOBODY = findnss(nss.getpwnam, "nobody");
247 subobj.NOGROUP = findnss(nss.getgrnam, "nogroup", "nobody");
248 subobj.WHEEL = findnss(nss.getgrnam, "wheel", "root");
249 subobj.USERS = findnss(nss.getgrnam, "users", "guest", "other");
250 subobj.DNSDOMAIN = strlower(subobj.REALM);
251 subobj.DNSNAME = sprintf("%s.%s",
252 strlower(subobj.HOSTNAME),
254 subobj.BASEDN = "DC=" + join(",DC=", split(".", subobj.REALM));
259 search for one attribute as a string
261 function searchone(ldb, expression, attribute)
263 var attrs = new Array(attribute);
264 res = ldb.search(expression, attrs);
265 if (res.length != 1 ||
266 res[0][attribute] == undefined) {
269 return res[0][attribute];
273 add a new user record
275 function newuser(username, unixname, password, message)
277 var lp = loadparm_init();
278 var samdb = lp.get("sam database");
279 var ldb = ldb_init();
281 /* connect to the sam */
282 var ok = ldb.connect(samdb);
285 /* find the DNs for the domain and the domain users group */
286 var domain_dn = searchone(ldb, "objectClass=domainDNS", "dn");
287 assert(domain_dn != undefined);
288 var dom_users = searchone(ldb, "name=Domain Users", "dn");
289 assert(dom_users != undefined);
291 var user_dn = sprintf("CN=%s,CN=Users,%s", username, domain_dn);
295 the new user record. note the reliance on the samdb module to fill
308 user_dn, username, username, dom_users,
309 unixname, randguid(), password);
311 add the user to the users group as well
313 var modgroup = sprintf("
325 message("Adding user %s\n", user_dn);
328 message("Failed to add %s - %s\n", user_dn, ldb.errstring());
332 message("Modifying group %s\n", dom_users);
333 ok = ldb.modify(modgroup);
335 message("Failed to modify %s - %s\n", dom_users, ldb.errstring());