"""Support code for upgrading from Samba 3 to Samba 4."""
-from provision import findnss
-import provision
+from provision import findnss, provision, FILL_DRS
import grp
+import ldb
import pwd
import uuid
+import registry
+from samba import Ldb
+from samba.samdb import SamDB
-def regkey_to_dn(name):
- """Convert a registry key to a DN.
-
- :name: The registry key name.
- :return: A matching DN."""
- dn = "hive=NONE"
-
- if name == "":
- return dn
-
- for el in name.split("/"):
- dn = "key=%s," % el + dn
-
- return dn
-
-# Where prefix is any of:
-# - HKLM
-# HKU
-# HKCR
-# HKPD
-# HKPT
-#
-
-def upgrade_registry(regdb,prefix,ldb):
- """Migrate registry contents."""
- assert regdb is not None
- prefix_up = prefix.upper()
- ldif = []
-
- for rk in regdb.keys:
- pts = rk.name.split("/")
-
- # Only handle selected hive
- if pts[0].upper() != prefix_up:
- continue
-
- keydn = regkey_to_dn(rk.name)
-
- pts = rk.name.split("/")
-
- # Convert key name to dn
- ldif[rk.name] = """
-dn: %s
-name: %s
-
-""" % (keydn, pts[0])
-
- for rv in rk.values:
- ldif[rk.name + " (" + rv.name + ")"] = """
-dn: %s,value=%s
-value: %s
-type: %d
-data:: %s""" % (keydn, rv.name, rv.name, rv.type, ldb.encode(rv.data))
-
- return ldif
-
-def upgrade_sam_policy(samba3,dn):
- ldif = """
+def import_sam_policy(samldb, samba3_policy, domaindn):
+ samldb.modify_ldif("""
dn: %s
changetype: modify
replace: minPwdLength
samba3BadLockoutMinutes: %d
samba3DisconnectTime: %d
-""" % (dn, samba3.policy.min_password_length,
- samba3.policy.password_history, samba3.policy.minimum_password_age,
- samba3.policy.maximum_password_age, samba3.policy.lockout_duration,
- samba3.policy.reset_count_minutes, samba3.policy.user_must_logon_to_change_password,
- samba3.policy.bad_lockout_minutes, samba3.policy.disconnect_time)
-
- return ldif
+""" % (dn, policy.min_password_length,
+ policy.password_history, policy.minimum_password_age,
+ policy.maximum_password_age, policy.lockout_duration,
+ policy.reset_count_minutes, policy.user_must_logon_to_change_password,
+ policy.bad_lockout_minutes, policy.disconnect_time))
-def upgrade_sam_account(ldb,acc,domaindn,domainsid):
- """Upgrade a SAM account."""
+
+def import_sam_account(samldb,acc,domaindn,domainsid):
+ """Import a Samba 3 SAM account.
+
+ :param samldb: Samba 4 SAM Database handle
+ :param acc: Samba 3 account
+ :param domaindn: Domain DN
+ :param domainsid: Domain SID."""
if acc.nt_username is None or acc.nt_username == "":
acc.nt_username = acc.username
if acc.fullname is None:
- acc.fullname = pwd.getpwnam(acc.fullname)[4]
-
- acc.fullname = acc.fullname.split(",")[0]
+ try:
+ acc.fullname = pwd.getpwnam(acc.username)[4].split(",")[0]
+ except KeyError:
+ pass
if acc.fullname is None:
acc.fullname = acc.username
assert acc.fullname is not None
assert acc.nt_username is not None
- ldif = """dn: cn=%s,%s
-objectClass: top
-objectClass: user
-lastLogon: %d
-lastLogoff: %d
-unixName: %s
-sAMAccountName: %s
-cn: %s
-description: %s
-primaryGroupID: %d
-badPwdcount: %d
-logonCount: %d
-samba3Domain: %s
-samba3DirDrive: %s
-samba3MungedDial: %s
-samba3Homedir: %s
-samba3LogonScript: %s
-samba3ProfilePath: %s
-samba3Workstations: %s
-samba3KickOffTime: %d
-samba3BadPwdTime: %d
-samba3PassLastSetTime: %d
-samba3PassCanChangeTime: %d
-samba3PassMustChangeTime: %d
-objectSid: %s-%d
-lmPwdHash:: %s
-ntPwdHash:: %s
-
-""" % (ldb.dn_escape(acc.fullname), domaindn, acc.logon_time, acc.logoff_time, acc.username, acc.nt_username, acc.nt_username,
-acc.acct_desc, acc.group_rid, acc.bad_password_count, acc.logon_count,
-acc.domain, acc.dir_drive, acc.munged_dial, acc.homedir, acc.logon_script,
-acc.profile_path, acc.workstations, acc.kickoff_time, acc.bad_password_time,
-acc.pass_last_set_time, acc.pass_can_change_time, acc.pass_must_change_time, domainsid, acc.user_rid,
- ldb.encode(acc.lm_pw), ldb.encode(acc.nt_pw))
-
- return ldif
-
-def upgrade_sam_group(group,domaindn):
- """Upgrade a SAM group."""
- if group.sid_name_use == 5: # Well-known group
+ samldb.add({
+ "dn": "cn=%s,%s" % (acc.fullname, domaindn),
+ "objectClass": ["top", "user"],
+ "lastLogon": str(acc.logon_time),
+ "lastLogoff": str(acc.logoff_time),
+ "unixName": acc.username,
+ "sAMAccountName": acc.nt_username,
+ "cn": acc.nt_username,
+ "description": acc.acct_desc,
+ "primaryGroupID": str(acc.group_rid),
+ "badPwdcount": str(acc.bad_password_count),
+ "logonCount": str(acc.logon_count),
+ "samba3Domain": acc.domain,
+ "samba3DirDrive": acc.dir_drive,
+ "samba3MungedDial": acc.munged_dial,
+ "samba3Homedir": acc.homedir,
+ "samba3LogonScript": acc.logon_script,
+ "samba3ProfilePath": acc.profile_path,
+ "samba3Workstations": acc.workstations,
+ "samba3KickOffTime": str(acc.kickoff_time),
+ "samba3BadPwdTime": str(acc.bad_password_time),
+ "samba3PassLastSetTime": str(acc.pass_last_set_time),
+ "samba3PassCanChangeTime": str(acc.pass_can_change_time),
+ "samba3PassMustChangeTime": str(acc.pass_must_change_time),
+ "objectSid": "%s-%d" % (domainsid, acc.user_rid),
+ "lmPwdHash:": acc.lm_password,
+ "ntPwdHash:": acc.nt_password,
+ })
+
+
+def import_sam_group(samldb, sid, gid, sid_name_use, nt_name, comment, domaindn):
+ """Upgrade a SAM group.
+
+ :param samldb: SAM database.
+ :param gid: Group GID
+ :param sid_name_use: SID name use
+ :param nt_name: NT Group Name
+ :param comment: NT Group Comment
+ :param domaindn: Domain DN
+ """
+
+ if sid_name_use == 5: # Well-known group
return None
- if group.nt_name in ("Domain Guests", "Domain Users", "Domain Admins"):
+ if nt_name in ("Domain Guests", "Domain Users", "Domain Admins"):
return None
- if group.gid == -1:
- gr = grp.getgrnam(grp.nt_name)
+ if gid == -1:
+ gr = grp.getgrnam(nt_name)
else:
- gr = grp.getgrgid(grp.gid)
+ gr = grp.getgrgid(gid)
if gr is None:
- group.unixname = "UNKNOWN"
+ unixname = "UNKNOWN"
else:
- group.unixname = gr.gr_name
+ unixname = gr.gr_name
- assert group.unixname is not None
+ assert unixname is not None
- ldif = """dn: cn=%s,%s
-objectClass: top
-objectClass: group
-description: %s
-cn: %s
-objectSid: %s
-unixName: %s
-samba3SidNameUse: %d
-""" % (group.nt_name, domaindn,
-group.comment, group.nt_name, group.sid, group.unixname, group.sid_name_use)
-
- return ldif
-
-def upgrade_winbind(samba3,domaindn):
- ldif = """
-
-dn: dc=none
-userHwm: %d
-groupHwm: %d
-
-""" % (samba3.idmap.user_hwm, samba3.idmap.group_hwm)
-
- for m in samba3.idmap.mappings:
- ldif += """
-dn: SID=%s,%s
-SID: %s
-type: %d
-unixID: %d""" % (m.sid, domaindn, m.sid, m.type, m.unix_id)
+ samldb.add({
+ "dn": "cn=%s,%s" % (nt_name, domaindn),
+ "objectClass": ["top", "group"],
+ "description": comment,
+ "cn": nt_name,
+ "objectSid": sid,
+ "unixName": unixname,
+ "samba3SidNameUse": str(sid_name_use)
+ })
+
+
+def import_idmap(samdb,samba3_idmap,domaindn):
+ """Import idmap data.
+
+ :param samdb: SamDB handle.
+ :param samba3_idmap: Samba 3 IDMAP database to import from
+ :param domaindn: Domain DN.
+ """
+ samdb.add({
+ "dn": domaindn,
+ "userHwm": str(samba3_idmap.get_user_hwm()),
+ "groupHwm": str(samba3_idmap.get_group_hwm())})
+
+ for uid in samba3_idmap.uids():
+ samdb.add({"dn": "SID=%s,%s" % (samba3_idmap.get_user_sid(uid), domaindn),
+ "SID": samba3_idmap.get_user_sid(uid),
+ "type": "user",
+ "unixID": str(uid)})
+
+ for gid in samba3_idmap.uids():
+ samdb.add({"dn": "SID=%s,%s" % (samba3_idmap.get_group_sid(gid), domaindn),
+ "SID": samba3_idmap.get_group_sid(gid),
+ "type": "group",
+ "unixID": str(gid)})
+
+
+def import_wins(samba4_winsdb, samba3_winsdb):
+ """Import settings from a Samba3 WINS database.
- return ldif
-
-def upgrade_wins(samba3):
- """Upgrade the WINS database."""
- ldif = ""
+ :param samba4_winsdb: WINS database to import to
+ :param samba3_winsdb: WINS database to import from
+ """
version_id = 0
+ import time
- for e in samba3.winsentries:
- now = sys.nttime()
- ttl = sys.unix2nttime(e.ttl)
-
+ for (name, (ttl, ips, nb_flags)) in samba3_winsdb.items():
version_id+=1
- numIPs = len(e.ips)
+ type = int(name.split("#", 1)[1], 16)
- if e.type == 0x1C:
+ if type == 0x1C:
rType = 0x2
- elif e.type & 0x80:
- if numIPs > 1:
+ elif type & 0x80:
+ if len(ips) > 1:
rType = 0x2
else:
rType = 0x1
else:
- if numIPs > 1:
+ if len(ips) > 1:
rType = 0x3
else:
rType = 0x0
- if ttl > now:
+ if ttl > time.time():
rState = 0x0 # active
else:
rState = 0x1 # released
- nType = ((e.nb_flags & 0x60)>>5)
-
- ldif += """
-dn: name=%s,type=0x%02X
-type: 0x%02X
-name: %s
-objectClass: winsRecord
-recordType: %u
-recordState: %u
-nodeType: %u
-isStatic: 0
-expireTime: %s
-versionID: %llu
-""" % (e.name, e.type, e.type, e.name,
- rType, rState, nType,
- ldaptime(ttl), version_id)
-
- for ip in e.ips:
- ldif += "address: %s\n" % ip
-
- ldif += """
-dn: CN=VERSION
-objectClass: winsMaxVersion
-maxVersion: %llu
-""" % version_id
-
- return ldif
-
-def upgrade_provision(lp, samba3):
- domainname = samba3.configuration.get("workgroup")
+ nType = ((nb_flags & 0x60)>>5)
+
+ samba4_winsdb.add({"dn": "name=%s,type=0x%s" % tuple(name.split("#")),
+ "type": name.split("#")[1],
+ "name": name.split("#")[0],
+ "objectClass": "winsRecord",
+ "recordType": str(rType),
+ "recordState": str(rState),
+ "nodeType": str(nType),
+ "expireTime": ldb.timestring(ttl),
+ "isStatic": "0",
+ "versionID": str(version_id),
+ "address": ips})
+
+ samba4_winsdb.add({"dn": "CN=VERSION",
+ "objectClass": "winsMaxVersion",
+ "maxVersion": str(version_id)})
+
+def upgrade_provision(samba3, setup_dir, message, credentials, session_info, lp, paths):
+ oldconf = samba3.get_conf()
+
+ if oldconf.get("domain logons") == "True":
+ serverrole = "domain controller"
+ else:
+ if oldconf.get("security") == "user":
+ serverrole = "standalone"
+ else:
+ serverrole = "member server"
+
+ lp.set("server role", serverrole)
+ domainname = oldconf.get("workgroup")
+ if domainname:
+ domainname = str(domainname)
+ lp.set("workgroup", domainname)
+ realm = oldconf.get("realm")
+ netbiosname = oldconf.get("netbios name")
+
+ secrets_db = samba3.get_secrets_db()
if domainname is None:
- domainname = samba3.secrets.domains[0].name
- print "No domain specified in smb.conf file, assuming '%s'\n" % domainname
+ domainname = secrets_db.domains()[0]
+ message("No domain specified in smb.conf file, assuming '%s'" % domainname)
- domsec = samba3.find_domainsecrets(domainname)
- hostsec = samba3.find_domainsecrets(hostname())
- realm = samba3.configuration.get("realm")
-
if realm is None:
- realm = domainname
- print "No realm specified in smb.conf file, assuming '%s'\n" % realm
- random_init(local)
+ realm = domainname.lower()
+ message("No realm specified in smb.conf file, assuming '%s'\n" % realm)
+ lp.set("realm", realm)
+
+ domainguid = secrets_db.get_domain_guid(domainname)
+ domainsid = secrets_db.get_sid(domainname)
+ if domainsid is None:
+ message("Can't find domain secrets for '%s'; using random SID\n" % domainname)
+
+ if netbiosname is not None:
+ machinepass = secrets_db.get_machine_password(netbiosname)
+ else:
+ machinepass = None
+
+ domaindn = provision(lp=lp, setup_dir=setup_dir, message=message,
+ samdb_fill=FILL_DRS, paths=paths, session_info=session_info,
+ credentials=credentials, realm=realm,
+ domain=domainname, domainsid=domainsid, domainguid=domainguid,
+ machinepass=machinepass, serverrole=serverrole)
- subobj.realm = realm
- subobj.domain = domainname
+ samdb = SamDB(paths.samdb, credentials=credentials, lp=lp, session_info=session_info)
- if domsec is not None:
- subobj.DOMAINGUID = domsec.guid
- subobj.DOMAINSID = domsec.sid
- else:
- print "Can't find domain secrets for '%s'; using random SID and GUID\n" % domainname
- subobj.DOMAINGUID = uuid.random()
- subobj.DOMAINSID = randsid()
+ import_wins(Ldb(paths.winsdb), samba3.get_wins_db())
+
+ # FIXME: import_registry(registry.Registry(), samba3.get_registry())
+
+ # FIXME: import_idmap(samdb,samba3.get_idmap_db(),domaindn)
- if hostsec:
- hostguid = hostsec.guid
- subobj.krbtgtpass = randpass(12)
- subobj.machinepass = randpass(12)
- subobj.adminpass = randpass(12)
- subobj.datestring = datestring()
- subobj.root = findnss(pwd.getpwnam, "root")[4]
- subobj.nobody = findnss(pwd.getpwnam, "nobody")[4]
- subobj.nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2]
- subobj.wheel = findnss(grp.getgrnam, "wheel", "root")[2]
- subobj.users = findnss(grp.getgrnam, "users", "guest", "other")[2]
- subobj.dnsdomain = subobj.realm.lower()
- subobj.dnsname = "%s.%s" % (subobj.hostname.lower(), subobj.dnsdomain)
- subobj.basedn = "DC=" + ",DC=".join(subobj.realm.split("."))
- rdn_list = subobj.dnsdomain.split(".")
- subobj.domaindn = "DC=" + ",DC=".join(rdn_list)
- subobj.domaindn_ldb = "users.ldb"
- subobj.rootdn = subobj.domaindn
-
- modules_list = ["rootdse",
- "kludge_acl",
- "paged_results",
- "server_sort",
- "extended_dn",
- "asq",
- "samldb",
- "password_hash",
- "operational",
- "objectclass",
- "rdn_name",
- "show_deleted",
- "partition"]
- subobj.modules_list = ",".join(modules_list)
-
- return subobj
+ groupdb = samba3.get_groupmapping_db()
+ for sid in groupdb.groupsids():
+ (gid, sid_name_use, nt_name, comment) = groupdb.get_group(sid)
+ # FIXME: import_sam_group(samdb, sid, gid, sid_name_use, nt_name, comment, domaindn)
+
+ # FIXME: Aliases
+
+ passdb = samba3.get_sam_db()
+ for name in passdb:
+ user = passdb[name]
+ #FIXME: import_sam_account(samdb, user, domaindn, domainsid)
+
+ if hasattr(passdb, 'ldap_url'):
+ message("Enabling Samba3 LDAP mappings for SAM database")
+
+ enable_samba3sam(samdb, passdb.ldap_url)
+
+
+def enable_samba3sam(samdb, ldapurl):
+ """Enable Samba 3 LDAP URL database.
+
+ :param samdb: SAM Database.
+ :param ldapurl: Samba 3 LDAP URL
+ """
+ samdb.modify_ldif("""
+dn: @MODULES
+changetype: modify
+replace: @LIST
+@LIST: samldb,operational,objectguid,rdn_name,samba3sam
+""")
+
+ samdb.add({"dn": "@MAP=samba3sam", "@MAP_URL": ldapurl})
+
smbconf_keep = [
"dos charset",
elif mark:
newconf.set(s, "samba3:"+p, oldconf.get(s,p))
- if oldconf.get("domain logons") == "True":
- newconf.set("server role", "domain controller")
- else:
- if oldconf.get("security") == "user":
- newconf.set("server role", "standalone")
- else:
- newconf.set("server role", "member server")
-
return newconf
-def upgrade(subobj, samba3, message, paths, session_info, credentials):
- ret = 0
- lp = loadparm_init()
- samdb = Ldb(paths.samdb, session_info=session_info, credentials=credentials)
-
- message("Writing configuration")
- newconf = upgrade_smbconf(samba3.configuration,True)
- newconf.save(paths.smbconf)
-
- message("Importing account policies")
- ldif = upgrade_sam_policy(samba3,subobj.BASEDN)
- samdb.modify(ldif)
- regdb = Ldb(paths.hklm)
-
- regdb.modify("""
-dn: value=RefusePasswordChange,key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=System,HIVE=NONE
-replace: type
-type: 4
-replace: data
-data: %d
-""" % samba3.policy.refuse_machine_password_change)
-
- message("Importing users")
- for account in samba3.samaccounts:
- msg = "... " + account.username
- ldif = upgrade_sam_account(samdb, accounts,subobj.BASEDN,subobj.DOMAINSID)
- try:
- samdb.add(ldif)
- except LdbError, e:
- # FIXME: Ignore 'Record exists' errors
- msg += "... error: " + str(e)
- ret += 1;
- message(msg)
-
- message("Importing groups")
- for mapping in samba3.groupmappings:
- msg = "... " + mapping.nt_name
- ldif = upgrade_sam_group(mapping, subobj.BASEDN)
- if ldif is not None:
- try:
- samdb.add(ldif)
- except LdbError, e:
- # FIXME: Ignore 'Record exists' errors
- msg += "... error: " + str(e)
- ret += 1
- message(msg)
-
- message("Importing registry data")
- for hive in ["hkcr","hkcu","hklm","hkpd","hku","hkpt"]:
- message("... " + hive)
- regdb = Ldb(paths[hive])
- ldif = upgrade_registry(samba3.registry, hive, regdb)
- for j in ldif:
- msg = "... ... " + j
- try:
- regdb.add(ldif[j])
- except LdbError, e:
- # FIXME: Ignore 'Record exists' errors
- msg += "... error: " + str(e)
- ret += 1
- message(msg)
-
- message("Importing WINS data")
- winsdb = Ldb(paths.winsdb)
- ldb_erase(winsdb)
-
- ldif = upgrade_wins(samba3)
- winsdb.add(ldif)
-
- # figure out ldapurl, if applicable
- ldapurl = None
- pdb = samba3.configuration.get_list("passdb backend")
- if pdb is not None:
- for backend in pdb:
- if len(backend) >= 7 and backend[0:7] == "ldapsam":
- ldapurl = backend[7:]
-
- # URL was not specified in passdb backend but ldap /is/ used
- if ldapurl == "":
- ldapurl = "ldap://%s" % samba3.configuration.get("ldap server")
-
- # Enable samba3sam module if original passdb backend was ldap
- if ldapurl is not None:
- message("Enabling Samba3 LDAP mappings for SAM database")
+SAMBA3_PREDEF_NAMES = {
+ 'HKLM': registry.HKEY_LOCAL_MACHINE,
+}
- samdb.modify("""
-dn: @MODULES
-changetype: modify
-replace: @LIST
-@LIST: samldb,operational,objectguid,rdn_name,samba3sam
-""")
-
- samdb.add("""
-dn: @MAP=samba3sam
-@MAP_URL: %s""" % ldapurl)
+def import_registry(samba4_registry, samba3_regdb):
+ """Import a Samba 3 registry database into the Samba 4 registry.
- return ret
+ :param samba4_registry: Samba 4 registry handle.
+ :param samba3_regdb: Samba 3 registry database handle.
+ """
+ def ensure_key_exists(keypath):
+ (predef_name, keypath) = keypath.split("/", 1)
+ predef_id = SAMBA3_PREDEF_NAMES[predef_name]
+ keypath = keypath.replace("/", "\\")
+ return samba4_registry.create_key(predef_id, keypath)
-def upgrade_verify(subobj, samba3, paths, message):
- message("Verifying account policies")
+ for key in samba3_regdb.keys():
+ key_handle = ensure_key_exists(key)
+ for subkey in samba3_regdb.subkeys(key):
+ ensure_key_exists(subkey)
+ for (value_name, (value_type, value_data)) in samba3_regdb.values(key).items():
+ key_handle.set_value(value_name, value_type, value_data)
- samldb = Ldb(paths.samdb)
- for account in samba3.samaccounts:
- msg = samldb.search("(&(sAMAccountName=" + account.nt_username + ")(objectclass=user))")
- assert(len(msg) >= 1)
-
- # FIXME