import shutil
from credentials import Credentials, DONT_USE_KERBEROS
from auth import system_session, admin_session
-from samba import version, Ldb, substitute_var, valid_netbios_name, check_all_substituted, \
- DS_BEHAVIOR_WIN2008
+from samba import version, Ldb, substitute_var, valid_netbios_name
+from samba import check_all_substituted
+from samba import DS_DOMAIN_FUNCTION_2000, DS_DC_FUNCTION_2008_R2
from samba.samdb import SamDB
from samba.idmap import IDmapDB
from samba.dcerpc import security
+from samba.ndr import ndr_pack
import urllib
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError, timestring
from ms_schema import read_ms_schema
return ret
raise Exception("Unable to find setup directory.")
+def get_schema_descriptor(domain_sid):
+ sddl = "O:SAG:SAD:(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)" \
+ "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \
+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \
+ "S:(AU;SA;WPCCDCWOWDSDDTSW;;;WD)" \
+ "(AU;CISA;WP;;;WD)(AU;SA;CR;;;BA)" \
+ "(AU;SA;CR;;;DU)(OU;SA;CR;e12b56b6-0a95-11d1-adbb-00c04fd8d5cd;;WD)" \
+ "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return b64encode(ndr_pack(sec))
+
+def get_config_descriptor(domain_sid):
+ sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(A;;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCRCCLCLORCWOWDSDSW;;;DA)" \
+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \
+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3191434175-1265308384-3577286990-498)" \
+ "S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)" \
+ "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return b64encode(ndr_pack(sec))
+
DEFAULTSITE = "Default-First-Site-Name"
self.samdb = None
class Schema(object):
- def __init__(self, setup_path, schemadn=None,
+ def __init__(self, setup_path, domain_sid, schemadn=None,
serverdn=None, sambadn=None, ldap_backend_type=None):
"""Load schema for the SamDB from the AD schema files and samba4_schema.ldif
{"SCHEMADN": schemadn,
"SERVERDN": serverdn,
})
+
+ descr = get_schema_descriptor(domain_sid)
self.schema_dn_add = read_and_sub_file(setup_path("provision_schema_basedn.ldif"),
- {"SCHEMADN": schemadn
+ {"SCHEMADN": schemadn,
+ "DESCRIPTOR": descr
})
prefixmap = open(setup_path("prefixMap.txt"), 'r').read()
if not valid_netbios_name(domain):
raise InvalidNetbiosName(domain)
+ if netbiosname.upper() == realm.upper():
+ raise Exception("realm %s must not be equal to netbios domain name %s", realm, netbiosname)
+
+ if hostname.upper() == realm.upper():
+ raise Exception("realm %s must not be equal to hostname %s", realm, hostname)
+
+ if domain.upper() == realm.upper():
+ raise Exception("realm %s must not be equal to domain name %s", realm, domain)
+
if rootdn is None:
rootdn = domaindn
# module when expanding the objectclass list)
# - partition must be last
# - each partition has its own module list then
- modules_list = ["rootdse",
+ modules_list = ["resolve_oids",
+ "rootdse",
"paged_results",
"ranged_results",
"anr",
"extended_dn_in",
"rdn_name",
"objectclass",
+ "descriptor",
"samldb",
"password_hash",
- "operational"]
+ "operational",
+ "kludge_acl"]
tdb_modules_list = [
"subtree_rename",
"subtree_delete",
"linked_attributes",
"extended_dn_out_ldb"]
modules_list2 = ["show_deleted",
- "kludge_acl",
"partition"]
domaindn_ldb = "users.ldb"
def setup_self_join(samdb, names,
machinepass, dnspass,
domainsid, invocationid, setup_path,
- policyguid, domainControllerFunctionality):
+ policyguid, policyguid_dc, domainControllerFunctionality):
"""Join a host to its own domain."""
assert isinstance(invocationid, str)
setup_add_ldif(samdb, setup_path("provision_self_join.ldif"), {
setup_add_ldif(samdb, setup_path("provision_group_policy.ldif"), {
"POLICYGUID": policyguid,
+ "POLICYGUID_DC": policyguid_dc,
"DNSDOMAIN": names.dnsdomain,
"DOMAINSID": str(domainsid),
"DOMAINDN": names.domaindn})
+
+ # add the NTDSGUID based SPNs
+ ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn)
+ names.ntdsguid = samdb.searchone(basedn=ntds_dn, attribute="objectGUID",
+ expression="", scope=SCOPE_BASE)
+ assert isinstance(names.ntdsguid, str)
# Setup fSMORoleOwner entries to point at the newly created DC entry
setup_modify_ldif(samdb, setup_path("provision_self_join_modify.ldif"), {
+ "DOMAIN": names.domain,
+ "DNSDOMAIN": names.dnsdomain,
"DOMAINDN": names.domaindn,
"CONFIGDN": names.configdn,
"SCHEMADN": names.schemadn,
"DEFAULTSITE": names.sitename,
- "SERVERDN": names.serverdn
+ "SERVERDN": names.serverdn,
+ "NETBIOSNAME": names.netbiosname,
+ "NTDSGUID": names.ntdsguid
})
def setup_samdb(path, setup_path, session_info, credentials, lp,
names, message,
- domainsid, domainguid, policyguid,
+ domainsid, domainguid, policyguid, policyguid_dc,
fill, adminpass, krbtgtpass,
machinepass, invocationid, dnspass,
serverrole, schema=None, ldap_backend=None):
:note: This will wipe the main SAM database file!
"""
- domainFunctionality = DS_BEHAVIOR_WIN2008
- forestFunctionality = DS_BEHAVIOR_WIN2008
- domainControllerFunctionality = DS_BEHAVIOR_WIN2008
+ domainFunctionality = DS_DOMAIN_FUNCTION_2000
+ forestFunctionality = DS_DOMAIN_FUNCTION_2000
+ domainControllerFunctionality = DS_DC_FUNCTION_2008_R2
# Also wipes the database
setup_samdb_partitions(path, setup_path, message=message, lp=lp,
ldap_backend=ldap_backend, serverrole=serverrole)
if (schema == None):
- schema = Schema(setup_path, schemadn=names.schemadn, serverdn=names.serverdn,
+ schema = Schema(setup_path, domainsid, schemadn=names.schemadn, serverdn=names.serverdn,
sambadn=names.sambadn, ldap_backend_type=ldap_backend.ldap_backend_type)
# Load the database, but importantly, use Ldb not SamDB as we don't want to load the global schema
domainguid_mod = ""
setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
- "LDAPTIME": timestring(int(time.time())),
+ "CREATTIME": str(int(time.time()) * 1e7), # seconds -> ticks
"DOMAINSID": str(domainsid),
"SCHEMADN": names.schemadn,
"NETBIOSNAME": names.netbiosname,
"POLICYGUID": policyguid,
"DOMAINDN": names.domaindn,
"DOMAINGUID_MOD": domainguid_mod,
- "DOMAIN_FUNCTIONALITY": str(domainFunctionality)
+ "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
+ "SAMBA_VERSION_STRING": version
})
message("Adding configuration container")
+ descr = get_config_descriptor(domainsid);
setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), {
"CONFIGDN": names.configdn,
+ "DESCRIPTOR": descr,
})
message("Modifying configuration container")
setup_modify_ldif(samdb, setup_path("provision_configuration_basedn_modify.ldif"), {
"DOMAINDN": names.domaindn})
message("Setting up sam.ldb data")
setup_add_ldif(samdb, setup_path("provision.ldif"), {
+ "CREATTIME": str(int(time.time()) * 1e7), # seconds -> ticks
"DOMAINDN": names.domaindn,
"NETBIOSNAME": names.netbiosname,
"DEFAULTSITE": names.sitename,
"CONFIGDN": names.configdn,
- "SERVERDN": names.serverdn
+ "SERVERDN": names.serverdn,
+ "POLICYGUID_DC": policyguid_dc
})
if fill == FILL_FULL:
dnspass=dnspass,
machinepass=machinepass,
domainsid=domainsid, policyguid=policyguid,
+ policyguid_dc=policyguid_dc,
setup_path=setup_path,
domainControllerFunctionality=domainControllerFunctionality)
+ ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn)
+ names.ntdsguid = samdb.searchone(basedn=ntds_dn,
+ attribute="objectGUID", expression="", scope=SCOPE_BASE)
+ assert isinstance(names.ntdsguid, str)
+
except:
samdb.transaction_cancel()
raise
domain=None, hostname=None, hostip=None, hostip6=None,
domainsid=None, adminpass=None, ldapadminpass=None,
krbtgtpass=None, domainguid=None,
- policyguid=None, invocationid=None, machinepass=None,
+ policyguid=None, policyguid_dc=None, invocationid=None,
+ machinepass=None,
dnspass=None, root=None, nobody=None, users=None,
wheel=None, backup=None, aci=None, serverrole=None,
ldap_backend_extra_port=None, ldap_backend_type=None,
"""
def setup_path(file):
- return os.path.join(setup_dir, file)
+ return os.path.join(setup_dir, file)
if domainsid is None:
- domainsid = security.random_sid()
+ domainsid = security.random_sid()
+ else:
+ domainsid = security.dom_sid(domainsid)
+
+ # create/adapt the group policy GUIDs
if policyguid is None:
policyguid = str(uuid.uuid4())
+ policyguid = policyguid.upper()
+ if policyguid_dc is None:
+ policyguid_dc = str(uuid.uuid4())
+ policyguid_dc = policyguid_dc.upper()
+
if adminpass is None:
adminpass = glue.generate_random_str(12)
if krbtgtpass is None:
ldapi_url = "ldapi://%s" % urllib.quote(paths.s4_ldapi_path, safe="")
- schema = Schema(setup_path, schemadn=names.schemadn, serverdn=names.serverdn,
+ schema = Schema(setup_path, domainsid, schemadn=names.schemadn, serverdn=names.serverdn,
sambadn=names.sambadn, ldap_backend_type=ldap_backend_type)
secrets_credentials = credentials
# Now use the backend credentials to access the databases
credentials = provision_backend.credentials
secrets_credentials = provision_backend.adminCredentials
+ ldapi_url = provision_backend.ldapi_uri
# only install a new shares config db if there is none
if not os.path.exists(paths.shareconf):
credentials=credentials, lp=lp, names=names,
message=message,
domainsid=domainsid,
- schema=schema, domainguid=domainguid, policyguid=policyguid,
+ schema=schema, domainguid=domainguid,
+ policyguid=policyguid, policyguid_dc=policyguid_dc,
fill=samdb_fill,
adminpass=adminpass, krbtgtpass=krbtgtpass,
invocationid=invocationid,
(paths.smbconf, setup_path("provision.smb.conf.dc")))
assert(paths.sysvol is not None)
- policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
+ # Set up group policies (domain policy and domain controller policy)
+
+ policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
"{" + policyguid + "}")
os.makedirs(policy_path, 0755)
- open(os.path.join(policy_path, "GPT.INI"), 'w').write("")
- os.makedirs(os.path.join(policy_path, "Machine"), 0755)
- os.makedirs(os.path.join(policy_path, "User"), 0755)
+ open(os.path.join(policy_path, "GPT.INI"), 'w').write(
+ "[General]\r\nVersion=65543")
+ os.makedirs(os.path.join(policy_path, "MACHINE"), 0755)
+ os.makedirs(os.path.join(policy_path, "USER"), 0755)
+
+ policy_path_dc = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
+ "{" + policyguid_dc + "}")
+ os.makedirs(policy_path_dc, 0755)
+ open(os.path.join(policy_path_dc, "GPT.INI"), 'w').write(
+ "[General]\r\nVersion=2")
+ os.makedirs(os.path.join(policy_path_dc, "MACHINE"), 0755)
+ os.makedirs(os.path.join(policy_path_dc, "USER"), 0755)
+
if not os.path.isdir(paths.netlogon):
os.makedirs(paths.netlogon, 0755)
domainguid = samdb.searchone(basedn=domaindn, attribute="objectGUID")
assert isinstance(domainguid, str)
- hostguid = samdb.searchone(basedn=domaindn, attribute="objectGUID",
- expression="(&(objectClass=computer)(cn=%s))" % names.hostname,
- scope=SCOPE_SUBTREE)
- assert isinstance(hostguid, str)
create_zone_file(paths.dns, setup_path, dnsdomain=names.dnsdomain,
domaindn=names.domaindn, hostip=hostip,
hostip6=hostip6, hostname=names.hostname,
dnspass=dnspass, realm=names.realm,
- domainguid=domainguid, hostguid=hostguid)
+ domainguid=domainguid, ntdsguid=names.ntdsguid)
create_named_conf(paths.namedconf, setup_path, realm=names.realm,
dnsdomain=names.dnsdomain, private_dir=paths.private_dir)
message("A Kerberos configuration suitable for Samba 4 has been generated at %s" % paths.krb5conf)
- ldapi_db = Ldb(provision_backend.ldapi_uri, lp=lp, credentials=credentials)
+ if provision_backend is not None:
+ if ldap_backend_type == "fedora-ds":
+ ldapi_db = Ldb(provision_backend.ldapi_uri, lp=lp, credentials=credentials)
- # delete default SASL mappings
- res = ldapi_db.search(expression="(!(cn=samba-admin mapping))", base="cn=mapping,cn=sasl,cn=config", scope=SCOPE_ONELEVEL, attrs=["dn"])
+ # delete default SASL mappings
+ res = ldapi_db.search(expression="(!(cn=samba-admin mapping))", base="cn=mapping,cn=sasl,cn=config", scope=SCOPE_ONELEVEL, attrs=["dn"])
- for i in range (0, len(res)):
- dn = str(res[i]["dn"])
- ldapi_db.delete(dn)
-
- # configure aci
- if ldap_backend_type == "fedora-ds":
-
- aci = """(targetattr = "*") (version 3.0;acl "full access to all by samba-admin";allow (all)(userdn = "ldap:///CN=samba-admin,%s");)""" % names.sambadn
+ # configure in-directory access control on Fedora DS via the aci attribute (over a direct ldapi:// socket)
+ for i in range (0, len(res)):
+ dn = str(res[i]["dn"])
+ ldapi_db.delete(dn)
- m = ldb.Message()
- m["aci"] = ldb.MessageElement([aci], ldb.FLAG_MOD_REPLACE, "aci")
+ aci = """(targetattr = "*") (version 3.0;acl "full access to all by samba-admin";allow (all)(userdn = "ldap:///CN=samba-admin,%s");)""" % names.sambadn
- m.dn = ldb.Dn(1, names.domaindn)
- ldapi_db.modify(m)
+ m = ldb.Message()
+ m["aci"] = ldb.MessageElement([aci], ldb.FLAG_MOD_REPLACE, "aci")
+
+ m.dn = ldb.Dn(1, names.domaindn)
+ ldapi_db.modify(m)
- m.dn = ldb.Dn(1, names.configdn)
- ldapi_db.modify(m)
+ m.dn = ldb.Dn(1, names.configdn)
+ ldapi_db.modify(m)
- m.dn = ldb.Dn(1, names.schemadn)
- ldapi_db.modify(m)
+ m.dn = ldb.Dn(1, names.schemadn)
+ ldapi_db.modify(m)
- # if backend is openldap, terminate slapd after final provision and check its proper termination
- if provision_backend is not None and provision_backend.slapd is not None:
- if provision_backend.slapd.poll() is None:
- #Kill the slapd
- if hasattr(provision_backend.slapd, "terminate"):
- provision_backend.slapd.terminate()
- else:
- import signal
- os.kill(provision_backend.slapd.pid, signal.SIGTERM)
+ # if an LDAP backend is in use, terminate slapd after final provision and check its proper termination
+ if provision_backend.slapd.poll() is None:
+ #Kill the slapd
+ if hasattr(provision_backend.slapd, "terminate"):
+ provision_backend.slapd.terminate()
+ else:
+ # Older python versions don't have .terminate()
+ import signal
+ os.kill(provision_backend.slapd.pid, signal.SIGTERM)
- #and now wait for it to die
- provision_backend.slapd.communicate()
+ #and now wait for it to die
+ provision_backend.slapd.communicate()
# now display slapd_command_file.txt to show how slapd must be started next time
message("Use later the following commandline to start slapd, then Samba:")
configdn=None, serverdn=None,
domain=None, hostname=None, domainsid=None,
adminpass=None, krbtgtpass=None, domainguid=None,
- policyguid=None, invocationid=None, machinepass=None,
+ policyguid=None, policyguid_dc=None, invocationid=None,
+ machinepass=None,
dnspass=None, root=None, nobody=None, users=None,
wheel=None, backup=None, serverrole=None,
ldap_backend=None, ldap_backend_type=None,
def create_zone_file(path, setup_path, dnsdomain, domaindn,
hostip, hostip6, hostname, dnspass, realm, domainguid,
- hostguid):
+ ntdsguid):
"""Write out a DNS zone file, from the info in the current database.
:param path: Path of the new zone file.
:param dnspass: Password for DNS
:param realm: Realm name
:param domainguid: GUID of the domain.
- :param hostguid: GUID of the host.
+ :param ntdsguid: GUID of the hosts nTDSDSA record.
"""
assert isinstance(domainguid, str)
"DOMAINGUID": domainguid,
"DATESTRING": time.strftime("%Y%m%d%H"),
"DEFAULTSITE": DEFAULTSITE,
- "HOSTGUID": hostguid,
+ "NTDSGUID": ntdsguid,
"HOSTIP6_BASE_LINE": hostip6_base_line,
"HOSTIP6_HOST_LINE": hostip6_host_line,
})
git.samba.org / ira / wip.git / blobdiff