self.fedoradsinf = None
self.fedoradspartitions = None
self.fedoradssasl = None
+ self.fedoradspam = None
+ self.fedoradsrefint = None
+ self.fedoradslinkedattributes = None
+ self.fedoradsindex = None
+ self.fedoradssamba = None
self.olmmron = None
self.olmmrserveridsconf = None
self.olmmrsyncreplconf = None
ldb.transaction_commit()
-def setup_file(template, fname, subst_vars):
+def setup_file(template, fname, subst_vars=None):
"""Setup a file in the private dir.
:param template: Path of the template file.
paths.samdb = os.path.join(paths.private_dir, lp.get("sam database") or "samdb.ldb")
paths.idmapdb = os.path.join(paths.private_dir, lp.get("idmap database") or "idmap.ldb")
paths.secrets = os.path.join(paths.private_dir, lp.get("secrets database") or "secrets.ldb")
+ paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone")
paths.namedconf = os.path.join(paths.private_dir, "named.conf")
paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
"fedorads-partitions.ldif")
paths.fedoradssasl = os.path.join(paths.ldapdir,
"fedorads-sasl.ldif")
+ paths.fedoradspam = os.path.join(paths.ldapdir,
+ "fedorads-pam.ldif")
+ paths.fedoradsrefint = os.path.join(paths.ldapdir,
+ "fedorads-refint.ldif")
+ paths.fedoradslinkedattributes = os.path.join(paths.ldapdir,
+ "fedorads-linked-attributes.ldif")
+ paths.fedoradsindex = os.path.join(paths.ldapdir,
+ "fedorads-index.ldif")
paths.fedoradssamba = os.path.join(paths.ldapdir,
- "fedorads-samba.ldif")
+ "fedorads-samba.ldif")
paths.olmmrserveridsconf = os.path.join(paths.ldapdir,
"mmr_serverids.conf")
paths.olmmrsyncreplconf = os.path.join(paths.ldapdir,
"""Guess configuration settings to use."""
if hostname is None:
- hostname = socket.gethostname().split(".")[0].lower()
+ hostname = socket.gethostname().split(".")[0]
- netbiosname = hostname.upper()
+ netbiosname = lp.get("netbios name")
+ if netbiosname is None:
+ netbiosname = hostname
+ assert netbiosname is not None
+ netbiosname = netbiosname.upper()
if not valid_netbios_name(netbiosname):
raise InvalidNetbiosName(netbiosname)
- hostname = hostname.lower()
-
if dnsdomain is None:
dnsdomain = lp.get("realm")
+ assert dnsdomain is not None
+ dnsdomain = dnsdomain.lower()
if serverrole is None:
serverrole = lp.get("server role")
+ assert serverrole is not None
+ serverrole = serverrole.lower()
- assert dnsdomain is not None
realm = dnsdomain.upper()
if lp.get("realm").upper() != realm:
- raise Exception("realm '%s' in %s must match chosen realm '%s'" %
- (lp.get("realm"), lp.configfile, realm))
-
- dnsdomain = dnsdomain.lower()
+ raise ProvisioningError("guess_names: Realm '%s' in smb.conf must match chosen realm '%s'!", lp.get("realm").upper(), realm)
if serverrole == "domain controller":
if domain is None:
domain = lp.get("workgroup")
+ assert domain is not None
+ domain = domain.upper()
+
+ if lp.get("workgroup").upper() != domain:
+ raise ProvisioningError("guess_names: Workgroup '%s' in smb.conf must match chosen domain '%s'!", lp.get("workgroup").upper(), domain)
+
if domaindn is None:
domaindn = "DC=" + dnsdomain.replace(".", ",DC=")
- if lp.get("workgroup").upper() != domain.upper():
- raise Exception("workgroup '%s' in smb.conf must match chosen domain '%s'",
- lp.get("workgroup"), domain)
else:
domain = netbiosname
if domaindn is None:
- domaindn = "CN=" + netbiosname
+ domaindn = "DC=" + netbiosname
- assert domain is not None
- domain = domain.upper()
if not valid_netbios_name(domain):
raise InvalidNetbiosName(domain)
- if netbiosname.upper() == realm.upper():
- raise Exception("realm %s must not be equal to netbios domain name %s", realm, netbiosname)
-
- if hostname.upper() == realm.upper():
- raise Exception("realm %s must not be equal to hostname %s", realm, hostname)
-
- if domain.upper() == realm.upper():
- raise Exception("realm %s must not be equal to domain name %s", realm, domain)
+ if hostname.upper() == realm:
+ raise ProvisioningError("guess_names: Realm '%s' must not be equal to hostname '%s'!", realm, hostname)
+ if netbiosname == realm:
+ raise ProvisioningError("guess_names: Realm '%s' must not be equal to netbios hostname '%s'!", realm, netbiosname)
+ if domain == realm:
+ raise ProvisioningError("guess_names: Realm '%s' must not be equal to short domain name '%s'!", realm, domain)
if rootdn is None:
rootdn = domaindn
"""
assert smbconf is not None
if hostname is None:
- hostname = socket.gethostname().split(".")[0].lower()
+ hostname = socket.gethostname().split(".")[0]
+ netbiosname = hostname.upper()
if serverrole is None:
serverrole = "standalone"
smbconfsuffix = "standalone"
assert domain is not None
+ domain = domain.upper()
+
assert realm is not None
+ realm = realm.upper()
default_lp = param.LoadParm()
#Load non-existant file
setup_file(setup_path("provision.smb.conf.%s" % smbconfsuffix),
smbconf, {
- "HOSTNAME": hostname,
+ "NETBIOS_NAME": netbiosname,
"DOMAIN": domain,
"REALM": realm,
"SERVERROLE": serverrole,
idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
def setup_samdb_partitions(samdb_path, setup_path, message, lp, session_info,
- credentials, names,
+ credentials, names, schema,
serverrole, ldap_backend=None,
erase=False):
"""Setup the partitions for the SAM database.
:note: This function always removes the local SAM LDB file. The erase
parameter controls whether to erase the existing data, which
may not be stored locally but in LDAP.
+
"""
assert session_info is not None
+ old_partitions = None
+ new_partitions = None
+
# We use options=["modules:"] to stop the modules loading - we
# just want to wipe and re-initialise the database, not start it up
try:
samdb = Ldb(url=samdb_path, session_info=session_info,
credentials=credentials, lp=lp, options=["modules:"])
+ res = samdb.search(base="@PARTITION", scope=SCOPE_BASE, attrs=["partition"], expression="partition=*")
+ if len(res) == 1:
+ try:
+ old_partitions = res[0]["partition"]
+ except KeyError:
+ pass
+
+ if old_partitions is not None:
+ new_partitions = [];
+ for old_partition in old_partitions:
+ new_partition = old_partition
+ if old_partition.endswith(".ldb"):
+ p = old_partition.split(":")[0]
+ dn = ldb.Dn(schema.ldb, p)
+ new_partition = dn.get_casefold()
+ new_partitions.append(new_partition)
+
# Wipes the database
samdb.erase_except_schema_controlled()
except LdbError:
credentials=credentials, lp=lp, options=["modules:"])
# Wipes the database
samdb.erase_except_schema_controlled()
-
#Add modules to the list to activate them by default
#beware often order is important
"samldb",
"password_hash",
"operational",
- "kludge_acl"]
+ "kludge_acl",
+ "instancetype"]
tdb_modules_list = [
"subtree_rename",
"subtree_delete",
"linked_attributes",
"extended_dn_out_ldb"]
modules_list2 = ["show_deleted",
- "partition"]
-
- domaindn_ldb = "users.ldb"
- configdn_ldb = "configuration.ldb"
- schemadn_ldb = "schema.ldb"
+ "schema_load",
+ "new_partition",
+ "partition"]
+ ldap_backend_line = "# No LDAP backend"
if ldap_backend is not None:
- domaindn_ldb = ldap_backend.ldapi_uri
- configdn_ldb = ldap_backend.ldapi_uri
- schemadn_ldb = ldap_backend.ldapi_uri
+ ldap_backend_line = "ldapBackend: %s" % ldap_backend.ldapi_uri
if ldap_backend.ldap_backend_type == "fedora-ds":
backend_modules = ["nsuniqueid", "paged_searches"]
# We can handle linked attributes here, as we don't have directory-side subtree operations
- tdb_modules_list = ["linked_attributes", "extended_dn_out_dereference"]
+ tdb_modules_list = ["extended_dn_out_fds"]
elif ldap_backend.ldap_backend_type == "openldap":
backend_modules = ["entryuuid", "paged_searches"]
# OpenLDAP handles subtree renames, so we don't want to do any of these things
- tdb_modules_list = ["extended_dn_out_dereference"]
+ tdb_modules_list = ["extended_dn_out_openldap"]
elif serverrole == "domain controller":
tdb_modules_list.insert(0, "repl_meta_data")
try:
message("Setting up sam.ldb partitions and settings")
setup_add_ldif(samdb, setup_path("provision_partitions.ldif"), {
- "SCHEMADN": names.schemadn,
- "SCHEMADN_LDB": schemadn_ldb,
+ "SCHEMADN": ldb.Dn(schema.ldb, names.schemadn).get_casefold(),
"SCHEMADN_MOD2": ",objectguid",
- "CONFIGDN": names.configdn,
- "CONFIGDN_LDB": configdn_ldb,
- "DOMAINDN": names.domaindn,
- "DOMAINDN_LDB": domaindn_ldb,
- "SCHEMADN_MOD": "schema_fsmo,instancetype",
- "CONFIGDN_MOD": "naming_fsmo,instancetype",
- "DOMAINDN_MOD": "pdc_fsmo,instancetype",
+ "CONFIGDN": ldb.Dn(schema.ldb, names.configdn).get_casefold(),
+ "DOMAINDN": ldb.Dn(schema.ldb, names.domaindn).get_casefold(),
+ "SCHEMADN_MOD": "schema_data",
+ "CONFIGDN_MOD": "naming_fsmo",
+ "DOMAINDN_MOD": "pdc_fsmo",
"MODULES_LIST": ",".join(modules_list),
"TDB_MODULES_LIST": tdb_modules_list_as_string,
"MODULES_LIST2": ",".join(modules_list2),
"BACKEND_MOD": ",".join(backend_modules),
+ "LDAP_BACKEND_LINE": ldap_backend_line,
})
+
+ if new_partitions is not None:
+ m = ldb.Message()
+ m.dn = ldb.Dn(samdb, "@PARTITION")
+
+ m["partition"] = ldb.MessageElement(new_partitions, ldb.FLAG_MOD_ADD, "partition")
+ samdb.modify(m)
+
samdb.load_ldif_file_add(setup_path("provision_init.ldif"))
message("Setting up sam.ldb rootDSE")
raise
samdb.transaction_commit()
-
+
+
def secretsdb_self_join(secretsdb, domain,
netbiosname, domainsid, machinepass,
realm=None, dnsdomain=None,
return secrets_ldb
+def setup_privileges(path, setup_path, session_info, lp):
+ """Setup the privileges database.
+
+ :param path: Path to the privileges database.
+ :param setup_path: Get the path to a setup file.
+ :param session_info: Session info.
+ :param credentials: Credentials
+ :param lp: Loadparm context
+ :return: LDB handle for the created secrets database
+ """
+ if os.path.exists(path):
+ os.unlink(path)
+ privilege_ldb = Ldb(path, session_info=session_info, lp=lp)
+ privilege_ldb.erase()
+ privilege_ldb.load_ldif_file_add(setup_path("provision_privilege.ldif"))
+
+
def setup_registry(path, setup_path, session_info, lp):
"""Setup the registry.
def setup_self_join(samdb, names,
machinepass, dnspass,
domainsid, invocationid, setup_path,
- policyguid, policyguid_dc, domainControllerFunctionality,ntdsguid):
+ policyguid, policyguid_dc, domainControllerFunctionality,
+ ntdsguid):
"""Join a host to its own domain."""
assert isinstance(invocationid, str)
if ntdsguid is not None:
- ntdsguid_mod = "objectGUID: %s\n"%ntdsguid
+ ntdsguid_line = "objectGUID: %s\n"%ntdsguid
else:
- ntdsguid_mod = ""
+ ntdsguid_line = ""
setup_add_ldif(samdb, setup_path("provision_self_join.ldif"), {
"CONFIGDN": names.configdn,
"SCHEMADN": names.schemadn,
"DOMAIN": names.domain,
"DNSDOMAIN": names.dnsdomain,
"SAMBA_VERSION_STRING": version,
- "NTDSGUID": ntdsguid_mod,
+ "NTDSGUID": ntdsguid_line,
"DOMAIN_CONTROLLER_FUNCTIONALITY": str(domainControllerFunctionality)})
setup_add_ldif(samdb, setup_path("provision_group_policy.ldif"), {
setup_samdb_partitions(path, setup_path, message=message, lp=lp,
credentials=credentials, session_info=session_info,
names=names, ldap_backend=ldap_backend,
- serverrole=serverrole)
+ serverrole=serverrole, schema=schema)
if (schema == None):
schema = Schema(setup_path, domainsid, schemadn=names.schemadn, serverdn=names.serverdn,
# And now we can connect to the DB - the schema won't be loaded from the DB
samdb.connect(path)
- # Load @OPTIONS
- samdb.load_ldif_file_add(setup_path("provision_options.ldif"))
-
if fill == FILL_DRS:
return samdb
-
+
samdb.transaction_start()
try:
message("Erasing data from partitions")
samdb.set_invocation_id(invocationid)
message("Adding DomainDN: %s" % names.domaindn)
- if serverrole == "domain controller":
- domain_oc = "domainDNS"
- else:
- domain_oc = "samba4LocalDomain"
#impersonate domain admin
admin_session_info = admin_session(lp, str(domainsid))
samdb.set_session_info(admin_session_info)
if domainguid is not None:
- domainguid_mod = "objectGUID: %s\n-" % domainguid
+ domainguid_line = "objectGUID: %s\n-" % domainguid
else:
- domainguid_mod = ""
+ domainguid_line = ""
setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
"DOMAINDN": names.domaindn,
- "DOMAIN_OC": domain_oc,
- "DOMAINGUID": domainguid_mod
+ "DOMAINGUID": domainguid_line
})
setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
- "CREATTIME": str(int(time.time()) * 1e7), # seconds -> ticks
+ "CREATTIME": str(int(time.time() * 1e7)), # seconds -> ticks
"DOMAINSID": str(domainsid),
"SCHEMADN": names.schemadn,
"NETBIOSNAME": names.netbiosname,
"DOMAINDN": names.domaindn})
message("Setting up sam.ldb data")
setup_add_ldif(samdb, setup_path("provision.ldif"), {
- "CREATTIME": str(int(time.time()) * 1e7), # seconds -> ticks
+ "CREATTIME": str(int(time.time() * 1e7)), # seconds -> ticks
"DOMAINDN": names.domaindn,
"NETBIOSNAME": names.netbiosname,
"DEFAULTSITE": names.sitename,
domainsid=domainsid, policyguid=policyguid,
policyguid_dc=policyguid_dc,
setup_path=setup_path,
- domainControllerFunctionality=domainControllerFunctionality,ntdsguid=ntdsguid)
+ domainControllerFunctionality=domainControllerFunctionality,
+ ntdsguid=ntdsguid)
ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn)
names.ntdsguid = samdb.searchone(basedn=ntds_dn,
domainsid=None, adminpass=None, ldapadminpass=None,
krbtgtpass=None, domainguid=None,
policyguid=None, policyguid_dc=None, invocationid=None,
- machinepass=None,ntdsguid=None,
+ machinepass=None, ntdsguid=None,
dnspass=None, root=None, nobody=None, users=None,
wheel=None, backup=None, aci=None, serverrole=None,
dom_for_fun_level=None,
lp = param.LoadParm()
lp.load(smbconf)
- names = guess_names(lp=lp, hostname=hostname, domain=domain,
- dnsdomain=realm, serverrole=serverrole, sitename=sitename,
- rootdn=rootdn, domaindn=domaindn, configdn=configdn, schemadn=schemadn,
- serverdn=serverdn)
+ names = guess_names(lp=lp, hostname=hostname, domain=domain,
+ dnsdomain=realm, serverrole=serverrole,
+ domaindn=domaindn, configdn=configdn, schemadn=schemadn,
+ serverdn=serverdn, sitename=sitename)
paths = provision_paths_from_lp(lp, names.dnsdomain)
setup_registry(paths.hklm, setup_path, session_info,
lp=lp)
+ message("Setting up the privileges database")
+ setup_privileges(paths.privilege, setup_path, session_info, lp=lp)
+
message("Setting up idmap db")
idmap = setup_idmapdb(paths.idmapdb, setup_path, session_info=session_info,
lp=lp)
adminpass=adminpass, krbtgtpass=krbtgtpass,
invocationid=invocationid,
machinepass=machinepass, dnspass=dnspass,
- ntdsguid=ntdsguid,
- serverrole=serverrole,
+ ntdsguid=ntdsguid, serverrole=serverrole,
dom_for_fun_level=dom_for_fun_level,
ldap_backend=provision_backend)
assert isinstance(domainguid, str)
create_zone_file(paths.dns, setup_path, dnsdomain=names.dnsdomain,
- domaindn=names.domaindn, hostip=hostip,
+ hostip=hostip,
hostip6=hostip6, hostname=names.hostname,
- dnspass=dnspass, realm=names.realm,
+ realm=names.realm,
domainguid=domainguid, ntdsguid=names.ntdsguid)
create_named_conf(paths.namedconf, setup_path, realm=names.realm,
{"SAMBADN": names.sambadn,
})
+ setup_file(setup_path("fedorads-pam.ldif"), paths.fedoradspam)
+
+ lnkattr = get_linked_attributes(names.schemadn,schema.ldb)
+
+ refint_config = data = open(setup_path("fedorads-refint-delete.ldif"), 'r').read()
+ memberof_config = ""
+ index_config = ""
+ argnum = 3
+
+ for attr in lnkattr.keys():
+ if lnkattr[attr] is not None:
+ refint_config += read_and_sub_file(setup_path("fedorads-refint-add.ldif"),
+ { "ARG_NUMBER" : str(argnum) ,
+ "LINK_ATTR" : attr })
+ memberof_config += read_and_sub_file(setup_path("fedorads-linked-attributes.ldif"),
+ { "MEMBER_ATTR" : attr ,
+ "MEMBEROF_ATTR" : lnkattr[attr] })
+ index_config += read_and_sub_file(setup_path("fedorads-index.ldif"),
+ { "ATTR" : attr })
+ argnum += 1
+
+ open(paths.fedoradsrefint, 'w').write(refint_config)
+ open(paths.fedoradslinkedattributes, 'w').write(memberof_config)
+
+ attrs = ["lDAPDisplayName"]
+ res = schema.ldb.search(expression="(&(objectclass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))", base=names.schemadn, scope=SCOPE_ONELEVEL, attrs=attrs)
+
+ for i in range (0, len(res)):
+ attr = res[i]["lDAPDisplayName"][0]
+
+ if attr == "objectGUID":
+ attr = "nsUniqueId"
+
+ index_config += read_and_sub_file(setup_path("fedorads-index.ldif"),
+ { "ATTR" : attr })
+
+ open(paths.fedoradsindex, 'w').write(index_config)
+
setup_file(setup_path("fedorads-samba.ldif"), paths.fedoradssamba,
{"SAMBADN": names.sambadn,
"LDAPADMINPASS": ldapadminpass
{"S4_LDAPI_URI": ldapi_uri})
-def create_zone_file(path, setup_path, dnsdomain, domaindn,
- hostip, hostip6, hostname, dnspass, realm, domainguid,
+def create_zone_file(path, setup_path, dnsdomain,
+ hostip, hostip6, hostname, realm, domainguid,
ntdsguid):
"""Write out a DNS zone file, from the info in the current database.
:param hostip: Local IPv4 IP
:param hostip6: Local IPv6 IP
:param hostname: Local hostname
- :param dnspass: Password for DNS
:param realm: Realm name
:param domainguid: GUID of the domain.
:param ntdsguid: GUID of the hosts nTDSDSA record.
hostip_host_line = ""
setup_file(setup_path("provision.zone"), path, {
- "DNSPASS_B64": b64encode(dnspass),
"HOSTNAME": hostname,
"DNSDOMAIN": dnsdomain,
"REALM": realm,