2 backend code for provisioning a Samba4 server
3 Copyright Andrew Tridgell 2005
4 Released under the GNU GPL v2 or later
7 /* used to generate sequence numbers for records */
8 provision_next_usn = 1;
13 return true if the current install seems to be OK
17 var lp = loadparm_init();
19 if (lp.get("realm") == "") {
22 var ok = ldb.connect(lp.get("sam database"));
26 var res = ldb.search("(name=Administrator)");
27 if (res.length != 1) {
34 find a user or group from a list of possibilities
39 assert(arguments.length >= 2);
40 var nssfn = arguments[0];
41 for (i=1;i<arguments.length;i++) {
42 if (nssfn(arguments[i]) != undefined) {
46 printf("Unable to find user/group for %s\n", arguments[1]);
47 assert(i<arguments.length);
51 add a foreign security principle
53 function add_foreign(str, sid, desc, unixname)
56 dn: CN=${SID},CN=ForeignSecurityPrincipals,${BASEDN}
58 objectClass: foreignSecurityPrincipal
64 var sub = new Object();
67 sub.UNIXNAME = unixname;
68 return str + substitute_var(add, sub);
72 return current time as a nt time string
76 return "" + sys.nttime();
80 return current time as a ldap time string
84 return sys.ldaptime(sys.nttime());
88 return a date string suitable for a dns zone serial number
92 var t = sys.gmtime(sys.nttime());
93 return sprintf("%04u%02u%02u%02u",
94 t.tm_year+1900, t.tm_mon+1, t.tm_mday, t.tm_hour);
102 var list = sys.interfaces();
107 return next USN in the sequence
111 provision_next_usn = provision_next_usn+1;
112 return provision_next_usn;
116 return first part of hostname
120 var s = split(".", sys.hostname());
125 /* the ldb is in bad shape, possibly due to being built from an
126 incompatible previous version of the code, so delete it
128 function ldb_delete(ldb)
130 println("Deleting " + ldb.filename);
131 var lp = loadparm_init();
132 sys.unlink(sprintf("%s/%s", lp.get("private dir"), ldb.filename));
133 ldb.transaction_cancel();
135 var ok = ldb.connect(ldb.filename);
136 ldb.transaction_start();
141 erase an ldb, removing all records
143 function ldb_erase(ldb)
145 var attrs = new Array("dn");
147 /* delete the specials */
148 ldb.del("@INDEXLIST");
149 ldb.del("@ATTRIBUTES");
150 ldb.del("@SUBCLASSES");
154 var res = ldb.search("(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", attrs);
156 if (typeof(res) == "undefined") {
160 for (i=0;i<res.length;i++) {
163 /* extra hack to ensure it's gone on remote ldap */
164 ldb.del("cn=ROOTDSE");
166 var res = ldb.search("(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", attrs);
167 if (res.length != 0) {
171 assert(res.length == 0);
175 setup a ldb in the private dir
177 function setup_ldb(ldif, dbname, subobj)
181 var ldb = ldb_init();
182 var lp = loadparm_init();
184 if (arguments.length >= 4) {
185 extra = arguments[3];
188 if (arguments.length == 5) {
189 erase = arguments[4];
192 var src = lp.get("setup directory") + "/" + ldif;
194 var data = sys.file_load(src);
196 data = substitute_var(data, subobj);
198 ldb.filename = dbname;
200 var connect_ok = ldb.connect(dbname);
203 ldb.transaction_start();
209 var add_ok = ldb.add(data);
211 message("ldb load failed: " + ldb.errstring() + "\n");
214 var commit_ok = ldb.transaction_commit();
216 message("ldb commit failed: " + ldb.errstring() + "\n");
222 setup a file in the private dir
224 function setup_file(template, fname, subobj)
226 var lp = loadparm_init();
228 var src = lp.get("setup directory") + "/" + template;
232 var data = sys.file_load(src);
233 data = substitute_var(data, subobj);
235 ok = sys.file_save(f, data);
239 function provision_default_paths(subobj)
241 var lp = loadparm_init();
242 var paths = new Object();
243 paths.smbconf = lp.get("config file");
244 paths.hklm = "hklm.ldb";
245 paths.hkcu = "hkcu.ldb";
246 paths.hkcr = "hkcr.ldb";
247 paths.hku = "hku.ldb";
248 paths.hkpd = "hkpd.ldb";
249 paths.hkpt = "hkpt.ldb";
250 paths.samdb = lp.get("sam database");
251 paths.secrets = "secrets.ldb";
252 paths.dns = lp.get("private dir") + "/" + subobj.DNSDOMAIN + ".zone";
253 paths.winsdb = "wins.ldb";
258 provision samba4 - caution, this wipes all existing data!
260 function provision(subobj, message, blank, paths)
263 var lp = loadparm_init();
264 var sys = sys_init();
267 some options need to be upper/lower case
269 subobj.REALM = strupper(subobj.REALM);
270 subobj.HOSTNAME = strlower(subobj.HOSTNAME);
271 subobj.DOMAIN = strupper(subobj.DOMAIN);
272 assert(valid_netbios_name(subobj.DOMAIN));
273 subobj.NETBIOSNAME = strupper(subobj.HOSTNAME);
274 assert(valid_netbios_name(subobj.NETBIOSNAME));
275 var rdns = split(",", subobj.BASEDN);
276 subobj.RDN_DC = substr(rdns[0], strlen("DC="));
278 data = add_foreign(data, "S-1-5-7", "Anonymous", "${NOBODY}");
279 data = add_foreign(data, "S-1-1-0", "World", "${NOGROUP}");
280 data = add_foreign(data, "S-1-5-2", "Network", "${NOGROUP}");
281 data = add_foreign(data, "S-1-5-18", "System", "${ROOT}");
282 data = add_foreign(data, "S-1-5-11", "Authenticated Users", "${USERS}");
284 provision_next_usn = 1;
286 /* only install a new smb.conf if there isn't one there already */
287 var st = sys.stat(paths.smbconf);
288 if (st == undefined) {
289 message("Setting up smb.conf\n");
290 setup_file("provision.smb.conf", paths.smbconf, subobj);
293 message("Setting up secrets.ldb\n");
294 setup_ldb("secrets.ldif", paths.secrets, subobj);
295 message("Setting up DNS zone file\n");
296 setup_file("provision.zone",
299 message("Setting up keytabs\n");
300 var keytab_ok = credentials_update_all_keytabs();
302 message("Setting up hklm.ldb\n");
303 setup_ldb("hklm.ldif", paths.hklm, subobj);
304 message("Setting up sam.ldb attributes\n");
305 setup_ldb("provision_init.ldif", paths.samdb, subobj);
306 message("Setting up sam.ldb schema\n");
307 setup_ldb("schema.ldif", paths.samdb, subobj, NULL, false);
308 message("Setting up display specifiers\n");
309 setup_ldb("display_specifiers.ldif", paths.samdb, subobj, NULL, false);
310 message("Setting up sam.ldb templates\n");
311 setup_ldb("provision_templates.ldif", paths.samdb, subobj, NULL, false);
312 message("Setting up sam.ldb data\n");
313 setup_ldb("provision.ldif", paths.samdb, subobj, NULL, false);
314 if (blank == false) {
315 message("Setting up sam.ldb users and groups\n");
316 setup_ldb("provision_users.ldif", paths.samdb, subobj, data, false);
321 guess reasonably default options for provisioning
323 function provision_guess()
325 var subobj = new Object();
326 var nss = nss_init();
327 var lp = loadparm_init();
331 subobj.REALM = strupper(lp.get("realm"));
332 subobj.DOMAIN = lp.get("workgroup");
333 subobj.HOSTNAME = hostname();
335 assert(subobj.REALM);
336 assert(subobj.DOMAIN);
337 assert(subobj.HOSTNAME);
339 subobj.HOSTIP = hostip();
340 subobj.DOMAINGUID = randguid();
341 subobj.DOMAINSID = randsid();
342 subobj.HOSTGUID = randguid();
343 subobj.INVOCATIONID = randguid();
344 subobj.KRBTGTPASS = randpass(12);
345 subobj.MACHINEPASS = randpass(12);
346 subobj.ADMINPASS = randpass(12);
347 subobj.DEFAULTSITE = "Default-First-Site-Name";
348 subobj.NEWGUID = randguid;
349 subobj.NTTIME = nttime;
350 subobj.LDAPTIME = ldaptime;
351 subobj.DATESTRING = datestring;
352 subobj.USN = nextusn;
353 subobj.ROOT = findnss(nss.getpwnam, "root");
354 subobj.NOBODY = findnss(nss.getpwnam, "nobody");
355 subobj.NOGROUP = findnss(nss.getgrnam, "nogroup", "nobody");
356 subobj.WHEEL = findnss(nss.getgrnam, "wheel", "root", "staff");
357 subobj.USERS = findnss(nss.getgrnam, "users", "guest", "other");
358 subobj.DNSDOMAIN = strlower(subobj.REALM);
359 subobj.DNSNAME = sprintf("%s.%s",
360 strlower(subobj.HOSTNAME),
362 rdn_list = split(".", subobj.DNSDOMAIN);
363 subobj.BASEDN = "DC=" + join(",DC=", rdn_list);
368 search for one attribute as a string
370 function searchone(ldb, expression, attribute)
372 var attrs = new Array(attribute);
373 res = ldb.search(expression, attrs);
374 if (res.length != 1 ||
375 res[0][attribute] == undefined) {
378 return res[0][attribute];
382 modify an account to remove the
384 function enable_account(ldb, user_dn)
386 var attrs = new Array("userAccountControl");
387 var res = ldb.search(NULL, user_dn, ldb.SCOPE_ONELEVEL, attrs);
388 assert(res.length == 1);
389 var userAccountControl = res[0].userAccountControl;
390 userAccountControl = userAccountControl - 2; /* remove disabled bit */
394 replace: userAccountControl
395 userAccountControl: %u
397 user_dn, userAccountControl);
398 var ok = ldb.modify(mod);
404 add a new user record
406 function newuser(username, unixname, password, message)
408 var lp = loadparm_init();
409 var samdb = lp.get("sam database");
410 var ldb = ldb_init();
413 /* connect to the sam */
414 var ok = ldb.connect(samdb);
417 ldb.transaction_start();
419 /* find the DNs for the domain and the domain users group */
420 var domain_dn = searchone(ldb, "objectClass=domainDNS", "dn");
421 assert(domain_dn != undefined);
422 var dom_users = searchone(ldb, "name=Domain Users", "dn");
423 assert(dom_users != undefined);
425 var user_dn = sprintf("CN=%s,CN=Users,%s", username, domain_dn);
429 the new user record. note the reliance on the samdb module to fill
442 user_dn, username, username, dom_users,
443 unixname, randguid(), password);
445 add the user to the users group as well
447 var modgroup = sprintf("
459 message("Adding user %s\n", user_dn);
462 message("Failed to add %s - %s\n", user_dn, ldb.errstring());
466 message("Modifying group %s\n", dom_users);
467 ok = ldb.modify(modgroup);
469 message("Failed to modify %s - %s\n", dom_users, ldb.errstring());
474 modify the userAccountControl to remove the disabled bit
476 ok = enable_account(ldb, user_dn);
478 ldb.transaction_commit();
483 // Check whether a name is valid as a NetBIOS name.
484 // FIXME: There are probably more constraints here
485 function valid_netbios_name(name)
487 if (strlen(name) > 13) return false;
488 if (strstr(name, ".")) return false;
492 function provision_validate(subobj, message)
494 if (!valid_netbios_name(subobj.DOMAIN)) {
495 message("Invalid NetBIOS name for domain\n");
499 if (!valid_netbios_name(subobj.NETBIOSNAME)) {
500 message("Invalid NetBIOS name for host\n");
git.samba.org / jra / samba / .git / blob