2 backend code for provisioning a Samba4 server
3 Copyright Andrew Tridgell 2005
4 Released under the GNU GPL v2 or later
7 /* used to generate sequence numbers for records */
8 provision_next_usn = 1;
13 find a user or group from a list of possibilities
18 assert(arguments.length >= 2);
19 var nssfn = arguments[0];
20 for (i=1;i<arguments.length;i++) {
21 if (nssfn(arguments[i]) != undefined) {
25 printf("Unable to find user/group for %s\n", arguments[1]);
26 assert(i<arguments.length);
30 add a foreign security principle
32 function add_foreign(str, sid, desc, unixname)
35 dn: CN=${SID},CN=ForeignSecurityPrincipals,${BASEDN}
37 objectClass: foreignSecurityPrincipal
41 whenCreated: ${LDAPTIME}
42 whenChanged: ${LDAPTIME}
45 showInAdvancedViewOnly: TRUE
47 objectGUID: ${NEWGUID}
49 objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,${BASEDN}
52 var sub = new Object();
55 sub.UNIXNAME = unixname;
56 return str + substitute_var(add, sub);
60 return current time as a nt time string
64 return "" + sys.nttime();
68 return current time as a ldap time string
72 return sys.ldaptime(sys.nttime());
76 return a date string suitable for a dns zone serial number
80 var t = sys.gmtime(sys.nttime());
81 return sprintf("%04u%02u%02u%02u",
82 t.tm_year+1900, t.tm_mon+1, t.tm_mday, t.tm_hour);
90 var list = sys.interfaces();
95 return current time as a ldap time string
99 provision_next_usn = provision_next_usn+1;
100 return provision_next_usn;
104 return first part of hostname
108 var s = split(".", sys.hostname());
114 erase an ldb, removing all records
116 function ldb_erase(ldb)
118 var attrs = new Array("dn");
120 /* delete the specials */
121 ldb.del("@INDEXLIST");
122 ldb.del("@ATTRIBUTES");
123 ldb.del("@SUBCLASSES");
127 var res = ldb.search("(|(objectclass=*)(dn=*))", attrs);
129 for (i=0;i<res.length;i++) {
132 res = ldb.search("(objectclass=*)", attrs);
133 assert(res.length == 0);
138 setup a ldb in the private dir
140 function setup_ldb(ldif, dbname, subobj)
143 var ldb = ldb_init();
145 if (arguments.length == 4) {
146 extra = arguments[3];
150 var src = lpGet("setup directory") + "/" + ldif;
152 var data = sys.file_load(src);
154 data = substitute_var(data, subobj);
156 var ok = ldb.connect(dbfile);
166 setup a file in the private dir
168 function setup_file(template, fname, subobj)
170 var f = lpGet("private dir") + "/" + fname;
171 var src = lpGet("setup directory") + "/" + template;
175 var data = sys.file_load(src);
176 data = substitute_var(data, subobj);
178 ok = sys.file_save(f, data);
183 provision samba4 - caution, this wipes all existing data!
185 function provision(subobj, message)
190 some options need to be upper/lower case
192 subobj.REALM = strlower(subobj.REALM);
193 subobj.HOSTNAME = strlower(subobj.HOSTNAME);
194 subobj.DOMAIN = strupper(subobj.DOMAIN);
195 subobj.NETBIOSNAME = strupper(subobj.HOSTNAME);
197 data = add_foreign(data, "S-1-5-7", "Anonymous", "${NOBODY}");
198 data = add_foreign(data, "S-1-1-0", "World", "${NOGROUP}");
199 data = add_foreign(data, "S-1-5-2", "Network", "${NOGROUP}");
200 data = add_foreign(data, "S-1-5-18", "System", "${ROOT}");
201 data = add_foreign(data, "S-1-5-11", "Authenticated Users", "${USERS}");
203 provision_next_usn = 1;
205 message("Setting up hklm.ldb\n");
206 setup_ldb("hklm.ldif", "hklm.ldb", subobj);
207 message("Setting up sam.ldb\n");
208 setup_ldb("provision.ldif", "sam.ldb", subobj, data);
209 message("Setting up rootdse.ldb\n");
210 setup_ldb("rootdse.ldif", "rootdse.ldb", subobj);
211 message("Setting up secrets.ldb\n");
212 setup_ldb("secrets.ldif", "secrets.ldb", subobj);
213 message("Setting up DNS zone file\n");
214 setup_file("provision.zone", subobj.DNSDOMAIN + ".zone", subobj);
218 guess reasonably default options for provisioning
220 function provision_guess()
222 var subobj = new Object();
223 var nss = nss_init();
225 subobj.REALM = lpGet("realm");
226 subobj.DOMAIN = lpGet("workgroup");
227 subobj.HOSTNAME = hostname();
228 subobj.HOSTIP = hostip();
229 subobj.DOMAINGUID = randguid();
230 subobj.DOMAINSID = randsid();
231 subobj.HOSTGUID = randguid();
232 subobj.INVOCATIONID = randguid();
233 subobj.KRBTGTPASS = randpass(12);
234 subobj.MACHINEPASS = randpass(12);
235 subobj.ADMINPASS = randpass(12);
236 subobj.DEFAULTSITE = "Default-First-Site-Name";
237 subobj.NEWGUID = randguid;
238 subobj.NTTIME = nttime;
239 subobj.LDAPTIME = ldaptime;
240 subobj.DATESTRING = datestring;
241 subobj.USN = nextusn;
242 subobj.ROOT = findnss(nss.getpwnam, "root");
243 subobj.NOBODY = findnss(nss.getpwnam, "nobody");
244 subobj.NOGROUP = findnss(nss.getgrnam, "nogroup", "nobody");
245 subobj.WHEEL = findnss(nss.getgrnam, "wheel", "root");
246 subobj.USERS = findnss(nss.getgrnam, "users", "guest", "other");
247 subobj.DNSDOMAIN = strlower(subobj.REALM);
248 subobj.DNSNAME = sprintf("%s.%s",
249 strlower(subobj.HOSTNAME),
251 subobj.BASEDN = "DC=" + join(",DC=", split(".", subobj.REALM));
256 search for one attribute as a string
258 function searchone(ldb, expression, attribute)
260 var attrs = new Array(attribute);
261 res = ldb.search(expression, attrs);
262 if (res.length != 1 ||
263 res[0][attribute] == undefined) {
266 return res[0][attribute];
270 add a new user record
272 function newuser(username, unixname, password, message)
274 var samdb = lpGet("sam database");
275 var ldb = ldb_init();
277 /* connect to the sam */
278 var ok = ldb.connect(samdb);
281 /* find the DNs for the domain and the domain users group */
282 var domain_dn = searchone(ldb, "objectClass=domainDNS", "dn");
283 assert(domain_dn != undefined);
284 var dom_users = searchone(ldb, "name=Domain Users", "dn");
285 assert(dom_users != undefined);
287 var user_dn = sprintf("CN=%s,CN=Users,%s", username, domain_dn);
291 the new user record. note the reliance on the samdb module to fill
304 user_dn, username, username, dom_users,
305 unixname, randguid(), password);
307 add the user to the users group as well
309 var modgroup = sprintf("
321 message("Adding user %s\n", user_dn);
324 message("Failed to add %s - %s\n", user_dn, ldb.errstring());
328 message("Modifying group %s\n", dom_users);
329 ok = ldb.modify(modgroup);
331 message("Failed to modify %s - %s\n", dom_users, ldb.errstring());