provision: Use names.domainsid and names.domainguid
[nivanova/samba-autobuild/.git] / python / samba / provision / __init__.py
1 # Unix SMB/CIFS implementation.
2 # backend code for provisioning a Samba4 server
3
4 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2012
5 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008-2009
6 # Copyright (C) Oliver Liebel <oliver@itc.li> 2008-2009
7 #
8 # Based on the original in EJS:
9 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
15 #
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
23 #
24
25 """Functions for setting up a Samba configuration."""
26
27 __docformat__ = "restructuredText"
28
29 from base64 import b64encode
30 import os
31 import re
32 import pwd
33 import grp
34 import logging
35 import time
36 import uuid
37 import socket
38 import urllib
39 import string
40 import tempfile
41
42 import ldb
43
44 from samba.auth import system_session, admin_session
45 import samba
46 from samba.samba3 import smbd, passdb
47 from samba.samba3 import param as s3param
48 from samba.dsdb import DS_DOMAIN_FUNCTION_2000
49 from samba import (
50     Ldb,
51     MAX_NETBIOS_NAME_LEN,
52     check_all_substituted,
53     is_valid_netbios_char,
54     setup_file,
55     substitute_var,
56     valid_netbios_name,
57     version,
58     )
59 from samba.dcerpc import security, misc
60 from samba.dcerpc.misc import (
61     SEC_CHAN_BDC,
62     SEC_CHAN_WKSTA,
63     )
64 from samba.dsdb import (
65     DS_DOMAIN_FUNCTION_2003,
66     DS_DOMAIN_FUNCTION_2008_R2,
67     ENC_ALL_TYPES,
68     )
69 from samba.idmap import IDmapDB
70 from samba.ms_display_specifiers import read_ms_ldif
71 from samba.ntacls import setntacl, getntacl, dsacl2fsacl
72 from samba.ndr import ndr_pack, ndr_unpack
73 from samba.provision.backend import (
74     ExistingBackend,
75     FDSBackend,
76     LDBBackend,
77     OpenLDAPBackend,
78     )
79 from samba.descriptor import (
80     get_empty_descriptor,
81     get_config_descriptor,
82     get_config_partitions_descriptor,
83     get_config_sites_descriptor,
84     get_config_ntds_quotas_descriptor,
85     get_config_delete_protected1_descriptor,
86     get_config_delete_protected1wd_descriptor,
87     get_config_delete_protected2_descriptor,
88     get_domain_descriptor,
89     get_domain_infrastructure_descriptor,
90     get_domain_builtin_descriptor,
91     get_domain_computers_descriptor,
92     get_domain_users_descriptor,
93     get_domain_controllers_descriptor,
94     get_domain_delete_protected1_descriptor,
95     get_domain_delete_protected2_descriptor,
96     get_dns_partition_descriptor,
97     get_dns_forest_microsoft_dns_descriptor,
98     get_dns_domain_microsoft_dns_descriptor,
99     )
100 from samba.provision.common import (
101     setup_path,
102     setup_add_ldif,
103     setup_modify_ldif,
104     FILL_FULL,
105     FILL_SUBDOMAIN,
106     FILL_NT4SYNC,
107     FILL_DRS
108 )
109 from samba.provision.sambadns import (
110     get_dnsadmins_sid,
111     setup_ad_dns,
112     create_dns_update_list
113     )
114
115 import samba.param
116 import samba.registry
117 from samba.schema import Schema
118 from samba.samdb import SamDB
119 from samba.dbchecker import dbcheck
120
121
122 DEFAULT_POLICY_GUID = "31B2F340-016D-11D2-945F-00C04FB984F9"
123 DEFAULT_DC_POLICY_GUID = "6AC1786C-016F-11D2-945F-00C04fB984F9"
124 DEFAULTSITE = "Default-First-Site-Name"
125 LAST_PROVISION_USN_ATTRIBUTE = "lastProvisionUSN"
126
127
128 class ProvisionPaths(object):
129
130     def __init__(self):
131         self.shareconf = None
132         self.hklm = None
133         self.hkcu = None
134         self.hkcr = None
135         self.hku = None
136         self.hkpd = None
137         self.hkpt = None
138         self.samdb = None
139         self.idmapdb = None
140         self.secrets = None
141         self.keytab = None
142         self.dns_keytab = None
143         self.dns = None
144         self.winsdb = None
145         self.private_dir = None
146         self.state_dir = None
147
148
149 class ProvisionNames(object):
150
151     def __init__(self):
152         self.ncs = None
153         self.rootdn = None
154         self.domaindn = None
155         self.configdn = None
156         self.schemadn = None
157         self.dnsforestdn = None
158         self.dnsdomaindn = None
159         self.ldapmanagerdn = None
160         self.dnsdomain = None
161         self.realm = None
162         self.netbiosname = None
163         self.domain = None
164         self.hostname = None
165         self.sitename = None
166         self.smbconf = None
167         self.domainsid = None
168         self.forestsid = None
169         self.domainguid = None
170         self.name_map = {}
171
172
173 def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
174         lp):
175     """Get key provision parameters (realm, domain, ...) from a given provision
176
177     :param samdb: An LDB object connected to the sam.ldb file
178     :param secretsdb: An LDB object connected to the secrets.ldb file
179     :param idmapdb: An LDB object connected to the idmap.ldb file
180     :param paths: A list of path to provision object
181     :param smbconf: Path to the smb.conf file
182     :param lp: A LoadParm object
183     :return: A list of key provision parameters
184     """
185     names = ProvisionNames()
186     names.adminpass = None
187
188     # NT domain, kerberos realm, root dn, domain dn, domain dns name
189     names.domain = string.upper(lp.get("workgroup"))
190     names.realm = lp.get("realm")
191     names.dnsdomain = names.realm.lower()
192     basedn = samba.dn_from_dns_name(names.dnsdomain)
193     names.realm = string.upper(names.realm)
194     # netbiosname
195     # Get the netbiosname first (could be obtained from smb.conf in theory)
196     res = secretsdb.search(expression="(flatname=%s)" %
197                             names.domain,base="CN=Primary Domains",
198                             scope=ldb.SCOPE_SUBTREE, attrs=["sAMAccountName"])
199     names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
200
201     names.smbconf = smbconf
202
203     # That's a bit simplistic but it's ok as long as we have only 3
204     # partitions
205     current = samdb.search(expression="(objectClass=*)",
206         base="", scope=ldb.SCOPE_BASE,
207         attrs=["defaultNamingContext", "schemaNamingContext",
208                "configurationNamingContext","rootDomainNamingContext",
209                "namingContexts"])
210
211     names.configdn = current[0]["configurationNamingContext"][0]
212     names.schemadn = current[0]["schemaNamingContext"][0]
213     if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb,
214                                        current[0]["defaultNamingContext"][0]))):
215         raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
216                                  "is not the same ..." % (paths.samdb,
217                                     str(current[0]["defaultNamingContext"][0]),
218                                     paths.smbconf, basedn)))
219
220     names.domaindn=current[0]["defaultNamingContext"][0]
221     names.rootdn=current[0]["rootDomainNamingContext"][0]
222     names.ncs=current[0]["namingContexts"]
223     names.dnsforestdn = None
224     names.dnsdomaindn = None
225
226     for i in range(0, len(names.ncs)):
227         nc = names.ncs[i]
228
229         dnsforestdn = "DC=ForestDnsZones,%s" % (str(names.rootdn))
230         if nc == dnsforestdn:
231             names.dnsforestdn = dnsforestdn
232             continue
233
234         dnsdomaindn = "DC=DomainDnsZones,%s" % (str(names.domaindn))
235         if nc == dnsdomaindn:
236             names.dnsdomaindn = dnsdomaindn
237             continue
238
239     # default site name
240     res3 = samdb.search(expression="(objectClass=site)",
241         base="CN=Sites," + names.configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"])
242     names.sitename = str(res3[0]["cn"])
243
244     # dns hostname and server dn
245     res4 = samdb.search(expression="(CN=%s)" % names.netbiosname,
246                             base="OU=Domain Controllers,%s" % basedn,
247                             scope=ldb.SCOPE_ONELEVEL, attrs=["dNSHostName"])
248     names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")
249
250     server_res = samdb.search(expression="serverReference=%s" % res4[0].dn,
251                                 attrs=[], base=names.configdn)
252     names.serverdn = str(server_res[0].dn)
253
254     # invocation id/objectguid
255     res5 = samdb.search(expression="(objectClass=*)",
256             base="CN=NTDS Settings,%s" % str(names.serverdn),
257             scope=ldb.SCOPE_BASE,
258             attrs=["invocationID", "objectGUID"])
259     names.invocation = str(ndr_unpack(misc.GUID, res5[0]["invocationId"][0]))
260     names.ntdsguid = str(ndr_unpack(misc.GUID, res5[0]["objectGUID"][0]))
261
262     # domain guid/sid
263     res6 = samdb.search(expression="(objectClass=*)", base=basedn,
264             scope=ldb.SCOPE_BASE, attrs=["objectGUID",
265                 "objectSid","msDS-Behavior-Version" ])
266     names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
267     names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
268     names.forestsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
269     if res6[0].get("msDS-Behavior-Version") is None or \
270         int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
271         names.domainlevel = DS_DOMAIN_FUNCTION_2000
272     else:
273         names.domainlevel = int(res6[0]["msDS-Behavior-Version"][0])
274
275     # policy guid
276     res7 = samdb.search(expression="(displayName=Default Domain Policy)",
277                         base="CN=Policies,CN=System," + basedn,
278                         scope=ldb.SCOPE_ONELEVEL, attrs=["cn","displayName"])
279     names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
280     # dc policy guid
281     res8 = samdb.search(expression="(displayName=Default Domain Controllers"
282                                    " Policy)",
283                             base="CN=Policies,CN=System," + basedn,
284                             scope=ldb.SCOPE_ONELEVEL,
285                             attrs=["cn","displayName"])
286     if len(res8) == 1:
287         names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
288     else:
289         names.policyid_dc = None
290
291     res9 = idmapdb.search(expression="(cn=%s-%s)" %
292                           (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR),
293                           attrs=["xidNumber", "type"])
294     if len(res9) != 1:
295         raise ProvisioningError("Unable to find uid/gid for Domain Admins rid (%s-%s" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))
296     if res9[0]["type"][0] == "ID_TYPE_BOTH":
297         names.root_gid = res9[0]["xidNumber"][0]
298     else:
299         names.root_gid = pwd.getpwuid(int(res9[0]["xidNumber"][0])).pw_gid
300
301     res10 = samdb.search(expression="(samaccountname=dns)",
302                          scope=ldb.SCOPE_SUBTREE, attrs=["dn"],
303                          controls=["search_options:1:2"])
304     if (len(res10) > 0):
305         has_legacy_dns_account = True
306     else:
307         has_legacy_dns_account = False
308
309     res11 = samdb.search(expression="(samaccountname=dns-%s)" % names.netbiosname,
310                          scope=ldb.SCOPE_SUBTREE, attrs=["dn"],
311                          controls=["search_options:1:2"])
312     if (len(res11) > 0):
313         has_dns_account = True
314     else:
315         has_dns_account = False
316
317     if names.dnsdomaindn is not None:
318         if has_dns_account:
319             names.dns_backend = 'BIND9_DLZ'
320         else:
321             names.dns_backend = 'SAMBA_INTERNAL'
322     elif has_dns_account or has_legacy_dns_account:
323         names.dns_backend = 'BIND9_FLATFILE'
324     else:
325         names.dns_backend = 'NONE'
326
327     dns_admins_sid = get_dnsadmins_sid(samdb, names.domaindn)
328     names.name_map['DnsAdmins'] = str(dns_admins_sid)
329
330     return names
331
332
333 def update_provision_usn(samdb, low, high, id, replace=False):
334     """Update the field provisionUSN in sam.ldb
335
336     This field is used to track range of USN modified by provision and
337     upgradeprovision.
338     This value is used afterward by next provision to figure out if
339     the field have been modified since last provision.
340
341     :param samdb: An LDB object connect to sam.ldb
342     :param low: The lowest USN modified by this upgrade
343     :param high: The highest USN modified by this upgrade
344     :param id: The invocation id of the samba's dc
345     :param replace: A boolean indicating if the range should replace any
346                     existing one or appended (default)
347     """
348
349     tab = []
350     if not replace:
351         entry = samdb.search(base="@PROVISION",
352                              scope=ldb.SCOPE_BASE,
353                              attrs=[LAST_PROVISION_USN_ATTRIBUTE, "dn"])
354         for e in entry[0][LAST_PROVISION_USN_ATTRIBUTE]:
355             if not re.search(';', e):
356                 e = "%s;%s" % (e, id)
357             tab.append(str(e))
358
359     tab.append("%s-%s;%s" % (low, high, id))
360     delta = ldb.Message()
361     delta.dn = ldb.Dn(samdb, "@PROVISION")
362     delta[LAST_PROVISION_USN_ATTRIBUTE] = ldb.MessageElement(tab,
363         ldb.FLAG_MOD_REPLACE, LAST_PROVISION_USN_ATTRIBUTE)
364     entry = samdb.search(expression='provisionnerID=*',
365                          base="@PROVISION", scope=ldb.SCOPE_BASE,
366                          attrs=["provisionnerID"])
367     if len(entry) == 0 or len(entry[0]) == 0:
368         delta["provisionnerID"] = ldb.MessageElement(id, ldb.FLAG_MOD_ADD, "provisionnerID")
369     samdb.modify(delta)
370
371
372 def set_provision_usn(samdb, low, high, id):
373     """Set the field provisionUSN in sam.ldb
374     This field is used to track range of USN modified by provision and
375     upgradeprovision.
376     This value is used afterward by next provision to figure out if
377     the field have been modified since last provision.
378
379     :param samdb: An LDB object connect to sam.ldb
380     :param low: The lowest USN modified by this upgrade
381     :param high: The highest USN modified by this upgrade
382     :param id: The invocationId of the provision"""
383
384     tab = []
385     tab.append("%s-%s;%s" % (low, high, id))
386
387     delta = ldb.Message()
388     delta.dn = ldb.Dn(samdb, "@PROVISION")
389     delta[LAST_PROVISION_USN_ATTRIBUTE] = ldb.MessageElement(tab,
390         ldb.FLAG_MOD_ADD, LAST_PROVISION_USN_ATTRIBUTE)
391     samdb.add(delta)
392
393
394 def get_max_usn(samdb,basedn):
395     """ This function return the biggest USN present in the provision
396
397     :param samdb: A LDB object pointing to the sam.ldb
398     :param basedn: A string containing the base DN of the provision
399                     (ie. DC=foo, DC=bar)
400     :return: The biggest USN in the provision"""
401
402     res = samdb.search(expression="objectClass=*",base=basedn,
403                          scope=ldb.SCOPE_SUBTREE,attrs=["uSNChanged"],
404                          controls=["search_options:1:2",
405                                    "server_sort:1:1:uSNChanged",
406                                    "paged_results:1:1"])
407     return res[0]["uSNChanged"]
408
409
410 def get_last_provision_usn(sam):
411     """Get USNs ranges modified by a provision or an upgradeprovision
412
413     :param sam: An LDB object pointing to the sam.ldb
414     :return: a dictionary which keys are invocation id and values are an array
415              of integer representing the different ranges
416     """
417     try:
418         entry = sam.search(expression="%s=*" % LAST_PROVISION_USN_ATTRIBUTE,
419                        base="@PROVISION", scope=ldb.SCOPE_BASE,
420                        attrs=[LAST_PROVISION_USN_ATTRIBUTE, "provisionnerID"])
421     except ldb.LdbError, (ecode, emsg):
422         if ecode == ldb.ERR_NO_SUCH_OBJECT:
423             return None
424         raise
425     if len(entry) > 0:
426         myids = []
427         range = {}
428         p = re.compile(r'-')
429         if entry[0].get("provisionnerID"):
430             for e in entry[0]["provisionnerID"]:
431                 myids.append(str(e))
432         for r in entry[0][LAST_PROVISION_USN_ATTRIBUTE]:
433             tab1 = str(r).split(';')
434             if len(tab1) == 2:
435                 id = tab1[1]
436             else:
437                 id = "default"
438             if (len(myids) > 0 and id not in myids):
439                 continue
440             tab2 = p.split(tab1[0])
441             if range.get(id) is None:
442                 range[id] = []
443             range[id].append(tab2[0])
444             range[id].append(tab2[1])
445         return range
446     else:
447         return None
448
449
450 class ProvisionResult(object):
451     """Result of a provision.
452
453     :ivar server_role: The server role
454     :ivar paths: ProvisionPaths instance
455     :ivar domaindn: The domain dn, as string
456     """
457
458     def __init__(self):
459         self.server_role = None
460         self.paths = None
461         self.domaindn = None
462         self.lp = None
463         self.samdb = None
464         self.idmap = None
465         self.names = None
466         self.domainsid = None
467         self.adminpass_generated = None
468         self.adminpass = None
469         self.backend_result = None
470
471     def report_logger(self, logger):
472         """Report this provision result to a logger."""
473         logger.info(
474             "Once the above files are installed, your Samba4 server will "
475             "be ready to use")
476         if self.adminpass_generated:
477             logger.info("Admin password:        %s", self.adminpass)
478         logger.info("Server Role:           %s", self.server_role)
479         logger.info("Hostname:              %s", self.names.hostname)
480         logger.info("NetBIOS Domain:        %s", self.names.domain)
481         logger.info("DNS Domain:            %s", self.names.dnsdomain)
482         logger.info("DOMAIN SID:            %s", self.domainsid)
483
484         if self.backend_result:
485             self.backend_result.report_logger(logger)
486
487
488 def check_install(lp, session_info, credentials):
489     """Check whether the current install seems ok.
490
491     :param lp: Loadparm context
492     :param session_info: Session information
493     :param credentials: Credentials
494     """
495     if lp.get("realm") == "":
496         raise Exception("Realm empty")
497     samdb = Ldb(lp.samdb_url(), session_info=session_info,
498             credentials=credentials, lp=lp)
499     if len(samdb.search("(cn=Administrator)")) != 1:
500         raise ProvisioningError("No administrator account found")
501
502
503 def findnss(nssfn, names):
504     """Find a user or group from a list of possibilities.
505
506     :param nssfn: NSS Function to try (should raise KeyError if not found)
507     :param names: Names to check.
508     :return: Value return by first names list.
509     """
510     for name in names:
511         try:
512             return nssfn(name)
513         except KeyError:
514             pass
515     raise KeyError("Unable to find user/group in %r" % names)
516
517
518 findnss_uid = lambda names: findnss(pwd.getpwnam, names)[2]
519 findnss_gid = lambda names: findnss(grp.getgrnam, names)[2]
520
521
522 def provision_paths_from_lp(lp, dnsdomain):
523     """Set the default paths for provisioning.
524
525     :param lp: Loadparm context.
526     :param dnsdomain: DNS Domain name
527     """
528     paths = ProvisionPaths()
529     paths.private_dir = lp.get("private dir")
530     paths.state_dir = lp.get("state directory")
531
532     # This is stored without path prefix for the "privateKeytab" attribute in
533     # "secrets_dns.ldif".
534     paths.dns_keytab = "dns.keytab"
535     paths.keytab = "secrets.keytab"
536
537     paths.shareconf = os.path.join(paths.private_dir, "share.ldb")
538     paths.samdb = os.path.join(paths.private_dir, "sam.ldb")
539     paths.idmapdb = os.path.join(paths.private_dir, "idmap.ldb")
540     paths.secrets = os.path.join(paths.private_dir, "secrets.ldb")
541     paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
542     paths.dns = os.path.join(paths.private_dir, "dns", dnsdomain + ".zone")
543     paths.dns_update_list = os.path.join(paths.private_dir, "dns_update_list")
544     paths.spn_update_list = os.path.join(paths.private_dir, "spn_update_list")
545     paths.namedconf = os.path.join(paths.private_dir, "named.conf")
546     paths.namedconf_update = os.path.join(paths.private_dir, "named.conf.update")
547     paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
548     paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
549     paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
550     paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
551     paths.hklm = "hklm.ldb"
552     paths.hkcr = "hkcr.ldb"
553     paths.hkcu = "hkcu.ldb"
554     paths.hku = "hku.ldb"
555     paths.hkpd = "hkpd.ldb"
556     paths.hkpt = "hkpt.ldb"
557     paths.sysvol = lp.get("path", "sysvol")
558     paths.netlogon = lp.get("path", "netlogon")
559     paths.smbconf = lp.configfile
560     return paths
561
562
563 def determine_netbios_name(hostname):
564     """Determine a netbios name from a hostname."""
565     # remove forbidden chars and force the length to be <16
566     netbiosname = "".join([x for x in hostname if is_valid_netbios_char(x)])
567     return netbiosname[:MAX_NETBIOS_NAME_LEN].upper()
568
569
570 def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
571                 serverrole=None, rootdn=None, domaindn=None, configdn=None,
572                 schemadn=None, serverdn=None, sitename=None,
573                 domain_names_forced=False):
574     """Guess configuration settings to use."""
575
576     if hostname is None:
577         hostname = socket.gethostname().split(".")[0]
578
579     netbiosname = lp.get("netbios name")
580     if netbiosname is None:
581         netbiosname = determine_netbios_name(hostname)
582     netbiosname = netbiosname.upper()
583     if not valid_netbios_name(netbiosname):
584         raise InvalidNetbiosName(netbiosname)
585
586     if dnsdomain is None:
587         dnsdomain = lp.get("realm")
588         if dnsdomain is None or dnsdomain == "":
589             raise ProvisioningError("guess_names: 'realm' not specified in supplied %s!", lp.configfile)
590
591     dnsdomain = dnsdomain.lower()
592
593     if serverrole is None:
594         serverrole = lp.get("server role")
595         if serverrole is None:
596             raise ProvisioningError("guess_names: 'server role' not specified in supplied %s!" % lp.configfile)
597
598     serverrole = serverrole.lower()
599
600     realm = dnsdomain.upper()
601
602     if lp.get("realm") == "":
603         raise ProvisioningError("guess_names: 'realm =' was not specified in supplied %s.  Please remove the smb.conf file and let provision generate it" % lp.configfile)
604
605     if lp.get("realm").upper() != realm:
606         raise ProvisioningError("guess_names: 'realm=%s' in %s must match chosen realm '%s'!  Please remove the smb.conf file and let provision generate it" % (lp.get("realm").upper(), lp.configfile, realm))
607
608     if lp.get("server role").lower() != serverrole:
609         raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'!  Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole))
610
611     if serverrole == "active directory domain controller":
612         if domain is None:
613             # This will, for better or worse, default to 'WORKGROUP'
614             domain = lp.get("workgroup")
615         domain = domain.upper()
616
617         if lp.get("workgroup").upper() != domain:
618             raise ProvisioningError("guess_names: Workgroup '%s' in smb.conf must match chosen domain '%s'!  Please remove the %s file and let provision generate it" % (lp.get("workgroup").upper(), domain, lp.configfile))
619
620         if domaindn is None:
621             domaindn = samba.dn_from_dns_name(dnsdomain)
622
623         if domain == netbiosname:
624             raise ProvisioningError("guess_names: Domain '%s' must not be equal to short host name '%s'!" % (domain, netbiosname))
625     else:
626         domain = netbiosname
627         if domaindn is None:
628             domaindn = "DC=" + netbiosname
629
630     if not valid_netbios_name(domain):
631         raise InvalidNetbiosName(domain)
632
633     if hostname.upper() == realm:
634         raise ProvisioningError("guess_names: Realm '%s' must not be equal to hostname '%s'!" % (realm, hostname))
635     if netbiosname.upper() == realm:
636         raise ProvisioningError("guess_names: Realm '%s' must not be equal to NetBIOS hostname '%s'!" % (realm, netbiosname))
637     if domain == realm and not domain_names_forced:
638         raise ProvisioningError("guess_names: Realm '%s' must not be equal to short domain name '%s'!" % (realm, domain))
639
640     if rootdn is None:
641        rootdn = domaindn
642
643     if configdn is None:
644         configdn = "CN=Configuration," + rootdn
645     if schemadn is None:
646         schemadn = "CN=Schema," + configdn
647
648     if sitename is None:
649         sitename = DEFAULTSITE
650
651     names = ProvisionNames()
652     names.rootdn = rootdn
653     names.domaindn = domaindn
654     names.configdn = configdn
655     names.schemadn = schemadn
656     names.ldapmanagerdn = "CN=Manager," + rootdn
657     names.dnsdomain = dnsdomain
658     names.domain = domain
659     names.realm = realm
660     names.netbiosname = netbiosname
661     names.hostname = hostname
662     names.sitename = sitename
663     names.serverdn = "CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (
664         netbiosname, sitename, configdn)
665
666     return names
667
668
669 def make_smbconf(smbconf, hostname, domain, realm, targetdir,
670                  serverrole=None, eadb=False, use_ntvfs=False, lp=None,
671                  global_param=None):
672     """Create a new smb.conf file based on a couple of basic settings.
673     """
674     assert smbconf is not None
675
676     if hostname is None:
677         hostname = socket.gethostname().split(".")[0]
678
679     netbiosname = determine_netbios_name(hostname)
680
681     if serverrole is None:
682         serverrole = "standalone server"
683
684     assert domain is not None
685     domain = domain.upper()
686
687     assert realm is not None
688     realm = realm.upper()
689
690     global_settings = {
691         "netbios name": netbiosname,
692         "workgroup": domain,
693         "realm": realm,
694         "server role": serverrole,
695         }
696
697     if lp is None:
698         lp = samba.param.LoadParm()
699     #Load non-existent file
700     if os.path.exists(smbconf):
701         lp.load(smbconf)
702
703     if global_param is not None:
704         for ent in global_param:
705             if global_param[ent] is not None:
706                 global_settings[ent] = " ".join(global_param[ent])
707
708     if targetdir is not None:
709         global_settings["private dir"] = os.path.abspath(os.path.join(targetdir, "private"))
710         global_settings["lock dir"] = os.path.abspath(targetdir)
711         global_settings["state directory"] = os.path.abspath(os.path.join(targetdir, "state"))
712         global_settings["cache directory"] = os.path.abspath(os.path.join(targetdir, "cache"))
713
714         lp.set("lock dir", os.path.abspath(targetdir))
715         lp.set("state directory",  global_settings["state directory"])
716         lp.set("cache directory", global_settings["cache directory"])
717
718     if eadb:
719         if use_ntvfs and not lp.get("posix:eadb"):
720             if targetdir is not None:
721                 privdir = os.path.join(targetdir, "private")
722             else:
723                 privdir = lp.get("private dir")
724             lp.set("posix:eadb", os.path.abspath(os.path.join(privdir, "eadb.tdb")))
725         elif not use_ntvfs and not lp.get("xattr_tdb:file"):
726             if targetdir is not None:
727                 statedir = os.path.join(targetdir, "state")
728             else:
729                 statedir = lp.get("state directory")
730             lp.set("xattr_tdb:file", os.path.abspath(os.path.join(statedir, "xattr.tdb")))
731
732     shares = {}
733     if serverrole == "active directory domain controller":
734         shares["sysvol"] = os.path.join(lp.get("state directory"), "sysvol")
735         shares["netlogon"] = os.path.join(shares["sysvol"], realm.lower(),
736             "scripts")
737     else:
738         global_settings["passdb backend"] = "samba_dsdb"
739
740     f = open(smbconf, 'w')
741     try:
742         f.write("[globals]\n")
743         for key, val in global_settings.iteritems():
744             f.write("\t%s = %s\n" % (key, val))
745         f.write("\n")
746
747         for name, path in shares.iteritems():
748             f.write("[%s]\n" % name)
749             f.write("\tpath = %s\n" % path)
750             f.write("\tread only = no\n")
751             f.write("\n")
752     finally:
753         f.close()
754     # reload the smb.conf
755     lp.load(smbconf)
756
757     # and dump it without any values that are the default
758     # this ensures that any smb.conf parameters that were set
759     # on the provision/join command line are set in the resulting smb.conf
760     f = open(smbconf, mode='w')
761     try:
762         lp.dump(f, False)
763     finally:
764         f.close()
765
766
767 def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
768                         users_gid, root_gid):
769     """setup reasonable name mappings for sam names to unix names.
770
771     :param samdb: SamDB object.
772     :param idmap: IDmap db object.
773     :param sid: The domain sid.
774     :param domaindn: The domain DN.
775     :param root_uid: uid of the UNIX root user.
776     :param nobody_uid: uid of the UNIX nobody user.
777     :param users_gid: gid of the UNIX users group.
778     :param root_gid: gid of the UNIX root group.
779     """
780     idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
781
782     idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
783     idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
784
785
786 def setup_samdb_partitions(samdb_path, logger, lp, session_info,
787                            provision_backend, names, schema, serverrole,
788                            erase=False):
789     """Setup the partitions for the SAM database.
790
791     Alternatively, provision() may call this, and then populate the database.
792
793     :note: This will wipe the Sam Database!
794
795     :note: This function always removes the local SAM LDB file. The erase
796         parameter controls whether to erase the existing data, which
797         may not be stored locally but in LDAP.
798
799     """
800     assert session_info is not None
801
802     # We use options=["modules:"] to stop the modules loading - we
803     # just want to wipe and re-initialise the database, not start it up
804
805     try:
806         os.unlink(samdb_path)
807     except OSError:
808         pass
809
810     samdb = Ldb(url=samdb_path, session_info=session_info,
811                 lp=lp, options=["modules:"])
812
813     ldap_backend_line = "# No LDAP backend"
814     if provision_backend.type != "ldb":
815         ldap_backend_line = "ldapBackend: %s" % provision_backend.ldap_uri
816
817     samdb.transaction_start()
818     try:
819         logger.info("Setting up sam.ldb partitions and settings")
820         setup_add_ldif(samdb, setup_path("provision_partitions.ldif"), {
821                 "LDAP_BACKEND_LINE": ldap_backend_line
822         })
823
824
825         setup_add_ldif(samdb, setup_path("provision_init.ldif"), {
826                 "BACKEND_TYPE": provision_backend.type,
827                 "SERVER_ROLE": serverrole
828                 })
829
830         logger.info("Setting up sam.ldb rootDSE")
831         setup_samdb_rootdse(samdb, names)
832     except:
833         samdb.transaction_cancel()
834         raise
835     else:
836         samdb.transaction_commit()
837
838
839 def secretsdb_self_join(secretsdb, domain,
840                         netbiosname, machinepass, domainsid=None,
841                         realm=None, dnsdomain=None,
842                         keytab_path=None,
843                         key_version_number=1,
844                         secure_channel_type=SEC_CHAN_WKSTA):
845     """Add domain join-specific bits to a secrets database.
846
847     :param secretsdb: Ldb Handle to the secrets database
848     :param machinepass: Machine password
849     """
850     attrs = ["whenChanged",
851            "secret",
852            "priorSecret",
853            "priorChanged",
854            "krb5Keytab",
855            "privateKeytab"]
856
857     if realm is not None:
858         if dnsdomain is None:
859             dnsdomain = realm.lower()
860         dnsname = '%s.%s' % (netbiosname.lower(), dnsdomain.lower())
861     else:
862         dnsname = None
863     shortname = netbiosname.lower()
864
865     # We don't need to set msg["flatname"] here, because rdn_name will handle
866     # it, and it causes problems for modifies anyway
867     msg = ldb.Message(ldb.Dn(secretsdb, "flatname=%s,cn=Primary Domains" % domain))
868     msg["secureChannelType"] = [str(secure_channel_type)]
869     msg["objectClass"] = ["top", "primaryDomain"]
870     if dnsname is not None:
871         msg["objectClass"] = ["top", "primaryDomain", "kerberosSecret"]
872         msg["realm"] = [realm]
873         msg["saltPrincipal"] = ["host/%s@%s" % (dnsname, realm.upper())]
874         msg["msDS-KeyVersionNumber"] = [str(key_version_number)]
875         msg["privateKeytab"] = ["secrets.keytab"]
876
877     msg["secret"] = [machinepass]
878     msg["samAccountName"] = ["%s$" % netbiosname]
879     msg["secureChannelType"] = [str(secure_channel_type)]
880     if domainsid is not None:
881         msg["objectSid"] = [ndr_pack(domainsid)]
882
883     # This complex expression tries to ensure that we don't have more
884     # than one record for this SID, realm or netbios domain at a time,
885     # but we don't delete the old record that we are about to modify,
886     # because that would delete the keytab and previous password.
887     res = secretsdb.search(base="cn=Primary Domains", attrs=attrs,
888         expression=("(&(|(flatname=%s)(realm=%s)(objectSid=%s))(objectclass=primaryDomain)(!(distinguishedName=%s)))" % (domain, realm, str(domainsid), str(msg.dn))),
889         scope=ldb.SCOPE_ONELEVEL)
890
891     for del_msg in res:
892         secretsdb.delete(del_msg.dn)
893
894     res = secretsdb.search(base=msg.dn, attrs=attrs, scope=ldb.SCOPE_BASE)
895
896     if len(res) == 1:
897         msg["priorSecret"] = [res[0]["secret"][0]]
898         msg["priorWhenChanged"] = [res[0]["whenChanged"][0]]
899
900         try:
901             msg["privateKeytab"] = [res[0]["privateKeytab"][0]]
902         except KeyError:
903             pass
904
905         try:
906             msg["krb5Keytab"] = [res[0]["krb5Keytab"][0]]
907         except KeyError:
908             pass
909
910         for el in msg:
911             if el != 'dn':
912                 msg[el].set_flags(ldb.FLAG_MOD_REPLACE)
913         secretsdb.modify(msg)
914         secretsdb.rename(res[0].dn, msg.dn)
915     else:
916         spn = [ 'HOST/%s' % shortname ]
917         if secure_channel_type == SEC_CHAN_BDC and dnsname is not None:
918             # we are a domain controller then we add servicePrincipalName
919             # entries for the keytab code to update.
920             spn.extend([ 'HOST/%s' % dnsname ])
921         msg["servicePrincipalName"] = spn
922
923         secretsdb.add(msg)
924
925
926 def setup_secretsdb(paths, session_info, backend_credentials, lp):
927     """Setup the secrets database.
928
929    :note: This function does not handle exceptions and transaction on purpose,
930        it's up to the caller to do this job.
931
932     :param path: Path to the secrets database.
933     :param session_info: Session info.
934     :param credentials: Credentials
935     :param lp: Loadparm context
936     :return: LDB handle for the created secrets database
937     """
938     if os.path.exists(paths.secrets):
939         os.unlink(paths.secrets)
940
941     keytab_path = os.path.join(paths.private_dir, paths.keytab)
942     if os.path.exists(keytab_path):
943         os.unlink(keytab_path)
944
945     dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
946     if os.path.exists(dns_keytab_path):
947         os.unlink(dns_keytab_path)
948
949     path = paths.secrets
950
951     secrets_ldb = Ldb(path, session_info=session_info, lp=lp)
952     secrets_ldb.erase()
953     secrets_ldb.load_ldif_file_add(setup_path("secrets_init.ldif"))
954     secrets_ldb = Ldb(path, session_info=session_info, lp=lp)
955     secrets_ldb.transaction_start()
956     try:
957         secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
958
959         if (backend_credentials is not None and
960             backend_credentials.authentication_requested()):
961             if backend_credentials.get_bind_dn() is not None:
962                 setup_add_ldif(secrets_ldb,
963                     setup_path("secrets_simple_ldap.ldif"), {
964                         "LDAPMANAGERDN": backend_credentials.get_bind_dn(),
965                         "LDAPMANAGERPASS_B64": b64encode(backend_credentials.get_password())
966                         })
967             else:
968                 setup_add_ldif(secrets_ldb,
969                     setup_path("secrets_sasl_ldap.ldif"), {
970                         "LDAPADMINUSER": backend_credentials.get_username(),
971                         "LDAPADMINREALM": backend_credentials.get_realm(),
972                         "LDAPADMINPASS_B64": b64encode(backend_credentials.get_password())
973                         })
974     except:
975         secrets_ldb.transaction_cancel()
976         raise
977     return secrets_ldb
978
979
980 def setup_privileges(path, session_info, lp):
981     """Setup the privileges database.
982
983     :param path: Path to the privileges database.
984     :param session_info: Session info.
985     :param credentials: Credentials
986     :param lp: Loadparm context
987     :return: LDB handle for the created secrets database
988     """
989     if os.path.exists(path):
990         os.unlink(path)
991     privilege_ldb = Ldb(path, session_info=session_info, lp=lp)
992     privilege_ldb.erase()
993     privilege_ldb.load_ldif_file_add(setup_path("provision_privilege.ldif"))
994
995
996 def setup_registry(path, session_info, lp):
997     """Setup the registry.
998
999     :param path: Path to the registry database
1000     :param session_info: Session information
1001     :param credentials: Credentials
1002     :param lp: Loadparm context
1003     """
1004     reg = samba.registry.Registry()
1005     hive = samba.registry.open_ldb(path, session_info=session_info, lp_ctx=lp)
1006     reg.mount_hive(hive, samba.registry.HKEY_LOCAL_MACHINE)
1007     provision_reg = setup_path("provision.reg")
1008     assert os.path.exists(provision_reg)
1009     reg.diff_apply(provision_reg)
1010
1011
1012 def setup_idmapdb(path, session_info, lp):
1013     """Setup the idmap database.
1014
1015     :param path: path to the idmap database
1016     :param session_info: Session information
1017     :param credentials: Credentials
1018     :param lp: Loadparm context
1019     """
1020     if os.path.exists(path):
1021         os.unlink(path)
1022
1023     idmap_ldb = IDmapDB(path, session_info=session_info, lp=lp)
1024     idmap_ldb.erase()
1025     idmap_ldb.load_ldif_file_add(setup_path("idmap_init.ldif"))
1026     return idmap_ldb
1027
1028
1029 def setup_samdb_rootdse(samdb, names):
1030     """Setup the SamDB rootdse.
1031
1032     :param samdb: Sam Database handle
1033     """
1034     setup_add_ldif(samdb, setup_path("provision_rootdse_add.ldif"), {
1035         "SCHEMADN": names.schemadn,
1036         "DOMAINDN": names.domaindn,
1037         "ROOTDN"  : names.rootdn,
1038         "CONFIGDN": names.configdn,
1039         "SERVERDN": names.serverdn,
1040         })
1041
1042
1043 def setup_self_join(samdb, admin_session_info, names, fill, machinepass,
1044         dns_backend, dnspass, domainsid, next_rid, invocationid,
1045         policyguid, policyguid_dc,
1046         domainControllerFunctionality, ntdsguid=None, dc_rid=None):
1047     """Join a host to its own domain."""
1048     assert isinstance(invocationid, str)
1049     if ntdsguid is not None:
1050         ntdsguid_line = "objectGUID: %s\n"%ntdsguid
1051     else:
1052         ntdsguid_line = ""
1053
1054     if dc_rid is None:
1055         dc_rid = next_rid
1056
1057     setup_add_ldif(samdb, setup_path("provision_self_join.ldif"), {
1058               "CONFIGDN": names.configdn,
1059               "SCHEMADN": names.schemadn,
1060               "DOMAINDN": names.domaindn,
1061               "SERVERDN": names.serverdn,
1062               "INVOCATIONID": invocationid,
1063               "NETBIOSNAME": names.netbiosname,
1064               "DNSNAME": "%s.%s" % (names.hostname, names.dnsdomain),
1065               "MACHINEPASS_B64": b64encode(machinepass.encode('utf-16-le')),
1066               "DOMAINSID": str(domainsid),
1067               "DCRID": str(dc_rid),
1068               "SAMBA_VERSION_STRING": version,
1069               "NTDSGUID": ntdsguid_line,
1070               "DOMAIN_CONTROLLER_FUNCTIONALITY": str(
1071                   domainControllerFunctionality),
1072               "RIDALLOCATIONSTART": str(next_rid + 100),
1073               "RIDALLOCATIONEND": str(next_rid + 100 + 499)})
1074
1075     setup_add_ldif(samdb, setup_path("provision_group_policy.ldif"), {
1076               "POLICYGUID": policyguid,
1077               "POLICYGUID_DC": policyguid_dc,
1078               "DNSDOMAIN": names.dnsdomain,
1079               "DOMAINDN": names.domaindn})
1080
1081     # If we are setting up a subdomain, then this has been replicated in, so we
1082     # don't need to add it
1083     if fill == FILL_FULL:
1084         setup_add_ldif(samdb, setup_path("provision_self_join_config.ldif"), {
1085                 "CONFIGDN": names.configdn,
1086                 "SCHEMADN": names.schemadn,
1087                 "DOMAINDN": names.domaindn,
1088                 "SERVERDN": names.serverdn,
1089                 "INVOCATIONID": invocationid,
1090                 "NETBIOSNAME": names.netbiosname,
1091                 "DNSNAME": "%s.%s" % (names.hostname, names.dnsdomain),
1092                 "MACHINEPASS_B64": b64encode(machinepass.encode('utf-16-le')),
1093                 "DOMAINSID": str(domainsid),
1094                 "DCRID": str(dc_rid),
1095                 "SAMBA_VERSION_STRING": version,
1096                 "NTDSGUID": ntdsguid_line,
1097                 "DOMAIN_CONTROLLER_FUNCTIONALITY": str(
1098                     domainControllerFunctionality)})
1099
1100     # Setup fSMORoleOwner entries to point at the newly created DC entry
1101         setup_modify_ldif(samdb,
1102             setup_path("provision_self_join_modify_config.ldif"), {
1103                 "CONFIGDN": names.configdn,
1104                 "SCHEMADN": names.schemadn,
1105                 "DEFAULTSITE": names.sitename,
1106                 "NETBIOSNAME": names.netbiosname,
1107                 "SERVERDN": names.serverdn,
1108                 })
1109
1110     system_session_info = system_session()
1111     samdb.set_session_info(system_session_info)
1112     # Setup fSMORoleOwner entries to point at the newly created DC entry to
1113     # modify a serverReference under cn=config when we are a subdomain, we must
1114     # be system due to ACLs
1115     setup_modify_ldif(samdb, setup_path("provision_self_join_modify.ldif"), {
1116               "DOMAINDN": names.domaindn,
1117               "SERVERDN": names.serverdn,
1118               "NETBIOSNAME": names.netbiosname,
1119               })
1120
1121     samdb.set_session_info(admin_session_info)
1122
1123     if dns_backend != "SAMBA_INTERNAL":
1124         # This is Samba4 specific and should be replaced by the correct
1125         # DNS AD-style setup
1126         setup_add_ldif(samdb, setup_path("provision_dns_add_samba.ldif"), {
1127               "DNSDOMAIN": names.dnsdomain,
1128               "DOMAINDN": names.domaindn,
1129               "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')),
1130               "HOSTNAME" : names.hostname,
1131               "DNSNAME" : '%s.%s' % (
1132                   names.netbiosname.lower(), names.dnsdomain.lower())
1133               })
1134
1135
1136 def getpolicypath(sysvolpath, dnsdomain, guid):
1137     """Return the physical path of policy given its guid.
1138
1139     :param sysvolpath: Path to the sysvol folder
1140     :param dnsdomain: DNS name of the AD domain
1141     :param guid: The GUID of the policy
1142     :return: A string with the complete path to the policy folder
1143     """
1144     if guid[0] != "{":
1145         guid = "{%s}" % guid
1146     policy_path = os.path.join(sysvolpath, dnsdomain, "Policies", guid)
1147     return policy_path
1148
1149
1150 def create_gpo_struct(policy_path):
1151     if not os.path.exists(policy_path):
1152         os.makedirs(policy_path, 0775)
1153     f = open(os.path.join(policy_path, "GPT.INI"), 'w')
1154     try:
1155         f.write("[General]\r\nVersion=0")
1156     finally:
1157         f.close()
1158     p = os.path.join(policy_path, "MACHINE")
1159     if not os.path.exists(p):
1160         os.makedirs(p, 0775)
1161     p = os.path.join(policy_path, "USER")
1162     if not os.path.exists(p):
1163         os.makedirs(p, 0775)
1164
1165
1166 def create_default_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
1167     """Create the default GPO for a domain
1168
1169     :param sysvolpath: Physical path for the sysvol folder
1170     :param dnsdomain: DNS domain name of the AD domain
1171     :param policyguid: GUID of the default domain policy
1172     :param policyguid_dc: GUID of the default domain controler policy
1173     """
1174     policy_path = getpolicypath(sysvolpath,dnsdomain,policyguid)
1175     create_gpo_struct(policy_path)
1176
1177     policy_path = getpolicypath(sysvolpath,dnsdomain,policyguid_dc)
1178     create_gpo_struct(policy_path)
1179
1180
1181 def setup_samdb(path, session_info, provision_backend, lp, names,
1182         logger, fill, serverrole, schema, am_rodc=False):
1183     """Setup a complete SAM Database.
1184
1185     :note: This will wipe the main SAM database file!
1186     """
1187
1188     # Also wipes the database
1189     setup_samdb_partitions(path, logger=logger, lp=lp,
1190         provision_backend=provision_backend, session_info=session_info,
1191         names=names, serverrole=serverrole, schema=schema)
1192
1193     # Load the database, but don's load the global schema and don't connect
1194     # quite yet
1195     samdb = SamDB(session_info=session_info, url=None, auto_connect=False,
1196                   credentials=provision_backend.credentials, lp=lp,
1197                   global_schema=False, am_rodc=am_rodc)
1198
1199     logger.info("Pre-loading the Samba 4 and AD schema")
1200
1201     # Load the schema from the one we computed earlier
1202     samdb.set_schema(schema, write_indices_and_attributes=False)
1203
1204     # Set the NTDS settings DN manually - in order to have it already around
1205     # before the provisioned tree exists and we connect
1206     samdb.set_ntds_settings_dn("CN=NTDS Settings,%s" % names.serverdn)
1207
1208     # And now we can connect to the DB - the schema won't be loaded from the
1209     # DB
1210     try:
1211         samdb.connect(path)
1212     except ldb.LdbError, (num, string_error):
1213         if (num == ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS):
1214             raise ProvisioningError("Permission denied connecting to %s, are you running as root?" % path)
1215         else:
1216             raise
1217
1218     # But we have to give it one more kick to have it use the schema
1219     # during provision - it needs, now that it is connected, to write
1220     # the schema @ATTRIBUTES and @INDEXLIST records to the database.
1221     samdb.set_schema(schema, write_indices_and_attributes=True)
1222
1223     return samdb
1224
1225
1226 def fill_samdb(samdb, lp, names, logger, policyguid,
1227         policyguid_dc, fill, adminpass, krbtgtpass, machinepass, dns_backend,
1228         dnspass, invocationid, ntdsguid, serverrole, am_rodc=False,
1229         dom_for_fun_level=None, schema=None, next_rid=None, dc_rid=None):
1230
1231     if next_rid is None:
1232         next_rid = 1000
1233
1234     # Provision does not make much sense values larger than 1000000000
1235     # as the upper range of the rIDAvailablePool is 1073741823 and
1236     # we don't want to create a domain that cannot allocate rids.
1237     if next_rid < 1000 or next_rid > 1000000000:
1238         error = "You want to run SAMBA 4 with a next_rid of %u, " % (next_rid)
1239         error += "the valid range is %u-%u. The default is %u." % (
1240             1000, 1000000000, 1000)
1241         raise ProvisioningError(error)
1242
1243     # ATTENTION: Do NOT change these default values without discussion with the
1244     # team and/or release manager. They have a big impact on the whole program!
1245     domainControllerFunctionality = DS_DOMAIN_FUNCTION_2008_R2
1246
1247     if dom_for_fun_level is None:
1248         dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
1249
1250     if dom_for_fun_level > domainControllerFunctionality:
1251         raise ProvisioningError("You want to run SAMBA 4 on a domain and forest function level which itself is higher than its actual DC function level (2008_R2). This won't work!")
1252
1253     domainFunctionality = dom_for_fun_level
1254     forestFunctionality = dom_for_fun_level
1255
1256     # Set the NTDS settings DN manually - in order to have it already around
1257     # before the provisioned tree exists and we connect
1258     samdb.set_ntds_settings_dn("CN=NTDS Settings,%s" % names.serverdn)
1259
1260     samdb.transaction_start()
1261     try:
1262         # Set the domain functionality levels onto the database.
1263         # Various module (the password_hash module in particular) need
1264         # to know what level of AD we are emulating.
1265
1266         # These will be fixed into the database via the database
1267         # modifictions below, but we need them set from the start.
1268         samdb.set_opaque_integer("domainFunctionality", domainFunctionality)
1269         samdb.set_opaque_integer("forestFunctionality", forestFunctionality)
1270         samdb.set_opaque_integer("domainControllerFunctionality",
1271             domainControllerFunctionality)
1272
1273         samdb.set_domain_sid(str(names.domainsid))
1274         samdb.set_invocation_id(invocationid)
1275
1276         logger.info("Adding DomainDN: %s" % names.domaindn)
1277
1278         # impersonate domain admin
1279         admin_session_info = admin_session(lp, str(names.domainsid))
1280         samdb.set_session_info(admin_session_info)
1281         if names.domainguid is not None:
1282             domainguid_line = "objectGUID: %s\n-" % names.domainguid
1283         else:
1284             domainguid_line = ""
1285
1286         descr = b64encode(get_domain_descriptor(names.domainsid))
1287         setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
1288                 "DOMAINDN": names.domaindn,
1289                 "DOMAINSID": str(names.domainsid),
1290                 "DESCRIPTOR": descr,
1291                 "DOMAINGUID": domainguid_line
1292                 })
1293
1294         setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
1295             "DOMAINDN": names.domaindn,
1296             "CREATTIME": str(samba.unix2nttime(int(time.time()))),
1297             "NEXTRID": str(next_rid),
1298             "DEFAULTSITE": names.sitename,
1299             "CONFIGDN": names.configdn,
1300             "POLICYGUID": policyguid,
1301             "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
1302             "SAMBA_VERSION_STRING": version
1303             })
1304
1305         # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
1306         if fill == FILL_FULL:
1307             logger.info("Adding configuration container")
1308             descr = b64encode(get_config_descriptor(names.domainsid))
1309             setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), {
1310                     "CONFIGDN": names.configdn,
1311                     "DESCRIPTOR": descr,
1312                     })
1313
1314             # The LDIF here was created when the Schema object was constructed
1315             logger.info("Setting up sam.ldb schema")
1316             samdb.add_ldif(schema.schema_dn_add, controls=["relax:0"])
1317             samdb.modify_ldif(schema.schema_dn_modify)
1318             samdb.write_prefixes_from_schema()
1319             samdb.add_ldif(schema.schema_data, controls=["relax:0"])
1320             setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"),
1321                            {"SCHEMADN": names.schemadn})
1322
1323         # Now register this container in the root of the forest
1324         msg = ldb.Message(ldb.Dn(samdb, names.domaindn))
1325         msg["subRefs"] = ldb.MessageElement(names.configdn , ldb.FLAG_MOD_ADD,
1326                     "subRefs")
1327
1328     except:
1329         samdb.transaction_cancel()
1330         raise
1331     else:
1332         samdb.transaction_commit()
1333
1334     samdb.transaction_start()
1335     try:
1336         samdb.invocation_id = invocationid
1337
1338         # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
1339         if fill == FILL_FULL:
1340             logger.info("Setting up sam.ldb configuration data")
1341
1342             partitions_descr = b64encode(get_config_partitions_descriptor(names.domainsid))
1343             sites_descr = b64encode(get_config_sites_descriptor(names.domainsid))
1344             ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(names.domainsid))
1345             protected1_descr = b64encode(get_config_delete_protected1_descriptor(names.domainsid))
1346             protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
1347             protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid))
1348
1349             setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
1350                     "CONFIGDN": names.configdn,
1351                     "NETBIOSNAME": names.netbiosname,
1352                     "DEFAULTSITE": names.sitename,
1353                     "DNSDOMAIN": names.dnsdomain,
1354                     "DOMAIN": names.domain,
1355                     "SCHEMADN": names.schemadn,
1356                     "DOMAINDN": names.domaindn,
1357                     "SERVERDN": names.serverdn,
1358                     "FOREST_FUNCTIONALITY": str(forestFunctionality),
1359                     "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
1360                     "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
1361                     "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
1362                     "SERVICES_DESCRIPTOR": protected1_descr,
1363                     "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
1364                     "FORESTUPDATES_DESCRIPTOR": protected1wd_descr,
1365                     "EXTENDEDRIGHTS_DESCRIPTOR": protected2_descr,
1366                     "PARTITIONS_DESCRIPTOR": partitions_descr,
1367                     "SITES_DESCRIPTOR": sites_descr,
1368                     })
1369
1370             logger.info("Setting up display specifiers")
1371             display_specifiers_ldif = read_ms_ldif(
1372                 setup_path('display-specifiers/DisplaySpecifiers-Win2k8R2.txt'))
1373             display_specifiers_ldif = substitute_var(display_specifiers_ldif,
1374                                                      {"CONFIGDN": names.configdn})
1375             check_all_substituted(display_specifiers_ldif)
1376             samdb.add_ldif(display_specifiers_ldif)
1377
1378             logger.info("Modifying display specifiers")
1379             setup_modify_ldif(samdb,
1380                 setup_path("provision_configuration_modify.ldif"), {
1381                 "CONFIGDN": names.configdn,
1382                 "DISPLAYSPECIFIERS_DESCRIPTOR": protected2_descr
1383                 })
1384
1385         logger.info("Adding users container")
1386         users_desc = b64encode(get_domain_users_descriptor(names.domainsid))
1387         setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
1388                 "DOMAINDN": names.domaindn,
1389                 "USERS_DESCRIPTOR": users_desc
1390                 })
1391         logger.info("Modifying users container")
1392         setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
1393                 "DOMAINDN": names.domaindn})
1394         logger.info("Adding computers container")
1395         computers_desc = b64encode(get_domain_computers_descriptor(names.domainsid))
1396         setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
1397                 "DOMAINDN": names.domaindn,
1398                 "COMPUTERS_DESCRIPTOR": computers_desc
1399                 })
1400         logger.info("Modifying computers container")
1401         setup_modify_ldif(samdb,
1402             setup_path("provision_computers_modify.ldif"), {
1403                 "DOMAINDN": names.domaindn})
1404         logger.info("Setting up sam.ldb data")
1405         infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(names.domainsid))
1406         lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(names.domainsid))
1407         system_desc = b64encode(get_domain_delete_protected1_descriptor(names.domainsid))
1408         builtin_desc = b64encode(get_domain_builtin_descriptor(names.domainsid))
1409         controllers_desc = b64encode(get_domain_controllers_descriptor(names.domainsid))
1410         setup_add_ldif(samdb, setup_path("provision.ldif"), {
1411             "CREATTIME": str(samba.unix2nttime(int(time.time()))),
1412             "DOMAINDN": names.domaindn,
1413             "NETBIOSNAME": names.netbiosname,
1414             "DEFAULTSITE": names.sitename,
1415             "CONFIGDN": names.configdn,
1416             "SERVERDN": names.serverdn,
1417             "RIDAVAILABLESTART": str(next_rid + 600),
1418             "POLICYGUID_DC": policyguid_dc,
1419             "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
1420             "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
1421             "SYSTEM_DESCRIPTOR": system_desc,
1422             "BUILTIN_DESCRIPTOR": builtin_desc,
1423             "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc,
1424             })
1425
1426         # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
1427         if fill == FILL_FULL:
1428             setup_modify_ldif(samdb,
1429                               setup_path("provision_configuration_references.ldif"), {
1430                     "CONFIGDN": names.configdn,
1431                     "SCHEMADN": names.schemadn})
1432
1433             logger.info("Setting up well known security principals")
1434             protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
1435             setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
1436                 "CONFIGDN": names.configdn,
1437                 "WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
1438                 })
1439
1440         if fill == FILL_FULL or fill == FILL_SUBDOMAIN:
1441             setup_modify_ldif(samdb,
1442                               setup_path("provision_basedn_references.ldif"),
1443                               {"DOMAINDN": names.domaindn})
1444
1445             logger.info("Setting up sam.ldb users and groups")
1446             setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
1447                 "DOMAINDN": names.domaindn,
1448                 "DOMAINSID": str(names.domainsid),
1449                 "ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')),
1450                 "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
1451                 })
1452
1453             logger.info("Setting up self join")
1454             setup_self_join(samdb, admin_session_info, names=names, fill=fill,
1455                 invocationid=invocationid,
1456                 dns_backend=dns_backend,
1457                 dnspass=dnspass,
1458                 machinepass=machinepass,
1459                 domainsid=names.domainsid,
1460                 next_rid=next_rid,
1461                 dc_rid=dc_rid,
1462                 policyguid=policyguid,
1463                 policyguid_dc=policyguid_dc,
1464                 domainControllerFunctionality=domainControllerFunctionality,
1465                 ntdsguid=ntdsguid)
1466
1467             ntds_dn = "CN=NTDS Settings,%s" % names.serverdn
1468             names.ntdsguid = samdb.searchone(basedn=ntds_dn,
1469                 attribute="objectGUID", expression="", scope=ldb.SCOPE_BASE)
1470             assert isinstance(names.ntdsguid, str)
1471     except:
1472         samdb.transaction_cancel()
1473         raise
1474     else:
1475         samdb.transaction_commit()
1476         return samdb
1477
1478
1479 SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
1480 POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
1481 SYSVOL_SERVICE="sysvol"
1482
1483 def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE):
1484     setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
1485     for root, dirs, files in os.walk(path, topdown=False):
1486         for name in files:
1487             setntacl(lp, os.path.join(root, name), acl, domsid,
1488                     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
1489         for name in dirs:
1490             setntacl(lp, os.path.join(root, name), acl, domsid,
1491                     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
1492
1493
1494 def set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb):
1495     """Set ACL on the sysvol/<dnsname>/Policies folder and the policy
1496     folders beneath.
1497
1498     :param sysvol: Physical path for the sysvol folder
1499     :param dnsdomain: The DNS name of the domain
1500     :param domainsid: The SID of the domain
1501     :param domaindn: The DN of the domain (ie. DC=...)
1502     :param samdb: An LDB object on the SAM db
1503     :param lp: an LP object
1504     """
1505
1506     # Set ACL for GPO root folder
1507     root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")
1508     setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid),
1509             use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
1510
1511     res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),
1512                         attrs=["cn", "nTSecurityDescriptor"],
1513                         expression="", scope=ldb.SCOPE_ONELEVEL)
1514
1515     for policy in res:
1516         acl = ndr_unpack(security.descriptor,
1517                          str(policy["nTSecurityDescriptor"])).as_sddl()
1518         policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
1519         set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
1520                     str(domainsid), use_ntvfs,
1521                     passdb=passdb)
1522
1523
1524 def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
1525         domaindn, lp, use_ntvfs):
1526     """Set the ACL for the sysvol share and the subfolders
1527
1528     :param samdb: An LDB object on the SAM db
1529     :param netlogon: Physical path for the netlogon folder
1530     :param sysvol: Physical path for the sysvol folder
1531     :param uid: The UID of the "Administrator" user
1532     :param gid: The GID of the "Domain adminstrators" group
1533     :param domainsid: The SID of the domain
1534     :param dnsdomain: The DNS name of the domain
1535     :param domaindn: The DN of the domain (ie. DC=...)
1536     """
1537     s4_passdb = None
1538
1539     if not use_ntvfs:
1540         s3conf = s3param.get_context()
1541         s3conf.load(lp.configfile)
1542
1543         file = tempfile.NamedTemporaryFile(dir=os.path.abspath(sysvol))
1544         try:
1545             try:
1546                 smbd.set_simple_acl(file.name, 0755, gid)
1547             except OSError:
1548                 if not smbd.have_posix_acls():
1549                     # This clue is only strictly correct for RPM and
1550                     # Debian-like Linux systems, but hopefully other users
1551                     # will get enough clue from it.
1552                     raise ProvisioningError("Samba was compiled without the posix ACL support that s3fs requires.  "
1553                                             "Try installing libacl1-dev or libacl-devel, then re-run configure and make.")
1554
1555                 raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  "
1556                                         "Try the mounting the filesystem with the 'acl' option.")
1557             try:
1558                 smbd.chown(file.name, uid, gid)
1559             except OSError:
1560                 raise ProvisioningError("Unable to chown a file on your filesystem.  "
1561                                         "You may not be running provision as root.")
1562         finally:
1563             file.close()
1564
1565         # This will ensure that the smbd code we are running when setting ACLs
1566         # is initialised with the smb.conf
1567         s3conf = s3param.get_context()
1568         s3conf.load(lp.configfile)
1569         # ensure we are using the right samba_dsdb passdb backend, no matter what
1570         s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
1571         passdb.reload_static_pdb()
1572
1573         # ensure that we init the samba_dsdb backend, so the domain sid is
1574         # marked in secrets.tdb
1575         s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
1576
1577         # now ensure everything matches correctly, to avoid wierd issues
1578         if passdb.get_global_sam_sid() != domainsid:
1579             raise ProvisioningError('SID as seen by smbd [%s] does not match SID as seen by the provision script [%s]!' % (passdb.get_global_sam_sid(), domainsid))
1580
1581         domain_info = s4_passdb.domain_info()
1582         if domain_info["dom_sid"] != domainsid:
1583             raise ProvisioningError('SID as seen by pdb_samba_dsdb [%s] does not match SID as seen by the provision script [%s]!' % (domain_info["dom_sid"], domainsid))
1584
1585         if domain_info["dns_domain"].upper() != dnsdomain.upper():
1586             raise ProvisioningError('Realm as seen by pdb_samba_dsdb [%s] does not match Realm as seen by the provision script [%s]!' % (domain_info["dns_domain"].upper(), dnsdomain.upper()))
1587
1588
1589     try:
1590         if use_ntvfs:
1591             os.chown(sysvol, -1, gid)
1592     except OSError:
1593         canchown = False
1594     else:
1595         canchown = True
1596
1597     # Set the SYSVOL_ACL on the sysvol folder and subfolder (first level)
1598     setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs,
1599              skip_invalid_chown=True, passdb=s4_passdb,
1600              service=SYSVOL_SERVICE)
1601     for root, dirs, files in os.walk(sysvol, topdown=False):
1602         for name in files:
1603             if use_ntvfs and canchown:
1604                 os.chown(os.path.join(root, name), -1, gid)
1605             setntacl(lp, os.path.join(root, name), SYSVOL_ACL, str(domainsid),
1606                      use_ntvfs=use_ntvfs, skip_invalid_chown=True,
1607                      passdb=s4_passdb, service=SYSVOL_SERVICE)
1608         for name in dirs:
1609             if use_ntvfs and canchown:
1610                 os.chown(os.path.join(root, name), -1, gid)
1611             setntacl(lp, os.path.join(root, name), SYSVOL_ACL, str(domainsid),
1612                      use_ntvfs=use_ntvfs, skip_invalid_chown=True,
1613                      passdb=s4_passdb, service=SYSVOL_SERVICE)
1614
1615     # Set acls on Policy folder and policies folders
1616     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
1617
1618 def acl_type(direct_db_access):
1619     if direct_db_access:
1620         return "DB"
1621     else:
1622         return "VFS"
1623
1624 def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
1625     fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
1626     fsacl_sddl = fsacl.as_sddl(domainsid)
1627     if fsacl_sddl != acl:
1628         raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
1629
1630     for root, dirs, files in os.walk(path, topdown=False):
1631         for name in files:
1632             fsacl = getntacl(lp, os.path.join(root, name),
1633                              direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
1634             if fsacl is None:
1635                 raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
1636             fsacl_sddl = fsacl.as_sddl(domainsid)
1637             if fsacl_sddl != acl:
1638                 raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
1639
1640         for name in dirs:
1641             fsacl = getntacl(lp, os.path.join(root, name),
1642                              direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
1643             if fsacl is None:
1644                 raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
1645             fsacl_sddl = fsacl.as_sddl(domainsid)
1646             if fsacl_sddl != acl:
1647                 raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
1648
1649
1650 def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
1651         direct_db_access):
1652     """Set ACL on the sysvol/<dnsname>/Policies folder and the policy
1653     folders beneath.
1654
1655     :param sysvol: Physical path for the sysvol folder
1656     :param dnsdomain: The DNS name of the domain
1657     :param domainsid: The SID of the domain
1658     :param domaindn: The DN of the domain (ie. DC=...)
1659     :param samdb: An LDB object on the SAM db
1660     :param lp: an LP object
1661     """
1662
1663     # Set ACL for GPO root folder
1664     root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")
1665     fsacl = getntacl(lp, root_policy_path,
1666                      direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
1667     if fsacl is None:
1668         raise ProvisioningError('DB ACL on policy root %s %s not found!' % (acl_type(direct_db_access), root_policy_path))
1669     fsacl_sddl = fsacl.as_sddl(domainsid)
1670     if fsacl_sddl != POLICIES_ACL:
1671         raise ProvisioningError('%s ACL on policy root %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), root_policy_path, fsacl_sddl, fsacl))
1672     res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),
1673                         attrs=["cn", "nTSecurityDescriptor"],
1674                         expression="", scope=ldb.SCOPE_ONELEVEL)
1675
1676     for policy in res:
1677         acl = ndr_unpack(security.descriptor,
1678                          str(policy["nTSecurityDescriptor"])).as_sddl()
1679         policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
1680         check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
1681                       domainsid, direct_db_access)
1682
1683
1684 def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,
1685     lp):
1686     """Set the ACL for the sysvol share and the subfolders
1687
1688     :param samdb: An LDB object on the SAM db
1689     :param netlogon: Physical path for the netlogon folder
1690     :param sysvol: Physical path for the sysvol folder
1691     :param uid: The UID of the "Administrator" user
1692     :param gid: The GID of the "Domain adminstrators" group
1693     :param domainsid: The SID of the domain
1694     :param dnsdomain: The DNS name of the domain
1695     :param domaindn: The DN of the domain (ie. DC=...)
1696     """
1697
1698     # This will ensure that the smbd code we are running when setting ACLs is initialised with the smb.conf
1699     s3conf = s3param.get_context()
1700     s3conf.load(lp.configfile)
1701     # ensure we are using the right samba_dsdb passdb backend, no matter what
1702     s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
1703     # ensure that we init the samba_dsdb backend, so the domain sid is marked in secrets.tdb
1704     s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
1705
1706     # now ensure everything matches correctly, to avoid wierd issues
1707     if passdb.get_global_sam_sid() != domainsid:
1708         raise ProvisioningError('SID as seen by smbd [%s] does not match SID as seen by the provision script [%s]!' % (passdb.get_global_sam_sid(), domainsid))
1709
1710     domain_info = s4_passdb.domain_info()
1711     if domain_info["dom_sid"] != domainsid:
1712         raise ProvisioningError('SID as seen by pdb_samba_dsdb [%s] does not match SID as seen by the provision script [%s]!' % (domain_info["dom_sid"], domainsid))
1713
1714     if domain_info["dns_domain"].upper() != dnsdomain.upper():
1715         raise ProvisioningError('Realm as seen by pdb_samba_dsdb [%s] does not match Realm as seen by the provision script [%s]!' % (domain_info["dns_domain"].upper(), dnsdomain.upper()))
1716
1717     # Ensure we can read this directly, and via the smbd VFS
1718     for direct_db_access in [True, False]:
1719         # Check the SYSVOL_ACL on the sysvol folder and subfolder (first level)
1720         for dir_path in [os.path.join(sysvol, dnsdomain), netlogon]:
1721             fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
1722             if fsacl is None:
1723                 raise ProvisioningError('%s ACL on sysvol directory %s not found!' % (acl_type(direct_db_access), dir_path))
1724             fsacl_sddl = fsacl.as_sddl(domainsid)
1725             if fsacl_sddl != SYSVOL_ACL:
1726                 raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
1727
1728         # Check acls on Policy folder and policies folders
1729         check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
1730                 direct_db_access)
1731
1732
1733 def interface_ips_v4(lp):
1734     """return only IPv4 IPs"""
1735     ips = samba.interface_ips(lp, False)
1736     ret = []
1737     for i in ips:
1738         if i.find(':') == -1:
1739             ret.append(i)
1740     return ret
1741
1742
1743 def interface_ips_v6(lp):
1744     """return only IPv6 IPs"""
1745     ips = samba.interface_ips(lp, False)
1746     ret = []
1747     for i in ips:
1748         if i.find(':') != -1:
1749             ret.append(i)
1750     return ret
1751
1752
1753 def provision_fill(samdb, secrets_ldb, logger, names, paths,
1754                    schema=None,
1755                    targetdir=None, samdb_fill=FILL_FULL,
1756                    hostip=None, hostip6=None,
1757                    next_rid=1000, dc_rid=None, adminpass=None, krbtgtpass=None,
1758                    domainguid=None, policyguid=None, policyguid_dc=None,
1759                    invocationid=None, machinepass=None, ntdsguid=None,
1760                    dns_backend=None, dnspass=None,
1761                    serverrole=None, dom_for_fun_level=None,
1762                    am_rodc=False, lp=None, use_ntvfs=False, skip_sysvolacl=False):
1763     # create/adapt the group policy GUIDs
1764     # Default GUID for default policy are described at
1765     # "How Core Group Policy Works"
1766     # http://technet.microsoft.com/en-us/library/cc784268%28WS.10%29.aspx
1767     if policyguid is None:
1768         policyguid = DEFAULT_POLICY_GUID
1769     policyguid = policyguid.upper()
1770     if policyguid_dc is None:
1771         policyguid_dc = DEFAULT_DC_POLICY_GUID
1772     policyguid_dc = policyguid_dc.upper()
1773
1774     if invocationid is None:
1775         invocationid = str(uuid.uuid4())
1776
1777     if krbtgtpass is None:
1778         krbtgtpass = samba.generate_random_password(128, 255)
1779     if machinepass is None:
1780         machinepass  = samba.generate_random_password(128, 255)
1781     if dnspass is None:
1782         dnspass = samba.generate_random_password(128, 255)
1783
1784     samdb = fill_samdb(samdb, lp, names, logger=logger,
1785                    schema=schema,
1786                    policyguid=policyguid, policyguid_dc=policyguid_dc,
1787                    fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass,
1788                    invocationid=invocationid, machinepass=machinepass,
1789                    dns_backend=dns_backend, dnspass=dnspass,
1790                    ntdsguid=ntdsguid, serverrole=serverrole,
1791                    dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
1792                    next_rid=next_rid, dc_rid=dc_rid)
1793
1794     if serverrole == "active directory domain controller":
1795
1796         # Set up group policies (domain policy and domain controller
1797         # policy)
1798         create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
1799                            policyguid_dc)
1800         if not skip_sysvolacl:
1801             setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
1802                          paths.root_gid, names.domainsid, names.dnsdomain,
1803                          names.domaindn, lp, use_ntvfs)
1804         else:
1805             logger.info("Setting acl on sysvol skipped")
1806
1807         secretsdb_self_join(secrets_ldb, domain=names.domain,
1808                 realm=names.realm, dnsdomain=names.dnsdomain,
1809                 netbiosname=names.netbiosname, domainsid=names.domainsid,
1810                 machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC)
1811
1812         # Now set up the right msDS-SupportedEncryptionTypes into the DB
1813         # In future, this might be determined from some configuration
1814         kerberos_enctypes = str(ENC_ALL_TYPES)
1815
1816         try:
1817             msg = ldb.Message(ldb.Dn(samdb,
1818                                      samdb.searchone("distinguishedName",
1819                                                      expression="samAccountName=%s$" % names.netbiosname,
1820                                                      scope=ldb.SCOPE_SUBTREE)))
1821             msg["msDS-SupportedEncryptionTypes"] = ldb.MessageElement(
1822                 elements=kerberos_enctypes, flags=ldb.FLAG_MOD_REPLACE,
1823                 name="msDS-SupportedEncryptionTypes")
1824             samdb.modify(msg)
1825         except ldb.LdbError, (enum, estr):
1826             if enum != ldb.ERR_NO_SUCH_ATTRIBUTE:
1827                 # It might be that this attribute does not exist in this schema
1828                 raise
1829
1830         setup_ad_dns(samdb, secrets_ldb, names, paths, lp, logger,
1831                      hostip=hostip, hostip6=hostip6, dns_backend=dns_backend,
1832                      dnspass=dnspass, os_level=dom_for_fun_level,
1833                      targetdir=targetdir, fill_level=samdb_fill)
1834
1835         domainguid = samdb.searchone(basedn=samdb.get_default_basedn(),
1836                                      attribute="objectGUID")
1837         assert isinstance(domainguid, str)
1838
1839     lastProvisionUSNs = get_last_provision_usn(samdb)
1840     maxUSN = get_max_usn(samdb, str(names.rootdn))
1841     if lastProvisionUSNs is not None:
1842         update_provision_usn(samdb, 0, maxUSN, invocationid, 1)
1843     else:
1844         set_provision_usn(samdb, 0, maxUSN, invocationid)
1845
1846     logger.info("Setting up sam.ldb rootDSE marking as synchronized")
1847     setup_modify_ldif(samdb, setup_path("provision_rootdse_modify.ldif"),
1848                       { 'NTDSGUID' : names.ntdsguid })
1849
1850     # fix any dangling GUIDs from the provision
1851     logger.info("Fixing provision GUIDs")
1852     chk = dbcheck(samdb, samdb_schema=samdb, verbose=False, fix=True, yes=True,
1853             quiet=True)
1854     samdb.transaction_start()
1855     try:
1856         # a small number of GUIDs are missing because of ordering issues in the
1857         # provision code
1858         for schema_obj in ['CN=Domain', 'CN=Organizational-Person', 'CN=Contact', 'CN=inetOrgPerson']:
1859             chk.check_database(DN="%s,%s" % (schema_obj, names.schemadn),
1860                                scope=ldb.SCOPE_BASE,
1861                                attrs=['defaultObjectCategory'])
1862         chk.check_database(DN="CN=IP Security,CN=System,%s" % names.domaindn,
1863                            scope=ldb.SCOPE_ONELEVEL,
1864                            attrs=['ipsecOwnersReference',
1865                                   'ipsecFilterReference',
1866                                   'ipsecISAKMPReference',
1867                                   'ipsecNegotiationPolicyReference',
1868                                   'ipsecNFAReference'])
1869     except:
1870         samdb.transaction_cancel()
1871         raise
1872     else:
1873         samdb.transaction_commit()
1874
1875
1876 _ROLES_MAP = {
1877     "ROLE_STANDALONE": "standalone server",
1878     "ROLE_DOMAIN_MEMBER": "member server",
1879     "ROLE_DOMAIN_BDC": "active directory domain controller",
1880     "ROLE_DOMAIN_PDC": "active directory domain controller",
1881     "dc": "active directory domain controller",
1882     "member": "member server",
1883     "domain controller": "active directory domain controller",
1884     "active directory domain controller": "active directory domain controller",
1885     "member server": "member server",
1886     "standalone": "standalone server",
1887     "standalone server": "standalone server",
1888     }
1889
1890
1891 def sanitize_server_role(role):
1892     """Sanitize a server role name.
1893
1894     :param role: Server role
1895     :raise ValueError: If the role can not be interpreted
1896     :return: Sanitized server role (one of "member server",
1897         "active directory domain controller", "standalone server")
1898     """
1899     try:
1900         return _ROLES_MAP[role]
1901     except KeyError:
1902         raise ValueError(role)
1903
1904
1905 def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
1906         maxuid, maxgid):
1907     """Create AD entries for the fake ypserver.
1908
1909     This is needed for being able to manipulate posix attrs via ADUC.
1910     """
1911     samdb.transaction_start()
1912     try:
1913         logger.info("Setting up fake yp server settings")
1914         setup_add_ldif(samdb, setup_path("ypServ30.ldif"), {
1915         "DOMAINDN": domaindn,
1916         "NETBIOSNAME": netbiosname,
1917         "NISDOMAIN": nisdomain,
1918          })
1919     except:
1920         samdb.transaction_cancel()
1921         raise
1922     else:
1923         samdb.transaction_commit()
1924
1925
1926 def provision(logger, session_info, smbconf=None,
1927         targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
1928         domaindn=None, schemadn=None, configdn=None, serverdn=None,
1929         domain=None, hostname=None, hostip=None, hostip6=None, domainsid=None,
1930         next_rid=1000, dc_rid=None, adminpass=None, ldapadminpass=None,
1931         krbtgtpass=None, domainguid=None, policyguid=None, policyguid_dc=None,
1932         dns_backend=None, dns_forwarder=None, dnspass=None,
1933         invocationid=None, machinepass=None, ntdsguid=None,
1934         root=None, nobody=None, users=None, backup=None, aci=None,
1935         serverrole=None, dom_for_fun_level=None, backend_type=None,
1936         sitename=None, ol_mmr_urls=None, ol_olc=None, slapd_path=None,
1937         useeadb=False, am_rodc=False, lp=None, use_ntvfs=False,
1938         use_rfc2307=False, maxuid=None, maxgid=None, skip_sysvolacl=True,
1939         ldap_backend_forced_uri=None, nosync=False, ldap_dryrun_mode=False, ldap_backend_extra_port=None):
1940     """Provision samba4
1941
1942     :note: caution, this wipes all existing data!
1943     """
1944
1945     try:
1946         serverrole = sanitize_server_role(serverrole)
1947     except ValueError:
1948         raise ProvisioningError('server role (%s) should be one of "active directory domain controller", "member server", "standalone server"' % serverrole)
1949
1950     if ldapadminpass is None:
1951         # Make a new, random password between Samba and it's LDAP server
1952         ldapadminpass = samba.generate_random_password(128, 255)
1953
1954     if backend_type is None:
1955         backend_type = "ldb"
1956
1957     if domainsid is None:
1958         domainsid = security.random_sid()
1959     else:
1960         domainsid = security.dom_sid(domainsid)
1961
1962     root_uid = findnss_uid([root or "root"])
1963     nobody_uid = findnss_uid([nobody or "nobody"])
1964     users_gid = findnss_gid([users or "users", 'users', 'other', 'staff'])
1965     root_gid = pwd.getpwuid(root_uid).pw_gid
1966
1967     try:
1968         bind_gid = findnss_gid(["bind", "named"])
1969     except KeyError:
1970         bind_gid = None
1971
1972     if targetdir is not None:
1973         smbconf = os.path.join(targetdir, "etc", "smb.conf")
1974     elif smbconf is None:
1975         smbconf = samba.param.default_path()
1976     if not os.path.exists(os.path.dirname(smbconf)):
1977         os.makedirs(os.path.dirname(smbconf))
1978
1979     server_services = []
1980     global_param = {}
1981     if use_rfc2307:
1982         global_param["idmap_ldb:use rfc2307"] = ["yes"]
1983
1984     if dns_backend != "SAMBA_INTERNAL":
1985         server_services.append("-dns")
1986     else:
1987         if dns_forwarder is not None:
1988             global_param["dns forwarder"] = [dns_forwarder]
1989
1990     if use_ntvfs:
1991         server_services.append("+smb")
1992         server_services.append("-s3fs")
1993         global_param["dcerpc endpoint servers"] = ["+winreg", "+srvsvc"]
1994
1995     if len(server_services) > 0:
1996         global_param["server services"] = server_services
1997
1998     # only install a new smb.conf if there isn't one there already
1999     if os.path.exists(smbconf):
2000         # if Samba Team members can't figure out the weird errors
2001         # loading an empty smb.conf gives, then we need to be smarter.
2002         # Pretend it just didn't exist --abartlet
2003         f = open(smbconf, 'r')
2004         try:
2005             data = f.read().lstrip()
2006         finally:
2007             f.close()
2008         if data is None or data == "":
2009             make_smbconf(smbconf, hostname, domain, realm,
2010                          targetdir, serverrole=serverrole,
2011                          eadb=useeadb, use_ntvfs=use_ntvfs,
2012                          lp=lp, global_param=global_param)
2013     else:
2014         make_smbconf(smbconf, hostname, domain, realm, targetdir,
2015                      serverrole=serverrole,
2016                      eadb=useeadb, use_ntvfs=use_ntvfs, lp=lp, global_param=global_param)
2017
2018     if lp is None:
2019         lp = samba.param.LoadParm()
2020     lp.load(smbconf)
2021     names = guess_names(lp=lp, hostname=hostname, domain=domain,
2022         dnsdomain=realm, serverrole=serverrole, domaindn=domaindn,
2023         configdn=configdn, schemadn=schemadn, serverdn=serverdn,
2024         sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
2025     paths = provision_paths_from_lp(lp, names.dnsdomain)
2026
2027     paths.bind_gid = bind_gid
2028     paths.root_uid = root_uid;
2029     paths.root_gid = root_gid
2030
2031     if hostip is None:
2032         logger.info("Looking up IPv4 addresses")
2033         hostips = interface_ips_v4(lp)
2034         if len(hostips) > 0:
2035             hostip = hostips[0]
2036             if len(hostips) > 1:
2037                 logger.warning("More than one IPv4 address found. Using %s",
2038                     hostip)
2039     if hostip == "127.0.0.1":
2040         hostip = None
2041     if hostip is None:
2042         logger.warning("No IPv4 address will be assigned")
2043
2044     if hostip6 is None:
2045         logger.info("Looking up IPv6 addresses")
2046         hostips = interface_ips_v6(lp)
2047         if hostips:
2048             hostip6 = hostips[0]
2049         if len(hostips) > 1:
2050             logger.warning("More than one IPv6 address found. Using %s", hostip6)
2051     if hostip6 is None:
2052         logger.warning("No IPv6 address will be assigned")
2053
2054     names.hostip = hostip
2055     names.hostip6 = hostip6
2056     names.domainguid = domainguid
2057     names.domainsid = domainsid
2058     names.forestsid = domainsid
2059
2060     if serverrole is None:
2061         serverrole = lp.get("server role")
2062
2063     if not os.path.exists(paths.private_dir):
2064         os.mkdir(paths.private_dir)
2065     if not os.path.exists(os.path.join(paths.private_dir, "tls")):
2066         os.makedirs(os.path.join(paths.private_dir, "tls"), 0700)
2067     if not os.path.exists(paths.state_dir):
2068         os.mkdir(paths.state_dir)
2069
2070     if paths.sysvol and not os.path.exists(paths.sysvol):
2071         os.makedirs(paths.sysvol, 0775)
2072
2073     ldapi_url = "ldapi://%s" % urllib.quote(paths.s4_ldapi_path, safe="")
2074
2075     schema = Schema(domainsid, invocationid=invocationid,
2076         schemadn=names.schemadn)
2077
2078     if backend_type == "ldb":
2079         provision_backend = LDBBackend(backend_type, paths=paths,
2080             lp=lp,
2081             names=names, logger=logger)
2082     elif backend_type == "existing":
2083         # If support for this is ever added back, then the URI will need to be
2084         # specified again
2085         provision_backend = ExistingBackend(backend_type, paths=paths,
2086             lp=lp,
2087             names=names, logger=logger,
2088             ldap_backend_forced_uri=ldap_backend_forced_uri)
2089     elif backend_type == "fedora-ds":
2090         provision_backend = FDSBackend(backend_type, paths=paths,
2091             lp=lp,
2092             names=names, logger=logger, domainsid=domainsid,
2093             schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
2094             slapd_path=slapd_path,
2095             root=root)
2096     elif backend_type == "openldap":
2097         provision_backend = OpenLDAPBackend(backend_type, paths=paths,
2098             lp=lp,
2099             names=names, logger=logger, domainsid=domainsid,
2100             schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
2101             slapd_path=slapd_path, ol_mmr_urls=ol_mmr_urls,
2102             ldap_backend_extra_port=ldap_backend_extra_port,
2103             ldap_dryrun_mode=ldap_dryrun_mode, nosync=nosync,
2104             ldap_backend_forced_uri=ldap_backend_forced_uri)
2105     else:
2106         raise ValueError("Unknown LDAP backend type selected")
2107
2108     provision_backend.init()
2109     provision_backend.start()
2110
2111     # only install a new shares config db if there is none
2112     if not os.path.exists(paths.shareconf):
2113         logger.info("Setting up share.ldb")
2114         share_ldb = Ldb(paths.shareconf, session_info=session_info, lp=lp)
2115         share_ldb.load_ldif_file_add(setup_path("share.ldif"))
2116
2117     logger.info("Setting up secrets.ldb")
2118     secrets_ldb = setup_secretsdb(paths,
2119         session_info=session_info,
2120         backend_credentials=provision_backend.credentials, lp=lp)
2121
2122     try:
2123         logger.info("Setting up the registry")
2124         setup_registry(paths.hklm, session_info, lp=lp)
2125
2126         logger.info("Setting up the privileges database")
2127         setup_privileges(paths.privilege, session_info, lp=lp)
2128
2129         logger.info("Setting up idmap db")
2130         idmap = setup_idmapdb(paths.idmapdb, session_info=session_info, lp=lp)
2131
2132         setup_name_mappings(idmap, sid=str(domainsid),
2133                             root_uid=root_uid, nobody_uid=nobody_uid,
2134                             users_gid=users_gid, root_gid=root_gid)
2135
2136         logger.info("Setting up SAM db")
2137         samdb = setup_samdb(paths.samdb, session_info,
2138                             provision_backend, lp, names, logger=logger,
2139                             serverrole=serverrole,
2140                             schema=schema, fill=samdb_fill, am_rodc=am_rodc)
2141
2142         if serverrole == "active directory domain controller":
2143             if paths.netlogon is None:
2144                 raise MissingShareError("netlogon", paths.smbconf)
2145
2146             if paths.sysvol is None:
2147                 raise MissingShareError("sysvol", paths.smbconf)
2148
2149             if not os.path.isdir(paths.netlogon):
2150                 os.makedirs(paths.netlogon, 0755)
2151
2152         if adminpass is None:
2153             adminpass = samba.generate_random_password(12, 32)
2154             adminpass_generated = True
2155         else:
2156             adminpass = unicode(adminpass, 'utf-8')
2157             adminpass_generated = False
2158
2159         if samdb_fill == FILL_FULL:
2160             provision_fill(samdb, secrets_ldb, logger, names, paths,
2161                     schema=schema, targetdir=targetdir, samdb_fill=samdb_fill,
2162                     hostip=hostip, hostip6=hostip6,
2163                     next_rid=next_rid, dc_rid=dc_rid, adminpass=adminpass,
2164                     krbtgtpass=krbtgtpass,
2165                     policyguid=policyguid, policyguid_dc=policyguid_dc,
2166                     invocationid=invocationid, machinepass=machinepass,
2167                     ntdsguid=ntdsguid, dns_backend=dns_backend,
2168                     dnspass=dnspass, serverrole=serverrole,
2169                     dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
2170                     lp=lp, use_ntvfs=use_ntvfs,
2171                            skip_sysvolacl=skip_sysvolacl)
2172
2173         create_krb5_conf(paths.krb5conf,
2174                          dnsdomain=names.dnsdomain, hostname=names.hostname,
2175                          realm=names.realm)
2176         logger.info("A Kerberos configuration suitable for Samba 4 has been "
2177                     "generated at %s", paths.krb5conf)
2178
2179         if serverrole == "active directory domain controller":
2180             create_dns_update_list(lp, logger, paths)
2181
2182         backend_result = provision_backend.post_setup()
2183         provision_backend.shutdown()
2184
2185     except:
2186         secrets_ldb.transaction_cancel()
2187         raise
2188
2189     # Now commit the secrets.ldb to disk
2190     secrets_ldb.transaction_commit()
2191
2192     # the commit creates the dns.keytab, now chown it
2193     dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
2194     if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None:
2195         try:
2196             os.chmod(dns_keytab_path, 0640)
2197             os.chown(dns_keytab_path, -1, paths.bind_gid)
2198         except OSError:
2199             if not os.environ.has_key('SAMBA_SELFTEST'):
2200                 logger.info("Failed to chown %s to bind gid %u",
2201                             dns_keytab_path, paths.bind_gid)
2202
2203     result = ProvisionResult()
2204     result.server_role = serverrole
2205     result.domaindn = domaindn
2206     result.paths = paths
2207     result.names = names
2208     result.lp = lp
2209     result.samdb = samdb
2210     result.idmap = idmap
2211     result.domainsid = str(domainsid)
2212
2213     if samdb_fill == FILL_FULL:
2214         result.adminpass_generated = adminpass_generated
2215         result.adminpass = adminpass
2216     else:
2217         result.adminpass_generated = False
2218         result.adminpass = None
2219
2220     result.backend_result = backend_result
2221
2222     if use_rfc2307:
2223         provision_fake_ypserver(logger=logger, samdb=samdb,
2224                 domaindn=names.domaindn, netbiosname=names.netbiosname,
2225                 nisdomain=names.domain.lower(), maxuid=maxuid, maxgid=maxgid)
2226
2227     return result
2228
2229
2230 def provision_become_dc(smbconf=None, targetdir=None,
2231         realm=None, rootdn=None, domaindn=None, schemadn=None, configdn=None,
2232         serverdn=None, domain=None, hostname=None, domainsid=None,
2233         adminpass=None, krbtgtpass=None, domainguid=None, policyguid=None,
2234         policyguid_dc=None, invocationid=None, machinepass=None, dnspass=None,
2235         dns_backend=None, root=None, nobody=None, users=None,
2236         backup=None, serverrole=None, ldap_backend=None,
2237         ldap_backend_type=None, sitename=None, debuglevel=1, use_ntvfs=False):
2238
2239     logger = logging.getLogger("provision")
2240     samba.set_debug_level(debuglevel)
2241
2242     res = provision(logger, system_session(),
2243         smbconf=smbconf, targetdir=targetdir, samdb_fill=FILL_DRS,
2244         realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
2245         configdn=configdn, serverdn=serverdn, domain=domain,
2246         hostname=hostname, hostip=None, domainsid=domainsid,
2247         machinepass=machinepass,
2248         serverrole="active directory domain controller",
2249         sitename=sitename, dns_backend=dns_backend, dnspass=dnspass,
2250         use_ntvfs=use_ntvfs)
2251     res.lp.set("debuglevel", str(debuglevel))
2252     return res
2253
2254
2255 def create_krb5_conf(path, dnsdomain, hostname, realm):
2256     """Write out a file containing a valid krb5.conf file
2257
2258     :param path: Path of the new krb5.conf file.
2259     :param dnsdomain: DNS Domain name
2260     :param hostname: Local hostname
2261     :param realm: Realm name
2262     """
2263     setup_file(setup_path("krb5.conf"), path, {
2264             "DNSDOMAIN": dnsdomain,
2265             "HOSTNAME": hostname,
2266             "REALM": realm,
2267         })
2268
2269
2270 class ProvisioningError(Exception):
2271     """A generic provision error."""
2272
2273     def __init__(self, value):
2274         self.value = value
2275
2276     def __str__(self):
2277         return "ProvisioningError: " + self.value
2278
2279
2280 class InvalidNetbiosName(Exception):
2281     """A specified name was not a valid NetBIOS name."""
2282
2283     def __init__(self, name):
2284         super(InvalidNetbiosName, self).__init__(
2285             "The name '%r' is not a valid NetBIOS name" % name)
2286
2287
2288 class MissingShareError(ProvisioningError):
2289
2290     def __init__(self, name, smbconf):
2291         super(MissingShareError, self).__init__(
2292             "Existing smb.conf does not have a [%s] share, but you are "
2293             "configuring a DC. Please remove %s or add the share manually." %
2294             (name, smbconf))