-#!/usr/bin/python
+#!/usr/bin/env python
#
# Unix SMB/CIFS implementation.
# provision a Samba4 server
#
# Based on the original in EJS:
# Copyright (C) Andrew Tridgell 2005
-#
+#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
-#
+#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
-#
+#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import getopt
+import logging
import optparse
-import os
import sys
+import tempfile
# Find right directory when running from source tree
sys.path.insert(0, "bin/python")
import samba
+import samba.ntacls
+import os
from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session
import samba.getopt as options
-from samba import param
-from samba.provision import provision, FILL_FULL, FILL_NT4SYNC, FILL_DRS
+from samba.provision import (
+ provision,
+ FILL_FULL,
+ FILL_NT4SYNC,
+ FILL_DRS,
+ ProvisioningError,
+ )
+from samba.dsdb import (
+ DS_DOMAIN_FUNCTION_2000,
+ DS_DOMAIN_FUNCTION_2003,
+ DS_DOMAIN_FUNCTION_2008,
+ DS_DOMAIN_FUNCTION_2008_R2,
+ )
# how do we make this case insensitive??
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
-parser.add_option("--interactive", help="Ask for names")
-parser.add_option("--setupdir", type="string", metavar="DIR",
- help="directory with setup files")
-parser.add_option("--realm", type="string", metavar="REALM", help="set realm")
+parser.add_option("--interactive", help="Ask for names", action="store_true")
parser.add_option("--domain", type="string", metavar="DOMAIN",
- help="set domain")
-parser.add_option("--domain-guid", type="string", metavar="GUID",
- help="set domainguid (otherwise random)")
-parser.add_option("--domain-sid", type="string", metavar="SID",
- help="set domainsid (otherwise random)")
-parser.add_option("--policy-guid", type="string", metavar="GUID",
- help="set policy guid")
-parser.add_option("--invocationid", type="string", metavar="GUID",
- help="set invocationid (otherwise random)")
-parser.add_option("--host-name", type="string", metavar="HOSTNAME",
- help="set hostname")
-parser.add_option("--host-ip", type="string", metavar="IPADDRESS",
- help="set IPv4 ipaddress")
-parser.add_option("--host-ip6", type="string", metavar="IP6ADDRESS",
- help="set IPv6 ipaddress")
-parser.add_option("--adminpass", type="string", metavar="PASSWORD",
- help="choose admin password (otherwise random)")
-parser.add_option("--krbtgtpass", type="string", metavar="PASSWORD",
- help="choose krbtgt password (otherwise random)")
-parser.add_option("--machinepass", type="string", metavar="PASSWORD",
- help="choose machine password (otherwise random)")
-parser.add_option("--dnspass", type="string", metavar="PASSWORD",
- help="choose dns password (otherwise random)")
-parser.add_option("--root", type="string", metavar="USERNAME",
- help="choose 'root' unix username")
-parser.add_option("--nobody", type="string", metavar="USERNAME",
- help="choose 'nobody' user")
-parser.add_option("--nogroup", type="string", metavar="GROUPNAME",
- help="choose 'nogroup' group")
-parser.add_option("--wheel", type="string", metavar="GROUPNAME",
- help="choose 'wheel' privileged group")
-parser.add_option("--users", type="string", metavar="GROUPNAME",
- help="choose 'users' group")
+ help="set domain")
+parser.add_option("--domain-guid", type="string", metavar="GUID",
+ help="set domainguid (otherwise random)")
+parser.add_option("--domain-sid", type="string", metavar="SID",
+ help="set domainsid (otherwise random)")
+parser.add_option("--ntds-guid", type="string", metavar="GUID",
+ help="set NTDS object GUID (otherwise random)")
+parser.add_option("--invocationid", type="string", metavar="GUID",
+ help="set invocationid (otherwise random)")
+parser.add_option("--host-name", type="string", metavar="HOSTNAME",
+ help="set hostname")
+parser.add_option("--host-ip", type="string", metavar="IPADDRESS",
+ help="set IPv4 ipaddress")
+parser.add_option("--host-ip6", type="string", metavar="IP6ADDRESS",
+ help="set IPv6 ipaddress")
+parser.add_option("--adminpass", type="string", metavar="PASSWORD",
+ help="choose admin password (otherwise random)")
+parser.add_option("--krbtgtpass", type="string", metavar="PASSWORD",
+ help="choose krbtgt password (otherwise random)")
+parser.add_option("--machinepass", type="string", metavar="PASSWORD",
+ help="choose machine password (otherwise random)")
+parser.add_option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
+ choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"],
+ help="The DNS server backend. SAMBA_INTERNAL is the builtin name server, " \
+ "BIND9_FLATFILE uses bind9 text database to store zone information, " \
+ "BIND9_DLZ uses samba4 AD to store zone information (default), " \
+ "NONE skips the DNS setup entirely (not recommended)")
+parser.add_option("--dnspass", type="string", metavar="PASSWORD",
+ help="choose dns password (otherwise random)")
+parser.add_option("--ldapadminpass", type="string", metavar="PASSWORD",
+ help="choose password to set between Samba and it's LDAP backend (otherwise random)")
+parser.add_option("--root", type="string", metavar="USERNAME",
+ help="choose 'root' unix username")
+parser.add_option("--nobody", type="string", metavar="USERNAME",
+ help="choose 'nobody' user")
+parser.add_option("--wheel", type="string", metavar="GROUPNAME",
+ help="choose 'wheel' privileged group")
+parser.add_option("--users", type="string", metavar="GROUPNAME",
+ help="choose 'users' group")
parser.add_option("--quiet", help="Be quiet", action="store_true")
parser.add_option("--blank", action="store_true",
- help="do not add users or groups, just the structure")
-parser.add_option("--ldap-backend", type="string", metavar="LDAPSERVER",
- help="LDAP server to use for this provision")
-parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
- help="LDB mapping module to use for the LDAP backend",
- choices=["fedora-ds", "openldap"])
-parser.add_option("--aci", type="string", metavar="ACI",
- help="An arbitary LDIF fragment, particularly useful to loading a backend ACI value into a target LDAP server. You must provide at least a realm and domain")
+ help="do not add users or groups, just the structure")
+parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
+ help="Test initialisation support for unsupported LDAP backend type (fedora-ds or openldap) DO NOT USE",
+ choices=["fedora-ds", "openldap"])
parser.add_option("--server-role", type="choice", metavar="ROLE",
- choices=["domain controller", "dc", "member server", "member", "standalone"],
- help="Set server role to provision for (default standalone)")
-parser.add_option("--partitions-only",
- help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true")
-parser.add_option("--targetdir", type="string", metavar="DIR",
- help="Set target directory")
+ choices=["domain controller", "dc", "member server", "member", "standalone"],
+ help="The server role (domain controller | dc | member server | member | standalone). Default is dc.")
+parser.add_option("--function-level", type="choice", metavar="FOR-FUN-LEVEL",
+ choices=["2000", "2003", "2008", "2008_R2"],
+ help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2003 Native.")
+parser.add_option("--next-rid", type="int", metavar="NEXTRID", default=1000,
+ help="The initial nextRid value (only needed for upgrades). Default is 1000.")
+parser.add_option("--partitions-only",
+ help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true")
+parser.add_option("--targetdir", type="string", metavar="DIR",
+ help="Set target directory")
+parser.add_option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
+ help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with comma (\",\") for use with OpenLDAP-MMR (Multi-Master-Replication), e.g.: \"ldap://s4dc1:9000,ldap://s4dc2:9000\"")
+parser.add_option("--slapd-path", type="string", metavar="SLAPD-PATH",
+ help="Path to slapd for LDAP backend [e.g.:'/usr/local/libexec/slapd']. Required for Setup with LDAP-Backend. OpenLDAP Version >= 2.4.17 should be used.")
+parser.add_option("--use-xattrs", type="choice", choices=["yes", "no", "auto"], help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto")
opts = parser.parse_args()[0]
-def message(text):
- """print a message if quiet is not set."""
- if not opts.quiet:
- print text
+logger = logging.getLogger("provision")
+logger.addHandler(logging.StreamHandler(sys.stdout))
+if opts.quiet:
+ logger.setLevel(logging.WARNING)
+else:
+ logger.setLevel(logging.INFO)
if len(sys.argv) == 1:
- opts.interactive = True
-
-if not opts.interactive and (opts.realm is None or opts.domain is None):
- if opts.realm is None:
- print >>sys.stderr, "No realm set"
- if opts.domain is None:
- print >>sys.stderr, "No domain set"
- parser.print_usage()
- sys.exit(1)
+ opts.interactive = True
if opts.interactive:
- from getpass import getpass
- import readline
- import socket
- def ask(prompt, default=None):
- if default is not None:
- print "%s [%s]: " % (prompt,default),
- else:
- print "%s: " % (prompt,),
- return sys.stdin.readline().rstrip("\n") or default
- opts.realm = ask("Realm", socket.gethostname().split(".", 1)[1].upper())
- opts.domain = ask("Domain", opts.realm.split(".")[0])
- opts.server_role = ask("Server Role (dc, member, standalone)", "dc")
- for i in range(3):
- opts.adminpass = getpass("Administrator password: ")
- if not opts.adminpass:
- print >>sys.stderr, "Invalid administrator password."
- else:
- break
+ from getpass import getpass
+ import socket
+
+ def ask(prompt, default=None):
+ if default is not None:
+ print "%s [%s]: " % (prompt, default),
+ else:
+ print "%s: " % (prompt,),
+ return sys.stdin.readline().rstrip("\n") or default
+ try:
+ default = socket.getfqdn().split(".", 1)[1].upper()
+ except IndexError:
+ default = None
+ opts.realm = ask("Realm", default)
+ if opts.realm in (None, ""):
+ print >>sys.stderr, "No realm set!"
+ sys.exit(1)
+
+ try:
+ default = opts.realm.split(".")[0]
+ except IndexError:
+ default = None
+ opts.domain = ask("Domain", default)
+ if opts.domain is None:
+ print >> sys.stderr, "No domain set!"
+ sys.exit(1)
+
+ opts.server_role = ask("Server Role (dc, member, standalone)", "dc")
+ for i in range(3):
+ adminpass = getpass("Administrator password: ")
+ if not adminpass:
+ print >>sys.stderr, "Invalid administrator password."
+ else:
+ adminpassverify = getpass("Retype password: ")
+ if not adminpass == adminpassverify:
+ print >>sys.stderr, "Sorry, passwords do not match."
+ else:
+ opts.adminpass = adminpass
+ break
+
+else:
+ if opts.realm in (None, ""):
+ opts.realm = sambaopts._lp.get('realm')
+ if opts.realm is None or opts.domain is None:
+ if opts.realm is None:
+ print >>sys.stderr, "No realm set!"
+ if opts.domain is None:
+ print >> sys.stderr, "No domain set!"
+ parser.print_usage()
+ sys.exit(1)
+
+if not opts.adminpass:
+ logger.info("Administrator password will be set randomly!")
lp = sambaopts.get_loadparm()
-smbconf = lp.configfile()
+smbconf = lp.configfile
+
+server_role = opts.server_role
+
+if server_role is None:
+ server_role = "domain controller"
-if opts.aci is not None:
- print "set ACI: %s" % opts.aci
+if opts.function_level is None:
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
+elif opts.function_level == "2000":
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2000
+elif opts.function_level == "2003":
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
+elif opts.function_level == "2008":
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2008
+elif opts.function_level == "2008_R2":
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2
-if opts.server_role == "dc":
- server_role = "domain controller"
-elif opts.server_role == "member":
- server_role = "member server"
+if opts.dns_backend is None:
+ dns_backend = "BIND9_DLZ"
else:
- server_role = opts.server_role
+ dns_backend = opts.dns_backend
creds = credopts.get_credentials(lp)
creds.set_kerberos_state(DONT_USE_KERBEROS)
-setup_dir = opts.setupdir
-if setup_dir is None:
- setup_dir = "setup"
-
samdb_fill = FILL_FULL
if opts.blank:
samdb_fill = FILL_NT4SYNC
elif opts.partitions_only:
samdb_fill = FILL_DRS
-provision(setup_dir, message,
- system_session(), creds, smbconf=smbconf, targetdir=opts.targetdir,
+if opts.targetdir is not None:
+ if not os.path.isdir(opts.targetdir):
+ os.mkdir(opts.targetdir)
+
+eadb = True
+if opts.use_xattrs == "yes":
+ eadb = False
+elif opts.use_xattrs == "auto" and not lp.get("posix:eadb"):
+ if opts.targetdir:
+ file = tempfile.NamedTemporaryFile(dir=os.path.abspath(opts.targetdir))
+ else:
+ file = tempfile.NamedTemporaryFile(dir=os.path.abspath(os.path.dirname(lp.get("private dir"))))
+ try:
+ try:
+ samba.ntacls.setntacl(lp, file.name,
+ "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
+ eadb = False
+ except Exception:
+ logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. "
+ "If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.")
+ finally:
+ file.close()
+
+session = system_session()
+try:
+ result = provision(logger,
+ session, creds, smbconf=smbconf, targetdir=opts.targetdir,
samdb_fill=samdb_fill, realm=opts.realm, domain=opts.domain,
domainguid=opts.domain_guid, domainsid=opts.domain_sid,
- policyguid=opts.policy_guid, hostname=opts.host_name,
+ hostname=opts.host_name,
hostip=opts.host_ip, hostip6=opts.host_ip6,
+ ntdsguid=opts.ntds_guid,
invocationid=opts.invocationid, adminpass=opts.adminpass,
krbtgtpass=opts.krbtgtpass, machinepass=opts.machinepass,
+ dns_backend=dns_backend,
dnspass=opts.dnspass, root=opts.root, nobody=opts.nobody,
- nogroup=opts.nogroup, wheel=opts.wheel, users=opts.users,
- aci=opts.aci, serverrole=server_role,
- ldap_backend=opts.ldap_backend,
- ldap_backend_type=opts.ldap_backend_type)
+ wheel=opts.wheel, users=opts.users,
+ serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
+ backend_type=opts.ldap_backend_type,
+ ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
+ slapd_path=opts.slapd_path,
+ useeadb=eadb, next_rid=opts.next_rid, lp=lp)
+except ProvisioningError, e:
+ print str(e)
+ sys.exit(1)
+
+result.report_logger(logger)
git.samba.org / nivanova / samba-autobuild / .git / blobdiff