2 # Unix SMB/CIFS implementation.
3 # backend code for provisioning a Samba4 server
5 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
6 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
7 # Copyright (C) Oliver Liebel <oliver@itc.li> 2008-2009
9 # Based on the original in EJS:
10 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
12 # This program is free software; you can redistribute it and/or modify
13 # it under the terms of the GNU General Public License as published by
14 # the Free Software Foundation; either version 3 of the License, or
15 # (at your option) any later version.
17 # This program is distributed in the hope that it will be useful,
18 # but WITHOUT ANY WARRANTY; without even the implied warranty of
19 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 # GNU General Public License for more details.
22 # You should have received a copy of the GNU General Public License
23 # along with this program. If not, see <http://www.gnu.org/licenses/>.
26 """Functions for setting up a Samba configuration."""
28 from base64 import b64encode
39 from auth import system_session
40 from samba import Ldb, substitute_var, valid_netbios_name, check_all_substituted
41 from samba.samdb import SamDB
42 from samba.idmap import IDmapDB
43 from samba.dcerpc import security
45 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError, \
46 timestring, CHANGETYPE_MODIFY, CHANGETYPE_NONE
47 from ms_schema import read_ms_schema
49 __docformat__ = "restructuredText"
53 """Find the setup directory used by provision."""
54 dirname = os.path.dirname(__file__)
55 if "/site-packages/" in dirname:
56 prefix = "/".join(dirname[:dirname.index("/site-packages/")].split("/")[:-2])
57 for suffix in ["share/setup", "share/samba/setup", "setup"]:
58 ret = os.path.join(prefix, suffix)
59 if os.path.isdir(ret):
62 ret = os.path.join(dirname, "../../../setup")
63 if os.path.isdir(ret):
65 raise Exception("Unable to find setup directory.")
68 DEFAULTSITE = "Default-First-Site-Name"
70 class InvalidNetbiosName(Exception):
71 """A specified name was not a valid NetBIOS name."""
72 def __init__(self, name):
73 super(InvalidNetbiosName, self).__init__("The name '%r' is not a valid NetBIOS name" % name)
76 class ProvisionPaths(object):
89 self.dns_keytab = None
92 self.private_dir = None
95 self.modulesconf = None
96 self.memberofconf = None
97 self.fedoradsinf = None
98 self.fedoradspartitions = None
100 self.olmmrserveridsconf = None
101 self.olmmrsyncreplconf = None
103 self.olslaptest = None
104 self.olcseedldif = None
107 class ProvisionNames(object):
113 self.ldapmanagerdn = None
114 self.dnsdomain = None
116 self.netbiosname = None
123 class ProvisionResult(object):
130 def check_install(lp, session_info, credentials):
131 """Check whether the current install seems ok.
133 :param lp: Loadparm context
134 :param session_info: Session information
135 :param credentials: Credentials
137 if lp.get("realm") == "":
138 raise Exception("Realm empty")
139 ldb = Ldb(lp.get("sam database"), session_info=session_info,
140 credentials=credentials, lp=lp)
141 if len(ldb.search("(cn=Administrator)")) != 1:
142 raise "No administrator account found"
145 def findnss(nssfn, names):
146 """Find a user or group from a list of possibilities.
148 :param nssfn: NSS Function to try (should raise KeyError if not found)
149 :param names: Names to check.
150 :return: Value return by first names list.
157 raise KeyError("Unable to find user/group %r" % names)
160 findnss_uid = lambda names: findnss(pwd.getpwnam, names)[2]
161 findnss_gid = lambda names: findnss(grp.getgrnam, names)[2]
164 def read_and_sub_file(file, subst_vars):
165 """Read a file and sub in variables found in it
167 :param file: File to be read (typically from setup directory)
168 param subst_vars: Optional variables to subsitute in the file.
170 data = open(file, 'r').read()
171 if subst_vars is not None:
172 data = substitute_var(data, subst_vars)
173 check_all_substituted(data)
177 def setup_add_ldif(ldb, ldif_path, subst_vars=None):
178 """Setup a ldb in the private dir.
180 :param ldb: LDB file to import data into
181 :param ldif_path: Path of the LDIF file to load
182 :param subst_vars: Optional variables to subsitute in LDIF.
184 assert isinstance(ldif_path, str)
186 data = read_and_sub_file(ldif_path, subst_vars)
190 def setup_modify_ldif(ldb, ldif_path, subst_vars=None):
191 """Modify a ldb in the private dir.
193 :param ldb: LDB object.
194 :param ldif_path: LDIF file path.
195 :param subst_vars: Optional dictionary with substitution variables.
197 data = read_and_sub_file(ldif_path, subst_vars)
199 ldb.modify_ldif(data)
202 def setup_ldb(ldb, ldif_path, subst_vars):
203 """Import a LDIF a file into a LDB handle, optionally substituting variables.
205 :note: Either all LDIF data will be added or none (using transactions).
207 :param ldb: LDB file to import into.
208 :param ldif_path: Path to the LDIF file.
209 :param subst_vars: Dictionary with substitution variables.
211 assert ldb is not None
212 ldb.transaction_start()
214 setup_add_ldif(ldb, ldif_path, subst_vars)
216 ldb.transaction_cancel()
218 ldb.transaction_commit()
221 def setup_file(template, fname, subst_vars):
222 """Setup a file in the private dir.
224 :param template: Path of the template file.
225 :param fname: Path of the file to create.
226 :param subst_vars: Substitution variables.
230 if os.path.exists(f):
233 data = read_and_sub_file(template, subst_vars)
234 open(f, 'w').write(data)
237 def provision_paths_from_lp(lp, dnsdomain):
238 """Set the default paths for provisioning.
240 :param lp: Loadparm context.
241 :param dnsdomain: DNS Domain name
243 paths = ProvisionPaths()
244 paths.private_dir = lp.get("private dir")
245 paths.keytab = "secrets.keytab"
246 paths.dns_keytab = "dns.keytab"
248 paths.shareconf = os.path.join(paths.private_dir, "share.ldb")
249 paths.samdb = os.path.join(paths.private_dir, lp.get("sam database") or "samdb.ldb")
250 paths.idmapdb = os.path.join(paths.private_dir, lp.get("idmap database") or "idmap.ldb")
251 paths.secrets = os.path.join(paths.private_dir, lp.get("secrets database") or "secrets.ldb")
252 paths.templates = os.path.join(paths.private_dir, "templates.ldb")
253 paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone")
254 paths.namedconf = os.path.join(paths.private_dir, "named.conf")
255 paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
256 paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
257 paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
258 paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
259 paths.phpldapadminconfig = os.path.join(paths.private_dir,
260 "phpldapadmin-config.php")
261 paths.ldapdir = os.path.join(paths.private_dir,
263 paths.slapdconf = os.path.join(paths.ldapdir,
265 paths.modulesconf = os.path.join(paths.ldapdir,
267 paths.memberofconf = os.path.join(paths.ldapdir,
269 paths.fedoradsinf = os.path.join(paths.ldapdir,
271 paths.fedoradspartitions = os.path.join(paths.ldapdir,
272 "fedorads-partitions.ldif")
273 paths.olmmrserveridsconf = os.path.join(paths.ldapdir,
274 "mmr_serverids.conf")
275 paths.olmmrsyncreplconf = os.path.join(paths.ldapdir,
277 paths.olcdir = os.path.join(paths.ldapdir,
279 paths.olcseedldif = os.path.join(paths.ldapdir,
281 paths.hklm = "hklm.ldb"
282 paths.hkcr = "hkcr.ldb"
283 paths.hkcu = "hkcu.ldb"
284 paths.hku = "hku.ldb"
285 paths.hkpd = "hkpd.ldb"
286 paths.hkpt = "hkpt.ldb"
288 paths.sysvol = lp.get("path", "sysvol")
290 paths.netlogon = lp.get("path", "netlogon")
292 paths.smbconf = lp.configfile
297 def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None, serverrole=None,
298 rootdn=None, domaindn=None, configdn=None, schemadn=None, serverdn=None,
300 """Guess configuration settings to use."""
303 hostname = socket.gethostname().split(".")[0].lower()
305 netbiosname = hostname.upper()
306 if not valid_netbios_name(netbiosname):
307 raise InvalidNetbiosName(netbiosname)
309 hostname = hostname.lower()
311 if dnsdomain is None:
312 dnsdomain = lp.get("realm")
314 if serverrole is None:
315 serverrole = lp.get("server role")
317 assert dnsdomain is not None
318 realm = dnsdomain.upper()
320 if lp.get("realm").upper() != realm:
321 raise Exception("realm '%s' in %s must match chosen realm '%s'" %
322 (lp.get("realm"), lp.configfile, realm))
324 dnsdomain = dnsdomain.lower()
326 if serverrole == "domain controller":
328 domain = lp.get("workgroup")
330 domaindn = "DC=" + dnsdomain.replace(".", ",DC=")
331 if lp.get("workgroup").upper() != domain.upper():
332 raise Exception("workgroup '%s' in smb.conf must match chosen domain '%s'",
333 lp.get("workgroup"), domain)
337 domaindn = "CN=" + netbiosname
339 assert domain is not None
340 domain = domain.upper()
341 if not valid_netbios_name(domain):
342 raise InvalidNetbiosName(domain)
348 configdn = "CN=Configuration," + rootdn
350 schemadn = "CN=Schema," + configdn
355 names = ProvisionNames()
356 names.rootdn = rootdn
357 names.domaindn = domaindn
358 names.configdn = configdn
359 names.schemadn = schemadn
360 names.ldapmanagerdn = "CN=Manager," + rootdn
361 names.dnsdomain = dnsdomain
362 names.domain = domain
364 names.netbiosname = netbiosname
365 names.hostname = hostname
366 names.sitename = sitename
367 names.serverdn = "CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (netbiosname, sitename, configdn)
372 def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
374 """Create a new smb.conf file based on a couple of basic settings.
376 assert smbconf is not None
378 hostname = socket.gethostname().split(".")[0].lower()
380 if serverrole is None:
381 serverrole = "standalone"
383 assert serverrole in ("domain controller", "member server", "standalone")
384 if serverrole == "domain controller":
386 elif serverrole == "member server":
387 smbconfsuffix = "member"
388 elif serverrole == "standalone":
389 smbconfsuffix = "standalone"
391 assert domain is not None
392 assert realm is not None
394 default_lp = param.LoadParm()
395 #Load non-existant file
396 if os.path.exists(smbconf):
397 default_lp.load(smbconf)
399 if targetdir is not None:
400 privatedir_line = "private dir = " + os.path.abspath(os.path.join(targetdir, "private"))
401 lockdir_line = "lock dir = " + os.path.abspath(targetdir)
403 default_lp.set("lock dir", os.path.abspath(targetdir))
408 sysvol = os.path.join(default_lp.get("lock dir"), "sysvol")
409 netlogon = os.path.join(sysvol, realm.lower(), "scripts")
411 setup_file(setup_path("provision.smb.conf.%s" % smbconfsuffix),
413 "HOSTNAME": hostname,
416 "SERVERROLE": serverrole,
417 "NETLOGONPATH": netlogon,
418 "SYSVOLPATH": sysvol,
419 "PRIVATEDIR_LINE": privatedir_line,
420 "LOCKDIR_LINE": lockdir_line
424 def setup_name_mappings(samdb, idmap, sid, domaindn, root_uid, nobody_uid,
425 users_gid, wheel_gid):
426 """setup reasonable name mappings for sam names to unix names.
428 :param samdb: SamDB object.
429 :param idmap: IDmap db object.
430 :param sid: The domain sid.
431 :param domaindn: The domain DN.
432 :param root_uid: uid of the UNIX root user.
433 :param nobody_uid: uid of the UNIX nobody user.
434 :param users_gid: gid of the UNIX users group.
435 :param wheel_gid: gid of the UNIX wheel group."""
436 # add some foreign sids if they are not present already
437 samdb.add_stock_foreign_sids()
439 idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
440 idmap.setup_name_mapping("S-1-5-32-544", idmap.TYPE_GID, wheel_gid)
442 idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
443 idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
446 def setup_samdb_partitions(samdb_path, setup_path, message, lp, session_info,
448 serverrole, ldap_backend=None,
449 ldap_backend_type=None, erase=False):
450 """Setup the partitions for the SAM database.
452 Alternatively, provision() may call this, and then populate the database.
454 :note: This will wipe the Sam Database!
456 :note: This function always removes the local SAM LDB file. The erase
457 parameter controls whether to erase the existing data, which
458 may not be stored locally but in LDAP.
460 assert session_info is not None
463 samdb = SamDB(samdb_path, session_info=session_info,
464 credentials=credentials, lp=lp)
468 os.unlink(samdb_path)
469 samdb = SamDB(samdb_path, session_info=session_info,
470 credentials=credentials, lp=lp)
475 #Add modules to the list to activate them by default
476 #beware often order is important
478 # Some Known ordering constraints:
479 # - rootdse must be first, as it makes redirects from "" -> cn=rootdse
480 # - objectclass must be before password_hash, because password_hash checks
481 # that the objectclass is of type person (filled in by objectclass
482 # module when expanding the objectclass list)
483 # - partition must be last
484 # - each partition has its own module list then
485 modules_list = ["rootdse",
503 "extended_dn_out_ldb"]
504 modules_list2 = ["show_deleted",
507 domaindn_ldb = "users.ldb"
508 if ldap_backend is not None:
509 domaindn_ldb = ldap_backend
510 configdn_ldb = "configuration.ldb"
511 if ldap_backend is not None:
512 configdn_ldb = ldap_backend
513 schemadn_ldb = "schema.ldb"
514 if ldap_backend is not None:
515 schema_ldb = ldap_backend
516 schemadn_ldb = ldap_backend
518 if ldap_backend_type == "fedora-ds":
519 backend_modules = ["nsuniqueid", "paged_searches"]
520 # We can handle linked attributes here, as we don't have directory-side subtree operations
521 tdb_modules_list = ["linked_attributes", "extended_dn_out_dereference"]
522 elif ldap_backend_type == "openldap":
523 backend_modules = ["entryuuid", "paged_searches"]
524 # OpenLDAP handles subtree renames, so we don't want to do any of these things
525 tdb_modules_list = ["extended_dn_out_dereference"]
526 elif ldap_backend is not None:
527 raise "LDAP Backend specified, but LDAP Backend Type not specified"
528 elif serverrole == "domain controller":
529 backend_modules = ["repl_meta_data"]
531 backend_modules = ["objectguid"]
533 if tdb_modules_list is None:
534 tdb_modules_list_as_string = ""
536 tdb_modules_list_as_string = ","+",".join(tdb_modules_list)
538 samdb.transaction_start()
540 setup_add_ldif(samdb, setup_path("provision_partitions.ldif"), {
541 "SCHEMADN": names.schemadn,
542 "SCHEMADN_LDB": schemadn_ldb,
543 "SCHEMADN_MOD2": ",objectguid",
544 "CONFIGDN": names.configdn,
545 "CONFIGDN_LDB": configdn_ldb,
546 "DOMAINDN": names.domaindn,
547 "DOMAINDN_LDB": domaindn_ldb,
548 "SCHEMADN_MOD": "schema_fsmo,instancetype",
549 "CONFIGDN_MOD": "naming_fsmo,instancetype",
550 "DOMAINDN_MOD": "pdc_fsmo,instancetype",
551 "MODULES_LIST": ",".join(modules_list),
552 "TDB_MODULES_LIST": tdb_modules_list_as_string,
553 "MODULES_LIST2": ",".join(modules_list2),
554 "BACKEND_MOD": ",".join(backend_modules),
558 samdb.transaction_cancel()
561 samdb.transaction_commit()
563 samdb = SamDB(samdb_path, session_info=session_info,
564 credentials=credentials, lp=lp)
566 samdb.transaction_start()
568 message("Setting up sam.ldb attributes")
569 samdb.load_ldif_file_add(setup_path("provision_init.ldif"))
571 message("Setting up sam.ldb rootDSE")
572 setup_samdb_rootdse(samdb, setup_path, names)
575 message("Erasing data from partitions")
576 samdb.erase_partitions()
579 samdb.transaction_cancel()
582 samdb.transaction_commit()
587 def secretsdb_become_dc(secretsdb, setup_path, domain, realm, dnsdomain,
588 netbiosname, domainsid, keytab_path, samdb_url,
589 dns_keytab_path, dnspass, machinepass):
590 """Add DC-specific bits to a secrets database.
592 :param secretsdb: Ldb Handle to the secrets database
593 :param setup_path: Setup path function
594 :param machinepass: Machine password
596 setup_ldb(secretsdb, setup_path("secrets_dc.ldif"), {
597 "MACHINEPASS_B64": b64encode(machinepass),
600 "DNSDOMAIN": dnsdomain,
601 "DOMAINSID": str(domainsid),
602 "SECRETS_KEYTAB": keytab_path,
603 "NETBIOSNAME": netbiosname,
604 "SAM_LDB": samdb_url,
605 "DNS_KEYTAB": dns_keytab_path,
606 "DNSPASS_B64": b64encode(dnspass),
610 def setup_secretsdb(path, setup_path, session_info, credentials, lp):
611 """Setup the secrets database.
613 :param path: Path to the secrets database.
614 :param setup_path: Get the path to a setup file.
615 :param session_info: Session info.
616 :param credentials: Credentials
617 :param lp: Loadparm context
618 :return: LDB handle for the created secrets database
620 if os.path.exists(path):
622 secrets_ldb = Ldb(path, session_info=session_info, credentials=credentials,
625 secrets_ldb.load_ldif_file_add(setup_path("secrets_init.ldif"))
626 secrets_ldb = Ldb(path, session_info=session_info, credentials=credentials,
628 secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
630 if credentials is not None and credentials.authentication_requested():
631 if credentials.get_bind_dn() is not None:
632 setup_add_ldif(secrets_ldb, setup_path("secrets_simple_ldap.ldif"), {
633 "LDAPMANAGERDN": credentials.get_bind_dn(),
634 "LDAPMANAGERPASS_B64": b64encode(credentials.get_password())
637 setup_add_ldif(secrets_ldb, setup_path("secrets_sasl_ldap.ldif"), {
638 "LDAPADMINUSER": credentials.get_username(),
639 "LDAPADMINREALM": credentials.get_realm(),
640 "LDAPADMINPASS_B64": b64encode(credentials.get_password())
646 def setup_templatesdb(path, setup_path, session_info, credentials, lp):
647 """Setup the templates database.
649 :param path: Path to the database.
650 :param setup_path: Function for obtaining the path to setup files.
651 :param session_info: Session info
652 :param credentials: Credentials
653 :param lp: Loadparm context
655 templates_ldb = SamDB(path, session_info=session_info,
656 credentials=credentials, lp=lp)
659 templates_ldb.erase()
660 # This should be 'except LdbError', but on a re-provision the assert in ldb.erase fires, and we need to catch that too
664 templates_ldb.load_ldif_file_add(setup_path("provision_templates_init.ldif"))
666 templates_ldb = SamDB(path, session_info=session_info,
667 credentials=credentials, lp=lp)
669 templates_ldb.load_ldif_file_add(setup_path("provision_templates.ldif"))
672 def setup_registry(path, setup_path, session_info, credentials, lp):
673 """Setup the registry.
675 :param path: Path to the registry database
676 :param setup_path: Function that returns the path to a setup.
677 :param session_info: Session information
678 :param credentials: Credentials
679 :param lp: Loadparm context
681 reg = registry.Registry()
682 hive = registry.open_ldb(path, session_info=session_info,
683 credentials=credentials, lp_ctx=lp)
684 reg.mount_hive(hive, registry.HKEY_LOCAL_MACHINE)
685 provision_reg = setup_path("provision.reg")
686 assert os.path.exists(provision_reg)
687 reg.diff_apply(provision_reg)
690 def setup_idmapdb(path, setup_path, session_info, credentials, lp):
691 """Setup the idmap database.
693 :param path: path to the idmap database
694 :param setup_path: Function that returns a path to a setup file
695 :param session_info: Session information
696 :param credentials: Credentials
697 :param lp: Loadparm context
699 if os.path.exists(path):
702 idmap_ldb = IDmapDB(path, session_info=session_info,
703 credentials=credentials, lp=lp)
706 idmap_ldb.load_ldif_file_add(setup_path("idmap_init.ldif"))
710 def setup_samdb_rootdse(samdb, setup_path, names):
711 """Setup the SamDB rootdse.
713 :param samdb: Sam Database handle
714 :param setup_path: Obtain setup path
716 setup_add_ldif(samdb, setup_path("provision_rootdse_add.ldif"), {
717 "SCHEMADN": names.schemadn,
718 "NETBIOSNAME": names.netbiosname,
719 "DNSDOMAIN": names.dnsdomain,
720 "REALM": names.realm,
721 "DNSNAME": "%s.%s" % (names.hostname, names.dnsdomain),
722 "DOMAINDN": names.domaindn,
723 "ROOTDN": names.rootdn,
724 "CONFIGDN": names.configdn,
725 "SERVERDN": names.serverdn,
729 def setup_self_join(samdb, names,
730 machinepass, dnspass,
731 domainsid, invocationid, setup_path,
733 """Join a host to its own domain."""
734 assert isinstance(invocationid, str)
735 setup_add_ldif(samdb, setup_path("provision_self_join.ldif"), {
736 "CONFIGDN": names.configdn,
737 "SCHEMADN": names.schemadn,
738 "DOMAINDN": names.domaindn,
739 "SERVERDN": names.serverdn,
740 "INVOCATIONID": invocationid,
741 "NETBIOSNAME": names.netbiosname,
742 "DEFAULTSITE": names.sitename,
743 "DNSNAME": "%s.%s" % (names.hostname, names.dnsdomain),
744 "MACHINEPASS_B64": b64encode(machinepass),
745 "DNSPASS_B64": b64encode(dnspass),
746 "REALM": names.realm,
747 "DOMAIN": names.domain,
748 "DNSDOMAIN": names.dnsdomain})
749 setup_add_ldif(samdb, setup_path("provision_group_policy.ldif"), {
750 "POLICYGUID": policyguid,
751 "DNSDOMAIN": names.dnsdomain,
752 "DOMAINSID": str(domainsid),
753 "DOMAINDN": names.domaindn})
756 def setup_samdb(path, setup_path, session_info, credentials, lp,
758 domainsid, aci, domainguid, policyguid,
759 fill, adminpass, krbtgtpass,
760 machinepass, invocationid, dnspass,
761 serverrole, ldap_backend=None,
762 ldap_backend_type=None):
763 """Setup a complete SAM Database.
765 :note: This will wipe the main SAM database file!
768 erase = (fill != FILL_DRS)
770 # Also wipes the database
771 setup_samdb_partitions(path, setup_path, message=message, lp=lp,
772 credentials=credentials, session_info=session_info,
774 ldap_backend=ldap_backend, serverrole=serverrole,
775 ldap_backend_type=ldap_backend_type, erase=erase)
777 samdb = SamDB(path, session_info=session_info,
778 credentials=credentials, lp=lp)
782 message("Pre-loading the Samba 4 and AD schema")
783 samdb.set_domain_sid(str(domainsid))
784 if serverrole == "domain controller":
785 samdb.set_invocation_id(invocationid)
787 schema_data = load_schema(setup_path, samdb, names.schemadn, names.netbiosname,
788 names.configdn, names.sitename, names.serverdn,
790 samdb.transaction_start()
793 message("Adding DomainDN: %s (permitted to fail)" % names.domaindn)
794 if serverrole == "domain controller":
795 domain_oc = "domainDNS"
797 domain_oc = "samba4LocalDomain"
799 setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
800 "DOMAINDN": names.domaindn,
802 "DOMAIN_OC": domain_oc
805 message("Modifying DomainDN: " + names.domaindn + "")
806 if domainguid is not None:
807 domainguid_mod = "replace: objectGUID\nobjectGUID: %s\n-" % domainguid
811 setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
812 "LDAPTIME": timestring(int(time.time())),
813 "DOMAINSID": str(domainsid),
814 "SCHEMADN": names.schemadn,
815 "NETBIOSNAME": names.netbiosname,
816 "DEFAULTSITE": names.sitename,
817 "CONFIGDN": names.configdn,
818 "SERVERDN": names.serverdn,
819 "POLICYGUID": policyguid,
820 "DOMAINDN": names.domaindn,
821 "DOMAINGUID_MOD": domainguid_mod,
824 message("Adding configuration container (permitted to fail)")
825 setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), {
826 "CONFIGDN": names.configdn,
829 message("Modifying configuration container")
830 setup_modify_ldif(samdb, setup_path("provision_configuration_basedn_modify.ldif"), {
831 "CONFIGDN": names.configdn,
832 "SCHEMADN": names.schemadn,
835 message("Adding schema container (permitted to fail)")
836 setup_add_ldif(samdb, setup_path("provision_schema_basedn.ldif"), {
837 "SCHEMADN": names.schemadn,
840 message("Modifying schema container")
842 prefixmap = open(setup_path("prefixMap.txt"), 'r').read()
844 setup_modify_ldif(samdb,
845 setup_path("provision_schema_basedn_modify.ldif"), {
846 "SCHEMADN": names.schemadn,
847 "NETBIOSNAME": names.netbiosname,
848 "DEFAULTSITE": names.sitename,
849 "CONFIGDN": names.configdn,
850 "SERVERDN": names.serverdn,
851 "PREFIXMAP_B64": b64encode(prefixmap)
854 message("Setting up sam.ldb schema")
855 samdb.add_ldif(schema_data)
856 setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"),
857 {"SCHEMADN": names.schemadn})
859 message("Setting up sam.ldb configuration data")
860 setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
861 "CONFIGDN": names.configdn,
862 "NETBIOSNAME": names.netbiosname,
863 "DEFAULTSITE": names.sitename,
864 "DNSDOMAIN": names.dnsdomain,
865 "DOMAIN": names.domain,
866 "SCHEMADN": names.schemadn,
867 "DOMAINDN": names.domaindn,
868 "SERVERDN": names.serverdn
871 message("Setting up display specifiers")
872 setup_add_ldif(samdb, setup_path("display_specifiers.ldif"),
873 {"CONFIGDN": names.configdn})
875 message("Adding users container (permitted to fail)")
876 setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
877 "DOMAINDN": names.domaindn})
878 message("Modifying users container")
879 setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
880 "DOMAINDN": names.domaindn})
881 message("Adding computers container (permitted to fail)")
882 setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
883 "DOMAINDN": names.domaindn})
884 message("Modifying computers container")
885 setup_modify_ldif(samdb, setup_path("provision_computers_modify.ldif"), {
886 "DOMAINDN": names.domaindn})
887 message("Setting up sam.ldb data")
888 setup_add_ldif(samdb, setup_path("provision.ldif"), {
889 "DOMAINDN": names.domaindn,
890 "NETBIOSNAME": names.netbiosname,
891 "DEFAULTSITE": names.sitename,
892 "CONFIGDN": names.configdn,
893 "SERVERDN": names.serverdn
896 if fill == FILL_FULL:
897 message("Setting up sam.ldb users and groups")
898 setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
899 "DOMAINDN": names.domaindn,
900 "DOMAINSID": str(domainsid),
901 "CONFIGDN": names.configdn,
902 "ADMINPASS_B64": b64encode(adminpass),
903 "KRBTGTPASS_B64": b64encode(krbtgtpass),
906 if serverrole == "domain controller":
907 message("Setting up self join")
908 setup_self_join(samdb, names=names, invocationid=invocationid,
910 machinepass=machinepass,
911 domainsid=domainsid, policyguid=policyguid,
912 setup_path=setup_path)
915 samdb.transaction_cancel()
918 samdb.transaction_commit()
923 FILL_NT4SYNC = "NT4SYNC"
926 def provision(setup_dir, message, session_info,
927 credentials, smbconf=None, targetdir=None, samdb_fill=FILL_FULL, realm=None,
928 rootdn=None, domaindn=None, schemadn=None, configdn=None,
930 domain=None, hostname=None, hostip=None, hostip6=None,
931 domainsid=None, adminpass=None, krbtgtpass=None, domainguid=None,
932 policyguid=None, invocationid=None, machinepass=None,
933 dnspass=None, root=None, nobody=None, nogroup=None, users=None,
934 wheel=None, backup=None, aci=None, serverrole=None,
935 ldap_backend=None, ldap_backend_type=None, sitename=None):
938 :note: caution, this wipes all existing data!
941 def setup_path(file):
942 return os.path.join(setup_dir, file)
944 if domainsid is None:
945 domainsid = security.random_sid()
947 if policyguid is None:
948 policyguid = str(uuid.uuid4())
949 if adminpass is None:
950 adminpass = glue.generate_random_str(12)
951 if krbtgtpass is None:
952 krbtgtpass = glue.generate_random_str(12)
953 if machinepass is None:
954 machinepass = glue.generate_random_str(12)
956 dnspass = glue.generate_random_str(12)
957 root_uid = findnss_uid([root or "root"])
958 nobody_uid = findnss_uid([nobody or "nobody"])
959 users_gid = findnss_gid([users or "users"])
961 wheel_gid = findnss_gid(["wheel", "adm"])
963 wheel_gid = findnss_gid([wheel])
965 aci = "# no aci for local ldb"
967 if targetdir is not None:
968 if (not os.path.exists(os.path.join(targetdir, "etc"))):
969 os.makedirs(os.path.join(targetdir, "etc"))
970 smbconf = os.path.join(targetdir, "etc", "smb.conf")
971 elif smbconf is None:
972 smbconf = param.default_path()
974 # only install a new smb.conf if there isn't one there already
975 if not os.path.exists(smbconf):
976 make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
979 lp = param.LoadParm()
982 names = guess_names(lp=lp, hostname=hostname, domain=domain,
983 dnsdomain=realm, serverrole=serverrole, sitename=sitename,
984 rootdn=rootdn, domaindn=domaindn, configdn=configdn, schemadn=schemadn,
987 paths = provision_paths_from_lp(lp, names.dnsdomain)
991 hostip = socket.getaddrinfo(names.hostname, None, socket.AF_INET, socket.AI_CANONNAME, socket.IPPROTO_IP)[0][-1][0]
992 except socket.gaierror, (socket.EAI_NODATA, msg):
997 hostip6 = socket.getaddrinfo(names.hostname, None, socket.AF_INET6, socket.AI_CANONNAME, socket.IPPROTO_IP)[0][-1][0]
998 except socket.gaierror, (socket.EAI_NODATA, msg):
1001 if serverrole is None:
1002 serverrole = lp.get("server role")
1004 assert serverrole in ("domain controller", "member server", "standalone")
1005 if invocationid is None and serverrole == "domain controller":
1006 invocationid = str(uuid.uuid4())
1008 if not os.path.exists(paths.private_dir):
1009 os.mkdir(paths.private_dir)
1011 ldapi_url = "ldapi://%s" % urllib.quote(paths.s4_ldapi_path, safe="")
1013 if ldap_backend is not None:
1014 if ldap_backend == "ldapi":
1015 # provision-backend will set this path suggested slapd command line / fedorads.inf
1016 ldap_backend = "ldapi://%s" % urllib.quote(os.path.join(paths.private_dir, "ldap", "ldapi"), safe="")
1018 # only install a new shares config db if there is none
1019 if not os.path.exists(paths.shareconf):
1020 message("Setting up share.ldb")
1021 share_ldb = Ldb(paths.shareconf, session_info=session_info,
1022 credentials=credentials, lp=lp)
1023 share_ldb.load_ldif_file_add(setup_path("share.ldif"))
1026 message("Setting up secrets.ldb")
1027 secrets_ldb = setup_secretsdb(paths.secrets, setup_path,
1028 session_info=session_info,
1029 credentials=credentials, lp=lp)
1031 message("Setting up the registry")
1032 setup_registry(paths.hklm, setup_path, session_info,
1033 credentials=credentials, lp=lp)
1035 message("Setting up templates db")
1036 setup_templatesdb(paths.templates, setup_path, session_info=session_info,
1037 credentials=credentials, lp=lp)
1039 message("Setting up idmap db")
1040 idmap = setup_idmapdb(paths.idmapdb, setup_path, session_info=session_info,
1041 credentials=credentials, lp=lp)
1043 samdb = setup_samdb(paths.samdb, setup_path, session_info=session_info,
1044 credentials=credentials, lp=lp, names=names,
1046 domainsid=domainsid,
1047 aci=aci, domainguid=domainguid, policyguid=policyguid,
1049 adminpass=adminpass, krbtgtpass=krbtgtpass,
1050 invocationid=invocationid,
1051 machinepass=machinepass, dnspass=dnspass,
1052 serverrole=serverrole, ldap_backend=ldap_backend,
1053 ldap_backend_type=ldap_backend_type)
1055 if lp.get("server role") == "domain controller":
1056 if paths.netlogon is None:
1057 message("Existing smb.conf does not have a [netlogon] share, but you are configuring a DC.")
1058 message("Please either remove %s or see the template at %s" %
1059 ( paths.smbconf, setup_path("provision.smb.conf.dc")))
1060 assert(paths.netlogon is not None)
1062 if paths.sysvol is None:
1063 message("Existing smb.conf does not have a [sysvol] share, but you are configuring a DC.")
1064 message("Please either remove %s or see the template at %s" %
1065 (paths.smbconf, setup_path("provision.smb.conf.dc")))
1066 assert(paths.sysvol is not None)
1068 policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
1069 "{" + policyguid + "}")
1070 os.makedirs(policy_path, 0755)
1071 open(os.path.join(policy_path, "GPT.INI"), 'w').write("")
1072 os.makedirs(os.path.join(policy_path, "Machine"), 0755)
1073 os.makedirs(os.path.join(policy_path, "User"), 0755)
1074 if not os.path.isdir(paths.netlogon):
1075 os.makedirs(paths.netlogon, 0755)
1077 if samdb_fill == FILL_FULL:
1078 setup_name_mappings(samdb, idmap, str(domainsid), names.domaindn,
1079 root_uid=root_uid, nobody_uid=nobody_uid,
1080 users_gid=users_gid, wheel_gid=wheel_gid)
1082 message("Setting up sam.ldb rootDSE marking as synchronized")
1083 setup_modify_ldif(samdb, setup_path("provision_rootdse_modify.ldif"))
1085 # Only make a zone file on the first DC, it should be replicated with DNS replication
1086 if serverrole == "domain controller":
1087 secrets_ldb = Ldb(paths.secrets, session_info=session_info,
1088 credentials=credentials, lp=lp)
1089 secretsdb_become_dc(secrets_ldb, setup_path, domain=domain, realm=names.realm,
1090 netbiosname=names.netbiosname, domainsid=domainsid,
1091 keytab_path=paths.keytab, samdb_url=paths.samdb,
1092 dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
1093 machinepass=machinepass, dnsdomain=names.dnsdomain)
1095 samdb = SamDB(paths.samdb, session_info=session_info,
1096 credentials=credentials, lp=lp)
1098 domainguid = samdb.searchone(basedn=domaindn, attribute="objectGUID")
1099 assert isinstance(domainguid, str)
1100 hostguid = samdb.searchone(basedn=domaindn, attribute="objectGUID",
1101 expression="(&(objectClass=computer)(cn=%s))" % names.hostname,
1102 scope=SCOPE_SUBTREE)
1103 assert isinstance(hostguid, str)
1105 create_zone_file(paths.dns, setup_path, dnsdomain=names.dnsdomain,
1106 domaindn=names.domaindn, hostip=hostip,
1107 hostip6=hostip6, hostname=names.hostname,
1108 dnspass=dnspass, realm=names.realm,
1109 domainguid=domainguid, hostguid=hostguid)
1111 create_named_conf(paths.namedconf, setup_path, realm=names.realm,
1112 dnsdomain=names.dnsdomain, private_dir=paths.private_dir)
1114 create_named_txt(paths.namedtxt, setup_path, realm=names.realm,
1115 dnsdomain=names.dnsdomain, private_dir=paths.private_dir,
1116 keytab_name=paths.dns_keytab)
1117 message("See %s for an example configuration include file for BIND" % paths.namedconf)
1118 message("and %s for further documentation required for secure DNS updates" % paths.namedtxt)
1120 create_krb5_conf(paths.krb5conf, setup_path, dnsdomain=names.dnsdomain,
1121 hostname=names.hostname, realm=names.realm)
1122 message("A Kerberos configuration suitable for Samba 4 has been generated at %s" % paths.krb5conf)
1124 create_phpldapadmin_config(paths.phpldapadminconfig, setup_path,
1127 message("Please install the phpLDAPadmin configuration located at %s into /etc/phpldapadmin/config.php" % paths.phpldapadminconfig)
1129 message("Once the above files are installed, your Samba4 server will be ready to use")
1130 message("Server Role: %s" % serverrole)
1131 message("Hostname: %s" % names.hostname)
1132 message("NetBIOS Domain: %s" % names.domain)
1133 message("DNS Domain: %s" % names.dnsdomain)
1134 message("DOMAIN SID: %s" % str(domainsid))
1135 if samdb_fill == FILL_FULL:
1136 message("Admin password: %s" % adminpass)
1138 result = ProvisionResult()
1139 result.domaindn = domaindn
1140 result.paths = paths
1142 result.samdb = samdb
1146 def provision_become_dc(setup_dir=None,
1147 smbconf=None, targetdir=None, realm=None,
1148 rootdn=None, domaindn=None, schemadn=None, configdn=None,
1150 domain=None, hostname=None, domainsid=None,
1151 adminpass=None, krbtgtpass=None, domainguid=None,
1152 policyguid=None, invocationid=None, machinepass=None,
1153 dnspass=None, root=None, nobody=None, nogroup=None, users=None,
1154 wheel=None, backup=None, aci=None, serverrole=None,
1155 ldap_backend=None, ldap_backend_type=None, sitename=None):
1158 """print a message if quiet is not set."""
1161 return provision(setup_dir, message, system_session(), None,
1162 smbconf=smbconf, targetdir=targetdir, samdb_fill=FILL_DRS, realm=realm,
1163 rootdn=rootdn, domaindn=domaindn, schemadn=schemadn, configdn=configdn, serverdn=serverdn,
1164 domain=domain, hostname=hostname, hostip="127.0.0.1", domainsid=domainsid, machinepass=machinepass, serverrole="domain controller", sitename=sitename)
1167 def setup_db_config(setup_path, dbdir):
1168 """Setup a Berkeley database.
1170 :param setup_path: Setup path function.
1171 :param dbdir: Database directory."""
1172 if not os.path.isdir(os.path.join(dbdir, "bdb-logs")):
1173 os.makedirs(os.path.join(dbdir, "bdb-logs"), 0700)
1174 if not os.path.isdir(os.path.join(dbdir, "tmp")):
1175 os.makedirs(os.path.join(dbdir, "tmp"), 0700)
1177 setup_file(setup_path("DB_CONFIG"), os.path.join(dbdir, "DB_CONFIG"),
1178 {"LDAPDBDIR": dbdir})
1182 def provision_backend(setup_dir=None, message=None,
1183 smbconf=None, targetdir=None, realm=None,
1184 rootdn=None, domaindn=None, schemadn=None, configdn=None,
1185 domain=None, hostname=None, adminpass=None, root=None, serverrole=None,
1186 ldap_backend_type=None, ldap_backend_port=None,
1187 ol_mmr_urls=None,ol_olc=None,ol_slaptest=None):
1189 def setup_path(file):
1190 return os.path.join(setup_dir, file)
1192 if hostname is None:
1193 hostname = socket.gethostname().split(".")[0].lower()
1196 root = findnss(pwd.getpwnam, ["root"])[0]
1198 if adminpass is None:
1199 adminpass = glue.generate_random_str(12)
1201 if targetdir is not None:
1202 if (not os.path.exists(os.path.join(targetdir, "etc"))):
1203 os.makedirs(os.path.join(targetdir, "etc"))
1204 smbconf = os.path.join(targetdir, "etc", "smb.conf")
1205 elif smbconf is None:
1206 smbconf = param.default_path()
1207 assert smbconf is not None
1209 # only install a new smb.conf if there isn't one there already
1210 if not os.path.exists(smbconf):
1211 make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
1214 # openldap-online-configuration: validation of olc and slaptest
1215 if ol_olc == "yes" and ol_slaptest is None:
1216 sys.exit("Warning: OpenLDAP-Online-Configuration cant be setup without path to slaptest-Binary!")
1218 if ol_olc == "yes" and ol_slaptest is not None:
1219 ol_slaptest = ol_slaptest + "/slaptest"
1220 if not os.path.exists(ol_slaptest):
1221 message (ol_slaptest)
1222 sys.exit("Warning: Given Path to slaptest-Binary does not exist!")
1227 lp = param.LoadParm()
1230 if serverrole is None:
1231 serverrole = lp.get("server role")
1233 names = guess_names(lp=lp, hostname=hostname, domain=domain,
1234 dnsdomain=realm, serverrole=serverrole,
1235 rootdn=rootdn, domaindn=domaindn, configdn=configdn,
1238 paths = provision_paths_from_lp(lp, names.dnsdomain)
1240 if not os.path.isdir(paths.ldapdir):
1241 os.makedirs(paths.ldapdir, 0700)
1242 schemadb_path = os.path.join(paths.ldapdir, "schema-tmp.ldb")
1244 os.unlink(schemadb_path)
1248 schemadb = SamDB(schemadb_path, lp=lp)
1249 schemadb.transaction_start()
1252 prefixmap = open(setup_path("prefixMap.txt"), 'r').read()
1254 setup_add_ldif(schemadb, setup_path("provision_schema_basedn.ldif"),
1255 {"SCHEMADN": names.schemadn,
1258 setup_modify_ldif(schemadb,
1259 setup_path("provision_schema_basedn_modify.ldif"), \
1260 {"SCHEMADN": names.schemadn,
1261 "NETBIOSNAME": names.netbiosname,
1262 "DEFAULTSITE": DEFAULTSITE,
1263 "CONFIGDN": names.configdn,
1264 "SERVERDN": names.serverdn,
1265 "PREFIXMAP_B64": b64encode(prefixmap)
1268 data = load_schema(setup_path, schemadb, names.schemadn, names.netbiosname,
1269 names.configdn, DEFAULTSITE, names.serverdn)
1270 schemadb.add_ldif(data)
1272 schemadb.transaction_cancel()
1274 schemadb.transaction_commit()
1276 if ldap_backend_type == "fedora-ds":
1277 if ldap_backend_port is not None:
1278 serverport = "ServerPort=%d" % ldap_backend_port
1282 setup_file(setup_path("fedorads.inf"), paths.fedoradsinf,
1284 "HOSTNAME": hostname,
1285 "DNSDOMAIN": names.dnsdomain,
1286 "LDAPDIR": paths.ldapdir,
1287 "DOMAINDN": names.domaindn,
1288 "LDAPMANAGERDN": names.ldapmanagerdn,
1289 "LDAPMANAGERPASS": adminpass,
1290 "SERVERPORT": serverport})
1292 setup_file(setup_path("fedorads-partitions.ldif"), paths.fedoradspartitions,
1293 {"CONFIGDN": names.configdn,
1294 "SCHEMADN": names.schemadn,
1297 mapping = "schema-map-fedora-ds-1.0"
1298 backend_schema = "99_ad.ldif"
1300 slapdcommand="Initialise Fedora DS with: setup-ds.pl --file=%s" % paths.fedoradsinf
1302 ldapuser = "--simple-bind-dn=" + names.ldapmanagerdn
1304 elif ldap_backend_type == "openldap":
1305 attrs = ["linkID", "lDAPDisplayName"]
1306 res = schemadb.search(expression="(&(linkID=*)(!(linkID:1.2.840.113556.1.4.803:=1))(objectclass=attributeSchema)(attributeSyntax=2.5.5.1))", base=names.schemadn, scope=SCOPE_SUBTREE, attrs=attrs)
1308 memberof_config = "# Generated from schema in %s\n" % schemadb_path
1309 refint_attributes = ""
1310 for i in range (0, len(res)):
1311 expression = "(&(objectclass=attributeSchema)(linkID=%d)(attributeSyntax=2.5.5.1))" % (int(res[i]["linkID"][0])+1)
1312 target = schemadb.searchone(basedn=names.schemadn,
1313 expression=expression,
1314 attribute="lDAPDisplayName",
1315 scope=SCOPE_SUBTREE)
1316 if target is not None:
1317 refint_attributes = refint_attributes + " " + target + " " + res[i]["lDAPDisplayName"][0]
1319 memberof_config += read_and_sub_file(setup_path("memberof.conf"),
1320 { "MEMBER_ATTR" : str(res[i]["lDAPDisplayName"][0]),
1321 "MEMBEROF_ATTR" : str(target) })
1323 refint_config = read_and_sub_file(setup_path("refint.conf"),
1324 { "LINK_ATTRS" : refint_attributes})
1326 # generate serverids, ldap-urls and syncrepl-blocks for mmr hosts
1328 mmr_replicator_acl = ""
1329 mmr_serverids_config = ""
1330 mmr_syncrepl_schema_config = ""
1331 mmr_syncrepl_config_config = ""
1332 mmr_syncrepl_user_config = ""
1335 if ol_mmr_urls is not None:
1336 # For now, make these equal
1337 mmr_pass = adminpass
1339 url_list=filter(None,ol_mmr_urls.split(' '))
1340 if (len(url_list) == 1):
1341 url_list=filter(None,ol_mmr_urls.split(','))
1344 mmr_on_config = "MirrorMode On"
1345 mmr_replicator_acl = " by dn=cn=replicator,cn=samba read"
1347 for url in url_list:
1349 mmr_serverids_config += read_and_sub_file(setup_path("mmr_serverids.conf"),
1350 { "SERVERID" : str(serverid),
1351 "LDAPSERVER" : url })
1354 mmr_syncrepl_schema_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
1356 "MMRDN": names.schemadn,
1358 "MMR_PASSWORD": mmr_pass})
1361 mmr_syncrepl_config_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
1363 "MMRDN": names.configdn,
1365 "MMR_PASSWORD": mmr_pass})
1368 mmr_syncrepl_user_config += read_and_sub_file(setup_path("mmr_syncrepl.conf"),
1370 "MMRDN": names.domaindn,
1372 "MMR_PASSWORD": mmr_pass })
1374 olc_config_pass = ""
1376 olc_syncrepl_config = ""
1379 olc_config_pass += read_and_sub_file(setup_path("olc_pass.conf"),
1380 { "OLC_PW": adminpass })
1381 olc_config_acl += read_and_sub_file(setup_path("olc_acl.conf"),{})
1383 # if olc = yes + mmr = yes, generate cn=config-replication directives
1384 # and olc_seed.lif for the other mmr-servers
1385 if ol_olc == "yes" and ol_mmr_urls is not None:
1387 olc_serverids_config = ""
1388 olc_syncrepl_config = ""
1389 olc_syncrepl_seed_config = ""
1391 olc_mmr_config += read_and_sub_file(setup_path("olc_mmr.conf"),{})
1393 for url in url_list:
1395 olc_serverids_config += read_and_sub_file(setup_path("olc_serverid.conf"),
1396 { "SERVERID" : str(serverid),
1397 "LDAPSERVER" : url })
1400 olc_syncrepl_config += read_and_sub_file(setup_path("olc_syncrepl.conf"),
1403 "MMR_PASSWORD": adminpass})
1405 olc_syncrepl_seed_config += read_and_sub_file(setup_path("olc_syncrepl_seed.conf"),
1407 "LDAPSERVER" : url})
1409 setup_file(setup_path("olc_seed.ldif"), paths.olcseedldif,
1410 {"OLC_SERVER_ID_CONF": olc_serverids_config,
1411 "OLC_PW": adminpass,
1412 "OLC_SYNCREPL_CONF": olc_syncrepl_seed_config})
1417 setup_file(setup_path("slapd.conf"), paths.slapdconf,
1418 {"DNSDOMAIN": names.dnsdomain,
1419 "LDAPDIR": paths.ldapdir,
1420 "DOMAINDN": names.domaindn,
1421 "CONFIGDN": names.configdn,
1422 "SCHEMADN": names.schemadn,
1423 "MEMBEROF_CONFIG": memberof_config,
1424 "MIRRORMODE": mmr_on_config,
1425 "REPLICATOR_ACL": mmr_replicator_acl,
1426 "MMR_SERVERIDS_CONFIG": mmr_serverids_config,
1427 "MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config,
1428 "MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config,
1429 "MMR_SYNCREPL_USER_CONFIG": mmr_syncrepl_user_config,
1430 "OLC_CONFIG_PASS": olc_config_pass,
1431 "OLC_SYNCREPL_CONFIG": olc_syncrepl_config,
1432 "OLC_CONFIG_ACL": olc_config_acl,
1433 "OLC_MMR_CONFIG": olc_mmr_config,
1434 "REFINT_CONFIG": refint_config})
1435 setup_file(setup_path("modules.conf"), paths.modulesconf,
1436 {"REALM": names.realm})
1438 setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "user"))
1439 setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "config"))
1440 setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "schema"))
1442 if not os.path.exists(os.path.join(paths.ldapdir, "db", "samba", "cn=samba")):
1443 os.makedirs(os.path.join(paths.ldapdir, "db", "samba", "cn=samba"), 0700)
1445 setup_file(setup_path("cn=samba.ldif"),
1446 os.path.join(paths.ldapdir, "db", "samba", "cn=samba.ldif"),
1447 { "UUID": str(uuid.uuid4()),
1448 "LDAPTIME": timestring(int(time.time()))} )
1449 setup_file(setup_path("cn=samba-admin.ldif"),
1450 os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=samba-admin.ldif"),
1451 {"LDAPADMINPASS_B64": b64encode(adminpass),
1452 "UUID": str(uuid.uuid4()),
1453 "LDAPTIME": timestring(int(time.time()))} )
1455 if ol_mmr_urls is not None:
1456 setup_file(setup_path("cn=replicator.ldif"),
1457 os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=replicator.ldif"),
1458 {"MMR_PASSWORD_B64": b64encode(mmr_pass),
1459 "UUID": str(uuid.uuid4()),
1460 "LDAPTIME": timestring(int(time.time()))} )
1463 mapping = "schema-map-openldap-2.3"
1464 backend_schema = "backend-schema.schema"
1466 ldapi_uri = "ldapi://" + urllib.quote(os.path.join(paths.private_dir, "ldap", "ldapi"), safe="")
1467 if ldap_backend_port is not None:
1468 server_port_string = " -h ldap://0.0.0.0:%d" % ldap_backend_port
1470 server_port_string = ""
1472 if ol_olc != "yes" and ol_mmr_urls is None:
1473 slapdcommand="Start slapd with: slapd -f " + paths.ldapdir + "/slapd.conf -h " + ldapi_uri + server_port_string
1475 if ol_olc == "yes" and ol_mmr_urls is None:
1476 slapdcommand="Start slapd with: slapd -F " + paths.olcdir + " -h \"" + ldapi_uri + " ldap://<FQHN>:<PORT>\""
1478 if ol_olc != "yes" and ol_mmr_urls is not None:
1479 slapdcommand="Start slapd with: slapd -f " + paths.ldapdir + "/slapd.conf -h \"" + ldapi_uri + " ldap://<FQHN>:<PORT>\""
1481 if ol_olc == "yes" and ol_mmr_urls is not None:
1482 slapdcommand="Start slapd with: slapd -F " + paths.olcdir + " -h \"" + ldapi_uri + " ldap://<FQHN>:<PORT>\""
1485 ldapuser = "--username=samba-admin"
1488 backend_schema_data = schemadb.convert_schema_to_openldap(ldap_backend_type, open(setup_path(mapping), 'r').read())
1489 assert backend_schema_data is not None
1490 open(os.path.join(paths.ldapdir, backend_schema), 'w').write(backend_schema_data)
1492 message("Your %s Backend for Samba4 is now configured, and is ready to be started" % ldap_backend_type)
1493 message("Server Role: %s" % serverrole)
1494 message("Hostname: %s" % names.hostname)
1495 message("DNS Domain: %s" % names.dnsdomain)
1496 message("Base DN: %s" % names.domaindn)
1498 if ldap_backend_type == "openldap":
1499 message("LDAP admin user: samba-admin")
1501 message("LDAP admin DN: %s" % names.ldapmanagerdn)
1503 message("LDAP admin password: %s" % adminpass)
1504 message(slapdcommand)
1505 if ol_olc == "yes" or ol_mmr_urls is not None:
1506 message("Attention to slapd-Port: <PORT> must be different than 389!")
1507 assert isinstance(ldap_backend_type, str)
1508 assert isinstance(ldapuser, str)
1509 assert isinstance(adminpass, str)
1510 assert isinstance(names.dnsdomain, str)
1511 assert isinstance(names.domain, str)
1512 assert isinstance(serverrole, str)
1513 args = ["--ldap-backend=ldapi",
1514 "--ldap-backend-type=" + ldap_backend_type,
1515 "--password=" + adminpass,
1517 "--realm=" + names.dnsdomain,
1518 "--domain=" + names.domain,
1519 "--server-role='" + serverrole + "'"]
1520 message("Run provision with: " + " ".join(args))
1523 # if --ol-olc=yes, generate online-configuration in ../private/ldap/slapd.d
1525 if not os.path.isdir(paths.olcdir):
1526 os.makedirs(paths.olcdir, 0770)
1527 paths.olslaptest = str(ol_slaptest)
1528 olc_command = paths.olslaptest + " -f" + paths.slapdconf + " -F" + paths.olcdir + " >/dev/null 2>&1"
1529 os.system(olc_command)
1530 os.remove(paths.slapdconf)
1531 # use line below for debugging during olc-conversion with slaptest, instead of olc_command above
1532 #olc_command = paths.olslaptest + " -f" + paths.slapdconf + " -F" + paths.olcdir"
1535 def create_phpldapadmin_config(path, setup_path, ldapi_uri):
1536 """Create a PHP LDAP admin configuration file.
1538 :param path: Path to write the configuration to.
1539 :param setup_path: Function to generate setup paths.
1541 setup_file(setup_path("phpldapadmin-config.php"), path,
1542 {"S4_LDAPI_URI": ldapi_uri})
1545 def create_zone_file(path, setup_path, dnsdomain, domaindn,
1546 hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid):
1547 """Write out a DNS zone file, from the info in the current database.
1549 :param path: Path of the new zone file.
1550 :param setup_path: Setup path function.
1551 :param dnsdomain: DNS Domain name
1552 :param domaindn: DN of the Domain
1553 :param hostip: Local IPv4 IP
1554 :param hostip6: Local IPv6 IP
1555 :param hostname: Local hostname
1556 :param dnspass: Password for DNS
1557 :param realm: Realm name
1558 :param domainguid: GUID of the domain.
1559 :param hostguid: GUID of the host.
1561 assert isinstance(domainguid, str)
1563 if hostip6 is not None:
1564 hostip6_base_line = " IN AAAA " + hostip6
1565 hostip6_host_line = hostname + " IN AAAA " + hostip6
1567 hostip6_base_line = ""
1568 hostip6_host_line = ""
1570 if hostip is not None:
1571 hostip_base_line = " IN A " + hostip
1572 hostip_host_line = hostname + " IN A " + hostip
1574 hostip_base_line = ""
1575 hostip_host_line = ""
1577 setup_file(setup_path("provision.zone"), path, {
1578 "DNSPASS_B64": b64encode(dnspass),
1579 "HOSTNAME": hostname,
1580 "DNSDOMAIN": dnsdomain,
1582 "HOSTIP_BASE_LINE": hostip_base_line,
1583 "HOSTIP_HOST_LINE": hostip_host_line,
1584 "DOMAINGUID": domainguid,
1585 "DATESTRING": time.strftime("%Y%m%d%H"),
1586 "DEFAULTSITE": DEFAULTSITE,
1587 "HOSTGUID": hostguid,
1588 "HOSTIP6_BASE_LINE": hostip6_base_line,
1589 "HOSTIP6_HOST_LINE": hostip6_host_line,
1593 def create_named_conf(path, setup_path, realm, dnsdomain,
1595 """Write out a file containing zone statements suitable for inclusion in a
1596 named.conf file (including GSS-TSIG configuration).
1598 :param path: Path of the new named.conf file.
1599 :param setup_path: Setup path function.
1600 :param realm: Realm name
1601 :param dnsdomain: DNS Domain name
1602 :param private_dir: Path to private directory
1603 :param keytab_name: File name of DNS keytab file
1606 setup_file(setup_path("named.conf"), path, {
1607 "DNSDOMAIN": dnsdomain,
1609 "REALM_WC": "*." + ".".join(realm.split(".")[1:]),
1610 "PRIVATE_DIR": private_dir
1613 def create_named_txt(path, setup_path, realm, dnsdomain,
1614 private_dir, keytab_name):
1615 """Write out a file containing zone statements suitable for inclusion in a
1616 named.conf file (including GSS-TSIG configuration).
1618 :param path: Path of the new named.conf file.
1619 :param setup_path: Setup path function.
1620 :param realm: Realm name
1621 :param dnsdomain: DNS Domain name
1622 :param private_dir: Path to private directory
1623 :param keytab_name: File name of DNS keytab file
1626 setup_file(setup_path("named.txt"), path, {
1627 "DNSDOMAIN": dnsdomain,
1629 "DNS_KEYTAB": keytab_name,
1630 "DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name),
1631 "PRIVATE_DIR": private_dir
1634 def create_krb5_conf(path, setup_path, dnsdomain, hostname, realm):
1635 """Write out a file containing zone statements suitable for inclusion in a
1636 named.conf file (including GSS-TSIG configuration).
1638 :param path: Path of the new named.conf file.
1639 :param setup_path: Setup path function.
1640 :param dnsdomain: DNS Domain name
1641 :param hostname: Local hostname
1642 :param realm: Realm name
1645 setup_file(setup_path("krb5.conf"), path, {
1646 "DNSDOMAIN": dnsdomain,
1647 "HOSTNAME": hostname,
1652 def load_schema(setup_path, samdb, schemadn, netbiosname, configdn, sitename,
1654 """Load schema for the SamDB.
1656 :param samdb: Load a schema into a SamDB.
1657 :param setup_path: Setup path function.
1658 :param schemadn: DN of the schema
1659 :param netbiosname: NetBIOS name of the host.
1660 :param configdn: DN of the configuration
1661 :param serverdn: DN of the server
1663 Returns the schema data loaded, to avoid double-parsing when then needing to add it to the db
1665 schema_data = get_schema_data(setup_path, {"SCHEMADN": schemadn})
1666 schema_data += open(setup_path("schema_samba4.ldif"), 'r').read()
1667 schema_data = substitute_var(schema_data, {"SCHEMADN": schemadn})
1668 check_all_substituted(schema_data)
1669 prefixmap = open(setup_path("prefixMap.txt"), 'r').read()
1670 prefixmap = b64encode(prefixmap)
1672 head_data = open(setup_path("provision_schema_basedn_modify.ldif"), 'r').read()
1673 head_data = substitute_var(head_data, {
1674 "SCHEMADN": schemadn,
1675 "NETBIOSNAME": netbiosname,
1676 "CONFIGDN": configdn,
1677 "DEFAULTSITE": sitename,
1678 "PREFIXMAP_B64": prefixmap,
1679 "SERVERDN": serverdn,
1681 check_all_substituted(head_data)
1682 samdb.attach_schema_from_ldif(head_data, schema_data)
1685 def get_schema_data(setup_path, subst_vars = None):
1686 """Get schema data from the AD schema files instead of schema.ldif.
1688 :param setup_path: Setup path function.
1689 :param subst_vars: Optional variables to substitute in the file.
1691 Returns the schema data after substitution
1694 # this data used to be read from schema.ldif
1696 data = read_ms_schema(setup_path('ad-schema/MS-AD_Schema_2K8Attributes.txt'),
1697 setup_path('ad-schema/MS-AD_Schema_2K8Classes.txt'))
1699 if subst_vars is not None:
1700 data = substitute_var(data, subst_vars)
1701 check_all_substituted(data)