from samba import Ldb, registry
from samba.param import LoadParm
-from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
+from samba.provision import provision, ProvisioningError, setsysvolacl
+from samba.provision.common import FILL_FULL
from samba.samba3 import passdb
from samba.samba3 import param as s3param
from samba.dcerpc import lsa, samr, security
"maxVersion": str(version_id)})
-def enable_samba3sam(samdb, ldapurl):
- """Enable Samba 3 LDAP URL database.
-
- :param samdb: SAM Database.
- :param ldapurl: Samba 3 LDAP URL
- """
- samdb.modify_ldif("""
-dn: @MODULES
-changetype: modify
-replace: @LIST
-@LIST: samldb,operational,objectguid,rdn_name,samba3sam
-""")
-
- samdb.add({"dn": "@MAP=samba3sam", "@MAP_URL": ldapurl})
-
-
-smbconf_keep = [
- "dos charset",
- "unix charset",
- "display charset",
- "comment",
- "path",
- "directory",
- "workgroup",
- "realm",
- "netbios name",
- "netbios aliases",
- "netbios scope",
- "server string",
- "interfaces",
- "bind interfaces only",
- "security",
- "auth methods",
- "encrypt passwords",
- "null passwords",
- "obey pam restrictions",
- "password server",
- "smb passwd file",
- "private dir",
- "passwd chat",
- "password level",
- "lanman auth",
- "ntlm auth",
- "client NTLMv2 auth",
- "client lanman auth",
- "client plaintext auth",
- "read only",
- "hosts allow",
- "hosts deny",
- "log level",
- "debuglevel",
- "log file",
- "smb ports",
- "large readwrite",
- "max protocol",
- "min protocol",
- "unicode",
- "read raw",
- "write raw",
- "disable netbios",
- "nt status support",
- "max mux",
- "max xmit",
- "name resolve order",
- "max wins ttl",
- "min wins ttl",
- "time server",
- "unix extensions",
- "use spnego",
- "server signing",
- "client signing",
- "max connections",
- "paranoid server security",
- "socket options",
- "strict sync",
- "max print jobs",
- "printable",
- "print ok",
- "printer name",
- "printer",
- "map system",
- "map hidden",
- "map archive",
- "preferred master",
- "prefered master",
- "local master",
- "browseable",
- "browsable",
- "wins server",
- "wins support",
- "csc policy",
- "strict locking",
- "preload",
- "auto services",
- "lock dir",
- "lock directory",
- "pid directory",
- "socket address",
- "copy",
- "include",
- "available",
- "volume",
- "fstype",
- "panic action",
- "msdfs root",
- "host msdfs",
- "winbind separator"]
-
-
-def upgrade_smbconf(oldconf, mark):
- """Remove configuration variables not present in Samba4
-
- :param oldconf: Old configuration structure
- :param mark: Whether removed configuration variables should be
- kept in the new configuration as "samba3:<name>"
- """
- data = oldconf.data()
- newconf = LoadParm()
-
- for s in data:
- for p in data[s]:
- keep = False
- for k in smbconf_keep:
- if smbconf_keep[k] == p:
- keep = True
- break
-
- if keep:
- newconf.set(s, p, oldconf.get(s, p))
- elif mark:
- newconf.set(s, "samba3:" + p, oldconf.get(s, p))
-
- return newconf
-
SAMBA3_PREDEF_NAMES = {
'HKLM': registry.HKEY_LOCAL_MACHINE,
}
expression=("(&(objectClass=posixAccount)(uid=%s))"
% (user)), attrs=[attr])
except ldb.LdbError, e:
- raise ProvisioningError("Failed to retrieve attribute %s for user %s, the error is: %s", attr, user, e)
+ raise ProvisioningError("Failed to retrieve attribute %s for user %s, the error is: %s" % (attr, user, e))
else:
if msg.count <= 1:
# This will raise KeyError (which is what we want) if there isn't a entry for this user
user = s3db.getsampwnam(username)
acct_type = (user.acct_ctrl & (samr.ACB_NORMAL|samr.ACB_WSTRUST|samr.ACB_SVRTRUST|samr.ACB_DOMTRUST))
if acct_type == samr.ACB_SVRTRUST:
- logger.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain promote'" % username[:-1])
+ logger.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'" % username[:-1])
user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST
elif acct_type == samr.ACB_DOMTRUST:
logger.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username[:-1])
+ continue
elif acct_type == (samr.ACB_WSTRUST) and username[-1] != '$':
logger.warn(" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration." % username)
try:
ldb_object = Ldb(url, credentials=creds)
except ldb.LdbError, e:
- raise ProvisiongError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
+ raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
else:
break
logger.info("Exporting posix attributes")
adminpass = None
# Do full provision
- result = provision(logger, session_info, None,
+ result = provision(logger, session_info,
targetdir=targetdir, realm=realm, domain=domainname,
- domainsid=str(domainsid), next_rid=next_rid,
+ domainsid=domainsid, next_rid=next_rid,
dc_rid=machinerid, adminpass = adminpass,
dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
hostname=netbiosname.lower(), machinepass=machinepass,
# Connect to samba4 backend
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
- # Export groups to samba4 backend
- logger.info("Importing groups")
- for g in grouplist:
- # Ignore uninitialized groups (gid = -1)
- if g.gid != -1:
- add_group_from_mapping_entry(result.samdb, g, logger)
- add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, "ID_TYPE_GID", logger)
- add_posix_attrs(samdb=result.samdb, sid=g.sid, name=g.nt_name, nisdomain=domainname.lower(), xid_type="ID_TYPE_GID", logger=logger)
-
- # Export users to samba4 backend
- logger.info("Importing users")
- for username in userdata:
- if username.lower() == 'administrator':
- if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
- logger.error("User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata[username].user_sid, dom_sid(str(domainsid) + "-500")))
- raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
- if username.lower() == 'root':
- if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
- logger.warn('User root has been replaced by Administrator')
- else:
- logger.warn('User root has been kept in the directory, it should be removed in favour of the Administrator user')
+ # Start a new transaction (should speed this up a little, due to index churn)
+ result.samdb.transaction_start()
- s4_passdb.add_sam_account(userdata[username])
- if username in uids:
- add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
- if (username in homes) and (homes[username] is not None) and \
- (username in shells) and (shells[username] is not None) and \
- (username in pgids) and (pgids[username] is not None):
- add_posix_attrs(samdb=result.samdb, sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], pgid=pgids[username], logger=logger)
+ logger.info("Adding groups")
+ try:
+ # Export groups to samba4 backend
+ logger.info("Importing groups")
+ for g in grouplist:
+ # Ignore uninitialized groups (gid = -1)
+ if g.gid != -1:
+ add_group_from_mapping_entry(result.samdb, g, logger)
+ add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, "ID_TYPE_GID", logger)
+ add_posix_attrs(samdb=result.samdb, sid=g.sid, name=g.nt_name, nisdomain=domainname.lower(), xid_type="ID_TYPE_GID", logger=logger)
+
+ except:
+ # We need this, so that we do not give even more errors due to not cancelling the transaction
+ result.samdb.transaction_cancel()
+ raise
+
+ logger.info("Committing 'add groups' transaction to disk")
+ result.samdb.transaction_commit()
+
+ logger.info("Adding users")
+ # Start a new transaction (should speed this up a little, due to index churn)
+ result.samdb.transaction_start()
+
+ try:
+ # Export users to samba4 backend
+ logger.info("Importing users")
+ for username in userdata:
+ if username.lower() == 'administrator':
+ if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
+ logger.error("User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata[username].user_sid, dom_sid(str(domainsid) + "-500")))
+ raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
+ if username.lower() == 'root':
+ if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
+ logger.warn('User root has been replaced by Administrator')
+ else:
+ logger.warn('User root has been kept in the directory, it should be removed in favour of the Administrator user')
+
+ s4_passdb.add_sam_account(userdata[username])
+ if username in uids:
+ add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
+ if (username in homes) and (homes[username] is not None) and \
+ (username in shells) and (shells[username] is not None) and \
+ (username in pgids) and (pgids[username] is not None):
+ add_posix_attrs(samdb=result.samdb, sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], pgid=pgids[username], logger=logger)
+
+ except:
+ # We need this, so that we do not give even more errors due to not cancelling the transaction
+ result.samdb.transaction_cancel()
+ raise
+
+ logger.info("Committing 'add users' transaction to disk")
+ result.samdb.transaction_commit()
logger.info("Adding users to groups")
- for g in grouplist:
- if str(g.sid) in groupmembers:
- add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
+ # Start a new transaction (should speed this up a little, due to index churn)
+ result.samdb.transaction_start()
+
+ try:
+ for g in grouplist:
+ if str(g.sid) in groupmembers:
+ add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
+
+ except:
+ # We need this, so that we do not give even more errors due to not cancelling the transaction
+ result.samdb.transaction_cancel()
+ raise
+
+ logger.info("Committing 'add users to groups' transaction to disk")
+ result.samdb.transaction_commit()
# Set password for administrator
if admin_user: