1 # backend code for upgrading from Samba3
2 # Copyright Jelmer Vernooij 2005-2007
3 # Copyright Andrew Bartlett 2011
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Support code for upgrading from Samba 3 to Samba 4."""
21 __docformat__
= "restructuredText"
27 from samba
import Ldb
, registry
28 from samba
.provision
import provision
, ProvisioningError
, setsysvolacl
29 from samba
.provision
.common
import FILL_FULL
30 from samba
.samba3
import passdb
31 from samba
.samba3
import param
as s3param
32 from samba
.dcerpc
import lsa
, samr
, security
33 from samba
.dcerpc
.security
import dom_sid
34 from samba
.credentials
import Credentials
35 from samba
import dsdb
36 from samba
.ndr
import ndr_pack
37 from samba
import unix2nttime
38 from samba
import generate_random_password
41 def import_sam_policy(samdb
, policy
, logger
):
42 """Import a Samba 3 policy.
44 :param samdb: Samba4 SAM database
45 :param policy: Samba3 account policy
46 :param logger: Logger object
49 # Following entries are used -
50 # min password length, password history, minimum password age,
51 # maximum password age, lockout duration
53 # Following entries are not used -
54 # reset count minutes, user must logon to change password,
55 # bad lockout minutes, disconnect time
58 m
.dn
= samdb
.get_default_basedn()
60 if 'min password length' in policy
:
61 m
['a01'] = ldb
.MessageElement(str(policy
['min password length']),
62 ldb
.FLAG_MOD_REPLACE
, 'minPwdLength')
64 if 'password history' in policy
:
65 m
['a02'] = ldb
.MessageElement(str(policy
['password history']),
66 ldb
.FLAG_MOD_REPLACE
, 'pwdHistoryLength')
68 if 'minimum password age' in policy
:
69 min_pw_age_unix
= policy
['minimum password age']
70 min_pw_age_nt
= int(-min_pw_age_unix
* (1e7
))
71 m
['a03'] = ldb
.MessageElement(str(min_pw_age_nt
), ldb
.FLAG_MOD_REPLACE
,
74 if 'maximum password age' in policy
:
75 max_pw_age_unix
= policy
['maximum password age']
76 if max_pw_age_unix
== -1 or max_pw_age_unix
== 0 or max_pw_age_unix
== 0xFFFFFFFF:
77 max_pw_age_nt
= -0x8000000000000000
79 max_pw_age_nt
= int(-max_pw_age_unix
* (1e7
))
81 m
['a04'] = ldb
.MessageElement(str(max_pw_age_nt
), ldb
.FLAG_MOD_REPLACE
,
84 if 'lockout duration' in policy
:
85 lockout_duration_mins
= policy
['lockout duration']
86 lockout_duration_nt
= unix2nttime(lockout_duration_mins
* 60)
88 m
['a05'] = ldb
.MessageElement(str(lockout_duration_nt
),
89 ldb
.FLAG_MOD_REPLACE
, 'lockoutDuration')
93 except ldb
.LdbError
as e
:
94 logger
.warn("Could not set account policy, (%s)", str(e
))
97 def add_posix_attrs(logger
, samdb
, sid
, name
, nisdomain
, xid_type
, home
=None,
98 shell
=None, pgid
=None):
99 """Add posix attributes for the user/group
101 :param samdb: Samba4 sam.ldb database
102 :param sid: user/group sid
103 :param sid: user/group name
104 :param nisdomain: name of the (fake) NIS domain
105 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
106 :param home: user homedir (Unix homepath)
107 :param shell: user shell
108 :param pgid: users primary group id
113 m
.dn
= ldb
.Dn(samdb
, "<SID=%s>" % str(sid
))
114 if xid_type
== "ID_TYPE_UID":
115 m
['unixHomeDirectory'] = ldb
.MessageElement(
116 str(home
), ldb
.FLAG_MOD_REPLACE
, 'unixHomeDirectory')
117 m
['loginShell'] = ldb
.MessageElement(
118 str(shell
), ldb
.FLAG_MOD_REPLACE
, 'loginShell')
119 m
['gidNumber'] = ldb
.MessageElement(
120 str(pgid
), ldb
.FLAG_MOD_REPLACE
, 'gidNumber')
122 m
['msSFU30NisDomain'] = ldb
.MessageElement(
123 str(nisdomain
), ldb
.FLAG_MOD_REPLACE
, 'msSFU30NisDomain')
126 except ldb
.LdbError
as e
:
128 'Could not add posix attrs for AD entry for sid=%s, (%s)',
132 def add_ad_posix_idmap_entry(samdb
, sid
, xid
, xid_type
, logger
):
133 """Create idmap entry
135 :param samdb: Samba4 sam.ldb database
136 :param sid: user/group sid
137 :param xid: user/group id
138 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
139 :param logger: Logger object
144 m
.dn
= ldb
.Dn(samdb
, "<SID=%s>" % str(sid
))
145 if xid_type
== "ID_TYPE_UID":
146 m
['uidNumber'] = ldb
.MessageElement(
147 str(xid
), ldb
.FLAG_MOD_REPLACE
, 'uidNumber')
148 m
['objectClass'] = ldb
.MessageElement(
149 "posixAccount", ldb
.FLAG_MOD_ADD
, 'objectClass')
150 elif xid_type
== "ID_TYPE_GID":
151 m
['gidNumber'] = ldb
.MessageElement(
152 str(xid
), ldb
.FLAG_MOD_REPLACE
, 'gidNumber')
153 m
['objectClass'] = ldb
.MessageElement(
154 "posixGroup", ldb
.FLAG_MOD_ADD
, 'objectClass')
157 except ldb
.LdbError
as e
:
159 'Could not modify AD idmap entry for sid=%s, id=%s, type=%s (%s)',
160 str(sid
), str(xid
), xid_type
, str(e
))
163 def add_idmap_entry(idmapdb
, sid
, xid
, xid_type
, logger
):
164 """Create idmap entry
166 :param idmapdb: Samba4 IDMAP database
167 :param sid: user/group sid
168 :param xid: user/group id
169 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
170 :param logger: Logger object
173 # First try to see if we already have this entry
175 msg
= idmapdb
.search(expression
='objectSid=%s' % str(sid
))
183 m
['xidNumber'] = ldb
.MessageElement(
184 str(xid
), ldb
.FLAG_MOD_REPLACE
, 'xidNumber')
185 m
['type'] = ldb
.MessageElement(
186 xid_type
, ldb
.FLAG_MOD_REPLACE
, 'type')
188 except ldb
.LdbError
as e
:
190 'Could not modify idmap entry for sid=%s, id=%s, type=%s (%s)',
191 str(sid
), str(xid
), xid_type
, str(e
))
194 idmapdb
.add({"dn": "CN=%s" % str(sid
),
196 "objectClass": "sidMap",
197 "objectSid": ndr_pack(sid
),
199 "xidNumber": str(xid
)})
200 except ldb
.LdbError
as e
:
202 'Could not add idmap entry for sid=%s, id=%s, type=%s (%s)',
203 str(sid
), str(xid
), xid_type
, str(e
))
206 def import_idmap(idmapdb
, samba3
, logger
):
207 """Import idmap data.
209 :param idmapdb: Samba4 IDMAP database
210 :param samba3_idmap: Samba3 IDMAP database to import from
211 :param logger: Logger object
215 samba3_idmap
= samba3
.get_idmap_db()
217 logger
.warn('Cannot open idmap database, Ignoring: %s', str(e
))
220 currentxid
= max(samba3_idmap
.get_user_hwm(), samba3_idmap
.get_group_hwm())
221 lowerbound
= currentxid
225 m
.dn
= ldb
.Dn(idmapdb
, 'CN=CONFIG')
226 m
['lowerbound'] = ldb
.MessageElement(
227 str(lowerbound
), ldb
.FLAG_MOD_REPLACE
, 'lowerBound')
228 m
['xidNumber'] = ldb
.MessageElement(
229 str(currentxid
), ldb
.FLAG_MOD_REPLACE
, 'xidNumber')
232 for id_type
, xid
in samba3_idmap
.ids():
234 xid_type
= 'ID_TYPE_UID'
235 elif id_type
== 'GID':
236 xid_type
= 'ID_TYPE_GID'
238 logger
.warn('Wrong type of entry in idmap (%s), Ignoring', id_type
)
241 sid
= samba3_idmap
.get_sid(xid
, id_type
)
242 add_idmap_entry(idmapdb
, dom_sid(sid
), xid
, xid_type
, logger
)
245 def add_group_from_mapping_entry(samdb
, groupmap
, logger
):
246 """Add or modify group from group mapping entry
248 param samdb: Samba4 SAM database
249 param groupmap: Groupmap entry
250 param logger: Logger object
253 # First try to see if we already have this entry
256 base
='<SID=%s>' % str(groupmap
.sid
), scope
=ldb
.SCOPE_BASE
)
258 except ldb
.LdbError
as e1
:
259 (ecode
, emsg
) = e1
.args
260 if ecode
== ldb
.ERR_NO_SUCH_OBJECT
:
263 raise ldb
.LdbError(ecode
, emsg
)
266 logger
.warn('Group already exists sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
267 str(groupmap
.sid
), groupmap
.nt_name
, msg
[0]['sAMAccountName'][0])
269 if groupmap
.sid_name_use
== lsa
.SID_NAME_WKN_GRP
:
270 # In a lot of Samba3 databases, aliases are marked as well known groups
271 (group_dom_sid
, rid
) = groupmap
.sid
.split()
272 if (group_dom_sid
!= security
.dom_sid(security
.SID_BUILTIN
)):
276 # We avoid using the format string to avoid needing to escape the CN values
277 m
.dn
= ldb
.Dn(samdb
, "CN=X,CN=Users")
278 m
.dn
.set_component(0, "CN", groupmap
.nt_name
)
279 m
.dn
.add_base(samdb
.get_default_basedn())
280 m
['objectClass'] = ldb
.MessageElement('group', ldb
.FLAG_MOD_ADD
, 'objectClass')
281 m
['objectSid'] = ldb
.MessageElement(ndr_pack(groupmap
.sid
), ldb
.FLAG_MOD_ADD
,
283 m
['sAMAccountName'] = ldb
.MessageElement(groupmap
.nt_name
, ldb
.FLAG_MOD_ADD
,
287 m
['description'] = ldb
.MessageElement(groupmap
.comment
, ldb
.FLAG_MOD_ADD
,
290 # Fix up incorrect 'well known' groups that are actually builtin (per test above) to be aliases
291 if groupmap
.sid_name_use
== lsa
.SID_NAME_ALIAS
or groupmap
.sid_name_use
== lsa
.SID_NAME_WKN_GRP
:
292 m
['groupType'] = ldb
.MessageElement(str(dsdb
.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP
),
293 ldb
.FLAG_MOD_ADD
, 'groupType')
296 samdb
.add(m
, controls
=["relax:0"])
297 except ldb
.LdbError
as e
:
298 logger
.warn('Could not add group name=%s (%s)', groupmap
.nt_name
, str(e
))
301 def add_users_to_group(samdb
, group
, members
, logger
):
302 """Add user/member to group/alias
304 param samdb: Samba4 SAM database
305 param group: Groupmap object
306 param members: List of member SIDs
307 param logger: Logger object
309 for member_sid
in members
:
311 m
.dn
= ldb
.Dn(samdb
, "<SID=%s>" % str(group
.sid
))
312 m
['a01'] = ldb
.MessageElement("<SID=%s>" % str(member_sid
), ldb
.FLAG_MOD_ADD
, 'member')
316 except ldb
.LdbError
as e
:
317 (ecode
, emsg
) = e
.args
318 if ecode
== ldb
.ERR_ENTRY_ALREADY_EXISTS
:
319 logger
.debug("skipped re-adding member '%s' to group '%s': %s", member_sid
, group
.sid
, emsg
)
320 elif ecode
== ldb
.ERR_NO_SUCH_OBJECT
:
321 raise ProvisioningError("Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s" % (member_sid
, group
.sid
, emsg
))
323 raise ProvisioningError("Could not add member '%s' to group '%s': %s" % (member_sid
, group
.sid
, emsg
))
326 def import_wins(samba4_winsdb
, samba3_winsdb
):
327 """Import settings from a Samba3 WINS database.
329 :param samba4_winsdb: WINS database to import to
330 :param samba3_winsdb: WINS database to import from
335 for (name
, (ttl
, ips
, nb_flags
)) in samba3_winsdb
.items():
338 type = int(name
.split("#", 1)[1], 16)
353 if ttl
> time
.time():
354 rState
= 0x0 # active
356 rState
= 0x1 # released
358 nType
= ((nb_flags
& 0x60) >> 5)
360 samba4_winsdb
.add({"dn": "name=%s,type=0x%s" % tuple(name
.split("#")),
361 "type": name
.split("#")[1],
362 "name": name
.split("#")[0],
363 "objectClass": "winsRecord",
364 "recordType": str(rType
),
365 "recordState": str(rState
),
366 "nodeType": str(nType
),
367 "expireTime": ldb
.timestring(ttl
),
369 "versionID": str(version_id
),
372 samba4_winsdb
.add({"dn": "cn=VERSION",
374 "objectClass": "winsMaxVersion",
375 "maxVersion": str(version_id
)})
378 SAMBA3_PREDEF_NAMES
= {
379 'HKLM': registry
.HKEY_LOCAL_MACHINE
,
383 def import_registry(samba4_registry
, samba3_regdb
):
384 """Import a Samba 3 registry database into the Samba 4 registry.
386 :param samba4_registry: Samba 4 registry handle.
387 :param samba3_regdb: Samba 3 registry database handle.
389 def ensure_key_exists(keypath
):
390 (predef_name
, keypath
) = keypath
.split("/", 1)
391 predef_id
= SAMBA3_PREDEF_NAMES
[predef_name
]
392 keypath
= keypath
.replace("/", "\\")
393 return samba4_registry
.create_key(predef_id
, keypath
)
395 for key
in samba3_regdb
.keys():
396 key_handle
= ensure_key_exists(key
)
397 for subkey
in samba3_regdb
.subkeys(key
):
398 ensure_key_exists(subkey
)
399 for (value_name
, (value_type
, value_data
)) in samba3_regdb
.values(key
).items():
400 key_handle
.set_value(value_name
, value_type
, value_data
)
403 def get_posix_attr_from_ldap_backend(logger
, ldb_object
, base_dn
, user
, attr
):
404 """Get posix attributes from a samba3 ldap backend
405 :param ldbs: a list of ldb connection objects
406 :param base_dn: the base_dn of the connection
407 :param user: the user to get the attribute for
408 :param attr: the attribute to be retrieved
411 msg
= ldb_object
.search(base_dn
, scope
=ldb
.SCOPE_SUBTREE
,
412 expression
=("(&(objectClass=posixAccount)(uid=%s))"
413 % (user
)), attrs
=[attr
])
414 except ldb
.LdbError
as e
:
415 raise ProvisioningError("Failed to retrieve attribute %s for user %s, the error is: %s" % (attr
, user
, e
))
418 # This will raise KeyError (which is what we want) if there isn't a entry for this user
419 return msg
[0][attr
][0]
421 logger
.warning("LDAP entry for user %s contains more than one %s", user
, attr
)
425 def upgrade_from_samba3(samba3
, logger
, targetdir
, session_info
=None,
426 useeadb
=False, dns_backend
=None, use_ntvfs
=False):
427 """Upgrade from samba3 database to samba4 AD database
429 :param samba3: samba3 object
430 :param logger: Logger object
431 :param targetdir: samba4 database directory
432 :param session_info: Session information
434 serverrole
= samba3
.lp
.server_role()
436 domainname
= samba3
.lp
.get("workgroup")
437 realm
= samba3
.lp
.get("realm")
438 netbiosname
= samba3
.lp
.get("netbios name")
440 if samba3
.lp
.get("ldapsam:trusted") is None:
441 samba3
.lp
.set("ldapsam:trusted", "yes")
445 secrets_db
= samba3
.get_secrets_db()
447 raise ProvisioningError("Could not open '%s', the Samba3 secrets database: %s. Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option?" % (samba3
.privatedir_path("secrets.tdb"), str(e
)))
450 domainname
= secrets_db
.domains()[0]
451 logger
.warning("No workgroup specified in smb.conf file, assuming '%s'",
455 if serverrole
== "ROLE_DOMAIN_BDC" or serverrole
== "ROLE_DOMAIN_PDC":
456 raise ProvisioningError("No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create.")
458 realm
= domainname
.upper()
459 logger
.warning("No realm specified in smb.conf file, assuming '%s'",
462 # Find machine account and password
466 machinepass
= secrets_db
.get_machine_password(netbiosname
)
470 if samba3
.lp
.get("passdb backend").split(":")[0].strip() == "ldapsam":
471 base_dn
= samba3
.lp
.get("ldap suffix")
472 ldapuser
= samba3
.lp
.get("ldap admin dn")
473 ldappass
= secrets_db
.get_ldap_bind_pw(ldapuser
)
475 raise ProvisioningError("ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation.")
476 ldappass
= ldappass
.decode('utf-8').strip('\x00')
483 # We must close the direct pytdb database before the C code loads it
486 # Connect to old password backend
487 passdb
.set_secrets_dir(samba3
.lp
.get("private dir"))
488 s3db
= samba3
.get_sam_db()
492 domainsid
= passdb
.get_global_sam_sid()
494 raise Exception("Can't find domain sid for '%s', Exiting." % domainname
)
496 # Get machine account, sid, rid
498 machineacct
= s3db
.getsampwnam('%s$' % netbiosname
)
503 machinesid
, machinerid
= machineacct
.user_sid
.split()
505 # Export account policy
506 logger
.info("Exporting account policy")
507 policy
= s3db
.get_account_policy()
509 # Export groups from old passdb backend
510 logger
.info("Exporting groups")
511 grouplist
= s3db
.enum_group_mapping()
513 for group
in grouplist
:
514 sid
, rid
= group
.sid
.split()
519 # Get members for each group/alias
520 if group
.sid_name_use
== lsa
.SID_NAME_ALIAS
:
522 members
= s3db
.enum_aliasmem(group
.sid
)
523 groupmembers
[str(group
.sid
)] = members
524 except passdb
.error
as e
:
525 logger
.warn("Ignoring group '%s' %s listed but then not found: %s",
526 group
.nt_name
, group
.sid
, e
)
528 elif group
.sid_name_use
== lsa
.SID_NAME_DOM_GRP
:
530 members
= s3db
.enum_group_members(group
.sid
)
531 groupmembers
[str(group
.sid
)] = members
532 except passdb
.error
as e
:
533 logger
.warn("Ignoring group '%s' %s listed but then not found: %s",
534 group
.nt_name
, group
.sid
, e
)
536 elif group
.sid_name_use
== lsa
.SID_NAME_WKN_GRP
:
537 (group_dom_sid
, rid
) = group
.sid
.split()
538 if (group_dom_sid
!= security
.dom_sid(security
.SID_BUILTIN
)):
539 logger
.warn("Ignoring 'well known' group '%s' (should already be in AD, and have no members)",
542 # A number of buggy databases mix up well known groups and aliases.
544 members
= s3db
.enum_aliasmem(group
.sid
)
545 groupmembers
[str(group
.sid
)] = members
546 except passdb
.error
as e
:
547 logger
.warn("Ignoring group '%s' %s listed but then not found: %s",
548 group
.nt_name
, group
.sid
, e
)
551 logger
.warn("Ignoring group '%s' %s with sid_name_use=%d",
552 group
.nt_name
, group
.sid
, group
.sid_name_use
)
555 # Export users from old passdb backend
556 logger
.info("Exporting users")
557 userlist
= s3db
.search_users(0)
561 for entry
in userlist
:
562 if machinerid
and machinerid
== entry
['rid']:
564 username
= entry
['account_name']
565 if entry
['rid'] < 1000:
566 logger
.info(" Skipping wellknown rid=%d (for username=%s)", entry
['rid'], username
)
568 if entry
['rid'] >= next_rid
:
569 next_rid
= entry
['rid'] + 1
571 user
= s3db
.getsampwnam(username
)
572 acct_type
= (user
.acct_ctrl
& (samr
.ACB_NORMAL |
576 if acct_type
== samr
.ACB_SVRTRUST
:
577 logger
.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'" % username
[:-1])
578 user
.acct_ctrl
= (user
.acct_ctrl
& ~samr
.ACB_SVRTRUST
) | samr
.ACB_WSTRUST
580 elif acct_type
== samr
.ACB_DOMTRUST
:
581 logger
.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username
[:-1])
584 elif acct_type
== (samr
.ACB_WSTRUST
) and username
[-1] != '$':
585 logger
.warn(" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration." % username
)
588 elif acct_type
== (samr
.ACB_NORMAL | samr
.ACB_WSTRUST
) and username
[-1] == '$':
589 logger
.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username
)
590 user
.acct_ctrl
= (user
.acct_ctrl
& ~samr
.ACB_NORMAL
)
592 elif acct_type
== (samr
.ACB_NORMAL | samr
.ACB_SVRTRUST
) and username
[-1] == '$':
593 logger
.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member" % username
)
594 user
.acct_ctrl
= (user
.acct_ctrl
& ~samr
.ACB_NORMAL
)
596 elif acct_type
== 0 and username
[-1] != '$':
597 user
.acct_ctrl
= (user
.acct_ctrl | samr
.ACB_NORMAL
)
599 elif (acct_type
== samr
.ACB_NORMAL
or acct_type
== samr
.ACB_WSTRUST
):
603 raise ProvisioningError("""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of
604 ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X).
606 Please fix this account before attempting to upgrade again
608 % (username
, user
.acct_ctrl
,
609 samr
.ACB_NORMAL
, samr
.ACB_WSTRUST
, samr
.ACB_SVRTRUST
, samr
.ACB_DOMTRUST
))
611 userdata
[username
] = user
613 uids
[username
] = s3db
.sid_to_id(user
.user_sid
)[0]
616 uids
[username
] = pwd
.getpwnam(username
).pw_uid
620 if not admin_user
and username
.lower() == 'root':
621 admin_user
= username
622 if username
.lower() == 'administrator':
623 admin_user
= username
626 group_memberships
= s3db
.enum_group_memberships(user
)
627 for group
in group_memberships
:
628 if str(group
) in groupmembers
:
629 if user
.user_sid
not in groupmembers
[str(group
)]:
630 groupmembers
[str(group
)].append(user
.user_sid
)
632 groupmembers
[str(group
)] = [user
.user_sid
]
633 except passdb
.error
as e
:
634 logger
.warn("Ignoring group memberships of '%s' %s: %s",
635 username
, user
.user_sid
, e
)
637 logger
.info("Next rid = %d", next_rid
)
639 # Check for same username/groupname
640 group_names
= set([g
.nt_name
for g
in grouplist
])
641 user_names
= set([u
['account_name'] for u
in userlist
])
642 common_names
= group_names
.intersection(user_names
)
644 logger
.error("Following names are both user names and group names:")
645 for name
in common_names
:
646 logger
.error(" %s" % name
)
647 raise ProvisioningError("Please remove common user/group names before upgrade.")
649 # Check for same user sid/group sid
650 group_sids
= set([str(g
.sid
) for g
in grouplist
])
651 if len(grouplist
) != len(group_sids
):
652 raise ProvisioningError("Please remove duplicate group sid entries before upgrade.")
653 user_sids
= set(["%s-%u" % (domainsid
, u
['rid']) for u
in userlist
])
654 if len(userlist
) != len(user_sids
):
655 raise ProvisioningError("Please remove duplicate user sid entries before upgrade.")
656 common_sids
= group_sids
.intersection(user_sids
)
658 logger
.error("Following sids are both user and group sids:")
659 for sid
in common_sids
:
660 logger
.error(" %s" % str(sid
))
661 raise ProvisioningError("Please remove duplicate sid entries before upgrade.")
663 # Get posix attributes from ldap or the os
668 creds
= Credentials()
669 creds
.guess(samba3
.lp
)
670 creds
.set_bind_dn(ldapuser
)
671 creds
.set_password(ldappass
)
672 urls
= samba3
.lp
.get("passdb backend").split(":", 1)[1].strip('"')
673 for url
in urls
.split():
675 ldb_object
= Ldb(url
, credentials
=creds
)
676 except ldb
.LdbError
as e
:
677 raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url
, e
))
680 logger
.info("Exporting posix attributes")
681 userlist
= s3db
.search_users(0)
682 for entry
in userlist
:
683 username
= entry
['account_name']
684 if username
in uids
.keys():
687 homes
[username
] = get_posix_attr_from_ldap_backend(logger
, ldb_object
, base_dn
, username
, "homeDirectory")
689 homes
[username
] = pwd
.getpwnam(username
).pw_dir
697 shells
[username
] = get_posix_attr_from_ldap_backend(logger
, ldb_object
, base_dn
, username
, "loginShell")
699 shells
[username
] = pwd
.getpwnam(username
).pw_shell
707 pgids
[username
] = get_posix_attr_from_ldap_backend(logger
, ldb_object
, base_dn
, username
, "gidNumber")
709 pgids
[username
] = pwd
.getpwnam(username
).pw_gid
715 logger
.info("Reading WINS database")
718 samba3_winsdb
= samba3
.get_wins_db()
720 logger
.warn('Cannot open wins database, Ignoring: %s', str(e
))
722 if not (serverrole
== "ROLE_DOMAIN_BDC" or serverrole
== "ROLE_DOMAIN_PDC"):
725 # If we found an admin user, set a fake pw that we will override.
726 # This avoids us printing out an admin password that we won't actually
729 adminpass
= generate_random_password(12, 32)
734 result
= provision(logger
, session_info
,
735 targetdir
=targetdir
, realm
=realm
, domain
=domainname
,
736 domainsid
=domainsid
, next_rid
=next_rid
,
737 dc_rid
=machinerid
, adminpass
=adminpass
,
738 dom_for_fun_level
=dsdb
.DS_DOMAIN_FUNCTION_2003
,
739 hostname
=netbiosname
.lower(), machinepass
=machinepass
,
740 serverrole
=serverrole
, samdb_fill
=FILL_FULL
,
741 useeadb
=useeadb
, dns_backend
=dns_backend
, use_rfc2307
=True,
742 use_ntvfs
=use_ntvfs
, skip_sysvolacl
=True)
743 result
.report_logger(logger
)
745 # Import WINS database
746 logger
.info("Importing WINS database")
749 import_wins(Ldb(result
.paths
.winsdb
), samba3_winsdb
)
752 logger
.info("Importing Account policy")
753 import_sam_policy(result
.samdb
, policy
, logger
)
755 # Migrate IDMAP database
756 logger
.info("Importing idmap database")
757 import_idmap(result
.idmap
, samba3
, logger
)
759 # Set the s3 context for samba4 configuration
760 new_lp_ctx
= s3param
.get_context()
761 new_lp_ctx
.load(result
.lp
.configfile
)
762 new_lp_ctx
.set("private dir", result
.lp
.get("private dir"))
763 new_lp_ctx
.set("state directory", result
.lp
.get("state directory"))
764 new_lp_ctx
.set("lock directory", result
.lp
.get("lock directory"))
766 # Connect to samba4 backend
767 s4_passdb
= passdb
.PDB(new_lp_ctx
.get("passdb backend"))
769 # Start a new transaction (should speed this up a little, due to index churn)
770 result
.samdb
.transaction_start()
772 logger
.info("Adding groups")
774 # Export groups to samba4 backend
775 logger
.info("Importing groups")
777 # Ignore uninitialized groups (gid = -1)
779 add_group_from_mapping_entry(result
.samdb
, g
, logger
)
780 add_ad_posix_idmap_entry(result
.samdb
, g
.sid
, g
.gid
, "ID_TYPE_GID", logger
)
781 add_posix_attrs(samdb
=result
.samdb
, sid
=g
.sid
, name
=g
.nt_name
, nisdomain
=domainname
.lower(), xid_type
="ID_TYPE_GID", logger
=logger
)
784 # We need this, so that we do not give even more errors due to not cancelling the transaction
785 result
.samdb
.transaction_cancel()
788 logger
.info("Committing 'add groups' transaction to disk")
789 result
.samdb
.transaction_commit()
791 logger
.info("Adding users")
793 # Export users to samba4 backend
794 logger
.info("Importing users")
795 for username
in userdata
:
796 if username
.lower() == 'administrator':
797 if userdata
[username
].user_sid
!= dom_sid(str(domainsid
) + "-500"):
798 logger
.error("User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata
[username
].user_sid
, dom_sid(str(domainsid
) + "-500")))
799 raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
800 if username
.lower() == 'root':
801 if userdata
[username
].user_sid
== dom_sid(str(domainsid
) + "-500"):
802 logger
.warn('User root has been replaced by Administrator')
804 logger
.warn('User root has been kept in the directory, it should be removed in favour of the Administrator user')
806 s4_passdb
.add_sam_account(userdata
[username
])
808 add_ad_posix_idmap_entry(result
.samdb
, userdata
[username
].user_sid
, uids
[username
], "ID_TYPE_UID", logger
)
809 if (username
in homes
) and (homes
[username
] is not None) and \
810 (username
in shells
) and (shells
[username
] is not None) and \
811 (username
in pgids
) and (pgids
[username
] is not None):
812 add_posix_attrs(samdb
=result
.samdb
, sid
=userdata
[username
].user_sid
, name
=username
, nisdomain
=domainname
.lower(), xid_type
="ID_TYPE_UID", home
=homes
[username
], shell
=shells
[username
], pgid
=pgids
[username
], logger
=logger
)
814 logger
.info("Adding users to groups")
815 # Start a new transaction (should speed this up a little, due to index churn)
816 result
.samdb
.transaction_start()
820 if str(g
.sid
) in groupmembers
:
821 add_users_to_group(result
.samdb
, g
, groupmembers
[str(g
.sid
)], logger
)
824 # We need this, so that we do not give even more errors due to not cancelling the transaction
825 result
.samdb
.transaction_cancel()
828 logger
.info("Committing 'add users to groups' transaction to disk")
829 result
.samdb
.transaction_commit()
831 # Set password for administrator
833 logger
.info("Setting password for administrator")
834 admin_userdata
= s4_passdb
.getsampwnam("administrator")
835 admin_userdata
.nt_passwd
= userdata
[admin_user
].nt_passwd
836 if userdata
[admin_user
].lanman_passwd
:
837 admin_userdata
.lanman_passwd
= userdata
[admin_user
].lanman_passwd
838 admin_userdata
.pass_last_set_time
= userdata
[admin_user
].pass_last_set_time
839 if userdata
[admin_user
].pw_history
:
840 admin_userdata
.pw_history
= userdata
[admin_user
].pw_history
841 s4_passdb
.update_sam_account(admin_userdata
)
842 logger
.info("Administrator password has been set to password of user '%s'", admin_user
)
844 if result
.server_role
== "active directory domain controller":
845 setsysvolacl(result
.samdb
, result
.paths
.netlogon
, result
.paths
.sysvol
,
846 result
.paths
.root_uid
, result
.paths
.root_gid
,
847 security
.dom_sid(result
.domainsid
), result
.names
.dnsdomain
,
848 result
.names
.domaindn
, result
.lp
, use_ntvfs
)
850 # FIXME: import_registry(registry.Registry(), samba3.get_registry())