search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:service_named_pipe: make use of tstream_bsd_fail_readv_first_error(true)
[Samba.git] / python / samba / upgrade.py
blobbc21172a0d435d298ab867abdb2a862a04744009
1 # backend code for upgrading from Samba3
2 # Copyright Jelmer Vernooij 2005-2007
3 # Copyright Andrew Bartlett 2011
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 #
18
19 """Support code for upgrading from Samba 3 to Samba 4."""
20
21 __docformat__ = "restructuredText"
22
23 import ldb
24 import time
25 import pwd
26
27 from samba import Ldb, registry
28 from samba.provision import provision, ProvisioningError, setsysvolacl
29 from samba.provision.common import FILL_FULL
30 from samba.samba3 import passdb
31 from samba.samba3 import param as s3param
32 from samba.dcerpc import lsa, samr, security
33 from samba.dcerpc.security import dom_sid
34 from samba.credentials import Credentials
35 from samba import dsdb
36 from samba.ndr import ndr_pack
37 from samba import unix2nttime
38 from samba import generate_random_password
39
40
41 def import_sam_policy(samdb, policy, logger):
42 """Import a Samba 3 policy.
43
44 :param samdb: Samba4 SAM database
45 :param policy: Samba3 account policy
46 :param logger: Logger object
47 """
48
49 # Following entries are used -
50 # min password length, password history, minimum password age,
51 # maximum password age, lockout duration
52 #
53 # Following entries are not used -
54 # reset count minutes, user must logon to change password,
55 # bad lockout minutes, disconnect time
56
57 m = ldb.Message()
58 m.dn = samdb.get_default_basedn()
59
60 if 'min password length' in policy:
61 m['a01'] = ldb.MessageElement(str(policy['min password length']),
62 ldb.FLAG_MOD_REPLACE, 'minPwdLength')
63
64 if 'password history' in policy:
65 m['a02'] = ldb.MessageElement(str(policy['password history']),
66 ldb.FLAG_MOD_REPLACE, 'pwdHistoryLength')
67
68 if 'minimum password age' in policy:
69 min_pw_age_unix = policy['minimum password age']
70 min_pw_age_nt = int(-min_pw_age_unix * (1e7))
71 m['a03'] = ldb.MessageElement(str(min_pw_age_nt), ldb.FLAG_MOD_REPLACE,
72 'minPwdAge')
73
74 if 'maximum password age' in policy:
75 max_pw_age_unix = policy['maximum password age']
76 if max_pw_age_unix == -1 or max_pw_age_unix == 0 or max_pw_age_unix == 0xFFFFFFFF:
77 max_pw_age_nt = -0x8000000000000000
78 else:
79 max_pw_age_nt = int(-max_pw_age_unix * (1e7))
80
81 m['a04'] = ldb.MessageElement(str(max_pw_age_nt), ldb.FLAG_MOD_REPLACE,
82 'maxPwdAge')
83
84 if 'lockout duration' in policy:
85 lockout_duration_mins = policy['lockout duration']
86 lockout_duration_nt = unix2nttime(lockout_duration_mins * 60)
87
88 m['a05'] = ldb.MessageElement(str(lockout_duration_nt),
89 ldb.FLAG_MOD_REPLACE, 'lockoutDuration')
90
91 try:
92 samdb.modify(m)
93 except ldb.LdbError as e:
94 logger.warn("Could not set account policy, (%s)", str(e))
95
96
97 def add_posix_attrs(logger, samdb, sid, name, nisdomain, xid_type, home=None,
98 shell=None, pgid=None):
99 """Add posix attributes for the user/group
100
101 :param samdb: Samba4 sam.ldb database
102 :param sid: user/group sid
103 :param sid: user/group name
104 :param nisdomain: name of the (fake) NIS domain
105 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
106 :param home: user homedir (Unix homepath)
107 :param shell: user shell
108 :param pgid: users primary group id
109 """
110
111 try:
112 m = ldb.Message()
113 m.dn = ldb.Dn(samdb, "<SID=%s>" % str(sid))
114 if xid_type == "ID_TYPE_UID":
115 m['unixHomeDirectory'] = ldb.MessageElement(
116 str(home), ldb.FLAG_MOD_REPLACE, 'unixHomeDirectory')
117 m['loginShell'] = ldb.MessageElement(
118 str(shell), ldb.FLAG_MOD_REPLACE, 'loginShell')
119 m['gidNumber'] = ldb.MessageElement(
120 str(pgid), ldb.FLAG_MOD_REPLACE, 'gidNumber')
121
122 m['msSFU30NisDomain'] = ldb.MessageElement(
123 str(nisdomain), ldb.FLAG_MOD_REPLACE, 'msSFU30NisDomain')
124
125 samdb.modify(m)
126 except ldb.LdbError as e:
127 logger.warn(
128 'Could not add posix attrs for AD entry for sid=%s, (%s)',
129 str(sid), str(e))
130
131
132 def add_ad_posix_idmap_entry(samdb, sid, xid, xid_type, logger):
133 """Create idmap entry
134
135 :param samdb: Samba4 sam.ldb database
136 :param sid: user/group sid
137 :param xid: user/group id
138 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
139 :param logger: Logger object
140 """
141
142 try:
143 m = ldb.Message()
144 m.dn = ldb.Dn(samdb, "<SID=%s>" % str(sid))
145 if xid_type == "ID_TYPE_UID":
146 m['uidNumber'] = ldb.MessageElement(
147 str(xid), ldb.FLAG_MOD_REPLACE, 'uidNumber')
148 m['objectClass'] = ldb.MessageElement(
149 "posixAccount", ldb.FLAG_MOD_ADD, 'objectClass')
150 elif xid_type == "ID_TYPE_GID":
151 m['gidNumber'] = ldb.MessageElement(
152 str(xid), ldb.FLAG_MOD_REPLACE, 'gidNumber')
153 m['objectClass'] = ldb.MessageElement(
154 "posixGroup", ldb.FLAG_MOD_ADD, 'objectClass')
155
156 samdb.modify(m)
157 except ldb.LdbError as e:
158 logger.warn(
159 'Could not modify AD idmap entry for sid=%s, id=%s, type=%s (%s)',
160 str(sid), str(xid), xid_type, str(e))
161
162
163 def add_idmap_entry(idmapdb, sid, xid, xid_type, logger):
164 """Create idmap entry
165
166 :param idmapdb: Samba4 IDMAP database
167 :param sid: user/group sid
168 :param xid: user/group id
169 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
170 :param logger: Logger object
171 """
172
173 # First try to see if we already have this entry
174 found = False
175 msg = idmapdb.search(expression='objectSid=%s' % str(sid))
176 if msg.count == 1:
177 found = True
178
179 if found:
180 try:
181 m = ldb.Message()
182 m.dn = msg[0]['dn']
183 m['xidNumber'] = ldb.MessageElement(
184 str(xid), ldb.FLAG_MOD_REPLACE, 'xidNumber')
185 m['type'] = ldb.MessageElement(
186 xid_type, ldb.FLAG_MOD_REPLACE, 'type')
187 idmapdb.modify(m)
188 except ldb.LdbError as e:
189 logger.warn(
190 'Could not modify idmap entry for sid=%s, id=%s, type=%s (%s)',
191 str(sid), str(xid), xid_type, str(e))
192 else:
193 try:
194 idmapdb.add({"dn": "CN=%s" % str(sid),
195 "cn": str(sid),
196 "objectClass": "sidMap",
197 "objectSid": ndr_pack(sid),
198 "type": xid_type,
199 "xidNumber": str(xid)})
200 except ldb.LdbError as e:
201 logger.warn(
202 'Could not add idmap entry for sid=%s, id=%s, type=%s (%s)',
203 str(sid), str(xid), xid_type, str(e))
204
205
206 def import_idmap(idmapdb, samba3, logger):
207 """Import idmap data.
208
209 :param idmapdb: Samba4 IDMAP database
210 :param samba3_idmap: Samba3 IDMAP database to import from
211 :param logger: Logger object
212 """
213
214 try:
215 samba3_idmap = samba3.get_idmap_db()
216 except IOError as e:
217 logger.warn('Cannot open idmap database, Ignoring: %s', str(e))
218 return
219
220 currentxid = max(samba3_idmap.get_user_hwm(), samba3_idmap.get_group_hwm())
221 lowerbound = currentxid
222 # FIXME: upperbound
223
224 m = ldb.Message()
225 m.dn = ldb.Dn(idmapdb, 'CN=CONFIG')
226 m['lowerbound'] = ldb.MessageElement(
227 str(lowerbound), ldb.FLAG_MOD_REPLACE, 'lowerBound')
228 m['xidNumber'] = ldb.MessageElement(
229 str(currentxid), ldb.FLAG_MOD_REPLACE, 'xidNumber')
230 idmapdb.modify(m)
231
232 for id_type, xid in samba3_idmap.ids():
233 if id_type == 'UID':
234 xid_type = 'ID_TYPE_UID'
235 elif id_type == 'GID':
236 xid_type = 'ID_TYPE_GID'
237 else:
238 logger.warn('Wrong type of entry in idmap (%s), Ignoring', id_type)
239 continue
240
241 sid = samba3_idmap.get_sid(xid, id_type)
242 add_idmap_entry(idmapdb, dom_sid(sid), xid, xid_type, logger)
243
244
245 def add_group_from_mapping_entry(samdb, groupmap, logger):
246 """Add or modify group from group mapping entry
247
248 param samdb: Samba4 SAM database
249 param groupmap: Groupmap entry
250 param logger: Logger object
251 """
252
253 # First try to see if we already have this entry
254 try:
255 msg = samdb.search(
256 base='<SID=%s>' % str(groupmap.sid), scope=ldb.SCOPE_BASE)
257 found = True
258 except ldb.LdbError as e1:
259 (ecode, emsg) = e1.args
260 if ecode == ldb.ERR_NO_SUCH_OBJECT:
261 found = False
262 else:
263 raise ldb.LdbError(ecode, emsg)
264
265 if found:
266 logger.warn('Group already exists sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
267 str(groupmap.sid), groupmap.nt_name, msg[0]['sAMAccountName'][0])
268 else:
269 if groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
270 # In a lot of Samba3 databases, aliases are marked as well known groups
271 (group_dom_sid, rid) = groupmap.sid.split()
272 if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
273 return
274
275 m = ldb.Message()
276 # We avoid using the format string to avoid needing to escape the CN values
277 m.dn = ldb.Dn(samdb, "CN=X,CN=Users")
278 m.dn.set_component(0, "CN", groupmap.nt_name)
279 m.dn.add_base(samdb.get_default_basedn())
280 m['objectClass'] = ldb.MessageElement('group', ldb.FLAG_MOD_ADD, 'objectClass')
281 m['objectSid'] = ldb.MessageElement(ndr_pack(groupmap.sid), ldb.FLAG_MOD_ADD,
282 'objectSid')
283 m['sAMAccountName'] = ldb.MessageElement(groupmap.nt_name, ldb.FLAG_MOD_ADD,
284 'sAMAccountName')
285
286 if groupmap.comment:
287 m['description'] = ldb.MessageElement(groupmap.comment, ldb.FLAG_MOD_ADD,
288 'description')
289
290 # Fix up incorrect 'well known' groups that are actually builtin (per test above) to be aliases
291 if groupmap.sid_name_use == lsa.SID_NAME_ALIAS or groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
292 m['groupType'] = ldb.MessageElement(str(dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
293 ldb.FLAG_MOD_ADD, 'groupType')
294
295 try:
296 samdb.add(m, controls=["relax:0"])
297 except ldb.LdbError as e:
298 logger.warn('Could not add group name=%s (%s)', groupmap.nt_name, str(e))
299
300
301 def add_users_to_group(samdb, group, members, logger):
302 """Add user/member to group/alias
303
304 param samdb: Samba4 SAM database
305 param group: Groupmap object
306 param members: List of member SIDs
307 param logger: Logger object
308 """
309 for member_sid in members:
310 m = ldb.Message()
311 m.dn = ldb.Dn(samdb, "<SID=%s>" % str(group.sid))
312 m['a01'] = ldb.MessageElement("<SID=%s>" % str(member_sid), ldb.FLAG_MOD_ADD, 'member')
313
314 try:
315 samdb.modify(m)
316 except ldb.LdbError as e:
317 (ecode, emsg) = e.args
318 if ecode == ldb.ERR_ENTRY_ALREADY_EXISTS:
319 logger.debug("skipped re-adding member '%s' to group '%s': %s", member_sid, group.sid, emsg)
320 elif ecode == ldb.ERR_NO_SUCH_OBJECT:
321 raise ProvisioningError("Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s" % (member_sid, group.sid, emsg))
322 else:
323 raise ProvisioningError("Could not add member '%s' to group '%s': %s" % (member_sid, group.sid, emsg))
324
325
326 def import_wins(samba4_winsdb, samba3_winsdb):
327 """Import settings from a Samba3 WINS database.
328
329 :param samba4_winsdb: WINS database to import to
330 :param samba3_winsdb: WINS database to import from
331 """
332
333 version_id = 0
334
335 for (name, (ttl, ips, nb_flags)) in samba3_winsdb.items():
336 version_id += 1
337
338 type = int(name.split("#", 1)[1], 16)
339
340 if type == 0x1C:
341 rType = 0x2
342 elif type & 0x80:
343 if len(ips) > 1:
344 rType = 0x2
345 else:
346 rType = 0x1
347 else:
348 if len(ips) > 1:
349 rType = 0x3
350 else:
351 rType = 0x0
352
353 if ttl > time.time():
354 rState = 0x0 # active
355 else:
356 rState = 0x1 # released
357
358 nType = ((nb_flags & 0x60) >> 5)
359
360 samba4_winsdb.add({"dn": "name=%s,type=0x%s" % tuple(name.split("#")),
361 "type": name.split("#")[1],
362 "name": name.split("#")[0],
363 "objectClass": "winsRecord",
364 "recordType": str(rType),
365 "recordState": str(rState),
366 "nodeType": str(nType),
367 "expireTime": ldb.timestring(ttl),
368 "isStatic": "0",
369 "versionID": str(version_id),
370 "address": ips})
371
372 samba4_winsdb.add({"dn": "cn=VERSION",
373 "cn": "VERSION",
374 "objectClass": "winsMaxVersion",
375 "maxVersion": str(version_id)})
376
377
378 SAMBA3_PREDEF_NAMES = {
379 'HKLM': registry.HKEY_LOCAL_MACHINE,
380 }
381
382
383 def import_registry(samba4_registry, samba3_regdb):
384 """Import a Samba 3 registry database into the Samba 4 registry.
385
386 :param samba4_registry: Samba 4 registry handle.
387 :param samba3_regdb: Samba 3 registry database handle.
388 """
389 def ensure_key_exists(keypath):
390 (predef_name, keypath) = keypath.split("/", 1)
391 predef_id = SAMBA3_PREDEF_NAMES[predef_name]
392 keypath = keypath.replace("/", "\\")
393 return samba4_registry.create_key(predef_id, keypath)
394
395 for key in samba3_regdb.keys():
396 key_handle = ensure_key_exists(key)
397 for subkey in samba3_regdb.subkeys(key):
398 ensure_key_exists(subkey)
399 for (value_name, (value_type, value_data)) in samba3_regdb.values(key).items():
400 key_handle.set_value(value_name, value_type, value_data)
401
402
403 def get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, user, attr):
404 """Get posix attributes from a samba3 ldap backend
405 :param ldbs: a list of ldb connection objects
406 :param base_dn: the base_dn of the connection
407 :param user: the user to get the attribute for
408 :param attr: the attribute to be retrieved
409 """
410 try:
411 msg = ldb_object.search(base_dn, scope=ldb.SCOPE_SUBTREE,
412 expression=("(&(objectClass=posixAccount)(uid=%s))"
413 % (user)), attrs=[attr])
414 except ldb.LdbError as e:
415 raise ProvisioningError("Failed to retrieve attribute %s for user %s, the error is: %s" % (attr, user, e))
416 else:
417 if msg.count <= 1:
418 # This will raise KeyError (which is what we want) if there isn't a entry for this user
419 return msg[0][attr][0]
420 else:
421 logger.warning("LDAP entry for user %s contains more than one %s", user, attr)
422 raise KeyError
423
424
425 def upgrade_from_samba3(samba3, logger, targetdir, session_info=None,
426 useeadb=False, dns_backend=None, use_ntvfs=False):
427 """Upgrade from samba3 database to samba4 AD database
428
429 :param samba3: samba3 object
430 :param logger: Logger object
431 :param targetdir: samba4 database directory
432 :param session_info: Session information
433 """
434 serverrole = samba3.lp.server_role()
435
436 domainname = samba3.lp.get("workgroup")
437 realm = samba3.lp.get("realm")
438 netbiosname = samba3.lp.get("netbios name")
439
440 if samba3.lp.get("ldapsam:trusted") is None:
441 samba3.lp.set("ldapsam:trusted", "yes")
442
443 # secrets db
444 try:
445 secrets_db = samba3.get_secrets_db()
446 except IOError as e:
447 raise ProvisioningError("Could not open '%s', the Samba3 secrets database: %s. Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option?" % (samba3.privatedir_path("secrets.tdb"), str(e)))
448
449 if not domainname:
450 domainname = secrets_db.domains()[0]
451 logger.warning("No workgroup specified in smb.conf file, assuming '%s'",
452 domainname)
453
454 if not realm:
455 if serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC":
456 raise ProvisioningError("No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create.")
457 else:
458 realm = domainname.upper()
459 logger.warning("No realm specified in smb.conf file, assuming '%s'",
460 realm)
461
462 # Find machine account and password
463 next_rid = 1000
464
465 try:
466 machinepass = secrets_db.get_machine_password(netbiosname)
467 except KeyError:
468 machinepass = None
469
470 if samba3.lp.get("passdb backend").split(":")[0].strip() == "ldapsam":
471 base_dn = samba3.lp.get("ldap suffix")
472 ldapuser = samba3.lp.get("ldap admin dn")
473 ldappass = secrets_db.get_ldap_bind_pw(ldapuser)
474 if ldappass is None:
475 raise ProvisioningError("ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation.")
476 ldappass = ldappass.decode('utf-8').strip('\x00')
477 ldap = True
478 else:
479 ldapuser = None
480 ldappass = None
481 ldap = False
482
483 # We must close the direct pytdb database before the C code loads it
484 secrets_db.close()
485
486 # Connect to old password backend
487 passdb.set_secrets_dir(samba3.lp.get("private dir"))
488 s3db = samba3.get_sam_db()
489
490 # Get domain sid
491 try:
492 domainsid = passdb.get_global_sam_sid()
493 except passdb.error:
494 raise Exception("Can't find domain sid for '%s', Exiting." % domainname)
495
496 # Get machine account, sid, rid
497 try:
498 machineacct = s3db.getsampwnam('%s$' % netbiosname)
499 except passdb.error:
500 machinerid = None
501 machinesid = None
502 else:
503 machinesid, machinerid = machineacct.user_sid.split()
504
505 # Export account policy
506 logger.info("Exporting account policy")
507 policy = s3db.get_account_policy()
508
509 # Export groups from old passdb backend
510 logger.info("Exporting groups")
511 grouplist = s3db.enum_group_mapping()
512 groupmembers = {}
513 for group in grouplist:
514 sid, rid = group.sid.split()
515 if sid == domainsid:
516 if rid >= next_rid:
517 next_rid = rid + 1
518
519 # Get members for each group/alias
520 if group.sid_name_use == lsa.SID_NAME_ALIAS:
521 try:
522 members = s3db.enum_aliasmem(group.sid)
523 groupmembers[str(group.sid)] = members
524 except passdb.error as e:
525 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
526 group.nt_name, group.sid, e)
527 continue
528 elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
529 try:
530 members = s3db.enum_group_members(group.sid)
531 groupmembers[str(group.sid)] = members
532 except passdb.error as e:
533 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
534 group.nt_name, group.sid, e)
535 continue
536 elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
537 (group_dom_sid, rid) = group.sid.split()
538 if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
539 logger.warn("Ignoring 'well known' group '%s' (should already be in AD, and have no members)",
540 group.nt_name)
541 continue
542 # A number of buggy databases mix up well known groups and aliases.
543 try:
544 members = s3db.enum_aliasmem(group.sid)
545 groupmembers[str(group.sid)] = members
546 except passdb.error as e:
547 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
548 group.nt_name, group.sid, e)
549 continue
550 else:
551 logger.warn("Ignoring group '%s' %s with sid_name_use=%d",
552 group.nt_name, group.sid, group.sid_name_use)
553 continue
554
555 # Export users from old passdb backend
556 logger.info("Exporting users")
557 userlist = s3db.search_users(0)
558 userdata = {}
559 uids = {}
560 admin_user = None
561 for entry in userlist:
562 if machinerid and machinerid == entry['rid']:
563 continue
564 username = entry['account_name']
565 if entry['rid'] < 1000:
566 logger.info(" Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
567 continue
568 if entry['rid'] >= next_rid:
569 next_rid = entry['rid'] + 1
570
571 user = s3db.getsampwnam(username)
572 acct_type = (user.acct_ctrl & (samr.ACB_NORMAL |
573 samr.ACB_WSTRUST |
574 samr.ACB_SVRTRUST |
575 samr.ACB_DOMTRUST))
576 if acct_type == samr.ACB_SVRTRUST:
577 logger.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'" % username[:-1])
578 user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST
579
580 elif acct_type == samr.ACB_DOMTRUST:
581 logger.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username[:-1])
582 continue
583
584 elif acct_type == (samr.ACB_WSTRUST) and username[-1] != '$':
585 logger.warn(" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration." % username)
586 continue
587
588 elif acct_type == (samr.ACB_NORMAL | samr.ACB_WSTRUST) and username[-1] == '$':
589 logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username)
590 user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
591
592 elif acct_type == (samr.ACB_NORMAL | samr.ACB_SVRTRUST) and username[-1] == '$':
593 logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member" % username)
594 user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
595
596 elif acct_type == 0 and username[-1] != '$':
597 user.acct_ctrl = (user.acct_ctrl | samr.ACB_NORMAL)
598
599 elif (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST):
600 pass
601
602 else:
603 raise ProvisioningError("""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of
604 ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X).
605
606 Please fix this account before attempting to upgrade again
607 """
608 % (username, user.acct_ctrl,
609 samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST))
610
611 userdata[username] = user
612 try:
613 uids[username] = s3db.sid_to_id(user.user_sid)[0]
614 except passdb.error:
615 try:
616 uids[username] = pwd.getpwnam(username).pw_uid
617 except KeyError:
618 pass
619
620 if not admin_user and username.lower() == 'root':
621 admin_user = username
622 if username.lower() == 'administrator':
623 admin_user = username
624
625 try:
626 group_memberships = s3db.enum_group_memberships(user)
627 for group in group_memberships:
628 if str(group) in groupmembers:
629 if user.user_sid not in groupmembers[str(group)]:
630 groupmembers[str(group)].append(user.user_sid)
631 else:
632 groupmembers[str(group)] = [user.user_sid]
633 except passdb.error as e:
634 logger.warn("Ignoring group memberships of '%s' %s: %s",
635 username, user.user_sid, e)
636
637 logger.info("Next rid = %d", next_rid)
638
639 # Check for same username/groupname
640 group_names = set([g.nt_name for g in grouplist])
641 user_names = set([u['account_name'] for u in userlist])
642 common_names = group_names.intersection(user_names)
643 if common_names:
644 logger.error("Following names are both user names and group names:")
645 for name in common_names:
646 logger.error(" %s" % name)
647 raise ProvisioningError("Please remove common user/group names before upgrade.")
648
649 # Check for same user sid/group sid
650 group_sids = set([str(g.sid) for g in grouplist])
651 if len(grouplist) != len(group_sids):
652 raise ProvisioningError("Please remove duplicate group sid entries before upgrade.")
653 user_sids = set(["%s-%u" % (domainsid, u['rid']) for u in userlist])
654 if len(userlist) != len(user_sids):
655 raise ProvisioningError("Please remove duplicate user sid entries before upgrade.")
656 common_sids = group_sids.intersection(user_sids)
657 if common_sids:
658 logger.error("Following sids are both user and group sids:")
659 for sid in common_sids:
660 logger.error(" %s" % str(sid))
661 raise ProvisioningError("Please remove duplicate sid entries before upgrade.")
662
663 # Get posix attributes from ldap or the os
664 homes = {}
665 shells = {}
666 pgids = {}
667 if ldap:
668 creds = Credentials()
669 creds.guess(samba3.lp)
670 creds.set_bind_dn(ldapuser)
671 creds.set_password(ldappass)
672 urls = samba3.lp.get("passdb backend").split(":", 1)[1].strip('"')
673 for url in urls.split():
674 try:
675 ldb_object = Ldb(url, credentials=creds)
676 except ldb.LdbError as e:
677 raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
678 else:
679 break
680 logger.info("Exporting posix attributes")
681 userlist = s3db.search_users(0)
682 for entry in userlist:
683 username = entry['account_name']
684 if username in uids.keys():
685 try:
686 if ldap:
687 homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")
688 else:
689 homes[username] = pwd.getpwnam(username).pw_dir
690 except KeyError:
691 pass
692 except IndexError:
693 pass
694
695 try:
696 if ldap:
697 shells[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "loginShell")
698 else:
699 shells[username] = pwd.getpwnam(username).pw_shell
700 except KeyError:
701 pass
702 except IndexError:
703 pass
704
705 try:
706 if ldap:
707 pgids[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "gidNumber")
708 else:
709 pgids[username] = pwd.getpwnam(username).pw_gid
710 except KeyError:
711 pass
712 except IndexError:
713 pass
714
715 logger.info("Reading WINS database")
716 samba3_winsdb = None
717 try:
718 samba3_winsdb = samba3.get_wins_db()
719 except IOError as e:
720 logger.warn('Cannot open wins database, Ignoring: %s', str(e))
721
722 if not (serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC"):
723 dns_backend = "NONE"
724
725 # If we found an admin user, set a fake pw that we will override.
726 # This avoids us printing out an admin password that we won't actually
727 # set.
728 if admin_user:
729 adminpass = generate_random_password(12, 32)
730 else:
731 adminpass = None
732
733 # Do full provision
734 result = provision(logger, session_info,
735 targetdir=targetdir, realm=realm, domain=domainname,
736 domainsid=domainsid, next_rid=next_rid,
737 dc_rid=machinerid, adminpass=adminpass,
738 dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
739 hostname=netbiosname.lower(), machinepass=machinepass,
740 serverrole=serverrole, samdb_fill=FILL_FULL,
741 useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True,
742 use_ntvfs=use_ntvfs, skip_sysvolacl=True)
743 result.report_logger(logger)
744
745 # Import WINS database
746 logger.info("Importing WINS database")
747
748 if samba3_winsdb:
749 import_wins(Ldb(result.paths.winsdb), samba3_winsdb)
750
751 # Set Account policy
752 logger.info("Importing Account policy")
753 import_sam_policy(result.samdb, policy, logger)
754
755 # Migrate IDMAP database
756 logger.info("Importing idmap database")
757 import_idmap(result.idmap, samba3, logger)
758
759 # Set the s3 context for samba4 configuration
760 new_lp_ctx = s3param.get_context()
761 new_lp_ctx.load(result.lp.configfile)
762 new_lp_ctx.set("private dir", result.lp.get("private dir"))
763 new_lp_ctx.set("state directory", result.lp.get("state directory"))
764 new_lp_ctx.set("lock directory", result.lp.get("lock directory"))
765
766 # Connect to samba4 backend
767 s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
768
769 # Start a new transaction (should speed this up a little, due to index churn)
770 result.samdb.transaction_start()
771
772 logger.info("Adding groups")
773 try:
774 # Export groups to samba4 backend
775 logger.info("Importing groups")
776 for g in grouplist:
777 # Ignore uninitialized groups (gid = -1)
778 if g.gid != -1:
779 add_group_from_mapping_entry(result.samdb, g, logger)
780 add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, "ID_TYPE_GID", logger)
781 add_posix_attrs(samdb=result.samdb, sid=g.sid, name=g.nt_name, nisdomain=domainname.lower(), xid_type="ID_TYPE_GID", logger=logger)
782
783 except:
784 # We need this, so that we do not give even more errors due to not cancelling the transaction
785 result.samdb.transaction_cancel()
786 raise
787
788 logger.info("Committing 'add groups' transaction to disk")
789 result.samdb.transaction_commit()
790
791 logger.info("Adding users")
792
793 # Export users to samba4 backend
794 logger.info("Importing users")
795 for username in userdata:
796 if username.lower() == 'administrator':
797 if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
798 logger.error("User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata[username].user_sid, dom_sid(str(domainsid) + "-500")))
799 raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
800 if username.lower() == 'root':
801 if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
802 logger.warn('User root has been replaced by Administrator')
803 else:
804 logger.warn('User root has been kept in the directory, it should be removed in favour of the Administrator user')
805
806 s4_passdb.add_sam_account(userdata[username])
807 if username in uids:
808 add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
809 if (username in homes) and (homes[username] is not None) and \
810 (username in shells) and (shells[username] is not None) and \
811 (username in pgids) and (pgids[username] is not None):
812 add_posix_attrs(samdb=result.samdb, sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], pgid=pgids[username], logger=logger)
813
814 logger.info("Adding users to groups")
815 # Start a new transaction (should speed this up a little, due to index churn)
816 result.samdb.transaction_start()
817
818 try:
819 for g in grouplist:
820 if str(g.sid) in groupmembers:
821 add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
822
823 except:
824 # We need this, so that we do not give even more errors due to not cancelling the transaction
825 result.samdb.transaction_cancel()
826 raise
827
828 logger.info("Committing 'add users to groups' transaction to disk")
829 result.samdb.transaction_commit()
830
831 # Set password for administrator
832 if admin_user:
833 logger.info("Setting password for administrator")
834 admin_userdata = s4_passdb.getsampwnam("administrator")
835 admin_userdata.nt_passwd = userdata[admin_user].nt_passwd
836 if userdata[admin_user].lanman_passwd:
837 admin_userdata.lanman_passwd = userdata[admin_user].lanman_passwd
838 admin_userdata.pass_last_set_time = userdata[admin_user].pass_last_set_time
839 if userdata[admin_user].pw_history:
840 admin_userdata.pw_history = userdata[admin_user].pw_history
841 s4_passdb.update_sam_account(admin_userdata)
842 logger.info("Administrator password has been set to password of user '%s'", admin_user)
843
844 if result.server_role == "active directory domain controller":
845 setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol,
846 result.paths.root_uid, result.paths.root_gid,
847 security.dom_sid(result.domainsid), result.names.dnsdomain,
848 result.names.domaindn, result.lp, use_ntvfs)
849
850 # FIXME: import_registry(registry.Registry(), samba3.get_registry())
851 # FIXME: shares
Samba GIT mirror