search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
PEP8: fix E731: do not assign a lambda expression, use a def
[Samba.git] / python / samba / provision / __init__.py
blob2b3b7fc07f27b7670d40e4bfa235b89939cd11a6
1 # Unix SMB/CIFS implementation.
2 # backend code for provisioning a Samba AD server
3
4 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2012
5 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008-2009
6 # Copyright (C) Oliver Liebel <oliver@itc.li> 2008-2009
7 #
8 # Based on the original in EJS:
9 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
15 #
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #
24
25 """Functions for setting up a Samba configuration."""
26
27 __docformat__ = "restructuredText"
28
29 from samba.compat import urllib_quote
30 from base64 import b64encode
31 import errno
32 import os
33 import stat
34 import re
35 import pwd
36 import grp
37 import logging
38 import time
39 import uuid
40 import socket
41 import string
42 import tempfile
43 import samba.dsdb
44
45 import ldb
46
47 from samba.auth import system_session, admin_session
48 import samba
49 from samba import auth
50 from samba.samba3 import smbd, passdb
51 from samba.samba3 import param as s3param
52 from samba.dsdb import DS_DOMAIN_FUNCTION_2000
53 from samba import (
54 Ldb,
55 MAX_NETBIOS_NAME_LEN,
56 check_all_substituted,
57 is_valid_netbios_char,
58 setup_file,
59 substitute_var,
60 valid_netbios_name,
61 version,
62 is_heimdal_built,
63 )
64 from samba.dcerpc import security, misc
65 from samba.dcerpc.misc import (
66 SEC_CHAN_BDC,
67 SEC_CHAN_WKSTA,
68 )
69 from samba.dsdb import (
70 DS_DOMAIN_FUNCTION_2003,
71 DS_DOMAIN_FUNCTION_2008_R2,
72 ENC_ALL_TYPES,
73 )
74 from samba.idmap import IDmapDB
75 from samba.ms_display_specifiers import read_ms_ldif
76 from samba.ntacls import setntacl, getntacl, dsacl2fsacl
77 from samba.ndr import ndr_pack, ndr_unpack
78 from samba.provision.backend import (
79 ExistingBackend,
80 FDSBackend,
81 LDBBackend,
82 OpenLDAPBackend,
83 )
84 from samba.descriptor import (
85 get_empty_descriptor,
86 get_config_descriptor,
87 get_config_partitions_descriptor,
88 get_config_sites_descriptor,
89 get_config_ntds_quotas_descriptor,
90 get_config_delete_protected1_descriptor,
91 get_config_delete_protected1wd_descriptor,
92 get_config_delete_protected2_descriptor,
93 get_domain_descriptor,
94 get_domain_infrastructure_descriptor,
95 get_domain_builtin_descriptor,
96 get_domain_computers_descriptor,
97 get_domain_users_descriptor,
98 get_domain_controllers_descriptor,
99 get_domain_delete_protected1_descriptor,
100 get_domain_delete_protected2_descriptor,
101 get_dns_partition_descriptor,
102 get_dns_forest_microsoft_dns_descriptor,
103 get_dns_domain_microsoft_dns_descriptor,
104 get_managed_service_accounts_descriptor,
105 )
106 from samba.provision.common import (
107 setup_path,
108 setup_add_ldif,
109 setup_modify_ldif,
110 FILL_FULL,
111 FILL_SUBDOMAIN,
112 FILL_NT4SYNC,
113 FILL_DRS
114 )
115 from samba.provision.sambadns import (
116 get_dnsadmins_sid,
117 setup_ad_dns,
118 create_dns_update_list
119 )
120
121 import samba.param
122 import samba.registry
123 from samba.schema import Schema
124 from samba.samdb import SamDB
125 from samba.dbchecker import dbcheck
126 from samba.provision.kerberos import create_kdc_conf
127 from samba.samdb import get_default_backend_store
128
129 DEFAULT_POLICY_GUID = "31B2F340-016D-11D2-945F-00C04FB984F9"
130 DEFAULT_DC_POLICY_GUID = "6AC1786C-016F-11D2-945F-00C04FB984F9"
131 DEFAULTSITE = "Default-First-Site-Name"
132 LAST_PROVISION_USN_ATTRIBUTE = "lastProvisionUSN"
133
134 DEFAULT_MIN_PWD_LENGTH = 7
135
136
137 class ProvisionPaths(object):
138
139 def __init__(self):
140 self.shareconf = None
141 self.hklm = None
142 self.hkcu = None
143 self.hkcr = None
144 self.hku = None
145 self.hkpd = None
146 self.hkpt = None
147 self.samdb = None
148 self.idmapdb = None
149 self.secrets = None
150 self.keytab = None
151 self.dns_keytab = None
152 self.dns = None
153 self.winsdb = None
154 self.private_dir = None
155 self.binddns_dir = None
156 self.state_dir = None
157
158
159 class ProvisionNames(object):
160
161 def __init__(self):
162 self.ncs = None
163 self.rootdn = None
164 self.domaindn = None
165 self.configdn = None
166 self.schemadn = None
167 self.dnsforestdn = None
168 self.dnsdomaindn = None
169 self.ldapmanagerdn = None
170 self.dnsdomain = None
171 self.realm = None
172 self.netbiosname = None
173 self.domain = None
174 self.hostname = None
175 self.sitename = None
176 self.smbconf = None
177 self.domainsid = None
178 self.forestsid = None
179 self.domainguid = None
180 self.name_map = {}
181
182
183 def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
184 lp):
185 """Get key provision parameters (realm, domain, ...) from a given provision
186
187 :param samdb: An LDB object connected to the sam.ldb file
188 :param secretsdb: An LDB object connected to the secrets.ldb file
189 :param idmapdb: An LDB object connected to the idmap.ldb file
190 :param paths: A list of path to provision object
191 :param smbconf: Path to the smb.conf file
192 :param lp: A LoadParm object
193 :return: A list of key provision parameters
194 """
195 names = ProvisionNames()
196 names.adminpass = None
197
198 # NT domain, kerberos realm, root dn, domain dn, domain dns name
199 names.domain = lp.get("workgroup").upper()
200 names.realm = lp.get("realm")
201 names.dnsdomain = names.realm.lower()
202 basedn = samba.dn_from_dns_name(names.dnsdomain)
203 names.realm = names.realm.upper()
204 # netbiosname
205 # Get the netbiosname first (could be obtained from smb.conf in theory)
206 res = secretsdb.search(expression="(flatname=%s)" %
207 names.domain,base="CN=Primary Domains",
208 scope=ldb.SCOPE_SUBTREE, attrs=["sAMAccountName"])
209 names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
210
211 names.smbconf = smbconf
212
213 # That's a bit simplistic but it's ok as long as we have only 3
214 # partitions
215 current = samdb.search(expression="(objectClass=*)",
216 base="", scope=ldb.SCOPE_BASE,
217 attrs=["defaultNamingContext", "schemaNamingContext",
218 "configurationNamingContext","rootDomainNamingContext",
219 "namingContexts"])
220
221 names.configdn = current[0]["configurationNamingContext"][0]
222 names.schemadn = current[0]["schemaNamingContext"][0]
223 if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb,
224 current[0]["defaultNamingContext"][0].decode('utf8')))):
225 raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
226 "is not the same ..." % (paths.samdb,
227 str(current[0]["defaultNamingContext"][0].decode('utf8')),
228 paths.smbconf, basedn)))
229
230 names.domaindn=current[0]["defaultNamingContext"][0]
231 names.rootdn=current[0]["rootDomainNamingContext"][0]
232 names.ncs=current[0]["namingContexts"]
233 names.dnsforestdn = None
234 names.dnsdomaindn = None
235
236 for i in range(0, len(names.ncs)):
237 nc = names.ncs[i]
238
239 dnsforestdn = "DC=ForestDnsZones,%s" % (str(names.rootdn))
240 if nc == dnsforestdn:
241 names.dnsforestdn = dnsforestdn
242 continue
243
244 dnsdomaindn = "DC=DomainDnsZones,%s" % (str(names.domaindn))
245 if nc == dnsdomaindn:
246 names.dnsdomaindn = dnsdomaindn
247 continue
248
249 # default site name
250 res3 = samdb.search(expression="(objectClass=site)",
251 base="CN=Sites," + names.configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"])
252 names.sitename = str(res3[0]["cn"])
253
254 # dns hostname and server dn
255 res4 = samdb.search(expression="(CN=%s)" % names.netbiosname,
256 base="OU=Domain Controllers,%s" % basedn,
257 scope=ldb.SCOPE_ONELEVEL, attrs=["dNSHostName"])
258 if len(res4) == 0:
259 raise ProvisioningError("Unable to find DC called CN=%s under OU=Domain Controllers,%s" % (names.netbiosname, basedn))
260
261 names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")
262
263 server_res = samdb.search(expression="serverReference=%s" % res4[0].dn,
264 attrs=[], base=names.configdn)
265 names.serverdn = str(server_res[0].dn)
266
267 # invocation id/objectguid
268 res5 = samdb.search(expression="(objectClass=*)",
269 base="CN=NTDS Settings,%s" % str(names.serverdn),
270 scope=ldb.SCOPE_BASE,
271 attrs=["invocationID", "objectGUID"])
272 names.invocation = str(ndr_unpack(misc.GUID, res5[0]["invocationId"][0]))
273 names.ntdsguid = str(ndr_unpack(misc.GUID, res5[0]["objectGUID"][0]))
274
275 # domain guid/sid
276 res6 = samdb.search(expression="(objectClass=*)", base=basedn,
277 scope=ldb.SCOPE_BASE, attrs=["objectGUID",
278 "objectSid","msDS-Behavior-Version" ])
279 names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
280 names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
281 names.forestsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
282 if res6[0].get("msDS-Behavior-Version") is None or \
283 int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
284 names.domainlevel = DS_DOMAIN_FUNCTION_2000
285 else:
286 names.domainlevel = int(res6[0]["msDS-Behavior-Version"][0])
287
288 # policy guid
289 res7 = samdb.search(expression="(name={%s})" % DEFAULT_POLICY_GUID,
290 base="CN=Policies,CN=System," + basedn,
291 scope=ldb.SCOPE_ONELEVEL, attrs=["cn","displayName"])
292 names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
293 # dc policy guid
294 res8 = samdb.search(expression="(name={%s})" % DEFAULT_DC_POLICY_GUID,
295 base="CN=Policies,CN=System," + basedn,
296 scope=ldb.SCOPE_ONELEVEL,
297 attrs=["cn","displayName"])
298 if len(res8) == 1:
299 names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
300 else:
301 names.policyid_dc = None
302
303 res9 = idmapdb.search(expression="(cn=%s-%s)" %
304 (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR),
305 attrs=["xidNumber", "type"])
306 if len(res9) != 1:
307 raise ProvisioningError("Unable to find uid/gid for Domain Admins rid (%s-%s" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))
308 if res9[0]["type"][0] == "ID_TYPE_BOTH":
309 names.root_gid = res9[0]["xidNumber"][0]
310 else:
311 names.root_gid = pwd.getpwuid(int(res9[0]["xidNumber"][0])).pw_gid
312
313 res10 = samdb.search(expression="(samaccountname=dns)",
314 scope=ldb.SCOPE_SUBTREE, attrs=["dn"],
315 controls=["search_options:1:2"])
316 if (len(res10) > 0):
317 has_legacy_dns_account = True
318 else:
319 has_legacy_dns_account = False
320
321 res11 = samdb.search(expression="(samaccountname=dns-%s)" % names.netbiosname,
322 scope=ldb.SCOPE_SUBTREE, attrs=["dn"],
323 controls=["search_options:1:2"])
324 if (len(res11) > 0):
325 has_dns_account = True
326 else:
327 has_dns_account = False
328
329 if names.dnsdomaindn is not None:
330 if has_dns_account:
331 names.dns_backend = 'BIND9_DLZ'
332 else:
333 names.dns_backend = 'SAMBA_INTERNAL'
334 elif has_dns_account or has_legacy_dns_account:
335 names.dns_backend = 'BIND9_FLATFILE'
336 else:
337 names.dns_backend = 'NONE'
338
339 dns_admins_sid = get_dnsadmins_sid(samdb, names.domaindn)
340 names.name_map['DnsAdmins'] = str(dns_admins_sid)
341
342 return names
343
344
345 def update_provision_usn(samdb, low, high, id, replace=False):
346 """Update the field provisionUSN in sam.ldb
347
348 This field is used to track range of USN modified by provision and
349 upgradeprovision.
350 This value is used afterward by next provision to figure out if
351 the field have been modified since last provision.
352
353 :param samdb: An LDB object connect to sam.ldb
354 :param low: The lowest USN modified by this upgrade
355 :param high: The highest USN modified by this upgrade
356 :param id: The invocation id of the samba's dc
357 :param replace: A boolean indicating if the range should replace any
358 existing one or appended (default)
359 """
360
361 tab = []
362 if not replace:
363 entry = samdb.search(base="@PROVISION",
364 scope=ldb.SCOPE_BASE,
365 attrs=[LAST_PROVISION_USN_ATTRIBUTE, "dn"])
366 for e in entry[0][LAST_PROVISION_USN_ATTRIBUTE]:
367 if not re.search(';', e):
368 e = "%s;%s" % (e, id)
369 tab.append(str(e))
370
371 tab.append("%s-%s;%s" % (low, high, id))
372 delta = ldb.Message()
373 delta.dn = ldb.Dn(samdb, "@PROVISION")
374 delta[LAST_PROVISION_USN_ATTRIBUTE] = ldb.MessageElement(tab,
375 ldb.FLAG_MOD_REPLACE, LAST_PROVISION_USN_ATTRIBUTE)
376 entry = samdb.search(expression='provisionnerID=*',
377 base="@PROVISION", scope=ldb.SCOPE_BASE,
378 attrs=["provisionnerID"])
379 if len(entry) == 0 or len(entry[0]) == 0:
380 delta["provisionnerID"] = ldb.MessageElement(id, ldb.FLAG_MOD_ADD, "provisionnerID")
381 samdb.modify(delta)
382
383
384 def set_provision_usn(samdb, low, high, id):
385 """Set the field provisionUSN in sam.ldb
386 This field is used to track range of USN modified by provision and
387 upgradeprovision.
388 This value is used afterward by next provision to figure out if
389 the field have been modified since last provision.
390
391 :param samdb: An LDB object connect to sam.ldb
392 :param low: The lowest USN modified by this upgrade
393 :param high: The highest USN modified by this upgrade
394 :param id: The invocationId of the provision"""
395
396 tab = []
397 tab.append("%s-%s;%s" % (low, high, id))
398
399 delta = ldb.Message()
400 delta.dn = ldb.Dn(samdb, "@PROVISION")
401 delta[LAST_PROVISION_USN_ATTRIBUTE] = ldb.MessageElement(tab,
402 ldb.FLAG_MOD_ADD, LAST_PROVISION_USN_ATTRIBUTE)
403 samdb.add(delta)
404
405
406 def get_max_usn(samdb,basedn):
407 """ This function return the biggest USN present in the provision
408
409 :param samdb: A LDB object pointing to the sam.ldb
410 :param basedn: A string containing the base DN of the provision
411 (ie. DC=foo, DC=bar)
412 :return: The biggest USN in the provision"""
413
414 res = samdb.search(expression="objectClass=*",base=basedn,
415 scope=ldb.SCOPE_SUBTREE,attrs=["uSNChanged"],
416 controls=["search_options:1:2",
417 "server_sort:1:1:uSNChanged",
418 "paged_results:1:1"])
419 return res[0]["uSNChanged"]
420
421
422 def get_last_provision_usn(sam):
423 """Get USNs ranges modified by a provision or an upgradeprovision
424
425 :param sam: An LDB object pointing to the sam.ldb
426 :return: a dictionary which keys are invocation id and values are an array
427 of integer representing the different ranges
428 """
429 try:
430 entry = sam.search(expression="%s=*" % LAST_PROVISION_USN_ATTRIBUTE,
431 base="@PROVISION", scope=ldb.SCOPE_BASE,
432 attrs=[LAST_PROVISION_USN_ATTRIBUTE, "provisionnerID"])
433 except ldb.LdbError as e1:
434 (ecode, emsg) = e1.args
435 if ecode == ldb.ERR_NO_SUCH_OBJECT:
436 return None
437 raise
438 if len(entry) > 0:
439 myids = []
440 range = {}
441 p = re.compile(r'-')
442 if entry[0].get("provisionnerID"):
443 for e in entry[0]["provisionnerID"]:
444 myids.append(str(e))
445 for r in entry[0][LAST_PROVISION_USN_ATTRIBUTE]:
446 tab1 = str(r).split(';')
447 if len(tab1) == 2:
448 id = tab1[1]
449 else:
450 id = "default"
451 if (len(myids) > 0 and id not in myids):
452 continue
453 tab2 = p.split(tab1[0])
454 if range.get(id) is None:
455 range[id] = []
456 range[id].append(tab2[0])
457 range[id].append(tab2[1])
458 return range
459 else:
460 return None
461
462
463 class ProvisionResult(object):
464 """Result of a provision.
465
466 :ivar server_role: The server role
467 :ivar paths: ProvisionPaths instance
468 :ivar domaindn: The domain dn, as string
469 """
470
471 def __init__(self):
472 self.server_role = None
473 self.paths = None
474 self.domaindn = None
475 self.lp = None
476 self.samdb = None
477 self.idmap = None
478 self.names = None
479 self.domainsid = None
480 self.adminpass_generated = None
481 self.adminpass = None
482 self.backend_result = None
483
484 def report_logger(self, logger):
485 """Report this provision result to a logger."""
486 logger.info(
487 "Once the above files are installed, your Samba AD server will "
488 "be ready to use")
489 if self.adminpass_generated:
490 logger.info("Admin password: %s", self.adminpass)
491 logger.info("Server Role: %s", self.server_role)
492 logger.info("Hostname: %s", self.names.hostname)
493 logger.info("NetBIOS Domain: %s", self.names.domain)
494 logger.info("DNS Domain: %s", self.names.dnsdomain)
495 logger.info("DOMAIN SID: %s", self.domainsid)
496
497 if self.backend_result:
498 self.backend_result.report_logger(logger)
499
500
501 def check_install(lp, session_info, credentials):
502 """Check whether the current install seems ok.
503
504 :param lp: Loadparm context
505 :param session_info: Session information
506 :param credentials: Credentials
507 """
508 if lp.get("realm") == "":
509 raise Exception("Realm empty")
510 samdb = Ldb(lp.samdb_url(), session_info=session_info,
511 credentials=credentials, lp=lp)
512 if len(samdb.search("(cn=Administrator)")) != 1:
513 raise ProvisioningError("No administrator account found")
514
515
516 def findnss(nssfn, names):
517 """Find a user or group from a list of possibilities.
518
519 :param nssfn: NSS Function to try (should raise KeyError if not found)
520 :param names: Names to check.
521 :return: Value return by first names list.
522 """
523 for name in names:
524 try:
525 return nssfn(name)
526 except KeyError:
527 pass
528 raise KeyError("Unable to find user/group in %r" % names)
529
530
531 def findnss_uid(names):
532 return findnss(pwd.getpwnam, names)[2]
533
534
535 def findnss_gid(names):
536 return findnss(grp.getgrnam, names)[2]
537
538
539 def provision_paths_from_lp(lp, dnsdomain):
540 """Set the default paths for provisioning.
541
542 :param lp: Loadparm context.
543 :param dnsdomain: DNS Domain name
544 """
545 paths = ProvisionPaths()
546 paths.private_dir = lp.get("private dir")
547 paths.binddns_dir = lp.get("binddns dir")
548 paths.state_dir = lp.get("state directory")
549
550 # This is stored without path prefix for the "privateKeytab" attribute in
551 # "secrets_dns.ldif".
552 paths.dns_keytab = "dns.keytab"
553 paths.keytab = "secrets.keytab"
554
555 paths.shareconf = os.path.join(paths.private_dir, "share.ldb")
556 paths.samdb = os.path.join(paths.private_dir, "sam.ldb")
557 paths.idmapdb = os.path.join(paths.private_dir, "idmap.ldb")
558 paths.secrets = os.path.join(paths.private_dir, "secrets.ldb")
559 paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
560 paths.dns_update_list = os.path.join(paths.private_dir, "dns_update_list")
561 paths.spn_update_list = os.path.join(paths.private_dir, "spn_update_list")
562 paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
563 paths.kdcconf = os.path.join(paths.private_dir, "kdc.conf")
564 paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
565 paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
566 paths.encrypted_secrets_key_path = os.path.join(
567 paths.private_dir,
568 "encrypted_secrets.key")
569
570 paths.dns = os.path.join(paths.binddns_dir, "dns", dnsdomain + ".zone")
571 paths.namedconf = os.path.join(paths.binddns_dir, "named.conf")
572 paths.namedconf_update = os.path.join(paths.binddns_dir, "named.conf.update")
573 paths.namedtxt = os.path.join(paths.binddns_dir, "named.txt")
574
575 paths.hklm = "hklm.ldb"
576 paths.hkcr = "hkcr.ldb"
577 paths.hkcu = "hkcu.ldb"
578 paths.hku = "hku.ldb"
579 paths.hkpd = "hkpd.ldb"
580 paths.hkpt = "hkpt.ldb"
581 paths.sysvol = lp.get("path", "sysvol")
582 paths.netlogon = lp.get("path", "netlogon")
583 paths.smbconf = lp.configfile
584 return paths
585
586
587 def determine_netbios_name(hostname):
588 """Determine a netbios name from a hostname."""
589 # remove forbidden chars and force the length to be <16
590 netbiosname = "".join([x for x in hostname if is_valid_netbios_char(x)])
591 return netbiosname[:MAX_NETBIOS_NAME_LEN].upper()
592
593
594 def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
595 serverrole=None, rootdn=None, domaindn=None, configdn=None,
596 schemadn=None, serverdn=None, sitename=None,
597 domain_names_forced=False):
598 """Guess configuration settings to use."""
599
600 if hostname is None:
601 hostname = socket.gethostname().split(".")[0]
602
603 netbiosname = lp.get("netbios name")
604 if netbiosname is None:
605 netbiosname = determine_netbios_name(hostname)
606 netbiosname = netbiosname.upper()
607 if not valid_netbios_name(netbiosname):
608 raise InvalidNetbiosName(netbiosname)
609
610 if dnsdomain is None:
611 dnsdomain = lp.get("realm")
612 if dnsdomain is None or dnsdomain == "":
613 raise ProvisioningError("guess_names: 'realm' not specified in supplied %s!", lp.configfile)
614
615 dnsdomain = dnsdomain.lower()
616
617 if serverrole is None:
618 serverrole = lp.get("server role")
619 if serverrole is None:
620 raise ProvisioningError("guess_names: 'server role' not specified in supplied %s!" % lp.configfile)
621
622 serverrole = serverrole.lower()
623
624 realm = dnsdomain.upper()
625
626 if lp.get("realm") == "":
627 raise ProvisioningError("guess_names: 'realm =' was not specified in supplied %s. Please remove the smb.conf file and let provision generate it" % lp.configfile)
628
629 if lp.get("realm").upper() != realm:
630 raise ProvisioningError("guess_names: 'realm=%s' in %s must match chosen realm '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("realm").upper(), lp.configfile, realm))
631
632 if lp.get("server role").lower() != serverrole:
633 raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole))
634
635 if serverrole == "active directory domain controller":
636 if domain is None:
637 # This will, for better or worse, default to 'WORKGROUP'
638 domain = lp.get("workgroup")
639 domain = domain.upper()
640
641 if lp.get("workgroup").upper() != domain:
642 raise ProvisioningError("guess_names: Workgroup '%s' in smb.conf must match chosen domain '%s'! Please remove the %s file and let provision generate it" % (lp.get("workgroup").upper(), domain, lp.configfile))
643
644 if domaindn is None:
645 domaindn = samba.dn_from_dns_name(dnsdomain)
646
647 if domain == netbiosname:
648 raise ProvisioningError("guess_names: Domain '%s' must not be equal to short host name '%s'!" % (domain, netbiosname))
649 else:
650 domain = netbiosname
651 if domaindn is None:
652 domaindn = "DC=" + netbiosname
653
654 if not valid_netbios_name(domain):
655 raise InvalidNetbiosName(domain)
656
657 if hostname.upper() == realm:
658 raise ProvisioningError("guess_names: Realm '%s' must not be equal to hostname '%s'!" % (realm, hostname))
659 if netbiosname.upper() == realm:
660 raise ProvisioningError("guess_names: Realm '%s' must not be equal to NetBIOS hostname '%s'!" % (realm, netbiosname))
661 if domain == realm and not domain_names_forced:
662 raise ProvisioningError("guess_names: Realm '%s' must not be equal to short domain name '%s'!" % (realm, domain))
663
664 if serverrole != "active directory domain controller":
665 #
666 # This is the code path for a domain member
667 # where we provision the database as if we where
668 # on a domain controller, so we should not use
669 # the same dnsdomain as the domain controllers
670 # of our primary domain.
671 #
672 # This will be important if we start doing
673 # SID/name filtering and reject the local
674 # sid and names if they come from a domain
675 # controller.
676 #
677 realm = netbiosname
678 dnsdomain = netbiosname.lower()
679
680 if rootdn is None:
681 rootdn = domaindn
682
683 if configdn is None:
684 configdn = "CN=Configuration," + rootdn
685 if schemadn is None:
686 schemadn = "CN=Schema," + configdn
687
688 if sitename is None:
689 sitename = DEFAULTSITE
690
691 names = ProvisionNames()
692 names.rootdn = rootdn
693 names.domaindn = domaindn
694 names.configdn = configdn
695 names.schemadn = schemadn
696 names.ldapmanagerdn = "CN=Manager," + rootdn
697 names.dnsdomain = dnsdomain
698 names.domain = domain
699 names.realm = realm
700 names.netbiosname = netbiosname
701 names.hostname = hostname
702 names.sitename = sitename
703 names.serverdn = "CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (
704 netbiosname, sitename, configdn)
705
706 return names
707
708 def make_smbconf(smbconf, hostname, domain, realm, targetdir,
709 serverrole=None, eadb=False, use_ntvfs=False, lp=None,
710 global_param=None):
711 """Create a new smb.conf file based on a couple of basic settings.
712 """
713 assert smbconf is not None
714
715 if hostname is None:
716 hostname = socket.gethostname().split(".")[0]
717
718 netbiosname = determine_netbios_name(hostname)
719
720 if serverrole is None:
721 serverrole = "standalone server"
722
723 assert domain is not None
724 domain = domain.upper()
725
726 assert realm is not None
727 realm = realm.upper()
728
729 global_settings = {
730 "netbios name": netbiosname,
731 "workgroup": domain,
732 "realm": realm,
733 "server role": serverrole,
734 }
735
736 if lp is None:
737 lp = samba.param.LoadParm()
738 #Load non-existent file
739 if os.path.exists(smbconf):
740 lp.load(smbconf)
741
742 if global_param is not None:
743 for ent in global_param:
744 if global_param[ent] is not None:
745 global_settings[ent] = " ".join(global_param[ent])
746
747 if targetdir is not None:
748 global_settings["private dir"] = os.path.abspath(os.path.join(targetdir, "private"))
749 global_settings["lock dir"] = os.path.abspath(targetdir)
750 global_settings["state directory"] = os.path.abspath(os.path.join(targetdir, "state"))
751 global_settings["cache directory"] = os.path.abspath(os.path.join(targetdir, "cache"))
752 global_settings["binddns dir"] = os.path.abspath(os.path.join(targetdir, "bind-dns"))
753
754 lp.set("lock dir", os.path.abspath(targetdir))
755 lp.set("state directory", global_settings["state directory"])
756 lp.set("cache directory", global_settings["cache directory"])
757 lp.set("binddns dir", global_settings["binddns dir"])
758
759 if eadb:
760 if use_ntvfs and not lp.get("posix:eadb"):
761 if targetdir is not None:
762 privdir = os.path.join(targetdir, "private")
763 else:
764 privdir = lp.get("private dir")
765 lp.set("posix:eadb", os.path.abspath(os.path.join(privdir, "eadb.tdb")))
766 elif not use_ntvfs and not lp.get("xattr_tdb:file"):
767 if targetdir is not None:
768 statedir = os.path.join(targetdir, "state")
769 else:
770 statedir = lp.get("state directory")
771 lp.set("xattr_tdb:file", os.path.abspath(os.path.join(statedir, "xattr.tdb")))
772
773 shares = {}
774 if serverrole == "active directory domain controller":
775 shares["sysvol"] = os.path.join(lp.get("state directory"), "sysvol")
776 shares["netlogon"] = os.path.join(shares["sysvol"], realm.lower(),
777 "scripts")
778 else:
779 global_settings["passdb backend"] = "samba_dsdb"
780
781 f = open(smbconf, 'w')
782 try:
783 f.write("[globals]\n")
784 for key, val in global_settings.items():
785 f.write("\t%s = %s\n" % (key, val))
786 f.write("\n")
787
788 for name, path in shares.items():
789 f.write("[%s]\n" % name)
790 f.write("\tpath = %s\n" % path)
791 f.write("\tread only = no\n")
792 f.write("\n")
793 finally:
794 f.close()
795 # reload the smb.conf
796 lp.load(smbconf)
797
798 # and dump it without any values that are the default
799 # this ensures that any smb.conf parameters that were set
800 # on the provision/join command line are set in the resulting smb.conf
801 lp.dump(False, smbconf)
802
803
804 def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
805 users_gid, root_gid):
806 """setup reasonable name mappings for sam names to unix names.
807
808 :param samdb: SamDB object.
809 :param idmap: IDmap db object.
810 :param sid: The domain sid.
811 :param domaindn: The domain DN.
812 :param root_uid: uid of the UNIX root user.
813 :param nobody_uid: uid of the UNIX nobody user.
814 :param users_gid: gid of the UNIX users group.
815 :param root_gid: gid of the UNIX root group.
816 """
817 idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
818
819 idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
820 idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
821
822
823 def setup_samdb_partitions(samdb_path, logger, lp, session_info,
824 provision_backend, names, serverrole,
825 erase=False, plaintext_secrets=False,
826 backend_store=None):
827 """Setup the partitions for the SAM database.
828
829 Alternatively, provision() may call this, and then populate the database.
830
831 :note: This will wipe the Sam Database!
832
833 :note: This function always removes the local SAM LDB file. The erase
834 parameter controls whether to erase the existing data, which
835 may not be stored locally but in LDAP.
836
837 """
838 assert session_info is not None
839
840 # We use options=["modules:"] to stop the modules loading - we
841 # just want to wipe and re-initialise the database, not start it up
842
843 try:
844 os.unlink(samdb_path)
845 except OSError:
846 pass
847
848 samdb = Ldb(url=samdb_path, session_info=session_info,
849 lp=lp, options=["modules:"])
850
851 ldap_backend_line = "# No LDAP backend"
852 if provision_backend.type != "ldb":
853 ldap_backend_line = "ldapBackend: %s" % provision_backend.ldap_uri
854
855 required_features = None
856 if not plaintext_secrets:
857 required_features = "requiredFeatures: encryptedSecrets"
858
859 if backend_store is None:
860 backend_store = get_default_backend_store()
861 backend_store_line = "backendStore: %s" % backend_store
862
863 if backend_store == "mdb":
864 if required_features is not None:
865 required_features += "\n"
866 else:
867 required_features = ""
868 required_features += "requiredFeatures: lmdbLevelOne"
869
870 if required_features is None:
871 required_features = "# No required features"
872
873 samdb.transaction_start()
874 try:
875 logger.info("Setting up sam.ldb partitions and settings")
876 setup_add_ldif(samdb, setup_path("provision_partitions.ldif"), {
877 "LDAP_BACKEND_LINE": ldap_backend_line,
878 "BACKEND_STORE": backend_store_line
879 })
880
881
882 setup_add_ldif(samdb, setup_path("provision_init.ldif"), {
883 "BACKEND_TYPE": provision_backend.type,
884 "SERVER_ROLE": serverrole,
885 "REQUIRED_FEATURES": required_features
886 })
887
888 logger.info("Setting up sam.ldb rootDSE")
889 setup_samdb_rootdse(samdb, names)
890 except:
891 samdb.transaction_cancel()
892 raise
893 else:
894 samdb.transaction_commit()
895
896
897 def secretsdb_self_join(secretsdb, domain,
898 netbiosname, machinepass, domainsid=None,
899 realm=None, dnsdomain=None,
900 keytab_path=None,
901 key_version_number=1,
902 secure_channel_type=SEC_CHAN_WKSTA):
903 """Add domain join-specific bits to a secrets database.
904
905 :param secretsdb: Ldb Handle to the secrets database
906 :param machinepass: Machine password
907 """
908 attrs = ["whenChanged",
909 "secret",
910 "priorSecret",
911 "priorChanged",
912 "krb5Keytab",
913 "privateKeytab"]
914
915 if realm is not None:
916 if dnsdomain is None:
917 dnsdomain = realm.lower()
918 dnsname = '%s.%s' % (netbiosname.lower(), dnsdomain.lower())
919 else:
920 dnsname = None
921 shortname = netbiosname.lower()
922
923 # We don't need to set msg["flatname"] here, because rdn_name will handle
924 # it, and it causes problems for modifies anyway
925 msg = ldb.Message(ldb.Dn(secretsdb, "flatname=%s,cn=Primary Domains" % domain))
926 msg["secureChannelType"] = [str(secure_channel_type)]
927 msg["objectClass"] = ["top", "primaryDomain"]
928 if dnsname is not None:
929 msg["objectClass"] = ["top", "primaryDomain", "kerberosSecret"]
930 msg["realm"] = [realm]
931 msg["saltPrincipal"] = ["host/%s@%s" % (dnsname, realm.upper())]
932 msg["msDS-KeyVersionNumber"] = [str(key_version_number)]
933 msg["privateKeytab"] = ["secrets.keytab"]
934
935 msg["secret"] = [machinepass.encode('utf-8')]
936 msg["samAccountName"] = ["%s$" % netbiosname]
937 msg["secureChannelType"] = [str(secure_channel_type)]
938 if domainsid is not None:
939 msg["objectSid"] = [ndr_pack(domainsid)]
940
941 # This complex expression tries to ensure that we don't have more
942 # than one record for this SID, realm or netbios domain at a time,
943 # but we don't delete the old record that we are about to modify,
944 # because that would delete the keytab and previous password.
945 res = secretsdb.search(base="cn=Primary Domains", attrs=attrs,
946 expression=("(&(|(flatname=%s)(realm=%s)(objectSid=%s))(objectclass=primaryDomain)(!(distinguishedName=%s)))" % (domain, realm, str(domainsid), str(msg.dn))),
947 scope=ldb.SCOPE_ONELEVEL)
948
949 for del_msg in res:
950 secretsdb.delete(del_msg.dn)
951
952 res = secretsdb.search(base=msg.dn, attrs=attrs, scope=ldb.SCOPE_BASE)
953
954 if len(res) == 1:
955 msg["priorSecret"] = [res[0]["secret"][0]]
956 try:
957 msg["priorWhenChanged"] = [res[0]["whenChanged"][0]]
958 except KeyError:
959 pass
960
961 try:
962 msg["privateKeytab"] = [res[0]["privateKeytab"][0]]
963 except KeyError:
964 pass
965
966 try:
967 msg["krb5Keytab"] = [res[0]["krb5Keytab"][0]]
968 except KeyError:
969 pass
970
971 for el in msg:
972 if el != 'dn':
973 msg[el].set_flags(ldb.FLAG_MOD_REPLACE)
974 secretsdb.modify(msg)
975 secretsdb.rename(res[0].dn, msg.dn)
976 else:
977 spn = [ 'HOST/%s' % shortname ]
978 if secure_channel_type == SEC_CHAN_BDC and dnsname is not None:
979 # we are a domain controller then we add servicePrincipalName
980 # entries for the keytab code to update.
981 spn.extend([ 'HOST/%s' % dnsname ])
982 msg["servicePrincipalName"] = spn
983
984 secretsdb.add(msg)
985
986
987 def setup_secretsdb(paths, session_info, backend_credentials, lp):
988 """Setup the secrets database.
989
990 :note: This function does not handle exceptions and transaction on purpose,
991 it's up to the caller to do this job.
992
993 :param path: Path to the secrets database.
994 :param session_info: Session info.
995 :param credentials: Credentials
996 :param lp: Loadparm context
997 :return: LDB handle for the created secrets database
998 """
999 if os.path.exists(paths.secrets):
1000 os.unlink(paths.secrets)
1001
1002 keytab_path = os.path.join(paths.private_dir, paths.keytab)
1003 if os.path.exists(keytab_path):
1004 os.unlink(keytab_path)
1005
1006 bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
1007 if os.path.exists(bind_dns_keytab_path):
1008 os.unlink(bind_dns_keytab_path)
1009
1010 dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
1011 if os.path.exists(dns_keytab_path):
1012 os.unlink(dns_keytab_path)
1013
1014 path = paths.secrets
1015
1016 secrets_ldb = Ldb(path, session_info=session_info, lp=lp)
1017 secrets_ldb.erase()
1018 secrets_ldb.load_ldif_file_add(setup_path("secrets_init.ldif"))
1019 secrets_ldb = Ldb(path, session_info=session_info, lp=lp)
1020 secrets_ldb.transaction_start()
1021 try:
1022 secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
1023
1024 if (backend_credentials is not None and
1025 backend_credentials.authentication_requested()):
1026 if backend_credentials.get_bind_dn() is not None:
1027 setup_add_ldif(secrets_ldb,
1028 setup_path("secrets_simple_ldap.ldif"), {
1029 "LDAPMANAGERDN": backend_credentials.get_bind_dn(),
1030 "LDAPMANAGERPASS_B64": b64encode(backend_credentials.get_password()).decode('utf8')
1031 })
1032 else:
1033 setup_add_ldif(secrets_ldb,
1034 setup_path("secrets_sasl_ldap.ldif"), {
1035 "LDAPADMINUSER": backend_credentials.get_username(),
1036 "LDAPADMINREALM": backend_credentials.get_realm(),
1037 "LDAPADMINPASS_B64": b64encode(backend_credentials.get_password()).decode('utf8')
1038 })
1039 except:
1040 secrets_ldb.transaction_cancel()
1041 raise
1042 return secrets_ldb
1043
1044
1045 def setup_privileges(path, session_info, lp):
1046 """Setup the privileges database.
1047
1048 :param path: Path to the privileges database.
1049 :param session_info: Session info.
1050 :param credentials: Credentials
1051 :param lp: Loadparm context
1052 :return: LDB handle for the created secrets database
1053 """
1054 if os.path.exists(path):
1055 os.unlink(path)
1056 privilege_ldb = Ldb(path, session_info=session_info, lp=lp)
1057 privilege_ldb.erase()
1058 privilege_ldb.load_ldif_file_add(setup_path("provision_privilege.ldif"))
1059
1060 def setup_encrypted_secrets_key(path):
1061 """Setup the encrypted secrets key file.
1062
1063 Any existing key file will be deleted and a new random key generated.
1064
1065 :param path: Path to the secrets key file.
1066
1067 """
1068 if os.path.exists(path):
1069 os.unlink(path)
1070
1071 flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
1072 mode = stat.S_IRUSR | stat.S_IWUSR
1073
1074 umask_original = os.umask(0)
1075 try:
1076 fd = os.open(path, flags, mode)
1077 finally:
1078 os.umask(umask_original)
1079
1080 with os.fdopen(fd, 'w') as f:
1081 key = samba.generate_random_bytes(16)
1082 f.write(key)
1083
1084
1085 def setup_registry(path, session_info, lp):
1086 """Setup the registry.
1087
1088 :param path: Path to the registry database
1089 :param session_info: Session information
1090 :param credentials: Credentials
1091 :param lp: Loadparm context
1092 """
1093 reg = samba.registry.Registry()
1094 hive = samba.registry.open_ldb(path, session_info=session_info, lp_ctx=lp)
1095 reg.mount_hive(hive, samba.registry.HKEY_LOCAL_MACHINE)
1096 provision_reg = setup_path("provision.reg")
1097 assert os.path.exists(provision_reg)
1098 reg.diff_apply(provision_reg)
1099
1100
1101 def setup_idmapdb(path, session_info, lp):
1102 """Setup the idmap database.
1103
1104 :param path: path to the idmap database
1105 :param session_info: Session information
1106 :param credentials: Credentials
1107 :param lp: Loadparm context
1108 """
1109 if os.path.exists(path):
1110 os.unlink(path)
1111
1112 idmap_ldb = IDmapDB(path, session_info=session_info, lp=lp)
1113 idmap_ldb.erase()
1114 idmap_ldb.load_ldif_file_add(setup_path("idmap_init.ldif"))
1115 return idmap_ldb
1116
1117
1118 def setup_samdb_rootdse(samdb, names):
1119 """Setup the SamDB rootdse.
1120
1121 :param samdb: Sam Database handle
1122 """
1123 setup_add_ldif(samdb, setup_path("provision_rootdse_add.ldif"), {
1124 "SCHEMADN": names.schemadn,
1125 "DOMAINDN": names.domaindn,
1126 "ROOTDN" : names.rootdn,
1127 "CONFIGDN": names.configdn,
1128 "SERVERDN": names.serverdn,
1129 })
1130
1131
1132 def setup_self_join(samdb, admin_session_info, names, fill, machinepass,
1133 dns_backend, dnspass, domainsid, next_rid, invocationid,
1134 policyguid, policyguid_dc,
1135 domainControllerFunctionality, ntdsguid=None, dc_rid=None):
1136 """Join a host to its own domain."""
1137 assert isinstance(invocationid, str)
1138 if ntdsguid is not None:
1139 ntdsguid_line = "objectGUID: %s\n"%ntdsguid
1140 else:
1141 ntdsguid_line = ""
1142
1143 if dc_rid is None:
1144 dc_rid = next_rid
1145
1146 setup_add_ldif(samdb, setup_path("provision_self_join.ldif"), {
1147 "CONFIGDN": names.configdn,
1148 "SCHEMADN": names.schemadn,
1149 "DOMAINDN": names.domaindn,
1150 "SERVERDN": names.serverdn,
1151 "INVOCATIONID": invocationid,
1152 "NETBIOSNAME": names.netbiosname,
1153 "DNSNAME": "%s.%s" % (names.hostname, names.dnsdomain),
1154 "MACHINEPASS_B64": b64encode(machinepass.encode('utf-16-le')).decode('utf8'),
1155 "DOMAINSID": str(domainsid),
1156 "DCRID": str(dc_rid),
1157 "SAMBA_VERSION_STRING": version,
1158 "NTDSGUID": ntdsguid_line,
1159 "DOMAIN_CONTROLLER_FUNCTIONALITY": str(
1160 domainControllerFunctionality),
1161 "RIDALLOCATIONSTART": str(next_rid + 100),
1162 "RIDALLOCATIONEND": str(next_rid + 100 + 499)})
1163
1164 setup_add_ldif(samdb, setup_path("provision_group_policy.ldif"), {
1165 "POLICYGUID": policyguid,
1166 "POLICYGUID_DC": policyguid_dc,
1167 "DNSDOMAIN": names.dnsdomain,
1168 "DOMAINDN": names.domaindn})
1169
1170 # If we are setting up a subdomain, then this has been replicated in, so we
1171 # don't need to add it
1172 if fill == FILL_FULL:
1173 setup_add_ldif(samdb, setup_path("provision_self_join_config.ldif"), {
1174 "CONFIGDN": names.configdn,
1175 "SCHEMADN": names.schemadn,
1176 "DOMAINDN": names.domaindn,
1177 "SERVERDN": names.serverdn,
1178 "INVOCATIONID": invocationid,
1179 "NETBIOSNAME": names.netbiosname,
1180 "DNSNAME": "%s.%s" % (names.hostname, names.dnsdomain),
1181 "MACHINEPASS_B64": b64encode(machinepass.encode('utf-16-le')).decode('utf8'),
1182 "DOMAINSID": str(domainsid),
1183 "DCRID": str(dc_rid),
1184 "SAMBA_VERSION_STRING": version,
1185 "NTDSGUID": ntdsguid_line,
1186 "DOMAIN_CONTROLLER_FUNCTIONALITY": str(
1187 domainControllerFunctionality)})
1188
1189 # Setup fSMORoleOwner entries to point at the newly created DC entry
1190 setup_modify_ldif(samdb,
1191 setup_path("provision_self_join_modify_config.ldif"), {
1192 "CONFIGDN": names.configdn,
1193 "SCHEMADN": names.schemadn,
1194 "DEFAULTSITE": names.sitename,
1195 "NETBIOSNAME": names.netbiosname,
1196 "SERVERDN": names.serverdn,
1197 })
1198
1199 system_session_info = system_session()
1200 samdb.set_session_info(system_session_info)
1201 # Setup fSMORoleOwner entries to point at the newly created DC entry to
1202 # modify a serverReference under cn=config when we are a subdomain, we must
1203 # be system due to ACLs
1204 setup_modify_ldif(samdb, setup_path("provision_self_join_modify.ldif"), {
1205 "DOMAINDN": names.domaindn,
1206 "SERVERDN": names.serverdn,
1207 "NETBIOSNAME": names.netbiosname,
1208 })
1209
1210 samdb.set_session_info(admin_session_info)
1211
1212 if dns_backend != "SAMBA_INTERNAL":
1213 # This is Samba4 specific and should be replaced by the correct
1214 # DNS AD-style setup
1215 setup_add_ldif(samdb, setup_path("provision_dns_add_samba.ldif"), {
1216 "DNSDOMAIN": names.dnsdomain,
1217 "DOMAINDN": names.domaindn,
1218 "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')).decode('utf8'),
1219 "HOSTNAME" : names.hostname,
1220 "DNSNAME" : '%s.%s' % (
1221 names.netbiosname.lower(), names.dnsdomain.lower())
1222 })
1223
1224
1225 def getpolicypath(sysvolpath, dnsdomain, guid):
1226 """Return the physical path of policy given its guid.
1227
1228 :param sysvolpath: Path to the sysvol folder
1229 :param dnsdomain: DNS name of the AD domain
1230 :param guid: The GUID of the policy
1231 :return: A string with the complete path to the policy folder
1232 """
1233 if guid[0] != "{":
1234 guid = "{%s}" % guid
1235 policy_path = os.path.join(sysvolpath, dnsdomain, "Policies", guid)
1236 return policy_path
1237
1238
1239 def create_gpo_struct(policy_path):
1240 if not os.path.exists(policy_path):
1241 os.makedirs(policy_path, 0o775)
1242 f = open(os.path.join(policy_path, "GPT.INI"), 'w')
1243 try:
1244 f.write("[General]\r\nVersion=0")
1245 finally:
1246 f.close()
1247 p = os.path.join(policy_path, "MACHINE")
1248 if not os.path.exists(p):
1249 os.makedirs(p, 0o775)
1250 p = os.path.join(policy_path, "USER")
1251 if not os.path.exists(p):
1252 os.makedirs(p, 0o775)
1253
1254
1255 def create_default_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
1256 """Create the default GPO for a domain
1257
1258 :param sysvolpath: Physical path for the sysvol folder
1259 :param dnsdomain: DNS domain name of the AD domain
1260 :param policyguid: GUID of the default domain policy
1261 :param policyguid_dc: GUID of the default domain controler policy
1262 """
1263 policy_path = getpolicypath(sysvolpath,dnsdomain,policyguid)
1264 create_gpo_struct(policy_path)
1265
1266 policy_path = getpolicypath(sysvolpath,dnsdomain,policyguid_dc)
1267 create_gpo_struct(policy_path)
1268
1269
1270 def setup_samdb(path, session_info, provision_backend, lp, names,
1271 logger, fill, serverrole, schema, am_rodc=False,
1272 plaintext_secrets=False, backend_store=None):
1273 """Setup a complete SAM Database.
1274
1275 :note: This will wipe the main SAM database file!
1276 """
1277
1278 # Also wipes the database
1279 setup_samdb_partitions(path, logger=logger, lp=lp,
1280 provision_backend=provision_backend, session_info=session_info,
1281 names=names, serverrole=serverrole, plaintext_secrets=plaintext_secrets,
1282 backend_store=backend_store)
1283
1284 # Load the database, but don's load the global schema and don't connect
1285 # quite yet
1286 samdb = SamDB(session_info=session_info, url=None, auto_connect=False,
1287 credentials=provision_backend.credentials, lp=lp,
1288 global_schema=False, am_rodc=am_rodc)
1289
1290 logger.info("Pre-loading the Samba 4 and AD schema")
1291
1292 # Load the schema from the one we computed earlier
1293 samdb.set_schema(schema, write_indices_and_attributes=False)
1294
1295 # Set the NTDS settings DN manually - in order to have it already around
1296 # before the provisioned tree exists and we connect
1297 samdb.set_ntds_settings_dn("CN=NTDS Settings,%s" % names.serverdn)
1298
1299 # And now we can connect to the DB - the schema won't be loaded from the
1300 # DB
1301 try:
1302 samdb.connect(path)
1303 except ldb.LdbError as e2:
1304 (num, string_error) = e2.args
1305 if (num == ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS):
1306 raise ProvisioningError("Permission denied connecting to %s, are you running as root?" % path)
1307 else:
1308 raise
1309
1310 # But we have to give it one more kick to have it use the schema
1311 # during provision - it needs, now that it is connected, to write
1312 # the schema @ATTRIBUTES and @INDEXLIST records to the database.
1313 samdb.set_schema(schema, write_indices_and_attributes=True)
1314
1315 return samdb
1316
1317
1318 def fill_samdb(samdb, lp, names, logger, policyguid,
1319 policyguid_dc, fill, adminpass, krbtgtpass, machinepass, dns_backend,
1320 dnspass, invocationid, ntdsguid, serverrole, am_rodc=False,
1321 dom_for_fun_level=None, schema=None, next_rid=None, dc_rid=None,
1322 backend_store=None):
1323
1324 if next_rid is None:
1325 next_rid = 1000
1326
1327 # Provision does not make much sense values larger than 1000000000
1328 # as the upper range of the rIDAvailablePool is 1073741823 and
1329 # we don't want to create a domain that cannot allocate rids.
1330 if next_rid < 1000 or next_rid > 1000000000:
1331 error = "You want to run SAMBA 4 with a next_rid of %u, " % (next_rid)
1332 error += "the valid range is %u-%u. The default is %u." % (
1333 1000, 1000000000, 1000)
1334 raise ProvisioningError(error)
1335
1336 # ATTENTION: Do NOT change these default values without discussion with the
1337 # team and/or release manager. They have a big impact on the whole program!
1338 domainControllerFunctionality = DS_DOMAIN_FUNCTION_2008_R2
1339
1340 if dom_for_fun_level is None:
1341 dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2
1342
1343 if dom_for_fun_level > domainControllerFunctionality:
1344 raise ProvisioningError("You want to run SAMBA 4 on a domain and forest function level which itself is higher than its actual DC function level (2008_R2). This won't work!")
1345
1346 domainFunctionality = dom_for_fun_level
1347 forestFunctionality = dom_for_fun_level
1348
1349 # Set the NTDS settings DN manually - in order to have it already around
1350 # before the provisioned tree exists and we connect
1351 samdb.set_ntds_settings_dn("CN=NTDS Settings,%s" % names.serverdn)
1352
1353 # Set the domain functionality levels onto the database.
1354 # Various module (the password_hash module in particular) need
1355 # to know what level of AD we are emulating.
1356
1357 # These will be fixed into the database via the database
1358 # modifictions below, but we need them set from the start.
1359 samdb.set_opaque_integer("domainFunctionality", domainFunctionality)
1360 samdb.set_opaque_integer("forestFunctionality", forestFunctionality)
1361 samdb.set_opaque_integer("domainControllerFunctionality",
1362 domainControllerFunctionality)
1363
1364 samdb.set_domain_sid(str(names.domainsid))
1365 samdb.set_invocation_id(invocationid)
1366
1367 logger.info("Adding DomainDN: %s" % names.domaindn)
1368
1369 # impersonate domain admin
1370 admin_session_info = admin_session(lp, str(names.domainsid))
1371 samdb.set_session_info(admin_session_info)
1372 if names.domainguid is not None:
1373 domainguid_line = "objectGUID: %s\n-" % names.domainguid
1374 else:
1375 domainguid_line = ""
1376
1377 descr = b64encode(get_domain_descriptor(names.domainsid)).decode('utf8')
1378 setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
1379 "DOMAINDN": names.domaindn,
1380 "DOMAINSID": str(names.domainsid),
1381 "DESCRIPTOR": descr,
1382 "DOMAINGUID": domainguid_line
1383 })
1384
1385 setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
1386 "DOMAINDN": names.domaindn,
1387 "CREATTIME": str(samba.unix2nttime(int(time.time()))),
1388 "NEXTRID": str(next_rid),
1389 "DEFAULTSITE": names.sitename,
1390 "CONFIGDN": names.configdn,
1391 "POLICYGUID": policyguid,
1392 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
1393 "SAMBA_VERSION_STRING": version,
1394 "MIN_PWD_LENGTH": str(DEFAULT_MIN_PWD_LENGTH)
1395 })
1396
1397 # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
1398 if fill == FILL_FULL:
1399 logger.info("Adding configuration container")
1400 descr = b64encode(get_config_descriptor(names.domainsid)).decode('utf8')
1401 setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), {
1402 "CONFIGDN": names.configdn,
1403 "DESCRIPTOR": descr,
1404 })
1405
1406 # The LDIF here was created when the Schema object was constructed
1407 ignore_checks_oid = "local_oid:%s:0" % samba.dsdb.DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID
1408 logger.info("Setting up sam.ldb schema")
1409 samdb.add_ldif(schema.schema_dn_add,
1410 controls=["relax:0", ignore_checks_oid])
1411 samdb.modify_ldif(schema.schema_dn_modify,
1412 controls=[ignore_checks_oid])
1413 samdb.write_prefixes_from_schema()
1414 samdb.add_ldif(schema.schema_data, controls=["relax:0", ignore_checks_oid])
1415 setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"),
1416 {"SCHEMADN": names.schemadn},
1417 controls=["relax:0", ignore_checks_oid])
1418
1419 # Now register this container in the root of the forest
1420 msg = ldb.Message(ldb.Dn(samdb, names.domaindn))
1421 msg["subRefs"] = ldb.MessageElement(names.configdn , ldb.FLAG_MOD_ADD,
1422 "subRefs")
1423
1424 samdb.invocation_id = invocationid
1425
1426 # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
1427 if fill == FILL_FULL:
1428 logger.info("Setting up sam.ldb configuration data")
1429
1430 partitions_descr = b64encode(get_config_partitions_descriptor(names.domainsid)).decode('utf8')
1431 sites_descr = b64encode(get_config_sites_descriptor(names.domainsid)).decode('utf8')
1432 ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(names.domainsid)).decode('utf8')
1433 protected1_descr = b64encode(get_config_delete_protected1_descriptor(names.domainsid)).decode('utf8')
1434 protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)).decode('utf8')
1435 protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid)).decode('utf8')
1436
1437 if "2008" in schema.base_schema:
1438 # exclude 2012-specific changes if we're using a 2008 schema
1439 incl_2012 = "#"
1440 else:
1441 incl_2012 = ""
1442
1443 setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
1444 "CONFIGDN": names.configdn,
1445 "NETBIOSNAME": names.netbiosname,
1446 "DEFAULTSITE": names.sitename,
1447 "DNSDOMAIN": names.dnsdomain,
1448 "DOMAIN": names.domain,
1449 "SCHEMADN": names.schemadn,
1450 "DOMAINDN": names.domaindn,
1451 "SERVERDN": names.serverdn,
1452 "FOREST_FUNCTIONALITY": str(forestFunctionality),
1453 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
1454 "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
1455 "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
1456 "SERVICES_DESCRIPTOR": protected1_descr,
1457 "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
1458 "FORESTUPDATES_DESCRIPTOR": protected1wd_descr,
1459 "EXTENDEDRIGHTS_DESCRIPTOR": protected2_descr,
1460 "PARTITIONS_DESCRIPTOR": partitions_descr,
1461 "SITES_DESCRIPTOR": sites_descr,
1462 })
1463
1464 setup_add_ldif(samdb, setup_path("extended-rights.ldif"), {
1465 "CONFIGDN": names.configdn,
1466 "INC2012" : incl_2012,
1467 })
1468
1469 logger.info("Setting up display specifiers")
1470 display_specifiers_ldif = read_ms_ldif(
1471 setup_path('display-specifiers/DisplaySpecifiers-Win2k8R2.txt'))
1472 display_specifiers_ldif = substitute_var(display_specifiers_ldif,
1473 {"CONFIGDN": names.configdn})
1474 check_all_substituted(display_specifiers_ldif)
1475 samdb.add_ldif(display_specifiers_ldif)
1476
1477 logger.info("Modifying display specifiers and extended rights")
1478 setup_modify_ldif(samdb,
1479 setup_path("provision_configuration_modify.ldif"), {
1480 "CONFIGDN": names.configdn,
1481 "DISPLAYSPECIFIERS_DESCRIPTOR": protected2_descr
1482 })
1483
1484 logger.info("Adding users container")
1485 users_desc = b64encode(get_domain_users_descriptor(names.domainsid)).decode('utf8')
1486 setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
1487 "DOMAINDN": names.domaindn,
1488 "USERS_DESCRIPTOR": users_desc
1489 })
1490 logger.info("Modifying users container")
1491 setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
1492 "DOMAINDN": names.domaindn})
1493 logger.info("Adding computers container")
1494 computers_desc = b64encode(get_domain_computers_descriptor(names.domainsid)).decode('utf8')
1495 setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
1496 "DOMAINDN": names.domaindn,
1497 "COMPUTERS_DESCRIPTOR": computers_desc
1498 })
1499 logger.info("Modifying computers container")
1500 setup_modify_ldif(samdb,
1501 setup_path("provision_computers_modify.ldif"), {
1502 "DOMAINDN": names.domaindn})
1503 logger.info("Setting up sam.ldb data")
1504 infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(names.domainsid)).decode('utf8')
1505 lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(names.domainsid)).decode('utf8')
1506 system_desc = b64encode(get_domain_delete_protected1_descriptor(names.domainsid)).decode('utf8')
1507 builtin_desc = b64encode(get_domain_builtin_descriptor(names.domainsid)).decode('utf8')
1508 controllers_desc = b64encode(get_domain_controllers_descriptor(names.domainsid)).decode('utf8')
1509 setup_add_ldif(samdb, setup_path("provision.ldif"), {
1510 "CREATTIME": str(samba.unix2nttime(int(time.time()))),
1511 "DOMAINDN": names.domaindn,
1512 "NETBIOSNAME": names.netbiosname,
1513 "DEFAULTSITE": names.sitename,
1514 "CONFIGDN": names.configdn,
1515 "SERVERDN": names.serverdn,
1516 "RIDAVAILABLESTART": str(next_rid + 600),
1517 "POLICYGUID_DC": policyguid_dc,
1518 "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
1519 "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
1520 "SYSTEM_DESCRIPTOR": system_desc,
1521 "BUILTIN_DESCRIPTOR": builtin_desc,
1522 "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc,
1523 })
1524
1525 # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
1526 if fill == FILL_FULL:
1527 managedservice_descr = b64encode(get_managed_service_accounts_descriptor(names.domainsid)).decode('utf8')
1528 setup_modify_ldif(samdb,
1529 setup_path("provision_configuration_references.ldif"), {
1530 "CONFIGDN": names.configdn,
1531 "SCHEMADN": names.schemadn})
1532
1533 logger.info("Setting up well known security principals")
1534 protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)).decode('utf8')
1535 setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
1536 "CONFIGDN": names.configdn,
1537 "WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
1538 }, controls=["relax:0", "provision:0"])
1539
1540 if fill == FILL_FULL or fill == FILL_SUBDOMAIN:
1541 setup_modify_ldif(samdb,
1542 setup_path("provision_basedn_references.ldif"), {
1543 "DOMAINDN": names.domaindn,
1544 "MANAGEDSERVICE_DESCRIPTOR": managedservice_descr
1545 })
1546
1547 logger.info("Setting up sam.ldb users and groups")
1548 setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
1549 "DOMAINDN": names.domaindn,
1550 "DOMAINSID": str(names.domainsid),
1551 "ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')).decode('utf8'),
1552 "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le')).decode('utf8')
1553 }, controls=["relax:0", "provision:0"])
1554
1555 logger.info("Setting up self join")
1556 setup_self_join(samdb, admin_session_info, names=names, fill=fill,
1557 invocationid=invocationid,
1558 dns_backend=dns_backend,
1559 dnspass=dnspass,
1560 machinepass=machinepass,
1561 domainsid=names.domainsid,
1562 next_rid=next_rid,
1563 dc_rid=dc_rid,
1564 policyguid=policyguid,
1565 policyguid_dc=policyguid_dc,
1566 domainControllerFunctionality=domainControllerFunctionality,
1567 ntdsguid=ntdsguid)
1568
1569 ntds_dn = "CN=NTDS Settings,%s" % names.serverdn
1570 names.ntdsguid = samdb.searchone(basedn=ntds_dn,
1571 attribute="objectGUID", expression="", scope=ldb.SCOPE_BASE)
1572 assert isinstance(names.ntdsguid, str)
1573
1574 return samdb
1575
1576
1577 SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
1578 POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
1579 SYSVOL_SERVICE="sysvol"
1580
1581 def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE):
1582 setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
1583 for root, dirs, files in os.walk(path, topdown=False):
1584 for name in files:
1585 setntacl(lp, os.path.join(root, name), acl, domsid,
1586 use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
1587 for name in dirs:
1588 setntacl(lp, os.path.join(root, name), acl, domsid,
1589 use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
1590
1591
1592 def set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb):
1593 """Set ACL on the sysvol/<dnsname>/Policies folder and the policy
1594 folders beneath.
1595
1596 :param sysvol: Physical path for the sysvol folder
1597 :param dnsdomain: The DNS name of the domain
1598 :param domainsid: The SID of the domain
1599 :param domaindn: The DN of the domain (ie. DC=...)
1600 :param samdb: An LDB object on the SAM db
1601 :param lp: an LP object
1602 """
1603
1604 # Set ACL for GPO root folder
1605 root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")
1606 setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid),
1607 use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
1608
1609 res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),
1610 attrs=["cn", "nTSecurityDescriptor"],
1611 expression="", scope=ldb.SCOPE_ONELEVEL)
1612
1613 for policy in res:
1614 acl = ndr_unpack(security.descriptor,
1615 str(policy["nTSecurityDescriptor"])).as_sddl()
1616 policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
1617 set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
1618 str(domainsid), use_ntvfs,
1619 passdb=passdb)
1620
1621
1622 def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
1623 domaindn, lp, use_ntvfs):
1624 """Set the ACL for the sysvol share and the subfolders
1625
1626 :param samdb: An LDB object on the SAM db
1627 :param netlogon: Physical path for the netlogon folder
1628 :param sysvol: Physical path for the sysvol folder
1629 :param uid: The UID of the "Administrator" user
1630 :param gid: The GID of the "Domain adminstrators" group
1631 :param domainsid: The SID of the domain
1632 :param dnsdomain: The DNS name of the domain
1633 :param domaindn: The DN of the domain (ie. DC=...)
1634 """
1635 s4_passdb = None
1636
1637 if not use_ntvfs:
1638 s3conf = s3param.get_context()
1639 s3conf.load(lp.configfile)
1640
1641 file = tempfile.NamedTemporaryFile(dir=os.path.abspath(sysvol))
1642 try:
1643 try:
1644 smbd.set_simple_acl(file.name, 0o755, gid)
1645 except OSError:
1646 if not smbd.have_posix_acls():
1647 # This clue is only strictly correct for RPM and
1648 # Debian-like Linux systems, but hopefully other users
1649 # will get enough clue from it.
1650 raise ProvisioningError("Samba was compiled without the posix ACL support that s3fs requires. "
1651 "Try installing libacl1-dev or libacl-devel, then re-run configure and make.")
1652
1653 raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. "
1654 "Try the mounting the filesystem with the 'acl' option.")
1655 try:
1656 smbd.chown(file.name, uid, gid)
1657 except OSError:
1658 raise ProvisioningError("Unable to chown a file on your filesystem. "
1659 "You may not be running provision as root.")
1660 finally:
1661 file.close()
1662
1663 # This will ensure that the smbd code we are running when setting ACLs
1664 # is initialised with the smb.conf
1665 s3conf = s3param.get_context()
1666 s3conf.load(lp.configfile)
1667 # ensure we are using the right samba_dsdb passdb backend, no matter what
1668 s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
1669 passdb.reload_static_pdb()
1670
1671 # ensure that we init the samba_dsdb backend, so the domain sid is
1672 # marked in secrets.tdb
1673 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
1674
1675 # now ensure everything matches correctly, to avoid wierd issues
1676 if passdb.get_global_sam_sid() != domainsid:
1677 raise ProvisioningError('SID as seen by smbd [%s] does not match SID as seen by the provision script [%s]!' % (passdb.get_global_sam_sid(), domainsid))
1678
1679 domain_info = s4_passdb.domain_info()
1680 if domain_info["dom_sid"] != domainsid:
1681 raise ProvisioningError('SID as seen by pdb_samba_dsdb [%s] does not match SID as seen by the provision script [%s]!' % (domain_info["dom_sid"], domainsid))
1682
1683 if domain_info["dns_domain"].upper() != dnsdomain.upper():
1684 raise ProvisioningError('Realm as seen by pdb_samba_dsdb [%s] does not match Realm as seen by the provision script [%s]!' % (domain_info["dns_domain"].upper(), dnsdomain.upper()))
1685
1686
1687 try:
1688 if use_ntvfs:
1689 os.chown(sysvol, -1, gid)
1690 except OSError:
1691 canchown = False
1692 else:
1693 canchown = True
1694
1695 # use admin sid dn as user dn, since admin should own most of the files,
1696 # the operation will be much faster
1697 userdn = '<SID={}-{}>'.format(domainsid, security.DOMAIN_RID_ADMINISTRATOR)
1698
1699 flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
1700 auth.AUTH_SESSION_INFO_AUTHENTICATED |
1701 auth.AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
1702
1703 session_info = auth.user_session(samdb, lp_ctx=lp, dn=userdn,
1704 session_info_flags=flags)
1705
1706 def _setntacl(path):
1707 """A helper to reuse args"""
1708 return setntacl(
1709 lp, path, SYSVOL_ACL, str(domainsid),
1710 use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb,
1711 service=SYSVOL_SERVICE, session_info=session_info)
1712
1713 # Set the SYSVOL_ACL on the sysvol folder and subfolder (first level)
1714 _setntacl(sysvol)
1715 for root, dirs, files in os.walk(sysvol, topdown=False):
1716 for name in files:
1717 if use_ntvfs and canchown:
1718 os.chown(os.path.join(root, name), -1, gid)
1719 _setntacl(os.path.join(root, name))
1720 for name in dirs:
1721 if use_ntvfs and canchown:
1722 os.chown(os.path.join(root, name), -1, gid)
1723 _setntacl(os.path.join(root, name))
1724
1725 # Set acls on Policy folder and policies folders
1726 set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
1727
1728 def acl_type(direct_db_access):
1729 if direct_db_access:
1730 return "DB"
1731 else:
1732 return "VFS"
1733
1734 def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
1735 fsacl = getntacl(lp, path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
1736 fsacl_sddl = fsacl.as_sddl(domainsid)
1737 if fsacl_sddl != acl:
1738 raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
1739
1740 for root, dirs, files in os.walk(path, topdown=False):
1741 for name in files:
1742 fsacl = getntacl(lp, os.path.join(root, name),
1743 direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
1744 if fsacl is None:
1745 raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
1746 fsacl_sddl = fsacl.as_sddl(domainsid)
1747 if fsacl_sddl != acl:
1748 raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
1749
1750 for name in dirs:
1751 fsacl = getntacl(lp, os.path.join(root, name),
1752 direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
1753 if fsacl is None:
1754 raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
1755 fsacl_sddl = fsacl.as_sddl(domainsid)
1756 if fsacl_sddl != acl:
1757 raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
1758
1759
1760 def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
1761 direct_db_access):
1762 """Set ACL on the sysvol/<dnsname>/Policies folder and the policy
1763 folders beneath.
1764
1765 :param sysvol: Physical path for the sysvol folder
1766 :param dnsdomain: The DNS name of the domain
1767 :param domainsid: The SID of the domain
1768 :param domaindn: The DN of the domain (ie. DC=...)
1769 :param samdb: An LDB object on the SAM db
1770 :param lp: an LP object
1771 """
1772
1773 # Set ACL for GPO root folder
1774 root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")
1775 fsacl = getntacl(lp, root_policy_path,
1776 direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
1777 if fsacl is None:
1778 raise ProvisioningError('DB ACL on policy root %s %s not found!' % (acl_type(direct_db_access), root_policy_path))
1779 fsacl_sddl = fsacl.as_sddl(domainsid)
1780 if fsacl_sddl != POLICIES_ACL:
1781 raise ProvisioningError('%s ACL on policy root %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), root_policy_path, fsacl_sddl, fsacl))
1782 res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),
1783 attrs=["cn", "nTSecurityDescriptor"],
1784 expression="", scope=ldb.SCOPE_ONELEVEL)
1785
1786 for policy in res:
1787 acl = ndr_unpack(security.descriptor,
1788 str(policy["nTSecurityDescriptor"])).as_sddl()
1789 policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
1790 check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
1791 domainsid, direct_db_access)
1792
1793
1794 def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,
1795 lp):
1796 """Set the ACL for the sysvol share and the subfolders
1797
1798 :param samdb: An LDB object on the SAM db
1799 :param netlogon: Physical path for the netlogon folder
1800 :param sysvol: Physical path for the sysvol folder
1801 :param uid: The UID of the "Administrator" user
1802 :param gid: The GID of the "Domain adminstrators" group
1803 :param domainsid: The SID of the domain
1804 :param dnsdomain: The DNS name of the domain
1805 :param domaindn: The DN of the domain (ie. DC=...)
1806 """
1807
1808 # This will ensure that the smbd code we are running when setting ACLs is initialised with the smb.conf
1809 s3conf = s3param.get_context()
1810 s3conf.load(lp.configfile)
1811 # ensure we are using the right samba_dsdb passdb backend, no matter what
1812 s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
1813 # ensure that we init the samba_dsdb backend, so the domain sid is marked in secrets.tdb
1814 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
1815
1816 # now ensure everything matches correctly, to avoid wierd issues
1817 if passdb.get_global_sam_sid() != domainsid:
1818 raise ProvisioningError('SID as seen by smbd [%s] does not match SID as seen by the provision script [%s]!' % (passdb.get_global_sam_sid(), domainsid))
1819
1820 domain_info = s4_passdb.domain_info()
1821 if domain_info["dom_sid"] != domainsid:
1822 raise ProvisioningError('SID as seen by pdb_samba_dsdb [%s] does not match SID as seen by the provision script [%s]!' % (domain_info["dom_sid"], domainsid))
1823
1824 if domain_info["dns_domain"].upper() != dnsdomain.upper():
1825 raise ProvisioningError('Realm as seen by pdb_samba_dsdb [%s] does not match Realm as seen by the provision script [%s]!' % (domain_info["dns_domain"].upper(), dnsdomain.upper()))
1826
1827 # Ensure we can read this directly, and via the smbd VFS
1828 for direct_db_access in [True, False]:
1829 # Check the SYSVOL_ACL on the sysvol folder and subfolder (first level)
1830 for dir_path in [os.path.join(sysvol, dnsdomain), netlogon]:
1831 fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
1832 if fsacl is None:
1833 raise ProvisioningError('%s ACL on sysvol directory %s not found!' % (acl_type(direct_db_access), dir_path))
1834 fsacl_sddl = fsacl.as_sddl(domainsid)
1835 if fsacl_sddl != SYSVOL_ACL:
1836 raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
1837
1838 # Check acls on Policy folder and policies folders
1839 check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
1840 direct_db_access)
1841
1842
1843 def interface_ips_v4(lp):
1844 """return only IPv4 IPs"""
1845 ips = samba.interface_ips(lp, False)
1846 ret = []
1847 for i in ips:
1848 if i.find(':') == -1:
1849 ret.append(i)
1850 return ret
1851
1852
1853 def interface_ips_v6(lp):
1854 """return only IPv6 IPs"""
1855 ips = samba.interface_ips(lp, False)
1856 ret = []
1857 for i in ips:
1858 if i.find(':') != -1:
1859 ret.append(i)
1860 return ret
1861
1862
1863 def provision_fill(samdb, secrets_ldb, logger, names, paths,
1864 schema=None,
1865 targetdir=None, samdb_fill=FILL_FULL,
1866 hostip=None, hostip6=None,
1867 next_rid=1000, dc_rid=None, adminpass=None, krbtgtpass=None,
1868 domainguid=None, policyguid=None, policyguid_dc=None,
1869 invocationid=None, machinepass=None, ntdsguid=None,
1870 dns_backend=None, dnspass=None,
1871 serverrole=None, dom_for_fun_level=None,
1872 am_rodc=False, lp=None, use_ntvfs=False,
1873 skip_sysvolacl=False, backend_store=None):
1874 # create/adapt the group policy GUIDs
1875 # Default GUID for default policy are described at
1876 # "How Core Group Policy Works"
1877 # http://technet.microsoft.com/en-us/library/cc784268%28WS.10%29.aspx
1878 if policyguid is None:
1879 policyguid = DEFAULT_POLICY_GUID
1880 policyguid = policyguid.upper()
1881 if policyguid_dc is None:
1882 policyguid_dc = DEFAULT_DC_POLICY_GUID
1883 policyguid_dc = policyguid_dc.upper()
1884
1885 if invocationid is None:
1886 invocationid = str(uuid.uuid4())
1887
1888 if krbtgtpass is None:
1889 krbtgtpass = samba.generate_random_machine_password(128, 255)
1890 if machinepass is None:
1891 machinepass = samba.generate_random_machine_password(128, 255)
1892 if dnspass is None:
1893 dnspass = samba.generate_random_password(128, 255)
1894
1895 samdb.transaction_start()
1896 try:
1897 samdb = fill_samdb(samdb, lp, names, logger=logger,
1898 schema=schema,
1899 policyguid=policyguid, policyguid_dc=policyguid_dc,
1900 fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass,
1901 invocationid=invocationid, machinepass=machinepass,
1902 dns_backend=dns_backend, dnspass=dnspass,
1903 ntdsguid=ntdsguid, serverrole=serverrole,
1904 dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
1905 next_rid=next_rid, dc_rid=dc_rid,
1906 backend_store=backend_store)
1907
1908 # Set up group policies (domain policy and domain controller
1909 # policy)
1910 if serverrole == "active directory domain controller":
1911 create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
1912 policyguid_dc)
1913 except:
1914 samdb.transaction_cancel()
1915 raise
1916 else:
1917 samdb.transaction_commit()
1918
1919 if serverrole == "active directory domain controller":
1920 # Continue setting up sysvol for GPO. This appears to require being
1921 # outside a transaction.
1922 if not skip_sysvolacl:
1923 setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
1924 paths.root_gid, names.domainsid, names.dnsdomain,
1925 names.domaindn, lp, use_ntvfs)
1926 else:
1927 logger.info("Setting acl on sysvol skipped")
1928
1929 secretsdb_self_join(secrets_ldb, domain=names.domain,
1930 realm=names.realm, dnsdomain=names.dnsdomain,
1931 netbiosname=names.netbiosname, domainsid=names.domainsid,
1932 machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC)
1933
1934 # Now set up the right msDS-SupportedEncryptionTypes into the DB
1935 # In future, this might be determined from some configuration
1936 kerberos_enctypes = str(ENC_ALL_TYPES)
1937
1938 try:
1939 msg = ldb.Message(ldb.Dn(samdb,
1940 samdb.searchone("distinguishedName",
1941 expression="samAccountName=%s$" % names.netbiosname,
1942 scope=ldb.SCOPE_SUBTREE).decode('utf8')))
1943 msg["msDS-SupportedEncryptionTypes"] = ldb.MessageElement(
1944 elements=kerberos_enctypes, flags=ldb.FLAG_MOD_REPLACE,
1945 name="msDS-SupportedEncryptionTypes")
1946 samdb.modify(msg)
1947 except ldb.LdbError as e:
1948 (enum, estr) = e.args
1949 if enum != ldb.ERR_NO_SUCH_ATTRIBUTE:
1950 # It might be that this attribute does not exist in this schema
1951 raise
1952
1953 setup_ad_dns(samdb, secrets_ldb, names, paths, lp, logger,
1954 hostip=hostip, hostip6=hostip6, dns_backend=dns_backend,
1955 dnspass=dnspass, os_level=dom_for_fun_level,
1956 targetdir=targetdir, fill_level=samdb_fill,
1957 backend_store=backend_store)
1958
1959 domainguid = samdb.searchone(basedn=samdb.get_default_basedn(),
1960 attribute="objectGUID")
1961 assert isinstance(domainguid, str)
1962
1963 lastProvisionUSNs = get_last_provision_usn(samdb)
1964 maxUSN = get_max_usn(samdb, str(names.rootdn))
1965 if lastProvisionUSNs is not None:
1966 update_provision_usn(samdb, 0, maxUSN, invocationid, 1)
1967 else:
1968 set_provision_usn(samdb, 0, maxUSN, invocationid)
1969
1970 logger.info("Setting up sam.ldb rootDSE marking as synchronized")
1971 setup_modify_ldif(samdb, setup_path("provision_rootdse_modify.ldif"),
1972 { 'NTDSGUID' : names.ntdsguid })
1973
1974 # fix any dangling GUIDs from the provision
1975 logger.info("Fixing provision GUIDs")
1976 chk = dbcheck(samdb, samdb_schema=samdb, verbose=False, fix=True, yes=True,
1977 quiet=True)
1978 samdb.transaction_start()
1979 try:
1980 # a small number of GUIDs are missing because of ordering issues in the
1981 # provision code
1982 for schema_obj in ['CN=Domain', 'CN=Organizational-Person', 'CN=Contact', 'CN=inetOrgPerson']:
1983 chk.check_database(DN="%s,%s" % (schema_obj, names.schemadn),
1984 scope=ldb.SCOPE_BASE,
1985 attrs=['defaultObjectCategory'])
1986 chk.check_database(DN="CN=IP Security,CN=System,%s" % names.domaindn,
1987 scope=ldb.SCOPE_ONELEVEL,
1988 attrs=['ipsecOwnersReference',
1989 'ipsecFilterReference',
1990 'ipsecISAKMPReference',
1991 'ipsecNegotiationPolicyReference',
1992 'ipsecNFAReference'])
1993 if chk.check_database(DN=names.schemadn, scope=ldb.SCOPE_SUBTREE,
1994 attrs=['attributeId', 'governsId']) != 0:
1995 raise ProvisioningError("Duplicate attributeId or governsId in schema. Must be fixed manually!!")
1996 except:
1997 samdb.transaction_cancel()
1998 raise
1999 else:
2000 samdb.transaction_commit()
2001
2002
2003 _ROLES_MAP = {
2004 "ROLE_STANDALONE": "standalone server",
2005 "ROLE_DOMAIN_MEMBER": "member server",
2006 "ROLE_DOMAIN_BDC": "active directory domain controller",
2007 "ROLE_DOMAIN_PDC": "active directory domain controller",
2008 "dc": "active directory domain controller",
2009 "member": "member server",
2010 "domain controller": "active directory domain controller",
2011 "active directory domain controller": "active directory domain controller",
2012 "member server": "member server",
2013 "standalone": "standalone server",
2014 "standalone server": "standalone server",
2015 }
2016
2017
2018 def sanitize_server_role(role):
2019 """Sanitize a server role name.
2020
2021 :param role: Server role
2022 :raise ValueError: If the role can not be interpreted
2023 :return: Sanitized server role (one of "member server",
2024 "active directory domain controller", "standalone server")
2025 """
2026 try:
2027 return _ROLES_MAP[role]
2028 except KeyError:
2029 raise ValueError(role)
2030
2031
2032 def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
2033 maxuid, maxgid):
2034 """Create AD entries for the fake ypserver.
2035
2036 This is needed for being able to manipulate posix attrs via ADUC.
2037 """
2038 samdb.transaction_start()
2039 try:
2040 logger.info("Setting up fake yp server settings")
2041 setup_add_ldif(samdb, setup_path("ypServ30.ldif"), {
2042 "DOMAINDN": domaindn,
2043 "NETBIOSNAME": netbiosname,
2044 "NISDOMAIN": nisdomain,
2045 })
2046 except:
2047 samdb.transaction_cancel()
2048 raise
2049 else:
2050 samdb.transaction_commit()
2051
2052 def directory_create_or_exists(path, mode=0o755):
2053 if not os.path.exists(path):
2054 try:
2055 os.mkdir(path, mode)
2056 except OSError as e:
2057 if e.errno in [errno.EEXIST]:
2058 pass
2059 else:
2060 raise ProvisioningError("Failed to create directory %s: %s" % (path, e.strerror))
2061
2062 def determine_host_ip(logger, lp, hostip=None):
2063 if hostip is None:
2064 logger.info("Looking up IPv4 addresses")
2065 hostips = interface_ips_v4(lp)
2066 if len(hostips) > 0:
2067 hostip = hostips[0]
2068 if len(hostips) > 1:
2069 logger.warning("More than one IPv4 address found. Using %s",
2070 hostip)
2071 if hostip == "127.0.0.1":
2072 hostip = None
2073 if hostip is None:
2074 logger.warning("No IPv4 address will be assigned")
2075
2076 return hostip
2077
2078 def determine_host_ip6(logger, lp, hostip6=None):
2079 if hostip6 is None:
2080 logger.info("Looking up IPv6 addresses")
2081 hostips = interface_ips_v6(lp)
2082 if hostips:
2083 hostip6 = hostips[0]
2084 if len(hostips) > 1:
2085 logger.warning("More than one IPv6 address found. Using %s", hostip6)
2086 if hostip6 is None:
2087 logger.warning("No IPv6 address will be assigned")
2088
2089 return hostip6
2090
2091 def provision(logger, session_info, smbconf=None,
2092 targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
2093 domaindn=None, schemadn=None, configdn=None, serverdn=None,
2094 domain=None, hostname=None, hostip=None, hostip6=None, domainsid=None,
2095 next_rid=1000, dc_rid=None, adminpass=None, ldapadminpass=None,
2096 krbtgtpass=None, domainguid=None, policyguid=None, policyguid_dc=None,
2097 dns_backend=None, dns_forwarder=None, dnspass=None,
2098 invocationid=None, machinepass=None, ntdsguid=None,
2099 root=None, nobody=None, users=None, backup=None, aci=None,
2100 serverrole=None, dom_for_fun_level=None, backend_type=None,
2101 sitename=None, ol_mmr_urls=None, ol_olc=None, slapd_path=None,
2102 useeadb=False, am_rodc=False, lp=None, use_ntvfs=False,
2103 use_rfc2307=False, maxuid=None, maxgid=None, skip_sysvolacl=True,
2104 ldap_backend_forced_uri=None, nosync=False, ldap_dryrun_mode=False,
2105 ldap_backend_extra_port=None, base_schema=None,
2106 plaintext_secrets=False, backend_store=None):
2107 """Provision samba4
2108
2109 :note: caution, this wipes all existing data!
2110 """
2111
2112 try:
2113 serverrole = sanitize_server_role(serverrole)
2114 except ValueError:
2115 raise ProvisioningError('server role (%s) should be one of "active directory domain controller", "member server", "standalone server"' % serverrole)
2116
2117 if ldapadminpass is None:
2118 # Make a new, random password between Samba and it's LDAP server
2119 ldapadminpass = samba.generate_random_password(128, 255)
2120
2121 if backend_type is None:
2122 backend_type = "ldb"
2123 if backend_store is None:
2124 backend_store = get_default_backend_store()
2125
2126 if domainsid is None:
2127 domainsid = security.random_sid()
2128
2129 root_uid = findnss_uid([root or "root"])
2130 nobody_uid = findnss_uid([nobody or "nobody"])
2131 users_gid = findnss_gid([users or "users", 'users', 'other', 'staff'])
2132 root_gid = pwd.getpwuid(root_uid).pw_gid
2133
2134 try:
2135 bind_gid = findnss_gid(["bind", "named"])
2136 except KeyError:
2137 bind_gid = None
2138
2139 if targetdir is not None:
2140 smbconf = os.path.join(targetdir, "etc", "smb.conf")
2141 elif smbconf is None:
2142 smbconf = samba.param.default_path()
2143 if not os.path.exists(os.path.dirname(smbconf)):
2144 os.makedirs(os.path.dirname(smbconf))
2145
2146 server_services = []
2147 global_param = {}
2148 if use_rfc2307:
2149 global_param["idmap_ldb:use rfc2307"] = ["yes"]
2150
2151 if dns_backend != "SAMBA_INTERNAL":
2152 server_services.append("-dns")
2153 else:
2154 if dns_forwarder is not None:
2155 global_param["dns forwarder"] = [dns_forwarder]
2156
2157 if use_ntvfs:
2158 server_services.append("+smb")
2159 server_services.append("-s3fs")
2160 global_param["dcerpc endpoint servers"] = ["+winreg", "+srvsvc"]
2161
2162 if len(server_services) > 0:
2163 global_param["server services"] = server_services
2164
2165 # only install a new smb.conf if there isn't one there already
2166 if os.path.exists(smbconf):
2167 # if Samba Team members can't figure out the weird errors
2168 # loading an empty smb.conf gives, then we need to be smarter.
2169 # Pretend it just didn't exist --abartlet
2170 f = open(smbconf, 'r')
2171 try:
2172 data = f.read().lstrip()
2173 finally:
2174 f.close()
2175 if data is None or data == "":
2176 make_smbconf(smbconf, hostname, domain, realm,
2177 targetdir, serverrole=serverrole,
2178 eadb=useeadb, use_ntvfs=use_ntvfs,
2179 lp=lp, global_param=global_param)
2180 else:
2181 make_smbconf(smbconf, hostname, domain, realm, targetdir,
2182 serverrole=serverrole,
2183 eadb=useeadb, use_ntvfs=use_ntvfs, lp=lp, global_param=global_param)
2184
2185 if lp is None:
2186 lp = samba.param.LoadParm()
2187 lp.load(smbconf)
2188 names = guess_names(lp=lp, hostname=hostname, domain=domain,
2189 dnsdomain=realm, serverrole=serverrole, domaindn=domaindn,
2190 configdn=configdn, schemadn=schemadn, serverdn=serverdn,
2191 sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
2192 paths = provision_paths_from_lp(lp, names.dnsdomain)
2193
2194 paths.bind_gid = bind_gid
2195 paths.root_uid = root_uid;
2196 paths.root_gid = root_gid
2197
2198 hostip = determine_host_ip(logger, lp, hostip)
2199 hostip6 = determine_host_ip6(logger, lp, hostip6)
2200 names.hostip = hostip
2201 names.hostip6 = hostip6
2202 names.domainguid = domainguid
2203 names.domainsid = domainsid
2204 names.forestsid = domainsid
2205
2206 if serverrole is None:
2207 serverrole = lp.get("server role")
2208
2209 directory_create_or_exists(paths.private_dir, 0o700)
2210 directory_create_or_exists(paths.binddns_dir, 0o770)
2211 directory_create_or_exists(os.path.join(paths.private_dir, "tls"))
2212 directory_create_or_exists(paths.state_dir)
2213 if not plaintext_secrets:
2214 setup_encrypted_secrets_key(paths.encrypted_secrets_key_path)
2215
2216 if paths.sysvol and not os.path.exists(paths.sysvol):
2217 os.makedirs(paths.sysvol, 0o775)
2218
2219 ldapi_url = "ldapi://%s" % urllib_quote(paths.s4_ldapi_path, safe="")
2220
2221 schema = Schema(domainsid, invocationid=invocationid,
2222 schemadn=names.schemadn, base_schema=base_schema)
2223
2224 if backend_type == "ldb":
2225 provision_backend = LDBBackend(backend_type, paths=paths,
2226 lp=lp,
2227 names=names, logger=logger)
2228 elif backend_type == "existing":
2229 # If support for this is ever added back, then the URI will need to be
2230 # specified again
2231 provision_backend = ExistingBackend(backend_type, paths=paths,
2232 lp=lp,
2233 names=names, logger=logger,
2234 ldap_backend_forced_uri=ldap_backend_forced_uri)
2235 elif backend_type == "fedora-ds":
2236 provision_backend = FDSBackend(backend_type, paths=paths,
2237 lp=lp,
2238 names=names, logger=logger, domainsid=domainsid,
2239 schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
2240 slapd_path=slapd_path,
2241 root=root)
2242 elif backend_type == "openldap":
2243 provision_backend = OpenLDAPBackend(backend_type, paths=paths,
2244 lp=lp,
2245 names=names, logger=logger, domainsid=domainsid,
2246 schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
2247 slapd_path=slapd_path, ol_mmr_urls=ol_mmr_urls,
2248 ldap_backend_extra_port=ldap_backend_extra_port,
2249 ldap_dryrun_mode=ldap_dryrun_mode, nosync=nosync,
2250 ldap_backend_forced_uri=ldap_backend_forced_uri)
2251 else:
2252 raise ValueError("Unknown LDAP backend type selected")
2253
2254 provision_backend.init()
2255 provision_backend.start()
2256
2257 # only install a new shares config db if there is none
2258 if not os.path.exists(paths.shareconf):
2259 logger.info("Setting up share.ldb")
2260 share_ldb = Ldb(paths.shareconf, session_info=session_info, lp=lp)
2261 share_ldb.load_ldif_file_add(setup_path("share.ldif"))
2262
2263 logger.info("Setting up secrets.ldb")
2264 secrets_ldb = setup_secretsdb(paths,
2265 session_info=session_info,
2266 backend_credentials=provision_backend.credentials, lp=lp)
2267
2268 try:
2269 logger.info("Setting up the registry")
2270 setup_registry(paths.hklm, session_info, lp=lp)
2271
2272 logger.info("Setting up the privileges database")
2273 setup_privileges(paths.privilege, session_info, lp=lp)
2274
2275 logger.info("Setting up idmap db")
2276 idmap = setup_idmapdb(paths.idmapdb, session_info=session_info, lp=lp)
2277
2278 setup_name_mappings(idmap, sid=str(domainsid),
2279 root_uid=root_uid, nobody_uid=nobody_uid,
2280 users_gid=users_gid, root_gid=root_gid)
2281
2282 logger.info("Setting up SAM db")
2283 samdb = setup_samdb(paths.samdb, session_info,
2284 provision_backend, lp, names, logger=logger,
2285 serverrole=serverrole,
2286 schema=schema, fill=samdb_fill, am_rodc=am_rodc,
2287 plaintext_secrets=plaintext_secrets,
2288 backend_store=backend_store)
2289
2290 if serverrole == "active directory domain controller":
2291 if paths.netlogon is None:
2292 raise MissingShareError("netlogon", paths.smbconf)
2293
2294 if paths.sysvol is None:
2295 raise MissingShareError("sysvol", paths.smbconf)
2296
2297 if not os.path.isdir(paths.netlogon):
2298 os.makedirs(paths.netlogon, 0o755)
2299
2300 if adminpass is None:
2301 adminpass = samba.generate_random_password(12, 32)
2302 adminpass_generated = True
2303 else:
2304 adminpass = unicode(adminpass, 'utf-8')
2305 adminpass_generated = False
2306
2307 if samdb_fill == FILL_FULL:
2308 provision_fill(samdb, secrets_ldb, logger, names, paths,
2309 schema=schema, targetdir=targetdir, samdb_fill=samdb_fill,
2310 hostip=hostip, hostip6=hostip6,
2311 next_rid=next_rid, dc_rid=dc_rid, adminpass=adminpass,
2312 krbtgtpass=krbtgtpass,
2313 policyguid=policyguid, policyguid_dc=policyguid_dc,
2314 invocationid=invocationid, machinepass=machinepass,
2315 ntdsguid=ntdsguid, dns_backend=dns_backend,
2316 dnspass=dnspass, serverrole=serverrole,
2317 dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
2318 lp=lp, use_ntvfs=use_ntvfs,
2319 skip_sysvolacl=skip_sysvolacl,
2320 backend_store=backend_store)
2321
2322 if not is_heimdal_built():
2323 create_kdc_conf(paths.kdcconf, realm, domain, os.path.dirname(lp.get("log file")))
2324 logger.info("The Kerberos KDC configuration for Samba AD is "
2325 "located at %s", paths.kdcconf)
2326
2327 create_krb5_conf(paths.krb5conf,
2328 dnsdomain=names.dnsdomain, hostname=names.hostname,
2329 realm=names.realm)
2330 logger.info("A Kerberos configuration suitable for Samba AD has been "
2331 "generated at %s", paths.krb5conf)
2332 logger.info("Merge the contents of this file with your system "
2333 "krb5.conf or replace it with this one. Do not create a "
2334 "symlink!")
2335
2336 if serverrole == "active directory domain controller":
2337 create_dns_update_list(lp, logger, paths)
2338
2339 backend_result = provision_backend.post_setup()
2340 provision_backend.shutdown()
2341
2342 except:
2343 secrets_ldb.transaction_cancel()
2344 raise
2345
2346 # Now commit the secrets.ldb to disk
2347 secrets_ldb.transaction_commit()
2348
2349 # the commit creates the dns.keytab in the private directory
2350 private_dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
2351 bind_dns_keytab_path = os.path.join(paths.binddns_dir, paths.dns_keytab)
2352
2353 if os.path.isfile(private_dns_keytab_path):
2354 if os.path.isfile(bind_dns_keytab_path):
2355 try:
2356 os.unlink(bind_dns_keytab_path)
2357 except OSError as e:
2358 logger.error("Failed to remove %s: %s" %
2359 (bind_dns_keytab_path, e.strerror))
2360
2361 # link the dns.keytab to the bind-dns directory
2362 try:
2363 os.link(private_dns_keytab_path, bind_dns_keytab_path)
2364 except OSError as e:
2365 logger.error("Failed to create link %s -> %s: %s" %
2366 (private_dns_keytab_path, bind_dns_keytab_path, e.strerror))
2367
2368 # chown the dns.keytab in the bind-dns directory
2369 if paths.bind_gid is not None:
2370 try:
2371 os.chmod(paths.binddns_dir, 0o770)
2372 os.chown(paths.binddns_dir, -1, paths.bind_gid)
2373 except OSError:
2374 if not os.environ.has_key('SAMBA_SELFTEST'):
2375 logger.info("Failed to chown %s to bind gid %u",
2376 paths.binddns_dir, paths.bind_gid)
2377
2378 try:
2379 os.chmod(bind_dns_keytab_path, 0o640)
2380 os.chown(bind_dns_keytab_path, -1, paths.bind_gid)
2381 except OSError:
2382 if not os.environ.has_key('SAMBA_SELFTEST'):
2383 logger.info("Failed to chown %s to bind gid %u",
2384 bind_dns_keytab_path, paths.bind_gid)
2385
2386 result = ProvisionResult()
2387 result.server_role = serverrole
2388 result.domaindn = domaindn
2389 result.paths = paths
2390 result.names = names
2391 result.lp = lp
2392 result.samdb = samdb
2393 result.idmap = idmap
2394 result.domainsid = str(domainsid)
2395
2396 if samdb_fill == FILL_FULL:
2397 result.adminpass_generated = adminpass_generated
2398 result.adminpass = adminpass
2399 else:
2400 result.adminpass_generated = False
2401 result.adminpass = None
2402
2403 result.backend_result = backend_result
2404
2405 if use_rfc2307:
2406 provision_fake_ypserver(logger=logger, samdb=samdb,
2407 domaindn=names.domaindn, netbiosname=names.netbiosname,
2408 nisdomain=names.domain.lower(), maxuid=maxuid, maxgid=maxgid)
2409
2410 return result
2411
2412
2413 def provision_become_dc(smbconf=None, targetdir=None,
2414 realm=None, rootdn=None, domaindn=None, schemadn=None, configdn=None,
2415 serverdn=None, domain=None, hostname=None, domainsid=None,
2416 adminpass=None, krbtgtpass=None, domainguid=None, policyguid=None,
2417 policyguid_dc=None, invocationid=None, machinepass=None, dnspass=None,
2418 dns_backend=None, root=None, nobody=None, users=None,
2419 backup=None, serverrole=None, ldap_backend=None,
2420 ldap_backend_type=None, sitename=None, debuglevel=1, use_ntvfs=False):
2421
2422 logger = logging.getLogger("provision")
2423 samba.set_debug_level(debuglevel)
2424
2425 res = provision(logger, system_session(),
2426 smbconf=smbconf, targetdir=targetdir, samdb_fill=FILL_DRS,
2427 realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
2428 configdn=configdn, serverdn=serverdn, domain=domain,
2429 hostname=hostname, hostip=None, domainsid=domainsid,
2430 machinepass=machinepass,
2431 serverrole="active directory domain controller",
2432 sitename=sitename, dns_backend=dns_backend, dnspass=dnspass,
2433 use_ntvfs=use_ntvfs)
2434 res.lp.set("debuglevel", str(debuglevel))
2435 return res
2436
2437
2438 def create_krb5_conf(path, dnsdomain, hostname, realm):
2439 """Write out a file containing a valid krb5.conf file
2440
2441 :param path: Path of the new krb5.conf file.
2442 :param dnsdomain: DNS Domain name
2443 :param hostname: Local hostname
2444 :param realm: Realm name
2445 """
2446 setup_file(setup_path("krb5.conf"), path, {
2447 "DNSDOMAIN": dnsdomain,
2448 "HOSTNAME": hostname,
2449 "REALM": realm,
2450 })
2451
2452
2453 class ProvisioningError(Exception):
2454 """A generic provision error."""
2455
2456 def __init__(self, value):
2457 self.value = value
2458
2459 def __str__(self):
2460 return "ProvisioningError: " + self.value
2461
2462
2463 class InvalidNetbiosName(Exception):
2464 """A specified name was not a valid NetBIOS name."""
2465
2466 def __init__(self, name):
2467 super(InvalidNetbiosName, self).__init__(
2468 "The name '%r' is not a valid NetBIOS name" % name)
2469
2470
2471 class MissingShareError(ProvisioningError):
2472
2473 def __init__(self, name, smbconf):
2474 super(MissingShareError, self).__init__(
2475 "Existing smb.conf does not have a [%s] share, but you are "
2476 "configuring a DC. Please remove %s or add the share manually." %
2477 (name, smbconf))
Samba GIT mirror