search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:provision: add get_empty_descriptor()
[Samba/gebeck_regimport.git] / source4 / scripting / python / samba / provision / __init__.py
blobc3713c90570787b194cebff6054288348fe290f7
1 # Unix SMB/CIFS implementation.
2 # backend code for provisioning a Samba4 server
3
4 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2012
5 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008-2009
6 # Copyright (C) Oliver Liebel <oliver@itc.li> 2008-2009
7 #
8 # Based on the original in EJS:
9 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
15 #
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #
24
25 """Functions for setting up a Samba configuration."""
26
27 __docformat__ = "restructuredText"
28
29 from base64 import b64encode
30 import os
31 import re
32 import pwd
33 import grp
34 import logging
35 import time
36 import uuid
37 import socket
38 import urllib
39 import string
40 import tempfile
41
42 import ldb
43
44 from samba.auth import system_session, admin_session
45 import samba
46 from samba.samba3 import smbd, passdb
47 from samba.samba3 import param as s3param
48 from samba.dsdb import DS_DOMAIN_FUNCTION_2000
49 from samba import (
50 Ldb,
51 MAX_NETBIOS_NAME_LEN,
52 check_all_substituted,
53 is_valid_netbios_char,
54 setup_file,
55 substitute_var,
56 valid_netbios_name,
57 version,
58 )
59 from samba.dcerpc import security, misc
60 from samba.dcerpc.misc import (
61 SEC_CHAN_BDC,
62 SEC_CHAN_WKSTA,
63 )
64 from samba.dsdb import (
65 DS_DOMAIN_FUNCTION_2003,
66 DS_DOMAIN_FUNCTION_2008_R2,
67 ENC_ALL_TYPES,
68 )
69 from samba.idmap import IDmapDB
70 from samba.ms_display_specifiers import read_ms_ldif
71 from samba.ntacls import setntacl, getntacl, dsacl2fsacl
72 from samba.ndr import ndr_pack, ndr_unpack
73 from samba.provision.backend import (
74 ExistingBackend,
75 FDSBackend,
76 LDBBackend,
77 OpenLDAPBackend,
78 )
79 from samba.provision.descriptor import (
80 get_empty_descriptor,
81 get_config_descriptor,
82 get_domain_descriptor
83 )
84 from samba.provision.common import (
85 setup_path,
86 setup_add_ldif,
87 setup_modify_ldif,
88 )
89 from samba.provision.sambadns import (
90 setup_ad_dns,
91 create_dns_update_list
92 )
93
94 import samba.param
95 import samba.registry
96 from samba.schema import Schema
97 from samba.samdb import SamDB
98 from samba.dbchecker import dbcheck
99
100
101 DEFAULT_POLICY_GUID = "31B2F340-016D-11D2-945F-00C04FB984F9"
102 DEFAULT_DC_POLICY_GUID = "6AC1786C-016F-11D2-945F-00C04fB984F9"
103 DEFAULTSITE = "Default-First-Site-Name"
104 LAST_PROVISION_USN_ATTRIBUTE = "lastProvisionUSN"
105
106
107 class ProvisionPaths(object):
108
109 def __init__(self):
110 self.shareconf = None
111 self.hklm = None
112 self.hkcu = None
113 self.hkcr = None
114 self.hku = None
115 self.hkpd = None
116 self.hkpt = None
117 self.samdb = None
118 self.idmapdb = None
119 self.secrets = None
120 self.keytab = None
121 self.dns_keytab = None
122 self.dns = None
123 self.winsdb = None
124 self.private_dir = None
125 self.state_dir = None
126
127
128 class ProvisionNames(object):
129
130 def __init__(self):
131 self.rootdn = None
132 self.domaindn = None
133 self.configdn = None
134 self.schemadn = None
135 self.ldapmanagerdn = None
136 self.dnsdomain = None
137 self.realm = None
138 self.netbiosname = None
139 self.domain = None
140 self.hostname = None
141 self.sitename = None
142 self.smbconf = None
143
144
145 def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
146 lp):
147 """Get key provision parameters (realm, domain, ...) from a given provision
148
149 :param samdb: An LDB object connected to the sam.ldb file
150 :param secretsdb: An LDB object connected to the secrets.ldb file
151 :param idmapdb: An LDB object connected to the idmap.ldb file
152 :param paths: A list of path to provision object
153 :param smbconf: Path to the smb.conf file
154 :param lp: A LoadParm object
155 :return: A list of key provision parameters
156 """
157 names = ProvisionNames()
158 names.adminpass = None
159
160 # NT domain, kerberos realm, root dn, domain dn, domain dns name
161 names.domain = string.upper(lp.get("workgroup"))
162 names.realm = lp.get("realm")
163 names.dnsdomain = names.realm.lower()
164 basedn = samba.dn_from_dns_name(names.dnsdomain)
165 names.realm = string.upper(names.realm)
166 # netbiosname
167 # Get the netbiosname first (could be obtained from smb.conf in theory)
168 res = secretsdb.search(expression="(flatname=%s)" %
169 names.domain,base="CN=Primary Domains",
170 scope=ldb.SCOPE_SUBTREE, attrs=["sAMAccountName"])
171 names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
172
173 names.smbconf = smbconf
174
175 # That's a bit simplistic but it's ok as long as we have only 3
176 # partitions
177 current = samdb.search(expression="(objectClass=*)",
178 base="", scope=ldb.SCOPE_BASE,
179 attrs=["defaultNamingContext", "schemaNamingContext",
180 "configurationNamingContext","rootDomainNamingContext"])
181
182 names.configdn = current[0]["configurationNamingContext"]
183 configdn = str(names.configdn)
184 names.schemadn = current[0]["schemaNamingContext"]
185 if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb,
186 current[0]["defaultNamingContext"][0]))):
187 raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
188 "is not the same ..." % (paths.samdb,
189 str(current[0]["defaultNamingContext"][0]),
190 paths.smbconf, basedn)))
191
192 names.domaindn=current[0]["defaultNamingContext"]
193 names.rootdn=current[0]["rootDomainNamingContext"]
194 # default site name
195 res3 = samdb.search(expression="(objectClass=site)",
196 base="CN=Sites," + configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"])
197 names.sitename = str(res3[0]["cn"])
198
199 # dns hostname and server dn
200 res4 = samdb.search(expression="(CN=%s)" % names.netbiosname,
201 base="OU=Domain Controllers,%s" % basedn,
202 scope=ldb.SCOPE_ONELEVEL, attrs=["dNSHostName"])
203 names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")
204
205 server_res = samdb.search(expression="serverReference=%s" % res4[0].dn,
206 attrs=[], base=configdn)
207 names.serverdn = server_res[0].dn
208
209 # invocation id/objectguid
210 res5 = samdb.search(expression="(objectClass=*)",
211 base="CN=NTDS Settings,%s" % str(names.serverdn),
212 scope=ldb.SCOPE_BASE,
213 attrs=["invocationID", "objectGUID"])
214 names.invocation = str(ndr_unpack(misc.GUID, res5[0]["invocationId"][0]))
215 names.ntdsguid = str(ndr_unpack(misc.GUID, res5[0]["objectGUID"][0]))
216
217 # domain guid/sid
218 res6 = samdb.search(expression="(objectClass=*)", base=basedn,
219 scope=ldb.SCOPE_BASE, attrs=["objectGUID",
220 "objectSid","msDS-Behavior-Version" ])
221 names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
222 names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
223 if res6[0].get("msDS-Behavior-Version") is None or \
224 int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
225 names.domainlevel = DS_DOMAIN_FUNCTION_2000
226 else:
227 names.domainlevel = int(res6[0]["msDS-Behavior-Version"][0])
228
229 # policy guid
230 res7 = samdb.search(expression="(displayName=Default Domain Policy)",
231 base="CN=Policies,CN=System," + basedn,
232 scope=ldb.SCOPE_ONELEVEL, attrs=["cn","displayName"])
233 names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
234 # dc policy guid
235 res8 = samdb.search(expression="(displayName=Default Domain Controllers"
236 " Policy)",
237 base="CN=Policies,CN=System," + basedn,
238 scope=ldb.SCOPE_ONELEVEL,
239 attrs=["cn","displayName"])
240 if len(res8) == 1:
241 names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
242 else:
243 names.policyid_dc = None
244
245 res9 = idmapdb.search(expression="(cn=%s-%s)" %
246 (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR),
247 attrs=["xidNumber", "type"])
248 if len(res9) != 1:
249 raise ProvisioningError("Unable to find uid/gid for Domain Admins rid (%s-%s" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))
250 if res9[0]["type"][0] == "ID_TYPE_BOTH":
251 names.root_gid = res9[0]["xidNumber"][0]
252 else:
253 names.root_gid = pwd.getpwuid(int(res9[0]["xidNumber"][0])).pw_gid
254 return names
255
256
257 def update_provision_usn(samdb, low, high, id, replace=False):
258 """Update the field provisionUSN in sam.ldb
259
260 This field is used to track range of USN modified by provision and
261 upgradeprovision.
262 This value is used afterward by next provision to figure out if
263 the field have been modified since last provision.
264
265 :param samdb: An LDB object connect to sam.ldb
266 :param low: The lowest USN modified by this upgrade
267 :param high: The highest USN modified by this upgrade
268 :param id: The invocation id of the samba's dc
269 :param replace: A boolean indicating if the range should replace any
270 existing one or appended (default)
271 """
272
273 tab = []
274 if not replace:
275 entry = samdb.search(base="@PROVISION",
276 scope=ldb.SCOPE_BASE,
277 attrs=[LAST_PROVISION_USN_ATTRIBUTE, "dn"])
278 for e in entry[0][LAST_PROVISION_USN_ATTRIBUTE]:
279 if not re.search(';', e):
280 e = "%s;%s" % (e, id)
281 tab.append(str(e))
282
283 tab.append("%s-%s;%s" % (low, high, id))
284 delta = ldb.Message()
285 delta.dn = ldb.Dn(samdb, "@PROVISION")
286 delta[LAST_PROVISION_USN_ATTRIBUTE] = ldb.MessageElement(tab,
287 ldb.FLAG_MOD_REPLACE, LAST_PROVISION_USN_ATTRIBUTE)
288 entry = samdb.search(expression='provisionnerID=*',
289 base="@PROVISION", scope=ldb.SCOPE_BASE,
290 attrs=["provisionnerID"])
291 if len(entry) == 0 or len(entry[0]) == 0:
292 delta["provisionnerID"] = ldb.MessageElement(id, ldb.FLAG_MOD_ADD, "provisionnerID")
293 samdb.modify(delta)
294
295
296 def set_provision_usn(samdb, low, high, id):
297 """Set the field provisionUSN in sam.ldb
298 This field is used to track range of USN modified by provision and
299 upgradeprovision.
300 This value is used afterward by next provision to figure out if
301 the field have been modified since last provision.
302
303 :param samdb: An LDB object connect to sam.ldb
304 :param low: The lowest USN modified by this upgrade
305 :param high: The highest USN modified by this upgrade
306 :param id: The invocationId of the provision"""
307
308 tab = []
309 tab.append("%s-%s;%s" % (low, high, id))
310
311 delta = ldb.Message()
312 delta.dn = ldb.Dn(samdb, "@PROVISION")
313 delta[LAST_PROVISION_USN_ATTRIBUTE] = ldb.MessageElement(tab,
314 ldb.FLAG_MOD_ADD, LAST_PROVISION_USN_ATTRIBUTE)
315 samdb.add(delta)
316
317
318 def get_max_usn(samdb,basedn):
319 """ This function return the biggest USN present in the provision
320
321 :param samdb: A LDB object pointing to the sam.ldb
322 :param basedn: A string containing the base DN of the provision
323 (ie. DC=foo, DC=bar)
324 :return: The biggest USN in the provision"""
325
326 res = samdb.search(expression="objectClass=*",base=basedn,
327 scope=ldb.SCOPE_SUBTREE,attrs=["uSNChanged"],
328 controls=["search_options:1:2",
329 "server_sort:1:1:uSNChanged",
330 "paged_results:1:1"])
331 return res[0]["uSNChanged"]
332
333
334 def get_last_provision_usn(sam):
335 """Get USNs ranges modified by a provision or an upgradeprovision
336
337 :param sam: An LDB object pointing to the sam.ldb
338 :return: a dictionary which keys are invocation id and values are an array
339 of integer representing the different ranges
340 """
341 try:
342 entry = sam.search(expression="%s=*" % LAST_PROVISION_USN_ATTRIBUTE,
343 base="@PROVISION", scope=ldb.SCOPE_BASE,
344 attrs=[LAST_PROVISION_USN_ATTRIBUTE, "provisionnerID"])
345 except ldb.LdbError, (ecode, emsg):
346 if ecode == ldb.ERR_NO_SUCH_OBJECT:
347 return None
348 raise
349 if len(entry) > 0:
350 myids = []
351 range = {}
352 p = re.compile(r'-')
353 if entry[0].get("provisionnerID"):
354 for e in entry[0]["provisionnerID"]:
355 myids.append(str(e))
356 for r in entry[0][LAST_PROVISION_USN_ATTRIBUTE]:
357 tab1 = str(r).split(';')
358 if len(tab1) == 2:
359 id = tab1[1]
360 else:
361 id = "default"
362 if (len(myids) > 0 and id not in myids):
363 continue
364 tab2 = p.split(tab1[0])
365 if range.get(id) is None:
366 range[id] = []
367 range[id].append(tab2[0])
368 range[id].append(tab2[1])
369 return range
370 else:
371 return None
372
373
374 class ProvisionResult(object):
375 """Result of a provision.
376
377 :ivar server_role: The server role
378 :ivar paths: ProvisionPaths instance
379 :ivar domaindn: The domain dn, as string
380 """
381
382 def __init__(self):
383 self.server_role = None
384 self.paths = None
385 self.domaindn = None
386 self.lp = None
387 self.samdb = None
388 self.idmap = None
389 self.names = None
390 self.domainsid = None
391 self.adminpass_generated = None
392 self.adminpass = None
393 self.backend_result = None
394
395 def report_logger(self, logger):
396 """Report this provision result to a logger."""
397 logger.info(
398 "Once the above files are installed, your Samba4 server will "
399 "be ready to use")
400 if self.adminpass_generated:
401 logger.info("Admin password: %s", self.adminpass)
402 logger.info("Server Role: %s", self.server_role)
403 logger.info("Hostname: %s", self.names.hostname)
404 logger.info("NetBIOS Domain: %s", self.names.domain)
405 logger.info("DNS Domain: %s", self.names.dnsdomain)
406 logger.info("DOMAIN SID: %s", self.domainsid)
407
408 if self.backend_result:
409 self.backend_result.report_logger(logger)
410
411
412 def check_install(lp, session_info, credentials):
413 """Check whether the current install seems ok.
414
415 :param lp: Loadparm context
416 :param session_info: Session information
417 :param credentials: Credentials
418 """
419 if lp.get("realm") == "":
420 raise Exception("Realm empty")
421 samdb = Ldb(lp.samdb_url(), session_info=session_info,
422 credentials=credentials, lp=lp)
423 if len(samdb.search("(cn=Administrator)")) != 1:
424 raise ProvisioningError("No administrator account found")
425
426
427 def findnss(nssfn, names):
428 """Find a user or group from a list of possibilities.
429
430 :param nssfn: NSS Function to try (should raise KeyError if not found)
431 :param names: Names to check.
432 :return: Value return by first names list.
433 """
434 for name in names:
435 try:
436 return nssfn(name)
437 except KeyError:
438 pass
439 raise KeyError("Unable to find user/group in %r" % names)
440
441
442 findnss_uid = lambda names: findnss(pwd.getpwnam, names)[2]
443 findnss_gid = lambda names: findnss(grp.getgrnam, names)[2]
444
445
446 def provision_paths_from_lp(lp, dnsdomain):
447 """Set the default paths for provisioning.
448
449 :param lp: Loadparm context.
450 :param dnsdomain: DNS Domain name
451 """
452 paths = ProvisionPaths()
453 paths.private_dir = lp.get("private dir")
454 paths.state_dir = lp.get("state directory")
455
456 # This is stored without path prefix for the "privateKeytab" attribute in
457 # "secrets_dns.ldif".
458 paths.dns_keytab = "dns.keytab"
459 paths.keytab = "secrets.keytab"
460
461 paths.shareconf = os.path.join(paths.private_dir, "share.ldb")
462 paths.samdb = os.path.join(paths.private_dir, "sam.ldb")
463 paths.idmapdb = os.path.join(paths.private_dir, "idmap.ldb")
464 paths.secrets = os.path.join(paths.private_dir, "secrets.ldb")
465 paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
466 paths.dns = os.path.join(paths.private_dir, "dns", dnsdomain + ".zone")
467 paths.dns_update_list = os.path.join(paths.private_dir, "dns_update_list")
468 paths.spn_update_list = os.path.join(paths.private_dir, "spn_update_list")
469 paths.namedconf = os.path.join(paths.private_dir, "named.conf")
470 paths.namedconf_update = os.path.join(paths.private_dir, "named.conf.update")
471 paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
472 paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
473 paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
474 paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
475 paths.hklm = "hklm.ldb"
476 paths.hkcr = "hkcr.ldb"
477 paths.hkcu = "hkcu.ldb"
478 paths.hku = "hku.ldb"
479 paths.hkpd = "hkpd.ldb"
480 paths.hkpt = "hkpt.ldb"
481 paths.sysvol = lp.get("path", "sysvol")
482 paths.netlogon = lp.get("path", "netlogon")
483 paths.smbconf = lp.configfile
484 return paths
485
486
487 def determine_netbios_name(hostname):
488 """Determine a netbios name from a hostname."""
489 # remove forbidden chars and force the length to be <16
490 netbiosname = "".join([x for x in hostname if is_valid_netbios_char(x)])
491 return netbiosname[:MAX_NETBIOS_NAME_LEN].upper()
492
493
494 def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
495 serverrole=None, rootdn=None, domaindn=None, configdn=None,
496 schemadn=None, serverdn=None, sitename=None):
497 """Guess configuration settings to use."""
498
499 if hostname is None:
500 hostname = socket.gethostname().split(".")[0]
501
502 netbiosname = lp.get("netbios name")
503 if netbiosname is None:
504 netbiosname = determine_netbios_name(hostname)
505 netbiosname = netbiosname.upper()
506 if not valid_netbios_name(netbiosname):
507 raise InvalidNetbiosName(netbiosname)
508
509 if dnsdomain is None:
510 dnsdomain = lp.get("realm")
511 if dnsdomain is None or dnsdomain == "":
512 raise ProvisioningError("guess_names: 'realm' not specified in supplied %s!", lp.configfile)
513
514 dnsdomain = dnsdomain.lower()
515
516 if serverrole is None:
517 serverrole = lp.get("server role")
518 if serverrole is None:
519 raise ProvisioningError("guess_names: 'server role' not specified in supplied %s!" % lp.configfile)
520
521 serverrole = serverrole.lower()
522
523 realm = dnsdomain.upper()
524
525 if lp.get("realm") == "":
526 raise ProvisioningError("guess_names: 'realm =' was not specified in supplied %s. Please remove the smb.conf file and let provision generate it" % lp.configfile)
527
528 if lp.get("realm").upper() != realm:
529 raise ProvisioningError("guess_names: 'realm=%s' in %s must match chosen realm '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("realm").upper(), realm, lp.configfile))
530
531 if lp.get("server role").lower() != serverrole:
532 raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole))
533
534 if serverrole == "active directory domain controller":
535 if domain is None:
536 # This will, for better or worse, default to 'WORKGROUP'
537 domain = lp.get("workgroup")
538 domain = domain.upper()
539
540 if lp.get("workgroup").upper() != domain:
541 raise ProvisioningError("guess_names: Workgroup '%s' in smb.conf must match chosen domain '%s'! Please remove the %s file and let provision generate it" % (lp.get("workgroup").upper(), domain, lp.configfile))
542
543 if domaindn is None:
544 domaindn = samba.dn_from_dns_name(dnsdomain)
545
546 if domain == netbiosname:
547 raise ProvisioningError("guess_names: Domain '%s' must not be equal to short host name '%s'!" % (domain, netbiosname))
548 else:
549 domain = netbiosname
550 if domaindn is None:
551 domaindn = "DC=" + netbiosname
552
553 if not valid_netbios_name(domain):
554 raise InvalidNetbiosName(domain)
555
556 if hostname.upper() == realm:
557 raise ProvisioningError("guess_names: Realm '%s' must not be equal to hostname '%s'!" % (realm, hostname))
558 if netbiosname.upper() == realm:
559 raise ProvisioningError("guess_names: Realm '%s' must not be equal to netbios hostname '%s'!" % (realm, netbiosname))
560 if domain == realm:
561 raise ProvisioningError("guess_names: Realm '%s' must not be equal to short domain name '%s'!" % (realm, domain))
562
563 if rootdn is None:
564 rootdn = domaindn
565
566 if configdn is None:
567 configdn = "CN=Configuration," + rootdn
568 if schemadn is None:
569 schemadn = "CN=Schema," + configdn
570
571 if sitename is None:
572 sitename = DEFAULTSITE
573
574 names = ProvisionNames()
575 names.rootdn = rootdn
576 names.domaindn = domaindn
577 names.configdn = configdn
578 names.schemadn = schemadn
579 names.ldapmanagerdn = "CN=Manager," + rootdn
580 names.dnsdomain = dnsdomain
581 names.domain = domain
582 names.realm = realm
583 names.netbiosname = netbiosname
584 names.hostname = hostname
585 names.sitename = sitename
586 names.serverdn = "CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (
587 netbiosname, sitename, configdn)
588
589 return names
590
591
592 def make_smbconf(smbconf, hostname, domain, realm, targetdir,
593 serverrole=None, eadb=False, use_ntvfs=False, lp=None,
594 global_param=None):
595 """Create a new smb.conf file based on a couple of basic settings.
596 """
597 assert smbconf is not None
598
599 if hostname is None:
600 hostname = socket.gethostname().split(".")[0]
601
602 netbiosname = determine_netbios_name(hostname)
603
604 if serverrole is None:
605 serverrole = "standalone server"
606
607 assert domain is not None
608 domain = domain.upper()
609
610 assert realm is not None
611 realm = realm.upper()
612
613 global_settings = {
614 "netbios name": netbiosname,
615 "workgroup": domain,
616 "realm": realm,
617 "server role": serverrole,
618 }
619
620 if lp is None:
621 lp = samba.param.LoadParm()
622 #Load non-existent file
623 if os.path.exists(smbconf):
624 lp.load(smbconf)
625
626 if global_param is not None:
627 for ent in global_param:
628 if global_param[ent] is not None:
629 global_settings[ent] = " ".join(global_param[ent])
630
631 if targetdir is not None:
632 global_settings["private dir"] = os.path.abspath(os.path.join(targetdir, "private"))
633 global_settings["lock dir"] = os.path.abspath(targetdir)
634 global_settings["state directory"] = os.path.abspath(os.path.join(targetdir, "state"))
635 global_settings["cache directory"] = os.path.abspath(os.path.join(targetdir, "cache"))
636
637 lp.set("lock dir", os.path.abspath(targetdir))
638 lp.set("state directory", global_settings["state directory"])
639 lp.set("cache directory", global_settings["cache directory"])
640
641 if eadb:
642 if use_ntvfs and not lp.get("posix:eadb"):
643 if targetdir is not None:
644 privdir = os.path.join(targetdir, "private")
645 else:
646 privdir = lp.get("private dir")
647 lp.set("posix:eadb", os.path.abspath(os.path.join(privdir, "eadb.tdb")))
648 elif not use_ntvfs and not lp.get("xattr_tdb:file"):
649 if targetdir is not None:
650 statedir = os.path.join(targetdir, "state")
651 else:
652 statedir = lp.get("state directory")
653 lp.set("xattr_tdb:file", os.path.abspath(os.path.join(statedir, "xattr.tdb")))
654
655 shares = {}
656 if serverrole == "active directory domain controller":
657 shares["sysvol"] = os.path.join(lp.get("state directory"), "sysvol")
658 shares["netlogon"] = os.path.join(shares["sysvol"], realm.lower(),
659 "scripts")
660 else:
661 global_settings["passdb backend"] = "samba_dsdb"
662
663 f = open(smbconf, 'w')
664 try:
665 f.write("[globals]\n")
666 for key, val in global_settings.iteritems():
667 f.write("\t%s = %s\n" % (key, val))
668 f.write("\n")
669
670 for name, path in shares.iteritems():
671 f.write("[%s]\n" % name)
672 f.write("\tpath = %s\n" % path)
673 f.write("\tread only = no\n")
674 f.write("\n")
675 finally:
676 f.close()
677 # reload the smb.conf
678 lp.load(smbconf)
679
680 # and dump it without any values that are the default
681 # this ensures that any smb.conf parameters that were set
682 # on the provision/join command line are set in the resulting smb.conf
683 f = open(smbconf, mode='w')
684 try:
685 lp.dump(f, False)
686 finally:
687 f.close()
688
689
690 def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
691 users_gid, root_gid):
692 """setup reasonable name mappings for sam names to unix names.
693
694 :param samdb: SamDB object.
695 :param idmap: IDmap db object.
696 :param sid: The domain sid.
697 :param domaindn: The domain DN.
698 :param root_uid: uid of the UNIX root user.
699 :param nobody_uid: uid of the UNIX nobody user.
700 :param users_gid: gid of the UNIX users group.
701 :param root_gid: gid of the UNIX root group.
702 """
703 idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
704
705 idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
706 idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
707
708
709 def setup_samdb_partitions(samdb_path, logger, lp, session_info,
710 provision_backend, names, schema, serverrole,
711 erase=False):
712 """Setup the partitions for the SAM database.
713
714 Alternatively, provision() may call this, and then populate the database.
715
716 :note: This will wipe the Sam Database!
717
718 :note: This function always removes the local SAM LDB file. The erase
719 parameter controls whether to erase the existing data, which
720 may not be stored locally but in LDAP.
721
722 """
723 assert session_info is not None
724
725 # We use options=["modules:"] to stop the modules loading - we
726 # just want to wipe and re-initialise the database, not start it up
727
728 try:
729 os.unlink(samdb_path)
730 except OSError:
731 pass
732
733 samdb = Ldb(url=samdb_path, session_info=session_info,
734 lp=lp, options=["modules:"])
735
736 ldap_backend_line = "# No LDAP backend"
737 if provision_backend.type != "ldb":
738 ldap_backend_line = "ldapBackend: %s" % provision_backend.ldap_uri
739
740 samdb.transaction_start()
741 try:
742 logger.info("Setting up sam.ldb partitions and settings")
743 setup_add_ldif(samdb, setup_path("provision_partitions.ldif"), {
744 "LDAP_BACKEND_LINE": ldap_backend_line
745 })
746
747
748 setup_add_ldif(samdb, setup_path("provision_init.ldif"), {
749 "BACKEND_TYPE": provision_backend.type,
750 "SERVER_ROLE": serverrole
751 })
752
753 logger.info("Setting up sam.ldb rootDSE")
754 setup_samdb_rootdse(samdb, names)
755 except:
756 samdb.transaction_cancel()
757 raise
758 else:
759 samdb.transaction_commit()
760
761
762 def secretsdb_self_join(secretsdb, domain,
763 netbiosname, machinepass, domainsid=None,
764 realm=None, dnsdomain=None,
765 keytab_path=None,
766 key_version_number=1,
767 secure_channel_type=SEC_CHAN_WKSTA):
768 """Add domain join-specific bits to a secrets database.
769
770 :param secretsdb: Ldb Handle to the secrets database
771 :param machinepass: Machine password
772 """
773 attrs = ["whenChanged",
774 "secret",
775 "priorSecret",
776 "priorChanged",
777 "krb5Keytab",
778 "privateKeytab"]
779
780 if realm is not None:
781 if dnsdomain is None:
782 dnsdomain = realm.lower()
783 dnsname = '%s.%s' % (netbiosname.lower(), dnsdomain.lower())
784 else:
785 dnsname = None
786 shortname = netbiosname.lower()
787
788 # We don't need to set msg["flatname"] here, because rdn_name will handle
789 # it, and it causes problems for modifies anyway
790 msg = ldb.Message(ldb.Dn(secretsdb, "flatname=%s,cn=Primary Domains" % domain))
791 msg["secureChannelType"] = [str(secure_channel_type)]
792 msg["objectClass"] = ["top", "primaryDomain"]
793 if dnsname is not None:
794 msg["objectClass"] = ["top", "primaryDomain", "kerberosSecret"]
795 msg["realm"] = [realm]
796 msg["saltPrincipal"] = ["host/%s@%s" % (dnsname, realm.upper())]
797 msg["msDS-KeyVersionNumber"] = [str(key_version_number)]
798 msg["privateKeytab"] = ["secrets.keytab"]
799
800 msg["secret"] = [machinepass]
801 msg["samAccountName"] = ["%s$" % netbiosname]
802 msg["secureChannelType"] = [str(secure_channel_type)]
803 if domainsid is not None:
804 msg["objectSid"] = [ndr_pack(domainsid)]
805
806 # This complex expression tries to ensure that we don't have more
807 # than one record for this SID, realm or netbios domain at a time,
808 # but we don't delete the old record that we are about to modify,
809 # because that would delete the keytab and previous password.
810 res = secretsdb.search(base="cn=Primary Domains", attrs=attrs,
811 expression=("(&(|(flatname=%s)(realm=%s)(objectSid=%s))(objectclass=primaryDomain)(!(distinguishedName=%s)))" % (domain, realm, str(domainsid), str(msg.dn))),
812 scope=ldb.SCOPE_ONELEVEL)
813
814 for del_msg in res:
815 secretsdb.delete(del_msg.dn)
816
817 res = secretsdb.search(base=msg.dn, attrs=attrs, scope=ldb.SCOPE_BASE)
818
819 if len(res) == 1:
820 msg["priorSecret"] = [res[0]["secret"][0]]
821 msg["priorWhenChanged"] = [res[0]["whenChanged"][0]]
822
823 try:
824 msg["privateKeytab"] = [res[0]["privateKeytab"][0]]
825 except KeyError:
826 pass
827
828 try:
829 msg["krb5Keytab"] = [res[0]["krb5Keytab"][0]]
830 except KeyError:
831 pass
832
833 for el in msg:
834 if el != 'dn':
835 msg[el].set_flags(ldb.FLAG_MOD_REPLACE)
836 secretsdb.modify(msg)
837 secretsdb.rename(res[0].dn, msg.dn)
838 else:
839 spn = [ 'HOST/%s' % shortname ]
840 if secure_channel_type == SEC_CHAN_BDC and dnsname is not None:
841 # we are a domain controller then we add servicePrincipalName
842 # entries for the keytab code to update.
843 spn.extend([ 'HOST/%s' % dnsname ])
844 msg["servicePrincipalName"] = spn
845
846 secretsdb.add(msg)
847
848
849 def setup_secretsdb(paths, session_info, backend_credentials, lp):
850 """Setup the secrets database.
851
852 :note: This function does not handle exceptions and transaction on purpose,
853 it's up to the caller to do this job.
854
855 :param path: Path to the secrets database.
856 :param session_info: Session info.
857 :param credentials: Credentials
858 :param lp: Loadparm context
859 :return: LDB handle for the created secrets database
860 """
861 if os.path.exists(paths.secrets):
862 os.unlink(paths.secrets)
863
864 keytab_path = os.path.join(paths.private_dir, paths.keytab)
865 if os.path.exists(keytab_path):
866 os.unlink(keytab_path)
867
868 dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
869 if os.path.exists(dns_keytab_path):
870 os.unlink(dns_keytab_path)
871
872 path = paths.secrets
873
874 secrets_ldb = Ldb(path, session_info=session_info, lp=lp)
875 secrets_ldb.erase()
876 secrets_ldb.load_ldif_file_add(setup_path("secrets_init.ldif"))
877 secrets_ldb = Ldb(path, session_info=session_info, lp=lp)
878 secrets_ldb.transaction_start()
879 try:
880 secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
881
882 if (backend_credentials is not None and
883 backend_credentials.authentication_requested()):
884 if backend_credentials.get_bind_dn() is not None:
885 setup_add_ldif(secrets_ldb,
886 setup_path("secrets_simple_ldap.ldif"), {
887 "LDAPMANAGERDN": backend_credentials.get_bind_dn(),
888 "LDAPMANAGERPASS_B64": b64encode(backend_credentials.get_password())
889 })
890 else:
891 setup_add_ldif(secrets_ldb,
892 setup_path("secrets_sasl_ldap.ldif"), {
893 "LDAPADMINUSER": backend_credentials.get_username(),
894 "LDAPADMINREALM": backend_credentials.get_realm(),
895 "LDAPADMINPASS_B64": b64encode(backend_credentials.get_password())
896 })
897 except:
898 secrets_ldb.transaction_cancel()
899 raise
900 return secrets_ldb
901
902
903 def setup_privileges(path, session_info, lp):
904 """Setup the privileges database.
905
906 :param path: Path to the privileges database.
907 :param session_info: Session info.
908 :param credentials: Credentials
909 :param lp: Loadparm context
910 :return: LDB handle for the created secrets database
911 """
912 if os.path.exists(path):
913 os.unlink(path)
914 privilege_ldb = Ldb(path, session_info=session_info, lp=lp)
915 privilege_ldb.erase()
916 privilege_ldb.load_ldif_file_add(setup_path("provision_privilege.ldif"))
917
918
919 def setup_registry(path, session_info, lp):
920 """Setup the registry.
921
922 :param path: Path to the registry database
923 :param session_info: Session information
924 :param credentials: Credentials
925 :param lp: Loadparm context
926 """
927 reg = samba.registry.Registry()
928 hive = samba.registry.open_ldb(path, session_info=session_info, lp_ctx=lp)
929 reg.mount_hive(hive, samba.registry.HKEY_LOCAL_MACHINE)
930 provision_reg = setup_path("provision.reg")
931 assert os.path.exists(provision_reg)
932 reg.diff_apply(provision_reg)
933
934
935 def setup_idmapdb(path, session_info, lp):
936 """Setup the idmap database.
937
938 :param path: path to the idmap database
939 :param session_info: Session information
940 :param credentials: Credentials
941 :param lp: Loadparm context
942 """
943 if os.path.exists(path):
944 os.unlink(path)
945
946 idmap_ldb = IDmapDB(path, session_info=session_info, lp=lp)
947 idmap_ldb.erase()
948 idmap_ldb.load_ldif_file_add(setup_path("idmap_init.ldif"))
949 return idmap_ldb
950
951
952 def setup_samdb_rootdse(samdb, names):
953 """Setup the SamDB rootdse.
954
955 :param samdb: Sam Database handle
956 """
957 setup_add_ldif(samdb, setup_path("provision_rootdse_add.ldif"), {
958 "SCHEMADN": names.schemadn,
959 "DOMAINDN": names.domaindn,
960 "ROOTDN" : names.rootdn,
961 "CONFIGDN": names.configdn,
962 "SERVERDN": names.serverdn,
963 })
964
965
966 def setup_self_join(samdb, admin_session_info, names, fill, machinepass,
967 dns_backend, dnspass, domainsid, next_rid, invocationid,
968 policyguid, policyguid_dc,
969 domainControllerFunctionality, ntdsguid=None, dc_rid=None):
970 """Join a host to its own domain."""
971 assert isinstance(invocationid, str)
972 if ntdsguid is not None:
973 ntdsguid_line = "objectGUID: %s\n"%ntdsguid
974 else:
975 ntdsguid_line = ""
976
977 if dc_rid is None:
978 dc_rid = next_rid
979
980 setup_add_ldif(samdb, setup_path("provision_self_join.ldif"), {
981 "CONFIGDN": names.configdn,
982 "SCHEMADN": names.schemadn,
983 "DOMAINDN": names.domaindn,
984 "SERVERDN": names.serverdn,
985 "INVOCATIONID": invocationid,
986 "NETBIOSNAME": names.netbiosname,
987 "DNSNAME": "%s.%s" % (names.hostname, names.dnsdomain),
988 "MACHINEPASS_B64": b64encode(machinepass.encode('utf-16-le')),
989 "DOMAINSID": str(domainsid),
990 "DCRID": str(dc_rid),
991 "SAMBA_VERSION_STRING": version,
992 "NTDSGUID": ntdsguid_line,
993 "DOMAIN_CONTROLLER_FUNCTIONALITY": str(
994 domainControllerFunctionality),
995 "RIDALLOCATIONSTART": str(next_rid + 100),
996 "RIDALLOCATIONEND": str(next_rid + 100 + 499)})
997
998 setup_add_ldif(samdb, setup_path("provision_group_policy.ldif"), {
999 "POLICYGUID": policyguid,
1000 "POLICYGUID_DC": policyguid_dc,
1001 "DNSDOMAIN": names.dnsdomain,
1002 "DOMAINDN": names.domaindn})
1003
1004 # If we are setting up a subdomain, then this has been replicated in, so we
1005 # don't need to add it
1006 if fill == FILL_FULL:
1007 setup_add_ldif(samdb, setup_path("provision_self_join_config.ldif"), {
1008 "CONFIGDN": names.configdn,
1009 "SCHEMADN": names.schemadn,
1010 "DOMAINDN": names.domaindn,
1011 "SERVERDN": names.serverdn,
1012 "INVOCATIONID": invocationid,
1013 "NETBIOSNAME": names.netbiosname,
1014 "DNSNAME": "%s.%s" % (names.hostname, names.dnsdomain),
1015 "MACHINEPASS_B64": b64encode(machinepass.encode('utf-16-le')),
1016 "DOMAINSID": str(domainsid),
1017 "DCRID": str(dc_rid),
1018 "SAMBA_VERSION_STRING": version,
1019 "NTDSGUID": ntdsguid_line,
1020 "DOMAIN_CONTROLLER_FUNCTIONALITY": str(
1021 domainControllerFunctionality)})
1022
1023 # Setup fSMORoleOwner entries to point at the newly created DC entry
1024 setup_modify_ldif(samdb,
1025 setup_path("provision_self_join_modify_config.ldif"), {
1026 "CONFIGDN": names.configdn,
1027 "SCHEMADN": names.schemadn,
1028 "DEFAULTSITE": names.sitename,
1029 "NETBIOSNAME": names.netbiosname,
1030 "SERVERDN": names.serverdn,
1031 })
1032
1033 system_session_info = system_session()
1034 samdb.set_session_info(system_session_info)
1035 # Setup fSMORoleOwner entries to point at the newly created DC entry to
1036 # modify a serverReference under cn=config when we are a subdomain, we must
1037 # be system due to ACLs
1038 setup_modify_ldif(samdb, setup_path("provision_self_join_modify.ldif"), {
1039 "DOMAINDN": names.domaindn,
1040 "SERVERDN": names.serverdn,
1041 "NETBIOSNAME": names.netbiosname,
1042 })
1043
1044 samdb.set_session_info(admin_session_info)
1045
1046 if dns_backend != "SAMBA_INTERNAL":
1047 # This is Samba4 specific and should be replaced by the correct
1048 # DNS AD-style setup
1049 setup_add_ldif(samdb, setup_path("provision_dns_add_samba.ldif"), {
1050 "DNSDOMAIN": names.dnsdomain,
1051 "DOMAINDN": names.domaindn,
1052 "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')),
1053 "HOSTNAME" : names.hostname,
1054 "DNSNAME" : '%s.%s' % (
1055 names.netbiosname.lower(), names.dnsdomain.lower())
1056 })
1057
1058
1059 def getpolicypath(sysvolpath, dnsdomain, guid):
1060 """Return the physical path of policy given its guid.
1061
1062 :param sysvolpath: Path to the sysvol folder
1063 :param dnsdomain: DNS name of the AD domain
1064 :param guid: The GUID of the policy
1065 :return: A string with the complete path to the policy folder
1066 """
1067 if guid[0] != "{":
1068 guid = "{%s}" % guid
1069 policy_path = os.path.join(sysvolpath, dnsdomain, "Policies", guid)
1070 return policy_path
1071
1072
1073 def create_gpo_struct(policy_path):
1074 if not os.path.exists(policy_path):
1075 os.makedirs(policy_path, 0775)
1076 f = open(os.path.join(policy_path, "GPT.INI"), 'w')
1077 try:
1078 f.write("[General]\r\nVersion=0")
1079 finally:
1080 f.close()
1081 p = os.path.join(policy_path, "MACHINE")
1082 if not os.path.exists(p):
1083 os.makedirs(p, 0775)
1084 p = os.path.join(policy_path, "USER")
1085 if not os.path.exists(p):
1086 os.makedirs(p, 0775)
1087
1088
1089 def create_default_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
1090 """Create the default GPO for a domain
1091
1092 :param sysvolpath: Physical path for the sysvol folder
1093 :param dnsdomain: DNS domain name of the AD domain
1094 :param policyguid: GUID of the default domain policy
1095 :param policyguid_dc: GUID of the default domain controler policy
1096 """
1097 policy_path = getpolicypath(sysvolpath,dnsdomain,policyguid)
1098 create_gpo_struct(policy_path)
1099
1100 policy_path = getpolicypath(sysvolpath,dnsdomain,policyguid_dc)
1101 create_gpo_struct(policy_path)
1102
1103
1104 def setup_samdb(path, session_info, provision_backend, lp, names,
1105 logger, fill, serverrole, schema, am_rodc=False):
1106 """Setup a complete SAM Database.
1107
1108 :note: This will wipe the main SAM database file!
1109 """
1110
1111 # Also wipes the database
1112 setup_samdb_partitions(path, logger=logger, lp=lp,
1113 provision_backend=provision_backend, session_info=session_info,
1114 names=names, serverrole=serverrole, schema=schema)
1115
1116 # Load the database, but don's load the global schema and don't connect
1117 # quite yet
1118 samdb = SamDB(session_info=session_info, url=None, auto_connect=False,
1119 credentials=provision_backend.credentials, lp=lp,
1120 global_schema=False, am_rodc=am_rodc)
1121
1122 logger.info("Pre-loading the Samba 4 and AD schema")
1123
1124 # Load the schema from the one we computed earlier
1125 samdb.set_schema(schema, write_indices_and_attributes=False)
1126
1127 # Set the NTDS settings DN manually - in order to have it already around
1128 # before the provisioned tree exists and we connect
1129 samdb.set_ntds_settings_dn("CN=NTDS Settings,%s" % names.serverdn)
1130
1131 # And now we can connect to the DB - the schema won't be loaded from the
1132 # DB
1133 samdb.connect(path)
1134
1135 # But we have to give it one more kick to have it use the schema
1136 # during provision - it needs, now that it is connected, to write
1137 # the schema @ATTRIBUTES and @INDEXLIST records to the database.
1138 samdb.set_schema(schema, write_indices_and_attributes=True)
1139
1140 return samdb
1141
1142
1143 def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
1144 policyguid_dc, fill, adminpass, krbtgtpass, machinepass, dns_backend,
1145 dnspass, invocationid, ntdsguid, serverrole, am_rodc=False,
1146 dom_for_fun_level=None, schema=None, next_rid=None, dc_rid=None):
1147
1148 if next_rid is None:
1149 next_rid = 1000
1150
1151 # Provision does not make much sense values larger than 1000000000
1152 # as the upper range of the rIDAvailablePool is 1073741823 and
1153 # we don't want to create a domain that cannot allocate rids.
1154 if next_rid < 1000 or next_rid > 1000000000:
1155 error = "You want to run SAMBA 4 with a next_rid of %u, " % (next_rid)
1156 error += "the valid range is %u-%u. The default is %u." % (
1157 1000, 1000000000, 1000)
1158 raise ProvisioningError(error)
1159
1160 # ATTENTION: Do NOT change these default values without discussion with the
1161 # team and/or release manager. They have a big impact on the whole program!
1162 domainControllerFunctionality = DS_DOMAIN_FUNCTION_2008_R2
1163
1164 if dom_for_fun_level is None:
1165 dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
1166
1167 if dom_for_fun_level > domainControllerFunctionality:
1168 raise ProvisioningError("You want to run SAMBA 4 on a domain and forest function level which itself is higher than its actual DC function level (2008_R2). This won't work!")
1169
1170 domainFunctionality = dom_for_fun_level
1171 forestFunctionality = dom_for_fun_level
1172
1173 # Set the NTDS settings DN manually - in order to have it already around
1174 # before the provisioned tree exists and we connect
1175 samdb.set_ntds_settings_dn("CN=NTDS Settings,%s" % names.serverdn)
1176
1177 samdb.transaction_start()
1178 try:
1179 # Set the domain functionality levels onto the database.
1180 # Various module (the password_hash module in particular) need
1181 # to know what level of AD we are emulating.
1182
1183 # These will be fixed into the database via the database
1184 # modifictions below, but we need them set from the start.
1185 samdb.set_opaque_integer("domainFunctionality", domainFunctionality)
1186 samdb.set_opaque_integer("forestFunctionality", forestFunctionality)
1187 samdb.set_opaque_integer("domainControllerFunctionality",
1188 domainControllerFunctionality)
1189
1190 samdb.set_domain_sid(str(domainsid))
1191 samdb.set_invocation_id(invocationid)
1192
1193 logger.info("Adding DomainDN: %s" % names.domaindn)
1194
1195 # impersonate domain admin
1196 admin_session_info = admin_session(lp, str(domainsid))
1197 samdb.set_session_info(admin_session_info)
1198 if domainguid is not None:
1199 domainguid_line = "objectGUID: %s\n-" % domainguid
1200 else:
1201 domainguid_line = ""
1202
1203 descr = b64encode(get_domain_descriptor(domainsid))
1204 setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
1205 "DOMAINDN": names.domaindn,
1206 "DOMAINSID": str(domainsid),
1207 "DESCRIPTOR": descr,
1208 "DOMAINGUID": domainguid_line
1209 })
1210
1211 setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
1212 "DOMAINDN": names.domaindn,
1213 "CREATTIME": str(samba.unix2nttime(int(time.time()))),
1214 "NEXTRID": str(next_rid),
1215 "DEFAULTSITE": names.sitename,
1216 "CONFIGDN": names.configdn,
1217 "POLICYGUID": policyguid,
1218 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
1219 "SAMBA_VERSION_STRING": version
1220 })
1221
1222 # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
1223 if fill == FILL_FULL:
1224 logger.info("Adding configuration container")
1225 descr = b64encode(get_config_descriptor(domainsid))
1226 setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), {
1227 "CONFIGDN": names.configdn,
1228 "DESCRIPTOR": descr,
1229 })
1230
1231 # The LDIF here was created when the Schema object was constructed
1232 logger.info("Setting up sam.ldb schema")
1233 samdb.add_ldif(schema.schema_dn_add, controls=["relax:0"])
1234 samdb.modify_ldif(schema.schema_dn_modify)
1235 samdb.write_prefixes_from_schema()
1236 samdb.add_ldif(schema.schema_data, controls=["relax:0"])
1237 setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"),
1238 {"SCHEMADN": names.schemadn})
1239
1240 # Now register this container in the root of the forest
1241 msg = ldb.Message(ldb.Dn(samdb, names.domaindn))
1242 msg["subRefs"] = ldb.MessageElement(names.configdn , ldb.FLAG_MOD_ADD,
1243 "subRefs")
1244
1245 except:
1246 samdb.transaction_cancel()
1247 raise
1248 else:
1249 samdb.transaction_commit()
1250
1251 samdb.transaction_start()
1252 try:
1253 samdb.invocation_id = invocationid
1254
1255 # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
1256 if fill == FILL_FULL:
1257 logger.info("Setting up sam.ldb configuration data")
1258 setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
1259 "CONFIGDN": names.configdn,
1260 "NETBIOSNAME": names.netbiosname,
1261 "DEFAULTSITE": names.sitename,
1262 "DNSDOMAIN": names.dnsdomain,
1263 "DOMAIN": names.domain,
1264 "SCHEMADN": names.schemadn,
1265 "DOMAINDN": names.domaindn,
1266 "SERVERDN": names.serverdn,
1267 "FOREST_FUNCTIONALITY": str(forestFunctionality),
1268 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
1269 })
1270
1271 logger.info("Setting up display specifiers")
1272 display_specifiers_ldif = read_ms_ldif(
1273 setup_path('display-specifiers/DisplaySpecifiers-Win2k8R2.txt'))
1274 display_specifiers_ldif = substitute_var(display_specifiers_ldif,
1275 {"CONFIGDN": names.configdn})
1276 check_all_substituted(display_specifiers_ldif)
1277 samdb.add_ldif(display_specifiers_ldif)
1278
1279 logger.info("Adding users container")
1280 setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
1281 "DOMAINDN": names.domaindn})
1282 logger.info("Modifying users container")
1283 setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
1284 "DOMAINDN": names.domaindn})
1285 logger.info("Adding computers container")
1286 setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
1287 "DOMAINDN": names.domaindn})
1288 logger.info("Modifying computers container")
1289 setup_modify_ldif(samdb,
1290 setup_path("provision_computers_modify.ldif"), {
1291 "DOMAINDN": names.domaindn})
1292 logger.info("Setting up sam.ldb data")
1293 setup_add_ldif(samdb, setup_path("provision.ldif"), {
1294 "CREATTIME": str(samba.unix2nttime(int(time.time()))),
1295 "DOMAINDN": names.domaindn,
1296 "NETBIOSNAME": names.netbiosname,
1297 "DEFAULTSITE": names.sitename,
1298 "CONFIGDN": names.configdn,
1299 "SERVERDN": names.serverdn,
1300 "RIDAVAILABLESTART": str(next_rid + 600),
1301 "POLICYGUID_DC": policyguid_dc
1302 })
1303
1304 # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
1305 if fill == FILL_FULL:
1306 setup_modify_ldif(samdb,
1307 setup_path("provision_configuration_references.ldif"), {
1308 "CONFIGDN": names.configdn,
1309 "SCHEMADN": names.schemadn})
1310
1311 logger.info("Setting up well known security principals")
1312 setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
1313 "CONFIGDN": names.configdn,
1314 })
1315
1316 if fill == FILL_FULL or fill == FILL_SUBDOMAIN:
1317 setup_modify_ldif(samdb,
1318 setup_path("provision_basedn_references.ldif"),
1319 {"DOMAINDN": names.domaindn})
1320
1321 logger.info("Setting up sam.ldb users and groups")
1322 setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
1323 "DOMAINDN": names.domaindn,
1324 "DOMAINSID": str(domainsid),
1325 "ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')),
1326 "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
1327 })
1328
1329 logger.info("Setting up self join")
1330 setup_self_join(samdb, admin_session_info, names=names, fill=fill,
1331 invocationid=invocationid,
1332 dns_backend=dns_backend,
1333 dnspass=dnspass,
1334 machinepass=machinepass,
1335 domainsid=domainsid,
1336 next_rid=next_rid,
1337 dc_rid=dc_rid,
1338 policyguid=policyguid,
1339 policyguid_dc=policyguid_dc,
1340 domainControllerFunctionality=domainControllerFunctionality,
1341 ntdsguid=ntdsguid)
1342
1343 ntds_dn = "CN=NTDS Settings,%s" % names.serverdn
1344 names.ntdsguid = samdb.searchone(basedn=ntds_dn,
1345 attribute="objectGUID", expression="", scope=ldb.SCOPE_BASE)
1346 assert isinstance(names.ntdsguid, str)
1347 except:
1348 samdb.transaction_cancel()
1349 raise
1350 else:
1351 samdb.transaction_commit()
1352 return samdb
1353
1354
1355 FILL_FULL = "FULL"
1356 FILL_SUBDOMAIN = "SUBDOMAIN"
1357 FILL_NT4SYNC = "NT4SYNC"
1358 FILL_DRS = "DRS"
1359 SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
1360 POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
1361
1362
1363 def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb):
1364 setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb)
1365 for root, dirs, files in os.walk(path, topdown=False):
1366 for name in files:
1367 setntacl(lp, os.path.join(root, name), acl, domsid,
1368 use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb)
1369 for name in dirs:
1370 setntacl(lp, os.path.join(root, name), acl, domsid,
1371 use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb)
1372
1373
1374 def set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb):
1375 """Set ACL on the sysvol/<dnsname>/Policies folder and the policy
1376 folders beneath.
1377
1378 :param sysvol: Physical path for the sysvol folder
1379 :param dnsdomain: The DNS name of the domain
1380 :param domainsid: The SID of the domain
1381 :param domaindn: The DN of the domain (ie. DC=...)
1382 :param samdb: An LDB object on the SAM db
1383 :param lp: an LP object
1384 """
1385
1386 # Set ACL for GPO root folder
1387 root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")
1388 setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid),
1389 use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb)
1390
1391 res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),
1392 attrs=["cn", "nTSecurityDescriptor"],
1393 expression="", scope=ldb.SCOPE_ONELEVEL)
1394
1395 for policy in res:
1396 acl = ndr_unpack(security.descriptor,
1397 str(policy["nTSecurityDescriptor"])).as_sddl()
1398 policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
1399 set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
1400 str(domainsid), use_ntvfs,
1401 passdb=passdb)
1402
1403
1404 def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
1405 domaindn, lp, use_ntvfs):
1406 """Set the ACL for the sysvol share and the subfolders
1407
1408 :param samdb: An LDB object on the SAM db
1409 :param netlogon: Physical path for the netlogon folder
1410 :param sysvol: Physical path for the sysvol folder
1411 :param uid: The UID of the "Administrator" user
1412 :param gid: The GID of the "Domain adminstrators" group
1413 :param domainsid: The SID of the domain
1414 :param dnsdomain: The DNS name of the domain
1415 :param domaindn: The DN of the domain (ie. DC=...)
1416 """
1417 s4_passdb = None
1418
1419 if not use_ntvfs:
1420 # This will ensure that the smbd code we are running when setting ACLs
1421 # is initialised with the smb.conf
1422 s3conf = s3param.get_context()
1423 s3conf.load(lp.configfile)
1424 # ensure we are using the right samba_dsdb passdb backend, no matter what
1425 s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
1426 passdb.reload_static_pdb()
1427
1428 # ensure that we init the samba_dsdb backend, so the domain sid is
1429 # marked in secrets.tdb
1430 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
1431
1432 # now ensure everything matches correctly, to avoid wierd issues
1433 if passdb.get_global_sam_sid() != domainsid:
1434 raise ProvisioningError('SID as seen by smbd [%s] does not match SID as seen by the provision script [%s]!' % (passdb.get_global_sam_sid(), domainsid))
1435
1436 domain_info = s4_passdb.domain_info()
1437 if domain_info["dom_sid"] != domainsid:
1438 raise ProvisioningError('SID as seen by pdb_samba_dsdb [%s] does not match SID as seen by the provision script [%s]!' % (domain_info["dom_sid"], domainsid))
1439
1440 if domain_info["dns_domain"].upper() != dnsdomain.upper():
1441 raise ProvisioningError('Realm as seen by pdb_samba_dsdb [%s] does not match Realm as seen by the provision script [%s]!' % (domain_info["dns_domain"].upper(), dnsdomain.upper()))
1442
1443
1444 try:
1445 if use_ntvfs:
1446 os.chown(sysvol, -1, gid)
1447 except OSError:
1448 canchown = False
1449 else:
1450 canchown = True
1451
1452 # Set the SYSVOL_ACL on the sysvol folder and subfolder (first level)
1453 setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb)
1454 for root, dirs, files in os.walk(sysvol, topdown=False):
1455 for name in files:
1456 if use_ntvfs and canchown:
1457 os.chown(os.path.join(root, name), -1, gid)
1458 setntacl(lp, os.path.join(root, name), SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb)
1459 for name in dirs:
1460 if use_ntvfs and canchown:
1461 os.chown(os.path.join(root, name), -1, gid)
1462 setntacl(lp, os.path.join(root, name), SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb)
1463
1464 # Set acls on Policy folder and policies folders
1465 set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
1466
1467 def acl_type(direct_db_access):
1468 if direct_db_access:
1469 return "DB"
1470 else:
1471 return "VFS"
1472
1473 def check_dir_acl(path, acl, lp, domainsid, direct_db_access):
1474 fsacl = getntacl(lp, path, direct_db_access=direct_db_access)
1475 fsacl_sddl = fsacl.as_sddl(domainsid)
1476 if fsacl_sddl != acl:
1477 raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
1478
1479 for root, dirs, files in os.walk(path, topdown=False):
1480 for name in files:
1481 fsacl = getntacl(lp, os.path.join(root, name), direct_db_access=direct_db_access)
1482 if fsacl is None:
1483 raise ProvisioningError('%s ACL on GPO file %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
1484 fsacl_sddl = fsacl.as_sddl(domainsid)
1485 if fsacl_sddl != acl:
1486 raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
1487
1488 for name in dirs:
1489 fsacl = getntacl(lp, os.path.join(root, name), direct_db_access=direct_db_access)
1490 if fsacl is None:
1491 raise ProvisioningError('%s ACL on GPO directory %s %s not found!' % (acl_type(direct_db_access), os.path.join(root, name)))
1492 fsacl_sddl = fsacl.as_sddl(domainsid)
1493 if fsacl_sddl != acl:
1494 raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
1495
1496
1497 def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
1498 direct_db_access):
1499 """Set ACL on the sysvol/<dnsname>/Policies folder and the policy
1500 folders beneath.
1501
1502 :param sysvol: Physical path for the sysvol folder
1503 :param dnsdomain: The DNS name of the domain
1504 :param domainsid: The SID of the domain
1505 :param domaindn: The DN of the domain (ie. DC=...)
1506 :param samdb: An LDB object on the SAM db
1507 :param lp: an LP object
1508 """
1509
1510 # Set ACL for GPO root folder
1511 root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")
1512 fsacl = getntacl(lp, root_policy_path, direct_db_access=direct_db_access)
1513 if fsacl is None:
1514 raise ProvisioningError('DB ACL on policy root %s %s not found!' % (acl_type(direct_db_access), root_policy_path))
1515 fsacl_sddl = fsacl.as_sddl(domainsid)
1516 if fsacl_sddl != POLICIES_ACL:
1517 raise ProvisioningError('%s ACL on policy root %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), root_policy_path, fsacl_sddl, fsacl))
1518 res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),
1519 attrs=["cn", "nTSecurityDescriptor"],
1520 expression="", scope=ldb.SCOPE_ONELEVEL)
1521
1522 for policy in res:
1523 acl = ndr_unpack(security.descriptor,
1524 str(policy["nTSecurityDescriptor"])).as_sddl()
1525 policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
1526 check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
1527 domainsid, direct_db_access)
1528
1529
1530 def checksysvolacl(samdb, netlogon, sysvol, domainsid, dnsdomain, domaindn,
1531 lp):
1532 """Set the ACL for the sysvol share and the subfolders
1533
1534 :param samdb: An LDB object on the SAM db
1535 :param netlogon: Physical path for the netlogon folder
1536 :param sysvol: Physical path for the sysvol folder
1537 :param uid: The UID of the "Administrator" user
1538 :param gid: The GID of the "Domain adminstrators" group
1539 :param domainsid: The SID of the domain
1540 :param dnsdomain: The DNS name of the domain
1541 :param domaindn: The DN of the domain (ie. DC=...)
1542 """
1543
1544 # This will ensure that the smbd code we are running when setting ACLs is initialised with the smb.conf
1545 s3conf = s3param.get_context()
1546 s3conf.load(lp.configfile)
1547 # ensure we are using the right samba_dsdb passdb backend, no matter what
1548 s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url)
1549 # ensure that we init the samba_dsdb backend, so the domain sid is marked in secrets.tdb
1550 s4_passdb = passdb.PDB(s3conf.get("passdb backend"))
1551
1552 # now ensure everything matches correctly, to avoid wierd issues
1553 if passdb.get_global_sam_sid() != domainsid:
1554 raise ProvisioningError('SID as seen by smbd [%s] does not match SID as seen by the provision script [%s]!' % (passdb.get_global_sam_sid(), domainsid))
1555
1556 domain_info = s4_passdb.domain_info()
1557 if domain_info["dom_sid"] != domainsid:
1558 raise ProvisioningError('SID as seen by pdb_samba_dsdb [%s] does not match SID as seen by the provision script [%s]!' % (domain_info["dom_sid"], domainsid))
1559
1560 if domain_info["dns_domain"].upper() != dnsdomain.upper():
1561 raise ProvisioningError('Realm as seen by pdb_samba_dsdb [%s] does not match Realm as seen by the provision script [%s]!' % (domain_info["dns_domain"].upper(), dnsdomain.upper()))
1562
1563 # Ensure we can read this directly, and via the smbd VFS
1564 for direct_db_access in [True, False]:
1565 # Check the SYSVOL_ACL on the sysvol folder and subfolder (first level)
1566 for dir_path in [os.path.join(sysvol, dnsdomain), netlogon]:
1567 fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access)
1568 if fsacl is None:
1569 raise ProvisioningError('%s ACL on sysvol directory %s not found!' % (acl_type(direct_db_access), dir_path))
1570 fsacl_sddl = fsacl.as_sddl(domainsid)
1571 if fsacl_sddl != SYSVOL_ACL:
1572 raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))
1573
1574 # Check acls on Policy folder and policies folders
1575 check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
1576 direct_db_access)
1577
1578
1579 def interface_ips_v4(lp):
1580 """return only IPv4 IPs"""
1581 ips = samba.interface_ips(lp, False)
1582 ret = []
1583 for i in ips:
1584 if i.find(':') == -1:
1585 ret.append(i)
1586 return ret
1587
1588
1589 def interface_ips_v6(lp, linklocal=False):
1590 """return only IPv6 IPs"""
1591 ips = samba.interface_ips(lp, False)
1592 ret = []
1593 for i in ips:
1594 if i.find(':') != -1 and (linklocal or i.find('%') == -1):
1595 ret.append(i)
1596 return ret
1597
1598
1599 def provision_fill(samdb, secrets_ldb, logger, names, paths,
1600 domainsid, schema=None,
1601 targetdir=None, samdb_fill=FILL_FULL,
1602 hostip=None, hostip6=None,
1603 next_rid=1000, dc_rid=None, adminpass=None, krbtgtpass=None,
1604 domainguid=None, policyguid=None, policyguid_dc=None,
1605 invocationid=None, machinepass=None, ntdsguid=None,
1606 dns_backend=None, dnspass=None,
1607 serverrole=None, dom_for_fun_level=None,
1608 am_rodc=False, lp=None, use_ntvfs=False, skip_sysvolacl=False):
1609 # create/adapt the group policy GUIDs
1610 # Default GUID for default policy are described at
1611 # "How Core Group Policy Works"
1612 # http://technet.microsoft.com/en-us/library/cc784268%28WS.10%29.aspx
1613 if policyguid is None:
1614 policyguid = DEFAULT_POLICY_GUID
1615 policyguid = policyguid.upper()
1616 if policyguid_dc is None:
1617 policyguid_dc = DEFAULT_DC_POLICY_GUID
1618 policyguid_dc = policyguid_dc.upper()
1619
1620 if invocationid is None:
1621 invocationid = str(uuid.uuid4())
1622
1623 if krbtgtpass is None:
1624 krbtgtpass = samba.generate_random_password(128, 255)
1625 if machinepass is None:
1626 machinepass = samba.generate_random_password(128, 255)
1627 if dnspass is None:
1628 dnspass = samba.generate_random_password(128, 255)
1629
1630 samdb = fill_samdb(samdb, lp, names, logger=logger,
1631 domainsid=domainsid, schema=schema, domainguid=domainguid,
1632 policyguid=policyguid, policyguid_dc=policyguid_dc,
1633 fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass,
1634 invocationid=invocationid, machinepass=machinepass,
1635 dns_backend=dns_backend, dnspass=dnspass,
1636 ntdsguid=ntdsguid, serverrole=serverrole,
1637 dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
1638 next_rid=next_rid, dc_rid=dc_rid)
1639
1640 if serverrole == "active directory domain controller":
1641
1642 # Set up group policies (domain policy and domain controller
1643 # policy)
1644 create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
1645 policyguid_dc)
1646 if not skip_sysvolacl:
1647 setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
1648 paths.root_gid, domainsid, names.dnsdomain,
1649 names.domaindn, lp, use_ntvfs)
1650 else:
1651 logger.info("Setting acl on sysvol skipped")
1652
1653 secretsdb_self_join(secrets_ldb, domain=names.domain,
1654 realm=names.realm, dnsdomain=names.dnsdomain,
1655 netbiosname=names.netbiosname, domainsid=domainsid,
1656 machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC)
1657
1658 # Now set up the right msDS-SupportedEncryptionTypes into the DB
1659 # In future, this might be determined from some configuration
1660 kerberos_enctypes = str(ENC_ALL_TYPES)
1661
1662 try:
1663 msg = ldb.Message(ldb.Dn(samdb,
1664 samdb.searchone("distinguishedName",
1665 expression="samAccountName=%s$" % names.netbiosname,
1666 scope=ldb.SCOPE_SUBTREE)))
1667 msg["msDS-SupportedEncryptionTypes"] = ldb.MessageElement(
1668 elements=kerberos_enctypes, flags=ldb.FLAG_MOD_REPLACE,
1669 name="msDS-SupportedEncryptionTypes")
1670 samdb.modify(msg)
1671 except ldb.LdbError, (enum, estr):
1672 if enum != ldb.ERR_NO_SUCH_ATTRIBUTE:
1673 # It might be that this attribute does not exist in this schema
1674 raise
1675
1676 setup_ad_dns(samdb, secrets_ldb, domainsid, names, paths, lp, logger,
1677 hostip=hostip, hostip6=hostip6, dns_backend=dns_backend,
1678 dnspass=dnspass, os_level=dom_for_fun_level,
1679 targetdir=targetdir, site=DEFAULTSITE)
1680
1681 domainguid = samdb.searchone(basedn=samdb.get_default_basedn(),
1682 attribute="objectGUID")
1683 assert isinstance(domainguid, str)
1684
1685 lastProvisionUSNs = get_last_provision_usn(samdb)
1686 maxUSN = get_max_usn(samdb, str(names.rootdn))
1687 if lastProvisionUSNs is not None:
1688 update_provision_usn(samdb, 0, maxUSN, invocationid, 1)
1689 else:
1690 set_provision_usn(samdb, 0, maxUSN, invocationid)
1691
1692 logger.info("Setting up sam.ldb rootDSE marking as synchronized")
1693 setup_modify_ldif(samdb, setup_path("provision_rootdse_modify.ldif"),
1694 { 'NTDSGUID' : names.ntdsguid })
1695
1696 # fix any dangling GUIDs from the provision
1697 logger.info("Fixing provision GUIDs")
1698 chk = dbcheck(samdb, samdb_schema=samdb, verbose=False, fix=True, yes=True,
1699 quiet=True)
1700 samdb.transaction_start()
1701 try:
1702 # a small number of GUIDs are missing because of ordering issues in the
1703 # provision code
1704 for schema_obj in ['CN=Domain', 'CN=Organizational-Person', 'CN=Contact', 'CN=inetOrgPerson']:
1705 chk.check_database(DN="%s,%s" % (schema_obj, names.schemadn),
1706 scope=ldb.SCOPE_BASE,
1707 attrs=['defaultObjectCategory'])
1708 chk.check_database(DN="CN=IP Security,CN=System,%s" % names.domaindn,
1709 scope=ldb.SCOPE_ONELEVEL,
1710 attrs=['ipsecOwnersReference',
1711 'ipsecFilterReference',
1712 'ipsecISAKMPReference',
1713 'ipsecNegotiationPolicyReference',
1714 'ipsecNFAReference'])
1715 except:
1716 samdb.transaction_cancel()
1717 raise
1718 else:
1719 samdb.transaction_commit()
1720
1721
1722 _ROLES_MAP = {
1723 "ROLE_STANDALONE": "standalone server",
1724 "ROLE_DOMAIN_MEMBER": "member server",
1725 "ROLE_DOMAIN_BDC": "active directory domain controller",
1726 "ROLE_DOMAIN_PDC": "active directory domain controller",
1727 "dc": "active directory domain controller",
1728 "member": "member server",
1729 "domain controller": "active directory domain controller",
1730 "active directory domain controller": "active directory domain controller",
1731 "member server": "member server",
1732 "standalone": "standalone server",
1733 "standalone server": "standalone server",
1734 }
1735
1736
1737 def sanitize_server_role(role):
1738 """Sanitize a server role name.
1739
1740 :param role: Server role
1741 :raise ValueError: If the role can not be interpreted
1742 :return: Sanitized server role (one of "member server",
1743 "active directory domain controller", "standalone server")
1744 """
1745 try:
1746 return _ROLES_MAP[role]
1747 except KeyError:
1748 raise ValueError(role)
1749
1750
1751 def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
1752 maxuid, maxgid):
1753 """Create AD entries for the fake ypserver.
1754
1755 This is needed for being able to manipulate posix attrs via ADUC.
1756 """
1757 samdb.transaction_start()
1758 try:
1759 logger.info("Setting up fake yp server settings")
1760 setup_add_ldif(samdb, setup_path("ypServ30.ldif"), {
1761 "DOMAINDN": domaindn,
1762 "NETBIOSNAME": netbiosname,
1763 "NISDOMAIN": nisdomain,
1764 })
1765 except:
1766 samdb.transaction_cancel()
1767 raise
1768 else:
1769 samdb.transaction_commit()
1770
1771
1772 def provision(logger, session_info, credentials, smbconf=None,
1773 targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
1774 domaindn=None, schemadn=None, configdn=None, serverdn=None,
1775 domain=None, hostname=None, hostip=None, hostip6=None, domainsid=None,
1776 next_rid=1000, dc_rid=None, adminpass=None, ldapadminpass=None,
1777 krbtgtpass=None, domainguid=None, policyguid=None, policyguid_dc=None,
1778 dns_backend=None, dns_forwarder=None, dnspass=None,
1779 invocationid=None, machinepass=None, ntdsguid=None,
1780 root=None, nobody=None, users=None, backup=None, aci=None,
1781 serverrole=None, dom_for_fun_level=None, backend_type=None,
1782 sitename=None, ol_mmr_urls=None, ol_olc=None, slapd_path="/bin/false",
1783 useeadb=False, am_rodc=False, lp=None, use_ntvfs=False,
1784 use_rfc2307=False, maxuid=None, maxgid=None, skip_sysvolacl=True):
1785 """Provision samba4
1786
1787 :note: caution, this wipes all existing data!
1788 """
1789
1790 try:
1791 serverrole = sanitize_server_role(serverrole)
1792 except ValueError:
1793 raise ProvisioningError('server role (%s) should be one of "active directory domain controller", "member server", "standalone server"' % serverrole)
1794
1795 if ldapadminpass is None:
1796 # Make a new, random password between Samba and it's LDAP server
1797 ldapadminpass = samba.generate_random_password(128, 255)
1798
1799 if backend_type is None:
1800 backend_type = "ldb"
1801
1802 if domainsid is None:
1803 domainsid = security.random_sid()
1804 else:
1805 domainsid = security.dom_sid(domainsid)
1806
1807 root_uid = findnss_uid([root or "root"])
1808 nobody_uid = findnss_uid([nobody or "nobody"])
1809 users_gid = findnss_gid([users or "users", 'users', 'other', 'staff'])
1810 root_gid = pwd.getpwuid(root_uid).pw_gid
1811
1812 try:
1813 bind_gid = findnss_gid(["bind", "named"])
1814 except KeyError:
1815 bind_gid = None
1816
1817 if targetdir is not None:
1818 smbconf = os.path.join(targetdir, "etc", "smb.conf")
1819 elif smbconf is None:
1820 smbconf = samba.param.default_path()
1821 if not os.path.exists(os.path.dirname(smbconf)):
1822 os.makedirs(os.path.dirname(smbconf))
1823
1824 server_services = []
1825 global_param = {}
1826 if use_rfc2307:
1827 global_param["idmap_ldb:use rfc2307"] = ["yes"]
1828
1829 if dns_backend != "SAMBA_INTERNAL":
1830 server_services.append("-dns")
1831 else:
1832 if dns_forwarder is not None:
1833 global_param["dns forwarder"] = [dns_forwarder]
1834
1835 if use_ntvfs:
1836 server_services.append("+smb")
1837 server_services.append("-s3fs")
1838 global_param["dcerpc endpoint servers"] = ["+winreg", "+srvsvc"]
1839
1840 if len(server_services) > 0:
1841 global_param["server services"] = server_services
1842
1843 # only install a new smb.conf if there isn't one there already
1844 if os.path.exists(smbconf):
1845 # if Samba Team members can't figure out the weird errors
1846 # loading an empty smb.conf gives, then we need to be smarter.
1847 # Pretend it just didn't exist --abartlet
1848 f = open(smbconf, 'r')
1849 try:
1850 data = f.read().lstrip()
1851 finally:
1852 f.close()
1853 if data is None or data == "":
1854 make_smbconf(smbconf, hostname, domain, realm,
1855 targetdir, serverrole=serverrole,
1856 eadb=useeadb, use_ntvfs=use_ntvfs,
1857 lp=lp, global_param=global_param)
1858 else:
1859 make_smbconf(smbconf, hostname, domain, realm, targetdir,
1860 serverrole=serverrole,
1861 eadb=useeadb, use_ntvfs=use_ntvfs, lp=lp, global_param=global_param)
1862
1863 if lp is None:
1864 lp = samba.param.LoadParm()
1865 lp.load(smbconf)
1866 names = guess_names(lp=lp, hostname=hostname, domain=domain,
1867 dnsdomain=realm, serverrole=serverrole, domaindn=domaindn,
1868 configdn=configdn, schemadn=schemadn, serverdn=serverdn,
1869 sitename=sitename, rootdn=rootdn)
1870 paths = provision_paths_from_lp(lp, names.dnsdomain)
1871
1872 paths.bind_gid = bind_gid
1873 paths.root_uid = root_uid;
1874 paths.root_gid = root_gid
1875
1876 if hostip is None:
1877 logger.info("Looking up IPv4 addresses")
1878 hostips = interface_ips_v4(lp)
1879 if len(hostips) > 0:
1880 hostip = hostips[0]
1881 if len(hostips) > 1:
1882 logger.warning("More than one IPv4 address found. Using %s",
1883 hostip)
1884 if hostip == "127.0.0.1":
1885 hostip = None
1886 if hostip is None:
1887 logger.warning("No IPv4 address will be assigned")
1888
1889 if hostip6 is None:
1890 logger.info("Looking up IPv6 addresses")
1891 hostips = interface_ips_v6(lp, linklocal=False)
1892 if hostips:
1893 hostip6 = hostips[0]
1894 if len(hostips) > 1:
1895 logger.warning("More than one IPv6 address found. Using %s", hostip6)
1896 if hostip6 is None:
1897 logger.warning("No IPv6 address will be assigned")
1898
1899 names.hostip = hostip
1900 names.hostip6 = hostip6
1901
1902 if serverrole is None:
1903 serverrole = lp.get("server role")
1904
1905 if not os.path.exists(paths.private_dir):
1906 os.mkdir(paths.private_dir)
1907 if not os.path.exists(os.path.join(paths.private_dir, "tls")):
1908 os.mkdir(os.path.join(paths.private_dir, "tls"))
1909 if not os.path.exists(paths.state_dir):
1910 os.mkdir(paths.state_dir)
1911
1912 if paths.sysvol and not os.path.exists(paths.sysvol):
1913 os.makedirs(paths.sysvol, 0775)
1914
1915 if not use_ntvfs and serverrole == "active directory domain controller":
1916 s3conf = s3param.get_context()
1917 s3conf.load(lp.configfile)
1918
1919 if paths.sysvol is None:
1920 raise MissingShareError("sysvol", paths.smbconf)
1921
1922 file = tempfile.NamedTemporaryFile(dir=os.path.abspath(paths.sysvol))
1923 try:
1924 try:
1925 smbd.set_simple_acl(file.name, 0755, root_gid)
1926 except Exception:
1927 if not smbd.have_posix_acls():
1928 # This clue is only strictly correct for RPM and
1929 # Debian-like Linux systems, but hopefully other users
1930 # will get enough clue from it.
1931 raise ProvisioningError("Samba was compiled without the posix ACL support that s3fs requires. Try installing libacl1-dev or libacl-devel, then re-run configure and make.")
1932
1933 raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.")
1934 try:
1935 smbd.chown(file.name, root_uid, root_gid)
1936 except Exception:
1937 raise ProvisioningError("Unable to chown a file on your filesystem. You may not be running provision as root.")
1938 finally:
1939 file.close()
1940
1941 ldapi_url = "ldapi://%s" % urllib.quote(paths.s4_ldapi_path, safe="")
1942
1943 schema = Schema(domainsid, invocationid=invocationid,
1944 schemadn=names.schemadn)
1945
1946 if backend_type == "ldb":
1947 provision_backend = LDBBackend(backend_type, paths=paths,
1948 lp=lp, credentials=credentials,
1949 names=names, logger=logger)
1950 elif backend_type == "existing":
1951 # If support for this is ever added back, then the URI will need to be
1952 # specified again
1953 provision_backend = ExistingBackend(backend_type, paths=paths,
1954 lp=lp, credentials=credentials,
1955 names=names, logger=logger,
1956 ldap_backend_forced_uri=None)
1957 elif backend_type == "fedora-ds":
1958 provision_backend = FDSBackend(backend_type, paths=paths,
1959 lp=lp, credentials=credentials,
1960 names=names, logger=logger, domainsid=domainsid,
1961 schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
1962 slapd_path=slapd_path,
1963 root=root)
1964 elif backend_type == "openldap":
1965 provision_backend = OpenLDAPBackend(backend_type, paths=paths,
1966 lp=lp, credentials=credentials,
1967 names=names, logger=logger, domainsid=domainsid,
1968 schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
1969 slapd_path=slapd_path, ol_mmr_urls=ol_mmr_urls)
1970 else:
1971 raise ValueError("Unknown LDAP backend type selected")
1972
1973 provision_backend.init()
1974 provision_backend.start()
1975
1976 # only install a new shares config db if there is none
1977 if not os.path.exists(paths.shareconf):
1978 logger.info("Setting up share.ldb")
1979 share_ldb = Ldb(paths.shareconf, session_info=session_info, lp=lp)
1980 share_ldb.load_ldif_file_add(setup_path("share.ldif"))
1981
1982 logger.info("Setting up secrets.ldb")
1983 secrets_ldb = setup_secretsdb(paths,
1984 session_info=session_info,
1985 backend_credentials=provision_backend.secrets_credentials, lp=lp)
1986
1987 try:
1988 logger.info("Setting up the registry")
1989 setup_registry(paths.hklm, session_info, lp=lp)
1990
1991 logger.info("Setting up the privileges database")
1992 setup_privileges(paths.privilege, session_info, lp=lp)
1993
1994 logger.info("Setting up idmap db")
1995 idmap = setup_idmapdb(paths.idmapdb, session_info=session_info, lp=lp)
1996
1997 setup_name_mappings(idmap, sid=str(domainsid),
1998 root_uid=root_uid, nobody_uid=nobody_uid,
1999 users_gid=users_gid, root_gid=root_gid)
2000
2001 logger.info("Setting up SAM db")
2002 samdb = setup_samdb(paths.samdb, session_info,
2003 provision_backend, lp, names, logger=logger,
2004 serverrole=serverrole,
2005 schema=schema, fill=samdb_fill, am_rodc=am_rodc)
2006
2007 if serverrole == "active directory domain controller":
2008 if paths.netlogon is None:
2009 raise MissingShareError("netlogon", paths.smbconf)
2010
2011 if paths.sysvol is None:
2012 raise MissingShareError("sysvol", paths.smbconf)
2013
2014 if not os.path.isdir(paths.netlogon):
2015 os.makedirs(paths.netlogon, 0755)
2016
2017 if adminpass is None:
2018 adminpass = samba.generate_random_password(12, 32)
2019 adminpass_generated = True
2020 else:
2021 adminpass_generated = False
2022
2023 if samdb_fill == FILL_FULL:
2024 provision_fill(samdb, secrets_ldb, logger, names, paths,
2025 schema=schema, targetdir=targetdir, samdb_fill=samdb_fill,
2026 hostip=hostip, hostip6=hostip6, domainsid=domainsid,
2027 next_rid=next_rid, dc_rid=dc_rid, adminpass=adminpass,
2028 krbtgtpass=krbtgtpass, domainguid=domainguid,
2029 policyguid=policyguid, policyguid_dc=policyguid_dc,
2030 invocationid=invocationid, machinepass=machinepass,
2031 ntdsguid=ntdsguid, dns_backend=dns_backend,
2032 dnspass=dnspass, serverrole=serverrole,
2033 dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
2034 lp=lp, use_ntvfs=use_ntvfs,
2035 skip_sysvolacl=skip_sysvolacl)
2036
2037 create_krb5_conf(paths.krb5conf,
2038 dnsdomain=names.dnsdomain, hostname=names.hostname,
2039 realm=names.realm)
2040 logger.info("A Kerberos configuration suitable for Samba 4 has been "
2041 "generated at %s", paths.krb5conf)
2042
2043 if serverrole == "active directory domain controller":
2044 create_dns_update_list(lp, logger, paths)
2045
2046 backend_result = provision_backend.post_setup()
2047 provision_backend.shutdown()
2048
2049 except:
2050 secrets_ldb.transaction_cancel()
2051 raise
2052
2053 # Now commit the secrets.ldb to disk
2054 secrets_ldb.transaction_commit()
2055
2056 # the commit creates the dns.keytab, now chown it
2057 dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
2058 if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None:
2059 try:
2060 os.chmod(dns_keytab_path, 0640)
2061 os.chown(dns_keytab_path, -1, paths.bind_gid)
2062 except OSError:
2063 if not os.environ.has_key('SAMBA_SELFTEST'):
2064 logger.info("Failed to chown %s to bind gid %u",
2065 dns_keytab_path, paths.bind_gid)
2066
2067 result = ProvisionResult()
2068 result.server_role = serverrole
2069 result.domaindn = domaindn
2070 result.paths = paths
2071 result.names = names
2072 result.lp = lp
2073 result.samdb = samdb
2074 result.idmap = idmap
2075 result.domainsid = str(domainsid)
2076
2077 if samdb_fill == FILL_FULL:
2078 result.adminpass_generated = adminpass_generated
2079 result.adminpass = adminpass
2080 else:
2081 result.adminpass_generated = False
2082 result.adminpass = None
2083
2084 result.backend_result = backend_result
2085
2086 if use_rfc2307:
2087 provision_fake_ypserver(logger=logger, samdb=samdb,
2088 domaindn=names.domaindn, netbiosname=names.netbiosname,
2089 nisdomain=names.domain.lower(), maxuid=maxuid, maxgid=maxgid)
2090
2091 return result
2092
2093
2094 def provision_become_dc(smbconf=None, targetdir=None,
2095 realm=None, rootdn=None, domaindn=None, schemadn=None, configdn=None,
2096 serverdn=None, domain=None, hostname=None, domainsid=None,
2097 adminpass=None, krbtgtpass=None, domainguid=None, policyguid=None,
2098 policyguid_dc=None, invocationid=None, machinepass=None, dnspass=None,
2099 dns_backend=None, root=None, nobody=None, users=None,
2100 backup=None, serverrole=None, ldap_backend=None,
2101 ldap_backend_type=None, sitename=None, debuglevel=1, use_ntvfs=False):
2102
2103 logger = logging.getLogger("provision")
2104 samba.set_debug_level(debuglevel)
2105
2106 res = provision(logger, system_session(), None,
2107 smbconf=smbconf, targetdir=targetdir, samdb_fill=FILL_DRS,
2108 realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
2109 configdn=configdn, serverdn=serverdn, domain=domain,
2110 hostname=hostname, hostip=None, domainsid=domainsid,
2111 machinepass=machinepass,
2112 serverrole="active directory domain controller",
2113 sitename=sitename, dns_backend=dns_backend, dnspass=dnspass,
2114 use_ntvfs=use_ntvfs)
2115 res.lp.set("debuglevel", str(debuglevel))
2116 return res
2117
2118
2119 def create_krb5_conf(path, dnsdomain, hostname, realm):
2120 """Write out a file containing zone statements suitable for inclusion in a
2121 named.conf file (including GSS-TSIG configuration).
2122
2123 :param path: Path of the new named.conf file.
2124 :param dnsdomain: DNS Domain name
2125 :param hostname: Local hostname
2126 :param realm: Realm name
2127 """
2128 setup_file(setup_path("krb5.conf"), path, {
2129 "DNSDOMAIN": dnsdomain,
2130 "HOSTNAME": hostname,
2131 "REALM": realm,
2132 })
2133
2134
2135 class ProvisioningError(Exception):
2136 """A generic provision error."""
2137
2138 def __init__(self, value):
2139 self.value = value
2140
2141 def __str__(self):
2142 return "ProvisioningError: " + self.value
2143
2144
2145 class InvalidNetbiosName(Exception):
2146 """A specified name was not a valid NetBIOS name."""
2147
2148 def __init__(self, name):
2149 super(InvalidNetbiosName, self).__init__(
2150 "The name '%r' is not a valid NetBIOS name" % name)
2151
2152
2153 class MissingShareError(ProvisioningError):
2154
2155 def __init__(self, name, smbconf):
2156 super(MissingShareError, self).__init__(
2157 "Existing smb.conf does not have a [%s] share, but you are "
2158 "configuring a DC. Please remove %s or add the share manually." %
2159 (name, smbconf))
reg import