1 # backend code for upgrading from Samba3
2 # Copyright Jelmer Vernooij 2005-2007
3 # Copyright Andrew Bartlett 2011
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Support code for upgrading from Samba 3 to Samba 4."""
21 __docformat__
= "restructuredText"
27 from samba
import Ldb
, registry
28 from samba
.param
import LoadParm
29 from samba
.provision
import provision
, FILL_FULL
, ProvisioningError
, setsysvolacl
30 from samba
.samba3
import passdb
31 from samba
.samba3
import param
as s3param
32 from samba
.dcerpc
import lsa
, samr
, security
33 from samba
.dcerpc
.security
import dom_sid
34 from samba
.credentials
import Credentials
35 from samba
import dsdb
36 from samba
.ndr
import ndr_pack
37 from samba
import unix2nttime
38 from samba
import generate_random_password
41 def import_sam_policy(samdb
, policy
, logger
):
42 """Import a Samba 3 policy.
44 :param samdb: Samba4 SAM database
45 :param policy: Samba3 account policy
46 :param logger: Logger object
49 # Following entries are used -
50 # min password length, password history, minimum password age,
51 # maximum password age, lockout duration
53 # Following entries are not used -
54 # reset count minutes, user must logon to change password,
55 # bad lockout minutes, disconnect time
58 m
.dn
= samdb
.get_default_basedn()
60 if 'min password length' in policy
:
61 m
['a01'] = ldb
.MessageElement(str(policy
['min password length']),
62 ldb
.FLAG_MOD_REPLACE
, 'minPwdLength')
64 if 'password history' in policy
:
65 m
['a02'] = ldb
.MessageElement(str(policy
['password history']),
66 ldb
.FLAG_MOD_REPLACE
, 'pwdHistoryLength')
68 if 'minimum password age' in policy
:
69 min_pw_age_unix
= policy
['minimum password age']
70 min_pw_age_nt
= int(-min_pw_age_unix
* (1e7
))
71 m
['a03'] = ldb
.MessageElement(str(min_pw_age_nt
), ldb
.FLAG_MOD_REPLACE
,
74 if 'maximum password age' in policy
:
75 max_pw_age_unix
= policy
['maximum password age']
76 if max_pw_age_unix
== -1 or max_pw_age_unix
== 0:
77 max_pw_age_nt
= -0x8000000000000000
79 max_pw_age_nt
= int(-max_pw_age_unix
* (1e7
))
81 m
['a04'] = ldb
.MessageElement(str(max_pw_age_nt
), ldb
.FLAG_MOD_REPLACE
,
84 if 'lockout duration' in policy
:
85 lockout_duration_mins
= policy
['lockout duration']
86 lockout_duration_nt
= unix2nttime(lockout_duration_mins
* 60)
88 m
['a05'] = ldb
.MessageElement(str(lockout_duration_nt
),
89 ldb
.FLAG_MOD_REPLACE
, 'lockoutDuration')
93 except ldb
.LdbError
, e
:
94 logger
.warn("Could not set account policy, (%s)", str(e
))
97 def add_posix_attrs(logger
, samdb
, sid
, name
, nisdomain
, xid_type
, home
=None,
98 shell
=None, pgid
=None):
99 """Add posix attributes for the user/group
101 :param samdb: Samba4 sam.ldb database
102 :param sid: user/group sid
103 :param sid: user/group name
104 :param nisdomain: name of the (fake) NIS domain
105 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
106 :param home: user homedir (Unix homepath)
107 :param shell: user shell
108 :param pgid: users primary group id
113 m
.dn
= ldb
.Dn(samdb
, "<SID=%s>" % str(sid
))
114 if xid_type
== "ID_TYPE_UID":
115 m
['unixHomeDirectory'] = ldb
.MessageElement(
116 str(home
), ldb
.FLAG_MOD_REPLACE
, 'unixHomeDirectory')
117 m
['loginShell'] = ldb
.MessageElement(
118 str(shell
), ldb
.FLAG_MOD_REPLACE
, 'loginShell')
119 m
['gidNumber'] = ldb
.MessageElement(
120 str(pgid
), ldb
.FLAG_MOD_REPLACE
, 'gidNumber')
122 m
['msSFU30NisDomain'] = ldb
.MessageElement(
123 str(nisdomain
), ldb
.FLAG_MOD_REPLACE
, 'msSFU30NisDomain')
126 except ldb
.LdbError
, e
:
128 'Could not add posix attrs for AD entry for sid=%s, (%s)',
131 def add_ad_posix_idmap_entry(samdb
, sid
, xid
, xid_type
, logger
):
132 """Create idmap entry
134 :param samdb: Samba4 sam.ldb database
135 :param sid: user/group sid
136 :param xid: user/group id
137 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
138 :param logger: Logger object
143 m
.dn
= ldb
.Dn(samdb
, "<SID=%s>" % str(sid
))
144 if xid_type
== "ID_TYPE_UID":
145 m
['uidNumber'] = ldb
.MessageElement(
146 str(xid
), ldb
.FLAG_MOD_REPLACE
, 'uidNumber')
147 m
['objectClass'] = ldb
.MessageElement(
148 "posixAccount", ldb
.FLAG_MOD_ADD
, 'objectClass')
149 elif xid_type
== "ID_TYPE_GID":
150 m
['gidNumber'] = ldb
.MessageElement(
151 str(xid
), ldb
.FLAG_MOD_REPLACE
, 'gidNumber')
152 m
['objectClass'] = ldb
.MessageElement(
153 "posixGroup", ldb
.FLAG_MOD_ADD
, 'objectClass')
156 except ldb
.LdbError
, e
:
158 'Could not modify AD idmap entry for sid=%s, id=%s, type=%s (%s)',
159 str(sid
), str(xid
), xid_type
, str(e
))
162 def add_idmap_entry(idmapdb
, sid
, xid
, xid_type
, logger
):
163 """Create idmap entry
165 :param idmapdb: Samba4 IDMAP database
166 :param sid: user/group sid
167 :param xid: user/group id
168 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
169 :param logger: Logger object
172 # First try to see if we already have this entry
174 msg
= idmapdb
.search(expression
='objectSid=%s' % str(sid
))
182 m
['xidNumber'] = ldb
.MessageElement(
183 str(xid
), ldb
.FLAG_MOD_REPLACE
, 'xidNumber')
184 m
['type'] = ldb
.MessageElement(
185 xid_type
, ldb
.FLAG_MOD_REPLACE
, 'type')
187 except ldb
.LdbError
, e
:
189 'Could not modify idmap entry for sid=%s, id=%s, type=%s (%s)',
190 str(sid
), str(xid
), xid_type
, str(e
))
193 idmapdb
.add({"dn": "CN=%s" % str(sid
),
195 "objectClass": "sidMap",
196 "objectSid": ndr_pack(sid
),
198 "xidNumber": str(xid
)})
199 except ldb
.LdbError
, e
:
201 'Could not add idmap entry for sid=%s, id=%s, type=%s (%s)',
202 str(sid
), str(xid
), xid_type
, str(e
))
205 def import_idmap(idmapdb
, samba3
, logger
):
206 """Import idmap data.
208 :param idmapdb: Samba4 IDMAP database
209 :param samba3_idmap: Samba3 IDMAP database to import from
210 :param logger: Logger object
214 samba3_idmap
= samba3
.get_idmap_db()
216 logger
.warn('Cannot open idmap database, Ignoring: %s', str(e
))
219 currentxid
= max(samba3_idmap
.get_user_hwm(), samba3_idmap
.get_group_hwm())
220 lowerbound
= currentxid
224 m
.dn
= ldb
.Dn(idmapdb
, 'CN=CONFIG')
225 m
['lowerbound'] = ldb
.MessageElement(
226 str(lowerbound
), ldb
.FLAG_MOD_REPLACE
, 'lowerBound')
227 m
['xidNumber'] = ldb
.MessageElement(
228 str(currentxid
), ldb
.FLAG_MOD_REPLACE
, 'xidNumber')
231 for id_type
, xid
in samba3_idmap
.ids():
233 xid_type
= 'ID_TYPE_UID'
234 elif id_type
== 'GID':
235 xid_type
= 'ID_TYPE_GID'
237 logger
.warn('Wrong type of entry in idmap (%s), Ignoring', id_type
)
240 sid
= samba3_idmap
.get_sid(xid
, id_type
)
241 add_idmap_entry(idmapdb
, dom_sid(sid
), xid
, xid_type
, logger
)
244 def add_group_from_mapping_entry(samdb
, groupmap
, logger
):
245 """Add or modify group from group mapping entry
247 param samdb: Samba4 SAM database
248 param groupmap: Groupmap entry
249 param logger: Logger object
252 # First try to see if we already have this entry
255 base
='<SID=%s>' % str(groupmap
.sid
), scope
=ldb
.SCOPE_BASE
)
257 except ldb
.LdbError
, (ecode
, emsg
):
258 if ecode
== ldb
.ERR_NO_SUCH_OBJECT
:
261 raise ldb
.LdbError(ecode
, emsg
)
264 logger
.warn('Group already exists sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
265 str(groupmap
.sid
), groupmap
.nt_name
, msg
[0]['sAMAccountName'][0])
267 if groupmap
.sid_name_use
== lsa
.SID_NAME_WKN_GRP
:
268 # In a lot of Samba3 databases, aliases are marked as well known groups
269 (group_dom_sid
, rid
) = groupmap
.sid
.split()
270 if (group_dom_sid
!= security
.dom_sid(security
.SID_BUILTIN
)):
274 m
.dn
= ldb
.Dn(samdb
, "CN=%s,CN=Users,%s" % (groupmap
.nt_name
, samdb
.get_default_basedn()))
275 m
['cn'] = ldb
.MessageElement(groupmap
.nt_name
, ldb
.FLAG_MOD_ADD
, 'cn')
276 m
['objectClass'] = ldb
.MessageElement('group', ldb
.FLAG_MOD_ADD
, 'objectClass')
277 m
['objectSid'] = ldb
.MessageElement(ndr_pack(groupmap
.sid
), ldb
.FLAG_MOD_ADD
,
279 m
['sAMAccountName'] = ldb
.MessageElement(groupmap
.nt_name
, ldb
.FLAG_MOD_ADD
,
283 m
['description'] = ldb
.MessageElement(groupmap
.comment
, ldb
.FLAG_MOD_ADD
,
286 # Fix up incorrect 'well known' groups that are actually builtin (per test above) to be aliases
287 if groupmap
.sid_name_use
== lsa
.SID_NAME_ALIAS
or groupmap
.sid_name_use
== lsa
.SID_NAME_WKN_GRP
:
288 m
['groupType'] = ldb
.MessageElement(str(dsdb
.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP
),
289 ldb
.FLAG_MOD_ADD
, 'groupType')
292 samdb
.add(m
, controls
=["relax:0"])
293 except ldb
.LdbError
, e
:
294 logger
.warn('Could not add group name=%s (%s)', groupmap
.nt_name
, str(e
))
297 def add_users_to_group(samdb
, group
, members
, logger
):
298 """Add user/member to group/alias
300 param samdb: Samba4 SAM database
301 param group: Groupmap object
302 param members: List of member SIDs
303 param logger: Logger object
305 for member_sid
in members
:
307 m
.dn
= ldb
.Dn(samdb
, "<SID=%s>" % str(group
.sid
))
308 m
['a01'] = ldb
.MessageElement("<SID=%s>" % str(member_sid
), ldb
.FLAG_MOD_ADD
, 'member')
312 except ldb
.LdbError
, (ecode
, emsg
):
313 if ecode
== ldb
.ERR_ENTRY_ALREADY_EXISTS
:
314 logger
.debug("skipped re-adding member '%s' to group '%s': %s", member_sid
, group
.sid
, emsg
)
315 elif ecode
== ldb
.ERR_NO_SUCH_OBJECT
:
316 raise ProvisioningError("Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s" % (member_sid
, group
.sid
, emsg
))
318 raise ProvisioningError("Could not add member '%s' to group '%s': %s" % (member_sid
, group
.sid
, emsg
))
321 def import_wins(samba4_winsdb
, samba3_winsdb
):
322 """Import settings from a Samba3 WINS database.
324 :param samba4_winsdb: WINS database to import to
325 :param samba3_winsdb: WINS database to import from
330 for (name
, (ttl
, ips
, nb_flags
)) in samba3_winsdb
.items():
333 type = int(name
.split("#", 1)[1], 16)
348 if ttl
> time
.time():
349 rState
= 0x0 # active
351 rState
= 0x1 # released
353 nType
= ((nb_flags
& 0x60) >> 5)
355 samba4_winsdb
.add({"dn": "name=%s,type=0x%s" % tuple(name
.split("#")),
356 "type": name
.split("#")[1],
357 "name": name
.split("#")[0],
358 "objectClass": "winsRecord",
359 "recordType": str(rType
),
360 "recordState": str(rState
),
361 "nodeType": str(nType
),
362 "expireTime": ldb
.timestring(ttl
),
364 "versionID": str(version_id
),
367 samba4_winsdb
.add({"dn": "cn=VERSION",
369 "objectClass": "winsMaxVersion",
370 "maxVersion": str(version_id
)})
373 def enable_samba3sam(samdb
, ldapurl
):
374 """Enable Samba 3 LDAP URL database.
376 :param samdb: SAM Database.
377 :param ldapurl: Samba 3 LDAP URL
379 samdb
.modify_ldif("""
383 @LIST: samldb,operational,objectguid,rdn_name,samba3sam
386 samdb
.add({"dn": "@MAP=samba3sam", "@MAP_URL": ldapurl
})
403 "bind interfaces only",
408 "obey pam restrictions",
416 "client NTLMv2 auth",
417 "client lanman auth",
418 "client plaintext auth",
436 "name resolve order",
445 "paranoid server security",
482 def upgrade_smbconf(oldconf
, mark
):
483 """Remove configuration variables not present in Samba4
485 :param oldconf: Old configuration structure
486 :param mark: Whether removed configuration variables should be
487 kept in the new configuration as "samba3:<name>"
489 data
= oldconf
.data()
495 for k
in smbconf_keep
:
496 if smbconf_keep
[k
] == p
:
501 newconf
.set(s
, p
, oldconf
.get(s
, p
))
503 newconf
.set(s
, "samba3:" + p
, oldconf
.get(s
, p
))
507 SAMBA3_PREDEF_NAMES
= {
508 'HKLM': registry
.HKEY_LOCAL_MACHINE
,
512 def import_registry(samba4_registry
, samba3_regdb
):
513 """Import a Samba 3 registry database into the Samba 4 registry.
515 :param samba4_registry: Samba 4 registry handle.
516 :param samba3_regdb: Samba 3 registry database handle.
518 def ensure_key_exists(keypath
):
519 (predef_name
, keypath
) = keypath
.split("/", 1)
520 predef_id
= SAMBA3_PREDEF_NAMES
[predef_name
]
521 keypath
= keypath
.replace("/", "\\")
522 return samba4_registry
.create_key(predef_id
, keypath
)
524 for key
in samba3_regdb
.keys():
525 key_handle
= ensure_key_exists(key
)
526 for subkey
in samba3_regdb
.subkeys(key
):
527 ensure_key_exists(subkey
)
528 for (value_name
, (value_type
, value_data
)) in samba3_regdb
.values(key
).items():
529 key_handle
.set_value(value_name
, value_type
, value_data
)
531 def get_posix_attr_from_ldap_backend(logger
, ldb_object
, base_dn
, user
, attr
):
532 """Get posix attributes from a samba3 ldap backend
533 :param ldbs: a list of ldb connection objects
534 :param base_dn: the base_dn of the connection
535 :param user: the user to get the attribute for
536 :param attr: the attribute to be retrieved
539 msg
= ldb_object
.search(base_dn
, scope
=ldb
.SCOPE_SUBTREE
,
540 expression
=("(&(objectClass=posixAccount)(uid=%s))"
541 % (user
)), attrs
=[attr
])
542 except ldb
.LdbError
, e
:
543 raise ProvisioningError("Failed to retrieve attribute %s for user %s, the error is: %s", attr
, user
, e
)
546 # This will raise KeyError (which is what we want) if there isn't a entry for this user
547 return msg
[0][attr
][0]
549 logger
.warning("LDAP entry for user %s contains more than one %s", user
, attr
)
553 def upgrade_from_samba3(samba3
, logger
, targetdir
, session_info
=None,
554 useeadb
=False, dns_backend
=None, use_ntvfs
=False):
555 """Upgrade from samba3 database to samba4 AD database
557 :param samba3: samba3 object
558 :param logger: Logger object
559 :param targetdir: samba4 database directory
560 :param session_info: Session information
562 serverrole
= samba3
.lp
.server_role()
564 domainname
= samba3
.lp
.get("workgroup")
565 realm
= samba3
.lp
.get("realm")
566 netbiosname
= samba3
.lp
.get("netbios name")
568 if samba3
.lp
.get("ldapsam:trusted") is None:
569 samba3
.lp
.set("ldapsam:trusted", "yes")
573 secrets_db
= samba3
.get_secrets_db()
575 raise ProvisioningError("Could not open '%s', the Samba3 secrets database: %s. Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option?" % (samba3
.privatedir_path("secrets.tdb"), str(e
)))
578 domainname
= secrets_db
.domains()[0]
579 logger
.warning("No workgroup specified in smb.conf file, assuming '%s'",
583 if serverrole
== "ROLE_DOMAIN_BDC" or serverrole
== "ROLE_DOMAIN_PDC":
584 raise ProvisioningError("No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create.")
586 realm
= domainname
.upper()
587 logger
.warning("No realm specified in smb.conf file, assuming '%s'",
590 # Find machine account and password
594 machinepass
= secrets_db
.get_machine_password(netbiosname
)
598 if samba3
.lp
.get("passdb backend").split(":")[0].strip() == "ldapsam":
599 base_dn
= samba3
.lp
.get("ldap suffix")
600 ldapuser
= samba3
.lp
.get("ldap admin dn")
601 ldappass
= secrets_db
.get_ldap_bind_pw(ldapuser
)
603 raise ProvisioningError("ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation.")
604 ldappass
= ldappass
.strip('\x00')
611 # We must close the direct pytdb database before the C code loads it
614 # Connect to old password backend
615 passdb
.set_secrets_dir(samba3
.lp
.get("private dir"))
616 s3db
= samba3
.get_sam_db()
620 domainsid
= passdb
.get_global_sam_sid()
622 raise Exception("Can't find domain sid for '%s', Exiting." % domainname
)
624 # Get machine account, sid, rid
626 machineacct
= s3db
.getsampwnam('%s$' % netbiosname
)
631 machinesid
, machinerid
= machineacct
.user_sid
.split()
633 # Export account policy
634 logger
.info("Exporting account policy")
635 policy
= s3db
.get_account_policy()
637 # Export groups from old passdb backend
638 logger
.info("Exporting groups")
639 grouplist
= s3db
.enum_group_mapping()
641 for group
in grouplist
:
642 sid
, rid
= group
.sid
.split()
647 # Get members for each group/alias
648 if group
.sid_name_use
== lsa
.SID_NAME_ALIAS
:
650 members
= s3db
.enum_aliasmem(group
.sid
)
651 groupmembers
[str(group
.sid
)] = members
652 except passdb
.error
, e
:
653 logger
.warn("Ignoring group '%s' %s listed but then not found: %s",
654 group
.nt_name
, group
.sid
, e
)
656 elif group
.sid_name_use
== lsa
.SID_NAME_DOM_GRP
:
658 members
= s3db
.enum_group_members(group
.sid
)
659 groupmembers
[str(group
.sid
)] = members
660 except passdb
.error
, e
:
661 logger
.warn("Ignoring group '%s' %s listed but then not found: %s",
662 group
.nt_name
, group
.sid
, e
)
664 elif group
.sid_name_use
== lsa
.SID_NAME_WKN_GRP
:
665 (group_dom_sid
, rid
) = group
.sid
.split()
666 if (group_dom_sid
!= security
.dom_sid(security
.SID_BUILTIN
)):
667 logger
.warn("Ignoring 'well known' group '%s' (should already be in AD, and have no members)",
670 # A number of buggy databases mix up well known groups and aliases.
672 members
= s3db
.enum_aliasmem(group
.sid
)
673 groupmembers
[str(group
.sid
)] = members
674 except passdb
.error
, e
:
675 logger
.warn("Ignoring group '%s' %s listed but then not found: %s",
676 group
.nt_name
, group
.sid
, e
)
679 logger
.warn("Ignoring group '%s' %s with sid_name_use=%d",
680 group
.nt_name
, group
.sid
, group
.sid_name_use
)
683 # Export users from old passdb backend
684 logger
.info("Exporting users")
685 userlist
= s3db
.search_users(0)
689 for entry
in userlist
:
690 if machinerid
and machinerid
== entry
['rid']:
692 username
= entry
['account_name']
693 if entry
['rid'] < 1000:
694 logger
.info(" Skipping wellknown rid=%d (for username=%s)", entry
['rid'], username
)
696 if entry
['rid'] >= next_rid
:
697 next_rid
= entry
['rid'] + 1
699 user
= s3db
.getsampwnam(username
)
700 acct_type
= (user
.acct_ctrl
& (samr
.ACB_NORMAL|samr
.ACB_WSTRUST|samr
.ACB_SVRTRUST|samr
.ACB_DOMTRUST
))
701 if acct_type
== samr
.ACB_SVRTRUST
:
702 logger
.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain promote'" % username
[:-1])
703 user
.acct_ctrl
= (user
.acct_ctrl
& ~samr
.ACB_SVRTRUST
) | samr
.ACB_WSTRUST
705 elif acct_type
== samr
.ACB_DOMTRUST
:
706 logger
.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username
[:-1])
708 elif acct_type
== (samr
.ACB_WSTRUST
) and username
[-1] != '$':
709 logger
.warn(" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration." % username
)
712 elif acct_type
== (samr
.ACB_NORMAL|samr
.ACB_WSTRUST
) and username
[-1] == '$':
713 logger
.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username
)
714 user
.acct_ctrl
= (user
.acct_ctrl
& ~samr
.ACB_NORMAL
)
716 elif acct_type
== (samr
.ACB_NORMAL|samr
.ACB_SVRTRUST
) and username
[-1] == '$':
717 logger
.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member" % username
)
718 user
.acct_ctrl
= (user
.acct_ctrl
& ~samr
.ACB_NORMAL
)
720 elif acct_type
== 0 and username
[-1] != '$':
721 user
.acct_ctrl
= (user
.acct_ctrl | samr
.ACB_NORMAL
)
723 elif (acct_type
== samr
.ACB_NORMAL
or acct_type
== samr
.ACB_WSTRUST
):
727 raise ProvisioningError("""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of
728 ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X).
730 Please fix this account before attempting to upgrade again
732 % (username
, user
.acct_ctrl
,
733 samr
.ACB_NORMAL
, samr
.ACB_WSTRUST
, samr
.ACB_SVRTRUST
, samr
.ACB_DOMTRUST
))
735 userdata
[username
] = user
737 uids
[username
] = s3db
.sid_to_id(user
.user_sid
)[0]
740 uids
[username
] = pwd
.getpwnam(username
).pw_uid
744 if not admin_user
and username
.lower() == 'root':
745 admin_user
= username
746 if username
.lower() == 'administrator':
747 admin_user
= username
750 group_memberships
= s3db
.enum_group_memberships(user
);
751 for group
in group_memberships
:
752 if str(group
) in groupmembers
:
753 if user
.user_sid
not in groupmembers
[str(group
)]:
754 groupmembers
[str(group
)].append(user
.user_sid
)
756 groupmembers
[str(group
)] = [user
.user_sid
];
757 except passdb
.error
, e
:
758 logger
.warn("Ignoring group memberships of '%s' %s: %s",
759 username
, user
.user_sid
, e
)
761 logger
.info("Next rid = %d", next_rid
)
763 # Check for same username/groupname
764 group_names
= set([g
.nt_name
for g
in grouplist
])
765 user_names
= set([u
['account_name'] for u
in userlist
])
766 common_names
= group_names
.intersection(user_names
)
768 logger
.error("Following names are both user names and group names:")
769 for name
in common_names
:
770 logger
.error(" %s" % name
)
771 raise ProvisioningError("Please remove common user/group names before upgrade.")
773 # Check for same user sid/group sid
774 group_sids
= set([str(g
.sid
) for g
in grouplist
])
775 if len(grouplist
) != len(group_sids
):
776 raise ProvisioningError("Please remove duplicate group sid entries before upgrade.")
777 user_sids
= set(["%s-%u" % (domainsid
, u
['rid']) for u
in userlist
])
778 if len(userlist
) != len(user_sids
):
779 raise ProvisioningError("Please remove duplicate user sid entries before upgrade.")
780 common_sids
= group_sids
.intersection(user_sids
)
782 logger
.error("Following sids are both user and group sids:")
783 for sid
in common_sids
:
784 logger
.error(" %s" % str(sid
))
785 raise ProvisioningError("Please remove duplicate sid entries before upgrade.")
787 # Get posix attributes from ldap or the os
792 creds
= Credentials()
793 creds
.guess(samba3
.lp
)
794 creds
.set_bind_dn(ldapuser
)
795 creds
.set_password(ldappass
)
796 urls
= samba3
.lp
.get("passdb backend").split(":",1)[1].strip('"')
797 for url
in urls
.split():
799 ldb_object
= Ldb(url
, credentials
=creds
)
800 except ldb
.LdbError
, e
:
801 raise ProvisiongError("Could not open ldb connection to %s, the error message is: %s" % (url
, e
))
804 logger
.info("Exporting posix attributes")
805 userlist
= s3db
.search_users(0)
806 for entry
in userlist
:
807 username
= entry
['account_name']
808 if username
in uids
.keys():
811 homes
[username
] = get_posix_attr_from_ldap_backend(logger
, ldb_object
, base_dn
, username
, "homeDirectory")
813 homes
[username
] = pwd
.getpwnam(username
).pw_dir
821 shells
[username
] = get_posix_attr_from_ldap_backend(logger
, ldb_object
, base_dn
, username
, "loginShell")
823 shells
[username
] = pwd
.getpwnam(username
).pw_shell
831 pgids
[username
] = get_posix_attr_from_ldap_backend(logger
, ldb_object
, base_dn
, username
, "gidNumber")
833 pgids
[username
] = pwd
.getpwnam(username
).pw_gid
839 logger
.info("Reading WINS database")
842 samba3_winsdb
= samba3
.get_wins_db()
844 logger
.warn('Cannot open wins database, Ignoring: %s', str(e
))
846 if not (serverrole
== "ROLE_DOMAIN_BDC" or serverrole
== "ROLE_DOMAIN_PDC"):
849 # If we found an admin user, set a fake pw that we will override.
850 # This avoids us printing out an admin password that we won't actually
853 adminpass
= generate_random_password(12, 32)
858 result
= provision(logger
, session_info
, None,
859 targetdir
=targetdir
, realm
=realm
, domain
=domainname
,
860 domainsid
=str(domainsid
), next_rid
=next_rid
,
861 dc_rid
=machinerid
, adminpass
= adminpass
,
862 dom_for_fun_level
=dsdb
.DS_DOMAIN_FUNCTION_2003
,
863 hostname
=netbiosname
.lower(), machinepass
=machinepass
,
864 serverrole
=serverrole
, samdb_fill
=FILL_FULL
,
865 useeadb
=useeadb
, dns_backend
=dns_backend
, use_rfc2307
=True,
866 use_ntvfs
=use_ntvfs
, skip_sysvolacl
=True)
867 result
.report_logger(logger
)
869 # Import WINS database
870 logger
.info("Importing WINS database")
873 import_wins(Ldb(result
.paths
.winsdb
), samba3_winsdb
)
876 logger
.info("Importing Account policy")
877 import_sam_policy(result
.samdb
, policy
, logger
)
879 # Migrate IDMAP database
880 logger
.info("Importing idmap database")
881 import_idmap(result
.idmap
, samba3
, logger
)
883 # Set the s3 context for samba4 configuration
884 new_lp_ctx
= s3param
.get_context()
885 new_lp_ctx
.load(result
.lp
.configfile
)
886 new_lp_ctx
.set("private dir", result
.lp
.get("private dir"))
887 new_lp_ctx
.set("state directory", result
.lp
.get("state directory"))
888 new_lp_ctx
.set("lock directory", result
.lp
.get("lock directory"))
890 # Connect to samba4 backend
891 s4_passdb
= passdb
.PDB(new_lp_ctx
.get("passdb backend"))
893 # Export groups to samba4 backend
894 logger
.info("Importing groups")
896 # Ignore uninitialized groups (gid = -1)
898 add_group_from_mapping_entry(result
.samdb
, g
, logger
)
899 add_ad_posix_idmap_entry(result
.samdb
, g
.sid
, g
.gid
, "ID_TYPE_GID", logger
)
900 add_posix_attrs(samdb
=result
.samdb
, sid
=g
.sid
, name
=g
.nt_name
, nisdomain
=domainname
.lower(), xid_type
="ID_TYPE_GID", logger
=logger
)
902 # Export users to samba4 backend
903 logger
.info("Importing users")
904 for username
in userdata
:
905 if username
.lower() == 'administrator':
906 if userdata
[username
].user_sid
!= dom_sid(str(domainsid
) + "-500"):
907 logger
.error("User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata
[username
].user_sid
, dom_sid(str(domainsid
) + "-500")))
908 raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
909 if username
.lower() == 'root':
910 if userdata
[username
].user_sid
== dom_sid(str(domainsid
) + "-500"):
911 logger
.warn('User root has been replaced by Administrator')
913 logger
.warn('User root has been kept in the directory, it should be removed in favour of the Administrator user')
915 s4_passdb
.add_sam_account(userdata
[username
])
917 add_ad_posix_idmap_entry(result
.samdb
, userdata
[username
].user_sid
, uids
[username
], "ID_TYPE_UID", logger
)
918 if (username
in homes
) and (homes
[username
] is not None) and \
919 (username
in shells
) and (shells
[username
] is not None) and \
920 (username
in pgids
) and (pgids
[username
] is not None):
921 add_posix_attrs(samdb
=result
.samdb
, sid
=userdata
[username
].user_sid
, name
=username
, nisdomain
=domainname
.lower(), xid_type
="ID_TYPE_UID", home
=homes
[username
], shell
=shells
[username
], pgid
=pgids
[username
], logger
=logger
)
923 logger
.info("Adding users to groups")
925 if str(g
.sid
) in groupmembers
:
926 add_users_to_group(result
.samdb
, g
, groupmembers
[str(g
.sid
)], logger
)
928 # Set password for administrator
930 logger
.info("Setting password for administrator")
931 admin_userdata
= s4_passdb
.getsampwnam("administrator")
932 admin_userdata
.nt_passwd
= userdata
[admin_user
].nt_passwd
933 if userdata
[admin_user
].lanman_passwd
:
934 admin_userdata
.lanman_passwd
= userdata
[admin_user
].lanman_passwd
935 admin_userdata
.pass_last_set_time
= userdata
[admin_user
].pass_last_set_time
936 if userdata
[admin_user
].pw_history
:
937 admin_userdata
.pw_history
= userdata
[admin_user
].pw_history
938 s4_passdb
.update_sam_account(admin_userdata
)
939 logger
.info("Administrator password has been set to password of user '%s'", admin_user
)
941 if result
.server_role
== "active directory domain controller":
942 setsysvolacl(result
.samdb
, result
.paths
.netlogon
, result
.paths
.sysvol
,
943 result
.paths
.root_uid
, result
.paths
.root_gid
,
944 security
.dom_sid(result
.domainsid
), result
.names
.dnsdomain
,
945 result
.names
.domaindn
, result
.lp
, use_ntvfs
)
947 # FIXME: import_registry(registry.Registry(), samba3.get_registry())