search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:libsmb: let cli_read_andx_create() accept any length
[Samba/gebeck_regimport.git] / python / samba / upgrade.py
blob83712242fe294f4484223b27cb8341140e2dfa0d
1 # backend code for upgrading from Samba3
2 # Copyright Jelmer Vernooij 2005-2007
3 # Copyright Andrew Bartlett 2011
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 #
18
19 """Support code for upgrading from Samba 3 to Samba 4."""
20
21 __docformat__ = "restructuredText"
22
23 import ldb
24 import time
25 import pwd
26
27 from samba import Ldb, registry
28 from samba.param import LoadParm
29 from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
30 from samba.samba3 import passdb
31 from samba.samba3 import param as s3param
32 from samba.dcerpc import lsa, samr, security
33 from samba.dcerpc.security import dom_sid
34 from samba.credentials import Credentials
35 from samba import dsdb
36 from samba.ndr import ndr_pack
37 from samba import unix2nttime
38 from samba import generate_random_password
39
40
41 def import_sam_policy(samdb, policy, logger):
42 """Import a Samba 3 policy.
43
44 :param samdb: Samba4 SAM database
45 :param policy: Samba3 account policy
46 :param logger: Logger object
47 """
48
49 # Following entries are used -
50 # min password length, password history, minimum password age,
51 # maximum password age, lockout duration
52 #
53 # Following entries are not used -
54 # reset count minutes, user must logon to change password,
55 # bad lockout minutes, disconnect time
56
57 m = ldb.Message()
58 m.dn = samdb.get_default_basedn()
59
60 if 'min password length' in policy:
61 m['a01'] = ldb.MessageElement(str(policy['min password length']),
62 ldb.FLAG_MOD_REPLACE, 'minPwdLength')
63
64 if 'password history' in policy:
65 m['a02'] = ldb.MessageElement(str(policy['password history']),
66 ldb.FLAG_MOD_REPLACE, 'pwdHistoryLength')
67
68 if 'minimum password age' in policy:
69 min_pw_age_unix = policy['minimum password age']
70 min_pw_age_nt = int(-min_pw_age_unix * (1e7))
71 m['a03'] = ldb.MessageElement(str(min_pw_age_nt), ldb.FLAG_MOD_REPLACE,
72 'minPwdAge')
73
74 if 'maximum password age' in policy:
75 max_pw_age_unix = policy['maximum password age']
76 if max_pw_age_unix == -1 or max_pw_age_unix == 0:
77 max_pw_age_nt = -0x8000000000000000
78 else:
79 max_pw_age_nt = int(-max_pw_age_unix * (1e7))
80
81 m['a04'] = ldb.MessageElement(str(max_pw_age_nt), ldb.FLAG_MOD_REPLACE,
82 'maxPwdAge')
83
84 if 'lockout duration' in policy:
85 lockout_duration_mins = policy['lockout duration']
86 lockout_duration_nt = unix2nttime(lockout_duration_mins * 60)
87
88 m['a05'] = ldb.MessageElement(str(lockout_duration_nt),
89 ldb.FLAG_MOD_REPLACE, 'lockoutDuration')
90
91 try:
92 samdb.modify(m)
93 except ldb.LdbError, e:
94 logger.warn("Could not set account policy, (%s)", str(e))
95
96
97 def add_posix_attrs(logger, samdb, sid, name, nisdomain, xid_type, home=None,
98 shell=None, pgid=None):
99 """Add posix attributes for the user/group
100
101 :param samdb: Samba4 sam.ldb database
102 :param sid: user/group sid
103 :param sid: user/group name
104 :param nisdomain: name of the (fake) NIS domain
105 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
106 :param home: user homedir (Unix homepath)
107 :param shell: user shell
108 :param pgid: users primary group id
109 """
110
111 try:
112 m = ldb.Message()
113 m.dn = ldb.Dn(samdb, "<SID=%s>" % str(sid))
114 if xid_type == "ID_TYPE_UID":
115 m['unixHomeDirectory'] = ldb.MessageElement(
116 str(home), ldb.FLAG_MOD_REPLACE, 'unixHomeDirectory')
117 m['loginShell'] = ldb.MessageElement(
118 str(shell), ldb.FLAG_MOD_REPLACE, 'loginShell')
119 m['gidNumber'] = ldb.MessageElement(
120 str(pgid), ldb.FLAG_MOD_REPLACE, 'gidNumber')
121
122 m['msSFU30NisDomain'] = ldb.MessageElement(
123 str(nisdomain), ldb.FLAG_MOD_REPLACE, 'msSFU30NisDomain')
124
125 samdb.modify(m)
126 except ldb.LdbError, e:
127 logger.warn(
128 'Could not add posix attrs for AD entry for sid=%s, (%s)',
129 str(sid), str(e))
130
131 def add_ad_posix_idmap_entry(samdb, sid, xid, xid_type, logger):
132 """Create idmap entry
133
134 :param samdb: Samba4 sam.ldb database
135 :param sid: user/group sid
136 :param xid: user/group id
137 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
138 :param logger: Logger object
139 """
140
141 try:
142 m = ldb.Message()
143 m.dn = ldb.Dn(samdb, "<SID=%s>" % str(sid))
144 if xid_type == "ID_TYPE_UID":
145 m['uidNumber'] = ldb.MessageElement(
146 str(xid), ldb.FLAG_MOD_REPLACE, 'uidNumber')
147 m['objectClass'] = ldb.MessageElement(
148 "posixAccount", ldb.FLAG_MOD_ADD, 'objectClass')
149 elif xid_type == "ID_TYPE_GID":
150 m['gidNumber'] = ldb.MessageElement(
151 str(xid), ldb.FLAG_MOD_REPLACE, 'gidNumber')
152 m['objectClass'] = ldb.MessageElement(
153 "posixGroup", ldb.FLAG_MOD_ADD, 'objectClass')
154
155 samdb.modify(m)
156 except ldb.LdbError, e:
157 logger.warn(
158 'Could not modify AD idmap entry for sid=%s, id=%s, type=%s (%s)',
159 str(sid), str(xid), xid_type, str(e))
160
161
162 def add_idmap_entry(idmapdb, sid, xid, xid_type, logger):
163 """Create idmap entry
164
165 :param idmapdb: Samba4 IDMAP database
166 :param sid: user/group sid
167 :param xid: user/group id
168 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
169 :param logger: Logger object
170 """
171
172 # First try to see if we already have this entry
173 found = False
174 msg = idmapdb.search(expression='objectSid=%s' % str(sid))
175 if msg.count == 1:
176 found = True
177
178 if found:
179 try:
180 m = ldb.Message()
181 m.dn = msg[0]['dn']
182 m['xidNumber'] = ldb.MessageElement(
183 str(xid), ldb.FLAG_MOD_REPLACE, 'xidNumber')
184 m['type'] = ldb.MessageElement(
185 xid_type, ldb.FLAG_MOD_REPLACE, 'type')
186 idmapdb.modify(m)
187 except ldb.LdbError, e:
188 logger.warn(
189 'Could not modify idmap entry for sid=%s, id=%s, type=%s (%s)',
190 str(sid), str(xid), xid_type, str(e))
191 else:
192 try:
193 idmapdb.add({"dn": "CN=%s" % str(sid),
194 "cn": str(sid),
195 "objectClass": "sidMap",
196 "objectSid": ndr_pack(sid),
197 "type": xid_type,
198 "xidNumber": str(xid)})
199 except ldb.LdbError, e:
200 logger.warn(
201 'Could not add idmap entry for sid=%s, id=%s, type=%s (%s)',
202 str(sid), str(xid), xid_type, str(e))
203
204
205 def import_idmap(idmapdb, samba3, logger):
206 """Import idmap data.
207
208 :param idmapdb: Samba4 IDMAP database
209 :param samba3_idmap: Samba3 IDMAP database to import from
210 :param logger: Logger object
211 """
212
213 try:
214 samba3_idmap = samba3.get_idmap_db()
215 except IOError, e:
216 logger.warn('Cannot open idmap database, Ignoring: %s', str(e))
217 return
218
219 currentxid = max(samba3_idmap.get_user_hwm(), samba3_idmap.get_group_hwm())
220 lowerbound = currentxid
221 # FIXME: upperbound
222
223 m = ldb.Message()
224 m.dn = ldb.Dn(idmapdb, 'CN=CONFIG')
225 m['lowerbound'] = ldb.MessageElement(
226 str(lowerbound), ldb.FLAG_MOD_REPLACE, 'lowerBound')
227 m['xidNumber'] = ldb.MessageElement(
228 str(currentxid), ldb.FLAG_MOD_REPLACE, 'xidNumber')
229 idmapdb.modify(m)
230
231 for id_type, xid in samba3_idmap.ids():
232 if id_type == 'UID':
233 xid_type = 'ID_TYPE_UID'
234 elif id_type == 'GID':
235 xid_type = 'ID_TYPE_GID'
236 else:
237 logger.warn('Wrong type of entry in idmap (%s), Ignoring', id_type)
238 continue
239
240 sid = samba3_idmap.get_sid(xid, id_type)
241 add_idmap_entry(idmapdb, dom_sid(sid), xid, xid_type, logger)
242
243
244 def add_group_from_mapping_entry(samdb, groupmap, logger):
245 """Add or modify group from group mapping entry
246
247 param samdb: Samba4 SAM database
248 param groupmap: Groupmap entry
249 param logger: Logger object
250 """
251
252 # First try to see if we already have this entry
253 try:
254 msg = samdb.search(
255 base='<SID=%s>' % str(groupmap.sid), scope=ldb.SCOPE_BASE)
256 found = True
257 except ldb.LdbError, (ecode, emsg):
258 if ecode == ldb.ERR_NO_SUCH_OBJECT:
259 found = False
260 else:
261 raise ldb.LdbError(ecode, emsg)
262
263 if found:
264 logger.warn('Group already exists sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
265 str(groupmap.sid), groupmap.nt_name, msg[0]['sAMAccountName'][0])
266 else:
267 if groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
268 # In a lot of Samba3 databases, aliases are marked as well known groups
269 (group_dom_sid, rid) = groupmap.sid.split()
270 if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
271 return
272
273 m = ldb.Message()
274 m.dn = ldb.Dn(samdb, "CN=%s,CN=Users,%s" % (groupmap.nt_name, samdb.get_default_basedn()))
275 m['cn'] = ldb.MessageElement(groupmap.nt_name, ldb.FLAG_MOD_ADD, 'cn')
276 m['objectClass'] = ldb.MessageElement('group', ldb.FLAG_MOD_ADD, 'objectClass')
277 m['objectSid'] = ldb.MessageElement(ndr_pack(groupmap.sid), ldb.FLAG_MOD_ADD,
278 'objectSid')
279 m['sAMAccountName'] = ldb.MessageElement(groupmap.nt_name, ldb.FLAG_MOD_ADD,
280 'sAMAccountName')
281
282 if groupmap.comment:
283 m['description'] = ldb.MessageElement(groupmap.comment, ldb.FLAG_MOD_ADD,
284 'description')
285
286 # Fix up incorrect 'well known' groups that are actually builtin (per test above) to be aliases
287 if groupmap.sid_name_use == lsa.SID_NAME_ALIAS or groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
288 m['groupType'] = ldb.MessageElement(str(dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
289 ldb.FLAG_MOD_ADD, 'groupType')
290
291 try:
292 samdb.add(m, controls=["relax:0"])
293 except ldb.LdbError, e:
294 logger.warn('Could not add group name=%s (%s)', groupmap.nt_name, str(e))
295
296
297 def add_users_to_group(samdb, group, members, logger):
298 """Add user/member to group/alias
299
300 param samdb: Samba4 SAM database
301 param group: Groupmap object
302 param members: List of member SIDs
303 param logger: Logger object
304 """
305 for member_sid in members:
306 m = ldb.Message()
307 m.dn = ldb.Dn(samdb, "<SID=%s>" % str(group.sid))
308 m['a01'] = ldb.MessageElement("<SID=%s>" % str(member_sid), ldb.FLAG_MOD_ADD, 'member')
309
310 try:
311 samdb.modify(m)
312 except ldb.LdbError, (ecode, emsg):
313 if ecode == ldb.ERR_ENTRY_ALREADY_EXISTS:
314 logger.debug("skipped re-adding member '%s' to group '%s': %s", member_sid, group.sid, emsg)
315 elif ecode == ldb.ERR_NO_SUCH_OBJECT:
316 raise ProvisioningError("Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s" % (member_sid, group.sid, emsg))
317 else:
318 raise ProvisioningError("Could not add member '%s' to group '%s': %s" % (member_sid, group.sid, emsg))
319
320
321 def import_wins(samba4_winsdb, samba3_winsdb):
322 """Import settings from a Samba3 WINS database.
323
324 :param samba4_winsdb: WINS database to import to
325 :param samba3_winsdb: WINS database to import from
326 """
327
328 version_id = 0
329
330 for (name, (ttl, ips, nb_flags)) in samba3_winsdb.items():
331 version_id += 1
332
333 type = int(name.split("#", 1)[1], 16)
334
335 if type == 0x1C:
336 rType = 0x2
337 elif type & 0x80:
338 if len(ips) > 1:
339 rType = 0x2
340 else:
341 rType = 0x1
342 else:
343 if len(ips) > 1:
344 rType = 0x3
345 else:
346 rType = 0x0
347
348 if ttl > time.time():
349 rState = 0x0 # active
350 else:
351 rState = 0x1 # released
352
353 nType = ((nb_flags & 0x60) >> 5)
354
355 samba4_winsdb.add({"dn": "name=%s,type=0x%s" % tuple(name.split("#")),
356 "type": name.split("#")[1],
357 "name": name.split("#")[0],
358 "objectClass": "winsRecord",
359 "recordType": str(rType),
360 "recordState": str(rState),
361 "nodeType": str(nType),
362 "expireTime": ldb.timestring(ttl),
363 "isStatic": "0",
364 "versionID": str(version_id),
365 "address": ips})
366
367 samba4_winsdb.add({"dn": "cn=VERSION",
368 "cn": "VERSION",
369 "objectClass": "winsMaxVersion",
370 "maxVersion": str(version_id)})
371
372
373 def enable_samba3sam(samdb, ldapurl):
374 """Enable Samba 3 LDAP URL database.
375
376 :param samdb: SAM Database.
377 :param ldapurl: Samba 3 LDAP URL
378 """
379 samdb.modify_ldif("""
380 dn: @MODULES
381 changetype: modify
382 replace: @LIST
383 @LIST: samldb,operational,objectguid,rdn_name,samba3sam
384 """)
385
386 samdb.add({"dn": "@MAP=samba3sam", "@MAP_URL": ldapurl})
387
388
389 smbconf_keep = [
390 "dos charset",
391 "unix charset",
392 "display charset",
393 "comment",
394 "path",
395 "directory",
396 "workgroup",
397 "realm",
398 "netbios name",
399 "netbios aliases",
400 "netbios scope",
401 "server string",
402 "interfaces",
403 "bind interfaces only",
404 "security",
405 "auth methods",
406 "encrypt passwords",
407 "null passwords",
408 "obey pam restrictions",
409 "password server",
410 "smb passwd file",
411 "private dir",
412 "passwd chat",
413 "password level",
414 "lanman auth",
415 "ntlm auth",
416 "client NTLMv2 auth",
417 "client lanman auth",
418 "client plaintext auth",
419 "read only",
420 "hosts allow",
421 "hosts deny",
422 "log level",
423 "debuglevel",
424 "log file",
425 "smb ports",
426 "large readwrite",
427 "max protocol",
428 "min protocol",
429 "unicode",
430 "read raw",
431 "write raw",
432 "disable netbios",
433 "nt status support",
434 "max mux",
435 "max xmit",
436 "name resolve order",
437 "max wins ttl",
438 "min wins ttl",
439 "time server",
440 "unix extensions",
441 "use spnego",
442 "server signing",
443 "client signing",
444 "max connections",
445 "paranoid server security",
446 "socket options",
447 "strict sync",
448 "max print jobs",
449 "printable",
450 "print ok",
451 "printer name",
452 "printer",
453 "map system",
454 "map hidden",
455 "map archive",
456 "preferred master",
457 "prefered master",
458 "local master",
459 "browseable",
460 "browsable",
461 "wins server",
462 "wins support",
463 "csc policy",
464 "strict locking",
465 "preload",
466 "auto services",
467 "lock dir",
468 "lock directory",
469 "pid directory",
470 "socket address",
471 "copy",
472 "include",
473 "available",
474 "volume",
475 "fstype",
476 "panic action",
477 "msdfs root",
478 "host msdfs",
479 "winbind separator"]
480
481
482 def upgrade_smbconf(oldconf, mark):
483 """Remove configuration variables not present in Samba4
484
485 :param oldconf: Old configuration structure
486 :param mark: Whether removed configuration variables should be
487 kept in the new configuration as "samba3:<name>"
488 """
489 data = oldconf.data()
490 newconf = LoadParm()
491
492 for s in data:
493 for p in data[s]:
494 keep = False
495 for k in smbconf_keep:
496 if smbconf_keep[k] == p:
497 keep = True
498 break
499
500 if keep:
501 newconf.set(s, p, oldconf.get(s, p))
502 elif mark:
503 newconf.set(s, "samba3:" + p, oldconf.get(s, p))
504
505 return newconf
506
507 SAMBA3_PREDEF_NAMES = {
508 'HKLM': registry.HKEY_LOCAL_MACHINE,
509 }
510
511
512 def import_registry(samba4_registry, samba3_regdb):
513 """Import a Samba 3 registry database into the Samba 4 registry.
514
515 :param samba4_registry: Samba 4 registry handle.
516 :param samba3_regdb: Samba 3 registry database handle.
517 """
518 def ensure_key_exists(keypath):
519 (predef_name, keypath) = keypath.split("/", 1)
520 predef_id = SAMBA3_PREDEF_NAMES[predef_name]
521 keypath = keypath.replace("/", "\\")
522 return samba4_registry.create_key(predef_id, keypath)
523
524 for key in samba3_regdb.keys():
525 key_handle = ensure_key_exists(key)
526 for subkey in samba3_regdb.subkeys(key):
527 ensure_key_exists(subkey)
528 for (value_name, (value_type, value_data)) in samba3_regdb.values(key).items():
529 key_handle.set_value(value_name, value_type, value_data)
530
531 def get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, user, attr):
532 """Get posix attributes from a samba3 ldap backend
533 :param ldbs: a list of ldb connection objects
534 :param base_dn: the base_dn of the connection
535 :param user: the user to get the attribute for
536 :param attr: the attribute to be retrieved
537 """
538 try:
539 msg = ldb_object.search(base_dn, scope=ldb.SCOPE_SUBTREE,
540 expression=("(&(objectClass=posixAccount)(uid=%s))"
541 % (user)), attrs=[attr])
542 except ldb.LdbError, e:
543 raise ProvisioningError("Failed to retrieve attribute %s for user %s, the error is: %s", attr, user, e)
544 else:
545 if msg.count <= 1:
546 # This will raise KeyError (which is what we want) if there isn't a entry for this user
547 return msg[0][attr][0]
548 else:
549 logger.warning("LDAP entry for user %s contains more than one %s", user, attr)
550 raise KeyError
551
552
553 def upgrade_from_samba3(samba3, logger, targetdir, session_info=None,
554 useeadb=False, dns_backend=None, use_ntvfs=False):
555 """Upgrade from samba3 database to samba4 AD database
556
557 :param samba3: samba3 object
558 :param logger: Logger object
559 :param targetdir: samba4 database directory
560 :param session_info: Session information
561 """
562 serverrole = samba3.lp.server_role()
563
564 domainname = samba3.lp.get("workgroup")
565 realm = samba3.lp.get("realm")
566 netbiosname = samba3.lp.get("netbios name")
567
568 if samba3.lp.get("ldapsam:trusted") is None:
569 samba3.lp.set("ldapsam:trusted", "yes")
570
571 # secrets db
572 try:
573 secrets_db = samba3.get_secrets_db()
574 except IOError, e:
575 raise ProvisioningError("Could not open '%s', the Samba3 secrets database: %s. Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option?" % (samba3.privatedir_path("secrets.tdb"), str(e)))
576
577 if not domainname:
578 domainname = secrets_db.domains()[0]
579 logger.warning("No workgroup specified in smb.conf file, assuming '%s'",
580 domainname)
581
582 if not realm:
583 if serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC":
584 raise ProvisioningError("No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create.")
585 else:
586 realm = domainname.upper()
587 logger.warning("No realm specified in smb.conf file, assuming '%s'",
588 realm)
589
590 # Find machine account and password
591 next_rid = 1000
592
593 try:
594 machinepass = secrets_db.get_machine_password(netbiosname)
595 except KeyError:
596 machinepass = None
597
598 if samba3.lp.get("passdb backend").split(":")[0].strip() == "ldapsam":
599 base_dn = samba3.lp.get("ldap suffix")
600 ldapuser = samba3.lp.get("ldap admin dn")
601 ldappass = secrets_db.get_ldap_bind_pw(ldapuser)
602 if ldappass is None:
603 raise ProvisioningError("ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation.")
604 ldappass = ldappass.strip('\x00')
605 ldap = True
606 else:
607 ldapuser = None
608 ldappass = None
609 ldap = False
610
611 # We must close the direct pytdb database before the C code loads it
612 secrets_db.close()
613
614 # Connect to old password backend
615 passdb.set_secrets_dir(samba3.lp.get("private dir"))
616 s3db = samba3.get_sam_db()
617
618 # Get domain sid
619 try:
620 domainsid = passdb.get_global_sam_sid()
621 except passdb.error:
622 raise Exception("Can't find domain sid for '%s', Exiting." % domainname)
623
624 # Get machine account, sid, rid
625 try:
626 machineacct = s3db.getsampwnam('%s$' % netbiosname)
627 except passdb.error:
628 machinerid = None
629 machinesid = None
630 else:
631 machinesid, machinerid = machineacct.user_sid.split()
632
633 # Export account policy
634 logger.info("Exporting account policy")
635 policy = s3db.get_account_policy()
636
637 # Export groups from old passdb backend
638 logger.info("Exporting groups")
639 grouplist = s3db.enum_group_mapping()
640 groupmembers = {}
641 for group in grouplist:
642 sid, rid = group.sid.split()
643 if sid == domainsid:
644 if rid >= next_rid:
645 next_rid = rid + 1
646
647 # Get members for each group/alias
648 if group.sid_name_use == lsa.SID_NAME_ALIAS:
649 try:
650 members = s3db.enum_aliasmem(group.sid)
651 groupmembers[str(group.sid)] = members
652 except passdb.error, e:
653 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
654 group.nt_name, group.sid, e)
655 continue
656 elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
657 try:
658 members = s3db.enum_group_members(group.sid)
659 groupmembers[str(group.sid)] = members
660 except passdb.error, e:
661 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
662 group.nt_name, group.sid, e)
663 continue
664 elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
665 (group_dom_sid, rid) = group.sid.split()
666 if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
667 logger.warn("Ignoring 'well known' group '%s' (should already be in AD, and have no members)",
668 group.nt_name)
669 continue
670 # A number of buggy databases mix up well known groups and aliases.
671 try:
672 members = s3db.enum_aliasmem(group.sid)
673 groupmembers[str(group.sid)] = members
674 except passdb.error, e:
675 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
676 group.nt_name, group.sid, e)
677 continue
678 else:
679 logger.warn("Ignoring group '%s' %s with sid_name_use=%d",
680 group.nt_name, group.sid, group.sid_name_use)
681 continue
682
683 # Export users from old passdb backend
684 logger.info("Exporting users")
685 userlist = s3db.search_users(0)
686 userdata = {}
687 uids = {}
688 admin_user = None
689 for entry in userlist:
690 if machinerid and machinerid == entry['rid']:
691 continue
692 username = entry['account_name']
693 if entry['rid'] < 1000:
694 logger.info(" Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
695 continue
696 if entry['rid'] >= next_rid:
697 next_rid = entry['rid'] + 1
698
699 user = s3db.getsampwnam(username)
700 acct_type = (user.acct_ctrl & (samr.ACB_NORMAL|samr.ACB_WSTRUST|samr.ACB_SVRTRUST|samr.ACB_DOMTRUST))
701 if (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST):
702 pass
703
704 elif acct_type == samr.ACB_SVRTRUST:
705 logger.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain promote'" % username[:-1])
706 user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST
707
708 elif acct_type == samr.ACB_DOMTRUST:
709 logger.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username[:-1])
710
711 elif acct_type == (samr.ACB_NORMAL|samr.ACB_WSTRUST) and username[-1] == '$':
712 logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username)
713 user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
714
715 elif acct_type == (samr.ACB_NORMAL|samr.ACB_SVRTRUST) and username[-1] == '$':
716 logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member" % username)
717 user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
718
719 else:
720 raise ProvisioningError("""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of
721 ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X).
722
723 Please fix this account before attempting to upgrade again
724 """
725 % (username, user.acct_ctrl,
726 samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST))
727
728 userdata[username] = user
729 try:
730 uids[username] = s3db.sid_to_id(user.user_sid)[0]
731 except passdb.error:
732 try:
733 uids[username] = pwd.getpwnam(username).pw_uid
734 except KeyError:
735 pass
736
737 if not admin_user and username.lower() == 'root':
738 admin_user = username
739 if username.lower() == 'administrator':
740 admin_user = username
741
742 try:
743 group_memberships = s3db.enum_group_memberships(user);
744 for group in group_memberships:
745 if str(group) in groupmembers:
746 if user.user_sid not in groupmembers[str(group)]:
747 groupmembers[str(group)].append(user.user_sid)
748 else:
749 groupmembers[str(group)] = [user.user_sid];
750 except passdb.error, e:
751 logger.warn("Ignoring group memberships of '%s' %s: %s",
752 username, user.user_sid, e)
753
754 logger.info("Next rid = %d", next_rid)
755
756 # Check for same username/groupname
757 group_names = set([g.nt_name for g in grouplist])
758 user_names = set([u['account_name'] for u in userlist])
759 common_names = group_names.intersection(user_names)
760 if common_names:
761 logger.error("Following names are both user names and group names:")
762 for name in common_names:
763 logger.error(" %s" % name)
764 raise ProvisioningError("Please remove common user/group names before upgrade.")
765
766 # Check for same user sid/group sid
767 group_sids = set([str(g.sid) for g in grouplist])
768 if len(grouplist) != len(group_sids):
769 raise ProvisioningError("Please remove duplicate group sid entries before upgrade.")
770 user_sids = set(["%s-%u" % (domainsid, u['rid']) for u in userlist])
771 if len(userlist) != len(user_sids):
772 raise ProvisioningError("Please remove duplicate user sid entries before upgrade.")
773 common_sids = group_sids.intersection(user_sids)
774 if common_sids:
775 logger.error("Following sids are both user and group sids:")
776 for sid in common_sids:
777 logger.error(" %s" % str(sid))
778 raise ProvisioningError("Please remove duplicate sid entries before upgrade.")
779
780 # Get posix attributes from ldap or the os
781 homes = {}
782 shells = {}
783 pgids = {}
784 if ldap:
785 creds = Credentials()
786 creds.guess(samba3.lp)
787 creds.set_bind_dn(ldapuser)
788 creds.set_password(ldappass)
789 urls = samba3.lp.get("passdb backend").split(":",1)[1].strip('"')
790 for url in urls.split():
791 try:
792 ldb_object = Ldb(url, credentials=creds)
793 except ldb.LdbError, e:
794 logger.warning("Could not open ldb connection to %s, the error message is: %s", url, e)
795 else:
796 break
797 logger.info("Exporting posix attributes")
798 userlist = s3db.search_users(0)
799 for entry in userlist:
800 username = entry['account_name']
801 if username in uids.keys():
802 try:
803 if ldap:
804 homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")
805 else:
806 homes[username] = pwd.getpwnam(username).pw_dir
807 except KeyError:
808 pass
809 except IndexError:
810 pass
811
812 try:
813 if ldap:
814 shells[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "loginShell")
815 else:
816 shells[username] = pwd.getpwnam(username).pw_shell
817 except KeyError:
818 pass
819 except IndexError:
820 pass
821
822 try:
823 if ldap:
824 pgids[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "gidNumber")
825 else:
826 pgids[username] = pwd.getpwnam(username).pw_gid
827 except KeyError:
828 pass
829 except IndexError:
830 pass
831
832 logger.info("Reading WINS database")
833 samba3_winsdb = None
834 try:
835 samba3_winsdb = samba3.get_wins_db()
836 except IOError, e:
837 logger.warn('Cannot open wins database, Ignoring: %s', str(e))
838
839 if not (serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC"):
840 dns_backend = "NONE"
841
842 # If we found an admin user, set a fake pw that we will override.
843 # This avoids us printing out an admin password that we won't actually
844 # set.
845 if admin_user:
846 adminpass = generate_random_password(12, 32)
847 else:
848 adminpass = None
849
850 # Do full provision
851 result = provision(logger, session_info, None,
852 targetdir=targetdir, realm=realm, domain=domainname,
853 domainsid=str(domainsid), next_rid=next_rid,
854 dc_rid=machinerid, adminpass = adminpass,
855 dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
856 hostname=netbiosname.lower(), machinepass=machinepass,
857 serverrole=serverrole, samdb_fill=FILL_FULL,
858 useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True,
859 use_ntvfs=use_ntvfs, skip_sysvolacl=True)
860 result.report_logger(logger)
861
862 # Import WINS database
863 logger.info("Importing WINS database")
864
865 if samba3_winsdb:
866 import_wins(Ldb(result.paths.winsdb), samba3_winsdb)
867
868 # Set Account policy
869 logger.info("Importing Account policy")
870 import_sam_policy(result.samdb, policy, logger)
871
872 # Migrate IDMAP database
873 logger.info("Importing idmap database")
874 import_idmap(result.idmap, samba3, logger)
875
876 # Set the s3 context for samba4 configuration
877 new_lp_ctx = s3param.get_context()
878 new_lp_ctx.load(result.lp.configfile)
879 new_lp_ctx.set("private dir", result.lp.get("private dir"))
880 new_lp_ctx.set("state directory", result.lp.get("state directory"))
881 new_lp_ctx.set("lock directory", result.lp.get("lock directory"))
882
883 # Connect to samba4 backend
884 s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
885
886 # Export groups to samba4 backend
887 logger.info("Importing groups")
888 for g in grouplist:
889 # Ignore uninitialized groups (gid = -1)
890 if g.gid != -1:
891 add_group_from_mapping_entry(result.samdb, g, logger)
892 add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, "ID_TYPE_GID", logger)
893 add_posix_attrs(samdb=result.samdb, sid=g.sid, name=g.nt_name, nisdomain=domainname.lower(), xid_type="ID_TYPE_GID", logger=logger)
894
895 # Export users to samba4 backend
896 logger.info("Importing users")
897 for username in userdata:
898 if username.lower() == 'administrator':
899 if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
900 logger.error("User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata[username].user_sid, dom_sid(str(domainsid) + "-500")))
901 raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
902 if username.lower() == 'root':
903 if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
904 logger.warn('User root has been replaced by Administrator')
905 else:
906 logger.warn('User root has been kept in the directory, it should be removed in favour of the Administrator user')
907
908 s4_passdb.add_sam_account(userdata[username])
909 if username in uids:
910 add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
911 if (username in homes) and (homes[username] is not None) and \
912 (username in shells) and (shells[username] is not None) and \
913 (username in pgids) and (pgids[username] is not None):
914 add_posix_attrs(samdb=result.samdb, sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], pgid=pgids[username], logger=logger)
915
916 logger.info("Adding users to groups")
917 for g in grouplist:
918 if str(g.sid) in groupmembers:
919 add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
920
921 # Set password for administrator
922 if admin_user:
923 logger.info("Setting password for administrator")
924 admin_userdata = s4_passdb.getsampwnam("administrator")
925 admin_userdata.nt_passwd = userdata[admin_user].nt_passwd
926 if userdata[admin_user].lanman_passwd:
927 admin_userdata.lanman_passwd = userdata[admin_user].lanman_passwd
928 admin_userdata.pass_last_set_time = userdata[admin_user].pass_last_set_time
929 if userdata[admin_user].pw_history:
930 admin_userdata.pw_history = userdata[admin_user].pw_history
931 s4_passdb.update_sam_account(admin_userdata)
932 logger.info("Administrator password has been set to password of user '%s'", admin_user)
933
934 if result.server_role == "active directory domain controller":
935 setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol,
936 result.paths.root_uid, result.paths.root_gid,
937 security.dom_sid(result.domainsid), result.names.dnsdomain,
938 result.names.domaindn, result.lp, use_ntvfs)
939
940 # FIXME: import_registry(registry.Registry(), samba3.get_registry())
941 # FIXME: shares
reg import