search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4 provision: Ask for the dns forwarder IP address during interactive provision
[Samba/gebeck_regimport.git] / source4 / scripting / python / samba / netcmd / domain.py
blob0ace70fc9ab008dffd552abe86de6d023eb6ef2d
1 # domain management
2 #
3 # Copyright Matthias Dieter Wallnoefer 2009
4 # Copyright Andrew Kroeger 2009
5 # Copyright Jelmer Vernooij 2007-2009
6 # Copyright Giampaolo Lauria 2011
7 # Copyright Matthieu Patou <mat@matws.net> 2011
8 # Copyright Andrew Bartlett 2008
9 # Copyright Stefan Metzmacher 2012
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
15 #
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #
24
25
26
27 import samba.getopt as options
28 import ldb
29 import string
30 import os
31 import sys
32 import tempfile
33 import logging
34 from samba.net import Net, LIBNET_JOIN_AUTOMATIC
35 import samba.ntacls
36 from samba.join import join_RODC, join_DC, join_subdomain
37 from samba.auth import system_session
38 from samba.samdb import SamDB
39 from samba.dcerpc import drsuapi
40 from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT
41 from samba.netcmd import (
42 Command,
43 CommandError,
44 SuperCommand,
45 Option
46 )
47 from samba.netcmd.common import netcmd_get_domain_infos_via_cldap
48 from samba.samba3 import Samba3
49 from samba.samba3 import param as s3param
50 from samba.upgrade import upgrade_from_samba3
51 from samba.drs_utils import (
52 sendDsReplicaSync, drsuapi_connect, drsException,
53 sendRemoveDsServer)
54
55
56 from samba.dsdb import (
57 DS_DOMAIN_FUNCTION_2000,
58 DS_DOMAIN_FUNCTION_2003,
59 DS_DOMAIN_FUNCTION_2003_MIXED,
60 DS_DOMAIN_FUNCTION_2008,
61 DS_DOMAIN_FUNCTION_2008_R2,
62 DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL,
63 DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL,
64 UF_WORKSTATION_TRUST_ACCOUNT,
65 UF_SERVER_TRUST_ACCOUNT,
66 UF_TRUSTED_FOR_DELEGATION
67 )
68
69 from samba.credentials import DONT_USE_KERBEROS
70 from samba.provision import (
71 provision,
72 FILL_FULL,
73 FILL_NT4SYNC,
74 FILL_DRS,
75 ProvisioningError,
76 )
77
78 def get_testparm_var(testparm, smbconf, varname):
79 cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
80 output = os.popen(cmd, 'r').readline()
81 return output.strip()
82
83 try:
84 import samba.dckeytab
85 class cmd_domain_export_keytab(Command):
86 """Dumps kerberos keys of the domain into a keytab"""
87
88 synopsis = "%prog <keytab> [options]"
89
90 takes_optiongroups = {
91 "sambaopts": options.SambaOptions,
92 "credopts": options.CredentialsOptions,
93 "versionopts": options.VersionOptions,
94 }
95
96 takes_options = [
97 Option("--principal", help="extract only this principal", type=str),
98 ]
99
100 takes_args = ["keytab"]
101
102 def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None):
103 lp = sambaopts.get_loadparm()
104 net = Net(None, lp)
105 net.export_keytab(keytab=keytab, principal=principal)
106 except:
107 cmd_domain_export_keytab = None
108
109
110 class cmd_domain_info(Command):
111 """Print basic info about a domain and the DC passed as parameter"""
112
113 synopsis = "%prog <ip_address> [options]"
114
115 takes_options = [
116 ]
117
118 takes_optiongroups = {
119 "sambaopts": options.SambaOptions,
120 "credopts": options.CredentialsOptions,
121 "versionopts": options.VersionOptions,
122 }
123
124 takes_args = ["address"]
125
126 def run(self, address, credopts=None, sambaopts=None, versionopts=None):
127 lp = sambaopts.get_loadparm()
128 try:
129 res = netcmd_get_domain_infos_via_cldap(lp, None, address)
130 print "Forest : %s" % res.forest
131 print "Domain : %s" % res.dns_domain
132 print "Netbios domain : %s" % res.domain_name
133 print "DC name : %s" % res.pdc_dns_name
134 print "DC netbios name : %s" % res.pdc_name
135 print "Server site : %s" % res.server_site
136 print "Client site : %s" % res.client_site
137 except RuntimeError:
138 raise CommandError("Invalid IP address '" + address + "'!")
139
140 class cmd_domain_provision(Command):
141 """Promotes an existing domain member or NT4 PDC to an AD DC"""
142
143 synopsis = "%prog <dnsdomain> [DC|RODC] [options]"
144
145 takes_optiongroups = {
146 "sambaopts": options.SambaOptions,
147 "versionopts": options.VersionOptions,
148 "credopts": options.CredentialsOptions,
149 }
150
151 takes_options = [
152 Option("--interactive", help="Ask for names", action="store_true"),
153 Option("--domain", type="string", metavar="DOMAIN",
154 help="set domain"),
155 Option("--domain-guid", type="string", metavar="GUID",
156 help="set domainguid (otherwise random)"),
157 Option("--domain-sid", type="string", metavar="SID",
158 help="set domainsid (otherwise random)"),
159 Option("--ntds-guid", type="string", metavar="GUID",
160 help="set NTDS object GUID (otherwise random)"),
161 Option("--invocationid", type="string", metavar="GUID",
162 help="set invocationid (otherwise random)"),
163 Option("--host-name", type="string", metavar="HOSTNAME",
164 help="set hostname"),
165 Option("--host-ip", type="string", metavar="IPADDRESS",
166 help="set IPv4 ipaddress"),
167 Option("--host-ip6", type="string", metavar="IP6ADDRESS",
168 help="set IPv6 ipaddress"),
169 Option("--adminpass", type="string", metavar="PASSWORD",
170 help="choose admin password (otherwise random)"),
171 Option("--krbtgtpass", type="string", metavar="PASSWORD",
172 help="choose krbtgt password (otherwise random)"),
173 Option("--machinepass", type="string", metavar="PASSWORD",
174 help="choose machine password (otherwise random)"),
175 Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
176 choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"],
177 help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), " \
178 "BIND9_FLATFILE uses bind9 text database to store zone information, " \
179 "BIND9_DLZ uses samba4 AD to store zone information, " \
180 "NONE skips the DNS setup entirely (not recommended)",
181 default="SAMBA_INTERNAL"),
182 Option("--dnspass", type="string", metavar="PASSWORD",
183 help="choose dns password (otherwise random)"),
184 Option("--ldapadminpass", type="string", metavar="PASSWORD",
185 help="choose password to set between Samba and it's LDAP backend (otherwise random)"),
186 Option("--root", type="string", metavar="USERNAME",
187 help="choose 'root' unix username"),
188 Option("--nobody", type="string", metavar="USERNAME",
189 help="choose 'nobody' user"),
190 Option("--wheel", type="string", metavar="GROUPNAME",
191 help="choose 'wheel' privileged group"),
192 Option("--users", type="string", metavar="GROUPNAME",
193 help="choose 'users' group"),
194 Option("--quiet", help="Be quiet", action="store_true"),
195 Option("--blank", action="store_true",
196 help="do not add users or groups, just the structure"),
197 Option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
198 help="Test initialisation support for unsupported LDAP backend type (fedora-ds or openldap) DO NOT USE",
199 choices=["fedora-ds", "openldap"]),
200 Option("--server-role", type="choice", metavar="ROLE",
201 choices=["domain controller", "dc", "member server", "member", "standalone"],
202 help="The server role (domain controller | dc | member server | member | standalone). Default is dc.",
203 default="domain controller"),
204 Option("--function-level", type="choice", metavar="FOR-FUN-LEVEL",
205 choices=["2000", "2003", "2008", "2008_R2"],
206 help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2003 Native.",
207 default="2003"),
208 Option("--next-rid", type="int", metavar="NEXTRID", default=1000,
209 help="The initial nextRid value (only needed for upgrades). Default is 1000."),
210 Option("--partitions-only",
211 help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true"),
212 Option("--targetdir", type="string", metavar="DIR",
213 help="Set target directory"),
214 Option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
215 help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with comma (\",\") for use with OpenLDAP-MMR (Multi-Master-Replication), e.g.: \"ldap://s4dc1:9000,ldap://s4dc2:9000\""),
216 Option("--use-xattrs", type="choice", choices=["yes", "no", "auto"], help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto"),
217 Option("--use-ntvfs", action="store_true", help="Use NTVFS for the fileserver (default = no)"),
218 Option("--use-rfc2307", action="store_true", help="Use AD to store posix attributes (default = no)"),
219 ]
220 takes_args = []
221
222 def run(self, sambaopts=None, credopts=None, versionopts=None,
223 interactive = None,
224 domain = None,
225 domain_guid = None,
226 domain_sid = None,
227 ntds_guid = None,
228 invocationid = None,
229 host_name = None,
230 host_ip = None,
231 host_ip6 = None,
232 adminpass = None,
233 krbtgtpass = None,
234 machinepass = None,
235 dns_backend = None,
236 dns_forwarder = None,
237 dnspass = None,
238 ldapadminpass = None,
239 root = None,
240 nobody = None,
241 wheel = None,
242 users = None,
243 quiet = None,
244 blank = None,
245 ldap_backend_type = None,
246 server_role = None,
247 function_level = None,
248 next_rid = None,
249 partitions_only = None,
250 targetdir = None,
251 ol_mmr_urls = None,
252 use_xattrs = None,
253 use_ntvfs = None,
254 use_rfc2307 = None):
255
256 self.logger = self.get_logger("provision")
257 if quiet:
258 self.logger.setLevel(logging.WARNING)
259 else:
260 self.logger.setLevel(logging.INFO)
261
262 lp = sambaopts.get_loadparm()
263 smbconf = lp.configfile
264
265 creds = credopts.get_credentials(lp)
266
267 creds.set_kerberos_state(DONT_USE_KERBEROS)
268
269 suggested_forwarder = dns_forwarder is None and self._get_nameserver_ip() or dns_forwarder
270
271 if len(self.raw_argv) == 1:
272 interactive = True
273
274 if interactive:
275 from getpass import getpass
276 import socket
277
278 def ask(prompt, default=None):
279 if default is not None:
280 print "%s [%s]: " % (prompt, default),
281 else:
282 print "%s: " % (prompt,),
283 return sys.stdin.readline().rstrip("\n") or default
284
285 try:
286 default = socket.getfqdn().split(".", 1)[1].upper()
287 except IndexError:
288 default = None
289 realm = ask("Realm", default)
290 if realm in (None, ""):
291 raise CommandError("No realm set!")
292
293 try:
294 default = realm.split(".")[0]
295 except IndexError:
296 default = None
297 domain = ask("Domain", default)
298 if domain is None:
299 raise CommandError("No domain set!")
300
301 server_role = ask("Server Role (dc, member, standalone)", "dc")
302
303 dns_backend = ask("DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)", "SAMBA_INTERNAL")
304 if dns_backend in (None, ''):
305 raise CommandError("No DNS backend set!")
306
307 if dns_backend == "SAMBA_INTERNAL":
308 dns_forwarder = ask("DNS forwarder IP address (write 'none' to disable forwarding)", suggested_forwarder)
309 if dns_forwarder.lower() in (None, 'none'):
310 suggested_forwarder = None
311 dns_forwarder = None
312
313 while True:
314 adminpassplain = getpass("Administrator password: ")
315 if not adminpassplain:
316 print >>sys.stderr, "Invalid administrator password."
317 else:
318 adminpassverify = getpass("Retype password: ")
319 if not adminpassplain == adminpassverify:
320 print >>sys.stderr, "Sorry, passwords do not match."
321 else:
322 adminpass = adminpassplain
323 break
324
325 else:
326 realm = sambaopts._lp.get('realm')
327 if realm is None:
328 raise CommandError("No realm set!")
329 if domain is None:
330 raise CommandError("No domain set!")
331
332 if not adminpass:
333 self.logger.info("Administrator password will be set randomly!")
334
335 if function_level == "2000":
336 dom_for_fun_level = DS_DOMAIN_FUNCTION_2000
337 elif function_level == "2003":
338 dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
339 elif function_level == "2008":
340 dom_for_fun_level = DS_DOMAIN_FUNCTION_2008
341 elif function_level == "2008_R2":
342 dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2
343
344 if dns_backend == "SAMBA_INTERNAL" and dns_forwarder is None:
345 dns_forwarder = suggested_forwarder
346
347 samdb_fill = FILL_FULL
348 if blank:
349 samdb_fill = FILL_NT4SYNC
350 elif partitions_only:
351 samdb_fill = FILL_DRS
352
353 if targetdir is not None:
354 if not os.path.isdir(targetdir):
355 os.mkdir(targetdir)
356
357 eadb = True
358
359 if use_xattrs == "yes":
360 eadb = False
361 elif use_xattrs == "auto" and not lp.get("posix:eadb"):
362 if targetdir:
363 file = tempfile.NamedTemporaryFile(dir=os.path.abspath(targetdir))
364 else:
365 file = tempfile.NamedTemporaryFile(dir=os.path.abspath(os.path.dirname(lp.get("private dir"))))
366 try:
367 try:
368 samba.ntacls.setntacl(lp, file.name,
369 "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
370 eadb = False
371 except Exception:
372 self.logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. ")
373 finally:
374 file.close()
375
376 if eadb:
377 self.logger.info("not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.")
378
379 session = system_session()
380 try:
381 result = provision(self.logger,
382 session, creds, smbconf=smbconf, targetdir=targetdir,
383 samdb_fill=samdb_fill, realm=realm, domain=domain,
384 domainguid=domain_guid, domainsid=domain_sid,
385 hostname=host_name,
386 hostip=host_ip, hostip6=host_ip6,
387 ntdsguid=ntds_guid,
388 invocationid=invocationid, adminpass=adminpass,
389 krbtgtpass=krbtgtpass, machinepass=machinepass,
390 dns_backend=dns_backend, dns_forwarder=dns_forwarder,
391 dnspass=dnspass, root=root, nobody=nobody,
392 wheel=wheel, users=users,
393 serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
394 backend_type=ldap_backend_type,
395 ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls,
396 useeadb=eadb, next_rid=next_rid, lp=lp, use_ntvfs=(use_ntvfs),
397 use_rfc2307=(use_rfc2307))
398 except ProvisioningError, e:
399 raise CommandError("Provision failed", e)
400
401 result.report_logger(self.logger)
402
403 def _get_nameserver_ip(self):
404 """Grab the nameserver IP address from /etc/resolv.conf"""
405 from os import path
406 RESOLV_CONF="/etc/resolv.conf"
407
408 if not path.isfile(RESOLV_CONF):
409 self.logger.warning("Failed to locate %s" % RESOLV_CONF)
410 return None
411
412 handle = None
413 try:
414 handle = open(RESOLV_CONF, 'r')
415 for line in handle:
416 if not line.startswith('nameserver'):
417 continue
418 # we want the last non-space continuous string of the line
419 return line.strip().split()[-1]
420 finally:
421 if handle is not None:
422 handle.close()
423
424 self.logger.warning("No nameserver found in %s" % RESOLV_CONF)
425 return None
426
427
428 class cmd_domain_dcpromo(Command):
429 """Promotes an existing domain member or NT4 PDC to an AD DC"""
430
431 synopsis = "%prog <dnsdomain> [DC|RODC] [options]"
432
433 takes_optiongroups = {
434 "sambaopts": options.SambaOptions,
435 "versionopts": options.VersionOptions,
436 "credopts": options.CredentialsOptions,
437 }
438
439 takes_options = [
440 Option("--server", help="DC to join", type=str),
441 Option("--site", help="site to join", type=str),
442 Option("--targetdir", help="where to store provision", type=str),
443 Option("--domain-critical-only",
444 help="only replicate critical domain objects",
445 action="store_true"),
446 Option("--machinepass", type=str, metavar="PASSWORD",
447 help="choose machine password (otherwise random)"),
448 Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
449 action="store_true"),
450 Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
451 choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"],
452 help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), " \
453 "BIND9_DLZ uses samba4 AD to store zone information, " \
454 "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
455 default="SAMBA_INTERNAL")
456 ]
457
458 takes_args = ["domain", "role?"]
459
460 def run(self, domain, role=None, sambaopts=None, credopts=None,
461 versionopts=None, server=None, site=None, targetdir=None,
462 domain_critical_only=False, parent_domain=None, machinepass=None,
463 use_ntvfs=False, dns_backend=None):
464 lp = sambaopts.get_loadparm()
465 creds = credopts.get_credentials(lp)
466 net = Net(creds, lp, server=credopts.ipaddress)
467
468 if site is None:
469 site = "Default-First-Site-Name"
470
471 netbios_name = lp.get("netbios name")
472
473 if not role is None:
474 role = role.upper()
475
476 if role == "DC":
477 join_DC(server=server, creds=creds, lp=lp, domain=domain,
478 site=site, netbios_name=netbios_name, targetdir=targetdir,
479 domain_critical_only=domain_critical_only,
480 machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend,
481 promote_existing=True)
482 return
483 elif role == "RODC":
484 join_RODC(server=server, creds=creds, lp=lp, domain=domain,
485 site=site, netbios_name=netbios_name, targetdir=targetdir,
486 domain_critical_only=domain_critical_only,
487 machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend,
488 promote_existing=True)
489 return
490 else:
491 raise CommandError("Invalid role '%s' (possible values: DC, RODC)" % role)
492
493
494 class cmd_domain_join(Command):
495 """Joins domain as either member or backup domain controller"""
496
497 synopsis = "%prog <dnsdomain> [DC|RODC|MEMBER|SUBDOMAIN] [options]"
498
499 takes_optiongroups = {
500 "sambaopts": options.SambaOptions,
501 "versionopts": options.VersionOptions,
502 "credopts": options.CredentialsOptions,
503 }
504
505 takes_options = [
506 Option("--server", help="DC to join", type=str),
507 Option("--site", help="site to join", type=str),
508 Option("--targetdir", help="where to store provision", type=str),
509 Option("--parent-domain", help="parent domain to create subdomain under", type=str),
510 Option("--domain-critical-only",
511 help="only replicate critical domain objects",
512 action="store_true"),
513 Option("--machinepass", type=str, metavar="PASSWORD",
514 help="choose machine password (otherwise random)"),
515 Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
516 action="store_true"),
517 Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
518 choices=["SAMBA_INTERNAL", "BIND9_DLZ", "NONE"],
519 help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), " \
520 "BIND9_DLZ uses samba4 AD to store zone information, " \
521 "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
522 default="SAMBA_INTERNAL")
523 ]
524
525 takes_args = ["domain", "role?"]
526
527 def run(self, domain, role=None, sambaopts=None, credopts=None,
528 versionopts=None, server=None, site=None, targetdir=None,
529 domain_critical_only=False, parent_domain=None, machinepass=None,
530 use_ntvfs=False, dns_backend=None):
531 lp = sambaopts.get_loadparm()
532 creds = credopts.get_credentials(lp)
533 net = Net(creds, lp, server=credopts.ipaddress)
534
535 if site is None:
536 site = "Default-First-Site-Name"
537
538 netbios_name = lp.get("netbios name")
539
540 if not role is None:
541 role = role.upper()
542
543 if role is None or role == "MEMBER":
544 (join_password, sid, domain_name) = net.join_member(domain,
545 netbios_name,
546 LIBNET_JOIN_AUTOMATIC,
547 machinepass=machinepass)
548
549 self.outf.write("Joined domain %s (%s)\n" % (domain_name, sid))
550 return
551 elif role == "DC":
552 join_DC(server=server, creds=creds, lp=lp, domain=domain,
553 site=site, netbios_name=netbios_name, targetdir=targetdir,
554 domain_critical_only=domain_critical_only,
555 machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
556 return
557 elif role == "RODC":
558 join_RODC(server=server, creds=creds, lp=lp, domain=domain,
559 site=site, netbios_name=netbios_name, targetdir=targetdir,
560 domain_critical_only=domain_critical_only,
561 machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
562 return
563 elif role == "SUBDOMAIN":
564 netbios_domain = lp.get("workgroup")
565 if parent_domain is None:
566 parent_domain = ".".join(domain.split(".")[1:])
567 join_subdomain(server=server, creds=creds, lp=lp, dnsdomain=domain, parent_domain=parent_domain,
568 site=site, netbios_name=netbios_name, netbios_domain=netbios_domain, targetdir=targetdir,
569 machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
570 return
571 else:
572 raise CommandError("Invalid role '%s' (possible values: MEMBER, DC, RODC, SUBDOMAIN)" % role)
573
574
575
576 class cmd_domain_demote(Command):
577 """Demote ourselves from the role of Domain Controller"""
578
579 synopsis = "%prog [options]"
580
581 takes_options = [
582 Option("--server", help="DC to force replication before demote", type=str),
583 Option("--targetdir", help="where provision is stored", type=str),
584 ]
585
586 takes_optiongroups = {
587 "sambaopts": options.SambaOptions,
588 "credopts": options.CredentialsOptions,
589 "versionopts": options.VersionOptions,
590 }
591
592 def run(self, sambaopts=None, credopts=None,
593 versionopts=None, server=None, targetdir=None):
594 lp = sambaopts.get_loadparm()
595 creds = credopts.get_credentials(lp)
596 net = Net(creds, lp, server=credopts.ipaddress)
597
598 netbios_name = lp.get("netbios name")
599 samdb = SamDB(session_info=system_session(), credentials=creds, lp=lp)
600 if not server:
601 res = samdb.search(expression='(&(objectClass=computer)(serverReferenceBL=*))', attrs=["dnsHostName", "name"])
602 if (len(res) == 0):
603 raise CommandError("Unable to search for servers")
604
605 if (len(res) == 1):
606 raise CommandError("You are the latest server in the domain")
607
608 server = None
609 for e in res:
610 if str(e["name"]).lower() != netbios_name.lower():
611 server = e["dnsHostName"]
612 break
613
614 ntds_guid = samdb.get_ntds_GUID()
615 msg = samdb.search(base=str(samdb.get_config_basedn()), scope=ldb.SCOPE_SUBTREE,
616 expression="(objectGUID=%s)" % ntds_guid,
617 attrs=['options'])
618 if len(msg) == 0 or "options" not in msg[0]:
619 raise CommandError("Failed to find options on %s" % ntds_guid)
620
621 ntds_dn = msg[0].dn
622 dsa_options = int(str(msg[0]['options']))
623
624 res = samdb.search(expression="(fSMORoleOwner=%s)" % str(ntds_dn),
625 controls=["search_options:1:2"])
626
627 if len(res) != 0:
628 raise CommandError("Current DC is still the owner of %d role(s), use the role command to transfer roles to another DC" % len(res))
629
630 print "Using %s as partner server for the demotion" % server
631 (drsuapiBind, drsuapi_handle, supportedExtensions) = drsuapi_connect(server, lp, creds)
632
633 print "Desactivating inbound replication"
634
635 nmsg = ldb.Message()
636 nmsg.dn = msg[0].dn
637
638 dsa_options |= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
639 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
640 samdb.modify(nmsg)
641
642 if not (dsa_options & DS_NTDSDSA_OPT_DISABLE_OUTBOUND_REPL) and not samdb.am_rodc():
643
644 print "Asking partner server %s to synchronize from us" % server
645 for part in (samdb.get_schema_basedn(),
646 samdb.get_config_basedn(),
647 samdb.get_root_basedn()):
648 try:
649 sendDsReplicaSync(drsuapiBind, drsuapi_handle, ntds_guid, str(part), drsuapi.DRSUAPI_DRS_WRIT_REP)
650 except drsException, e:
651 print "Error while demoting, re-enabling inbound replication"
652 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
653 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
654 samdb.modify(nmsg)
655 raise CommandError("Error while sending a DsReplicaSync for partion %s" % str(part), e)
656 try:
657 remote_samdb = SamDB(url="ldap://%s" % server,
658 session_info=system_session(),
659 credentials=creds, lp=lp)
660
661 print "Changing userControl and container"
662 res = remote_samdb.search(base=str(remote_samdb.get_root_basedn()),
663 expression="(&(objectClass=user)(sAMAccountName=%s$))" %
664 netbios_name.upper(),
665 attrs=["userAccountControl"])
666 dc_dn = res[0].dn
667 uac = int(str(res[0]["userAccountControl"]))
668
669 except Exception, e:
670 print "Error while demoting, re-enabling inbound replication"
671 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
672 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
673 samdb.modify(nmsg)
674 raise CommandError("Error while changing account control", e)
675
676 if (len(res) != 1):
677 print "Error while demoting, re-enabling inbound replication"
678 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
679 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
680 samdb.modify(nmsg)
681 raise CommandError("Unable to find object with samaccountName = %s$"
682 " in the remote dc" % netbios_name.upper())
683
684 olduac = uac
685
686 uac ^= (UF_SERVER_TRUST_ACCOUNT|UF_TRUSTED_FOR_DELEGATION)
687 uac |= UF_WORKSTATION_TRUST_ACCOUNT
688
689 msg = ldb.Message()
690 msg.dn = dc_dn
691
692 msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
693 ldb.FLAG_MOD_REPLACE,
694 "userAccountControl")
695 try:
696 remote_samdb.modify(msg)
697 except Exception, e:
698 print "Error while demoting, re-enabling inbound replication"
699 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
700 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
701 samdb.modify(nmsg)
702
703 raise CommandError("Error while changing account control", e)
704
705 parent = msg.dn.parent()
706 rdn = str(res[0].dn)
707 rdn = string.replace(rdn, ",%s" % str(parent), "")
708 # Let's move to the Computer container
709 i = 0
710 newrdn = rdn
711
712 computer_dn = ldb.Dn(remote_samdb, "CN=Computers,%s" % str(remote_samdb.get_root_basedn()))
713 res = remote_samdb.search(base=computer_dn, expression=rdn, scope=ldb.SCOPE_ONELEVEL)
714
715 if (len(res) != 0):
716 res = remote_samdb.search(base=computer_dn, expression="%s-%d" % (rdn, i),
717 scope=ldb.SCOPE_ONELEVEL)
718 while(len(res) != 0 and i < 100):
719 i = i + 1
720 res = remote_samdb.search(base=computer_dn, expression="%s-%d" % (rdn, i),
721 scope=ldb.SCOPE_ONELEVEL)
722
723 if i == 100:
724 print "Error while demoting, re-enabling inbound replication"
725 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
726 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
727 samdb.modify(nmsg)
728
729 msg = ldb.Message()
730 msg.dn = dc_dn
731
732 msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
733 ldb.FLAG_MOD_REPLACE,
734 "userAccountControl")
735
736 remote_samdb.modify(msg)
737
738 raise CommandError("Unable to find a slot for renaming %s,"
739 " all names from %s-1 to %s-%d seemed used" %
740 (str(dc_dn), rdn, rdn, i - 9))
741
742 newrdn = "%s-%d" % (rdn, i)
743
744 try:
745 newdn = ldb.Dn(remote_samdb, "%s,%s" % (newrdn, str(computer_dn)))
746 remote_samdb.rename(dc_dn, newdn)
747 except Exception, e:
748 print "Error while demoting, re-enabling inbound replication"
749 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
750 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
751 samdb.modify(nmsg)
752
753 msg = ldb.Message()
754 msg.dn = dc_dn
755
756 msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
757 ldb.FLAG_MOD_REPLACE,
758 "userAccountControl")
759
760 remote_samdb.modify(msg)
761 raise CommandError("Error while renaming %s to %s" % (str(dc_dn), str(newdn)), e)
762
763
764 server_dsa_dn = samdb.get_serverName()
765 domain = remote_samdb.get_root_basedn()
766
767 try:
768 sendRemoveDsServer(drsuapiBind, drsuapi_handle, server_dsa_dn, domain)
769 except drsException, e:
770 print "Error while demoting, re-enabling inbound replication"
771 dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
772 nmsg["options"] = ldb.MessageElement(str(dsa_options), ldb.FLAG_MOD_REPLACE, "options")
773 samdb.modify(nmsg)
774
775 msg = ldb.Message()
776 msg.dn = newdn
777
778 msg["userAccountControl"] = ldb.MessageElement("%d" % uac,
779 ldb.FLAG_MOD_REPLACE,
780 "userAccountControl")
781 print str(dc_dn)
782 remote_samdb.modify(msg)
783 remote_samdb.rename(newdn, dc_dn)
784 raise CommandError("Error while sending a removeDsServer", e)
785
786 for s in ("CN=Entreprise,CN=Microsoft System Volumes,CN=System,CN=Configuration",
787 "CN=%s,CN=Microsoft System Volumes,CN=System,CN=Configuration" % lp.get("realm"),
788 "CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System"):
789 try:
790 remote_samdb.delete(ldb.Dn(remote_samdb,
791 "%s,%s,%s" % (str(rdn), s, str(remote_samdb.get_root_basedn()))))
792 except ldb.LdbError, l:
793 pass
794
795 for s in ("CN=Entreprise,CN=NTFRS Subscriptions",
796 "CN=%s, CN=NTFRS Subscriptions" % lp.get("realm"),
797 "CN=Domain system Volumes (SYSVOL Share), CN=NTFRS Subscriptions",
798 "CN=NTFRS Subscriptions"):
799 try:
800 remote_samdb.delete(ldb.Dn(remote_samdb,
801 "%s,%s" % (s, str(newdn))))
802 except ldb.LdbError, l:
803 pass
804
805 self.outf.write("Demote successfull\n")
806
807
808 class cmd_domain_level(Command):
809 """Raises domain and forest function levels"""
810
811 synopsis = "%prog (show|raise <options>) [options]"
812
813 takes_optiongroups = {
814 "sambaopts": options.SambaOptions,
815 "credopts": options.CredentialsOptions,
816 "versionopts": options.VersionOptions,
817 }
818
819 takes_options = [
820 Option("-H", "--URL", help="LDB URL for database or target server", type=str,
821 metavar="URL", dest="H"),
822 Option("--quiet", help="Be quiet", action="store_true"),
823 Option("--forest-level", type="choice", choices=["2003", "2008", "2008_R2"],
824 help="The forest function level (2003 | 2008 | 2008_R2)"),
825 Option("--domain-level", type="choice", choices=["2003", "2008", "2008_R2"],
826 help="The domain function level (2003 | 2008 | 2008_R2)")
827 ]
828
829 takes_args = ["subcommand"]
830
831 def run(self, subcommand, H=None, forest_level=None, domain_level=None,
832 quiet=False, credopts=None, sambaopts=None, versionopts=None):
833 lp = sambaopts.get_loadparm()
834 creds = credopts.get_credentials(lp, fallback_machine=True)
835
836 samdb = SamDB(url=H, session_info=system_session(),
837 credentials=creds, lp=lp)
838
839 domain_dn = samdb.domain_dn()
840
841 res_forest = samdb.search("CN=Partitions,%s" % samdb.get_config_basedn(),
842 scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"])
843 assert len(res_forest) == 1
844
845 res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
846 attrs=["msDS-Behavior-Version", "nTMixedDomain"])
847 assert len(res_domain) == 1
848
849 res_dc_s = samdb.search("CN=Sites,%s" % samdb.get_config_basedn(),
850 scope=ldb.SCOPE_SUBTREE, expression="(objectClass=nTDSDSA)",
851 attrs=["msDS-Behavior-Version"])
852 assert len(res_dc_s) >= 1
853
854 try:
855 level_forest = int(res_forest[0]["msDS-Behavior-Version"][0])
856 level_domain = int(res_domain[0]["msDS-Behavior-Version"][0])
857 level_domain_mixed = int(res_domain[0]["nTMixedDomain"][0])
858
859 min_level_dc = int(res_dc_s[0]["msDS-Behavior-Version"][0]) # Init value
860 for msg in res_dc_s:
861 if int(msg["msDS-Behavior-Version"][0]) < min_level_dc:
862 min_level_dc = int(msg["msDS-Behavior-Version"][0])
863
864 if level_forest < 0 or level_domain < 0:
865 raise CommandError("Domain and/or forest function level(s) is/are invalid. Correct them or reprovision!")
866 if min_level_dc < 0:
867 raise CommandError("Lowest function level of a DC is invalid. Correct this or reprovision!")
868 if level_forest > level_domain:
869 raise CommandError("Forest function level is higher than the domain level(s). Correct this or reprovision!")
870 if level_domain > min_level_dc:
871 raise CommandError("Domain function level is higher than the lowest function level of a DC. Correct this or reprovision!")
872
873 except KeyError:
874 raise CommandError("Could not retrieve the actual domain, forest level and/or lowest DC function level!")
875
876 if subcommand == "show":
877 self.message("Domain and forest function level for domain '%s'" % domain_dn)
878 if level_forest == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0:
879 self.message("\nATTENTION: You run SAMBA 4 on a forest function level lower than Windows 2000 (Native). This isn't supported! Please raise!")
880 if level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0:
881 self.message("\nATTENTION: You run SAMBA 4 on a domain function level lower than Windows 2000 (Native). This isn't supported! Please raise!")
882 if min_level_dc == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0:
883 self.message("\nATTENTION: You run SAMBA 4 on a lowest function level of a DC lower than Windows 2003. This isn't supported! Please step-up or upgrade the concerning DC(s)!")
884
885 self.message("")
886
887 if level_forest == DS_DOMAIN_FUNCTION_2000:
888 outstr = "2000"
889 elif level_forest == DS_DOMAIN_FUNCTION_2003_MIXED:
890 outstr = "2003 with mixed domains/interim (NT4 DC support)"
891 elif level_forest == DS_DOMAIN_FUNCTION_2003:
892 outstr = "2003"
893 elif level_forest == DS_DOMAIN_FUNCTION_2008:
894 outstr = "2008"
895 elif level_forest == DS_DOMAIN_FUNCTION_2008_R2:
896 outstr = "2008 R2"
897 else:
898 outstr = "higher than 2008 R2"
899 self.message("Forest function level: (Windows) " + outstr)
900
901 if level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0:
902 outstr = "2000 mixed (NT4 DC support)"
903 elif level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed == 0:
904 outstr = "2000"
905 elif level_domain == DS_DOMAIN_FUNCTION_2003_MIXED:
906 outstr = "2003 with mixed domains/interim (NT4 DC support)"
907 elif level_domain == DS_DOMAIN_FUNCTION_2003:
908 outstr = "2003"
909 elif level_domain == DS_DOMAIN_FUNCTION_2008:
910 outstr = "2008"
911 elif level_domain == DS_DOMAIN_FUNCTION_2008_R2:
912 outstr = "2008 R2"
913 else:
914 outstr = "higher than 2008 R2"
915 self.message("Domain function level: (Windows) " + outstr)
916
917 if min_level_dc == DS_DOMAIN_FUNCTION_2000:
918 outstr = "2000"
919 elif min_level_dc == DS_DOMAIN_FUNCTION_2003:
920 outstr = "2003"
921 elif min_level_dc == DS_DOMAIN_FUNCTION_2008:
922 outstr = "2008"
923 elif min_level_dc == DS_DOMAIN_FUNCTION_2008_R2:
924 outstr = "2008 R2"
925 else:
926 outstr = "higher than 2008 R2"
927 self.message("Lowest function level of a DC: (Windows) " + outstr)
928
929 elif subcommand == "raise":
930 msgs = []
931
932 if domain_level is not None:
933 if domain_level == "2003":
934 new_level_domain = DS_DOMAIN_FUNCTION_2003
935 elif domain_level == "2008":
936 new_level_domain = DS_DOMAIN_FUNCTION_2008
937 elif domain_level == "2008_R2":
938 new_level_domain = DS_DOMAIN_FUNCTION_2008_R2
939
940 if new_level_domain <= level_domain and level_domain_mixed == 0:
941 raise CommandError("Domain function level can't be smaller than or equal to the actual one!")
942
943 if new_level_domain > min_level_dc:
944 raise CommandError("Domain function level can't be higher than the lowest function level of a DC!")
945
946 # Deactivate mixed/interim domain support
947 if level_domain_mixed != 0:
948 # Directly on the base DN
949 m = ldb.Message()
950 m.dn = ldb.Dn(samdb, domain_dn)
951 m["nTMixedDomain"] = ldb.MessageElement("0",
952 ldb.FLAG_MOD_REPLACE, "nTMixedDomain")
953 samdb.modify(m)
954 # Under partitions
955 m = ldb.Message()
956 m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup") + ",CN=Partitions,%s" % samdb.get_config_basedn())
957 m["nTMixedDomain"] = ldb.MessageElement("0",
958 ldb.FLAG_MOD_REPLACE, "nTMixedDomain")
959 try:
960 samdb.modify(m)
961 except ldb.LdbError, (enum, emsg):
962 if enum != ldb.ERR_UNWILLING_TO_PERFORM:
963 raise
964
965 # Directly on the base DN
966 m = ldb.Message()
967 m.dn = ldb.Dn(samdb, domain_dn)
968 m["msDS-Behavior-Version"]= ldb.MessageElement(
969 str(new_level_domain), ldb.FLAG_MOD_REPLACE,
970 "msDS-Behavior-Version")
971 samdb.modify(m)
972 # Under partitions
973 m = ldb.Message()
974 m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup")
975 + ",CN=Partitions,%s" % samdb.get_config_basedn())
976 m["msDS-Behavior-Version"]= ldb.MessageElement(
977 str(new_level_domain), ldb.FLAG_MOD_REPLACE,
978 "msDS-Behavior-Version")
979 try:
980 samdb.modify(m)
981 except ldb.LdbError, (enum, emsg):
982 if enum != ldb.ERR_UNWILLING_TO_PERFORM:
983 raise
984
985 level_domain = new_level_domain
986 msgs.append("Domain function level changed!")
987
988 if forest_level is not None:
989 if forest_level == "2003":
990 new_level_forest = DS_DOMAIN_FUNCTION_2003
991 elif forest_level == "2008":
992 new_level_forest = DS_DOMAIN_FUNCTION_2008
993 elif forest_level == "2008_R2":
994 new_level_forest = DS_DOMAIN_FUNCTION_2008_R2
995 if new_level_forest <= level_forest:
996 raise CommandError("Forest function level can't be smaller than or equal to the actual one!")
997 if new_level_forest > level_domain:
998 raise CommandError("Forest function level can't be higher than the domain function level(s). Please raise it/them first!")
999 m = ldb.Message()
1000 m.dn = ldb.Dn(samdb, "CN=Partitions,%s" % samdb.get_config_basedn())
1001 m["msDS-Behavior-Version"]= ldb.MessageElement(
1002 str(new_level_forest), ldb.FLAG_MOD_REPLACE,
1003 "msDS-Behavior-Version")
1004 samdb.modify(m)
1005 msgs.append("Forest function level changed!")
1006 msgs.append("All changes applied successfully!")
1007 self.message("\n".join(msgs))
1008 else:
1009 raise CommandError("invalid argument: '%s' (choose from 'show', 'raise')" % subcommand)
1010
1011
1012 class cmd_domain_passwordsettings(Command):
1013 """Sets password settings
1014
1015 Password complexity, history length, minimum password length, the minimum
1016 and maximum password age) on a Samba4 server.
1017 """
1018
1019 synopsis = "%prog (show|set <options>) [options]"
1020
1021 takes_optiongroups = {
1022 "sambaopts": options.SambaOptions,
1023 "versionopts": options.VersionOptions,
1024 "credopts": options.CredentialsOptions,
1025 }
1026
1027 takes_options = [
1028 Option("-H", "--URL", help="LDB URL for database or target server", type=str,
1029 metavar="URL", dest="H"),
1030 Option("--quiet", help="Be quiet", action="store_true"),
1031 Option("--complexity", type="choice", choices=["on","off","default"],
1032 help="The password complexity (on | off | default). Default is 'on'"),
1033 Option("--store-plaintext", type="choice", choices=["on","off","default"],
1034 help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
1035 Option("--history-length",
1036 help="The password history length (<integer> | default). Default is 24.", type=str),
1037 Option("--min-pwd-length",
1038 help="The minimum password length (<integer> | default). Default is 7.", type=str),
1039 Option("--min-pwd-age",
1040 help="The minimum password age (<integer in days> | default). Default is 1.", type=str),
1041 Option("--max-pwd-age",
1042 help="The maximum password age (<integer in days> | default). Default is 43.", type=str),
1043 ]
1044
1045 takes_args = ["subcommand"]
1046
1047 def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None,
1048 quiet=False, complexity=None, store_plaintext=None, history_length=None,
1049 min_pwd_length=None, credopts=None, sambaopts=None,
1050 versionopts=None):
1051 lp = sambaopts.get_loadparm()
1052 creds = credopts.get_credentials(lp)
1053
1054 samdb = SamDB(url=H, session_info=system_session(),
1055 credentials=creds, lp=lp)
1056
1057 domain_dn = samdb.domain_dn()
1058 res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
1059 attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength",
1060 "minPwdAge", "maxPwdAge"])
1061 assert(len(res) == 1)
1062 try:
1063 pwd_props = int(res[0]["pwdProperties"][0])
1064 pwd_hist_len = int(res[0]["pwdHistoryLength"][0])
1065 cur_min_pwd_len = int(res[0]["minPwdLength"][0])
1066 # ticks -> days
1067 cur_min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
1068 if int(res[0]["maxPwdAge"][0]) == -0x8000000000000000:
1069 cur_max_pwd_age = 0
1070 else:
1071 cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
1072 except Exception, e:
1073 raise CommandError("Could not retrieve password properties!", e)
1074
1075 if subcommand == "show":
1076 self.message("Password informations for domain '%s'" % domain_dn)
1077 self.message("")
1078 if pwd_props & DOMAIN_PASSWORD_COMPLEX != 0:
1079 self.message("Password complexity: on")
1080 else:
1081 self.message("Password complexity: off")
1082 if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0:
1083 self.message("Store plaintext passwords: on")
1084 else:
1085 self.message("Store plaintext passwords: off")
1086 self.message("Password history length: %d" % pwd_hist_len)
1087 self.message("Minimum password length: %d" % cur_min_pwd_len)
1088 self.message("Minimum password age (days): %d" % cur_min_pwd_age)
1089 self.message("Maximum password age (days): %d" % cur_max_pwd_age)
1090 elif subcommand == "set":
1091 msgs = []
1092 m = ldb.Message()
1093 m.dn = ldb.Dn(samdb, domain_dn)
1094
1095 if complexity is not None:
1096 if complexity == "on" or complexity == "default":
1097 pwd_props = pwd_props | DOMAIN_PASSWORD_COMPLEX
1098 msgs.append("Password complexity activated!")
1099 elif complexity == "off":
1100 pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
1101 msgs.append("Password complexity deactivated!")
1102
1103 if store_plaintext is not None:
1104 if store_plaintext == "on" or store_plaintext == "default":
1105 pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT
1106 msgs.append("Plaintext password storage for changed passwords activated!")
1107 elif store_plaintext == "off":
1108 pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT)
1109 msgs.append("Plaintext password storage for changed passwords deactivated!")
1110
1111 if complexity is not None or store_plaintext is not None:
1112 m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
1113 ldb.FLAG_MOD_REPLACE, "pwdProperties")
1114
1115 if history_length is not None:
1116 if history_length == "default":
1117 pwd_hist_len = 24
1118 else:
1119 pwd_hist_len = int(history_length)
1120
1121 if pwd_hist_len < 0 or pwd_hist_len > 24:
1122 raise CommandError("Password history length must be in the range of 0 to 24!")
1123
1124 m["pwdHistoryLength"] = ldb.MessageElement(str(pwd_hist_len),
1125 ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
1126 msgs.append("Password history length changed!")
1127
1128 if min_pwd_length is not None:
1129 if min_pwd_length == "default":
1130 min_pwd_len = 7
1131 else:
1132 min_pwd_len = int(min_pwd_length)
1133
1134 if min_pwd_len < 0 or min_pwd_len > 14:
1135 raise CommandError("Minimum password length must be in the range of 0 to 14!")
1136
1137 m["minPwdLength"] = ldb.MessageElement(str(min_pwd_len),
1138 ldb.FLAG_MOD_REPLACE, "minPwdLength")
1139 msgs.append("Minimum password length changed!")
1140
1141 if min_pwd_age is not None:
1142 if min_pwd_age == "default":
1143 min_pwd_age = 1
1144 else:
1145 min_pwd_age = int(min_pwd_age)
1146
1147 if min_pwd_age < 0 or min_pwd_age > 998:
1148 raise CommandError("Minimum password age must be in the range of 0 to 998!")
1149
1150 # days -> ticks
1151 min_pwd_age_ticks = -int(min_pwd_age * (24 * 60 * 60 * 1e7))
1152
1153 m["minPwdAge"] = ldb.MessageElement(str(min_pwd_age_ticks),
1154 ldb.FLAG_MOD_REPLACE, "minPwdAge")
1155 msgs.append("Minimum password age changed!")
1156
1157 if max_pwd_age is not None:
1158 if max_pwd_age == "default":
1159 max_pwd_age = 43
1160 else:
1161 max_pwd_age = int(max_pwd_age)
1162
1163 if max_pwd_age < 0 or max_pwd_age > 999:
1164 raise CommandError("Maximum password age must be in the range of 0 to 999!")
1165
1166 # days -> ticks
1167 if max_pwd_age == 0:
1168 max_pwd_age_ticks = -0x8000000000000000
1169 else:
1170 max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
1171
1172 m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
1173 ldb.FLAG_MOD_REPLACE, "maxPwdAge")
1174 msgs.append("Maximum password age changed!")
1175
1176 if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
1177 raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
1178
1179 if len(m) == 0:
1180 raise CommandError("You must specify at least one option to set. Try --help")
1181 samdb.modify(m)
1182 msgs.append("All changes applied successfully!")
1183 self.message("\n".join(msgs))
1184 else:
1185 raise CommandError("Wrong argument '%s'!" % subcommand)
1186
1187
1188 class cmd_domain_classicupgrade(Command):
1189 """Upgrade from Samba classic (NT4-like) database to Samba AD DC database.
1190
1191 Specify either a directory with all Samba classic DC databases and state files (with --dbdir) or
1192 the testparm utility from your classic installation (with --testparm).
1193 """
1194
1195 synopsis = "%prog [options] <classic_smb_conf>"
1196
1197 takes_optiongroups = {
1198 "sambaopts": options.SambaOptions,
1199 "versionopts": options.VersionOptions
1200 }
1201
1202 takes_options = [
1203 Option("--dbdir", type="string", metavar="DIR",
1204 help="Path to samba classic DC database directory"),
1205 Option("--testparm", type="string", metavar="PATH",
1206 help="Path to samba classic DC testparm utility from the previous installation. This allows the default paths of the previous installation to be followed"),
1207 Option("--targetdir", type="string", metavar="DIR",
1208 help="Path prefix where the new Samba 4.0 AD domain should be initialised"),
1209 Option("--quiet", help="Be quiet", action="store_true"),
1210 Option("--verbose", help="Be verbose", action="store_true"),
1211 Option("--use-xattrs", type="choice", choices=["yes","no","auto"], metavar="[yes|no|auto]",
1212 help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto"),
1213 Option("--use-ntvfs", help="Use NTVFS for the fileserver (default = no)",
1214 action="store_true"),
1215 Option("--dns-backend", type="choice", metavar="NAMESERVER-BACKEND",
1216 choices=["SAMBA_INTERNAL", "BIND9_FLATFILE", "BIND9_DLZ", "NONE"],
1217 help="The DNS server backend. SAMBA_INTERNAL is the builtin name server (default), " \
1218 "BIND9_FLATFILE uses bind9 text database to store zone information, " \
1219 "BIND9_DLZ uses samba4 AD to store zone information, " \
1220 "NONE skips the DNS setup entirely (this DC will not be a DNS server)",
1221 default="SAMBA_INTERNAL")
1222 ]
1223
1224 takes_args = ["smbconf"]
1225
1226 def run(self, smbconf=None, targetdir=None, dbdir=None, testparm=None,
1227 quiet=False, verbose=False, use_xattrs=None, sambaopts=None, versionopts=None,
1228 dns_backend=None, use_ntvfs=False):
1229
1230 if not os.path.exists(smbconf):
1231 raise CommandError("File %s does not exist" % smbconf)
1232
1233 if testparm and not os.path.exists(testparm):
1234 raise CommandError("Testparm utility %s does not exist" % testparm)
1235
1236 if dbdir and not os.path.exists(dbdir):
1237 raise CommandError("Directory %s does not exist" % dbdir)
1238
1239 if not dbdir and not testparm:
1240 raise CommandError("Please specify either dbdir or testparm")
1241
1242 logger = self.get_logger()
1243 if verbose:
1244 logger.setLevel(logging.DEBUG)
1245 elif quiet:
1246 logger.setLevel(logging.WARNING)
1247 else:
1248 logger.setLevel(logging.INFO)
1249
1250 if dbdir and testparm:
1251 logger.warning("both dbdir and testparm specified, ignoring dbdir.")
1252 dbdir = None
1253
1254 lp = sambaopts.get_loadparm()
1255
1256 s3conf = s3param.get_context()
1257
1258 if sambaopts.realm:
1259 s3conf.set("realm", sambaopts.realm)
1260
1261 if targetdir is not None:
1262 if not os.path.isdir(targetdir):
1263 os.mkdir(targetdir)
1264
1265 eadb = True
1266 if use_xattrs == "yes":
1267 eadb = False
1268 elif use_xattrs == "auto" and not s3conf.get("posix:eadb"):
1269 if targetdir:
1270 tmpfile = tempfile.NamedTemporaryFile(dir=os.path.abspath(targetdir))
1271 else:
1272 tmpfile = tempfile.NamedTemporaryFile(dir=os.path.abspath(os.path.dirname(lp.get("private dir"))))
1273 try:
1274 try:
1275 samba.ntacls.setntacl(lp, tmpfile.name,
1276 "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
1277 eadb = False
1278 except Exception:
1279 # FIXME: Don't catch all exceptions here
1280 logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. "
1281 "If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.")
1282 finally:
1283 tmpfile.close()
1284
1285 # Set correct default values from dbdir or testparm
1286 paths = {}
1287 if dbdir:
1288 paths["state directory"] = dbdir
1289 paths["private dir"] = dbdir
1290 paths["lock directory"] = dbdir
1291 paths["smb passwd file"] = dbdir + "/smbpasswd"
1292 else:
1293 paths["state directory"] = get_testparm_var(testparm, smbconf, "state directory")
1294 paths["private dir"] = get_testparm_var(testparm, smbconf, "private dir")
1295 paths["smb passwd file"] = get_testparm_var(testparm, smbconf, "smb passwd file")
1296 paths["lock directory"] = get_testparm_var(testparm, smbconf, "lock directory")
1297 # "testparm" from Samba 3 < 3.4.x is not aware of the parameter
1298 # "state directory", instead make use of "lock directory"
1299 if len(paths["state directory"]) == 0:
1300 paths["state directory"] = paths["lock directory"]
1301
1302 for p in paths:
1303 s3conf.set(p, paths[p])
1304
1305 # load smb.conf parameters
1306 logger.info("Reading smb.conf")
1307 s3conf.load(smbconf)
1308 samba3 = Samba3(smbconf, s3conf)
1309
1310 logger.info("Provisioning")
1311 upgrade_from_samba3(samba3, logger, targetdir, session_info=system_session(),
1312 useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
1313
1314 class cmd_domain(SuperCommand):
1315 """Domain management"""
1316
1317 subcommands = {}
1318 subcommands["demote"] = cmd_domain_demote()
1319 if type(cmd_domain_export_keytab).__name__ != 'NoneType':
1320 subcommands["exportkeytab"] = cmd_domain_export_keytab()
1321 subcommands["info"] = cmd_domain_info()
1322 subcommands["provision"] = cmd_domain_provision()
1323 subcommands["join"] = cmd_domain_join()
1324 subcommands["dcpromo"] = cmd_domain_dcpromo()
1325 subcommands["level"] = cmd_domain_level()
1326 subcommands["passwordsettings"] = cmd_domain_passwordsettings()
1327 subcommands["classicupgrade"] = cmd_domain_classicupgrade()
1328 subcommands["samba3upgrade"] = cmd_domain_classicupgrade()
reg import