Remove remaining references to "password level" in the tree
[Samba/id10ts.git] / python / samba / upgrade.py
blob532e1dee81ae21405e48b3222d0e0cb12603c0bd
1 # backend code for upgrading from Samba3
2 # Copyright Jelmer Vernooij 2005-2007
3 # Copyright Andrew Bartlett 2011
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 """Support code for upgrading from Samba 3 to Samba 4."""
21 __docformat__ = "restructuredText"
23 import ldb
24 import time
25 import pwd
27 from samba import Ldb, registry
28 from samba.param import LoadParm
29 from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
30 from samba.samba3 import passdb
31 from samba.samba3 import param as s3param
32 from samba.dcerpc import lsa, samr, security
33 from samba.dcerpc.security import dom_sid
34 from samba.credentials import Credentials
35 from samba import dsdb
36 from samba.ndr import ndr_pack
37 from samba import unix2nttime
38 from samba import generate_random_password
41 def import_sam_policy(samdb, policy, logger):
42 """Import a Samba 3 policy.
44 :param samdb: Samba4 SAM database
45 :param policy: Samba3 account policy
46 :param logger: Logger object
47 """
49 # Following entries are used -
50 # min password length, password history, minimum password age,
51 # maximum password age, lockout duration
53 # Following entries are not used -
54 # reset count minutes, user must logon to change password,
55 # bad lockout minutes, disconnect time
57 m = ldb.Message()
58 m.dn = samdb.get_default_basedn()
60 if 'min password length' in policy:
61 m['a01'] = ldb.MessageElement(str(policy['min password length']),
62 ldb.FLAG_MOD_REPLACE, 'minPwdLength')
64 if 'password history' in policy:
65 m['a02'] = ldb.MessageElement(str(policy['password history']),
66 ldb.FLAG_MOD_REPLACE, 'pwdHistoryLength')
68 if 'minimum password age' in policy:
69 min_pw_age_unix = policy['minimum password age']
70 min_pw_age_nt = int(-min_pw_age_unix * (1e7))
71 m['a03'] = ldb.MessageElement(str(min_pw_age_nt), ldb.FLAG_MOD_REPLACE,
72 'minPwdAge')
74 if 'maximum password age' in policy:
75 max_pw_age_unix = policy['maximum password age']
76 if max_pw_age_unix == -1 or max_pw_age_unix == 0:
77 max_pw_age_nt = -0x8000000000000000
78 else:
79 max_pw_age_nt = int(-max_pw_age_unix * (1e7))
81 m['a04'] = ldb.MessageElement(str(max_pw_age_nt), ldb.FLAG_MOD_REPLACE,
82 'maxPwdAge')
84 if 'lockout duration' in policy:
85 lockout_duration_mins = policy['lockout duration']
86 lockout_duration_nt = unix2nttime(lockout_duration_mins * 60)
88 m['a05'] = ldb.MessageElement(str(lockout_duration_nt),
89 ldb.FLAG_MOD_REPLACE, 'lockoutDuration')
91 try:
92 samdb.modify(m)
93 except ldb.LdbError, e:
94 logger.warn("Could not set account policy, (%s)", str(e))
97 def add_posix_attrs(logger, samdb, sid, name, nisdomain, xid_type, home=None,
98 shell=None, pgid=None):
99 """Add posix attributes for the user/group
101 :param samdb: Samba4 sam.ldb database
102 :param sid: user/group sid
103 :param sid: user/group name
104 :param nisdomain: name of the (fake) NIS domain
105 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
106 :param home: user homedir (Unix homepath)
107 :param shell: user shell
108 :param pgid: users primary group id
111 try:
112 m = ldb.Message()
113 m.dn = ldb.Dn(samdb, "<SID=%s>" % str(sid))
114 if xid_type == "ID_TYPE_UID":
115 m['unixHomeDirectory'] = ldb.MessageElement(
116 str(home), ldb.FLAG_MOD_REPLACE, 'unixHomeDirectory')
117 m['loginShell'] = ldb.MessageElement(
118 str(shell), ldb.FLAG_MOD_REPLACE, 'loginShell')
119 m['gidNumber'] = ldb.MessageElement(
120 str(pgid), ldb.FLAG_MOD_REPLACE, 'gidNumber')
122 m['msSFU30NisDomain'] = ldb.MessageElement(
123 str(nisdomain), ldb.FLAG_MOD_REPLACE, 'msSFU30NisDomain')
125 samdb.modify(m)
126 except ldb.LdbError, e:
127 logger.warn(
128 'Could not add posix attrs for AD entry for sid=%s, (%s)',
129 str(sid), str(e))
131 def add_ad_posix_idmap_entry(samdb, sid, xid, xid_type, logger):
132 """Create idmap entry
134 :param samdb: Samba4 sam.ldb database
135 :param sid: user/group sid
136 :param xid: user/group id
137 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
138 :param logger: Logger object
141 try:
142 m = ldb.Message()
143 m.dn = ldb.Dn(samdb, "<SID=%s>" % str(sid))
144 if xid_type == "ID_TYPE_UID":
145 m['uidNumber'] = ldb.MessageElement(
146 str(xid), ldb.FLAG_MOD_REPLACE, 'uidNumber')
147 m['objectClass'] = ldb.MessageElement(
148 "posixAccount", ldb.FLAG_MOD_ADD, 'objectClass')
149 elif xid_type == "ID_TYPE_GID":
150 m['gidNumber'] = ldb.MessageElement(
151 str(xid), ldb.FLAG_MOD_REPLACE, 'gidNumber')
152 m['objectClass'] = ldb.MessageElement(
153 "posixGroup", ldb.FLAG_MOD_ADD, 'objectClass')
155 samdb.modify(m)
156 except ldb.LdbError, e:
157 logger.warn(
158 'Could not modify AD idmap entry for sid=%s, id=%s, type=%s (%s)',
159 str(sid), str(xid), xid_type, str(e))
162 def add_idmap_entry(idmapdb, sid, xid, xid_type, logger):
163 """Create idmap entry
165 :param idmapdb: Samba4 IDMAP database
166 :param sid: user/group sid
167 :param xid: user/group id
168 :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
169 :param logger: Logger object
172 # First try to see if we already have this entry
173 found = False
174 msg = idmapdb.search(expression='objectSid=%s' % str(sid))
175 if msg.count == 1:
176 found = True
178 if found:
179 try:
180 m = ldb.Message()
181 m.dn = msg[0]['dn']
182 m['xidNumber'] = ldb.MessageElement(
183 str(xid), ldb.FLAG_MOD_REPLACE, 'xidNumber')
184 m['type'] = ldb.MessageElement(
185 xid_type, ldb.FLAG_MOD_REPLACE, 'type')
186 idmapdb.modify(m)
187 except ldb.LdbError, e:
188 logger.warn(
189 'Could not modify idmap entry for sid=%s, id=%s, type=%s (%s)',
190 str(sid), str(xid), xid_type, str(e))
191 else:
192 try:
193 idmapdb.add({"dn": "CN=%s" % str(sid),
194 "cn": str(sid),
195 "objectClass": "sidMap",
196 "objectSid": ndr_pack(sid),
197 "type": xid_type,
198 "xidNumber": str(xid)})
199 except ldb.LdbError, e:
200 logger.warn(
201 'Could not add idmap entry for sid=%s, id=%s, type=%s (%s)',
202 str(sid), str(xid), xid_type, str(e))
205 def import_idmap(idmapdb, samba3, logger):
206 """Import idmap data.
208 :param idmapdb: Samba4 IDMAP database
209 :param samba3_idmap: Samba3 IDMAP database to import from
210 :param logger: Logger object
213 try:
214 samba3_idmap = samba3.get_idmap_db()
215 except IOError, e:
216 logger.warn('Cannot open idmap database, Ignoring: %s', str(e))
217 return
219 currentxid = max(samba3_idmap.get_user_hwm(), samba3_idmap.get_group_hwm())
220 lowerbound = currentxid
221 # FIXME: upperbound
223 m = ldb.Message()
224 m.dn = ldb.Dn(idmapdb, 'CN=CONFIG')
225 m['lowerbound'] = ldb.MessageElement(
226 str(lowerbound), ldb.FLAG_MOD_REPLACE, 'lowerBound')
227 m['xidNumber'] = ldb.MessageElement(
228 str(currentxid), ldb.FLAG_MOD_REPLACE, 'xidNumber')
229 idmapdb.modify(m)
231 for id_type, xid in samba3_idmap.ids():
232 if id_type == 'UID':
233 xid_type = 'ID_TYPE_UID'
234 elif id_type == 'GID':
235 xid_type = 'ID_TYPE_GID'
236 else:
237 logger.warn('Wrong type of entry in idmap (%s), Ignoring', id_type)
238 continue
240 sid = samba3_idmap.get_sid(xid, id_type)
241 add_idmap_entry(idmapdb, dom_sid(sid), xid, xid_type, logger)
244 def add_group_from_mapping_entry(samdb, groupmap, logger):
245 """Add or modify group from group mapping entry
247 param samdb: Samba4 SAM database
248 param groupmap: Groupmap entry
249 param logger: Logger object
252 # First try to see if we already have this entry
253 try:
254 msg = samdb.search(
255 base='<SID=%s>' % str(groupmap.sid), scope=ldb.SCOPE_BASE)
256 found = True
257 except ldb.LdbError, (ecode, emsg):
258 if ecode == ldb.ERR_NO_SUCH_OBJECT:
259 found = False
260 else:
261 raise ldb.LdbError(ecode, emsg)
263 if found:
264 logger.warn('Group already exists sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
265 str(groupmap.sid), groupmap.nt_name, msg[0]['sAMAccountName'][0])
266 else:
267 if groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
268 # In a lot of Samba3 databases, aliases are marked as well known groups
269 (group_dom_sid, rid) = groupmap.sid.split()
270 if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
271 return
273 m = ldb.Message()
274 m.dn = ldb.Dn(samdb, "CN=%s,CN=Users,%s" % (groupmap.nt_name, samdb.get_default_basedn()))
275 m['cn'] = ldb.MessageElement(groupmap.nt_name, ldb.FLAG_MOD_ADD, 'cn')
276 m['objectClass'] = ldb.MessageElement('group', ldb.FLAG_MOD_ADD, 'objectClass')
277 m['objectSid'] = ldb.MessageElement(ndr_pack(groupmap.sid), ldb.FLAG_MOD_ADD,
278 'objectSid')
279 m['sAMAccountName'] = ldb.MessageElement(groupmap.nt_name, ldb.FLAG_MOD_ADD,
280 'sAMAccountName')
282 if groupmap.comment:
283 m['description'] = ldb.MessageElement(groupmap.comment, ldb.FLAG_MOD_ADD,
284 'description')
286 # Fix up incorrect 'well known' groups that are actually builtin (per test above) to be aliases
287 if groupmap.sid_name_use == lsa.SID_NAME_ALIAS or groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
288 m['groupType'] = ldb.MessageElement(str(dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP),
289 ldb.FLAG_MOD_ADD, 'groupType')
291 try:
292 samdb.add(m, controls=["relax:0"])
293 except ldb.LdbError, e:
294 logger.warn('Could not add group name=%s (%s)', groupmap.nt_name, str(e))
297 def add_users_to_group(samdb, group, members, logger):
298 """Add user/member to group/alias
300 param samdb: Samba4 SAM database
301 param group: Groupmap object
302 param members: List of member SIDs
303 param logger: Logger object
305 for member_sid in members:
306 m = ldb.Message()
307 m.dn = ldb.Dn(samdb, "<SID=%s>" % str(group.sid))
308 m['a01'] = ldb.MessageElement("<SID=%s>" % str(member_sid), ldb.FLAG_MOD_ADD, 'member')
310 try:
311 samdb.modify(m)
312 except ldb.LdbError, (ecode, emsg):
313 if ecode == ldb.ERR_ENTRY_ALREADY_EXISTS:
314 logger.debug("skipped re-adding member '%s' to group '%s': %s", member_sid, group.sid, emsg)
315 elif ecode == ldb.ERR_NO_SUCH_OBJECT:
316 raise ProvisioningError("Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s" % (member_sid, group.sid, emsg))
317 else:
318 raise ProvisioningError("Could not add member '%s' to group '%s': %s" % (member_sid, group.sid, emsg))
321 def import_wins(samba4_winsdb, samba3_winsdb):
322 """Import settings from a Samba3 WINS database.
324 :param samba4_winsdb: WINS database to import to
325 :param samba3_winsdb: WINS database to import from
328 version_id = 0
330 for (name, (ttl, ips, nb_flags)) in samba3_winsdb.items():
331 version_id += 1
333 type = int(name.split("#", 1)[1], 16)
335 if type == 0x1C:
336 rType = 0x2
337 elif type & 0x80:
338 if len(ips) > 1:
339 rType = 0x2
340 else:
341 rType = 0x1
342 else:
343 if len(ips) > 1:
344 rType = 0x3
345 else:
346 rType = 0x0
348 if ttl > time.time():
349 rState = 0x0 # active
350 else:
351 rState = 0x1 # released
353 nType = ((nb_flags & 0x60) >> 5)
355 samba4_winsdb.add({"dn": "name=%s,type=0x%s" % tuple(name.split("#")),
356 "type": name.split("#")[1],
357 "name": name.split("#")[0],
358 "objectClass": "winsRecord",
359 "recordType": str(rType),
360 "recordState": str(rState),
361 "nodeType": str(nType),
362 "expireTime": ldb.timestring(ttl),
363 "isStatic": "0",
364 "versionID": str(version_id),
365 "address": ips})
367 samba4_winsdb.add({"dn": "cn=VERSION",
368 "cn": "VERSION",
369 "objectClass": "winsMaxVersion",
370 "maxVersion": str(version_id)})
373 def enable_samba3sam(samdb, ldapurl):
374 """Enable Samba 3 LDAP URL database.
376 :param samdb: SAM Database.
377 :param ldapurl: Samba 3 LDAP URL
379 samdb.modify_ldif("""
380 dn: @MODULES
381 changetype: modify
382 replace: @LIST
383 @LIST: samldb,operational,objectguid,rdn_name,samba3sam
384 """)
386 samdb.add({"dn": "@MAP=samba3sam", "@MAP_URL": ldapurl})
389 smbconf_keep = [
390 "dos charset",
391 "unix charset",
392 "display charset",
393 "comment",
394 "path",
395 "directory",
396 "workgroup",
397 "realm",
398 "netbios name",
399 "netbios aliases",
400 "netbios scope",
401 "server string",
402 "interfaces",
403 "bind interfaces only",
404 "security",
405 "auth methods",
406 "encrypt passwords",
407 "null passwords",
408 "obey pam restrictions",
409 "password server",
410 "smb passwd file",
411 "private dir",
412 "passwd chat",
413 "lanman auth",
414 "ntlm auth",
415 "client NTLMv2 auth",
416 "client lanman auth",
417 "client plaintext auth",
418 "read only",
419 "hosts allow",
420 "hosts deny",
421 "log level",
422 "debuglevel",
423 "log file",
424 "smb ports",
425 "large readwrite",
426 "max protocol",
427 "min protocol",
428 "unicode",
429 "read raw",
430 "write raw",
431 "disable netbios",
432 "nt status support",
433 "max mux",
434 "max xmit",
435 "name resolve order",
436 "max wins ttl",
437 "min wins ttl",
438 "time server",
439 "unix extensions",
440 "use spnego",
441 "server signing",
442 "client signing",
443 "max connections",
444 "paranoid server security",
445 "socket options",
446 "strict sync",
447 "max print jobs",
448 "printable",
449 "print ok",
450 "printer name",
451 "printer",
452 "map system",
453 "map hidden",
454 "map archive",
455 "preferred master",
456 "prefered master",
457 "local master",
458 "browseable",
459 "browsable",
460 "wins server",
461 "wins support",
462 "csc policy",
463 "strict locking",
464 "preload",
465 "auto services",
466 "lock dir",
467 "lock directory",
468 "pid directory",
469 "socket address",
470 "copy",
471 "include",
472 "available",
473 "volume",
474 "fstype",
475 "panic action",
476 "msdfs root",
477 "host msdfs",
478 "winbind separator"]
481 def upgrade_smbconf(oldconf, mark):
482 """Remove configuration variables not present in Samba4
484 :param oldconf: Old configuration structure
485 :param mark: Whether removed configuration variables should be
486 kept in the new configuration as "samba3:<name>"
488 data = oldconf.data()
489 newconf = LoadParm()
491 for s in data:
492 for p in data[s]:
493 keep = False
494 for k in smbconf_keep:
495 if smbconf_keep[k] == p:
496 keep = True
497 break
499 if keep:
500 newconf.set(s, p, oldconf.get(s, p))
501 elif mark:
502 newconf.set(s, "samba3:" + p, oldconf.get(s, p))
504 return newconf
506 SAMBA3_PREDEF_NAMES = {
507 'HKLM': registry.HKEY_LOCAL_MACHINE,
511 def import_registry(samba4_registry, samba3_regdb):
512 """Import a Samba 3 registry database into the Samba 4 registry.
514 :param samba4_registry: Samba 4 registry handle.
515 :param samba3_regdb: Samba 3 registry database handle.
517 def ensure_key_exists(keypath):
518 (predef_name, keypath) = keypath.split("/", 1)
519 predef_id = SAMBA3_PREDEF_NAMES[predef_name]
520 keypath = keypath.replace("/", "\\")
521 return samba4_registry.create_key(predef_id, keypath)
523 for key in samba3_regdb.keys():
524 key_handle = ensure_key_exists(key)
525 for subkey in samba3_regdb.subkeys(key):
526 ensure_key_exists(subkey)
527 for (value_name, (value_type, value_data)) in samba3_regdb.values(key).items():
528 key_handle.set_value(value_name, value_type, value_data)
530 def get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, user, attr):
531 """Get posix attributes from a samba3 ldap backend
532 :param ldbs: a list of ldb connection objects
533 :param base_dn: the base_dn of the connection
534 :param user: the user to get the attribute for
535 :param attr: the attribute to be retrieved
537 try:
538 msg = ldb_object.search(base_dn, scope=ldb.SCOPE_SUBTREE,
539 expression=("(&(objectClass=posixAccount)(uid=%s))"
540 % (user)), attrs=[attr])
541 except ldb.LdbError, e:
542 raise ProvisioningError("Failed to retrieve attribute %s for user %s, the error is: %s", attr, user, e)
543 else:
544 if msg.count <= 1:
545 # This will raise KeyError (which is what we want) if there isn't a entry for this user
546 return msg[0][attr][0]
547 else:
548 logger.warning("LDAP entry for user %s contains more than one %s", user, attr)
549 raise KeyError
552 def upgrade_from_samba3(samba3, logger, targetdir, session_info=None,
553 useeadb=False, dns_backend=None, use_ntvfs=False):
554 """Upgrade from samba3 database to samba4 AD database
556 :param samba3: samba3 object
557 :param logger: Logger object
558 :param targetdir: samba4 database directory
559 :param session_info: Session information
561 serverrole = samba3.lp.server_role()
563 domainname = samba3.lp.get("workgroup")
564 realm = samba3.lp.get("realm")
565 netbiosname = samba3.lp.get("netbios name")
567 if samba3.lp.get("ldapsam:trusted") is None:
568 samba3.lp.set("ldapsam:trusted", "yes")
570 # secrets db
571 try:
572 secrets_db = samba3.get_secrets_db()
573 except IOError, e:
574 raise ProvisioningError("Could not open '%s', the Samba3 secrets database: %s. Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option?" % (samba3.privatedir_path("secrets.tdb"), str(e)))
576 if not domainname:
577 domainname = secrets_db.domains()[0]
578 logger.warning("No workgroup specified in smb.conf file, assuming '%s'",
579 domainname)
581 if not realm:
582 if serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC":
583 raise ProvisioningError("No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create.")
584 else:
585 realm = domainname.upper()
586 logger.warning("No realm specified in smb.conf file, assuming '%s'",
587 realm)
589 # Find machine account and password
590 next_rid = 1000
592 try:
593 machinepass = secrets_db.get_machine_password(netbiosname)
594 except KeyError:
595 machinepass = None
597 if samba3.lp.get("passdb backend").split(":")[0].strip() == "ldapsam":
598 base_dn = samba3.lp.get("ldap suffix")
599 ldapuser = samba3.lp.get("ldap admin dn")
600 ldappass = secrets_db.get_ldap_bind_pw(ldapuser)
601 if ldappass is None:
602 raise ProvisioningError("ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation.")
603 ldappass = ldappass.strip('\x00')
604 ldap = True
605 else:
606 ldapuser = None
607 ldappass = None
608 ldap = False
610 # We must close the direct pytdb database before the C code loads it
611 secrets_db.close()
613 # Connect to old password backend
614 passdb.set_secrets_dir(samba3.lp.get("private dir"))
615 s3db = samba3.get_sam_db()
617 # Get domain sid
618 try:
619 domainsid = passdb.get_global_sam_sid()
620 except passdb.error:
621 raise Exception("Can't find domain sid for '%s', Exiting." % domainname)
623 # Get machine account, sid, rid
624 try:
625 machineacct = s3db.getsampwnam('%s$' % netbiosname)
626 except passdb.error:
627 machinerid = None
628 machinesid = None
629 else:
630 machinesid, machinerid = machineacct.user_sid.split()
632 # Export account policy
633 logger.info("Exporting account policy")
634 policy = s3db.get_account_policy()
636 # Export groups from old passdb backend
637 logger.info("Exporting groups")
638 grouplist = s3db.enum_group_mapping()
639 groupmembers = {}
640 for group in grouplist:
641 sid, rid = group.sid.split()
642 if sid == domainsid:
643 if rid >= next_rid:
644 next_rid = rid + 1
646 # Get members for each group/alias
647 if group.sid_name_use == lsa.SID_NAME_ALIAS:
648 try:
649 members = s3db.enum_aliasmem(group.sid)
650 groupmembers[str(group.sid)] = members
651 except passdb.error, e:
652 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
653 group.nt_name, group.sid, e)
654 continue
655 elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
656 try:
657 members = s3db.enum_group_members(group.sid)
658 groupmembers[str(group.sid)] = members
659 except passdb.error, e:
660 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
661 group.nt_name, group.sid, e)
662 continue
663 elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
664 (group_dom_sid, rid) = group.sid.split()
665 if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
666 logger.warn("Ignoring 'well known' group '%s' (should already be in AD, and have no members)",
667 group.nt_name)
668 continue
669 # A number of buggy databases mix up well known groups and aliases.
670 try:
671 members = s3db.enum_aliasmem(group.sid)
672 groupmembers[str(group.sid)] = members
673 except passdb.error, e:
674 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
675 group.nt_name, group.sid, e)
676 continue
677 else:
678 logger.warn("Ignoring group '%s' %s with sid_name_use=%d",
679 group.nt_name, group.sid, group.sid_name_use)
680 continue
682 # Export users from old passdb backend
683 logger.info("Exporting users")
684 userlist = s3db.search_users(0)
685 userdata = {}
686 uids = {}
687 admin_user = None
688 for entry in userlist:
689 if machinerid and machinerid == entry['rid']:
690 continue
691 username = entry['account_name']
692 if entry['rid'] < 1000:
693 logger.info(" Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
694 continue
695 if entry['rid'] >= next_rid:
696 next_rid = entry['rid'] + 1
698 user = s3db.getsampwnam(username)
699 acct_type = (user.acct_ctrl & (samr.ACB_NORMAL|samr.ACB_WSTRUST|samr.ACB_SVRTRUST|samr.ACB_DOMTRUST))
700 if acct_type == samr.ACB_SVRTRUST:
701 logger.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'" % username[:-1])
702 user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST
704 elif acct_type == samr.ACB_DOMTRUST:
705 logger.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username[:-1])
706 continue
708 elif acct_type == (samr.ACB_WSTRUST) and username[-1] != '$':
709 logger.warn(" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration." % username)
710 continue
712 elif acct_type == (samr.ACB_NORMAL|samr.ACB_WSTRUST) and username[-1] == '$':
713 logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username)
714 user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
716 elif acct_type == (samr.ACB_NORMAL|samr.ACB_SVRTRUST) and username[-1] == '$':
717 logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member" % username)
718 user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
720 elif acct_type == 0 and username[-1] != '$':
721 user.acct_ctrl = (user.acct_ctrl | samr.ACB_NORMAL)
723 elif (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST):
724 pass
726 else:
727 raise ProvisioningError("""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of
728 ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X).
730 Please fix this account before attempting to upgrade again
732 % (username, user.acct_ctrl,
733 samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST))
735 userdata[username] = user
736 try:
737 uids[username] = s3db.sid_to_id(user.user_sid)[0]
738 except passdb.error:
739 try:
740 uids[username] = pwd.getpwnam(username).pw_uid
741 except KeyError:
742 pass
744 if not admin_user and username.lower() == 'root':
745 admin_user = username
746 if username.lower() == 'administrator':
747 admin_user = username
749 try:
750 group_memberships = s3db.enum_group_memberships(user);
751 for group in group_memberships:
752 if str(group) in groupmembers:
753 if user.user_sid not in groupmembers[str(group)]:
754 groupmembers[str(group)].append(user.user_sid)
755 else:
756 groupmembers[str(group)] = [user.user_sid];
757 except passdb.error, e:
758 logger.warn("Ignoring group memberships of '%s' %s: %s",
759 username, user.user_sid, e)
761 logger.info("Next rid = %d", next_rid)
763 # Check for same username/groupname
764 group_names = set([g.nt_name for g in grouplist])
765 user_names = set([u['account_name'] for u in userlist])
766 common_names = group_names.intersection(user_names)
767 if common_names:
768 logger.error("Following names are both user names and group names:")
769 for name in common_names:
770 logger.error(" %s" % name)
771 raise ProvisioningError("Please remove common user/group names before upgrade.")
773 # Check for same user sid/group sid
774 group_sids = set([str(g.sid) for g in grouplist])
775 if len(grouplist) != len(group_sids):
776 raise ProvisioningError("Please remove duplicate group sid entries before upgrade.")
777 user_sids = set(["%s-%u" % (domainsid, u['rid']) for u in userlist])
778 if len(userlist) != len(user_sids):
779 raise ProvisioningError("Please remove duplicate user sid entries before upgrade.")
780 common_sids = group_sids.intersection(user_sids)
781 if common_sids:
782 logger.error("Following sids are both user and group sids:")
783 for sid in common_sids:
784 logger.error(" %s" % str(sid))
785 raise ProvisioningError("Please remove duplicate sid entries before upgrade.")
787 # Get posix attributes from ldap or the os
788 homes = {}
789 shells = {}
790 pgids = {}
791 if ldap:
792 creds = Credentials()
793 creds.guess(samba3.lp)
794 creds.set_bind_dn(ldapuser)
795 creds.set_password(ldappass)
796 urls = samba3.lp.get("passdb backend").split(":",1)[1].strip('"')
797 for url in urls.split():
798 try:
799 ldb_object = Ldb(url, credentials=creds)
800 except ldb.LdbError, e:
801 raise ProvisiongError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
802 else:
803 break
804 logger.info("Exporting posix attributes")
805 userlist = s3db.search_users(0)
806 for entry in userlist:
807 username = entry['account_name']
808 if username in uids.keys():
809 try:
810 if ldap:
811 homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")
812 else:
813 homes[username] = pwd.getpwnam(username).pw_dir
814 except KeyError:
815 pass
816 except IndexError:
817 pass
819 try:
820 if ldap:
821 shells[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "loginShell")
822 else:
823 shells[username] = pwd.getpwnam(username).pw_shell
824 except KeyError:
825 pass
826 except IndexError:
827 pass
829 try:
830 if ldap:
831 pgids[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "gidNumber")
832 else:
833 pgids[username] = pwd.getpwnam(username).pw_gid
834 except KeyError:
835 pass
836 except IndexError:
837 pass
839 logger.info("Reading WINS database")
840 samba3_winsdb = None
841 try:
842 samba3_winsdb = samba3.get_wins_db()
843 except IOError, e:
844 logger.warn('Cannot open wins database, Ignoring: %s', str(e))
846 if not (serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC"):
847 dns_backend = "NONE"
849 # If we found an admin user, set a fake pw that we will override.
850 # This avoids us printing out an admin password that we won't actually
851 # set.
852 if admin_user:
853 adminpass = generate_random_password(12, 32)
854 else:
855 adminpass = None
857 # Do full provision
858 result = provision(logger, session_info, None,
859 targetdir=targetdir, realm=realm, domain=domainname,
860 domainsid=str(domainsid), next_rid=next_rid,
861 dc_rid=machinerid, adminpass = adminpass,
862 dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
863 hostname=netbiosname.lower(), machinepass=machinepass,
864 serverrole=serverrole, samdb_fill=FILL_FULL,
865 useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True,
866 use_ntvfs=use_ntvfs, skip_sysvolacl=True)
867 result.report_logger(logger)
869 # Import WINS database
870 logger.info("Importing WINS database")
872 if samba3_winsdb:
873 import_wins(Ldb(result.paths.winsdb), samba3_winsdb)
875 # Set Account policy
876 logger.info("Importing Account policy")
877 import_sam_policy(result.samdb, policy, logger)
879 # Migrate IDMAP database
880 logger.info("Importing idmap database")
881 import_idmap(result.idmap, samba3, logger)
883 # Set the s3 context for samba4 configuration
884 new_lp_ctx = s3param.get_context()
885 new_lp_ctx.load(result.lp.configfile)
886 new_lp_ctx.set("private dir", result.lp.get("private dir"))
887 new_lp_ctx.set("state directory", result.lp.get("state directory"))
888 new_lp_ctx.set("lock directory", result.lp.get("lock directory"))
890 # Connect to samba4 backend
891 s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
893 # Start a new transaction (should speed this up a little, due to index churn)
894 result.samdb.transaction_start()
896 logger.info("Adding groups")
897 try:
898 # Export groups to samba4 backend
899 logger.info("Importing groups")
900 for g in grouplist:
901 # Ignore uninitialized groups (gid = -1)
902 if g.gid != -1:
903 add_group_from_mapping_entry(result.samdb, g, logger)
904 add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, "ID_TYPE_GID", logger)
905 add_posix_attrs(samdb=result.samdb, sid=g.sid, name=g.nt_name, nisdomain=domainname.lower(), xid_type="ID_TYPE_GID", logger=logger)
907 except:
908 # We need this, so that we do not give even more errors due to not cancelling the transaction
909 result.samdb.transaction_cancel()
910 raise
912 logger.info("Commiting 'add groups' transaction to disk")
913 result.samdb.transaction_commit()
915 logger.info("Adding users")
916 # Start a new transaction (should speed this up a little, due to index churn)
917 result.samdb.transaction_start()
919 try:
920 # Export users to samba4 backend
921 logger.info("Importing users")
922 for username in userdata:
923 if username.lower() == 'administrator':
924 if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
925 logger.error("User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata[username].user_sid, dom_sid(str(domainsid) + "-500")))
926 raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
927 if username.lower() == 'root':
928 if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
929 logger.warn('User root has been replaced by Administrator')
930 else:
931 logger.warn('User root has been kept in the directory, it should be removed in favour of the Administrator user')
933 s4_passdb.add_sam_account(userdata[username])
934 if username in uids:
935 add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
936 if (username in homes) and (homes[username] is not None) and \
937 (username in shells) and (shells[username] is not None) and \
938 (username in pgids) and (pgids[username] is not None):
939 add_posix_attrs(samdb=result.samdb, sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], pgid=pgids[username], logger=logger)
941 except:
942 # We need this, so that we do not give even more errors due to not cancelling the transaction
943 result.samdb.transaction_cancel()
944 raise
946 logger.info("Commiting 'add users' transaction to disk")
947 result.samdb.transaction_commit()
949 logger.info("Adding users to groups")
950 # Start a new transaction (should speed this up a little, due to index churn)
951 result.samdb.transaction_start()
953 try:
954 for g in grouplist:
955 if str(g.sid) in groupmembers:
956 add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
958 except:
959 # We need this, so that we do not give even more errors due to not cancelling the transaction
960 result.samdb.transaction_cancel()
961 raise
963 logger.info("Commiting 'add users to groups' transaction to disk")
964 result.samdb.transaction_commit()
966 # Set password for administrator
967 if admin_user:
968 logger.info("Setting password for administrator")
969 admin_userdata = s4_passdb.getsampwnam("administrator")
970 admin_userdata.nt_passwd = userdata[admin_user].nt_passwd
971 if userdata[admin_user].lanman_passwd:
972 admin_userdata.lanman_passwd = userdata[admin_user].lanman_passwd
973 admin_userdata.pass_last_set_time = userdata[admin_user].pass_last_set_time
974 if userdata[admin_user].pw_history:
975 admin_userdata.pw_history = userdata[admin_user].pw_history
976 s4_passdb.update_sam_account(admin_userdata)
977 logger.info("Administrator password has been set to password of user '%s'", admin_user)
979 if result.server_role == "active directory domain controller":
980 setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol,
981 result.paths.root_uid, result.paths.root_gid,
982 security.dom_sid(result.domainsid), result.names.dnsdomain,
983 result.names.domaindn, result.lp, use_ntvfs)
985 # FIXME: import_registry(registry.Registry(), samba3.get_registry())
986 # FIXME: shares