+ domainname = samba3.lp.get("workgroup")
+ realm = samba3.lp.get("realm")
+ netbiosname = samba3.lp.get("netbios name")
+
+ if samba3.lp.get("ldapsam:trusted") is None:
+ samba3.lp.set("ldapsam:trusted", "yes")
+
+ # secrets db
+ try:
+ secrets_db = samba3.get_secrets_db()
+ except IOError, e:
+ raise ProvisioningError("Could not open '%s', the Samba3 secrets database: %s. Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option?" % (samba3.privatedir_path("secrets.tdb"), str(e)))
+
+ if not domainname:
+ domainname = secrets_db.domains()[0]
+ logger.warning("No workgroup specified in smb.conf file, assuming '%s'",
+ domainname)
+
+ if not realm:
+ if serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC":
+ raise ProvisioningError("No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create.")
+ else:
+ realm = domainname.upper()
+ logger.warning("No realm specified in smb.conf file, assuming '%s'",
+ realm)
+
+ # Find machine account and password
+ next_rid = 1000
+
+ try:
+ machinepass = secrets_db.get_machine_password(netbiosname)
+ except KeyError:
+ machinepass = None
+
+ if samba3.lp.get("passdb backend").split(":")[0].strip() == "ldapsam":
+ base_dn = samba3.lp.get("ldap suffix")
+ ldapuser = samba3.lp.get("ldap admin dn")
+ ldappass = (secrets_db.get_ldap_bind_pw(ldapuser)).strip('\x00')
+ ldap = True
+ else:
+ ldapuser = None
+ ldappass = None
+ ldap = False
+
+ # We must close the direct pytdb database before the C code loads it
+ secrets_db.close()
+
+ # Connect to old password backend
+ passdb.set_secrets_dir(samba3.lp.get("private dir"))
+ s3db = samba3.get_sam_db()
+
+ # Get domain sid
+ try:
+ domainsid = passdb.get_global_sam_sid()
+ except passdb.error:
+ raise Exception("Can't find domain sid for '%s', Exiting." % domainname)
+
+ # Get machine account, sid, rid
+ try:
+ machineacct = s3db.getsampwnam('%s$' % netbiosname)
+ except passdb.error:
+ machinerid = None
+ machinesid = None
+ else:
+ machinesid, machinerid = machineacct.user_sid.split()
+
+ # Export account policy
+ logger.info("Exporting account policy")
+ policy = s3db.get_account_policy()
+
+ # Export groups from old passdb backend
+ logger.info("Exporting groups")
+ grouplist = s3db.enum_group_mapping()
+ groupmembers = {}
+ for group in grouplist:
+ sid, rid = group.sid.split()
+ if sid == domainsid:
+ if rid >= next_rid:
+ next_rid = rid + 1
+
+ # Get members for each group/alias
+ if group.sid_name_use == lsa.SID_NAME_ALIAS:
+ try:
+ members = s3db.enum_aliasmem(group.sid)
+ groupmembers[str(group.sid)] = members
+ except passdb.error, e:
+ logger.warn("Ignoring group '%s' %s listed but then not found: %s",
+ group.nt_name, group.sid, e)
+ continue
+ elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
+ try:
+ members = s3db.enum_group_members(group.sid)
+ groupmembers[str(group.sid)] = members
+ except passdb.error, e:
+ logger.warn("Ignoring group '%s' %s listed but then not found: %s",
+ group.nt_name, group.sid, e)
+ continue
+ elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
+ (group_dom_sid, rid) = group.sid.split()
+ if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
+ logger.warn("Ignoring 'well known' group '%s' (should already be in AD, and have no members)",
+ group.nt_name)
+ continue
+ # A number of buggy databases mix up well known groups and aliases.
+ try:
+ members = s3db.enum_aliasmem(group.sid)
+ groupmembers[str(group.sid)] = members
+ except passdb.error, e:
+ logger.warn("Ignoring group '%s' %s listed but then not found: %s",
+ group.nt_name, group.sid, e)
+ continue
+ else:
+ logger.warn("Ignoring group '%s' %s with sid_name_use=%d",
+ group.nt_name, group.sid, group.sid_name_use)
+ continue
+
+ # Export users from old passdb backend
+ logger.info("Exporting users")
+ userlist = s3db.search_users(0)
+ userdata = {}
+ uids = {}
+ admin_user = None
+ for entry in userlist:
+ if machinerid and machinerid == entry['rid']:
+ continue
+ username = entry['account_name']
+ if entry['rid'] < 1000:
+ logger.info(" Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
+ continue
+ if entry['rid'] >= next_rid:
+ next_rid = entry['rid'] + 1
+
+ user = s3db.getsampwnam(username)
+ acct_type = (user.acct_ctrl & (samr.ACB_NORMAL|samr.ACB_WSTRUST|samr.ACB_SVRTRUST|samr.ACB_DOMTRUST))
+ if (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST):
+ pass
+
+ elif acct_type == samr.ACB_SVRTRUST:
+ logger.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain promote'" % username[:-1])
+ user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST
+
+ elif acct_type == samr.ACB_DOMTRUST:
+ logger.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username[:-1])
+
+ elif acct_type == (samr.ACB_NORMAL|samr.ACB_WSTRUST) and username[-1] == '$':
+ logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username)
+ user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
+
+ elif acct_type == (samr.ACB_NORMAL|samr.ACB_SVRTRUST) and username[-1] == '$':
+ logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member" % username)
+ user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
+
+ else:
+ raise ProvisioningError("""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of
+ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X).
+
+Please fix this account before attempting to upgrade again
+"""
+ % (user.acct_flags, username,
+ samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST))
+
+ userdata[username] = user
+ try:
+ uids[username] = s3db.sid_to_id(user.user_sid)[0]
+ except passdb.error:
+ try:
+ uids[username] = pwd.getpwnam(username).pw_uid
+ except KeyError:
+ pass
+
+ if not admin_user and username.lower() == 'root':
+ admin_user = username
+ if username.lower() == 'administrator':
+ admin_user = username
+
+ try:
+ group_memberships = s3db.enum_group_memberships(user);
+ for group in group_memberships:
+ if str(group) in groupmembers:
+ if user.user_sid not in groupmembers[str(group)]:
+ groupmembers[str(group)].append(user.user_sid)
+ else:
+ groupmembers[str(group)] = [user.user_sid];
+ except passdb.error, e:
+ logger.warn("Ignoring group memberships of '%s' %s: %s",
+ username, user.user_sid, e)
+
+ logger.info("Next rid = %d", next_rid)
+
+ # Check for same username/groupname
+ group_names = set([g.nt_name for g in grouplist])
+ user_names = set([u['account_name'] for u in userlist])
+ common_names = group_names.intersection(user_names)
+ if common_names:
+ logger.error("Following names are both user names and group names:")
+ for name in common_names:
+ logger.error(" %s" % name)
+ raise ProvisioningError("Please remove common user/group names before upgrade.")
+
+ # Check for same user sid/group sid
+ group_sids = set([str(g.sid) for g in grouplist])
+ if len(grouplist) != len(group_sids):
+ raise ProvisioningError("Please remove duplicate group sid entries before upgrade.")
+ user_sids = set(["%s-%u" % (domainsid, u['rid']) for u in userlist])
+ if len(userlist) != len(user_sids):
+ raise ProvisioningError("Please remove duplicate user sid entries before upgrade.")
+ common_sids = group_sids.intersection(user_sids)
+ if common_sids:
+ logger.error("Following sids are both user and group sids:")
+ for sid in common_sids:
+ logger.error(" %s" % str(sid))
+ raise ProvisioningError("Please remove duplicate sid entries before upgrade.")
+
+ # Get posix attributes from ldap or the os
+ homes = {}
+ shells = {}
+ pgids = {}
+ if ldap:
+ creds = Credentials()
+ creds.guess(samba3.lp)
+ creds.set_bind_dn(ldapuser)
+ creds.set_password(ldappass)
+ urls = samba3.lp.get("passdb backend").split(":",1)[1].strip('"')
+ for url in urls.split():
+ try:
+ ldb_object = Ldb(url, credentials=creds)
+ except ldb.LdbError, e:
+ logger.warning("Could not open ldb connection to %s, the error message is: %s", url, e)
+ else:
+ break
+ logger.info("Exporting posix attributes")
+ userlist = s3db.search_users(0)
+ for entry in userlist:
+ username = entry['account_name']
+ if username in uids.keys():
+ try:
+ if ldap:
+ homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")
+ else:
+ homes[username] = pwd.getpwnam(username).pw_dir
+ except KeyError:
+ pass
+
+ try:
+ if ldap:
+ shells[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "loginShell")
+ else:
+ shells[username] = pwd.getpwnam(username).pw_shell
+ except KeyError:
+ pass
+
+ try:
+ if ldap:
+ pgids[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "gidNumber")
+ else:
+ pgids[username] = pwd.getpwnam(username).pw_gid
+ except KeyError:
+ pass
+
+ logger.info("Reading WINS database")
+ samba3_winsdb = None
+ try:
+ samba3_winsdb = samba3.get_wins_db()
+ except IOError, e:
+ logger.warn('Cannot open wins database, Ignoring: %s', str(e))
+
+ if not (serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC"):
+ dns_backend = "NONE"
+
+ # Do full provision
+ result = provision(logger, session_info, None,
+ targetdir=targetdir, realm=realm, domain=domainname,
+ domainsid=str(domainsid), next_rid=next_rid,
+ dc_rid=machinerid,
+ dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
+ hostname=netbiosname.lower(), machinepass=machinepass,
+ serverrole=serverrole, samdb_fill=FILL_FULL,
+ useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True,
+ use_ntvfs=use_ntvfs, skip_sysvolacl=True)
+ result.report_logger(logger)
+
+ # Import WINS database
+ logger.info("Importing WINS database")
+
+ if samba3_winsdb:
+ import_wins(Ldb(result.paths.winsdb), samba3_winsdb)
+
+ # Set Account policy
+ logger.info("Importing Account policy")
+ import_sam_policy(result.samdb, policy, logger)
+
+ # Migrate IDMAP database
+ logger.info("Importing idmap database")
+ import_idmap(result.idmap, samba3, logger)
+
+ # Set the s3 context for samba4 configuration
+ new_lp_ctx = s3param.get_context()
+ new_lp_ctx.load(result.lp.configfile)
+ new_lp_ctx.set("private dir", result.lp.get("private dir"))
+ new_lp_ctx.set("state directory", result.lp.get("state directory"))
+ new_lp_ctx.set("lock directory", result.lp.get("lock directory"))
+
+ # Connect to samba4 backend
+ s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
+
+ # Export groups to samba4 backend
+ logger.info("Importing groups")
+ for g in grouplist:
+ # Ignore uninitialized groups (gid = -1)
+ if g.gid != -1:
+ add_group_from_mapping_entry(result.samdb, g, logger)
+ add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, "ID_TYPE_GID", logger)
+ add_posix_attrs(samdb=result.samdb, sid=g.sid, name=g.nt_name, nisdomain=domainname.lower(), xid_type="ID_TYPE_GID", logger=logger)
+
+ # Export users to samba4 backend
+ logger.info("Importing users")
+ for username in userdata:
+ if username.lower() == 'administrator':
+ if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
+ logger.error("User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata[username].user_sid, dom_sid(str(domainsid) + "-500")))
+ raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
+ if username.lower() == 'root':
+ if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
+ logger.warn('User root has been replaced by Administrator')
+ else:
+ logger.warn('User root has been kept in the directory, it should be removed in favour of the Administrator user')
+
+ s4_passdb.add_sam_account(userdata[username])
+ if username in uids:
+ add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
+ if (username in homes) and (homes[username] is not None) and \
+ (username in shells) and (shells[username] is not None) and \
+ (username in pgids) and (pgids[username] is not None):
+ add_posix_attrs(samdb=result.samdb, sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], pgid=pgids[username], logger=logger)
+
+ logger.info("Adding users to groups")
+ for g in grouplist:
+ if str(g.sid) in groupmembers:
+ add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
+
+ # Set password for administrator
+ if admin_user:
+ logger.info("Setting password for administrator")
+ admin_userdata = s4_passdb.getsampwnam("administrator")
+ admin_userdata.nt_passwd = userdata[admin_user].nt_passwd
+ if userdata[admin_user].lanman_passwd:
+ admin_userdata.lanman_passwd = userdata[admin_user].lanman_passwd
+ admin_userdata.pass_last_set_time = userdata[admin_user].pass_last_set_time
+ if userdata[admin_user].pw_history:
+ admin_userdata.pw_history = userdata[admin_user].pw_history
+ s4_passdb.update_sam_account(admin_userdata)
+ logger.info("Administrator password has been set to password of user '%s'", admin_user)
+
+ if result.server_role == "active directory domain controller":
+ setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol,
+ result.paths.root_uid, result.paths.root_gid,
+ security.dom_sid(result.domainsid), result.names.dnsdomain,
+ result.names.domaindn, result.lp, use_ntvfs)
+
+ # FIXME: import_registry(registry.Registry(), samba3.get_registry())
+ # FIXME: shares