from samba.auth import system_session, admin_session
from samba import glue, version, Ldb, substitute_var, valid_netbios_name
from samba import check_all_substituted, read_and_sub_file, setup_file
-from samba import DS_DOMAIN_FUNCTION_2003, DS_DC_FUNCTION_2008
+from samba import DS_DOMAIN_FUNCTION_2003, DS_DC_FUNCTION_2008, DS_DC_FUNCTION_2008_R2
from samba.dcerpc import security
from samba.dcerpc.misc import SEC_CHAN_BDC, SEC_CHAN_WKSTA
from samba.idmap import IDmapDB
if os.path.exists(smbconf):
default_lp.load(smbconf)
if eadb:
- posixeadb_line = "posix:eadb = " + os.path.abspath(os.path.join(os.path.join(targetdir, "private"),"eadb.tdb"))
+ if targetdir is not None:
+ privdir = os.path.join(targetdir, "private")
+ else:
+ privdir = default_lp.get("private dir")
+ posixeadb_line = "posix:eadb = " + os.path.abspath(os.path.join(privdir,"eadb.tdb"))
else:
posixeadb_line = ""
FILL_FULL = "FULL"
FILL_NT4SYNC = "NT4SYNC"
FILL_DRS = "DRS"
-SYSVOL_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
-POLICIES_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;${DOMAINSID}-520)"
+SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
+POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
def set_gpo_acl(path,acl,lp,domsid):
setntacl(lp,path,acl,domsid)
def setsysvolacl(samdb,names,netlogon,sysvol,gid,domainsid,lp):
canchown = 1
- acl = SYSVOL_ACL.replace("${DOMAINSID}",str(domainsid))
try:
os.chown(sysvol,-1,gid)
except:
canchown = 0
- setntacl(lp,sysvol,acl,str(domainsid))
+ setntacl(lp,sysvol,SYSVOL_ACL,str(domainsid))
for root, dirs, files in os.walk(sysvol, topdown=False):
for name in files:
if canchown:
os.chown(os.path.join(root, name),-1,gid)
- setntacl(lp,os.path.join(root, name),acl,str(domainsid))
+ setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
for name in dirs:
if canchown:
os.chown(os.path.join(root, name),-1,gid)
- setntacl(lp,os.path.join(root, name),acl,str(domainsid))
+ setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
# Set ACL for GPO
policy_path = os.path.join(sysvol, names.dnsdomain, "Policies")
- acl = POLICIES_ACL.replace("${DOMAINSID}",str(domainsid))
- set_gpo_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid))
+ set_gpo_acl(policy_path,dsacl2fsacl(POLICIES_ACL,str(domainsid)),lp,str(domainsid))
res = samdb.search(base="CN=Policies,CN=System,%s"%(names.domaindn),
attrs=["cn","nTSecurityDescriptor"],
expression="", scope=ldb.SCOPE_ONELEVEL)
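Review bot: The rewritten constants at `+SYSVOL_ACL` and `+POLICIES_ACL` replace the explicit `${DOMAINSID}-500`, `S-1-5-32-549` and `${DOMAINSID}-520` principals with the SDDL aliases LA, SO and PA without saying so, and now that setsysvolacl no longer does the `${DOMAINSID}` substitution, a reader of the constants alone cannot tell who is being granted what. I would add above them: `# SDDL aliases: LA = domain Administrator (RID 500), SO = Server Operators (S-1-5-32-549), PA = Group Policy Creator Owners (RID 520). LA and PA are domain-relative, so the domain SID must be passed to setntacl()/dsacl2fsacl() for them to resolve.` As far as I can tell the aliases denote the same principals the removed lines spelled out, so the effective grants are unchanged; the difference is that the owner `O:LA` is now resolved when the descriptor is applied, which is why every setntacl call in this hunk still passes `str(domainsid)`.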
# Only make a zone file on the first DC, it should be replicated
# with DNS replication
- create_zone_file(message, paths, setup_path, dnsdomain=names.dnsdomain,
+ create_zone_file(lp, message, paths, targetdir, setup_path, dnsdomain=names.dnsdomain,
hostip=hostip,
hostip6=hostip6, hostname=names.hostname,
realm=names.realm,
{"S4_LDAPI_URI": ldapi_uri})
-def create_zone_file(message, paths, setup_path, dnsdomain,
+def create_zone_file(lp, message, paths, targetdir, setup_path, dnsdomain,
hostip, hostip6, hostname, realm, domainguid,
ntdsguid):
"""Write out a DNS zone file, from the info in the current database.
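Review bot: The docstring starting at `"""Write out a DNS zone file, from the info in the current database.` is not updated for the two new leading parameters `lp` and `targetdir`, and since both are positional the changed call site in the hunk above is the only hint at their meaning. I would add to it: `:param lp: loadparm context; 'rndc command' and 'realm' are read from it` and `:param targetdir: provision target directory; None means provisioning into the live installation, in which case the zone is frozen and unfrozen with rndc around the write`. The docstring continues past the end of this hunk, so where exactly these lines go depends on the part I cannot see.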
except OSError:
pass
- os.mkdir(dns_dir, 0770)
+ os.mkdir(dns_dir, 0775)
- if paths.bind_gid is not None:
- try:
- os.chown(dns_dir, -1, paths.bind_gid)
- except OSError:
- message("Failed to chown %s to bind gid %u" % (dns_dir, paths.bind_gid))
+ # we need to freeze the zone while we update the contents
+ if targetdir is None:
+ rndc = lp.get("rndc command")
+ os.system(rndc + " freeze " + lp.get("realm"))
setup_file(setup_path("provision.zone"), paths.dns, {
"HOSTNAME": hostname,
"HOSTIP6_HOST_LINE": hostip6_host_line,
})
+ if paths.bind_gid is not None:
+ try:
+ os.chown(dns_dir, -1, paths.bind_gid)
+ os.chown(paths.dns, -1, paths.bind_gid)
+ # chmod needed to cope with umask
+ os.chmod(dns_dir, 0775)
+ os.chmod(paths.dns, 0664)
+ except OSError:
+ message("Failed to chown %s to bind gid %u" % (dns_dir, paths.bind_gid))
+
+ if targetdir is None:
+ os.system(rndc + " unfreeze " + lp.get("realm"))
+
def create_named_conf(paths, setup_path, realm, dnsdomain,
private_dir):
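Review bot: The added `os.system(rndc + " freeze " + lp.get("realm"))` builds a shell command by concatenating two smb.conf values, so any shell metacharacter in `rndc command` or `realm` is interpreted by /bin/sh, and its exit status is discarded, so a failed freeze goes unnoticed while the zone file is rewritten underneath named. The matching `unfreeze` at the end of the hunk is also skipped if setup_file() or the chown/chmod block raises, which leaves the zone frozen. Run rndc through `subprocess.call()` with an argument list (`shlex.split()` the configured command if this version's `lp.get("rndc command")` returns a string rather than a list), report a non-zero status through the existing `message()` callback, and wrap the write in `try`/`finally` so the unfreeze always runs; `subprocess` and `shlex` would need importing at the top of the file, which is outside this hunk. create_zone_file's signature and docstring are also outside this hunk.
```python
    # we need to freeze the zone while we update the contents
    if targetdir is None:
        rndc = shlex.split(lp.get("rndc command"))
        realm = lp.get("realm")
        # argument list, no shell: neither the configured command nor the realm
        # is re-parsed by /bin/sh, and a failed freeze is reported rather than ignored
        if subprocess.call(rndc + ["freeze", realm]) != 0:
            message("Failed to freeze zone %s with rndc" % realm)
    try:
        setup_file(setup_path("provision.zone"), paths.dns, {
        # … unchanged: substitution dict, bind_gid chown/chmod block …
    finally:
        # unfreeze even if the write or the chown/chmod above raised
        if targetdir is None:
            if subprocess.call(rndc + ["unfreeze", realm]) != 0:
                message("Failed to unfreeze zone %s with rndc" % realm)
```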