3 # backend code for upgrading from Samba3
4 # Copyright Jelmer Vernooij 2005-2007
5 # Released under the GNU GPL v3 or later
8 """Support code for upgrading from Samba 3 to Samba 4."""
10 from provision import findnss, provision, FILL_DRS
18 from samba.samdb import SamDB
20 def import_sam_policy(samldb, samba3_policy, domaindn):
21 """Import a Samba 3 policy database."""
22 samldb.modify_ldif("""
31 samba3ResetCountMinutes: %d
32 samba3UserMustLogonToChangePassword: %d
33 samba3BadLockoutMinutes: %d
34 samba3DisconnectTime: %d
36 """ % (dn, policy.min_password_length,
37 policy.password_history, policy.minimum_password_age,
38 policy.maximum_password_age, policy.lockout_duration,
39 policy.reset_count_minutes, policy.user_must_logon_to_change_password,
40 policy.bad_lockout_minutes, policy.disconnect_time))
43 def import_sam_account(samldb,acc,domaindn,domainsid):
44 """Import a Samba 3 SAM account.
46 :param samldb: Samba 4 SAM Database handle
47 :param acc: Samba 3 account
48 :param domaindn: Domain DN
49 :param domainsid: Domain SID."""
50 if acc.nt_username is None or acc.nt_username == "":
51 acc.nt_username = acc.username
53 if acc.fullname is None:
55 acc.fullname = pwd.getpwnam(acc.username)[4].split(",")[0]
59 if acc.fullname is None:
60 acc.fullname = acc.username
62 assert acc.fullname is not None
63 assert acc.nt_username is not None
66 "dn": "cn=%s,%s" % (acc.fullname, domaindn),
67 "objectClass": ["top", "user"],
68 "lastLogon": str(acc.logon_time),
69 "lastLogoff": str(acc.logoff_time),
70 "unixName": acc.username,
71 "sAMAccountName": acc.nt_username,
72 "cn": acc.nt_username,
73 "description": acc.acct_desc,
74 "primaryGroupID": str(acc.group_rid),
75 "badPwdcount": str(acc.bad_password_count),
76 "logonCount": str(acc.logon_count),
77 "samba3Domain": acc.domain,
78 "samba3DirDrive": acc.dir_drive,
79 "samba3MungedDial": acc.munged_dial,
80 "samba3Homedir": acc.homedir,
81 "samba3LogonScript": acc.logon_script,
82 "samba3ProfilePath": acc.profile_path,
83 "samba3Workstations": acc.workstations,
84 "samba3KickOffTime": str(acc.kickoff_time),
85 "samba3BadPwdTime": str(acc.bad_password_time),
86 "samba3PassLastSetTime": str(acc.pass_last_set_time),
87 "samba3PassCanChangeTime": str(acc.pass_can_change_time),
88 "samba3PassMustChangeTime": str(acc.pass_must_change_time),
89 "objectSid": "%s-%d" % (domainsid, acc.user_rid),
90 "lmPwdHash:": acc.lm_password,
91 "ntPwdHash:": acc.nt_password,
95 def import_sam_group(samldb, sid, gid, sid_name_use, nt_name, comment, domaindn):
96 """Upgrade a SAM group.
98 :param samldb: SAM database.
100 :param sid_name_use: SID name use
101 :param nt_name: NT Group Name
102 :param comment: NT Group Comment
103 :param domaindn: Domain DN
106 if sid_name_use == 5: # Well-known group
109 if nt_name in ("Domain Guests", "Domain Users", "Domain Admins"):
113 gr = grp.getgrnam(nt_name)
115 gr = grp.getgrgid(gid)
120 unixname = gr.gr_name
122 assert unixname is not None
125 "dn": "cn=%s,%s" % (nt_name, domaindn),
126 "objectClass": ["top", "group"],
127 "description": comment,
130 "unixName": unixname,
131 "samba3SidNameUse": str(sid_name_use)
135 def import_idmap(samdb,samba3_idmap,domaindn):
136 """Import idmap data.
138 :param samdb: SamDB handle.
139 :param samba3_idmap: Samba 3 IDMAP database to import from
140 :param domaindn: Domain DN.
144 "userHwm": str(samba3_idmap.get_user_hwm()),
145 "groupHwm": str(samba3_idmap.get_group_hwm())})
147 for uid in samba3_idmap.uids():
148 samdb.add({"dn": "SID=%s,%s" % (samba3_idmap.get_user_sid(uid), domaindn),
149 "SID": samba3_idmap.get_user_sid(uid),
153 for gid in samba3_idmap.uids():
154 samdb.add({"dn": "SID=%s,%s" % (samba3_idmap.get_group_sid(gid), domaindn),
155 "SID": samba3_idmap.get_group_sid(gid),
160 def import_wins(samba4_winsdb, samba3_winsdb):
161 """Import settings from a Samba3 WINS database.
163 :param samba4_winsdb: WINS database to import to
164 :param samba3_winsdb: WINS database to import from
168 for (name, (ttl, ips, nb_flags)) in samba3_winsdb.items():
171 type = int(name.split("#", 1)[1], 16)
186 if ttl > time.time():
187 rState = 0x0 # active
189 rState = 0x1 # released
191 nType = ((nb_flags & 0x60)>>5)
193 samba4_winsdb.add({"dn": "name=%s,type=0x%s" % tuple(name.split("#")),
194 "type": name.split("#")[1],
195 "name": name.split("#")[0],
196 "objectClass": "winsRecord",
197 "recordType": str(rType),
198 "recordState": str(rState),
199 "nodeType": str(nType),
200 "expireTime": ldb.timestring(ttl),
202 "versionID": str(version_id),
205 samba4_winsdb.add({"dn": "cn=VERSION",
207 "objectClass": "winsMaxVersion",
208 "maxVersion": str(version_id)})
210 def upgrade_provision(samba3, setup_dir, message, credentials, session_info, smbconf, targetdir):
211 oldconf = samba3.get_conf()
213 if oldconf.get("domain logons") == "True":
214 serverrole = "domain controller"
216 if oldconf.get("security") == "user":
217 serverrole = "standalone"
219 serverrole = "member server"
221 domainname = oldconf.get("workgroup")
223 domainname = str(domainname)
224 realm = oldconf.get("realm")
225 netbiosname = oldconf.get("netbios name")
227 secrets_db = samba3.get_secrets_db()
229 if domainname is None:
230 domainname = secrets_db.domains()[0]
231 message("No domain specified in smb.conf file, assuming '%s'" % domainname)
234 realm = domainname.lower()
235 message("No realm specified in smb.conf file, assuming '%s'\n" % realm)
237 domainguid = secrets_db.get_domain_guid(domainname)
238 domainsid = secrets_db.get_sid(domainname)
239 if domainsid is None:
240 message("Can't find domain secrets for '%s'; using random SID\n" % domainname)
242 if netbiosname is not None:
243 machinepass = secrets_db.get_machine_password(netbiosname)
247 result = provision(setup_dir=setup_dir, message=message,
248 samdb_fill=FILL_DRS, smbconf=smbconf, session_info=session_info,
249 credentials=credentials, realm=realm,
250 domain=domainname, domainsid=domainsid, domainguid=domainguid,
251 machinepass=machinepass, serverrole=serverrole, targetdir=targetdir)
253 import_wins(Ldb(result.paths.winsdb), samba3.get_wins_db())
255 # FIXME: import_registry(registry.Registry(), samba3.get_registry())
257 # FIXME: import_idmap(samdb,samba3.get_idmap_db(),domaindn)
259 groupdb = samba3.get_groupmapping_db()
260 for sid in groupdb.groupsids():
261 (gid, sid_name_use, nt_name, comment) = groupdb.get_group(sid)
262 # FIXME: import_sam_group(samdb, sid, gid, sid_name_use, nt_name, comment, domaindn)
266 passdb = samba3.get_sam_db()
269 #FIXME: import_sam_account(result.samdb, user, domaindn, domainsid)
271 if hasattr(passdb, 'ldap_url'):
272 message("Enabling Samba3 LDAP mappings for SAM database")
274 enable_samba3sam(result.samdb, passdb.ldap_url)
277 def enable_samba3sam(samdb, ldapurl):
278 """Enable Samba 3 LDAP URL database.
280 :param samdb: SAM Database.
281 :param ldapurl: Samba 3 LDAP URL
283 samdb.modify_ldif("""
287 @LIST: samldb,operational,objectguid,rdn_name,samba3sam
290 samdb.add({"dn": "@MAP=samba3sam", "@MAP_URL": ldapurl})
307 "bind interfaces only",
312 "obey pam restrictions",
320 "client NTLMv2 auth",
321 "client lanman auth",
322 "client plaintext auth",
342 "name resolve order",
351 "paranoid server security",
387 def upgrade_smbconf(oldconf,mark):
388 """Remove configuration variables not present in Samba4
390 :param oldconf: Old configuration structure
391 :param mark: Whether removed configuration variables should be
392 kept in the new configuration as "samba3:<name>"
394 data = oldconf.data()
395 newconf = param_init()
400 for k in smbconf_keep:
401 if smbconf_keep[k] == p:
406 newconf.set(s, p, oldconf.get(s, p))
408 newconf.set(s, "samba3:"+p, oldconf.get(s,p))
412 SAMBA3_PREDEF_NAMES = {
413 'HKLM': registry.HKEY_LOCAL_MACHINE,
416 def import_registry(samba4_registry, samba3_regdb):
417 """Import a Samba 3 registry database into the Samba 4 registry.
419 :param samba4_registry: Samba 4 registry handle.
420 :param samba3_regdb: Samba 3 registry database handle.
422 def ensure_key_exists(keypath):
423 (predef_name, keypath) = keypath.split("/", 1)
424 predef_id = SAMBA3_PREDEF_NAMES[predef_name]
425 keypath = keypath.replace("/", "\\")
426 return samba4_registry.create_key(predef_id, keypath)
428 for key in samba3_regdb.keys():
429 key_handle = ensure_key_exists(key)
430 for subkey in samba3_regdb.subkeys(key):
431 ensure_key_exists(subkey)
432 for (value_name, (value_type, value_data)) in samba3_regdb.values(key).items():
433 key_handle.set_value(value_name, value_type, value_data)