from samba import Ldb, registry
from samba.param import LoadParm
-from samba.provision import provision, FILL_FULL, ProvisioningError
+from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
from samba.samba3 import passdb
from samba.samba3 import param as s3param
from samba.dcerpc import lsa, samr, security
from samba.dcerpc.security import dom_sid
from samba.credentials import Credentials
-from samba.auth import system_session
from samba import dsdb
from samba.ndr import ndr_pack
from samba import unix2nttime
except ldb.LdbError, e:
logger.warn("Could not set account policy, (%s)", str(e))
-def add_posix_attrs(logger, samdb, sid, name, nisdomain, xid_type, home=None, shell=None, pgid=None):
+
+def add_posix_attrs(logger, samdb, sid, name, nisdomain, xid_type, home=None,
+ shell=None, pgid=None):
"""Add posix attributes for the user/group
:param samdb: Samba4 sam.ldb database
'Could not modify AD idmap entry for sid=%s, id=%s, type=%s (%s)',
str(sid), str(xid), xid_type, str(e))
+
def add_idmap_entry(idmapdb, sid, xid, xid_type, logger):
"""Create idmap entry
expression=("(&(objectClass=posixAccount)(uid=%s))"
% (user)), attrs=[attr])
except ldb.LdbError, e:
- logger.warning("Failed to retrieve attribute %s for user %s, the error is: %s", attr, user, e)
+ raise ProvisioningError("Failed to retrieve attribute %s for user %s, the error is: %s", attr, user, e)
else:
- if msg.count == 1:
+ if msg.count <= 1:
+ # This will raise KeyError (which is what we want) if there isn't a entry for this user
return msg[0][attr][0]
else:
logger.warning("LDAP entry for user %s contains more than one %s", user, attr)
- return None
+ raise KeyError
+
-def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=False, dns_backend=None,
- use_ntvfs=False):
+def upgrade_from_samba3(samba3, logger, targetdir, session_info=None,
+ useeadb=False, dns_backend=None, use_ntvfs=False):
"""Upgrade from samba3 database to samba4 AD database
:param samba3: samba3 object
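Review bot: The new `raise ProvisioningError(...)` that replaced the warning passes `attr`, `user` and `e` as extra constructor arguments instead of interpolating them, so the `%s` placeholders are never filled and the exception carries a tuple rather than a message; it should read `raise ProvisioningError("Failed to retrieve attribute %s for user %s, the error is: %s" % (attr, user, e))`. The loosened `msg.count <= 1` test also lets a zero-hit search reach `msg[0][attr][0]`, and the added comment promises a KeyError there; if the ldb Result indexes like a list that is an IndexError, which the callers' `except KeyError` would not catch, so an explicit `if msg.count == 0: raise KeyError(user)` before the return would make the stated contract hold regardless. The enclosing get_posix_attr_from_ldap_backend definition starts outside the hunk.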
logger.error(" %s" % str(sid))
raise ProvisioningError("Please remove duplicate sid entries before upgrade.")
+ # Get posix attributes from ldap or the os
+ homes = {}
+ shells = {}
+ pgids = {}
+ if ldap:
+ creds = Credentials()
+ creds.guess(samba3.lp)
+ creds.set_bind_dn(ldapuser)
+ creds.set_password(ldappass)
+ urls = samba3.lp.get("passdb backend").split(":",1)[1].strip('"')
+ for url in urls.split():
+ try:
+ ldb_object = Ldb(url, credentials=creds)
+ except ldb.LdbError, e:
+ logger.warning("Could not open ldb connection to %s, the error message is: %s", url, e)
+ else:
+ break
+ logger.info("Exporting posix attributes")
+ userlist = s3db.search_users(0)
+ for entry in userlist:
+ username = entry['account_name']
+ if username in uids.keys():
+ try:
+ if ldap:
+ homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")
+ else:
+ homes[username] = pwd.getpwnam(username).pw_dir
+ except KeyError:
+ pass
+
+ try:
+ if ldap:
+ shells[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "loginShell")
+ else:
+ shells[username] = pwd.getpwnam(username).pw_shell
+ except KeyError:
+ pass
+
+ try:
+ if ldap:
+ pgids[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "gidNumber")
+ else:
+ pgids[username] = pwd.getpwnam(username).pw_gid
+ except KeyError:
+ pass
+
+ logger.info("Reading WINS database")
+ samba3_winsdb = None
+ try:
+ samba3_winsdb = samba3.get_wins_db()
+ except IOError, e:
+ logger.warn('Cannot open wins database, Ignoring: %s', str(e))
+
if not (serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC"):
dns_backend = "NONE"
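Review bot: When every URL in `passdb backend` fails to open, the loop at `for url in urls.split():` only logs warnings and falls through, leaving `ldb_object` unbound, so the first `get_posix_attr_from_ldap_backend(...)` call fails with a NameError instead of a clear provisioning error; a `for`/`else` clause fixes that: `else:` / `raise ProvisioningError("Could not open any ldb connection for passdb backend: %s" % urls)`. The moved connection also dropped the `session_info=` and `lp=` arguments the removed code passed to `Ldb(...)`; if the ldap backend takes TLS or other client settings from the loadparm, this connection, which carries the bind DN password, may no longer honour them, which is worth confirming against a TLS-configured backend before relying on it. `split(":",1)[1]` will raise IndexError on a `passdb backend` value without a colon, though that is pre-existing behaviour moved here.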
hostname=netbiosname.lower(), machinepass=machinepass,
serverrole=serverrole, samdb_fill=FILL_FULL,
useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True,
- use_ntvfs=use_ntvfs)
+ use_ntvfs=use_ntvfs, skip_sysvolacl=True)
result.report_logger(logger)
# Import WINS database
logger.info("Importing WINS database")
- samba3_winsdb = None
- try:
- samba3_winsdb = samba3.get_wins_db()
- except IOError, e:
- logger.warn('Cannot open wins database, Ignoring: %s', str(e))
-
if samba3_winsdb:
import_wins(Ldb(result.paths.winsdb), samba3_winsdb)
logger.info("Importing idmap database")
import_idmap(result.idmap, samba3, logger)
- # Get posix attributes from ldap or the os
- homes = {}
- shells = {}
- pgids = {}
- if ldap:
- creds = Credentials()
- creds.guess(result.lp)
- creds.set_bind_dn(ldapuser)
- creds.set_password(ldappass)
- urls = samba3.lp.get("passdb backend").split(":",1)[1].strip('"')
- for url in urls.split():
- try:
- ldb_object = Ldb(url, session_info=system_session(result.lp), credentials=creds, lp=result.lp)
- except ldb.LdbError, e:
- logger.warning("Could not open ldb connection to %s, the error message is: %s", url, e)
- else:
- break
- logger.info("Exporting posix attributes")
- userlist = s3db.search_users(0)
- for entry in userlist:
- username = entry['account_name']
- if username in uids.keys():
- if ldap:
- homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")
- shells[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "loginShell")
- pgids[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "gidNumber")
- else:
- try:
- homes[username] = pwd.getpwnam(username).pw_dir
- except KeyError:
- pass
- try:
- shells[username] = pwd.getpwnam(username).pw_shell
- except KeyError:
- pass
- try:
- pgids[username] = pwd.getpwnam(username).pw_gid
- except KeyError:
- pass
-
# Set the s3 context for samba4 configuration
new_lp_ctx = s3param.get_context()
new_lp_ctx.load(result.lp.configfile)
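Review bot: With `skip_sysvolacl=True` the provisioned sysvol tree is written without its ACLs, and they are now applied only after the account import has completed; any `ProvisioningError` raised in between (the Administrator SID check, for instance) leaves a partially provisioned target directory whose sysvol is unprotected unless the caller discards it. Either ensure the remainder of the upgrade runs `setsysvolacl` (or removes the target) on failure, or document the assumption next to the provision call, e.g. `# sysvol ACLs are deferred until accounts and idmap entries are imported; the target must be discarded if the upgrade aborts before then`. The enclosing upgrade_from_samba3 function continues outside the hunk.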
for username in userdata:
if username.lower() == 'administrator':
if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
+ logger.error("User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata[username].user_sid, dom_sid(str(domainsid) + "-500")))
raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
if username.lower() == 'root':
if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
s4_passdb.add_sam_account(userdata[username])
if username in uids:
add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
- if (username in homes) and (homes[username] != None) and \
- (username in shells) and (shells[username] != None) and \
- (username in pgids) and (pgids[username] != None):
+ if (username in homes) and (homes[username] is not None) and \
+ (username in shells) and (shells[username] is not None) and \
+ (username in pgids) and (pgids[username] is not None):
add_posix_attrs(samdb=result.samdb, sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], pgid=pgids[username], logger=logger)
logger.info("Adding users to groups")
s4_passdb.update_sam_account(admin_userdata)
logger.info("Administrator password has been set to password of user '%s'", admin_user)
+ if result.server_role == "active directory domain controller":
+ setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol,
+ result.paths.root_uid, result.paths.root_gid,
+ security.dom_sid(result.domainsid), result.names.dnsdomain,
+ result.names.domaindn, result.lp, use_ntvfs)
+
# FIXME: import_registry(registry.Registry(), samba3.get_registry())
# FIXME: shares