ldb.FLAG_MOD_REPLACE, 'pwdHistoryLength')
min_pw_age_unix = policy['minimum password age']
- min_pw_age_nt = 0 - unix2nttime(min_pw_age_unix)
+ min_pw_age_nt = int(-min_pw_age_unix * (1e7 * 60 * 60 * 24))
m['a03'] = ldb.MessageElement(str(min_pw_age_nt), ldb.FLAG_MOD_REPLACE,
'minPwdAge')
max_pw_age_unix = policy['maximum password age']
- if (max_pw_age_unix == -1):
- max_pw_age_nt = 0
+ if max_pw_age_unix == -1 or max_pw_age_unix == 0:
+ max_pw_age_nt = -0x8000000000000000
else:
- max_pw_age_nt = unix2nttime(max_pw_age_unix)
+ max_pw_age_nt = int(-max_pw_age_unix * (1e7 * 60 * 60 * 24))
m['a04'] = ldb.MessageElement(str(max_pw_age_nt), ldb.FLAG_MOD_REPLACE,
'maxPwdAge')
:param idmapdb: Samba4 IDMAP database
:param sid: user/group sid
:param xid: user/group id
- :param xid_type: type of id (UID/GID)
+ :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
:param logger: Logger object
"""
samdb.modify(m)
except ldb.LdbError, (ecode, emsg):
if ecode == ldb.ERR_ENTRY_ALREADY_EXISTS:
- logger.info("skipped re-adding member '%s' to group '%s': %s", member_sid, group.sid, emsg)
+ logger.debug("skipped re-adding member '%s' to group '%s': %s", member_sid, group.sid, emsg)
elif ecode == ldb.ERR_NO_SUCH_OBJECT:
raise ProvisioningError("Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s" % (member_sid, group.sid, emsg))
else:
# Get members for each group/alias
if group.sid_name_use == lsa.SID_NAME_ALIAS:
- members = s3db.enum_aliasmem(group.sid)
+ try:
+ members = s3db.enum_aliasmem(group.sid)
+ groupmembers[str(group.sid)] = members
+ except passdb.error, e:
+ logger.warn("Ignoring group '%s' %s listed but then not found: %s",
+ group.nt_name, group.sid, e)
+ continue
elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
try:
members = s3db.enum_group_members(group.sid)
- except passdb.error:
+ groupmembers[str(group.sid)] = members
+ except passdb.error, e:
+ logger.warn("Ignoring group '%s' %s listed but then not found: %s",
+ group.nt_name, group.sid, e)
continue
- groupmembers[group.nt_name] = members
elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
(group_dom_sid, rid) = group.sid.split()
if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
group.nt_name)
continue
# A number of buggy databases mix up well known groups and aliases.
- members = s3db.enum_aliasmem(group.sid)
+ try:
+ members = s3db.enum_aliasmem(group.sid)
+ groupmembers[str(group.sid)] = members
+ except passdb.error, e:
+ logger.warn("Ignoring group '%s' %s listed but then not found: %s",
+ group.nt_name, group.sid, e)
+ continue
else:
- logger.warn("Ignoring group '%s' with sid_name_use=%d",
- group.nt_name, group.sid_name_use)
+ logger.warn("Ignoring group '%s' %s with sid_name_use=%d",
+ group.nt_name, group.sid, group.sid_name_use)
continue
# Export users from old passdb backend
if username.lower() == 'administrator':
admin_user = username
+ try:
+ group_memberships = s3db.enum_group_memberships(user);
+ for group in group_memberships:
+ if str(group) in groupmembers:
+ if user.user_sid not in groupmembers[str(group)]:
+ groupmembers[str(group)].append(user.user_sid)
+ else:
+ groupmembers[str(group)] = [user.user_sid];
+ except passdb.error, e:
+ logger.warn("Ignoring group memberships of '%s' %s: %s",
+ username, user.user_sid, e)
+
+
logger.info("Next rid = %d", next_rid)
# Check for same username/groupname
# Check for same user sid/group sid
group_sids = set([str(g.sid) for g in grouplist])
+ if len(grouplist) != len(group_sids):
+ raise ProvisioningError("Please remove duplicate group sid entries before upgrade.")
user_sids = set(["%s-%u" % (domainsid, u['rid']) for u in userlist])
+ if len(userlist) != len(user_sids):
+ raise ProvisioningError("Please remove duplicate user sid entries before upgrade.")
common_sids = group_sids.intersection(user_sids)
if common_sids:
logger.error("Following sids are both user and group sids:")
raise ProvisioningError("Please remove duplicate sid entries before upgrade.")
if serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC":
- dns_backend = "BIND9_FLATFILE"
+ dns_backend = "BIND9_DLZ"
else:
dns_backend = "NONE"
domainsid=str(domainsid), next_rid=next_rid,
dc_rid=machinerid,
dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
- hostname=netbiosname, machinepass=machinepass,
+ hostname=netbiosname.lower(), machinepass=machinepass,
serverrole=serverrole, samdb_fill=FILL_FULL,
useeadb=useeadb, dns_backend=dns_backend)
+ result.report_logger(logger)
# Import WINS database
logger.info("Importing WINS database")
logger.info("Importing groups")
for g in grouplist:
# Ignore uninitialized groups (gid = -1)
- if g.gid != 0xffffffff:
- add_idmap_entry(result.idmap, g.sid, g.gid, "GID", logger)
+ if g.gid != -1:
+ add_idmap_entry(result.idmap, g.sid, g.gid, "ID_TYPE_GID", logger)
add_group_from_mapping_entry(result.samdb, g, logger)
# Export users to samba4 backend
continue
s4_passdb.add_sam_account(userdata[username])
if username in uids:
- add_idmap_entry(result.idmap, userdata[username].user_sid, uids[username], "UID", logger)
+ add_idmap_entry(result.idmap, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
logger.info("Adding users to groups")
for g in grouplist:
- if g.nt_name in groupmembers:
- add_users_to_group(result.samdb, g, groupmembers[g.nt_name], logger)
+ if str(g.sid) in groupmembers:
+ add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
# Set password for administrator
if admin_user: