from samba.dcerpc import lsa, samr, security
from samba.dcerpc.security import dom_sid
from samba.credentials import Credentials
-from samba.auth import system_session
from samba import dsdb
from samba.ndr import ndr_pack
from samba import unix2nttime
except ldb.LdbError, e:
logger.warn("Could not set account policy, (%s)", str(e))
-def add_posix_attrs(logger, samdb, sid, name, nisdomain, xid_type, home=None, shell=None, pgid=None):
+
+def add_posix_attrs(logger, samdb, sid, name, nisdomain, xid_type, home=None,
+ shell=None, pgid=None):
"""Add posix attributes for the user/group
:param samdb: Samba4 sam.ldb database
'Could not modify AD idmap entry for sid=%s, id=%s, type=%s (%s)',
str(sid), str(xid), xid_type, str(e))
+
def add_idmap_entry(idmapdb, sid, xid, xid_type, logger):
"""Create idmap entry
expression=("(&(objectClass=posixAccount)(uid=%s))"
% (user)), attrs=[attr])
except ldb.LdbError, e:
- logger.warning("Failed to retrieve attribute %s for user %s, the error is: %s", attr, user, e)
+ raise ProvisioningError("Failed to retrieve attribute %s for user %s, the error is: %s", attr, user, e)
else:
- if msg.count == 1:
+ if msg.count <= 1:
+ # This will raise KeyError (which is what we want) if there isn't a entry for this user
return msg[0][attr][0]
else:
logger.warning("LDAP entry for user %s contains more than one %s", user, attr)
- return None
+ raise KeyError
+
-def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=False, dns_backend=None,
- use_ntvfs=False):
+def upgrade_from_samba3(samba3, logger, targetdir, session_info=None,
+ useeadb=False, dns_backend=None, use_ntvfs=False):
"""Upgrade from samba3 database to samba4 AD database
:param samba3: samba3 object
pgids = {}
if ldap:
creds = Credentials()
- creds.guess(s3param.get_context())
+ creds.guess(samba3.lp)
creds.set_bind_dn(ldapuser)
creds.set_password(ldappass)
urls = samba3.lp.get("passdb backend").split(":",1)[1].strip('"')
for url in urls.split():
try:
- ldb_object = Ldb(url, session_info=system_session(result.lp), credentials=creds, lp=result.lp)
+ ldb_object = Ldb(url, credentials=creds)
except ldb.LdbError, e:
logger.warning("Could not open ldb connection to %s, the error message is: %s", url, e)
else:
for entry in userlist:
username = entry['account_name']
if username in uids.keys():
- if ldap:
- homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")
- shells[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "loginShell")
- pgids[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "gidNumber")
- else:
- try:
+ try:
+ if ldap:
+ homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")
+ else:
homes[username] = pwd.getpwnam(username).pw_dir
- except KeyError:
- pass
- try:
+ except KeyError:
+ pass
+
+ try:
+ if ldap:
+ shells[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "loginShell")
+ else:
shells[username] = pwd.getpwnam(username).pw_shell
- except KeyError:
- pass
- try:
+ except KeyError:
+ pass
+
+ try:
+ if ldap:
+ pgids[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "gidNumber")
+ else:
pgids[username] = pwd.getpwnam(username).pw_gid
- except KeyError:
- pass
+ except KeyError:
+ pass
logger.info("Reading WINS database")
samba3_winsdb = None
for username in userdata:
if username.lower() == 'administrator':
if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
+ logger.error("User 'Administrator' in your existing directory has SID %s, expected it to be %s" % (userdata[username].user_sid, dom_sid(str(domainsid) + "-500")))
raise ProvisioningError("User 'Administrator' in your existing directory does not have SID ending in -500")
if username.lower() == 'root':
if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
s4_passdb.add_sam_account(userdata[username])
if username in uids:
add_ad_posix_idmap_entry(result.samdb, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
- if (username in homes) and (homes[username] != None) and \
- (username in shells) and (shells[username] != None) and \
- (username in pgids) and (pgids[username] != None):
+ if (username in homes) and (homes[username] is not None) and \
+ (username in shells) and (shells[username] is not None) and \
+ (username in pgids) and (pgids[username] is not None):
add_posix_attrs(samdb=result.samdb, sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], pgid=pgids[username], logger=logger)
logger.info("Adding users to groups")
logger.info("Administrator password has been set to password of user '%s'", admin_user)
if result.server_role == "active directory domain controller":
- setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol, result.paths.root_uid, result.paths.wheel_gid,
- security.dom_sid(result.domainsid), result.names.dnsdomain, result.names.domaindn, result.lp, use_ntvfs)
+ setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol,
+ result.paths.root_uid, result.paths.root_gid,
+ security.dom_sid(result.domainsid), result.names.dnsdomain,
+ result.names.domaindn, result.lp, use_ntvfs)
# FIXME: import_registry(registry.Registry(), samba3.get_registry())
# FIXME: shares