Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- if len(hostips) > 1:
- logger.warning("More than one IPv4 address found. Using %s",
- hostip)
- if hostip == "127.0.0.1":
- hostip = None
- if hostip is None:
- logger.warning("No IPv4 address will be assigned")
- if hostip6 is None:
- logger.info("Looking up IPv6 addresses")
- hostips = interface_ips_v6(lp, linklocal=False)
- if hostips:
- hostip6 = hostips[0]
- if len(hostips) > 1:
- logger.warning("More than one IPv6 address found. Using %s", hostip6)
- if hostip6 is None:
- logger.warning("No IPv6 address will be assigned")
- if serverrole is None:
- serverrole = lp.get("server role")
- assert serverrole in ("domain controller", "member server", "standalone")
- if invocationid is None:
- invocationid = str(uuid.uuid4())
- if not os.path.exists(paths.private_dir):
- os.mkdir(paths.private_dir)
- if not os.path.exists(os.path.join(paths.private_dir, "tls")):
- os.mkdir(os.path.join(paths.private_dir, "tls"))
- ldapi_url = "ldapi://%s" % urllib.quote(paths.s4_ldapi_path, safe="")
- schema = Schema(domainsid, invocationid=invocationid,
- schemadn=names.schemadn)
- if backend_type == "ldb":
- provision_backend = LDBBackend(backend_type, paths=paths,
- lp=lp, credentials=credentials,
- names=names, logger=logger)
- elif backend_type == "existing":
- provision_backend = ExistingBackend(backend_type, paths=paths,
- lp=lp, credentials=credentials,
- names=names, logger=logger,
- ldap_backend_forced_uri=ldap_backend_forced_uri)
- elif backend_type == "fedora-ds":
- provision_backend = FDSBackend(backend_type, paths=paths,
- lp=lp, credentials=credentials,
- names=names, logger=logger, domainsid=domainsid,
- schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
- slapd_path=slapd_path,
- ldap_backend_extra_port=ldap_backend_extra_port,
- ldap_dryrun_mode=ldap_dryrun_mode, root=root,
- setup_ds_path=setup_ds_path,
- ldap_backend_forced_uri=ldap_backend_forced_uri)
- elif backend_type == "openldap":
- provision_backend = OpenLDAPBackend(backend_type, paths=paths,
- lp=lp, credentials=credentials,
- names=names, logger=logger, domainsid=domainsid,
- schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
- slapd_path=slapd_path,
- ldap_backend_extra_port=ldap_backend_extra_port,
- ldap_dryrun_mode=ldap_dryrun_mode, ol_mmr_urls=ol_mmr_urls,
- nosync=nosync,
- ldap_backend_forced_uri=ldap_backend_forced_uri)
- else:
- raise ValueError("Unknown LDAP backend type selected")
- provision_backend.init()
- provision_backend.start()
- # only install a new shares config db if there is none
- if not os.path.exists(paths.shareconf):
- logger.info("Setting up share.ldb")
- share_ldb = Ldb(paths.shareconf, session_info=session_info,
- lp=lp)
- share_ldb.load_ldif_file_add(setup_path("share.ldif"))
- logger.info("Setting up secrets.ldb")
- secrets_ldb = setup_secretsdb(paths,
- session_info=session_info,
- backend_credentials=provision_backend.secrets_credentials, lp=lp)
- try:
- logger.info("Setting up the registry")
- setup_registry(paths.hklm, session_info,
- lp=lp)
- logger.info("Setting up the privileges database")
- setup_privileges(paths.privilege, session_info, lp=lp)
- logger.info("Setting up idmap db")
- idmap = setup_idmapdb(paths.idmapdb,
- session_info=session_info, lp=lp)
- logger.info("Setting up SAM db")
- samdb = setup_samdb(paths.samdb, session_info,
- provision_backend, lp, names, logger=logger,
- domainsid=domainsid, schema=schema, domainguid=domainguid,
- policyguid=policyguid, policyguid_dc=policyguid_dc,
- fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass,
- invocationid=invocationid, machinepass=machinepass,
- dnspass=dnspass, ntdsguid=ntdsguid, serverrole=serverrole,
- dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
- next_rid=next_rid)
- if serverrole == "domain controller":
- if paths.netlogon is None:
- logger.info("Existing smb.conf does not have a [netlogon] share, but you are configuring a DC.")
- logger.info("Please either remove %s or see the template at %s" %
- (paths.smbconf, setup_path("provision.smb.conf.dc")))
- assert paths.netlogon is not None
- if paths.sysvol is None:
- logger.info("Existing smb.conf does not have a [sysvol] share, but you"
- " are configuring a DC.")
- logger.info("Please either remove %s or see the template at %s" %
- (paths.smbconf, setup_path("provision.smb.conf.dc")))
- assert paths.sysvol is not None
- if not os.path.isdir(paths.netlogon):
- os.makedirs(paths.netlogon, 0755)
- if samdb_fill == FILL_FULL:
- setup_name_mappings(samdb, idmap, str(domainsid), names.domaindn,
- root_uid=root_uid, nobody_uid=nobody_uid,
- users_gid=users_gid, wheel_gid=wheel_gid)
- if serverrole == "domain controller":
- # Set up group policies (domain policy and domain controller
- # policy)
- create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
- policyguid_dc)
- setsysvolacl(samdb, paths.netlogon, paths.sysvol, wheel_gid,
- domainsid, names.dnsdomain, names.domaindn, lp)
- logger.info("Setting up sam.ldb rootDSE marking as synchronized")
- setup_modify_ldif(samdb, setup_path("provision_rootdse_modify.ldif"))
- secretsdb_self_join(secrets_ldb, domain=names.domain,
- realm=names.realm, dnsdomain=names.dnsdomain,
- netbiosname=names.netbiosname, domainsid=domainsid,
- machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC)
- # Now set up the right msDS-SupportedEncryptionTypes into the DB
- # In future, this might be determined from some configuration
- kerberos_enctypes = str(ENC_ALL_TYPES)
- try:
- msg = ldb.Message(ldb.Dn(samdb,
- samdb.searchone("distinguishedName",
- expression="samAccountName=%s$" % names.netbiosname,
- scope=ldb.SCOPE_SUBTREE)))
- msg["msDS-SupportedEncryptionTypes"] = ldb.MessageElement(
- elements=kerberos_enctypes, flags=ldb.FLAG_MOD_REPLACE,
- name="msDS-SupportedEncryptionTypes")
- samdb.modify(msg)
- except ldb.LdbError, (enum, estr):
- if enum != ldb.ERR_NO_SUCH_ATTRIBUTE:
- # It might be that this attribute does not exist in this schema
- raise
- if serverrole == "domain controller":
- secretsdb_setup_dns(secrets_ldb, names,
- paths.private_dir, realm=names.realm,
- dnsdomain=names.dnsdomain,
- dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
- setup_ad_dns(samdb, names=names, hostip=hostip, hostip6=hostip6)
- domainguid = samdb.searchone(basedn=domaindn,
- attribute="objectGUID")
- assert isinstance(domainguid, str)
- # Only make a zone file on the first DC, it should be
- # replicated with DNS replication
- create_zone_file(lp, logger, paths, targetdir,
- dnsdomain=names.dnsdomain, hostip=hostip, hostip6=hostip6,
- hostname=names.hostname, realm=names.realm,
- domainguid=domainguid, ntdsguid=names.ntdsguid)
- create_named_conf(paths, realm=names.realm,
- dnsdomain=names.dnsdomain, private_dir=paths.private_dir)
- create_named_txt(paths.namedtxt,
- realm=names.realm, dnsdomain=names.dnsdomain,
- dnsname = "%s.%s" % (names.hostname, names.dnsdomain),
- private_dir=paths.private_dir,
- keytab_name=paths.dns_keytab)
- logger.info("See %s for an example configuration include file for BIND", paths.namedconf)
- logger.info("and %s for further documentation required for secure DNS "
- "updates", paths.namedtxt)
- lastProvisionUSNs = get_last_provision_usn(samdb)
- maxUSN = get_max_usn(samdb, str(names.rootdn))
- if lastProvisionUSNs is not None:
- update_provision_usn(samdb, 0, maxUSN, invocationid, 1)
- else:
- set_provision_usn(samdb, 0, maxUSN, invocationid)
- create_krb5_conf(paths.krb5conf,
- dnsdomain=names.dnsdomain, hostname=names.hostname,
- realm=names.realm)
- logger.info("A Kerberos configuration suitable for Samba 4 has been "
- "generated at %s", paths.krb5conf)
- if serverrole == "domain controller":
- create_dns_update_list(lp, logger, paths)
- provision_backend.post_setup()
- provision_backend.shutdown()
- create_phpldapadmin_config(paths.phpldapadminconfig,
- ldapi_url)
- except Exception:
- secrets_ldb.transaction_cancel()
- raise
- # Now commit the secrets.ldb to disk
- secrets_ldb.transaction_commit()
- # the commit creates the dns.keytab, now chown it
- dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
- if os.path.isfile(dns_keytab_path) and paths.bind_gid is not None:
- try:
- os.chmod(dns_keytab_path, 0640)
- os.chown(dns_keytab_path, -1, paths.bind_gid)
- except OSError:
- if not os.environ.has_key('SAMBA_SELFTEST'):
- logger.info("Failed to chown %s to bind gid %u",
- dns_keytab_path, paths.bind_gid)
- if samdb_fill != FILL_DRS:
- # fix any dangling GUIDs from the provision
- logger.info("Fixing provision GUIDs")
- chk = dbcheck(samdb, samdb_schema=samdb, verbose=False, fix=True, yes=True, quiet=True)
- samdb.transaction_start()
- # a small number of GUIDs are missing because of ordering issues in the
- # provision code
- for schema_obj in ['CN=Domain', 'CN=Organizational-Person', 'CN=Contact', 'CN=inetOrgPerson']:
- chk.check_database(DN="%s,%s" % (schema_obj, names.schemadn),
- scope=ldb.SCOPE_BASE, attrs=['defaultObjectCategory'])
- chk.check_database(DN="CN=IP Security,CN=System,%s" % names.domaindn,
- scope=ldb.SCOPE_ONELEVEL,
- attrs=['ipsecOwnersReference',
- 'ipsecFilterReference',
- 'ipsecISAKMPReference',
- 'ipsecNegotiationPolicyReference',
- 'ipsecNFAReference'])
- samdb.transaction_commit()
- logger.info("Please install the phpLDAPadmin configuration located at %s into /etc/phpldapadmin/config.php",
- paths.phpldapadminconfig)
- logger.info("Once the above files are installed, your Samba4 server will be ready to use")
- logger.info("Server Role: %s" % serverrole)
- logger.info("Hostname: %s" % names.hostname)
- logger.info("NetBIOS Domain: %s" % names.domain)
- logger.info("DNS Domain: %s" % names.dnsdomain)
- logger.info("DOMAIN SID: %s" % str(domainsid))
- if samdb_fill == FILL_FULL:
- logger.info("Admin password: %s" % adminpass)
- if provision_backend.type is not "ldb":
- if provision_backend.credentials.get_bind_dn() is not None:
- logger.info("LDAP Backend Admin DN: %s" %
- provision_backend.credentials.get_bind_dn())
- else:
- logger.info("LDAP Admin User: %s" %
- provision_backend.credentials.get_username())
- logger.info("LDAP Admin Password: %s" %
- provision_backend.credentials.get_password())
- if provision_backend.slapd_command_escaped is not None:
- # now display slapd_command_file.txt to show how slapd must be
- # started next time
- logger.info("Use later the following commandline to start slapd, then Samba:")
- logger.info(provision_backend.slapd_command_escaped)
- logger.info("This slapd-Commandline is also stored under: %s/ldap_backend_startup.sh",
- provision_backend.ldapdir)
- result = ProvisionResult()
- result.domaindn = domaindn
- result.paths = paths
- result.lp = lp
- result.samdb = samdb
- return result
- def provision_become_dc(smbconf=None, targetdir=None,
- realm=None, rootdn=None, domaindn=None, schemadn=None, configdn=None,
- serverdn=None, domain=None, hostname=None, domainsid=None,
- adminpass=None, krbtgtpass=None, domainguid=None, policyguid=None,
- policyguid_dc=None, invocationid=None, machinepass=None, dnspass=None,
- root=None, nobody=None, users=None, wheel=None, backup=None,
- serverrole=None, ldap_backend=None, ldap_backend_type=None,
- sitename=None, debuglevel=1):
- logger = logging.getLogger("provision")
- samba.set_debug_level(debuglevel)
- res = provision(logger, system_session(), None,
- smbconf=smbconf, targetdir=targetdir, samdb_fill=FILL_DRS,
- realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
- configdn=configdn, serverdn=serverdn, domain=domain,
- hostname=hostname, hostip=None, domainsid=domainsid,
- machinepass=machinepass, serverrole="domain controller",
- sitename=sitename)
- res.lp.set("debuglevel", str(debuglevel))
- return res
- def create_phpldapadmin_config(path, ldapi_uri):
- """Create a PHP LDAP admin configuration file.
- :param path: Path to write the configuration to.
- """
- setup_file(setup_path("phpldapadmin-config.php"), path,
- {"S4_LDAPI_URI": ldapi_uri})
- def create_zone_file(lp, logger, paths, targetdir, dnsdomain,
- hostip, hostip6, hostname, realm, domainguid,
- ntdsguid):
- """Write out a DNS zone file, from the info in the current database.
- :param paths: paths object
- :param dnsdomain: DNS Domain name
- :param domaindn: DN of the Domain
- :param hostip: Local IPv4 IP
- :param hostip6: Local IPv6 IP
- :param hostname: Local hostname
- :param realm: Realm name
- :param domainguid: GUID of the domain.
- :param ntdsguid: GUID of the hosts nTDSDSA record.
- """
- assert isinstance(domainguid, str)
- if hostip6 is not None:
- hostip6_base_line = " IN AAAA " + hostip6
- hostip6_host_line = hostname + " IN AAAA " + hostip6
- gc_msdcs_ip6_line = "gc._msdcs IN AAAA " + hostip6
- else:
- hostip6_base_line = ""
- hostip6_host_line = ""
- gc_msdcs_ip6_line = ""
- if hostip is not None:
- hostip_base_line = " IN A " + hostip
- hostip_host_line = hostname + " IN A " + hostip
- gc_msdcs_ip_line = "gc._msdcs IN A " + hostip
- else:
- hostip_base_line = ""
- hostip_host_line = ""
- gc_msdcs_ip_line = ""
- dns_dir = os.path.dirname(paths.dns)
- try:
- shutil.rmtree(dns_dir, True)
- except OSError:
- pass
- os.mkdir(dns_dir, 0775)
- # we need to freeze the zone while we update the contents
- if targetdir is None:
- rndc = ' '.join(lp.get("rndc command"))
- os.system(rndc + " freeze " + lp.get("realm"))
- setup_file(setup_path("provision.zone"), paths.dns, {
- "HOSTNAME": hostname,
- "DNSDOMAIN": dnsdomain,
- "REALM": realm,
- "HOSTIP_BASE_LINE": hostip_base_line,
- "HOSTIP_HOST_LINE": hostip_host_line,
- "DOMAINGUID": domainguid,
- "DATESTRING": time.strftime("%Y%m%d%H"),
- "DEFAULTSITE": DEFAULTSITE,
- "NTDSGUID": ntdsguid,
- "HOSTIP6_BASE_LINE": hostip6_base_line,
- "HOSTIP6_HOST_LINE": hostip6_host_line,
- "GC_MSDCS_IP_LINE": gc_msdcs_ip_line,
- "GC_MSDCS_IP6_LINE": gc_msdcs_ip6_line,
- })
- # note that we use no variable substitution on this file
- # the substitution is done at runtime by samba_dnsupdate
- setup_file(setup_path("dns_update_list"), paths.dns_update_list, None)
- # and the SPN update list
- setup_file(setup_path("spn_update_list"), paths.spn_update_list, None)
- if paths.bind_gid is not None:
- try:
- os.chown(dns_dir, -1, paths.bind_gid)
- os.chown(paths.dns, -1, paths.bind_gid)
- # chmod needed to cope with umask
- os.chmod(dns_dir, 0775)
- os.chmod(paths.dns, 0664)
- except OSError:
- if not os.environ.has_key('SAMBA_SELFTEST'):
- logger.error("Failed to chown %s to bind gid %u" % (
- dns_dir, paths.bind_gid))
- if targetdir is None:
- os.system(rndc + " unfreeze " + lp.get("realm"))
- def create_dns_update_list(lp, logger, paths):
- """Write out a dns_update_list file"""
- # note that we use no variable substitution on this file
- # the substitution is done at runtime by samba_dnsupdate
- setup_file(setup_path("dns_update_list"), paths.dns_update_list, None)
- setup_file(setup_path("spn_update_list"), paths.spn_update_list, None)
- def create_named_conf(paths, realm, dnsdomain,
- private_dir):
- """Write out a file containing zone statements suitable for inclusion in a
- named.conf file (including GSS-TSIG configuration).
- :param paths: all paths
- :param realm: Realm name
- :param dnsdomain: DNS Domain name
- :param private_dir: Path to private directory
- :param keytab_name: File name of DNS keytab file
- """
- setup_file(setup_path("named.conf"), paths.namedconf, {
- "DNSDOMAIN": dnsdomain,
- "REALM": realm,
- "ZONE_FILE": paths.dns,
- "REALM_WC": "*." + ".".join(realm.split(".")[1:]),
- "NAMED_CONF": paths.namedconf,
- "NAMED_CONF_UPDATE": paths.namedconf_update
- })
- setup_file(setup_path("named.conf.update"), paths.namedconf_update)
- def create_named_txt(path, realm, dnsdomain, dnsname, private_dir,
- keytab_name):
- """Write out a file containing zone statements suitable for inclusion in a
- named.conf file (including GSS-TSIG configuration).
- :param path: Path of the new named.conf file.
- :param realm: Realm name
- :param dnsdomain: DNS Domain name
- :param private_dir: Path to private directory
- :param keytab_name: File name of DNS keytab file
- """
- setup_file(setup_path("named.txt"), path, {
- "DNSDOMAIN": dnsdomain,
- "DNSNAME" : dnsname,
- "REALM": realm,
- "DNS_KEYTAB": keytab_name,
- "DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name),
- "PRIVATE_DIR": private_dir
- })
- def create_krb5_conf(path, dnsdomain, hostname, realm):
- """Write out a file containing zone statements suitable for inclusion in a
- named.conf file (including GSS-TSIG configuration).
- :param path: Path of the new named.conf file.
- :param dnsdomain: DNS Domain name
- :param hostname: Local hostname
- :param realm: Realm name
- """
- setup_file(setup_path("krb5.conf"), path, {
- "DNSDOMAIN": dnsdomain,
- "HOSTNAME": hostname,
- "REALM": realm,
- })
- class ProvisioningError(Exception):
- """A generic provision error."""
- def __init__(self, value):
- self.value = value
- def __str__(self):
- return "ProvisioningError: " + self.value
- class InvalidNetbiosName(Exception):
- """A specified name was not a valid NetBIOS name."""
- def __init__(self, name):
- super(InvalidNetbiosName, self).__init__(
- "The name '%r' is not a valid NetBIOS name" % name)
Add Comment
Please, Sign In to add comment