author | Andrew Bartlett <abartlet@samba.org> | 2014-08-08 18:43:47 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2014-09-01 00:36:42 +0200 |
commit | 204337f454d1225fb7bf8525448000f2c30e0011 (patch) | |
tree | 267ddbc0ed0d2fbc0f383d4bf95bbb65d31305fd /python | |
parent | 79ee8fc82cf3f96d64419a905b46d20ce2c17a64 (diff) | |
provision: Use names.domainsid and names.domainguid
This is better than passing around parameters to functions all over
the provision stack and makes it easier to pass in a separate forest
SID when we start to support subdomains.
Change-Id: I3787f4f3433ca04628f888135c7c0c8195379542
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Diffstat (limited to 'python')
-rw-r--r-- | python/samba/join.py | 14 | ||||
-rw-r--r-- | python/samba/provision/__init__.py | 69 | ||||
-rw-r--r-- | python/samba/provision/sambadns.py | 18 |
3 files changed, 55 insertions, 46 deletions
diff --git a/python/samba/join.py b/python/samba/join.py index 1b61109f99..63f83767e0 100644 --- a/python/samba/join.py +++ b/python/samba/join.py @@ -95,6 +95,7 @@ class dc_join(object): ctx.schema_dn = str(ctx.samdb.get_schema_basedn()) ctx.config_dn = str(ctx.samdb.get_config_basedn()) ctx.domsid = ctx.samdb.get_domain_sid() + ctx.forestsid = ctx.domsid ctx.domain_name = ctx.get_domain_name() ctx.forest_domain_name = ctx.get_forest_domain_name() ctx.invocation_id = misc.GUID(str(uuid.uuid4())) @@ -729,6 +730,9 @@ class dc_join(object): ctx.paths = presult.paths ctx.names = presult.names + # Fix up the forestsid, it may be different if we are joining as a subdomain + ctx.names.forestsid = ctx.forestsid + def join_provision_own_domain(ctx): """Provision the local SAM.""" @@ -750,19 +754,18 @@ class dc_join(object): raise DCJoinException("Can't find naming context on partition DN %s in %s" % (ctx.partition_dn, ctx.samdb.url)) try: - domguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID'))) + ctx.names.domainguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID'))) except KeyError: raise DCJoinException("Can't find GUID in naming master on partition DN %s" % res[0]['ncName'][0]) - ctx.logger.info("Got domain GUID %s" % domguid) + ctx.logger.info("Got domain GUID %s" % ctx.names.domainguid) ctx.logger.info("Calling own domain provision") secrets_ldb = Ldb(ctx.paths.secrets, session_info=system_session(), lp=ctx.lp) presult = provision_fill(ctx.local_samdb, secrets_ldb, - ctx.logger, ctx.names, ctx.paths, domainsid=security.dom_sid(ctx.domsid), - domainguid=domguid, + ctx.logger, ctx.names, ctx.paths, dom_for_fun_level=DS_DOMAIN_FUNCTION_2003, targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN, machinepass=ctx.acct_pass, serverrole="active directory domain controller", 
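Review bot: In the hunk at @@ -729 the fix-up `ctx.names.forestsid = ctx.forestsid` stores the SID in whatever form ctx.domsid had, while names.domainsid holds whatever provision() stored from its domainsid argument; the removed call site wrapped ctx.domsid in `security.dom_sid(...)` before handing it to provision_fill, and join_subdomain (@@ -1206 on the next line) assigns `str(security.random_sid())` to ctx.domsid, so forestsid and domainsid plausibly end up with different types (str versus dom_sid). Downstream code that compares or formats the two would then behave inconsistently; normalising at the fix-up, `ctx.names.forestsid = security.dom_sid(str(ctx.forestsid))`, keeps a single type. The same question applies to `ctx.forestsid = ctx.domsid` at @@ -95 and @@ -1206. The enclosing methods start before and continue after these hunks.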
@@ -927,7 +930,7 @@ class dc_join(object): key_version_number=ctx.key_version_number) if ctx.dns_backend.startswith("BIND9_"): - setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid), + setup_bind9_dns(ctx.local_samdb, secrets_ldb, ctx.names, ctx.paths, ctx.lp, ctx.logger, dns_backend=ctx.dns_backend, dnspass=ctx.dnspass, os_level=ctx.behavior_version, @@ -1206,6 +1209,7 @@ def join_subdomain(logger=None, server=None, creds=None, lp=None, site=None, logger.info("DNS name of new naming master is %s" % ctx.server) ctx.base_dn = samba.dn_from_dns_name(dnsdomain) + ctx.forestsid = ctx.domsid ctx.domsid = str(security.random_sid()) ctx.acct_dn = None ctx.dnshostname = "%s.%s" % (ctx.myname.lower(), ctx.dnsdomain) diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index 477c5ddc4b..06daa0ec7d 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -164,6 +164,9 @@ class ProvisionNames(object): self.hostname = None self.sitename = None self.smbconf = None + self.domainsid = None + self.forestsid = None + self.domainguid = None self.name_map = {} @@ -262,6 +265,7 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, "objectSid","msDS-Behavior-Version" ]) names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0])) names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0]) + names.forestsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0]) if res6[0].get("msDS-Behavior-Version") is None or \ int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000: names.domainlevel = DS_DOMAIN_FUNCTION_2000 
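Review bot: In the provision/__init__.py hunk at @@ -262, `names.forestsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])` decodes the same attribute that the preceding line already decoded into names.domainsid; `names.forestsid = names.domainsid` says the same thing without the second unpack. It also fixes forestsid to the local domain's SID whenever an existing install is re-read, which is only right while every DC is a forest root; the join.py hunk at @@ -1206 on this line already provisions subdomains with a forestsid that differs from domsid, so re-reading such an install would disagree with what was provisioned. A comment such as `# TODO: read the forest root domain's objectSid once subdomain DCs are supported; this assumes domain == forest` would flag that for the follow-up the commit message promises. find_provision_key_parameters continues outside the hunk.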
@@ -1219,7 +1223,7 @@ def setup_samdb(path, session_info, provision_backend, lp, names, return samdb -def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, +def fill_samdb(samdb, lp, names, logger, policyguid, policyguid_dc, fill, adminpass, krbtgtpass, machinepass, dns_backend, dnspass, invocationid, ntdsguid, serverrole, am_rodc=False, dom_for_fun_level=None, schema=None, next_rid=None, dc_rid=None): @@ -1266,23 +1270,23 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, samdb.set_opaque_integer("domainControllerFunctionality", domainControllerFunctionality) - samdb.set_domain_sid(str(domainsid)) + samdb.set_domain_sid(str(names.domainsid)) samdb.set_invocation_id(invocationid) logger.info("Adding DomainDN: %s" % names.domaindn) # impersonate domain admin - admin_session_info = admin_session(lp, str(domainsid)) + admin_session_info = admin_session(lp, str(names.domainsid)) samdb.set_session_info(admin_session_info) - if domainguid is not None: - domainguid_line = "objectGUID: %s\n-" % domainguid + if names.domainguid is not None: + domainguid_line = "objectGUID: %s\n-" % names.domainguid else: domainguid_line = "" - descr = b64encode(get_domain_descriptor(domainsid)) + descr = b64encode(get_domain_descriptor(names.domainsid)) setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), { "DOMAINDN": names.domaindn, - "DOMAINSID": str(domainsid), + "DOMAINSID": str(names.domainsid), "DESCRIPTOR": descr, "DOMAINGUID": domainguid_line }) 
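Review bot: fill_samdb at @@ -1266 now reads names.domainsid and names.domainguid, but nothing checks that the caller populated them; ProvisionNames defaults both to None (hunk at @@ -164), so a caller that forgot would reach `samdb.set_domain_sid(str(names.domainsid))` and write the literal string "None" instead of failing, whereas the old signature at least failed on a missing positional argument. A guard at the top of the function, `if names.domainsid is None: raise ProvisioningError("names.domainsid must be set before fill_samdb()")`, turns that into an immediate, explicit error. The same substitution is repeated in the hunks at @@ -1301, @@ -1335, @@ -1379, @@ -1388, @@ -1398, @@ -1427, @@ -1441 and @@ -1452 and needs no further change. fill_samdb's docstring, if it has one, sits outside the hunk and should state that the domain SID and GUID are taken from names.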
@@ -1301,7 +1305,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it if fill == FILL_FULL: logger.info("Adding configuration container") - descr = b64encode(get_config_descriptor(domainsid)) + descr = b64encode(get_config_descriptor(names.domainsid)) setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), { "CONFIGDN": names.configdn, "DESCRIPTOR": descr, @@ -1335,12 +1339,12 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, if fill == FILL_FULL: logger.info("Setting up sam.ldb configuration data") - partitions_descr = b64encode(get_config_partitions_descriptor(domainsid)) - sites_descr = b64encode(get_config_sites_descriptor(domainsid)) - ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(domainsid)) - protected1_descr = b64encode(get_config_delete_protected1_descriptor(domainsid)) - protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid)) - protected2_descr = b64encode(get_config_delete_protected2_descriptor(domainsid)) + partitions_descr = b64encode(get_config_partitions_descriptor(names.domainsid)) + sites_descr = b64encode(get_config_sites_descriptor(names.domainsid)) + ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(names.domainsid)) + protected1_descr = b64encode(get_config_delete_protected1_descriptor(names.domainsid)) + protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)) + protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid)) setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), { "CONFIGDN": names.configdn, 
@@ -1379,7 +1383,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, }) logger.info("Adding users container") - users_desc = b64encode(get_domain_users_descriptor(domainsid)) + users_desc = b64encode(get_domain_users_descriptor(names.domainsid)) setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), { "DOMAINDN": names.domaindn, "USERS_DESCRIPTOR": users_desc @@ -1388,7 +1392,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), { "DOMAINDN": names.domaindn}) logger.info("Adding computers container") - computers_desc = b64encode(get_domain_computers_descriptor(domainsid)) + computers_desc = b64encode(get_domain_computers_descriptor(names.domainsid)) setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), { "DOMAINDN": names.domaindn, "COMPUTERS_DESCRIPTOR": computers_desc 
@@ -1398,11 +1402,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, setup_path("provision_computers_modify.ldif"), { "DOMAINDN": names.domaindn}) logger.info("Setting up sam.ldb data") - infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid)) - lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(domainsid)) - system_desc = b64encode(get_domain_delete_protected1_descriptor(domainsid)) - builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid)) - controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid)) + infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(names.domainsid)) + lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(names.domainsid)) + system_desc = b64encode(get_domain_delete_protected1_descriptor(names.domainsid)) + builtin_desc = b64encode(get_domain_builtin_descriptor(names.domainsid)) + controllers_desc = b64encode(get_domain_controllers_descriptor(names.domainsid)) setup_add_ldif(samdb, setup_path("provision.ldif"), { "CREATTIME": str(samba.unix2nttime(int(time.time()))), "DOMAINDN": names.domaindn, @@ -1427,7 +1431,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "SCHEMADN": names.schemadn}) logger.info("Setting up well known security principals") - protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid)) + protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)) setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), { "CONFIGDN": names.configdn, "WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr, 
@@ -1441,7 +1445,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, logger.info("Setting up sam.ldb users and groups") setup_add_ldif(samdb, setup_path("provision_users.ldif"), { "DOMAINDN": names.domaindn, - "DOMAINSID": str(domainsid), + "DOMAINSID": str(names.domainsid), "ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')), "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le')) }) @@ -1452,7 +1456,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, dns_backend=dns_backend, dnspass=dnspass, machinepass=machinepass, - domainsid=domainsid, + domainsid=names.domainsid, next_rid=next_rid, dc_rid=dc_rid, policyguid=policyguid, @@ -1747,7 +1751,7 @@ def interface_ips_v6(lp): def provision_fill(samdb, secrets_ldb, logger, names, paths, - domainsid, schema=None, + schema=None, targetdir=None, samdb_fill=FILL_FULL, hostip=None, hostip6=None, next_rid=1000, dc_rid=None, adminpass=None, krbtgtpass=None, @@ -1778,7 +1782,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, dnspass = samba.generate_random_password(128, 255) samdb = fill_samdb(samdb, lp, names, logger=logger, - domainsid=domainsid, schema=schema, domainguid=domainguid, + schema=schema, policyguid=policyguid, policyguid_dc=policyguid_dc, fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass, invocationid=invocationid, machinepass=machinepass, 
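Review bot: The provision_fill signature hunk at @@ -1747 drops domainsid, but the rest of the parameter list lies outside the hunk; the call in provision() (@@ -2152 on the next line) stops passing `domainguid=domainguid` and the fill_samdb call at @@ -1778 no longer forwards it, so if provision_fill still declares a `domainguid` parameter further down it is now accepted and silently ignored. Either remove it from the signature or, if it must stay for compatibility, document it as `:param domainguid: ignored, names.domainguid is used instead` so callers do not assume it takes effect. provision_fill's body continues past the hunk.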
@@ -1795,14 +1799,14 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, policyguid_dc) if not skip_sysvolacl: setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid, - paths.root_gid, domainsid, names.dnsdomain, + paths.root_gid, names.domainsid, names.dnsdomain, names.domaindn, lp, use_ntvfs) else: logger.info("Setting acl on sysvol skipped") secretsdb_self_join(secrets_ldb, domain=names.domain, realm=names.realm, dnsdomain=names.dnsdomain, - netbiosname=names.netbiosname, domainsid=domainsid, + netbiosname=names.netbiosname, domainsid=names.domainsid, machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC) # Now set up the right msDS-SupportedEncryptionTypes into the DB @@ -1823,7 +1827,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, # It might be that this attribute does not exist in this schema raise - setup_ad_dns(samdb, secrets_ldb, domainsid, names, paths, lp, logger, + setup_ad_dns(samdb, secrets_ldb, names, paths, lp, logger, hostip=hostip, hostip6=hostip6, dns_backend=dns_backend, dnspass=dnspass, os_level=dom_for_fun_level, targetdir=targetdir, fill_level=samdb_fill) @@ -2049,6 +2053,9 @@ def provision(logger, session_info, smbconf=None, names.hostip = hostip names.hostip6 = hostip6 + names.domainguid = domainguid + names.domainsid = domainsid + names.forestsid = domainsid if serverrole is None: serverrole = lp.get("server role") @@ -2152,9 +2159,9 @@ def provision(logger, session_info, smbconf=None, if samdb_fill == FILL_FULL: provision_fill(samdb, secrets_ldb, logger, names, paths, schema=schema, targetdir=targetdir, samdb_fill=samdb_fill, - hostip=hostip, hostip6=hostip6, domainsid=domainsid, + hostip=hostip, hostip6=hostip6, next_rid=next_rid, dc_rid=dc_rid, adminpass=adminpass, - krbtgtpass=krbtgtpass, domainguid=domainguid, + krbtgtpass=krbtgtpass, policyguid=policyguid, policyguid_dc=policyguid_dc, invocationid=invocationid, machinepass=machinepass, ntdsguid=ntdsguid, dns_backend=dns_backend, 
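Review bot: At @@ -2049 the three assignments `names.domainguid = domainguid`, `names.domainsid = domainsid` and `names.forestsid = domainsid` are the only place provision() hands the SIDs and GUID to the rest of the stack, yet they sit unannotated among the host address fields. A one-line comment, `# From here on fill_samdb()/setup_ad_dns() read the SID/GUID from names, not parameters; forestsid == domainsid until subdomain provisioning is supported`, records the contract this commit introduces. Whether `domainsid` has already been normalised to a dom_sid object at this point is not visible in the hunk; if it can still be a str here, normalising before the assignment keeps every consumer of names.domainsid on one type. provision() starts before and continues after the hunk.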
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py index 66696e83f9..aca9116eec 100644 --- a/python/samba/provision/sambadns.py +++ b/python/samba/provision/sambadns.py @@ -1033,14 +1033,13 @@ def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn, domainguid, ntdsguid) -def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, +def setup_ad_dns(samdb, secretsdb, names, paths, lp, logger, dns_backend, os_level, dnspass=None, hostip=None, hostip6=None, targetdir=None, fill_level=FILL_FULL): """Provision DNS information (assuming GC role) :param samdb: LDB object connected to sam.ldb file :param secretsdb: LDB object connected to secrets.ldb file - :param domainsid: Domain SID (as dom_sid object) :param names: Names shortcut :param paths: Paths shortcut :param lp: Loadparm object @@ -1097,12 +1096,12 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, # Create CN=System logger.info("Creating CN=MicrosoftDNS,CN=System,%s" % domaindn) - create_dns_legacy(samdb, domainsid, domaindn, dnsadmins_sid) + create_dns_legacy(samdb, names.domainsid, domaindn, dnsadmins_sid) if os_level == DS_DOMAIN_FUNCTION_2000: # Populating legacy dns logger.info("Populating CN=MicrosoftDNS,CN=System,%s" % domaindn) - fill_dns_data_legacy(samdb, domainsid, domaindn, dnsdomain, site, + fill_dns_data_legacy(samdb, names.domainsid, domaindn, dnsdomain, site, hostname, hostip, hostip6, dnsadmins_sid) elif dns_backend in ("SAMBA_INTERNAL", "BIND9_DLZ") and \ 
@@ -1110,30 +1109,29 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, # Create DNS partitions logger.info("Creating DomainDnsZones and ForestDnsZones partitions") - create_dns_partitions(samdb, domainsid, names, domaindn, forestdn, + create_dns_partitions(samdb, names.domainsid, names, domaindn, forestdn, dnsadmins_sid, fill_level) # Populating dns partitions logger.info("Populating DomainDnsZones and ForestDnsZones partitions") - fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn, + fill_dns_data_partitions(samdb, names.domainsid, site, domaindn, forestdn, dnsdomain, dnsforest, hostname, hostip, hostip6, domainguid, names.ntdsguid, dnsadmins_sid, fill_level=fill_level) if dns_backend.startswith("BIND9_"): - setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, + setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger, dns_backend, os_level, site=site, dnspass=dnspass, hostip=hostip, hostip6=hostip6, targetdir=targetdir) -def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, +def setup_bind9_dns(samdb, secretsdb, names, paths, lp, logger, dns_backend, os_level, site=None, dnspass=None, hostip=None, hostip6=None, targetdir=None, key_version_number=None): """Provision DNS information (assuming BIND9 backend in DC role) :param samdb: LDB object connected to sam.ldb file :param secretsdb: LDB object connected to secrets.ldb file - :param domainsid: Domain SID (as dom_sid object) :param names: Names shortcut :param paths: Paths shortcut :param lp: Loadparm object 
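Review bot: In the hunk at @@ -1110, `create_dns_partitions(samdb, names.domainsid, names, domaindn, forestdn, ...)` passes both names and names.domainsid, and `create_samdb_copy(samdb, logger, paths, names, names.domainsid, domainguid)` at @@ -1174 on the next line does the same; now that the SID lives on names, the separate argument is redundant and those callees could take it from names as this commit already did for setup_ad_dns and setup_bind9_dns. Separately, the ForestDnsZones partition is created and filled with names.domainsid even though names.forestsid now exists; if the forest-wide partition's descriptor is meant to reference forest-root principals, this call is where forestsid will matter once it can differ from domainsid. A comment at the call, `# domainsid is used for both DomainDnsZones and ForestDnsZones; revisit when forestsid != domainsid`, would mark that. setup_ad_dns starts before the hunk.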
@@ -1174,7 +1172,7 @@ def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, ntdsguid=names.ntdsguid) if dns_backend == "BIND9_DLZ" and os_level >= DS_DOMAIN_FUNCTION_2003: - create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid) + create_samdb_copy(samdb, logger, paths, names, names.domainsid, domainguid) create_named_conf(paths, realm=names.realm, dnsdomain=names.dnsdomain, dns_backend=dns_backend, |