#!/usr/bin/python
#
# backend code for upgrading from Samba3
# Copyright Jelmer Vernooij 2005-2007
# Released under the GNU GPL v3 or later
#
"""Support code for upgrading from Samba 3 to Samba 4."""
from provision import findnss
import provision
import grp
import pwd
import uuid
def regkey_to_dn(name):
"""Convert a registry key to a DN.
:name: The registry key name.
:return: A matching DN."""
dn = "hive=NONE"
if name == "":
return dn
for el in name.split("/"):
dn = "key=%s," % el + dn
return dn
# Where prefix is any of:
# - HKLM
# HKU
# HKCR
# HKPD
# HKPT
#
def upgrade_registry(regdb,prefix,ldb):
"""Migrate registry contents."""
assert regdb is not None
prefix_up = prefix.upper()
ldif = []
for rk in regdb.keys:
pts = rk.name.split("/")
# Only handle selected hive
if pts[0].upper() != prefix_up:
continue
keydn = regkey_to_dn(rk.name)
pts = rk.name.split("/")
# Convert key name to dn
ldif[rk.name] = """
dn: %s
name: %s
""" % (keydn, pts[0])
for rv in rk.values:
ldif[rk.name + " (" + rv.name + ")"] = """
dn: %s,value=%s
value: %s
type: %d
data:: %s""" % (keydn, rv.name, rv.name, rv.type, ldb.encode(rv.data))
return ldif
def upgrade_sam_policy(samba3,dn):
ldif = """
dn: %s
changetype: modify
replace: minPwdLength
minPwdLength: %d
pwdHistoryLength: %d
minPwdAge: %d
maxPwdAge: %d
lockoutDuration: %d
samba3ResetCountMinutes: %d
samba3UserMustLogonToChangePassword: %d
samba3BadLockoutMinutes: %d
samba3DisconnectTime: %d
""" % (dn, samba3.policy.min_password_length,
samba3.policy.password_history, samba3.policy.minimum_password_age,
samba3.policy.maximum_password_age, samba3.policy.lockout_duration,
samba3.policy.reset_count_minutes, samba3.policy.user_must_logon_to_change_password,
samba3.policy.bad_lockout_minutes, samba3.policy.disconnect_time)
return ldif
def upgrade_sam_account(ldb,acc,domaindn,domainsid):
"""Upgrade a SAM account."""
if acc.nt_username is None or acc.nt_username == "":
acc.nt_username = acc.username
if acc.fullname is None:
acc.fullname = pwd.getpwnam(acc.fullname)[4]
acc.fullname = acc.fullname.split(",")[0]
if acc.fullname is None:
acc.fullname = acc.username
assert acc.fullname is not None
assert acc.nt_username is not None
ldif = """dn: cn=%s,%s
objectClass: top
objectClass: user
lastLogon: %d
lastLogoff: %d
unixName: %s
sAMAccountName: %s
cn: %s
description: %s
primaryGroupID: %d
badPwdcount: %d
logonCount: %d
samba3Domain: %s
samba3DirDrive: %s
samba3MungedDial: %s
samba3Homedir: %s
samba3LogonScript: %s
samba3ProfilePath: %s
samba3Workstations: %s
samba3KickOffTime: %d
samba3BadPwdTime: %d
samba3PassLastSetTime: %d
samba3PassCanChangeTime: %d
samba3PassMustChangeTime: %d
objectSid: %s-%d
lmPwdHash:: %s
ntPwdHash:: %s
""" % (ldb.dn_escape(acc.fullname), domaindn, acc.logon_time, acc.logoff_time, acc.username, acc.nt_username, acc.nt_username,
acc.acct_desc, acc.group_rid, acc.bad_password_count, acc.logon_count,
acc.domain, acc.dir_drive, acc.munged_dial, acc.homedir, acc.logon_script,
acc.profile_path, acc.workstations, acc.kickoff_time, acc.bad_password_time,
acc.pass_last_set_time, acc.pass_can_change_time, acc.pass_must_change_time, domainsid, acc.user_rid,
ldb.encode(acc.lm_pw), ldb.encode(acc.nt_pw))
return ldif
def upgrade_sam_group(group,domaindn):
"""Upgrade a SAM group."""
if group.sid_name_use == 5: # Well-known group
return None
if group.nt_name in ("Domain Guests", "Domain Users", "Domain Admins"):
return None
if group.gid == -1:
gr = grp.getgrnam(grp.nt_name)
else:
gr = grp.getgrgid(grp.gid)
if gr is None:
group.unixname = "UNKNOWN"
else:
group.unixname = gr.gr_name
assert group.unixname is not None
ldif = """dn: cn=%s,%s
objectClass: top
objectClass: group
description: %s
cn: %s
objectSid: %s
unixName: %s
samba3SidNameUse: %d
""" % (group.nt_name, domaindn,
group.comment, group.nt_name, group.sid, group.unixname, group.sid_name_use)
return ldif
def upgrade_winbind(samba3,domaindn):
ldif = """
dn: dc=none
userHwm: %d
groupHwm: %d
""" % (samba3.idmap.user_hwm, samba3.idmap.group_hwm)
for m in samba3.idmap.mappings:
ldif += """
dn: SID=%s,%s
SID: %s
type: %d
unixID: %d""" % (m.sid, domaindn, m.sid, m.type, m.unix_id)
return ldif
def upgrade_wins(samba3):
"""Upgrade the WINS database."""
ldif = ""
version_id = 0
for e in samba3.winsentries:
now = sys.nttime()
ttl = sys.unix2nttime(e.ttl)
version_id+=1
numIPs = len(e.ips)
if e.type == 0x1C:
rType = 0x2
elif e.type & 0x80:
if numIPs > 1:
rType = 0x2
else:
rType = 0x1
else:
if numIPs > 1:
rType = 0x3
else:
rType = 0x0
if ttl > now:
rState = 0x0 # active
else:
rState = 0x1 # released
nType = ((e.nb_flags & 0x60)>>5)
ldif += """
dn: name=%s,type=0x%02X
type: 0x%02X
name: %s
objectClass: winsRecord
recordType: %u
recordState: %u
nodeType: %u
isStatic: 0
expireTime: %s
versionID: %llu
""" % (e.name, e.type, e.type, e.name,
rType, rState, nType,
ldaptime(ttl), version_id)
for ip in e.ips:
ldif += "address: %s\n" % ip
ldif += """
dn: CN=VERSION
objectClass: winsMaxVersion
maxVersion: %llu
""" % version_id
return ldif
def upgrade_provision(lp, samba3):
domainname = samba3.configuration.get("workgroup")
if domainname is None:
domainname = samba3.secrets.domains[0].name
print "No domain specified in smb.conf file, assuming '%s'\n" % domainname
domsec = samba3.find_domainsecrets(domainname)
hostsec = samba3.find_domainsecrets(hostname())
realm = samba3.configuration.get("realm")
if realm is None:
realm = domainname
print "No realm specified in smb.conf file, assuming '%s'\n" % realm
random_init(local)
subobj.realm = realm
subobj.domain = domainname
if domsec is not None:
subobj.DOMAINGUID = domsec.guid
subobj.DOMAINSID = domsec.sid
else:
print "Can't find domain secrets for '%s'; using random SID and GUID\n" % domainname
subobj.DOMAINGUID = uuid.random()
subobj.DOMAINSID = randsid()
if hostsec:
hostguid = hostsec.guid
subobj.krbtgtpass = randpass(12)
subobj.machinepass = randpass(12)
subobj.adminpass = randpass(12)
subobj.datestring = datestring()
subobj.root = findnss(pwd.getpwnam, "root")[4]
subobj.nobody = findnss(pwd.getpwnam, "nobody")[4]
subobj.nogroup = findnss(grp.getgrnam, "nogroup", "nobody")[2]
subobj.wheel = findnss(grp.getgrnam, "wheel", "root")[2]
subobj.users = findnss(grp.getgrnam, "users", "guest", "other")[2]
subobj.dnsdomain = subobj.realm.lower()
subobj.dnsname = "%s.%s" % (subobj.hostname.lower(), subobj.dnsdomain)
subobj.basedn = "DC=" + ",DC=".join(subobj.realm.split("."))
rdn_list = subobj.dnsdomain.split(".")
subobj.domaindn = "DC=" + ",DC=".join(rdn_list)
subobj.domaindn_ldb = "users.ldb"
subobj.rootdn = subobj.domaindn
modules_list = ["rootdse",
"kludge_acl",
"paged_results",
"server_sort",
"extended_dn",
"asq",
"samldb",
"password_hash",
"operational",
"objectclass",
"rdn_name",
"show_deleted",
"partition"]
subobj.modules_list = ",".join(modules_list)
return subobj
smbconf_keep = [
"dos charset",
"unix charset",
"display charset",
"comment",
"path",
"directory",
"workgroup",
"realm",
"netbios name",
"netbios aliases",
"netbios scope",
"server string",
"interfaces",
"bind interfaces only",
"security",
"auth methods",
"encrypt passwords",
"null passwords",
"obey pam restrictions",
"password server",
"smb passwd file",
"private dir",
"passwd chat",
"password level",
"lanman auth",
"ntlm auth",
"client NTLMv2 auth",
"client lanman auth",
"client plaintext auth",
"read only",
"hosts allow",
"hosts deny",
"log level",
"debuglevel",
"log file",
"smb ports",
"large readwrite",
"max protocol",
"min protocol",
"unicode",
"read raw",
"write raw",
"disable netbios",
"nt status support",
"announce version",
"announce as",
"max mux",
"max xmit",
"name resolve order",
"max wins ttl",
"min wins ttl",
"time server",
"unix extensions",
"use spnego",
"server signing",
"client signing",
"max connections",
"paranoid server security",
"socket options",
"strict sync",
"max print jobs",
"printable",
"print ok",
"printer name",
"printer",
"map system",
"map hidden",
"map archive",
"preferred master",
"prefered master",
"local master",
"browseable",
"browsable",
"wins server",
"wins support",
"csc policy",
"strict locking",
"preload",
"auto services",
"lock dir",
"lock directory",
"pid directory",
"socket address",
"copy",
"include",
"available",
"volume",
"fstype",
"panic action",
"msdfs root",
"host msdfs",
"winbind separator"]
def upgrade_smbconf(oldconf,mark):
"""Remove configuration variables not present in Samba4
:param oldconf: Old configuration structure
:param mark: Whether removed configuration variables should be
kept in the new configuration as "samba3:<name>"
"""
data = oldconf.data()
newconf = param_init()
for s in data:
for p in data[s]:
keep = False
for k in smbconf_keep:
if smbconf_keep[k] == p:
keep = True
break
if keep:
newconf.set(s, p, oldconf.get(s, p))
elif mark:
newconf.set(s, "samba3:"+p, oldconf.get(s,p))
if oldconf.get("domain logons") == "True":
newconf.set("server role", "domain controller")
else:
if oldconf.get("security") == "user":
newconf.set("server role", "standalone")
else:
newconf.set("server role", "member server")
return newconf
def upgrade(subobj, samba3, message, paths, session_info, credentials):
ret = 0
lp = loadparm_init()
samdb = Ldb(paths.samdb, session_info=session_info, credentials=credentials)
message("Writing configuration")
newconf = upgrade_smbconf(samba3.configuration,True)
newconf.save(paths.smbconf)
message("Importing account policies")
ldif = upgrade_sam_policy(samba3,subobj.BASEDN)
samdb.modify(ldif)
regdb = Ldb(paths.hklm)
regdb.modify("""
dn: value=RefusePasswordChange,key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=System,HIVE=NONE
replace: type
type: 4
replace: data
data: %d
""" % samba3.policy.refuse_machine_password_change)
message("Importing users")
for account in samba3.samaccounts:
msg = "... " + account.username
ldif = upgrade_sam_account(samdb, accounts,subobj.BASEDN,subobj.DOMAINSID)
try:
samdb.add(ldif)
except LdbError, e:
# FIXME: Ignore 'Record exists' errors
msg += "... error: " + str(e)
ret += 1;
message(msg)
message("Importing groups")
for mapping in samba3.groupmappings:
msg = "... " + mapping.nt_name
ldif = upgrade_sam_group(mapping, subobj.BASEDN)
if ldif is not None:
try:
samdb.add(ldif)
except LdbError, e:
# FIXME: Ignore 'Record exists' errors
msg += "... error: " + str(e)
ret += 1
message(msg)
message("Importing registry data")
for hive in ["hkcr","hkcu","hklm","hkpd","hku","hkpt"]:
message("... " + hive)
regdb = Ldb(paths[hive])
ldif = upgrade_registry(samba3.registry, hive, regdb)
for j in ldif:
msg = "... ... " + j
try:
regdb.add(ldif[j])
except LdbError, e:
# FIXME: Ignore 'Record exists' errors
msg += "... error: " + str(e)
ret += 1
message(msg)
message("Importing WINS data")
winsdb = Ldb(paths.winsdb)
ldb_erase(winsdb)
ldif = upgrade_wins(samba3)
winsdb.add(ldif)
# figure out ldapurl, if applicable
ldapurl = None
pdb = samba3.configuration.get_list("passdb backend")
if pdb is not None:
for backend in pdb:
if len(backend) >= 7 and backend[0:7] == "ldapsam":
ldapurl = backend[7:]
# URL was not specified in passdb backend but ldap /is/ used
if ldapurl == "":
ldapurl = "ldap://%s" % samba3.configuration.get("ldap server")
# Enable samba3sam module if original passdb backend was ldap
if ldapurl is not None:
message("Enabling Samba3 LDAP mappings for SAM database")
samdb.modify("""
dn: @MODULES
changetype: modify
replace: @LIST
@LIST: samldb,operational,objectguid,rdn_name,samba3sam
""")
samdb.add({"dn": "@MAP=samba3sam", "@MAP_URL": ldapurl})
return ret
def upgrade_verify(subobj, samba3, paths, message):
message("Verifying account policies")
samldb = Ldb(paths.samdb)
for account in samba3.samaccounts:
msg = samldb.search("(&(sAMAccountName=" + account.nt_username + ")(objectclass=user))")
assert(len(msg) >= 1)
# FIXME