a í( a‡ã@s:dZdZddlZddlZddlZddlmZmZddlm Z ddl m Z m Z m Z ddlmZddlmZdd lmZdd lmZmZmZdd lmZdd lmZdd lmZddlmZddlmZddlm Z dd„Z!d)dd„Z"dd„Z#dd„Z$dd„Z%dd„Z&dd„Z'dd „Z(d!ej)iZ*d"d#„Z+d$d%„Z,d*d'd(„Z-dS)+z3Support code for upgrading from Samba 3 to Samba 4.ZrestructuredTextéN)ÚLdbÚregistry)ÚLoadParm)Ú provisionÚProvisioningErrorÚ setsysvolacl)Ú FILL_FULL)Úpassdb)Úparam)ÚlsaÚsamrÚsecurity)Údom_sid)Ú Credentials)Údsdb)Úndr_pack)Ú unix2nttime)Úgenerate_random_passwordc Csft ¡}| ¡|_d|vr6t t|dƒtjd¡|d<d|vrZt t|dƒtjd¡|d<d|vr|d}t| dƒ}t t|ƒtjd ¡|d <d |vrä|d }|d ks¸|d ks¸|dkr¾d}nt| dƒ}t t|ƒtjd¡|d<d|vr|d}t|dƒ} t t| ƒtjd¡|d<z|  |¡Wn8tj y`} z|  dt| ƒ¡WYd} ~ n d} ~ 00dS)zŽImport a Samba 3 policy. :param samdb: Samba4 SAM database :param policy: Samba3 account policy :param logger: Logger object zmin password lengthZ minPwdLengthÚa01zpassword historyZpwdHistoryLengthZa02zminimum password agegÐcAZ minPwdAgeZa03zmaximum password ageéÿÿÿÿrlÿÿlûÿÿÿZ maxPwdAgeZa04zlockout durationé<ZlockoutDurationZa05z"Could not set account policy, (%s)N) ÚldbÚMessageÚget_default_basednÚdnÚMessageElementÚstrÚFLAG_MOD_REPLACEÚintrÚmodifyÚLdbErrorÚwarn) ÚsamdbÚpolicyÚloggerÚmZmin_pw_age_unixZ min_pw_age_ntZmax_pw_age_unixZ max_pw_age_ntZlockout_duration_minsZlockout_duration_ntÚe©r'ú//usr/lib/python3/dist-packages/samba/upgrade.pyÚimport_sam_policy*sD ÿÿÿÿ   ÿr)c CsÖz”t ¡} t |dt|ƒ¡| _|dkrpt t|ƒtjd¡| d<t t|ƒtjd¡| d<t t|ƒtjd¡| d<t t|ƒtjd¡| d<| | ¡Wn<tjyÐ} z"|  dt|ƒt| ƒ¡WYd} ~ n d} ~ 00dS) awAdd posix attributes for the user/group :param samdb: Samba4 sam.ldb database :param sid: user/group sid :param sid: user/group name :param nisdomain: name of the (fake) NIS domain :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID) :param home: user homedir (Unix homepath) :param shell: user shell :param pgid: users primary group id úÚ ID_TYPE_UIDZunixHomeDirectoryÚ loginShellÚ gidNumberZmsSFU30NisDomainz7Could not add posix attrs for AD entry for sid=%s, (%s)N) rrÚDnrrrrrr r!) r$r"ÚsidÚnameÚ nisdomainÚxid_typeÚhomeÚshellÚpgidr%r&r'r'r(Úadd_posix_attrsbs, ÿ ÿ ÿ ÿ þr6c Csàz–t ¡}t |dt|ƒ¡|_|dkrVt t|ƒtjd¡|d<t dtjd¡|d<n4|dkrŠt t|ƒtjd¡|d<t dtjd¡|d<| |¡WnDtj yÚ}z*|  d t|ƒt|ƒ|t|ƒ¡WYd }~n d }~00d S) zÚCreate idmap entry :param samdb: Samba4 sam.ldb database :param sid: user/group sid :param xid: user/group id :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID) :param logger: Logger object r*r+Z uidNumberZ posixAccountÚ objectClassÚ ID_TYPE_GIDr-Z posixGroupz?Could not modify AD idmap entry for sid=%s, id=%s, type=%s (%s)N) rrr.rrrrÚ FLAG_MOD_ADDrr r!)r"r/Úxidr2r$r%r&r'r'r(Úadd_ad_posix_idmap_entry…s.  ÿÿ  ÿÿþr;c Cs>d}|jdt|ƒd}|jdkr&d}|rÂzPt ¡}|dd|_t t|ƒtjd¡|d<t |tjd ¡|d <| |¡WnDtj y¾}z*|  d t|ƒt|ƒ|t|ƒ¡WYd }~n d }~00nxz0|  d t|ƒt|ƒd t |ƒ|t|ƒdœ¡WnFtj y8}z*|  dt|ƒt|ƒ|t|ƒ¡WYd }~n d }~00d S)zÚCreate idmap entry :param idmapdb: Samba4 IDMAP database :param sid: user/group sid :param xid: user/group id :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID) :param logger: Logger object Fz objectSid=%s)Ú expressionéTrrÚ xidNumberÚtypezz9Could not add idmap entry for sid=%s, id=%s, type=%s (%s)) ÚsearchrÚcountrrrrrrr r!Úaddr) Úidmapdbr/r:r2r$ÚfoundÚmsgr%r&r'r'r(Úadd_idmap_entry¤sB   ÿÿþû þrHc Cs z | ¡}Wn6tyB}z| dt|ƒ¡WYd}~dSd}~00t| ¡| ¡ƒ}|}t ¡}t  |d¡|_ t  t|ƒtj d¡|d<t  t|ƒtj d¡|d<|  |¡| ¡D]R\}} |dkrÈd} n|d krÖd } n| d |¡q²| | |¡} t|t| ƒ| | |ƒq²dS) z¡Import idmap data. :param idmapdb: Samba4 IDMAP database :param samba3_idmap: Samba3 IDMAP database to import from :param logger: Logger object z(Cannot open idmap database, Ignoring: %sNz CN=CONFIGZ lowerBoundÚ lowerboundr>ZUIDr+ZGIDr8z+Wrong type of entry in idmap (%s), Ignoring)Z get_idmap_dbÚIOErrorr!rÚmaxZ get_user_hwmZ get_group_hwmrrr.rrrrZidsZget_sidrHr) rEÚsamba3r$Z samba3_idmapr&Z currentxidrIr%Zid_typer:r2r/r'r'r(Ú import_idmapÏs2  ÿ ÿ   rMc Csðz"|jdt|jƒtjd}d}WnLtjyn}z2|j\}}|tjkrNd}n t ||¡‚WYd}~n d}~00|rœ| dt|jƒ|j |ddd¡nP|j t j krÊ|j  ¡\}} |t tj¡krÊdSt ¡} t |d ¡| _| j dd |j ¡| j | ¡¡t d tjd ¡| d <t t|jƒtjd ¡| d <t |j tjd¡| d<|jrdt |jtjd¡| d<|j t jks€|j t j kršt ttjƒtjd¡| d<z|j| dgdWn<tjyê} z | d|j t| ƒ¡WYd} ~ n d} ~ 00dS)zšAdd or modify group from group mapping entry param samdb: Samba4 SAM database param groupmap: Groupmap entry param logger: Logger object r*)ÚbaseÚscopeTFNzJGroup already exists sid=%s, groupname=%s existing_groupname=%s, Ignoring.rZsAMAccountNamez CN=X,CN=UsersZCNÚgroupr7rAZ descriptionZ groupTypezrelax:0)Zcontrolsz Could not add group name=%s (%s))rBrr/rZ SCOPE_BASEr ÚargsÚERR_NO_SUCH_OBJECTr!Únt_nameÚ sid_name_user ÚSID_NAME_WKN_GRPÚsplitr rÚ SID_BUILTINrr.rZ set_componentZadd_baserrr9rZcommentÚSID_NAME_ALIASrZ!GTYPE_SECURITY_DOMAIN_LOCAL_GROUPrD) r"Zgroupmapr$rGrFZe1ÚecodeÚemsgÚ group_dom_sidÚridr%r&r'r'r(Úadd_group_from_mapping_entryösR ÿ  "ÿ ÿ ÿ ÿ ÿr]c CsÜ|D]Ò}t ¡}t |dt|jƒ¡|_t dt|ƒtjd¡|d<z| |¡Wqtj yÔ}zh|j \}}|tj krŒ|  d||j|¡n4|tj kr¬td||j|fƒ‚ntd||j|fƒ‚WYd}~qd}~00qdS)z±Add user/member to group/alias param samdb: Samba4 SAM database param group: Groupmap object param members: List of member SIDs param logger: Logger object r*Úmemberrz/skipped re-adding member '%s' to group '%s': %szXCould not add member '%s' to group '%s' as either group or user record doesn't exist: %sz+Could not add member '%s' to group '%s': %sN)rrr.rr/rrr9rr rQZERR_ENTRY_ALREADY_EXISTSÚdebugrRr) r"rPÚmembersr$Z member_sidr%r&rYrZr'r'r(Úadd_users_to_group.s   rac Csd}| ¡D]ì\}\}}}|d7}t| dd¡ddƒ}|dkrFd}n6|d@rft|ƒdkr`d}q|d}nt|ƒdkrxd}nd}|t ¡krŽd} nd} |d @d ?} | d t| d¡ƒ| d¡d| d¡dd t|ƒt| ƒt| ƒt  |¡d t|ƒ|dœ ¡q | dddt|ƒdœ¡dS)zžImport settings from a Samba3 WINS database. :param samba4_winsdb: WINS database to import to :param samba3_winsdb: WINS database to import from rr=ú#éééé€éé`ézname=%s,type=0x%sZ winsRecordÚ0) rr?r0r7Z recordTypeZ recordStateZnodeTypeZ expireTimeZisStaticZ versionIDZaddressz cn=VERSIONZVERSIONZwinsMaxVersion)rr@r7Z maxVersionN) ÚitemsrrVÚlenÚtimerDÚtuplerrZ timestring) Z samba4_winsdbÚ samba3_winsdbZ version_idr0ZttlZipsZnb_flagsr?ZrTypeZrStateZnTyper'r'r(Ú import_winsGsD      ö ýrpZHKLMc sh‡fdd„}| ¡D]N}||ƒ}| |¡D] }||ƒq*| |¡ ¡D]\}\}}| |||¡qFqdS)z³Import a Samba 3 registry database into the Samba 4 registry. :param samba4_registry: Samba 4 registry handle. :param samba3_regdb: Samba 3 registry database handle. cs0| dd¡\}}t|}| dd¡}ˆ ||¡S)Nú/r=ú\)rVÚSAMBA3_PREDEF_NAMESÚreplaceZ create_key)ZkeypathZ predef_nameZ predef_id©Úsamba4_registryr'r(Úensure_key_exists†s z*import_registry..ensure_key_existsN)ÚkeysZsubkeysÚvaluesrkZ set_value) rvZ samba3_regdbrwÚkeyZ key_handleZsubkeyZ value_nameZ value_typeZ value_datar'rur(Úimport_registry€s   r{c Csˆz|j|tjd||gd}Wn8tjyV}ztd|||fƒ‚WYd}~n6d}~00|jdkrr|d|dS| d||¡t‚dS)zúGet posix attributes from a samba3 ldap backend :param ldbs: a list of ldb connection objects :param base_dn: the base_dn of the connection :param user: the user to get the attribute for :param attr: the attribute to be retrieved z%(&(objectClass=posixAccount)(uid=%s)))rOr<Úattrsz=Failed to retrieve attribute %s for user %s, the error is: %sNr=rz0LDAP entry for user %s contains more than one %s)rBrZ SCOPE_SUBTREEr rrCÚwarningÚKeyError)r$Ú ldb_objectÚbase_dnÚuserÚattrrGr&r'r'r(Ú get_posix_attr_from_ldap_backend”s ÿþ ( rƒFc=sN|j ¡}|j d¡}|j d¡} |j d¡} |j d¡durL|j dd¡z | ¡} Wn>ty–} z&td| d¡t| ƒfƒ‚WYd} ~ n d} ~ 00|s´|   ¡d }|  d |¡| sæ|d ksÈ|d krÒtd ƒ‚n|  ¡} |  d| ¡d} z|   | ¡}Wnt yd}Yn0|j d¡ d¡d  ¡dkr||j d¡}|j d¡}|  |¡}|durftdƒ‚| d¡ d¡}d}n d}d}d}|  ¡t |j d¡¡| ¡}z t ¡‰Wn"tjyØtd|ƒ‚Yn0z| d| ¡}Wntjy d}d}Yn0|j ¡\}}| d¡| ¡}| d¡| ¡}i}|D]ì}|j ¡\}}|ˆkrv|| krv|d} |jt j!kròz| "|j¡}||t|jƒ<WnJtjyì} z.| #d |j$|j| ¡WYd} ~ qFWYd} ~ n d} ~ 00qF|jt j%krlz| &|j¡}||t|jƒ<WnJtjyh} z.| #d |j$|j| ¡WYd} ~ qFWYd} ~ n d} ~ 00nÆ|jt j'kr|j ¡\}}|t( )t(j*¡kr¬| #d!|j$¡qFz| "|j¡}||t|jƒ<WnJtjy} z.| #d |j$|j| ¡WYd} ~ qFWYd} ~ n d} ~ 00n| #d"|j$|j|j¡qFqF| d#¡| +d ¡}i} i}!d}"|D].}#|rx||#d$krxqZ|#d%}$|#d$dkr¤| d&|#d$|$¡qZ|#d$| kr¾|#d$d} | |$¡}%|%j,t-j.t-j/Bt-j0Bt-j1B@}&|&t-j0kr"| #d'|$dd(…¡|%j,t-j0@t-j/B|%_,n<|&t-j1krL| #d)|$dd(…¡qZn|&t-j/krz|$d(d*krz| #d+|$¡qZnä|&t-j.t-j/Bkrº|$d(d*krº| #d,|$¡|%j,t-j.@|%_,n¤|&t-j.t-j0Bkrú|$d(d*krú| #d-|$¡|%j,t-j.@|%_,nd|&d kr"|$d(d*kr"|%j,t-j.B|%_,n<|&t-j.ks^|&t-j/krƒ‚i}/i}0i}1| rJt;ƒ}2|2 <|j¡|2 =|¡|2 >|¡|j d¡ dd¡d d?¡}3|3 ¡D]V}4zt?|4|2d@}5Wn8t@jA y>} ztdA|4| fƒ‚WYd} ~ nd} ~ 00 qJqò| dB¡| +d ¡}|D]$}#|#d%}$|$|! B¡v rbz0| rœtC||5||$dCƒ|/|$<nt3 4|$¡jD|/|$<Wn&t yÂYntE yÔYn0z0| rôtC||5||$dDƒ|0|$<nt3 4|$¡jF|0|$<Wn&t yYntE y,Yn0z0| rLtC||5||$dEƒ|1|$<nt3 4|$¡jG|1|$<Wn&t yrYntE y„Yn0 qb| dF¡d}6z | H¡}6Wn6t yÚ} z| #dGt| ƒ¡WYd} ~ n d} ~ 00|d k sô|d k sôdH}|" rtIdIdJƒ}7nd}7tJ|||| |ˆ| ||7tKjL|  6¡||tM||d|ddK}8|8 N|¡| dL¡|6 rjtOt?|8jPjQƒ|6ƒ| dM¡tR|8jS||ƒ| dN¡tT|8jU||ƒtV W¡}9|9 X|8jjY¡|9 d|8j d¡¡|9 dO|8j dO¡¡|9 dP|8j dP¡¡t Z|9 d¡¡}:|8jS [¡| dQ¡zh| dR¡|D]T};|;j\d(k r t]|8jS|;|ƒt^|8jS|;j|;j\dS|ƒt_|8jS|;j|;j$| 6¡dS|dT q Wn|8jS `¡‚Yn0| dU¡|8jS a¡| dV¡| dW¡| D]J}$|$ 6¡d0k r| |$jt)tˆƒdXƒk r| dY| |$jt)tˆƒdXƒf¡tdZƒ‚|$ 6¡d/k rZ| |$jt)tˆƒdXƒk rP| #d[¡n | #d\¡|: b| |$¡|$|!v r¾t^|8jS| |$j|!|$d]|ƒ|$|/v r¾|/|$du r¾|$|0v r¾|0|$du r¾|$|1v r¾|1|$du r¾t_|8jS| |$j|$| 6¡d]|/|$|0|$|1|$|d^  q¾| d_¡|8jS [¡z:|D]0};t|;jƒ|vr&tc|8jS|;|t|;jƒ|ƒq&Wn|8jS `¡‚Yn0| d`¡|8jS a¡|"r| da¡|: d0¡}<| |"jd|<_d| |"jerÆ| |"je|<_e| |"jf|<_f| |"jgrê| |"jg|<_g|: h|<¡| db|"¡|8jdckrJti|8jS|8jPjj|8jPjk|8jPjl|8jPjmt( )|8jn¡|8jojp|8jojq|8j|ƒ dS)dz×Upgrade from samba3 database to samba4 AD database :param samba3: samba3 object :param logger: Logger object :param targetdir: samba4 database directory :param session_info: Session information Z workgroupÚrealmz netbios namezldapsam:trustedNZyesz‚Could not open '%s', the Samba3 secrets database: %s. Perhaps you specified the incorrect smb.conf, --testparm or --dbdir option?z secrets.tdbrz6No workgroup specified in smb.conf file, assuming '%s'ZROLE_DOMAIN_BDCZROLE_DOMAIN_PDCzéNo realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create.z2No realm specified in smb.conf file, assuming '%s'ièzpassdb backendú:Zldapsamz ldap suffixz ldap admin dnz¬ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation.zutf-8úTFz private dirz(Can't find domain sid for '%s', Exiting.z%s$zExporting account policyzExporting groupsr=z4Ignoring group '%s' %s listed but then not found: %szOIgnoring 'well known' group '%s' (should already be in AD, and have no members)z+Ignoring group '%s' %s with sid_name_use=%dzExporting usersr\Ú account_namez- Skipping wellknown rid=%d (for username=%s)zk Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'rzZ Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trustú$zŸ Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration.zŽ Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain memberz Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain memberaFailed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X). Please fix this account before attempting to upgrade again ÚrootZ administratorz)Ignoring group memberships of '%s' %s: %sz Next rid = %dcSsg|] }|j‘qSr')rS©Ú.0Úgr'r'r(Ú óz'upgrade_from_samba3..cSsg|] }|d‘qS)r‡r'©r‹Úur'r'r(r‚rŽz4Following names are both user names and group names:z %sz5Please remove common user/group names before upgrade.cSsg|]}t|jƒ‘qSr')rr/rŠr'r'r(r‹rŽz9Please remove duplicate group sid entries before upgrade.csg|]}dˆ|df‘qS)z%s-%ur\r'r©Ú domainsidr'r(rŽrŽz8Please remove duplicate user sid entries before upgrade.z,Following sids are both user and group sids:z3Please remove duplicate sid entries before upgrade.ú")Z credentialsz=Could not open ldb connection to %s, the error message is: %szExporting posix attributesZ homeDirectoryr,r-zReading WINS databasez'Cannot open wins database, Ignoring: %sZNONEé é )Ú targetdirr„Zdomainr’Únext_ridZdc_ridÚ adminpassZdom_for_fun_levelZhostnameÚ machinepassÚ serverroleZ samdb_fillÚuseeadbÚ dns_backendZ use_rfc2307Ú use_ntvfsZskip_sysvolaclzImporting WINS databasezImporting Account policyzImporting idmap databasezstate directoryzlock directoryz Adding groupszImporting groupsr8)r"r/r0r1r2r$z+Committing 'add groups' transaction to diskz Adding userszImporting usersz-500zPUser 'Administrator' in your existing directory has SID %s, expected it to be %szPUser 'Administrator' in your existing directory does not have SID ending in -500z,User root has been replaced by AdministratorzbUser root has been kept in the directory, it should be removed in favour of the Administrator userr+) r"r/r0r1r2r3r4r5r$zAdding users to groupsz4Committing 'add users to groups' transaction to diskz"Setting password for administratorzsD          8ÿ #+'85ÿÿ