Index: univention-samba4/96univention-samba4.inst
===================================================================
--- univention-samba4/96univention-samba4.inst (Revision 45021)
+++ univention-samba4/96univention-samba4.inst (Arbeitskopie)
@@ -459,6 +459,7 @@
 {
 local name="$1"
 local sid="$2"
+ local position="$3"
 shift 2
@@ -471,12 +472,12 @@
 test -z "$bindpwd" && bindpwd="$(cat /etc/ldap.secret)"
 udm groups/group create "$@" --ignore_exists --option=posix \
- --position "cn=Builtin,$ldap_base" \
+ --position "$position,$ldap_base" \
 --set name="$name" \
 --set adGroupType="-2147483643"
 echo ldapmodify -x -D "$binddn" -w "$bindpwd"
- echo "dn: cn=$name,cn=Builtin,$ldap_base
+ echo "dn: cn=$name,$position,$ldap_base
 changetype: modify
 add: objectClass
 objectClass: sambaGroupMapping
@@ -488,7 +489,7 @@
 sambaGroupType: 2" | ldapmodify -x -D "$binddn" -w "$bindpwd"
 if [ "$name" = "Authenticated Users" ]; then
- udm groups/group modify "$@" --dn "cn=$name,cn=Builtin,$ldap_base" \
+ udm groups/group modify "$@" --dn "cn=$name,$position,$ldap_base" \
 --append nestedGroup="cn=DC Slave Hosts,cn=groups,$ldap_base" \
 --append nestedGroup="cn=Windows Hosts,cn=groups,$ldap_base"
 fi
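Review bot: `shift 2` in the -459 hunk is not updated for the new third parameter, so after `local position="$3"` the caller's `"cn=Builtin"` / `"cn=groups"` string remains the first element of `"$@"` and is handed to `udm groups/group create "$@"` (hunk -471) and `udm groups/group modify "$@"` (hunk -488) as a stray positional argument ahead of the bind options. Change it to `shift 3`. The definition of `_create_group_with_special_sid` starts before the hunk and its body continues past it.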
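Review bot: The context line `echo ldapmodify -x -D "$binddn" -w "$bindpwd"` directly above the rewritten `echo "dn: …"` in the -471 hunk prints the bind password into the join script's output, and the real `ldapmodify … -w "$bindpwd"` call in the -488 hunk exposes it on the process command line as well; the commit touches both lines' neighbourhood but leaves this in place. If the echo is leftover debugging it should be removed, and the credential is better passed through a password file (`ldapmodify -y <file>`) than through `-w`. Interpolating `$name` and `$position` unescaped into the LDIF is acceptable only while every caller passes literal constants, which the -497 hunk currently does.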
@@ -497,11 +498,35 @@
 create_pseudo_groups () {
- _create_group_with_special_sid "Authenticated Users" "S-1-5-11" "$@"
- _create_group_with_special_sid "World Authority" "S-1-1" "$@"
- _create_group_with_special_sid "Everyone" "S-1-1-0" "$@"
- _create_group_with_special_sid "Null Authority" "S-1-0" "$@"
- _create_group_with_special_sid "Nobody" "S-1-0-0" "$@"
+ _create_group_with_special_sid "Authenticated Users" "S-1-5-11" "cn=Builtin" "$@"
+ _create_group_with_special_sid "World Authority" "S-1-1" "cn=Builtin" "$@"
+ _create_group_with_special_sid "Everyone" "S-1-1-0" "cn=Builtin" "$@"
+ _create_group_with_special_sid "Null Authority" "S-1-0" "cn=Builtin" "$@"
+ _create_group_with_special_sid "Nobody" "S-1-0-0" "cn=Builtin" "$@"
+ _create_group_with_special_sid "Enterprise Domain Controllers" "S-1-5-9" "cn=groups" "$@"
+ # _create_group_with_special_sid "Remote Interactive Logon" "S-1-5-14" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "SChannel Authentication" "S-1-5-64-14" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Digest Authentication" "S-1-5-64-21" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Terminal Server User" "S-1-5-13" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "NTLM Authentication" "S-1-5-64-10" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Other Organization" "S-1-5-1000" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "This Organization" "S-1-5-15" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Anonymous Logon" "S-1-5-7" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Network Service" "S-1-5-20" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Creator Group" "S-1-3-1" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Creator Owner" "S-1-3-0" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Local Service" "S-1-5-19" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Owner Rights" "S-1-3-4" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Interactive" "S-1-5-4" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Restricted" "S-1-5-12" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Network" "S-1-5-2" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Service" "S-1-5-6" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Dialup" "S-1-5-1" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "System" "S-1-5-18" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Batch" "S-1-5-3" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Proxy" "S-1-5-8" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "IUSR" "S-1-5-17" "cn=Builtin" "$@"
+ # _create_group_with_special_sid "Self" "S-1-5-10" "cn=Builtin" "$@"
 }
 ### --- END helper functions ---
@@ -673,6 +698,8 @@
 fi
+ create_pseudo_groups "$@"
+
 if [ $JS_LAST_EXECUTED_VERSION -lt 6 ]; then
 ## add server to Enterprise Domain Controllers group if it exists
 if univention-ldapsearch -x sambaSID='S-1-5-9' cn | grep -q '^cn:'; then
@@ -819,8 +846,6 @@
 univention-config-registry unset create/home/share
 fi
-create_pseudo_groups "$@"
-
 /etc/init.d/samba-ad-dc restart
 # To prevent a DRS replication conflict:
Index: univention-samba4/lib/base.sh
===================================================================
--- univention-samba4/lib/base.sh (Revision 45020)
+++ univention-samba4/lib/base.sh (Arbeitskopie)
@@ -75,29 +75,6 @@
 %EOF
 }
-create_Enterprise_Domain_Controllers() {
- ## Note: This is actually joinscript code, but needs to be put here, to be called also from
- ## univention-s4-connector.postinst because the joinscript version could not be increased
- ## for the errata update.
- ## Note: S4 Connector currently does not synchronize it to the Samba4 foreignSecurityPrincipal
- ## having the same builtin SID. Additionally it should be put to the group/ignorelist,
- ## as it would cause rejects.
- ##
- ## attempt to create group with correct builtin SID
- if /usr/share/univention-samba4/scripts/create_group_Enterprise_Domain_Controllers.py "$@"; then
-
- ## update local group cache
- . /usr/share/univention-lib/ucr.sh
- is_ucr_true nss/group/cachefile
- if [ $? != 1 ]; then ## $? = 2 would indicate an unset variable.
- if is_ucr_true nss/group/cachefile/check_member; then
- option='--check_member'
- fi
- /usr/lib/univention-pam/ldap-group-to-file.py "${option[@]}"
- fi
- fi
-}
-
 remove_non_samba4_dc_srv_records() {
 ldif=$(univention-ldapsearch -LLLx "(&(objectClass=univentionDomainController)(univentionService=Samba 4))" cn associatedDomain | ldapsearch-wrapper)
Index: univention-samba4/scripts/create_group_Enterprise_Domain_Controllers.py
===================================================================
--- univention-samba4/scripts/create_group_Enterprise_Domain_Controllers.py (Revision 45020)
+++ univention-samba4/scripts/create_group_Enterprise_Domain_Controllers.py (Arbeitskopie)
@@ -1,122 +0,0 @@
-#!/usr/bin/python2.6
-#
-# Copyright 2013 Univention GmbH
-#
-# http://www.univention.de/
-#
-# All rights reserved.
-#
-# The source code of this program is made available
-# under the terms of the GNU Affero General Public License version 3
-# (GNU AGPL V3) as published by the Free Software Foundation.
-#
-# Binary versions of this program provided by Univention to you as
-# well as other copyrighted, protected or trademarked materials like
-# Logos, graphics, fonts, specific documentations and configurations,
-# cryptographic keys etc. are subject to a license agreement between
-# you and Univention and not subject to the GNU AGPL V3.
-#
-# In the case you use this program under the terms of the GNU AGPL V3,
-# the program is provided in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public
-# License with the Debian GNU/Linux or Univention distribution in file
-# /usr/share/common-licenses/AGPL-3; if not, see
-# .
-
-import sys
-import univention.admin.allocators
-import univention.admin.uldap
-from optparse import OptionParser, OptionValueError
-from univention.config_registry import ConfigRegistry
-
-from optparse import (OptionParser,BadOptionError,AmbiguousOptionError)
-
-class PassThroughOptionParser(OptionParser):
- """
- An unknown option pass-through implementation of OptionParser.
-
- When unknown arguments are encountered, bundle with largs and try again,
- until rargs is depleted.
-
- sys.exit(status) will still be called if a known argument is passed
- incorrectly (e.g. missing arguments or bad argument types, etc.)
- """
- def _process_args(self, largs, rargs, values):
- while rargs:
- try:
- OptionParser._process_args(self,largs,rargs,values)
- except (BadOptionError,AmbiguousOptionError), e:
- largs.append(e.opt_str)
-
-def create_group_Enterprise_Domain_Controllers(lo):
-
- position = univention.admin.uldap.position(lo.base)
-
- sambaSID = "S-1-5-9"
- groupName = "Enterprise Domain Controllers"
- groupDN = "cn=%s,cn=groups,%s" % (groupName, lo.base)
-
- alloc = []
- try:
- uid = univention.admin.allocators.request(lo, position, 'groupName', value=groupName)
- alloc.append(("groupName",groupName))
- except univention.admin.uexceptions.noLock, e:
- univention.admin.allocators.release(lo, position, 'groupName', groupName)
- print "Group already exists"
- sys.exit(1)
-
- ldap_filter = "(&(univentionService=Samba 4)(objectClass=univentionDomainController))"
- s4dc_dnlist = lo.searchDn(ldap_filter, lo.base)
- s4dc_uidlist = [ "%s$" % univention.admin.uldap.explodeDn(s4dcdn, 1)[0] for s4dcdn in s4dc_dnlist ]
-
- gidNumber = univention.admin.allocators.request(lo, position, 'gidNumber')
- alloc.append(("gidNumber",gidNumber))
-
- ocs = ["top", "posixGroup", "univentionGroup", "sambaGroupMapping", "univentionObject"]
- al = [("objectClass", ocs)]
- al.append(("gidNumber", [gidNumber]))
- al.append(("sambaSID", [sambaSID]))
- al.append(("sambaGroupType", ["5"]))
- al.append(("uniqueMember", s4dc_dnlist))
- al.append(("memberUid", s4dc_uidlist))
- al.append(("univentionObjectType", "groups/group"))
- try:
- lo.add(groupDN, al)
- except Exception, err:
- print "Exception:", err
- for i, j in alloc:
- univention.admin.allocators.release(lo, position, i, j)
- for i, j in alloc:
- univention.admin.allocators.confirm(lo, position, i, j)
-
-if __name__ == "__main__":
- parser = PassThroughOptionParser()
- parser.add_option("--binddn", dest="binddn")
- parser.add_option("--bindpwd", dest="bindpw")
- parser.add_option("--bindpwdfile", dest="bindpwdfile")
- opts, args = parser.parse_args()
-
- ucr = ConfigRegistry()
- ucr.load()
-
- if not opts.binddn:
- try:
- opts.bindpw = open('/etc/ldap.secret').read().rstrip('\n')
- opts.binddn = "cn=admin,%s" % ucr['ldap/base']
- except IOError:
- fatal('Could not read /etc/ldap.secret')
-
- if opts.bindpwdfile and not opts.bindpw:
- opts.bindpw = open(opts.bindpwdfile, 'r').read().strip()
-
- try:
- lo = univention.admin.uldap.access(host=ucr['ldap/master'], port=int(ucr.get('ldap/master/port', '7389')), base=ucr['ldap/base'], binddn=opts.binddn, bindpw=opts.bindpw, start_tls=2)
- except Exception, e:
- print "Error during uldap.access: ", str(e)
- sys.exit(1)
-
- create_group_Enterprise_Domain_Controllers(lo)
Index: univention-s4-connector/97univention-s4-connector.inst
===================================================================
--- univention-s4-connector/97univention-s4-connector.inst (Revision 45022)
+++ univention-s4-connector/97univention-s4-connector.inst (Arbeitskopie)
@@ -149,9 +149,6 @@
 /etc/init.d/univention-s4-connector restart
- ## Note: This group is created only once (usually during initial join) by the host providing the S4 Connector service
- create_Enterprise_Domain_Controllers "$@"
-
 univention-config-registry set dns/backend=samba4
 if [ -x /etc/init.d/bind9 ]; then
 /etc/init.d/bind9 restart