Attachment #5516 for bug #29000




{
	local name="$1"
	local sid="$2"
	local position="$3"

	shift 2
	

		test -z "$bindpwd" && bindpwd="$(cat /etc/ldap.secret)"

		udm groups/group create "$@" --ignore_exists --option=posix \
				--position "$position,$ldap_base" \
				--set name="$name" \
				--set adGroupType="-2147483643"

		echo ldapmodify -x -D "$binddn" -w "$bindpwd"
		echo "dn: cn=$name,$position,$ldap_base
changetype: modify
add: objectClass
objectClass: sambaGroupMapping

sambaGroupType: 2" | ldapmodify -x -D "$binddn" -w "$bindpwd" 
		
		if [ "$name" = "Authenticated Users" ]; then
			udm groups/group modify "$@" --dn "cn=$name,$position,$ldap_base" \
				--append nestedGroup="cn=DC Slave Hosts,cn=groups,$ldap_base" \
				--append nestedGroup="cn=Windows Hosts,cn=groups,$ldap_base"
		fi


create_pseudo_groups ()
{
	_create_group_with_special_sid "Authenticated Users" "S-1-5-11" "cn=Builtin" "$@"
	_create_group_with_special_sid "World Authority" "S-1-1" "cn=Builtin" "$@"
	_create_group_with_special_sid "Everyone" "S-1-1-0" "cn=Builtin" "$@"
	_create_group_with_special_sid "Null Authority" "S-1-0" "cn=Builtin" "$@"
	_create_group_with_special_sid "Nobody" "S-1-0-0" "cn=Builtin" "$@"
	_create_group_with_special_sid "Enterprise Domain Controllers" "S-1-5-9" "cn=groups" "$@"
	# _create_group_with_special_sid "Remote Interactive Logon" "S-1-5-14" "cn=Builtin" "$@"
	# _create_group_with_special_sid "SChannel Authentication" "S-1-5-64-14" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Digest Authentication" "S-1-5-64-21" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Terminal Server User" "S-1-5-13" "cn=Builtin" "$@"
	# _create_group_with_special_sid "NTLM Authentication" "S-1-5-64-10" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Other Organization" "S-1-5-1000" "cn=Builtin" "$@"
	# _create_group_with_special_sid "This Organization" "S-1-5-15" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Anonymous Logon" "S-1-5-7" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Network Service" "S-1-5-20" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Creator Group" "S-1-3-1" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Creator Owner" "S-1-3-0" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Local Service" "S-1-5-19" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Owner Rights" "S-1-3-4" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Interactive" "S-1-5-4" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Restricted" "S-1-5-12" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Network" "S-1-5-2" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Service" "S-1-5-6" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Dialup" "S-1-5-1" "cn=Builtin" "$@"
	# _create_group_with_special_sid "System" "S-1-5-18" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Batch" "S-1-5-3" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Proxy" "S-1-5-8" "cn=Builtin" "$@"
	# _create_group_with_special_sid "IUSR" "S-1-5-17" "cn=Builtin" "$@"
	# _create_group_with_special_sid "Self" "S-1-5-10" "cn=Builtin" "$@"
}

### --- END helper functions ---


	fi

	create_pseudo_groups "$@"

	if [ $JS_LAST_EXECUTED_VERSION -lt 6 ]; then
		## add server to Enterprise Domain Controllers group if it exists
		if univention-ldapsearch -x sambaSID='S-1-5-9' cn | grep -q '^cn:'; then

	univention-config-registry unset create/home/share
fi

create_pseudo_groups "$@"

/etc/init.d/samba-ad-dc restart

# To prevent a DRS replication conflict: 




	%EOF
}

create_Enterprise_Domain_Controllers() {
	## Note: This is actually joinscript code, but needs to be put here, to be called also from
	##       univention-s4-connector.postinst because the joinscript version could not be increased
	##       for the errata update.
	## Note: S4 Connector currently does not synchronize it to the Samba4 foreignSecurityPrincipal
	##       having the same builtin SID. Additionally it should be put to the group/ignorelist,
	##       as it would cause rejects.
	##
	## attempt to create group with correct builtin SID
	if /usr/share/univention-samba4/scripts/create_group_Enterprise_Domain_Controllers.py "$@"; then

		## update local group cache
		. /usr/share/univention-lib/ucr.sh
		is_ucr_true nss/group/cachefile
		if [ $? != 1 ]; then	## $? = 2 would indicate an unset variable.
			if is_ucr_true nss/group/cachefile/check_member; then
				option='--check_member'
			fi
			/usr/lib/univention-pam/ldap-group-to-file.py "${option[@]}"
		fi
	fi
}

remove_non_samba4_dc_srv_records() {

	ldif=$(univention-ldapsearch -LLLx "(&(objectClass=univentionDomainController)(univentionService=Samba 4))" cn associatedDomain | ldapsearch-wrapper)




#!/usr/bin/python2.6
#
# Copyright 2013 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

import sys
import univention.admin.allocators
import univention.admin.uldap
from optparse import OptionParser, OptionValueError
from univention.config_registry import ConfigRegistry

from optparse import (OptionParser,BadOptionError,AmbiguousOptionError)

class PassThroughOptionParser(OptionParser):
	"""
	An unknown option pass-through implementation of OptionParser.

	When unknown arguments are encountered, bundle with largs and try again,
	until rargs is depleted.  

	sys.exit(status) will still be called if a known argument is passed
	incorrectly (e.g. missing arguments or bad argument types, etc.)		
	"""
	def _process_args(self, largs, rargs, values):
		while rargs:
			try:
				OptionParser._process_args(self,largs,rargs,values)
			except (BadOptionError,AmbiguousOptionError), e:
				largs.append(e.opt_str)

def create_group_Enterprise_Domain_Controllers(lo):

	position = univention.admin.uldap.position(lo.base)

	sambaSID = "S-1-5-9"
	groupName = "Enterprise Domain Controllers"
	groupDN = "cn=%s,cn=groups,%s" % (groupName, lo.base)

	alloc = []
	try:
		uid = univention.admin.allocators.request(lo, position, 'groupName', value=groupName)
		alloc.append(("groupName",groupName))
	except univention.admin.uexceptions.noLock, e:
		univention.admin.allocators.release(lo, position, 'groupName', groupName)
		print "Group already exists"
		sys.exit(1)

	ldap_filter = "(&(univentionService=Samba 4)(objectClass=univentionDomainController))"
	s4dc_dnlist = lo.searchDn(ldap_filter, lo.base)
	s4dc_uidlist = [ "%s$" % univention.admin.uldap.explodeDn(s4dcdn, 1)[0] for s4dcdn in s4dc_dnlist ]

	gidNumber = univention.admin.allocators.request(lo, position, 'gidNumber')
	alloc.append(("gidNumber",gidNumber))

	ocs = ["top", "posixGroup", "univentionGroup", "sambaGroupMapping", "univentionObject"]
	al = [("objectClass", ocs)]
	al.append(("gidNumber", [gidNumber]))
	al.append(("sambaSID", [sambaSID]))
	al.append(("sambaGroupType", ["5"]))
	al.append(("uniqueMember", s4dc_dnlist))
	al.append(("memberUid", s4dc_uidlist))
	al.append(("univentionObjectType", "groups/group"))
	try:
		lo.add(groupDN, al)
	except Exception, err:
		print "Exception:", err
		for i, j in alloc:
			univention.admin.allocators.release(lo, position, i, j)
	for i, j in alloc:
		univention.admin.allocators.confirm(lo, position, i, j)

if __name__ == "__main__":
	parser = PassThroughOptionParser()
	parser.add_option("--binddn", dest="binddn")
	parser.add_option("--bindpwd", dest="bindpw")
	parser.add_option("--bindpwdfile", dest="bindpwdfile")
	opts, args = parser.parse_args()
	
	ucr = ConfigRegistry()
	ucr.load()

	if not opts.binddn:
		try:
			opts.bindpw = open('/etc/ldap.secret').read().rstrip('\n')
			opts.binddn = "cn=admin,%s" % ucr['ldap/base']
		except IOError:
			fatal('Could not read /etc/ldap.secret')

	if opts.bindpwdfile and not opts.bindpw:
		opts.bindpw = open(opts.bindpwdfile, 'r').read().strip()

	try:
		lo = univention.admin.uldap.access(host=ucr['ldap/master'], port=int(ucr.get('ldap/master/port', '7389')), base=ucr['ldap/base'], binddn=opts.binddn, bindpw=opts.bindpw, start_tls=2)
	except Exception, e:
		print "Error during uldap.access: ", str(e)
		sys.exit(1)

	create_group_Enterprise_Domain_Controllers(lo)

(-)univention-s4-connector/97univention-s4-connector.inst (-3 lines)

Lines 149-157	Link Here

149

150

	/etc/init.d/univention-s4-connector restart

150

	/etc/init.d/univention-s4-connector restart

151

152

	## Note: This group is created only once (usually during initial join) by the host providing the S4 Connector service

153

	create_Enterprise_Domain_Controllers "$@"

154

155

	univention-config-registry set dns/backend=samba4

152

	univention-config-registry set dns/backend=samba4

156

	if [ -x /etc/init.d/bind9 ]; then

153

	if [ -x /etc/init.d/bind9 ]; then

157

		/etc/init.d/bind9 restart

154

		/etc/init.d/bind9 restart

Return to bug 29000