def save(self):
enable = self.cleaned_data.get("ad_enable")
if self.__original_changed():
notifier()._clear_activedirectory_config()
started = notifier().started("activedirectory")
obj = super(ActiveDirectoryForm, self).save()
try:
utils.get_idmap_object(obj.ds_type, obj.id, obj.ad_idmap_backend)
except ObjectDoesNotExist:
log.debug('IDMAP backend {} entry does not exist, creating one.'.format(obj.ad_idmap_backend))
utils.get_idmap(obj.ds_type, obj.id, obj.ad_idmap_backend)
self.cifs.cifs_srv_netbiosname = self.cleaned_data.get("ad_netbiosname_a")
self.cifs.cifs_srv_netbiosname_b = self.cleaned_data.get("ad_netbiosname_b")
self.cifs.cifs_srv_netbiosalias = self.cleaned_data.get("ad_netbiosalias")
self.cifs.save()
if enable:
if started is True:
started = notifier().restart("activedirectory")
if started is False:
started = notifier().start("activedirectory")
if started is False:
self.instance.ad_enable = False
super(ActiveDirectoryForm, self).save()
raise ServiceFailed(
"activedirectory",
_("Active Directory failed to reload."),
)
else:
if started is True:
started = notifier().stop("activedirectory")
return obj
def add_ldap_conf(smb4_conf):
try:
ldap = LDAP.objects.all()[0]
cifs = CIFS.objects.all()[0]
except:
return
confset1(smb4_conf, "security = user")
confset1(
smb4_conf,
"passdb backend = ldapsam:%s://%s" % ("ldaps" if ldap.ldap_ssl == "on" else "ldap", ldap.ldap_hostname),
)
ldap_workgroup = cifs.cifs_srv_workgroup.upper()
confset2(smb4_conf, "ldap admin dn = %s", ldap.ldap_binddn)
confset2(smb4_conf, "ldap suffix = %s", ldap.ldap_basedn)
confset2(smb4_conf, "ldap user suffix = %s", ldap.ldap_usersuffix)
confset2(smb4_conf, "ldap group suffix = %s", ldap.ldap_groupsuffix)
confset2(smb4_conf, "ldap machine suffix = %s", ldap.ldap_machinesuffix)
confset2(smb4_conf, "ldap ssl = %s", "start tls" if (ldap.ldap_ssl == "start_tls") else "off")
confset1(smb4_conf, "ldap replication sleep = 1000")
confset1(smb4_conf, "ldap passwd sync = yes")
confset1(smb4_conf, "ldapsam:trusted = yes")
set_netbiosname(smb4_conf, ldap.ldap_netbiosname)
confset2(smb4_conf, "workgroup = %s", ldap_workgroup)
confset1(smb4_conf, "domain logons = yes")
idmap = get_idmap_object(ldap.ds_type, ldap.id, ldap.ldap_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, ldap_workgroup)
def set_idmap_rfc2307_secret():
try:
ad = ActiveDirectory.objects.all()[0]
except:
return False
domain = None
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domain = fad.netbiosname.upper()
except:
return False
args = ["/usr/local/bin/net", "-d 0", "idmap", "secret"]
net_cmd = "%s '%s' '%s'" % (string.join(
args, ' '), domain, idmap.idmap_rfc2307_ldap_user_dn_password)
p = pipeopen(net_cmd, quiet=True)
net_out = p.communicate()
if net_out and net_out[0]:
for line in net_out[0].split('\n'):
if not line:
continue
print line
ret = True
if p.returncode != 0:
print >> sys.stderr, "Failed to set idmap secret!"
ret = False
return ret
def add_ldap_conf(smb4_conf):
try:
ldap = LDAP.objects.all()[0]
cifs = CIFS.objects.all()[0]
except:
return
confset1(smb4_conf, "security = user")
confset1(
smb4_conf, "passdb backend = ldapsam:%s://%s" %
("ldaps" if ldap.ldap_ssl == 'on' else "ldap", ldap.ldap_hostname))
ldap_workgroup = cifs.cifs_srv_workgroup.upper()
confset2(smb4_conf, "ldap admin dn = %s", ldap.ldap_binddn)
confset2(smb4_conf, "ldap suffix = %s", ldap.ldap_basedn)
confset2(smb4_conf, "ldap user suffix = %s", ldap.ldap_usersuffix)
confset2(smb4_conf, "ldap group suffix = %s", ldap.ldap_groupsuffix)
confset2(smb4_conf, "ldap machine suffix = %s", ldap.ldap_machinesuffix)
confset2(smb4_conf, "ldap ssl = %s", "start tls" if
(ldap.ldap_ssl == 'start_tls') else 'off')
confset1(smb4_conf, "ldap replication sleep = 1000")
confset1(smb4_conf, "ldap passwd sync = yes")
confset1(smb4_conf, "ldapsam:trusted = yes")
confset2(smb4_conf, "workgroup = %s", ldap_workgroup)
confset1(smb4_conf, "domain logons = yes")
idmap = get_idmap_object(ldap.ds_type, ldap.id, ldap.ldap_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, ldap_workgroup)
def set_idmap_rfc2307_secret():
try:
ad = ActiveDirectory.objects.all()[0]
except:
return False
domain = None
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
domain = fad.netbiosname.upper()
except:
return False
args = ["/usr/local/bin/net", "-d 0", "idmap", "secret"]
net_cmd = "%s '%s' '%s'" % (string.join(args, " "), domain, idmap.idmap_rfc2307_ldap_user_dn_password)
p = pipeopen(net_cmd, quiet=True)
net_out = p.communicate()
if net_out and net_out[0]:
for line in net_out[0].split("\n"):
if not line:
continue
print line
ret = True
if p.returncode != 0:
print >> sys.stderr, "Failed to set idmap secret!"
ret = False
return ret
def add_activedirectory_conf(smb4_conf):
try:
ad = ActiveDirectory.objects.all()[0]
except:
return
cachedir = "/var/tmp/.cache/.samba"
try:
os.makedirs(cachedir)
os.chmod(cachedir, 0755)
except:
pass
ad_workgroup = None
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
ad_workgroup = fad.netbiosname.upper()
except:
return
set_netbiosname(smb4_conf, ad.ad_netbiosname)
confset2(smb4_conf, "workgroup = %s", ad_workgroup)
confset2(smb4_conf, "realm = %s", ad.ad_domainname.upper())
confset1(smb4_conf, "security = ADS")
confset1(smb4_conf, "client use spnego = yes")
confset2(smb4_conf, "cache directory = %s", cachedir)
confset1(smb4_conf, "local master = no")
confset1(smb4_conf, "domain master = no")
confset1(smb4_conf, "preferred master = no")
confset2(smb4_conf, "ads dns update = %s",
"yes" if ad.ad_allow_dns_updates else "no")
confset1(smb4_conf, "winbind cache time = 7200")
confset1(smb4_conf, "winbind offline logon = yes")
confset1(smb4_conf, "winbind enum users = yes")
confset1(smb4_conf, "winbind enum groups = yes")
confset1(smb4_conf, "winbind nested groups = yes")
confset2(smb4_conf, "winbind use default domain = %s",
"yes" if ad.ad_use_default_domain else "no")
confset1(smb4_conf, "winbind refresh tickets = yes")
if ad.ad_nss_info:
confset2(smb4_conf, "winbind nss info = %s", ad.ad_nss_info)
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, ad_workgroup)
confset2(smb4_conf, "allow trusted domains = %s",
"yes" if ad.ad_allow_trusted_doms else "no")
confset2(smb4_conf, "client ldap sasl wrapping = %s",
ad.ad_ldap_sasl_wrapping)
confset1(smb4_conf, "template shell = /bin/sh")
confset2(smb4_conf, "template homedir = %s",
"/home/%D/%U" if not ad.ad_use_default_domain else "/home/%U")
def add_activedirectory_conf(smb4_conf):
try:
ad = ActiveDirectory.objects.all()[0]
except:
return
cachedir = "/var/tmp/.cache/.samba"
try:
os.makedirs(cachedir)
os.chmod(cachedir, 0755)
except:
pass
ad_workgroup = None
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
ad_workgroup = fad.netbiosname.upper()
except:
return
set_netbiosname(smb4_conf, ad.ad_netbiosname)
confset2(smb4_conf, "workgroup = %s", ad_workgroup)
confset2(smb4_conf, "realm = %s", ad.ad_domainname.upper())
confset1(smb4_conf, "security = ADS")
confset1(smb4_conf, "client use spnego = yes")
confset2(smb4_conf, "cache directory = %s", cachedir)
confset1(smb4_conf, "local master = no")
confset1(smb4_conf, "domain master = no")
confset1(smb4_conf, "preferred master = no")
confset2(smb4_conf, "ads dns update = %s",
"yes" if ad.ad_allow_dns_updates else "no")
confset1(smb4_conf, "winbind cache time = 7200")
confset1(smb4_conf, "winbind offline logon = yes")
confset1(smb4_conf, "winbind enum users = yes")
confset1(smb4_conf, "winbind enum groups = yes")
confset1(smb4_conf, "winbind nested groups = yes")
confset2(smb4_conf, "winbind use default domain = %s",
"yes" if ad.ad_use_default_domain else "no")
confset1(smb4_conf, "winbind refresh tickets = yes")
if ad.ad_nss_info:
confset2(smb4_conf, "winbind nss info = %s", ad.ad_nss_info)
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, ad_workgroup)
confset2(smb4_conf, "allow trusted domains = %s",
"yes" if ad.ad_allow_trusted_doms else "no")
confset2(smb4_conf, "client ldap sasl wrapping = %s",
ad.ad_ldap_sasl_wrapping)
confset1(smb4_conf, "template shell = /bin/sh")
confset2(smb4_conf, "template homedir = %s",
"/home/%D/%U" if not ad.ad_use_default_domain else "/home/%U")
def save(self):
enable = self.cleaned_data.get("ad_enable")
if self.__original_changed():
notifier()._clear_activedirectory_config()
started = notifier().started("activedirectory")
obj = super(ActiveDirectoryForm, self).save()
try:
utils.get_idmap_object(obj.ds_type, obj.id, obj.ad_idmap_backend)
except ObjectDoesNotExist:
log.debug(
'IDMAP backend {} entry does not exist, creating one.'.format(
obj.ad_idmap_backend))
utils.get_idmap(obj.ds_type, obj.id, obj.ad_idmap_backend)
self.cifs.cifs_srv_netbiosname = self.cleaned_data.get(
"ad_netbiosname_a")
self.cifs.cifs_srv_netbiosname_b = self.cleaned_data.get(
"ad_netbiosname_b")
self.cifs.cifs_srv_netbiosalias = self.cleaned_data.get(
"ad_netbiosalias")
self.cifs.save()
if enable:
if started is True:
started = notifier().restart("activedirectory")
if started is False:
started = notifier().start("activedirectory")
if started is False:
self.instance.ad_enable = False
super(ActiveDirectoryForm, self).save()
raise ServiceFailed(
"activedirectory",
_("Active Directory failed to reload."),
)
else:
if started is True:
started = notifier().stop("activedirectory")
return obj
def add_nt4_conf(smb4_conf):
# TODO: These are unused, will they be at some point?
# rid_range_start = 20000
# rid_range_end = 20000000
try:
nt4 = NT4.objects.all()[0]
except:
return
dc_ip = None
try:
answers = resolver.query(nt4.nt4_dcname, 'A')
dc_ip = answers[0]
except Exception as e:
log.debug(
"resolver query for {0}'s A record failed with {1}".format(nt4.nt4_dcname, e)
)
log_traceback(log=log)
dc_ip = nt4.nt4_dcname
nt4_workgroup = nt4.nt4_workgroup.upper()
with open("/usr/local/etc/lmhosts", "w") as f:
f.write("%s\t%s\n" % (dc_ip, nt4.nt4_dcname.upper()))
confset2(smb4_conf, "workgroup = %s", nt4_workgroup)
confset1(smb4_conf, "security = domain")
confset1(smb4_conf, "password server = *")
idmap = get_idmap_object(nt4.ds_type, nt4.id, nt4.nt4_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, nt4_workgroup)
confset1(smb4_conf, "winbind cache time = 7200")
confset1(smb4_conf, "winbind offline logon = yes")
confset1(smb4_conf, "winbind enum users = yes")
confset1(smb4_conf, "winbind enum groups = yes")
confset1(smb4_conf, "winbind nested groups = yes")
confset2(
smb4_conf, "winbind use default domain = %s", "yes" if nt4.nt4_use_default_domain else "no"
)
confset1(smb4_conf, "template shell = /bin/sh")
confset1(smb4_conf, "local master = no")
confset1(smb4_conf, "domain master = no")
confset1(smb4_conf, "preferred master = no")
def ds_get_idmap_object(self, ds_type, id, idmap_backend):
"""Temporary wrapper to serialize IDMAP objects"""
obj = get_idmap_object(ds_type, id, idmap_backend)
data = django_modelobj_serialize(self.middleware, obj)
data['idmap_backend_name'] = obj.idmap_backend_name
data['idmap_backend_type'] = obj.idmap_backend_type
# Only these types have SSL
if data['idmap_backend_type'] not in (IDMAP_TYPE_LDAP, IDMAP_TYPE_RFC2307):
return data
cert = obj.get_certificate()
if cert:
data['certificate'] = django_modelobj_serialize(self.middleware, cert)
else:
data['certificate'] = None
data['ssl'] = obj.get_ssl()
data['url'] = obj.get_url()
return data
def ds_get_idmap_object(self, ds_type, id, idmap_backend):
"""Temporary wrapper to serialize IDMAP objects"""
obj = get_idmap_object(ds_type, id, idmap_backend)
data = django_modelobj_serialize(self.middleware, obj)
data['idmap_backend_name'] = obj.idmap_backend_name
data['idmap_backend_type'] = obj.idmap_backend_type
# Only these types have SSL
if ds_type not in (IDMAP_TYPE_LDAP, IDMAP_TYPE_RFC2307):
return data
cert = obj.get_certificate()
if cert:
data['certificate'] = django_modelobj_serialize(self.middleware, cert)
else:
data['certificate'] = None
data['ssl'] = obj.get_ssl()
data['url'] = obj.get_url()
return data
def add_nt4_conf(smb4_conf):
rid_range_start = 20000
rid_range_end = 20000000
try:
nt4 = NT4.objects.all()[0]
except:
return
dc_ip = None
try:
answers = resolver.query(nt4.nt4_dcname, 'A')
dc_ip = answers[0]
except Exception as e:
dc_ip = nt4.nt4_dcname
with open("/usr/local/etc/lmhosts", "w") as f:
f.write("%s\t%s\n" % (dc_ip, nt4.nt4_workgroup.upper()))
f.close()
nt4_workgroup = nt4.nt4_workgroup.upper()
set_netbiosname(smb4_conf, nt4.nt4_netbiosname)
confset2(smb4_conf, "workgroup = %s", nt4_workgroup)
confset1(smb4_conf, "security = domain")
confset1(smb4_conf, "password server = *")
idmap = get_idmap_object(nt4.ds_type, nt4.id, nt4.nt4_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, nt4_workgroup)
confset1(smb4_conf, "winbind cache time = 7200")
confset1(smb4_conf, "winbind offline logon = yes")
confset1(smb4_conf, "winbind enum users = yes")
confset1(smb4_conf, "winbind enum groups = yes")
confset1(smb4_conf, "winbind nested groups = yes")
confset2(smb4_conf, "winbind use default domain = %s",
"yes" if nt4.nt4_use_default_domain else "no")
confset1(smb4_conf, "template shell = /bin/sh")
confset1(smb4_conf, "local master = no")
confset1(smb4_conf, "domain master = no")
confset1(smb4_conf, "preferred master = no")
def add_nt4_conf(smb4_conf):
rid_range_start = 20000
rid_range_end = 20000000
try:
nt4 = NT4.objects.all()[0]
except:
return
dc_ip = None
try:
answers = resolver.query(nt4.nt4_dcname, 'A')
dc_ip = answers[0]
except Exception as e:
dc_ip = nt4.nt4_dcname
with open("/usr/local/etc/lmhosts", "w") as f:
f.write("%s\t%s\n" % (dc_ip, nt4.nt4_workgroup.upper()))
f.close()
nt4_workgroup = nt4.nt4_workgroup.upper()
set_netbiosname(smb4_conf, nt4.nt4_netbiosname)
confset2(smb4_conf, "workgroup = %s", nt4_workgroup)
confset1(smb4_conf, "security = domain")
confset1(smb4_conf, "password server = *")
idmap = get_idmap_object(nt4.ds_type, nt4.id, nt4.nt4_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, nt4_workgroup)
confset1(smb4_conf, "winbind cache time = 7200")
confset1(smb4_conf, "winbind offline logon = yes")
confset1(smb4_conf, "winbind enum users = yes")
confset1(smb4_conf, "winbind enum groups = yes")
confset1(smb4_conf, "winbind nested groups = yes")
confset2(smb4_conf, "winbind use default domain = %s",
"yes" if nt4.nt4_use_default_domain else "no")
confset1(smb4_conf, "template shell = /bin/sh")
confset1(smb4_conf, "local master = no")
confset1(smb4_conf, "domain master = no")
confset1(smb4_conf, "preferred master = no")
def ldap_conf_activedirectory(ldap_conf):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
config = { }
config["URI"] = "%s://%s" % (
"ldaps" if ad.ssl == "on" else "ldap",
ad.domainname
)
config["BASE"] = ad.basedn
if ad.ssl in ("start_tls", "on"):
if ad.certfile:
config["TLS_CACERT"] = ad.certfile
config["TLS_REQCERT"] = "allow"
#
# So what if the AD server is configured to use SSL or TLS,
# and the idmap backend is as well? WTF? whaddoyoudo?
#
ad = models.ActiveDirectory.objects.all()[0]
if ad.ad_idmap_backend in ("rfc2307", "ldap"):
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
idmap_url = idmap.get_url()
idmap_url = re.sub('^(ldaps?://)', '', idmap_url)
config["URI"] = "%s://%s" % (
"ldaps" if idmap.get_ssl() == "on" else "ldap",
idmap_url
)
if idmap.get_ssl() in ('start_tls', 'on'):
capath = get_certificateauthority_path(idmap.get_certificate())
if capath:
config["TLS_CACERT"] = capath
config["TLS_REQCERT"] = "allow"
keys = ["URI", "BASE", "TLS_CACERT", "TLS_REQCERT"]
with open(ldap_conf, "w") as f:
for key in keys:
if key in config:
f.write("%s %s\n" % (key, config[key]))
f.close()
os.chmod(ldap_conf, 0644)
def ldap_conf_activedirectory(ldap_conf):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
config = {}
config["URI"] = "%s://%s" % ("ldaps" if ad.ssl == "on" else "ldap",
ad.domainname)
config["BASE"] = ad.basedn
if ad.ssl in ("start_tls", "on"):
if ad.certfile:
config["TLS_CACERT"] = ad.certfile
config["TLS_REQCERT"] = "allow"
#
# So what if the AD server is configured to use SSL or TLS,
# and the idmap backend is as well? WTF? whaddoyoudo?
#
ad = models.ActiveDirectory.objects.all()[0]
if ad.ad_idmap_backend in ("rfc2307", "ldap"):
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
idmap_url = idmap.get_url()
idmap_url = re.sub('^(ldaps?://)', '', idmap_url)
config["URI"] = "%s://%s" % ("ldaps" if idmap.get_ssl() == "on" else
"ldap", idmap_url)
if idmap.get_ssl() in ('start_tls', 'on'):
capath = get_certificateauthority_path(idmap.get_certificate())
if capath:
config["TLS_CACERT"] = capath
config["TLS_REQCERT"] = "allow"
keys = ["URI", "BASE", "TLS_CACERT", "TLS_REQCERT"]
with open(ldap_conf, "w") as f:
for key in keys:
if key in config:
f.write("%s %s\n" % (key, config[key]))
f.close()
os.chmod(ldap_conf, 0644)
def generate_smb4_conf(smb4_conf, role):
try:
cifs = CIFS.objects.all()[0]
except:
return
if not cifs.cifs_srv_guest:
cifs.cifs_srv_guest = 'ftp'
if not cifs.cifs_srv_filemask:
cifs.cifs_srv_filemask = "0666"
if not cifs.cifs_srv_dirmask:
cifs.cifs_srv_dirmask = "0777"
# standard stuff... should probably do this differently
confset1(smb4_conf, "[global]", space=0)
if os.path.exists("/usr/local/etc/smbusers"):
confset1(smb4_conf, "username map = /usr/local/etc/smbusers")
confset2(smb4_conf, "server min protocol = %s", cifs.cifs_srv_min_protocol)
confset2(smb4_conf, "server max protocol = %s", cifs.cifs_srv_max_protocol)
if cifs.cifs_srv_bindip:
interfaces = []
bindips = string.join(cifs.cifs_srv_bindip, ' ')
if role != 'dc':
bindips = "127.0.0.1 %s" % bindips
n = notifier()
bindips = bindips.split()
for bindip in bindips:
if not bindip:
continue
bindip = bindip.strip()
iface = n.get_interface(bindip)
if iface and n.is_carp_interface(iface):
parent_iface = n.get_parent_interface(iface)
if not parent_iface:
continue
parent_iinfo = n.get_interface_info(parent_iface[0])
if not parent_iinfo:
continue
interfaces.append("%s/%s" % (bindip, parent_iface[2]))
else:
interfaces.append(bindip)
if interfaces:
confset2(smb4_conf, "interfaces = %s", string.join(interfaces))
confset1(smb4_conf, "bind interfaces only = yes")
confset1(smb4_conf, "encrypt passwords = yes")
confset1(smb4_conf, "dns proxy = no")
confset1(smb4_conf, "strict locking = no")
confset1(smb4_conf, "oplocks = yes")
confset1(smb4_conf, "deadtime = 15")
confset1(smb4_conf, "max log size = 51200")
confset2(smb4_conf, "max open files = %d",
long(get_sysctl('kern.maxfilesperproc')) - 25)
if cifs.cifs_srv_loglevel and cifs.cifs_srv_loglevel is not True:
loglevel = cifs.cifs_srv_loglevel
else:
loglevel = "0"
if cifs.cifs_srv_syslog:
confset1(smb4_conf, "logging = syslog:%s" % loglevel)
else:
confset1(smb4_conf, "logging = file")
confset1(smb4_conf, "load printers = no")
confset1(smb4_conf, "printing = bsd")
confset1(smb4_conf, "printcap name = /dev/null")
confset1(smb4_conf, "disable spoolss = yes")
confset1(smb4_conf, "getwd cache = yes")
confset2(smb4_conf, "guest account = %s",
cifs.cifs_srv_guest.encode('utf8'))
confset1(smb4_conf, "map to guest = Bad User")
confset2(smb4_conf, "obey pam restrictions = %s",
"yes" if cifs.cifs_srv_obey_pam_restrictions else "no")
confset1(smb4_conf, "directory name cache size = 0")
confset1(smb4_conf, "kernel change notify = no")
confset1(smb4_conf,
"panic action = /usr/local/libexec/samba/samba-backtrace")
confset1(smb4_conf, "nsupdate command = /usr/local/bin/samba-nsupdate -g")
confset2(smb4_conf, "server string = %s", cifs.cifs_srv_description)
confset1(smb4_conf, "ea support = yes")
confset1(smb4_conf, "store dos attributes = yes")
confset1(smb4_conf, "lm announce = yes")
confset2(smb4_conf, "hostname lookups = %s",
"yes" if cifs.cifs_srv_hostlookup else False)
confset2(smb4_conf, "unix extensions = %s",
"no" if not cifs.cifs_srv_unixext else False)
confset2(smb4_conf, "time server = %s",
"yes" if cifs.cifs_srv_timeserver else False)
confset2(smb4_conf, "null passwords = %s",
"yes" if cifs.cifs_srv_nullpw else False)
confset2(smb4_conf, "acl allow execute always = %s",
"true" if cifs.cifs_srv_allow_execute_always else "false")
confset1(smb4_conf, "dos filemode = yes")
confset2(smb4_conf, "multicast dns register = %s",
"yes" if cifs.cifs_srv_zeroconf else "no")
if not smb4_ldap_enabled():
confset2(smb4_conf, "domain logons = %s",
"yes" if cifs.cifs_srv_domain_logons else "no")
if (not nt4_enabled() and not activedirectory_enabled()):
confset2(smb4_conf, "local master = %s",
"yes" if cifs.cifs_srv_localmaster else "no")
idmap = get_idmap_object(DS_TYPE_CIFS, cifs.id, 'tdb')
configure_idmap_backend(smb4_conf, idmap, None)
if role == 'auto':
confset1(smb4_conf, "server role = auto")
elif role == 'classic':
confset1(smb4_conf, "server role = classic primary domain controller")
elif role == 'netbios':
confset1(smb4_conf, "server role = netbios backup domain controller")
elif role == 'dc':
confset1(smb4_conf, "server role = active directory domain controller")
add_domaincontroller_conf(smb4_conf)
elif role == 'member':
confset1(smb4_conf, "server role = member server")
if nt4_enabled():
add_nt4_conf(smb4_conf)
elif smb4_ldap_enabled():
add_ldap_conf(smb4_conf)
elif activedirectory_enabled():
add_activedirectory_conf(smb4_conf)
confset2(smb4_conf, "netbios name = %s", cifs.get_netbiosname().upper())
if cifs.cifs_srv_netbiosalias:
confset2(smb4_conf, "netbios aliases = %s", cifs.cifs_srv_netbiosalias.upper())
elif role == 'standalone':
confset1(smb4_conf, "server role = standalone")
confset2(smb4_conf, "netbios name = %s", cifs.get_netbiosname().upper())
if cifs.cifs_srv_netbiosalias:
confset2(smb4_conf, "netbios aliases = %s", cifs.cifs_srv_netbiosalias.upper())
confset2(smb4_conf, "workgroup = %s", cifs.cifs_srv_workgroup.upper())
confset1(smb4_conf, "security = user")
if role != 'dc':
confset1(smb4_conf, "pid directory = /var/run/samba")
confset2(smb4_conf, "create mask = %s", cifs.cifs_srv_filemask)
confset2(smb4_conf, "directory mask = %s", cifs.cifs_srv_dirmask)
confset1(smb4_conf, "client ntlmv2 auth = yes")
confset2(smb4_conf, "dos charset = %s", cifs.cifs_srv_doscharset)
confset2(smb4_conf, "unix charset = %s", cifs.cifs_srv_unixcharset)
if cifs.cifs_srv_loglevel and cifs.cifs_srv_loglevel is not True:
confset2(smb4_conf, "log level = %s", cifs.cifs_srv_loglevel)
smb_options = cifs.cifs_srv_smb_options.encode('utf-8')
smb_options = smb_options.strip()
for line in smb_options.split('\n'):
line = line.strip()
if not line:
continue
confset1(smb4_conf, line)
def add_activedirectory_conf(smb4_conf):
rid_range_start = 20000
rid_range_end = 20000000
ad_range_start = 10000
ad_range_end = 90000000
try:
ad = ActiveDirectory.objects.all()[0]
except:
return
cachedir = "/var/tmp/.cache/.samba"
try:
os.makedirs(cachedir)
except:
pass
ad_workgroup = None
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
ad_workgroup = fad.netbiosname.upper()
except:
return
confset2(smb4_conf, "netbios name = %s", ad.ad_netbiosname.upper())
confset2(smb4_conf, "workgroup = %s", ad_workgroup)
confset2(smb4_conf, "realm = %s", ad.ad_domainname.upper())
confset1(smb4_conf, "security = ADS")
confset1(smb4_conf, "client use spnego = yes")
confset2(smb4_conf, "cache directory = %s", cachedir)
confset1(smb4_conf, "local master = no")
confset1(smb4_conf, "domain master = no")
confset1(smb4_conf, "preferred master = no")
confset1(smb4_conf, "acl check permissions = true")
confset1(smb4_conf, "acl map full control = true")
confset1(smb4_conf, "dos filemode = yes")
confset1(smb4_conf, "winbind cache time = 7200")
confset1(smb4_conf, "winbind offline logon = yes")
confset1(smb4_conf, "winbind enum users = yes")
confset1(smb4_conf, "winbind enum groups = yes")
confset1(smb4_conf, "winbind nested groups = yes")
confset2(smb4_conf, "winbind use default domain = %s",
"yes" if ad.ad_use_default_domain else "no")
confset1(smb4_conf, "winbind refresh tickets = yes")
if ad.ad_unix_extensions:
confset1(smb4_conf, "winbind nss info = rfc2307")
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, ad_workgroup)
confset2(smb4_conf, "allow trusted domains = %s",
"yes" if ad.ad_allow_trusted_doms else "no")
confset1(smb4_conf, "template shell = /bin/sh")
confset2(smb4_conf, "template homedir = %s",
"/home/%D/%U" if not ad.ad_use_default_domain else "/home/%U")
def save(self):
enable = self.cleaned_data.get("ad_enable")
enable_monitoring = self.cleaned_data.get("ad_enable_monitor")
monit_frequency = self.cleaned_data.get("ad_monitor_frequency")
monit_retry = self.cleaned_data.get("ad_recover_retry")
fqdn = self.cleaned_data.get("ad_domainname")
sm = None
if self.__original_changed():
notifier().clear_activedirectory_config()
started = notifier().started("activedirectory",
timeout=_fs().directoryservice.activedirectory.timeout.started)
obj = super(ActiveDirectoryForm, self).save()
try:
utils.get_idmap_object(obj.ds_type, obj.id, obj.ad_idmap_backend)
except ObjectDoesNotExist:
log.debug('IDMAP backend {} entry does not exist, creating one.'.format(obj.ad_idmap_backend))
utils.get_idmap(obj.ds_type, obj.id, obj.ad_idmap_backend)
self.cifs.cifs_srv_netbiosname = self.cleaned_data.get("ad_netbiosname_a")
self.cifs.cifs_srv_netbiosname_b = self.cleaned_data.get("ad_netbiosname_b")
self.cifs.cifs_srv_netbiosalias = self.cleaned_data.get("ad_netbiosalias")
self.cifs.save()
if enable:
if started is True:
timeout = _fs().directoryservice.activedirectory.timeout.restart
try:
started = notifier().restart("activedirectory", timeout=timeout)
except Exception as e:
raise MiddlewareError(
_("Active Directory restart timed out after %d seconds." % timeout),
)
if started is False:
timeout = _fs().directoryservice.activedirectory.timeout.start
try:
started = notifier().start("activedirectory", timeout=timeout)
except Exception as e:
raise MiddlewareError(
_("Active Directory start timed out after %d seconds." % timeout),
)
if started is False:
self.instance.ad_enable = False
super(ActiveDirectoryForm, self).save()
raise MiddlewareError(
_("Active Directory failed to reload."),
)
else:
if started is True:
timeout = _fs().directoryservice.activedirectory.timeout.stop
try:
started = notifier().stop("activedirectory", timeout=timeout)
except Exception as e:
raise MiddlewareError(
_("Active Directory stop timed out after %d seconds." % timeout),
)
sm_name = 'activedirectory'
try:
sm = ServiceMonitor.objects.get(sm_name=sm_name)
except Exception as e:
log.debug("XXX: Unable to find ServiceMonitor: %s", e)
pass
#
# Ports can be specified in the UI but there doesn't appear to be a way to
# override them via SRV records. This should be fixed.
#
dcport = self.get_dcport()
gcport = self.get_gcport()
if not sm:
try:
log.debug("XXX: fqdn=%s dcport=%s frequency=%s retry=%s enable=%s",
fqdn, dcport, monit_frequency, monit_retry, enable_monitoring)
sm = ServiceMonitor.objects.create(
sm_name=sm_name,
sm_host=fqdn,
sm_port=dcport,
sm_frequency=monit_frequency,
sm_retry=monit_retry,
sm_enable=enable_monitoring
)
except Exception as e:
log.debug("XXX: Unable to create ServiceMonitor: %s", e)
raise MiddlewareError(
_("Unable to create ServiceMonitor: %s" % e),
)
else:
sm.sm_name = sm_name
if fqdn != sm.sm_host:
sm.sm_host = fqdn
if dcport != sm.sm_port:
sm.sm_port = dcport
if monit_frequency != sm.sm_frequency:
sm.sm_frequency = monit_frequency
if monit_retry != sm.sm_retry:
sm.sm_retry = monit_retry
if enable_monitoring != sm.sm_enable:
sm.sm_enable = enable_monitoring
try:
sm.save(force_update=True)
except Exception as e:
log.debug("XXX: Unable to create ServiceMonitor: %s", e)
raise MiddlewareError(
_("Unable to save ServiceMonitor: %s" % e),
)
with client as c:
if enable_monitoring and enable:
log.debug("[ServiceMonitoring] Add %s service, frequency: %d, retry: %d" % ('activedirectory', monit_frequency, monit_retry))
c.call('servicemonitor.restart')
else:
log.debug("[ServiceMonitoring] Remove %s service, frequency: %d, retry: %d" % ('activedirectory', monit_frequency, monit_retry))
c.call('servicemonitor.restart')
return obj
def save(self):
enable = self.cleaned_data.get("ad_enable")
enable_monitoring = self.cleaned_data.get("ad_enable_monitor")
monit_frequency = self.cleaned_data.get("ad_monitor_frequency")
monit_retry = self.cleaned_data.get("ad_recover_retry")
fqdn = self.cleaned_data.get("ad_domainname")
if self.__original_changed():
notifier().clear_activedirectory_config()
started = notifier().started("activedirectory")
obj = super(ActiveDirectoryForm, self).save()
try:
utils.get_idmap_object(obj.ds_type, obj.id, obj.ad_idmap_backend)
except ObjectDoesNotExist:
log.debug(
'IDMAP backend {} entry does not exist, creating one.'.format(
obj.ad_idmap_backend))
utils.get_idmap(obj.ds_type, obj.id, obj.ad_idmap_backend)
self.cifs.cifs_srv_netbiosname = self.cleaned_data.get(
"ad_netbiosname_a")
self.cifs.cifs_srv_netbiosname_b = self.cleaned_data.get(
"ad_netbiosname_b")
self.cifs.cifs_srv_netbiosalias = self.cleaned_data.get(
"ad_netbiosalias")
self.cifs.save()
if enable:
if started is True:
started = notifier().restart("activedirectory", timeout=90)
if started is False:
started = notifier().start("activedirectory", timeout=90)
if started is False:
self.instance.ad_enable = False
super(ActiveDirectoryForm, self).save()
raise ServiceFailed(
"activedirectory",
_("Active Directory failed to reload."),
)
else:
if started is True:
started = notifier().stop("activedirectory", timeout=60)
with client as c:
if enable_monitoring and enable:
log.debug(
"[ServiceMonitoring] Add %s service, frequency: %d, retry: %d"
% ('activedirectory', monit_frequency, monit_retry))
c.call('service.enable_test_service_connection',
monit_frequency, monit_retry, fqdn, 3268,
'activedirectory')
else:
log.debug(
"[ServiceMonitoring] Remove %s service, frequency: %d, retry: %d"
% ('activedirectory', monit_frequency, monit_retry))
c.call('service.disable_test_service_connection',
monit_frequency, monit_retry, fqdn, 3268,
'activedirectory')
return obj
def save(self):
enable = self.cleaned_data.get("ad_enable")
enable_monitoring = self.cleaned_data.get("ad_enable_monitor")
monit_frequency = self.cleaned_data.get("ad_monitor_frequency")
monit_retry = self.cleaned_data.get("ad_recover_retry")
fqdn = self.cleaned_data.get("ad_domainname")
sm = None
if self.__original_changed():
notifier().clear_activedirectory_config()
started = notifier().started(
"activedirectory",
timeout=_fs().directoryservice.activedirectory.timeout.started)
obj = super(ActiveDirectoryForm, self).save()
try:
utils.get_idmap_object(obj.ds_type, obj.id, obj.ad_idmap_backend)
except ObjectDoesNotExist:
log.debug(
'IDMAP backend {} entry does not exist, creating one.'.format(
obj.ad_idmap_backend))
utils.get_idmap(obj.ds_type, obj.id, obj.ad_idmap_backend)
self.cifs.cifs_srv_netbiosname = self.cleaned_data.get(
"ad_netbiosname_a")
self.cifs.cifs_srv_netbiosname_b = self.cleaned_data.get(
"ad_netbiosname_b")
self.cifs.cifs_srv_netbiosalias = self.cleaned_data.get(
"ad_netbiosalias")
self.cifs.save()
if enable:
if started is True:
timeout = _fs(
).directoryservice.activedirectory.timeout.restart
try:
started = notifier().restart("activedirectory",
timeout=timeout)
except Exception as e:
raise MiddlewareError(
_("Active Directory restart timed out after %d seconds."
% timeout), )
if started is False:
timeout = _fs().directoryservice.activedirectory.timeout.start
try:
started = notifier().start("activedirectory",
timeout=timeout)
except Exception as e:
raise MiddlewareError(
_("Active Directory start timed out after %d seconds."
% timeout), )
if started is False:
self.instance.ad_enable = False
super(ActiveDirectoryForm, self).save()
raise MiddlewareError(
_("Active Directory failed to reload."), )
else:
if started is True:
timeout = _fs().directoryservice.activedirectory.timeout.stop
try:
started = notifier().stop("activedirectory",
timeout=timeout)
except Exception as e:
raise MiddlewareError(
_("Active Directory stop timed out after %d seconds." %
timeout), )
sm_name = 'activedirectory'
try:
sm = ServiceMonitor.objects.get(sm_name=sm_name)
except Exception as e:
log.debug("XXX: Unable to find ServiceMonitor: %s", e)
pass
#
# Ports can be specified in the UI but there doesn't appear to be a way to
# override them via SRV records. This should be fixed.
#
dcport = self.get_dcport()
gcport = self.get_gcport()
if not sm:
try:
log.debug(
"XXX: fqdn=%s dcport=%s frequency=%s retry=%s enable=%s",
fqdn, dcport, monit_frequency, monit_retry,
enable_monitoring)
sm = ServiceMonitor.objects.create(
sm_name=sm_name,
sm_host=fqdn,
sm_port=dcport,
sm_frequency=monit_frequency,
sm_retry=monit_retry,
sm_enable=enable_monitoring)
except Exception as e:
log.debug("XXX: Unable to create ServiceMonitor: %s", e)
raise MiddlewareError(
_("Unable to create ServiceMonitor: %s" % e), )
else:
sm.sm_name = sm_name
if fqdn != sm.sm_host:
sm.sm_host = fqdn
if dcport != sm.sm_port:
sm.sm_port = dcport
if monit_frequency != sm.sm_frequency:
sm.sm_frequency = monit_frequency
if monit_retry != sm.sm_retry:
sm.sm_retry = monit_retry
if enable_monitoring != sm.sm_enable:
sm.sm_enable = enable_monitoring
try:
sm.save(force_update=True)
except Exception as e:
log.debug("XXX: Unable to create ServiceMonitor: %s", e)
raise MiddlewareError(
_("Unable to save ServiceMonitor: %s" % e), )
with client as c:
if enable_monitoring and enable:
log.debug(
"[ServiceMonitoring] Add %s service, frequency: %d, retry: %d"
% ('activedirectory', monit_frequency, monit_retry))
c.call('servicemonitor.restart')
else:
log.debug(
"[ServiceMonitoring] Remove %s service, frequency: %d, retry: %d"
% ('activedirectory', monit_frequency, monit_retry))
c.call('servicemonitor.restart')
return obj
def generate_smb4_conf(smb4_conf, role):
try:
cifs = CIFS.objects.all()[0]
except:
return
if not cifs.cifs_srv_guest:
cifs.cifs_srv_guest = 'ftp'
if not cifs.cifs_srv_filemask:
cifs.cifs_srv_filemask = "0666"
if not cifs.cifs_srv_dirmask:
cifs.cifs_srv_dirmask = "0777"
# standard stuff... should probably do this differently
confset1(smb4_conf, "[global]", space=0)
confset2(smb4_conf, "server min protocol = %s", cifs.cifs_srv_min_protocol)
confset2(smb4_conf, "server max protocol = %s", cifs.cifs_srv_max_protocol)
if cifs.cifs_srv_bindip:
interfaces = cifs.cifs_srv_bindip.replace(',', ' ')
if role != 'dc':
interfaces = "127.0.0.1 %s" % interfaces
confset2(smb4_conf, "interfaces = %s", interfaces)
confset1(smb4_conf, "bind interfaces only = yes")
confset1(smb4_conf, "encrypt passwords = yes")
confset1(smb4_conf, "dns proxy = no")
confset1(smb4_conf, "strict locking = no")
confset1(smb4_conf, "oplocks = yes")
confset1(smb4_conf, "deadtime = 15")
confset1(smb4_conf, "max log size = 51200")
confset2(smb4_conf, "max open files = %d", long(get_sysctl('kern.maxfilesperproc')) - 25)
if cifs.cifs_srv_syslog:
confset1(smb4_conf, "syslog only = yes")
confset1(smb4_conf, "syslog = 1")
confset1(smb4_conf, "load printers = no")
confset1(smb4_conf, "printing = bsd")
confset1(smb4_conf, "printcap name = /dev/null")
confset1(smb4_conf, "disable spoolss = yes")
confset1(smb4_conf, "getwd cache = yes")
confset2(smb4_conf, "guest account = %s", cifs.cifs_srv_guest.encode('utf8'))
confset1(smb4_conf, "map to guest = Bad User")
confset2(smb4_conf, "obey pam restrictions = %s",
"yes" if cifs.cifs_srv_obey_pam_restrictions else "no")
confset1(smb4_conf, "directory name cache size = 0")
confset1(smb4_conf, "kernel change notify = no")
confset1(smb4_conf, "panic action = /usr/local/libexec/samba/samba-backtrace")
confset2(smb4_conf, "server string = %s", cifs.cifs_srv_description)
confset1(smb4_conf, "ea support = yes")
confset1(smb4_conf, "store dos attributes = yes")
confset2(smb4_conf, "hostname lookups = %s",
"yes" if cifs.cifs_srv_hostlookup else False)
confset2(smb4_conf, "unix extensions = %s",
"no" if not cifs.cifs_srv_unixext else False)
confset2(smb4_conf, "time server = %s",
"yes" if cifs.cifs_srv_timeserver else False)
confset2(smb4_conf, "null passwords = %s",
"yes" if cifs.cifs_srv_nullpw else False)
confset2(smb4_conf, "acl allow execute always = %s",
"true" if cifs.cifs_srv_allow_execute_always else "false")
confset1(smb4_conf, "acl check permissions = true")
confset1(smb4_conf, "dos filemode = yes")
if not smb4_ldap_enabled():
confset2(smb4_conf, "domain logons = %s",
"yes" if cifs.cifs_srv_domain_logons else "no")
if cifs.cifs_srv_localmaster and not nt4_enabled() \
and not activedirectory_enabled():
confset2(smb4_conf, "local master = %s",
"yes" if cifs.cifs_srv_localmaster else False)
idmap = get_idmap_object(DS_TYPE_CIFS, cifs.id, 'tdb')
configure_idmap_backend(smb4_conf, idmap, None)
if role == 'auto':
confset1(smb4_conf, "server role = auto")
elif role == 'classic':
confset1(smb4_conf, "server role = classic primary domain controller")
elif role == 'netbios':
confset1(smb4_conf, "server role = netbios backup domain controller")
elif role == 'dc':
confset1(smb4_conf, "server role = active directory domain controller")
add_domaincontroller_conf(smb4_conf)
elif role == 'member':
confset1(smb4_conf, "server role = member server")
if nt4_enabled():
add_nt4_conf(smb4_conf)
elif smb4_ldap_enabled():
add_ldap_conf(smb4_conf)
elif activedirectory_enabled():
add_activedirectory_conf(smb4_conf)
elif role == 'standalone':
confset1(smb4_conf, "server role = standalone")
confset2(smb4_conf, "netbios name = %s", cifs.cifs_srv_netbiosname.upper())
confset2(smb4_conf, "workgroup = %s", cifs.cifs_srv_workgroup.upper())
confset1(smb4_conf, "security = user")
if role != 'dc':
confset1(smb4_conf, "pid directory = /var/run/samba")
confset1(smb4_conf, "smb passwd file = /var/etc/private/smbpasswd")
confset1(smb4_conf, "private dir = /var/etc/private")
confset2(smb4_conf, "create mask = %s", cifs.cifs_srv_filemask)
confset2(smb4_conf, "directory mask = %s", cifs.cifs_srv_dirmask)
confset1(smb4_conf, "client ntlmv2 auth = yes")
confset2(smb4_conf, "dos charset = %s", cifs.cifs_srv_doscharset)
confset2(smb4_conf, "unix charset = %s", cifs.cifs_srv_unixcharset)
if cifs.cifs_srv_loglevel and cifs.cifs_srv_loglevel is not True:
confset2(smb4_conf, "log level = %s", cifs.cifs_srv_loglevel)
for line in cifs.cifs_srv_smb_options.split('\n'):
confset1(smb4_conf, line)
def generate_smb4_conf(smb4_conf, role):
try:
cifs = CIFS.objects.all()[0]
except:
return
if not cifs.cifs_srv_guest:
cifs.cifs_srv_guest = 'ftp'
if not cifs.cifs_srv_filemask:
cifs.cifs_srv_filemask = "0666"
if not cifs.cifs_srv_dirmask:
cifs.cifs_srv_dirmask = "0777"
# standard stuff... should probably do this differently
confset1(smb4_conf, "[global]", space=0)
confset2(smb4_conf, "server min protocol = %s", cifs.cifs_srv_min_protocol)
confset2(smb4_conf, "server max protocol = %s", cifs.cifs_srv_max_protocol)
confset1(smb4_conf, "encrypt passwords = yes")
confset1(smb4_conf, "dns proxy = no")
confset1(smb4_conf, "strict locking = no")
confset1(smb4_conf, "oplocks = yes")
confset1(smb4_conf, "deadtime = 15")
confset1(smb4_conf, "max log size = 51200")
confset2(smb4_conf, "max open files = %d",
long(get_sysctl('kern.maxfilesperproc')) - 25)
if cifs.cifs_srv_syslog:
confset1(smb4_conf, "syslog only = yes")
confset1(smb4_conf, "syslog = 1")
confset1(smb4_conf, "load printers = no")
confset1(smb4_conf, "printing = bsd")
confset1(smb4_conf, "printcap name = /dev/null")
confset1(smb4_conf, "disable spoolss = yes")
confset1(smb4_conf, "getwd cache = yes")
confset2(smb4_conf, "guest account = %s",
cifs.cifs_srv_guest.encode('utf8'))
confset1(smb4_conf, "map to guest = Bad User")
confset2(smb4_conf, "obey pam restrictions = %s",
"yes" if cifs.cifs_srv_obey_pam_restrictions else "no")
confset1(smb4_conf, "directory name cache size = 0")
confset1(smb4_conf, "kernel change notify = no")
confset1(smb4_conf,
"panic action = /usr/local/libexec/samba/samba-backtrace")
confset2(smb4_conf, "server string = %s", cifs.cifs_srv_description)
confset1(smb4_conf, "ea support = yes")
confset1(smb4_conf, "store dos attributes = yes")
confset2(smb4_conf, "hostname lookups = %s",
"yes" if cifs.cifs_srv_hostlookup else False)
confset2(smb4_conf, "unix extensions = %s",
"no" if not cifs.cifs_srv_unixext else False)
confset2(smb4_conf, "time server = %s",
"yes" if cifs.cifs_srv_timeserver else False)
confset2(smb4_conf, "null passwords = %s",
"yes" if cifs.cifs_srv_nullpw else False)
confset2(smb4_conf, "domain logons = %s",
"yes" if cifs.cifs_srv_domain_logons else "no")
confset2(smb4_conf, "acl allow execute always = %s",
"true" if cifs.cifs_srv_allow_execute_always else "false")
if cifs.cifs_srv_localmaster and not nt4_enabled() \
and not activedirectory_enabled():
confset2(smb4_conf, "local master = %s",
"yes" if cifs.cifs_srv_localmaster else False)
idmap = get_idmap_object(DS_TYPE_CIFS, cifs.id, 'tdb')
configure_idmap_backend(smb4_conf, idmap, None)
if role == 'auto':
confset1(smb4_conf, "server role = auto")
elif role == 'classic':
confset1(smb4_conf, "server role = classic primary domain controller")
elif role == 'netbios':
confset1(smb4_conf, "server role = netbios backup domain controller")
elif role == 'dc':
confset1(smb4_conf, "server role = active directory domain controller")
add_domaincontroller_conf(smb4_conf)
elif role == 'member':
confset1(smb4_conf, "server role = member server")
if nt4_enabled():
add_nt4_conf(smb4_conf)
elif ldap_enabled():
add_ldap_conf(smb4_conf)
elif activedirectory_enabled():
add_activedirectory_conf(smb4_conf)
elif role == 'standalone':
confset1(smb4_conf, "server role = standalone")
confset2(smb4_conf, "netbios name = %s",
cifs.cifs_srv_netbiosname.upper())
confset2(smb4_conf, "workgroup = %s", cifs.cifs_srv_workgroup.upper())
confset1(smb4_conf, "security = user")
if role != 'dc':
confset1(smb4_conf, "pid directory = /var/run/samba")
confset1(smb4_conf, "smb passwd file = /var/etc/private/smbpasswd")
confset1(smb4_conf, "private dir = /var/etc/private")
confset2(smb4_conf, "create mask = %s", cifs.cifs_srv_filemask)
confset2(smb4_conf, "directory mask = %s", cifs.cifs_srv_dirmask)
confset1(smb4_conf, "client ntlmv2 auth = yes")
confset2(smb4_conf, "dos charset = %s", cifs.cifs_srv_doscharset)
confset2(smb4_conf, "unix charset = %s", cifs.cifs_srv_unixcharset)
if cifs.cifs_srv_loglevel and cifs.cifs_srv_loglevel is not True:
confset2(smb4_conf, "log level = %s", cifs.cifs_srv_loglevel)
for line in cifs.cifs_srv_smb_options.split('\n'):
confset1(smb4_conf, line)
if cifs.cifs_srv_homedir_enable:
valid_users_path = "%U"
valid_users = "%U"
if activedirectory_enabled():
try:
ad = ActiveDirectory.objects.all()[0]
if not ad.ad_use_default_domain:
valid_users_path = "%D/%U"
valid_users = "%D\%U"
except:
pass
if cifs.cifs_srv_homedir:
cifs_homedir_path = "%s/%s" % (cifs.cifs_srv_homedir,
valid_users_path)
else:
cifs_homedir_path = False
confset1(smb4_conf, "\n")
confset1(smb4_conf, "[homes]", space=0)
confset1(smb4_conf, "comment = Home Directories")
confset2(smb4_conf, "valid users = %s", valid_users)
confset1(smb4_conf, "writable = yes")
confset2(smb4_conf, "browseable = %s",
"yes" if cifs.cifs_srv_homedir_browseable_enable else "no")
if cifs_homedir_path:
confset2(smb4_conf, "path = %s", cifs_homedir_path)
for line in cifs.cifs_srv_homedir_aux.split('\n'):
confset1(smb4_conf, line)
def generate_smb4_conf(smb4_conf, role):
try:
cifs = CIFS.objects.all()[0]
except:
return
if not cifs.cifs_srv_guest:
cifs.cifs_srv_guest = "ftp"
if not cifs.cifs_srv_filemask:
cifs.cifs_srv_filemask = "0666"
if not cifs.cifs_srv_dirmask:
cifs.cifs_srv_dirmask = "0777"
# standard stuff... should probably do this differently
confset1(smb4_conf, "[global]", space=0)
if os.path.exists("/usr/local/etc/smbusers"):
confset1(smb4_conf, "username map = /usr/local/etc/smbusers")
confset2(smb4_conf, "server min protocol = %s", cifs.cifs_srv_min_protocol)
confset2(smb4_conf, "server max protocol = %s", cifs.cifs_srv_max_protocol)
if cifs.cifs_srv_bindip:
interfaces = []
bindips = string.join(cifs.cifs_srv_bindip, " ")
if role != "dc":
bindips = "127.0.0.1 %s" % bindips
n = notifier()
bindips = bindips.split()
for bindip in bindips:
if not bindip:
continue
bindip = bindip.strip()
iface = n.get_interface(bindip)
if iface and n.is_carp_interface(iface):
parent_iface = n.get_parent_interface(iface)
if not parent_iface:
continue
parent_iinfo = n.get_interface_info(parent_iface[0])
if not parent_iinfo:
continue
interfaces.append("%s/%s" % (bindip, parent_iface[2]))
else:
interfaces.append(bindip)
if interfaces:
confset2(smb4_conf, "interfaces = %s", string.join(interfaces))
confset1(smb4_conf, "bind interfaces only = yes")
confset1(smb4_conf, "encrypt passwords = yes")
confset1(smb4_conf, "dns proxy = no")
confset1(smb4_conf, "strict locking = no")
confset1(smb4_conf, "oplocks = yes")
confset1(smb4_conf, "deadtime = 15")
confset1(smb4_conf, "max log size = 51200")
confset2(smb4_conf, "max open files = %d", long(get_sysctl("kern.maxfilesperproc")) - 25)
if cifs.cifs_srv_syslog:
confset1(smb4_conf, "syslog only = yes")
else:
confset1(smb4_conf, "syslog only = no")
if cifs.cifs_srv_loglevel and cifs.cifs_srv_loglevel is not True:
confset2(smb4_conf, "syslog = %s", cifs.cifs_srv_loglevel)
else:
confset1(smb4_conf, "syslog = 0")
confset1(smb4_conf, "load printers = no")
confset1(smb4_conf, "printing = bsd")
confset1(smb4_conf, "printcap name = /dev/null")
confset1(smb4_conf, "disable spoolss = yes")
confset1(smb4_conf, "getwd cache = yes")
confset2(smb4_conf, "guest account = %s", cifs.cifs_srv_guest.encode("utf8"))
confset1(smb4_conf, "map to guest = Bad User")
confset2(smb4_conf, "obey pam restrictions = %s", "yes" if cifs.cifs_srv_obey_pam_restrictions else "no")
confset1(smb4_conf, "directory name cache size = 0")
confset1(smb4_conf, "kernel change notify = no")
confset1(smb4_conf, "panic action = /usr/local/libexec/samba/samba-backtrace")
confset1(smb4_conf, "nsupdate command = /usr/local/bin/samba-nsupdate -g")
confset2(smb4_conf, "server string = %s", cifs.cifs_srv_description)
confset1(smb4_conf, "ea support = yes")
confset1(smb4_conf, "store dos attributes = yes")
confset1(smb4_conf, "lm announce = yes")
confset2(smb4_conf, "hostname lookups = %s", "yes" if cifs.cifs_srv_hostlookup else False)
confset2(smb4_conf, "unix extensions = %s", "no" if not cifs.cifs_srv_unixext else False)
confset2(smb4_conf, "time server = %s", "yes" if cifs.cifs_srv_timeserver else False)
confset2(smb4_conf, "null passwords = %s", "yes" if cifs.cifs_srv_nullpw else False)
confset2(smb4_conf, "acl allow execute always = %s", "true" if cifs.cifs_srv_allow_execute_always else "false")
confset1(smb4_conf, "acl check permissions = true")
confset1(smb4_conf, "dos filemode = yes")
confset2(smb4_conf, "multicast dns register = %s", "yes" if cifs.cifs_srv_zeroconf else "no")
if not smb4_ldap_enabled():
confset2(smb4_conf, "domain logons = %s", "yes" if cifs.cifs_srv_domain_logons else "no")
if not nt4_enabled() and not activedirectory_enabled():
confset2(smb4_conf, "local master = %s", "yes" if cifs.cifs_srv_localmaster else "no")
idmap = get_idmap_object(DS_TYPE_CIFS, cifs.id, "tdb")
configure_idmap_backend(smb4_conf, idmap, None)
if role == "auto":
confset1(smb4_conf, "server role = auto")
elif role == "classic":
confset1(smb4_conf, "server role = classic primary domain controller")
elif role == "netbios":
confset1(smb4_conf, "server role = netbios backup domain controller")
elif role == "dc":
confset1(smb4_conf, "server role = active directory domain controller")
add_domaincontroller_conf(smb4_conf)
elif role == "member":
confset1(smb4_conf, "server role = member server")
if nt4_enabled():
add_nt4_conf(smb4_conf)
elif smb4_ldap_enabled():
add_ldap_conf(smb4_conf)
elif activedirectory_enabled():
add_activedirectory_conf(smb4_conf)
elif role == "standalone":
confset1(smb4_conf, "server role = standalone")
set_netbiosname(smb4_conf, cifs.cifs_srv_netbiosname)
confset2(smb4_conf, "workgroup = %s", cifs.cifs_srv_workgroup.upper())
confset1(smb4_conf, "security = user")
if role != "dc":
confset1(smb4_conf, "pid directory = /var/run/samba")
confset2(smb4_conf, "create mask = %s", cifs.cifs_srv_filemask)
confset2(smb4_conf, "directory mask = %s", cifs.cifs_srv_dirmask)
confset1(smb4_conf, "client ntlmv2 auth = yes")
confset2(smb4_conf, "dos charset = %s", cifs.cifs_srv_doscharset)
confset2(smb4_conf, "unix charset = %s", cifs.cifs_srv_unixcharset)
if cifs.cifs_srv_loglevel and cifs.cifs_srv_loglevel is not True:
confset2(smb4_conf, "log level = %s", cifs.cifs_srv_loglevel)
smb_options = cifs.cifs_srv_smb_options.encode("utf-8")
smb_options = smb_options.strip()
for line in smb_options.split("\n"):
line = line.strip()
if not line:
continue
confset1(smb4_conf, line)
def add_activedirectory_conf(smb4_conf):
rid_range_start = 20000
rid_range_end = 20000000
ad_range_start = 10000
ad_range_end = 90000000
try:
ad = ActiveDirectory.objects.all()[0]
except:
return
cachedir = "/var/tmp/.cache/.samba"
try:
os.makedirs(cachedir)
except:
pass
ad_workgroup = None
try:
fad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
ad_workgroup = fad.netbiosname.upper()
except:
return
confset2(smb4_conf, "netbios name = %s", ad.ad_netbiosname.upper())
confset2(smb4_conf, "workgroup = %s", ad_workgroup)
confset2(smb4_conf, "realm = %s", ad.ad_domainname.upper())
confset1(smb4_conf, "security = ADS")
confset1(smb4_conf, "client use spnego = yes")
confset2(smb4_conf, "cache directory = %s", cachedir)
confset1(smb4_conf, "local master = no")
confset1(smb4_conf, "domain master = no")
confset1(smb4_conf, "preferred master = no")
confset1(smb4_conf, "acl check permissions = true")
confset1(smb4_conf, "acl map full control = true")
confset1(smb4_conf, "dos filemode = yes")
confset1(smb4_conf, "winbind cache time = 7200")
confset1(smb4_conf, "winbind offline logon = yes")
confset1(smb4_conf, "winbind enum users = yes")
confset1(smb4_conf, "winbind enum groups = yes")
confset1(smb4_conf, "winbind nested groups = yes")
confset2(smb4_conf, "winbind use default domain = %s",
"yes" if ad.ad_use_default_domain else "no")
confset1(smb4_conf, "winbind refresh tickets = yes")
if ad.ad_unix_extensions:
confset1(smb4_conf, "winbind nss info = rfc2307")
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
configure_idmap_backend(smb4_conf, idmap, ad_workgroup)
confset2(smb4_conf, "allow trusted domains = %s",
"yes" if ad.ad_allow_trusted_doms else "no")
confset1(smb4_conf, "template shell = /bin/sh")
confset2(smb4_conf, "template homedir = %s",
"/home/%D/%U" if not ad.ad_use_default_domain else "/home/%U")
