From afdc9055b5f883a10f3b1fb74a0c40ad9d7fb199 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 18 Mar 2011 11:37:15 +0100
Subject: s3-net: add IPA provision
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Günther Deschner <gd@samba.org>
---
 source3/utils/net_sam.c | 139 +++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 119 insertions(+), 20 deletions(-)

(limited to 'source3/utils')

diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c
index 81e0fe83451..4754fb0f343 100644
--- a/source3/utils/net_sam.c
+++ b/source3/utils/net_sam.c
@@ -1588,6 +1588,7 @@ static int net_sam_provision(struct net_context *c, int argc, const char **argv)
 	gid_t domadmins_gid = -1;
 	struct samu *samuser;
 	struct passwd *pwd;
+	bool is_ipa = false;
 
 	if (c->display_usage) {
 		d_printf(  "%s\n"
@@ -1618,7 +1619,11 @@ static int net_sam_provision(struct net_context *c, int argc, const char **argv)
 
 	trim_char(ldap_bk, ' ', ' ');
 
-	if (strcmp(ldap_bk, "ldapsam") != 0) {
+	if (strcmp(ldap_bk, "IPA_ldapsam") == 0 ) {
+		is_ipa = true;
+	}
+
+	if (strcmp(ldap_bk, "ldapsam") != 0 && !is_ipa ) {
 		d_fprintf(stderr,
 			  _("Provisioning works only with ldapsam backend\n"));
 		goto failed;
@@ -1632,7 +1637,7 @@ static int net_sam_provision(struct net_context *c, int argc, const char **argv)
 		goto failed;
 	}
 
-	if (!winbind_ping()) {
+	if (!is_ipa && !winbind_ping()) {
 		d_fprintf(stderr, _("winbind seems not to run. Provisioning "
 			    "LDAP only works when winbind runs.\n"));
 		goto failed;
@@ -1659,10 +1664,14 @@ static int net_sam_provision(struct net_context *c, int argc, const char **argv)
 		d_printf(_("Adding the Domain Users group.\n"));
 
 		/* lets allocate a new groupid for this group */
-		if (!winbind_allocate_gid(&domusers_gid)) {
-			d_fprintf(stderr, _("Unable to allocate a new gid to "
-					    "create Domain Users group!\n"));
-			goto domu_done;
+		if (is_ipa) {
+			domusers_gid = 999;
+		} else {
+			if (!winbind_allocate_gid(&domusers_gid)) {
+				d_fprintf(stderr, _("Unable to allocate a new gid to "
+						    "create Domain Users group!\n"));
+				goto domu_done;
+			}
 		}
 
 		uname = talloc_strdup(tc, "domusers");
@@ -1678,6 +1687,11 @@ static int net_sam_provision(struct net_context *c, int argc, const char **argv)
 
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
+		if (is_ipa) {
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
+		}
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
@@ -1693,6 +1707,16 @@ static int net_sam_provision(struct net_context *c, int argc, const char **argv)
 			d_fprintf(stderr, _("Failed to add Domain Users group "
 					    "to ldap directory\n"));
 		}
+
+		if (is_ipa) {
+			if (!pdb_getgrsid(&gmap, gsid)) {
+				d_fprintf(stderr, _("Failed to read just "
+						    "created domain group.\n"));
+				goto failed;
+			} else {
+				domusers_gid = gmap.gid;
+			}
+		}
 	} else {
 		domusers_gid = gmap.gid;
 		d_printf(_("found!\n"));
@@ -1716,10 +1740,14 @@ domu_done:
 		d_printf(_("Adding the Domain Admins group.\n"));
 
 		/* lets allocate a new groupid for this group */
-		if (!winbind_allocate_gid(&domadmins_gid)) {
-			d_fprintf(stderr, _("Unable to allocate a new gid to "
-					    "create Domain Admins group!\n"));
-			goto doma_done;
+		if (is_ipa) {
+			domadmins_gid = 999;
+		} else {
+			if (!winbind_allocate_gid(&domadmins_gid)) {
+				d_fprintf(stderr, _("Unable to allocate a new gid to "
+						    "create Domain Admins group!\n"));
+				goto doma_done;
+			}
 		}
 
 		uname = talloc_strdup(tc, "domadmins");
@@ -1735,6 +1763,11 @@ domu_done:
 
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
+		if (is_ipa) {
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
+		}
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
@@ -1750,6 +1783,16 @@ domu_done:
 			d_fprintf(stderr, _("Failed to add Domain Admins group "
 					    "to ldap directory\n"));
 		}
+
+		if (is_ipa) {
+			if (!pdb_getgrsid(&gmap, gsid)) {
+				d_fprintf(stderr, _("Failed to read just "
+						    "created domain group.\n"));
+				goto failed;
+			} else {
+				domadmins_gid = gmap.gid;
+			}
+		}
 	} else {
 		domadmins_gid = gmap.gid;
 		d_printf(_("found!\n"));
@@ -1774,6 +1817,7 @@ doma_done:
 		char *gidstr;
 		char *shell;
 		char *dir;
+		char *princ;
 		uid_t uid;
 		int rc;
 
@@ -1785,11 +1829,16 @@ doma_done:
 				    "Admins group not available!\n"));
 			goto done;
 		}
-		if (!winbind_allocate_uid(&uid)) {
-			d_fprintf(stderr,
-				  _("Unable to allocate a new uid to create "
-				    "the Administrator user!\n"));
-			goto done;
+
+		if (is_ipa) {
+			uid = 999;
+		} else {
+			if (!winbind_allocate_uid(&uid)) {
+				d_fprintf(stderr,
+					  _("Unable to allocate a new uid to create "
+					    "the Administrator user!\n"));
+				goto done;
+			}
 		}
 
 		name = talloc_strdup(tc, "Administrator");
@@ -1815,6 +1864,21 @@ doma_done:
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
+		if (is_ipa) {
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", name);
+			princ = talloc_asprintf(tc, "%s@%s", name, lp_realm());
+			if (!princ) {
+				d_fprintf(stderr, _("Out of Memory!\n"));
+				goto failed;
+			}
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "krbPrincipalName", princ);
+		}
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
@@ -1836,6 +1900,14 @@ doma_done:
 			d_fprintf(stderr, _("Failed to add Administrator user "
 					    "to ldap directory\n"));
 		}
+
+		if (is_ipa) {
+			if (!pdb_getsampwnam(samuser, "Administrator")) {
+				d_fprintf(stderr, _("Failed to read just "
+						    "created user.\n"));
+				goto failed;
+			}
+		}
 	} else {
 		d_printf(_("found!\n"));
 	}
@@ -1874,11 +1946,16 @@ doma_done:
 				goto done;
 			}
 			pwd->pw_name = talloc_strdup(pwd, lp_guestaccount());
-			if (!winbind_allocate_uid(&(pwd->pw_uid))) {
-				d_fprintf(stderr,
-					  _("Unable to allocate a new uid to "
-					    "create the Guest user!\n"));
-				goto done;
+
+			if (is_ipa) {
+				pwd->pw_uid = 999;
+			} else {
+				if (!winbind_allocate_uid(&(pwd->pw_uid))) {
+					d_fprintf(stderr,
+						  _("Unable to allocate a new uid to "
+						    "create the Guest user!\n"));
+					goto done;
+				}
 			}
 			pwd->pw_gid = domusers_gid;
 			pwd->pw_dir = talloc_strdup(tc, "/");
@@ -1900,6 +1977,15 @@ doma_done:
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
+		if (is_ipa) {
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "person");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "organizationalperson");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetorgperson");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "inetuser");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbprincipalaux");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "krbticketpolicyaux");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "sn", pwd->pw_name);
+		}
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", pwd->pw_name);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", pwd->pw_name);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", pwd->pw_name);
@@ -1925,6 +2011,14 @@ doma_done:
 			d_fprintf(stderr, _("Failed to add Guest user to "
 					    "ldap directory\n"));
 		}
+
+		if (is_ipa) {
+			if (!pdb_getsampwnam(samuser, lp_guestaccount())) {
+				d_fprintf(stderr, _("Failed to read just "
+						    "created user.\n"));
+				goto failed;
+			}
+		}
 	} else {
 		d_printf(_("found!\n"));
 	}
@@ -1970,6 +2064,11 @@ doma_done:
 
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
+		if (is_ipa) {
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "groupofnames");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "nestedgroup");
+			smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "ipausergroup");
+		}
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", uname);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", wname);
 		smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
-- 
cgit v1.2.1