sambacc: add organizational unit (OU) support for ad dc configuration

It is possible to specify a group and a user who belongs to a
specific organizational group. See file examples/addc_ou.json.

Signed-off-by: myback <[email protected]>

Author: shulutkov

examples/addc_ou.json

@@ -0,0 +1,139 @@
+{
+  "samba-container-config": "v0",
+  "configs": {
+    "demo": {
+      "instance_features": ["addc"],
+      "domain_settings": "sink",
+      "instance_name": "dc1"
+    }
+  },
+  "domain_settings": {
+    "sink": {
+      "realm": "DOMAIN1.SINK.TEST",
+      "short_domain": "DOMAIN1",
+      "admin_password": "Passw0rd"
+    }
+  },
+  "organizational_units": {
+    "sink": [
+      {"name": "employees"}
+    ]
+  },
+  "domain_groups": {
+    "sink": [
+        {"name": "supervisors"},
+        {
+          "name": "employees",
+          "ou": "employees"
+        },
+        {"name": "characters"},
+        {"name": "bulk"}
+    ]
+  },
+  "domain_users": {
+    "sink": [
+      {
+        "name": "bwayne",
+        "password": "1115Rose.",
+        "given_name": "Bruce",
+        "surname": "Wayne",
+        "member_of": ["supervisors", "characters", "employees"],
+        "ou": "employees"
+      },
+      {
+        "name": "ckent",
+        "password": "1115Rose.",
+        "given_name": "Clark",
+        "surname": "Kent",
+        "member_of": ["characters", "employees"],
+        "ou": "employees"
+      },
+      {
+        "name": "bbanner",
+        "password": "1115Rose.",
+        "given_name": "Bruce",
+        "surname": "Banner",
+        "member_of": ["characters", "employees"],
+        "ou": "employees"
+      },
+      {
+        "name": "pparker",
+        "password": "1115Rose.",
+        "given_name": "Peter",
+        "surname": "Parker",
+        "member_of": ["characters", "employees"],
+        "ou": "employees"
+      },
+      {
+        "name": "user0",
+        "password": "1115Rose.",
+        "given_name": "George0",
+        "surname": "Hue-Sir",
+        "member_of": ["bulk"]
+      },
+      {
+        "name": "user1",
+        "password": "1115Rose.",
+        "given_name": "George1",
+        "surname": "Hue-Sir",
+        "member_of": ["bulk"]
+      },
+      {
+        "name": "user2",
+        "password": "1115Rose.",
+        "given_name": "George2",
+        "surname": "Hue-Sir",
+        "member_of": ["bulk"]
+      },
+      {
+        "name": "user3",
+        "password": "1115Rose.",
+        "given_name": "George3",
+        "surname": "Hue-Sir",
+        "member_of": ["bulk"]
+      },
+      {
+        "name": "user4",
+        "password": "1115Rose.",
+        "given_name": "George4",
+        "surname": "Hue-Sir",
+        "member_of": ["bulk"]
+      },
+      {
+        "name": "user5",
+        "password": "1115Rose.",
+        "given_name": "George5",
+        "surname": "Hue-Sir",
+        "member_of": ["bulk"]
+      },
+      {
+        "name": "user6",
+        "password": "1115Rose.",
+        "given_name": "George6",
+        "surname": "Hue-Sir",
+        "member_of": ["bulk"]
+      },
+      {
+        "name": "user7",
+        "password": "1115Rose.",
+        "given_name": "George7",
+        "surname": "Hue-Sir",
+        "member_of": ["bulk"]
+      },
+      {
+        "name": "user8",
+        "password": "1115Rose.",
+        "given_name": "George8",
+        "surname": "Hue-Sir",
+        "member_of": ["bulk"]
+      },
+      {
+        "name": "user9",
+        "password": "1115Rose.",
+        "given_name": "George9",
+        "surname": "Hue-Sir",
+        "member_of": ["bulk"]
+      }
+    ]
+  }
+}

sambacc/addc.py

@@ -75,18 +75,25 @@ def create_user(
     password: str,
     surname: typing.Optional[str],
     given_name: typing.Optional[str],
+    ou: typing.Optional[str] = None,
 ) -> None:
-    cmd = _user_create_cmd(name, password, surname, given_name)
+    cmd = _user_create_cmd(name, password, surname, given_name, ou)
     _logger.info("Creating user: %r", name)
     subprocess.check_call(cmd)
 
 
-def create_group(name: str) -> None:
-    cmd = _group_add_cmd(name)
+def create_group(name: str, ou: typing.Optional[str] = None) -> None:
+    cmd = _group_add_cmd(name, ou)
     _logger.info("Creating group: %r", name)
     subprocess.check_call(cmd)
 
 
+def create_ou(name: str) -> None:
+    cmd = _ou_add_cmd(name)
+    _logger.info("Creating organizational unit: %r", name)
+    subprocess.check_call(cmd)
+
+
 def add_group_members(group_name: str, members: list[str]) -> None:
     cmd = _group_add_members_cmd(group_name, members)
     _logger.info("Adding group members: %r", cmd)
@@ -163,6 +170,7 @@ def _user_create_cmd(
     password: str,
     surname: typing.Optional[str],
     given_name: typing.Optional[str],
+    ou: typing.Optional[str],
 ) -> list[str]:
     cmd = samba_cmds.sambatool[
         "user",
@@ -174,15 +182,28 @@ def _user_create_cmd(
         cmd.append(f"--surname={surname}")
     if given_name:
         cmd.append(f"--given-name={given_name}")
+    if ou:
+        cmd.append(f"--userou=OU={ou}")
     return cmd
 
 
-def _group_add_cmd(name: str) -> list[str]:
+def _group_add_cmd(name: str, ou: typing.Optional[str]) -> list[str]:
     cmd = samba_cmds.sambatool[
         "group",
         "add",
         name,
     ].argv()
+    if ou:
+        cmd.append(f"--groupou=OU={ou}")
+    return cmd
+
+
+def _ou_add_cmd(name: str) -> list[str]:
+    cmd = samba_cmds.sambatool[
+        "ou",
+        "add",
+        f"OU={name}",
+    ].argv()
     return cmd
 
 

sambacc/commands/addc.py

@@ -155,15 +155,19 @@ def _prep_populate(ctx: Context) -> None:
         return
     _logger.info("Populating domain with default entries")
 
+    for ou in ctx.instance_config.organizational_units():
+        addc.create_ou(ou.ou_name)
+
     for dgroup in ctx.instance_config.domain_groups():
-        addc.create_group(dgroup.groupname)
+        addc.create_group(dgroup.groupname, dgroup.ou)
 
     for duser in ctx.instance_config.domain_users():
         addc.create_user(
             name=duser.username,
             password=duser.plaintext_passwd,
             surname=duser.surname,
             given_name=duser.given_name,
+            ou=duser.ou,
         )
         # TODO: probably should improve this to avoid extra calls / loops
         for gname in duser.member_of:

sambacc/config.py

@@ -337,6 +337,16 @@ def domain_groups(self) -> typing.Iterable[DomainGroupEntry]:
         for n, entry in enumerate(dgroups):
             yield DomainGroupEntry(self, entry, n)
 
+    def organizational_units(self) -> typing.Iterable[OrganizationalUnitEntry]:
+        if not self.with_addc:
+            raise ValueError("ad dc not supported by configuration")
+        ds_name: str = self.iconfig["domain_settings"]
+        o_units = self.gconfig.data.get("organizational_units", {}).get(
+            ds_name, []
+        )
+        for n, entry in enumerate(o_units):
+            yield OrganizationalUnitEntry(self, entry, n)
+
     def __eq__(self, other: typing.Any) -> bool:
         if isinstance(other, InstanceConfig) and self.iconfig == other.iconfig:
             self_shares = _shares_data(self.gconfig, self.iconfig)
@@ -476,6 +486,7 @@ def __init__(self, iconf: InstanceConfig, grec: dict, num: int):
         self.groupname = grec["name"]
         self.entry_num = num
         self._gid = grec.get("gid")
+        self.ou = grec.get("ou")
         if self._gid is not None:
             if not isinstance(self._gid, int):
                 raise ValueError("invalid gid value")
@@ -505,6 +516,7 @@ def __init__(self, iconf: InstanceConfig, urec: dict, num: int):
         self.surname = urec.get("surname")
         self.given_name = urec.get("given_name")
         self.member_of = urec.get("member_of", [])
+        self.ou = urec.get("ou")
         if not isinstance(self.member_of, list):
             raise ValueError("member_of should contain a list of group names")
 
@@ -513,6 +525,13 @@ class DomainGroupEntry(GroupEntry):
     pass
 
 
+class OrganizationalUnitEntry:
+    def __init__(self, iconf: InstanceConfig, urec: dict, num: int):
+        self.iconfig = iconf
+        self.ou_name = urec["name"]
+        self.entry_num = num
+
+
 class PermissionsConfig:
     _method_key: str = "method"
     _status_xattr_key: str = "status_xattr"

sambacc/schema/conf-v0.schema.json

@@ -47,7 +47,7 @@
       }
     },
     "user_entry": {
-      "description": "A user that will be instantiated in the local contianer environment to\nin order to provide access to smb shares.\n",
+      "description": "A user that will be instantiated in the local container environment to\nin order to provide access to smb shares.\n",
       "type": "object",
       "properties": {
         "name": {
@@ -77,7 +77,7 @@
       "additionalProperties": false
     },
     "group_entry": {
-      "description": "A group that will be instantiated in the local contianer environment to\nin order to provide access to smb shares.\n",
+      "description": "A group that will be instantiated in the local container environment to\nin order to provide access to smb shares.\n",
       "type": "object",
       "properties": {
         "name": {
@@ -123,6 +123,10 @@
           "description": "A plain-text password",
           "type": "string"
         },
+        "ou": {
+          "description": "A organizational unit that the user should belong to",
+          "type": "string"
+        },
         "member_of": {
           "description": "A list of group names that the user should belong to",
           "type": "array",
@@ -146,6 +150,24 @@
         },
         "gid": {
           "type": "integer"
+        },
+        "ou": {
+          "description": "A organizational unit that the user should belong to",
+          "type": "string"
+        }
+      },
+      "required": [
+        "name"
+      ],
+      "additionalProperties": false
+    },
+    "organizational_unit_entry": {
+      "description": "A organizational unit that will be created in the specified AD domain. These\ngroups are populated in the directory after the domain is provisioned.\n",
+      "type": "object",
+      "properties": {
+        "name": {
+          "description": "The organizational unit name",
+          "type": "string"
         }
       },
       "required": [
@@ -157,12 +179,12 @@
   "properties": {
     "samba-container-config": {
       "type": "string",
-      "title": "Cofiguration Format Version",
+      "title": "Configuration Format Version",
       "description": "A short version string that assists in allowing the configuration\nformat to (some day) support incompatible version changes.\n(It is unique to the configuration and is not the version of sambacc)\n"
     },
     "configs": {
       "title": "Container Configurations",
-      "description": "A mapping of named configurations (instances) to top-level configuration\nblocks. A useable configuration file must have at least one configuration,\nbut more than one is supported.\n",
+      "description": "A mapping of named configurations (instances) to top-level configuration\nblocks. A usable configuration file must have at least one configuration,\nbut more than one is supported.\n",
       "type": "object",
       "additionalProperties": {
         "type": "object",
@@ -208,7 +230,7 @@
       }
     },
     "globals": {
-      "description": "A mapping of samba global configuation blocks. The global section names\nare not passed to Samba. All sections selected by a configuration are\nmerged together before passing to Samba.\n",
+      "description": "A mapping of samba global configuration blocks. The global section names\nare not passed to Samba. All sections selected by a configuration are\nmerged together before passing to Samba.\n",
       "type": "object",
       "additionalProperties": {
         "type": "object",
@@ -243,7 +265,7 @@
       }
     },
     "users": {
-      "description": "Users to add to the container environment in order to provide\nShare access-control wihout becoming a domain member server.\n",
+      "description": "Users to add to the container environment in order to provide\nShare access-control without becoming a domain member server.\n",
       "type": "object",
       "properties": {
         "all_entries": {
@@ -255,7 +277,7 @@
       }
     },
     "groups": {
-      "description": "Groups to add to the container environment in order to provide\nShare access-control wihout becoming a domain member server.\n",
+      "description": "Groups to add to the container environment in order to provide\nShare access-control without becoming a domain member server.\n",
       "type": "object",
       "properties": {
         "all_entries": {
@@ -286,6 +308,16 @@
         }
       }
     },
+    "organizational_units": {
+      "description": "The organizational_unit section defines initial organizational unit that will be\nautomatically added to a newly provisioned domain. This section is\na mapping of the domain settings name to a list of domain group entries.\n",
+      "type": "object",
+      "additionalProperties": {
+        "type": "array",
+        "items": {
+          "$ref": "#/$defs/organizational_unit_entry"
+        }
+      }
+    },
     "ctdb": {
       "type": "object",
       "additionalProperties": {