@%@UCRWARNING=# @%@

@!@
if configRegistry.get('kerberos/defaults/ticket-lifetime'):
    print('kdc:user ticket lifetime = %s' % configRegistry.get('kerberos/defaults/ticket-lifetime'))
    print('')
print('; ---------------------<10global>------------------------')
print('[global]')
print('\tdebug level\t= %s' % configRegistry.get('samba/debug/level', 1))
print('\tlogging\t\t= file')
print('\tmax log size\t= %s\n' % configRegistry.get('samba/max_log_size', 0))
print('\tkdc default domain supported enctypes\t= %s\n' % configRegistry.get('samba/kdc_default_domain_supported_enctypes'))
if configRegistry.get('samba/netbios/name'):
    print('\tnetbios name\t= %s' % configRegistry['samba/netbios/name'])
else:
    print('\tnetbios name\t= %s' % configRegistry['hostname'])

samba4_role = configRegistry.get('samba4/role')
if samba4_role in ('DC', 'RODC'):
    print('\tserver role\t= active directory domain controller')
    print('\tname resolve order\t= %s' % (configRegistry.get('samba/name/resolve/order', 'wins host bcast'),))

elif samba4_role == 'MEMBER':
    print('\tserver role\t= member server')
    print('\tsecurity\t= ads')
    print('\tname resolve order\t= %s' % (configRegistry.get('samba/name/resolve/order', 'wins bcast'),))


samba_serverstring = configRegistry.get('samba/serverstring', 'Univention Corporate Server')
print('\tserver string\t= %s' % (samba_serverstring,))

# build up and set server services option list if non-empty
server_services = ['-dns']
if configRegistry.get('samba4/service/smb', 'smbd') == 'smbd':
    server_services.append('-smb')
elif configRegistry.get('samba4/service/smb', 's3fs') == 's3fs':
    server_services.extend(['-smb', '+s3fs'])
if configRegistry.get('samba4/service/nmb', 'nmbd') == 'nmbd':
    server_services.append('-nbt')
if configRegistry.is_false('samba4/service/drepl'):
    server_services.append('-drepl')
if server_services:
    print('\tserver services\t= %s' % (' '.join(server_services),))
if configRegistry.get('samba4/service/nmb', 'nmbd') == 'nmbd':
    print('\tserver role check:inhibit = yes')
    print('\t# use nmbd; to disable set samba4/service/nmb to s4')
    print('\tnmbd_proxy_logon:cldap_server=127.0.0.1')

print('\tworkgroup\t= %s' % configRegistry['windows/domain'])
print('\trealm\t\t= %s' % configRegistry['kerberos/realm'])

fqdn = '.'.join([configRegistry['hostname'], configRegistry['domainname']])
print('')
print('\ttls enabled\t= yes')
print('\ttls keyfile\t= /etc/univention/ssl/%s/private.key' % fqdn)
print('\ttls certfile\t= /etc/univention/ssl/%s/cert.pem' % fqdn)
print('\ttls cafile\t= /etc/univention/ssl/ucsCA/CAcert.pem')
for key, smbstring in [
        ('samba/tls/dh/params/file', 'tls dh params file'),
        ('samba/tls/priority', 'tls priority'),
]:
    ucrvalue = configRegistry.get(key)
    if ucrvalue:
        print('\t%s\t= %s' % (smbstring, ucrvalue))

for key, smbstring, ucsdefault in [
        ('samba/tls/verify/peer', 'tls verify peer', 'ca_and_name'),
        ('samba/ldap/server/require/strong/auth', 'ldap server require strong auth', 'yes'),
]:
    ucrvalue = configRegistry.get(key)
    if ucrvalue:
        print('\t%s\t= %s' % (smbstring, ucrvalue))
    else:
        print('\t%s\t= %s' % (smbstring, ucsdefault))

if configRegistry.is_true('samba4/schema/update/allowed'):
    print('\tdsdb:schema update allowed = yes')
else:
    print('\tdsdb:schema update allowed = no')

max_open_files = configRegistry.get('samba/max_open_files')
if max_open_files:
    print('\tmax open files = %s' % max_open_files)

for key, smbstring in [
        ('samba/interfaces', 'interfaces'),
        ('samba/interfaces/bindonly', 'bind interfaces only'),
        ('samba/server/signing', 'server signing'),
        ('samba/charset/dos', 'dos charset'),
        ('samba/charset/unix', 'unix charset'),
        ('samba/socket_options', 'socket options'),
        ('samba/netbios/aliases', 'netbios aliases'),
]:
    if configRegistry.get(key):
        if key == 'samba/interfaces':
            print('\t%s\t= %s' % (smbstring, configRegistry[key].replace('<interfaces/primary>', configRegistry.get('interfaces/primary', 'eth0'))))
        else:
            print('\t%s\t= %s' % (smbstring, configRegistry[key]))

print('\tntlm auth\t= %s' % (configRegistry.get('samba/ntlm/auth', 'ntlmv2-only')))

# legacy settings for smbd
if configRegistry.get('samba4/service/smb', 'smbd') == 'smbd':
    for key, smbstring in [
            ('samba/charset/display', 'display charset'),
            ('samba/enable-privileges', 'enable privileges'),
    ]:
        value = configRegistry.get(key)
        if value is not None:
            print('\t%s\t= %s' % (smbstring, value))

print('\tmachine password timeout\t= %d' % int(configRegistry.get('samba/machine_password_timeout', 0)))

if configRegistry.is_true('samba/acl/allow/execute/always', True):
    print('\tacl allow execute always = True')

if configRegistry.get('samba/register/exclude/interfaces') and not configRegistry.is_true('samba/interfaces/bindonly', False):
    from univention.config_registry.interfaces import Interfaces
    interfaces = Interfaces(configRegistry)
    interface_list = [_name for _name, iface in interfaces.all_interfaces]
    for ignore in configRegistry['samba/register/exclude/interfaces'].split(' '):
        if ignore in interface_list:
            interface_list.remove(ignore)
    # also ignore appliance-mode-temporary interface
    for iface in interface_list[:]:
        if configRegistry.get('interfaces/%s/type' % iface, '') == 'appliance-mode-temporary':
            interface_list.remove(iface)
    if interface_list:
        print('')
        print('\t# ignore interfaces in samba/register/exclude/interfaces')
        print('\tbind interfaces only = yes')
        print('\tinterfaces = lo %s' % ' '.join(interface_list))

if not configRegistry.is_true('samba4/kccsrv/samba_kcc', False):
    print('\tkccsrv:samba_kcc = False')
@!@
; ---------------------</10global>------------------------
