diff options
author | Andrew Tridgell <tridge@samba.org> | 2010-04-27 18:25:55 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-04-27 19:27:18 +1000 |
commit | fa26383884751c5775ccb65e3fbbf9ec7eeda28c (patch) | |
tree | daef15eee84fb8f2a8b933e44fbbaa9b156e0ed0 | |
parent | 570c89287e3f5e424db65098d5e60c9e37a5b6f3 (diff) | |
download | samba-fa26383884751c5775ccb65e3fbbf9ec7eeda28c.tar.gz samba-fa26383884751c5775ccb65e3fbbf9ec7eeda28c.tar.bz2 samba-fa26383884751c5775ccb65e3fbbf9ec7eeda28c.zip |
s4-dsdb: added samba_spnupdate
this script adds all our required servicePrincipalName entries at
runtime. The admin can add more entries to spn_update_list as needed
-rwxr-xr-x | source4/scripting/bin/samba_spnupdate | 137 | ||||
-rw-r--r-- | source4/setup/spn_update_list | 27 |
2 files changed, 164 insertions, 0 deletions
diff --git a/source4/scripting/bin/samba_spnupdate b/source4/scripting/bin/samba_spnupdate new file mode 100755 index 0000000000..1971ea1e86 --- /dev/null +++ b/source4/scripting/bin/samba_spnupdate @@ -0,0 +1,137 @@ +#!/usr/bin/env python +# +# update our servicePrincipalName names from spn_update_list +# +# Copyright (C) Andrew Tridgell 2010 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +import os, sys + +# ensure we get messages out immediately, so they get in the samba logs, +# and don't get swallowed by a timeout +os.putenv('PYTHONUNBUFFERED', '1') + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + +import samba, ldb +import optparse +from samba import getopt as options +from samba.auth import system_session +from samba.samdb import SamDB + +parser = optparse.OptionParser("samba_spnupdate") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +parser.add_option("--verbose", action="store_true") + +creds = None +ccachename = None + +opts, args = parser.parse_args() + +if len(args) != 0: + parser.print_usage() + sys.exit(1) + +lp = sambaopts.get_loadparm() + +domain = lp.get("realm") +host = lp.get("netbios name") + + +# get the list of substitution vars +def get_subst_vars(samdb): + global lp + vars = {} + + vars['DNSDOMAIN'] = lp.get('realm').lower() + vars['HOSTNAME'] = lp.get('netbios name').lower() + "." + vars['DNSDOMAIN'] + vars['NETBIOSNAME'] = lp.get('netbios name').upper() + vars['WORKGROUP'] = lp.get('workgroup') + vars['NTDSGUID'] = samdb.get_ntds_GUID() + res = samdb.search(base=None, scope=ldb.SCOPE_BASE, attrs=["objectGUID"]) + guid = samdb.schema_format_value("objectGUID", res[0]['objectGUID'][0]) + vars['DOMAINGUID'] = guid + return vars + +try: + samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), lp=lp) +except ldb.LdbError, (num, msg): + print("Unable to open sam database %s : %s" % (lp.get("sam database")), msg) + sys.exit(1) + +# get the substitution dictionary +sub_vars = get_subst_vars(samdb) + +# get the list of SPN entries we should have +spn_update_list = lp.private_path('spn_update_list') + +file = open(spn_update_list, "r") + +spn_list = [] + +# build the spn list +for line in file: + line = line.strip() + if line == '' or line[0] == "#": + continue + line = samba.substitute_var(line, sub_vars) + spn_list.append(line) + +# get the current list of SPNs in our sam +res = samdb.search(base="", + expression='(&(objectClass=computer)(samaccountname=%s$))' % sub_vars['NETBIOSNAME'], + attrs=["servicePrincipalName"]) +if not res or len(res) != 1: + print("Failed to find computer object for %s$" % sub_vars['NETBIOSNAME']) + sys.exit(1) + +old_spns = [] +for s in res[0]['servicePrincipalName']: + old_spns.append(s) + +if opts.verbose: + print("Existing SPNs: %s" % old_spns) + +add_list = [] + +# work out what needs to be added +for s in spn_list: + in_list = False + for s2 in old_spns: + if s2.upper() == s.upper(): + in_list = True + break + if not in_list: + add_list.append(s) + +if opts.verbose: + print("New SPNs: %s" % add_list) + +if add_list == []: + if opts.verbose: + print("Nothing to add") + sys.exit(0) + +# build the modify request +msg = ldb.Message() +msg.dn = res[0]['dn'] +msg[""] = ldb.MessageElement(add_list, + ldb.FLAG_MOD_ADD, "servicePrincipalName") +res = samdb.modify(msg) +sys.exit(0) diff --git a/source4/setup/spn_update_list b/source4/setup/spn_update_list new file mode 100644 index 0000000000..e015e35500 --- /dev/null +++ b/source4/setup/spn_update_list @@ -0,0 +1,27 @@ +# this is a list of servicePrincipalName entries +# that we need to add on our account. It is processed by +# the samba_spnupdate script + +ldap/${HOSTNAME}/${DNSDOMAIN} +ldap/${HOSTNAME} +ldap/${NETBIOSNAME} +ldap/${HOSTNAME}/${WORKGROUP} +ldap/${NTDSGUID}._msdcs.${DNSDOMAIN} +ldap/${NETBIOSNAME}/${WORKGROUP} +E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN} +HOST/${HOSTNAME}/${DNSDOMAIN} +HOST/${HOSTNAME} +HOST/${NETBIOSNAME} +HOST/${HOSTNAME}/${WORKGROUP} +HOST/${NETBIOSNAME}/${WORKGROUP} +RestrictedKrbHost/${NETBIOSNAME} +RestrictedKrbHost/${HOSTNAME} +GC/${HOSTNAME}/${DNSDOMAIN} +DNS/${HOSTNAME} + +# these are not supported yet +# Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/${HOSTNAME} +# TERMSRV/${HOSTNAME} +# TERMSRV/${NETBIOSNAME} +# ldap/${HOSTNAME}/DomainDnsZones.${DNSDOMAIN} +# ldap/${HOSTNAME}/ForestDnsZones.${DNSDOMAIN} |