summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2010-04-27 18:25:55 +1000
committerAndrew Tridgell <tridge@samba.org>2010-04-27 19:27:18 +1000
commitfa26383884751c5775ccb65e3fbbf9ec7eeda28c (patch)
treedaef15eee84fb8f2a8b933e44fbbaa9b156e0ed0
parent570c89287e3f5e424db65098d5e60c9e37a5b6f3 (diff)
downloadsamba-fa26383884751c5775ccb65e3fbbf9ec7eeda28c.tar.gz
samba-fa26383884751c5775ccb65e3fbbf9ec7eeda28c.tar.bz2
samba-fa26383884751c5775ccb65e3fbbf9ec7eeda28c.zip
s4-dsdb: added samba_spnupdate
this script adds all our required servicePrincipalName entries at runtime. The admin can add more entries to spn_update_list as needed
-rwxr-xr-xsource4/scripting/bin/samba_spnupdate137
-rw-r--r--source4/setup/spn_update_list27
2 files changed, 164 insertions, 0 deletions
diff --git a/source4/scripting/bin/samba_spnupdate b/source4/scripting/bin/samba_spnupdate
new file mode 100755
index 0000000000..1971ea1e86
--- /dev/null
+++ b/source4/scripting/bin/samba_spnupdate
@@ -0,0 +1,137 @@
+#!/usr/bin/env python
+#
+# update our servicePrincipalName names from spn_update_list
+#
+# Copyright (C) Andrew Tridgell 2010
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+import os, sys
+
+# ensure we get messages out immediately, so they get in the samba logs,
+# and don't get swallowed by a timeout
+os.putenv('PYTHONUNBUFFERED', '1')
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
+import samba, ldb
+import optparse
+from samba import getopt as options
+from samba.auth import system_session
+from samba.samdb import SamDB
+
+parser = optparse.OptionParser("samba_spnupdate")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+parser.add_option("--verbose", action="store_true")
+
+creds = None
+ccachename = None
+
+opts, args = parser.parse_args()
+
+if len(args) != 0:
+ parser.print_usage()
+ sys.exit(1)
+
+lp = sambaopts.get_loadparm()
+
+domain = lp.get("realm")
+host = lp.get("netbios name")
+
+
+# get the list of substitution vars
+def get_subst_vars(samdb):
+ global lp
+ vars = {}
+
+ vars['DNSDOMAIN'] = lp.get('realm').lower()
+ vars['HOSTNAME'] = lp.get('netbios name').lower() + "." + vars['DNSDOMAIN']
+ vars['NETBIOSNAME'] = lp.get('netbios name').upper()
+ vars['WORKGROUP'] = lp.get('workgroup')
+ vars['NTDSGUID'] = samdb.get_ntds_GUID()
+ res = samdb.search(base=None, scope=ldb.SCOPE_BASE, attrs=["objectGUID"])
+ guid = samdb.schema_format_value("objectGUID", res[0]['objectGUID'][0])
+ vars['DOMAINGUID'] = guid
+ return vars
+
+try:
+ samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), lp=lp)
+except ldb.LdbError, (num, msg):
+ print("Unable to open sam database %s : %s" % (lp.get("sam database")), msg)
+ sys.exit(1)
+
+# get the substitution dictionary
+sub_vars = get_subst_vars(samdb)
+
+# get the list of SPN entries we should have
+spn_update_list = lp.private_path('spn_update_list')
+
+file = open(spn_update_list, "r")
+
+spn_list = []
+
+# build the spn list
+for line in file:
+ line = line.strip()
+ if line == '' or line[0] == "#":
+ continue
+ line = samba.substitute_var(line, sub_vars)
+ spn_list.append(line)
+
+# get the current list of SPNs in our sam
+res = samdb.search(base="",
+ expression='(&(objectClass=computer)(samaccountname=%s$))' % sub_vars['NETBIOSNAME'],
+ attrs=["servicePrincipalName"])
+if not res or len(res) != 1:
+ print("Failed to find computer object for %s$" % sub_vars['NETBIOSNAME'])
+ sys.exit(1)
+
+old_spns = []
+for s in res[0]['servicePrincipalName']:
+ old_spns.append(s)
+
+if opts.verbose:
+ print("Existing SPNs: %s" % old_spns)
+
+add_list = []
+
+# work out what needs to be added
+for s in spn_list:
+ in_list = False
+ for s2 in old_spns:
+ if s2.upper() == s.upper():
+ in_list = True
+ break
+ if not in_list:
+ add_list.append(s)
+
+if opts.verbose:
+ print("New SPNs: %s" % add_list)
+
+if add_list == []:
+ if opts.verbose:
+ print("Nothing to add")
+ sys.exit(0)
+
+# build the modify request
+msg = ldb.Message()
+msg.dn = res[0]['dn']
+msg[""] = ldb.MessageElement(add_list,
+ ldb.FLAG_MOD_ADD, "servicePrincipalName")
+res = samdb.modify(msg)
+sys.exit(0)
diff --git a/source4/setup/spn_update_list b/source4/setup/spn_update_list
new file mode 100644
index 0000000000..e015e35500
--- /dev/null
+++ b/source4/setup/spn_update_list
@@ -0,0 +1,27 @@
+# this is a list of servicePrincipalName entries
+# that we need to add on our account. It is processed by
+# the samba_spnupdate script
+
+ldap/${HOSTNAME}/${DNSDOMAIN}
+ldap/${HOSTNAME}
+ldap/${NETBIOSNAME}
+ldap/${HOSTNAME}/${WORKGROUP}
+ldap/${NTDSGUID}._msdcs.${DNSDOMAIN}
+ldap/${NETBIOSNAME}/${WORKGROUP}
+E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
+HOST/${HOSTNAME}/${DNSDOMAIN}
+HOST/${HOSTNAME}
+HOST/${NETBIOSNAME}
+HOST/${HOSTNAME}/${WORKGROUP}
+HOST/${NETBIOSNAME}/${WORKGROUP}
+RestrictedKrbHost/${NETBIOSNAME}
+RestrictedKrbHost/${HOSTNAME}
+GC/${HOSTNAME}/${DNSDOMAIN}
+DNS/${HOSTNAME}
+
+# these are not supported yet
+# Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/${HOSTNAME}
+# TERMSRV/${HOSTNAME}
+# TERMSRV/${NETBIOSNAME}
+# ldap/${HOSTNAME}/DomainDnsZones.${DNSDOMAIN}
+# ldap/${HOSTNAME}/ForestDnsZones.${DNSDOMAIN}