authorAndrew Bartlett <abartlet@samba.org>2013-09-26 10:19:18 -0700
committerStefan Metzmacher <metze@samba.org>2013-10-11 08:32:10 +0200
commit48b979c4fec39c8d3b9684b4a759715c0f93e9cc (patch)
tree07d9c8f6bc9e0e3c338b4918a9a3e1f9545f3477
parenta2d45cf49e4976d55261d01df955e412ac7fa73f (diff)
provision: Remove --username and --password options from samba-tool domain provision
This avoids confusion, because the LDAP backend does not use these, and they do not set the password for the administrator account either! This may break support for the 'existing' LDAP backend, but that is nothing more than a stub for future development anyway, and new work in this area should use EXTERNAL in any case. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--python/samba/join.py2
-rw-r--r--python/samba/netcmd/domain.py9
-rw-r--r--python/samba/provision/__init__.py14
-rw-r--r--python/samba/provision/backend.py52
-rw-r--r--python/samba/upgrade.py2
-rw-r--r--python/samba/upgradehelpers.py4
-rwxr-xr-xsource4/scripting/bin/samba_upgradeprovision2
-rwxr-xr-xsource4/setup/tests/blackbox_provision-backend.sh2
8 files changed, 28 insertions, 59 deletions
diff --git a/python/samba/join.py b/python/samba/join.py
index 2379d5f214..637ade2b3c 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -717,7 +717,7 @@ class dc_join(object):
smbconf = ctx.lp.configfile
- presult = provision(ctx.logger, system_session(), None, smbconf=smbconf,
+ presult = provision(ctx.logger, system_session(), smbconf=smbconf,
targetdir=ctx.targetdir, samdb_fill=FILL_DRS, realm=ctx.realm,
rootdn=ctx.root_dn, domaindn=ctx.base_dn,
schemadn=ctx.schema_dn, configdn=ctx.config_dn,
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 0698928de0..217b5369b7 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -144,7 +144,6 @@ class cmd_domain_provision(Command):
takes_optiongroups = {
"sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions,
- "credopts": options.CredentialsOptions,
}
takes_options = [
@@ -231,7 +230,7 @@ class cmd_domain_provision(Command):
takes_args = []
- def run(self, sambaopts=None, credopts=None, versionopts=None,
+ def run(self, sambaopts=None, versionopts=None,
interactive=None,
domain=None,
domain_guid=None,
@@ -278,10 +277,6 @@ class cmd_domain_provision(Command):
lp = sambaopts.get_loadparm()
smbconf = lp.configfile
- creds = credopts.get_credentials(lp)
-
- creds.set_kerberos_state(DONT_USE_KERBEROS)
-
if dns_forwarder is not None:
suggested_forwarder = dns_forwarder
else:
@@ -408,7 +403,7 @@ class cmd_domain_provision(Command):
session = system_session()
try:
result = provision(self.logger,
- session, creds, smbconf=smbconf, targetdir=targetdir,
+ session, smbconf=smbconf, targetdir=targetdir,
samdb_fill=samdb_fill, realm=realm, domain=domain,
domainguid=domain_guid, domainsid=domain_sid,
hostname=host_name,
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 7f6d96d760..698df94f34 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1888,7 +1888,7 @@ def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
samdb.transaction_commit()
-def provision(logger, session_info, credentials, smbconf=None,
+def provision(logger, session_info, smbconf=None,
targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
domaindn=None, schemadn=None, configdn=None, serverdn=None,
domain=None, hostname=None, hostip=None, hostip6=None, domainsid=None,
@@ -2065,25 +2065,25 @@ def provision(logger, session_info, credentials, smbconf=None,
if backend_type == "ldb":
provision_backend = LDBBackend(backend_type, paths=paths,
- lp=lp, credentials=credentials,
+ lp=lp,
names=names, logger=logger)
elif backend_type == "existing":
# If support for this is ever added back, then the URI will need to be
# specified again
provision_backend = ExistingBackend(backend_type, paths=paths,
- lp=lp, credentials=credentials,
+ lp=lp,
names=names, logger=logger,
ldap_backend_forced_uri=ldap_backend_forced_uri)
elif backend_type == "fedora-ds":
provision_backend = FDSBackend(backend_type, paths=paths,
- lp=lp, credentials=credentials,
+ lp=lp,
names=names, logger=logger, domainsid=domainsid,
schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
slapd_path=slapd_path,
root=root)
elif backend_type == "openldap":
provision_backend = OpenLDAPBackend(backend_type, paths=paths,
- lp=lp, credentials=credentials,
+ lp=lp,
names=names, logger=logger, domainsid=domainsid,
schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
slapd_path=slapd_path, ol_mmr_urls=ol_mmr_urls,
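Review bot: The `existing` branch still calls `ExistingBackend(...)` with `ldap_backend_forced_uri=`, but the constructor shown in the backend.py hunk of this commit accepts only `ldapi_uri=`. That constructor in turn forwards `ldap_backend_forced_uri=ldapi_uri` to `ProvisionBackend.__init__`, whose new signature (`backend_type, paths, lp, names, logger`) has no such parameter. As far as these hunks show, selecting the `existing` backend type would fail with TypeError during construction rather than with a message saying the backend is unsupported. If the stub is meant to stay callable, the call here should read `ldapi_uri=ldap_backend_forced_uri)` and the `super()` call in `ExistingBackend.__init__` should drop its extra keyword; otherwise raise an explicit error in this branch. The `OpenLDAPBackend(...)` call at the end of the hunk continues outside it.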
@@ -2105,7 +2105,7 @@ def provision(logger, session_info, credentials, smbconf=None,
logger.info("Setting up secrets.ldb")
secrets_ldb = setup_secretsdb(paths,
session_info=session_info,
- backend_credentials=provision_backend.secrets_credentials, lp=lp)
+ backend_credentials=provision_backend.credentials, lp=lp)
try:
logger.info("Setting up the registry")
@@ -2227,7 +2227,7 @@ def provision_become_dc(smbconf=None, targetdir=None,
logger = logging.getLogger("provision")
samba.set_debug_level(debuglevel)
- res = provision(logger, system_session(), None,
+ res = provision(logger, system_session(),
smbconf=smbconf, targetdir=targetdir, samdb_fill=FILL_DRS,
realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
configdn=configdn, serverdn=serverdn, domain=domain,
diff --git a/python/samba/provision/backend.py b/python/samba/provision/backend.py
index 93c38f78bb..1180642c4a 100644
--- a/python/samba/provision/backend.py
+++ b/python/samba/provision/backend.py
@@ -63,19 +63,11 @@ class BackendResult(object):
class LDAPBackendResult(BackendResult):
- def __init__(self, credentials, slapd_command_escaped, ldapdir):
- self.credentials = credentials
+ def __init__(self, slapd_command_escaped, ldapdir):
self.slapd_command_escaped = slapd_command_escaped
self.ldapdir = ldapdir
def report_logger(self, logger):
- if self.credentials.get_bind_dn() is not None:
- logger.info("LDAP Backend Admin DN: %s" %
- self.credentials.get_bind_dn())
- else:
- logger.info("LDAP Admin User: %s" %
- self.credentials.get_username())
-
if self.slapd_command_escaped is not None:
# now display slapd_command_file.txt to show how slapd must be
# started next time
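Review bot: `LDAPBackendResult.__init__` loses its first positional parameter here, but none of the backend.py hunks in this commit touches a call that constructs the class. If an existing call still has the three-argument form (credentials first), it would now raise TypeError, and only when the result object is built at the end of an LDAP-backend provision. The call site is not visible in this diff, so please confirm it was changed to `LDAPBackendResult(self.slapd_command_escaped, self.ldapdir)`. The body of `report_logger` continues outside the hunk.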
@@ -90,11 +82,11 @@ class LDAPBackendResult(BackendResult):
class ProvisionBackend(object):
def __init__(self, backend_type, paths=None, lp=None,
- credentials=None, names=None, logger=None):
+ names=None, logger=None):
"""Provision a backend for samba4"""
self.paths = paths
self.lp = lp
- self.credentials = credentials
+ self.credentials = None
self.names = names
self.logger = logger
@@ -127,7 +119,6 @@ class LDBBackend(ProvisionBackend):
def init(self):
self.credentials = None
- self.secrets_credentials = None
# Wipe the old sam.ldb databases away
shutil.rmtree(self.paths.samdb + ".d", True)
@@ -145,11 +136,11 @@ class LDBBackend(ProvisionBackend):
class ExistingBackend(ProvisionBackend):
def __init__(self, backend_type, paths=None, lp=None,
- credentials=None, names=None, logger=None, ldapi_uri=None):
+ names=None, logger=None, ldapi_uri=None):
super(ExistingBackend, self).__init__(backend_type=backend_type,
paths=paths, lp=lp,
- credentials=credentials, names=names, logger=logger,
+ names=names, logger=logger,
ldap_backend_forced_uri=ldapi_uri)
def init(self):
@@ -158,27 +149,21 @@ class ExistingBackend(ProvisionBackend):
ldapi_db.search(base="", scope=SCOPE_BASE,
expression="(objectClass=OpenLDAProotDSE)")
- # If we have got here, then we must have a valid connection to the LDAP
- # server, with valid credentials supplied This caused them to be set
- # into the long-term database later in the script.
- self.secrets_credentials = self.credentials
-
-
- # For now, assume existing backends at least emulate OpenLDAP
+ # For now, assume existing backends at least emulate OpenLDAP
self.ldap_backend_type = "openldap"
class LDAPBackend(ProvisionBackend):
def __init__(self, backend_type, paths=None, lp=None,
- credentials=None, names=None, logger=None, domainsid=None,
+ names=None, logger=None, domainsid=None,
schema=None, hostname=None, ldapadminpass=None,
slapd_path=None, ldap_backend_extra_port=None,
ldap_backend_forced_uri=None, ldap_dryrun_mode=False):
super(LDAPBackend, self).__init__(backend_type=backend_type,
paths=paths, lp=lp,
- credentials=credentials, names=names, logger=logger)
+ names=names, logger=logger)
self.domainsid = domainsid
self.schema = schema
@@ -253,19 +238,12 @@ class LDAPBackend(ProvisionBackend):
self.credentials = Credentials()
self.credentials.guess(self.lp)
- # Kerberos to an ldapi:// backend makes no sense
+ # Kerberos to an ldapi:// backend makes no sense (we also force EXTERNAL)
self.credentials.set_kerberos_state(DONT_USE_KERBEROS)
+ self.credentials.set_username("samba-admin")
self.credentials.set_password(self.ldapadminpass)
self.credentials.set_forced_sasl_mech("EXTERNAL")
- self.secrets_credentials = Credentials()
- self.secrets_credentials.guess(self.lp)
- # Kerberos to an ldapi:// backend makes no sense
- self.secrets_credentials.set_kerberos_state(DONT_USE_KERBEROS)
- self.secrets_credentials.set_username("samba-admin")
- self.secrets_credentials.set_password(self.ldapadminpass)
- self.secrets_credentials.set_forced_sasl_mech("EXTERNAL")
-
self.provision()
def provision(self):
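Review bot: The updated comment says EXTERNAL is forced, yet `set_username("samba-admin")` and `set_password(self.ldapadminpass)` remain on the same object with no explanation of who consumes them. After this commit the single `self.credentials` object is also what `provision()` passes to `setup_secretsdb` as `backend_credentials`, so the admin password presumably ends up stored in secrets.ldb. A comment would make that explicit, for example `# username/password are not used for the ldapi:// bind (SASL EXTERNAL); they are kept because this object is handed to setup_secretsdb()`, once confirmed against `setup_secretsdb`. It is also worth stating there that `guess(self.lp)` runs first and that the explicit setters below override whatever it filled in. The enclosing method starts outside the hunk.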
@@ -340,7 +318,7 @@ class OpenLDAPBackend(LDAPBackend):
from samba.provision import setup_path
super(OpenLDAPBackend, self).__init__( backend_type=backend_type,
paths=paths, lp=lp,
- credentials=credentials, names=names, logger=logger,
+ names=names, logger=logger,
domainsid=domainsid, schema=schema, hostname=hostname,
ldapadminpass=ldapadminpass, slapd_path=slapd_path,
ldap_backend_extra_port=ldap_backend_extra_port,
@@ -595,10 +573,6 @@ class OpenLDAPBackend(LDAPBackend):
self.slapd_command.append(uris)
- # Set the username - done here because Fedora DS still uses the admin
- # DN and simple bind
- self.credentials.set_username("samba-admin")
-
# Wipe the old sam.ldb databases away
shutil.rmtree(self.olcdir, True)
os.makedirs(self.olcdir, 0770)
@@ -632,7 +606,7 @@ class OpenLDAPBackend(LDAPBackend):
class FDSBackend(LDAPBackend):
def __init__(self, backend_type, paths=None, lp=None,
- credentials=None, names=None, logger=None, domainsid=None,
+ names=None, logger=None, domainsid=None,
schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
ldap_backend_extra_port=None, ldap_dryrun_mode=False, root=None,
setup_ds_path=None):
@@ -641,7 +615,7 @@ class FDSBackend(LDAPBackend):
super(FDSBackend, self).__init__(backend_type=backend_type,
paths=paths, lp=lp,
- credentials=credentials, names=names, logger=logger,
+ names=names, logger=logger,
domainsid=domainsid, schema=schema, hostname=hostname,
ldapadminpass=ldapadminpass, slapd_path=slapd_path,
ldap_backend_extra_port=ldap_backend_extra_port,
diff --git a/python/samba/upgrade.py b/python/samba/upgrade.py
index 532e1dee81..6b55ed76a7 100644
--- a/python/samba/upgrade.py
+++ b/python/samba/upgrade.py
@@ -855,7 +855,7 @@ Please fix this account before attempting to upgrade again
adminpass = None
# Do full provision
- result = provision(logger, session_info, None,
+ result = provision(logger, session_info,
targetdir=targetdir, realm=realm, domain=domainname,
domainsid=str(domainsid), next_rid=next_rid,
dc_rid=machinerid, adminpass = adminpass,
diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py
index 04f1e82e61..b6750eb430 100644
--- a/python/samba/upgradehelpers.py
+++ b/python/samba/upgradehelpers.py
@@ -225,7 +225,7 @@ def update_policyids(names, samdb):
names.policyid_dc = None
-def newprovision(names, creds, session, smbconf, provdir, logger):
+def newprovision(names, session, smbconf, provdir, logger):
"""Create a new provision.
This provision will be the reference for knowing what has changed in the
@@ -242,7 +242,7 @@ def newprovision(names, creds, session, smbconf, provdir, logger):
shutil.rmtree(provdir)
os.mkdir(provdir)
logger.info("Provision stored in %s", provdir)
- return provision(logger, session, creds, smbconf=smbconf,
+ return provision(logger, session, smbconf=smbconf,
targetdir=provdir, samdb_fill=FILL_FULL, realm=names.realm,
domain=names.domain, domainguid=names.domainguid,
domainsid=str(names.domainsid), ntdsguid=names.ntdsguid,
diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision
index 88e0206e59..c4a0f79329 100755
--- a/source4/scripting/bin/samba_upgradeprovision
+++ b/source4/scripting/bin/samba_upgradeprovision
@@ -1632,7 +1632,7 @@ if __name__ == '__main__':
message(SIMPLE, "Creating a reference provision")
provisiondir = tempfile.mkdtemp(dir=paths.private_dir,
prefix="referenceprovision")
- result = newprovision(names, creds, session, smbconf, provisiondir,
+ result = newprovision(names, session, smbconf, provisiondir,
provision_logger)
result.report_logger(provision_logger)
diff --git a/source4/setup/tests/blackbox_provision-backend.sh b/source4/setup/tests/blackbox_provision-backend.sh
index 5dec621e59..fc455d5e12 100755
--- a/source4/setup/tests/blackbox_provision-backend.sh
+++ b/source4/setup/tests/blackbox_provision-backend.sh
@@ -13,7 +13,7 @@ shift 1
. `dirname $0`/../../../testprogs/blackbox/subunit.sh
testit "openldap-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
-testit "openldap-mmr-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-mmr-backend --ol-mmr-urls="ldap://s4dc1.test:9000,ldap://s4dc2.test:9000" --username=samba-admin --password=linux --adminpass=linux --ldapadminpass=linux --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
+testit "openldap-mmr-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-mmr-backend --ol-mmr-urls="ldap://s4dc1.test:9000,ldap://s4dc2.test:9000" --adminpass=linux --ldapadminpass=linux --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
testit "fedora-ds-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
reprovision() {
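Review bot: The context line for the "fedora-ds-backend" test still passes `--ldap-backend-type=openldap` and `--targetdir=$PREFIX/openldap-backend`, so it repeats the first test instead of exercising the Fedora DS path. This commit changes that path too (`FDSBackend.__init__` in backend.py), so the constructor change there has no blackbox coverage from this file. The line sits next to the one being edited and could be corrected to use `--ldap-backend-type=fedora-ds --targetdir=$PREFIX/fedora-ds-backend`. Whether the dry-run mode is enough for that backend without further options needs checking.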