summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2007-09-22 12:57:17 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 15:07:09 -0500
commitee257e902ade941f734d5b647511d14e051ac0d1 (patch)
tree3503b046dbb0efafe3906821be8641980fdbb598
parent733591c079eb646344333bcad091839cd15992e7 (diff)
downloadsamba-ee257e902ade941f734d5b647511d14e051ac0d1.tar.gz
samba-ee257e902ade941f734d5b647511d14e051ac0d1.tar.bz2
samba-ee257e902ade941f734d5b647511d14e051ac0d1.zip
r25299: Modify the provision script to take an additional argument: --server-role
This must be set to either 'domain controller', 'domain member' or 'standalone'. The default for the provision now changes to 'standalone'. This is not because Samba4 is particularlly useful in that mode, but because we still want a positive sign from the administrator that we should advertise as a DC. We now do more to ensure the 'standalone' and 'member server' provision output is reasonable, and try not to set odd things into the database that only belong for the DC. Andrew Bartlett (This used to be commit 4cc4ed7719aff712e735628410bd3813c7d6aa40)
-rw-r--r--source4/ldap_server/ldap_server.c12
-rw-r--r--source4/scripting/libjs/provision.js47
-rw-r--r--source4/selftest/env/Samba4.pm13
-rw-r--r--source4/setup/named.conf5
-rwxr-xr-xsource4/setup/provision3
-rw-r--r--source4/setup/provision.smb.conf.dc (renamed from source4/setup/provision.smb.conf)6
-rw-r--r--source4/setup/provision.smb.conf.member5
-rw-r--r--source4/setup/provision.smb.conf.standlone5
-rw-r--r--source4/setup/provision_self_join.ldif18
-rw-r--r--source4/setup/provision_users.ldif16
-rw-r--r--source4/setup/secrets.ldif44
-rw-r--r--source4/setup/secrets_dc.ldif44
12 files changed, 137 insertions, 81 deletions
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index a6753d46fa..f2ffc401cb 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -513,6 +513,18 @@ static void ldapsrv_task_init(struct task_server *task)
NTSTATUS status;
const struct model_ops *model_ops;
+ switch (lp_server_role()) {
+ case ROLE_STANDALONE:
+ task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration");
+ return;
+ case ROLE_DOMAIN_MEMBER:
+ task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration");
+ return;
+ case ROLE_DOMAIN_CONTROLLER:
+ /* Yes, we want an LDAP server */
+ break;
+ }
+
task_server_set_title(task, "task[ldapsrv]");
/* run the ldap server as a single process */
diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js
index d6d4909499..502583507b 100644
--- a/source4/scripting/libjs/provision.js
+++ b/source4/scripting/libjs/provision.js
@@ -489,6 +489,17 @@ function provision_fix_subobj(subobj, paths)
subobj.NETLOGONPATH = paths.netlogon;
subobj.SYSVOLPATH = paths.sysvol;
+ if (subobj.DOMAIN_CONF == undefined) {
+ subobj.DOMAIN_CONF = subobj.DOMAIN;
+ }
+ if (subobj.REALM_CONF == undefined) {
+ subobj.REALM_CONF = subobj.REALM;
+ }
+ if (subobj.SERVERROLE != "domain controller") {
+ subobj.REALM = subobj.HOSTNAME;
+ subobj.DOMAIN = subobj.HOSTNAME;
+ }
+
return true;
}
@@ -536,6 +547,8 @@ function provision_become_dc(subobj, message, erase, paths, session_info)
setup_ldb("secrets.ldif", info, paths.secrets, false);
+ setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
return true;
}
@@ -571,8 +584,16 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
/* only install a new smb.conf if there isn't one there already */
var st = sys.stat(paths.smbconf);
if (st == undefined) {
+ var smbconfsuffix;
+ if (subobj.ROLE == "domain controller") {
+ smbconfsuffix = "dc";
+ } else if (subobj.ROLE == "member server") {
+ smbconfsuffix = "member";
+ } else {
+ smbconfsuffix = subobj.ROLE;
+ }
message("Setting up " + paths.smbconf +"\n");
- setup_file("provision.smb.conf", info.message, paths.smbconf, subobj);
+ setup_file("provision.smb.conf." + smbconfsuffix, info.message, paths.smbconf, subobj);
lp.reload();
}
/* only install a new shares config db if there is none */
@@ -724,7 +745,7 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
message("Setting up sam.ldb users and groups\n");
setup_add_ldif("provision_users.ldif", info, samdb, false);
- if (lp.get("server role") == "domain controller") {
+ if (subobj.SERVERROLE == "domain controller") {
message("Setting up self join\n");
setup_add_ldif("provision_self_join.ldif", info, samdb, false);
setup_add_ldif("provision_group_policy.ldif", info, samdb, false);
@@ -737,6 +758,9 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/User", 0755);
sys.mkdir(paths.netlogon, 0755);
+
+ setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
}
if (setup_name_mappings(info, samdb) == false) {
@@ -809,8 +833,8 @@ function provision_schema(subobj, message, tmp_schema_path, paths)
function provision_dns(subobj, message, paths, session_info, credentials)
{
var lp = loadparm_init();
- if (lp.get("server role") != "domain controller") {
- message("No DNS zone required for role %s\n", lp.get("server role"));
+ if (subobj.SERVERROLE != "domain controller") {
+ message("No DNS zone required for role %s\n", subobj.SERVERROLE);
return;
}
message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n");
@@ -886,6 +910,7 @@ function provision_guess()
var rdn_list;
random_init(local);
+ subobj.SERVERROLE = strlower(lp.get("server role"));
subobj.REALM = strupper(lp.get("realm"));
subobj.DOMAIN = lp.get("workgroup");
subobj.HOSTNAME = hostname();
@@ -1100,15 +1125,21 @@ function provision_validate(subobj, message)
}
- if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN)) {
+ if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN_CONF)) {
message("workgroup '%s' in smb.conf must match chosen domain '%s'\n",
- lp.get("workgroup"), subobj.DOMAIN);
+ lp.get("workgroup"), subobj.DOMAIN_CONF);
return false;
}
- if (strupper(lp.get("realm")) != strupper(subobj.REALM)) {
+ if (strupper(lp.get("realm")) != strupper(subobj.REALM_CONF)) {
message("realm '%s' in smb.conf must match chosen realm '%s'\n",
- lp.get("realm"), subobj.REALM);
+ lp.get("realm"), subobj.REALM_CONF);
+ return false;
+ }
+
+ if (strupper(lp.get("server role")) != strupper(subobj.SERVERROLE)) {
+ message("server role '%s' in smb.conf must match chosen role '%s'\n",
+ lp.get("server role"), subobj.SERVERROLE);
return false;
}
diff --git a/source4/selftest/env/Samba4.pm b/source4/selftest/env/Samba4.pm
index c8d2ccc94b..0cd9c2e2be 100644
--- a/source4/selftest/env/Samba4.pm
+++ b/source4/selftest/env/Samba4.pm
@@ -297,10 +297,6 @@ sub provision($$$$$$)
$tmpdir);
- my $localdomain = $domain;
- $localdomain = $netbiosname if $server_role eq "member server";
- my $localrealm = $realm;
- $localrealm = $netbiosname if $server_role eq "member server";
my $localbasedn = $basedn;
$localbasedn = "DC=$netbiosname" if $server_role eq "member server";
@@ -416,9 +412,9 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
push (@provision_options, split(' ', $configuration));
push (@provision_options, "--host-name=$netbiosname");
push (@provision_options, "--host-ip=$ifaceipv4");
- push (@provision_options, "--quiet");
- push (@provision_options, "--domain=$localdomain");
- push (@provision_options, "--realm=$localrealm");
+# push (@provision_options, "--quiet");
+ push (@provision_options, "--domain=$domain");
+ push (@provision_options, "--realm=$realm");
push (@provision_options, "--adminpass=$password");
push (@provision_options, "--krbtgtpass=krbtgt$password");
push (@provision_options, "--machinepass=machine$password");
@@ -426,6 +422,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
push (@provision_options, "--password=$password");
push (@provision_options, "--root=$root");
+ push (@provision_options, "--server-role=$server_role");
my $ldap_uri= "$ldapdir/ldapi";
$ldap_uri =~ s|/|%2F|g;
@@ -454,7 +451,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
if (defined($self->{ldap})) {
push (@provision_options, "--ldap-backend=$ldap_uri");
- system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$localrealm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+ system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$realm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
if ($self->{ldap} eq "openldap") {
($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");
diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index bb9f421db0..025788093e 100644
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@@ -3,11 +3,12 @@
# the BIND nameserver.
#
-#insert this into options {}
+# If you have a very recent BIND, supporting GSS-TSIG,
+# insert this into options {} (otherwise omit, it is not required if we don't accept updates)
tkey-gssapi-credential "DNS/${DNSDOMAIN}";
tkey-domain "${REALM}";
-#the zone file
+# You should always include the actual zone configuration reference:
zone "${DNSDOMAIN}." IN {
type master;
file "${DNSDOMAIN}.zone";
diff --git a/source4/setup/provision b/source4/setup/provision
index f6b9cde188..b8f955dcf4 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -32,6 +32,7 @@ options = GetOptions(ARGV,
'users=s',
'quiet',
'blank',
+ 'server-role=s',
'partitions-only',
'ldap-base',
'ldap-backend=s',
@@ -84,6 +85,7 @@ provision [options]
--users GROUPNAME choose 'users' group
--quiet Be quiet
--blank do not add users or groups, just the structure
+ --server-role ROLE Set server role to provision for (default standalone)
--partitions-only Configure Samba's partitions, but do not modify them (ie, join a BDC)
--ldap-base output only an LDIF file, suitable for creating an LDAP baseDN
--ldap-backend LDAPSERVER LDAP server to use for this provision
@@ -112,6 +114,7 @@ if (options["realm"] == undefined ||
var lp = loadparm_init();
lp.set("realm", options.realm);
lp.set("workgroup", options.domain);
+lp.set("server role", options["server-role"]);
lp.reload();
var subobj = provision_guess();
diff --git a/source4/setup/provision.smb.conf b/source4/setup/provision.smb.conf.dc
index fe08d7e3be..5b8e141cbf 100644
--- a/source4/setup/provision.smb.conf
+++ b/source4/setup/provision.smb.conf.dc
@@ -1,8 +1,8 @@
[globals]
netbios name = ${HOSTNAME}
- workgroup = ${DOMAIN}
- realm = ${REALM}
- server role = domain controller
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
[netlogon]
path = ${NETLOGONPATH}
diff --git a/source4/setup/provision.smb.conf.member b/source4/setup/provision.smb.conf.member
new file mode 100644
index 0000000000..bc37d4f3d3
--- /dev/null
+++ b/source4/setup/provision.smb.conf.member
@@ -0,0 +1,5 @@
+[globals]
+ netbios name = ${HOSTNAME}
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
diff --git a/source4/setup/provision.smb.conf.standlone b/source4/setup/provision.smb.conf.standlone
new file mode 100644
index 0000000000..bc37d4f3d3
--- /dev/null
+++ b/source4/setup/provision.smb.conf.standlone
@@ -0,0 +1,5 @@
+[globals]
+ netbios name = ${HOSTNAME}
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index ff44a35f6d..dca7b7c93e 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -21,3 +21,21 @@ servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
${HOSTGUID_ADD}
+
+#Provide a account for DNS keytab export
+dn: CN=dns,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: dns
+description: DNS Service Account
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+accountExpires: 9223372036854775807
+sAMAccountName: dns
+sAMAccountType: 805306368
+servicePrincipalName: DNS/${DNSDOMAIN}
+isCriticalSystemObject: TRUE
+sambaPassword:: ${DNSPASS_B64}
+
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index f6fbb0bd52..030fe5d742 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -205,22 +205,6 @@ servicePrincipalName: kadmin/changepw
isCriticalSystemObject: TRUE
sambaPassword:: ${KRBTGTPASS_B64}
-dn: CN=dns,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: dns
-description: DNS Service Account
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-accountExpires: 9223372036854775807
-sAMAccountName: dns
-sAMAccountType: 805306368
-servicePrincipalName: DNS/${DNSDOMAIN}
-isCriticalSystemObject: TRUE
-sambaPassword:: ${DNSPASS_B64}
-
dn: CN=Domain Computers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
diff --git a/source4/setup/secrets.ldif b/source4/setup/secrets.ldif
index 80015b4b41..95cbe20e5f 100644
--- a/source4/setup/secrets.ldif
+++ b/source4/setup/secrets.ldif
@@ -8,47 +8,3 @@ objectClass: top
objectClass: container
cn: Primary Domains
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-msDS-KeyVersionNumber: 1
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-sAMAccountName: krbtgt
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-objectSid: ${DOMAINSID}
-servicePrincipalName: kadmin/changepw
-krb5Keytab: HDB:ldb:${SAM_LDB}:
-#The trailing : here is a HACK, but it matches the Heimdal format.
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-realm: ${REALM}
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-servicePrincipalName: DNS/${DNSDOMAIN}
-privateKeytab: ${DNS_KEYTAB}
-secret:: ${DNSPASS_B64}
-
diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif
new file mode 100644
index 0000000000..64469352bb
--- /dev/null
+++ b/source4/setup/secrets_dc.ldif
@@ -0,0 +1,44 @@
+dn: flatname=${DOMAIN},CN=Primary Domains
+objectClass: top
+objectClass: primaryDomain
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+secret:: ${MACHINEPASS_B64}
+secureChannelType: 6
+sAMAccountName: ${NETBIOSNAME}$
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+msDS-KeyVersionNumber: 1
+objectSid: ${DOMAINSID}
+privateKeytab: ${SECRETS_KEYTAB}
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+sAMAccountName: krbtgt
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+objectSid: ${DOMAINSID}
+servicePrincipalName: kadmin/changepw
+krb5Keytab: HDB:ldb:${SAM_LDB}:
+#The trailing : here is a HACK, but it matches the Heimdal format.
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+realm: ${REALM}
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+servicePrincipalName: DNS/${DNSDOMAIN}
+privateKeytab: ${DNS_KEYTAB}
+secret:: ${DNSPASS_B64}
+