author | Andrew Bartlett <abartlet@samba.org> | 2007-09-22 12:57:17 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 15:07:09 -0500 |
commit | ee257e902ade941f734d5b647511d14e051ac0d1 (patch) | |
tree | 3503b046dbb0efafe3906821be8641980fdbb598 /source4/setup | |
parent | 733591c079eb646344333bcad091839cd15992e7 (diff) | |
r25299: Modify the provision script to take an additional argument: --server-role
This must be set to either 'domain controller', 'domain member' or 'standalone'.
The default for the provision now changes to 'standalone'.
This is not because Samba4 is particularly useful in that mode, but
because we still want a positive sign from the administrator that we
should advertise as a DC.
We now do more to ensure the 'standalone' and 'member server'
provision output is reasonable, and try not to set odd things into the
database that only belong for the DC.
Andrew Bartlett
(This used to be commit 4cc4ed7719aff712e735628410bd3813c7d6aa40)
Diffstat (limited to 'source4/setup')
-rw-r--r-- | source4/setup/named.conf | 5 | ||||
-rwxr-xr-x | source4/setup/provision | 3 | ||||
-rw-r--r-- | source4/setup/provision.smb.conf.dc (renamed from source4/setup/provision.smb.conf) | 6 | ||||
-rw-r--r-- | source4/setup/provision.smb.conf.member | 5 | ||||
-rw-r--r-- | source4/setup/provision.smb.conf.standlone | 5 | ||||
-rw-r--r-- | source4/setup/provision_self_join.ldif | 18 | ||||
-rw-r--r-- | source4/setup/provision_users.ldif | 16 | ||||
-rw-r--r-- | source4/setup/secrets.ldif | 44 | ||||
-rw-r--r-- | source4/setup/secrets_dc.ldif | 44 |
9 files changed, 81 insertions, 65 deletions
diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index bb9f421db0..025788093e 100644
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@@ -3,11 +3,12 @@
 # the BIND nameserver.
 #
-#insert this into options {}
+# If you have a very recent BIND, supporting GSS-TSIG,
+# insert this into options {} (otherwise omit, it is not required if we don't accept updates)
 tkey-gssapi-credential "DNS/${DNSDOMAIN}";
 tkey-domain "${REALM}";
-#the zone file
+# You should always include the actual zone configuration reference:
 zone "${DNSDOMAIN}." IN {
 type master;
 file "${DNSDOMAIN}.zone";
diff --git a/source4/setup/provision b/source4/setup/provision
index f6b9cde188..b8f955dcf4 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -32,6 +32,7 @@ options = GetOptions(ARGV,
 'users=s',
 'quiet',
 'blank',
+ 'server-role=s',
 'partitions-only',
 'ldap-base',
 'ldap-backend=s',
@@ -84,6 +85,7 @@ provision [options]
 --users GROUPNAME choose 'users' group
 --quiet Be quiet
 --blank do not add users or groups, just the structure
+ --server-role ROLE Set server role to provision for (default standalone)
 --partitions-only Configure Samba's partitions, but do not modify them (ie, join a BDC)
 --ldap-base output only an LDIF file, suitable for creating an LDAP baseDN
 --ldap-backend LDAPSERVER LDAP server to use for this provision
@@ -112,6 +114,7 @@ if (options["realm"] == undefined ||
 var lp = loadparm_init();
 lp.set("realm", options.realm);
 lp.set("workgroup", options.domain);
+lp.set("server role", options["server-role"]);
 lp.reload();
 var subobj = provision_guess();
diff --git a/source4/setup/provision.smb.conf b/source4/setup/provision.smb.conf.dc
index fe08d7e3be..5b8e141cbf 100644
--- a/source4/setup/provision.smb.conf
+++ b/source4/setup/provision.smb.conf.dc
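Review bot: The two `tkey-*` options remain active in the generated file while the new comment only tells the administrator to "omit" them on a BIND without GSS-TSIG, so including the snippet unchanged into such a BIND will presumably fail at config load rather than degrade gracefully, and "it is not required if we don't accept updates" leaves open what an admin who later adds `allow-update` gets (unauthenticated updates, since nothing in this snippet can then verify a TSIG signature). I would make the security consequence explicit in the comment, e.g. `# Without these two options BIND cannot verify GSS-TSIG signed dynamic updates: if you omit them, do NOT add allow-update to the zone below (BIND denies updates by default).` The zone stanza continues past the end of the hunk, so I cannot see whether an update-policy is already emitted there.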
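Review bot: `lp.set("server role", options["server-role"]);` passes the command-line value through unvalidated, and nothing in the hunk supplies the "standalone" default that the new usage text promises, so an omitted flag hands `undefined` to `lp.set` and a typo such as `--server-role dc` is accepted at provision time even though the commit message says the value must be one of exactly three strings. Since the role decides whether this host advertises itself as a DC and which secrets/LDIF set is written, a wrong or missing value should be rejected before anything is provisioned. The surrounding function continues outside the hunk; the realm/domain check visible in the hunk header suggests an existing error idiom to reuse. I would default and validate immediately before the `lp.set` call:

```javascript
/* … unchanged: loadparm_init(), realm and workgroup lp.set calls … */
if (options["server-role"] == undefined) {
	options["server-role"] = "standalone";   /* the default the usage text advertises */
}
if (options["server-role"] != "domain controller" &&
    options["server-role"] != "domain member" &&
    options["server-role"] != "standalone") {
	println("--server-role must be 'domain controller', 'domain member' or 'standalone'");
	exit(1);   /* NOTE(review): use the same error/exit idiom as the realm/domain check above */
}
lp.set("server role", options["server-role"]);
/* … unchanged: lp.reload() and provision_guess() … */
```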
@@ -1,8 +1,8 @@
 [globals]
 netbios name = ${HOSTNAME}
- workgroup = ${DOMAIN}
- realm = ${REALM}
- server role = domain controller
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
 [netlogon]
 path = ${NETLOGONPATH}
diff --git a/source4/setup/provision.smb.conf.member b/source4/setup/provision.smb.conf.member
new file mode 100644
index 0000000000..bc37d4f3d3
--- /dev/null
+++ b/source4/setup/provision.smb.conf.member
@@ -0,0 +1,5 @@
+[globals]
+ netbios name = ${HOSTNAME}
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
diff --git a/source4/setup/provision.smb.conf.standlone b/source4/setup/provision.smb.conf.standlone
new file mode 100644
index 0000000000..bc37d4f3d3
--- /dev/null
+++ b/source4/setup/provision.smb.conf.standlone
@@ -0,0 +1,5 @@
+[globals]
+ netbios name = ${HOSTNAME}
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index ff44a35f6d..dca7b7c93e 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -21,3 +21,21 @@ servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
 servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
 servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
 ${HOSTGUID_ADD}
+
+#Provide a account for DNS keytab export
+dn: CN=dns,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: dns
+description: DNS Service Account
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+accountExpires: 9223372036854775807
+sAMAccountName: dns
+sAMAccountType: 805306368
+servicePrincipalName: DNS/${DNSDOMAIN}
+isCriticalSystemObject: TRUE
+sambaPassword:: ${DNSPASS_B64}
+
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index f6fbb0bd52..030fe5d742 100644
--- a/source4/setup/provision_users.ldif
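Review bot: The new template is named `provision.smb.conf.standlone` while the role string it serves is "standalone"; if the provision script derives the template path from the role value (that lookup is not in this diff), the new default role would fail to find its own template, and even if not, the misspelled name will keep tripping people up. Rename the file to `provision.smb.conf.standalone`. It is also byte-identical to `provision.smb.conf.member` (both blob bc37d4f3d3), so one shared non-DC template would avoid the two copies drifting apart.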
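Review bot: The comment introducing the relocated dns entry, `#Provide a account for DNS keytab export`, has a typo and says nothing about why the account carries `userAccountControl: 514`, which decodes to NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2) — a later maintainer could "fix" the disabled flag without realising the entry is a password-bearing service principal that is presumably only meant to be used through the exported keytab. I would replace the comment with `# Service account for the DNS/${DNSDOMAIN} principal; created disabled (UAC 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE) so it only exists for keytab export to BIND. Do not enable it.` The entry itself is moved verbatim from provision_users.ldif, so this is a DC-only account now, which the comment could also say.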
+++ b/source4/setup/provision_users.ldif
@@ -205,22 +205,6 @@ servicePrincipalName: kadmin/changepw
 isCriticalSystemObject: TRUE
 sambaPassword:: ${KRBTGTPASS_B64}
-dn: CN=dns,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: dns
-description: DNS Service Account
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-accountExpires: 9223372036854775807
-sAMAccountName: dns
-sAMAccountType: 805306368
-servicePrincipalName: DNS/${DNSDOMAIN}
-isCriticalSystemObject: TRUE
-sambaPassword:: ${DNSPASS_B64}
-
 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
diff --git a/source4/setup/secrets.ldif b/source4/setup/secrets.ldif
index 80015b4b41..95cbe20e5f 100644
--- a/source4/setup/secrets.ldif
+++ b/source4/setup/secrets.ldif
@@ -8,47 +8,3 @@ objectClass: top
 objectClass: container
 cn: Primary Domains
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-msDS-KeyVersionNumber: 1
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-sAMAccountName: krbtgt
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-objectSid: ${DOMAINSID}
-servicePrincipalName: kadmin/changepw
-krb5Keytab: HDB:ldb:${SAM_LDB}:
-#The trailing : here is a HACK, but it matches the Heimdal format.
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-realm: ${REALM}
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-servicePrincipalName: DNS/${DNSDOMAIN}
-privateKeytab: ${DNS_KEYTAB}
-secret:: ${DNSPASS_B64}
-
diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif
new file mode 100644
index 0000000000..64469352bb
--- /dev/null
+++ b/source4/setup/secrets_dc.ldif
@@ -0,0 +1,44 @@
+dn: flatname=${DOMAIN},CN=Primary Domains
+objectClass: top
+objectClass: primaryDomain
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+secret:: ${MACHINEPASS_B64}
+secureChannelType: 6
+sAMAccountName: ${NETBIOSNAME}$
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+msDS-KeyVersionNumber: 1
+objectSid: ${DOMAINSID}
+privateKeytab: ${SECRETS_KEYTAB}
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+sAMAccountName: krbtgt
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+objectSid: ${DOMAINSID}
+servicePrincipalName: kadmin/changepw
+krb5Keytab: HDB:ldb:${SAM_LDB}:
+#The trailing : here is a HACK, but it matches the Heimdal format.
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+realm: ${REALM}
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+servicePrincipalName: DNS/${DNSDOMAIN}
+privateKeytab: ${DNS_KEYTAB}
+secret:: ${DNSPASS_B64}
+
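Review bot: secrets_dc.ldif opens directly with `dn: flatname=${DOMAIN},CN=Primary Domains`, but the `CN=Primary Domains` container that entry lives under is still created by secrets.ldif (the context lines kept in that hunk), so this file only loads correctly after secrets.ldif and, per the commit message, only for the "domain controller" role — and nothing in the file records either constraint. I would add a header comment stating both: `# DC-only secrets (machine account, krbtgt and DNS keytab hooks). Apply after secrets.ldif, which creates the CN=Primary Domains container the first entry below requires.` The two "as we must be on a KDC" comments were moved verbatim; now that file selection by role is what actually enforces that, the header is the place to say so.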