r23720: Allow the member server to work against an LDAP Backend. Another case

where LDB isn't as strict as OpenLDAP, the self join record contains
duplicate servicePrincipalNames once the DNS name and domain name are
made equal.  (Easier to just skip the useless self-join).

Andrew Bartlett
(This used to be commit 49ff929be6fcf57721532de13bdd7a7e1617af6f)

4 files changed, 37 insertions, 25 deletions

diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js
index 323c7cdacb..deaa97114a 100644
--- a/source4/scripting/libjs/provision.js
+++ b/source4/scripting/libjs/provision.js
@@ -700,6 +700,11 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
 	message("Setting up sam.ldb users and groups\n");
 	setup_add_ldif("provision_users.ldif", info, samdb, false);
 
+	if (lp.get("server role") == "domain controller") {
+		message("Setting up self join\n");
+		setup_add_ldif("provision_self_join.ldif", info, samdb, false);
+	}
+
 	if (setup_name_mappings(info, samdb) == false) {
 		return false;
 	}
@@ -769,6 +774,11 @@ function provision_schema(subobj, message, tmp_schema_path, paths)
 /* Write out a DNS zone file, from the info in the current database */
 function provision_dns(subobj, message, paths, session_info, credentials)
 {
+	var lp = loadparm_init();
+	if (lp.get("server role") != "domain controller") {
+		message("No DNS zone required for role %s\n", lp.get("server role"));
+		return;
+	}
 	message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n");
 	var ldb = ldb_init();
 	ldb.session_info = session_info;
diff --git a/source4/selftest/Samba4.pm b/source4/selftest/Samba4.pm
index ec34358e0a..1da0439757 100644
--- a/source4/selftest/Samba4.pm
+++ b/source4/selftest/Samba4.pm
@@ -281,6 +281,8 @@ sub provision($$$$$$)
 	$localdomain = $netbiosname if $server_role eq "member server";
 	my $localrealm = $realm;
 	$localrealm = $netbiosname if $server_role eq "member server";
+	my $localbasedn = $basedn;
+	$localbasedn = "DC=$netbiosname" if $server_role eq "member server";
 
 	open(CONFFILE, ">$conffile");
 	print CONFFILE "
@@ -400,7 +402,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
 	push (@provision_options, "--krbtgtpass=krbtgt$password");
 	push (@provision_options, "--machinepass=machine$password");
 	push (@provision_options, "--root=$root");
-	push (@provision_options, "--simple-bind-dn=cn=Manager,$basedn");
+	push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
 	push (@provision_options, "--password=$password");
 	push (@provision_options, "--root=$root");
 
@@ -430,7 +432,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
 	if (defined($self->{ldap})) {
 
                 push (@provision_options, "--ldap-backend=$ldap_uri");
-	        system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$dnsname --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+	        system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$localrealm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
 
 	        if ($self->{ldap} eq "openldap") {
 		       ($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
new file mode 100644
index 0000000000..5ebc87b106
--- /dev/null
+++ b/source4/setup/provision_self_join.ldif
@@ -0,0 +1,23 @@
+#Join the DC to itself by default
+
+dn: CN=${NETBIOSNAME},CN=Domain Controllers,${DOMAINDN}
+objectClass: computer
+cn: ${NETBIOSNAME}
+userAccountControl: 532480
+localPolicyFlags: 0
+primaryGroupID: 516
+accountExpires: 9223372036854775807
+sAMAccountName: ${NETBIOSNAME}$
+sAMAccountType: 805306369
+operatingSystem: Samba
+operatingSystemVersion: 4.0
+dNSHostName: ${DNSNAME}
+isCriticalSystemObject: TRUE
+sambaPassword: ${MACHINEPASS}
+servicePrincipalName: HOST/${DNSNAME}
+servicePrincipalName: HOST/${NETBIOSNAME}
+servicePrincipalName: HOST/${DNSNAME}/${REALM}
+servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
+servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
+servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
+${HOSTGUID_ADD}
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index d00570b121..f1244fe8a1 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -67,29 +67,6 @@ privilege: SeInteractiveLogonRight
 privilege: SeNetworkLogonRight
 privilege: SeRemoteInteractiveLogonRight
 
-
-dn: CN=${NETBIOSNAME},CN=Domain Controllers,${DOMAINDN}
-objectClass: computer
-cn: ${NETBIOSNAME}
-userAccountControl: 532480
-localPolicyFlags: 0
-primaryGroupID: 516
-accountExpires: 9223372036854775807
-sAMAccountName: ${NETBIOSNAME}$
-sAMAccountType: 805306369
-operatingSystem: Samba
-operatingSystemVersion: 4.0
-dNSHostName: ${DNSNAME}
-isCriticalSystemObject: TRUE
-sambaPassword: ${MACHINEPASS}
-servicePrincipalName: HOST/${DNSNAME}
-servicePrincipalName: HOST/${NETBIOSNAME}
-servicePrincipalName: HOST/${DNSNAME}/${REALM}
-servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
-servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
-servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
-${HOSTGUID_ADD}
-
 dn: CN=Users,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group