authorAndrew Tridgell <tridge@samba.org>2010-09-24 23:25:49 -0700
committerAndrew Tridgell <tridge@samba.org>2010-09-26 01:21:49 +0000
commitb8444b64a32d698b01acce2a1307723cc69a472b (patch)
tree7779549492310c5a89ab2383f4e604d55c3f9c48 /source4
parent00791652f4a4894ecffbca38d1f9bb4584fb2635 (diff)
s4-provision: switch to dns-HOSTNAME instead of dns
We now use a host-specific account name for the DNS account, which is the account used for dynamic DNS updates. We also set up the servicePrincipalName for automatic update, and add both DNS/${DNSDOMAIN} and DNS/${DNSNAME} for compatibility with both the old and new SPNs. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/scripting/python/samba/provision.py30
-rw-r--r--source4/setup/provision_dns_add.ldif10
-rw-r--r--source4/setup/secrets_dns.ldif5
-rw-r--r--source4/setup/secrets_self_join.ldif13
4 files changed, 33 insertions, 25 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 7d8b08f54d..c1a35c9338 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -687,21 +687,26 @@ def secretsdb_self_join(secretsdb, domain,
"priorChanged",
"krb5Keytab",
"privateKeytab"]
+
+ if realm is not None:
+ if dnsdomain is None:
+ dnsdomain = realm.lower()
+ dnsname = '%s.%s' % (netbiosname.lower(), dnsdomain.lower())
+ else:
+ dnsname = None
+ shortname = netbiosname.lower()
#We don't need to set msg["flatname"] here, because rdn_name will handle it, and it causes problems for modifies anyway
msg = ldb.Message(ldb.Dn(secretsdb, "flatname=%s,cn=Primary Domains" % domain))
msg["secureChannelType"] = [str(secure_channel_type)]
msg["objectClass"] = ["top", "primaryDomain"]
- if realm is not None:
- if dnsdomain is None:
- dnsdomain = realm.lower()
+ if dnsname is not None:
msg["objectClass"] = ["top", "primaryDomain", "kerberosSecret"]
msg["realm"] = [realm]
- msg["saltPrincipal"] = ["host/%s.%s@%s" % (netbiosname.lower(), dnsdomain.lower(), realm.upper())]
+ msg["saltPrincipal"] = ["host/%s@%s" % (dnsname, realm.upper())]
msg["msDS-KeyVersionNumber"] = [str(key_version_number)]
msg["privateKeytab"] = ["secrets.keytab"]
-
msg["secret"] = [machinepass]
msg["samAccountName"] = ["%s$" % netbiosname]
msg["secureChannelType"] = [str(secure_channel_type)]
@@ -742,10 +747,17 @@ def secretsdb_self_join(secretsdb, domain,
secretsdb.modify(msg)
secretsdb.rename(res[0].dn, msg.dn)
else:
+ spn = [ 'HOST/%s' % shortname ]
+ if secure_channel_type == SEC_CHAN_BDC and dnsname is not None:
+ # we are a domain controller then we add servicePrincipalName entries
+ # for the keytab code to update
+ spn.extend([ 'HOST/%s' % dnsname ])
+ msg["servicePrincipalName"] = spn
+
secretsdb.add(msg)
-def secretsdb_setup_dns(secretsdb, setup_path, private_dir,
+def secretsdb_setup_dns(secretsdb, setup_path, names, private_dir,
realm, dnsdomain,
dns_keytab_path, dnspass):
"""Add DNS specific bits to a secrets database.
@@ -764,6 +776,8 @@ def secretsdb_setup_dns(secretsdb, setup_path, private_dir,
"DNSDOMAIN": dnsdomain,
"DNS_KEYTAB": dns_keytab_path,
"DNSPASS_B64": b64encode(dnspass),
+ "HOSTNAME": names.hostname,
+ "DNSNAME" : '%s.%s' % (names.netbiosname.lower(), names.dnsdomain.lower())
})
@@ -944,6 +958,8 @@ def setup_self_join(samdb, names,
"DNSDOMAIN": names.dnsdomain,
"DOMAINDN": names.domaindn,
"DNSPASS_B64": b64encode(dnspass),
+ "HOSTNAME" : names.hostname,
+ "DNSNAME" : '%s.%s' % (names.netbiosname.lower(), names.dnsdomain.lower())
})
def getpolicypath(sysvolpath, dnsdomain, guid):
@@ -1583,7 +1599,7 @@ def provision(setup_dir, logger, session_info,
if serverrole == "domain controller":
- secretsdb_setup_dns(secrets_ldb, setup_path,
+ secretsdb_setup_dns(secrets_ldb, setup_path, names,
paths.private_dir,
realm=names.realm, dnsdomain=names.dnsdomain,
dns_keytab_path=paths.dns_keytab,
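Review bot: In the `@@ -742,10 +747,17 @@` hunk the `servicePrincipalName` list is attached to `msg` only in the `else:` branch that calls `secretsdb.add(msg)`, so the modify/rename path just above it writes a Primary Domains record without `HOST/<shortname>` and `HOST/<dnsname>`; if an existing entry is meant to end up equivalent to a freshly added one, the `spn` construction and `msg["servicePrincipalName"] = spn` belong above the `if`/`else` (the `if` itself starts outside the hunk) so both paths carry them, with whatever modify flags that path applies to the other attributes. While moving it, `spn.extend([ 'HOST/%s' % dnsname ])` reads more naturally as `spn.append('HOST/%s' % dnsname)`. The expression `'%s.%s' % (names.netbiosname.lower(), names.dnsdomain.lower())` now appears in `secretsdb_setup_dns` and `setup_self_join` and, in local-variable form, in `secretsdb_self_join`; a small helper would keep the account name and the `DNS/${DNSNAME}` SPN from drifting apart. The docstring of `secretsdb_setup_dns` (`"""Add DNS specific bits to a secrets database.`, continuing outside the hunk) gains a `names` argument that it does not describe; add `:param names: provision names; hostname, netbiosname and dnsdomain are read`.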
diff --git a/source4/setup/provision_dns_add.ldif b/source4/setup/provision_dns_add.ldif
index ac818a573d..a0a8187030 100644
--- a/source4/setup/provision_dns_add.ldif
+++ b/source4/setup/provision_dns_add.ldif
@@ -88,15 +88,19 @@ dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwDqAHg==
# NOTE: This account is SAMBA4 specific!
-dn: CN=dns,CN=Users,${DOMAINDN}
+# we have it to avoid the need for the bind daemon to
+# have access to the whole secrets.keytab for the domain,
+# otherwise bind could impersonate any user
+dn: CN=dns-${HOSTNAME},CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
-description: DNS Service Account
+description: DNS Service Account for ${HOSTNAME}
userAccountControl: 514
accountExpires: 9223372036854775807
-sAMAccountName: dns
+sAMAccountName: dns-${HOSTNAME}
+servicePrincipalName: DNS/${DNSNAME}
servicePrincipalName: DNS/${DNSDOMAIN}
userPassword:: ${DNSPASS_B64}
isCriticalSystemObject: TRUE
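Review bot: The new account name `dns-${HOSTNAME}` and its SPN `DNS/${DNSNAME}` are derived from two different sources — `HOSTNAME` is `names.hostname`, while `DNSNAME` is `names.netbiosname.lower()` joined to the DNS domain in the provision.py hunks — and nothing on the page guarantees the two agree; if they can differ, the keytab entry written for `dns-${HOSTNAME}` and the SPN a client requests need not match. Either derive both from one value or record in the template which name each comes from, e.g. `# ${HOSTNAME} is the provision hostname; ${DNSNAME} is <netbiosname>.<dnsdomain>`. Since the name is now per host, `dns-` plus a long hostname may also exceed the 20-character limit Active Directory applies to user sAMAccountName values; confirm the provisioning code checks or truncates that.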
diff --git a/source4/setup/secrets_dns.ldif b/source4/setup/secrets_dns.ldif
index 840d1d6c43..641bce6382 100644
--- a/source4/setup/secrets_dns.ldif
+++ b/source4/setup/secrets_dns.ldif
@@ -1,11 +1,12 @@
#Update a keytab for the external DNS server to use
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+dn: samAccountName=dns-${HOSTNAME},CN=Principals
objectClass: top
objectClass: secret
objectClass: kerberosSecret
realm: ${REALM}
servicePrincipalName: DNS/${DNSDOMAIN}
+servicePrincipalName: DNS/${DNSNAME}
msDS-KeyVersionNumber: 1
privateKeytab: ${DNS_KEYTAB}
secret:: ${DNSPASS_B64}
-samAccountName: dns
+samAccountName: dns-${HOSTNAME}
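Review bot: The DN of the secret moves from `servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals` to `samAccountName=dns-${HOSTNAME},CN=Principals`, but the commit does not touch whatever looks this record up; any consumer that still searches by the old DN, or by `DNS/${DNSDOMAIN}` alone (which both the old and the new record carry), should be re-checked, and a secrets.ldb provisioned with the previous template would keep the old entry alongside this one. A one-line comment above `dn:` stating why the key moved, presumably because `DNS/${DNSDOMAIN}` is no longer unique once each host has its own DNS account, would explain the change to the next reader: `# keyed by the host-specific account name; DNS/${DNSDOMAIN} is shared across hosts`.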
diff --git a/source4/setup/secrets_self_join.ldif b/source4/setup/secrets_self_join.ldif
deleted file mode 100644
index 22be0cab0b..0000000000
--- a/source4/setup/secrets_self_join.ldif
+++ /dev/null
@@ -1,13 +0,0 @@
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER}
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-saltPrincipal: ${SALT_PRINCIPAL}