diff options
-rw-r--r-- | source4/auth/credentials/credentials_files.c | 48 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_client.c | 15 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 27 | ||||
-rw-r--r-- | source4/ldap_server/ldap_backend.c | 9 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_bind.c | 7 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_client.c | 9 | ||||
-rw-r--r-- | source4/libnet/libnet_samsync_ldb.c | 10 | ||||
-rw-r--r-- | source4/param/secrets.h | 1 | ||||
-rw-r--r-- | source4/scripting/python/samba/provision.py | 51 | ||||
-rw-r--r-- | source4/selftest/target/Samba4.pm | 11 | ||||
-rw-r--r-- | source4/setup/cn=samba-admin.ldif | 12 | ||||
-rw-r--r-- | source4/setup/cn=samba.ldif | 11 | ||||
-rwxr-xr-x | source4/setup/provision | 4 | ||||
-rwxr-xr-x | source4/setup/provision-backend | 6 | ||||
-rw-r--r-- | source4/setup/secrets_init.ldif | 2 | ||||
-rw-r--r-- | source4/setup/secrets_sasl_ldap.ldif | 9 | ||||
-rw-r--r-- | source4/setup/secrets_simple_ldap.ldif | 6 | ||||
-rw-r--r-- | source4/setup/slapd.conf | 39 |
18 files changed, 216 insertions, 61 deletions
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 05b0bf56a8..6c3bb2531e 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -194,6 +194,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, "privateKeytab", "krb5Keytab", "servicePrincipalName", + "ldapBindDn", NULL }; @@ -221,6 +222,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); DEBUG(1, ("Could not open secrets.ldb\n")); + talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } } @@ -231,14 +233,14 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, &msgs, attrs, "%s", filter); if (ldb_ret == 0) { - DEBUG(1, ("Could not find entry to match filter: '%s' base: '%s'\n", + DEBUG(5, ("(normal if no LDAP backend required) Could not find entry to match filter: '%s' base: '%s'\n", filter, base)); /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else if (ldb_ret != 1) { - DEBUG(1, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n", + DEBUG(5, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n", ldb_ret, filter, base)); /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); @@ -255,12 +257,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, machine_account = ldb_msg_find_attr_as_string(msgs[0], "servicePrincipalName", NULL); if (!machine_account) { - DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n", - cli_credentials_get_domain(cred), filter, base)); - /* set anonymous as the fallback, if the machine account won't work */ - cli_credentials_set_anonymous(cred); - talloc_free(mem_ctx); - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL); + if (!ldap_bind_dn) { + DEBUG(1, ("Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n", + filter, base)); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); + talloc_free(mem_ctx); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } } } @@ -299,7 +304,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, cli_credentials_set_realm(cred, realm, CRED_SPECIFIED); } - cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); + if (machine_account) { + cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); + } cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0)); @@ -332,6 +339,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { + NTSTATUS status; char *filter; /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around @@ -339,9 +347,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, SECRETS_PRIMARY_DOMAIN_DN, filter); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not find machine account in secrets database: %s", nt_errstr(status))); + } + return status; } /** @@ -354,6 +366,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, struct event_context *event_ctx, struct loadparm_context *lp_ctx) { + NTSTATUS status; char *filter; /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around @@ -362,13 +375,17 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s", nt_errstr(status))); + } + return status; } /** - * Fill in credentials for the machine trust account, from the secrets database. + * Fill in credentials for a particular prinicpal, from the secrets database. * * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure @@ -378,6 +395,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c struct loadparm_context *lp_ctx, const char *serviceprincipal) { + NTSTATUS status; char *filter; /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around @@ -387,8 +405,12 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), serviceprincipal); - return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not find %s principal in secrets database: %s", serviceprincipal, nt_errstr(status))); + } + return status; } /** diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index e07c64befb..891761860c 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -49,6 +49,17 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, DATA_BLOB in, DATA_BLOB *out) { struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; + const char *domain = gensec_ntlmssp_state->domain; + const char *workstation = cli_credentials_get_workstation(gensec_security->credentials); + + /* These don't really matter in the initial packet, so don't panic if they are not set */ + if (!domain) { + domain = ""; + } + + if (!workstation) { + workstation = ""; + } if (gensec_ntlmssp_state->unicode) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; @@ -67,8 +78,8 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, "NTLMSSP", NTLMSSP_NEGOTIATE, gensec_ntlmssp_state->neg_flags, - gensec_ntlmssp_state->domain, - cli_credentials_get_workstation(gensec_security->credentials)); + domain, + workstation); gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index acc2c2a9a1..b5b7ddfdc6 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -39,6 +39,8 @@ #include "dsdb/common/flags.h" #include "param/param.h" #include "lib/events/events.h" +#include "auth/credentials/credentials.h" +#include "param/secrets.h" char *samdb_relative_path(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, @@ -67,6 +69,28 @@ char *samdb_relative_path(struct ldb_context *ldb, return full_name; } +struct cli_credentials *samdb_credentials(TALLOC_CTX *mem_ctx, + struct event_context *event_ctx, + struct loadparm_context *lp_ctx) +{ + struct cli_credentials *cred = cli_credentials_init(mem_ctx); + if (!cred) { + return NULL; + } + cli_credentials_set_conf(cred, lp_ctx); + + /* We don't want to use krb5 to talk to our samdb - recursion + * here would be bad, and this account isn't in the KDC + * anyway */ + cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS); + + if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, NULL, + SECRETS_LDAP_FILTER))) { + /* Perfectly OK - if not against an LDAP backend */ + return NULL; + } + return cred; +} /* connect to the SAM database @@ -80,7 +104,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx, struct ldb_context *ldb; ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, lp_sam_url(lp_ctx), session_info, - NULL, 0, NULL); + samdb_credentials(mem_ctx, ev_ctx, lp_ctx), + 0, NULL); if (!ldb) { return NULL; } diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index 2193c989cf..504dcf1c0f 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -21,13 +21,13 @@ #include "ldap_server/ldap_server.h" #include "lib/util/dlinklist.h" #include "libcli/ldap/ldap.h" -#include "lib/ldb/include/ldb.h" -#include "lib/ldb/include/ldb_errors.h" -#include "lib/ldb_wrap.h" #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" #include "param/param.h" #include "smbd/service_stream.h" +#include "dsdb/samdb/samdb.h" +#include "lib/ldb/include/ldb_errors.h" +#include "lib/ldb_wrap.h" #define VALID_DN_SYNTAX(dn,i) do {\ if (!(dn)) {\ @@ -61,7 +61,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn) conn->lp_ctx, lp_sam_url(conn->lp_ctx), conn->session_info, - NULL, conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL); + samdb_credentials(conn, conn->connection->event.ctx, conn->lp_ctx), + conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL); if (conn->ldb == NULL) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c index e1569e7296..65673116be 100644 --- a/source4/libcli/ldap/ldap_bind.c +++ b/source4/libcli/ldap/ldap_bind.c @@ -234,7 +234,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, * Windows seem not to like double encryption */ old_gensec_features = cli_credentials_get_gensec_features(creds); if (tls_enabled(conn->sock)) { - cli_credentials_set_gensec_features(creds, 0); + cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)); } /* this call also sets the gensec_want_features */ @@ -245,7 +245,8 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, goto failed; } - /* reset the original gensec_features */ + /* reset the original gensec_features (on the credentials + * context, so we don't tatoo it ) */ cli_credentials_set_gensec_features(creds, old_gensec_features); if (conn->host) { @@ -393,8 +394,6 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, &sasl_socket); if (!NT_STATUS_IS_OK(status)) goto failed; - talloc_steal(conn->sock, sasl_socket); - talloc_unlink(conn, conn->sock); conn->sock = sasl_socket; packet_set_socket(conn->packet, conn->sock); diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index bca867b033..844238afdb 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -38,7 +38,6 @@ #include "param/param.h" #include "libcli/resolve/resolve.h" - /** create a new ldap_connection stucture. The event context is optional */ @@ -298,7 +297,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con char protocol[11]; int ret; - result = talloc_zero(NULL, struct composite_context); + result = talloc_zero(conn, struct composite_context); if (result == NULL) goto failed; result->state = COMPOSITE_STATE_IN_PROGRESS; result->async.fn = NULL; @@ -336,6 +335,12 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con SMB_ASSERT(sizeof(protocol)>10); SMB_ASSERT(sizeof(path)>1024); + /* LDAPI connections are to localhost, so give the local host name as the target for gensec */ + conn->host = talloc_asprintf(conn, "%s.%s", lp_netbios_name(conn->lp_ctx), lp_realm(conn->lp_ctx)); + if (composite_nomem(conn->host, state->ctx)) { + return result; + } + /* The %c specifier doesn't null terminate :-( */ ZERO_STRUCT(path); ret = sscanf(url, "%10[^:]://%1025c", protocol, path); diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c index a79bf043a5..b223a74a31 100644 --- a/source4/libnet/libnet_samsync_ldb.c +++ b/source4/libnet/libnet_samsync_ldb.c @@ -1222,12 +1222,10 @@ NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, str state->secrets = NULL; state->trusted_domains = NULL; - state->sam_ldb = ldb_wrap_connect(mem_ctx, - ctx->event_ctx, - ctx->lp_ctx, - lp_sam_url(ctx->lp_ctx), - r->in.session_info, - ctx->cred, 0, NULL); + state->sam_ldb = samdb_connect(mem_ctx, + ctx->event_ctx, + ctx->lp_ctx, + r->in.session_info); r2.out.error_string = NULL; r2.in.binding_string = r->in.binding_string; diff --git a/source4/param/secrets.h b/source4/param/secrets.h index fa162ea66a..83b6dc7fdc 100644 --- a/source4/param/secrets.h +++ b/source4/param/secrets.h @@ -33,6 +33,7 @@ struct machine_acct_pass { #define SECRETS_PRIMARY_REALM_FILTER "(&(realm=%s)(objectclass=primaryDomain))" #define SECRETS_KRBTGT_SEARCH "(&((|(realm=%s)(flatname=%s))(samAccountName=krbtgt)))" #define SECRETS_PRINCIPAL_SEARCH "(&(|(realm=%s)(flatname=%s))(servicePrincipalName=%s))" +#define SECRETS_LDAP_FILTER "(objectclass=ldapSecret)" /** * Use a TDB to store an incrementing random seed. diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 504044253e..6102dc77ff 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -604,6 +604,20 @@ def setup_secretsdb(path, setup_path, session_info, credentials, lp): secrets_ldb = Ldb(path, session_info=session_info, credentials=credentials, lp=lp) secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif")) + + if credentials is not None and credentials.authentication_requested(): + if credentials.get_bind_dn() is not None: + setup_add_ldif(secrets_ldb, setup_path("secrets_simple_ldap.ldif"), { + "LDAPMANAGERDN": credentials.get_bind_dn(), + "LDAPMANAGERPASS_B64": b64encode(credentials.get_password()) + }) + else: + setup_add_ldif(secrets_ldb, setup_path("secrets_sasl_ldap.ldif"), { + "LDAPADMINUSER": credentials.get_username(), + "LDAPADMINREALM": credentials.get_realm(), + "LDAPADMINPASS_B64": b64encode(credentials.get_password()) + }) + return secrets_ldb @@ -754,10 +768,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, domain_oc = "samba4LocalDomain" setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), { - "DOMAINDN": names.domaindn, - "ACI": aci, - "DOMAIN_OC": domain_oc - }) + "DOMAINDN": names.domaindn, + "ACI": aci, + "DOMAIN_OC": domain_oc + }) message("Modifying DomainDN: " + names.domaindn + "") if domainguid is not None: @@ -1265,15 +1279,27 @@ refint_attributes""" + refint_attributes + "\n" "DOMAINDN": names.domaindn, "CONFIGDN": names.configdn, "SCHEMADN": names.schemadn, - "LDAPMANAGERDN": names.ldapmanagerdn, - "LDAPMANAGERPASS": adminpass, "MEMBEROF_CONFIG": memberof_config}) setup_file(setup_path("modules.conf"), paths.modulesconf, {"REALM": names.realm}) - setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "user"))) - setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "config"))) - setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "schema"))) + setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "user")) + setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "config")) + setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "schema")) + + if not os.path.exists(os.path.join(paths.ldapdir, "db", "samba", "cn=samba")): + os.makedirs(os.path.join(paths.ldapdir, "db", "samba", "cn=samba")) + + setup_file(setup_path("cn=samba.ldif"), + os.path.join(paths.ldapdir, "db", "samba", "cn=samba.ldif"), + { "UUID": str(uuid.uuid4()), + "LDAPTIME": timestring(int(time.time()))} ) + setup_file(setup_path("cn=samba-admin.ldif"), + os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=samba-admin.ldif"), + {"LDAPADMINPASS_B64": b64encode(adminpass), + "UUID": str(uuid.uuid4()), + "LDAPTIME": timestring(int(time.time()))} ) + mapping = "schema-map-openldap-2.3" backend_schema = "backend-schema.schema" @@ -1294,7 +1320,12 @@ refint_attributes""" + refint_attributes + "\n" message("Hostname: %s" % names.hostname) message("DNS Domain: %s" % names.dnsdomain) message("Base DN: %s" % names.domaindn) - message("LDAP admin DN: %s" % names.ldapmanagerdn) + + if ldap_backend_type == "openldap": + message("LDAP admin user: samba-admin") + else: + message("LDAP admin DN: %s" % names.ldapmanagerdn) + message("LDAP admin password: %s" % adminpass) message(slapdcommand) diff --git a/source4/selftest/target/Samba4.pm b/source4/selftest/target/Samba4.pm index 2347dfc742..896b013105 100644 --- a/source4/selftest/target/Samba4.pm +++ b/source4/selftest/target/Samba4.pm @@ -571,7 +571,6 @@ sub provision($$$$$$) server max protocol = SMB2 notify:inotify = false ldb:nosync = true - system:anonymous = true #We don't want to pass our self-tests if the PAC code is wrong gensec:require_pac = true log level = $smbd_loglevel @@ -719,8 +718,7 @@ nogroup:x:65534:nobody push (@provision_options, "--krbtgtpass=krbtgt$password"); push (@provision_options, "--machinepass=machine$password"); push (@provision_options, "--root=$unix_name"); - push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn"); - push (@provision_options, "--password=$password"); + push (@provision_options, "--server-role=\"$server_role\""); my $ldap_uri= "$ldapdir/ldapi"; @@ -753,15 +751,18 @@ nogroup:x:65534:nobody if (defined($self->{ldap})) { push (@provision_options, "--ldap-backend=$ldap_uri"); - system("$self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$unix_name --realm=$realm --domain=$domain --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed"); + system("$self->{setupdir}/provision-backend $configuration --ldap-admin-pass=$password --root=$unix_name --realm=$realm --domain=$domain --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed"); + + push (@provision_options, "--password=$password"); if ($self->{ldap} eq "openldap") { + push (@provision_options, "--username=samba-admin"); ($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories"); push (@provision_options, "--ldap-backend-type=openldap"); } elsif ($self->{ldap} eq "fedora-ds") { + push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn"); ($ret->{FEDORA_DS_DIR}, $ret->{FEDORA_DS_PIDFILE}) = $self->mk_fedora_ds($ldapdir, $configuration) or die("Unable to create fedora ds directories"); push (@provision_options, "--ldap-backend-type=fedora-ds"); - push (@provision_options, "'--aci=aci:: KHRhcmdldGF0dHIgPSAiKiIpICh2ZXJzaW9uIDMuMDthY2wgImZ1bGwgYWNjZXNzIHRvIGFsbCBieSBhbGwiO2FsbG93IChhbGwpKHVzZXJkbiA9ICJsZGFwOi8vL2FueW9uZSIpOykK'"); } $self->slapd_start($ret) or diff --git a/source4/setup/cn=samba-admin.ldif b/source4/setup/cn=samba-admin.ldif new file mode 100644 index 0000000000..c59ffd9ab6 --- /dev/null +++ b/source4/setup/cn=samba-admin.ldif @@ -0,0 +1,12 @@ +dn: cn=samba-admin +objectClass: top +objectClass: person +cn: samba-admin +userPassword:: ${LDAPADMINPASS_B64} +structuralObjectClass: person +entryUUID: ${UUID} +creatorsName: +createTimestamp: ${LDAPTIME} +entryCSN: 20080714010529.241038Z#000000#000#000000 +modifiersName: +modifyTimestamp: ${LDAPTIME} diff --git a/source4/setup/cn=samba.ldif b/source4/setup/cn=samba.ldif new file mode 100644 index 0000000000..3be6242fe3 --- /dev/null +++ b/source4/setup/cn=samba.ldif @@ -0,0 +1,11 @@ +dn: cn=Samba +objectClass: top +objectClass: container +cn: Samba +structuralObjectClass: container +entryUUID: b1d4823a-e58c-102c-9f74-51b6d59a1b68 +creatorsName: +createTimestamp: 20080714010529Z +entryCSN: 20080714010529.194412Z#000000#000#000000 +modifiersName: +modifyTimestamp: 20080714010529Z diff --git a/source4/setup/provision b/source4/setup/provision index c1d6cd157a..7bd61fc1d8 100755 --- a/source4/setup/provision +++ b/source4/setup/provision @@ -30,7 +30,7 @@ import os, sys sys.path.insert(0, "bin/python") import samba - +from samba.credentials import DONT_USE_KERBEROS from samba.auth import system_session import samba.getopt as options from samba import param @@ -131,6 +131,8 @@ else: creds = credopts.get_credentials(lp) +creds.set_kerberos_state(DONT_USE_KERBEROS) + setup_dir = opts.setupdir if setup_dir is None: setup_dir = "setup" diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend index 54dc5839bf..845dc8679a 100755 --- a/source4/setup/provision-backend +++ b/source4/setup/provision-backend @@ -49,8 +49,8 @@ parser.add_option("--domain", type="string", metavar="DOMAIN", help="set domain") parser.add_option("--host-name", type="string", metavar="HOSTNAME", help="set hostname") -parser.add_option("--ldap-manager-pass", type="string", metavar="PASSWORD", - help="choose LDAP manager password (otherwise random)") +parser.add_option("--ldap-admin-pass", type="string", metavar="PASSWORD", + help="choose LDAP admin password (otherwise random)") parser.add_option("--root", type="string", metavar="USERNAME", help="choose 'root' unix username") parser.add_option("--quiet", help="Be quiet", action="store_true") @@ -96,7 +96,7 @@ if setup_dir is None: provision_backend(setup_dir=setup_dir, message=message, smbconf=smbconf, targetdir=opts.targetdir, realm=opts.realm, domain=opts.domain, hostname=opts.host_name, - adminpass=opts.ldap_manager_pass, + adminpass=opts.ldap_admin_pass, root=opts.root, serverrole=server_role, ldap_backend_type=opts.ldap_backend_type, ldap_backend_port=opts.ldap_backend_port) diff --git a/source4/setup/secrets_init.ldif b/source4/setup/secrets_init.ldif index 9eda47e463..eb423a5122 100644 --- a/source4/setup/secrets_init.ldif +++ b/source4/setup/secrets_init.ldif @@ -11,5 +11,5 @@ sAMAccountName: CASE_INSENSITIVE #Add modules to the list to activate them by default #beware often order is important dn: @MODULES -@LIST: update_keytab,operational,objectguid +@LIST: update_keytab,operational,objectguid,rdn_name diff --git a/source4/setup/secrets_sasl_ldap.ldif b/source4/setup/secrets_sasl_ldap.ldif new file mode 100644 index 0000000000..81ccfee209 --- /dev/null +++ b/source4/setup/secrets_sasl_ldap.ldif @@ -0,0 +1,9 @@ +dn: CN=SAMDB Credentials +objectClass: top +objectClass: ldapSecret +cn: SAMDB Credentials +secret:: ${LDAPADMINPASS_B64} +samAccountName: ${LDAPADMINUSER} +realm: ${LDAPADMINREALM} + + diff --git a/source4/setup/secrets_simple_ldap.ldif b/source4/setup/secrets_simple_ldap.ldif new file mode 100644 index 0000000000..3f5ccd2df1 --- /dev/null +++ b/source4/setup/secrets_simple_ldap.ldif @@ -0,0 +1,6 @@ +dn: CN=SAMDB Credentials +objectClass: top +objectClass: ldapSecret +cn: SAMDB Credentials +secret:: ${LDAPMANAGERPASS_B64} +ldapBindDn: ${LDAPMANAGERDN} diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf index 15b9d3104e..b1ce6f6492 100644 --- a/source4/setup/slapd.conf +++ b/source4/setup/slapd.conf @@ -5,17 +5,36 @@ include ${LDAPDIR}/backend-schema.schema pidfile ${LDAPDIR}/slapd.pid argsfile ${LDAPDIR}/slapd.args sasl-realm ${DNSDOMAIN} -access to * by * write -allow update_anon +#authz-regexp +# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth +# ldap:///${DOMAINDN}??sub?(samAccountName=\$1) -authz-regexp - uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth - ldap:///${DOMAINDN}??sub?(samAccountName=\$1) +#authz-regexp +# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth +# ldap:///${DOMAINDN}??sub?(samAccountName=\$1) authz-regexp uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth - ldap:///${DOMAINDN}??sub?(samAccountName=\$1) + ldap:///cn=samba??one?(cn=\$1) + +authz-regexp + uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth + ldap:///cn=samba??one?(cn=\$1) + +access to dn.base="" + by dn=cn=samba-admin,cn=samba manage + by anonymous read + by * read + +access to dn.subtree="cn=samba" + by anonymous auth + +access to dn.subtree="${DOMAINDN}" + by dn=cn=samba-admin,cn=samba manage + by * read + +password-hash {CLEARTEXT} include ${LDAPDIR}/modules.conf @@ -23,6 +42,11 @@ defaultsearchbase ${DOMAINDN} ${MEMBEROF_CONFIG} +database ldif +suffix cn=Samba +directory ${LDAPDIR}/db/samba + + database hdb suffix ${SCHEMADN} directory ${LDAPDIR}/db/schema @@ -78,9 +102,6 @@ index dnsRoot eq index nETBIOSName eq index cn eq -rootdn ${LDAPMANAGERDN} -rootpw ${LDAPMANAGERPASS} - #syncprov is stable in OpenLDAP 2.3, and available in 2.2. #We only need this for the contextCSN attribute anyway.... overlay syncprov |