summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/scripting/python/samba/provision.py74
-rw-r--r--source4/setup/krb5.conf17
-rw-r--r--source4/setup/named.conf14
3 files changed, 69 insertions, 36 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 4818a79f00..69c7e8846d 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -237,6 +237,7 @@ def provision_paths_from_lp(lp, dnsdomain):
paths.templates = os.path.join(paths.private_dir, "templates.ldb")
paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone")
paths.namedconf = os.path.join(paths.private_dir, "named.conf")
+ paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
paths.phpldapadminconfig = os.path.join(paths.private_dir,
@@ -1059,16 +1060,23 @@ def provision(setup_dir, message, session_info,
expression="(&(objectClass=computer)(cn=%s))" % names.hostname,
scope=SCOPE_SUBTREE)
assert isinstance(hostguid, str)
-
- create_zone_file(paths.dns, paths.namedconf, setup_path, samdb,
- hostname=names.hostname, hostip=hostip,
- hostip6=hostip6, dnsdomain=names.dnsdomain,
- domaindn=names.domaindn, dnspass=dnspass, realm=names.realm,
- domainguid=domainguid, hostguid=hostguid,
- private_dir=paths.private_dir, keytab_name=paths.dns_keytab)
+
+ create_zone_file(paths.dns, setup_path, dnsdomain=names.dnsdomain,
+ domaindn=names.domaindn, hostip=hostip,
+ hostip6=hostip6, hostname=names.hostname,
+ dnspass=dnspass, realm=names.realm,
+ domainguid=domainguid, hostguid=hostguid)
message("Please install the zone located in %s into your DNS server" % paths.dns)
- message("See %s if you want to use secure GSS-TSIG updates" % paths.namedconf)
-
+
+ create_named_conf(paths.namedconf, setup_path, realm=names.realm,
+ dnsdomain=names.dnsdomain, private_dir=paths.private_dir,
+ keytab_name=paths.dns_keytab)
+ message("See %s for example configuration statements for secure GSS-TSIG updates" % paths.namedconf)
+
+ create_krb5_conf(paths.krb5conf, setup_path, dnsdomain=names.dnsdomain,
+ hostname=names.hostname, realm=names.realm)
+ message("A Kerberos configuration suitable for Samba 4 has been generated at %s" % paths.krb5conf)
+
create_phpldapadmin_config(paths.phpldapadminconfig, setup_path,
ldapi_url)
@@ -1284,19 +1292,12 @@ def create_phpldapadmin_config(path, setup_path, ldapi_uri):
{"S4_LDAPI_URI": ldapi_uri})
-def create_zone_file(path_zone, path_conf, setup_path, samdb, dnsdomain, domaindn,
- hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid,
- private_dir, keytab_name):
+def create_zone_file(path, setup_path, dnsdomain, domaindn,
+ hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid):
"""Write out a DNS zone file, from the info in the current database.
- Also writes a file with stubs appropriate for a DNS configuration file
- (including GSS-TSIG configuration), and details as to some of the other
- configuration changes that may be necessary.
-
- :param path_zone: Path of the new zone file.
- :param path_conf: Path of the config stubs file.
+ :param path: Path of the new zone file.
:param setup_path: Setup path function.
- :param samdb: SamDB object
:param dnsdomain: DNS Domain name
:param domaindn: DN of the Domain
:param hostip: Local IPv4 IP
@@ -1316,7 +1317,7 @@ def create_zone_file(path_zone, path_conf, setup_path, samdb, dnsdomain, domaind
hostip6_base_line = " IN AAAA " + hostip6
hostip6_host_line = hostname + " IN AAAA " + hostip6
- setup_file(setup_path("provision.zone"), path_zone, {
+ setup_file(setup_path("provision.zone"), path, {
"DNSPASS_B64": b64encode(dnspass),
"HOSTNAME": hostname,
"DNSDOMAIN": dnsdomain,
@@ -1330,15 +1331,44 @@ def create_zone_file(path_zone, path_conf, setup_path, samdb, dnsdomain, domaind
"HOSTIP6_HOST_LINE": hostip6_host_line,
})
- setup_file(setup_path("named.conf"), path_conf, {
+def create_named_conf(path, setup_path, realm, dnsdomain,
+ private_dir, keytab_name):
+ """Write out a file containing zone statements suitable for inclusion in a
+ named.conf file (including GSS-TSIG configuration).
+
+ :param path: Path of the new named.conf file.
+ :param setup_path: Setup path function.
+ :param realm: Realm name
+ :param dnsdomain: DNS Domain name
+ :param private_dir: Path to private directory
+ :param keytab_name: File name of DNS keytab file
+ """
+
+ setup_file(setup_path("named.conf"), path, {
"DNSDOMAIN": dnsdomain,
"REALM": realm,
"REALM_WC": "*." + ".".join(realm.split(".")[1:]),
- "HOSTNAME": hostname,
"DNS_KEYTAB": keytab_name,
"DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name),
})
+def create_krb5_conf(path, setup_path, dnsdomain, hostname, realm):
+ """Write out a file containing zone statements suitable for inclusion in a
+ named.conf file (including GSS-TSIG configuration).
+
+ :param path: Path of the new named.conf file.
+ :param setup_path: Setup path function.
+ :param dnsdomain: DNS Domain name
+ :param hostname: Local hostname
+ :param realm: Realm name
+ """
+
+ setup_file(setup_path("krb5.conf"), path, {
+ "DNSDOMAIN": dnsdomain,
+ "HOSTNAME": hostname,
+ "REALM": realm,
+ })
+
def load_schema(setup_path, samdb, schemadn, netbiosname, configdn, sitename):
"""Load schema for the SamDB.
diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf
new file mode 100644
index 0000000000..7dad63de73
--- /dev/null
+++ b/source4/setup/krb5.conf
@@ -0,0 +1,17 @@
+[libdefaults]
+ default_realm = ${REALM}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = yes
+
+[realms]
+ ${REALM} = {
+ kdc = ${HOSTNAME}.${DNSDOMAIN}:88
+ admin_server = ${HOSTNAME}.${DNSDOMAIN}:749
+ default_domain = ${DNSDOMAIN}
+ }
+
+[domain_realm]
+ .${DNSDOMAIN} = ${REALM}
+ ${DNSDOMAIN} = ${REALM}
diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index 9cf0b48a7c..4f98bbd914 100644
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@@ -66,20 +66,6 @@ zone "123.168.192.in-addr.arpa" in {
tkey-gssapi-credential "DNS/${DNSDOMAIN}";
tkey-domain "${REALM}";
-# - Add settings for the ${REALM} realm to the Kerberos configuration on the DNS
-# server. The easiest way is to add the following blocks to the appropriate
-# sections in /etc/krb5.conf:
-[realms]
- ${REALM} = {
- kdc = ${HOSTNAME}.${DNSDOMAIN}:88
- admin_server = ${HOSTNAME}.${DNSDOMAIN}:749
- default_domain = ${DNSDOMAIN}
- }
-
-[domain_realm]
- .${DNSDOMAIN} = ${REALM}
- ${DNSDOMAIN} = ${REALM}
-
# - Modify BIND init scripts to pass the location of the generated keytab file.
# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
# for this purpose: