-rw-r--r--source4/auth/credentials/credentials_files.c48
-rw-r--r--source4/auth/ntlmssp/ntlmssp_client.c15
-rw-r--r--source4/dsdb/samdb/samdb.c27
-rw-r--r--source4/ldap_server/ldap_backend.c9
-rw-r--r--source4/libcli/ldap/ldap_bind.c7
-rw-r--r--source4/libcli/ldap/ldap_client.c9
-rw-r--r--source4/libnet/libnet_samsync_ldb.c10
-rw-r--r--source4/param/secrets.h1
-rw-r--r--source4/scripting/python/samba/provision.py51
-rw-r--r--source4/selftest/target/Samba4.pm11
-rw-r--r--source4/setup/cn=samba-admin.ldif12
-rw-r--r--source4/setup/cn=samba.ldif11
-rwxr-xr-xsource4/setup/provision4
-rwxr-xr-xsource4/setup/provision-backend6
-rw-r--r--source4/setup/secrets_init.ldif2
-rw-r--r--source4/setup/secrets_sasl_ldap.ldif9
-rw-r--r--source4/setup/secrets_simple_ldap.ldif6
-rw-r--r--source4/setup/slapd.conf39
18 files changed, 216 insertions, 61 deletions
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 05b0bf56a8..6c3bb2531e 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -194,6 +194,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
"privateKeytab",
"krb5Keytab",
"servicePrincipalName",
+ "ldapBindDn",
NULL
};
@@ -221,6 +222,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
DEBUG(1, ("Could not open secrets.ldb\n"));
+ talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
}
@@ -231,14 +233,14 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
&msgs, attrs,
"%s", filter);
if (ldb_ret == 0) {
- DEBUG(1, ("Could not find entry to match filter: '%s' base: '%s'\n",
+ DEBUG(5, ("(normal if no LDAP backend required) Could not find entry to match filter: '%s' base: '%s'\n",
filter, base));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else if (ldb_ret != 1) {
- DEBUG(1, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n",
+ DEBUG(5, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n",
ldb_ret, filter, base));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
@@ -255,12 +257,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
machine_account = ldb_msg_find_attr_as_string(msgs[0], "servicePrincipalName", NULL);
if (!machine_account) {
- DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n",
- cli_credentials_get_domain(cred), filter, base));
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
- talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL);
+ if (!ldap_bind_dn) {
+ DEBUG(1, ("Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n",
+ filter, base));
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
+ talloc_free(mem_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
}
}
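Review bot: The new branch reads `ldapBindDn` into `ldap_bind_dn` only to test it for NULL; nothing in this hunk stores it on `cred`, and when the branch is taken `machine_account` stays NULL so the later `if (machine_account)` guard skips setting a username as well. If the bind DN is applied further down in cli_credentials_set_secrets (outside this hunk), a comment here would save the next reader a search, e.g. `/* ldapBindDn is picked up further down in this function; no username is set for a simple-bind record */`. If it is not applied anywhere, the function returns success with neither a username nor a bind DN on the credentials. cli_credentials_set_secrets continues on both sides of this hunk.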
@@ -299,7 +304,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
}
- cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+ if (machine_account) {
+ cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+ }
cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0));
@@ -332,6 +339,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
_PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
struct loadparm_context *lp_ctx)
{
+ NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
@@ -339,9 +347,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
cred->machine_account_pending = false;
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
SECRETS_PRIMARY_DOMAIN_DN,
filter);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not find machine account in secrets database: %s", nt_errstr(status)));
+ }
+ return status;
}
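Review bot: The DEBUG string added in the new `if (!NT_STATUS_IS_OK(status))` block has no trailing newline, unlike the other DEBUG messages in this file (e.g. `"Could not open secrets.ldb\n"` earlier in the diff), so the next log line is glued onto it; use `DEBUG(1, ("Could not find machine account in secrets database: %s\n", nt_errstr(status)));`. The same applies to the new DEBUG calls in cli_credentials_set_krbtgt and cli_credentials_set_stored_principal below. Since the call is now split into a statement, this is also a natural place to check the `filter` from talloc_asprintf for NULL before it reaches the `"%s", filter` ldb_search argument seen in the first hunk.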
/**
@@ -354,6 +366,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
struct event_context *event_ctx,
struct loadparm_context *lp_ctx)
{
+ NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
@@ -362,13 +375,17 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN,
filter);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s", nt_errstr(status)));
+ }
+ return status;
}
/**
- * Fill in credentials for the machine trust account, from the secrets database.
+ * Fill in credentials for a particular prinicpal, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
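Review bot: The rewritten doc comment for cli_credentials_set_stored_principal misspells "principal" as `prinicpal`; change the line to ` * Fill in credentials for a particular principal, from the secrets database.`. The function whose body this hunk edits (cli_credentials_set_krbtgt) starts above the hunk.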
@@ -378,6 +395,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
struct loadparm_context *lp_ctx,
const char *serviceprincipal)
{
+ NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
@@ -387,8 +405,12 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred),
serviceprincipal);
- return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN, filter);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not find %s principal in secrets database: %s", serviceprincipal, nt_errstr(status)));
+ }
+ return status;
}
/**
diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c
index e07c64befb..891761860c 100644
--- a/source4/auth/ntlmssp/ntlmssp_client.c
+++ b/source4/auth/ntlmssp/ntlmssp_client.c
@@ -49,6 +49,17 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
DATA_BLOB in, DATA_BLOB *out)
{
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
+ const char *domain = gensec_ntlmssp_state->domain;
+ const char *workstation = cli_credentials_get_workstation(gensec_security->credentials);
+
+ /* These don't really matter in the initial packet, so don't panic if they are not set */
+ if (!domain) {
+ domain = "";
+ }
+
+ if (!workstation) {
+ workstation = "";
+ }
if (gensec_ntlmssp_state->unicode) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
@@ -67,8 +78,8 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
"NTLMSSP",
NTLMSSP_NEGOTIATE,
gensec_ntlmssp_state->neg_flags,
- gensec_ntlmssp_state->domain,
- cli_credentials_get_workstation(gensec_security->credentials));
+ domain,
+ workstation);
gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index acc2c2a9a1..b5b7ddfdc6 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -39,6 +39,8 @@
#include "dsdb/common/flags.h"
#include "param/param.h"
#include "lib/events/events.h"
+#include "auth/credentials/credentials.h"
+#include "param/secrets.h"
char *samdb_relative_path(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
@@ -67,6 +69,28 @@ char *samdb_relative_path(struct ldb_context *ldb,
return full_name;
}
+struct cli_credentials *samdb_credentials(TALLOC_CTX *mem_ctx,
+ struct event_context *event_ctx,
+ struct loadparm_context *lp_ctx)
+{
+ struct cli_credentials *cred = cli_credentials_init(mem_ctx);
+ if (!cred) {
+ return NULL;
+ }
+ cli_credentials_set_conf(cred, lp_ctx);
+
+ /* We don't want to use krb5 to talk to our samdb - recursion
+ * here would be bad, and this account isn't in the KDC
+ * anyway */
+ cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+ if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, NULL,
+ SECRETS_LDAP_FILTER))) {
+ /* Perfectly OK - if not against an LDAP backend */
+ return NULL;
+ }
+ return cred;
+}
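Review bot: When `cli_credentials_set_secrets` fails, samdb_credentials returns NULL but leaves the `cred` it allocated on `mem_ctx` behind, so every failed lookup leaves a credentials object (set to anonymous by the failure paths visible in credentials_files.c) attached to the caller's context until that context is freed; add `talloc_free(cred);` before the `return NULL;`. The failure is also silent: cli_credentials_set_secrets returns NT_STATUS_CANT_ACCESS_DOMAIN_INFO both when secrets.ldb cannot be opened and when no matching entry exists (both paths are in the credentials_files.c hunks above), so an unreadable secrets database is indistinguishable from "no LDAP backend" and the sam connection silently proceeds without credentials. Capturing the status and logging it, e.g. `DEBUG(3, ("samdb_credentials: no LDAP backend credentials: %s\n", nt_errstr(status)));`, would make that visible in the log.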
/*
connect to the SAM database
@@ -80,7 +104,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb;
ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx,
lp_sam_url(lp_ctx), session_info,
- NULL, 0, NULL);
+ samdb_credentials(mem_ctx, ev_ctx, lp_ctx),
+ 0, NULL);
if (!ldb) {
return NULL;
}
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 2193c989cf..504dcf1c0f 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -21,13 +21,13 @@
#include "ldap_server/ldap_server.h"
#include "lib/util/dlinklist.h"
#include "libcli/ldap/ldap.h"
-#include "lib/ldb/include/ldb.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "lib/ldb_wrap.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "param/param.h"
#include "smbd/service_stream.h"
+#include "dsdb/samdb/samdb.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "lib/ldb_wrap.h"
#define VALID_DN_SYNTAX(dn,i) do {\
if (!(dn)) {\
@@ -61,7 +61,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
conn->lp_ctx,
lp_sam_url(conn->lp_ctx),
conn->session_info,
- NULL, conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
+ samdb_credentials(conn, conn->connection->event.ctx, conn->lp_ctx),
+ conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
if (conn->ldb == NULL) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index e1569e7296..65673116be 100644
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -234,7 +234,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
* Windows seem not to like double encryption */
old_gensec_features = cli_credentials_get_gensec_features(creds);
if (tls_enabled(conn->sock)) {
- cli_credentials_set_gensec_features(creds, 0);
+ cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL));
}
/* this call also sets the gensec_want_features */
@@ -245,7 +245,8 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
goto failed;
}
- /* reset the original gensec_features */
+ /* reset the original gensec_features (on the credentials
+ * context, so we don't tatoo it ) */
cli_credentials_set_gensec_features(creds, old_gensec_features);
if (conn->host) {
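Review bot: The rewritten comment misspells "tattoo" as `tatoo` and has a stray space before the closing parenthesis; `/* reset the original gensec_features (on the credentials` / ` * context, so we don't tattoo it) */`.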
@@ -393,8 +394,6 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
&sasl_socket);
if (!NT_STATUS_IS_OK(status)) goto failed;
- talloc_steal(conn->sock, sasl_socket);
- talloc_unlink(conn, conn->sock);
conn->sock = sasl_socket;
packet_set_socket(conn->packet, conn->sock);
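Review bot: Dropping the `talloc_steal(conn->sock, sasl_socket)` / `talloc_unlink(conn, conn->sock)` pair leaves the ownership at `conn->sock = sasl_socket;` implicit: the hunk no longer shows who owns the wrapping socket or what keeps the raw socket alive while it is wrapped. If gensec_socket_init (its call starts above the hunk) now allocates sasl_socket under conn and references the raw socket itself, a comment here would stop a later reader from re-adding the steal, e.g. `/* sasl_socket is allocated on conn by gensec_socket_init and keeps the raw socket alive; no ownership transfer needed */`; if it does not, the raw socket stays attached to conn's talloc tree with nothing pointing at it until conn is freed. ldap_bind_sasl continues on both sides of this hunk.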
diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c
index bca867b033..844238afdb 100644
--- a/source4/libcli/ldap/ldap_client.c
+++ b/source4/libcli/ldap/ldap_client.c
@@ -38,7 +38,6 @@
#include "param/param.h"
#include "libcli/resolve/resolve.h"
-
/**
create a new ldap_connection stucture. The event context is optional
*/
@@ -298,7 +297,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
char protocol[11];
int ret;
- result = talloc_zero(NULL, struct composite_context);
+ result = talloc_zero(conn, struct composite_context);
if (result == NULL) goto failed;
result->state = COMPOSITE_STATE_IN_PROGRESS;
result->async.fn = NULL;
@@ -336,6 +335,12 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
SMB_ASSERT(sizeof(protocol)>10);
SMB_ASSERT(sizeof(path)>1024);
+ /* LDAPI connections are to localhost, so give the local host name as the target for gensec */
+ conn->host = talloc_asprintf(conn, "%s.%s", lp_netbios_name(conn->lp_ctx), lp_realm(conn->lp_ctx));
+ if (composite_nomem(conn->host, state->ctx)) {
+ return result;
+ }
+
/* The %c specifier doesn't null terminate :-( */
ZERO_STRUCT(path);
ret = sscanf(url, "%10[^:]://%1025c", protocol, path);
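Review bot: The new `conn->host = talloc_asprintf(...)` runs before the URL is parsed by the `sscanf` two lines below, so it executes for every connection, not only LDAPI ones as the comment above it states. If the ldap:// and ldaps:// paths later overwrite `conn->host` with the parsed host (outside this hunk), the comment should say so, since otherwise a reader expects a protocol check here; if they do not, the gensec target name for remote servers would be the local host. In either case any previous value of `conn->host` is orphaned rather than freed, so a `talloc_free(conn->host);` before the assignment, or moving the block into the LDAPI branch after the parse, would be cleaner. ldap_connect_send continues on both sides of this hunk.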
diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c
index a79bf043a5..b223a74a31 100644
--- a/source4/libnet/libnet_samsync_ldb.c
+++ b/source4/libnet/libnet_samsync_ldb.c
@@ -1222,12 +1222,10 @@ NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, str
state->secrets = NULL;
state->trusted_domains = NULL;
- state->sam_ldb = ldb_wrap_connect(mem_ctx,
- ctx->event_ctx,
- ctx->lp_ctx,
- lp_sam_url(ctx->lp_ctx),
- r->in.session_info,
- ctx->cred, 0, NULL);
+ state->sam_ldb = samdb_connect(mem_ctx,
+ ctx->event_ctx,
+ ctx->lp_ctx,
+ r->in.session_info);
r2.out.error_string = NULL;
r2.in.binding_string = r->in.binding_string;
diff --git a/source4/param/secrets.h b/source4/param/secrets.h
index fa162ea66a..83b6dc7fdc 100644
--- a/source4/param/secrets.h
+++ b/source4/param/secrets.h
@@ -33,6 +33,7 @@ struct machine_acct_pass {
#define SECRETS_PRIMARY_REALM_FILTER "(&(realm=%s)(objectclass=primaryDomain))"
#define SECRETS_KRBTGT_SEARCH "(&((|(realm=%s)(flatname=%s))(samAccountName=krbtgt)))"
#define SECRETS_PRINCIPAL_SEARCH "(&(|(realm=%s)(flatname=%s))(servicePrincipalName=%s))"
+#define SECRETS_LDAP_FILTER "(objectclass=ldapSecret)"
/**
* Use a TDB to store an incrementing random seed.
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 504044253e..6102dc77ff 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -604,6 +604,20 @@ def setup_secretsdb(path, setup_path, session_info, credentials, lp):
secrets_ldb = Ldb(path, session_info=session_info, credentials=credentials,
lp=lp)
secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
+
+ if credentials is not None and credentials.authentication_requested():
+ if credentials.get_bind_dn() is not None:
+ setup_add_ldif(secrets_ldb, setup_path("secrets_simple_ldap.ldif"), {
+ "LDAPMANAGERDN": credentials.get_bind_dn(),
+ "LDAPMANAGERPASS_B64": b64encode(credentials.get_password())
+ })
+ else:
+ setup_add_ldif(secrets_ldb, setup_path("secrets_sasl_ldap.ldif"), {
+ "LDAPADMINUSER": credentials.get_username(),
+ "LDAPADMINREALM": credentials.get_realm(),
+ "LDAPADMINPASS_B64": b64encode(credentials.get_password())
+ })
+
return secrets_ldb
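Review bot: Both new setup_add_ldif branches call `b64encode(credentials.get_password())` without checking that a password was supplied; `authentication_requested()` being true does not visibly imply `get_password()` is not None, and b64encode raises TypeError on None, which would abort provisioning after secrets.ldb has been partially written. A guard such as `if credentials.get_password() is None:` raising the module's usual provisioning error before the `if credentials.get_bind_dn()` test would give a clear message instead. Worth a one-line comment that base64 here is only LDIF encoding: the LDAP admin secret is stored in secrets.ldb in recoverable form by design, so the file's permissions are what protect it.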
@@ -754,10 +768,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
domain_oc = "samba4LocalDomain"
setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
- "DOMAINDN": names.domaindn,
- "ACI": aci,
- "DOMAIN_OC": domain_oc
- })
+ "DOMAINDN": names.domaindn,
+ "ACI": aci,
+ "DOMAIN_OC": domain_oc
+ })
message("Modifying DomainDN: " + names.domaindn + "")
if domainguid is not None:
@@ -1265,15 +1279,27 @@ refint_attributes""" + refint_attributes + "\n"
"DOMAINDN": names.domaindn,
"CONFIGDN": names.configdn,
"SCHEMADN": names.schemadn,
- "LDAPMANAGERDN": names.ldapmanagerdn,
- "LDAPMANAGERPASS": adminpass,
"MEMBEROF_CONFIG": memberof_config})
setup_file(setup_path("modules.conf"), paths.modulesconf,
{"REALM": names.realm})
- setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "user")))
- setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "config")))
- setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "schema")))
+ setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "user"))
+ setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "config"))
+ setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "schema"))
+
+ if not os.path.exists(os.path.join(paths.ldapdir, "db", "samba", "cn=samba")):
+ os.makedirs(os.path.join(paths.ldapdir, "db", "samba", "cn=samba"))
+
+ setup_file(setup_path("cn=samba.ldif"),
+ os.path.join(paths.ldapdir, "db", "samba", "cn=samba.ldif"),
+ { "UUID": str(uuid.uuid4()),
+ "LDAPTIME": timestring(int(time.time()))} )
+ setup_file(setup_path("cn=samba-admin.ldif"),
+ os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=samba-admin.ldif"),
+ {"LDAPADMINPASS_B64": b64encode(adminpass),
+ "UUID": str(uuid.uuid4()),
+ "LDAPTIME": timestring(int(time.time()))} )
+
mapping = "schema-map-openldap-2.3"
backend_schema = "backend-schema.schema"
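Review bot: The new cn=samba-admin.ldif is written with `adminpass` base64-encoded as its `userPassword`, and base64 is not protection, so the LDAP admin password lands in recoverable form in a file under `paths.ldapdir`; whether setup_file creates it with a restrictive mode is not visible here and should be confirmed, or an `os.chmod(path, 0600)` added after the call. The hunk also starts using `uuid`, `time` and `timestring`, none of which are imported within this diff, so check they are already in scope at module level. The path pair (an `ldif` file next to a same-named directory holding its children) matches the ldif backend layout configured in slapd.conf, which a comment like `# ldif backend layout: cn=samba.ldif plus a cn=samba/ directory for its children` would make obvious.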
@@ -1294,7 +1320,12 @@ refint_attributes""" + refint_attributes + "\n"
message("Hostname: %s" % names.hostname)
message("DNS Domain: %s" % names.dnsdomain)
message("Base DN: %s" % names.domaindn)
- message("LDAP admin DN: %s" % names.ldapmanagerdn)
+
+ if ldap_backend_type == "openldap":
+ message("LDAP admin user: samba-admin")
+ else:
+ message("LDAP admin DN: %s" % names.ldapmanagerdn)
+
message("LDAP admin password: %s" % adminpass)
message(slapdcommand)
diff --git a/source4/selftest/target/Samba4.pm b/source4/selftest/target/Samba4.pm
index 2347dfc742..896b013105 100644
--- a/source4/selftest/target/Samba4.pm
+++ b/source4/selftest/target/Samba4.pm
@@ -571,7 +571,6 @@ sub provision($$$$$$)
server max protocol = SMB2
notify:inotify = false
ldb:nosync = true
- system:anonymous = true
#We don't want to pass our self-tests if the PAC code is wrong
gensec:require_pac = true
log level = $smbd_loglevel
@@ -719,8 +718,7 @@ nogroup:x:65534:nobody
push (@provision_options, "--krbtgtpass=krbtgt$password");
push (@provision_options, "--machinepass=machine$password");
push (@provision_options, "--root=$unix_name");
- push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
- push (@provision_options, "--password=$password");
+
push (@provision_options, "--server-role=\"$server_role\"");
my $ldap_uri= "$ldapdir/ldapi";
@@ -753,15 +751,18 @@ nogroup:x:65534:nobody
if (defined($self->{ldap})) {
push (@provision_options, "--ldap-backend=$ldap_uri");
- system("$self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$unix_name --realm=$realm --domain=$domain --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+ system("$self->{setupdir}/provision-backend $configuration --ldap-admin-pass=$password --root=$unix_name --realm=$realm --domain=$domain --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+
+ push (@provision_options, "--password=$password");
if ($self->{ldap} eq "openldap") {
+ push (@provision_options, "--username=samba-admin");
($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");
push (@provision_options, "--ldap-backend-type=openldap");
} elsif ($self->{ldap} eq "fedora-ds") {
+ push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
($ret->{FEDORA_DS_DIR}, $ret->{FEDORA_DS_PIDFILE}) = $self->mk_fedora_ds($ldapdir, $configuration) or die("Unable to create fedora ds directories");
push (@provision_options, "--ldap-backend-type=fedora-ds");
- push (@provision_options, "'--aci=aci:: KHRhcmdldGF0dHIgPSAiKiIpICh2ZXJzaW9uIDMuMDthY2wgImZ1bGwgYWNjZXNzIHRvIGFsbCBieSBhbGwiO2FsbG93IChhbGwpKHVzZXJkbiA9ICJsZGFwOi8vL2FueW9uZSIpOykK'");
}
$self->slapd_start($ret) or
diff --git a/source4/setup/cn=samba-admin.ldif b/source4/setup/cn=samba-admin.ldif
new file mode 100644
index 0000000000..c59ffd9ab6
--- /dev/null
+++ b/source4/setup/cn=samba-admin.ldif
@@ -0,0 +1,12 @@
+dn: cn=samba-admin
+objectClass: top
+objectClass: person
+cn: samba-admin
+userPassword:: ${LDAPADMINPASS_B64}
+structuralObjectClass: person
+entryUUID: ${UUID}
+creatorsName:
+createTimestamp: ${LDAPTIME}
+entryCSN: 20080714010529.241038Z#000000#000#000000
+modifiersName:
+modifyTimestamp: ${LDAPTIME}
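Review bot: `entryCSN` is a fixed literal while `createTimestamp`/`modifyTimestamp` are templated with `${LDAPTIME}` and `entryUUID` with `${UUID}`, so the entry's CSN can predate its own timestamps. Because slapd.conf in this commit enables the syncprov overlay, which orders changes by CSN, that inconsistency is at least confusing and may matter to any consumer that replicates this database; deriving the CSN from the same clock value used for `${LDAPTIME}` would keep the three consistent. `creatorsName:` and `modifiersName:` are also left empty, which is presumably intended for a bootstrap file but deserves a comment in the template.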
diff --git a/source4/setup/cn=samba.ldif b/source4/setup/cn=samba.ldif
new file mode 100644
index 0000000000..3be6242fe3
--- /dev/null
+++ b/source4/setup/cn=samba.ldif
@@ -0,0 +1,11 @@
+dn: cn=Samba
+objectClass: top
+objectClass: container
+cn: Samba
+structuralObjectClass: container
+entryUUID: b1d4823a-e58c-102c-9f74-51b6d59a1b68
+creatorsName:
+createTimestamp: 20080714010529Z
+entryCSN: 20080714010529.194412Z#000000#000#000000
+modifiersName:
+modifyTimestamp: 20080714010529Z
diff --git a/source4/setup/provision b/source4/setup/provision
index c1d6cd157a..7bd61fc1d8 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -30,7 +30,7 @@ import os, sys
sys.path.insert(0, "bin/python")
import samba
-
+from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session
import samba.getopt as options
from samba import param
@@ -131,6 +131,8 @@ else:
creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
setup_dir = opts.setupdir
if setup_dir is None:
setup_dir = "setup"
diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend
index 54dc5839bf..845dc8679a 100755
--- a/source4/setup/provision-backend
+++ b/source4/setup/provision-backend
@@ -49,8 +49,8 @@ parser.add_option("--domain", type="string", metavar="DOMAIN",
help="set domain")
parser.add_option("--host-name", type="string", metavar="HOSTNAME",
help="set hostname")
-parser.add_option("--ldap-manager-pass", type="string", metavar="PASSWORD",
- help="choose LDAP manager password (otherwise random)")
+parser.add_option("--ldap-admin-pass", type="string", metavar="PASSWORD",
+ help="choose LDAP admin password (otherwise random)")
parser.add_option("--root", type="string", metavar="USERNAME",
help="choose 'root' unix username")
parser.add_option("--quiet", help="Be quiet", action="store_true")
@@ -96,7 +96,7 @@ if setup_dir is None:
provision_backend(setup_dir=setup_dir, message=message, smbconf=smbconf, targetdir=opts.targetdir,
realm=opts.realm, domain=opts.domain,
hostname=opts.host_name,
- adminpass=opts.ldap_manager_pass,
+ adminpass=opts.ldap_admin_pass,
root=opts.root, serverrole=server_role,
ldap_backend_type=opts.ldap_backend_type,
ldap_backend_port=opts.ldap_backend_port)
diff --git a/source4/setup/secrets_init.ldif b/source4/setup/secrets_init.ldif
index 9eda47e463..eb423a5122 100644
--- a/source4/setup/secrets_init.ldif
+++ b/source4/setup/secrets_init.ldif
@@ -11,5 +11,5 @@ sAMAccountName: CASE_INSENSITIVE
#Add modules to the list to activate them by default
#beware often order is important
dn: @MODULES
-@LIST: update_keytab,operational,objectguid
+@LIST: update_keytab,operational,objectguid,rdn_name
diff --git a/source4/setup/secrets_sasl_ldap.ldif b/source4/setup/secrets_sasl_ldap.ldif
new file mode 100644
index 0000000000..81ccfee209
--- /dev/null
+++ b/source4/setup/secrets_sasl_ldap.ldif
@@ -0,0 +1,9 @@
+dn: CN=SAMDB Credentials
+objectClass: top
+objectClass: ldapSecret
+cn: SAMDB Credentials
+secret:: ${LDAPADMINPASS_B64}
+samAccountName: ${LDAPADMINUSER}
+realm: ${LDAPADMINREALM}
+
+
diff --git a/source4/setup/secrets_simple_ldap.ldif b/source4/setup/secrets_simple_ldap.ldif
new file mode 100644
index 0000000000..3f5ccd2df1
--- /dev/null
+++ b/source4/setup/secrets_simple_ldap.ldif
@@ -0,0 +1,6 @@
+dn: CN=SAMDB Credentials
+objectClass: top
+objectClass: ldapSecret
+cn: SAMDB Credentials
+secret:: ${LDAPMANAGERPASS_B64}
+ldapBindDn: ${LDAPMANAGERDN}
diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf
index 15b9d3104e..b1ce6f6492 100644
--- a/source4/setup/slapd.conf
+++ b/source4/setup/slapd.conf
@@ -5,17 +5,36 @@ include ${LDAPDIR}/backend-schema.schema
pidfile ${LDAPDIR}/slapd.pid
argsfile ${LDAPDIR}/slapd.args
sasl-realm ${DNSDOMAIN}
-access to * by * write
-allow update_anon
+#authz-regexp
+# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
+# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
-authz-regexp
- uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
- ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+#authz-regexp
+# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
+# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
authz-regexp
uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
- ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+ ldap:///cn=samba??one?(cn=\$1)
+
+authz-regexp
+ uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
+ ldap:///cn=samba??one?(cn=\$1)
+
+access to dn.base=""
+ by dn=cn=samba-admin,cn=samba manage
+ by anonymous read
+ by * read
+
+access to dn.subtree="cn=samba"
+ by anonymous auth
+
+access to dn.subtree="${DOMAINDN}"
+ by dn=cn=samba-admin,cn=samba manage
+ by * read
+
+password-hash {CLEARTEXT}
include ${LDAPDIR}/modules.conf
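Review bot: The new `access to dn.subtree="${DOMAINDN}"` rule ends with `by * read`, which grants anonymous clients read access to every entry and attribute under the domain DN, including any credential-bearing attributes the samdb stores in this backend; this is much tighter than the removed `access to * by * write`, but still broad. Consider `by users read`, or an attrs-scoped clause excluding password attributes placed before this rule, since OpenLDAP applies the first matching `access to` clause. `password-hash {CLEARTEXT}` means passwords changed through the passwd extended operation are stored unhashed in the hdb files, which relies entirely on directory permissions; a comment stating that assumption next to the directive would help the next maintainer. The `by anonymous read` line under `dn.base=""` is redundant with the `by * read` that follows it.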
@@ -23,6 +42,11 @@ defaultsearchbase ${DOMAINDN}
${MEMBEROF_CONFIG}
+database ldif
+suffix cn=Samba
+directory ${LDAPDIR}/db/samba
+
+
database hdb
suffix ${SCHEMADN}
directory ${LDAPDIR}/db/schema
@@ -78,9 +102,6 @@ index dnsRoot eq
index nETBIOSName eq
index cn eq
-rootdn ${LDAPMANAGERDN}
-rootpw ${LDAPMANAGERPASS}
-
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov