-rw-r--r--source4/ldap_server/ldap_server.c12
-rw-r--r--source4/scripting/libjs/provision.js47
-rw-r--r--source4/selftest/env/Samba4.pm13
-rw-r--r--source4/setup/named.conf5
-rwxr-xr-xsource4/setup/provision3
-rw-r--r--source4/setup/provision.smb.conf.dc (renamed from source4/setup/provision.smb.conf)6
-rw-r--r--source4/setup/provision.smb.conf.member5
-rw-r--r--source4/setup/provision.smb.conf.standlone5
-rw-r--r--source4/setup/provision_self_join.ldif18
-rw-r--r--source4/setup/provision_users.ldif16
-rw-r--r--source4/setup/secrets.ldif44
-rw-r--r--source4/setup/secrets_dc.ldif44
12 files changed, 137 insertions, 81 deletions
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index a6753d46fa..f2ffc401cb 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -513,6 +513,18 @@ static void ldapsrv_task_init(struct task_server *task)
NTSTATUS status;
const struct model_ops *model_ops;
+ switch (lp_server_role()) {
+ case ROLE_STANDALONE:
+ task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration");
+ return;
+ case ROLE_DOMAIN_MEMBER:
+ task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration");
+ return;
+ case ROLE_DOMAIN_CONTROLLER:
+ /* Yes, we want an LDAP server */
+ break;
+ }
+
task_server_set_title(task, "task[ldapsrv]");
/* run the ldap server as a single process */
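Review bot: The new switch on lp_server_role() has no default case, so any role value other than the three listed falls through the switch and the LDAP server is started anyway; the role enum is not visible in this hunk, so whether further values exist is inferred. Add `default: task_server_terminate(task, "ldap_server: unknown server role"); return;` before the closing brace so an unexpected role fails closed instead of exposing a listener that was meant to be disabled. ldapsrv_task_init's body continues outside the hunk.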
diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js
index d6d4909499..502583507b 100644
--- a/source4/scripting/libjs/provision.js
+++ b/source4/scripting/libjs/provision.js
@@ -489,6 +489,17 @@ function provision_fix_subobj(subobj, paths)
subobj.NETLOGONPATH = paths.netlogon;
subobj.SYSVOLPATH = paths.sysvol;
+ if (subobj.DOMAIN_CONF == undefined) {
+ subobj.DOMAIN_CONF = subobj.DOMAIN;
+ }
+ if (subobj.REALM_CONF == undefined) {
+ subobj.REALM_CONF = subobj.REALM;
+ }
+ if (subobj.SERVERROLE != "domain controller") {
+ subobj.REALM = subobj.HOSTNAME;
+ subobj.DOMAIN = subobj.HOSTNAME;
+ }
+
return true;
}
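Review bot: The override on the `if (subobj.SERVERROLE != "domain controller")` lines silently replaces the caller's REALM and DOMAIN with HOSTNAME, and the reason is only recoverable by reading the smb.conf templates elsewhere in this commit, which consume DOMAIN_CONF/REALM_CONF instead. A comment such as `/* Non-DC roles: keep the configured workgroup/realm in *_CONF for smb.conf, but provision the local SAM under the host name */` above the block would make the intent clear. Note that the ordering matters: the *_CONF defaults must be taken before the override, as they are here.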
@@ -536,6 +547,8 @@ function provision_become_dc(subobj, message, erase, paths, session_info)
setup_ldb("secrets.ldif", info, paths.secrets, false);
+ setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
return true;
}
@@ -571,8 +584,16 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
/* only install a new smb.conf if there isn't one there already */
var st = sys.stat(paths.smbconf);
if (st == undefined) {
+ var smbconfsuffix;
+ if (subobj.ROLE == "domain controller") {
+ smbconfsuffix = "dc";
+ } else if (subobj.ROLE == "member server") {
+ smbconfsuffix = "member";
+ } else {
+ smbconfsuffix = subobj.ROLE;
+ }
message("Setting up " + paths.smbconf +"\n");
- setup_file("provision.smb.conf", info.message, paths.smbconf, subobj);
+ setup_file("provision.smb.conf." + smbconfsuffix, info.message, paths.smbconf, subobj);
lp.reload();
}
/* only install a new shares config db if there is none */
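Review bot: The suffix selection on the `if (subobj.ROLE == "domain controller")` line reads `subobj.ROLE`, while every other line this commit adds (provision_guess, provision_dns, provision_validate and the self-join check later in provision) uses `subobj.SERVERROLE`; unless ROLE is assigned somewhere outside the hunk, smbconfsuffix is undefined and setup_file looks for "provision.smb.conf.undefined". The else branch also derives the file name from the role string, so a standalone role resolves to provision.smb.conf.standalone, whereas the template this commit adds is spelt provision.smb.conf.standlone. Change the two comparisons to `subobj.SERVERROLE` and either rename the template or map the role explicitly, e.g. `} else { smbconfsuffix = "standalone"; }`. provision's body extends beyond the hunk on both sides.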
@@ -724,7 +745,7 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
message("Setting up sam.ldb users and groups\n");
setup_add_ldif("provision_users.ldif", info, samdb, false);
- if (lp.get("server role") == "domain controller") {
+ if (subobj.SERVERROLE == "domain controller") {
message("Setting up self join\n");
setup_add_ldif("provision_self_join.ldif", info, samdb, false);
setup_add_ldif("provision_group_policy.ldif", info, samdb, false);
@@ -737,6 +758,9 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/User", 0755);
sys.mkdir(paths.netlogon, 0755);
+
+ setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
}
if (setup_name_mappings(info, samdb) == false) {
@@ -809,8 +833,8 @@ function provision_schema(subobj, message, tmp_schema_path, paths)
function provision_dns(subobj, message, paths, session_info, credentials)
{
var lp = loadparm_init();
- if (lp.get("server role") != "domain controller") {
- message("No DNS zone required for role %s\n", lp.get("server role"));
+ if (subobj.SERVERROLE != "domain controller") {
+ message("No DNS zone required for role %s\n", subobj.SERVERROLE);
return;
}
message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n");
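Review bot: With both lp.get("server role") calls replaced by subobj.SERVERROLE, `var lp = loadparm_init();` at the top of provision_dns may no longer be referenced; if nothing below the hunk reads lp, drop that line so the function does not initialise a loadparm context it never uses. The remainder of provision_dns is outside the hunk.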
@@ -886,6 +910,7 @@ function provision_guess()
var rdn_list;
random_init(local);
+ subobj.SERVERROLE = strlower(lp.get("server role"));
subobj.REALM = strupper(lp.get("realm"));
subobj.DOMAIN = lp.get("workgroup");
subobj.HOSTNAME = hostname();
@@ -1100,15 +1125,21 @@ function provision_validate(subobj, message)
}
- if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN)) {
+ if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN_CONF)) {
message("workgroup '%s' in smb.conf must match chosen domain '%s'\n",
- lp.get("workgroup"), subobj.DOMAIN);
+ lp.get("workgroup"), subobj.DOMAIN_CONF);
return false;
}
- if (strupper(lp.get("realm")) != strupper(subobj.REALM)) {
+ if (strupper(lp.get("realm")) != strupper(subobj.REALM_CONF)) {
message("realm '%s' in smb.conf must match chosen realm '%s'\n",
- lp.get("realm"), subobj.REALM);
+ lp.get("realm"), subobj.REALM_CONF);
+ return false;
+ }
+
+ if (strupper(lp.get("server role")) != strupper(subobj.SERVERROLE)) {
+ message("server role '%s' in smb.conf must match chosen role '%s'\n",
+ lp.get("server role"), subobj.SERVERROLE);
return false;
}
diff --git a/source4/selftest/env/Samba4.pm b/source4/selftest/env/Samba4.pm
index c8d2ccc94b..0cd9c2e2be 100644
--- a/source4/selftest/env/Samba4.pm
+++ b/source4/selftest/env/Samba4.pm
@@ -297,10 +297,6 @@ sub provision($$$$$$)
$tmpdir);
- my $localdomain = $domain;
- $localdomain = $netbiosname if $server_role eq "member server";
- my $localrealm = $realm;
- $localrealm = $netbiosname if $server_role eq "member server";
my $localbasedn = $basedn;
$localbasedn = "DC=$netbiosname" if $server_role eq "member server";
@@ -416,9 +412,9 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
push (@provision_options, split(' ', $configuration));
push (@provision_options, "--host-name=$netbiosname");
push (@provision_options, "--host-ip=$ifaceipv4");
- push (@provision_options, "--quiet");
- push (@provision_options, "--domain=$localdomain");
- push (@provision_options, "--realm=$localrealm");
+# push (@provision_options, "--quiet");
+ push (@provision_options, "--domain=$domain");
+ push (@provision_options, "--realm=$realm");
push (@provision_options, "--adminpass=$password");
push (@provision_options, "--krbtgtpass=krbtgt$password");
push (@provision_options, "--machinepass=machine$password");
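Review bot: The line `# push (@provision_options, "--quiet");` leaves commented-out code in the test harness, which reads like a local debugging toggle rather than an intended change; either delete the line or restore `push (@provision_options, "--quiet");`. If the intent is to keep provision output visible in selftest, say so in a comment instead of leaving the dead push. The enclosing sub continues outside the hunk.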
@@ -426,6 +422,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
push (@provision_options, "--password=$password");
push (@provision_options, "--root=$root");
+ push (@provision_options, "--server-role=$server_role");
my $ldap_uri= "$ldapdir/ldapi";
$ldap_uri =~ s|/|%2F|g;
@@ -454,7 +451,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
if (defined($self->{ldap})) {
push (@provision_options, "--ldap-backend=$ldap_uri");
- system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$localrealm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+ system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$realm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
if ($self->{ldap} eq "openldap") {
($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");
diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index bb9f421db0..025788093e 100644
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@@ -3,11 +3,12 @@
# the BIND nameserver.
#
-#insert this into options {}
+# If you have a very recent BIND, supporting GSS-TSIG,
+# insert this into options {} (otherwise omit, it is not required if we don't accept updates)
tkey-gssapi-credential "DNS/${DNSDOMAIN}";
tkey-domain "${REALM}";
-#the zone file
+# You should always include the actual zone configuration reference:
zone "${DNSDOMAIN}." IN {
type master;
file "${DNSDOMAIN}.zone";
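Review bot: The new comment says to omit the tkey-gssapi-credential / tkey-domain statements when BIND lacks GSS-TSIG, but the template still emits both lines unconditionally, so a generated named.conf pasted into an older BIND will be rejected rather than silently skipping dynamic-update support. Either comment the two statements out in the template so the administrator opts in, or reword the note to `# Remove the two tkey-* lines below if your BIND does not support GSS-TSIG` so it matches what the file actually produces.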
diff --git a/source4/setup/provision b/source4/setup/provision
index f6b9cde188..b8f955dcf4 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -32,6 +32,7 @@ options = GetOptions(ARGV,
'users=s',
'quiet',
'blank',
+ 'server-role=s',
'partitions-only',
'ldap-base',
'ldap-backend=s',
@@ -84,6 +85,7 @@ provision [options]
--users GROUPNAME choose 'users' group
--quiet Be quiet
--blank do not add users or groups, just the structure
+ --server-role ROLE Set server role to provision for (default standalone)
--partitions-only Configure Samba's partitions, but do not modify them (ie, join a BDC)
--ldap-base output only an LDIF file, suitable for creating an LDAP baseDN
--ldap-backend LDAPSERVER LDAP server to use for this provision
@@ -112,6 +114,7 @@ if (options["realm"] == undefined ||
var lp = loadparm_init();
lp.set("realm", options.realm);
lp.set("workgroup", options.domain);
+lp.set("server role", options["server-role"]);
lp.reload();
var subobj = provision_guess();
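Review bot: `lp.set("server role", options["server-role"]);` runs even when --server-role was not given, so loadparm receives undefined rather than the "standalone" default the help text in the previous hunk promises; the option table adds no default either. Set the fallback before the call, `if (options["server-role"] == undefined) { options["server-role"] = "standalone"; }`, so provision_guess's strlower(lp.get("server role")) and provision_validate's role comparison see a real role string. Whether lp.set rejects an undefined value is not visible here.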
diff --git a/source4/setup/provision.smb.conf b/source4/setup/provision.smb.conf.dc
index fe08d7e3be..5b8e141cbf 100644
--- a/source4/setup/provision.smb.conf
+++ b/source4/setup/provision.smb.conf.dc
@@ -1,8 +1,8 @@
[globals]
netbios name = ${HOSTNAME}
- workgroup = ${DOMAIN}
- realm = ${REALM}
- server role = domain controller
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
[netlogon]
path = ${NETLOGONPATH}
diff --git a/source4/setup/provision.smb.conf.member b/source4/setup/provision.smb.conf.member
new file mode 100644
index 0000000000..bc37d4f3d3
--- /dev/null
+++ b/source4/setup/provision.smb.conf.member
@@ -0,0 +1,5 @@
+[globals]
+ netbios name = ${HOSTNAME}
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
diff --git a/source4/setup/provision.smb.conf.standlone b/source4/setup/provision.smb.conf.standlone
new file mode 100644
index 0000000000..bc37d4f3d3
--- /dev/null
+++ b/source4/setup/provision.smb.conf.standlone
@@ -0,0 +1,5 @@
+[globals]
+ netbios name = ${HOSTNAME}
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index ff44a35f6d..dca7b7c93e 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -21,3 +21,21 @@ servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
${HOSTGUID_ADD}
+
+#Provide a account for DNS keytab export
+dn: CN=dns,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: dns
+description: DNS Service Account
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+accountExpires: 9223372036854775807
+sAMAccountName: dns
+sAMAccountType: 805306368
+servicePrincipalName: DNS/${DNSDOMAIN}
+isCriticalSystemObject: TRUE
+sambaPassword:: ${DNSPASS_B64}
+
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index f6fbb0bd52..030fe5d742 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -205,22 +205,6 @@ servicePrincipalName: kadmin/changepw
isCriticalSystemObject: TRUE
sambaPassword:: ${KRBTGTPASS_B64}
-dn: CN=dns,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: dns
-description: DNS Service Account
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-accountExpires: 9223372036854775807
-sAMAccountName: dns
-sAMAccountType: 805306368
-servicePrincipalName: DNS/${DNSDOMAIN}
-isCriticalSystemObject: TRUE
-sambaPassword:: ${DNSPASS_B64}
-
dn: CN=Domain Computers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
diff --git a/source4/setup/secrets.ldif b/source4/setup/secrets.ldif
index 80015b4b41..95cbe20e5f 100644
--- a/source4/setup/secrets.ldif
+++ b/source4/setup/secrets.ldif
@@ -8,47 +8,3 @@ objectClass: top
objectClass: container
cn: Primary Domains
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-msDS-KeyVersionNumber: 1
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-sAMAccountName: krbtgt
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-objectSid: ${DOMAINSID}
-servicePrincipalName: kadmin/changepw
-krb5Keytab: HDB:ldb:${SAM_LDB}:
-#The trailing : here is a HACK, but it matches the Heimdal format.
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-realm: ${REALM}
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-servicePrincipalName: DNS/${DNSDOMAIN}
-privateKeytab: ${DNS_KEYTAB}
-secret:: ${DNSPASS_B64}
-
diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif
new file mode 100644
index 0000000000..64469352bb
--- /dev/null
+++ b/source4/setup/secrets_dc.ldif
@@ -0,0 +1,44 @@
+dn: flatname=${DOMAIN},CN=Primary Domains
+objectClass: top
+objectClass: primaryDomain
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+secret:: ${MACHINEPASS_B64}
+secureChannelType: 6
+sAMAccountName: ${NETBIOSNAME}$
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+msDS-KeyVersionNumber: 1
+objectSid: ${DOMAINSID}
+privateKeytab: ${SECRETS_KEYTAB}
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+sAMAccountName: krbtgt
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+objectSid: ${DOMAINSID}
+servicePrincipalName: kadmin/changepw
+krb5Keytab: HDB:ldb:${SAM_LDB}:
+#The trailing : here is a HACK, but it matches the Heimdal format.
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+realm: ${REALM}
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+servicePrincipalName: DNS/${DNSDOMAIN}
+privateKeytab: ${DNS_KEYTAB}
+secret:: ${DNSPASS_B64}
+