diff options
| -rw-r--r-- | source4/ldap_server/ldap_server.c | 12 | ||||
| -rw-r--r-- | source4/scripting/libjs/provision.js | 47 | ||||
| -rw-r--r-- | source4/selftest/env/Samba4.pm | 13 | ||||
| -rw-r--r-- | source4/setup/named.conf | 5 | ||||
| -rwxr-xr-x | source4/setup/provision | 3 | ||||
| -rw-r--r-- | source4/setup/provision.smb.conf.dc (renamed from source4/setup/provision.smb.conf) | 6 | ||||
| -rw-r--r-- | source4/setup/provision.smb.conf.member | 5 | ||||
| -rw-r--r-- | source4/setup/provision.smb.conf.standlone | 5 | ||||
| -rw-r--r-- | source4/setup/provision_self_join.ldif | 18 | ||||
| -rw-r--r-- | source4/setup/provision_users.ldif | 16 | ||||
| -rw-r--r-- | source4/setup/secrets.ldif | 44 | ||||
| -rw-r--r-- | source4/setup/secrets_dc.ldif | 44 |
12 files changed, 137 insertions, 81 deletions
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c index a6753d46fa..f2ffc401cb 100644 --- a/source4/ldap_server/ldap_server.c +++ b/source4/ldap_server/ldap_server.c @@ -513,6 +513,18 @@ static void ldapsrv_task_init(struct task_server *task) NTSTATUS status; const struct model_ops *model_ops; + switch (lp_server_role()) { + case ROLE_STANDALONE: + task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration"); + return; + case ROLE_DOMAIN_MEMBER: + task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration"); + return; + case ROLE_DOMAIN_CONTROLLER: + /* Yes, we want an LDAP server */ + break; + } + task_server_set_title(task, "task[ldapsrv]"); /* run the ldap server as a single process */ diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js index d6d4909499..502583507b 100644 --- a/source4/scripting/libjs/provision.js +++ b/source4/scripting/libjs/provision.js @@ -489,6 +489,17 @@ function provision_fix_subobj(subobj, paths) subobj.NETLOGONPATH = paths.netlogon; subobj.SYSVOLPATH = paths.sysvol; + if (subobj.DOMAIN_CONF == undefined) { + subobj.DOMAIN_CONF = subobj.DOMAIN; + } + if (subobj.REALM_CONF == undefined) { + subobj.REALM_CONF = subobj.REALM; + } + if (subobj.SERVERROLE != "domain controller") { + subobj.REALM = subobj.HOSTNAME; + subobj.DOMAIN = subobj.HOSTNAME; + } + return true; } @@ -536,6 +547,8 @@ function provision_become_dc(subobj, message, erase, paths, session_info) setup_ldb("secrets.ldif", info, paths.secrets, false); + setup_ldb("secrets_dc.ldif", info, paths.secrets, false); + return true; } @@ -571,8 +584,16 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda /* only install a new smb.conf if there isn't one there already */ var st = sys.stat(paths.smbconf); if (st == undefined) { + var smbconfsuffix; + if (subobj.ROLE == "domain controller") { + smbconfsuffix = "dc"; + } else if (subobj.ROLE == "member server") { + smbconfsuffix = "member"; + } else { + smbconfsuffix = subobj.ROLE; + } message("Setting up " + paths.smbconf +"\n"); - setup_file("provision.smb.conf", info.message, paths.smbconf, subobj); + setup_file("provision.smb.conf." + smbconfsuffix, info.message, paths.smbconf, subobj); lp.reload(); } /* only install a new shares config db if there is none */ @@ -724,7 +745,7 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda message("Setting up sam.ldb users and groups\n"); setup_add_ldif("provision_users.ldif", info, samdb, false); - if (lp.get("server role") == "domain controller") { + if (subobj.SERVERROLE == "domain controller") { message("Setting up self join\n"); setup_add_ldif("provision_self_join.ldif", info, samdb, false); setup_add_ldif("provision_group_policy.ldif", info, samdb, false); @@ -737,6 +758,9 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/User", 0755); sys.mkdir(paths.netlogon, 0755); + + setup_ldb("secrets_dc.ldif", info, paths.secrets, false); + } if (setup_name_mappings(info, samdb) == false) { @@ -809,8 +833,8 @@ function provision_schema(subobj, message, tmp_schema_path, paths) function provision_dns(subobj, message, paths, session_info, credentials) { var lp = loadparm_init(); - if (lp.get("server role") != "domain controller") { - message("No DNS zone required for role %s\n", lp.get("server role")); + if (subobj.SERVERROLE != "domain controller") { + message("No DNS zone required for role %s\n", subobj.SERVERROLE); return; } message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n"); @@ -886,6 +910,7 @@ function provision_guess() var rdn_list; random_init(local); + subobj.SERVERROLE = strlower(lp.get("server role")); subobj.REALM = strupper(lp.get("realm")); subobj.DOMAIN = lp.get("workgroup"); subobj.HOSTNAME = hostname(); @@ -1100,15 +1125,21 @@ function provision_validate(subobj, message) } - if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN)) { + if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN_CONF)) { message("workgroup '%s' in smb.conf must match chosen domain '%s'\n", - lp.get("workgroup"), subobj.DOMAIN); + lp.get("workgroup"), subobj.DOMAIN_CONF); return false; } - if (strupper(lp.get("realm")) != strupper(subobj.REALM)) { + if (strupper(lp.get("realm")) != strupper(subobj.REALM_CONF)) { message("realm '%s' in smb.conf must match chosen realm '%s'\n", - lp.get("realm"), subobj.REALM); + lp.get("realm"), subobj.REALM_CONF); + return false; + } + + if (strupper(lp.get("server role")) != strupper(subobj.SERVERROLE)) { + message("server role '%s' in smb.conf must match chosen role '%s'\n", + lp.get("server role"), subobj.SERVERROLE); return false; } diff --git a/source4/selftest/env/Samba4.pm b/source4/selftest/env/Samba4.pm index c8d2ccc94b..0cd9c2e2be 100644 --- a/source4/selftest/env/Samba4.pm +++ b/source4/selftest/env/Samba4.pm @@ -297,10 +297,6 @@ sub provision($$$$$$) $tmpdir); - my $localdomain = $domain; - $localdomain = $netbiosname if $server_role eq "member server"; - my $localrealm = $realm; - $localrealm = $netbiosname if $server_role eq "member server"; my $localbasedn = $basedn; $localbasedn = "DC=$netbiosname" if $server_role eq "member server"; @@ -416,9 +412,9 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi push (@provision_options, split(' ', $configuration)); push (@provision_options, "--host-name=$netbiosname"); push (@provision_options, "--host-ip=$ifaceipv4"); - push (@provision_options, "--quiet"); - push (@provision_options, "--domain=$localdomain"); - push (@provision_options, "--realm=$localrealm"); +# push (@provision_options, "--quiet"); + push (@provision_options, "--domain=$domain"); + push (@provision_options, "--realm=$realm"); push (@provision_options, "--adminpass=$password"); push (@provision_options, "--krbtgtpass=krbtgt$password"); push (@provision_options, "--machinepass=machine$password"); @@ -426,6 +422,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn"); push (@provision_options, "--password=$password"); push (@provision_options, "--root=$root"); + push (@provision_options, "--server-role=$server_role"); my $ldap_uri= "$ldapdir/ldapi"; $ldap_uri =~ s|/|%2F|g; @@ -454,7 +451,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi if (defined($self->{ldap})) { push (@provision_options, "--ldap-backend=$ldap_uri"); - system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$localrealm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed"); + system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$realm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed"); if ($self->{ldap} eq "openldap") { ($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories"); diff --git a/source4/setup/named.conf b/source4/setup/named.conf index bb9f421db0..025788093e 100644 --- a/source4/setup/named.conf +++ b/source4/setup/named.conf @@ -3,11 +3,12 @@ # the BIND nameserver. # -#insert this into options {} +# If you have a very recent BIND, supporting GSS-TSIG, +# insert this into options {} (otherwise omit, it is not required if we don't accept updates) tkey-gssapi-credential "DNS/${DNSDOMAIN}"; tkey-domain "${REALM}"; -#the zone file +# You should always include the actual zone configuration reference: zone "${DNSDOMAIN}." IN { type master; file "${DNSDOMAIN}.zone"; diff --git a/source4/setup/provision b/source4/setup/provision index f6b9cde188..b8f955dcf4 100755 --- a/source4/setup/provision +++ b/source4/setup/provision @@ -32,6 +32,7 @@ options = GetOptions(ARGV, 'users=s', 'quiet', 'blank', + 'server-role=s', 'partitions-only', 'ldap-base', 'ldap-backend=s', @@ -84,6 +85,7 @@ provision [options] --users GROUPNAME choose 'users' group --quiet Be quiet --blank do not add users or groups, just the structure + --server-role ROLE Set server role to provision for (default standalone) --partitions-only Configure Samba's partitions, but do not modify them (ie, join a BDC) --ldap-base output only an LDIF file, suitable for creating an LDAP baseDN --ldap-backend LDAPSERVER LDAP server to use for this provision @@ -112,6 +114,7 @@ if (options["realm"] == undefined || var lp = loadparm_init(); lp.set("realm", options.realm); lp.set("workgroup", options.domain); +lp.set("server role", options["server-role"]); lp.reload(); var subobj = provision_guess(); diff --git a/source4/setup/provision.smb.conf b/source4/setup/provision.smb.conf.dc index fe08d7e3be..5b8e141cbf 100644 --- a/source4/setup/provision.smb.conf +++ b/source4/setup/provision.smb.conf.dc @@ -1,8 +1,8 @@ [globals] netbios name = ${HOSTNAME} - workgroup = ${DOMAIN} - realm = ${REALM} - server role = domain controller + workgroup = ${DOMAIN_CONF} + realm = ${REALM_CONF} + server role = ${SERVERROLE} [netlogon] path = ${NETLOGONPATH} diff --git a/source4/setup/provision.smb.conf.member b/source4/setup/provision.smb.conf.member new file mode 100644 index 0000000000..bc37d4f3d3 --- /dev/null +++ b/source4/setup/provision.smb.conf.member @@ -0,0 +1,5 @@ +[globals] + netbios name = ${HOSTNAME} + workgroup = ${DOMAIN_CONF} + realm = ${REALM_CONF} + server role = ${SERVERROLE} diff --git a/source4/setup/provision.smb.conf.standlone b/source4/setup/provision.smb.conf.standlone new file mode 100644 index 0000000000..bc37d4f3d3 --- /dev/null +++ b/source4/setup/provision.smb.conf.standlone @@ -0,0 +1,5 @@ +[globals] + netbios name = ${HOSTNAME} + workgroup = ${DOMAIN_CONF} + realm = ${REALM_CONF} + server role = ${SERVERROLE} diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif index ff44a35f6d..dca7b7c93e 100644 --- a/source4/setup/provision_self_join.ldif +++ b/source4/setup/provision_self_join.ldif @@ -21,3 +21,21 @@ servicePrincipalName: HOST/${NETBIOSNAME}/${REALM} servicePrincipalName: HOST/${DNSNAME}/${DOMAIN} servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN} ${HOSTGUID_ADD} + +#Provide a account for DNS keytab export +dn: CN=dns,CN=Users,${DOMAINDN} +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: dns +description: DNS Service Account +showInAdvancedViewOnly: TRUE +userAccountControl: 514 +accountExpires: 9223372036854775807 +sAMAccountName: dns +sAMAccountType: 805306368 +servicePrincipalName: DNS/${DNSDOMAIN} +isCriticalSystemObject: TRUE +sambaPassword:: ${DNSPASS_B64} + diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif index f6fbb0bd52..030fe5d742 100644 --- a/source4/setup/provision_users.ldif +++ b/source4/setup/provision_users.ldif @@ -205,22 +205,6 @@ servicePrincipalName: kadmin/changepw isCriticalSystemObject: TRUE sambaPassword:: ${KRBTGTPASS_B64} -dn: CN=dns,CN=Users,${DOMAINDN} -objectClass: top -objectClass: person -objectClass: organizationalPerson -objectClass: user -cn: dns -description: DNS Service Account -showInAdvancedViewOnly: TRUE -userAccountControl: 514 -accountExpires: 9223372036854775807 -sAMAccountName: dns -sAMAccountType: 805306368 -servicePrincipalName: DNS/${DNSDOMAIN} -isCriticalSystemObject: TRUE -sambaPassword:: ${DNSPASS_B64} - dn: CN=Domain Computers,CN=Users,${DOMAINDN} objectClass: top objectClass: group diff --git a/source4/setup/secrets.ldif b/source4/setup/secrets.ldif index 80015b4b41..95cbe20e5f 100644 --- a/source4/setup/secrets.ldif +++ b/source4/setup/secrets.ldif @@ -8,47 +8,3 @@ objectClass: top objectClass: container cn: Primary Domains -dn: flatname=${DOMAIN},CN=Primary Domains -objectClass: top -objectClass: primaryDomain -objectClass: kerberosSecret -flatname: ${DOMAIN} -realm: ${REALM} -secret:: ${MACHINEPASS_B64} -secureChannelType: 6 -sAMAccountName: ${NETBIOSNAME}$ -whenCreated: ${LDAPTIME} -whenChanged: ${LDAPTIME} -msDS-KeyVersionNumber: 1 -objectSid: ${DOMAINSID} -privateKeytab: ${SECRETS_KEYTAB} - -# A hook from our credentials system into HDB, as we must be on a KDC, -# we can look directly into the database. -dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals -objectClass: top -objectClass: secret -objectClass: kerberosSecret -flatname: ${DOMAIN} -realm: ${REALM} -sAMAccountName: krbtgt -whenCreated: ${LDAPTIME} -whenChanged: ${LDAPTIME} -objectSid: ${DOMAINSID} -servicePrincipalName: kadmin/changepw -krb5Keytab: HDB:ldb:${SAM_LDB}: -#The trailing : here is a HACK, but it matches the Heimdal format. - -# A hook from our credentials system into HDB, as we must be on a KDC, -# we can look directly into the database. -dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals -objectClass: top -objectClass: secret -objectClass: kerberosSecret -realm: ${REALM} -whenCreated: ${LDAPTIME} -whenChanged: ${LDAPTIME} -servicePrincipalName: DNS/${DNSDOMAIN} -privateKeytab: ${DNS_KEYTAB} -secret:: ${DNSPASS_B64} - diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif new file mode 100644 index 0000000000..64469352bb --- /dev/null +++ b/source4/setup/secrets_dc.ldif @@ -0,0 +1,44 @@ +dn: flatname=${DOMAIN},CN=Primary Domains +objectClass: top +objectClass: primaryDomain +objectClass: kerberosSecret +flatname: ${DOMAIN} +realm: ${REALM} +secret:: ${MACHINEPASS_B64} +secureChannelType: 6 +sAMAccountName: ${NETBIOSNAME}$ +whenCreated: ${LDAPTIME} +whenChanged: ${LDAPTIME} +msDS-KeyVersionNumber: 1 +objectSid: ${DOMAINSID} +privateKeytab: ${SECRETS_KEYTAB} + +# A hook from our credentials system into HDB, as we must be on a KDC, +# we can look directly into the database. +dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals +objectClass: top +objectClass: secret +objectClass: kerberosSecret +flatname: ${DOMAIN} +realm: ${REALM} +sAMAccountName: krbtgt +whenCreated: ${LDAPTIME} +whenChanged: ${LDAPTIME} +objectSid: ${DOMAINSID} +servicePrincipalName: kadmin/changepw +krb5Keytab: HDB:ldb:${SAM_LDB}: +#The trailing : here is a HACK, but it matches the Heimdal format. + +# A hook from our credentials system into HDB, as we must be on a KDC, +# we can look directly into the database. +dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals +objectClass: top +objectClass: secret +objectClass: kerberosSecret +realm: ${REALM} +whenCreated: ${LDAPTIME} +whenChanged: ${LDAPTIME} +servicePrincipalName: DNS/${DNSDOMAIN} +privateKeytab: ${DNS_KEYTAB} +secret:: ${DNSPASS_B64} + |