diff options
Diffstat (limited to 'source4/setup')
| -rwxr-xr-x | source4/setup/newuser | 141 | ||||
| -rwxr-xr-x | source4/setup/newuser.py | 61 | ||||
| -rwxr-xr-x | source4/setup/provision | 3 | ||||
| -rwxr-xr-x | source4/setup/provision-backend | 287 | ||||
| -rw-r--r-- | source4/setup/provision-backend.js | 188 | ||||
| -rwxr-xr-x | source4/setup/provision.js | 198 | ||||
| -rw-r--r-- | source4/setup/provision_basedn.ldif | 3 | ||||
| -rw-r--r-- | source4/setup/schema-map-openldap-2.3 | 1 | ||||
| -rw-r--r-- | source4/setup/schema_samba4.ldif | 38 | ||||
| -rw-r--r-- | source4/setup/slapd.conf | 8 | ||||
| -rwxr-xr-x | source4/setup/tests/blackbox_provision.sh | 2 |
11 files changed, 395 insertions, 535 deletions
diff --git a/source4/setup/newuser b/source4/setup/newuser index 7c80e9e8de..03ae4e5ffb 100755 --- a/source4/setup/newuser +++ b/source4/setup/newuser @@ -1,80 +1,61 @@ -#!/bin/sh -exec smbscript "$0" ${1+"$@"} -/* - add a new user to a Samba4 server - Copyright Andrew Tridgell 2005 - Released under the GNU GPL v2 or later -*/ - -options = GetOptions(ARGV, - "POPT_AUTOHELP", - 'username=s', - 'unixname=s', - 'password=s', - "POPT_COMMON_SAMBA", - "POPT_COMMON_VERSION", - "POPT_COMMON_CREDENTIALS", - 'quiet'); - -if (options == undefined) { - println("Failed to parse options"); - return -1; -} - -libinclude("base.js"); -libinclude("provision.js"); - -/* - print a message if quiet is not set -*/ -function message() -{ - if (options["quiet"] == undefined) { - print(vsprintf(arguments)); - } -} - -/* - show some help -*/ -function ShowHelp() -{ - print(" -Samba4 newuser - -newuser [options] - --username USERNAME choose new username - --unixname USERNAME choose unix name of new user - --password PASSWORD set password - -You must provide at least a username -"); - exit(1); -} - -if (options['username'] == undefined) { - ShowHelp(); -} - -if (options['password'] == undefined) { - random_init(local); - options.password = randpass(12); - printf("chose random password %s\n", options.password); -} -if (options['unixname'] == undefined) { - options.unixname = options.username; -} - -var nss = nss_init(); -if (nss.getpwnam(options.unixname) == undefined) { - printf("ERROR: Unix user '%s' does not exist\n", options.unixname); - exit(1); -} - -var creds = options.get_credentials(); -var system_session = system_session(); - - -newuser(options.username, options.unixname, options.password, message, system_session, creds); - -return 0; +#!/usr/bin/python +# +# add a new user to a Samba4 server +# Copyright Andrew Tridgell 2005 +# Copyright Jelmer Vernooij 2008 +# Released under the GNU GPL v2 or later +# + +import samba.getopt as options +import optparse +import pwd +import sys + +from auth import system_session +from samba.samdb import SamDB + +parser = optparse.OptionParser("newuser [options] <username> [<password>]") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +parser.add_option("--quiet", help="Be quiet", action="store_true") +parser.add_option("--unixname", help="Unix Username", type=str) + +opts, args = parser.parse_args() + +# +# print a message if quiet is not set +# +def message(text): + if not opts.quiet: + print text + +if len(args) == 0: + parser.print_usage() + sys.exit(1) + +username = args[0] +if len(args) > 1: + password = args[1] +else: + random_init(local) + options.password = randpass(12) + print "chose random password %s\n" % password + +if opts.unixname is None: + opts.unixname = username + +try: + pwd.getpwnam(opts.unixname) +except KeyError: + print "ERROR: Unix user '%s' does not exist" % opts.unixname + sys.exit(1) + +creds = credopts.get_credentials() + +lp = sambaopts.get_loadparm() +samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), + credentials=creds, lp=lp) +samdb.newuser(username, opts.unixname, password) diff --git a/source4/setup/newuser.py b/source4/setup/newuser.py deleted file mode 100755 index 03ae4e5ffb..0000000000 --- a/source4/setup/newuser.py +++ /dev/null @@ -1,61 +0,0 @@ -#!/usr/bin/python -# -# add a new user to a Samba4 server -# Copyright Andrew Tridgell 2005 -# Copyright Jelmer Vernooij 2008 -# Released under the GNU GPL v2 or later -# - -import samba.getopt as options -import optparse -import pwd -import sys - -from auth import system_session -from samba.samdb import SamDB - -parser = optparse.OptionParser("newuser [options] <username> [<password>]") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -parser.add_option("--quiet", help="Be quiet", action="store_true") -parser.add_option("--unixname", help="Unix Username", type=str) - -opts, args = parser.parse_args() - -# -# print a message if quiet is not set -# -def message(text): - if not opts.quiet: - print text - -if len(args) == 0: - parser.print_usage() - sys.exit(1) - -username = args[0] -if len(args) > 1: - password = args[1] -else: - random_init(local) - options.password = randpass(12) - print "chose random password %s\n" % password - -if opts.unixname is None: - opts.unixname = username - -try: - pwd.getpwnam(opts.unixname) -except KeyError: - print "ERROR: Unix user '%s' does not exist" % opts.unixname - sys.exit(1) - -creds = credopts.get_credentials() - -lp = sambaopts.get_loadparm() -samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), - credentials=creds, lp=lp) -samdb.newuser(username, opts.unixname, password) diff --git a/source4/setup/provision b/source4/setup/provision index 629bfa10e0..b0363d8a8f 100755 --- a/source4/setup/provision +++ b/source4/setup/provision @@ -27,6 +27,7 @@ import optparse import os, sys import samba +import param from auth import system_session import samba.getopt as options @@ -110,7 +111,7 @@ if opts.realm is None or opts.domain is None: parser.print_usage() sys.exit(1) -smbconf = sambaopts.get_loadparm_path() +smbconf = sambaopts.get_loadparm().configfile() if opts.aci is not None: print "set ACI: %s" % opts.aci diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend index abd1b9a875..ada6dcef8d 100755 --- a/source4/setup/provision-backend +++ b/source4/setup/provision-backend @@ -1,189 +1,98 @@ -#!/bin/sh -exec smbscript "$0" ${1+"$@"} -/* - provision a Samba4 server - Copyright Andrew Tridgell 2005 - Released under the GNU GPL v2 or later -*/ - -options = GetOptions(ARGV, - "POPT_AUTOHELP", - "POPT_COMMON_SAMBA", - "POPT_COMMON_VERSION", - "POPT_COMMON_CREDENTIALS", - 'realm=s', - 'host-name=s', - 'ldap-manager-pass=s', - 'root=s', - 'quiet', - 'ldap-backend-type=s', - 'ldap-backend-port=i'); - -if (options == undefined) { - println("Failed to parse options"); - return -1; -} - -sys = sys_init(); - -libinclude("base.js"); -libinclude("provision.js"); - -/* - print a message if quiet is not set -*/ -function message() -{ - if (options["quiet"] == undefined) { - print(vsprintf(arguments)); - } -} - -/* - show some help -*/ -function ShowHelp() -{ - print(" -Samba4 provisioning - -provision [options] - --realm REALM set realm - --host-name HOSTNAME set hostname - --ldap-manager-pass PASSWORD choose LDAP Manager password (otherwise random) - --root USERNAME choose 'root' unix username - --quiet Be quiet - --ldap-backend-type LDAPSERVER Select either \"openldap\" or \"fedora-ds\" as a target to configure - --ldap-backend-port PORT Select the TCP port (if any) that the LDAP backend should listen on (Fedora DS only) -You must provide at least a realm and ldap-backend-type - -"); - exit(1); -} - -if (options['host-name'] == undefined) { - options['host-name'] = hostname(); -} - -/* - main program -*/ -if (options["realm"] == undefined || - options["ldap-backend-type"] == undefined || - options["host-name"] == undefined) { - ShowHelp(); -} - -/* cope with an initially blank smb.conf */ -var lp = loadparm_init(); -lp.set("realm", options.realm); -lp.reload(); - -var subobj = provision_guess(); -for (r in options) { - var key = strupper(join("", split("-", r))); - subobj[key] = options[r]; -} - - - -var paths = provision_default_paths(subobj); -provision_fix_subobj(subobj, paths); -message("Provisioning LDAP backend for %s in realm %s into %s\n", subobj.HOSTNAME, subobj.REALM, subobj.LDAPDIR); -message("Using %s password: %s\n", subobj.LDAPMANAGERDN, subobj.LDAPMANAGERPASS); -var tmp_schema_ldb = subobj.LDAPDIR + "/schema-tmp.ldb"; -sys.mkdir(subobj.LDAPDIR, 0700); - -provision_schema(subobj, message, tmp_schema_ldb, paths); - -var mapping; -var backend_schema; -var slapd_command; -if (options["ldap-backend-type"] == "fedora-ds") { - mapping = "schema-map-fedora-ds-1.0"; - backend_schema = "99_ad.ldif"; - if (options["ldap-backend-port"] != undefined) { - message("Will listen on TCP port " + options["ldap-backend-port"] + "\n"); - subobj.SERVERPORT="ServerPort = " + options["ldap-backend-port"]; - } else { - message("Will listen on LDAPI only\n"); - subobj.SERVERPORT=""; - } - setup_file("fedorads.inf", message, subobj.LDAPDIR + "/fedorads.inf", subobj); - setup_file("fedorads-partitions.ldif", message, subobj.LDAPDIR + "/fedorads-partitions.ldif", subobj); - - slapd_command = "(see documentation)"; -} else if (options["ldap-backend-type"] == "openldap") { - mapping = "schema-map-openldap-2.3"; - backend_schema = "backend-schema.schema"; - setup_file("slapd.conf", message, subobj.LDAPDIR + "/slapd.conf", subobj); - setup_file("modules.conf", message, subobj.LDAPDIR + "/modules.conf", subobj); - sys.mkdir(subobj.LDAPDIR + "/db", 0700); - subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/user"; - sys.mkdir(subobj.LDAPDBDIR, 0700); - sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700); - sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700); - setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj); - subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/config"; - sys.mkdir(subobj.LDAPDBDIR, 0700); - sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700); - sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700); - setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj); - subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/schema"; - sys.mkdir(subobj.LDAPDBDIR, 0700); - sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700); - sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700); - setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj); - if (options["ldap-backend-port"] != undefined) { - message("\nStart slapd with: \n"); - slapd_command = "slapd -f " + subobj.LDAPDIR + "/slapd.conf -h \"ldap://0.0.0.0:" + options["ldap-backend-port"] + " " + subobj.LDAPI_URI "\""; - } else { - slapd_command = "slapd -f " + subobj.LDAPDIR + "/slapd.conf -h " + subobj.LDAPI_URI; - } - - var ldb = ldb_init(); - ldb.filename = tmp_schema_ldb; - - var connect_ok = ldb.connect(ldb.filename); - assert(connect_ok); - var attrs = new Array("linkID", "lDAPDisplayName"); - var res = ldb.search("(&(&(linkID=*)(!(linkID:1.2.840.113556.1.4.803:=1)))(objectclass=attributeSchema))", subobj.SCHEMADN, ldb.SCOPE_SUBTREE, attrs); - assert(res.error == 0); - var memberof_config = ""; - var refint_attributes = ""; - for (i=0; i < res.msgs.length; i++) { -searchone(ldb, subobj.DOMAINDN, "(&(objectClass=computer)(cn=" + subobj.NETBIOSNAME + "))", "objectGUID"); - var target = searchone(ldb, subobj.SCHEMADN, "(&(objectclass=attributeSchema)(linkID=" + (res.msgs[i].linkID + 1) + "))", "lDAPDisplayName"); - if (target != undefined) { - refint_attributes = refint_attributes + " " + target + " " + res.msgs[i].lDAPDisplayName; - memberof_config = memberof_config + "overlay memberof -memberof-dangling error -memberof-refint TRUE -memberof-group-oc top -memberof-member-ad " + res.msgs[i].lDAPDisplayName + " -memberof-memberof-ad " + target + " -memberof-dangling-error 32 - -"; - } - } - - memberof_config = memberof_config + " -overlay refint -refint_attributes" + refint_attributes + " -"; - - ok = sys.file_save(subobj.LDAPDIR + "/memberof.conf", memberof_config); - if (!ok) { - message("failed to create file: " + f + "\n"); - assert(ok); - } - -} -var schema_command = "ad2oLschema --option=convert:target=" + options["ldap-backend-type"] + " -I " + lp.get("setup directory") + "/" + mapping + " -H tdb://" + tmp_schema_ldb + " -O " + subobj.LDAPDIR + "/" + backend_schema; - -message("\nCreate a suitable schema file with:\n%s\n", schema_command); -message("\nStart slapd with: \n%s\n", slapd_command); - -message("All OK\n"); -return 0; +#!/usr/bin/python +# +# Unix SMB/CIFS implementation. +# provision a Samba4 server +# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008 +# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008 +# +# Based on the original in EJS: +# Copyright (C) Andrew Tridgell 2005 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import getopt +import optparse +import os, sys + +import samba +import param + +from auth import system_session +import samba.getopt as options +from samba.provision import (provision_backend) + +parser = optparse.OptionParser("provision [options]") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +parser.add_option("--setupdir", type="string", metavar="DIR", + help="directory with setup files") +parser.add_option("--realm", type="string", metavar="REALM", help="set realm") +parser.add_option("--domain", type="string", metavar="DOMAIN", + help="set domain") +parser.add_option("--host-name", type="string", metavar="HOSTNAME", + help="set hostname") +parser.add_option("--ldap-manager-pass", type="string", metavar="PASSWORD", + help="choose LDAP manager password (otherwise random)") +parser.add_option("--root", type="string", metavar="USERNAME", + help="choose 'root' unix username") +parser.add_option("--quiet", help="Be quiet", action="store_true") +parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE", + help="LDB mapping module to use for the LDAP backend", + choices=["fedora-ds", "openldap"]) +parser.add_option("--server-role", type="choice", metavar="ROLE", + choices=["domain controller", "dc", "member server", "member", "standalone"], + help="Set server role to provision for (default standalone)") +parser.add_option("--targetdir", type="string", metavar="DIR", + help="Set target directory") + +opts = parser.parse_args()[0] + +def message(text): + """print a message if quiet is not set.""" + if not opts.quiet: + print text + +if opts.realm is None or opts.domain is None: + if opts.realm is None: + print >>sys.stderr, "No realm set" + if opts.domain is None: + print >>sys.stderr, "No domain set" + parser.print_usage() + sys.exit(1) + +smbconf = sambaopts.get_loadparm().configfile() + +if opts.server_role == "dc": + server_role = "domain controller" +elif opts.server_role == "member": + server_role = "member server" +else: + server_role = opts.server_role + +setup_dir = opts.setupdir +if setup_dir is None: + setup_dir = "setup" + +provision_backend(setup_dir=setup_dir, message=message, smbconf=smbconf, targetdir=opts.targetdir, + realm=opts.realm, domain=opts.domain, + hostname=opts.host_name, + adminpass=opts.ldap_manager_pass, + root=opts.root, serverrole=server_role, + ldap_backend_type=opts.ldap_backend_type) + +message("All OK") diff --git a/source4/setup/provision-backend.js b/source4/setup/provision-backend.js new file mode 100644 index 0000000000..edc09907a8 --- /dev/null +++ b/source4/setup/provision-backend.js @@ -0,0 +1,188 @@ +#!/bin/sh +exec smbscript "$0" ${1+"$@"} +/* + provision a Samba4 server + Copyright Andrew Tridgell 2005 + Released under the GNU GPL v2 or later +*/ + +options = GetOptions(ARGV, + "POPT_AUTOHELP", + "POPT_COMMON_SAMBA", + "POPT_COMMON_VERSION", + "POPT_COMMON_CREDENTIALS", + 'realm=s', + 'host-name=s', + 'ldap-manager-pass=s', + 'root=s', + 'quiet', + 'ldap-backend-type=s', + 'ldap-backend-port=i'); + +if (options == undefined) { + println("Failed to parse options"); + return -1; +} + +sys = sys_init(); + +libinclude("base.js"); +libinclude("provision.js"); + +/* + print a message if quiet is not set +*/ +function message() +{ + if (options["quiet"] == undefined) { + print(vsprintf(arguments)); + } +} + +/* + show some help +*/ +function ShowHelp() +{ + print(" +Samba4 provisioning + +provision [options] + --realm REALM set realm + --host-name HOSTNAME set hostname + --ldap-manager-pass PASSWORD choose LDAP Manager password (otherwise random) + --root USERNAME choose 'root' unix username + --quiet Be quiet + --ldap-backend-type LDAPSERVER Select either \"openldap\" or \"fedora-ds\" as a target to configure + --ldap-backend-port PORT Select the TCP port (if any) that the LDAP backend should listen on (Fedora DS only) +You must provide at least a realm and ldap-backend-type + +"); + exit(1); +} + +if (options['host-name'] == undefined) { + options['host-name'] = hostname(); +} + +/* + main program +*/ +if (options["realm"] == undefined || + options["ldap-backend-type"] == undefined || + options["host-name"] == undefined) { + ShowHelp(); +} + +/* cope with an initially blank smb.conf */ +var lp = loadparm_init(); +lp.set("realm", options.realm); +lp.reload(); + +var subobj = provision_guess(); +for (r in options) { + var key = strupper(join("", split("-", r))); + subobj[key] = options[r]; +} + + + +var paths = provision_default_paths(subobj); +provision_fix_subobj(subobj, paths); +message("Provisioning LDAP backend for %s in realm %s into %s\n", subobj.HOSTNAME, subobj.REALM, subobj.LDAPDIR); +message("Using %s password: %s\n", subobj.LDAPMANAGERDN, subobj.LDAPMANAGERPASS); +var tmp_schema_ldb = subobj.LDAPDIR + "/schema-tmp.ldb"; +sys.mkdir(subobj.LDAPDIR, 0700); + +provision_schema(subobj, message, tmp_schema_ldb, paths); + +var mapping; +var backend_schema; +var slapd_command; +if (options["ldap-backend-type"] == "fedora-ds") { + mapping = "schema-map-fedora-ds-1.0"; + backend_schema = "99_ad.ldif"; + if (options["ldap-backend-port"] != undefined) { + message("Will listen on TCP port " + options["ldap-backend-port"] + "\n"); + subobj.SERVERPORT="ServerPort = " + options["ldap-backend-port"]; + } else { + message("Will listen on LDAPI only\n"); + subobj.SERVERPORT=""; + } + setup_file("fedorads.inf", message, subobj.LDAPDIR + "/fedorads.inf", subobj); + setup_file("fedorads-partitions.ldif", message, subobj.LDAPDIR + "/fedorads-partitions.ldif", subobj); + + slapd_command = "(see documentation)"; +} else if (options["ldap-backend-type"] == "openldap") { + mapping = "schema-map-openldap-2.3"; + backend_schema = "backend-schema.schema"; + setup_file("slapd.conf", message, subobj.LDAPDIR + "/slapd.conf", subobj); + setup_file("modules.conf", message, subobj.LDAPDIR + "/modules.conf", subobj); + sys.mkdir(subobj.LDAPDIR + "/db", 0700); + subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/user"; + sys.mkdir(subobj.LDAPDBDIR, 0700); + sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700); + sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700); + setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj); + subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/config"; + sys.mkdir(subobj.LDAPDBDIR, 0700); + sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700); + sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700); + setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj); + subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/schema"; + sys.mkdir(subobj.LDAPDBDIR, 0700); + sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700); + sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700); + setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj); + if (options["ldap-backend-port"] != undefined) { + message("\nStart slapd with: \n"); + slapd_command = "slapd -f " + subobj.LDAPDIR + "/slapd.conf -h \"ldap://0.0.0.0:" + options["ldap-backend-port"] + " " + subobj.LDAPI_URI "\""; + } else { + slapd_command = "slapd -f " + subobj.LDAPDIR + "/slapd.conf -h " + subobj.LDAPI_URI; + } + + var ldb = ldb_init(); + ldb.filename = tmp_schema_ldb; + + var connect_ok = ldb.connect(ldb.filename); + assert(connect_ok); + var attrs = new Array("linkID", "lDAPDisplayName"); + var res = ldb.search("(&(&(linkID=*)(!(linkID:1.2.840.113556.1.4.803:=1)))(objectclass=attributeSchema))", subobj.SCHEMADN, ldb.SCOPE_SUBTREE, attrs); + assert(res.error == 0); + var memberof_config = ""; + var refint_attributes = ""; + for (i=0; i < res.msgs.length; i++) { + var target = searchone(ldb, subobj.SCHEMADN, "(&(objectclass=attributeSchema)(linkID=" + (res.msgs[i].linkID + 1) + "))", "lDAPDisplayName"); + if (target != undefined) { + refint_attributes = refint_attributes + " " + target + " " + res.msgs[i].lDAPDisplayName; + memberof_config = memberof_config + "overlay memberof +memberof-dangling error +memberof-refint TRUE +memberof-group-oc top +memberof-member-ad " + res.msgs[i].lDAPDisplayName + " +memberof-memberof-ad " + target + " +memberof-dangling-error 32 + +"; + } + } + + memberof_config = memberof_config + " +overlay refint +refint_attributes" + refint_attributes + " +"; + + ok = sys.file_save(subobj.LDAPDIR + "/memberof.conf", memberof_config); + if (!ok) { + message("failed to create file: " + f + "\n"); + assert(ok); + } + +} +var schema_command = "ad2oLschema --option=convert:target=" + options["ldap-backend-type"] + " -I " + lp.get("setup directory") + "/" + mapping + " -H tdb://" + tmp_schema_ldb + " -O " + subobj.LDAPDIR + "/" + backend_schema; + +message("\nCreate a suitable schema file with:\n%s\n", schema_command); +message("\nStart slapd with: \n%s\n", slapd_command); + +message("All OK\n"); +return 0; diff --git a/source4/setup/provision.js b/source4/setup/provision.js deleted file mode 100755 index 328754fd9c..0000000000 --- a/source4/setup/provision.js +++ /dev/null @@ -1,198 +0,0 @@ -#!/bin/sh -exec smbscript "$0" ${1+"$@"} -/* - provision a Samba4 server - Copyright Andrew Tridgell 2005 - Released under the GNU GPL v2 or later -*/ - -options = GetOptions(ARGV, - "POPT_AUTOHELP", - "POPT_COMMON_SAMBA", - "POPT_COMMON_VERSION", - "POPT_COMMON_CREDENTIALS", - 'realm=s', - 'domain=s', - 'domain-guid=s', - 'domain-sid=s', - 'policy-guid=s', - 'host-name=s', - 'host-ip=s', - 'host-guid=s', - 'invocationid=s', - 'adminpass=s', - 'krbtgtpass=s', - 'machinepass=s', - 'dnspass=s', - 'root=s', - 'nobody=s', - 'nogroup=s', - 'wheel=s', - 'users=s', - 'quiet', - 'blank', - 'server-role=s', - 'partitions-only', - 'ldap-base', - 'ldap-backend=s', - 'ldap-backend-type=s', - 'aci=s'); - -if (options == undefined) { - println("Failed to parse options"); - return -1; -} - -libinclude("base.js"); -libinclude("provision.js"); - -/* - print a message if quiet is not set -*/ -function message() -{ - if (options["quiet"] == undefined) { - print(vsprintf(arguments)); - } -} - -/* - show some help -*/ -function ShowHelp() -{ - print(" -Samba4 provisioning - -provision [options] - --realm REALM set realm - --domain DOMAIN set domain - --domain-guid GUID set domainguid (otherwise random) - --domain-sid SID set domainsid (otherwise random) - --host-name HOSTNAME set hostname - --host-ip IPADDRESS set ipaddress - --host-guid GUID set hostguid (otherwise random) - --policy-guid GUID set group policy guid (otherwise random) - --invocationid GUID set invocationid (otherwise random) - --adminpass PASSWORD choose admin password (otherwise random) - --krbtgtpass PASSWORD choose krbtgt password (otherwise random) - --machinepass PASSWORD choose machine password (otherwise random) - --root USERNAME choose 'root' unix username - --nobody USERNAME choose 'nobody' user - --nogroup GROUPNAME choose 'nogroup' group - --wheel GROUPNAME choose 'wheel' privileged group - --users GROUPNAME choose 'users' group - --quiet Be quiet - --blank do not add users or groups, just the structure - --server-role ROLE Set server role to provision for (default standalone) - --partitions-only Configure Samba's partitions, but do not modify them (ie, join a BDC) - --ldap-base output only an LDIF file, suitable for creating an LDAP baseDN - --ldap-backend LDAPSERVER LDAP server to use for this provision - --ldap-backend-type TYPE OpenLDAP or Fedora DS - --aci ACI An arbitary LDIF fragment, particularly useful to loading a backend ACI value into a target LDAP server -You must provide at least a realm and domain - -"); - exit(1); -} - -if (options['host-name'] == undefined) { - options['host-name'] = hostname(); -} - -/* - main program -*/ -if (options["realm"] == undefined || - options["domain"] == undefined || - options["host-name"] == undefined) { - ShowHelp(); -} - -/* cope with an initially blank smb.conf */ -var lp = loadparm_init(); -lp.set("realm", options.realm); -lp.set("workgroup", options.domain); -lp.set("server role", options["server-role"]); -lp.reload(); - -var subobj = provision_guess(); -for (r in options) { - var key = strupper(join("", split("-", r))); - subobj[key] = options[r]; -} - -var blank = (options["blank"] != undefined); -var ldapbackend = (options["ldap-backend"] != undefined); -var ldapbackendtype = options["ldap-backend-type"]; -var partitions_only = (options["partitions-only"] != undefined); -var paths = provision_default_paths(subobj); -if (options["aci"] != undefined) { - message("set ACI: %s\n", subobj["ACI"]); -} - -message("set DOMAIN SID: %s\n", subobj["DOMAINSID"]); - -provision_fix_subobj(subobj, paths); - -if (ldapbackend) { - if (options["ldap-backend"] == "ldapi") { - subobj.LDAPBACKEND = subobj.LDAPI_URI; - } - if (ldapbackendtype == undefined) { - - } else if (ldapbackendtype == "openldap") { - subobj.LDAPMODULE = "normalise,entryuuid"; - subobj.TDB_MODULES_LIST = ""; - } else if (ldapbackendtype == "fedora-ds") { - subobj.LDAPMODULE = "nsuniqueid"; - } - subobj.BACKEND_MOD = subobj.LDAPMODULE + ",paged_searches"; - subobj.DOMAINDN_LDB = subobj.LDAPBACKEND; - subobj.CONFIGDN_LDB = subobj.LDAPBACKEND; - subobj.SCHEMADN_LDB = subobj.LDAPBACKEND; - message("LDAP module: %s on backend: %s\n", subobj.LDAPMODULE, subobj.LDAPBACKEND); -} - -if (!provision_validate(subobj, message)) { - return -1; -} - -var system_session = system_session(); -var creds = options.get_credentials(); -message("Provisioning for %s in realm %s\n", subobj.DOMAIN, subobj.REALM); -message("Using administrator password: %s\n", subobj.ADMINPASS); -if (partitions_only) { - provision_become_dc(subobj, message, false, paths, system_session); -} else { - provision(subobj, message, blank, paths, system_session, creds, ldapbackend); - provision_dns(subobj, message, paths, system_session, creds); - message("To reproduce this provision, run with:\n"); -/* There has to be a better way than this... */ - message("--realm='%s' --domain='%s' \\\n", subobj.REALM_CONF, subobj.DOMAIN_CONF); - if (subobj.DOMAINGUID != undefined) { - message("--domain-guid='%s' \\\n", subobj.DOMAINGUID); - } - if (subobj.HOSTGUID != undefined) { - message("--host-guid='%s' \\\n", subobj.HOSTGUID); - } - message("--policy-guid='%s' --host-name='%s' --host-ip='%s' \\\n", subobj.POLICYGUID, subobj.HOSTNAME, subobj.HOSTIP); - if (subobj.INVOCATIONID != undefined) { - message("--invocationid='%s' \\\n", subobj.INVOCATIONID); - } - message("--adminpass='%s' --krbtgtpass='%s' \\\n", subobj.ADMINPASS, subobj.KRBTGTPASS); - message("--machinepass='%s' --dnspass='%s' \\\n", subobj.MACHINEPASS, subobj.DNSPASS); - message("--root='%s' --nobody='%s' --nogroup='%s' \\\n", subobj.ROOT, subobj.NOBODY, subobj.NOGROUP); - message("--wheel='%s' --users='%s' --server-role='%s' \\\n", subobj.WHEEL, subobj.USERS, subobj.SERVERROLE); - if (ldapbackend) { - message("--ldap-backend='%s' \\\n", subobj.LDAPBACKEND); - } - if (ldapbackendtype != undefined) { - message("--ldap-backend-type='%s' \\\n", + ldapbackendtype); - } - message("--aci='" + subobj.ACI + "' \\\n") -} - - -message("All OK\n"); -return 0; diff --git a/source4/setup/provision_basedn.ldif b/source4/setup/provision_basedn.ldif index 11eb0593e8..7fdecfa3c0 100644 --- a/source4/setup/provision_basedn.ldif +++ b/source4/setup/provision_basedn.ldif @@ -3,7 +3,6 @@ ################################ dn: ${DOMAINDN} objectClass: top -objectClass: domain -objectClass: domainDNS +objectClass: ${DOMAIN_OC} ${ACI} diff --git a/source4/setup/schema-map-openldap-2.3 b/source4/setup/schema-map-openldap-2.3 index 0bce95afba..3f07a9d50f 100644 --- a/source4/setup/schema-map-openldap-2.3 +++ b/source4/setup/schema-map-openldap-2.3 @@ -11,6 +11,7 @@ distinguishedName description cn top +#The memberOf plugin provides this attribute memberOf #This shouldn't make it to the ldap server sambaPassword diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif index 8bd1705468..7146091c8e 100644 --- a/source4/setup/schema_samba4.ldif +++ b/source4/setup/schema_samba4.ldif @@ -194,3 +194,41 @@ attributeID: 1.3.6.1.4.1.7165.4.1.11 attributeSyntax: 2.5.5.4 oMSyntax: 20 +# +# Based on domainDNS, but without the DNS bits. +# + +dn: CN=Samba4-Local-Domain,${SCHEMADN} +objectClass: top +objectClass: classSchema +subClassOf: top +governsID: 1.3.6.1.4.1.7165.4.2.2 +possibleInferiors: group +possibleInferiors: lostAndFound +possibleInferiors: builtinDomain +possibleInferiors: computer +possibleInferiors: user +possibleInferiors: container +possibleInferiors: groupPolicyContainer +possibleInferiors: organization +possibleInferiors: domainDNS +possibleInferiors: locality +possibleInferiors: msDS-AzAdminManager +possibleInferiors: country +possibleInferiors: organizationalUnit +rDNAttID: cn +showInAdvancedViewOnly: TRUE +adminDisplayName: Samba4-Local-Domain +adminDescription: Samba4-Local-Domain +systemMayContain: msDS-Behavior-Version +systemMayContain: managedBy +objectClassCategory: 1 +lDAPDisplayName: samba4LocalDomain +schemaIDGUID: 07be1647-8310-4fba-91ae-34e55d5a8293 +systemOnly: FALSE +systemAuxiliaryClass: samDomainBase +defaultSecurityDescriptor: D:(A;;RPLCLORC;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU) +systemFlags: 16 +defaultHidingValue: TRUE +defaultObjectCategory: CN=Builtin-Domain,${SCHEMADN} + diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf index 83f4da3359..cdf9ff79a9 100644 --- a/source4/setup/slapd.conf +++ b/source4/setup/slapd.conf @@ -21,7 +21,7 @@ include ${LDAPDIR}/modules.conf defaultsearchbase ${DOMAINDN} -include ${LDAPDIR}/memberof.conf +${MEMBEROF_CONFIG} database hdb suffix ${SCHEMADN} @@ -62,8 +62,6 @@ syncprov-sessionlog 100 database hdb suffix ${DOMAINDN} -rootdn ${LDAPMANAGERDN} -rootpw ${LDAPMANAGERPASS} directory ${LDAPDIR}/db/user index objectClass eq index samAccountName eq @@ -82,8 +80,12 @@ index dnsRoot eq index nETBIOSName eq index cn eq +rootdn ${LDAPMANAGERDN} +rootpw ${LDAPMANAGERPASS} + #syncprov is stable in OpenLDAP 2.3, and available in 2.2. #We only need this for the contextCSN attribute anyway.... overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 + diff --git a/source4/setup/tests/blackbox_provision.sh b/source4/setup/tests/blackbox_provision.sh index 83c045e40d..75d4fcfcb4 100755 --- a/source4/setup/tests/blackbox_provision.sh +++ b/source4/setup/tests/blackbox_provision.sh @@ -28,7 +28,7 @@ testit() { } testit "simple-default" $PYTHON ./setup/provision $CONFIGURATION --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-default -testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-dc +testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc testit "simple-member" $PYTHON ./setup/provision $CONFIGURATION --server-role="member" --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-member testit "simple-standalone" $PYTHON ./setup/provision $CONFIGURATION --server-role="standalone" --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-standalone |