summaryrefslogtreecommitdiff
path: root/source4/setup
diff options
context:
space:
mode:
Diffstat (limited to 'source4/setup')
-rw-r--r--source4/setup/provision_dns_add.ldif10
-rw-r--r--source4/setup/secrets_dns.ldif5
-rw-r--r--source4/setup/secrets_self_join.ldif13
3 files changed, 10 insertions, 18 deletions
diff --git a/source4/setup/provision_dns_add.ldif b/source4/setup/provision_dns_add.ldif
index ac818a573d..a0a8187030 100644
--- a/source4/setup/provision_dns_add.ldif
+++ b/source4/setup/provision_dns_add.ldif
@@ -88,15 +88,19 @@ dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwDqAHg==
# NOTE: This account is SAMBA4 specific!
-dn: CN=dns,CN=Users,${DOMAINDN}
+# we have it to avoid the need for the bind daemon to
+# have access to the whole secrets.keytab for the domain,
+# otherwise bind could impersonate any user
+dn: CN=dns-${HOSTNAME},CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
-description: DNS Service Account
+description: DNS Service Account for ${HOSTNAME}
userAccountControl: 514
accountExpires: 9223372036854775807
-sAMAccountName: dns
+sAMAccountName: dns-${HOSTNAME}
+servicePrincipalName: DNS/${DNSNAME}
servicePrincipalName: DNS/${DNSDOMAIN}
userPassword:: ${DNSPASS_B64}
isCriticalSystemObject: TRUE
diff --git a/source4/setup/secrets_dns.ldif b/source4/setup/secrets_dns.ldif
index 840d1d6c43..641bce6382 100644
--- a/source4/setup/secrets_dns.ldif
+++ b/source4/setup/secrets_dns.ldif
@@ -1,11 +1,12 @@
#Update a keytab for the external DNS server to use
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+dn: samAccountName=dns-${HOSTNAME},CN=Principals
objectClass: top
objectClass: secret
objectClass: kerberosSecret
realm: ${REALM}
servicePrincipalName: DNS/${DNSDOMAIN}
+servicePrincipalName: DNS/${DNSNAME}
msDS-KeyVersionNumber: 1
privateKeytab: ${DNS_KEYTAB}
secret:: ${DNSPASS_B64}
-samAccountName: dns
+samAccountName: dns-${HOSTNAME}
diff --git a/source4/setup/secrets_self_join.ldif b/source4/setup/secrets_self_join.ldif
deleted file mode 100644
index 22be0cab0b..0000000000
--- a/source4/setup/secrets_self_join.ldif
+++ /dev/null
@@ -1,13 +0,0 @@
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER}
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-saltPrincipal: ${SALT_PRINCIPAL}