Diffstat (limited to 'source4/setup')
-rw-r--r-- | source4/setup/named.conf | 5 | ||||
-rwxr-xr-x | source4/setup/provision | 3 | ||||
-rw-r--r-- | source4/setup/provision.smb.conf.dc (renamed from source4/setup/provision.smb.conf) | 6 | ||||
-rw-r--r-- | source4/setup/provision.smb.conf.member | 5 | ||||
-rw-r--r-- | source4/setup/provision.smb.conf.standlone | 5 | ||||
-rw-r--r-- | source4/setup/provision_self_join.ldif | 18 | ||||
-rw-r--r-- | source4/setup/provision_users.ldif | 16 | ||||
-rw-r--r-- | source4/setup/secrets.ldif | 44 | ||||
-rw-r--r-- | source4/setup/secrets_dc.ldif | 44 |
9 files changed, 81 insertions, 65 deletions
diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index bb9f421db0..025788093e 100644
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@@ -3,11 +3,12 @@
 # the BIND nameserver.
 #
-#insert this into options {}
+# If you have a very recent BIND, supporting GSS-TSIG,
+# insert this into options {} (otherwise omit, it is not required if we don't accept updates)
 tkey-gssapi-credential "DNS/${DNSDOMAIN}";
 tkey-domain "${REALM}";
-#the zone file
+# You should always include the actual zone configuration reference:
 zone "${DNSDOMAIN}." IN {
 type master;
 file "${DNSDOMAIN}.zone";
diff --git a/source4/setup/provision b/source4/setup/provision
index f6b9cde188..b8f955dcf4 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -32,6 +32,7 @@ options = GetOptions(ARGV,
 'users=s',
 'quiet',
 'blank',
+'server-role=s',
 'partitions-only',
 'ldap-base',
 'ldap-backend=s',
@@ -84,6 +85,7 @@ provision [options]
 --users GROUPNAME choose 'users' group
 --quiet Be quiet
 --blank do not add users or groups, just the structure
+--server-role ROLE Set server role to provision for (default standalone)
 --partitions-only Configure Samba's partitions, but do not modify them (ie, join a BDC)
 --ldap-base output only an LDIF file, suitable for creating an LDAP baseDN
 --ldap-backend LDAPSERVER LDAP server to use for this provision
@@ -112,6 +114,7 @@ if (options["realm"] == undefined ||
 var lp = loadparm_init();
 lp.set("realm", options.realm);
 lp.set("workgroup", options.domain);
+lp.set("server role", options["server-role"]);
 lp.reload();
 var subobj = provision_guess();
diff --git a/source4/setup/provision.smb.conf b/source4/setup/provision.smb.conf.dc
index fe08d7e3be..5b8e141cbf 100644
--- a/source4/setup/provision.smb.conf
+++ b/source4/setup/provision.smb.conf.dc
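Review bot: The rewritten comment says the GSS-TSIG directives should be omitted on a BIND without that support, yet `tkey-gssapi-credential "DNS/${DNSDOMAIN}";` and `tkey-domain "${REALM}";` immediately below are still emitted active by the template, so a provision against an older BIND yields a named.conf that must be hand-edited before it loads. If the directives are meant to be opt-in, emit them commented out as `#tkey-gssapi-credential "DNS/${DNSDOMAIN}";` and `#tkey-domain "${REALM}";` and say so in the comment; otherwise reword the comment to tell the reader to delete the next two lines when GSS-TSIG is unavailable. The rest of the file lies outside the hunk.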
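Review bot: In the hunk at line 114, `lp.set("server role", options["server-role"]);` runs unconditionally, so when `--server-role` is not passed the value handed to loadparm is undefined, although the help text added in the hunk at line 85 promises a default of standalone. Unless GetOptions applies a default elsewhere in the script (not visible here), add `if (options["server-role"] == undefined) options["server-role"] = "standalone";` ahead of the `lp.set` call, and consider rejecting values that do not match a known role rather than passing them through. The help line would also be clearer if it listed the accepted values (the new template suffixes suggest dc, member and standalone, but confirm against the script). The option-parsing and configuration statements around each hunk continue outside it.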
@@ -1,8 +1,8 @@
 [globals]
 netbios name = ${HOSTNAME}
-workgroup = ${DOMAIN}
-realm = ${REALM}
-server role = domain controller
+workgroup = ${DOMAIN_CONF}
+realm = ${REALM_CONF}
+server role = ${SERVERROLE}
 [netlogon]
 path = ${NETLOGONPATH}
diff --git a/source4/setup/provision.smb.conf.member b/source4/setup/provision.smb.conf.member
new file mode 100644
index 0000000000..bc37d4f3d3
--- /dev/null
+++ b/source4/setup/provision.smb.conf.member
@@ -0,0 +1,5 @@
+[globals]
+netbios name = ${HOSTNAME}
+workgroup = ${DOMAIN_CONF}
+realm = ${REALM_CONF}
+server role = ${SERVERROLE}
diff --git a/source4/setup/provision.smb.conf.standlone b/source4/setup/provision.smb.conf.standlone
new file mode 100644
index 0000000000..bc37d4f3d3
--- /dev/null
+++ b/source4/setup/provision.smb.conf.standlone
@@ -0,0 +1,5 @@
+[globals]
+netbios name = ${HOSTNAME}
+workgroup = ${DOMAIN_CONF}
+realm = ${REALM_CONF}
+server role = ${SERVERROLE}
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index ff44a35f6d..dca7b7c93e 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -21,3 +21,21 @@ servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
 servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
 servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
 ${HOSTGUID_ADD}
+
+#Provide a account for DNS keytab export
+dn: CN=dns,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: dns
+description: DNS Service Account
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+accountExpires: 9223372036854775807
+sAMAccountName: dns
+sAMAccountType: 805306368
+servicePrincipalName: DNS/${DNSDOMAIN}
+isCriticalSystemObject: TRUE
+sambaPassword:: ${DNSPASS_B64}
+
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index f6fbb0bd52..030fe5d742 100644
--- a/source4/setup/provision_users.ldif
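Review bot: `server role = ${SERVERROLE}` replaces the literal `domain controller` in what is now specifically the DC variant of the template (provision.smb.conf.dc), so the template chosen and the role written into it can disagree: a .dc render with any other ${SERVERROLE} still ships the [netlogon] share and whatever follows it. If the role really is fixed per template, pinning `server role = domain controller` here (and the respective literal in the member and standalone files) removes that inconsistency; if the variable is intentional, a one-line comment above [globals] saying why the DC file does not hard-code its role would help the next reader. The [netlogon] section and the remainder of the template continue past the hunk.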
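Review bot: The new file is named `provision.smb.conf.standlone`, missing the "a" of "standalone" that the `--server-role` help text uses; if the script builds the template path from the role string (not visible in this diff) the standalone role will not find its template, and even if it does not, the name is a trap for the next maintainer — rename it to `provision.smb.conf.standalone`. This file and provision.smb.conf.member are also byte-identical (both index bc37d4f3d3), so one shared non-DC template would avoid maintaining two copies.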
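Review bot: The comment heading the dns entry, `#Provide a account for DNS keytab export`, has a grammar slip and does not say why the entry now lives in the self-join file rather than with the other accounts; suggest `# Provide an account for DNS keytab export (moved from provision_users.ldif so it is only created on the self-join path)`. The entry itself, including `userAccountControl: 514` and `sambaPassword:: ${DNSPASS_B64}`, is carried over verbatim from the removal in provision_users.ldif in the next hunk, so nothing beyond the relocation changes.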
+++ b/source4/setup/provision_users.ldif
@@ -205,22 +205,6 @@ servicePrincipalName: kadmin/changepw
 isCriticalSystemObject: TRUE
 sambaPassword:: ${KRBTGTPASS_B64}
-dn: CN=dns,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: dns
-description: DNS Service Account
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-accountExpires: 9223372036854775807
-sAMAccountName: dns
-sAMAccountType: 805306368
-servicePrincipalName: DNS/${DNSDOMAIN}
-isCriticalSystemObject: TRUE
-sambaPassword:: ${DNSPASS_B64}
-
 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
diff --git a/source4/setup/secrets.ldif b/source4/setup/secrets.ldif
index 80015b4b41..95cbe20e5f 100644
--- a/source4/setup/secrets.ldif
+++ b/source4/setup/secrets.ldif
@@ -8,47 +8,3 @@ objectClass: top
 objectClass: container
 cn: Primary Domains
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-msDS-KeyVersionNumber: 1
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-sAMAccountName: krbtgt
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-objectSid: ${DOMAINSID}
-servicePrincipalName: kadmin/changepw
-krb5Keytab: HDB:ldb:${SAM_LDB}:
-#The trailing : here is a HACK, but it matches the Heimdal format.
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-realm: ${REALM}
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-servicePrincipalName: DNS/${DNSDOMAIN}
-privateKeytab: ${DNS_KEYTAB}
-secret:: ${DNSPASS_B64}
-
diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif
new file mode 100644
index 0000000000..64469352bb
--- /dev/null
+++ b/source4/setup/secrets_dc.ldif
@@ -0,0 +1,44 @@
+dn: flatname=${DOMAIN},CN=Primary Domains
+objectClass: top
+objectClass: primaryDomain
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+secret:: ${MACHINEPASS_B64}
+secureChannelType: 6
+sAMAccountName: ${NETBIOSNAME}$
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+msDS-KeyVersionNumber: 1
+objectSid: ${DOMAINSID}
+privateKeytab: ${SECRETS_KEYTAB}
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+sAMAccountName: krbtgt
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+objectSid: ${DOMAINSID}
+servicePrincipalName: kadmin/changepw
+krb5Keytab: HDB:ldb:${SAM_LDB}:
+#The trailing : here is a HACK, but it matches the Heimdal format.
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+realm: ${REALM}
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+servicePrincipalName: DNS/${DNSDOMAIN}
+privateKeytab: ${DNS_KEYTAB}
+secret:: ${DNSPASS_B64}
+
|
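Review bot: secrets_dc.ldif begins directly with `dn: flatname=${DOMAIN},CN=Primary Domains` and later places two entries under `CN=Principals`, but the container entries those DNs hang off are not in this file — `cn: Primary Domains` stays in secrets.ldif per the previous hunk, and presumably the Principals container does too — so the new file can only be applied after secrets.ldif, and that load order is now an implicit contract between the two templates. A short header would make it explicit, e.g. `# DC-only secrets (machine account, krbtgt and DNS hooks); apply after secrets.ldif, which creates the containers these entries live under.` The two `# A hook from our credentials system into HDB, as we must be on a KDC` comments become accurate by construction once this file is used only for the DC role, which appears to be the motivation for the split.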