diff options
Diffstat (limited to 'source4/setup')
| -rwxr-xr-x[-rw-r--r--] | source4/setup/enableaccount | 8 | ||||
| -rw-r--r-- | source4/setup/idmap_init.ldif | 5 | ||||
| -rw-r--r-- | source4/setup/krb5.conf | 17 | ||||
| -rw-r--r-- | source4/setup/named.conf | 121 | ||||
| -rwxr-xr-x | source4/setup/newuser | 18 | ||||
| -rwxr-xr-x | source4/setup/provision | 9 | ||||
| -rwxr-xr-x | source4/setup/provision-backend | 24 | ||||
| -rw-r--r-- | source4/setup/provision-backend.js | 188 | ||||
| -rw-r--r-- | source4/setup/provision.ldif | 4 | ||||
| -rw-r--r-- | source4/setup/provision_basedn_modify.ldif | 4 | ||||
| -rw-r--r-- | source4/setup/provision_configuration.ldif | 2 | ||||
| -rw-r--r-- | source4/setup/provision_rootdse_add.ldif | 5 | ||||
| -rw-r--r-- | source4/setup/provision_schema_basedn_modify.ldif | 2 | ||||
| -rw-r--r-- | source4/setup/provision_self_join.ldif | 4 | ||||
| -rw-r--r-- | source4/setup/secrets_dc.ldif | 1 | ||||
| -rw-r--r-- | source4/setup/setpassword | 15 | ||||
| -rwxr-xr-x | source4/setup/tests/blackbox_newuser.sh | 21 | ||||
| -rwxr-xr-x | source4/setup/tests/blackbox_provision.sh | 18 | ||||
| -rwxr-xr-x | source4/setup/tests/blackbox_setpassword.sh | 22 | ||||
| -rwxr-xr-x | source4/setup/upgrade (renamed from source4/setup/upgrade.py) | 8 | ||||
| -rwxr-xr-x | source4/setup/vampire.py | 53 |
21 files changed, 220 insertions, 329 deletions
diff --git a/source4/setup/enableaccount b/source4/setup/enableaccount index 849b515675..061997b804 100644..100755 --- a/source4/setup/enableaccount +++ b/source4/setup/enableaccount @@ -5,17 +5,19 @@ # Copyright Jelmer Vernooij 2008 # Released under the GNU GPL version 3 or later # +import os, sys + +sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python")) import samba.getopt as options import optparse import pwd -import sys import ldb -from auth import system_session +from samba.auth import system_session from samba.samdb import SamDB -parser = optparse.OptionParser("setpassword [username] [options]") +parser = optparse.OptionParser("enableaccount [username] [options]") sambaopts = options.SambaOptions(parser) parser.add_option_group(sambaopts) parser.add_option_group(options.VersionOptions(parser)) diff --git a/source4/setup/idmap_init.ldif b/source4/setup/idmap_init.ldif index a397cfd0d2..43e5b65562 100644 --- a/source4/setup/idmap_init.ldif +++ b/source4/setup/idmap_init.ldif @@ -1,5 +1,4 @@ dn: CN=CONFIG cn: CONFIG -lowerBound: 10000 -upperBound: 20000 - +lowerBound: 3000000 +upperBound: 4000000 diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf new file mode 100644 index 0000000000..7dad63de73 --- /dev/null +++ b/source4/setup/krb5.conf @@ -0,0 +1,17 @@ +[libdefaults] + default_realm = ${REALM} + dns_lookup_realm = false + dns_lookup_kdc = false + ticket_lifetime = 24h + forwardable = yes + +[realms] + ${REALM} = { + kdc = ${HOSTNAME}.${DNSDOMAIN}:88 + admin_server = ${HOSTNAME}.${DNSDOMAIN}:749 + default_domain = ${DNSDOMAIN} + } + +[domain_realm] + .${DNSDOMAIN} = ${REALM} + ${DNSDOMAIN} = ${REALM} diff --git a/source4/setup/named.conf b/source4/setup/named.conf index 025788093e..4f98bbd914 100644 --- a/source4/setup/named.conf +++ b/source4/setup/named.conf @@ -3,35 +3,102 @@ # the BIND nameserver. # -# If you have a very recent BIND, supporting GSS-TSIG, -# insert this into options {} (otherwise omit, it is not required if we don't accept updates) -tkey-gssapi-credential "DNS/${DNSDOMAIN}"; -tkey-domain "${REALM}"; - -# You should always include the actual zone configuration reference: +# You should always include the actual forward zone configuration: zone "${DNSDOMAIN}." IN { - type master; - file "${DNSDOMAIN}.zone"; + type master; + file "${DNSDOMAIN}.zone"; update-policy { - /* use ANY only for Domain controllers for now */ - /* for normal machines A AAAA PTR is probbaly all is needed */ - grant ${HOSTNAME}.${DNSDOMAIN}@${REALM} name ${HOSTNAME}.${DNSDOMAIN} ANY; + /* + * A rather long description here, as the "ms-self" option does + * not appear in any docs yet (it can only be found in the + * source code). + * + * The short of it is that each host is allowed to update its + * own A and AAAA records, when the update request is properly + * signed by the host itself. + * + * The long description is (look at the + * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and + * its definition in lib/dns/gssapictx.c for details): + * + * A GSS-TSIG update request will be signed by a given signer + * (e.g. machine-name$@${REALM}). The signer name is split into + * the machine component (e.g. "machine-name") and the realm + * component (e.g. "${REALM}"). The update is allowed if the + * following conditions are met: + * + * 1) The machine component of the signer name matches the first + * (host) component of the FQDN that is being updated. + * + * 2) The realm component of the signer name matches the realm + * in the grant statement below (${REALM}). + * + * 3) The domain component of the FQDN that is being updated + * matches the realm in the grant statement below. + * + * If the 3 conditions above are satisfied, the update succeeds. + */ + grant ${REALM} ms-self * A AAAA; }; }; -# Also, you need to change your init scripts to set this environment variable -# for named: KRB5_KTNAME so that it points to the keytab generated. -# In RedHat derived systems such RHEL/CentOS/Fedora you can add the following -# line to the /etc/sysconfig/named file: -# export KRB5_KTNAME=${DNS_KEYTAB_ABS} -# -# Please note that most distributions have BIND configured to run under -# a non-root user account. For example, Fedora Core 6 (FC6) runs BIND as -# the user "named" once the daemon relinquishes its rights. Therefore, -# the file "${DNS_KEYTAB}" must be readable by the user that BIND run as. -# If BIND is running as a non-root user, the "${DNS_KEYTAB}" file must have its -# permissions altered to allow the daemon to read it. In the FC6 -# example, execute the commands: -# -# chgrp named ${DNS_KEYTAB_ABS} -# chmod g+r ${DNS_KEYTAB_ABS} +# The reverse zone configuration is optional. The following example assumes a +# subnet of 192.168.123.0/24: +zone "123.168.192.in-addr.arpa" in { + type master; + file "123.168.192.in-addr.arpa.zone"; + update-policy { + grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR; + }; +}; +# Note that the reverse zone file is not created during the provision process. + +# The most recent BIND version (9.5.0a5 or later) supports secure GSS-TSIG +# updates. If you are running an earlier version of BIND, or if you do not wish +# to use secure GSS-TSIG updates, you may remove the update-policy sections in +# both examples above. + +# If you are running a capable version of BIND and you wish to support secure +# GSS-TSIG updates, you must make the following configuration changes: + +# - Insert the following lines into the options {} section of your named.conf +# file: +tkey-gssapi-credential "DNS/${DNSDOMAIN}"; +tkey-domain "${REALM}"; + +# - Modify BIND init scripts to pass the location of the generated keytab file. +# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named +# for this purpose: +KEYTAB_FILE="${DNS_KEYTAB_ABS}" +# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a +# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If +# your distribution does not provide a variable like KEYTAB_FILE to pass a +# keytab file to the BIND daemon, a workaround is to place the following line in +# BIND's sysconfig file or in the init script for BIND: +export KRB5_KTNAME="${DNS_KEYTAB_ABS}" + +# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file. Note +# that most distributions have BIND configured to run under a non-root user +# account. For example, Fedora 9 runs BIND as the user "named" once the daemon +# relinquishes its rights. Therefore, the file ${DNS_KEYTAB} must be readable +# by the user that BIND run as. If BIND is running as a non-root user, the +# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to +# read it. Under Fedora 9, execute the following commands: +chgrp named ${DNS_KEYTAB_ABS} +chmod g+r ${DNS_KEYTAB_ABS} + +# - Ensure the BIND zone file(s) that will be dynamically updated are in a +# directory where the BIND daemon can write. When BIND performs dynamic +# updates, it not only needs to update the zone file itself but it must also +# create a journal (.jnl) file to track the dynamic updates as they occur. +# Under Fedora 9, the /var/named directory can not be written to by the "named" +# user. However, the directory /var/named/dynamic directory does provide write +# access. Therefore the zone files were placed under the /var/named/dynamic +# directory. The file directives in both example zone statements at the +# beginning of this file were changed by prepending the directory "dynamic/". + +# - If SELinux is enabled, ensure that all files have the appropriate SELinux +# file contexts. The ${DNS_KEYTAB} file must be accessible by the BIND daemon +# and should have a SELinux type of named_conf_t. This can be set with the +# following command: +chcon -t named_conf_t ${DNS_KEYTAB_ABS} diff --git a/source4/setup/newuser b/source4/setup/newuser index f622058a5d..991afa36d8 100755 --- a/source4/setup/newuser +++ b/source4/setup/newuser @@ -6,12 +6,16 @@ # Released under the GNU GPL version 3 or later # +import sys + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + import samba.getopt as options import optparse import pwd -import sys from getpass import getpass -from auth import system_session +from samba.auth import system_session from samba.samdb import SamDB parser = optparse.OptionParser("newuser [options] <username> [<password>]") @@ -45,15 +49,9 @@ else: if opts.unixname is None: opts.unixname = username -try: - pwd.getpwnam(opts.unixname) -except KeyError: - print "ERROR: Unix user '%s' does not exist" % opts.unixname - sys.exit(1) - -creds = credopts.get_credentials() - lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), credentials=creds, lp=lp) samdb.newuser(username, opts.unixname, password) diff --git a/source4/setup/provision b/source4/setup/provision index 259bd814a4..c1d6cd157a 100755 --- a/source4/setup/provision +++ b/source4/setup/provision @@ -26,15 +26,20 @@ import getopt import optparse import os, sys +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + import samba -import param -from auth import system_session +from samba.auth import system_session import samba.getopt as options +from samba import param from samba.provision import (provision, FILL_FULL, FILL_NT4SYNC, FILL_DRS) +# how do we make this case insensitive?? + parser = optparse.OptionParser("provision [options]") sambaopts = options.SambaOptions(parser) parser.add_option_group(sambaopts) diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend index ada6dcef8d..54dc5839bf 100755 --- a/source4/setup/provision-backend +++ b/source4/setup/provision-backend @@ -22,14 +22,17 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # +import os, sys + +sys.path.insert(0, "bin/python") + import getopt import optparse -import os, sys import samba -import param +from samba import param -from auth import system_session +from samba.auth import system_session import samba.getopt as options from samba.provision import (provision_backend) @@ -54,6 +57,8 @@ parser.add_option("--quiet", help="Be quiet", action="store_true") parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE", help="LDB mapping module to use for the LDAP backend", choices=["fedora-ds", "openldap"]) +parser.add_option("--ldap-backend-port", type="int", metavar="PORT", + help="TCP Port LDAP server should listen to (default ldapi only)") parser.add_option("--server-role", type="choice", metavar="ROLE", choices=["domain controller", "dc", "member server", "member", "standalone"], help="Set server role to provision for (default standalone)") @@ -89,10 +94,9 @@ if setup_dir is None: setup_dir = "setup" provision_backend(setup_dir=setup_dir, message=message, smbconf=smbconf, targetdir=opts.targetdir, - realm=opts.realm, domain=opts.domain, - hostname=opts.host_name, - adminpass=opts.ldap_manager_pass, - root=opts.root, serverrole=server_role, - ldap_backend_type=opts.ldap_backend_type) - -message("All OK") + realm=opts.realm, domain=opts.domain, + hostname=opts.host_name, + adminpass=opts.ldap_manager_pass, + root=opts.root, serverrole=server_role, + ldap_backend_type=opts.ldap_backend_type, + ldap_backend_port=opts.ldap_backend_port) diff --git a/source4/setup/provision-backend.js b/source4/setup/provision-backend.js deleted file mode 100644 index 9482d8c435..0000000000 --- a/source4/setup/provision-backend.js +++ /dev/null @@ -1,188 +0,0 @@ -#!/bin/sh -exec smbscript "$0" ${1+"$@"} -/* - provision a Samba4 server - Copyright Andrew Tridgell 2005 - Released under the GNU GPL version 3 or later -*/ - -options = GetOptions(ARGV, - "POPT_AUTOHELP", - "POPT_COMMON_SAMBA", - "POPT_COMMON_VERSION", - "POPT_COMMON_CREDENTIALS", - 'realm=s', - 'host-name=s', - 'ldap-manager-pass=s', - 'root=s', - 'quiet', - 'ldap-backend-type=s', - 'ldap-backend-port=i'); - -if (options == undefined) { - println("Failed to parse options"); - return -1; -} - -sys = sys_init(); - -libinclude("base.js"); -libinclude("provision.js"); - -/* - print a message if quiet is not set -*/ -function message() -{ - if (options["quiet"] == undefined) { - print(vsprintf(arguments)); - } -} - -/* - show some help -*/ -function ShowHelp() -{ - print(" -Samba4 provisioning - -provision [options] - --realm REALM set realm - --host-name HOSTNAME set hostname - --ldap-manager-pass PASSWORD choose LDAP Manager password (otherwise random) - --root USERNAME choose 'root' unix username - --quiet Be quiet - --ldap-backend-type LDAPSERVER Select either \"openldap\" or \"fedora-ds\" as a target to configure - --ldap-backend-port PORT Select the TCP port (if any) that the LDAP backend should listen on (Fedora DS only) -You must provide at least a realm and ldap-backend-type - -"); - exit(1); -} - -if (options['host-name'] == undefined) { - options['host-name'] = hostname(); -} - -/* - main program -*/ -if (options["realm"] == undefined || - options["ldap-backend-type"] == undefined || - options["host-name"] == undefined) { - ShowHelp(); -} - -/* cope with an initially blank smb.conf */ -var lp = loadparm_init(); -lp.set("realm", options.realm); -lp.reload(); - -var subobj = provision_guess(); -for (r in options) { - var key = strupper(join("", split("-", r))); - subobj[key] = options[r]; -} - - - -var paths = provision_default_paths(subobj); -provision_fix_subobj(subobj, paths); -message("Provisioning LDAP backend for %s in realm %s into %s\n", subobj.HOSTNAME, subobj.REALM, subobj.LDAPDIR); -message("Using %s password: %s\n", subobj.LDAPMANAGERDN, subobj.LDAPMANAGERPASS); -var tmp_schema_ldb = subobj.LDAPDIR + "/schema-tmp.ldb"; -sys.mkdir(subobj.LDAPDIR, 0700); - -provision_schema(subobj, message, tmp_schema_ldb, paths); - -var mapping; -var backend_schema; -var slapd_command; -if (options["ldap-backend-type"] == "fedora-ds") { - mapping = "schema-map-fedora-ds-1.0"; - backend_schema = "99_ad.ldif"; - if (options["ldap-backend-port"] != undefined) { - message("Will listen on TCP port " + options["ldap-backend-port"] + "\n"); - subobj.SERVERPORT="ServerPort = " + options["ldap-backend-port"]; - } else { - message("Will listen on LDAPI only\n"); - subobj.SERVERPORT=""; - } - setup_file("fedorads.inf", message, subobj.LDAPDIR + "/fedorads.inf", subobj); - setup_file("fedorads-partitions.ldif", message, subobj.LDAPDIR + "/fedorads-partitions.ldif", subobj); - - slapd_command = "(see documentation)"; -} else if (options["ldap-backend-type"] == "openldap") { - mapping = "schema-map-openldap-2.3"; - backend_schema = "backend-schema.schema"; - setup_file("slapd.conf", message, subobj.LDAPDIR + "/slapd.conf", subobj); - setup_file("modules.conf", message, subobj.LDAPDIR + "/modules.conf", subobj); - sys.mkdir(subobj.LDAPDIR + "/db", 0700); - subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/user"; - sys.mkdir(subobj.LDAPDBDIR, 0700); - sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700); - sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700); - setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj); - subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/config"; - sys.mkdir(subobj.LDAPDBDIR, 0700); - sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700); - sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700); - setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj); - subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/schema"; - sys.mkdir(subobj.LDAPDBDIR, 0700); - sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700); - sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700); - setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj); - if (options["ldap-backend-port"] != undefined) { - message("\nStart slapd with: \n"); - slapd_command = "slapd -f " + subobj.LDAPDIR + "/slapd.conf -h \"ldap://0.0.0.0:" + options["ldap-backend-port"] + " " + subobj.LDAPI_URI "\""; - } else { - slapd_command = "slapd -f " + subobj.LDAPDIR + "/slapd.conf -h " + subobj.LDAPI_URI; - } - - var ldb = ldb_init(); - ldb.filename = tmp_schema_ldb; - - var connect_ok = ldb.connect(ldb.filename); - assert(connect_ok); - var attrs = new Array("linkID", "lDAPDisplayName"); - var res = ldb.search("(&(&(linkID=*)(!(linkID:1.2.840.113556.1.4.803:=1)))(objectclass=attributeSchema))", subobj.SCHEMADN, ldb.SCOPE_SUBTREE, attrs); - assert(res.error == 0); - var memberof_config = ""; - var refint_attributes = ""; - for (i=0; i < res.msgs.length; i++) { - var target = searchone(ldb, subobj.SCHEMADN, "(&(objectclass=attributeSchema)(linkID=" + (res.msgs[i].linkID + 1) + "))", "lDAPDisplayName"); - if (target != undefined) { - refint_attributes = refint_attributes + " " + target + " " + res.msgs[i].lDAPDisplayName; - memberof_config = memberof_config + "overlay memberof -memberof-dangling error -memberof-refint TRUE -memberof-group-oc top -memberof-member-ad " + res.msgs[i].lDAPDisplayName + " -memberof-memberof-ad " + target + " -memberof-dangling-error 32 - -"; - } - } - - memberof_config = memberof_config + " -overlay refint -refint_attributes" + refint_attributes + " -"; - - ok = sys.file_save(subobj.LDAPDIR + "/memberof.conf", memberof_config); - if (!ok) { - message("failed to create file: " + f + "\n"); - assert(ok); - } - -} -var schema_command = "ad2oLschema --option=convert:target=" + options["ldap-backend-type"] + " -I " + lp.get("setup directory") + "/" + mapping + " -H tdb://" + tmp_schema_ldb + " -O " + subobj.LDAPDIR + "/" + backend_schema; - -message("\nCreate a suitable schema file with:\n%s\n", schema_command); -message("\nStart slapd with: \n%s\n", slapd_command); - -message("All OK\n"); -return 0; diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index 37b6bdaa60..2f734e83b2 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif @@ -30,7 +30,7 @@ objectclass: rIDManager cn: RID Manager$ systemFlags: 2348810240 isCriticalSystemObject: TRUE -fSMORoleOwner: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} +fSMORoleOwner: CN=NTDS Settings,${SERVERDN} rIDAvailablePool: 4611686014132423217 dn: CN=DomainUpdates,CN=System,${DOMAINDN} @@ -50,7 +50,7 @@ objectclass: infrastructureUpdate cn: Infrastructure systemFlags: 2348810240 isCriticalSystemObject: TRUE -fSMORoleOwner: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} +fSMORoleOwner: CN=NTDS Settings,${SERVERDN} dn: CN=Builtin,${DOMAINDN} objectClass: top diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif index dadfda720e..63332e937b 100644 --- a/source4/setup/provision_basedn_modify.ldif +++ b/source4/setup/provision_basedn_modify.ldif @@ -65,7 +65,7 @@ replace: objectCategory objectCategory: CN=Domain-DNS,${SCHEMADN} - replace: fSMORoleOwner -fSMORoleOwner: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} +fSMORoleOwner: CN=NTDS Settings,${SERVERDN} - replace: isCriticalSystemObject isCriticalSystemObject: TRUE @@ -75,6 +75,6 @@ subRefs: ${CONFIGDN} subRefs: ${SCHEMADN} - replace: gPLink -gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};2] +gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};0] - ${DOMAINGUID_MOD} diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index 0fe90b0739..2a7357d7ad 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif @@ -7,7 +7,7 @@ objectClass: crossRefContainer cn: Partitions systemFlags: 2147483648 msDS-Behavior-Version: 0 -fSMORoleOwner: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} +fSMORoleOwner: CN=NTDS Settings,${SERVERDN} dn: CN=Enterprise Configuration,CN=Partitions,${CONFIGDN} objectClass: top diff --git a/source4/setup/provision_rootdse_add.ldif b/source4/setup/provision_rootdse_add.ldif index 9f19796ec6..14e0d71df6 100644 --- a/source4/setup/provision_rootdse_add.ldif +++ b/source4/setup/provision_rootdse_add.ldif @@ -1,7 +1,7 @@ # the rootDSE module looks in this record for its base data dn: @ROOTDSE subschemaSubentry: CN=Aggregate,${SCHEMADN} -dsServiceName: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} +dsServiceName: CN=NTDS Settings,${SERVERDN} defaultNamingContext: ${DOMAINDN} rootDomainNamingContext: ${ROOTDN} configurationNamingContext: ${CONFIGDN} @@ -9,10 +9,9 @@ schemaNamingContext: ${SCHEMADN} supportedLDAPVersion: 3 dnsHostName: ${DNSNAME} ldapServiceName: ${DNSDOMAIN}:${NETBIOSNAME}$@${REALM} -serverName: CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} +serverName: ${SERVERDN} domainFunctionality: 0 forestFunctionality: 0 domainControllerFunctionality: 2 isSynchronized: FALSE vendorName: Samba Team (http://samba.org) -vendorVersion: ${VERSION} diff --git a/source4/setup/provision_schema_basedn_modify.ldif b/source4/setup/provision_schema_basedn_modify.ldif index 4e690376d7..4e8267a303 100644 --- a/source4/setup/provision_schema_basedn_modify.ldif +++ b/source4/setup/provision_schema_basedn_modify.ldif @@ -4,7 +4,7 @@ dn: ${SCHEMADN} changetype: modify replace: fSMORoleOwner -fSMORoleOwner: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} +fSMORoleOwner: CN=NTDS Settings,${SERVERDN} - replace: objectVersion objectVersion: 30 diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif index a0cfa7eb23..c91e2f4c19 100644 --- a/source4/setup/provision_self_join.ldif +++ b/source4/setup/provision_self_join.ldif @@ -36,7 +36,7 @@ isCriticalSystemObject: TRUE sambaPassword:: ${DNSPASS_B64} showInAdvancedViewOnly: TRUE -dn: CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} +dn: ${SERVERDN} objectClass: top objectClass: server cn: ${NETBIOSNAME} @@ -44,7 +44,7 @@ systemFlags: 1375731712 dNSHostName: ${DNSNAME} serverReference: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN} -dn: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} +dn: CN=NTDS Settings,${SERVERDN} objectClass: top objectClass: applicationSettings objectClass: nTDSDSA diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif index 71c7fc2f5b..abc5860cf7 100644 --- a/source4/setup/secrets_dc.ldif +++ b/source4/setup/secrets_dc.ldif @@ -33,6 +33,7 @@ objectClass: secret objectClass: kerberosSecret realm: ${REALM} servicePrincipalName: DNS/${DNSDOMAIN} +msDS-KeyVersionNumber: 1 privateKeytab: ${DNS_KEYTAB} secret:: ${DNSPASS_B64} diff --git a/source4/setup/setpassword b/source4/setup/setpassword index 31b2f73a25..65770e1f4d 100644 --- a/source4/setup/setpassword +++ b/source4/setup/setpassword @@ -6,12 +6,17 @@ # Released under the GNU GPL version 3 or later # +import os, sys + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + import samba.getopt as options import optparse import pwd import sys from getpass import getpass -from auth import system_session +from samba.auth import system_session from samba.samdb import SamDB parser = optparse.OptionParser("setpassword [username] [options]") @@ -36,7 +41,7 @@ if len(args) == 0: parser.print_usage() sys.exit(1) -password = opts.password; +password = opts.newpassword; if password is None: password = getpass("New Password: ") @@ -47,12 +52,12 @@ if filter is None: if username is None: print "Either username or --filter must be specified" - filter = "(&(objectclass=user)(samAccountName=" + username + "))" + filter = "(&(objectclass=user)(samAccountName=%s))" % (username) -creds = credopts.get_credentials() - lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), credentials=creds, lp=lp) samdb.setpassword(filter, password) diff --git a/source4/setup/tests/blackbox_newuser.sh b/source4/setup/tests/blackbox_newuser.sh new file mode 100755 index 0000000000..fed5f7d263 --- /dev/null +++ b/source4/setup/tests/blackbox_newuser.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then +cat <<EOF +Usage: blackbox_newuser.sh PREFIX CONFIGURATION +EOF +exit 1; +fi + +PREFIX="$1" +CONFIGURATION="$2" +shift 2 + +. `dirname $0`/../../../testprogs/blackbox/subunit.sh + + +testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc + +testit "newuser" $PYTHON ./setup/newuser --configfile=$PREFIX/simple-dc/etc/smb.conf testuser testpass + +exit $failed diff --git a/source4/setup/tests/blackbox_provision.sh b/source4/setup/tests/blackbox_provision.sh index 75d4fcfcb4..2afa9dc952 100755 --- a/source4/setup/tests/blackbox_provision.sh +++ b/source4/setup/tests/blackbox_provision.sh @@ -11,26 +11,14 @@ PREFIX="$1" CONFIGURATION="$2" shift 2 -testit() { - name="$1" - shift - cmdline="$*" - echo "test: $name" - $cmdline - status=$? - if [ x$status = x0 ]; then - echo "success: $name" - else - echo "failure: $name" - failed=`expr $failed + 1` - fi - return $status -} +. `dirname $0`/../../../testprogs/blackbox/subunit.sh testit "simple-default" $PYTHON ./setup/provision $CONFIGURATION --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-default testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc testit "simple-member" $PYTHON ./setup/provision $CONFIGURATION --server-role="member" --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-member testit "simple-standalone" $PYTHON ./setup/provision $CONFIGURATION --server-role="standalone" --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-standalone +testit "blank-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/blank-dc --blank +testit "partitions-only-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/partitions-only-dc --partitions-only reprovision() { $PYTHON ./setup/provision $CONFIGURATION --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/reprovision" diff --git a/source4/setup/tests/blackbox_setpassword.sh b/source4/setup/tests/blackbox_setpassword.sh new file mode 100755 index 0000000000..725466150c --- /dev/null +++ b/source4/setup/tests/blackbox_setpassword.sh @@ -0,0 +1,22 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then +cat <<EOF +Usage: blackbox_setpassword.sh PREFIX CONFIGURATION +EOF +exit 1; +fi + +PREFIX="$1" +CONFIGURATION="$2" +shift 2 + +. `dirname $0`/../../../testprogs/blackbox/subunit.sh + +testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc + +testit "newuser" $PYTHON ./setup/newuser --configfile=$PREFIX/simple-dc/etc/smb.conf testuser testpass + +testit "setpassword" $PYTHON ./setup/setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testpass + +exit $failed diff --git a/source4/setup/upgrade.py b/source4/setup/upgrade index 3bcc57ab64..03c6747d4e 100755 --- a/source4/setup/upgrade.py +++ b/source4/setup/upgrade @@ -7,10 +7,14 @@ import getopt import optparse import os, sys -import param + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + import samba import samba.getopt as options -from auth import system_session +from samba import param +from samba.auth import system_session parser = optparse.OptionParser("upgrade [options] <libdir> <smbconf>") sambaopts = options.SambaOptions(parser) diff --git a/source4/setup/vampire.py b/source4/setup/vampire.py deleted file mode 100755 index 728c53146a..0000000000 --- a/source4/setup/vampire.py +++ /dev/null @@ -1,53 +0,0 @@ -#!/usr/bin/python - -# Unix SMB/CIFS implementation. -# Vampire a remote domain -# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# - -from net import libnet -import optparse -import samba.getopt as options -import param -from auth import system_session -import sys - -parser = optparse.OptionParser("vampire [options] <domain>") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) - -opts, args = parser.parse_args() - -if len(args) < 1: - parser.print_usage() - sys.exit(1) - -def vampire(domain, session_info, credentials, lp): - ctx = libnet(lp_ctx=lp) - ctx.cred = credentials - machine_creds = Credentials(); - machine_creds.set_domain(domain); - if not machine_creds.set_machine_account(): - raise Exception("Failed to access domain join information!") - ctx.samsync_ldb(vampire_ctx, machine_creds=machine_creds, - session_info=session_info) - -lp = sambaopts.get_loadparm() -vampire(args[0], session_info=system_session(), - credentials=credopts.get_credentials(), lp=lp) |