From b8444b64a32d698b01acce2a1307723cc69a472b Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Fri, 24 Sep 2010 23:25:49 -0700
Subject: s4-provision: switch to dns-HOSTNAME instead of dns
We now use a host specific account name for the DNS account, which is the account used for dynamic DNS updates. We also setup the servicePrincipalName for automatic update, and add both DNS/${DNSDOMAIN} and DNS/${DNSNAME} for compatibility with both the old and new SPNs
Pair-Programmed-With: Andrew Bartlett
---
 source4/scripting/python/samba/provision.py | 30 ++++++++++++++++++++++-------
 source4/setup/provision_dns_add.ldif | 10 +++++++---
 source4/setup/secrets_dns.ldif | 5 +++--
 source4/setup/secrets_self_join.ldif | 13 -------------
 4 files changed, 33 insertions(+), 25 deletions(-)
 delete mode 100644 source4/setup/secrets_self_join.ldif
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 7d8b08f54d..c1a35c9338 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -687,21 +687,26 @@ def secretsdb_self_join(secretsdb, domain,
 "priorChanged", "krb5Keytab", "privateKeytab"]
+
+ if realm is not None:
+ if dnsdomain is None:
+ dnsdomain = realm.lower()
+ dnsname = '%s.%s' % (netbiosname.lower(), dnsdomain.lower())
+ else:
+ dnsname = None
+ shortname = netbiosname.lower()
 #We don't need to set msg["flatname"] here, because rdn_name will handle it, and it causes problems for modifies anyway
 msg = ldb.Message(ldb.Dn(secretsdb, "flatname=%s,cn=Primary Domains" % domain))
 msg["secureChannelType"] = [str(secure_channel_type)]
 msg["objectClass"] = ["top", "primaryDomain"]
- if realm is not None:
- if dnsdomain is None:
- dnsdomain = realm.lower()
+ if dnsname is not None:
 msg["objectClass"] = ["top", "primaryDomain", "kerberosSecret"]
 msg["realm"] = [realm]
- msg["saltPrincipal"] = ["host/%s.%s@%s" % (netbiosname.lower(), dnsdomain.lower(), realm.upper())]
+ msg["saltPrincipal"] = ["host/%s@%s" % (dnsname, realm.upper())]
 msg["msDS-KeyVersionNumber"] = [str(key_version_number)]
 msg["privateKeytab"] = ["secrets.keytab"]
- msg["secret"] = [machinepass]
 msg["samAccountName"] = ["%s$" % netbiosname]
 msg["secureChannelType"] = [str(secure_channel_type)]
@@ -742,10 +747,17 @@ def secretsdb_self_join(secretsdb, domain,
 secretsdb.modify(msg)
 secretsdb.rename(res[0].dn, msg.dn)
 else:
+ spn = [ 'HOST/%s' % shortname ]
+ if secure_channel_type == SEC_CHAN_BDC and dnsname is not None:
+ # we are a domain controller then we add servicePrincipalName entries
+ # for the keytab code to update
+ spn.extend([ 'HOST/%s' % dnsname ])
+ msg["servicePrincipalName"] = spn
+
 secretsdb.add(msg)
-def secretsdb_setup_dns(secretsdb, setup_path, private_dir,
+def secretsdb_setup_dns(secretsdb, setup_path, names, private_dir,
 realm, dnsdomain, dns_keytab_path, dnspass):
 """Add DNS specific bits to a secrets database.
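Review bot: The `msg["secret"] = [machinepass]` assignment is removed from the kerberosSecret branch without a replacement visible in this hunk; presumably `secret` is still set unconditionally further down in secretsdb_self_join (the function continues outside the hunk), but if it is not, the entry written for a realm-joined DC no longer carries the machine password at all. Once confirmed, a one-line comment at the branch would stop the next reader from asking the same question, e.g. `# only the kerberos attributes live here; secret is set unconditionally below`. The new `dnsname`/`shortname` locals are computed before `msg` is built but are not mentioned in the function's docstring, which is outside the hunk; a sentence saying that `dnsname` is `netbiosname.dnsdomain` in lower case and `None` when no realm is given would help.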
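Review bot: `servicePrincipalName` is only populated on the `else:` (add) path; when an existing Primary Domains entry is found and the code takes the `secretsdb.modify(msg)` / `secretsdb.rename(...)` path above, `msg` carries no SPNs, so re-running provision over an existing secrets.ldb leaves that entry without the `HOST/...` SPNs the keytab code is meant to pick up. Since `spn` depends only on `shortname`, `dnsname` and `secure_channel_type`, building it before the if/else and assigning `msg["servicePrincipalName"] = spn` unconditionally would cover both paths, unless the modify path is deliberately meant to preserve whatever SPNs are already stored. The start of that if/else is outside the hunk, so I cannot see whether the modify path replaces or merges attributes. The comment in the branch reads oddly as written; `# on a domain controller also add the dns-name SPN for the keytab code to update` says the same thing more plainly.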
@@ -764,6 +776,8 @@ def secretsdb_setup_dns(secretsdb, setup_path, private_dir,
 "DNSDOMAIN": dnsdomain,
 "DNS_KEYTAB": dns_keytab_path,
 "DNSPASS_B64": b64encode(dnspass),
+ "HOSTNAME": names.hostname,
+ "DNSNAME" : '%s.%s' % (names.netbiosname.lower(), names.dnsdomain.lower())
 })
@@ -944,6 +958,8 @@ def setup_self_join(samdb, names,
 "DNSDOMAIN": names.dnsdomain,
 "DOMAINDN": names.domaindn,
 "DNSPASS_B64": b64encode(dnspass),
+ "HOSTNAME" : names.hostname,
+ "DNSNAME" : '%s.%s' % (names.netbiosname.lower(), names.dnsdomain.lower())
 })
 def getpolicypath(sysvolpath, dnsdomain, guid):
@@ -1583,7 +1599,7 @@ def provision(setup_dir, logger, session_info,
 if serverrole == "domain controller":
- secretsdb_setup_dns(secrets_ldb, setup_path,
+ secretsdb_setup_dns(secrets_ldb, setup_path, names,
 paths.private_dir, realm=names.realm, dnsdomain=names.dnsdomain, dns_keytab_path=paths.dns_keytab,
diff --git a/source4/setup/provision_dns_add.ldif b/source4/setup/provision_dns_add.ldif
index ac818a573d..a0a8187030 100644
--- a/source4/setup/provision_dns_add.ldif
+++ b/source4/setup/provision_dns_add.ldif
@@ -88,15 +88,19 @@ dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwDqAHg==
 # NOTE: This account is SAMBA4 specific!
-dn: CN=dns,CN=Users,${DOMAINDN}
+# we have it to avoid the need for the bind daemon to
+# have access to the whole secrets.keytab for the domain,
+# otherwise bind could impersonate any user
+dn: CN=dns-${HOSTNAME},CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: user
-description: DNS Service Account
+description: DNS Service Account for ${HOSTNAME}
 userAccountControl: 514
 accountExpires: 9223372036854775807
-sAMAccountName: dns
+sAMAccountName: dns-${HOSTNAME}
+servicePrincipalName: DNS/${DNSNAME}
 servicePrincipalName: DNS/${DNSDOMAIN}
 userPassword:: ${DNSPASS_B64}
 isCriticalSystemObject: TRUE
diff --git a/source4/setup/secrets_dns.ldif b/source4/setup/secrets_dns.ldif
index 840d1d6c43..641bce6382 100644
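Review bot: `DNSNAME` is derived from `names.dnsdomain` while `DNSDOMAIN` on the line above still comes from the separate `dnsdomain` parameter, so the two `DNS/...` SPNs written into secrets_dns.ldif can disagree if any caller passes a `dnsdomain` that differs from `names.dnsdomain`; using `'%s.%s' % (names.netbiosname.lower(), dnsdomain.lower())` keeps both values on the same source, or the now-redundant `realm`/`dnsdomain` parameters could be dropped in favour of `names`. The same `netbiosname.lower()` + `dnsdomain.lower()` expression now exists here, in the setup_self_join hunk below and in secretsdb_self_join above, so a single helper (or a `dnsname` attribute on the names object, which I cannot see here) would stop the three copies drifting apart. As a point of style, `"DNSNAME" :` is spaced differently from `"HOSTNAME":` on the line immediately above.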
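Review bot: `sAMAccountName: dns-${HOSTNAME}` is filled from names.hostname in the provision code, while the `DNS/${DNSNAME}` SPN two lines below is built from netbiosname.lower(); if hostname and netbiosname can ever be set independently at provision time (guess_names is not visible here), the account name and the host part of its own SPN would name different machines. Windows tooling treats user logon names longer than 20 characters as invalid, and the `dns-` prefix leaves 16 for the hostname, so a short comment in the template such as `# sAMAccountName must stay within 20 characters: dns- plus a hostname of at most 16` (or a length check where HOSTNAME is substituted) would make the constraint explicit rather than discovered at add time. The added explanation of why the account exists is a useful addition and worth keeping next to the dn.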
--- a/source4/setup/secrets_dns.ldif
+++ b/source4/setup/secrets_dns.ldif
@@ -1,11 +1,12 @@
 #Update a keytab for the external DNS server to use
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+dn: samAccountName=dns-${HOSTNAME},CN=Principals
 objectClass: top
 objectClass: secret
 objectClass: kerberosSecret
 realm: ${REALM}
 servicePrincipalName: DNS/${DNSDOMAIN}
+servicePrincipalName: DNS/${DNSNAME}
 msDS-KeyVersionNumber: 1
 privateKeytab: ${DNS_KEYTAB}
 secret:: ${DNSPASS_B64}
-samAccountName: dns
+samAccountName: dns-${HOSTNAME}
diff --git a/source4/setup/secrets_self_join.ldif b/source4/setup/secrets_self_join.ldif
deleted file mode 100644
index 22be0cab0b..0000000000
--- a/source4/setup/secrets_self_join.ldif
+++ /dev/null
@@ -1,13 +0,0 @@
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER}
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-saltPrincipal: ${SALT_PRINCIPAL}
-- cgit
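Review bot: Moving the entry from `dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals` to `dn: samAccountName=dns-${HOSTNAME},CN=Principals` means a secrets.ldb provisioned with the old template keeps its old record when this one is applied, and both records would then carry `servicePrincipalName: DNS/${DNSDOMAIN}` with different secrets and key version numbers; any consumer that looks the principal up by SPN (not visible in this commit) could keep matching the stale one. Either a migration step that removes the old DN, or at least a line in the leading comment such as `# installs provisioned before dns-HOSTNAME used dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals; remove that record on upgrade`, would make the upgrade path explicit. The file carries no hint that `msDS-KeyVersionNumber: 1` must match the version in the AD account written by provision_dns_add.ldif; if that coupling is real, a comment naming it here is cheap.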