2025-08-03 04:22:09 +03:00 · 2008-05-21 14:34:43 +10:00
parent 3a29c33e82 25ea110c38
commit 40ff67e454
4 changed files with 135 additions and 35 deletions
--- a/howto.txt
+++ b/howto.txt
@ -27,7 +27,7 @@ There are 2 methods of doing this:
  method 1:  "rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ samba4"
-  method 2:  "git clone git://git.samba.org/samba.git samba4; cd samba4; git checkout v4-0-test; cd .."
+  method 2:  "git clone git://git.samba.org/samba.git samba4; cd samba4 && git checkout -b v4-0-test origin/v4-0-test; cd .."
 both methods will create a directory called "samba4" in the current
 directory. If you don't have rsync or git then install one of them. 
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@ -236,6 +236,7 @@ def provision_paths_from_lp(lp, dnsdomain):
    paths.secrets = os.path.join(paths.private_dir, lp.get("secrets database") or "secrets.ldb")
    paths.templates = os.path.join(paths.private_dir, "templates.ldb")
    paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone")
    paths.namedconf = os.path.join(paths.private_dir, "named.conf")
    paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
    paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
    paths.phpldapadminconfig = os.path.join(paths.private_dir, 
@ -1059,12 +1060,14 @@ def provision(setup_dir, message, session_info,
                                       scope=SCOPE_SUBTREE)
            assert isinstance(hostguid, str)
-            create_zone_file(paths.dns, setup_path, samdb, 
+            create_zone_file(paths.dns, paths.namedconf, setup_path, samdb, 
                             hostname=names.hostname, hostip=hostip,
                             hostip6=hostip6, dnsdomain=names.dnsdomain,
                             domaindn=names.domaindn, dnspass=dnspass, realm=names.realm, 
-                             domainguid=domainguid, hostguid=hostguid)
+                             domainguid=domainguid, hostguid=hostguid,
                             private_dir=paths.private_dir, keytab_name=paths.dns_keytab)
            message("Please install the zone located in %s into your DNS server" % paths.dns)
            message("See %s if you want to use secure GSS-TSIG updates" % paths.namedconf)
    create_phpldapadmin_config(paths.phpldapadminconfig, setup_path, 
                               ldapi_url)
@ -1281,12 +1284,18 @@ def create_phpldapadmin_config(path, setup_path, ldapi_uri):
            {"S4_LDAPI_URI": ldapi_uri})
-def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn, 
+def create_zone_file(path_zone, path_conf, setup_path, samdb, dnsdomain, domaindn, 
-                  hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid):
+                  hostip, hostip6, hostname, dnspass, realm, domainguid, hostguid,
                  private_dir, keytab_name):
    """Write out a DNS zone file, from the info in the current database.
    Also writes a file with stubs appropriate for a DNS configuration file
    (including GSS-TSIG configuration), and details as to some of the other
    configuration changes that may be necessary.
-    :param path: Path of the new file.
+    :param path_zone: Path of the new zone file.
-    :param setup_path": Setup path function.
+    :param path_conf: Path of the config stubs file.
    :param setup_path: Setup path function.
    :param samdb: SamDB object
    :param dnsdomain: DNS Domain name
    :param domaindn: DN of the Domain
@ -1307,7 +1316,7 @@ def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn,
        hostip6_base_line = "			IN AAAA	" + hostip6
        hostip6_host_line = hostname + "		IN AAAA	" + hostip6
-    setup_file(setup_path("provision.zone"), path, {
+    setup_file(setup_path("provision.zone"), path_zone, {
            "DNSPASS_B64": b64encode(dnspass),
            "HOSTNAME": hostname,
            "DNSDOMAIN": dnsdomain,
@ -1321,6 +1330,15 @@ def create_zone_file(path, setup_path, samdb, dnsdomain, domaindn,
            "HOSTIP6_HOST_LINE": hostip6_host_line,
        })
    setup_file(setup_path("named.conf"), path_conf, {
            "DNSDOMAIN": dnsdomain,
            "REALM": realm,
            "REALM_WC": "*." + ".".join(realm.split(".")[1:]),
            "HOSTNAME": hostname,
            "DNS_KEYTAB": keytab_name,
            "DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name),
        })
 def load_schema(setup_path, samdb, schemadn, netbiosname, configdn, sitename):
    """Load schema for the SamDB.
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@ -3,35 +3,116 @@
 # the BIND nameserver.
 #
-# If you have a very recent BIND, supporting GSS-TSIG, 
+# You should always include the actual forward zone configuration:
 # insert this into options {}  (otherwise omit, it is not required if we don't accept updates)
 tkey-gssapi-credential "DNS/${DNSDOMAIN}";
 tkey-domain "${REALM}";
 # You should always include the actual zone configuration reference:
 zone "${DNSDOMAIN}." IN {
-        type master;
+	type master;
-        file "${DNSDOMAIN}.zone";
+	file "${DNSDOMAIN}.zone";
 	update-policy {
-		/* use ANY only for Domain controllers for now */
+		/*
-		/* for normal machines A AAAA PTR is probbaly all is needed */
+		 * A rather long description here, as the "ms-self" option does
-		grant ${HOSTNAME}.${DNSDOMAIN}@${REALM} name ${HOSTNAME}.${DNSDOMAIN} ANY;
+		 * not appear in any docs yet (it can only be found in the
 		 * source code).
 		 *
 		 * The short of it is that each host is allowed to update its
 		 * own A and AAAA records, when the update request is properly
 		 * signed by the host itself.
 		 *
 		 * The long description is (look at the
 		 * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
 		 * its definition in lib/dns/gssapictx.c for details):
 		 *
 		 * A GSS-TSIG update request will be signed by a given signer
 		 * (e.g. machine-name$@${REALM}).  The signer name is split into
 		 * the machine component (e.g. "machine-name") and the realm
 		 * component (e.g. "${REALM}").  The update is allowed if the
 		 * following conditions are met:
 		 *
 		 * 1) The machine component of the signer name matches the first
 		 * (host) component of the FQDN that is being updated.
 		 *
 		 * 2) The realm component of the signer name matches the realm
 		 * in the grant statement below (${REALM}).
 		 *
 		 * 3) The domain component of the FQDN that is being updated
 		 * matches the realm in the grant statement below.
 		 *
 		 * If the 3 conditions above are satisfied, the update succeeds.
 		 */
 		grant ${REALM} ms-self * A AAAA;
 	};
 };
-# Also, you need to change your init scripts to set this environment variable
+# The reverse zone configuration is optional.  The following example assumes a
-# for named: KRB5_KTNAME so that it points to the keytab generated.
+# subnet of 192.168.123.0/24:
-# In RedHat derived systems such RHEL/CentOS/Fedora you can add the following
+zone "123.168.192.in-addr.arpa" in {
-# line to the /etc/sysconfig/named file:
+	type master;
-# export KRB5_KTNAME=${DNS_KEYTAB_ABS}
+	file "123.168.192.in-addr.arpa.zone";
-#
+	update-policy {
-# Please note that most distributions have BIND configured to run under
+		grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
-# a non-root user account.  For example, Fedora Core 6 (FC6) runs BIND as
+	};
-# the user "named" once the daemon relinquishes its rights.  Therefore,
+};
-# the file "${DNS_KEYTAB}" must be readable by the user that BIND run as.
+# Note that the reverse zone file is not created during the provision process.
-# If BIND is running as a non-root user, the "${DNS_KEYTAB}" file must have its
+
-# permissions altered to allow the daemon to read it.  In the FC6
+# The most recent BIND version (9.5.0a5 or later) supports secure GSS-TSIG
-# example, execute the commands:
+# updates.  If you are running an earlier version of BIND, or if you do not wish
-# 
+# to use secure GSS-TSIG updates, you may remove the update-policy sections in
-# chgrp named ${DNS_KEYTAB_ABS}
+# both examples above.
-# chmod g+r ${DNS_KEYTAB_ABS}
+
 # If you are running a capable version of BIND and you wish to support secure
 # GSS-TSIG updates, you must make the following configuration changes:
 # - Insert the following lines into the options {} section of your named.conf
 # file:
 tkey-gssapi-credential "DNS/${DNSDOMAIN}";
 tkey-domain "${REALM}";
 # - Add settings for the ${REALM} realm to the Kerberos configuration on the DNS
 # server.  The easiest way is to add the following blocks to the appropriate
 # sections in /etc/krb5.conf:
 [realms]
 	${REALM} = {
 		kdc = ${HOSTNAME}.${DNSDOMAIN}:88
 		admin_server = ${HOSTNAME}.${DNSDOMAIN}:749
 		default_domain = ${DNSDOMAIN}
 	}
 [domain_realm]
 	.${DNSDOMAIN} = ${REALM}
 	${DNSDOMAIN} = ${REALM}
 # - Modify BIND init scripts to pass the location of the generated keytab file.
 # Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
 # for this purpose:
 KEYTAB_FILE="${DNS_KEYTAB_ABS}"
 # Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
 # variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon.  If
 # your distribution does not provide a variable like KEYTAB_FILE to pass a
 # keytab file to the BIND daemon, a workaround is to place the following line in
 # BIND's sysconfig file or in the init script for BIND:
 export KRB5_KTNAME="${DNS_KEYTAB_ABS}"
 # - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file.  Note
 # that most distributions have BIND configured to run under a non-root user
 # account.  For example, Fedora 9 runs BIND as the user "named" once the daemon
 # relinquishes its rights.  Therefore, the file ${DNS_KEYTAB} must be readable
 # by the user that BIND run as.  If BIND is running as a non-root user, the
 # "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to
 # read it.  Under Fedora 9, execute the following commands:
 chgrp named ${DNS_KEYTAB_ABS}
 chmod g+r ${DNS_KEYTAB_ABS}
 # - Ensure the BIND zone file(s) that will be dynamically updated are in a
 # directory where the BIND daemon can write.  When BIND performs dynamic
 # updates, it not only needs to update the zone file itself but it must also
 # create a journal (.jnl) file to track the dynamic updates as they occur.
 # Under Fedora 9, the /var/named directory can not be written to by the "named"
 # user.  However, the directory /var/named/dynamic directory does provide write
 # access.  Therefore the zone files were placed under the /var/named/dynamic
 # directory.  The file directives in both example zone statements at the
 # beginning of this file were changed by prepending the directory "dynamic/".
 # - If SELinux is enabled, ensure that all files have the appropriate SELinux
 # file contexts.  The ${DNS_KEYTAB} file must be accessible by the BIND daemon
 # and should have a SELinux type of named_conf_t.  This can be set with the
 # following command:
 chcon -t named_conf_t ${DNS_KEYTAB_ABS}
--- a/source4/setup/secrets_dc.ldif
+++ b/source4/setup/secrets_dc.ldif
@ -33,6 +33,7 @@ objectClass: secret
 objectClass: kerberosSecret
 realm: ${REALM}
 servicePrincipalName: DNS/${DNSDOMAIN}
 msDS-KeyVersionNumber: 1
 privateKeytab: ${DNS_KEYTAB}
 secret:: ${DNSPASS_B64}