
provision: Remove --username and --password options from samba-tool domain provision

This avoids confusion, because the LDAP backend does not use these,
and they do not set the password for the administrator account either!

This may break support for the 'existing' LDAP backend, but
that is nothing more than a stub for future development anyway, and
new work in this area should use EXTERNAL in any case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett 2013-09-26 10:19:18 -07:00 committed by Stefan Metzmacher
parent a2d45cf49e
commit 48b979c4fe
8 changed files with 28 additions and 59 deletions


@ -717,7 +717,7 @@ class dc_join(object):
smbconf = ctx.lp.configfile smbconf = ctx.lp.configfile
presult = provision(ctx.logger, system_session(), None, smbconf=smbconf, presult = provision(ctx.logger, system_session(), smbconf=smbconf,
targetdir=ctx.targetdir, samdb_fill=FILL_DRS, realm=ctx.realm, targetdir=ctx.targetdir, samdb_fill=FILL_DRS, realm=ctx.realm,
rootdn=ctx.root_dn, domaindn=ctx.base_dn, rootdn=ctx.root_dn, domaindn=ctx.base_dn,
schemadn=ctx.schema_dn, configdn=ctx.config_dn, schemadn=ctx.schema_dn, configdn=ctx.config_dn,


@ -144,7 +144,6 @@ class cmd_domain_provision(Command):
takes_optiongroups = { takes_optiongroups = {
"sambaopts": options.SambaOptions, "sambaopts": options.SambaOptions,
"versionopts": options.VersionOptions, "versionopts": options.VersionOptions,
"credopts": options.CredentialsOptions,
} }
takes_options = [ takes_options = [
@ -231,7 +230,7 @@ class cmd_domain_provision(Command):
takes_args = [] takes_args = []
def run(self, sambaopts=None, credopts=None, versionopts=None, def run(self, sambaopts=None, versionopts=None,
interactive=None, interactive=None,
domain=None, domain=None,
domain_guid=None, domain_guid=None,
@ -278,10 +277,6 @@ class cmd_domain_provision(Command):
lp = sambaopts.get_loadparm() lp = sambaopts.get_loadparm()
smbconf = lp.configfile smbconf = lp.configfile
creds = credopts.get_credentials(lp)
creds.set_kerberos_state(DONT_USE_KERBEROS)
if dns_forwarder is not None: if dns_forwarder is not None:
suggested_forwarder = dns_forwarder suggested_forwarder = dns_forwarder
else: else:
@ -408,7 +403,7 @@ class cmd_domain_provision(Command):
session = system_session() session = system_session()
try: try:
result = provision(self.logger, result = provision(self.logger,
session, creds, smbconf=smbconf, targetdir=targetdir, session, smbconf=smbconf, targetdir=targetdir,
samdb_fill=samdb_fill, realm=realm, domain=domain, samdb_fill=samdb_fill, realm=realm, domain=domain,
domainguid=domain_guid, domainsid=domain_sid, domainguid=domain_guid, domainsid=domain_sid,
hostname=host_name, hostname=host_name,
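Review bot: With the `creds.set_kerberos_state(DONT_USE_KERBEROS)` line gone from `run()` (hunk @ -278), the module's import of `DONT_USE_KERBEROS` has no remaining use in the shown hunks; if nothing else in the file references it, drop the import together with the `credopts` option group so the command does not carry a dead credentials import. The body of `run()` continues outside the hunks, so confirm no other reference to `creds` survives there — any leftover use would now surface as a NameError at run time rather than at import time.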


@ -1888,7 +1888,7 @@ def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
samdb.transaction_commit() samdb.transaction_commit()
def provision(logger, session_info, credentials, smbconf=None, def provision(logger, session_info, smbconf=None,
targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None, targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
domaindn=None, schemadn=None, configdn=None, serverdn=None, domaindn=None, schemadn=None, configdn=None, serverdn=None,
domain=None, hostname=None, hostip=None, hostip6=None, domainsid=None, domain=None, hostname=None, hostip=None, hostip6=None, domainsid=None,
@ -2065,25 +2065,25 @@ def provision(logger, session_info, credentials, smbconf=None,
if backend_type == "ldb": if backend_type == "ldb":
provision_backend = LDBBackend(backend_type, paths=paths, provision_backend = LDBBackend(backend_type, paths=paths,
lp=lp, credentials=credentials, lp=lp,
names=names, logger=logger) names=names, logger=logger)
elif backend_type == "existing": elif backend_type == "existing":
# If support for this is ever added back, then the URI will need to be # If support for this is ever added back, then the URI will need to be
# specified again # specified again
provision_backend = ExistingBackend(backend_type, paths=paths, provision_backend = ExistingBackend(backend_type, paths=paths,
lp=lp, credentials=credentials, lp=lp,
names=names, logger=logger, names=names, logger=logger,
ldap_backend_forced_uri=ldap_backend_forced_uri) ldap_backend_forced_uri=ldap_backend_forced_uri)
elif backend_type == "fedora-ds": elif backend_type == "fedora-ds":
provision_backend = FDSBackend(backend_type, paths=paths, provision_backend = FDSBackend(backend_type, paths=paths,
lp=lp, credentials=credentials, lp=lp,
names=names, logger=logger, domainsid=domainsid, names=names, logger=logger, domainsid=domainsid,
schema=schema, hostname=hostname, ldapadminpass=ldapadminpass, schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
slapd_path=slapd_path, slapd_path=slapd_path,
root=root) root=root)
elif backend_type == "openldap": elif backend_type == "openldap":
provision_backend = OpenLDAPBackend(backend_type, paths=paths, provision_backend = OpenLDAPBackend(backend_type, paths=paths,
lp=lp, credentials=credentials, lp=lp,
names=names, logger=logger, domainsid=domainsid, names=names, logger=logger, domainsid=domainsid,
schema=schema, hostname=hostname, ldapadminpass=ldapadminpass, schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
slapd_path=slapd_path, ol_mmr_urls=ol_mmr_urls, slapd_path=slapd_path, ol_mmr_urls=ol_mmr_urls,
@ -2105,7 +2105,7 @@ def provision(logger, session_info, credentials, smbconf=None,
logger.info("Setting up secrets.ldb") logger.info("Setting up secrets.ldb")
secrets_ldb = setup_secretsdb(paths, secrets_ldb = setup_secretsdb(paths,
session_info=session_info, session_info=session_info,
backend_credentials=provision_backend.secrets_credentials, lp=lp) backend_credentials=provision_backend.credentials, lp=lp)
try: try:
logger.info("Setting up the registry") logger.info("Setting up the registry")
@ -2227,7 +2227,7 @@ def provision_become_dc(smbconf=None, targetdir=None,
logger = logging.getLogger("provision") logger = logging.getLogger("provision")
samba.set_debug_level(debuglevel) samba.set_debug_level(debuglevel)
res = provision(logger, system_session(), None, res = provision(logger, system_session(),
smbconf=smbconf, targetdir=targetdir, samdb_fill=FILL_DRS, smbconf=smbconf, targetdir=targetdir, samdb_fill=FILL_DRS,
realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn, realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
configdn=configdn, serverdn=serverdn, domain=domain, configdn=configdn, serverdn=serverdn, domain=domain,
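Review bot: `provision()` is a public module-level API and the hunk @ -1888 removes its third positional parameter, so an out-of-tree caller still passing `(logger, session_info, creds, smbconf_path)` positionally now binds its credentials object to `smbconf` and the path to `targetdir` instead of failing loudly; the function's docstring lies outside the hunk, so check that its parameter list no longer describes `credentials` and consider a one-line note there such as `credentials for the LDAP backend are no longer accepted; backends construct their own (EXTERNAL) credentials`. In the @ -2105 hunk, `backend_credentials=provision_backend.credentials` now persists into secrets.ldb the same Credentials object the LDAP backend uses for its live bind; for the ldb and existing backends that attribute is None, so `setup_secretsdb` (outside the hunk) must still tolerate None, as it presumably did for the old `secrets_credentials`.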


@ -63,19 +63,11 @@ class BackendResult(object):
class LDAPBackendResult(BackendResult): class LDAPBackendResult(BackendResult):
def __init__(self, credentials, slapd_command_escaped, ldapdir): def __init__(self, slapd_command_escaped, ldapdir):
self.credentials = credentials
self.slapd_command_escaped = slapd_command_escaped self.slapd_command_escaped = slapd_command_escaped
self.ldapdir = ldapdir self.ldapdir = ldapdir
def report_logger(self, logger): def report_logger(self, logger):
if self.credentials.get_bind_dn() is not None:
logger.info("LDAP Backend Admin DN: %s" %
self.credentials.get_bind_dn())
else:
logger.info("LDAP Admin User: %s" %
self.credentials.get_username())
if self.slapd_command_escaped is not None: if self.slapd_command_escaped is not None:
# now display slapd_command_file.txt to show how slapd must be # now display slapd_command_file.txt to show how slapd must be
# started next time # started next time
@ -90,11 +82,11 @@ class LDAPBackendResult(BackendResult):
class ProvisionBackend(object): class ProvisionBackend(object):
def __init__(self, backend_type, paths=None, lp=None, def __init__(self, backend_type, paths=None, lp=None,
credentials=None, names=None, logger=None): names=None, logger=None):
"""Provision a backend for samba4""" """Provision a backend for samba4"""
self.paths = paths self.paths = paths
self.lp = lp self.lp = lp
self.credentials = credentials self.credentials = None
self.names = names self.names = names
self.logger = logger self.logger = logger
@ -127,7 +119,6 @@ class LDBBackend(ProvisionBackend):
def init(self): def init(self):
self.credentials = None self.credentials = None
self.secrets_credentials = None
# Wipe the old sam.ldb databases away # Wipe the old sam.ldb databases away
shutil.rmtree(self.paths.samdb + ".d", True) shutil.rmtree(self.paths.samdb + ".d", True)
@ -145,11 +136,11 @@ class LDBBackend(ProvisionBackend):
class ExistingBackend(ProvisionBackend): class ExistingBackend(ProvisionBackend):
def __init__(self, backend_type, paths=None, lp=None, def __init__(self, backend_type, paths=None, lp=None,
credentials=None, names=None, logger=None, ldapi_uri=None): names=None, logger=None, ldapi_uri=None):
super(ExistingBackend, self).__init__(backend_type=backend_type, super(ExistingBackend, self).__init__(backend_type=backend_type,
paths=paths, lp=lp, paths=paths, lp=lp,
credentials=credentials, names=names, logger=logger, names=names, logger=logger,
ldap_backend_forced_uri=ldapi_uri) ldap_backend_forced_uri=ldapi_uri)
def init(self): def init(self):
@ -158,27 +149,21 @@ class ExistingBackend(ProvisionBackend):
ldapi_db.search(base="", scope=SCOPE_BASE, ldapi_db.search(base="", scope=SCOPE_BASE,
expression="(objectClass=OpenLDAProotDSE)") expression="(objectClass=OpenLDAProotDSE)")
# If we have got here, then we must have a valid connection to the LDAP # For now, assume existing backends at least emulate OpenLDAP
# server, with valid credentials supplied This caused them to be set
# into the long-term database later in the script.
self.secrets_credentials = self.credentials
# For now, assume existing backends at least emulate OpenLDAP
self.ldap_backend_type = "openldap" self.ldap_backend_type = "openldap"
class LDAPBackend(ProvisionBackend): class LDAPBackend(ProvisionBackend):
def __init__(self, backend_type, paths=None, lp=None, def __init__(self, backend_type, paths=None, lp=None,
credentials=None, names=None, logger=None, domainsid=None, names=None, logger=None, domainsid=None,
schema=None, hostname=None, ldapadminpass=None, schema=None, hostname=None, ldapadminpass=None,
slapd_path=None, ldap_backend_extra_port=None, slapd_path=None, ldap_backend_extra_port=None,
ldap_backend_forced_uri=None, ldap_dryrun_mode=False): ldap_backend_forced_uri=None, ldap_dryrun_mode=False):
super(LDAPBackend, self).__init__(backend_type=backend_type, super(LDAPBackend, self).__init__(backend_type=backend_type,
paths=paths, lp=lp, paths=paths, lp=lp,
credentials=credentials, names=names, logger=logger) names=names, logger=logger)
self.domainsid = domainsid self.domainsid = domainsid
self.schema = schema self.schema = schema
@ -253,19 +238,12 @@ class LDAPBackend(ProvisionBackend):
self.credentials = Credentials() self.credentials = Credentials()
self.credentials.guess(self.lp) self.credentials.guess(self.lp)
# Kerberos to an ldapi:// backend makes no sense # Kerberos to an ldapi:// backend makes no sense (we also force EXTERNAL)
self.credentials.set_kerberos_state(DONT_USE_KERBEROS) self.credentials.set_kerberos_state(DONT_USE_KERBEROS)
self.credentials.set_username("samba-admin")
self.credentials.set_password(self.ldapadminpass) self.credentials.set_password(self.ldapadminpass)
self.credentials.set_forced_sasl_mech("EXTERNAL") self.credentials.set_forced_sasl_mech("EXTERNAL")
self.secrets_credentials = Credentials()
self.secrets_credentials.guess(self.lp)
# Kerberos to an ldapi:// backend makes no sense
self.secrets_credentials.set_kerberos_state(DONT_USE_KERBEROS)
self.secrets_credentials.set_username("samba-admin")
self.secrets_credentials.set_password(self.ldapadminpass)
self.secrets_credentials.set_forced_sasl_mech("EXTERNAL")
self.provision() self.provision()
def provision(self): def provision(self):
@ -340,7 +318,7 @@ class OpenLDAPBackend(LDAPBackend):
from samba.provision import setup_path from samba.provision import setup_path
super(OpenLDAPBackend, self).__init__( backend_type=backend_type, super(OpenLDAPBackend, self).__init__( backend_type=backend_type,
paths=paths, lp=lp, paths=paths, lp=lp,
credentials=credentials, names=names, logger=logger, names=names, logger=logger,
domainsid=domainsid, schema=schema, hostname=hostname, domainsid=domainsid, schema=schema, hostname=hostname,
ldapadminpass=ldapadminpass, slapd_path=slapd_path, ldapadminpass=ldapadminpass, slapd_path=slapd_path,
ldap_backend_extra_port=ldap_backend_extra_port, ldap_backend_extra_port=ldap_backend_extra_port,
@ -595,10 +573,6 @@ class OpenLDAPBackend(LDAPBackend):
self.slapd_command.append(uris) self.slapd_command.append(uris)
# Set the username - done here because Fedora DS still uses the admin
# DN and simple bind
self.credentials.set_username("samba-admin")
# Wipe the old sam.ldb databases away # Wipe the old sam.ldb databases away
shutil.rmtree(self.olcdir, True) shutil.rmtree(self.olcdir, True)
os.makedirs(self.olcdir, 0770) os.makedirs(self.olcdir, 0770)
@ -632,7 +606,7 @@ class OpenLDAPBackend(LDAPBackend):
class FDSBackend(LDAPBackend): class FDSBackend(LDAPBackend):
def __init__(self, backend_type, paths=None, lp=None, def __init__(self, backend_type, paths=None, lp=None,
credentials=None, names=None, logger=None, domainsid=None, names=None, logger=None, domainsid=None,
schema=None, hostname=None, ldapadminpass=None, slapd_path=None, schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
ldap_backend_extra_port=None, ldap_dryrun_mode=False, root=None, ldap_backend_extra_port=None, ldap_dryrun_mode=False, root=None,
setup_ds_path=None): setup_ds_path=None):
@ -641,7 +615,7 @@ class FDSBackend(LDAPBackend):
super(FDSBackend, self).__init__(backend_type=backend_type, super(FDSBackend, self).__init__(backend_type=backend_type,
paths=paths, lp=lp, paths=paths, lp=lp,
credentials=credentials, names=names, logger=logger, names=names, logger=logger,
domainsid=domainsid, schema=schema, hostname=hostname, domainsid=domainsid, schema=schema, hostname=hostname,
ldapadminpass=ldapadminpass, slapd_path=slapd_path, ldapadminpass=ldapadminpass, slapd_path=slapd_path,
ldap_backend_extra_port=ldap_backend_extra_port, ldap_backend_extra_port=ldap_backend_extra_port,
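Review bot: The @ -253 hunk removes `self.credentials.set_username("samba-admin")` from `LDAPBackend.init` while keeping `set_forced_sasl_mech("EXTERNAL")` and `set_password(self.ldapadminpass)` for every LDAP backend, and the @ -595 hunk also drops the OpenLDAP-side username whose comment said it was retained `because Fedora DS still uses the admin DN and simple bind`; unless `FDSBackend` sets a bind DN or username somewhere outside these hunks, the Fedora DS path now carries a password but no bind identity, so that path needs either the identity restored or a comment stating which mechanism it is expected to use. Because `provision()` now writes this same object to secrets.ldb, a comment above `self.credentials = Credentials()` such as `# used both for the live ldapi:// bind and persisted as the backend credentials in secrets.ldb` would record the dual role that the removed `secrets_credentials` copy used to make explicit. `LDBBackend.init` (@ -127) still assigns `self.credentials = None` although `ProvisionBackend.__init__` now initialises it to None, so that line is redundant. `LDAPBackendResult.__init__` (@ -63) loses its leading `credentials` parameter, so any construction site outside these hunks that still passes three positional arguments would raise TypeError.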


@ -855,7 +855,7 @@ Please fix this account before attempting to upgrade again
adminpass = None adminpass = None
# Do full provision # Do full provision
result = provision(logger, session_info, None, result = provision(logger, session_info,
targetdir=targetdir, realm=realm, domain=domainname, targetdir=targetdir, realm=realm, domain=domainname,
domainsid=str(domainsid), next_rid=next_rid, domainsid=str(domainsid), next_rid=next_rid,
dc_rid=machinerid, adminpass = adminpass, dc_rid=machinerid, adminpass = adminpass,


@ -225,7 +225,7 @@ def update_policyids(names, samdb):
names.policyid_dc = None names.policyid_dc = None
def newprovision(names, creds, session, smbconf, provdir, logger): def newprovision(names, session, smbconf, provdir, logger):
"""Create a new provision. """Create a new provision.
This provision will be the reference for knowing what has changed in the This provision will be the reference for knowing what has changed in the
@ -242,7 +242,7 @@ def newprovision(names, creds, session, smbconf, provdir, logger):
shutil.rmtree(provdir) shutil.rmtree(provdir)
os.mkdir(provdir) os.mkdir(provdir)
logger.info("Provision stored in %s", provdir) logger.info("Provision stored in %s", provdir)
return provision(logger, session, creds, smbconf=smbconf, return provision(logger, session, smbconf=smbconf,
targetdir=provdir, samdb_fill=FILL_FULL, realm=names.realm, targetdir=provdir, samdb_fill=FILL_FULL, realm=names.realm,
domain=names.domain, domainguid=names.domainguid, domain=names.domain, domainguid=names.domainguid,
domainsid=str(names.domainsid), ntdsguid=names.ntdsguid, domainsid=str(names.domainsid), ntdsguid=names.ntdsguid,
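Review bot: `newprovision()` drops its `creds` parameter at @ -225, but the hunk ends after the docstring's first line, so the parameter description in the docstring body (outside the hunk) likely still documents `creds`; remove that entry so the docstring matches the new signature.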


@ -1632,7 +1632,7 @@ if __name__ == '__main__':
message(SIMPLE, "Creating a reference provision") message(SIMPLE, "Creating a reference provision")
provisiondir = tempfile.mkdtemp(dir=paths.private_dir, provisiondir = tempfile.mkdtemp(dir=paths.private_dir,
prefix="referenceprovision") prefix="referenceprovision")
result = newprovision(names, creds, session, smbconf, provisiondir, result = newprovision(names, session, smbconf, provisiondir,
provision_logger) provision_logger)
result.report_logger(provision_logger) result.report_logger(provision_logger)


@ -13,7 +13,7 @@ shift 1
. `dirname $0`/../../../testprogs/blackbox/subunit.sh . `dirname $0`/../../../testprogs/blackbox/subunit.sh
testit "openldap-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode testit "openldap-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
testit "openldap-mmr-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-mmr-backend --ol-mmr-urls="ldap://s4dc1.test:9000,ldap://s4dc2.test:9000" --username=samba-admin --password=linux --adminpass=linux --ldapadminpass=linux --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode testit "openldap-mmr-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-mmr-backend --ol-mmr-urls="ldap://s4dc1.test:9000,ldap://s4dc2.test:9000" --adminpass=linux --ldapadminpass=linux --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
testit "fedora-ds-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode testit "fedora-ds-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
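Review bot: The `fedora-ds-backend` testit on the context line following the changed one still provisions with `--ldap-backend-type=openldap` and `--targetdir=$PREFIX/openldap-backend`, so this script never exercises the Fedora DS code path; that gap matters more after this commit, which removes the `samba-admin` username the FDS bind previously received, because a regression there would pass these tests unnoticed. Pointing that line at `--ldap-backend-type=fedora-ds` with its own target directory and whatever flags that backend's dry-run mode requires would give the change real coverage.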
reprovision() { reprovision() {