mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
provision: Remove --username and --password options from samba-tool domain provision
This avoids confusion, because the LDAP backend does not use these, and they do not set the password for the administrator account either! This may break support for the 'existing' backend LDAP backend, but that is nothing more than a stub for future development anyway, and new work in this area should use EXTERNAL in any case. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
parent
a2d45cf49e
commit
48b979c4fe
@ -717,7 +717,7 @@ class dc_join(object):
|
||||
|
||||
smbconf = ctx.lp.configfile
|
||||
|
||||
presult = provision(ctx.logger, system_session(), None, smbconf=smbconf,
|
||||
presult = provision(ctx.logger, system_session(), smbconf=smbconf,
|
||||
targetdir=ctx.targetdir, samdb_fill=FILL_DRS, realm=ctx.realm,
|
||||
rootdn=ctx.root_dn, domaindn=ctx.base_dn,
|
||||
schemadn=ctx.schema_dn, configdn=ctx.config_dn,
|
||||
|
@ -144,7 +144,6 @@ class cmd_domain_provision(Command):
|
||||
takes_optiongroups = {
|
||||
"sambaopts": options.SambaOptions,
|
||||
"versionopts": options.VersionOptions,
|
||||
"credopts": options.CredentialsOptions,
|
||||
}
|
||||
|
||||
takes_options = [
|
||||
@ -231,7 +230,7 @@ class cmd_domain_provision(Command):
|
||||
|
||||
takes_args = []
|
||||
|
||||
def run(self, sambaopts=None, credopts=None, versionopts=None,
|
||||
def run(self, sambaopts=None, versionopts=None,
|
||||
interactive=None,
|
||||
domain=None,
|
||||
domain_guid=None,
|
||||
@ -278,10 +277,6 @@ class cmd_domain_provision(Command):
|
||||
lp = sambaopts.get_loadparm()
|
||||
smbconf = lp.configfile
|
||||
|
||||
creds = credopts.get_credentials(lp)
|
||||
|
||||
creds.set_kerberos_state(DONT_USE_KERBEROS)
|
||||
|
||||
if dns_forwarder is not None:
|
||||
suggested_forwarder = dns_forwarder
|
||||
else:
|
||||
@ -408,7 +403,7 @@ class cmd_domain_provision(Command):
|
||||
session = system_session()
|
||||
try:
|
||||
result = provision(self.logger,
|
||||
session, creds, smbconf=smbconf, targetdir=targetdir,
|
||||
session, smbconf=smbconf, targetdir=targetdir,
|
||||
samdb_fill=samdb_fill, realm=realm, domain=domain,
|
||||
domainguid=domain_guid, domainsid=domain_sid,
|
||||
hostname=host_name,
|
||||
|
@ -1888,7 +1888,7 @@ def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
|
||||
samdb.transaction_commit()
|
||||
|
||||
|
||||
def provision(logger, session_info, credentials, smbconf=None,
|
||||
def provision(logger, session_info, smbconf=None,
|
||||
targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
|
||||
domaindn=None, schemadn=None, configdn=None, serverdn=None,
|
||||
domain=None, hostname=None, hostip=None, hostip6=None, domainsid=None,
|
||||
@ -2065,25 +2065,25 @@ def provision(logger, session_info, credentials, smbconf=None,
|
||||
|
||||
if backend_type == "ldb":
|
||||
provision_backend = LDBBackend(backend_type, paths=paths,
|
||||
lp=lp, credentials=credentials,
|
||||
lp=lp,
|
||||
names=names, logger=logger)
|
||||
elif backend_type == "existing":
|
||||
# If support for this is ever added back, then the URI will need to be
|
||||
# specified again
|
||||
provision_backend = ExistingBackend(backend_type, paths=paths,
|
||||
lp=lp, credentials=credentials,
|
||||
lp=lp,
|
||||
names=names, logger=logger,
|
||||
ldap_backend_forced_uri=ldap_backend_forced_uri)
|
||||
elif backend_type == "fedora-ds":
|
||||
provision_backend = FDSBackend(backend_type, paths=paths,
|
||||
lp=lp, credentials=credentials,
|
||||
lp=lp,
|
||||
names=names, logger=logger, domainsid=domainsid,
|
||||
schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
|
||||
slapd_path=slapd_path,
|
||||
root=root)
|
||||
elif backend_type == "openldap":
|
||||
provision_backend = OpenLDAPBackend(backend_type, paths=paths,
|
||||
lp=lp, credentials=credentials,
|
||||
lp=lp,
|
||||
names=names, logger=logger, domainsid=domainsid,
|
||||
schema=schema, hostname=hostname, ldapadminpass=ldapadminpass,
|
||||
slapd_path=slapd_path, ol_mmr_urls=ol_mmr_urls,
|
||||
@ -2105,7 +2105,7 @@ def provision(logger, session_info, credentials, smbconf=None,
|
||||
logger.info("Setting up secrets.ldb")
|
||||
secrets_ldb = setup_secretsdb(paths,
|
||||
session_info=session_info,
|
||||
backend_credentials=provision_backend.secrets_credentials, lp=lp)
|
||||
backend_credentials=provision_backend.credentials, lp=lp)
|
||||
|
||||
try:
|
||||
logger.info("Setting up the registry")
|
||||
@ -2227,7 +2227,7 @@ def provision_become_dc(smbconf=None, targetdir=None,
|
||||
logger = logging.getLogger("provision")
|
||||
samba.set_debug_level(debuglevel)
|
||||
|
||||
res = provision(logger, system_session(), None,
|
||||
res = provision(logger, system_session(),
|
||||
smbconf=smbconf, targetdir=targetdir, samdb_fill=FILL_DRS,
|
||||
realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
|
||||
configdn=configdn, serverdn=serverdn, domain=domain,
|
||||
|
@ -63,19 +63,11 @@ class BackendResult(object):
|
||||
|
||||
class LDAPBackendResult(BackendResult):
|
||||
|
||||
def __init__(self, credentials, slapd_command_escaped, ldapdir):
|
||||
self.credentials = credentials
|
||||
def __init__(self, slapd_command_escaped, ldapdir):
|
||||
self.slapd_command_escaped = slapd_command_escaped
|
||||
self.ldapdir = ldapdir
|
||||
|
||||
def report_logger(self, logger):
|
||||
if self.credentials.get_bind_dn() is not None:
|
||||
logger.info("LDAP Backend Admin DN: %s" %
|
||||
self.credentials.get_bind_dn())
|
||||
else:
|
||||
logger.info("LDAP Admin User: %s" %
|
||||
self.credentials.get_username())
|
||||
|
||||
if self.slapd_command_escaped is not None:
|
||||
# now display slapd_command_file.txt to show how slapd must be
|
||||
# started next time
|
||||
@ -90,11 +82,11 @@ class LDAPBackendResult(BackendResult):
|
||||
class ProvisionBackend(object):
|
||||
|
||||
def __init__(self, backend_type, paths=None, lp=None,
|
||||
credentials=None, names=None, logger=None):
|
||||
names=None, logger=None):
|
||||
"""Provision a backend for samba4"""
|
||||
self.paths = paths
|
||||
self.lp = lp
|
||||
self.credentials = credentials
|
||||
self.credentials = None
|
||||
self.names = names
|
||||
self.logger = logger
|
||||
|
||||
@ -127,7 +119,6 @@ class LDBBackend(ProvisionBackend):
|
||||
|
||||
def init(self):
|
||||
self.credentials = None
|
||||
self.secrets_credentials = None
|
||||
|
||||
# Wipe the old sam.ldb databases away
|
||||
shutil.rmtree(self.paths.samdb + ".d", True)
|
||||
@ -145,11 +136,11 @@ class LDBBackend(ProvisionBackend):
|
||||
class ExistingBackend(ProvisionBackend):
|
||||
|
||||
def __init__(self, backend_type, paths=None, lp=None,
|
||||
credentials=None, names=None, logger=None, ldapi_uri=None):
|
||||
names=None, logger=None, ldapi_uri=None):
|
||||
|
||||
super(ExistingBackend, self).__init__(backend_type=backend_type,
|
||||
paths=paths, lp=lp,
|
||||
credentials=credentials, names=names, logger=logger,
|
||||
names=names, logger=logger,
|
||||
ldap_backend_forced_uri=ldapi_uri)
|
||||
|
||||
def init(self):
|
||||
@ -158,27 +149,21 @@ class ExistingBackend(ProvisionBackend):
|
||||
ldapi_db.search(base="", scope=SCOPE_BASE,
|
||||
expression="(objectClass=OpenLDAProotDSE)")
|
||||
|
||||
# If we have got here, then we must have a valid connection to the LDAP
|
||||
# server, with valid credentials supplied This caused them to be set
|
||||
# into the long-term database later in the script.
|
||||
self.secrets_credentials = self.credentials
|
||||
|
||||
|
||||
# For now, assume existing backends at least emulate OpenLDAP
|
||||
# For now, assume existing backends at least emulate OpenLDAP
|
||||
self.ldap_backend_type = "openldap"
|
||||
|
||||
|
||||
class LDAPBackend(ProvisionBackend):
|
||||
|
||||
def __init__(self, backend_type, paths=None, lp=None,
|
||||
credentials=None, names=None, logger=None, domainsid=None,
|
||||
names=None, logger=None, domainsid=None,
|
||||
schema=None, hostname=None, ldapadminpass=None,
|
||||
slapd_path=None, ldap_backend_extra_port=None,
|
||||
ldap_backend_forced_uri=None, ldap_dryrun_mode=False):
|
||||
|
||||
super(LDAPBackend, self).__init__(backend_type=backend_type,
|
||||
paths=paths, lp=lp,
|
||||
credentials=credentials, names=names, logger=logger)
|
||||
names=names, logger=logger)
|
||||
|
||||
self.domainsid = domainsid
|
||||
self.schema = schema
|
||||
@ -253,19 +238,12 @@ class LDAPBackend(ProvisionBackend):
|
||||
|
||||
self.credentials = Credentials()
|
||||
self.credentials.guess(self.lp)
|
||||
# Kerberos to an ldapi:// backend makes no sense
|
||||
# Kerberos to an ldapi:// backend makes no sense (we also force EXTERNAL)
|
||||
self.credentials.set_kerberos_state(DONT_USE_KERBEROS)
|
||||
self.credentials.set_username("samba-admin")
|
||||
self.credentials.set_password(self.ldapadminpass)
|
||||
self.credentials.set_forced_sasl_mech("EXTERNAL")
|
||||
|
||||
self.secrets_credentials = Credentials()
|
||||
self.secrets_credentials.guess(self.lp)
|
||||
# Kerberos to an ldapi:// backend makes no sense
|
||||
self.secrets_credentials.set_kerberos_state(DONT_USE_KERBEROS)
|
||||
self.secrets_credentials.set_username("samba-admin")
|
||||
self.secrets_credentials.set_password(self.ldapadminpass)
|
||||
self.secrets_credentials.set_forced_sasl_mech("EXTERNAL")
|
||||
|
||||
self.provision()
|
||||
|
||||
def provision(self):
|
||||
@ -340,7 +318,7 @@ class OpenLDAPBackend(LDAPBackend):
|
||||
from samba.provision import setup_path
|
||||
super(OpenLDAPBackend, self).__init__( backend_type=backend_type,
|
||||
paths=paths, lp=lp,
|
||||
credentials=credentials, names=names, logger=logger,
|
||||
names=names, logger=logger,
|
||||
domainsid=domainsid, schema=schema, hostname=hostname,
|
||||
ldapadminpass=ldapadminpass, slapd_path=slapd_path,
|
||||
ldap_backend_extra_port=ldap_backend_extra_port,
|
||||
@ -595,10 +573,6 @@ class OpenLDAPBackend(LDAPBackend):
|
||||
|
||||
self.slapd_command.append(uris)
|
||||
|
||||
# Set the username - done here because Fedora DS still uses the admin
|
||||
# DN and simple bind
|
||||
self.credentials.set_username("samba-admin")
|
||||
|
||||
# Wipe the old sam.ldb databases away
|
||||
shutil.rmtree(self.olcdir, True)
|
||||
os.makedirs(self.olcdir, 0770)
|
||||
@ -632,7 +606,7 @@ class OpenLDAPBackend(LDAPBackend):
|
||||
class FDSBackend(LDAPBackend):
|
||||
|
||||
def __init__(self, backend_type, paths=None, lp=None,
|
||||
credentials=None, names=None, logger=None, domainsid=None,
|
||||
names=None, logger=None, domainsid=None,
|
||||
schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
|
||||
ldap_backend_extra_port=None, ldap_dryrun_mode=False, root=None,
|
||||
setup_ds_path=None):
|
||||
@ -641,7 +615,7 @@ class FDSBackend(LDAPBackend):
|
||||
|
||||
super(FDSBackend, self).__init__(backend_type=backend_type,
|
||||
paths=paths, lp=lp,
|
||||
credentials=credentials, names=names, logger=logger,
|
||||
names=names, logger=logger,
|
||||
domainsid=domainsid, schema=schema, hostname=hostname,
|
||||
ldapadminpass=ldapadminpass, slapd_path=slapd_path,
|
||||
ldap_backend_extra_port=ldap_backend_extra_port,
|
||||
|
@ -855,7 +855,7 @@ Please fix this account before attempting to upgrade again
|
||||
adminpass = None
|
||||
|
||||
# Do full provision
|
||||
result = provision(logger, session_info, None,
|
||||
result = provision(logger, session_info,
|
||||
targetdir=targetdir, realm=realm, domain=domainname,
|
||||
domainsid=str(domainsid), next_rid=next_rid,
|
||||
dc_rid=machinerid, adminpass = adminpass,
|
||||
|
@ -225,7 +225,7 @@ def update_policyids(names, samdb):
|
||||
names.policyid_dc = None
|
||||
|
||||
|
||||
def newprovision(names, creds, session, smbconf, provdir, logger):
|
||||
def newprovision(names, session, smbconf, provdir, logger):
|
||||
"""Create a new provision.
|
||||
|
||||
This provision will be the reference for knowing what has changed in the
|
||||
@ -242,7 +242,7 @@ def newprovision(names, creds, session, smbconf, provdir, logger):
|
||||
shutil.rmtree(provdir)
|
||||
os.mkdir(provdir)
|
||||
logger.info("Provision stored in %s", provdir)
|
||||
return provision(logger, session, creds, smbconf=smbconf,
|
||||
return provision(logger, session, smbconf=smbconf,
|
||||
targetdir=provdir, samdb_fill=FILL_FULL, realm=names.realm,
|
||||
domain=names.domain, domainguid=names.domainguid,
|
||||
domainsid=str(names.domainsid), ntdsguid=names.ntdsguid,
|
||||
|
@ -1632,7 +1632,7 @@ if __name__ == '__main__':
|
||||
message(SIMPLE, "Creating a reference provision")
|
||||
provisiondir = tempfile.mkdtemp(dir=paths.private_dir,
|
||||
prefix="referenceprovision")
|
||||
result = newprovision(names, creds, session, smbconf, provisiondir,
|
||||
result = newprovision(names, session, smbconf, provisiondir,
|
||||
provision_logger)
|
||||
result.report_logger(provision_logger)
|
||||
|
||||
|
@ -13,7 +13,7 @@ shift 1
|
||||
. `dirname $0`/../../../testprogs/blackbox/subunit.sh
|
||||
|
||||
testit "openldap-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
|
||||
testit "openldap-mmr-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-mmr-backend --ol-mmr-urls="ldap://s4dc1.test:9000,ldap://s4dc2.test:9000" --username=samba-admin --password=linux --adminpass=linux --ldapadminpass=linux --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
|
||||
testit "openldap-mmr-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-mmr-backend --ol-mmr-urls="ldap://s4dc1.test:9000,ldap://s4dc2.test:9000" --adminpass=linux --ldapadminpass=linux --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
|
||||
testit "fedora-ds-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
|
||||
|
||||
reprovision() {
|
||||
|
Loading…
Reference in New Issue
Block a user