1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

r25299: Modify the provision script to take an additional argument: --server-role

This must be set to either 'domain controller', 'domain member' or 'standalone'.

The default for the provision now changes to 'standalone'.

This is not because Samba4 is particularlly useful in that mode, but
because we still want a positive sign from the administrator that we
should advertise as a DC.

We now do more to ensure the 'standalone' and 'member server'
provision output is reasonable, and try not to set odd things into the
database that only belong for the DC.

Andrew Bartlett
This commit is contained in:
Andrew Bartlett 2007-09-22 12:57:17 +00:00 committed by Gerald (Jerry) Carter
parent bfd8c275bb
commit 4cc4ed7719
12 changed files with 137 additions and 81 deletions

View File

@ -513,6 +513,18 @@ static void ldapsrv_task_init(struct task_server *task)
NTSTATUS status;
const struct model_ops *model_ops;
switch (lp_server_role()) {
case ROLE_STANDALONE:
task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration");
return;
case ROLE_DOMAIN_MEMBER:
task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration");
return;
case ROLE_DOMAIN_CONTROLLER:
/* Yes, we want an LDAP server */
break;
}
task_server_set_title(task, "task[ldapsrv]");
/* run the ldap server as a single process */

View File

@ -489,6 +489,17 @@ function provision_fix_subobj(subobj, paths)
subobj.NETLOGONPATH = paths.netlogon;
subobj.SYSVOLPATH = paths.sysvol;
if (subobj.DOMAIN_CONF == undefined) {
subobj.DOMAIN_CONF = subobj.DOMAIN;
}
if (subobj.REALM_CONF == undefined) {
subobj.REALM_CONF = subobj.REALM;
}
if (subobj.SERVERROLE != "domain controller") {
subobj.REALM = subobj.HOSTNAME;
subobj.DOMAIN = subobj.HOSTNAME;
}
return true;
}
@ -536,6 +547,8 @@ function provision_become_dc(subobj, message, erase, paths, session_info)
setup_ldb("secrets.ldif", info, paths.secrets, false);
setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
return true;
}
@ -571,8 +584,16 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
/* only install a new smb.conf if there isn't one there already */
var st = sys.stat(paths.smbconf);
if (st == undefined) {
var smbconfsuffix;
if (subobj.ROLE == "domain controller") {
smbconfsuffix = "dc";
} else if (subobj.ROLE == "member server") {
smbconfsuffix = "member";
} else {
smbconfsuffix = subobj.ROLE;
}
message("Setting up " + paths.smbconf +"\n");
setup_file("provision.smb.conf", info.message, paths.smbconf, subobj);
setup_file("provision.smb.conf." + smbconfsuffix, info.message, paths.smbconf, subobj);
lp.reload();
}
/* only install a new shares config db if there is none */
@ -724,7 +745,7 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
message("Setting up sam.ldb users and groups\n");
setup_add_ldif("provision_users.ldif", info, samdb, false);
if (lp.get("server role") == "domain controller") {
if (subobj.SERVERROLE == "domain controller") {
message("Setting up self join\n");
setup_add_ldif("provision_self_join.ldif", info, samdb, false);
setup_add_ldif("provision_group_policy.ldif", info, samdb, false);
@ -737,6 +758,9 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/User", 0755);
sys.mkdir(paths.netlogon, 0755);
setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
}
if (setup_name_mappings(info, samdb) == false) {
@ -809,8 +833,8 @@ function provision_schema(subobj, message, tmp_schema_path, paths)
function provision_dns(subobj, message, paths, session_info, credentials)
{
var lp = loadparm_init();
if (lp.get("server role") != "domain controller") {
message("No DNS zone required for role %s\n", lp.get("server role"));
if (subobj.SERVERROLE != "domain controller") {
message("No DNS zone required for role %s\n", subobj.SERVERROLE);
return;
}
message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n");
@ -886,6 +910,7 @@ function provision_guess()
var rdn_list;
random_init(local);
subobj.SERVERROLE = strlower(lp.get("server role"));
subobj.REALM = strupper(lp.get("realm"));
subobj.DOMAIN = lp.get("workgroup");
subobj.HOSTNAME = hostname();
@ -1100,15 +1125,21 @@ function provision_validate(subobj, message)
}
if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN)) {
if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN_CONF)) {
message("workgroup '%s' in smb.conf must match chosen domain '%s'\n",
lp.get("workgroup"), subobj.DOMAIN);
lp.get("workgroup"), subobj.DOMAIN_CONF);
return false;
}
if (strupper(lp.get("realm")) != strupper(subobj.REALM)) {
if (strupper(lp.get("realm")) != strupper(subobj.REALM_CONF)) {
message("realm '%s' in smb.conf must match chosen realm '%s'\n",
lp.get("realm"), subobj.REALM);
lp.get("realm"), subobj.REALM_CONF);
return false;
}
if (strupper(lp.get("server role")) != strupper(subobj.SERVERROLE)) {
message("server role '%s' in smb.conf must match chosen role '%s'\n",
lp.get("server role"), subobj.SERVERROLE);
return false;
}

View File

@ -297,10 +297,6 @@ sub provision($$$$$$)
$tmpdir);
my $localdomain = $domain;
$localdomain = $netbiosname if $server_role eq "member server";
my $localrealm = $realm;
$localrealm = $netbiosname if $server_role eq "member server";
my $localbasedn = $basedn;
$localbasedn = "DC=$netbiosname" if $server_role eq "member server";
@ -416,9 +412,9 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
push (@provision_options, split(' ', $configuration));
push (@provision_options, "--host-name=$netbiosname");
push (@provision_options, "--host-ip=$ifaceipv4");
push (@provision_options, "--quiet");
push (@provision_options, "--domain=$localdomain");
push (@provision_options, "--realm=$localrealm");
# push (@provision_options, "--quiet");
push (@provision_options, "--domain=$domain");
push (@provision_options, "--realm=$realm");
push (@provision_options, "--adminpass=$password");
push (@provision_options, "--krbtgtpass=krbtgt$password");
push (@provision_options, "--machinepass=machine$password");
@ -426,6 +422,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
push (@provision_options, "--password=$password");
push (@provision_options, "--root=$root");
push (@provision_options, "--server-role=$server_role");
my $ldap_uri= "$ldapdir/ldapi";
$ldap_uri =~ s|/|%2F|g;
@ -454,7 +451,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
if (defined($self->{ldap})) {
push (@provision_options, "--ldap-backend=$ldap_uri");
system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$localrealm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$realm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
if ($self->{ldap} eq "openldap") {
($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");

View File

@ -3,11 +3,12 @@
# the BIND nameserver.
#
#insert this into options {}
# If you have a very recent BIND, supporting GSS-TSIG,
# insert this into options {} (otherwise omit, it is not required if we don't accept updates)
tkey-gssapi-credential "DNS/${DNSDOMAIN}";
tkey-domain "${REALM}";
#the zone file
# You should always include the actual zone configuration reference:
zone "${DNSDOMAIN}." IN {
type master;
file "${DNSDOMAIN}.zone";

View File

@ -32,6 +32,7 @@ options = GetOptions(ARGV,
'users=s',
'quiet',
'blank',
'server-role=s',
'partitions-only',
'ldap-base',
'ldap-backend=s',
@ -84,6 +85,7 @@ provision [options]
--users GROUPNAME choose 'users' group
--quiet Be quiet
--blank do not add users or groups, just the structure
--server-role ROLE Set server role to provision for (default standalone)
--partitions-only Configure Samba's partitions, but do not modify them (ie, join a BDC)
--ldap-base output only an LDIF file, suitable for creating an LDAP baseDN
--ldap-backend LDAPSERVER LDAP server to use for this provision
@ -112,6 +114,7 @@ if (options["realm"] == undefined ||
var lp = loadparm_init();
lp.set("realm", options.realm);
lp.set("workgroup", options.domain);
lp.set("server role", options["server-role"]);
lp.reload();
var subobj = provision_guess();

View File

@ -1,8 +1,8 @@
[globals]
netbios name = ${HOSTNAME}
workgroup = ${DOMAIN}
realm = ${REALM}
server role = domain controller
workgroup = ${DOMAIN_CONF}
realm = ${REALM_CONF}
server role = ${SERVERROLE}
[netlogon]
path = ${NETLOGONPATH}

View File

@ -0,0 +1,5 @@
[globals]
netbios name = ${HOSTNAME}
workgroup = ${DOMAIN_CONF}
realm = ${REALM_CONF}
server role = ${SERVERROLE}

View File

@ -0,0 +1,5 @@
[globals]
netbios name = ${HOSTNAME}
workgroup = ${DOMAIN_CONF}
realm = ${REALM_CONF}
server role = ${SERVERROLE}

View File

@ -21,3 +21,21 @@ servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
${HOSTGUID_ADD}
#Provide a account for DNS keytab export
dn: CN=dns,CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: dns
description: DNS Service Account
showInAdvancedViewOnly: TRUE
userAccountControl: 514
accountExpires: 9223372036854775807
sAMAccountName: dns
sAMAccountType: 805306368
servicePrincipalName: DNS/${DNSDOMAIN}
isCriticalSystemObject: TRUE
sambaPassword:: ${DNSPASS_B64}

View File

@ -205,22 +205,6 @@ servicePrincipalName: kadmin/changepw
isCriticalSystemObject: TRUE
sambaPassword:: ${KRBTGTPASS_B64}
dn: CN=dns,CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: dns
description: DNS Service Account
showInAdvancedViewOnly: TRUE
userAccountControl: 514
accountExpires: 9223372036854775807
sAMAccountName: dns
sAMAccountType: 805306368
servicePrincipalName: DNS/${DNSDOMAIN}
isCriticalSystemObject: TRUE
sambaPassword:: ${DNSPASS_B64}
dn: CN=Domain Computers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group

View File

@ -8,47 +8,3 @@ objectClass: top
objectClass: container
cn: Primary Domains
dn: flatname=${DOMAIN},CN=Primary Domains
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
flatname: ${DOMAIN}
realm: ${REALM}
secret:: ${MACHINEPASS_B64}
secureChannelType: 6
sAMAccountName: ${NETBIOSNAME}$
whenCreated: ${LDAPTIME}
whenChanged: ${LDAPTIME}
msDS-KeyVersionNumber: 1
objectSid: ${DOMAINSID}
privateKeytab: ${SECRETS_KEYTAB}
# A hook from our credentials system into HDB, as we must be on a KDC,
# we can look directly into the database.
dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
objectClass: top
objectClass: secret
objectClass: kerberosSecret
flatname: ${DOMAIN}
realm: ${REALM}
sAMAccountName: krbtgt
whenCreated: ${LDAPTIME}
whenChanged: ${LDAPTIME}
objectSid: ${DOMAINSID}
servicePrincipalName: kadmin/changepw
krb5Keytab: HDB:ldb:${SAM_LDB}:
#The trailing : here is a HACK, but it matches the Heimdal format.
# A hook from our credentials system into HDB, as we must be on a KDC,
# we can look directly into the database.
dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
objectClass: top
objectClass: secret
objectClass: kerberosSecret
realm: ${REALM}
whenCreated: ${LDAPTIME}
whenChanged: ${LDAPTIME}
servicePrincipalName: DNS/${DNSDOMAIN}
privateKeytab: ${DNS_KEYTAB}
secret:: ${DNSPASS_B64}

View File

@ -0,0 +1,44 @@
dn: flatname=${DOMAIN},CN=Primary Domains
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
flatname: ${DOMAIN}
realm: ${REALM}
secret:: ${MACHINEPASS_B64}
secureChannelType: 6
sAMAccountName: ${NETBIOSNAME}$
whenCreated: ${LDAPTIME}
whenChanged: ${LDAPTIME}
msDS-KeyVersionNumber: 1
objectSid: ${DOMAINSID}
privateKeytab: ${SECRETS_KEYTAB}
# A hook from our credentials system into HDB, as we must be on a KDC,
# we can look directly into the database.
dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
objectClass: top
objectClass: secret
objectClass: kerberosSecret
flatname: ${DOMAIN}
realm: ${REALM}
sAMAccountName: krbtgt
whenCreated: ${LDAPTIME}
whenChanged: ${LDAPTIME}
objectSid: ${DOMAINSID}
servicePrincipalName: kadmin/changepw
krb5Keytab: HDB:ldb:${SAM_LDB}:
#The trailing : here is a HACK, but it matches the Heimdal format.
# A hook from our credentials system into HDB, as we must be on a KDC,
# we can look directly into the database.
dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
objectClass: top
objectClass: secret
objectClass: kerberosSecret
realm: ${REALM}
whenCreated: ${LDAPTIME}
whenChanged: ${LDAPTIME}
servicePrincipalName: DNS/${DNSDOMAIN}
privateKeytab: ${DNS_KEYTAB}
secret:: ${DNSPASS_B64}