mirror of
https://github.com/samba-team/samba.git
synced 2025-08-04 08:22:08 +03:00
s4-provision: switch to dns-HOSTNAME instead of dns
We now use a host specific account name for the DNS account, which is
the account used for dynamic DNS updates. We also setup the
servicePrincipalName for automatic update, and add both DNS/${DNSDOMAIN}
and DNS/${DNSNAME} for compatibility with both the old and new SPNs
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andrew Tridgell
@ -687,21 +687,26 @@ def secretsdb_self_join(secretsdb, domain,
|
|||||||
"priorChanged",
|
"priorChanged",
|
||||||
"krb5Keytab",
|
"krb5Keytab",
|
||||||
"privateKeytab"]
|
"privateKeytab"]
|
||||||
|
|
||||||
|
if realm is not None:
|
||||||
|
if dnsdomain is None:
|
||||||
|
dnsdomain = realm.lower()
|
||||||
|
dnsname = '%s.%s' % (netbiosname.lower(), dnsdomain.lower())
|
||||||
|
else:
|
||||||
|
dnsname = None
|
||||||
|
shortname = netbiosname.lower()
|
||||||
|
|
||||||
#We don't need to set msg["flatname"] here, because rdn_name will handle it, and it causes problems for modifies anyway
|
#We don't need to set msg["flatname"] here, because rdn_name will handle it, and it causes problems for modifies anyway
|
||||||
msg = ldb.Message(ldb.Dn(secretsdb, "flatname=%s,cn=Primary Domains" % domain))
|
msg = ldb.Message(ldb.Dn(secretsdb, "flatname=%s,cn=Primary Domains" % domain))
|
||||||
msg["secureChannelType"] = [str(secure_channel_type)]
|
msg["secureChannelType"] = [str(secure_channel_type)]
|
||||||
msg["objectClass"] = ["top", "primaryDomain"]
|
msg["objectClass"] = ["top", "primaryDomain"]
|
||||||
if realm is not None:
|
if dnsname is not None:
|
||||||
if dnsdomain is None:
|
|
||||||
dnsdomain = realm.lower()
|
|
||||||
msg["objectClass"] = ["top", "primaryDomain", "kerberosSecret"]
|
msg["objectClass"] = ["top", "primaryDomain", "kerberosSecret"]
|
||||||
msg["realm"] = [realm]
|
msg["realm"] = [realm]
|
||||||
msg["saltPrincipal"] = ["host/%s.%s@%s" % (netbiosname.lower(), dnsdomain.lower(), realm.upper())]
|
msg["saltPrincipal"] = ["host/%s@%s" % (dnsname, realm.upper())]
|
||||||
msg["msDS-KeyVersionNumber"] = [str(key_version_number)]
|
msg["msDS-KeyVersionNumber"] = [str(key_version_number)]
|
||||||
msg["privateKeytab"] = ["secrets.keytab"]
|
msg["privateKeytab"] = ["secrets.keytab"]
|
||||||
|
|
||||||
|
|
||||||
msg["secret"] = [machinepass]
|
msg["secret"] = [machinepass]
|
||||||
msg["samAccountName"] = ["%s$" % netbiosname]
|
msg["samAccountName"] = ["%s$" % netbiosname]
|
||||||
msg["secureChannelType"] = [str(secure_channel_type)]
|
msg["secureChannelType"] = [str(secure_channel_type)]
|
||||||
@ -742,10 +747,17 @@ def secretsdb_self_join(secretsdb, domain,
|
|||||||
secretsdb.modify(msg)
|
secretsdb.modify(msg)
|
||||||
secretsdb.rename(res[0].dn, msg.dn)
|
secretsdb.rename(res[0].dn, msg.dn)
|
||||||
else:
|
else:
|
||||||
|
spn = [ 'HOST/%s' % shortname ]
|
||||||
|
if secure_channel_type == SEC_CHAN_BDC and dnsname is not None:
|
||||||
|
# we are a domain controller then we add servicePrincipalName entries
|
||||||
|
# for the keytab code to update
|
||||||
|
spn.extend([ 'HOST/%s' % dnsname ])
|
||||||
|
msg["servicePrincipalName"] = spn
|
||||||
|
|
||||||
secretsdb.add(msg)
|
secretsdb.add(msg)
|
||||||
|
|
||||||
|
|
||||||
def secretsdb_setup_dns(secretsdb, setup_path, private_dir,
|
def secretsdb_setup_dns(secretsdb, setup_path, names, private_dir,
|
||||||
realm, dnsdomain,
|
realm, dnsdomain,
|
||||||
dns_keytab_path, dnspass):
|
dns_keytab_path, dnspass):
|
||||||
"""Add DNS specific bits to a secrets database.
|
"""Add DNS specific bits to a secrets database.
|
||||||
@ -764,6 +776,8 @@ def secretsdb_setup_dns(secretsdb, setup_path, private_dir,
|
|||||||
"DNSDOMAIN": dnsdomain,
|
"DNSDOMAIN": dnsdomain,
|
||||||
"DNS_KEYTAB": dns_keytab_path,
|
"DNS_KEYTAB": dns_keytab_path,
|
||||||
"DNSPASS_B64": b64encode(dnspass),
|
"DNSPASS_B64": b64encode(dnspass),
|
||||||
|
"HOSTNAME": names.hostname,
|
||||||
|
"DNSNAME" : '%s.%s' % (names.netbiosname.lower(), names.dnsdomain.lower())
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
||||||
@ -944,6 +958,8 @@ def setup_self_join(samdb, names,
|
|||||||
"DNSDOMAIN": names.dnsdomain,
|
"DNSDOMAIN": names.dnsdomain,
|
||||||
"DOMAINDN": names.domaindn,
|
"DOMAINDN": names.domaindn,
|
||||||
"DNSPASS_B64": b64encode(dnspass),
|
"DNSPASS_B64": b64encode(dnspass),
|
||||||
|
"HOSTNAME" : names.hostname,
|
||||||
|
"DNSNAME" : '%s.%s' % (names.netbiosname.lower(), names.dnsdomain.lower())
|
||||||
})
|
})
|
||||||
|
|
||||||
def getpolicypath(sysvolpath, dnsdomain, guid):
|
def getpolicypath(sysvolpath, dnsdomain, guid):
|
||||||
@ -1583,7 +1599,7 @@ def provision(setup_dir, logger, session_info,
|
|||||||
|
|
||||||
|
|
||||||
if serverrole == "domain controller":
|
if serverrole == "domain controller":
|
||||||
secretsdb_setup_dns(secrets_ldb, setup_path,
|
secretsdb_setup_dns(secrets_ldb, setup_path, names,
|
||||||
paths.private_dir,
|
paths.private_dir,
|
||||||
realm=names.realm, dnsdomain=names.dnsdomain,
|
realm=names.realm, dnsdomain=names.dnsdomain,
|
||||||
dns_keytab_path=paths.dns_keytab,
|
dns_keytab_path=paths.dns_keytab,
|
||||||
|
|||||||
@ -88,15 +88,19 @@ dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwDqAHg==
|
|||||||
|
|
||||||
|
|
||||||
# NOTE: This account is SAMBA4 specific!
|
# NOTE: This account is SAMBA4 specific!
|
||||||
dn: CN=dns,CN=Users,${DOMAINDN}
|
# we have it to avoid the need for the bind daemon to
|
||||||
|
# have access to the whole secrets.keytab for the domain,
|
||||||
|
# otherwise bind could impersonate any user
|
||||||
|
dn: CN=dns-${HOSTNAME},CN=Users,${DOMAINDN}
|
||||||
objectClass: top
|
objectClass: top
|
||||||
objectClass: person
|
objectClass: person
|
||||||
objectClass: organizationalPerson
|
objectClass: organizationalPerson
|
||||||
objectClass: user
|
objectClass: user
|
||||||
description: DNS Service Account
|
description: DNS Service Account for ${HOSTNAME}
|
||||||
userAccountControl: 514
|
userAccountControl: 514
|
||||||
accountExpires: 9223372036854775807
|
accountExpires: 9223372036854775807
|
||||||
sAMAccountName: dns
|
sAMAccountName: dns-${HOSTNAME}
|
||||||
|
servicePrincipalName: DNS/${DNSNAME}
|
||||||
servicePrincipalName: DNS/${DNSDOMAIN}
|
servicePrincipalName: DNS/${DNSDOMAIN}
|
||||||
userPassword:: ${DNSPASS_B64}
|
userPassword:: ${DNSPASS_B64}
|
||||||
isCriticalSystemObject: TRUE
|
isCriticalSystemObject: TRUE
|
||||||
|
|||||||
@ -1,11 +1,12 @@
|
|||||||
#Update a keytab for the external DNS server to use
|
#Update a keytab for the external DNS server to use
|
||||||
dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
|
dn: samAccountName=dns-${HOSTNAME},CN=Principals
|
||||||
objectClass: top
|
objectClass: top
|
||||||
objectClass: secret
|
objectClass: secret
|
||||||
objectClass: kerberosSecret
|
objectClass: kerberosSecret
|
||||||
realm: ${REALM}
|
realm: ${REALM}
|
||||||
servicePrincipalName: DNS/${DNSDOMAIN}
|
servicePrincipalName: DNS/${DNSDOMAIN}
|
||||||
|
servicePrincipalName: DNS/${DNSNAME}
|
||||||
msDS-KeyVersionNumber: 1
|
msDS-KeyVersionNumber: 1
|
||||||
privateKeytab: ${DNS_KEYTAB}
|
privateKeytab: ${DNS_KEYTAB}
|
||||||
secret:: ${DNSPASS_B64}
|
secret:: ${DNSPASS_B64}
|
||||||
samAccountName: dns
|
samAccountName: dns-${HOSTNAME}
|
||||||
|
|||||||
@ -1,13 +0,0 @@
|
|||||||
dn: flatname=${DOMAIN},CN=Primary Domains
|
|
||||||
objectClass: top
|
|
||||||
objectClass: primaryDomain
|
|
||||||
objectClass: kerberosSecret
|
|
||||||
flatname: ${DOMAIN}
|
|
||||||
realm: ${REALM}
|
|
||||||
secret:: ${MACHINEPASS_B64}
|
|
||||||
secureChannelType: 6
|
|
||||||
sAMAccountName: ${NETBIOSNAME}$
|
|
||||||
msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER}
|
|
||||||
objectSid: ${DOMAINSID}
|
|
||||||
privateKeytab: ${SECRETS_KEYTAB}
|
|
||||||
saltPrincipal: ${SALT_PRINCIPAL}
|
|
||||||
Reference in New Issue
Block a user