mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s4 - SID allocation using FDS DNA plugin
This commit is contained in:
parent
40a06c0101
commit
e035433bab
@ -471,6 +471,7 @@ sub provision_raw_prepare($$$$$$$)
|
||||
$ctx->{realm} = "SAMBA.EXAMPLE.COM";
|
||||
$ctx->{dnsname} = "samba.example.com";
|
||||
$ctx->{basedn} = "dc=samba,dc=example,dc=com";
|
||||
$ctx->{sid_generator} = "internal";
|
||||
|
||||
my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `whoami`);
|
||||
chomp $unix_name;
|
||||
@ -578,7 +579,14 @@ sub provision_raw_step1($$)
|
||||
#We don't want to pass our self-tests if the PAC code is wrong
|
||||
gensec:require_pac = true
|
||||
log level = $ctx->{server_loglevel}
|
||||
lanman auth = Yes
|
||||
lanman auth = Yes";
|
||||
|
||||
if (defined($ctx->{sid_generator}) && $ctx->{sid_generator} ne "internal") {
|
||||
print CONFFILE "
|
||||
sid generator = $ctx->{sid_generator}";
|
||||
}
|
||||
|
||||
print CONFFILE "
|
||||
|
||||
# Begin extra options
|
||||
$ctx->{smb_conf_extra_options}
|
||||
@ -778,6 +786,10 @@ sub provision($$$$$$$)
|
||||
$ldap_uri =~ s|/|%2F|g;
|
||||
$ldap_uri = "ldapi://$ldap_uri";
|
||||
$ctx->{ldap_uri} = $ldap_uri;
|
||||
|
||||
if ($self->{ldap} eq "fedora-ds") {
|
||||
$ctx->{sid_generator} = "backend";
|
||||
}
|
||||
}
|
||||
|
||||
my $ret = $self->provision_raw_step1($ctx);
|
||||
|
@ -37,6 +37,7 @@
|
||||
#include "librpc/gen_ndr/ndr_security.h"
|
||||
#include "../lib/util/util_ldb.h"
|
||||
#include "ldb_wrap.h"
|
||||
#include "param/param.h"
|
||||
|
||||
struct samldb_ctx;
|
||||
|
||||
@ -923,6 +924,8 @@ static int samldb_add_entry(struct samldb_ctx *ac)
|
||||
static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
|
||||
{
|
||||
struct ldb_context *ldb;
|
||||
struct loadparm_context *lp_ctx;
|
||||
enum sid_generator sid_generator;
|
||||
int ret;
|
||||
|
||||
ldb = ldb_module_get_ctx(ac->module);
|
||||
@ -997,19 +1000,25 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
|
||||
if (ret != LDB_SUCCESS) return ret;
|
||||
}
|
||||
|
||||
/* check if we have a valid SID */
|
||||
ac->sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
|
||||
if ( ! ac->sid) {
|
||||
ret = samldb_add_step(ac, samldb_new_sid);
|
||||
if (ret != LDB_SUCCESS) return ret;
|
||||
} else {
|
||||
ret = samldb_add_step(ac, samldb_get_sid_domain);
|
||||
lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
|
||||
struct loadparm_context);
|
||||
|
||||
sid_generator = lp_sid_generator(lp_ctx);
|
||||
if (sid_generator == SID_GENERATOR_INTERNAL) {
|
||||
/* check if we have a valid SID */
|
||||
ac->sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
|
||||
if ( ! ac->sid) {
|
||||
ret = samldb_add_step(ac, samldb_new_sid);
|
||||
if (ret != LDB_SUCCESS) return ret;
|
||||
} else {
|
||||
ret = samldb_add_step(ac, samldb_get_sid_domain);
|
||||
if (ret != LDB_SUCCESS) return ret;
|
||||
}
|
||||
|
||||
ret = samldb_add_step(ac, samldb_notice_sid);
|
||||
if (ret != LDB_SUCCESS) return ret;
|
||||
}
|
||||
|
||||
ret = samldb_add_step(ac, samldb_notice_sid);
|
||||
if (ret != LDB_SUCCESS) return ret;
|
||||
|
||||
/* finally proceed with adding the entry */
|
||||
ret = samldb_add_step(ac, samldb_add_entry);
|
||||
if (ret != LDB_SUCCESS) return ret;
|
||||
|
@ -79,6 +79,7 @@ static bool defaults_saved = false;
|
||||
struct loadparm_global
|
||||
{
|
||||
enum server_role server_role;
|
||||
enum sid_generator sid_generator;
|
||||
|
||||
const char **smb_ports;
|
||||
char *ncalrpc_dir;
|
||||
@ -328,12 +329,18 @@ static const struct enum_list enum_server_role[] = {
|
||||
{-1, NULL}
|
||||
};
|
||||
|
||||
static const struct enum_list enum_sid_generator[] = {
|
||||
{SID_GENERATOR_INTERNAL, "internal"},
|
||||
{SID_GENERATOR_BACKEND, "backend"},
|
||||
{-1, NULL}
|
||||
};
|
||||
|
||||
#define GLOBAL_VAR(name) offsetof(struct loadparm_global, name)
|
||||
#define LOCAL_VAR(name) offsetof(struct loadparm_service, name)
|
||||
|
||||
static struct parm_struct parm_table[] = {
|
||||
{"server role", P_ENUM, P_GLOBAL, GLOBAL_VAR(server_role), NULL, enum_server_role},
|
||||
{"sid generator", P_ENUM, P_GLOBAL, GLOBAL_VAR(sid_generator), NULL, enum_sid_generator},
|
||||
|
||||
{"dos charset", P_STRING, P_GLOBAL, GLOBAL_VAR(dos_charset), NULL, NULL},
|
||||
{"unix charset", P_STRING, P_GLOBAL, GLOBAL_VAR(unix_charset), NULL, NULL},
|
||||
@ -612,6 +619,7 @@ static const char *lp_string(const char *s)
|
||||
int fn_name(struct loadparm_service *service, struct loadparm_service *sDefault) {return((service != NULL)? service->val : sDefault->val);}
|
||||
|
||||
_PUBLIC_ FN_GLOBAL_INTEGER(lp_server_role, server_role)
|
||||
_PUBLIC_ FN_GLOBAL_INTEGER(lp_sid_generator, sid_generator)
|
||||
_PUBLIC_ FN_GLOBAL_LIST(lp_smb_ports, smb_ports)
|
||||
_PUBLIC_ FN_GLOBAL_INTEGER(lp_nbt_port, nbt_port)
|
||||
_PUBLIC_ FN_GLOBAL_INTEGER(lp_dgram_port, dgram_port)
|
||||
|
@ -51,6 +51,11 @@ enum server_role {
|
||||
ROLE_DOMAIN_CONTROLLER=2,
|
||||
};
|
||||
|
||||
enum sid_generator {
|
||||
SID_GENERATOR_INTERNAL=0,
|
||||
SID_GENERATOR_BACKEND=1,
|
||||
};
|
||||
|
||||
enum announce_as {/* Types of machine we can announce as. */
|
||||
ANNOUNCE_AS_NT_SERVER=1,
|
||||
ANNOUNCE_AS_WIN95=2,
|
||||
@ -69,6 +74,7 @@ void reload_charcnv(struct loadparm_context *lp_ctx);
|
||||
struct loadparm_service *lp_default_service(struct loadparm_context *lp_ctx);
|
||||
struct parm_struct *lp_parm_table(void);
|
||||
int lp_server_role(struct loadparm_context *);
|
||||
int lp_sid_generator(struct loadparm_context *);
|
||||
const char **lp_smb_ports(struct loadparm_context *);
|
||||
int lp_nbt_port(struct loadparm_context *);
|
||||
int lp_dgram_port(struct loadparm_context *);
|
||||
|
@ -144,6 +144,7 @@ class ProvisionPaths(object):
|
||||
self.fedoradsinf = None
|
||||
self.fedoradspartitions = None
|
||||
self.fedoradssasl = None
|
||||
self.fedoradsdna = None
|
||||
self.fedoradspam = None
|
||||
self.fedoradsrefint = None
|
||||
self.fedoradslinkedattributes = None
|
||||
@ -394,8 +395,10 @@ def provision_paths_from_lp(lp, dnsdomain):
|
||||
"fedorads-partitions.ldif")
|
||||
paths.fedoradssasl = os.path.join(paths.ldapdir,
|
||||
"fedorads-sasl.ldif")
|
||||
paths.fedoradsdna = os.path.join(paths.ldapdir,
|
||||
"fedorads-dna.ldif")
|
||||
paths.fedoradspam = os.path.join(paths.ldapdir,
|
||||
"fedorads-pam.ldif")
|
||||
"fedorads-pam.ldif")
|
||||
paths.fedoradsrefint = os.path.join(paths.ldapdir,
|
||||
"fedorads-refint.ldif")
|
||||
paths.fedoradslinkedattributes = os.path.join(paths.ldapdir,
|
||||
@ -517,7 +520,7 @@ def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
|
||||
|
||||
|
||||
def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
|
||||
targetdir):
|
||||
targetdir, sid_generator):
|
||||
"""Create a new smb.conf file based on a couple of basic settings.
|
||||
"""
|
||||
assert smbconf is not None
|
||||
@ -536,6 +539,9 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
|
||||
elif serverrole == "standalone":
|
||||
smbconfsuffix = "standalone"
|
||||
|
||||
if sid_generator is None:
|
||||
sid_generator = "internal"
|
||||
|
||||
assert domain is not None
|
||||
domain = domain.upper()
|
||||
|
||||
@ -556,6 +562,11 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
|
||||
privatedir_line = ""
|
||||
lockdir_line = ""
|
||||
|
||||
if sid_generator == "internal":
|
||||
sid_generator_line = ""
|
||||
else:
|
||||
sid_generator_line = "sid generator = " + sid_generator
|
||||
|
||||
sysvol = os.path.join(default_lp.get("lock dir"), "sysvol")
|
||||
netlogon = os.path.join(sysvol, realm.lower(), "scripts")
|
||||
|
||||
@ -567,6 +578,7 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
|
||||
"SERVERROLE": serverrole,
|
||||
"NETLOGONPATH": netlogon,
|
||||
"SYSVOLPATH": sysvol,
|
||||
"SIDGENERATOR_LINE": sid_generator_line,
|
||||
"PRIVATEDIR_LINE": privatedir_line,
|
||||
"LOCKDIR_LINE": lockdir_line
|
||||
})
|
||||
@ -1248,6 +1260,9 @@ def provision(setup_dir, message, session_info,
|
||||
#Make a new, random password between Samba and it's LDAP server
|
||||
ldapadminpass=glue.generate_random_str(12)
|
||||
|
||||
sid_generator = "internal"
|
||||
if ldap_backend_type == "fedora-ds":
|
||||
sid_generator = "backend"
|
||||
|
||||
root_uid = findnss_uid([root or "root"])
|
||||
nobody_uid = findnss_uid([nobody or "nobody"])
|
||||
@ -1267,7 +1282,7 @@ def provision(setup_dir, message, session_info,
|
||||
# only install a new smb.conf if there isn't one there already
|
||||
if not os.path.exists(smbconf):
|
||||
make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
|
||||
targetdir)
|
||||
targetdir, sid_generator)
|
||||
|
||||
lp = param.LoadParm()
|
||||
lp.load(smbconf)
|
||||
@ -1322,7 +1337,8 @@ def provision(setup_dir, message, session_info,
|
||||
ol_mmr_urls=ol_mmr_urls,
|
||||
slapd_path=slapd_path,
|
||||
setup_ds_path=setup_ds_path,
|
||||
ldap_dryrun_mode=ldap_dryrun_mode)
|
||||
ldap_dryrun_mode=ldap_dryrun_mode,
|
||||
domainsid=domainsid)
|
||||
|
||||
# Now use the backend credentials to access the databases
|
||||
credentials = provision_backend.credentials
|
||||
@ -1579,7 +1595,8 @@ class ProvisionBackend(object):
|
||||
ldap_backend_type=None, ldap_backend_extra_port=None,
|
||||
ol_mmr_urls=None,
|
||||
setup_ds_path=None, slapd_path=None,
|
||||
nosync=False, ldap_dryrun_mode=False):
|
||||
nosync=False, ldap_dryrun_mode=False,
|
||||
domainsid=None):
|
||||
"""Provision an LDAP backend for samba4
|
||||
|
||||
This works for OpenLDAP and Fedora DS
|
||||
@ -1670,7 +1687,8 @@ class ProvisionBackend(object):
|
||||
setup_ds_path=setup_ds_path,
|
||||
slapd_path=slapd_path,
|
||||
nosync=nosync,
|
||||
ldap_dryrun_mode=ldap_dryrun_mode)
|
||||
ldap_dryrun_mode=ldap_dryrun_mode,
|
||||
domainsid=domainsid)
|
||||
|
||||
elif ldap_backend_type == "openldap":
|
||||
provision_openldap_backend(self, paths=paths, setup_path=setup_path,
|
||||
@ -1947,7 +1965,8 @@ def provision_fds_backend(result, paths=None, setup_path=None, names=None,
|
||||
setup_ds_path=None,
|
||||
slapd_path=None,
|
||||
nosync=False,
|
||||
ldap_dryrun_mode=False):
|
||||
ldap_dryrun_mode=False,
|
||||
domainsid=None):
|
||||
|
||||
if ldap_backend_extra_port is not None:
|
||||
serverport = "ServerPort=%d" % ldap_backend_extra_port
|
||||
@ -1974,6 +1993,12 @@ def provision_fds_backend(result, paths=None, setup_path=None, names=None,
|
||||
{"SAMBADN": names.sambadn,
|
||||
})
|
||||
|
||||
setup_file(setup_path("fedorads-dna.ldif"), paths.fedoradsdna,
|
||||
{"DOMAINDN": names.domaindn,
|
||||
"SAMBADN": names.sambadn,
|
||||
"DOMAINSID": str(domainsid),
|
||||
})
|
||||
|
||||
setup_file(setup_path("fedorads-pam.ldif"), paths.fedoradspam)
|
||||
|
||||
lnkattr = get_linked_attributes(names.schemadn,schema.ldb)
|
||||
|
18
source4/setup/fedorads-dna.ldif
Normal file
18
source4/setup/fedorads-dna.ldif
Normal file
@ -0,0 +1,18 @@
|
||||
dn: cn=Samba SIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
objectClass: top
|
||||
objectClass: extensibleObject
|
||||
cn: Samba SIDs
|
||||
dnaType: sambaSID
|
||||
dnaMaxValue: 10000
|
||||
dnaMagicRegen: 0
|
||||
dnaFilter: (|(objectClass=user)(objectClass=group))
|
||||
dnaScope: ${DOMAINDN}
|
||||
dnaNextValue: 1000
|
||||
dnaSharedCfgDn: cn=Samba SIDs,ou=Ranges,${SAMBADN}
|
||||
dnaPrefix: ${DOMAINSID}-
|
||||
|
||||
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
|
||||
changetype: modify
|
||||
replace: nsslapd-pluginEnabled
|
||||
nsslapd-pluginEnabled: on
|
||||
-
|
@ -9,3 +9,13 @@ objectClass: person
|
||||
cn: samba-admin
|
||||
sn: samba-admin
|
||||
userPassword: {CLEAR}${LDAPADMINPASS}
|
||||
|
||||
dn: ou=Ranges,${SAMBADN}
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
ou: Ranges
|
||||
|
||||
dn: cn=Samba SIDs,ou=Ranges,${SAMBADN}
|
||||
objectClass: top
|
||||
objectClass: nsContainer
|
||||
cn: Samba SIDs
|
||||
|
@ -33,6 +33,7 @@ SchemaFile=/etc/dirsrv/schema/06inetorgperson.ldif
|
||||
SchemaFile=/usr/share/dirsrv/data/60samba3.ldif
|
||||
ConfigFile = ${LDAPDIR}/fedorads-partitions.ldif
|
||||
ConfigFile = ${LDAPDIR}/fedorads-sasl.ldif
|
||||
ConfigFile = ${LDAPDIR}/fedorads-dna.ldif
|
||||
ConfigFile = ${LDAPDIR}/fedorads-pam.ldif
|
||||
ConfigFile = ${LDAPDIR}/fedorads-refint.ldif
|
||||
ConfigFile = ${LDAPDIR}/fedorads-linked-attributes.ldif
|
||||
|
@ -3,6 +3,7 @@
|
||||
workgroup = ${DOMAIN}
|
||||
realm = ${REALM}
|
||||
server role = ${SERVERROLE}
|
||||
${SIDGENERATOR_LINE}
|
||||
${PRIVATEDIR_LINE}
|
||||
${LOCKDIR_LINE}
|
||||
|
||||
|
@ -3,5 +3,6 @@
|
||||
workgroup = ${DOMAIN}
|
||||
realm = ${REALM}
|
||||
server role = ${SERVERROLE}
|
||||
${SIDGENERATOR_LINE}
|
||||
${PRIVATEDIR_LINE}
|
||||
${LOCKDIR_LINE}
|
||||
|
@ -3,5 +3,6 @@
|
||||
workgroup = ${DOMAIN}
|
||||
realm = ${REALM}
|
||||
server role = ${SERVERROLE}
|
||||
${SIDGENERATOR_LINE}
|
||||
${PRIVATEDIR_LINE}
|
||||
${LOCKDIR_LINE}
|
||||
|
Loading…
Reference in New Issue
Block a user