1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

17 Commits

Author SHA1 Message Date
Andrew Bartlett
ee257e902a r25299: Modify the provision script to take an additional argument: --server-role
This must be set to either 'domain controller', 'domain member' or 'standalone'.

The default for the provision now changes to 'standalone'.

This is not because Samba4 is particularlly useful in that mode, but
because we still want a positive sign from the administrator that we
should advertise as a DC.

We now do more to ensure the 'standalone' and 'member server'
provision output is reasonable, and try not to set odd things into the
database that only belong for the DC.

Andrew Bartlett
(This used to be commit 4cc4ed7719)
2007-10-10 15:07:09 -05:00
Andrew Bartlett
f681306335 r24760: Ensure we base64 encode any password being put into LDIF, to avoid
provision failures when some of the random password values are illigal
LDIF.

Andrew Bartlett
(This used to be commit 876003f6c6)
2007-10-10 15:03:05 -05:00
Andrew Bartlett
73388ce54c r24729: First try and publishing a DNS service account, for folks to play with.
The keytab in dns.keytab should (I hope) do the job.

Andrew Bartlett
(This used to be commit af4d331eef)
2007-10-10 15:02:58 -05:00
Andrew Bartlett
744dddd75b r21135: Instead of having hooks to update keytabs as an explicit thing, update
them as a hook on ldb modify, via a module.

This should allow the secrets.ldb to be edited by the admin, and to
have things update in the on-disk keytab just as an in-memory keytab
would.

This isn't really a dsdb plugin, but I don't have any other good ideas
about where to put it.

Andrew Bartlett
(This used to be commit 6ce557a1af)
2007-10-10 14:44:31 -05:00
Stefan Metzmacher
03d2647bd0 r20805: don't use hardcoded values for secrects.keytab and sam.ldb
metze
(This used to be commit c78e345fea)
2007-10-10 14:43:32 -05:00
Andrew Bartlett
1d9ffbbe67 r13320: Fix kpasswd's use of the local HDB. /dev/null was a bad idea, we want
'no filename' instead.

Andrew Bartlett
(This used to be commit 7de385dca4)
2007-10-10 13:51:43 -05:00
Andrew Bartlett
28d78c40ad r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our
case) as the keytab.

This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).

Andrew Bartlett
(This used to be commit 849500d1aa)
2007-10-10 13:51:26 -05:00
Andrew Bartlett
9c6b7f2d62 r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.

In particular, the credentials system now supplies GSS client and
server credentials.  These are imported into GSS with
gss_krb5_import_creds().  Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.

Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls.  Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.

To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass.  The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.

This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().

We can now (in theory) use a system-provided /etc/krb5.keytab, if

krb5Keytab: FILE:/etc/krb5.keytab

is added to the secrets.ldb record.  By default the attribute

privateKeytab: secrets.keytab

is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df4)
2007-10-10 13:46:56 -05:00
Andrew Bartlett
d820c353dc r11218: Always return the mutual authentication reply (needed for kpasswd),
and remove now duplicated unwrap_pac().

Andrew Bartlett
(This used to be commit 90642d54e0)
2007-10-10 13:45:04 -05:00
Andrew Bartlett
372ca26b20 r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5
authentication.  This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.

This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC.  This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.

The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.

We also now allow for the old secret to be stored into the
credentials, allowing service password changes.

Andrew Bartlett
(This used to be commit 205f77c579)
2007-10-10 13:45:00 -05:00
Andrew Tridgell
3572073491 r10916: - finished the 'operational' ldb module
- removed the timestamps module, replacing it with the operational module

- added a ldb_msg_copy_shallow() function which should be used when a module
  wants to add new elements to a message on add/modify. This is needed
  because the caller might be using a constant structure, or may want to
  re-use the structure again

- enabled the UTC time attribute syntaxes in the operational module
(This used to be commit 61e8b01022)
2007-10-10 13:39:42 -05:00
Andrew Bartlett
51d2ae6e8d r10855: Put the domain SID in secrets.ldb by default, and add http as a
default SPN alias.

Andrew Bartlett
(This used to be commit e4fe5802da)
2007-10-10 13:39:37 -05:00
Andrew Bartlett
206ce778ee r8999: Use the timestamps module to ensure we update times.
Andrew Bartlett
(This used to be commit e6abd9f704)
2007-10-10 13:31:05 -05:00
Stefan Metzmacher
a3c7f79931 r8158: - use the timestring for the serial number of the bind zone file
- add --krbtgtpass and --machinepass options, with them you can easy set them to default
  values for testing so that you don't need to setup a new keytab file when you rerun provision.pl

metze
(This used to be commit cfb7245597)
2007-10-10 13:19:15 -05:00
Andrew Bartlett
f62a70fe54 r7988: Store the KVNO for the machine account, and set it up in the provision.
Andrew Bartlett
(This used to be commit 90e94a4630)
2007-10-10 13:18:56 -05:00
Andrew Bartlett
e5124bffca r6698: Our domain join code requires that the secureChannelType be set. Type
6 is BDC, which is correct for a self-join.

Andrew Bartlett
(This used to be commit cd61ff80f8)
2007-10-10 13:16:35 -05:00
Stefan Metzmacher
cf52d62ec9 r6207: - clean up source topdir
- move provision stuff to setup/
- remove unused scripts

metze
(This used to be commit c35887ca64)
2007-10-10 13:11:26 -05:00