svn commit: samba r23994 - in branches/SAMBA_4_0/webapps: . install
abartlet at samba.org
abartlet at samba.org
Mon Jul 23 02:10:14 GMT 2007
Author: abartlet
Date: 2007-07-23 02:10:11 +0000 (Mon, 23 Jul 2007)
New Revision: 23994
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23994
Log:
Finish my work to ensure that non-root and non-administrator users
cannot vampire, provision or upgrade a Samba4 server via SWAT.
(The previous commit was an accident, and not complete).
This should get Samba4 closer to being 'secure' for an alpha release.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/webapps/install/index.esp
branches/SAMBA_4_0/webapps/install/samba3.esp
branches/SAMBA_4_0/webapps/install/vampire.esp
branches/SAMBA_4_0/webapps/login.esp
Changeset:
Modified: branches/SAMBA_4_0/webapps/install/index.esp
===================================================================
--- branches/SAMBA_4_0/webapps/install/index.esp 2007-07-23 01:46:39 UTC (rev 23993)
+++ branches/SAMBA_4_0/webapps/install/index.esp 2007-07-23 02:10:11 UTC (rev 23994)
@@ -1,20 +1,40 @@
<% page_header("columns", "Server Installation", "install");
+
+if (session.authinfo.user_class == "ADMINISTRATOR"
+ || session.authinfo.user_class == "SYSTEM") {
+
%>
<h1>Installation</h1>
-Welcome to Samba4 installation. Before proceeding, you will need to
-know:
+<p>Welcome to Samba4 installation. Before proceeding, you will need to
+know: </p>
<ul>
<li>The domain name you will use
<li>The realm name you will use
</ul>
-After you have decided on those, choose the 'Provisioning' menu item
-on the left, and fill in the form.<p>
+<p>After you have decided on those, choose the 'Provisioning' menu item
+on the left, and fill in the form.</p>
-<b>Warning!</b> When you provision, your existing user database is
-wiped and replaced with a new one.
+<p><b>Warning!</b> When you provision, your existing user database is
+wiped and replaced with a new one.</p>
-<% page_footer(); %>
+<%
+
+} else {
+
+%>
+
+<h1>Installation</h1>
+
+<p>To install Samba4, you must have logged in as <b>root</b>, or administrator of the previously configured domain. </p>
+
+<p><b>Warning!</b> When you provision, your existing user database is
+wiped and replaced with a new one. </p>
+
+<%
+
+}
+page_footer(); %>
Modified: branches/SAMBA_4_0/webapps/install/samba3.esp
===================================================================
--- branches/SAMBA_4_0/webapps/install/samba3.esp 2007-07-23 01:46:39 UTC (rev 23993)
+++ branches/SAMBA_4_0/webapps/install/samba3.esp 2007-07-23 02:10:11 UTC (rev 23994)
@@ -15,91 +15,97 @@
<h1>Import from Samba3</h1>
<%
-if (form['submit'] == "Cancel") {
- redirect("/");
-}
+if (session.authinfo.user_class == "ADMINISTRATOR"
+ || session.authinfo.user_class == "SYSTEM") {
-function confirm_form()
-{
- var samba3 = samba3_read(form['LIBDIR'], form['SMBCONF']);
+ if (form['submit'] == "Cancel") {
+ redirect("/");
+ }
- var subobj = upgrade_provision(samba3);
- var f = FormObj("Import from Samba3", 0, 2);
- subobj.ADMINPASS = "";
+ function confirm_form()
+ {
+ var samba3 = samba3_read(form['LIBDIR'], form['SMBCONF']);
- f.add("REALM", "Realm");
- f.add("DOMAIN", "Domain Name");
- f.add("HOSTNAME", "Hostname");
- f.add("ADMINPASS", "Administrator Password", "password");
- f.add("CONFIRM", "Confirm Password", "password");
- f.add("DOMAINSID", "Domain SID");
- f.add("HOSTGUID", "Host GUID");
- f.add("HOSTIP", "Host IP");
- f.add("DEFAULTSITE", "Default Site");
+ var subobj = upgrade_provision(samba3);
+ var f = FormObj("Import from Samba3", 0, 2);
+ subobj.ADMINPASS = "";
- for (i=0;i<f.element.length;i++) {
- f.element[i].value = subobj[f.element[i].name];
- }
+ f.add("REALM", "Realm");
+ f.add("DOMAIN", "Domain Name");
+ f.add("HOSTNAME", "Hostname");
+ f.add("ADMINPASS", "Administrator Password", "password");
+ f.add("CONFIRM", "Confirm Password", "password");
+ f.add("DOMAINSID", "Domain SID");
+ f.add("HOSTGUID", "Host GUID");
+ f.add("HOSTIP", "Host IP");
+ f.add("DEFAULTSITE", "Default Site");
- f.add("SMBCONF", "", "hidden", form['SMBCONF']);
- f.add("LIBDIR", "", "hidden", form['LIBDIR']);
+ for (i=0;i<f.element.length;i++) {
+ f.element[i].value = subobj[f.element[i].name];
+ }
- f.submit[0] = "Continue";
- f.submit[1] = "Cancel";
- f.display();
-}
+ f.add("SMBCONF", "", "hidden", form['SMBCONF']);
+ f.add("LIBDIR", "", "hidden", form['LIBDIR']);
-if (form['submit'] == "Import") {
- confirm_form();
-} else if (form['submit'] == "Continue") {
- var samba3 = samba3_read(form['LIBDIR'], form['SMBCONF']);
- assert(samba3 != undefined);
- var subobj = upgrade_provision(samba3);
- for (r in form) {
- subobj[r] = form[r];
+ f.submit[0] = "Continue";
+ f.submit[1] = "Cancel";
+ f.display();
}
- var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
+ if (form['submit'] == "Import") {
+ confirm_form();
+ } else if (form['submit'] == "Continue") {
+ var samba3 = samba3_read(form['LIBDIR'], form['SMBCONF']);
+ assert(samba3 != undefined);
+ var subobj = upgrade_provision(samba3);
+ for (r in form) {
+ subobj[r] = form[r];
+ }
- if (!goodpass) {
- write("<h3>Passwords don't match. Please try again.</h3>");
- confirm_form();
- } else if (subobj.ADMINPASS == "") {
- write("<h3>You must choose an administrator password. Please try again.</h3>");
- confirm_form();
- } else {
- var paths = provision_default_paths(subobj);
- if (!provision(subobj, writefln, true, paths,
- session.authinfo.session_info, session.authinfo.credentials)) {
- writefln("Provision failed!");
- } else {
- var ret = upgrade(subobj,samba3,message,paths,
- session.authinfo.session_info, session.authinfo.credentials);
- if (ret > 0) {
- writefln("Failed to import %d entries\n", ret);
- } else {
- if (!provision_dns(subobj, writefln, paths,
- session.authinfo.session_info, session.authinfo.credentials)) {
- writefln("DNS Provision failed!");
+ var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
+
+ if (!goodpass) {
+ write("<h3>Passwords don't match. Please try again.</h3>");
+ confirm_form();
+ } else if (subobj.ADMINPASS == "") {
+ write("<h3>You must choose an administrator password. Please try again.</h3>");
+ confirm_form();
+ } else {
+ var paths = provision_default_paths(subobj);
+ if (!provision(subobj, writefln, true, paths,
+ session.authinfo.session_info, session.authinfo.credentials)) {
+ writefln("Provision failed!");
+ } else {
+ var ret = upgrade(subobj,samba3,message,paths,
+ session.authinfo.session_info, session.authinfo.credentials);
+ if (ret > 0) {
+ writefln("Failed to import %d entries\n", ret);
} else {
- writefln("Reloading smb.conf\n");
- var lp = loadparm_init();
- lp.reload();
- writefln("Upgrade Complete!");
+ if (!provision_dns(subobj, writefln, paths,
+ session.authinfo.session_info, session.authinfo.credentials)) {
+ writefln("DNS Provision failed!");
+ } else {
+ writefln("Reloading smb.conf\n");
+ var lp = loadparm_init();
+ lp.reload();
+ writefln("Upgrade Complete!");
+ }
}
}
}
+ } else {
+ var f = FormObj("Import from Samba3", 0, 2);
+
+ f.add("SMBCONF", "smb.conf file", "text", "/etc/samba/smb.conf");
+ f.add("LIBDIR", "Lib directory", "text", "/var/lib/samba");
+ f.submit[0] = "Import";
+ f.submit[1] = "Cancel";
+
+ write('<p>Warning: This will erase your current configuration!</p>');
+ f.display();
}
} else {
- var f = FormObj("Import from Samba3", 0, 2);
-
- f.add("SMBCONF", "smb.conf file", "text", "/etc/samba/smb.conf");
- f.add("LIBDIR", "Lib directory", "text", "/var/lib/samba");
- f.submit[0] = "Import";
- f.submit[1] = "Cancel";
-
- write('<p>Warning: This will erase your current configuration!</p>');
- f.display();
+ redirect("/");
}
%>
Modified: branches/SAMBA_4_0/webapps/install/vampire.esp
===================================================================
--- branches/SAMBA_4_0/webapps/install/vampire.esp 2007-07-23 01:46:39 UTC (rev 23993)
+++ branches/SAMBA_4_0/webapps/install/vampire.esp 2007-07-23 02:10:11 UTC (rev 23994)
@@ -14,111 +14,111 @@
var i;
var lp = loadparm_init();
-if (session.authinfo.user_class != "ADMINISTRATOR"
- && session.authinfo.user_class != "SYSTEM") {
- redirect("/");
-}
+if (session.authinfo.user_class == "ADMINISTRATOR"
+ || session.authinfo.user_class == "SYSTEM") {
-if (lp.get("realm") == "") {
- lp.set("realm", lp.get("workgroup") + ".example.com");
-}
+ if (lp.get("realm") == "") {
+ lp.set("realm", lp.get("workgroup") + ".example.com");
+ }
-var subobj = provision_guess();
-/* Don't supply default password for web interface */
-subobj.ADMINPASS = "";
+ var subobj = provision_guess();
+ /* Don't supply default password for web interface */
+ subobj.ADMINPASS = "";
-f.add("REALM", "DNS Domain Name");
-f.add("DOMAIN", "NetBIOS Domain Name");
-f.add("ADMIN", "Administrator Username");
-f.add("ADMINPASS", "Administrator Password", "password");
-f.add("HOSTNAME", "My Hostname");
-f.add("HOSTIP", "My Host's IP");
-f.add("DEFAULTSITE", "Default Site");
-f.submit[0] = "Migrate";
-f.submit[1] = "Cancel";
+ f.add("REALM", "DNS Domain Name");
+ f.add("DOMAIN", "NetBIOS Domain Name");
+ f.add("ADMIN", "Administrator Username");
+ f.add("ADMINPASS", "Administrator Password", "password");
+ f.add("HOSTNAME", "My Hostname");
+ f.add("HOSTIP", "My Host's IP");
+ f.add("DEFAULTSITE", "Default Site");
+ f.submit[0] = "Migrate";
+ f.submit[1] = "Cancel";
-if (form['submit'] == "Cancel") {
- redirect("/");
-}
+ if (form['submit'] == "Cancel") {
+ redirect("/");
+ }
-if (form['submit'] == "Migrate") {
- for (r in form) {
- subobj[r] = form[r];
+ if (form['submit'] == "Migrate") {
+ for (r in form) {
+ subobj[r] = form[r];
+ }
}
-}
+
+ for (i=0;i<f.element.length;i++) {
+ f.element[i].value = subobj[f.element[i].name];
+ }
+
+ if (form['submit'] == "Migrate") {
+ lp.set("realm", subobj.REALM);
+ if (subobj.ADMINPASS == "") {
+ write("<h3>We need the administrator password for the " + subobj.DOMAIN + " domain to proceed. Please try again.</h3>");
+ f.display();
+ } else if (!provision_validate(subobj, writefln)) {
+ f.display();
+ } else if (strupper(lp.get("server role")) == "domain controller") {
+ writefln("You need to set 'server role' to 'member server' before starting the migration process");
+ } else {
+ var creds = credentials_init();
+ var samdb;
+ creds.set_username(form.ADMIN);
+ creds.set_password(form.ADMINPASS);
+ creds.set_domain(form.DOMAIN);
+ creds.set_realm(form.REALM);
-for (i=0;i<f.element.length;i++) {
- f.element[i].value = subobj[f.element[i].name];
-}
+ var info = new Object();
+ var paths = provision_default_paths(subobj);
+ var session_info = session.authinfo.session_info;
+ var credentials = session.authinfo.credentials;
-if (form['submit'] == "Migrate") {
- lp.set("realm", subobj.REALM);
- if (subobj.ADMINPASS == "") {
- write("<h3>We need the administrator password for the " + subobj.DOMAIN + " domain to proceed. Please try again.</h3>");
- f.display();
- } else if (!provision_validate(subobj, writefln)) {
- f.display();
- } else if (strupper(lp.get("server role")) == "domain controller") {
- writefln("You need to set 'server role' to 'member server' before starting the migration process");
- } else {
- var creds = credentials_init();
- var samdb;
- creds.set_username(form.ADMIN);
- creds.set_password(form.ADMINPASS);
- creds.set_domain(form.DOMAIN);
- creds.set_realm(form.REALM);
+ info.credentials = credentials;
+ info.session_info = session_info;
+ info.message = writefln;
+ info.subobj = subobj;
- var info = new Object();
- var paths = provision_default_paths(subobj);
- var session_info = session.authinfo.session_info;
- var credentials = session.authinfo.credentials;
+ /* Setup a basic database structure, but don't setup any users */
+ if (!provision(subobj, writefln, true, paths,
+ session_info, credentials, false)) {
+ writefln("Provision failed!");
- info.credentials = credentials;
- info.session_info = session_info;
- info.message = writefln;
- info.subobj = subobj;
-
- /* Setup a basic database structure, but don't setup any users */
- if (!provision(subobj, writefln, true, paths,
- session_info, credentials, false)) {
- writefln("Provision failed!");
-
- /* Join domain */
- } else if (!join_domain(form.DOMAIN, form.HOSTNAME, misc.SEC_CHAN_BDC, creds, writefln)) {
- writefln("Domain Join failed!");
+ /* Join domain */
+ } else if (!join_domain(form.DOMAIN, form.HOSTNAME, misc.SEC_CHAN_BDC, creds, writefln)) {
+ writefln("Domain Join failed!");
- /* Vampire */
- } else if (!vampire(form.DOMAIN, session.authinfo.session_info,
+ /* Vampire */
+ } else if (!vampire(form.DOMAIN, session.authinfo.session_info,
session.authinfo.credentials, writefln)) {
- writefln("Failed to syncronsise remote domain into local database!");
- } else if (!provision_dns(subobj, writefln, paths,
- session.authinfo.session_info, session.authinfo.credentials)) {
- writefln("DNS Provision failed!");
- } else if (!(samdb = open_ldb(info, paths.samdb, false))) {
- writefln("Opening " + paths.samdb + " failed!");
- info.samdb = samdb;
- } else if (!setup_name_mappings(info, samdb)) {
- writefln("Setup of name mappings failed!");
- } else {
- var zonepath = paths.dns;
- %>
+ writefln("Failed to syncronsise remote domain into local database!");
+ } else if (!provision_dns(subobj, writefln, paths,
+ session.authinfo.session_info, session.authinfo.credentials)) {
+ writefln("DNS Provision failed!");
+ } else if (!(samdb = open_ldb(info, paths.samdb, false))) {
+ writefln("Opening " + paths.samdb + " failed!");
+ info.samdb = samdb;
+ } else if (!setup_name_mappings(info, samdb)) {
+ writefln("Setup of name mappings failed!");
+ } else {
+ var zonepath = paths.dns;
+ %>
<h3>Database migrated!</h3>
-
You need to do the following to complete the process:
-
<ul>
-<li>Install the <b>@@zonepath</b> zone file into your bind install, and restart bind
-<li>Change your smb.conf to set "server role = domain controller"
-<li>Shutdown your existing PDC and any other DCs
-<li>Restart smbd
+ <li>Install the <b>@@zonepath</b> zone file into your bind install, and restart bind
+ <li>Change your smb.conf to set "server role = domain controller"
+ <li>Shutdown your existing PDC and any other DCs
+ <li>Restart smbd
</ul>
- <%
+<%
+ }
}
+ } else {
+ f.display();
}
} else {
- f.display();
+ redirect("/");
}
+
%>
Modified: branches/SAMBA_4_0/webapps/login.esp
===================================================================
--- branches/SAMBA_4_0/webapps/login.esp 2007-07-23 01:46:39 UTC (rev 23993)
+++ branches/SAMBA_4_0/webapps/login.esp 2007-07-23 02:10:11 UTC (rev 23994)
@@ -39,6 +39,7 @@
session.authinfo.domain = auth.domain;
session.authinfo.credentials = creds;
session.authinfo.session_info = auth.session_info;
+ session.authinfo.user_class = auth.user_class;
/* if the user was asking for the login page, then now
redirect them to the main page. Otherwise just
More information about the samba-cvs
mailing list