svn commit: samba r25299 - in branches/SAMBA_4_0/source: ldap_server scripting/libjs selftest/env setup

abartlet at samba.org abartlet at samba.org
Sat Sep 22 12:57:19 GMT 2007


Author: abartlet
Date: 2007-09-22 12:57:17 +0000 (Sat, 22 Sep 2007)
New Revision: 25299

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=25299

Log:
Modify the provision script to take an additional argument:  --server-role

This must be set to either 'domain controller', 'domain member' or 'standalone'.

The default for the provision now changes to 'standalone'.

This is not because Samba4 is particularly useful in that mode, but
because we still want a positive sign from the administrator that we
should advertise as a DC.

We now do more to ensure the 'standalone' and 'member server'
provision output is reasonable, and try not to set odd things into the
database that only belong for the DC.

Andrew Bartlett


Added:
   branches/SAMBA_4_0/source/setup/provision.smb.conf.dc
   branches/SAMBA_4_0/source/setup/provision.smb.conf.member
   branches/SAMBA_4_0/source/setup/provision.smb.conf.standlone
   branches/SAMBA_4_0/source/setup/secrets_dc.ldif
Removed:
   branches/SAMBA_4_0/source/setup/provision.smb.conf
Modified:
   branches/SAMBA_4_0/source/ldap_server/ldap_server.c
   branches/SAMBA_4_0/source/scripting/libjs/provision.js
   branches/SAMBA_4_0/source/selftest/env/Samba4.pm
   branches/SAMBA_4_0/source/setup/named.conf
   branches/SAMBA_4_0/source/setup/provision
   branches/SAMBA_4_0/source/setup/provision_self_join.ldif
   branches/SAMBA_4_0/source/setup/provision_users.ldif
   branches/SAMBA_4_0/source/setup/secrets.ldif


Changeset:
Modified: branches/SAMBA_4_0/source/ldap_server/ldap_server.c
===================================================================
--- branches/SAMBA_4_0/source/ldap_server/ldap_server.c	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/ldap_server/ldap_server.c	2007-09-22 12:57:17 UTC (rev 25299)
@@ -513,6 +513,18 @@
 	NTSTATUS status;
 	const struct model_ops *model_ops;
 
+	switch (lp_server_role()) {
+	case ROLE_STANDALONE:
+		task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration");
+		return;
+	case ROLE_DOMAIN_MEMBER:
+		task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration");
+		return;
+	case ROLE_DOMAIN_CONTROLLER:
+		/* Yes, we want an LDAP server */
+		break;
+	}
+
 	task_server_set_title(task, "task[ldapsrv]");
 
 	/* run the ldap server as a single process */
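Review bot: The new switch on lp_server_role() has no default case, so any role value outside ROLE_STANDALONE, ROLE_DOMAIN_MEMBER and ROLE_DOMAIN_CONTROLLER falls out of the switch and the LDAP server is started anyway; for a service that exposes the directory the safer direction is to fail closed. Add `default: task_server_terminate(task, "ldap_server: unknown server role, not starting LDAP server"); return;` after the ROLE_DOMAIN_CONTROLLER case. Whether lp_server_role() can currently return anything else depends on loadparm, which is not visible here, but the default costs nothing and also protects against a future role being added without this site being updated. The enclosing task-init function starts and ends outside this hunk.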

Modified: branches/SAMBA_4_0/source/scripting/libjs/provision.js
===================================================================
--- branches/SAMBA_4_0/source/scripting/libjs/provision.js	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/scripting/libjs/provision.js	2007-09-22 12:57:17 UTC (rev 25299)
@@ -489,6 +489,17 @@
 	subobj.NETLOGONPATH = paths.netlogon;
 	subobj.SYSVOLPATH = paths.sysvol;
 
+	if (subobj.DOMAIN_CONF == undefined) {
+		subobj.DOMAIN_CONF = subobj.DOMAIN;
+	}
+	if (subobj.REALM_CONF == undefined) {
+		subobj.REALM_CONF = subobj.REALM;
+	}
+	if (subobj.SERVERROLE != "domain controller") {
+		subobj.REALM = subobj.HOSTNAME;
+		subobj.DOMAIN = subobj.HOSTNAME;
+	}
+
 	return true;
 }
 
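Review bot: The non-DC branch silently replaces subobj.REALM and subobj.DOMAIN with the host name, and nothing explains why or that DOMAIN_CONF/REALM_CONF are the values that go into smb.conf while DOMAIN/REALM now feed the local databases; a reader of the LDIF templates (which still expand ${DOMAIN}/${REALM}) will not find this out without reading this hunk. Note also that because the test is `!= "domain controller"`, an unset or misspelled SERVERROLE takes the non-DC path, which is the fail-safe direction but should be stated. Suggest above the `if`: `/* Only a DC owns the real domain/realm; for standalone and member server the local SAM and secrets are keyed by the host name, while *_CONF keep what the administrator configured for smb.conf. Anything that is not exactly "domain controller" is treated as non-DC. */` (wording of the rationale to be confirmed by the author). The enclosing function starts outside this hunk.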
@@ -536,6 +547,8 @@
 
 	setup_ldb("secrets.ldif", info, paths.secrets, false);
 
+	setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
 	return true;
 }
 
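Review bot: `setup_ldb("secrets_dc.ldif", info, paths.secrets, false)` is applied here unconditionally, right after secrets.ldif, while the same file is also applied later in this commit inside the `if (subobj.SERVERROLE == "domain controller")` branch. secrets_dc.ldif carries the DC machine-account secret, the krbtgt HDB hook and the DNS key, so if the function enclosing this hunk (its header is outside the hunk) is ever reached for a standalone or member provision, those DC-only secrets are written into secrets.ldb — precisely what the commit message says it wants to avoid — and on a DC the same records are added twice, with whatever setup_ldb does on a duplicate DN. Unless this function is DC-only by construction, gate it: `if (subobj.SERVERROLE == "domain controller") { setup_ldb("secrets_dc.ldif", info, paths.secrets, false); }`, or keep only the call in the DC branch.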
@@ -571,8 +584,16 @@
 	/* only install a new smb.conf if there isn't one there already */
 	var st = sys.stat(paths.smbconf);
 	if (st == undefined) {
+		var smbconfsuffix;
+		if (subobj.ROLE == "domain controller") {
+			smbconfsuffix = "dc";
+		} else if (subobj.ROLE == "member server") {
+			smbconfsuffix = "member";
+		} else {
+			smbconfsuffix = subobj.ROLE;
+		}
 		message("Setting up " + paths.smbconf +"\n");
-		setup_file("provision.smb.conf", info.message, paths.smbconf, subobj);
+		setup_file("provision.smb.conf." + smbconfsuffix, info.message, paths.smbconf, subobj);
 		lp.reload();
 	}
 	/* only install a new shares config db if there is none */
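Review bot: The new branch tests `subobj.ROLE`, but the rest of this commit sets and compares `subobj.SERVERROLE` (provision_guess assigns it from strlower(lp.get("server role"))), and nothing in the diff assigns subobj.ROLE; unless it is populated elsewhere, `smbconfsuffix` is undefined and setup_file() is asked for `provision.smb.conf.undefined`. The else branch also turns an arbitrary role string straight into a file name, and for the documented default it yields `provision.smb.conf.standalone`, whereas the file added by this commit is named `provision.smb.conf.standlone`; the "member server" literal likewise differs from the 'domain member' value the commit message documents. I would compare SERVERROLE, enumerate the three accepted values explicitly and refuse anything else (assuming the enclosing function, whose header is outside the hunk, returns a boolean like its siblings):

```javascript
		var smbconfsuffix;
		if (subobj.SERVERROLE == "domain controller") {
			smbconfsuffix = "dc";
		} else if (subobj.SERVERROLE == "member server") {
			smbconfsuffix = "member";
		} else if (subobj.SERVERROLE == "standalone") {
			smbconfsuffix = "standalone";
		} else {
			message("Unknown server role '%s'\n", subobj.SERVERROLE);
			return false;
		}
		/* … unchanged: message() and setup_file("provision.smb.conf." + smbconfsuffix, …) … */
```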
@@ -724,7 +745,7 @@
 	message("Setting up sam.ldb users and groups\n");
 	setup_add_ldif("provision_users.ldif", info, samdb, false);
 
-	if (lp.get("server role") == "domain controller") {
+	if (subobj.SERVERROLE == "domain controller") {
 		message("Setting up self join\n");
 		setup_add_ldif("provision_self_join.ldif", info, samdb, false);
 		setup_add_ldif("provision_group_policy.ldif", info, samdb, false);
@@ -737,6 +758,9 @@
 		sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/User", 0755);
 
 		sys.mkdir(paths.netlogon, 0755);
+
+		setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
 	}
 
 	if (setup_name_mappings(info, samdb) == false) {
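Review bot: Applying secrets_dc.ldif inside the DC-only branch is the right place for it, but the earlier hunk of this file applies the same file unconditionally after secrets.ldif, so on a DC both calls run against the same secrets database with erase=false; whether the second add of identical DNs errors or is ignored is not visible from here. Keep this call and remove the unconditional one, and add a why-comment here: `/* DC-only: machine account secret, krbtgt HDB hook and DNS key */`. The enclosing function starts and ends outside this hunk.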
@@ -809,8 +833,8 @@
 function provision_dns(subobj, message, paths, session_info, credentials)
 {
 	var lp = loadparm_init();
-	if (lp.get("server role") != "domain controller") {
-		message("No DNS zone required for role %s\n", lp.get("server role"));
+	if (subobj.SERVERROLE != "domain controller") {
+		message("No DNS zone required for role %s\n", subobj.SERVERROLE);
 		return;
 	}
 	message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n");
@@ -886,6 +910,7 @@
 	var rdn_list;
 	random_init(local);
 
+	subobj.SERVERROLE   = strlower(lp.get("server role"));
 	subobj.REALM        = strupper(lp.get("realm"));
 	subobj.DOMAIN       = lp.get("workgroup");
 	subobj.HOSTNAME     = hostname();
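Review bot: This assignment is the single place where the role string is canonicalised, and every comparison added by this commit depends on it being exactly one of three lowercase literals, yet nothing here says so. What strlower() does when "server role" is unset (lp.get returning undefined) is outside the diff; if loadparm has no default of its own, a missing option would reach the later `!= "domain controller"` tests as undefined. Suggest a comment: `/* canonical role, always lowercase: "domain controller", "member server" or "standalone"; every role test below compares against these literals */`. The enclosing provision_guess function starts and ends outside this hunk.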
@@ -1100,18 +1125,24 @@
 	}
 
 
-	if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN)) {
+	if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN_CONF)) {
 		message("workgroup '%s' in smb.conf must match chosen domain '%s'\n",
-			lp.get("workgroup"), subobj.DOMAIN);
+			lp.get("workgroup"), subobj.DOMAIN_CONF);
 		return false;
 	}
 
-	if (strupper(lp.get("realm")) != strupper(subobj.REALM)) {
+	if (strupper(lp.get("realm")) != strupper(subobj.REALM_CONF)) {
 		message("realm '%s' in smb.conf must match chosen realm '%s'\n",
-			lp.get("realm"), subobj.REALM);
+			lp.get("realm"), subobj.REALM_CONF);
 		return false;
 	}
 
+	if (strupper(lp.get("server role")) != strupper(subobj.SERVERROLE)) {
+		message("server role '%s' in smb.conf must match chosen role '%s'\n",
+			lp.get("server role"), subobj.SERVERROLE);
+		return false;
+	}
+
 	return true;
 }
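Review bot: The new server-role consistency check compares lp.get("server role") with subobj.SERVERROLE, but provision_guess derives SERVERROLE from that very lp value, so unless a caller overrides subobj.SERVERROLE the check can only fail if lp has been reloaded in between; what is actually missing is a check that the role is one of the three values the rest of the commit understands. A misspelled role currently passes validation, is treated as non-DC by the earlier hunk and becomes part of a template file name in the smb.conf hunk. I would reject unknown values before the existing comparison (the enclosing function starts outside this hunk):

```javascript
	/* … unchanged: workgroup and realm consistency checks … */
	if (subobj.SERVERROLE != "domain controller" &&
	    subobj.SERVERROLE != "member server" &&
	    subobj.SERVERROLE != "standalone") {
		message("server role '%s' must be 'domain controller', 'member server' or 'standalone'\n",
			subobj.SERVERROLE);
		return false;
	}

	if (strupper(lp.get("server role")) != strupper(subobj.SERVERROLE)) {
	/* … unchanged: existing mismatch message and return … */
```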
 

Modified: branches/SAMBA_4_0/source/selftest/env/Samba4.pm
===================================================================
--- branches/SAMBA_4_0/source/selftest/env/Samba4.pm	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/selftest/env/Samba4.pm	2007-09-22 12:57:17 UTC (rev 25299)
@@ -297,10 +297,6 @@
 		$tmpdir);
 
 
-	my $localdomain = $domain;
-	$localdomain = $netbiosname if $server_role eq "member server";
-	my $localrealm = $realm;
-	$localrealm = $netbiosname if $server_role eq "member server";
 	my $localbasedn = $basedn;
 	$localbasedn = "DC=$netbiosname" if $server_role eq "member server";
 
@@ -416,9 +412,9 @@
 	push (@provision_options, split(' ', $configuration));
 	push (@provision_options, "--host-name=$netbiosname");
 	push (@provision_options, "--host-ip=$ifaceipv4");
-	push (@provision_options, "--quiet");
-	push (@provision_options, "--domain=$localdomain");
-	push (@provision_options, "--realm=$localrealm");
+#	push (@provision_options, "--quiet");
+	push (@provision_options, "--domain=$domain");
+	push (@provision_options, "--realm=$realm");
 	push (@provision_options, "--adminpass=$password");
 	push (@provision_options, "--krbtgtpass=krbtgt$password");
 	push (@provision_options, "--machinepass=machine$password");
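Review bot: `#	push (@provision_options, "--quiet");` is commented-out code rather than a deliberate change; it reads as a debugging leftover from making the selftest provision verbose. Either delete the line or restore `push (@provision_options, "--quiet");`, and if the noise is wanted for now, say so with a `# TODO(abartlet): restore --quiet once the role provisioning settles` so the next reader knows it is temporary. The enclosing subroutine starts and ends outside this hunk.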
@@ -426,6 +422,7 @@
 	push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
 	push (@provision_options, "--password=$password");
 	push (@provision_options, "--root=$root");
+	push (@provision_options, "--server-role=$server_role");
 
 	my $ldap_uri= "$ldapdir/ldapi";
 	$ldap_uri =~ s|/|%2F|g;
@@ -454,7 +451,7 @@
 	if (defined($self->{ldap})) {
 
                 push (@provision_options, "--ldap-backend=$ldap_uri");
-	        system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$localrealm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+	        system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$realm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
 
 	        if ($self->{ldap} eq "openldap") {
 		       ($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");

Modified: branches/SAMBA_4_0/source/setup/named.conf
===================================================================
--- branches/SAMBA_4_0/source/setup/named.conf	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/setup/named.conf	2007-09-22 12:57:17 UTC (rev 25299)
@@ -3,11 +3,12 @@
 # the BIND nameserver.
 #
 
-#insert this into options {}
+# If you have a very recent BIND, supporting GSS-TSIG, 
+# insert this into options {}  (otherwise omit, it is not required if we don't accept updates)
 tkey-gssapi-credential "DNS/${DNSDOMAIN}";
 tkey-domain "${REALM}";
 
-#the zone file
+# You should always include the actual zone configuration reference:
 zone "${DNSDOMAIN}." IN {
         type master;
         file "${DNSDOMAIN}.zone";
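Review bot: The new comment explains when the two tkey lines are needed but not what else they require: `tkey-gssapi-credential "DNS/${DNSDOMAIN}"` only works if named can read the key for that principal, which this commit exports via the DNS keytab (`privateKeytab: ${DNS_KEYTAB}` in secrets_dc.ldif), and on their own the lines enable GSS-TSIG key negotiation without granting any client the right to update the zone. Whether the zone block below carries an `update-policy` cannot be seen, as it runs past the hunk. Suggest extending the comment: `# named must also be able to read the keytab holding DNS/${DNSDOMAIN} (see the DNS keytab written by provision); these lines only enable GSS-TSIG negotiation, the zone still needs an explicit update-policy before any client may update it.`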

Modified: branches/SAMBA_4_0/source/setup/provision
===================================================================
--- branches/SAMBA_4_0/source/setup/provision	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/setup/provision	2007-09-22 12:57:17 UTC (rev 25299)
@@ -32,6 +32,7 @@
 		'users=s',
 		'quiet',
 		'blank',
+		'server-role=s',
 		'partitions-only',
 		'ldap-base',
 		'ldap-backend=s',
@@ -84,6 +85,7 @@
  --users	GROUPNAME	choose 'users' group
  --quiet			Be quiet
  --blank			do not add users or groups, just the structure
+ --server-role  ROLE            Set server role to provision for (default standalone)
  --partitions-only              Configure Samba's partitions, but do not modify them (ie, join a BDC)
  --ldap-base			output only an LDIF file, suitable for creating an LDAP baseDN
  --ldap-backend LDAPSERVER      LDAP server to use for this provision
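Review bot: The new help line promises a default of standalone but does not say which values are accepted, and the rest of this commit only understands three exact strings; the commit message even calls one of them 'domain member' while the code tests "member server". Spell them out so an administrator cannot guess wrong: ` --server-role  ROLE            Set server role to provision for: 'domain controller', 'member server' or 'standalone' (default standalone)`.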
@@ -112,6 +114,7 @@
 var lp = loadparm_init();
 lp.set("realm", options.realm);
 lp.set("workgroup", options.domain);
+lp.set("server role", options["server-role"]);
 lp.reload();
 
 var subobj = provision_guess();
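Review bot: `lp.set("server role", options["server-role"])` passes the option through unconditionally, but nothing in this hunk applies the 'standalone' default that the help text and commit message promise when --server-role is omitted; what lp.set does with an undefined value, and what loadparm's own default for "server role" is, are outside this diff, and an option-defaults block earlier in the script is not visible either. Since the whole point of the change is that a DC is advertised only on an explicit request, make the default explicit at this site: `lp.set("server role", options["server-role"] || "standalone");`.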

Deleted: branches/SAMBA_4_0/source/setup/provision.smb.conf
===================================================================
--- branches/SAMBA_4_0/source/setup/provision.smb.conf	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/setup/provision.smb.conf	2007-09-22 12:57:17 UTC (rev 25299)
@@ -1,13 +0,0 @@
-[globals]
-	netbios name	= ${HOSTNAME}
-	workgroup	= ${DOMAIN}
-	realm		= ${REALM}
-	server role     = domain controller
-
-[netlogon]
-	path = ${NETLOGONPATH}
-	read only = no
-
-[sysvol]
-	path = ${SYSVOLPATH}
-	read only = no

Copied: branches/SAMBA_4_0/source/setup/provision.smb.conf.dc (from rev 25298, branches/SAMBA_4_0/source/setup/provision.smb.conf)
===================================================================
--- branches/SAMBA_4_0/source/setup/provision.smb.conf	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/setup/provision.smb.conf.dc	2007-09-22 12:57:17 UTC (rev 25299)
@@ -0,0 +1,13 @@
+[globals]
+	netbios name	= ${HOSTNAME}
+	workgroup	= ${DOMAIN_CONF}
+	realm		= ${REALM_CONF}
+	server role     = ${SERVERROLE}
+
+[netlogon]
+	path = ${NETLOGONPATH}
+	read only = no
+
+[sysvol]
+	path = ${SYSVOLPATH}
+	read only = no

Copied: branches/SAMBA_4_0/source/setup/provision.smb.conf.member (from rev 25298, branches/SAMBA_4_0/source/setup/provision.smb.conf)
===================================================================
--- branches/SAMBA_4_0/source/setup/provision.smb.conf	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/setup/provision.smb.conf.member	2007-09-22 12:57:17 UTC (rev 25299)
@@ -0,0 +1,5 @@
+[globals]
+	netbios name	= ${HOSTNAME}
+	workgroup	= ${DOMAIN_CONF}
+	realm		= ${REALM_CONF}
+	server role     = ${SERVERROLE}

Copied: branches/SAMBA_4_0/source/setup/provision.smb.conf.standlone (from rev 25298, branches/SAMBA_4_0/source/setup/provision.smb.conf)
===================================================================
--- branches/SAMBA_4_0/source/setup/provision.smb.conf	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/setup/provision.smb.conf.standlone	2007-09-22 12:57:17 UTC (rev 25299)
@@ -0,0 +1,5 @@
+[globals]
+	netbios name	= ${HOSTNAME}
+	workgroup	= ${DOMAIN_CONF}
+	realm		= ${REALM_CONF}
+	server role     = ${SERVERROLE}
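Review bot: The file is added as `provision.smb.conf.standlone` (missing the second "a"), while the provision.js change in this commit builds the template name from the role string and will therefore look for `provision.smb.conf.standalone`; with standalone being the new default, the default provision cannot find its smb.conf template. Rename the file to `provision.smb.conf.standalone` (and adjust the Added: list in the commit accordingly).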

Modified: branches/SAMBA_4_0/source/setup/provision_self_join.ldif
===================================================================
--- branches/SAMBA_4_0/source/setup/provision_self_join.ldif	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/setup/provision_self_join.ldif	2007-09-22 12:57:17 UTC (rev 25299)
@@ -21,3 +21,21 @@
 servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
 servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
 ${HOSTGUID_ADD}
+
+#Provide a account for DNS keytab export
+dn: CN=dns,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: dns
+description: DNS Service Account
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+accountExpires: 9223372036854775807
+sAMAccountName: dns
+sAMAccountType: 805306368
+servicePrincipalName: DNS/${DNSDOMAIN}
+isCriticalSystemObject: TRUE
+sambaPassword:: ${DNSPASS_B64}
+
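Review bot: The moved dns account is created with `userAccountControl: 514`, i.e. NORMAL_ACCOUNT with ACCOUNTDISABLE set, and the only hint at why is the comment above it; a reader will otherwise wonder why a service account is provisioned disabled. Presumably the account exists only so that its key, set from the same ${DNSPASS_B64} as the DNS entry in secrets_dc.ldif, can be exported to the DNS keytab, and it must never be usable for a password logon — please confirm and say so. Suggest replacing the comment with `# Provide an account for DNS keytab export. It is created disabled (userAccountControl 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE): only its key, exported to the DNS keytab, is ever used, and its password must match the DNS secret in secrets_dc.ldif.` (also fixes "a account").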

Modified: branches/SAMBA_4_0/source/setup/provision_users.ldif
===================================================================
--- branches/SAMBA_4_0/source/setup/provision_users.ldif	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/setup/provision_users.ldif	2007-09-22 12:57:17 UTC (rev 25299)
@@ -205,22 +205,6 @@
 isCriticalSystemObject: TRUE
 sambaPassword:: ${KRBTGTPASS_B64}
 
-dn: CN=dns,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: dns
-description: DNS Service Account
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-accountExpires: 9223372036854775807
-sAMAccountName: dns
-sAMAccountType: 805306368
-servicePrincipalName: DNS/${DNSDOMAIN}
-isCriticalSystemObject: TRUE
-sambaPassword:: ${DNSPASS_B64}
-
 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group

Modified: branches/SAMBA_4_0/source/setup/secrets.ldif
===================================================================
--- branches/SAMBA_4_0/source/setup/secrets.ldif	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/setup/secrets.ldif	2007-09-22 12:57:17 UTC (rev 25299)
@@ -8,47 +8,3 @@
 objectClass: container
 cn: Primary Domains
 
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-msDS-KeyVersionNumber: 1
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-sAMAccountName: krbtgt
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-objectSid: ${DOMAINSID}
-servicePrincipalName: kadmin/changepw
-krb5Keytab: HDB:ldb:${SAM_LDB}:
-#The trailing : here is a HACK, but it matches the Heimdal format. 
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-realm: ${REALM}
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-servicePrincipalName: DNS/${DNSDOMAIN}
-privateKeytab: ${DNS_KEYTAB}
-secret:: ${DNSPASS_B64}
-

Added: branches/SAMBA_4_0/source/setup/secrets_dc.ldif
===================================================================
--- branches/SAMBA_4_0/source/setup/secrets_dc.ldif	2007-09-22 09:44:29 UTC (rev 25298)
+++ branches/SAMBA_4_0/source/setup/secrets_dc.ldif	2007-09-22 12:57:17 UTC (rev 25299)
@@ -0,0 +1,44 @@
+dn: flatname=${DOMAIN},CN=Primary Domains
+objectClass: top
+objectClass: primaryDomain
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+secret:: ${MACHINEPASS_B64}
+secureChannelType: 6
+sAMAccountName: ${NETBIOSNAME}$
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+msDS-KeyVersionNumber: 1
+objectSid: ${DOMAINSID}
+privateKeytab: ${SECRETS_KEYTAB}
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+sAMAccountName: krbtgt
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+objectSid: ${DOMAINSID}
+servicePrincipalName: kadmin/changepw
+krb5Keytab: HDB:ldb:${SAM_LDB}:
+#The trailing : here is a HACK, but it matches the Heimdal format. 
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+realm: ${REALM}
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+servicePrincipalName: DNS/${DNSDOMAIN}
+privateKeytab: ${DNS_KEYTAB}
+secret:: ${DNSPASS_B64}
+
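Review bot: The new file has no header stating its contract, even though its name is the only thing marking it DC-only and provision.js applies it in two places in this commit, one of them unconditionally. A short comment at the top would make the intent checkable by whoever touches the loaders next: `# DC-only secrets, applied only when provisioning a domain controller: the DC's own machine-account secret (secureChannelType 6), the krbtgt/HDB hook into sam.ldb, and the DNS update key whose password must match the dns account in provision_self_join.ldif. Never apply this for standalone or member server roles.`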


