[SCM] Samba Shared Repository - branch v4-0-test updated - release-4-0-0alpha5-60-gcd07452

Andrew Bartlett abartlet at samba.org
Tue Jul 15 05:17:25 GMT 2008


The branch, v4-0-test has been updated
       via  cd0745253c4a9ec59a035e830e54d74a05b71aaa (commit)
       via  edfb2ed1f22bc735af5a0c3d3ae6ab6771d28f2c (commit)
       via  28c784966809d634e8497e0716b30bad018467b4 (commit)
       via  72e52a301102941c41ab423e0212fe9a1aed0405 (commit)
       via  e396a59788d77aa2fbf3b523c3773fe0e5c976c0 (commit)
       via  95825ae6d5e9d9846f3a7505a81ebe603826227e (commit)
       via  9ac07e14873df2c18d0e9501691c2d4c4047e218 (commit)
      from  79c4d8e2fabc9c33d978c064b9c01ca45e463ced (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit cd0745253c4a9ec59a035e830e54d74a05b71aaa
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 15 15:15:12 2008 +1000

    Connect to the LDAP backend with SASL credentials.
    
    This reworks our LDAP backend code to move from anonymous access to a
    shared-secret SASL-protected connection.  (SASL selects NTLM or
    DIGEST-MD5 on my system).
    
    To get this working, we must pre-populate the LDAP backend with a DN
    to store this SASL secret on, and we use back-ldif for this.
    
    This gives us a reasonable basis to deploy a replicated OpenLDAP
    backend solution.
    
    Andrew Bartlett

commit edfb2ed1f22bc735af5a0c3d3ae6ab6771d28f2c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 15 15:10:29 2008 +1000

    Make up a full hostname for ldapi connections.
    
    The DIGEST-MD5 SASL method requires a hostname, so provide one.
    
    Andrew Bartlett

commit 28c784966809d634e8497e0716b30bad018467b4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 15 15:09:32 2008 +1000

    Add a standard filter for finding the LDAP secrets.

commit 72e52a301102941c41ab423e0212fe9a1aed0405
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 15 15:08:57 2008 +1000

    Cleanup ldap_bind_sasl.
    
    With these changes, we don't leak the LDAP socket, and don't reset all
    credentials feature flags, just the ones we are actually incompatible
    with.
    
    Andrew Bartlett

commit e396a59788d77aa2fbf3b523c3773fe0e5c976c0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 15 15:07:13 2008 +1000

    Use secrets.ldb to store credentials to contact LDAP backend.
    
    This makes Samba4 behave much like Samba3 did, and use a single set of
    administrative credentials for its connection to LDAP.
    
    Andrew Bartlett

commit 95825ae6d5e9d9846f3a7505a81ebe603826227e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 15 15:05:41 2008 +1000

    Allow ldap credentials to be (optionally) stored in secrets.ldb
    
    This includes a simple bind DN, or SASL credentials.
    
    The error messages are reworked as on systems without an LDAP backend,
    we will fail to find this record very often.
    
    Andrew Bartlett

commit 9ac07e14873df2c18d0e9501691c2d4c4047e218
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 15 15:04:06 2008 +1000

    Try to make NTLMSSP less fussy for unimportant messages.
    
    We don't really care (because nobody uses them) what we send as the
    domain and workstation in the negotiate packet.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source/auth/credentials/credentials_files.c |   44 +++++++++++++++++++------
 source/auth/ntlmssp/ntlmssp_client.c        |   15 +++++++-
 source/dsdb/samdb/samdb.c                   |   27 +++++++++++++++-
 source/ldap_server/ldap_backend.c           |    9 +++--
 source/libcli/ldap/ldap_bind.c              |    7 ++--
 source/libcli/ldap/ldap_client.c            |    9 ++++-
 source/libnet/libnet_samsync_ldb.c          |   10 ++---
 source/param/secrets.h                      |    1 +
 source/scripting/python/samba/provision.py  |   47 +++++++++++++++++++++-----
 source/selftest/target/Samba4.pm            |    2 +-
 source/setup/cn=samba-admin.ldif            |   12 +++++++
 source/setup/cn=samba.ldif                  |   11 ++++++
 source/setup/provision                      |    4 ++-
 source/setup/secrets_init.ldif              |    2 +-
 source/setup/secrets_sasl_ldap.ldif         |    9 +++++
 source/setup/secrets_simple_ldap.ldif       |    6 +++
 source/setup/slapd.conf                     |   39 +++++++++++++++++-----
 17 files changed, 203 insertions(+), 51 deletions(-)
 create mode 100644 source/setup/cn=samba-admin.ldif
 create mode 100644 source/setup/cn=samba.ldif
 create mode 100644 source/setup/secrets_sasl_ldap.ldif
 create mode 100644 source/setup/secrets_simple_ldap.ldif


Changeset truncated at 500 lines:

diff --git a/source/auth/credentials/credentials_files.c b/source/auth/credentials/credentials_files.c
index 05b0bf5..bba3fdc 100644
--- a/source/auth/credentials/credentials_files.c
+++ b/source/auth/credentials/credentials_files.c
@@ -194,6 +194,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 		"privateKeytab",
 		"krb5Keytab",
 		"servicePrincipalName",
+		"ldapBindDn",
 		NULL
 	};
 	
@@ -221,6 +222,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 			/* set anonymous as the fallback, if the machine account won't work */
 			cli_credentials_set_anonymous(cred);
 			DEBUG(1, ("Could not open secrets.ldb\n"));
+			talloc_free(mem_ctx);
 			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 		}
 	}
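Review bot: Good catch on the leaked mem_ctx on the secrets.ldb open-failure path; the other early returns in cli_credentials_set_secrets after mem_ctx is allocated should be audited for the same pattern so that every exit frees it.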
@@ -255,12 +257,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 		machine_account = ldb_msg_find_attr_as_string(msgs[0], "servicePrincipalName", NULL);
 		
 		if (!machine_account) {
-			DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n",
-				  cli_credentials_get_domain(cred), filter, base));
-			/* set anonymous as the fallback, if the machine account won't work */
-			cli_credentials_set_anonymous(cred);
-			talloc_free(mem_ctx);
-			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+			const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL);
+			if (!ldap_bind_dn) {
+				DEBUG(5, ("(normal if no LDAP backend required) Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n",
+					  filter, base));
+				/* set anonymous as the fallback, if the machine account won't work */
+				cli_credentials_set_anonymous(cred);
+				talloc_free(mem_ctx);
+				return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+			}
 		}
 	}
 
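Review bot: Dropping this message from DEBUG level 1 to 5 also silences the genuine failure case: a domain member whose join record really is missing samAccountName/servicePrincipalName now reports nothing at the default log level. Consider keeping level 1 when the caller asked for a machine account (SECRETS_PRIMARY_DOMAIN_FILTER) and using level 5 only for the ldapSecret lookup. Also, ldap_bind_dn is only tested for presence here; since the hunk below skips cli_credentials_set_username when machine_account is NULL, make sure the DN value is actually applied to cred further down.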
@@ -299,7 +304,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 		cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
 	}
 
-	cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+	if (machine_account) {
+		cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+	}
 
 	cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0));
 
@@ -332,6 +339,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
 						      struct loadparm_context *lp_ctx)
 {
+	NTSTATUS status;
 	char *filter;
 	/* Bleh, nasty recursion issues: We are setting a machine
 	 * account here, so we don't want the 'pending' flag around
@@ -339,9 +347,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 	cred->machine_account_pending = false;
 	filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
 				       cli_credentials_get_domain(cred));
-	return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, 
+	status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, 
 					   SECRETS_PRIMARY_DOMAIN_DN,
 					   filter);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1, ("Could not find machine account in secrets database: %s", nt_errstr(status)));
+	}
+	return status;
 }
 
 /**
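Review bot: The new DEBUG string "Could not find machine account in secrets database: %s" has no trailing \n, unlike the other DEBUG calls in this file (compare "Could not open secrets.ldb\n"), so the next log line will be glued onto it. The same applies to the krbtgt and stored-principal messages added further down; add "\n" to all three.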
@@ -354,6 +366,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
 			            struct event_context *event_ctx,
 				    struct loadparm_context *lp_ctx)
 {
+	NTSTATUS status;
 	char *filter;
 	/* Bleh, nasty recursion issues: We are setting a machine
 	 * account here, so we don't want the 'pending' flag around
@@ -362,13 +375,17 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
 	filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
 				       cli_credentials_get_realm(cred),
 				       cli_credentials_get_domain(cred));
-	return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, 
+	status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, 
 					   SECRETS_PRINCIPALS_DN,
 					   filter);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s", nt_errstr(status)));
+	}
+	return status;
 }
 
 /**
- * Fill in credentials for the machine trust account, from the secrets database.
+ * Fill in credentials for a particular prinicpal, from the secrets database.
  * 
  * @param cred Credentials structure to fill in
  * @retval NTSTATUS error detailing any failure
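Review bot: Typo in the updated doc comment: "prinicpal" should be "principal".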
@@ -378,6 +395,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
 					      struct loadparm_context *lp_ctx,
 					      const char *serviceprincipal)
 {
+	NTSTATUS status;
 	char *filter;
 	/* Bleh, nasty recursion issues: We are setting a machine
 	 * account here, so we don't want the 'pending' flag around
@@ -387,8 +405,12 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
 				 cli_credentials_get_realm(cred),
 				 cli_credentials_get_domain(cred),
 				 serviceprincipal);
-	return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, 
+	status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, 
 					   SECRETS_PRINCIPALS_DN, filter);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1, ("Could not find %s principal in secrets database: %s", serviceprincipal, nt_errstr(status)));
+	}
+	return status;
 }
 
 /**
diff --git a/source/auth/ntlmssp/ntlmssp_client.c b/source/auth/ntlmssp/ntlmssp_client.c
index e07c64b..8917618 100644
--- a/source/auth/ntlmssp/ntlmssp_client.c
+++ b/source/auth/ntlmssp/ntlmssp_client.c
@@ -49,6 +49,17 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
 				DATA_BLOB in, DATA_BLOB *out) 
 {
 	struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
+	const char *domain = gensec_ntlmssp_state->domain;
+	const char *workstation = cli_credentials_get_workstation(gensec_security->credentials);
+
+	/* These don't really matter in the initial packet, so don't panic if they are not set */
+	if (!domain) {
+		domain = "";
+	}
+
+	if (!workstation) {
+		workstation = "";
+	}
 
 	if (gensec_ntlmssp_state->unicode) {
 		gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
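Review bot: The fallbacks only affect the local `domain` and `workstation` variables used to build the NEGOTIATE packet; gensec_ntlmssp_state->domain itself stays NULL, so any later message that reads it from the state still needs its own handling. If that is intended, a one-line comment saying the later messages take their values from the credentials would save the next reader the check.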
@@ -67,8 +78,8 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
 		  "NTLMSSP",
 		  NTLMSSP_NEGOTIATE,
 		  gensec_ntlmssp_state->neg_flags,
-		  gensec_ntlmssp_state->domain, 
-		  cli_credentials_get_workstation(gensec_security->credentials));
+		  domain, 
+		  workstation);
 
 	gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
 
diff --git a/source/dsdb/samdb/samdb.c b/source/dsdb/samdb/samdb.c
index acc2c2a..b5b7ddf 100644
--- a/source/dsdb/samdb/samdb.c
+++ b/source/dsdb/samdb/samdb.c
@@ -39,6 +39,8 @@
 #include "dsdb/common/flags.h"
 #include "param/param.h"
 #include "lib/events/events.h"
+#include "auth/credentials/credentials.h"
+#include "param/secrets.h"
 
 char *samdb_relative_path(struct ldb_context *ldb,
 				 TALLOC_CTX *mem_ctx, 
@@ -67,6 +69,28 @@ char *samdb_relative_path(struct ldb_context *ldb,
 	return full_name;
 }
 
+struct cli_credentials *samdb_credentials(TALLOC_CTX *mem_ctx, 
+					  struct event_context *event_ctx, 
+					  struct loadparm_context *lp_ctx) 
+{
+	struct cli_credentials *cred = cli_credentials_init(mem_ctx);
+	if (!cred) {
+		return NULL;
+	}
+	cli_credentials_set_conf(cred, lp_ctx);
+
+	/* We don't want to use krb5 to talk to our samdb - recursion
+	 * here would be bad, and this account isn't in the KDC
+	 * anyway */
+	cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+	if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, NULL,
+							 SECRETS_LDAP_FILTER))) {
+		/* Perfectly OK - if not against an LDAP backend */
+		return NULL;
+	}
+	return cred;
+}
 
 /*
   connect to the SAM database
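Review bot: On the cli_credentials_set_secrets failure path `cred` is left allocated on mem_ctx; add talloc_free(cred) before `return NULL` so that callers that pass a long-lived context (ldapsrv_backend_Init passes the connection) do not accumulate one credentials structure per failed lookup. Returning NULL for both "no ldapSecret record" and "out of memory" is acceptable because ldb_wrap_connect treats NULL credentials as anonymous, but the comment should say so. Note that this reads the backend password from secrets.ldb on every samdb_connect, so the permissions on secrets.ldb are now what protects the LDAP admin credential.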
@@ -80,7 +104,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
 	struct ldb_context *ldb;
 	ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, 
 			       lp_sam_url(lp_ctx), session_info,
-			       NULL, 0, NULL);
+			       samdb_credentials(mem_ctx, ev_ctx, lp_ctx), 
+			       0, NULL);
 	if (!ldb) {
 		return NULL;
 	}
diff --git a/source/ldap_server/ldap_backend.c b/source/ldap_server/ldap_backend.c
index 2193c98..504dcf1 100644
--- a/source/ldap_server/ldap_backend.c
+++ b/source/ldap_server/ldap_backend.c
@@ -21,13 +21,13 @@
 #include "ldap_server/ldap_server.h"
 #include "lib/util/dlinklist.h"
 #include "libcli/ldap/ldap.h"
-#include "lib/ldb/include/ldb.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "lib/ldb_wrap.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "param/param.h"
 #include "smbd/service_stream.h"
+#include "dsdb/samdb/samdb.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "lib/ldb_wrap.h"
 
 #define VALID_DN_SYNTAX(dn,i) do {\
 	if (!(dn)) {\
@@ -61,7 +61,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
 				     conn->lp_ctx,
 				     lp_sam_url(conn->lp_ctx), 
 				     conn->session_info,
-				     NULL, conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
+				     samdb_credentials(conn, conn->connection->event.ctx, conn->lp_ctx), 
+				     conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
 	if (conn->ldb == NULL) {
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
diff --git a/source/libcli/ldap/ldap_bind.c b/source/libcli/ldap/ldap_bind.c
index e1569e7..6567311 100644
--- a/source/libcli/ldap/ldap_bind.c
+++ b/source/libcli/ldap/ldap_bind.c
@@ -234,7 +234,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
 	 * Windows seem not to like double encryption */
 	old_gensec_features = cli_credentials_get_gensec_features(creds);
 	if (tls_enabled(conn->sock)) {
-		cli_credentials_set_gensec_features(creds, 0);
+		cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL));
 	}
 
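Review bot: Masking only GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL under TLS is the right narrowing, but this still mutates the caller-owned `creds` object; the hunk below restores it, yet the `goto failed` that sits between this call and the restore would leave the shared credentials with signing and sealing stripped on the error path. Restore old_gensec_features in the failed: label, or compute the wanted features into a local and apply them to the gensec context instead of the credentials.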
 	/* this call also sets the gensec_want_features */
@@ -245,7 +245,8 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
 		goto failed;
 	}
 
-	/* reset the original gensec_features */
+	/* reset the original gensec_features (on the credentials
+	 * context, so we don't tatoo it ) */
 	cli_credentials_set_gensec_features(creds, old_gensec_features);
 
 	if (conn->host) {
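Review bot: Typo in the new comment: "tatoo" should be "tattoo".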
@@ -393,8 +394,6 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
 					    &sasl_socket);
 		if (!NT_STATUS_IS_OK(status)) goto failed;
 
-		talloc_steal(conn->sock, sasl_socket);
-		talloc_unlink(conn, conn->sock);
 		conn->sock = sasl_socket;
 		packet_set_socket(conn->packet, conn->sock);
 
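Review bot: With the talloc_steal/talloc_unlink pair removed, the old conn->sock is simply overwritten. The commit message says this fixes a socket leak, but from the hunk alone it is not clear who now owns the previous socket or the new sasl_socket; a comment stating that gensec_socket_init parents sasl_socket on the connection (or on the old socket) and that the old socket is freed with it would make the ownership explicit.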
diff --git a/source/libcli/ldap/ldap_client.c b/source/libcli/ldap/ldap_client.c
index bca867b..844238a 100644
--- a/source/libcli/ldap/ldap_client.c
+++ b/source/libcli/ldap/ldap_client.c
@@ -38,7 +38,6 @@
 #include "param/param.h"
 #include "libcli/resolve/resolve.h"
 
-
 /**
   create a new ldap_connection stucture. The event context is optional
 */
@@ -298,7 +297,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
 	char protocol[11];
 	int ret;
 
-	result = talloc_zero(NULL, struct composite_context);
+	result = talloc_zero(conn, struct composite_context);
 	if (result == NULL) goto failed;
 	result->state = COMPOSITE_STATE_IN_PROGRESS;
 	result->async.fn = NULL;
@@ -336,6 +335,12 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
 		SMB_ASSERT(sizeof(protocol)>10);
 		SMB_ASSERT(sizeof(path)>1024);
 	
+		/* LDAPI connections are to localhost, so give the local host name as the target for gensec */
+		conn->host = talloc_asprintf(conn, "%s.%s", lp_netbios_name(conn->lp_ctx),  lp_realm(conn->lp_ctx));
+		if (composite_nomem(conn->host, state->ctx)) {
+			return result;
+		}
+
 		/* The %c specifier doesn't null terminate :-( */
 		ZERO_STRUCT(path);
 		ret = sscanf(url, "%10[^:]://%1025c", protocol, path);
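Review bot: conn->host is assigned unconditionally here; if ldap_connect_send is called on a connection that already has host set, the previous string leaks (free it first, or build the new one and steal it over). The name is built as NETBIOS.REALM, so the realm part will usually be upper case; DIGEST-MD5 compares the digest-uri host against the server's idea of its own name, so the provisioned slapd side must accept that exact spelling, which deserves a comment here.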
diff --git a/source/libnet/libnet_samsync_ldb.c b/source/libnet/libnet_samsync_ldb.c
index a79bf04..b223a74 100644
--- a/source/libnet/libnet_samsync_ldb.c
+++ b/source/libnet/libnet_samsync_ldb.c
@@ -1222,12 +1222,10 @@ NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, str
 	state->secrets         = NULL;
 	state->trusted_domains = NULL;
 
-	state->sam_ldb         = ldb_wrap_connect(mem_ctx, 
-						  ctx->event_ctx,
-						  ctx->lp_ctx, 
-						  lp_sam_url(ctx->lp_ctx), 
-						  r->in.session_info,
-						  ctx->cred, 0, NULL);
+	state->sam_ldb         = samdb_connect(mem_ctx, 
+					       ctx->event_ctx,
+					       ctx->lp_ctx, 
+					       r->in.session_info);
 
 	r2.out.error_string    = NULL;
 	r2.in.binding_string   = r->in.binding_string;
diff --git a/source/param/secrets.h b/source/param/secrets.h
index fa162ea..83b6dc7 100644
--- a/source/param/secrets.h
+++ b/source/param/secrets.h
@@ -33,6 +33,7 @@ struct machine_acct_pass {
 #define SECRETS_PRIMARY_REALM_FILTER "(&(realm=%s)(objectclass=primaryDomain))"
 #define SECRETS_KRBTGT_SEARCH "(&((|(realm=%s)(flatname=%s))(samAccountName=krbtgt)))"
 #define SECRETS_PRINCIPAL_SEARCH "(&(|(realm=%s)(flatname=%s))(servicePrincipalName=%s))"
+#define SECRETS_LDAP_FILTER "(objectclass=ldapSecret)"
 
 /**
  * Use a TDB to store an incrementing random seed.
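Review bot: SECRETS_LDAP_FILTER is the only filter here with no realm/flatname qualifier, so if more than one ldapSecret object ever ends up in secrets.ldb the first one returned wins silently. Either scope it like the other filters or document that exactly one such record exists per secrets database.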
diff --git a/source/scripting/python/samba/provision.py b/source/scripting/python/samba/provision.py
index 5040442..d0f612c 100644
--- a/source/scripting/python/samba/provision.py
+++ b/source/scripting/python/samba/provision.py
@@ -604,6 +604,20 @@ def setup_secretsdb(path, setup_path, session_info, credentials, lp):
     secrets_ldb = Ldb(path, session_info=session_info, credentials=credentials,
                       lp=lp)
     secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
+
+    if credentials.authentication_requested:
+        if credentials.get_bind_dn() is not None:
+            setup_add_ldif(secrets_ldb, setup_path("secrets_simple_ldap.ldif"), {
+                    "LDAPMANAGERDN": credentials.get_bind_dn(),
+                    "LDAPMANAGERPASS_B64": b64encode(credentials.get_password())
+                    })
+        else:
+            setup_add_ldif(secrets_ldb, setup_path("secrets_sasl_ldap.ldif"), {
+                    "LDAPADMINUSER": credentials.get_username(),
+                    "LDAPADMINREALM": credentials.get_realm(),
+                    "LDAPADMINPASS_B64": b64encode(credentials.get_password())
+                    })
+
     return secrets_ldb
 
 
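Review bot: b64encode(credentials.get_password()) will raise TypeError if get_password() returns None (a username given but no password), so check for that before writing the record. Also confirm b64encode is imported in this module; the import is not part of this hunk. A comment noting that the `::` base64 form in the LDIF is encoding, not protection, would help: the backend password lands in secrets.ldb in recoverable form, which is why that file must stay readable only by the Samba service user.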
@@ -754,10 +768,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
             domain_oc = "samba4LocalDomain"
 
         setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
-            "DOMAINDN": names.domaindn,
-            "ACI": aci,
-            "DOMAIN_OC": domain_oc
-            })
+                "DOMAINDN": names.domaindn,
+                "ACI": aci,
+                "DOMAIN_OC": domain_oc
+                })
 
         message("Modifying DomainDN: " + names.domaindn + "")
         if domainguid is not None:
@@ -1265,15 +1279,30 @@ refint_attributes""" + refint_attributes + "\n"
                     "DOMAINDN": names.domaindn,
                     "CONFIGDN": names.configdn,
                     "SCHEMADN": names.schemadn,
-                    "LDAPMANAGERDN": names.ldapmanagerdn,
-                    "LDAPMANAGERPASS": adminpass,
                     "MEMBEROF_CONFIG": memberof_config})
         setup_file(setup_path("modules.conf"), paths.modulesconf,
                    {"REALM": names.realm})
         
-        setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "user")))
-        setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "config")))
-        setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "schema")))
+        setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "user"))
+        setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "config"))
+        setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "schema"))
+
+        if not os.path.exists(os.path.join(paths.ldapdir, "db", "samba",  "cn=samba")):
+            os.makedirs(os.path.join(paths.ldapdir, "db", "samba",  "cn=samba"))
+
+        setup_file(setup_path("cn=samba.ldif"), 
+                   os.path.join(paths.ldapdir, "db", "samba",  "cn=samba.ldif"),
+                   { "UUID": str(uuid.uuid4()), 
+                     "LDAPTIME": timestring(int(time.time()))} )
+        setup_file(setup_path("cn=samba-admin.ldif"), 
+                              os.path.join(paths.ldapdir, "db", "samba",  "cn=samba", "cn=samba-admin.ldif"),
+                              {"LDAPADMINPASS_B64": b64encode(adminpass),
+                               "UUID": str(uuid.uuid4()), 
+                               "LDAPTIME": timestring(int(time.time()))} )
+
+#"LDAPMANAGERDN": names.ldapmanagerdn,
+                               
+
         mapping = "schema-map-openldap-2.3"
         backend_schema = "backend-schema.schema"
 
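Review bot: The commented-out line `#"LDAPMANAGERDN": names.ldapmanagerdn,` and the two whitespace-only lines after it look like leftovers from moving the manager DN out of slapd.conf; drop them rather than leaving dead code at column 0 in the middle of the function. The admin password is also written base64-encoded into cn=samba-admin.ldif under paths.ldapdir, so that file needs restrictive permissions; it is now the only thing protecting the LDAP admin credential at rest in the backend.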
diff --git a/source/selftest/target/Samba4.pm b/source/selftest/target/Samba4.pm
index 2347dfc..0be1acf 100644
--- a/source/selftest/target/Samba4.pm
+++ b/source/selftest/target/Samba4.pm
@@ -719,7 +719,7 @@ nogroup:x:65534:nobody
 	push (@provision_options, "--krbtgtpass=krbtgt$password");
 	push (@provision_options, "--machinepass=machine$password");
 	push (@provision_options, "--root=$unix_name");
-	push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
+	push (@provision_options, "--username=samba-admin");
 	push (@provision_options, "--password=$password");
 	push (@provision_options, "--server-role=\"$server_role\"");
 
diff --git a/source/setup/cn=samba-admin.ldif b/source/setup/cn=samba-admin.ldif
new file mode 100644
index 0000000..c59ffd9
--- /dev/null
+++ b/source/setup/cn=samba-admin.ldif
@@ -0,0 +1,12 @@
+dn: cn=samba-admin
+objectClass: top
+objectClass: person
+cn: samba-admin
+userPassword:: ${LDAPADMINPASS_B64}
+structuralObjectClass: person
+entryUUID: ${UUID}
+creatorsName:
+createTimestamp: ${LDAPTIME}
+entryCSN: 20080714010529.241038Z#000000#000#000000
+modifiersName:
+modifyTimestamp: ${LDAPTIME}
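Review bot: DIGEST-MD5 needs the cleartext password, so userPassword here has to stay an unhashed value; state that in a comment at the top of the file so nobody later "fixes" it into a hashed form and breaks the SASL bind. entryCSN is also a hard-coded timestamp while createTimestamp/modifyTimestamp are templated from ${LDAPTIME}; either template all three or note why the CSN is fixed.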
diff --git a/source/setup/cn=samba.ldif b/source/setup/cn=samba.ldif
new file mode 100644
index 0000000..3be6242
--- /dev/null
+++ b/source/setup/cn=samba.ldif
@@ -0,0 +1,11 @@
+dn: cn=Samba
+objectClass: top
+objectClass: container
+cn: Samba
+structuralObjectClass: container
+entryUUID: b1d4823a-e58c-102c-9f74-51b6d59a1b68
+creatorsName:
+createTimestamp: 20080714010529Z
+entryCSN: 20080714010529.194412Z#000000#000#000000
+modifiersName:
+modifyTimestamp: 20080714010529Z
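Review bot: entryUUID, the timestamps and entryCSN are hard-coded here while cn=samba-admin.ldif templates them with ${UUID} and ${LDAPTIME}; every provisioned server will share the same entryUUID b1d4823a-e58c-102c-9f74-51b6d59a1b68 for cn=Samba, which becomes a problem once the replicated OpenLDAP setup the commit message anticipates is in play. Template them the same way as the admin entry.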
diff --git a/source/setup/provision b/source/setup/provision
index c1d6cd1..7bd61fc 100755
--- a/source/setup/provision
+++ b/source/setup/provision
@@ -30,7 +30,7 @@ import os, sys
 sys.path.insert(0, "bin/python")
 
 import samba
-
+from samba.credentials import DONT_USE_KERBEROS
 from samba.auth import system_session
 import samba.getopt as options
 from samba import param
@@ -131,6 +131,8 @@ else:
 
 creds = credopts.get_credentials(lp)
 
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
 setup_dir = opts.setupdir
 if setup_dir is None:
 	setup_dir = "setup"
diff --git a/source/setup/secrets_init.ldif b/source/setup/secrets_init.ldif
index 9eda47e..eb423a5 100644
--- a/source/setup/secrets_init.ldif
+++ b/source/setup/secrets_init.ldif
@@ -11,5 +11,5 @@ sAMAccountName: CASE_INSENSITIVE
 #Add modules to the list to activate them by default
 #beware often order is important
 dn: @MODULES
- at LIST: update_keytab,operational,objectguid
+ at LIST: update_keytab,operational,objectguid,rdn_name
 
diff --git a/source/setup/secrets_sasl_ldap.ldif b/source/setup/secrets_sasl_ldap.ldif
new file mode 100644


-- 
Samba Shared Repository
