[SCM] Samba Shared Repository - branch v4-0-test updated - release-4-0-0alpha5-112-gae311d8

Andrew Bartlett abartlet at samba.org
Wed Jul 23 06:20:43 GMT 2008


The branch, v4-0-test has been updated
       via  ae311d89d2d477b235a6a9294a8bb463ed0a8c05 (commit)
       via  af629a3738298d27eb2dbecf466ceb503cec9638 (commit)
       via  a93b20b85b7b35965c428f1543cb7bbe96e16d42 (commit)
       via  136a85599815670c807f212d7d4003ec53a13729 (commit)
       via  74d684f6b329d7dd573cdc55e16bb8e629474b02 (commit)
      from  532ccbbe7aa360440f455dfa136f425b9996e998 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit ae311d89d2d477b235a6a9294a8bb463ed0a8c05
Merge: af629a3738298d27eb2dbecf466ceb503cec9638 532ccbbe7aa360440f455dfa136f425b9996e998
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 23 16:20:07 2008 +1000

    Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet

commit af629a3738298d27eb2dbecf466ceb503cec9638
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 23 16:19:54 2008 +1000

    The SMB session key must not be more than 16 bytes in SAMR (and
    presumably LSA).
    
    Tests show that Vista requires the session key to be truncated for a
    domain join.
    
    Andrew Bartlett

commit a93b20b85b7b35965c428f1543cb7bbe96e16d42
Merge: 136a85599815670c807f212d7d4003ec53a13729 b91bbc5fe4a47e5823be6be5f2f203f1f14105de
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 23 16:15:43 2008 +1000

    Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet

commit 136a85599815670c807f212d7d4003ec53a13729
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jul 22 11:09:18 2008 +1000

    Install 'named.txt' to private/ as documentation.
    
    This document is much more use when subbed with all the right things.
    
    Andrew Bartlett

commit 74d684f6b329d7dd573cdc55e16bb8e629474b02
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Tue Jul 22 11:06:47 2008 +1000

    Improve DNS and Group policy configurations.
    
     - fixes bug #4813 (simplify DNS setup)
      - This reworks the named.conf to be a fully fledged include
      - This also moves the documentation into named.txt
     - improves bug #4900 (Group policy support in Samba)
       - by creating an empty GPT.INI
     - fixes bug #5582 (DNS: Enhanced zone file)
       - This is now closer to the zone file AD creates
    
    committed by Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source/librpc/rpc/dcerpc_util.c            |   14 +++++-
 source/rpc_server/dcerpc_server.c          |   11 ++++-
 source/scripting/python/samba/provision.py |   31 ++++++++++++-
 source/setup/named.conf                    |   63 ++++++----------------------
 source/setup/named.txt                     |   46 ++++++++++++++++++++
 source/setup/provision.zone                |    7 +++-
 6 files changed, 115 insertions(+), 57 deletions(-)
 create mode 100644 source/setup/named.txt


Changeset truncated at 500 lines:

diff --git a/source/librpc/rpc/dcerpc_util.c b/source/librpc/rpc/dcerpc_util.c
index 71c6d5f..32646e8 100644
--- a/source/librpc/rpc/dcerpc_util.c
+++ b/source/librpc/rpc/dcerpc_util.c
@@ -647,11 +647,21 @@ NTSTATUS dcerpc_generic_session_key(struct dcerpc_connection *c,
 
 /*
   fetch the user session key - may be default (above) or the SMB session key
+
+  The key is always truncated to 16 bytes 
 */
 _PUBLIC_ NTSTATUS dcerpc_fetch_session_key(struct dcerpc_pipe *p,
-				  DATA_BLOB *session_key)
+					   DATA_BLOB *session_key)
 {
-	return p->conn->security_state.session_key(p->conn, session_key);
+	NTSTATUS status;
+	status = p->conn->security_state.session_key(p->conn, session_key);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	session_key->length = MIN(session_key->length, 16);
+
+	return NT_STATUS_OK;
 }
 
 
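Review bot: The `16` in `session_key->length = MIN(session_key->length, 16);` is a bare constant that this commit introduces twice, here in `dcerpc_fetch_session_key` and again in `dcesrv_fetch_session_key` in dcerpc_server.c, and neither site says why; the commit message is the only place recording that SAMR (and presumably LSA) interoperability with Vista needs it. Give it one name in a header both files see, e.g. `#define DCERPC_SESSION_KEY_MAX_LEN 16 /* SAMR/LSA use at most 16 bytes of the SMB session key */`, and use it at both truncation sites. The block comment would also be more useful if it said what actually happens: only `length` is reduced, the blob is not reallocated, so the full key bytes remain in `session_key->data`. If callers cannot work with an empty key, a `session_key->length == 0` check here would be the natural place to reject it, but I cannot tell from the hunk whether any caller relies on that.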
diff --git a/source/rpc_server/dcerpc_server.c b/source/rpc_server/dcerpc_server.c
index 91ae5fc..a2ca897 100644
--- a/source/rpc_server/dcerpc_server.c
+++ b/source/rpc_server/dcerpc_server.c
@@ -270,11 +270,20 @@ NTSTATUS dcesrv_generic_session_key(struct dcesrv_connection *p,
 
 /*
   fetch the user session key - may be default (above) or the SMB session key
+
+  The key is always truncated to 16 bytes 
 */
 _PUBLIC_ NTSTATUS dcesrv_fetch_session_key(struct dcesrv_connection *p,
 				  DATA_BLOB *session_key)
 {
-	return p->auth_state.session_key(p, session_key);
+	NTSTATUS status = p->auth_state.session_key(p, session_key);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	session_key->length = MIN(session_key->length, 16);
+
+	return NT_STATUS_OK;
 }
 
 
diff --git a/source/scripting/python/samba/provision.py b/source/scripting/python/samba/provision.py
index 6eb47c8..4b31038 100644
--- a/source/scripting/python/samba/provision.py
+++ b/source/scripting/python/samba/provision.py
@@ -244,6 +244,7 @@ def provision_paths_from_lp(lp, dnsdomain):
     paths.templates = os.path.join(paths.private_dir, "templates.ldb")
     paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone")
     paths.namedconf = os.path.join(paths.private_dir, "named.conf")
+    paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
     paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
     paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
     paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
@@ -1043,6 +1044,7 @@ def provision(setup_dir, message, session_info,
         policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies", 
                                    "{" + policyguid + "}")
         os.makedirs(policy_path, 0755)
+        open(os.path.join(policy_path, "GPT.INI"), 'w').write("")
         os.makedirs(os.path.join(policy_path, "Machine"), 0755)
         os.makedirs(os.path.join(policy_path, "User"), 0755)
         if not os.path.isdir(paths.netlogon):
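Review bot: The added `open(os.path.join(policy_path, "GPT.INI"), 'w').write("")` never closes the file object explicitly and relies on CPython refcounting to do it; since the only goal is an empty file, `open(os.path.join(policy_path, "GPT.INI"), 'w').close()` does the same with the handle released deterministically. Windows-written GPT.INI files normally carry a `[General]` section with a `Version` line, so whether an empty file satisfies the clients this targets (bug #4900 in the commit message) is worth confirming before relying on it. The enclosing `provision` function starts and ends outside this hunk.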
@@ -1081,12 +1083,15 @@ def provision(setup_dir, message, session_info,
                              hostip6=hostip6, hostname=names.hostname,
                              dnspass=dnspass, realm=names.realm,
                              domainguid=domainguid, hostguid=hostguid)
-            message("Please install the zone located in %s into your DNS server" % paths.dns)
 
             create_named_conf(paths.namedconf, setup_path, realm=names.realm,
+                              dnsdomain=names.dnsdomain, private_dir=paths.private_dir)
+
+            create_named_txt(paths.namedtxt, setup_path, realm=names.realm,
                               dnsdomain=names.dnsdomain, private_dir=paths.private_dir,
                               keytab_name=paths.dns_keytab)
-            message("See %s for example configuration statements for secure GSS-TSIG updates" % paths.namedconf)
+            message("See %s for an example configuration include file for BIND" % paths.namedconf)
+            message("and %s for further documentation required for secure DNS updates" % paths.namedtxt)
 
             create_krb5_conf(paths.krb5conf, setup_path, dnsdomain=names.dnsdomain,
                              hostname=names.hostname, realm=names.realm)
@@ -1376,7 +1381,7 @@ def create_zone_file(path, setup_path, dnsdomain, domaindn,
 
 
 def create_named_conf(path, setup_path, realm, dnsdomain,
-                      private_dir, keytab_name):
+                      private_dir):
     """Write out a file containing zone statements suitable for inclusion in a
     named.conf file (including GSS-TSIG configuration).
     
@@ -1392,8 +1397,28 @@ def create_named_conf(path, setup_path, realm, dnsdomain,
             "DNSDOMAIN": dnsdomain,
             "REALM": realm,
             "REALM_WC": "*." + ".".join(realm.split(".")[1:]),
+            "PRIVATE_DIR": private_dir
+            })
+
+def create_named_txt(path, setup_path, realm, dnsdomain,
+                      private_dir, keytab_name):
+    """Write out a file containing zone statements suitable for inclusion in a
+    named.conf file (including GSS-TSIG configuration).
+    
+    :param path: Path of the new named.conf file.
+    :param setup_path: Setup path function.
+    :param realm: Realm name
+    :param dnsdomain: DNS Domain name
+    :param private_dir: Path to private directory
+    :param keytab_name: File name of DNS keytab file
+    """
+
+    setup_file(setup_path("named.txt"), path, {
+            "DNSDOMAIN": dnsdomain,
+            "REALM": realm,
             "DNS_KEYTAB": keytab_name,
             "DNS_KEYTAB_ABS": os.path.join(private_dir, keytab_name),
+            "PRIVATE_DIR": private_dir
         })
 
 def create_krb5_conf(path, setup_path, dnsdomain, hostname, realm):
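Review bot: The docstring of the new `create_named_txt` is a copy of `create_named_conf`'s and describes the wrong file: named.txt holds the GSS-TSIG/keytab setup instructions moved out of named.conf in this commit, not zone statements. Replace the first sentence with `"""Write out named.txt, the documentation describing the extra BIND configuration (GSS-TSIG options, keytab location and permissions) needed for secure DNS updates.` and the path line with `:param path: Path of the new named.txt file.`. Conversely `create_named_conf`'s docstring (hunk at the previous `@@`) still says "(including GSS-TSIG configuration)" although that material now lives in named.txt and `keytab_name` was removed from its signature; its `:param keytab_name:` line, if it is still there outside the hunk, should presumably go as well.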
diff --git a/source/setup/named.conf b/source/setup/named.conf
index 4f98bbd..0b08706 100644
--- a/source/setup/named.conf
+++ b/source/setup/named.conf
@@ -1,12 +1,15 @@
+# This file should be included in your main BIND configuration file
 #
-# Insert these snippets into your named.conf or bind.conf to configure
-# the BIND nameserver.
-#
+# For example with
+# include "${PRIVATE_DIR}/named.conf";
 
-# You should always include the actual forward zone configuration:
 zone "${DNSDOMAIN}." IN {
 	type master;
-	file "${DNSDOMAIN}.zone";
+	file "${PRIVATE_DIR}/${DNSDOMAIN}.zone";
+	/*
+	 * Attention: Not all BIND versions support "ms-self". The instead use
+	 * of allow-update { any; }; is another, but less secure possibility.
+	 */
 	update-policy {
 		/*
 		 * A rather long description here, as the "ms-self" option does
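Review bot: The new "Attention" comment calls `allow-update { any; };` "another, but less secure possibility" without saying what it gives up: it lets any host that can reach the server modify the zone with no authentication at all. Suggested wording: `* Attention: not all BIND versions support "ms-self". The alternative,` / `* allow-update { any; };, accepts updates from any host without` / `* authentication and should only be used on a fully trusted network.`. Separately, `file "${PRIVATE_DIR}/${DNSDOMAIN}.zone"` now points BIND at Samba's private directory; for dynamic updates named must be able to write both the zone file and its .jnl journal there, which presumably means giving the named user write access to a directory that also holds the keytab and databases, while the named.txt added in this same commit still tells the admin to put zone files under /var/named/dynamic. One approach should be chosen and documented consistently.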
@@ -44,6 +47,8 @@ zone "${DNSDOMAIN}." IN {
 
 # The reverse zone configuration is optional.  The following example assumes a
 # subnet of 192.168.123.0/24:
+
+/*
 zone "123.168.192.in-addr.arpa" in {
 	type master;
 	file "123.168.192.in-addr.arpa.zone";
@@ -51,54 +56,12 @@ zone "123.168.192.in-addr.arpa" in {
 		grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
 	};
 };
+*/
+
 # Note that the reverse zone file is not created during the provision process.
 
-# The most recent BIND version (9.5.0a5 or later) supports secure GSS-TSIG
+# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
 # updates.  If you are running an earlier version of BIND, or if you do not wish
 # to use secure GSS-TSIG updates, you may remove the update-policy sections in
 # both examples above.
 
-# If you are running a capable version of BIND and you wish to support secure
-# GSS-TSIG updates, you must make the following configuration changes:
-
-# - Insert the following lines into the options {} section of your named.conf
-# file:
-tkey-gssapi-credential "DNS/${DNSDOMAIN}";
-tkey-domain "${REALM}";
-
-# - Modify BIND init scripts to pass the location of the generated keytab file.
-# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
-# for this purpose:
-KEYTAB_FILE="${DNS_KEYTAB_ABS}"
-# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
-# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon.  If
-# your distribution does not provide a variable like KEYTAB_FILE to pass a
-# keytab file to the BIND daemon, a workaround is to place the following line in
-# BIND's sysconfig file or in the init script for BIND:
-export KRB5_KTNAME="${DNS_KEYTAB_ABS}"
-
-# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file.  Note
-# that most distributions have BIND configured to run under a non-root user
-# account.  For example, Fedora 9 runs BIND as the user "named" once the daemon
-# relinquishes its rights.  Therefore, the file ${DNS_KEYTAB} must be readable
-# by the user that BIND run as.  If BIND is running as a non-root user, the
-# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to
-# read it.  Under Fedora 9, execute the following commands:
-chgrp named ${DNS_KEYTAB_ABS}
-chmod g+r ${DNS_KEYTAB_ABS}
-
-# - Ensure the BIND zone file(s) that will be dynamically updated are in a
-# directory where the BIND daemon can write.  When BIND performs dynamic
-# updates, it not only needs to update the zone file itself but it must also
-# create a journal (.jnl) file to track the dynamic updates as they occur.
-# Under Fedora 9, the /var/named directory can not be written to by the "named"
-# user.  However, the directory /var/named/dynamic directory does provide write
-# access.  Therefore the zone files were placed under the /var/named/dynamic
-# directory.  The file directives in both example zone statements at the
-# beginning of this file were changed by prepending the directory "dynamic/".
-
-# - If SELinux is enabled, ensure that all files have the appropriate SELinux
-# file contexts.  The ${DNS_KEYTAB} file must be accessible by the BIND daemon
-# and should have a SELinux type of named_conf_t.  This can be set with the
-# following command:
-chcon -t named_conf_t ${DNS_KEYTAB_ABS}
diff --git a/source/setup/named.txt b/source/setup/named.txt
new file mode 100644
index 0000000..c1e6b3a
--- /dev/null
+++ b/source/setup/named.txt
@@ -0,0 +1,46 @@
+# Additional informations for DNS setup using BIND
+
+# If you are running a capable version of BIND and you wish to support secure
+# GSS-TSIG updates, you must make the following configuration changes:
+
+# - Insert the following lines into the options {} section of your named.conf
+# file:
+tkey-gssapi-credential "DNS/${DNSDOMAIN}";
+tkey-domain "${REALM}";
+
+# - Modify BIND init scripts to pass the location of the generated keytab file.
+# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
+# for this purpose:
+KEYTAB_FILE="${DNS_KEYTAB_ABS}"
+# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
+# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon.  If
+# your distribution does not provide a variable like KEYTAB_FILE to pass a
+# keytab file to the BIND daemon, a workaround is to place the following line in
+# BIND's sysconfig file or in the init script for BIND:
+export KRB5_KTNAME="${DNS_KEYTAB_ABS}"
+
+# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file.  Note
+# that most distributions have BIND configured to run under a non-root user
+# account.  For example, Fedora 9 runs BIND as the user "named" once the daemon
+# relinquishes its rights.  Therefore, the file ${DNS_KEYTAB} must be readable
+# by the user that BIND run as.  If BIND is running as a non-root user, the
+# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to
+# read it.  Under Fedora 9, execute the following commands:
+chgrp named ${DNS_KEYTAB_ABS}
+chmod g+r ${DNS_KEYTAB_ABS}
+
+# - Ensure the BIND zone file(s) that will be dynamically updated are in a
+# directory where the BIND daemon can write.  When BIND performs dynamic
+# updates, it not only needs to update the zone file itself but it must also
+# create a journal (.jnl) file to track the dynamic updates as they occur.
+# Under Fedora 9, the /var/named directory can not be written to by the "named"
+# user.  However, the directory /var/named/dynamic directory does provide write
+# access.  Therefore the zone files were placed under the /var/named/dynamic
+# directory.  The file directives in both example zone statements at the
+# beginning of this file were changed by prepending the directory "dynamic/".
+
+# - If SELinux is enabled, ensure that all files have the appropriate SELinux
+# file contexts.  The ${DNS_KEYTAB} file must be accessible by the BIND daemon
+# and should have a SELinux type of named_conf_t.  This can be set with the
+# following command:
+chcon -t named_conf_t ${DNS_KEYTAB_ABS}
diff --git a/source/setup/provision.zone b/source/setup/provision.zone
index 28c1c29..17ae3bb 100644
--- a/source/setup/provision.zone
+++ b/source/setup/provision.zone
@@ -14,10 +14,12 @@ ${HOSTIP6_BASE_LINE}
 ;
 ${HOSTIP6_HOST_LINE}
 ${HOSTNAME}		IN A	${HOSTIP}
-${HOSTGUID}._msdcs	IN CNAME ${HOSTNAME}
+gc._msdcs		IN CNAME	${HOSTNAME}
+${HOSTGUID}._msdcs	IN CNAME	${HOSTNAME}
 ;
 ; global catalog servers
 _gc._tcp		IN SRV 0 100 3268	${HOSTNAME}
+_gc._tcp.${DEFAULTSITE}._sites	IN SRV 0 100 3268	${HOSTNAME}
 _ldap._tcp.gc._msdcs	IN SRV 0 100 389	${HOSTNAME}
 _ldap._tcp.${DEFAULTSITE}._sites.gc._msdcs	IN SRV 0 100 389 ${HOSTNAME}
 ;
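Review bot: The new `gc._msdcs IN CNAME ${HOSTNAME}` does not match what I understand a Windows DC registers: `gc._msdcs.<forest>` normally carries an A record per global catalog (with the `_ldap._tcp.gc._msdcs` SRV beneath it), not a CNAME. Clients will likely resolve the CNAME fine, but since the commit's stated aim is to be closer to the zone AD creates, this is worth checking against a zone produced by a Windows DC. If an A record is intended, `gc._msdcs IN A ${HOSTIP}` would mirror the existing `${HOSTNAME} IN A ${HOSTIP}` line, with a `${HOSTIP6_*}`-style conditional line for IPv6 if that is wanted.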
@@ -25,12 +27,15 @@ _ldap._tcp.${DEFAULTSITE}._sites.gc._msdcs	IN SRV 0 100 389 ${HOSTNAME}
 _ldap._tcp		IN SRV 0 100 389	${HOSTNAME}
 _ldap._tcp.dc._msdcs	IN SRV 0 100 389	${HOSTNAME}
 _ldap._tcp.pdc._msdcs	IN SRV 0 100 389	${HOSTNAME}
+_ldap._tcp.${DOMAINGUID}	IN SRV 0 100 389	${HOSTNAME}
 _ldap._tcp.${DOMAINGUID}.domains._msdcs		IN SRV 0 100 389 ${HOSTNAME}
+_ldap._tcp.${DEFAULTSITE}._sites		IN SRV 0 100 389 ${HOSTNAME}
 _ldap._tcp.${DEFAULTSITE}._sites.dc._msdcs	IN SRV 0 100 389 ${HOSTNAME}
 ;
 ; krb5 servers
 _kerberos._tcp		IN SRV 0 100 88		${HOSTNAME}
 _kerberos._tcp.dc._msdcs	IN SRV 0 100 88	${HOSTNAME}
+_kerberos._tcp.${DEFAULTSITE}._sites	IN SRV 0 100 88	${HOSTNAME}
 _kerberos._tcp.${DEFAULTSITE}._sites.dc._msdcs	IN SRV 0 100 88 ${HOSTNAME}
 _kerberos._udp		IN SRV 0 100 88		${HOSTNAME}
 ; MIT kpasswd likes to lookup this name on password change
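Review bot: I cannot place the new `_ldap._tcp.${DOMAINGUID} IN SRV 0 100 389 ${HOSTNAME}` among the DC locator names I know; the GUID-keyed lookup clients perform is `_ldap._tcp.<DomainGuid>.domains._msdcs`, which is already the next line. If this record was copied from an AD-created zone, a one-line comment above it naming the lookup that needs it would save the next reader the same search; if not, it may simply be a duplicate. The `_sites` variants added in this hunk look consistent with the existing `_sites.dc._msdcs` entries.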


-- 
Samba Shared Repository

