[PATCH] samba-tool domain provision with MIT KDC
Andreas Schneider
asn at samba.org
Mon May 15 09:19:41 UTC 2017
Hi Andrew,
here are the patches implementing the provisioning in a cleaner way. It works
on openSUSE, Fedora and Debian.
Please review and push if OK :-)
Thanks,
Andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
-------------- next part --------------
>From b9bb65816a19980e3d095f3b4747744902d7216d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Wed, 3 May 2017 09:04:45 +0200
Subject: [PATCH 1/3] python: Do not use the glue code directly
Signed-off-by: Andreas Schneider <asn at samba.org>
---
python/samba/provision/kerberos.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/samba/provision/kerberos.py b/python/samba/provision/kerberos.py
index f874ff61567..e07588c6abb 100644
--- a/python/samba/provision/kerberos.py
+++ b/python/samba/provision/kerberos.py
@@ -21,12 +21,12 @@
from samba.provision.kerberos_implementation import (
kdb_modules_dir,
kdc_default_config_dir)
-from samba import _glue
+from samba import is_heimdal_built
import os
def make_kdcconf(realm, domain, kdcconfdir, logdir):
- if _glue.is_heimdal_built:
+ if is_heimdal_built():
return
# Do nothing if kdc.conf has been set
--
2.12.2
>From 7ff0c5b888f55835069e61f99d00bf728fe362c1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Wed, 3 May 2017 09:19:38 +0200
Subject: [PATCH 2/3] python: Create the kdc.conf in the Samba private
directory
Signed-off-by: Andreas Schneider <asn at samba.org>
---
python/samba/netcmd/domain.py | 15 +--------------
python/samba/provision/__init__.py | 24 ++++++++++++------------
python/samba/provision/kerberos.py | 11 +++--------
python/wscript | 8 +-------
source4/kdc/kdc-service-mit.c | 16 +++++++++++-----
5 files changed, 28 insertions(+), 46 deletions(-)
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index bfc4772b7b1..4bd99ba6ff5 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -87,9 +87,6 @@ from samba.provision import (
ProvisioningError
)
-from samba.provision.kerberos_implementation import (
- kdc_default_config_dir)
-
from samba.provision.common import (
FILL_FULL,
FILL_NT4SYNC,
@@ -266,20 +263,12 @@ class cmd_domain_provision(Command):
default="auto")
]
- kdc_options = [
- Option("--kdc-config-dir", type="string", metavar="KDC-CONFIG-DIR",
- help="Set the MIT KDC config directory (default='%s')" % kdc_default_config_dir),
- ]
-
if os.getenv('TEST_LDAP', "no") == "yes":
takes_options.extend(openldap_options)
if samba.is_ntvfs_fileserver_built():
takes_options.extend(ntvfs_options)
- if not samba.is_heimdal_built():
- takes_options.extend(kdc_options)
-
takes_args = []
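Review bot: Removing `--kdc-config-dir` from `takes_options` outright turns any existing invocation that still passes it into a parse error, and the parallel removal of the `kdc_config_dir` keyword from `run()` (the next hunk) and of `kdcconfdir` from `provision()` (the provision/__init__.py hunk at `def provision(`) breaks Python callers that passed it explicitly. Since the option was user-visible, a deprecation step is worth considering: keep a hidden option and the `kdcconfdir=None` keyword for one release, and emit a warning such as `logger.warning("--kdc-config-dir is ignored; kdc.conf is now written to the private directory")` when a value is supplied. If a hard break is intended, the commit message should say so explicitly so packagers know to update their provisioning scripts. The enclosing class `cmd_domain_provision` continues outside this hunk.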
def run(self, sambaopts=None, versionopts=None,
@@ -315,7 +304,6 @@ class cmd_domain_provision(Command):
use_xattrs="auto",
slapd_path=None,
use_ntvfs=False,
- kdc_config_dir=None,
use_rfc2307=None,
ldap_backend_nosync=None,
ldap_backend_extra_port=None,
@@ -483,8 +471,7 @@ class cmd_domain_provision(Command):
use_rfc2307=use_rfc2307, skip_sysvolacl=False,
ldap_backend_extra_port=ldap_backend_extra_port,
ldap_backend_forced_uri=ldap_backend_forced_uri,
- nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode,
- kdcconfdir=kdc_config_dir)
+ nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
except ProvisioningError, e:
raise CommandError("Provision failed", e)
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index d61f26e1345..f6821798c0c 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -56,6 +56,7 @@ from samba import (
substitute_var,
valid_netbios_name,
version,
+ is_heimdal_built,
)
from samba.dcerpc import security, misc
from samba.dcerpc.misc import (
@@ -118,7 +119,7 @@ import samba.registry
from samba.schema import Schema
from samba.samdb import SamDB
from samba.dbchecker import dbcheck
-from samba.provision.kerberos import make_kdcconf
+from samba.provision.kerberos import create_kdc_conf
DEFAULT_POLICY_GUID = "31B2F340-016D-11D2-945F-00C04FB984F9"
DEFAULT_DC_POLICY_GUID = "6AC1786C-016F-11D2-945F-00C04FB984F9"
@@ -549,6 +550,7 @@ def provision_paths_from_lp(lp, dnsdomain):
paths.namedconf_update = os.path.join(paths.private_dir, "named.conf.update")
paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
paths.krb5conf = os.path.join(paths.private_dir, "krb5.conf")
+ paths.kdcconf = os.path.join(paths.private_dir, "kdc.conf")
paths.winsdb = os.path.join(paths.private_dir, "wins.ldb")
paths.s4_ldapi_path = os.path.join(paths.private_dir, "ldapi")
paths.hklm = "hklm.ldb"
@@ -670,7 +672,7 @@ def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
def make_smbconf(smbconf, hostname, domain, realm, targetdir,
serverrole=None, eadb=False, use_ntvfs=False, lp=None,
- global_param=None, kdcconfdir=None):
+ global_param=None):
"""Create a new smb.conf file based on a couple of basic settings.
"""
assert smbconf is not None
@@ -731,11 +733,6 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
statedir = lp.get("state directory")
lp.set("xattr_tdb:file", os.path.abspath(os.path.join(statedir, "xattr.tdb")))
- make_kdcconf(realm, domain, kdcconfdir, os.path.dirname(lp.get("log file")))
- if kdcconfdir is not None:
- kdcconf = "%s/kdc.conf" % kdcconfdir
- lp.set("mit kdc config", kdcconf)
-
shares = {}
if serverrole == "active directory domain controller":
shares["sysvol"] = os.path.join(lp.get("state directory"), "sysvol")
@@ -1929,7 +1926,7 @@ def provision_fake_ypserver(logger, samdb, domaindn, netbiosname, nisdomain,
samdb.transaction_commit()
-def provision(logger, session_info, smbconf=None, kdcconfdir=None,
+def provision(logger, session_info, smbconf=None,
targetdir=None, samdb_fill=FILL_FULL, realm=None, rootdn=None,
domaindn=None, schemadn=None, configdn=None, serverdn=None,
domain=None, hostname=None, hostip=None, hostip6=None, domainsid=None,
@@ -2013,13 +2010,11 @@ def provision(logger, session_info, smbconf=None, kdcconfdir=None,
make_smbconf(smbconf, hostname, domain, realm,
targetdir, serverrole=serverrole,
eadb=useeadb, use_ntvfs=use_ntvfs,
- lp=lp, global_param=global_param,
- kdcconfdir=kdcconfdir)
+ lp=lp, global_param=global_param)
else:
make_smbconf(smbconf, hostname, domain, realm, targetdir,
serverrole=serverrole,
- eadb=useeadb, use_ntvfs=use_ntvfs, lp=lp, global_param=global_param,
- kdcconfdir=kdcconfdir)
+ eadb=useeadb, use_ntvfs=use_ntvfs, lp=lp, global_param=global_param)
if lp is None:
lp = samba.param.LoadParm()
@@ -2176,6 +2171,11 @@ def provision(logger, session_info, smbconf=None, kdcconfdir=None,
lp=lp, use_ntvfs=use_ntvfs,
skip_sysvolacl=skip_sysvolacl)
+ if not is_heimdal_built():
+ create_kdc_conf(paths.kdcconf, realm, domain, os.path.dirname(lp.get("log file")))
+ logger.info("The Kerberos KDC configuration for Samba AD is "
+ "located at %s", paths.kdcconf)
+
create_krb5_conf(paths.krb5conf,
dnsdomain=names.dnsdomain, hostname=names.hostname,
realm=names.realm)
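Review bot: The new `create_kdc_conf(paths.kdcconf, realm, domain, ...)` call passes the raw `realm` and `domain` parameters of `provision()`, whereas the neighbouring `create_krb5_conf(...)` call uses the resolved `names.realm` and `names.hostname`; if `realm` or `domain` were left `None` by the caller and filled in via `guess_names()` (the body of `provision()` is outside this hunk, so this is inferred), the `assert domain is not None` in `create_kdc_conf` would fire during provisioning. Prefer `create_kdc_conf(paths.kdcconf, names.realm, names.domain, os.path.dirname(lp.get("log file")))` for consistency with the krb5.conf path. It is also worth a short comment on the `is_heimdal_built()` guard noting that the file lands in the private directory and is picked up by the MIT KDC via `KRB5_KDC_PROFILE`, since nothing here records why the file is written there.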
diff --git a/python/samba/provision/kerberos.py b/python/samba/provision/kerberos.py
index e07588c6abb..24ced9c4dc9 100644
--- a/python/samba/provision/kerberos.py
+++ b/python/samba/provision/kerberos.py
@@ -19,12 +19,11 @@
#
from samba.provision.kerberos_implementation import (
- kdb_modules_dir,
- kdc_default_config_dir)
+ kdb_modules_dir)
from samba import is_heimdal_built
import os
-def make_kdcconf(realm, domain, kdcconfdir, logdir):
+def create_kdc_conf(kdcconf, realm, domain, logdir):
if is_heimdal_built():
return
@@ -37,11 +36,7 @@ def make_kdcconf(realm, domain, kdcconfdir, logdir):
if 'SAMBA_SELFTEST' in os.environ and 'MITKRB5' in os.environ:
return
- # If not specified use the default
- if kdcconfdir is None:
- kdcconfdir = kdc_default_config_dir
-
- kdcconf = "%s/kdc.conf" % kdcconfdir
+ assert kdcconf is not None
assert domain is not None
domain = domain.upper()
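Review bot: The renamed `create_kdc_conf(kdcconf, realm, domain, logdir)` has a new first parameter and a new contract (the caller now supplies the full file path) but no docstring, so the change in meaning from "config directory" to "config file path" is only discoverable from the call site. Add a docstring stating that `kdcconf` is the path of the kdc.conf file to write, that `realm`/`domain` name the Samba realm and domain, that `logdir` is the directory for KDC log files, and that the function is a no-op on Heimdal builds and in the MITKRB5 selftest environment. The added `assert kdcconf is not None` validates a caller-supplied argument with `assert`, which is stripped under `python -O`; `if kdcconf is None: raise ValueError("kdcconf path is required")` would hold in all modes (the pre-existing `assert domain is not None` has the same weakness). The function body continues past this hunk.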
diff --git a/python/wscript b/python/wscript
index 687a268412f..623ca44b005 100644
--- a/python/wscript
+++ b/python/wscript
@@ -27,20 +27,14 @@ def configure(conf):
f.write(header)
data = """kdb_modules_dir = "{0}"
-kdc_default_config_dir = "{1}"
"""
if conf.env.HEIMDAL_KRB5_CONFIG:
f.write(data.format("", ""))
else:
modulesdir = "%s/krb5/plugins/kdb" % conf.env.LIBDIR
- paths = [ "/var/kerberos/krb5kdc", "/var/lib/kerberos/krb5kdc" ]
- kdc_path = None
- for p in paths:
- if os.path.exists(p):
- kdc_path = p
- f.write(data.format(modulesdir, kdc_path))
+ f.write(data.format(modulesdir))
finally:
f.close()
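Review bot: The template `data` now has a single `{0}` placeholder, but the Heimdal branch still calls `data.format("", "")`; `str.format` silently ignores the surplus positional argument, so this is not a failure, yet it is a stale leftover that should become `f.write(data.format(""))` to match the `f.write(data.format(modulesdir))` in the MIT branch. With the `os.path.exists` probing gone, the `import os` at the top of wscript may now be unused (the rest of the file is outside this hunk, so please verify before removing it). The enclosing `configure(conf)` starts before this hunk.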
diff --git a/source4/kdc/kdc-service-mit.c b/source4/kdc/kdc-service-mit.c
index 13d6f1f6e0a..7febf158a01 100644
--- a/source4/kdc/kdc-service-mit.c
+++ b/source4/kdc/kdc-service-mit.c
@@ -146,7 +146,7 @@ void mitkdc_task_init(struct task_server *task)
struct tevent_req *subreq;
const char * const *kdc_cmd;
struct interface *ifaces;
- const char *kdc_config;
+ char *kdc_config = NULL;
struct kdc_server *kdc;
krb5_error_code code;
NTSTATUS status;
@@ -183,11 +183,17 @@ void mitkdc_task_init(struct task_server *task)
return;
}
- kdc_config = lpcfg_mit_kdc_config(task->lp_ctx, task);
- if (kdc_config != NULL && kdc_config[0] != '\0') {
- /* Do not overwrite the variable if already set! */
- setenv("KRB5_KDC_PROFILE", kdc_config, 0);
+ kdc_config = talloc_asprintf(task,
+ "%s/kdc.conf",
+ lpcfg_private_dir(task->lp_ctx));
+ if (kdc_config == NULL) {
+ task_server_terminate(task,
+ "KDC: no memory",
+ false);
+ return;
}
+ setenv("KRB5_KDC_PROFILE", kdc_config, 0);
+ TALLOC_FREE(kdc_config);
/* start it as a child process */
kdc_cmd = lpcfg_mit_kdc_command(task->lp_ctx);
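Review bot: The return value of `setenv("KRB5_KDC_PROFILE", kdc_config, 0)` is still unchecked, and the comment explaining the `0` overwrite flag ("Do not overwrite the variable if already set!") was dropped with the old code even though the behaviour is kept; without it a reader cannot tell that a `KRB5_KDC_PROFILE` already present in the daemon's environment deliberately takes precedence over the provisioned `<private dir>/kdc.conf`. Suggest `/* Do not overwrite the variable if already set; an inherited KRB5_KDC_PROFILE wins over the private-dir kdc.conf. */` above the call and `if (setenv(...) != 0) { task_server_terminate(task, "KDC: failed to set KRB5_KDC_PROFILE", false); return; }`. Freeing `kdc_config` right after `setenv` is fine because `setenv` copies the string. Note that the `"%s/kdc.conf"` path is now defined twice, here and as `paths.kdcconf` in provision/__init__.py, so the two must be kept in sync; a comment pointing at the Python side would help. The enclosing `mitkdc_task_init` continues outside the hunk.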
--
2.12.2
>From 9e3cd719750ed9068627d1d8360f1551227a44d3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Tue, 9 May 2017 08:01:12 +0200
Subject: [PATCH 3/3] Revert "param: Add 'mit kdc config' option to smb.conf"
This reverts commit eaaf5ce66e32d05b0a649619986d67ab6176a27a.
---
docs-xml/smbdotconf/security/mitkdcconfig.xml | 14 --------------
1 file changed, 14 deletions(-)
delete mode 100644 docs-xml/smbdotconf/security/mitkdcconfig.xml
diff --git a/docs-xml/smbdotconf/security/mitkdcconfig.xml b/docs-xml/smbdotconf/security/mitkdcconfig.xml
deleted file mode 100644
index 4dd9f9badff..00000000000
--- a/docs-xml/smbdotconf/security/mitkdcconfig.xml
+++ /dev/null
@@ -1,14 +0,0 @@
-<samba:parameter name="mit kdc config"
- context="G"
- type="string"
- advanced="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>
- This option allows to use a different MIT KDC config file than using
- the system default.
- </para>
-</description>
-
-<value type="example">/etc/samba/kdc.conf</value>
-</samba:parameter>
--
2.12.2