sub openldap_start($$$) {
my ($slapd_conf, $uri, $logs) = @_;
- my $oldpath = $ENV{PATH};
- $ENV{PATH} = "/usr/local/sbin:/usr/sbin:/sbin:$ENV{PATH}";
- system("slapd -d0 -f $slapd_conf -h $uri > $logs 2>&1 &");
+ my $oldpath = $ENV{PATH};
+ my $olroot = "";
+ my $olpath = "";
+ if (defined $ENV{OPENLDAP_ROOT}) {
+ $olroot = "$ENV{OPENLDAP_ROOT}";
+ $olpath = "$olroot/libexec:$olroot/sbin:";
+ }
+ $ENV{PATH} = "$olpath/usr/local/sbin:/usr/sbin:/sbin:$ENV{PATH}";
+ system("slapd -d63 -f $slapd_conf -h $uri > $logs 2>&1 &");
$ENV{PATH} = $oldpath;
}
# running slapd in the background means it stays in the same process group, so it can be
# killed by timelimit
if ($self->{ldap} eq "fedora-ds") {
- system("$ENV{FEDORA_DS_PREFIX}/sbin/ns-slapd -D $env_vars->{FEDORA_DS_DIR} -d0 -i $env_vars->{FEDORA_DS_PIDFILE}> $env_vars->{LDAPDIR}/logs 2>&1 &");
+ system("$ENV{FEDORA_DS_ROOT}/sbin/ns-slapd -D $env_vars->{FEDORA_DS_DIR} -d0 -i $env_vars->{FEDORA_DS_PIDFILE}> $env_vars->{LDAPDIR}/logs 2>&1 &");
} elsif ($self->{ldap} eq "openldap") {
openldap_start($env_vars->{SLAPD_CONF}, $uri, "$env_vars->{LDAPDIR}/logs");
}
$ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
+ $ENV{NSS_WRAPPER_PASSWD} = $env_vars->{NSS_WRAPPER_PASSWD};
+ $ENV{NSS_WRAPPER_GROUP} = $env_vars->{NSS_WRAPPER_GROUP};
+
# Start slapd before smbd, but with the fifo on stdin
if (defined($self->{ldap})) {
$self->slapd_start($env_vars) or
if (defined($max_time)) {
$optarg = "--maximum-runtime=$max_time ";
}
+ if (defined($ENV{SMBD_OPTIONS})) {
+ $optarg.= " $ENV{SMBD_OPTIONS}";
+ }
my $ret = system("$valgrind $self->{bindir}/smbd $optarg $env_vars->{CONFIGURATION} -M single -i --leak-report-full");
if ($? == -1) {
print "Unable to start smbd: $ret: $!\n";
my $pidfile = "$fedora_ds_dir/logs/slapd-samba4.pid";
+ system("$self->{bindir}/ad2oLschema $configuration -H $ldapdir/schema-tmp.ldb --option=convert:target=fedora-ds -I $self->{setupdir}/schema-map-fedora-ds-1.0 -O $ldapdir/99_ad.ldif >&2") == 0 or die("schema conversion for Fedora DS failed");
+
my $dir = getcwd();
-chdir "$ENV{FEDORA_DS_PREFIX}/bin" || die;
- if (system("perl $ENV{FEDORA_DS_PREFIX}/bin/ds_newinst.pl $fedora_ds_inf >&2") != 0) {
+chdir "$ENV{FEDORA_DS_ROOT}/bin" || die;
+ if (system("perl $ENV{FEDORA_DS_ROOT}/sbin/setup-ds.pl --silent --file=$fedora_ds_inf >&2") != 0) {
chdir $dir;
- die("perl $ENV{FEDORA_DS_PREFIX}/bin/ds_newinst.pl $fedora_ds_inf FAILED: $?");
+ die("perl $ENV{FEDORA_DS_ROOT}/sbin/setup-ds.pl --silent --file=$fedora_ds_inf FAILED: $?");
}
chdir $dir || die;
- system("cat $fedora_ds_extra_ldif >> $fedora_ds_dir/dse.ldif");
-
- system("$self->{bindir}/ad2oLschema $configuration -H $ldapdir/schema-tmp.ldb --option=convert:target=fedora-ds -I $self->{setupdir}/schema-map-fedora-ds-1.0 -O $fedora_ds_dir/schema/99_ad.ldif >&2") == 0 or die("schema conversion for Fedora DS failed");
-
return ($fedora_ds_dir, $pidfile);
}
system("$self->{bindir}/ad2oLschema $configuration --option=convert:target=openldap -H $ldapdir/schema-tmp.ldb -I $self->{setupdir}/schema-map-openldap-2.3 -O $ldapdir/backend-schema.schema >&2") == 0 or die("schema conversion for OpenLDAP failed");
my $oldpath = $ENV{PATH};
- $ENV{PATH} = "/usr/local/sbin:/usr/sbin:/sbin:$ENV{PATH}";
+ my $olpath = "";
+ my $olroot = "";
+ if (defined $ENV{OPENLDAP_ROOT}) {
+ $olroot = "$ENV{OPENLDAP_ROOT}";
+ $olpath = "$olroot/libexec:$olroot/sbin:";
+ }
+ $ENV{PATH} = "$olpath/usr/local/sbin:/usr/sbin:/sbin:$ENV{PATH}";
unlink($modconf);
open(CONF, ">$modconf"); close(CONF);
+ if (system("slaptest -u -f $slapd_conf >&2") != 0) {
+ open(CONF, ">$modconf");
+ # enable slapd modules
+ print CONF "
+modulepath $olroot/libexec/openldap
+moduleload syncprov
+moduleload memberof
+moduleload refint
+";
+ close(CONF);
+ }
+ if (system("slaptest -u -f $slapd_conf >&2") != 0) {
+ open(CONF, ">$modconf");
+ # enable slapd modules
+ print CONF "
+modulepath $olroot/libexec/openldap
+moduleload back_hdb
+moduleload syncprov
+moduleload memberof
+moduleload refint
+";
+ close(CONF);
+ }
+
+ if (system("slaptest -u -f $slapd_conf >&2") != 0) {
+ open(CONF, ">$modconf");
+ # enable slapd modules
+ print CONF "
+moduleload back_hdb
+moduleload syncprov
+moduleload memberof
+moduleload refint
+";
+ close(CONF);
+ }
+
if (system("slaptest -u -f $slapd_conf >&2") != 0) {
open(CONF, ">$modconf");
# enable slapd modules
print CONF "
modulepath /usr/lib/ldap
-moduleload back_bdb
+moduleload back_hdb
moduleload syncprov
+moduleload memberof
+moduleload refint
+";
+ close(CONF);
+ }
+
+ if (system("slaptest -u -f $slapd_conf >&2") != 0) {
+ open(CONF, ">$modconf");
+ # enable slapd modules (Fedora layout)
+ print CONF "
+modulepath /usr/lib/openldap
+moduleload syncprov
+moduleload memberof
+moduleload refint
+";
+ close(CONF);
+ }
+
+ if (system("slaptest -u -f $slapd_conf >&2") != 0) {
+ open(CONF, ">$modconf");
+ # enable slapd modules (Fedora x86_64 layout)
+ print CONF "
+modulepath /usr/lib64/openldap
+moduleload syncprov
+moduleload memberof
+moduleload refint
";
close(CONF);
}
return ($slapd_conf, $pidfile);
}
+sub mk_keyblobs($$)
+{
+ my ($self, $tlsdir) = @_;
+
+ #TLS and PKINIT crypto blobs
+ my $dhfile = "$tlsdir/dhparms.pem";
+ my $cafile = "$tlsdir/ca.pem";
+ my $certfile = "$tlsdir/cert.pem";
+ my $reqkdc = "$tlsdir/req-kdc.der";
+ my $kdccertfile = "$tlsdir/kdc.pem";
+ my $keyfile = "$tlsdir/key.pem";
+ my $adminkeyfile = "$tlsdir/adminkey.pem";
+ my $reqadmin = "$tlsdir/req-admin.der";
+ my $admincertfile = "$tlsdir/admincert.pem";
+
+ mkdir($tlsdir, 0777);
+
+ #This is specified here to avoid draining entropy on every run
+ open(DHFILE, ">$dhfile");
+ print DHFILE <<EOF;
+-----BEGIN DH PARAMETERS-----
+MGYCYQC/eWD2xkb7uELmqLi+ygPMKyVcpHUo2yCluwnbPutEueuxrG/Cys8j8wLO
+svCN/jYNyR2NszOmg7ZWcOC/4z/4pWDVPUZr8qrkhj5MRKJc52MncfaDglvEdJrv
+YX70obsCAQI=
+-----END DH PARAMETERS-----
+EOF
+ close(DHFILE);
+
+ #Likewise, we pregenerate the key material. This allows the
+ #other certificates to be pre-generated
+ open(KEYFILE, ">$keyfile");
+ print KEYFILE <<EOF;
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpc
+ol3+S9/6I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H
+6H+pPqVIRLOmrWImai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQAB
+AoGAAqDLzFRR/BF1kpsiUfL4WFvTarCe9duhwj7ORc6fs785qAXuwUYAJ0Uvzmy6
+HqoGv3t3RfmeHDmjcpPHsbOKnsOQn2MgmthidQlPBMWtQMff5zdoYNUFiPS0XQBq
+szNW4PRjaA9KkLQVTwnzdXGkBSkn/nGxkaVu7OR3vJOBoo0CQQDO4upypesnbe6p
+9/xqfZ2uim8IwV1fLlFClV7WlCaER8tsQF4lEi0XSzRdXGUD/dilpY88Nb+xok/X
+8Z8OvgAXAkEA+pcLsx1gN7kxnARxv54jdzQjC31uesJgMKQXjJ0h75aUZwTNHmZQ
+vPxi6u62YiObrN5oivkixwFNncT9MxTxVQJBAMaWUm2SjlLe10UX4Zdm1MEB6OsC
+kVoX37CGKO7YbtBzCfTzJGt5Mwc1DSLA2cYnGJqIfSFShptALlwedot0HikCQAJu
+jNKEKnbf+TdGY8Q0SKvTebOW2Aeg80YFkaTvsXCdyXrmdQcifw4WdO9KucJiDhSz
+Y9hVapz7ykEJtFtWjLECQQDIlfc63I5ZpXfg4/nN4IJXUW6AmPVOYIA5215itgki
+cSlMYli1H9MEXH0pQMGv5Qyd0OYIx2DDg96mZ+aFvqSG
+-----END RSA PRIVATE KEY-----
+EOF
+ close(KEYFILE);
+
+ open(ADMINKEYFILE, ">$adminkeyfile");
+
+ print ADMINKEYFILE <<EOF;
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQD0+OL7TQBj0RejbIH1+g5GeRaWaM9xF43uE5y7jUHEsi5owhZF
+5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMFxB6esnXhl0Jpip1JkUMM
+XLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xdl3JRlwIDAQAB
+AoGAP8mjCP628Ebc2eACQzOWjgEvwYCPK4qPmYOf1zJkArzG2t5XAGJ5WGrENRuB
+cm3XFh1lpmaADl982UdW3gul4gXUy6w4XjKK4vVfhyHj0kZ/LgaXUK9BAGhroJ2L
+osIOUsaC6jdx9EwSRctwdlF3wWJ8NK0g28AkvIk+FlolW4ECQQD7w5ouCDnf58CN
+u4nARx4xv5XJXekBvOomkCQAmuOsdOb6b9wn3mm2E3au9fueITjb3soMR31AF6O4
+eAY126rXAkEA+RgHzybzZEP8jCuznMqoN2fq/Vrs6+W3M8/G9mzGEMgLLpaf2Jiz
+I9tLZ0+OFk9tkRaoCHPfUOCrVWJZ7Y53QQJBAMhoA6rw0WDyUcyApD5yXg6rusf4
+ASpo/tqDkqUIpoL464Qe1tjFqtBM3gSXuhs9xsz+o0bzATirmJ+WqxrkKTECQHt2
+OLCpKqwAspU7N+w32kaUADoRLisCEdrhWklbwpQgwsIVsCaoEOpt0CLloJRYTANE
+yoZeAErTALjyZYZEPcECQQDlUi0N8DFxQ/lOwWyR3Hailft+mPqoPCa8QHlQZnlG
++cfgNl57YHMTZFwgUVFRdJNpjH/WdZ5QxDcIVli0q+Ko
+-----END RSA PRIVATE KEY-----
+EOF
+
+ #generated with
+ #hxtool issue-certificate --self-signed --issue-ca --ca-private-key=FILE:$KEYFILE \
+ # --subject="CN=CA,$BASEDN" --certificate="FILE:$CAFILE"
+
+ open(CAFILE, ">$cafile");
+ print CAFILE <<EOF;
+-----BEGIN CERTIFICATE-----
+MIIChTCCAe6gAwIBAgIUFZoF6jt0R+hQBdF7cWPy0tT3fGwwCwYJKoZIhvcNAQEFMFIxEzAR
+BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
+LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDcwMTIzMDU1MzA5WhgPMjAwODAxMjQw
+NTUzMDlaMFIxEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
+MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpcol3+S9/6
+I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H6H+pPqVIRLOmrWIm
+ai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQABo1YwVDAOBgNVHQ8BAf8EBAMC
+AqQwEgYDVR0lBAswCQYHKwYBBQIDBTAdBgNVHQ4EFgQUwtm596AMotmzRU7IVdgrUvozyjIw
+DwYDVR0TBAgwBgEB/wIBADANBgkqhkiG9w0BAQUFAAOBgQBgzh5uLDmESGYv60iUdEfuk/T9
+VCpzb1z3VJVWt3uJoQYbcpR00SKeyMdlfTTLzO6tSPMmlk4hwqfvLkPzGCSObR4DRRYa0BtY
+2laBVlg9X59bGpMUvpFQfpvxjvFWNJDL+377ELCVpLNdoR23I9TKXlalj0bY5Ks46CVIrm6W
+EA==
+-----END CERTIFICATE-----
+EOF
+
+ #generated with GNUTLS internally in Samba.
+
+ open(CERTFILE, ">$certfile");
+ print CERTFILE <<EOF;
+-----BEGIN CERTIFICATE-----
+MIICYTCCAcygAwIBAgIE5M7SRDALBgkqhkiG9w0BAQUwZTEdMBsGA1UEChMUU2Ft
+YmEgQWRtaW5pc3RyYXRpb24xNDAyBgNVBAsTK1NhbWJhIC0gdGVtcG9yYXJ5IGF1
+dG9nZW5lcmF0ZWQgY2VydGlmaWNhdGUxDjAMBgNVBAMTBVNhbWJhMB4XDTA2MDgw
+NDA0MzY1MloXDTA4MDcwNDA0MzY1MlowZTEdMBsGA1UEChMUU2FtYmEgQWRtaW5p
+c3RyYXRpb24xNDAyBgNVBAsTK1NhbWJhIC0gdGVtcG9yYXJ5IGF1dG9nZW5lcmF0
+ZWQgY2VydGlmaWNhdGUxDjAMBgNVBAMTBVNhbWJhMIGcMAsGCSqGSIb3DQEBAQOB
+jAAwgYgCgYDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpcol3+
+S9/6I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H6H+p
+PqVIRLOmrWImai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQABoyUw
+IzAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGCSqGSIb3DQEB
+BQOBgQAmkN6XxvDnoMkGcWLCTwzxGfNNSVcYr7TtL2aJh285Xw9zaxcm/SAZBFyG
+LYOChvh6hPU7joMdDwGfbiLrBnMag+BtGlmPLWwp/Kt1wNmrRhduyTQFhN3PP6fz
+nBr9vVny2FewB2gHmelaPS//tXdxivSXKz3NFqqXLDJjq7P8wA==
+-----END CERTIFICATE-----
+EOF
+ close(CERTFILE);
+
+ #KDC certificate
+ # hxtool request-create --subject="CN=krbtgt,cn=users,$basedn" --key=FILE:$KEYFILE $KDCREQ
+
+ # hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE --type="pkinit-kdc" --pk-init-principal="krbtgt/$RELAM@$REALM" --req="$KDCREQ" --certificate="FILE:$KDCCERTFILE"
+
+ open(KDCCERTFILE, ">$kdccertfile");
+ print KDCCERTFILE <<EOF;
+-----BEGIN CERTIFICATE-----
+MIIDDDCCAnWgAwIBAgIUDEhjaOT1ZjHjHHEn+l5eYO05oK8wCwYJKoZIhvcNAQEFMFIxEzAR
+BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
+LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDcwMTIzMDcwNzA4WhgPMjAwODAxMjQw
+NzA3MDhaMGYxEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
+MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExDjAMBgNVBAMMBXVzZXJzMQ8wDQYDVQQDDAZrcmJ0
+Z3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMqDqkDAIdQwDUN8cOZaFl934XQL70nF
+yq+nD2KL0SfcTW5+WlyiXf5L3/oj+5pOYkdmt74MXd1PNv9Q5mjRl6bw34jPOSCgaQVp+Ne5
+PcEvlQ9jb8fof6k+pUhEs6atYiZqLfn1jKgqEXKjftjoc95TxBxn67atL2B5qkhZ966jAgMB
+AAGjgcgwgcUwDgYDVR0PAQH/BAQDAgWgMBIGA1UdJQQLMAkGBysGAQUCAwUwVAYDVR0RBE0w
+S6BJBgYrBgEFAgKgPzA9oBMbEVNBTUJBLkVYQU1QTEUuQ09NoSYwJKADAgEBoR0wGxsGa3Ji
+dGd0GxFTQU1CQS5FWEFNUExFLkNPTTAfBgNVHSMEGDAWgBTC2bn3oAyi2bNFTshV2CtS+jPK
+MjAdBgNVHQ4EFgQUwtm596AMotmzRU7IVdgrUvozyjIwCQYDVR0TBAIwADANBgkqhkiG9w0B
+AQUFAAOBgQCMSgLkIv9RobE0a95H2ECA+5YABBwKXIt4AyN/HpV7iJdRx7B9PE6vM+nboVKY
+E7i7ECUc3bu6NgrLu7CKHelNclHWWMiZzSUwhkXyvG/LE9qtr/onNu9NfLt1OV+dwQwyLdEP
+n63FxSmsKg3dfi3ryQI/DIKeisvipwDtLqOn9g==
+-----END CERTIFICATE-----
+EOF
+
+ #hxtool request-create --subject="CN=Administrator,cn=users,$basedn" --key=FILE:$ADMINKEYFILE $ADMINREQFILE
+ #hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE --type="pkinit-client" --pk-init-principal="administrator@$REALM" --req="$ADMINREQFILE" --certificate="FILE:$ADMINCERTFILE"
+
+ open(ADMINCERTFILE, ">$admincertfile");
+ print ADMINCERTFILE <<EOF;
+-----BEGIN CERTIFICATE-----
+MIICwjCCAiugAwIBAgIUXyECoq4im33ByZDWZMGhtpvHYWEwCwYJKoZIhvcNAQEFMFIxEzAR
+BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
+LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDcwMTIzMDcyMzE2WhgPMjAwODAxMjQw
+NzIzMTZaMCgxDjAMBgNVBAMMBXVzZXJzMRYwFAYDVQQDDA1BZG1pbmlzdHJhdG9yMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0+OL7TQBj0RejbIH1+g5GeRaWaM9xF43uE5y7jUHE
+si5owhZF5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMFxB6esnXhl0Jpip1JkUMM
+XLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xdl3JRlwIDAQABo4G8MIG5
+MA4GA1UdDwEB/wQEAwIFoDASBgNVHSUECzAJBgcrBgEFAgMEMEgGA1UdEQRBMD+gPQYGKwYB
+BQICoDMwMaATGxFTQU1CQS5FWEFNUExFLkNPTaEaMBigAwIBAaERMA8bDWFkbWluaXN0cmF0
+b3IwHwYDVR0jBBgwFoAUwtm596AMotmzRU7IVdgrUvozyjIwHQYDVR0OBBYEFCDzVsvJ8IDz
+wLYH8EONeUa5oVrGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADgYEAbTCnaPTieVZPV3bH
+UmAMbnF9+YN1mCbe2xZJ0xzve+Yw1XO82iv/9kZaZkcRkaQt2qcwsBK/aSPOgfqGx+mJ7hXQ
+AGWvAJhnWi25PawNaRysCN8WC6+nWKR4d2O2m5rpj3T9kH5WE7QbG0bCu92dGaS29FvWDCP3
+q9pRtDOoAZc=
+-----END CERTIFICATE-----
+EOF
+ close(ADMINCERTFILE);
+}
+
sub provision($$$$$$)
{
my ($self, $prefix, $server_role, $netbiosname, $netbiosalias, $swiface, $password) = @_;
my $realm = "SAMBA.EXAMPLE.COM";
my $dnsname = "samba.example.com";
my $basedn = "dc=samba,dc=example,dc=com";
- my $root = ($ENV{USER} or $ENV{LOGNAME} or `whoami`);
+ my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `whoami`);
+ chomp $unix_name;
+ my $unix_uid = $>;
+ my $unix_gids_str = $);
+ my @unix_gids = split(" ", $unix_gids_str);
my $srcdir="$RealBin/..";
-d $prefix or mkdir($prefix, 0777) or die("Unable to create $prefix");
my $prefix_abs = abs_path($prefix);
my $ncalrpcdir = "$prefix_abs/ncalrpc";
my $lockdir = "$prefix_abs/lockdir";
my $winbindd_socket_dir = "$prefix_abs/winbind_socket";
+ my $winbindd_priv_pipe_dir = "$piddir/smbd.tmp/winbind_pipe";
+ my $nsswrap_passwd = "$etcdir/passwd";
+ my $nsswrap_group = "$etcdir/group";
my $configuration = "--configfile=$conffile";
my $ldapdir = "$privatedir/ldap";
$tmpdir);
- my $localdomain = $domain;
- $localdomain = $netbiosname if $server_role eq "member server";
- my $localrealm = $realm;
- $localrealm = $netbiosname if $server_role eq "member server";
my $localbasedn = $basedn;
$localbasedn = "DC=$netbiosname" if $server_role eq "member server";
ncalrpc dir = $ncalrpcdir
lock dir = $lockdir
setup directory = $self->{setupdir}
+ modules dir = $self->{bindir}/modules
js include = $srcdir/scripting/libjs
winbindd socket directory = $winbindd_socket_dir
winbind separator = /
";
close(CONFFILE);
- die ("Unable to create key blobs") if
- (system("TLSDIR=$tlsdir $RealBin/mk-keyblobs.sh") != 0);
+ $self->mk_keyblobs($tlsdir);
open(KRB5CONF, ">$krb5_config");
print KRB5CONF "
";
close(KRB5CONF);
+ open(PWD, ">$nsswrap_passwd");
+ print PWD "
+root:x:0:0:root gecos:$prefix_abs:/bin/false
+$unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
+nobody:x:65534:65533:nobody gecos:$prefix_abs:/bin/false
+";
+ close(PWD);
+
+ open(GRP, ">$nsswrap_group");
+ print GRP "
+root:x:0:
+wheel:x:10:
+users:x:100:
+nobody:x:65533:
+nogroup:x:65534:nobody
+";
+ close(GRP);
+
#Ensure the config file is valid before we start
if (system("$self->{bindir}/testparm $configuration -v --suppress-prompt >/dev/null 2>&1") != 0) {
system("$self->{bindir}/testparm -v --suppress-prompt $configuration >&2");
die("Failed to create a valid smb.conf configuration!");
}
- (system("($self->{bindir}/testparm $configuration -v --suppress-prompt --parameter-name=\"netbios name\" --section-name=global 2> /dev/null | grep -i \"^$netbiosname\" ) >/dev/null 2>&1") == 0) or die("Failed to create a valid smb.conf configuration!");
+ (system("($self->{bindir}/testparm $configuration -v --suppress-prompt --parameter-name=\"netbios name\" --section-name=global 2> /dev/null | grep -i \"^$netbiosname\" ) >/dev/null 2>&1") == 0) or die("Failed to create a valid smb.conf configuration! $self->{bindir}/testparm $configuration -v --suppress-prompt --parameter-name=\"netbios name\" --section-name=global");
-my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provision");
+ my @provision_options = ();
+ push (@provision_options, "NSS_WRAPPER_PASSWD=\"$nsswrap_passwd\"");
+ push (@provision_options, "NSS_WRAPPER_GROUP=\"$nsswrap_group\"");
+ if (defined($ENV{PROVISION_PYTHON})) {
+ push (@provision_options, "$self->{bindir}/smbpython");
+ push (@provision_options, "$self->{setupdir}/provision.py");
+ } else {
+ push (@provision_options, "$self->{bindir}/smbscript");
+ push (@provision_options, "$self->{setupdir}/provision");
+ }
push (@provision_options, split(' ', $configuration));
push (@provision_options, "--host-name=$netbiosname");
push (@provision_options, "--host-ip=$ifaceipv4");
push (@provision_options, "--quiet");
- push (@provision_options, "--domain=$localdomain");
- push (@provision_options, "--realm=$localrealm");
+ push (@provision_options, "--domain=$domain");
+ push (@provision_options, "--realm=$realm");
push (@provision_options, "--adminpass=$password");
push (@provision_options, "--krbtgtpass=krbtgt$password");
push (@provision_options, "--machinepass=machine$password");
- push (@provision_options, "--root=$root");
+ push (@provision_options, "--root=$unix_name");
push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
push (@provision_options, "--password=$password");
- push (@provision_options, "--root=$root");
+ push (@provision_options, "--server-role=\"$server_role\"");
my $ldap_uri= "$ldapdir/ldapi";
$ldap_uri =~ s|/|%2F|g;
PASSWORD => $password,
LDAPDIR => $ldapdir,
WINBINDD_SOCKET_DIR => $winbindd_socket_dir,
+ WINBINDD_PRIV_PIPE_DIR => $winbindd_priv_pipe_dir,
NCALRPCDIR => $ncalrpcdir,
+ LOCKDIR => $lockdir,
CONFIGURATION => $configuration,
- SOCKET_WRAPPER_DEFAULT_IFACE => $swiface
+ SOCKET_WRAPPER_DEFAULT_IFACE => $swiface,
+ NSS_WRAPPER_PASSWD => $nsswrap_passwd,
+ NSS_WRAPPER_GROUP => $nsswrap_group,
};
if (defined($self->{ldap})) {
push (@provision_options, "--ldap-backend=$ldap_uri");
- system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$localrealm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+ system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$unix_name --realm=$realm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
if ($self->{ldap} eq "openldap") {
($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");
} elsif ($self->{ldap} eq "fedora-ds") {
($ret->{FEDORA_DS_DIR}, $ret->{FEDORA_DS_PIDFILE}) = $self->mk_fedora_ds($ldapdir, $configuration) or die("Unable to create fedora ds directories");
push (@provision_options, "--ldap-module=nsuniqueid");
- push (@provision_options, "--aci=aci:: KHRhcmdldGF0dHIgPSAiKiIpICh2ZXJzaW9uIDMuMDthY2wgImZ1bGwgYWNjZXNzIHRvIGFsbCBieSBhbGwiO2FsbG93IChhbGwpKHVzZXJkbiA9ICJsZGFwOi8vL2FueW9uZSIpOykK");
+ push (@provision_options, "'--aci=aci:: KHRhcmdldGF0dHIgPSAiKiIpICh2ZXJzaW9uIDMuMDthY2wgImZ1bGwgYWNjZXNzIHRvIGFsbCBieSBhbGwiO2FsbG93IChhbGwpKHVzZXJkbiA9ICJsZGFwOi8vL2FueW9uZSIpOykK'");
}
$self->slapd_start($ret) or
die("couldn't start slapd");
}
- (system(@provision_options) == 0) or die("Unable to provision");
+ my $provision_cmd = join(" ", @provision_options);
+ (system($provision_cmd) == 0) or die("Unable to provision: \n$provision_cmd\n");
if (defined($self->{ldap})) {
$self->slapd_stop($ret) or
git.samba.org / samba.git / blobdiff