r25299: Modify the provision script to take an additional argument: --server-role
authorAndrew Bartlett <abartlet@samba.org>
Sat, 22 Sep 2007 12:57:17 +0000 (12:57 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 20:07:09 +0000 (15:07 -0500)
This must be set to either 'domain controller', 'domain member' or 'standalone'.

The default for the provision now changes to 'standalone'.

This is not because Samba4 is particularly useful in that mode, but
because we still want a positive sign from the administrator that we
should advertise as a DC.

We now do more to ensure the 'standalone' and 'member server'
provision output is reasonable, and try not to set odd things into the
database that only belong for the DC.

Andrew Bartlett
(This used to be commit 4cc4ed7719aff712e735628410bd3813c7d6aa40)

12 files changed:
source4/ldap_server/ldap_server.c
source4/scripting/libjs/provision.js
source4/selftest/env/Samba4.pm
source4/setup/named.conf
source4/setup/provision
source4/setup/provision.smb.conf.dc [moved from source4/setup/provision.smb.conf with 61% similarity]
source4/setup/provision.smb.conf.member [new file with mode: 0644]
source4/setup/provision.smb.conf.standlone [new file with mode: 0644]
source4/setup/provision_self_join.ldif
source4/setup/provision_users.ldif
source4/setup/secrets.ldif
source4/setup/secrets_dc.ldif [new file with mode: 0644]

index a6753d46fa737cdc9407cecf67da5d1139430814..f2ffc401cbfc8251af21b0bcb9fa971ba5ef8011 100644 (file)
@@ -513,6 +513,18 @@ static void ldapsrv_task_init(struct task_server *task)
        NTSTATUS status;
        const struct model_ops *model_ops;
 
        NTSTATUS status;
        const struct model_ops *model_ops;
 
+       switch (lp_server_role()) {
+       case ROLE_STANDALONE:
+               task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration");
+               return;
+       case ROLE_DOMAIN_MEMBER:
+               task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration");
+               return;
+       case ROLE_DOMAIN_CONTROLLER:
+               /* Yes, we want an LDAP server */
+               break;
+       }
+
        task_server_set_title(task, "task[ldapsrv]");
 
        /* run the ldap server as a single process */
        task_server_set_title(task, "task[ldapsrv]");
 
        /* run the ldap server as a single process */
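Review bot: The new `switch (lp_server_role())` has no `default:` case, so if lp_server_role() ever returns a value outside the three listed roles, control falls out of the switch and the LDAP server is started anyway. The intent is to serve LDAP only on a domain controller, so the switch should fail closed: add `default: task_server_terminate(task, "ldap_server: unknown server role"); return;`. A missing `default:` also hides the compiler's help if a role is added to the enum later. ldapsrv_task_init's body starts and ends outside the hunk.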
index d6d4909499a24aa795851a9b2d0f2d13f1bef4b8..502583507b2e88640a3c6747e27372fd1f66eda6 100644 (file)
@@ -489,6 +489,17 @@ function provision_fix_subobj(subobj, paths)
        subobj.NETLOGONPATH = paths.netlogon;
        subobj.SYSVOLPATH = paths.sysvol;
 
        subobj.NETLOGONPATH = paths.netlogon;
        subobj.SYSVOLPATH = paths.sysvol;
 
+       if (subobj.DOMAIN_CONF == undefined) {
+               subobj.DOMAIN_CONF = subobj.DOMAIN;
+       }
+       if (subobj.REALM_CONF == undefined) {
+               subobj.REALM_CONF = subobj.REALM;
+       }
+       if (subobj.SERVERROLE != "domain controller") {
+               subobj.REALM = subobj.HOSTNAME;
+               subobj.DOMAIN = subobj.HOSTNAME;
+       }
+
        return true;
 }
 
        return true;
 }
 
@@ -536,6 +547,8 @@ function provision_become_dc(subobj, message, erase, paths, session_info)
 
        setup_ldb("secrets.ldif", info, paths.secrets, false);
 
 
        setup_ldb("secrets.ldif", info, paths.secrets, false);
 
+       setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
        return true;
 }
 
        return true;
 }
 
@@ -571,8 +584,16 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
        /* only install a new smb.conf if there isn't one there already */
        var st = sys.stat(paths.smbconf);
        if (st == undefined) {
        /* only install a new smb.conf if there isn't one there already */
        var st = sys.stat(paths.smbconf);
        if (st == undefined) {
+               var smbconfsuffix;
+               if (subobj.ROLE == "domain controller") {
+                       smbconfsuffix = "dc";
+               } else if (subobj.ROLE == "member server") {
+                       smbconfsuffix = "member";
+               } else {
+                       smbconfsuffix = subobj.ROLE;
+               }
                message("Setting up " + paths.smbconf +"\n");
                message("Setting up " + paths.smbconf +"\n");
-               setup_file("provision.smb.conf", info.message, paths.smbconf, subobj);
+               setup_file("provision.smb.conf." + smbconfsuffix, info.message, paths.smbconf, subobj);
                lp.reload();
        }
        /* only install a new shares config db if there is none */
                lp.reload();
        }
        /* only install a new shares config db if there is none */
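Review bot: The template suffix is chosen from `subobj.ROLE`, but every other hunk in this file stores and reads the role as `subobj.SERVERROLE`, so unless ROLE is set somewhere outside this view the final `else` yields `provision.smb.conf.undefined`. Even with the right field, a 'standalone' role resolves to `provision.smb.conf.standalone`, while the template added by this commit is named `provision.smb.conf.standlone`; the file should be renamed to match. Taking the suffix straight from the role string also lets any role value select the template path, so I would map the known roles explicitly and reject anything else. The sketch assumes provision() reports failure by returning false, as the other functions on this page do. provision()'s body starts and ends outside the hunk.

```javascript
		var smbconfsuffix;
		if (subobj.SERVERROLE == "domain controller") {
			smbconfsuffix = "dc";
		} else if (subobj.SERVERROLE == "member server") {
			smbconfsuffix = "member";
		} else if (subobj.SERVERROLE == "standalone") {
			/* requires the template to be named provision.smb.conf.standalone */
			smbconfsuffix = "standalone";
		} else {
			message("Unknown server role '" + subobj.SERVERROLE + "'\n");
			return false;
		}
		// … unchanged: message() and setup_file() call …
```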
@@ -724,7 +745,7 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
        message("Setting up sam.ldb users and groups\n");
        setup_add_ldif("provision_users.ldif", info, samdb, false);
 
        message("Setting up sam.ldb users and groups\n");
        setup_add_ldif("provision_users.ldif", info, samdb, false);
 
-       if (lp.get("server role") == "domain controller") {
+       if (subobj.SERVERROLE == "domain controller") {
                message("Setting up self join\n");
                setup_add_ldif("provision_self_join.ldif", info, samdb, false);
                setup_add_ldif("provision_group_policy.ldif", info, samdb, false);
                message("Setting up self join\n");
                setup_add_ldif("provision_self_join.ldif", info, samdb, false);
                setup_add_ldif("provision_group_policy.ldif", info, samdb, false);
@@ -737,6 +758,9 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
                sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/User", 0755);
 
                sys.mkdir(paths.netlogon, 0755);
                sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/User", 0755);
 
                sys.mkdir(paths.netlogon, 0755);
+
+               setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
        }
 
        if (setup_name_mappings(info, samdb) == false) {
        }
 
        if (setup_name_mappings(info, samdb) == false) {
@@ -809,8 +833,8 @@ function provision_schema(subobj, message, tmp_schema_path, paths)
 function provision_dns(subobj, message, paths, session_info, credentials)
 {
        var lp = loadparm_init();
 function provision_dns(subobj, message, paths, session_info, credentials)
 {
        var lp = loadparm_init();
-       if (lp.get("server role") != "domain controller") {
-               message("No DNS zone required for role %s\n", lp.get("server role"));
+       if (subobj.SERVERROLE != "domain controller") {
+               message("No DNS zone required for role %s\n", subobj.SERVERROLE);
                return;
        }
        message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n");
                return;
        }
        message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n");
@@ -886,6 +910,7 @@ function provision_guess()
        var rdn_list;
        random_init(local);
 
        var rdn_list;
        random_init(local);
 
+       subobj.SERVERROLE   = strlower(lp.get("server role"));
        subobj.REALM        = strupper(lp.get("realm"));
        subobj.DOMAIN       = lp.get("workgroup");
        subobj.HOSTNAME     = hostname();
        subobj.REALM        = strupper(lp.get("realm"));
        subobj.DOMAIN       = lp.get("workgroup");
        subobj.HOSTNAME     = hostname();
@@ -1100,15 +1125,21 @@ function provision_validate(subobj, message)
        }
 
 
        }
 
 
-       if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN)) {
+       if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN_CONF)) {
                message("workgroup '%s' in smb.conf must match chosen domain '%s'\n",
                message("workgroup '%s' in smb.conf must match chosen domain '%s'\n",
-                       lp.get("workgroup"), subobj.DOMAIN);
+                       lp.get("workgroup"), subobj.DOMAIN_CONF);
                return false;
        }
 
                return false;
        }
 
-       if (strupper(lp.get("realm")) != strupper(subobj.REALM)) {
+       if (strupper(lp.get("realm")) != strupper(subobj.REALM_CONF)) {
                message("realm '%s' in smb.conf must match chosen realm '%s'\n",
                message("realm '%s' in smb.conf must match chosen realm '%s'\n",
-                       lp.get("realm"), subobj.REALM);
+                       lp.get("realm"), subobj.REALM_CONF);
+               return false;
+       }
+
+       if (strupper(lp.get("server role")) != strupper(subobj.SERVERROLE)) {
+               message("server role '%s' in smb.conf must match chosen role '%s'\n",
+                       lp.get("server role"), subobj.SERVERROLE);
                return false;
        }
 
                return false;
        }
 
index c8d2ccc94b8e4105e7937e9886a5e23b7dd41473..0cd9c2e2bec746221bde3379c888ac48944ceb9d 100644 (file)
@@ -297,10 +297,6 @@ sub provision($$$$$$)
                $tmpdir);
 
 
                $tmpdir);
 
 
-       my $localdomain = $domain;
-       $localdomain = $netbiosname if $server_role eq "member server";
-       my $localrealm = $realm;
-       $localrealm = $netbiosname if $server_role eq "member server";
        my $localbasedn = $basedn;
        $localbasedn = "DC=$netbiosname" if $server_role eq "member server";
 
        my $localbasedn = $basedn;
        $localbasedn = "DC=$netbiosname" if $server_role eq "member server";
 
@@ -416,9 +412,9 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
        push (@provision_options, split(' ', $configuration));
        push (@provision_options, "--host-name=$netbiosname");
        push (@provision_options, "--host-ip=$ifaceipv4");
        push (@provision_options, split(' ', $configuration));
        push (@provision_options, "--host-name=$netbiosname");
        push (@provision_options, "--host-ip=$ifaceipv4");
-       push (@provision_options, "--quiet");
-       push (@provision_options, "--domain=$localdomain");
-       push (@provision_options, "--realm=$localrealm");
+#      push (@provision_options, "--quiet");
+       push (@provision_options, "--domain=$domain");
+       push (@provision_options, "--realm=$realm");
        push (@provision_options, "--adminpass=$password");
        push (@provision_options, "--krbtgtpass=krbtgt$password");
        push (@provision_options, "--machinepass=machine$password");
        push (@provision_options, "--adminpass=$password");
        push (@provision_options, "--krbtgtpass=krbtgt$password");
        push (@provision_options, "--machinepass=machine$password");
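Review bot: `--quiet` is commented out rather than removed, and the commit message does not mention it, so this looks like a debugging leftover. Either restore the line or delete it and say why in the description. If the extra output is wanted, note that the same option list passes `--adminpass`, `--krbtgtpass` and `--machinepass`, so it is worth checking that the now-verbose provision output does not echo those values into the selftest logs; whether it does is not visible here.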
@@ -426,6 +422,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
        push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
        push (@provision_options, "--password=$password");
        push (@provision_options, "--root=$root");
        push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
        push (@provision_options, "--password=$password");
        push (@provision_options, "--root=$root");
+       push (@provision_options, "--server-role=$server_role");
 
        my $ldap_uri= "$ldapdir/ldapi";
        $ldap_uri =~ s|/|%2F|g;
 
        my $ldap_uri= "$ldapdir/ldapi";
        $ldap_uri =~ s|/|%2F|g;
@@ -454,7 +451,7 @@ my @provision_options = ("$self->{bindir}/smbscript", "$self->{setupdir}/provisi
        if (defined($self->{ldap})) {
 
                 push (@provision_options, "--ldap-backend=$ldap_uri");
        if (defined($self->{ldap})) {
 
                 push (@provision_options, "--ldap-backend=$ldap_uri");
-               system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$localrealm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+               system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$realm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
 
                if ($self->{ldap} eq "openldap") {
                       ($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");
 
                if ($self->{ldap} eq "openldap") {
                       ($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");
index bb9f421db07551bb7b7fe939c19687fc4091f53d..025788093ef6cf5b6d342a121310ab522a1fb3b3 100644 (file)
@@ -3,11 +3,12 @@
 # the BIND nameserver.
 #
 
 # the BIND nameserver.
 #
 
-#insert this into options {}
+# If you have a very recent BIND, supporting GSS-TSIG, 
+# insert this into options {}  (otherwise omit, it is not required if we don't accept updates)
 tkey-gssapi-credential "DNS/${DNSDOMAIN}";
 tkey-domain "${REALM}";
 
 tkey-gssapi-credential "DNS/${DNSDOMAIN}";
 tkey-domain "${REALM}";
 
-#the zone file
+# You should always include the actual zone configuration reference:
 zone "${DNSDOMAIN}." IN {
         type master;
         file "${DNSDOMAIN}.zone";
 zone "${DNSDOMAIN}." IN {
         type master;
         file "${DNSDOMAIN}.zone";
index f6b9cde188b60d7ec429f91b691f18e7bd3f0551..b8f955dcf4a70f9b19124a07e9b88714f692c803 100755 (executable)
@@ -32,6 +32,7 @@ options = GetOptions(ARGV,
                'users=s',
                'quiet',
                'blank',
                'users=s',
                'quiet',
                'blank',
+               'server-role=s',
                'partitions-only',
                'ldap-base',
                'ldap-backend=s',
                'partitions-only',
                'ldap-base',
                'ldap-backend=s',
@@ -84,6 +85,7 @@ provision [options]
  --users       GROUPNAME       choose 'users' group
  --quiet                       Be quiet
  --blank                       do not add users or groups, just the structure
  --users       GROUPNAME       choose 'users' group
  --quiet                       Be quiet
  --blank                       do not add users or groups, just the structure
+ --server-role  ROLE            Set server role to provision for (default standalone)
  --partitions-only              Configure Samba's partitions, but do not modify them (ie, join a BDC)
  --ldap-base                   output only an LDIF file, suitable for creating an LDAP baseDN
  --ldap-backend LDAPSERVER      LDAP server to use for this provision
  --partitions-only              Configure Samba's partitions, but do not modify them (ie, join a BDC)
  --ldap-base                   output only an LDIF file, suitable for creating an LDAP baseDN
  --ldap-backend LDAPSERVER      LDAP server to use for this provision
@@ -112,6 +114,7 @@ if (options["realm"] == undefined ||
 var lp = loadparm_init();
 lp.set("realm", options.realm);
 lp.set("workgroup", options.domain);
 var lp = loadparm_init();
 lp.set("realm", options.realm);
 lp.set("workgroup", options.domain);
+lp.set("server role", options["server-role"]);
 lp.reload();
 
 var subobj = provision_guess();
 lp.reload();
 
 var subobj = provision_guess();
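Review bot: `options["server-role"]` is handed to `lp.set("server role", ...)` unchecked, although the commit message says it must be one of three values and the usage text promises a default of standalone. When the option is omitted the value is undefined at this point, and nothing visible in this hunk supplies the default. A misspelt role is caught only later, if at all. Apply the default and validate before the `lp.set` calls, e.g. `if (options["server-role"] == undefined) { options["server-role"] = "standalone"; }`, then check against the allowed names and print the usage and exit on a mismatch.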
similarity index 61%
rename from source4/setup/provision.smb.conf
rename to source4/setup/provision.smb.conf.dc
index fe08d7e3be2bd20861351e78a25ca57d17daef2a..5b8e141cbf213776da7049b6612ea4dc2bb3d3a4 100644 (file)
@@ -1,8 +1,8 @@
 [globals]
        netbios name    = ${HOSTNAME}
 [globals]
        netbios name    = ${HOSTNAME}
-       workgroup       = ${DOMAIN}
-       realm           = ${REALM}
-       server role     = domain controller
+       workgroup       = ${DOMAIN_CONF}
+       realm           = ${REALM_CONF}
+       server role     = ${SERVERROLE}
 
 [netlogon]
        path = ${NETLOGONPATH}
 
 [netlogon]
        path = ${NETLOGONPATH}
diff --git a/source4/setup/provision.smb.conf.member b/source4/setup/provision.smb.conf.member
new file mode 100644 (file)
index 0000000..bc37d4f
--- /dev/null
@@ -0,0 +1,5 @@
+[globals]
+       netbios name    = ${HOSTNAME}
+       workgroup       = ${DOMAIN_CONF}
+       realm           = ${REALM_CONF}
+       server role     = ${SERVERROLE}
diff --git a/source4/setup/provision.smb.conf.standlone b/source4/setup/provision.smb.conf.standlone
new file mode 100644 (file)
index 0000000..bc37d4f
--- /dev/null
@@ -0,0 +1,5 @@
+[globals]
+       netbios name    = ${HOSTNAME}
+       workgroup       = ${DOMAIN_CONF}
+       realm           = ${REALM_CONF}
+       server role     = ${SERVERROLE}
index ff44a35f6d6e75120d78b0e89dda2e9872e65900..dca7b7c93e6c0e5eb06b5139ffa805471c54402a 100644 (file)
@@ -21,3 +21,21 @@ servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
 servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
 servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
 ${HOSTGUID_ADD}
 servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
 servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
 ${HOSTGUID_ADD}
+
+#Provide a account for DNS keytab export
+dn: CN=dns,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: dns
+description: DNS Service Account
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+accountExpires: 9223372036854775807
+sAMAccountName: dns
+sAMAccountType: 805306368
+servicePrincipalName: DNS/${DNSDOMAIN}
+isCriticalSystemObject: TRUE
+sambaPassword:: ${DNSPASS_B64}
+
index f6fbb0bd528843ad189797116132832f8cb54437..030fe5d7425ad2a0bd6b7a72cf5d455e8e64eba1 100644 (file)
@@ -205,22 +205,6 @@ servicePrincipalName: kadmin/changepw
 isCriticalSystemObject: TRUE
 sambaPassword:: ${KRBTGTPASS_B64}
 
 isCriticalSystemObject: TRUE
 sambaPassword:: ${KRBTGTPASS_B64}
 
-dn: CN=dns,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: dns
-description: DNS Service Account
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-accountExpires: 9223372036854775807
-sAMAccountName: dns
-sAMAccountType: 805306368
-servicePrincipalName: DNS/${DNSDOMAIN}
-isCriticalSystemObject: TRUE
-sambaPassword:: ${DNSPASS_B64}
-
 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
index 80015b4b411bdaa2fdaf4e983711f0d4b9847c82..95cbe20e5f59b78e1c7db0c5ef1c1b1eadad3317 100644 (file)
@@ -8,47 +8,3 @@ objectClass: top
 objectClass: container
 cn: Primary Domains
 
 objectClass: container
 cn: Primary Domains
 
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-msDS-KeyVersionNumber: 1
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-sAMAccountName: krbtgt
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-objectSid: ${DOMAINSID}
-servicePrincipalName: kadmin/changepw
-krb5Keytab: HDB:ldb:${SAM_LDB}:
-#The trailing : here is a HACK, but it matches the Heimdal format. 
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-realm: ${REALM}
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-servicePrincipalName: DNS/${DNSDOMAIN}
-privateKeytab: ${DNS_KEYTAB}
-secret:: ${DNSPASS_B64}
-
diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif
new file mode 100644 (file)
index 0000000..6446935
--- /dev/null
@@ -0,0 +1,44 @@
+dn: flatname=${DOMAIN},CN=Primary Domains
+objectClass: top
+objectClass: primaryDomain
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+secret:: ${MACHINEPASS_B64}
+secureChannelType: 6
+sAMAccountName: ${NETBIOSNAME}$
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+msDS-KeyVersionNumber: 1
+objectSid: ${DOMAINSID}
+privateKeytab: ${SECRETS_KEYTAB}
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+sAMAccountName: krbtgt
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+objectSid: ${DOMAINSID}
+servicePrincipalName: kadmin/changepw
+krb5Keytab: HDB:ldb:${SAM_LDB}:
+#The trailing : here is a HACK, but it matches the Heimdal format. 
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+realm: ${REALM}
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+servicePrincipalName: DNS/${DNSDOMAIN}
+privateKeytab: ${DNS_KEYTAB}
+secret:: ${DNSPASS_B64}
+
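Review bot: This new file has no header saying what it is for, although it carries the machine account secret, the krbtgt HDB hook and the DNS keytab secret. A first line such as `# Secrets and keytab hooks needed only on a domain controller; loaded into the secrets database by provision() and provision_become_dc()` would tell the next reader why these entries were split out of secrets.ldif. It is also worth confirming that the database at `paths.secrets` is created with owner-only permissions, which this page does not show.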