s4 - SID allocation using FDS DNA plugin
authorEndi S. Dewata <edewata@redhat.com>
Wed, 28 Oct 2009 20:28:31 +0000 (15:28 -0500)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 2 Nov 2009 05:36:54 +0000 (16:36 +1100)
selftest/target/Samba4.pm
source4/dsdb/samdb/ldb_modules/samldb.c
source4/param/loadparm.c
source4/param/param.h
source4/scripting/python/samba/provision.py
source4/setup/fedorads-dna.ldif [new file with mode: 0644]
source4/setup/fedorads-samba.ldif
source4/setup/fedorads.inf
source4/setup/provision.smb.conf.dc
source4/setup/provision.smb.conf.member
source4/setup/provision.smb.conf.standalone

index db2793e36bf2d6e7f0695f78bf90c1c59e10c28f..f1788491978e6af30495d4236da40db23bf4fb8e 100644 (file)
@@ -471,6 +471,7 @@ sub provision_raw_prepare($$$$$$$)
        $ctx->{realm} = "SAMBA.EXAMPLE.COM";
        $ctx->{dnsname} = "samba.example.com";
        $ctx->{basedn} = "dc=samba,dc=example,dc=com";
+       $ctx->{sid_generator} = "internal";
 
        my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `whoami`);
        chomp $unix_name;
@@ -578,7 +579,14 @@ sub provision_raw_step1($$)
 #We don't want to pass our self-tests if the PAC code is wrong
        gensec:require_pac = true
        log level = $ctx->{server_loglevel}
-       lanman auth = Yes
+       lanman auth = Yes";
+
+       if (defined($ctx->{sid_generator}) && $ctx->{sid_generator} ne "internal") {
+               print CONFFILE "
+       sid generator = $ctx->{sid_generator}";
+        }
+
+       print CONFFILE "
 
        # Begin extra options
        $ctx->{smb_conf_extra_options}
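Review bot: The closing brace of the new `if (defined($ctx->{sid_generator}) ...)` block is indented with spaces while every surrounding line uses tabs, and the new `if ($self->{ldap} eq "fedora-ds")` block in the third hunk of this file mixes spaces and tabs the same way; both should use the file's tab indentation. Splitting the multi-line string around the conditional keeps the emitted smb.conf byte-identical when the generator is `internal`, which is what the existing self-tests rely on, so the split itself is fine. provision_raw_step1 begins and ends outside this hunk.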
@@ -778,6 +786,10 @@ sub provision($$$$$$$)
                $ldap_uri =~ s|/|%2F|g;
                $ldap_uri = "ldapi://$ldap_uri";
                $ctx->{ldap_uri} = $ldap_uri;
+
+                if ($self->{ldap} eq "fedora-ds") {
+                       $ctx->{sid_generator} = "backend";
+               }
        }
 
        my $ret = $self->provision_raw_step1($ctx);
index 2a0bb2dfe668f3949f8c23220af76dae1d77b00b..0f314b241a117c0a6c30bdd56ec0df79a4164a2f 100644 (file)
@@ -37,6 +37,7 @@
 #include "librpc/gen_ndr/ndr_security.h"
 #include "../lib/util/util_ldb.h"
 #include "ldb_wrap.h"
+#include "param/param.h"
 
 struct samldb_ctx;
 
@@ -923,6 +924,8 @@ static int samldb_add_entry(struct samldb_ctx *ac)
 static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
 {
        struct ldb_context *ldb;
+       struct loadparm_context *lp_ctx;
+       enum sid_generator sid_generator;
        int ret;
 
        ldb = ldb_module_get_ctx(ac->module);
@@ -997,19 +1000,25 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
                if (ret != LDB_SUCCESS) return ret;
        }
 
-       /* check if we have a valid SID */
-       ac->sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
-       if ( ! ac->sid) {
-               ret = samldb_add_step(ac, samldb_new_sid);
-               if (ret != LDB_SUCCESS) return ret;
-       } else {
-               ret = samldb_add_step(ac, samldb_get_sid_domain);
+       lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
+                struct loadparm_context);
+
+       sid_generator = lp_sid_generator(lp_ctx);
+       if (sid_generator == SID_GENERATOR_INTERNAL) {
+               /* check if we have a valid SID */
+               ac->sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
+               if ( ! ac->sid) {
+                       ret = samldb_add_step(ac, samldb_new_sid);
+                       if (ret != LDB_SUCCESS) return ret;
+               } else {
+                       ret = samldb_add_step(ac, samldb_get_sid_domain);
+                       if (ret != LDB_SUCCESS) return ret;
+               }
+
+               ret = samldb_add_step(ac, samldb_notice_sid);
                if (ret != LDB_SUCCESS) return ret;
        }
 
-       ret = samldb_add_step(ac, samldb_notice_sid);
-       if (ret != LDB_SUCCESS) return ret;
-
        /* finally proceed with adding the entry */
        ret = samldb_add_step(ac, samldb_add_entry);
        if (ret != LDB_SUCCESS) return ret;
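Review bot: `lp_ctx` obtained via `talloc_get_type(ldb_get_opaque(ldb, "loadparm"), ...)` is handed to `lp_sid_generator()` with no NULL check, and `talloc_get_type` returns NULL when the opaque is absent or of another type, so a module stack loaded without a loadparm context would presumably crash inside the accessor. Add `if (lp_ctx == NULL) return LDB_ERR_OPERATIONS_ERROR;` before the `lp_sid_generator` call, ideally with an `ldb_set_errstring` naming the missing opaque. In the backend branch neither `samldb_get_sid_domain` nor `samldb_notice_sid` is queued, so a client-supplied objectSid on an add is no longer checked against the domain SID by this module; if that validation is intentionally delegated, say so with a comment such as `/* backend mode: objectSid is allocated and validated by the LDAP backend (DNA); samldb leaves it untouched */`, otherwise keep the `samldb_get_sid_domain` step for the case where a SID is supplied. samldb_fill_object begins in an earlier hunk and continues past this one.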
index 669e0d7d225b8335816f7906b20f9889b022acf6..f2e4ace122c2cc9fe0693e94bb95872bdeb169ab 100644 (file)
@@ -79,6 +79,7 @@ static bool defaults_saved = false;
 struct loadparm_global
 {
        enum server_role server_role;
+       enum sid_generator sid_generator;
 
        const char **smb_ports;
        char *ncalrpc_dir;
@@ -328,12 +329,18 @@ static const struct enum_list enum_server_role[] = {
        {-1, NULL}
 };
 
+static const struct enum_list enum_sid_generator[] = {
+       {SID_GENERATOR_INTERNAL, "internal"},
+       {SID_GENERATOR_BACKEND, "backend"},
+       {-1, NULL}
+};
 
 #define GLOBAL_VAR(name) offsetof(struct loadparm_global, name)
 #define LOCAL_VAR(name) offsetof(struct loadparm_service, name)
 
 static struct parm_struct parm_table[] = {
        {"server role", P_ENUM, P_GLOBAL, GLOBAL_VAR(server_role), NULL, enum_server_role},
+       {"sid generator", P_ENUM, P_GLOBAL, GLOBAL_VAR(sid_generator), NULL, enum_sid_generator},
 
        {"dos charset", P_STRING, P_GLOBAL, GLOBAL_VAR(dos_charset), NULL, NULL},
        {"unix charset", P_STRING, P_GLOBAL, GLOBAL_VAR(unix_charset), NULL, NULL},
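Review bot: The new `sid generator` parameter gets no explicit default here; it only reads as `internal` because `SID_GENERATOR_INTERNAL` is 0 in param.h and the globals struct is presumably zero-initialised. If the initialiser in this file sets defaults for the other enum parameters with `lp_do_global_parameter`, add `lp_do_global_parameter(lp_ctx, "sid generator", "internal");` next to the `server role` default so the behaviour does not hinge on the enum's numbering. A one-line comment on the table entry, e.g. `/* who allocates objectSid on add: samldb ("internal") or the LDAP backend ("backend") */`, would document the new option for readers of the table.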
@@ -612,6 +619,7 @@ static const char *lp_string(const char *s)
  int fn_name(struct loadparm_service *service, struct loadparm_service *sDefault) {return((service != NULL)? service->val : sDefault->val);}
 
 _PUBLIC_ FN_GLOBAL_INTEGER(lp_server_role, server_role)
+_PUBLIC_ FN_GLOBAL_INTEGER(lp_sid_generator, sid_generator)
 _PUBLIC_ FN_GLOBAL_LIST(lp_smb_ports, smb_ports)
 _PUBLIC_ FN_GLOBAL_INTEGER(lp_nbt_port, nbt_port)
 _PUBLIC_ FN_GLOBAL_INTEGER(lp_dgram_port, dgram_port)
index 0c8e73ecaa458f76d790db315aa85b16c9c20fe1..3ce5e93acf595175ecc7b4535a48bb2642b260c8 100644 (file)
@@ -51,6 +51,11 @@ enum server_role {
        ROLE_DOMAIN_CONTROLLER=2,
 };
 
+enum sid_generator {
+       SID_GENERATOR_INTERNAL=0,
+       SID_GENERATOR_BACKEND=1,
+};
+
 enum announce_as {/* Types of machine we can announce as. */
        ANNOUNCE_AS_NT_SERVER=1,
        ANNOUNCE_AS_WIN95=2,
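Review bot: The new `enum sid_generator` lacks a comment explaining what the two allocators are, unlike `enum announce_as` just below it, which carries one. Suggest `/* Who allocates objectSid for new entries: samldb itself, or the LDAP backend (e.g. the FDS DNA plugin). */` above the enum, plus a note that the smb.conf `sid generator` option maps onto these values through the enum table in loadparm.c.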
@@ -69,6 +74,7 @@ void reload_charcnv(struct loadparm_context *lp_ctx);
 struct loadparm_service *lp_default_service(struct loadparm_context *lp_ctx);
 struct parm_struct *lp_parm_table(void);
 int lp_server_role(struct loadparm_context *);
+int lp_sid_generator(struct loadparm_context *);
 const char **lp_smb_ports(struct loadparm_context *);
 int lp_nbt_port(struct loadparm_context *);
 int lp_dgram_port(struct loadparm_context *);
index 74d8562c9b36bcddd72bcf48ec4666a930c27744..6c00127bc66e0c2e533012480bd9938fbd2362cc 100644 (file)
@@ -144,6 +144,7 @@ class ProvisionPaths(object):
         self.fedoradsinf = None
         self.fedoradspartitions = None
         self.fedoradssasl = None
+        self.fedoradsdna = None
         self.fedoradspam = None
         self.fedoradsrefint = None
         self.fedoradslinkedattributes = None
@@ -394,8 +395,10 @@ def provision_paths_from_lp(lp, dnsdomain):
                                             "fedorads-partitions.ldif")
     paths.fedoradssasl = os.path.join(paths.ldapdir, 
                                       "fedorads-sasl.ldif")
+    paths.fedoradsdna = os.path.join(paths.ldapdir, 
+                                     "fedorads-dna.ldif")
     paths.fedoradspam = os.path.join(paths.ldapdir,
-                                      "fedorads-pam.ldif")
+                                     "fedorads-pam.ldif")
     paths.fedoradsrefint = os.path.join(paths.ldapdir,
                                         "fedorads-refint.ldif")
     paths.fedoradslinkedattributes = os.path.join(paths.ldapdir,
@@ -517,7 +520,7 @@ def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
     
 
 def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole, 
-                 targetdir):
+                 targetdir, sid_generator):
     """Create a new smb.conf file based on a couple of basic settings.
     """
     assert smbconf is not None
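Review bot: `sid_generator` is added as a required positional parameter even though the body treats `None` as `internal` in the next hunk, so any caller of `make_smbconf` not updated in this commit now raises a TypeError; give it a default, `targetdir, sid_generator=None):`, and keep the `None` to `internal` fallback. The value is later interpolated into smb.conf unchecked, while loadparm.c only accepts `internal` and `backend`, so a bad string would only surface when smbd loads the file; a fail-fast check such as `if sid_generator not in ("internal", "backend"): raise ValueError("unknown sid generator: %r" % sid_generator)` in the hunk that builds `sid_generator_line` would localise the error. The docstring should also describe the new parameter and its accepted values.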
@@ -536,6 +539,9 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
     elif serverrole == "standalone":
         smbconfsuffix = "standalone"
 
+    if sid_generator is None:
+        sid_generator = "internal"
+
     assert domain is not None
     domain = domain.upper()
 
@@ -556,6 +562,11 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
         privatedir_line = ""
         lockdir_line = ""
 
+    if sid_generator == "internal":
+        sid_generator_line = ""
+    else:
+        sid_generator_line = "sid generator = " + sid_generator
+
     sysvol = os.path.join(default_lp.get("lock dir"), "sysvol")
     netlogon = os.path.join(sysvol, realm.lower(), "scripts")
 
@@ -567,6 +578,7 @@ def make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole,
             "SERVERROLE": serverrole,
             "NETLOGONPATH": netlogon,
             "SYSVOLPATH": sysvol,
+            "SIDGENERATOR_LINE": sid_generator_line,
             "PRIVATEDIR_LINE": privatedir_line,
             "LOCKDIR_LINE": lockdir_line
             })
@@ -1248,6 +1260,9 @@ def provision(setup_dir, message, session_info,
         #Make a new, random password between Samba and it's LDAP server
         ldapadminpass=glue.generate_random_str(12)        
 
+    sid_generator = "internal"
+    if ldap_backend_type == "fedora-ds":
+        sid_generator = "backend"
 
     root_uid = findnss_uid([root or "root"])
     nobody_uid = findnss_uid([nobody or "nobody"])
@@ -1267,7 +1282,7 @@ def provision(setup_dir, message, session_info,
     # only install a new smb.conf if there isn't one there already
     if not os.path.exists(smbconf):
         make_smbconf(smbconf, setup_path, hostname, domain, realm, serverrole, 
-                     targetdir)
+                     targetdir, sid_generator)
 
     lp = param.LoadParm()
     lp.load(smbconf)
@@ -1322,7 +1337,8 @@ def provision(setup_dir, message, session_info,
                                              ol_mmr_urls=ol_mmr_urls, 
                                              slapd_path=slapd_path,
                                              setup_ds_path=setup_ds_path,
-                                             ldap_dryrun_mode=ldap_dryrun_mode)
+                                             ldap_dryrun_mode=ldap_dryrun_mode,
+                                             domainsid=domainsid)
 
         # Now use the backend credentials to access the databases
         credentials = provision_backend.credentials
@@ -1579,7 +1595,8 @@ class ProvisionBackend(object):
                  ldap_backend_type=None, ldap_backend_extra_port=None,
                  ol_mmr_urls=None, 
                  setup_ds_path=None, slapd_path=None, 
-                 nosync=False, ldap_dryrun_mode=False):
+                 nosync=False, ldap_dryrun_mode=False,
+                 domainsid=None):
         """Provision an LDAP backend for samba4
         
         This works for OpenLDAP and Fedora DS
@@ -1670,7 +1687,8 @@ class ProvisionBackend(object):
                                   setup_ds_path=setup_ds_path,
                                   slapd_path=slapd_path,
                                   nosync=nosync,
-                                  ldap_dryrun_mode=ldap_dryrun_mode)
+                                  ldap_dryrun_mode=ldap_dryrun_mode,
+                                  domainsid=domainsid)
             
         elif ldap_backend_type == "openldap":
             provision_openldap_backend(self, paths=paths, setup_path=setup_path,
@@ -1947,7 +1965,8 @@ def provision_fds_backend(result, paths=None, setup_path=None, names=None,
                           setup_ds_path=None,
                           slapd_path=None,
                           nosync=False, 
-                          ldap_dryrun_mode=False):
+                          ldap_dryrun_mode=False,
+                          domainsid=None):
 
     if ldap_backend_extra_port is not None:
         serverport = "ServerPort=%d" % ldap_backend_extra_port
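Review bot: `domainsid` defaults to `None` here but the next hunk writes `str(domainsid)` into `fedorads-dna.ldif`, so a caller that omits it silently provisions a DNA prefix of `None-`, which the plugin would then presumably prepend to every SID it allocates. Either make the parameter required or guard it, `if domainsid is None: raise ValueError("domainsid is required for the fedora-ds backend")`, before the `setup_file` call that renders the DNA ldif. The same `None` default is added on `ProvisionBackend.__init__` two hunks up, where it is only acceptable because the openldap path does not use it. provision_fds_backend's body continues past this hunk.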
@@ -1974,6 +1993,12 @@ def provision_fds_backend(result, paths=None, setup_path=None, names=None,
                {"SAMBADN": names.sambadn,
                 })
 
+    setup_file(setup_path("fedorads-dna.ldif"), paths.fedoradsdna, 
+               {"DOMAINDN": names.domaindn,
+                "SAMBADN": names.sambadn,
+                "DOMAINSID": str(domainsid),
+                })
+
     setup_file(setup_path("fedorads-pam.ldif"), paths.fedoradspam)
 
     lnkattr = get_linked_attributes(names.schemadn,schema.ldb)
diff --git a/source4/setup/fedorads-dna.ldif b/source4/setup/fedorads-dna.ldif
new file mode 100644 (file)
index 0000000..f9785f3
--- /dev/null
@@ -0,0 +1,18 @@
+dn: cn=Samba SIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+cn: Samba SIDs
+dnaType: sambaSID
+dnaMaxValue: 10000
+dnaMagicRegen: 0
+dnaFilter: (|(objectClass=user)(objectClass=group))
+dnaScope: ${DOMAINDN}
+dnaNextValue: 1000
+dnaSharedCfgDn: cn=Samba SIDs,ou=Ranges,${SAMBADN}
+dnaPrefix: ${DOMAINSID}-
+
+dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+changetype: modify
+replace: nsslapd-pluginEnabled
+nsslapd-pluginEnabled: on
+-
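Review bot: `dnaNextValue: 1000` and `dnaMaxValue: 10000` hard-code the RID range the plugin may hand out, and nothing in the commit documents that or makes it tunable; presumably allocations fail once the range is exhausted, which for a domain is a hard cap of roughly 9000 SID-bearing objects. Add a comment above the entry, e.g. `# RID range handed out by DNA for objectSid; raise dnaMaxValue (or add a range) before the domain outgrows it`, or turn the bounds into provision substitutions in the same way as `${DOMAINSID}`. `dnaFilter` covers only `user` and `group`, so any other class that samldb expects to carry an objectSid would be left without one in backend mode; worth confirming against samldb's handling.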
index cc0faf29edbf5198fbe83f72fa74c3539dd9b5c4..2bcf35b9e5d2bc37e20ca8a5a87572d97ca3ab09 100644 (file)
@@ -9,3 +9,13 @@ objectClass: person
 cn: samba-admin
 sn: samba-admin
 userPassword: {CLEAR}${LDAPADMINPASS}
+
+dn: ou=Ranges,${SAMBADN}
+objectClass: top
+objectClass: organizationalUnit
+ou: Ranges
+
+dn: cn=Samba SIDs,ou=Ranges,${SAMBADN}
+objectClass: top
+objectClass: nsContainer
+cn: Samba SIDs
index 9653f50325bf98a4fef2985ba6e4bd82b1ba941e..e93913c70fa09800db98d8a10c1d8a26174bcdde 100644 (file)
@@ -33,6 +33,7 @@ SchemaFile=/etc/dirsrv/schema/06inetorgperson.ldif
 SchemaFile=/usr/share/dirsrv/data/60samba3.ldif
 ConfigFile = ${LDAPDIR}/fedorads-partitions.ldif
 ConfigFile = ${LDAPDIR}/fedorads-sasl.ldif
+ConfigFile = ${LDAPDIR}/fedorads-dna.ldif
 ConfigFile = ${LDAPDIR}/fedorads-pam.ldif
 ConfigFile = ${LDAPDIR}/fedorads-refint.ldif
 ConfigFile = ${LDAPDIR}/fedorads-linked-attributes.ldif
index f489f59ff9dd4540927e105f8b5c83776c38cd6b..a8e98ba4bc9bce9285863f44d0e722de54942f2c 100644 (file)
@@ -3,6 +3,7 @@
        workgroup       = ${DOMAIN}
        realm           = ${REALM}
        server role     = ${SERVERROLE}
+       ${SIDGENERATOR_LINE}
        ${PRIVATEDIR_LINE}
        ${LOCKDIR_LINE}
 
index 96e5d0c2e5a41183437facd9c8f1ff4cfc3eeb0b..8241fc28f1cf92df9ead85a4f5ae8ce20e989512 100644 (file)
@@ -3,5 +3,6 @@
        workgroup       = ${DOMAIN}
        realm           = ${REALM}
        server role     = ${SERVERROLE}
+       ${SIDGENERATOR_LINE}
        ${PRIVATEDIR_LINE}
        ${LOCKDIR_LINE}
index 96e5d0c2e5a41183437facd9c8f1ff4cfc3eeb0b..8241fc28f1cf92df9ead85a4f5ae8ce20e989512 100644 (file)
@@ -3,5 +3,6 @@
        workgroup       = ${DOMAIN}
        realm           = ${REALM}
        server role     = ${SERVERROLE}
+       ${SIDGENERATOR_LINE}
        ${PRIVATEDIR_LINE}
        ${LOCKDIR_LINE}