Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
authorAndrew Bartlett <abartlet@samba.org>
Tue, 15 Jul 2008 10:27:43 +0000 (20:27 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 15 Jul 2008 10:27:43 +0000 (20:27 +1000)
(This used to be commit 7fb8179f214bbba95eb35d221cb9892b55afe121)

18 files changed:
source4/auth/credentials/credentials_files.c
source4/auth/ntlmssp/ntlmssp_client.c
source4/dsdb/samdb/samdb.c
source4/ldap_server/ldap_backend.c
source4/libcli/ldap/ldap_bind.c
source4/libcli/ldap/ldap_client.c
source4/libnet/libnet_samsync_ldb.c
source4/param/secrets.h
source4/scripting/python/samba/provision.py
source4/selftest/target/Samba4.pm
source4/setup/cn=samba-admin.ldif [new file with mode: 0644]
source4/setup/cn=samba.ldif [new file with mode: 0644]
source4/setup/provision
source4/setup/provision-backend
source4/setup/secrets_init.ldif
source4/setup/secrets_sasl_ldap.ldif [new file with mode: 0644]
source4/setup/secrets_simple_ldap.ldif [new file with mode: 0644]
source4/setup/slapd.conf

index 05b0bf56a8edd88698cc26553cde64b80e0507c9..6c3bb2531eaef6715557e0856bd7933b2226a9ef 100644 (file)
@@ -194,6 +194,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
                "privateKeytab",
                "krb5Keytab",
                "servicePrincipalName",
+               "ldapBindDn",
                NULL
        };
        
@@ -221,6 +222,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
                        /* set anonymous as the fallback, if the machine account won't work */
                        cli_credentials_set_anonymous(cred);
                        DEBUG(1, ("Could not open secrets.ldb\n"));
+                       talloc_free(mem_ctx);
                        return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
                }
        }
@@ -231,14 +233,14 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
                               &msgs, attrs,
                               "%s", filter);
        if (ldb_ret == 0) {
-               DEBUG(1, ("Could not find entry to match filter: '%s' base: '%s'\n",
+               DEBUG(5, ("(normal if no LDAP backend required) Could not find entry to match filter: '%s' base: '%s'\n",
                          filter, base));
                /* set anonymous as the fallback, if the machine account won't work */
                cli_credentials_set_anonymous(cred);
                talloc_free(mem_ctx);
                return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
        } else if (ldb_ret != 1) {
-               DEBUG(1, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n",
+               DEBUG(5, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n",
                          ldb_ret, filter, base));
                /* set anonymous as the fallback, if the machine account won't work */
                cli_credentials_set_anonymous(cred);
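Review bot: Lowering the "Found more than one (%d) entry" message at L58 to level 5 hides a real misconfiguration: the zero-match case at L50 is, as its new prefix says, normal without an LDAP backend, but duplicate secrets records mean secrets.ldb is inconsistent and the caller is silently turned anonymous at L61. Keep that branch at level 1, or give it a prefix that distinguishes it from the expected no-backend case, so an operator can see why a bind came out anonymous. The enclosing function continues outside this hunk.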
@@ -255,12 +257,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
                machine_account = ldb_msg_find_attr_as_string(msgs[0], "servicePrincipalName", NULL);
                
                if (!machine_account) {
-                       DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n",
-                                 cli_credentials_get_domain(cred), filter, base));
-                       /* set anonymous as the fallback, if the machine account won't work */
-                       cli_credentials_set_anonymous(cred);
-                       talloc_free(mem_ctx);
-                       return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+                       const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL);
+                       if (!ldap_bind_dn) {
+                               DEBUG(1, ("Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n",
+                                         filter, base));
+                               /* set anonymous as the fallback, if the machine account won't work */
+                               cli_credentials_set_anonymous(cred);
+                               talloc_free(mem_ctx);
+                               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+                       }
                }
        }
 
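Review bot: `ldap_bind_dn` at L72 is scoped to the `if (!machine_account)` block and only tested for NULL, so within this hunk the value read from the new ldapBindDn attribute is discarded. Unless the rest of cli_credentials_set_secrets (the function continues past this hunk) re-reads the attribute and applies it with the setter matching the `get_bind_dn` the provision script calls, a record written by secrets_simple_ldap.ldif only suppresses the error and never configures the simple-bind DN. If so, hoist the lookup out of the block and apply it after the guard, e.g. `if (ldap_bind_dn) { cli_credentials_set_bind_dn(cred, ldap_bind_dn); }`. A short comment that `machine_account == NULL` from here on means "simple-bind record" would help the reader of the username guard at L89-91.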
@@ -299,7 +304,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
                cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
        }
 
-       cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+       if (machine_account) {
+               cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+       }
 
        cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0));
 
@@ -332,6 +339,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
                                                      struct loadparm_context *lp_ctx)
 {
+       NTSTATUS status;
        char *filter;
        /* Bleh, nasty recursion issues: We are setting a machine
         * account here, so we don't want the 'pending' flag around
@@ -339,9 +347,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
        cred->machine_account_pending = false;
        filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
                                       cli_credentials_get_domain(cred));
-       return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, 
+       status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, 
                                           SECRETS_PRIMARY_DOMAIN_DN,
                                           filter);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Could not find machine account in secrets database: %s", nt_errstr(status)));
+       }
+       return status;
 }
 
 /**
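Review bot: The new DEBUG formats at L112, L135 and L162 end without a newline, unlike the other DEBUG messages in this file (L40, L74), so the following log line is glued onto them. Append `\n` to each, e.g. `DEBUG(1, ("Could not find machine account in secrets database: %s\n", nt_errstr(status)));`. While touching this path, the `filter` from talloc_asprintf at L105 is still passed on unchecked; returning NT_STATUS_NO_MEMORY when it is NULL fits naturally next to the new status handling.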
@@ -354,6 +366,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
                                    struct event_context *event_ctx,
                                    struct loadparm_context *lp_ctx)
 {
+       NTSTATUS status;
        char *filter;
        /* Bleh, nasty recursion issues: We are setting a machine
         * account here, so we don't want the 'pending' flag around
@@ -362,13 +375,17 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
        filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
                                       cli_credentials_get_realm(cred),
                                       cli_credentials_get_domain(cred));
-       return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, 
+       status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, 
                                           SECRETS_PRINCIPALS_DN,
                                           filter);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s", nt_errstr(status)));
+       }
+       return status;
 }
 
 /**
- * Fill in credentials for the machine trust account, from the secrets database.
+ * Fill in credentials for a particular prinicpal, from the secrets database.
  * 
  * @param cred Credentials structure to fill in
  * @retval NTSTATUS error detailing any failure
@@ -378,6 +395,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
                                              struct loadparm_context *lp_ctx,
                                              const char *serviceprincipal)
 {
+       NTSTATUS status;
        char *filter;
        /* Bleh, nasty recursion issues: We are setting a machine
         * account here, so we don't want the 'pending' flag around
@@ -387,8 +405,12 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
                                 cli_credentials_get_realm(cred),
                                 cli_credentials_get_domain(cred),
                                 serviceprincipal);
-       return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, 
+       status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, 
                                           SECRETS_PRINCIPALS_DN, filter);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Could not find %s principal in secrets database: %s", serviceprincipal, nt_errstr(status)));
+       }
+       return status;
 }
 
 /**
index e07c64befbcd026b19b68c37d2205451b35d128a..891761860c591b68c1a02ed675d37dad5aa1ca80 100644 (file)
@@ -49,6 +49,17 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
                                DATA_BLOB in, DATA_BLOB *out) 
 {
        struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
+       const char *domain = gensec_ntlmssp_state->domain;
+       const char *workstation = cli_credentials_get_workstation(gensec_security->credentials);
+
+       /* These don't really matter in the initial packet, so don't panic if they are not set */
+       if (!domain) {
+               domain = "";
+       }
+
+       if (!workstation) {
+               workstation = "";
+       }
 
        if (gensec_ntlmssp_state->unicode) {
                gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
@@ -67,8 +78,8 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
                  "NTLMSSP",
                  NTLMSSP_NEGOTIATE,
                  gensec_ntlmssp_state->neg_flags,
-                 gensec_ntlmssp_state->domain, 
-                 cli_credentials_get_workstation(gensec_security->credentials));
+                 domain, 
+                 workstation);
 
        gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
 
index acc2c2a9a15925e7171bda134c275fd5eca08a8c..b5b7ddfdc6d749fc2dfc3f4e2b38d36a32bc93c6 100644 (file)
@@ -39,6 +39,8 @@
 #include "dsdb/common/flags.h"
 #include "param/param.h"
 #include "lib/events/events.h"
+#include "auth/credentials/credentials.h"
+#include "param/secrets.h"
 
 char *samdb_relative_path(struct ldb_context *ldb,
                                 TALLOC_CTX *mem_ctx, 
@@ -67,6 +69,28 @@ char *samdb_relative_path(struct ldb_context *ldb,
        return full_name;
 }
 
+struct cli_credentials *samdb_credentials(TALLOC_CTX *mem_ctx, 
+                                         struct event_context *event_ctx, 
+                                         struct loadparm_context *lp_ctx) 
+{
+       struct cli_credentials *cred = cli_credentials_init(mem_ctx);
+       if (!cred) {
+               return NULL;
+       }
+       cli_credentials_set_conf(cred, lp_ctx);
+
+       /* We don't want to use krb5 to talk to our samdb - recursion
+        * here would be bad, and this account isn't in the KDC
+        * anyway */
+       cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+       if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, NULL,
+                                                        SECRETS_LDAP_FILTER))) {
+               /* Perfectly OK - if not against an LDAP backend */
+               return NULL;
+       }
+       return cred;
+}
 
 /*
   connect to the SAM database
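Review bot: samdb_credentials leaks `cred` on its second failure path: when cli_credentials_set_secrets is not OK (L227-231) it returns NULL, but the object allocated on mem_ctx at L216 lives on until the caller's mem_ctx is freed, and for a per-connection mem_ctx that is one stray credentials object per connection without an ldapSecret. Free it before returning: `talloc_free(cred); return NULL;`. The new function also has no header comment; state that the result is allocated on mem_ctx, that NULL means either allocation failure or no ldapSecret record (callers cannot tell these apart, and samdb_connect at L242 treats both as anonymous), and why Kerberos is disabled. SECRETS_LDAP_FILTER matches every ldapSecret object and set_secrets rejects more than one match (L56-58), so a second record silently produces an anonymous connection; worth saying in that comment.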
@@ -80,7 +104,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
        struct ldb_context *ldb;
        ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, 
                               lp_sam_url(lp_ctx), session_info,
-                              NULL, 0, NULL);
+                              samdb_credentials(mem_ctx, ev_ctx, lp_ctx), 
+                              0, NULL);
        if (!ldb) {
                return NULL;
        }
index 2193c989cf356baa5d34e349d4cb0801e3f6eb4a..504dcf1c0f13550ba22196b908438a62cb7e88e5 100644 (file)
 #include "ldap_server/ldap_server.h"
 #include "lib/util/dlinklist.h"
 #include "libcli/ldap/ldap.h"
-#include "lib/ldb/include/ldb.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "lib/ldb_wrap.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "param/param.h"
 #include "smbd/service_stream.h"
+#include "dsdb/samdb/samdb.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "lib/ldb_wrap.h"
 
 #define VALID_DN_SYNTAX(dn,i) do {\
        if (!(dn)) {\
@@ -61,7 +61,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
                                     conn->lp_ctx,
                                     lp_sam_url(conn->lp_ctx), 
                                     conn->session_info,
-                                    NULL, conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
+                                    samdb_credentials(conn, conn->connection->event.ctx, conn->lp_ctx), 
+                                    conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
        if (conn->ldb == NULL) {
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        }
index e1569e72963b0a869294bca2a1e9fccba05039c1..65673116be1232b6e8c99e6024a5dc29050cf66a 100644 (file)
@@ -234,7 +234,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
         * Windows seem not to like double encryption */
        old_gensec_features = cli_credentials_get_gensec_features(creds);
        if (tls_enabled(conn->sock)) {
-               cli_credentials_set_gensec_features(creds, 0);
+               cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL));
        }
 
        /* this call also sets the gensec_want_features */
@@ -245,7 +245,8 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
                goto failed;
        }
 
-       /* reset the original gensec_features */
+       /* reset the original gensec_features (on the credentials
+        * context, so we don't tatoo it ) */
        cli_credentials_set_gensec_features(creds, old_gensec_features);
 
        if (conn->host) {
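Review bot: The `goto failed` at L285 jumps past the restore at L291, so when the gensec setup between them fails the credentials keep the mask applied at L280 — exactly the tattooing the reworded comment at L289-290 says is being avoided, and if the creds object is reused for a later non-TLS bind that bind presumably runs without SIGN/SEAL. Restore before leaving, `cli_credentials_set_gensec_features(creds, old_gensec_features); goto failed;`, or move the restore under the `failed:` label, which is outside this hunk. Spelling in the comment: "tatoo" should be "tattoo".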
@@ -393,8 +394,6 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
                                            &sasl_socket);
                if (!NT_STATUS_IS_OK(status)) goto failed;
 
-               talloc_steal(conn->sock, sasl_socket);
-               talloc_unlink(conn, conn->sock);
                conn->sock = sasl_socket;
                packet_set_socket(conn->packet, conn->sock);
 
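Review bot: Removing the talloc_steal/talloc_unlink pair at L298-299 changes who owns the plain socket once `conn->sock` is overwritten at L300: the old socket is neither re-parented under the SASL wrapper nor dropped from conn, so unless gensec_socket_init (its call starts before this hunk) now takes ownership of it, the plain socket either outlives the wrapper's reference or is freed underneath it when conn is torn down. Add a one-line comment at L300 naming the owner of the underlying socket after the swap, and if the wrapper does not own it, bring the steal back.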
index bca867b0332694db9720297a14a8afccd9cb5dd9..844238afdb51d4bd24e825f03c06c3e5e918f0b6 100644 (file)
@@ -38,7 +38,6 @@
 #include "param/param.h"
 #include "libcli/resolve/resolve.h"
 
-
 /**
   create a new ldap_connection stucture. The event context is optional
 */
@@ -298,7 +297,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
        char protocol[11];
        int ret;
 
-       result = talloc_zero(NULL, struct composite_context);
+       result = talloc_zero(conn, struct composite_context);
        if (result == NULL) goto failed;
        result->state = COMPOSITE_STATE_IN_PROGRESS;
        result->async.fn = NULL;
@@ -336,6 +335,12 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
                SMB_ASSERT(sizeof(protocol)>10);
                SMB_ASSERT(sizeof(path)>1024);
        
+               /* LDAPI connections are to localhost, so give the local host name as the target for gensec */
+               conn->host = talloc_asprintf(conn, "%s.%s", lp_netbios_name(conn->lp_ctx),  lp_realm(conn->lp_ctx));
+               if (composite_nomem(conn->host, state->ctx)) {
+                       return result;
+               }
+
                /* The %c specifier doesn't null terminate :-( */
                ZERO_STRUCT(path);
                ret = sscanf(url, "%10[^:]://%1025c", protocol, path);
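Review bot: The assignment at L326 overwrites `conn->host` unconditionally, so if the connection already carried a host (the earlier part of ldap_connect_send is outside this hunk) that string leaks on conn until the connection is freed; guard it with `if (conn->host == NULL)` or free the old value first. The name is built from `lp_netbios_name` and `lp_realm` without checking either, so an unset realm yields a target ending in a bare dot that presumably ends up in the server principal; failing with a clear error is better than a confusing Kerberos failure later. The comment at L325 would be more precise as `/* LDAPI is always local: use our own FQDN as the gensec target so it matches the server's principal */`.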
index a79bf043a5157d8470aa5b7fd34b022f5a14497d..b223a74a31ed4debb20bdcce0183f35bb8eb0ccc 100644 (file)
@@ -1222,12 +1222,10 @@ NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, str
        state->secrets         = NULL;
        state->trusted_domains = NULL;
 
-       state->sam_ldb         = ldb_wrap_connect(mem_ctx, 
-                                                 ctx->event_ctx,
-                                                 ctx->lp_ctx, 
-                                                 lp_sam_url(ctx->lp_ctx), 
-                                                 r->in.session_info,
-                                                 ctx->cred, 0, NULL);
+       state->sam_ldb         = samdb_connect(mem_ctx, 
+                                              ctx->event_ctx,
+                                              ctx->lp_ctx, 
+                                              r->in.session_info);
 
        r2.out.error_string    = NULL;
        r2.in.binding_string   = r->in.binding_string;
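Review bot: This replaces the caller-supplied `ctx->cred` with whatever samdb_connect derives from secrets.ldb, so a libnet caller that passed explicit credentials for the SAM connection now has them ignored; if that is intended, a comment here, `/* samdb_connect takes the backend credentials from secrets.ldb, not ctx->cred */`, prevents someone re-adding them. samdb_connect also needs `dsdb/samdb/samdb.h` in this file's includes, which this hunk does not show — confirm it is already included.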
index fa162ea66a37707c1f6654d83fbb0c01a79f839a..83b6dc7fdc62937c9e9ca87da59de39cbb481e5d 100644 (file)
@@ -33,6 +33,7 @@ struct machine_acct_pass {
 #define SECRETS_PRIMARY_REALM_FILTER "(&(realm=%s)(objectclass=primaryDomain))"
 #define SECRETS_KRBTGT_SEARCH "(&((|(realm=%s)(flatname=%s))(samAccountName=krbtgt)))"
 #define SECRETS_PRINCIPAL_SEARCH "(&(|(realm=%s)(flatname=%s))(servicePrincipalName=%s))"
+#define SECRETS_LDAP_FILTER "(objectclass=ldapSecret)"
 
 /**
  * Use a TDB to store an incrementing random seed.
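Review bot: SECRETS_LDAP_FILTER has no comment and its behaviour is easy to misread: it matches every ldapSecret object under the search base, and cli_credentials_set_secrets treats more than one match as failure (L56-58), so exactly one such record may exist. Add `/* Credentials Samba uses to bind to its own LDAP backend; at most one entry may match */` above the define.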
index 504044253e51a5a54f1abdf90f708efe3c3c1233..6102dc77ffa4435d293cbea3a8fdae0f986c9f95 100644 (file)
@@ -604,6 +604,20 @@ def setup_secretsdb(path, setup_path, session_info, credentials, lp):
     secrets_ldb = Ldb(path, session_info=session_info, credentials=credentials,
                       lp=lp)
     secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
+
+    if credentials is not None and credentials.authentication_requested():
+        if credentials.get_bind_dn() is not None:
+            setup_add_ldif(secrets_ldb, setup_path("secrets_simple_ldap.ldif"), {
+                    "LDAPMANAGERDN": credentials.get_bind_dn(),
+                    "LDAPMANAGERPASS_B64": b64encode(credentials.get_password())
+                    })
+        else:
+            setup_add_ldif(secrets_ldb, setup_path("secrets_sasl_ldap.ldif"), {
+                    "LDAPADMINUSER": credentials.get_username(),
+                    "LDAPADMINREALM": credentials.get_realm(),
+                    "LDAPADMINPASS_B64": b64encode(credentials.get_password())
+                    })
+
     return secrets_ldb
 
 
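Review bot: `b64encode(credentials.get_password())` at L371 and L377 raises TypeError when the password is None, which may happen when `authentication_requested()` is true but no password was given, and a None from `get_username()` or `get_realm()` would be written into the ldif as the literal string "None". Check the values up front and fail with a clear message, e.g. `if credentials.get_password() is None: raise ValueError("LDAP backend credentials require a password")`. A comment is also due here: this stores the backend bind secret in secrets.ldb, so that file's permissions now guard the LDAP admin password.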
@@ -754,10 +768,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
             domain_oc = "samba4LocalDomain"
 
         setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
-            "DOMAINDN": names.domaindn,
-            "ACI": aci,
-            "DOMAIN_OC": domain_oc
-            })
+                "DOMAINDN": names.domaindn,
+                "ACI": aci,
+                "DOMAIN_OC": domain_oc
+                })
 
         message("Modifying DomainDN: " + names.domaindn + "")
         if domainguid is not None:
@@ -1265,15 +1279,27 @@ refint_attributes""" + refint_attributes + "\n"
                     "DOMAINDN": names.domaindn,
                     "CONFIGDN": names.configdn,
                     "SCHEMADN": names.schemadn,
-                    "LDAPMANAGERDN": names.ldapmanagerdn,
-                    "LDAPMANAGERPASS": adminpass,
                     "MEMBEROF_CONFIG": memberof_config})
         setup_file(setup_path("modules.conf"), paths.modulesconf,
                    {"REALM": names.realm})
         
-        setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "user")))
-        setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "config")))
-        setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "schema")))
+        setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "user"))
+        setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "config"))
+        setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "schema"))
+
+        if not os.path.exists(os.path.join(paths.ldapdir, "db", "samba",  "cn=samba")):
+            os.makedirs(os.path.join(paths.ldapdir, "db", "samba",  "cn=samba"))
+
+        setup_file(setup_path("cn=samba.ldif"), 
+                   os.path.join(paths.ldapdir, "db", "samba",  "cn=samba.ldif"),
+                   { "UUID": str(uuid.uuid4()), 
+                     "LDAPTIME": timestring(int(time.time()))} )
+        setup_file(setup_path("cn=samba-admin.ldif"), 
+                              os.path.join(paths.ldapdir, "db", "samba",  "cn=samba", "cn=samba-admin.ldif"),
+                              {"LDAPADMINPASS_B64": b64encode(adminpass),
+                               "UUID": str(uuid.uuid4()), 
+                               "LDAPTIME": timestring(int(time.time()))} )
+
         mapping = "schema-map-openldap-2.3"
         backend_schema = "backend-schema.schema"
 
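Review bot: The cn=samba-admin.ldif written at L422-426 carries the admin password as base64 of the cleartext (`userPassword::` in the template, and slapd.conf now sets `password-hash {CLEARTEXT}`), yet neither setup_file's file mode nor the `os.makedirs` at L416 (default mode, umask-dependent) is visible here as restrictive. Pass mode 0700 to the `os.makedirs` call for `db/samba` and make sure setup_file writes this file 0600, or chmod it afterwards; the hdb directories deserve the same since they will hold whatever the backend stores. Minor: `timestring(int(time.time()))` is evaluated twice at L421 and L426; compute it once so both entries carry the same timestamp.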
@@ -1294,7 +1320,12 @@ refint_attributes""" + refint_attributes + "\n"
     message("Hostname:            %s" % names.hostname)
     message("DNS Domain:          %s" % names.dnsdomain)
     message("Base DN:             %s" % names.domaindn)
-    message("LDAP admin DN:       %s" % names.ldapmanagerdn)
+
+    if ldap_backend_type == "openldap":
+        message("LDAP admin user:     samba-admin")
+    else:
+        message("LDAP admin DN:       %s" % names.ldapmanagerdn)
+
     message("LDAP admin password: %s" % adminpass)
     message(slapdcommand)
 
index 2347dfc742b78622984d548e457180f44539dcdd..896b0131055bc8f6523033913bda3ab610ccbb2f 100644 (file)
@@ -571,7 +571,6 @@ sub provision($$$$$$)
        server max protocol = SMB2
        notify:inotify = false
        ldb:nosync = true
-       system:anonymous = true
 #We don't want to pass our self-tests if the PAC code is wrong
        gensec:require_pac = true
        log level = $smbd_loglevel
@@ -719,8 +718,7 @@ nogroup:x:65534:nobody
        push (@provision_options, "--krbtgtpass=krbtgt$password");
        push (@provision_options, "--machinepass=machine$password");
        push (@provision_options, "--root=$unix_name");
-       push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
-       push (@provision_options, "--password=$password");
+
        push (@provision_options, "--server-role=\"$server_role\"");
 
        my $ldap_uri= "$ldapdir/ldapi";
@@ -753,15 +751,18 @@ nogroup:x:65534:nobody
        if (defined($self->{ldap})) {
 
                 push (@provision_options, "--ldap-backend=$ldap_uri");
-               system("$self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$unix_name --realm=$realm --domain=$domain --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+               system("$self->{setupdir}/provision-backend $configuration --ldap-admin-pass=$password --root=$unix_name --realm=$realm --domain=$domain --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+
+               push (@provision_options, "--password=$password");
 
                if ($self->{ldap} eq "openldap") {
+                      push (@provision_options, "--username=samba-admin");
                       ($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");
                       push (@provision_options, "--ldap-backend-type=openldap");
                } elsif ($self->{ldap} eq "fedora-ds") {
+                      push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
                       ($ret->{FEDORA_DS_DIR}, $ret->{FEDORA_DS_PIDFILE}) = $self->mk_fedora_ds($ldapdir, $configuration) or die("Unable to create fedora ds directories");
                       push (@provision_options, "--ldap-backend-type=fedora-ds");
-                      push (@provision_options, "'--aci=aci:: KHRhcmdldGF0dHIgPSAiKiIpICh2ZXJzaW9uIDMuMDthY2wgImZ1bGwgYWNjZXNzIHRvIGFsbCBieSBhbGwiO2FsbG93IChhbGwpKHVzZXJkbiA9ICJsZGFwOi8vL2FueW9uZSIpOykK'");
                  }
 
                $self->slapd_start($ret) or 
diff --git a/source4/setup/cn=samba-admin.ldif b/source4/setup/cn=samba-admin.ldif
new file mode 100644 (file)
index 0000000..c59ffd9
--- /dev/null
@@ -0,0 +1,12 @@
+dn: cn=samba-admin
+objectClass: top
+objectClass: person
+cn: samba-admin
+userPassword:: ${LDAPADMINPASS_B64}
+structuralObjectClass: person
+entryUUID: ${UUID}
+creatorsName:
+createTimestamp: ${LDAPTIME}
+entryCSN: 20080714010529.241038Z#000000#000#000000
+modifiersName:
+modifyTimestamp: ${LDAPTIME}
diff --git a/source4/setup/cn=samba.ldif b/source4/setup/cn=samba.ldif
new file mode 100644 (file)
index 0000000..3be6242
--- /dev/null
@@ -0,0 +1,11 @@
+dn: cn=Samba
+objectClass: top
+objectClass: container
+cn: Samba
+structuralObjectClass: container
+entryUUID: b1d4823a-e58c-102c-9f74-51b6d59a1b68
+creatorsName:
+createTimestamp: 20080714010529Z
+entryCSN: 20080714010529.194412Z#000000#000#000000
+modifiersName:
+modifyTimestamp: 20080714010529Z
index c1d6cd157aa857601dec1ba1363c00652f4e57ae..7bd61fc1d882060db500596dad3930eb5bd57431 100755 (executable)
@@ -30,7 +30,7 @@ import os, sys
 sys.path.insert(0, "bin/python")
 
 import samba
-
+from samba.credentials import DONT_USE_KERBEROS
 from samba.auth import system_session
 import samba.getopt as options
 from samba import param
@@ -131,6 +131,8 @@ else:
 
 creds = credopts.get_credentials(lp)
 
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
 setup_dir = opts.setupdir
 if setup_dir is None:
        setup_dir = "setup"
index 54dc5839bfaf27d0f79078cce06e7df7102f2a08..845dc8679a2ad4a3e8ff8aad9725f2a2f52b5329 100755 (executable)
@@ -49,8 +49,8 @@ parser.add_option("--domain", type="string", metavar="DOMAIN",
                                  help="set domain")
 parser.add_option("--host-name", type="string", metavar="HOSTNAME", 
                help="set hostname")
-parser.add_option("--ldap-manager-pass", type="string", metavar="PASSWORD", 
-               help="choose LDAP manager password (otherwise random)")
+parser.add_option("--ldap-admin-pass", type="string", metavar="PASSWORD", 
+               help="choose LDAP admin password (otherwise random)")
 parser.add_option("--root", type="string", metavar="USERNAME", 
                help="choose 'root' unix username")
 parser.add_option("--quiet", help="Be quiet", action="store_true")
@@ -96,7 +96,7 @@ if setup_dir is None:
 provision_backend(setup_dir=setup_dir, message=message, smbconf=smbconf, targetdir=opts.targetdir,
                  realm=opts.realm, domain=opts.domain,
                  hostname=opts.host_name,
-                 adminpass=opts.ldap_manager_pass,
+                 adminpass=opts.ldap_admin_pass,
                  root=opts.root, serverrole=server_role, 
                  ldap_backend_type=opts.ldap_backend_type,
                  ldap_backend_port=opts.ldap_backend_port)
index 9eda47e4636f606f37a9bfc1e0f5cbdc4b2cec52..eb423a512230f33bcb57d7e01168e9412fe4556d 100644 (file)
@@ -11,5 +11,5 @@ sAMAccountName: CASE_INSENSITIVE
 #Add modules to the list to activate them by default
 #beware often order is important
 dn: @MODULES
-@LIST: update_keytab,operational,objectguid
+@LIST: update_keytab,operational,objectguid,rdn_name
 
diff --git a/source4/setup/secrets_sasl_ldap.ldif b/source4/setup/secrets_sasl_ldap.ldif
new file mode 100644 (file)
index 0000000..81ccfee
--- /dev/null
@@ -0,0 +1,9 @@
+dn: CN=SAMDB Credentials
+objectClass: top
+objectClass: ldapSecret
+cn: SAMDB Credentials
+secret:: ${LDAPADMINPASS_B64}
+samAccountName: ${LDAPADMINUSER}
+realm: ${LDAPADMINREALM}
+
+
diff --git a/source4/setup/secrets_simple_ldap.ldif b/source4/setup/secrets_simple_ldap.ldif
new file mode 100644 (file)
index 0000000..3f5ccd2
--- /dev/null
@@ -0,0 +1,6 @@
+dn: CN=SAMDB Credentials
+objectClass: top
+objectClass: ldapSecret
+cn: SAMDB Credentials
+secret:: ${LDAPMANAGERPASS_B64}
+ldapBindDn: ${LDAPMANAGERDN}
index 15b9d3104e82e5e292ff08e627d82b62383690df..b1ce6f6492e189a8a1c8c975bc0d53b80a80d2ed 100644 (file)
@@ -5,17 +5,36 @@ include ${LDAPDIR}/backend-schema.schema
 pidfile                ${LDAPDIR}/slapd.pid
 argsfile       ${LDAPDIR}/slapd.args
 sasl-realm ${DNSDOMAIN}
-access to * by * write
 
-allow update_anon
+#authz-regexp
+#          uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
+#          ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
 
-authz-regexp
-          uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
-          ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+#authz-regexp
+#          uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
+#          ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
 
 authz-regexp
           uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
-          ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+          ldap:///cn=samba??one?(cn=\$1)
+
+authz-regexp
+          uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
+          ldap:///cn=samba??one?(cn=\$1)
+
+access to dn.base="" 
+       by dn=cn=samba-admin,cn=samba manage
+       by anonymous read
+       by * read
+
+access to dn.subtree="cn=samba"
+       by anonymous auth
+
+access to dn.subtree="${DOMAINDN}"
+       by dn=cn=samba-admin,cn=samba manage
+       by * read
+
+password-hash   {CLEARTEXT}
 
 include ${LDAPDIR}/modules.conf
 
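Review bot: With rootdn/rootpw removed (L651-652) and `access to dn.subtree="cn=samba" by anonymous auth` at L624-625, the samba-admin entry is usable for binding only: if I read the implicit trailing `by * none` correctly, even samba-admin cannot read or modify its own entry, so rotating that password means editing the ldif database on disk — worth a comment next to the directive. `access to dn.subtree="${DOMAINDN}" by * read` at L627-629 grants anonymous read of everything Samba keeps in the backend; since Samba now always binds as samba-admin, consider `by * none` (or limiting the anonymous clause to the attributes actually needed) and keep the backend on the ldapi socket. `password-hash {CLEARTEXT}` at L631 is what the DIGEST-MD5/NTLM authz-regexp mappings at L610-617 require, but it means the ldif under db/samba holds the admin password in recoverable form, so directory permissions are its only protection; say so in a comment above the directive.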
@@ -23,6 +42,11 @@ defaultsearchbase ${DOMAINDN}
 
 ${MEMBEROF_CONFIG}
 
+database       ldif
+suffix         cn=Samba
+directory       ${LDAPDIR}/db/samba
+
+
 database        hdb
 suffix         ${SCHEMADN}
 directory      ${LDAPDIR}/db/schema
@@ -78,9 +102,6 @@ index dnsRoot eq
 index nETBIOSName eq
 index cn eq
 
-rootdn          ${LDAPMANAGERDN}
-rootpw          ${LDAPMANAGERPASS}
-
 #syncprov is stable in OpenLDAP 2.3, and available in 2.2.  
 #We only need this for the contextCSN attribute anyway....
 overlay syncprov