NTSTATUS status;
const struct model_ops *model_ops;
+ switch (lp_server_role()) {
+ case ROLE_STANDALONE:
+ task_server_terminate(task, "ldap_server: no LDAP server required in standalone configuration");
+ return;
+ case ROLE_DOMAIN_MEMBER:
+ task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration");
+ return;
+ case ROLE_DOMAIN_CONTROLLER:
+ /* Yes, we want an LDAP server */
+ break;
+ }
+
task_server_set_title(task, "task[ldapsrv]");
/* run the ldap server as a single process */
subobj.NETLOGONPATH = paths.netlogon;
subobj.SYSVOLPATH = paths.sysvol;
+ if (subobj.DOMAIN_CONF == undefined) {
+ subobj.DOMAIN_CONF = subobj.DOMAIN;
+ }
+ if (subobj.REALM_CONF == undefined) {
+ subobj.REALM_CONF = subobj.REALM;
+ }
+ if (subobj.SERVERROLE != "domain controller") {
+ subobj.REALM = subobj.HOSTNAME;
+ subobj.DOMAIN = subobj.HOSTNAME;
+ }
+
return true;
}
setup_ldb("secrets.ldif", info, paths.secrets, false);
+ setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
return true;
}
/* only install a new smb.conf if there isn't one there already */
var st = sys.stat(paths.smbconf);
if (st == undefined) {
+ var smbconfsuffix;
+ if (subobj.ROLE == "domain controller") {
+ smbconfsuffix = "dc";
+ } else if (subobj.ROLE == "member server") {
+ smbconfsuffix = "member";
+ } else {
+ smbconfsuffix = subobj.ROLE;
+ }
message("Setting up " + paths.smbconf +"\n");
- setup_file("provision.smb.conf", info.message, paths.smbconf, subobj);
+ setup_file("provision.smb.conf." + smbconfsuffix, info.message, paths.smbconf, subobj);
lp.reload();
}
/* only install a new shares config db if there is none */
message("Setting up sam.ldb users and groups\n");
setup_add_ldif("provision_users.ldif", info, samdb, false);
- if (lp.get("server role") == "domain controller") {
+ if (subobj.SERVERROLE == "domain controller") {
message("Setting up self join\n");
setup_add_ldif("provision_self_join.ldif", info, samdb, false);
setup_add_ldif("provision_group_policy.ldif", info, samdb, false);
sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/User", 0755);
sys.mkdir(paths.netlogon, 0755);
+
+ setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
}
if (setup_name_mappings(info, samdb) == false) {
function provision_dns(subobj, message, paths, session_info, credentials)
{
var lp = loadparm_init();
- if (lp.get("server role") != "domain controller") {
- message("No DNS zone required for role %s\n", lp.get("server role"));
+ if (subobj.SERVERROLE != "domain controller") {
+ message("No DNS zone required for role %s\n", subobj.SERVERROLE);
return;
}
message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n");
var rdn_list;
random_init(local);
+ subobj.SERVERROLE = strlower(lp.get("server role"));
subobj.REALM = strupper(lp.get("realm"));
subobj.DOMAIN = lp.get("workgroup");
subobj.HOSTNAME = hostname();
}
- if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN)) {
+ if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN_CONF)) {
message("workgroup '%s' in smb.conf must match chosen domain '%s'\n",
- lp.get("workgroup"), subobj.DOMAIN);
+ lp.get("workgroup"), subobj.DOMAIN_CONF);
return false;
}
- if (strupper(lp.get("realm")) != strupper(subobj.REALM)) {
+ if (strupper(lp.get("realm")) != strupper(subobj.REALM_CONF)) {
message("realm '%s' in smb.conf must match chosen realm '%s'\n",
- lp.get("realm"), subobj.REALM);
+ lp.get("realm"), subobj.REALM_CONF);
+ return false;
+ }
+
+ if (strupper(lp.get("server role")) != strupper(subobj.SERVERROLE)) {
+ message("server role '%s' in smb.conf must match chosen role '%s'\n",
+ lp.get("server role"), subobj.SERVERROLE);
return false;
}
$tmpdir);
- my $localdomain = $domain;
- $localdomain = $netbiosname if $server_role eq "member server";
- my $localrealm = $realm;
- $localrealm = $netbiosname if $server_role eq "member server";
my $localbasedn = $basedn;
$localbasedn = "DC=$netbiosname" if $server_role eq "member server";
push (@provision_options, split(' ', $configuration));
push (@provision_options, "--host-name=$netbiosname");
push (@provision_options, "--host-ip=$ifaceipv4");
- push (@provision_options, "--quiet");
- push (@provision_options, "--domain=$localdomain");
- push (@provision_options, "--realm=$localrealm");
+# push (@provision_options, "--quiet");
+ push (@provision_options, "--domain=$domain");
+ push (@provision_options, "--realm=$realm");
push (@provision_options, "--adminpass=$password");
push (@provision_options, "--krbtgtpass=krbtgt$password");
push (@provision_options, "--machinepass=machine$password");
push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn");
push (@provision_options, "--password=$password");
push (@provision_options, "--root=$root");
+ push (@provision_options, "--server-role=$server_role");
my $ldap_uri= "$ldapdir/ldapi";
$ldap_uri =~ s|/|%2F|g;
if (defined($self->{ldap})) {
push (@provision_options, "--ldap-backend=$ldap_uri");
- system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$localrealm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
+ system("$self->{bindir}/smbscript $self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$root --realm=$realm --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed");
if ($self->{ldap} eq "openldap") {
($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories");
# the BIND nameserver.
#
-#insert this into options {}
+# If you have a very recent BIND, supporting GSS-TSIG,
+# insert this into options {} (otherwise omit, it is not required if we don't accept updates)
tkey-gssapi-credential "DNS/${DNSDOMAIN}";
tkey-domain "${REALM}";
-#the zone file
+# You should always include the actual zone configuration reference:
zone "${DNSDOMAIN}." IN {
type master;
file "${DNSDOMAIN}.zone";
'users=s',
'quiet',
'blank',
+ 'server-role=s',
'partitions-only',
'ldap-base',
'ldap-backend=s',
--users GROUPNAME choose 'users' group
--quiet Be quiet
--blank do not add users or groups, just the structure
+ --server-role ROLE Set server role to provision for (default standalone)
--partitions-only Configure Samba's partitions, but do not modify them (ie, join a BDC)
--ldap-base output only an LDIF file, suitable for creating an LDAP baseDN
--ldap-backend LDAPSERVER LDAP server to use for this provision
var lp = loadparm_init();
lp.set("realm", options.realm);
lp.set("workgroup", options.domain);
+lp.set("server role", options["server-role"]);
lp.reload();
var subobj = provision_guess();
[globals]
netbios name = ${HOSTNAME}
- workgroup = ${DOMAIN}
- realm = ${REALM}
- server role = domain controller
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
[netlogon]
path = ${NETLOGONPATH}
--- /dev/null
+[globals]
+ netbios name = ${HOSTNAME}
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
--- /dev/null
+[globals]
+ netbios name = ${HOSTNAME}
+ workgroup = ${DOMAIN_CONF}
+ realm = ${REALM_CONF}
+ server role = ${SERVERROLE}
servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
${HOSTGUID_ADD}
+
+#Provide a account for DNS keytab export
+dn: CN=dns,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: dns
+description: DNS Service Account
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+accountExpires: 9223372036854775807
+sAMAccountName: dns
+sAMAccountType: 805306368
+servicePrincipalName: DNS/${DNSDOMAIN}
+isCriticalSystemObject: TRUE
+sambaPassword:: ${DNSPASS_B64}
+
isCriticalSystemObject: TRUE
sambaPassword:: ${KRBTGTPASS_B64}
-dn: CN=dns,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: dns
-description: DNS Service Account
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-accountExpires: 9223372036854775807
-sAMAccountName: dns
-sAMAccountType: 805306368
-servicePrincipalName: DNS/${DNSDOMAIN}
-isCriticalSystemObject: TRUE
-sambaPassword:: ${DNSPASS_B64}
-
dn: CN=Domain Computers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
objectClass: container
cn: Primary Domains
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-msDS-KeyVersionNumber: 1
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-sAMAccountName: krbtgt
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-objectSid: ${DOMAINSID}
-servicePrincipalName: kadmin/changepw
-krb5Keytab: HDB:ldb:${SAM_LDB}:
-#The trailing : here is a HACK, but it matches the Heimdal format.
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-realm: ${REALM}
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
-servicePrincipalName: DNS/${DNSDOMAIN}
-privateKeytab: ${DNS_KEYTAB}
-secret:: ${DNSPASS_B64}
-
--- /dev/null
+dn: flatname=${DOMAIN},CN=Primary Domains
+objectClass: top
+objectClass: primaryDomain
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+secret:: ${MACHINEPASS_B64}
+secureChannelType: 6
+sAMAccountName: ${NETBIOSNAME}$
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+msDS-KeyVersionNumber: 1
+objectSid: ${DOMAINSID}
+privateKeytab: ${SECRETS_KEYTAB}
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+sAMAccountName: krbtgt
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+objectSid: ${DOMAINSID}
+servicePrincipalName: kadmin/changepw
+krb5Keytab: HDB:ldb:${SAM_LDB}:
+#The trailing : here is a HACK, but it matches the Heimdal format.
+
+# A hook from our credentials system into HDB, as we must be on a KDC,
+# we can look directly into the database.
+dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+realm: ${REALM}
+whenCreated: ${LDAPTIME}
+whenChanged: ${LDAPTIME}
+servicePrincipalName: DNS/${DNSDOMAIN}
+privateKeytab: ${DNS_KEYTAB}
+secret:: ${DNSPASS_B64}
+
git.samba.org / kai / samba.git / commitdiff