From 9caa8d3da12707c9409339fd294114fd489da648 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:04:06 +1000 Subject: Try to make NTLMSSP less fussy for unimportant messages. We don't really care (because nobody uses them) what we send as the domain and workstation in the negotiate packet. Andrew Bartlett (This used to be commit 9ac07e14873df2c18d0e9501691c2d4c4047e218) --- source4/auth/ntlmssp/ntlmssp_client.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'source4') diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index e07c64befb..891761860c 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -49,6 +49,17 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, DATA_BLOB in, DATA_BLOB *out) { struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; + const char *domain = gensec_ntlmssp_state->domain; + const char *workstation = cli_credentials_get_workstation(gensec_security->credentials); + + /* These don't really matter in the initial packet, so don't panic if they are not set */ + if (!domain) { + domain = ""; + } + + if (!workstation) { + workstation = ""; + } if (gensec_ntlmssp_state->unicode) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; @@ -67,8 +78,8 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security, "NTLMSSP", NTLMSSP_NEGOTIATE, gensec_ntlmssp_state->neg_flags, - gensec_ntlmssp_state->domain, - cli_credentials_get_workstation(gensec_security->credentials)); + domain, + workstation); gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE; -- cgit From f5d18f4d241907950e079dcbfe1c724358187ec0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:05:41 +1000 Subject: Allow ldap credentials to be (optionally) stored in secrets.ldb This includes a simple bind DN, or SASL credentials. The error messages are reworked as on systems without an LDAP backend, we will fail to find this record very often. Andrew Bartlett (This used to be commit 95825ae6d5e9d9846f3a7505a81ebe603826227e) --- source4/auth/credentials/credentials_files.c | 44 +++++++++++++++++++++------- 1 file changed, 33 insertions(+), 11 deletions(-) (limited to 'source4') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 05b0bf56a8..bba3fdc308 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -194,6 +194,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, "privateKeytab", "krb5Keytab", "servicePrincipalName", + "ldapBindDn", NULL }; @@ -221,6 +222,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); DEBUG(1, ("Could not open secrets.ldb\n")); + talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } } @@ -255,12 +257,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, machine_account = ldb_msg_find_attr_as_string(msgs[0], "servicePrincipalName", NULL); if (!machine_account) { - DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n", - cli_credentials_get_domain(cred), filter, base)); - /* set anonymous as the fallback, if the machine account won't work */ - cli_credentials_set_anonymous(cred); - talloc_free(mem_ctx); - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL); + if (!ldap_bind_dn) { + DEBUG(5, ("(normal if no LDAP backend required) Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n", + filter, base)); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); + talloc_free(mem_ctx); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } } } @@ -299,7 +304,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, cli_credentials_set_realm(cred, realm, CRED_SPECIFIED); } - cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); + if (machine_account) { + cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); + } cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0)); @@ -332,6 +339,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { + NTSTATUS status; char *filter; /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around @@ -339,9 +347,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, SECRETS_PRIMARY_DOMAIN_DN, filter); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not find machine account in secrets database: %s", nt_errstr(status))); + } + return status; } /** @@ -354,6 +366,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, struct event_context *event_ctx, struct loadparm_context *lp_ctx) { + NTSTATUS status; char *filter; /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around @@ -362,13 +375,17 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s", nt_errstr(status))); + } + return status; } /** - * Fill in credentials for the machine trust account, from the secrets database. + * Fill in credentials for a particular prinicpal, from the secrets database. * * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure @@ -378,6 +395,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c struct loadparm_context *lp_ctx, const char *serviceprincipal) { + NTSTATUS status; char *filter; /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around @@ -387,8 +405,12 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), serviceprincipal); - return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not find %s principal in secrets database: %s", serviceprincipal, nt_errstr(status))); + } + return status; } /** -- cgit From 532899386b229fc4e72303d18e951686634c8757 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:07:13 +1000 Subject: Use secrets.ldb to store credentials to contact LDAP backend. This makes Samba4 behave much like Samba3 did, and use a single set of administrative credentials for it's connection to LDAP. Andrew Bartlett (This used to be commit e396a59788d77aa2fbf3b523c3773fe0e5c976c0) --- source4/dsdb/samdb/samdb.c | 27 ++++++++++++++++++++++++++- source4/ldap_server/ldap_backend.c | 9 +++++---- source4/libnet/libnet_samsync_ldb.c | 10 ++++------ 3 files changed, 35 insertions(+), 11 deletions(-) (limited to 'source4') diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index acc2c2a9a1..b5b7ddfdc6 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -39,6 +39,8 @@ #include "dsdb/common/flags.h" #include "param/param.h" #include "lib/events/events.h" +#include "auth/credentials/credentials.h" +#include "param/secrets.h" char *samdb_relative_path(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, @@ -67,6 +69,28 @@ char *samdb_relative_path(struct ldb_context *ldb, return full_name; } +struct cli_credentials *samdb_credentials(TALLOC_CTX *mem_ctx, + struct event_context *event_ctx, + struct loadparm_context *lp_ctx) +{ + struct cli_credentials *cred = cli_credentials_init(mem_ctx); + if (!cred) { + return NULL; + } + cli_credentials_set_conf(cred, lp_ctx); + + /* We don't want to use krb5 to talk to our samdb - recursion + * here would be bad, and this account isn't in the KDC + * anyway */ + cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS); + + if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, NULL, + SECRETS_LDAP_FILTER))) { + /* Perfectly OK - if not against an LDAP backend */ + return NULL; + } + return cred; +} /* connect to the SAM database @@ -80,7 +104,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx, struct ldb_context *ldb; ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, lp_sam_url(lp_ctx), session_info, - NULL, 0, NULL); + samdb_credentials(mem_ctx, ev_ctx, lp_ctx), + 0, NULL); if (!ldb) { return NULL; } diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index 2193c989cf..504dcf1c0f 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -21,13 +21,13 @@ #include "ldap_server/ldap_server.h" #include "lib/util/dlinklist.h" #include "libcli/ldap/ldap.h" -#include "lib/ldb/include/ldb.h" -#include "lib/ldb/include/ldb_errors.h" -#include "lib/ldb_wrap.h" #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" #include "param/param.h" #include "smbd/service_stream.h" +#include "dsdb/samdb/samdb.h" +#include "lib/ldb/include/ldb_errors.h" +#include "lib/ldb_wrap.h" #define VALID_DN_SYNTAX(dn,i) do {\ if (!(dn)) {\ @@ -61,7 +61,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn) conn->lp_ctx, lp_sam_url(conn->lp_ctx), conn->session_info, - NULL, conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL); + samdb_credentials(conn, conn->connection->event.ctx, conn->lp_ctx), + conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL); if (conn->ldb == NULL) { return NT_STATUS_INTERNAL_DB_CORRUPTION; } diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c index a79bf043a5..b223a74a31 100644 --- a/source4/libnet/libnet_samsync_ldb.c +++ b/source4/libnet/libnet_samsync_ldb.c @@ -1222,12 +1222,10 @@ NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, str state->secrets = NULL; state->trusted_domains = NULL; - state->sam_ldb = ldb_wrap_connect(mem_ctx, - ctx->event_ctx, - ctx->lp_ctx, - lp_sam_url(ctx->lp_ctx), - r->in.session_info, - ctx->cred, 0, NULL); + state->sam_ldb = samdb_connect(mem_ctx, + ctx->event_ctx, + ctx->lp_ctx, + r->in.session_info); r2.out.error_string = NULL; r2.in.binding_string = r->in.binding_string; -- cgit From ab00b65dde3fad666425cd9b4b6e45dabc33b279 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:08:57 +1000 Subject: Cleanup ldap_bind_sasl. With these changes, we don't leak the LDAP socket, and don't reset all credentials feature flags, just the ones we are actually incompatible with. Andrew Bartlett (This used to be commit 72e52a301102941c41ab423e0212fe9a1aed0405) --- source4/libcli/ldap/ldap_bind.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'source4') diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c index e1569e7296..65673116be 100644 --- a/source4/libcli/ldap/ldap_bind.c +++ b/source4/libcli/ldap/ldap_bind.c @@ -234,7 +234,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, * Windows seem not to like double encryption */ old_gensec_features = cli_credentials_get_gensec_features(creds); if (tls_enabled(conn->sock)) { - cli_credentials_set_gensec_features(creds, 0); + cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)); } /* this call also sets the gensec_want_features */ @@ -245,7 +245,8 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, goto failed; } - /* reset the original gensec_features */ + /* reset the original gensec_features (on the credentials + * context, so we don't tatoo it ) */ cli_credentials_set_gensec_features(creds, old_gensec_features); if (conn->host) { @@ -393,8 +394,6 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, &sasl_socket); if (!NT_STATUS_IS_OK(status)) goto failed; - talloc_steal(conn->sock, sasl_socket); - talloc_unlink(conn, conn->sock); conn->sock = sasl_socket; packet_set_socket(conn->packet, conn->sock); -- cgit From 2b1f2712f18a6fa7dcd60e2ed54ac157e9c54889 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:09:32 +1000 Subject: Add a standard filter for finding the LDAP secrets. (This used to be commit 28c784966809d634e8497e0716b30bad018467b4) --- source4/param/secrets.h | 1 + 1 file changed, 1 insertion(+) (limited to 'source4') diff --git a/source4/param/secrets.h b/source4/param/secrets.h index fa162ea66a..83b6dc7fdc 100644 --- a/source4/param/secrets.h +++ b/source4/param/secrets.h @@ -33,6 +33,7 @@ struct machine_acct_pass { #define SECRETS_PRIMARY_REALM_FILTER "(&(realm=%s)(objectclass=primaryDomain))" #define SECRETS_KRBTGT_SEARCH "(&((|(realm=%s)(flatname=%s))(samAccountName=krbtgt)))" #define SECRETS_PRINCIPAL_SEARCH "(&(|(realm=%s)(flatname=%s))(servicePrincipalName=%s))" +#define SECRETS_LDAP_FILTER "(objectclass=ldapSecret)" /** * Use a TDB to store an incrementing random seed. -- cgit From 403f4f94ffec28d1c1dc910e1960531f4c14534b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:10:29 +1000 Subject: Make up a full hostname for ldapi connections. The DIGEST-MD5 SASL method requires a hostname, so provide one. Andrew Bartlett (This used to be commit edfb2ed1f22bc735af5a0c3d3ae6ab6771d28f2c) --- source4/libcli/ldap/ldap_client.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'source4') diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c index bca867b033..844238afdb 100644 --- a/source4/libcli/ldap/ldap_client.c +++ b/source4/libcli/ldap/ldap_client.c @@ -38,7 +38,6 @@ #include "param/param.h" #include "libcli/resolve/resolve.h" - /** create a new ldap_connection stucture. The event context is optional */ @@ -298,7 +297,7 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con char protocol[11]; int ret; - result = talloc_zero(NULL, struct composite_context); + result = talloc_zero(conn, struct composite_context); if (result == NULL) goto failed; result->state = COMPOSITE_STATE_IN_PROGRESS; result->async.fn = NULL; @@ -336,6 +335,12 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con SMB_ASSERT(sizeof(protocol)>10); SMB_ASSERT(sizeof(path)>1024); + /* LDAPI connections are to localhost, so give the local host name as the target for gensec */ + conn->host = talloc_asprintf(conn, "%s.%s", lp_netbios_name(conn->lp_ctx), lp_realm(conn->lp_ctx)); + if (composite_nomem(conn->host, state->ctx)) { + return result; + } + /* The %c specifier doesn't null terminate :-( */ ZERO_STRUCT(path); ret = sscanf(url, "%10[^:]://%1025c", protocol, path); -- cgit From a6b842f9634cbeb4075c2bbaf7e49c19104602be Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:15:12 +1000 Subject: Connect to the LDAP backend with SASL credentials. This reworks our LDAP backend code to move from anonymous access to a shared-secret SASL-protected connection. (SASL selects NTLM or DIGEST-MD5 on my system). To get this working, we must pre-populate the LDAP backend with a DN to store ths SASL secret on, and we use back-ldif for this. This gives us a reasonable basis to deploy a replicated OpenLDAP backend solution. Andrew Bartlett (This used to be commit cd0745253c4a9ec59a035e830e54d74a05b71aaa) --- source4/scripting/python/samba/provision.py | 47 +++++++++++++++++++++++------ source4/selftest/target/Samba4.pm | 2 +- source4/setup/cn=samba-admin.ldif | 12 ++++++++ source4/setup/cn=samba.ldif | 11 +++++++ source4/setup/provision | 4 ++- source4/setup/secrets_init.ldif | 2 +- source4/setup/secrets_sasl_ldap.ldif | 9 ++++++ source4/setup/secrets_simple_ldap.ldif | 6 ++++ source4/setup/slapd.conf | 39 ++++++++++++++++++------ 9 files changed, 111 insertions(+), 21 deletions(-) create mode 100644 source4/setup/cn=samba-admin.ldif create mode 100644 source4/setup/cn=samba.ldif create mode 100644 source4/setup/secrets_sasl_ldap.ldif create mode 100644 source4/setup/secrets_simple_ldap.ldif (limited to 'source4') diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 504044253e..d0f612c7a8 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -604,6 +604,20 @@ def setup_secretsdb(path, setup_path, session_info, credentials, lp): secrets_ldb = Ldb(path, session_info=session_info, credentials=credentials, lp=lp) secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif")) + + if credentials.authentication_requested: + if credentials.get_bind_dn() is not None: + setup_add_ldif(secrets_ldb, setup_path("secrets_simple_ldap.ldif"), { + "LDAPMANAGERDN": credentials.get_bind_dn(), + "LDAPMANAGERPASS_B64": b64encode(credentials.get_password()) + }) + else: + setup_add_ldif(secrets_ldb, setup_path("secrets_sasl_ldap.ldif"), { + "LDAPADMINUSER": credentials.get_username(), + "LDAPADMINREALM": credentials.get_realm(), + "LDAPADMINPASS_B64": b64encode(credentials.get_password()) + }) + return secrets_ldb @@ -754,10 +768,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, domain_oc = "samba4LocalDomain" setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), { - "DOMAINDN": names.domaindn, - "ACI": aci, - "DOMAIN_OC": domain_oc - }) + "DOMAINDN": names.domaindn, + "ACI": aci, + "DOMAIN_OC": domain_oc + }) message("Modifying DomainDN: " + names.domaindn + "") if domainguid is not None: @@ -1265,15 +1279,30 @@ refint_attributes""" + refint_attributes + "\n" "DOMAINDN": names.domaindn, "CONFIGDN": names.configdn, "SCHEMADN": names.schemadn, - "LDAPMANAGERDN": names.ldapmanagerdn, - "LDAPMANAGERPASS": adminpass, "MEMBEROF_CONFIG": memberof_config}) setup_file(setup_path("modules.conf"), paths.modulesconf, {"REALM": names.realm}) - setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "user"))) - setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "config"))) - setup_db_config(setup_path, os.path.join(paths.ldapdir, os.path.join("db", "schema"))) + setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "user")) + setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "config")) + setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "schema")) + + if not os.path.exists(os.path.join(paths.ldapdir, "db", "samba", "cn=samba")): + os.makedirs(os.path.join(paths.ldapdir, "db", "samba", "cn=samba")) + + setup_file(setup_path("cn=samba.ldif"), + os.path.join(paths.ldapdir, "db", "samba", "cn=samba.ldif"), + { "UUID": str(uuid.uuid4()), + "LDAPTIME": timestring(int(time.time()))} ) + setup_file(setup_path("cn=samba-admin.ldif"), + os.path.join(paths.ldapdir, "db", "samba", "cn=samba", "cn=samba-admin.ldif"), + {"LDAPADMINPASS_B64": b64encode(adminpass), + "UUID": str(uuid.uuid4()), + "LDAPTIME": timestring(int(time.time()))} ) + +#"LDAPMANAGERDN": names.ldapmanagerdn, + + mapping = "schema-map-openldap-2.3" backend_schema = "backend-schema.schema" diff --git a/source4/selftest/target/Samba4.pm b/source4/selftest/target/Samba4.pm index 2347dfc742..0be1acf371 100644 --- a/source4/selftest/target/Samba4.pm +++ b/source4/selftest/target/Samba4.pm @@ -719,7 +719,7 @@ nogroup:x:65534:nobody push (@provision_options, "--krbtgtpass=krbtgt$password"); push (@provision_options, "--machinepass=machine$password"); push (@provision_options, "--root=$unix_name"); - push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn"); + push (@provision_options, "--username=samba-admin"); push (@provision_options, "--password=$password"); push (@provision_options, "--server-role=\"$server_role\""); diff --git a/source4/setup/cn=samba-admin.ldif b/source4/setup/cn=samba-admin.ldif new file mode 100644 index 0000000000..c59ffd9ab6 --- /dev/null +++ b/source4/setup/cn=samba-admin.ldif @@ -0,0 +1,12 @@ +dn: cn=samba-admin +objectClass: top +objectClass: person +cn: samba-admin +userPassword:: ${LDAPADMINPASS_B64} +structuralObjectClass: person +entryUUID: ${UUID} +creatorsName: +createTimestamp: ${LDAPTIME} +entryCSN: 20080714010529.241038Z#000000#000#000000 +modifiersName: +modifyTimestamp: ${LDAPTIME} diff --git a/source4/setup/cn=samba.ldif b/source4/setup/cn=samba.ldif new file mode 100644 index 0000000000..3be6242fe3 --- /dev/null +++ b/source4/setup/cn=samba.ldif @@ -0,0 +1,11 @@ +dn: cn=Samba +objectClass: top +objectClass: container +cn: Samba +structuralObjectClass: container +entryUUID: b1d4823a-e58c-102c-9f74-51b6d59a1b68 +creatorsName: +createTimestamp: 20080714010529Z +entryCSN: 20080714010529.194412Z#000000#000#000000 +modifiersName: +modifyTimestamp: 20080714010529Z diff --git a/source4/setup/provision b/source4/setup/provision index c1d6cd157a..7bd61fc1d8 100755 --- a/source4/setup/provision +++ b/source4/setup/provision @@ -30,7 +30,7 @@ import os, sys sys.path.insert(0, "bin/python") import samba - +from samba.credentials import DONT_USE_KERBEROS from samba.auth import system_session import samba.getopt as options from samba import param @@ -131,6 +131,8 @@ else: creds = credopts.get_credentials(lp) +creds.set_kerberos_state(DONT_USE_KERBEROS) + setup_dir = opts.setupdir if setup_dir is None: setup_dir = "setup" diff --git a/source4/setup/secrets_init.ldif b/source4/setup/secrets_init.ldif index 9eda47e463..eb423a5122 100644 --- a/source4/setup/secrets_init.ldif +++ b/source4/setup/secrets_init.ldif @@ -11,5 +11,5 @@ sAMAccountName: CASE_INSENSITIVE #Add modules to the list to activate them by default #beware often order is important dn: @MODULES -@LIST: update_keytab,operational,objectguid +@LIST: update_keytab,operational,objectguid,rdn_name diff --git a/source4/setup/secrets_sasl_ldap.ldif b/source4/setup/secrets_sasl_ldap.ldif new file mode 100644 index 0000000000..81ccfee209 --- /dev/null +++ b/source4/setup/secrets_sasl_ldap.ldif @@ -0,0 +1,9 @@ +dn: CN=SAMDB Credentials +objectClass: top +objectClass: ldapSecret +cn: SAMDB Credentials +secret:: ${LDAPADMINPASS_B64} +samAccountName: ${LDAPADMINUSER} +realm: ${LDAPADMINREALM} + + diff --git a/source4/setup/secrets_simple_ldap.ldif b/source4/setup/secrets_simple_ldap.ldif new file mode 100644 index 0000000000..3f5ccd2df1 --- /dev/null +++ b/source4/setup/secrets_simple_ldap.ldif @@ -0,0 +1,6 @@ +dn: CN=SAMDB Credentials +objectClass: top +objectClass: ldapSecret +cn: SAMDB Credentials +secret:: ${LDAPMANAGERPASS_B64} +ldapBindDn: ${LDAPMANAGERDN} diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf index 15b9d3104e..b1ce6f6492 100644 --- a/source4/setup/slapd.conf +++ b/source4/setup/slapd.conf @@ -5,17 +5,36 @@ include ${LDAPDIR}/backend-schema.schema pidfile ${LDAPDIR}/slapd.pid argsfile ${LDAPDIR}/slapd.args sasl-realm ${DNSDOMAIN} -access to * by * write -allow update_anon +#authz-regexp +# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth +# ldap:///${DOMAINDN}??sub?(samAccountName=\$1) -authz-regexp - uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth - ldap:///${DOMAINDN}??sub?(samAccountName=\$1) +#authz-regexp +# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth +# ldap:///${DOMAINDN}??sub?(samAccountName=\$1) authz-regexp uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth - ldap:///${DOMAINDN}??sub?(samAccountName=\$1) + ldap:///cn=samba??one?(cn=\$1) + +authz-regexp + uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth + ldap:///cn=samba??one?(cn=\$1) + +access to dn.base="" + by dn=cn=samba-admin,cn=samba manage + by anonymous read + by * read + +access to dn.subtree="cn=samba" + by anonymous auth + +access to dn.subtree="${DOMAINDN}" + by dn=cn=samba-admin,cn=samba manage + by * read + +password-hash {CLEARTEXT} include ${LDAPDIR}/modules.conf @@ -23,6 +42,11 @@ defaultsearchbase ${DOMAINDN} ${MEMBEROF_CONFIG} +database ldif +suffix cn=Samba +directory ${LDAPDIR}/db/samba + + database hdb suffix ${SCHEMADN} directory ${LDAPDIR}/db/schema @@ -78,9 +102,6 @@ index dnsRoot eq index nETBIOSName eq index cn eq -rootdn ${LDAPMANAGERDN} -rootpw ${LDAPMANAGERPASS} - #syncprov is stable in OpenLDAP 2.3, and available in 2.2. #We only need this for the contextCSN attribute anyway.... overlay syncprov -- cgit From 0f1eea267257eff0d75a702ee0793a86834fb76a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:46:32 +1000 Subject: Rework provision to handle both simple and SASL binds. Fedora DS is still setup for simple binds only, at this point. (it also fails on other issues). Andrew Bartlett (This used to be commit b24c572d5a38c1f6906751c2ad2f809e1995b510) --- source4/scripting/python/samba/provision.py | 10 ++++++---- source4/selftest/target/Samba4.pm | 11 ++++++----- source4/setup/provision-backend | 6 +++--- 3 files changed, 15 insertions(+), 12 deletions(-) (limited to 'source4') diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index d0f612c7a8..f27cc17290 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -1300,9 +1300,6 @@ refint_attributes""" + refint_attributes + "\n" "UUID": str(uuid.uuid4()), "LDAPTIME": timestring(int(time.time()))} ) -#"LDAPMANAGERDN": names.ldapmanagerdn, - - mapping = "schema-map-openldap-2.3" backend_schema = "backend-schema.schema" @@ -1323,7 +1320,12 @@ refint_attributes""" + refint_attributes + "\n" message("Hostname: %s" % names.hostname) message("DNS Domain: %s" % names.dnsdomain) message("Base DN: %s" % names.domaindn) - message("LDAP admin DN: %s" % names.ldapmanagerdn) + + if ldap_backend_type == "openldap": + message("LDAP admin user: samba-admin") + else: + message("LDAP admin DN: %s" % names.ldapmanagerdn) + message("LDAP admin password: %s" % adminpass) message(slapdcommand) diff --git a/source4/selftest/target/Samba4.pm b/source4/selftest/target/Samba4.pm index 0be1acf371..896b013105 100644 --- a/source4/selftest/target/Samba4.pm +++ b/source4/selftest/target/Samba4.pm @@ -571,7 +571,6 @@ sub provision($$$$$$) server max protocol = SMB2 notify:inotify = false ldb:nosync = true - system:anonymous = true #We don't want to pass our self-tests if the PAC code is wrong gensec:require_pac = true log level = $smbd_loglevel @@ -719,8 +718,7 @@ nogroup:x:65534:nobody push (@provision_options, "--krbtgtpass=krbtgt$password"); push (@provision_options, "--machinepass=machine$password"); push (@provision_options, "--root=$unix_name"); - push (@provision_options, "--username=samba-admin"); - push (@provision_options, "--password=$password"); + push (@provision_options, "--server-role=\"$server_role\""); my $ldap_uri= "$ldapdir/ldapi"; @@ -753,15 +751,18 @@ nogroup:x:65534:nobody if (defined($self->{ldap})) { push (@provision_options, "--ldap-backend=$ldap_uri"); - system("$self->{setupdir}/provision-backend $configuration --ldap-manager-pass=$password --root=$unix_name --realm=$realm --domain=$domain --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed"); + system("$self->{setupdir}/provision-backend $configuration --ldap-admin-pass=$password --root=$unix_name --realm=$realm --domain=$domain --host-name=$netbiosname --ldap-backend-type=$self->{ldap}>&2") == 0 or die("backend provision failed"); + + push (@provision_options, "--password=$password"); if ($self->{ldap} eq "openldap") { + push (@provision_options, "--username=samba-admin"); ($ret->{SLAPD_CONF}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ldapdir, $configuration) or die("Unable to create openldap directories"); push (@provision_options, "--ldap-backend-type=openldap"); } elsif ($self->{ldap} eq "fedora-ds") { + push (@provision_options, "--simple-bind-dn=cn=Manager,$localbasedn"); ($ret->{FEDORA_DS_DIR}, $ret->{FEDORA_DS_PIDFILE}) = $self->mk_fedora_ds($ldapdir, $configuration) or die("Unable to create fedora ds directories"); push (@provision_options, "--ldap-backend-type=fedora-ds"); - push (@provision_options, "'--aci=aci:: KHRhcmdldGF0dHIgPSAiKiIpICh2ZXJzaW9uIDMuMDthY2wgImZ1bGwgYWNjZXNzIHRvIGFsbCBieSBhbGwiO2FsbG93IChhbGwpKHVzZXJkbiA9ICJsZGFwOi8vL2FueW9uZSIpOykK'"); } $self->slapd_start($ret) or diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend index 54dc5839bf..845dc8679a 100755 --- a/source4/setup/provision-backend +++ b/source4/setup/provision-backend @@ -49,8 +49,8 @@ parser.add_option("--domain", type="string", metavar="DOMAIN", help="set domain") parser.add_option("--host-name", type="string", metavar="HOSTNAME", help="set hostname") -parser.add_option("--ldap-manager-pass", type="string", metavar="PASSWORD", - help="choose LDAP manager password (otherwise random)") +parser.add_option("--ldap-admin-pass", type="string", metavar="PASSWORD", + help="choose LDAP admin password (otherwise random)") parser.add_option("--root", type="string", metavar="USERNAME", help="choose 'root' unix username") parser.add_option("--quiet", help="Be quiet", action="store_true") @@ -96,7 +96,7 @@ if setup_dir is None: provision_backend(setup_dir=setup_dir, message=message, smbconf=smbconf, targetdir=opts.targetdir, realm=opts.realm, domain=opts.domain, hostname=opts.host_name, - adminpass=opts.ldap_manager_pass, + adminpass=opts.ldap_admin_pass, root=opts.root, serverrole=server_role, ldap_backend_type=opts.ldap_backend_type, ldap_backend_port=opts.ldap_backend_port) -- cgit From e400b3ec4e7f32406ed8803ed22612033511d99a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 18:44:58 +1000 Subject: Fix asking for credentials for non-LDAP provisions. (This used to be commit 78416f4840df4f8d1f9cc5e46a48b19c86888050) --- source4/scripting/python/samba/provision.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4') diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index f27cc17290..6102dc77ff 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -605,7 +605,7 @@ def setup_secretsdb(path, setup_path, session_info, credentials, lp): lp=lp) secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif")) - if credentials.authentication_requested: + if credentials is not None and credentials.authentication_requested(): if credentials.get_bind_dn() is not None: setup_add_ldif(secrets_ldb, setup_path("secrets_simple_ldap.ldif"), { "LDAPMANAGERDN": credentials.get_bind_dn(), -- cgit From 63d91e9ab0ecc1e80edff27ae09b249c68453106 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 19:31:37 +1000 Subject: Kill of some bogus debugs for the world who does not use the LDAP backend (This used to be commit 5bde586bdb4a1523a62a764b9ff292a4a8cee4fe) --- source4/auth/credentials/credentials_files.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index bba3fdc308..6c3bb2531e 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -233,14 +233,14 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, &msgs, attrs, "%s", filter); if (ldb_ret == 0) { - DEBUG(1, ("Could not find entry to match filter: '%s' base: '%s'\n", + DEBUG(5, ("(normal if no LDAP backend required) Could not find entry to match filter: '%s' base: '%s'\n", filter, base)); /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else if (ldb_ret != 1) { - DEBUG(1, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n", + DEBUG(5, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n", ldb_ret, filter, base)); /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); @@ -259,7 +259,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (!machine_account) { const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL); if (!ldap_bind_dn) { - DEBUG(5, ("(normal if no LDAP backend required) Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n", + DEBUG(1, ("Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n", filter, base)); /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); -- cgit