Diffstat (limited to 'ipa-install')
-rw-r--r--ipa-install/README5
-rw-r--r--ipa-install/share/60samba.ldif152
-rw-r--r--ipa-install/share/Makefile3
-rw-r--r--ipa-install/share/bootstrap-template.ldif28
-rw-r--r--ipa-install/share/default-aci.ldif8
-rw-r--r--ipa-install/share/kdc.conf.template14
-rw-r--r--ipa-install/share/kerberos.ldif26
-rw-r--r--ipa-install/share/krb5.conf.template35
-rw-r--r--ipa-install/src/ipa-server-install8
-rw-r--r--ipa-install/src/ipa/__init__.py1
-rw-r--r--ipa-install/src/ipa/dsinstance.py6
-rw-r--r--ipa-install/src/ipa/krbinstance.py153
-rw-r--r--ipa-install/test/test-users.ldif5
13 files changed, 427 insertions, 17 deletions
diff --git a/ipa-install/README b/ipa-install/README
index e69de29b..b9ae2cfd 100644
--- a/ipa-install/README
+++ b/ipa-install/README
@@ -0,0 +1,5 @@
+
+Required packages:
+krb5-server
+fedora-ds-base
+openldap-clients
diff --git a/ipa-install/share/60samba.ldif b/ipa-install/share/60samba.ldif
new file mode 100644
index 00000000..d3a6d31b
--- /dev/null
+++ b/ipa-install/share/60samba.ldif
@@ -0,0 +1,152 @@
+## schema file for Fedora DS
+##
+## Schema for storing Samba user accounts and group maps in LDAP
+## OIDs are owned by the Samba Team
+##
+## Prerequisite schemas - uid (cosine.schema)
+## - displayName (inetorgperson.schema)
+## - gidNumber (nis.schema)
+##
+## 1.3.6.1.4.1.7165.2.1.x - attributeTypess
+## 1.3.6.1.4.1.7165.2.2.x - objectClasseses
+##
+## Printer support
+## 1.3.6.1.4.1.7165.2.3.1.x - attributeTypess
+## 1.3.6.1.4.1.7165.2.3.2.x - objectClasseses
+##
+## Samba4
+## 1.3.6.1.4.1.7165.4.1.x - attributeTypess
+## 1.3.6.1.4.1.7165.4.2.x - objectClasseses
+## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
+## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
+## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
+##
+dn: cn=schema
+##
+#######################################################################
+## Attributes used by Samba 3.0 schema ##
+#######################################################################
+##
+## Password hashes##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+##
+## Account flags in string format ([UWDX ])
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
+##
+## Password timestamps & policies
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
+##
+## string settings
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
+##
+## SID, of any type
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+##
+## Primary group SID, compatible with ntSid
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+##
+## group mapping attributes
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+##
+## Store info on the domain
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
+## SUP name )
+##
+##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
+## DESC 'Privileges List'
+## EQUALITY caseIgnoreIA5Match
+## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+# "min password length"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "password history"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "user must logon to change password"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "maximum password age"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "minimum password age"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "lockout duration"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "reset count minutes"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "bad lockout attempt"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "disconnect time"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "refuse machine password change"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+##
+#######################################################################
+## objectClasses: used by Samba 3.0 schema ##
+#######################################################################
+##
+## The X.500 data model (and therefore LDAPv3) says that each entry can
+## only have one structural objectClasses. OpenLDAP 2.0 does not enforce
+## this currently but will in v2.1
+##
+## added new objectClasses: (and OID) for 3.0 to help us deal with backwards
+## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
+##
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours))
+##
+## Group mapping info
+##
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList ))
+##
+## Trust password for trust relationships (any kind)
+##
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ))
+##
+## Whole-of-domain info
+##
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange ))
+##
+## used for idmap_ldap module
+##
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL DESC 'Samba Share Section' MUST ( sambaShareName ) MAY ( description ) )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL DESC 'Samba Configuration Option' MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) )
+## retired during privilege rewrite
+##objectClasses: ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
+## DESC 'Samba Privilege'
+## MUST ( sambaSID )
+## MAY ( sambaPrivilegeList ) )
diff --git a/ipa-install/share/Makefile b/ipa-install/share/Makefile
index bffac02a..380480bc 100644
--- a/ipa-install/share/Makefile
+++ b/ipa-install/share/Makefile
@@ -3,6 +3,7 @@ SHAREDIR = $(DESTDIR)/usr/share/ipa
install:
-mkdir -p $(SHAREDIR)
install -m 644 *.ldif $(SHAREDIR)
+ install -m 644 *.template $(SHAREDIR)
clean:
- rm -f *~ \ No newline at end of file
+ rm -f *~
diff --git a/ipa-install/share/bootstrap-template.ldif b/ipa-install/share/bootstrap-template.ldif
index f6af4222..d83f715b 100644
--- a/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-install/share/bootstrap-template.ldif
@@ -1,25 +1,33 @@
+dn: $SUFFIX
+changetype: modify
+add: objectClass
+objectClass: pilotObject
+info: IPA V1.0
# default, $REALM
dn: ou=default,$SUFFIX
+changetype: add
objectClass: organizationalUnit
objectClass: top
ou: default
# users, default, $REALM
-dn: cn=users,ou=default,$SUFFIX
-objectClass: nsContainer
+dn: ou=users,ou=default,$SUFFIX
+changetype: add
+objectClass: organizationalUnit
objectClass: top
-cn: users
+ou: users
# groups, default, $REALM
-dn: cn=groups,ou=default,$SUFFIX
-objectClass: nsContainer
+dn: ou=groups,ou=default,$SUFFIX
+changetype: add
+objectClass: organizationalUnit
objectClass: top
-cn: groups
+ou: groups
# computers, default, $REALM
-dn: cn=computers,ou=default,$SUFFIX
-objectClass: nsContainer
-objectClass: top
-cn: computers
+#dn: ou=computers,ou=default,$SUFFIX
+#objectClass: organizationalUnit
+#objectClass: top
+#ou: computers
diff --git a/ipa-install/share/default-aci.ldif b/ipa-install/share/default-aci.ldif
new file mode 100644
index 00000000..dc729ceb
--- /dev/null
+++ b/ipa-install/share/default-aci.ldif
@@ -0,0 +1,8 @@
+# $SUFFIX (base entry)
+dn: $SUFFIX
+changetype: modify
+replace: aci
+aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
+aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
+aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow(read, search,compare)userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
+aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
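Review bot: The "Enable anonymous access" aci withholds `userPassword`, `krbPrincipalKey`, `sambaLMPassword` and `sambaNTPassword` from anonymous readers but not `sambaPasswordHistory`, which the `60samba.ldif` added in this commit describes as concatenated hashes of the salted NT passwords, so those hashes stay anonymously readable; extend the exclusion to `(targetattr!="userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || sambaPasswordHistory")`. The "Enable self write" aci contains `roomNumber | |secretary`, a space inside the `||` separator, which I would expect the ACI parser to reject; since all four values arrive in one `replace: aci` operation, that single typo would fail the whole modify and leave the server's previous ACIs in place. `replace: aci` also discards every ACI already present on `$SUFFIX`; if that is intended, a comment to that effect at the top of the file would spare the next reader the surprise.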
diff --git a/ipa-install/share/kdc.conf.template b/ipa-install/share/kdc.conf.template
new file mode 100644
index 00000000..69e769e3
--- /dev/null
+++ b/ipa-install/share/kdc.conf.template
@@ -0,0 +1,14 @@
+[kdcdefaults]
+ v4_mode = nopreauth
+
+[realms]
+ $REALM = {
+ master_key_type = des3-hmac-sha1
+ supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
+ max_life = 7d
+ max_renewable_life = 14d
+ acl_file = /var/kerberos/krb5kdc/kadm5.acl
+ dict_file = /usr/share/dict/words
+ default_principal_flags = +preauth
+; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+ }
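Review bot: `v4_mode = nopreauth` in `[kdcdefaults]` enables Kerberos 4 compatibility without preauthentication, which sidesteps the `default_principal_flags = +preauth` set in the realm block below for any client that speaks v4; unless v4 clients are a requirement, drop the line or set `v4_mode = none`. `supported_enctypes` lists the single-DES types (`des-cbc-crc`, `des-cbc-md5`, `des-hmac-sha1`, plus the v4 and afs3 salts) alongside `des3-hmac-sha1` and `arcfour-hmac`, and the master key itself is `des3-hmac-sha1`; a comment recording which legacy clients the DES entries are kept for would let a later maintainer know when they can be removed.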
diff --git a/ipa-install/share/kerberos.ldif b/ipa-install/share/kerberos.ldif
new file mode 100644
index 00000000..ae4564f6
--- /dev/null
+++ b/ipa-install/share/kerberos.ldif
@@ -0,0 +1,26 @@
+#kerberos base object
+dn: cn=kerberos,$SUFFIX
+changetype: add
+objectClass: krbContainer
+objectClass: top
+cn: kerberos
+aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
+
+#kerberos user
+dn: uid=kdc,cn=kerberos,$SUFFIX
+changetype: add
+objectclass: account
+objectclass: simplesecurityobject
+uid: kdc
+userPassword: $PASSWORD
+
+#sasl mapping
+dn: cn=kerberos,cn=mapping,cn=sasl,cn=config
+changetype: add
+objectclass: top
+objectclass: nsSaslMapping
+cn: kerberos
+nsSaslMapRegexString: \(.*\)@\(.*\)
+nsSaslMapBaseDNTemplate: $SUFFIX
+nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
+
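Review bot: `userPassword: $PASSWORD` receives the raw output of `generate_kdc_password()` from the `krbinstance.py` hunk, which draws every character from `chr(32..126)`; LDIF strips leading spaces after the colon, treats a leading `<` as a URL and a leading `:` as base64, and requires values ending in a space to be base64-encoded, so such a password is silently altered on load and the KDC's later bind as `uid=kdc` fails — this is the TODO left in `__configure_ldap`. Either restrict the generator to letters and digits, or base64-encode the value in `sub_dict` and write `userPassword:: $PASSWORD` here. The aci on `cn=kerberos` grants `uid=kdc` `allow(all)` over the whole container; I cannot tell from this diff what kadmind will need, but if the KDC only reads and updates principal entries a narrower right set, or a comment explaining why `all` is required, would be preferable.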
diff --git a/ipa-install/share/krb5.conf.template b/ipa-install/share/krb5.conf.template
new file mode 100644
index 00000000..5030df4f
--- /dev/null
+++ b/ipa-install/share/krb5.conf.template
@@ -0,0 +1,35 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = $REALM
+ dns_lookup_realm = true
+ dns_lookup_kdc = true
+ ticket_lifetime = 24h
+ forwardable = yes
+
+[domain_realm]
+ .$DOMAIN = $REALM
+ $DOMAIN = $REALM
+
+[appdefaults]
+ pam = {
+ debug = false
+ ticket_lifetime = 36000
+ renew_lifetime = 36000
+ forwardable = true
+ krb4_convert = false
+ }
+
+[dbmodules]
+ $REALM = {
+ db_library = kldap
+ ldap_servers = ldap://127.0.0.1/
+ ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
+ ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX
+; ldap_kadmind_dn = cn=Directory Manager
+ ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
+ }
+
diff --git a/ipa-install/src/ipa-server-install b/ipa-install/src/ipa-server-install
index e19d0afd..ad49d44d 100644
--- a/ipa-install/src/ipa-server-install
+++ b/ipa-install/src/ipa-server-install
@@ -29,6 +29,7 @@ VERSION = "%prog .1"
import logging
from optparse import OptionParser
import ipa.dsinstance
+import ipa.krbinstance
def parse_options():
parser = OptionParser(version=VERSION)
@@ -38,6 +39,8 @@ def parse_options():
help="host address (name or IP address)")
parser.add_option("-p", "--password", dest="password",
help="admin password")
+ parser.add_option("-m", "--master-password", dest="master_password",
+ help="kerberos master password")
options, args = parser.parse_args()
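Review bot: `--master-password` is accepted here, but in the `krbinstance.py` hunk `KrbInstance.create_instance` only stores it and never hands it to `kdb5_ldap_util`, so the option currently has no effect; whatever required-option check `parse_options` performs after this hunk (its body continues outside it) should also cover `master_password` once it is used. Like the existing `-p`, a password given on the command line is visible to every local user in the process list for the duration of the run; prompting for it when the option is omitted would avoid that for interactive installs.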
@@ -55,6 +58,11 @@ def main():
ds = ipa.dsinstance.DsInstance()
ds.create_instance(options.realm_name, options.host_name, options.password)
+ krb = ipa.krbinstance.KrbInstance()
+ krb.create_instance(options.realm_name, options.host_name, options.password, options.master_password)
+ #restart ds after the krb instance have add the sasl map
+ ds.restart()
+
return 0
main()
diff --git a/ipa-install/src/ipa/__init__.py b/ipa-install/src/ipa/__init__.py
new file mode 100644
index 00000000..8e20eb1b
--- /dev/null
+++ b/ipa-install/src/ipa/__init__.py
@@ -0,0 +1 @@
+__all__ = ["dsinstance", "krbinstance"]
diff --git a/ipa-install/src/ipa/dsinstance.py b/ipa-install/src/ipa/dsinstance.py
index 43f112e5..1569ec33 100644
--- a/ipa-install/src/ipa/dsinstance.py
+++ b/ipa-install/src/ipa/dsinstance.py
@@ -6,7 +6,7 @@
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; version 2 only
+# published by the Free Software Foundation; version 2 or later
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -136,6 +136,8 @@ class DsInstance:
def __add_default_schemas(self):
shutil.copyfile(SHARE_DIR + "60kerberos.ldif",
self.schema_dirname() + "60kerberos.ldif")
+ shutil.copyfile(SHARE_DIR + "60samba.ldif",
+ self.schema_dirname() + "60samba.ldif")
def __enable_ssl(self):
dirname = self.config_dirname()
@@ -146,7 +148,7 @@ class DsInstance:
def __add_default_layout(self):
txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict)
inf_fd = write_tmp_file(txt)
- args = ["/usr/bin/ldapadd", "-xv", "-D", "cn=Directory Manager",
+ args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
"-w", self.admin_password, "-f", inf_fd.name]
run(args)
diff --git a/ipa-install/src/ipa/krbinstance.py b/ipa-install/src/ipa/krbinstance.py
new file mode 100644
index 00000000..59eb2cef
--- /dev/null
+++ b/ipa-install/src/ipa/krbinstance.py
@@ -0,0 +1,153 @@
+#! /usr/bin/python -E
+# Authors: Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import subprocess
+import string
+import tempfile
+import shutil
+import logging
+from random import Random
+from time import gmtime
+
+SHARE_DIR = "/usr/share/ipa/"
+
+def realm_to_suffix(realm_name):
+ s = realm_name.split(".")
+ terms = ["dc=" + x for x in s]
+ return ",".join(terms)
+
+def generate_kdc_password():
+ rndpwd = ''
+ r = Random()
+ r.seed(gmtime())
+ for x in range(12):
+ rndpwd += chr(r.randint(32,126))
+ return rndpwd
+
+def template_str(txt, vars):
+ return string.Template(txt).substitute(vars)
+
+def template_file(infilename, vars):
+ txt = open(infilename).read()
+ return template_str(txt, vars)
+
+def write_tmp_file(txt):
+ fd = tempfile.NamedTemporaryFile()
+ fd.write(txt)
+ fd.flush()
+
+ return fd
+
+def ldap_mod(fd, dn, pwd):
+ args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
+ run(args)
+
+def run(args, stdin=None):
+ p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ if stdin:
+ stdout,stderr = p.communicate(stdin)
+ else:
+ stdout,stderr = p.communicate()
+ logging.info(stdout)
+ logging.info(stderr)
+
+ if p.returncode != 0:
+ raise subprocess.CalledProcessError(p.returncode, args[0])
+
+class KrbInstance:
+ def __init__(self):
+ self.realm_name = None
+ self.host_name = None
+ self.admin_password = None
+ self.master_password = None
+ self.suffix = None
+ self.kdc_password = None
+ self.sub_dict = None
+
+ def create_instance(self, realm_name, host_name, admin_password, master_password):
+ self.realm_name = realm_name
+ self.host_name = host_name
+ self.admin_password = admin_password
+ self.master_password = master_password
+
+ self.suffix = realm_to_suffix(self.realm_name)
+ self.kdc_password = generate_kdc_password()
+
+ self.__setup_sub_dict()
+
+ self.__configure_ldap()
+ self.__create_instance()
+ self.start()
+
+ def stop(self):
+ run(["/sbin/service", "krb5kdc", "stop"])
+
+ def start(self):
+ run(["/sbin/service", "krb5kdc", "start"])
+
+ def restart(self):
+ run(["/sbin/service", "krb5kdc", "restart"])
+
+ def __configure_kdc_account_password(self):
+ hexpwd = ''
+ for x in self.kdc_password:
+ hexpwd += (hex(ord(x))[2:])
+ pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
+ pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n")
+ pwd_fd.close()
+
+ def __setup_sub_dict(self):
+ self.sub_dict = dict(FQHN=self.host_name,
+ PASSWORD=self.kdc_password,
+ SUFFIX=self.suffix,
+ REALM=self.realm_name)
+
+ def __configure_ldap(self):
+
+ #TODO: test that the ldif is ok with any random charcter we may use in the password
+ kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
+ kerberos_fd = write_tmp_file(kerberos_txt)
+ ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+ name = kerberos_fd.name
+ kerberos_fd.close()
+ os.unlink(name)
+
+ #Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
+ aci_txt = template_file(SHARE_DIR + "default_aci.ldif", self.sub_dict)
+ aci_fd = write_tmp_file(aci_txt)
+ ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+ name = aci_fd.name
+ aci_fd.close()
+ os.unlink(name)
+
+ def __create_instance(self):
+ kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict)
+ kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+")
+ kdc_fd.write(kdc_conf)
+ kdc_fd.close()
+
+ krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict)
+ krb5_fd = open("/etc/krb5.conf", "w+")
+ krb5_fd.write(krb5_conf)
+ krb5_fd.close()
+
+ #populate the directory with the realm structure
+ args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "create", "-s", "-r", self.realm_name, "-subtrees", self.suffix, "-sscope", "sub"]
+ run(args)
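Review bot: `os` is never imported in this file, so `__configure_ldap` raises `NameError` at its first `os.unlink(name)`; and because `tempfile.NamedTemporaryFile()` already removes the file on `close()`, that unlink is redundant and would fail with ENOENT even once `import os` is added. The same method loads `default_aci.ldif`, but the file this commit adds and `share/Makefile` installs is `default-aci.ldif`, so the ACI that withholds `krbPrincipalKey` and the Samba hashes from anonymous readers would never be applied. `__configure_kdc_account_password` is defined but never called from `create_instance`, so `/var/kerberos/krb5kdc/ldappwd`, which `krb5.conf.template` names as `ldap_service_password_file`, is never written; when it is, it should be created 0600 and truncated rather than opened `"a+"`, since it holds the KDC's bind password and a re-run would otherwise append a stale second entry. `generate_kdc_password` seeds `Random()` with `gmtime()`, which has one-second resolution, so the KDC bind password is reproducible from the installation time; `random.SystemRandom` (import it in place of `Random`) needs no seed and draws from `os.urandom`. `self.master_password` is stored but never handed to `kdb5_ldap_util` (I believe the tool then prompts for the master key on the terminal), and the helpers from `realm_to_suffix` through `run` duplicate what `dsinstance.py` already has and could live in one shared module.
```python
def generate_kdc_password():
    # SystemRandom reads os.urandom, so no seeding; letters and digits only so
    # the value survives LDIF loading and the #{HEX} stash line unchanged.
    r = SystemRandom()
    alphabet = string.ascii_letters + string.digits
    return ''.join([r.choice(alphabet) for x in range(12)])

# … unchanged: template_str, template_file, write_tmp_file, ldap_mod, run …

    def create_instance(self, realm_name, host_name, admin_password, master_password):
        # … unchanged: attribute assignment, suffix, kdc_password, __setup_sub_dict …
        self.__configure_ldap()
        # the stash must exist before kdb5_ldap_util binds as uid=kdc
        self.__configure_kdc_account_password()
        self.__create_instance()
        self.start()

    def __configure_kdc_account_password(self):
        hexpwd = ''.join(["%02x" % ord(x) for x in self.kdc_password])
        # 0600 and O_TRUNC: the file holds the KDC's LDAP bind password, and a
        # re-run must replace the entry rather than append a second one
        fd = os.open("/var/kerberos/krb5kdc/ldappwd",
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
        pwd_fd = os.fdopen(fd, "w")
        pwd_fd.write("uid=kdc,cn=kerberos," + self.suffix + "#{HEX}" + hexpwd + "\n")
        pwd_fd.close()

    def __configure_ldap(self):
        # NamedTemporaryFile unlinks the file on close(); no os.unlink afterwards
        kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
        kerberos_fd = write_tmp_file(kerberos_txt)
        try:
            ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
        finally:
            kerberos_fd.close()

        # Withhold krbPrincipalKey and the password hashes from anonymous readers;
        # the file is installed as default-aci.ldif (share/Makefile, *.ldif)
        aci_txt = template_file(SHARE_DIR + "default-aci.ldif", self.sub_dict)
        aci_fd = write_tmp_file(aci_txt)
        try:
            ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
        finally:
            aci_fd.close()

    def __create_instance(self):
        # … unchanged: kdc.conf and krb5.conf writes …
        # -P supplies the master key non-interactively (it is visible in the
        # process list for the run, as the -m option to ipa-server-install
        # already is); uid=kdc's bind password comes from ldap_service_password_file
        args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos," + self.suffix,
                "create", "-s", "-P", self.master_password, "-r", self.realm_name,
                "-subtrees", self.suffix, "-sscope", "sub"]
        run(args)
```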
diff --git a/ipa-install/test/test-users.ldif b/ipa-install/test/test-users.ldif
index a61bd3c9..424eedb5 100644
--- a/ipa-install/test/test-users.ldif
+++ b/ipa-install/test/test-users.ldif
@@ -1,5 +1,5 @@
# test, users, default, $REALM
-dn: uid=test,cn=users,ou=default,$SUFFIX
+dn: uid=test,ou=users,ou=default,$SUFFIX
uidNumber: 1001
uid: test
gecos: test
@@ -17,7 +17,4 @@ objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
-objectClass: krbprincipalaux
cn: test
-userPassword:: e1NTSEF9T0FNVnNCL2hjYlJFRVlQaU9kYy9BY0dmNmdBaFdpYVNub2VPenc9PQ=
- =