From b8444b64a32d698b01acce2a1307723cc69a472b Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Fri, 24 Sep 2010 23:25:49 -0700
Subject: s4-provision: switch to dns-HOSTNAME instead of dns

We now use a host specific account name for the DNS account, which is
the account used for dynamic DNS updates. We also setup the
servicePrincipalName for automatic update, and add both DNS/${DNSDOMAIN}
and DNS/${DNSNAME} for compatibility with both the old and new SPNs

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
---
 source4/setup/provision_dns_add.ldif | 10 +++++++---
 source4/setup/secrets_dns.ldif       |  5 +++--
 source4/setup/secrets_self_join.ldif | 13 -------------
 3 files changed, 10 insertions(+), 18 deletions(-)
 delete mode 100644 source4/setup/secrets_self_join.ldif

(limited to 'source4/setup')

diff --git a/source4/setup/provision_dns_add.ldif b/source4/setup/provision_dns_add.ldif
index ac818a573de..a0a8187030d 100644
--- a/source4/setup/provision_dns_add.ldif
+++ b/source4/setup/provision_dns_add.ldif
@@ -88,15 +88,19 @@ dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwDqAHg==
 
 
 # NOTE: This account is SAMBA4 specific!
-dn: CN=dns,CN=Users,${DOMAINDN}
+# we have it to avoid the need for the bind daemon to
+# have access to the whole secrets.keytab for the domain,
+# otherwise bind could impersonate any user
+dn: CN=dns-${HOSTNAME},CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: user
-description: DNS Service Account
+description: DNS Service Account for ${HOSTNAME}
 userAccountControl: 514
 accountExpires: 9223372036854775807
-sAMAccountName: dns
+sAMAccountName: dns-${HOSTNAME}
+servicePrincipalName: DNS/${DNSNAME}
 servicePrincipalName: DNS/${DNSDOMAIN}
 userPassword:: ${DNSPASS_B64}
 isCriticalSystemObject: TRUE
diff --git a/source4/setup/secrets_dns.ldif b/source4/setup/secrets_dns.ldif
index 840d1d6c43a..641bce6382d 100644
--- a/source4/setup/secrets_dns.ldif
+++ b/source4/setup/secrets_dns.ldif
@@ -1,11 +1,12 @@
 #Update a keytab for the external DNS server to use 
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+dn: samAccountName=dns-${HOSTNAME},CN=Principals
 objectClass: top
 objectClass: secret
 objectClass: kerberosSecret
 realm: ${REALM}
 servicePrincipalName: DNS/${DNSDOMAIN}
+servicePrincipalName: DNS/${DNSNAME}
 msDS-KeyVersionNumber: 1
 privateKeytab: ${DNS_KEYTAB}
 secret:: ${DNSPASS_B64}
-samAccountName: dns
+samAccountName: dns-${HOSTNAME}
diff --git a/source4/setup/secrets_self_join.ldif b/source4/setup/secrets_self_join.ldif
deleted file mode 100644
index 22be0cab0ba..00000000000
--- a/source4/setup/secrets_self_join.ldif
+++ /dev/null
@@ -1,13 +0,0 @@
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER}
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-saltPrincipal: ${SALT_PRINCIPAL}
-- 
cgit