[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] Adjust ldap-tools/ldap-debian-edu-install

Wolfgang Schweer gitlab at salsa.debian.org
Wed Sep 30 22:08:27 BST 2020



Wolfgang Schweer pushed to branch master at Debian Edu / debian-edu-config


Commits:
ae911357 by Wolfgang Schweer at 2020-09-30T23:03:31+02:00
Adjust ldap-tools/ldap-debian-edu-install

Drop Samba related code (deprecated NT4-style domain) to fix LDAP setup. Anyone
knowing a better way to fix the broken main server installation should go ahead.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -


2 changed files:

- debian/changelog
- ldap-tools/ldap-debian-edu-install


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+debian-edu-config (2.11.31) UNRELEASED; urgency=medium
+
+  * ldap-tools/ldap-debian-edu-install:
+    - Drop Samba related code (deprecated NT4-style domain) to fix LDAP setup.
+
+ -- Wolfgang Schweer <wschweer at arcor.de>  Wed, 30 Sep 2020 22:39:19 +0200
+
 debian-edu-config (2.11.30) unstable; urgency=medium
 
   [ Wolfgang Schweer ]


=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -194,15 +194,6 @@ dns_stop() {
     fi
 }
 
-smbd_stop() {
-    # make sure to stop smbd service, to avoid: 'ldap admin dn' is missing.
-    PID=`pidof smbd || /bin/true`
-    if [ -n "$PID" ]; then
-        echo "info: stopping smbd with pid $PID"
-       service smdb stop
-    fi
-}
-
 # Init tree
 init_ldap () {
 
@@ -296,14 +287,6 @@ cn=kadmin-service,$KRB_CONT_DN#{HEX}$KDCPWDHEX
 EOF
 
   ## bootstrap ldap with passwords inserted:
-
-  # generate Samba passwd already here
-  SAMBAPWD=$(slappasswd -g -h {CLEARTEXT})
-  # then generate hashed Samba password, this will be needed for bootstrapping
-  # cn=smbadmin in root.ldif
-  SAMBAPWDHASH=$(slappasswd -u -s "$SAMBAPWD")
- 
-  # first portion of bootstrap (everything except samba.ldif)
   for ldif in \
     /etc/ldap/root.ldif \
     /etc/ldap/ipnetworks.ldif \
@@ -315,7 +298,6 @@ EOF
     /etc/ldap/ltsp.ldif \
     /etc/ldap/firstuser.ldif \
     /etc/ldap/krb5.ldif
- 
   do
       if cat $ldif | sed -e "s:\$ROOTPWDHASH:$ROOTPWDHASH:" \
 	-e "s/\$MAC/$MAC/" \
@@ -326,8 +308,6 @@ EOF
 	-e "s:\$TEACHERSDN64:$TEACHERSDN64:" \
 	-e "s:\$KDCPWDHASH:$KDCPWDHASH:" \
 	-e "s:\$ROOTPWDSSHAHASH:$ROOTPWDSSHAHASH:" \
-        -e "s:\$SAMBAPWDHASH:$SAMBAPWDHASH:" \
-        -e "s:\$SAMBAPWD:$SAMBAPWD:" \
         -e "s:\$FIRSTUSERNAME:$FIRSTUSERNAME:" \
         -e "s:\$FIRSTUSERGECOS:$FIRSTUSERGECOS:" \
         -e "s:\$FIRSTUSERLASTNAME:$FIRSTUSERLASTNAME:" \
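Review bot: Dropping the `-e "s:\$SAMBAPWDHASH:$SAMBAPWDHASH:"` and `-e "s:\$SAMBAPWD:$SAMBAPWD:"` substitutions from this sed pipeline leaves any `$SAMBAPWDHASH`/`$SAMBAPWD` placeholder in the ldif files of this loop unreplaced; the comment removed in the earlier hunk states that root.ldif relies on `$SAMBAPWDHASH` to bootstrap cn=smbadmin, and this commit changes no ldif file. If root.ldif still carries that entry, slapadd will now store the literal placeholder text as the userPassword value, and a value without a {SCHEME} prefix is compared by slapd as a cleartext password, so the account ends up with a guessable fixed credential rather than being disabled. The Samba entries and placeholders should be removed from root.ldif in the same change, or the loop should refuse to load an ldif whose substituted stream still contains an unreplaced `$NAME` token. The enclosing init_ldap function starts before this hunk and ends in a later one.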
@@ -361,133 +341,10 @@ EOF
       service slapd start
       slapd_started=true
   fi
-
-  PID=`pidof slapd || /bin/true`
-  if [ -z "$PID" ]; then
-      echo "error: the LDAP server is not running. Skipping Samba setup." 1>&2
-      exit 1
-  else
-
-    # Samba will also need DNS to bind to LDAP
-    service named start
-
-    # sync DNS from LDAP for the first time... (this has to run as uid ,,bind''!)
-    su -s /bin/sh -c "PATH=/usr/sbin:/sbin:/usr/bin:/bin /usr/sbin/ldap2bind" - bind
-
-    cat > /etc/samba/smb-debian-edu-ldapbootstrap.conf <<EOF
-#
-# Samba configuration Skolelinux LDAP bootstrap, this file is temporary
-#
-
-#======================= Global Settings =======================
-
-[global]
-
-   server role = classic primary domain controller
-   acl allow execute always = true
-   netbios name = TJENER 
-   security = USER
-   workgroup = SKOLELINUX
-   encrypt passwords = true
-   passdb backend = ldapsam:"ldapi:///"
-   ldapsam:trusted = yes
-   ldap suffix = ou=samba,dc=skole,dc=skolelinux,dc=no
-   ldap admin dn = "cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no"
-   ldap ssl = no
-   local master = yes
-   domain logons = yes
-   domain master = yes
-   preferred master = yes
-   lanman auth = yes
-   ntlm auth = yes
-   os level = 127 
-   name resolve order = bcast host lmhosts wins
-   wins support = yes
-   dns proxy = yes
-EOF
-
-    # Store root's password temporarily in secrets.tdb (for
-    # cn=admin,ou=ldap-access,BASEDN)
-    smbpasswd -c /etc/samba/smb-debian-edu-ldapbootstrap.conf -w "$ROOTPWDCLEAR"
-
-    # This will initialize the sambaDomainName=<DOMAIN> object in LDAP
-    # and generate a sambaSID for <DOMAIN>.
-    net -s /etc/samba/smb-debian-edu-ldapbootstrap.conf getlocalsid &> /dev/null
-
-    echo "info: Fetching SMB domain SID."
-    SAMBASID=`net -s /etc/samba/smb-debian-edu-ldapbootstrap.conf getdomainsid | awk '/SKOLELINUX/ { print $6 }'`
-
-    # start from scratch with secrets.tdb
-    rm -f /var/lib/samba/private/secrets.tdb
-
-
-    # remove the bootstrap smb.conf again; this file was really temporary.
-    rm -f /etc/samba/smb-debian-edu-ldapbootstrap.conf
-
-    # now set up our auto-generated Samba password (created further
-    # above) that shall be used in smb.conf and with ldapscripts
-    # (i.e. for cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no)
-    smbpasswd -c /etc/samba/smb.conf -w "$SAMBAPWD"
-
-    # cp ldapscripts related template files to /etc/ldapscripts.
-    cp /usr/share/debian-edu-config/debian-edu.ldapscripts.passwd \
-       /usr/share/debian-edu-config/debian-edu.addmachine.template  /etc/ldapscripts
-
-    # then put $SAMBAPWD also into /etc/ldapscripts/debian-edu.ldapscripts.passwd
-    chmod 0600 /etc/ldapscripts/debian-edu.ldapscripts.passwd
-    sed -i "s:\$SAMBAPWD:$SAMBAPWD:" /etc/ldapscripts/debian-edu.ldapscripts.passwd
-
-    if [ -z "$SAMBASID" ] ; then
-      echo "error: unable to fetch Samba SID. Bootstrapping failed, exiting."
-      exit 1
-    fi
-    # the next line is unknowingly dirty, but it fixes a ,,Can't fetch
-    # domain SID for name: TJENER'' error if running ,,net
-    # getlocalsid'' after the bootstrap.
-    net getlocalsid -s /dev/null &> /dev/null
-
-    # and now stop slapd again and restore start-stop-daemon script
-    remember_RESTARTSLAPD=$RESTARTSLAPD
-    slapd_stop
-    RESTARTSLAPD=$remember_RESTART_SLAPD
-    dns_stop
-    smbd_stop
-
-    if [ -x /sbin/start-stop-daemon.REAL ] ; then
-        mv /sbin/start-stop-daemon.FAKE /sbin/start-stop-daemon
-    fi
-
-  fi
-
-  # Generate NT/LM hashes for Samba's Administrator account
-  SAMBA_ADMPWD_HASHES=$(perl -MCrypt::SmbHash -e "print join(q[:],ntlmgen \$ARGV[0]), $/;" "$ROOTPWDCLEAR")
-  SAMBA_ADMPWD_LMHASH=$(echo $SAMBA_ADMPWD_HASHES | cut -d ":" -f1)
-  SAMBA_ADMPWD_NTHASH=$(echo $SAMBA_ADMPWD_HASHES | cut -d ":" -f2)
-
-  # perform the rest of the LDAP bootstrap
-  for ldif in \
-    /etc/ldap/samba.ldif
-
-  do
-      if cat $ldif | sed -e "s:\$ROOTPWDHASH:$ROOTPWDHASH:" \
-	-e "s:\$SAMBASID:$SAMBASID:" \
-	-e "s:\$SAMBAPWD:$SAMBAPWD:" \
-	-e "s:\$SAMBAPWDHASH:$SAMBAPWDHASH:" \
-	-e "s:\$SAMBA_ADMPWD_LMHASH:$SAMBA_ADMPWD_LMHASH:" \
-	-e "s:\$SAMBA_ADMPWD_NTHASH:$SAMBA_ADMPWD_NTHASH:" \
-	-e "s:\$FIRSTUSERNAME:$FIRSTUSERNAME:" \
-	  | /usr/sbin/slapadd ; then
-	  echo "info: added '$ldif' to ldap database."
-      else
-	  echo "error: Unable to load '$ldif'"
-	  exit 1
-      fi
-  done
   # again: the database must be owned by openldap
   if getent passwd openldap | grep  -q openldap ; then
      chown -R openldap:openldap /var/lib/ldap
   fi
-
 }
 
 # Create ldap-tree on the initial install
@@ -500,13 +357,6 @@ if slapcat 2> /dev/null | grep -q "dn: cn=all-hosts" ; then
 else
   init_ldap
 
-# Instead of registering unix groups in samba like this
-#   net groupmap add unixgroup=teachers \
-#        type=domain ntgroup="teachers" \
-#        comment="All teachers in the institution"
-# we add the sambaSID attribute to LDAP objects when they are created,
-# with static RID part.
-
   ## initialize Kerberos KDC, use gosa-admin account to access ldap:
   if [ -x /usr/share/debian-edu-config/tools/kerberos-kdc-init ] ; then
       if /usr/share/debian-edu-config/tools/kerberos-kdc-init "$GOSAPWD" ; then


