[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] Adjust ldap-tools/ldap-debian-edu-install
Wolfgang Schweer
gitlab at salsa.debian.org
Wed Sep 30 22:08:27 BST 2020
Wolfgang Schweer pushed to branch master at Debian Edu / debian-edu-config
Commits:
ae911357 by Wolfgang Schweer at 2020-09-30T23:03:31+02:00
Adjust ldap-tools/ldap-debian-edu-install
Drop Samba-related code (deprecated NT4-style domain) to fix LDAP setup. Anyone
knowing a better way to fix the broken main server installation should go ahead.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
2 changed files:
- debian/changelog
- ldap-tools/ldap-debian-edu-install
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+debian-edu-config (2.11.31) UNRELEASED; urgency=medium
+
+ * ldap-tools/ldap-debian-edu-install:
+ - Drop Samba related code (deprecated NT4-style domain) to fix LDAP setup.
+
+ -- Wolfgang Schweer <wschweer at arcor.de> Wed, 30 Sep 2020 22:39:19 +0200
+
debian-edu-config (2.11.30) unstable; urgency=medium
[ Wolfgang Schweer ]
=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -194,15 +194,6 @@ dns_stop() {
fi
}
-smbd_stop() {
- # make sure to stop smbd service, to avoid: 'ldap admin dn' is missing.
- PID=`pidof smbd || /bin/true`
- if [ -n "$PID" ]; then
- echo "info: stopping smbd with pid $PID"
- service smdb stop
- fi
-}
-
# Init tree
init_ldap () {
@@ -296,14 +287,6 @@ cn=kadmin-service,$KRB_CONT_DN#{HEX}$KDCPWDHEX
EOF
## bootstrap ldap with passwords inserted:
-
- # generate Samba passwd already here
- SAMBAPWD=$(slappasswd -g -h {CLEARTEXT})
- # then generate hashed Samba password, this will be needed for bootstrapping
- # cn=smbadmin in root.ldif
- SAMBAPWDHASH=$(slappasswd -u -s "$SAMBAPWD")
-
- # first portion of bootstrap (everything except samba.ldif)
for ldif in \
/etc/ldap/root.ldif \
/etc/ldap/ipnetworks.ldif \
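Review bot: With the `-e "s:\$SAMBAPWDHASH:$SAMBAPWDHASH:"` and `-e "s:\$SAMBAPWD:$SAMBAPWD:"` substitutions removed in the hunk at `@@ -326,8 +308,6 @@`, the remaining loop still pipes /etc/ldap/root.ldif through sed and into slapadd, yet root.ldif is not one of the two files this commit touches. The removed comment says cn=smbadmin in root.ldif is bootstrapped from $SAMBAPWDHASH; if that entry is still present, slapadd will now either reject it or, for a plain userPassword value, store the unexpanded placeholder text itself as the credential, leaving an account with a fixed, predictable password. The same commit should drop the cn=smbadmin entry (and any other $SAMBA* placeholders) from root.ldif, or the loop should refuse an ldif that still carries one, e.g. `if grep -q '\$SAMBA' "$ldif"; then echo "error: unexpanded Samba placeholder in '$ldif'" >&2; exit 1; fi` before the slapadd. The for loop and the enclosing init_ldap continue past the end of this hunk.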
@@ -315,7 +298,6 @@ EOF
/etc/ldap/ltsp.ldif \
/etc/ldap/firstuser.ldif \
/etc/ldap/krb5.ldif
-
do
if cat $ldif | sed -e "s:\$ROOTPWDHASH:$ROOTPWDHASH:" \
-e "s/\$MAC/$MAC/" \
@@ -326,8 +308,6 @@ EOF
-e "s:\$TEACHERSDN64:$TEACHERSDN64:" \
-e "s:\$KDCPWDHASH:$KDCPWDHASH:" \
-e "s:\$ROOTPWDSSHAHASH:$ROOTPWDSSHAHASH:" \
- -e "s:\$SAMBAPWDHASH:$SAMBAPWDHASH:" \
- -e "s:\$SAMBAPWD:$SAMBAPWD:" \
-e "s:\$FIRSTUSERNAME:$FIRSTUSERNAME:" \
-e "s:\$FIRSTUSERGECOS:$FIRSTUSERGECOS:" \
-e "s:\$FIRSTUSERLASTNAME:$FIRSTUSERLASTNAME:" \
@@ -361,133 +341,10 @@ EOF
service slapd start
slapd_started=true
fi
-
- PID=`pidof slapd || /bin/true`
- if [ -z "$PID" ]; then
- echo "error: the LDAP server is not running. Skipping Samba setup." 1>&2
- exit 1
- else
-
- # Samba will also need DNS to bind to LDAP
- service named start
-
- # sync DNS from LDAP for the first time... (this has to run as uid ,,bind''!)
- su -s /bin/sh -c "PATH=/usr/sbin:/sbin:/usr/bin:/bin /usr/sbin/ldap2bind" - bind
-
- cat > /etc/samba/smb-debian-edu-ldapbootstrap.conf <<EOF
-#
-# Samba configuration Skolelinux LDAP bootstrap, this file is temporary
-#
-
-#======================= Global Settings =======================
-
-[global]
-
- server role = classic primary domain controller
- acl allow execute always = true
- netbios name = TJENER
- security = USER
- workgroup = SKOLELINUX
- encrypt passwords = true
- passdb backend = ldapsam:"ldapi:///"
- ldapsam:trusted = yes
- ldap suffix = ou=samba,dc=skole,dc=skolelinux,dc=no
- ldap admin dn = "cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no"
- ldap ssl = no
- local master = yes
- domain logons = yes
- domain master = yes
- preferred master = yes
- lanman auth = yes
- ntlm auth = yes
- os level = 127
- name resolve order = bcast host lmhosts wins
- wins support = yes
- dns proxy = yes
-EOF
-
- # Store root's password temporarily in secrets.tdb (for
- # cn=admin,ou=ldap-access,BASEDN)
- smbpasswd -c /etc/samba/smb-debian-edu-ldapbootstrap.conf -w "$ROOTPWDCLEAR"
-
- # This will initialize the sambaDomainName=<DOMAIN> object in LDAP
- # and generate a sambaSID for <DOMAIN>.
- net -s /etc/samba/smb-debian-edu-ldapbootstrap.conf getlocalsid &> /dev/null
-
- echo "info: Fetching SMB domain SID."
- SAMBASID=`net -s /etc/samba/smb-debian-edu-ldapbootstrap.conf getdomainsid | awk '/SKOLELINUX/ { print $6 }'`
-
- # start from scratch with secrets.tdb
- rm -f /var/lib/samba/private/secrets.tdb
-
-
- # remove the bootstrap smb.conf again; this file was really temporary.
- rm -f /etc/samba/smb-debian-edu-ldapbootstrap.conf
-
- # now set up our auto-generated Samba password (created further
- # above) that shall be used in smb.conf and with ldapscripts
- # (i.e. for cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no)
- smbpasswd -c /etc/samba/smb.conf -w "$SAMBAPWD"
-
- # cp ldapscripts related template files to /etc/ldapscripts.
- cp /usr/share/debian-edu-config/debian-edu.ldapscripts.passwd \
- /usr/share/debian-edu-config/debian-edu.addmachine.template /etc/ldapscripts
-
- # then put $SAMBAPWD also into /etc/ldapscripts/debian-edu.ldapscripts.passwd
- chmod 0600 /etc/ldapscripts/debian-edu.ldapscripts.passwd
- sed -i "s:\$SAMBAPWD:$SAMBAPWD:" /etc/ldapscripts/debian-edu.ldapscripts.passwd
-
- if [ -z "$SAMBASID" ] ; then
- echo "error: unable to fetch Samba SID. Bootstrapping failed, exiting."
- exit 1
- fi
- # the next line is unknowingly dirty, but it fixes a ,,Can't fetch
- # domain SID for name: TJENER'' error if running ,,net
- # getlocalsid'' after the bootstrap.
- net getlocalsid -s /dev/null &> /dev/null
-
- # and now stop slapd again and restore start-stop-daemon script
- remember_RESTARTSLAPD=$RESTARTSLAPD
- slapd_stop
- RESTARTSLAPD=$remember_RESTART_SLAPD
- dns_stop
- smbd_stop
-
- if [ -x /sbin/start-stop-daemon.REAL ] ; then
- mv /sbin/start-stop-daemon.FAKE /sbin/start-stop-daemon
- fi
-
- fi
-
- # Generate NT/LM hashes for Samba's Administrator account
- SAMBA_ADMPWD_HASHES=$(perl -MCrypt::SmbHash -e "print join(q[:],ntlmgen \$ARGV[0]), $/;" "$ROOTPWDCLEAR")
- SAMBA_ADMPWD_LMHASH=$(echo $SAMBA_ADMPWD_HASHES | cut -d ":" -f1)
- SAMBA_ADMPWD_NTHASH=$(echo $SAMBA_ADMPWD_HASHES | cut -d ":" -f2)
-
- # perform the rest of the LDAP bootstrap
- for ldif in \
- /etc/ldap/samba.ldif
-
- do
- if cat $ldif | sed -e "s:\$ROOTPWDHASH:$ROOTPWDHASH:" \
- -e "s:\$SAMBASID:$SAMBASID:" \
- -e "s:\$SAMBAPWD:$SAMBAPWD:" \
- -e "s:\$SAMBAPWDHASH:$SAMBAPWDHASH:" \
- -e "s:\$SAMBA_ADMPWD_LMHASH:$SAMBA_ADMPWD_LMHASH:" \
- -e "s:\$SAMBA_ADMPWD_NTHASH:$SAMBA_ADMPWD_NTHASH:" \
- -e "s:\$FIRSTUSERNAME:$FIRSTUSERNAME:" \
- | /usr/sbin/slapadd ; then
- echo "info: added '$ldif' to ldap database."
- else
- echo "error: Unable to load '$ldif'"
- exit 1
- fi
- done
# again: the database must be owned by openldap
if getent passwd openldap | grep -q openldap ; then
chown -R openldap:openldap /var/lib/ldap
fi
-
}
# Create ldap-tree on the initial install
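Review bot: The removed block also performed the teardown for this phase — `slapd_stop` with the RESTARTSLAPD save/restore, `dns_stop`, and the `mv /sbin/start-stop-daemon.FAKE /sbin/start-stop-daemon` restore — and the new side keeps none of it: slapd is started a few lines above (`slapd_started=true`) and nothing left in init_ldap stops it, and if an earlier step outside this hunk installs the FAKE start-stop-daemon it now stays in place after the bootstrap. Whether that is intended cannot be seen from the hunk, so the intent should be recorded where the block was removed, e.g. `# slapd is deliberately left running after the bootstrap; the start-stop-daemon swap (if any) is undone by the caller`, or the slapd_stop / start-stop-daemon restore kept without the Samba parts. The `chown -R openldap:openldap /var/lib/ldap` that follows now also runs while slapd may be up rather than after slapd_stop as before. init_ldap begins outside this hunk.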
@@ -500,13 +357,6 @@ if slapcat 2> /dev/null | grep -q "dn: cn=all-hosts" ; then
else
init_ldap
-# Instead of registering unix groups in samba like this
-# net groupmap add unixgroup=teachers \
-# type=domain ntgroup="teachers" \
-# comment="All teachers in the institution"
-# we add the sambaSID attribute to LDAP objects when they are created,
-# with static RID part.
-
## initialize Kerberos KDC, use gosa-admin account to access ldap:
if [ -x /usr/share/debian-edu-config/tools/kerberos-kdc-init ] ; then
if /usr/share/debian-edu-config/tools/kerberos-kdc-init "$GOSAPWD" ; then