[Pkg-samba-maint] [Git][samba-team/samba][master] 3 commits: Mask services as appropriate in samba and winbind postinst (Closes: #863285)
Mathieu Parent
gitlab at salsa.debian.org
Sat Apr 7 09:58:20 UTC 2018
Mathieu Parent pushed to branch master at Debian Samba Team / samba
Commits:
e0dde224 by Mathieu Parent at 2018-04-06T23:22:28+02:00
Mask services as appropriate in samba and winbind postinst (Closes: #863285)
- mask samba-ad-dc unless server role = active directory domain controller (as before)
- mask smbd and nmbd when server role = active directory domain controller
- mask nmbd when disable netbios = yes (Closes: #866125)
- - - - -
3d6e47f3 by Mathieu Parent at 2018-04-07T11:56:09+02:00
Set smbspool_krb5_wrapper permissions to 0700 (Closes: #894720, #372270)
- - - - -
49b1cb0b by Mathieu Parent at 2018-04-07T11:57:34+02:00
Changelog for previous commits
- - - - -
4 changed files:
- debian/changelog
- debian/rules
- debian/samba.postinst
- debian/winbind.postinst
Changes:
=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+samba (2:4.8.0+dfsg-2) UNRELEASED; urgency=medium
+
+ * Remove unused and outdated debian/README.debian (debian/README.Debian is
+ used instead)
+ * Mask services as appropriate in samba and winbind postinst (Closes: #863285)
+ - mask samba-ad-dc unless server role = active directory domain controller
+ (as before)
+ - mask smbd and nmbd when server role = active directory domain controller
+ - mask nmbd when disable netbios = yes (Closes: #866125)
+ * Set smbspool_krb5_wrapper permissions to 0700 (Closes: #894720, #372270)
+
+ -- Mathieu Parent <sathieu at debian.org> Sat, 07 Apr 2018 11:56:32 +0200
+
samba (2:4.8.0+dfsg-1) experimental; urgency=medium
[ Mathieu Parent ]
=====================================
debian/rules
=====================================
--- a/debian/rules
+++ b/debian/rules
@@ -218,6 +218,9 @@ endif
ifneq (,$(filter samba, $(shell dh_listpackages)))
chmod 1777 debian/samba/var/spool/samba/
endif
+ifneq (,$(filter smbclient, $(shell dh_listpackages)))
+ chmod 0700 debian/smbclient/usr/lib/*/samba/smbspool_krb5_wrapper
+endif
override_dh_missing:
dh_missing --fail-missing
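Review bot: The `chmod 0700` added for smbspool_krb5_wrapper carries no comment, and the mode reads like a restriction when its effect is, as far as I know, the opposite: CUPS runs a backend that has no world permissions as root and any other backend as an unprivileged user. Assuming the wrapper is installed as a CUPS backend, I would put `# 0700 on purpose: CUPS runs backends without world permissions as root, which the wrapper needs to reach the user's Kerberos ccache` above the chmod, so that nobody later relaxes it to 0755 and silently changes which user it runs as. The recipe these lines belong to starts above the hunk, so I cannot see which override target they extend.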
=====================================
debian/samba.postinst
=====================================
--- a/debian/samba.postinst
+++ b/debian/samba.postinst
@@ -1,11 +1,39 @@
#!/bin/sh
-#
-# Post-installation script for the Samba package for Debian GNU/Linux
-#
-#
set -e
+mask_services() {
+ local reason="$1"
+ shift
+ local masked_count=0
+ mkdir -p /etc/systemd/system
+ echo "${reason}: Masking $*"
+ echo "Please ignore the following error about deb-systemd-helper not finding those services."
+ while true; do
+ local service_name="$1"
+ if [ -z "$service_name" ]; then
+ break
+ fi
+ shift
+ if [ ! -e "/etc/systemd/system/${service_name}" ]; then
+ ln -s /dev/null "/etc/systemd/system/${service_name}"
+ echo "(${service_name} masked)"
+ masked_count=$((masked_count+1))
+ elif [ -h "/etc/systemd/system/${service_name}" ] \
+ && [ "$(realpath /etc/systemd/system/${service_name})" = /dev/null ] \
+ ; then
+ echo "(${service_name} already masked)"
+ else
+ echo "WARNING ${service_name} should be masked. The install may fail."
+ fi
+ done
+ # In case this system is running systemd, we make systemd reload the unit files
+ # to pick up changes.
+ if [ "${masked_count}" -ge 1 -a -d /run/systemd/system ] ; then
+ systemctl --system daemon-reload >/dev/null || true
+ fi
+}
+
# We generate several files during the postinst, and we don't want
# them to be readable only by root.
umask 022
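Review bot: A dangling symlink at `/etc/systemd/system/${service_name}` aborts the postinst inside mask_services: `[ ! -e … ]` follows the link and reports the name as absent, `ln -s` then fails because the name exists, and `set -e` ends the script. Testing for the link as well sends that case to the WARNING branch instead: `if [ ! -e "/etc/systemd/system/${service_name}" ] && [ ! -h "/etc/systemd/system/${service_name}" ]; then`. The path inside `$(realpath …)` is the only unquoted use of `${service_name}` and should be quoted like the others. The function is copied verbatim into debian/winbind.postinst, so both copies need the same change.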
@@ -36,31 +64,28 @@ then
fi
# mimic source4/smbd/server.c and mask service before it fails
+# NB: server role = active directory domain controller is what we need to properly support
+# NB: server services = smb is not compiled in
+# NB: dcerpc endpoint servers = remote is for developpement
+# NB: dcerpc endpoint servers = mapiproxy is for OpenChange which is dead
SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
SERVER_SERVICES=`samba-tool testparm --parameter-name="server services" 2>/dev/null | tail -1`
DCERPC_ENDPOINT_SERVERS=`samba-tool testparm --parameter-name="dcerpc endpoint servers" 2>/dev/null | tail -1`
+DISABLE_NETBIOS=`samba-tool testparm --parameter-name="disable netbios" 2>/dev/null | tail -1`
+
if [ "$SERVER_ROLE" != "active directory domain controller" ] \
&& ( echo "$SERVER_SERVICES" | grep -qv '\(^\|, \)smb\(,\|$\)' ) \
&& ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)remote\(,\|$\)' ) \
&& ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)mapiproxy\(,\|$\)' ) \
; then
- if [ ! -e /etc/systemd/system/samba-ad-dc.service ]; then
- mkdir -p /etc/systemd/system
- echo "Samba is not being run as an AD Domain Controller, masking samba-ad-dc.service."
- echo "Please ignore the following error about deb-systemd-helper not finding samba-ad-dc.service."
- ln -s /dev/null /etc/systemd/system/samba-ad-dc.service
- # In case this system is running systemd, we make systemd reload the unit files
- # to pick up changes.
- if [ -d /run/systemd/system ] ; then
- systemctl --system daemon-reload >/dev/null || true
- fi
- elif [ -h /etc/systemd/system/samba-ad-dc.service ] \
- && [ "`realpath /etc/systemd/system/samba-ad-dc.service`" = /dev/null ] \
- ; then
- echo "Samba is not being run as an AD Domain Controller."
- echo "Please ignore the following error about deb-systemd-helper not finding samba-ad-dc.service."
- fi
+ mask_services "Samba is not being run as an AD Domain Controller" samba-ad-dc.service
fi
+if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
+ mask_services "Samba is being run as an AD Domain Controller" smbd.service nmbd.service
+elif [ "$DISABLE_NETBIOS" = Yes ]; then
+ mask_services "NetBIOS is disabled" nmbd.service
+fi
+
#DEBHELPER#
exit 0
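Review bot: An empty `SERVER_ROLE` is treated as a valid answer by the role tests that follow the `samba-tool testparm` calls: stderr is discarded and the pipeline's status is that of `tail`, so a failing samba-tool goes unnoticed even under `set -e`. With an empty value the `!=` test and the three `grep -qv` tests all pass, so samba-ad-dc.service is masked, while the new `=` test leaves smbd and nmbd alone; on a real domain controller that is the reverse of what the commit intends. I would open with a guard such as `if [ -z "$SERVER_ROLE" ]; then echo "WARNING: cannot determine server role, not masking any service" >&2` and move the two masking blocks into its `else` branch. The `SERVER_ROLE` test added in debian/winbind.postinst has the same gap and skips the mask silently.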
=====================================
debian/winbind.postinst
=====================================
--- a/debian/winbind.postinst
+++ b/debian/winbind.postinst
@@ -1,7 +1,39 @@
-#! /bin/sh
+#!/bin/sh
set -e
+mask_services() {
+ local reason="$1"
+ shift
+ local masked_count=0
+ mkdir -p /etc/systemd/system
+ echo "${reason}: Masking $*"
+ echo "Please ignore the following error about deb-systemd-helper not finding those services."
+ while true; do
+ local service_name="$1"
+ if [ -z "$service_name" ]; then
+ break
+ fi
+ shift
+ if [ ! -e "/etc/systemd/system/${service_name}" ]; then
+ ln -s /dev/null "/etc/systemd/system/${service_name}"
+ echo "(${service_name} masked)"
+ masked_count=$((masked_count+1))
+ elif [ -h "/etc/systemd/system/${service_name}" ] \
+ && [ "$(realpath /etc/systemd/system/${service_name})" = /dev/null ] \
+ ; then
+ echo "(${service_name} already masked)"
+ else
+ echo "WARNING ${service_name} should be masked. The install may fail."
+ fi
+ done
+ # In case this system is running systemd, we make systemd reload the unit files
+ # to pick up changes.
+ if [ "${masked_count}" -ge 1 -a -d /run/systemd/system ] ; then
+ systemctl --system daemon-reload >/dev/null || true
+ fi
+}
+
getent group winbindd_priv >/dev/null 2>&1 ||
addgroup --system --force-badname --quiet winbindd_priv
@@ -10,4 +42,9 @@ mkdir -pv "$winbindd_privileged_socket_directory"
chgrp -c winbindd_priv "$winbindd_privileged_socket_directory"
chmod -c 0750 "$winbindd_privileged_socket_directory"
+SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
+if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
+ mask_services "Samba is being run as an AD Domain Controller" winbind.service
+fi
+
#DEBHELPER#
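Review bot: The mask on winbind.service is only ever added: nothing in the visible hunks removes the /dev/null symlink when `server role` later changes away from domain controller, so the service stays disabled until the administrator finds the link. The script also cannot tell a mask it created from one the administrator placed, so removing it automatically would not be safe either. I would document this above the call, e.g. `# The mask is never removed automatically; after changing "server role", run "systemctl unmask winbind.service"`. The units masked through the mask_services calls in debian/samba.postinst behave the same way.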
View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/a79247e46a07765b33c71a51d501a42e6b8e43ce...49b1cb0be48e140cbe4a22965d287d1c8bdc3190