Write state dir to smb.conf

smb.conf now sets state and cache directory, then includes the registry.
This also allows us to write the final smb.conf before importing
remaining settings into the Samba registry.

Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Christian Heimes
2020-07-09 10:56:51 +02:00
parent 02986ff42b
commit 64b20aad28
4 changed files with 66 additions and 53 deletions


@@ -58,6 +58,7 @@ dist_app_DATA = \
krb.con.template \
krbrealm.con.template \
smb.conf.template \
smb.conf.registry.template \
smb.conf.empty \
referint-conf.ldif \
dna.ldif \


@@ -0,0 +1,35 @@
[global]
workgroup = $NETBIOS_NAME
netbios name = $HOST_NETBIOS_NAME
realm = $REALM
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://$LDAPI_SOCKET
disable spoolss = yes
ldapsam:trusted=yes
ldap ssl = off
ldap suffix = $SUFFIX
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
idmap config * : backend = tdb
idmap config * : range = 0 - 0
idmap config $NETBIOS_NAME : backend = sss
idmap config $NETBIOS_NAME : range = $IPA_LOCAL_RANGE
max smbd processes = 1000
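Review bot: `ldap ssl = off` and `ldapsam:trusted=yes` are carried into the new registry template with no note on why they are acceptable. On this page they sit alongside `passdb backend = ipasam:ldapi://$LDAPI_SOCKET`, so the directory traffic goes over a local socket rather than the network, but nothing ties the settings together for a later editor who changes the backend URI. If the registry import accepts comment lines (to be confirmed), I would add `# ldap ssl = off is only acceptable because passdb backend uses ldapi:// (local socket)` above that line. Otherwise the same sentence belongs in the docstring of `__write_smb_registry`.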


@@ -1,35 +1,7 @@
### Added by IPA Installer ###
# DO NOT EDIT #
[global]
workgroup = $NETBIOS_NAME
netbios name = $HOST_NETBIOS_NAME
realm = $REALM
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://$LDAPI_SOCKET
disable spoolss = yes
ldapsam:trusted=yes
ldap ssl = off
ldap suffix = $SUFFIX
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
idmap config * : backend = tdb
idmap config * : range = 0 - 0
idmap config $NETBIOS_NAME : backend = sss
idmap config $NETBIOS_NAME : range = $IPA_LOCAL_RANGE
max smbd processes = 1000
debug pid = yes
state directory = $SAMBA_DIR
cache directory = $SAMBA_DIR
include = registry
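Review bot: The template gives no reason why `state directory` and `cache directory` stay in the text file while every other setting moved to the registry, and the order of the last three lines looks significant. Presumably Samba has to know these directories before it can open the registry that `include = registry` pulls in; that should be confirmed and then written down, e.g. `# must stay in smb.conf and precede the include: locates the registry database`. Without such a comment the `# DO NOT EDIT #` banner is the only thing stopping a later cleanup from moving the lines into the registry template.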


@@ -458,12 +458,12 @@ class ADTRUSTInstance(service.Service):
api.Backend.ldap2.add_entry(entry)
def __write_smb_conf(self):
conf_fd = open(self.smb_conf, "w")
conf_fd.write('### Added by IPA Installer ###\n')
conf_fd.write('[global]\n')
conf_fd.write('debug pid = yes\n')
conf_fd.write('config backend = registry\n')
conf_fd.close()
template = os.path.join(
paths.USR_SHARE_IPA_DIR, "smb.conf.template"
)
conf = ipautil.template_file(template, self.sub_dict)
with open(self.smb_conf, "w") as f:
f.write(conf)
def __add_plugin_conf(self, name, plugin_cn, ldif_file):
"""
@@ -536,12 +536,14 @@ class ADTRUSTInstance(service.Service):
self.print_msg(UPGRADE_ERROR % dict(dn=targets_dn))
def __write_smb_registry(self):
# Workaround for: https://fedorahosted.org/freeipa/ticket/5687
# We make sure that paths.SMB_CONF file exists, hence touch it
with open(paths.SMB_CONF, 'a'):
os.utime(paths.SMB_CONF, None)
"""Import IPA specific config into Samba registry
template = os.path.join(paths.USR_SHARE_IPA_DIR, "smb.conf.template")
Configuration is imported after __write_smb_conf() has modified
smb.conf to include registry.
"""
template = os.path.join(
paths.USR_SHARE_IPA_DIR, "smb.conf.registry.template"
)
conf = ipautil.template_file(template, self.sub_dict)
with tempfile.NamedTemporaryFile(mode='w') as tmp_conf:
tmp_conf.write(conf)
@@ -739,13 +741,16 @@ class ADTRUSTInstance(service.Service):
logger.info("EXTID Service startup entry already exists.")
def __setup_sub_dict(self):
self.sub_dict = dict(REALM = self.realm,
SUFFIX = self.suffix,
NETBIOS_NAME = self.netbios_name,
HOST_NETBIOS_NAME = self.host_netbios_name,
SMB_DN = self.smb_dn,
LDAPI_SOCKET = self.ldapi_socket,
FQDN = self.fqdn)
self.sub_dict = dict(
REALM=self.realm,
SUFFIX=self.suffix,
NETBIOS_NAME=self.netbios_name,
HOST_NETBIOS_NAME=self.host_netbios_name,
SMB_DN=self.smb_dn,
LDAPI_SOCKET=self.ldapi_socket,
FQDN=self.fqdn,
SAMBA_DIR=paths.SAMBA_DIR,
)
def setup(self, fqdn, realm_name, netbios_name,
reset_netbios_name, rid_base, secondary_rid_base,
@@ -820,8 +825,8 @@ class ADTRUSTInstance(service.Service):
self.step("creating samba domain object", \
self.__create_samba_domain_object)
self.step("retrieve local idmap range", self.__retrieve_local_range)
self.step("creating samba config registry", self.__write_smb_registry)
self.step("writing samba config file", self.__write_smb_conf)
self.step("creating samba config registry", self.__write_smb_registry)
self.step("adding cifs Kerberos principal",
self.request_service_keytab)
self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
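Review bot: `__write_smb_registry` drops the touch of `paths.SMB_CONF` and now relies on `__write_smb_conf` having already written the file, but that precondition is enforced only by the step order swapped in the last hunk and mentioned only in the new docstring. If the method is reached by any other path (none is visible here), the import would run against a missing or stale smb.conf and so without the `state directory` setting this commit introduces. A cheap guard at the top would make the dependency explicit: `if not os.path.isfile(self.smb_conf): raise RuntimeError("smb.conf must be written before the registry import")`. Separately, `__write_smb_conf` opens `self.smb_conf` with `"w"`, which truncates the live file before the new content is written; writing to a temporary file in the same directory and calling `os.replace()` would avoid leaving a half-written config if the installer is interrupted. The body of `__write_smb_registry` continues past the end of its hunk, so the import call itself is not visible on this page.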