Added krbinstance to configure the kerberos server

Added/Modified ldif files to add the needed schemas and basic DIT, SASL configuration and ACLs Added tenmpate files foir kerberos configuration Added required packages section to README Minor mods to dsinstance Untested!
2025-02-25 18:55:28 -06:00 · 2007-06-28 19:09:54 -04:00 · 2007-06-28 19:09:54 -04:00 · 820479471e
commit 820479471e
parent cdbaccb928
13 changed files with 427 additions and 17 deletions
--- a/ipa-install/README
+++ b/ipa-install/README
@ -0,0 +1,5 @@
+
+Required packages:
+krb5-server
+fedora-ds-base
+openldap-clients
--- a/ipa-install/share/60samba.ldif
+++ b/ipa-install/share/60samba.ldif
@ -0,0 +1,152 @@
+## schema file for Fedora DS
+##
+## Schema for storing Samba user accounts and group maps in LDAP
+## OIDs are owned by the Samba Team
+##
+## Prerequisite schemas - uid         (cosine.schema)
+##                      - displayName (inetorgperson.schema)
+##                      - gidNumber   (nis.schema)
+##
+## 1.3.6.1.4.1.7165.2.1.x - attributeTypess
+## 1.3.6.1.4.1.7165.2.2.x - objectClasseses
+##
+## Printer support
+## 1.3.6.1.4.1.7165.2.3.1.x - attributeTypess
+## 1.3.6.1.4.1.7165.2.3.2.x - objectClasseses
+##
+## Samba4
+## 1.3.6.1.4.1.7165.4.1.x - attributeTypess
+## 1.3.6.1.4.1.7165.4.2.x - objectClasseses
+## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
+## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
+## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
+##
+dn: cn=schema
+##
+#######################################################################
+##                Attributes used by Samba 3.0 schema                ##
+#######################################################################
+##
+## Password hashes##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
+##
+## Account flags in string format ([UWDX     ])
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
+##
+## Password timestamps & policies
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 'Timestamp of when the user is allowed to update the password' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timestamp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
+##
+## string settings
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'List of user workstations the user is allowed to logon to' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Home directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
+##
+## SID, of any type
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+##
+## Primary group SID, compatible with ntSid
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+##
+## group mapping attributes
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+##
+## Store info on the domain
+##
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC 'A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC 'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' 
+##	SUP name )
+##
+##attributeTypes: ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
+##	DESC 'Privileges List'
+##	EQUALITY caseIgnoreIA5Match
+##	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+# "min password length"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "password history"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "user must logon to change password"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "maximum password age"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "minimum password age"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "lockout duration"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' DESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "reset count minutes"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "bad lockout attempt"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "disconnect time"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+# "refuse machine password change"
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+##
+#######################################################################
+##              objectClasses: used by Samba 3.0 schema               ##
+#######################################################################
+##
+## The X.500 data model (and therefore LDAPv3) says that each entry can
+## only have one structural objectClasses.  OpenLDAP 2.0 does not enforce
+## this currently but will in v2.1
+##
+## added new objectClasses: (and OID) for 3.0 to help us deal with backwards
+## compatibility with 2.2 installations (e.g. ldapsam_compat)  --jerry
+##
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY DESC 'Samba 3.0 Auxilary SAM Account' MUST ( uid $ sambaSID ) MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours))
+##
+## Group mapping info
+##
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY  ( displayName $ description $ sambaSIDList ))
+##
+## Trust password for trust relationships (any kind)
+##
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL DESC 'Samba Trust Password' MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ))
+##
+## Whole-of-domain info
+##
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL DESC 'Samba Domain Information' MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange ))
+##
+## used for idmap_ldap module
+##
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY DESC 'Pool for allocating UNIX uids/gids' MUST ( uidNumber $ gidNumber ) ) 
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY DESC 'Mapping from a SID to an ID' MUST ( sambaSID ) MAY ( uidNumber $ gidNumber ) )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL DESC 'Structural Class for a SID' MUST ( sambaSID ) )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL DESC 'Samba Share Section' MUST ( sambaShareName ) MAY ( description ) )
+objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL DESC 'Samba Configuration Option' MUST ( sambaOptionName ) MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoption $ description ) )
+## retired during privilege rewrite
+##objectClasses: ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
+##	DESC 'Samba Privilege'
+##	MUST ( sambaSID )
+##	MAY ( sambaPrivilegeList ) )
--- a/ipa-install/share/Makefile
+++ b/ipa-install/share/Makefile
@ -3,6 +3,7 @@ SHAREDIR = $(DESTDIR)/usr/share/ipa
 install:
 	-mkdir -p $(SHAREDIR)
 	install -m 644 *.ldif $(SHAREDIR)
+	install -m 644 *.template $(SHAREDIR)

 clean:
-	rm -f *~
+	rm -f *~
--- a/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-install/share/bootstrap-template.ldif
@ -1,25 +1,33 @@
+dn: $SUFFIX
+changetype: modify
+add: objectClass
+objectClass: pilotObject
+info: IPA V1.0

 # default, $REALM
 dn: ou=default,$SUFFIX
+changetype: add
 objectClass: organizationalUnit
 objectClass: top
 ou: default

 # users, default, $REALM
-dn: cn=users,ou=default,$SUFFIX
-objectClass: nsContainer
+dn: ou=users,ou=default,$SUFFIX
+changetype: add
+objectClass: organizationalUnit
 objectClass: top
-cn: users
+ou: users

 # groups, default, $REALM
-dn: cn=groups,ou=default,$SUFFIX
-objectClass: nsContainer
+dn: ou=groups,ou=default,$SUFFIX
+changetype: add
+objectClass: organizationalUnit
 objectClass: top
-cn: groups
+ou: groups

 # computers, default, $REALM
-dn: cn=computers,ou=default,$SUFFIX
-objectClass: nsContainer
-objectClass: top
-cn: computers
+#dn: ou=computers,ou=default,$SUFFIX
+#objectClass: organizationalUnit
+#objectClass: top
+#ou: computers

--- a/ipa-install/share/default-aci.ldif
+++ b/ipa-install/share/default-aci.ldif
@ -0,0 +1,8 @@
+# $SUFFIX (base entry)
+dn: $SUFFIX
+changetype: modify
+replace: aci
+aci: (targetattr!="userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
+aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber | |secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title || userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
+aci: (targetattr="krbPrincipalKey")(version 3.0; acl "KDC System Account"; allow(read, search,compare)userdn="ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
+aci: (targetattr="*")(version 3.0; acl "Directory Administrators can manage all entries"; allow(all)groupdn="ldap:///cn=Directory Administrators,$SUFFIX";)
--- a/ipa-install/share/kdc.conf.template
+++ b/ipa-install/share/kdc.conf.template
@ -0,0 +1,14 @@
+[kdcdefaults]
+ v4_mode = nopreauth
+
+[realms]
+ $REALM = {
+  master_key_type = des3-hmac-sha1
+  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
+  max_life = 7d
+  max_renewable_life = 14d
+  acl_file = /var/kerberos/krb5kdc/kadm5.acl
+  dict_file = /usr/share/dict/words
+  default_principal_flags = +preauth
+;  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+ }
--- a/ipa-install/share/kerberos.ldif
+++ b/ipa-install/share/kerberos.ldif
@ -0,0 +1,26 @@
+#kerberos base object
+dn: cn=kerberos,$SUFFIX
+changetype: add
+objectClass: krbContainer
+objectClass: top
+cn: kerberos
+aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow(all)userdn= "ldap:///uid=kdc,cn=kerberos,$SUFFIX";)
+
+#kerberos user
+dn: uid=kdc,cn=kerberos,$SUFFIX
+changetype: add
+objectclass: account
+objectclass: simplesecurityobject
+uid: kdc
+userPassword: $PASSWORD
+
+#sasl mapping
+dn: cn=kerberos,cn=mapping,cn=sasl,cn=config
+changetype: add
+objectclass: top
+objectclass: nsSaslMapping
+cn: kerberos
+nsSaslMapRegexString: \(.*\)@\(.*\)
+nsSaslMapBaseDNTemplate: $SUFFIX
+nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
+
--- a/ipa-install/share/krb5.conf.template
+++ b/ipa-install/share/krb5.conf.template
@ -0,0 +1,35 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = $REALM
+ dns_lookup_realm = true
+ dns_lookup_kdc = true
+ ticket_lifetime = 24h
+ forwardable = yes
+
+[domain_realm]
+ .$DOMAIN = $REALM
+ $DOMAIN = $REALM
+
+[appdefaults]
+ pam = {
+   debug = false
+   ticket_lifetime = 36000
+   renew_lifetime = 36000
+   forwardable = true
+   krb4_convert = false
+ }
+
+[dbmodules]
+  $REALM = {
+    db_library = kldap
+    ldap_servers = ldap://127.0.0.1/
+    ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
+    ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX
+;    ldap_kadmind_dn = cn=Directory Manager
+    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
+  }
+
--- a/ipa-install/src/ipa-server-install
+++ b/ipa-install/src/ipa-server-install
@ -29,6 +29,7 @@ VERSION = "%prog .1"
 import logging
 from optparse import OptionParser
 import ipa.dsinstance
+import ipa.krbinstance

 def parse_options():
    parser = OptionParser(version=VERSION)
@ -38,6 +39,8 @@ def parse_options():
                      help="host address (name or IP address)")
    parser.add_option("-p", "--password", dest="password",
                      help="admin password")
+    parser.add_option("-m", "--master-password", dest="master_password",
+                      help="kerberos master password")

    options, args = parser.parse_args()

@ -55,6 +58,11 @@ def main():
    ds = ipa.dsinstance.DsInstance()
    ds.create_instance(options.realm_name, options.host_name, options.password)

+    krb = ipa.krbinstance.KrbInstance()
+    krb.create_instance(options.realm_name, options.host_name, options.password, options.master_password)
+    #restart ds after the krb instance have add the sasl map
+    ds.restart()
+
    return 0

 main()
--- a/ipa-install/src/ipa/init.py
+++ b/ipa-install/src/ipa/init.py
@ -0,0 +1 @@
+__all__ = ["dsinstance", "krbinstance"]
--- a/ipa-install/src/ipa/dsinstance.py
+++ b/ipa-install/src/ipa/dsinstance.py
@ -6,7 +6,7 @@
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; version 2 only
+# published by the Free Software Foundation; version 2 or later
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
@ -136,6 +136,8 @@ class DsInstance:
    def __add_default_schemas(self):
        shutil.copyfile(SHARE_DIR + "60kerberos.ldif",
                        self.schema_dirname() + "60kerberos.ldif")
+        shutil.copyfile(SHARE_DIR + "60samba.ldif",
+                        self.schema_dirname() + "60samba.ldif")

    def __enable_ssl(self):
        dirname = self.config_dirname()
@ -146,7 +148,7 @@ class DsInstance:
    def __add_default_layout(self):
        txt = template_file(SHARE_DIR + "bootstrap-template.ldif", self.sub_dict)
        inf_fd = write_tmp_file(txt)
-        args = ["/usr/bin/ldapadd", "-xv", "-D", "cn=Directory Manager",
+        args = ["/usr/bin/ldapmodify", "-xv", "-D", "cn=Directory Manager",
                "-w", self.admin_password, "-f", inf_fd.name]
        run(args)

--- a/ipa-install/src/ipa/krbinstance.py
+++ b/ipa-install/src/ipa/krbinstance.py
@ -0,0 +1,153 @@
+#! /usr/bin/python -E
+# Authors: Simo Sorce <ssorce@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import subprocess
+import string
+import tempfile
+import shutil
+import logging
+from random import Random
+from time import gmtime
+
+SHARE_DIR = "/usr/share/ipa/"
+
+def realm_to_suffix(realm_name):
+    s = realm_name.split(".")
+    terms = ["dc=" + x for x in s]
+    return ",".join(terms)
+
+def generate_kdc_password():
+    rndpwd = ''
+    r = Random()
+    r.seed(gmtime())
+    for x in range(12):
+        rndpwd += chr(r.randint(32,126))
+    return rndpwd
+
+def template_str(txt, vars):
+    return string.Template(txt).substitute(vars)
+
+def template_file(infilename, vars):
+    txt = open(infilename).read()
+    return template_str(txt, vars)
+
+def write_tmp_file(txt):
+    fd = tempfile.NamedTemporaryFile()
+    fd.write(txt)
+    fd.flush()
+
+    return fd
+
+def ldap_mod(fd, dn, pwd):
+    args = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D", dn, "-w", pwd, "-f", fd.name]
+    run(args)
+
+def run(args, stdin=None):
+    p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    if stdin:
+        stdout,stderr = p.communicate(stdin)
+    else:
+        stdout,stderr = p.communicate()
+    logging.info(stdout)
+    logging.info(stderr)
+
+    if p.returncode != 0:
+        raise subprocess.CalledProcessError(p.returncode, args[0])
+    
+class KrbInstance:
+    def __init__(self):
+        self.realm_name = None
+        self.host_name = None
+        self.admin_password = None
+        self.master_password = None
+        self.suffix = None
+        self.kdc_password = None
+        self.sub_dict = None
+
+    def create_instance(self, realm_name, host_name, admin_password, master_password):
+        self.realm_name = realm_name
+        self.host_name = host_name
+        self.admin_password = admin_password
+        self.master_password = master_password
+        
+	self.suffix = realm_to_suffix(self.realm_name)
+        self.kdc_password = generate_kdc_password()
+
+        self.__setup_sub_dict()
+
+        self.__configure_ldap()
+        self.__create_instance()
+        self.start()
+
+    def stop(self):
+        run(["/sbin/service", "krb5kdc", "stop"])
+
+    def start(self):
+        run(["/sbin/service", "krb5kdc", "start"])
+
+    def restart(self):
+        run(["/sbin/service", "krb5kdc", "restart"])
+
+    def __configure_kdc_account_password(self):
+        hexpwd = ''
+	for x in self.kdc_password:
+            hexpwd += (hex(ord(x))[2:])
+        pwd_fd = open("/var/kerberos/krb5kdc/ldappwd", "a+")
+        pwd_fd.write("uid=kdc,cn=kerberos,"+self.suffix+"#{HEX}"+hexpwd+"\n")
+        pwd_fd.close()
+
+    def __setup_sub_dict(self):
+        self.sub_dict = dict(FQHN=self.host_name,
+                             PASSWORD=self.kdc_password,
+                             SUFFIX=self.suffix,
+                             REALM=self.realm_name)
+
+    def __configure_ldap(self):
+
+	#TODO: test that the ldif is ok with any random charcter we may use in the password
+        kerberos_txt = template_file(SHARE_DIR + "kerberos.ldif", self.sub_dict)
+        kerberos_fd = write_tmp_file(kerberos_txt)
+        ldap_mod(kerberos_fd, "cn=Directory Manager", self.admin_password)
+	name = kerberos_fd.name
+        kerberos_fd.close()
+        os.unlink(name)
+
+	#Change the default ACL to avoid anonimous access to kerberos keys and othe hashes
+        aci_txt = template_file(SHARE_DIR + "default_aci.ldif", self.sub_dict)
+        aci_fd = write_tmp_file(aci_txt) 
+        ldap_mod(aci_fd, "cn=Directory Manager", self.admin_password)
+	name = aci_fd.name
+        aci_fd.close()
+        os.unlink(name)
+
+    def __create_instance(self):
+        kdc_conf = template_file(SHARE_DIR+"kdc.conf.template", self.sub_dict)
+        kdc_fd = open("/var/kerberos/krb5kdc/kdc.conf", "w+")
+        kdc_fd.write(kdc_conf)
+        kdc_fd.close()
+
+        krb5_conf = template_file(SHARE_DIR+"krb5.conf.template", self.sub_dict)
+        krb5_fd = open("/etc/krb5.conf", "w+")
+        krb5_fd.write(krb5_conf)
+        krb5_fd.close()
+
+        #populate the directory with the realm structure
+        args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "create", "-s", "-r", self.realm_name, "-subtrees", self.suffix, "-sscope", "sub"]
+        run(args)
--- a/ipa-install/test/test-users.ldif
+++ b/ipa-install/test/test-users.ldif
@ -1,5 +1,5 @@
 # test, users, default, $REALM
-dn: uid=test,cn=users,ou=default,$SUFFIX
+dn: uid=test,ou=users,ou=default,$SUFFIX
 uidNumber: 1001
 uid: test
 gecos: test
@ -17,7 +17,4 @@ objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: account
 objectClass: top
-objectClass: krbprincipalaux
 cn: test
-userPassword:: e1NTSEF9T0FNVnNCL2hjYlJFRVlQaU9kYy9BY0dmNmdBaFdpYVNub2VPenc9PQ=
- =