diff -urN smeserver-samba-0.1.0/createlinks smeserver-samba-0.1.0.provision-update/createlinks
--- smeserver-samba-0.1.0/createlinks 2014-11-23 00:07:36.000000000 -0800
+++ smeserver-samba-0.1.0.provision-update/createlinks 2016-06-18 21:54:07.781770465 -0700
@@ -25,9 +25,7 @@
 event_link("adjust-samba-down", $event, "01");
 event_link("initialize-default-databases", $event, "01");
 event_link("provision-domain-controller", $event, "01");
-event_link("samba-disable-password-policy", $event, "02");
 event_link("samba-reset-defaults", $event, "02");
-event_link("samba-create-ad-LDAP-access", $event, "03");
 event_link("samba-create-domain-admins", $event,"03");
 event_link("adjust-samba-up", $event, "50");
@@ -39,9 +37,7 @@
 ##Links for bootstrap-intialize-samba event
 $event = "bootstrap-initialize-samba";
 event_link("provision-domain-controller", $event, "02");
-event_link("samba-disable-password-policy", $event, "02");
 event_link("samba-reset-defaults", $event, "02");
-event_link("samba-create-ad-LDAP-access", $event, "03");
 event_link("samba-create-domain-admins", $event,"03");
diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/provision-domain-controller smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/provision-domain-controller
--- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/provision-domain-controller 2014-11-20 21:54:06.000000000 -0800
+++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/provision-domain-controller 2016-06-18 16:53:12.000000000 -0700
@@ -13,6 +13,7 @@
 use strict;
 use warnings;
 use esmith::ConfigDB;
+use esmith::AD;
 ##Pull arguments
 my $event = $ARGV [0];
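Review bot: The only new import in this preamble of provision-domain-controller is `use esmith::AD;`, yet the body added later in this file calls `MIME::Base64::encode`, and the sole `use MIME::Base64();` in this patch lives in the deleted samba-create-ad-LDAP-access script; unless esmith::AD happens to load MIME::Base64 (or a `use` line sits outside this hunk), the stash step will fail at runtime with an undefined-subroutine error, so add `use MIME::Base64 ();` here explicitly. Conversely, nothing in the visible hunks of provision-domain-controller references esmith::AD, so it is worth confirming that import is actually needed rather than a leftover from the script that was folded in. The `use` block continues outside the hunk.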
@@ -38,19 +39,59 @@
 ##Remove existing smb.conf file or the provision will error out
 unlink ('/etc/samba/smb.conf') if (-e '/etc/samba/smb.conf');
+##Generate complex password for SME Server runtime transactions with AD
+##Encrypt and stash the password locally
+my @set = ('0'..'9','A'..'Z','a'..'z');
+my $set = '';
+my $provisionPass = join '' => map $set[rand @set], 1..20;
+
+warn "Creating and stashing complex password for AD transactions.\n";
+
+my $encrypted_pass = MIME::Base64::encode($provisionPass);
+unlink '/etc/samba/AD.pw';
+unless ( open( WR, ">/etc/samba/AD.pw" ) ) {
+ die "Samba provisioning error: Unable to create Active Directory LDAP password\n";
+ return undef;
+}
+print WR "$encrypted_pass\n";
+close WR;
+chmod 0600, '/etc/samba/AD.pw';
+
+
 ##Initialize Samba Domain
+warn "Samba domain: Provisining Active Directory.";
 my $provision = "/usr/bin/samba-tool domain provision --server-role=dc " .
 "--domain=$WorkGroup " .
 "--realm=$DomainName " .
- "--adminpass=$AdminPass " .
+ "--adminpass=$provisionPass " .
 "--dns-backend=SAMBA_INTERNAL " .
 "--use-rfc2307 " .
 "--use-xattrs=yes";
 system ($provision);
- die "Unable to provision Samba in $event" if ($? == -1);
+##Disable default Samba password policy so we can control it in the SME UI
+warn "Samba domain: Disabling default Samba password policy.\n";
+
+my $policy_reset = "/usr/bin/samba-tool domain passwordsettings set " .
+ "--complexity=off " .
+ "--min-pwd-length=0 " .
+ "--min-pwd-age=0 " .
+ "--max-pwd-age=365 " .
+ "-U Administrator\%$provisionPass";
+system ($policy_reset);
+die "Samba domain error: Unable to disable default password policy.\n" if ($? == -1);
+
+##Change administrator password from the stashed password to the admin password
+warn "Samba domain: Setting Admin Password\n";
+my $set_admin_pass = "/usr/bin/samba-tool user setpassword Administrator " .
+ "--newpassword=" . $AdminPass . " " .
+ "-U Administrator\%" . $provisionPass;
+
+system ($set_admin_pass);
+die "Samba domain error: Unable to SME Server admin password.\n" if ($? == -1);
+
 ##Set samba key to initialized in bootstrap-console so it doesn't initialize again
 if ($event eq 'bootstrap-initialize-samba') {
diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access
--- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access 2014-11-22 23:59:18.000000000 -0800
+++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access 1969-12-31 16:00:00.000000000 -0800
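Review bot: The `die "Unable to provision Samba in $event"` after `system ($provision)` is removed with nothing in its place, and the `if ($? == -1)` checks kept on `$policy_reset` and `$set_admin_pass` fire only when samba-tool could not be executed, so a non-zero exit from any of the three samba-tool commands, including a failed provision, is silently ignored and the script runs on to reset the password policy and change Administrator's password on a domain that may not exist. The stash written to /etc/samba/AD.pw is Base64, not encryption (the `##Encrypt and stash` comment and the `$encrypted_pass` name overstate it), the value comes from Perl's `rand`, which is not a cryptographic generator, and the file is created at the default umask and only `chmod`ed to 0600 after the secret has been written. The rewrite below (which needs `use Fcntl qw(O_WRONLY O_CREAT O_TRUNC);` in the preamble) reads the password bytes from /dev/urandom with rejection sampling, creates the stash 0600 up front, and checks each `system` with `== 0 or die`. Separately, both `$provisionPass` and `$AdminPass` are interpolated into shell command strings, so they are visible in process listings and `$AdminPass` can break or inject on shell metacharacters; the list form of `system` removes the shell, and a samba credentials file (`-A`) would keep the secrets out of `ps` if that fits this deployment. The hunk ends inside the `if ($event eq 'bootstrap-initialize-samba')` block, whose body continues outside the diff.
```perl
# … unchanged: removal of the stale smb.conf …

# Draw the provisioning password from the kernel CSPRNG rather than rand();
# bytes >= 248 are rejected so the reduction to 62 symbols has no modulo bias.
my @set = ('0'..'9','A'..'Z','a'..'z');
open my $rnd, '<', '/dev/urandom'
    or die "Samba provisioning error: cannot open /dev/urandom: $!\n";
my $provisionPass = '';
while (length($provisionPass) < 20) {
    read($rnd, my $byte, 1) == 1
        or die "Samba provisioning error: short read from /dev/urandom\n";
    my $i = ord $byte;
    next if $i >= 62 * int(256 / 62);
    $provisionPass .= $set[$i % 62];
}
close $rnd;

# The stash is Base64 (encoding, not encryption); its only protection is the
# file mode, so create it 0600 from the start instead of chmod after the write.
unlink '/etc/samba/AD.pw';
sysopen(my $wr, '/etc/samba/AD.pw', O_WRONLY | O_CREAT | O_TRUNC, 0600)
    or die "Samba provisioning error: Unable to create Active Directory LDAP password: $!\n";
print {$wr} MIME::Base64::encode($provisionPass) . "\n";
close $wr
    or die "Samba provisioning error: write to /etc/samba/AD.pw failed: $!\n";

# … unchanged: building $provision …
system($provision) == 0
    or die "Samba domain error: Unable to provision Samba in $event (exit status $?)\n";

# … unchanged: building $policy_reset …
system($policy_reset) == 0
    or die "Samba domain error: Unable to disable default password policy (exit status $?)\n";

# … unchanged: building $set_admin_pass …
system($set_admin_pass) == 0
    or die "Samba domain error: Unable to set SME Server admin password (exit status $?)\n";
```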
@@ -1,64 +0,0 @@
-#!/usr/bin/perl
-#------------------------------------------------------------
-#This action generates a special Active Directory user
-#to be used for SME Server access to the Active Directory.
-#The password for this user will be stored encrypted to
-#/etc/samba/AD.pw
-#
-#Copyright 2014 Koozali Foundation, Inc.
-#11/15/2014: G.Zartman
-#
-#The code contained herein can be distributed under the same
-#license as Perl
-#
-#TO DO:
-#
-#------------------------------------------------------------
-package esmith::thisaction;
-
-use strict;
-use warnings;
-use esmith::ConfigDB;
-use MIME::Base64();
-
-##Pull arguments
-my $event = $ARGV [0];
-my $AdminPass = $ARGV [1];
-
-die 'Active Directory access error: Missing admin password' unless ($AdminPass);
-
-##Generate an ad_admin password, encrypt it, then write it to /etc/samba/AD.pw
-my @set = ('0'..'9','A'..'Z','a'..'z');
-my $set = '';
-my $pass = join '' => map $set[rand @set], 1..20;
-
-warn "Creating stashed password for ad_admin\n";
-
-my $encrypted_pass = MIME::Base64::encode($pass);
-unlink '/etc/samba/AD.pw';
-unless ( open( WR, ">/etc/samba/AD.pw" ) ) {
- die "Samba provisioning error: Unable to create Active Directory LDAP password\n";
- return undef;
-}
-print WR "$encrypted_pass\n";
-close WR;
-chmod 0600, '/etc/samba/AD.pw';
-
-warn "ad_admin: $pass\n";
-
-##Set ad_admin account to active directory as a domain admin
-my $add_admin = "/usr/bin/samba-tool user create " .
- "ad_admin $pass " .
- "-U Administrator\%$AdminPass";
-system ($add_admin);
-die "Samba provisioning error: Unable to create ad_admin user in Active Directory.\n" if ($? == -1);
-
-my $add_members = "/usr/bin/samba-tool group addmembers " .
- "\'Domain Admins\' ".
- "ad_admin " .
- "-U Administrator\%$AdminPass";
-system ($add_members);
-die "Samba provisioning error: Unable to add ad_admin user to the Domain Admins group.\n" if ($? == -1);
-
-1;
-
diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-domain-admins smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-domain-admins
--- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-domain-admins 2014-11-20 21:54:57.000000000 -0800
+++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-domain-admins 2016-06-18 21:20:11.000000000 -0700
@@ -14,6 +14,7 @@
 use strict;
 use warnings;
 use esmith::ConfigDB;
+use esmith::AD;
 ##Pull arguments
 my $event = $ARGV [0];
@@ -22,22 +23,20 @@
 die 'Samba provisioning error: Missing admin password' unless ($AdminPass);
 ##Bail if called by bootstrap-initialize-samba and it has already been run
-##
 my $cdb = esmith::ConfigDB->open;
 if ($event eq 'bootstrap-initialize-samba' && $cdb->get_prop('bootstrap-console','Samba') eq 'initialized') { exit(); }
-##Set admin samba accounts and add to Domain Admin
+
+##Create admin and root accounts in AD and add to Domain Admin
 my $add_admin = "/usr/bin/samba-tool user create " .
 "admin $AdminPass " .
 "-U Administrator\%$AdminPass";
 system ($add_admin);
- warn "Unable create admin Samba user\n" if ($? == -1);
-
 my $add_root = "/usr/bin/samba-tool user create " .
 "root $AdminPass " .
 "-U Administrator\%$AdminPass";
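Review bot: Removing `warn "Unable create admin Samba user\n" if ($? == -1);` after `system ($add_admin)` leaves the creation of the `admin` account with no failure check at all, and the check it replaced only fired when samba-tool could not be executed, never on a non-zero exit; test the exit status instead, `system($add_admin) == 0 or warn "Unable to create admin Samba user (exit status $?)\n";`, and treat `$add_root` the same way. Both commands interpolate `$AdminPass` twice into a shell string, so the admin password shows up in process listings and any shell metacharacter in it corrupts or injects into the command line; `system('/usr/bin/samba-tool', 'user', 'create', 'admin', $AdminPass, '-U', "Administrator\%$AdminPass")` keeps the shell out of the path, and a samba credentials file would keep the password out of `ps`. That pattern predates this commit, but these are the lines it touches. The script continues past the end of this hunk.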
@@ -51,4 +50,19 @@
 system ($add_members);
 warn "Unable to add admin and root users to Domain Admins group\n" if ($? == -1);
+
+##Create ad_admin account and add it to domain admins for runtime access to acive directory
+my $add_ad_admin = "/usr/bin/samba-tool user create " .
+ "ad_admin " . esmith::AD::getADPass() . " " .
+ "-U Administrator\%$AdminPass";
+system ($add_ad_admin);
+die "Samba provisioning error: Unable to create ad_admin user in Active Directory.\n" if ($? == -1);
+
+$add_members = "/usr/bin/samba-tool group addmembers " .
+ "\'Domain Admins\' ".
+ "ad_admin " .
+ "-U Administrator\%$AdminPass";
+#system ($add_members);
+die "Samba provisioning error: Unable to add ad_admin user to the Domain Admins group.\n" if ($? == -1);
+
 1;
diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-disable-password-policy smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-disable-password-policy
--- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-disable-password-policy 2014-11-22 23:59:18.000000000 -0800
+++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-disable-password-policy 1969-12-31 16:00:00.000000000 -0800
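Review bot: `#system ($add_members);` is commented out, so `ad_admin` is created but never added to Domain Admins despite the comment above it, and the `die "... Unable to add ad_admin user to the Domain Admins group"` that follows tests `$?` left over from the `user create` call, so it can never report the failure it names. If the membership is intended, restore the call with a real exit-status check, `system($add_members) == 0 or die "Samba provisioning error: Unable to add ad_admin user to the Domain Admins group (exit status $?).\n";`; if it was disabled deliberately, drop the dead `$add_members` assignment and `die` and correct the comment. Domain Admins is a lot of privilege for a service account whose password sits Base64-encoded in /etc/samba/AD.pw, so it is worth checking what the "runtime access" this account is for actually requires before granting it. `esmith::AD::getADPass()` is also interpolated unguarded into a shell string; if it returns undef or an empty string (stash missing or unreadable) samba-tool is invoked without a password argument, which at best prompts interactively inside an event, so guard it first with `my $ad_pass = esmith::AD::getADPass(); die "Samba provisioning error: stashed AD password is missing\n" unless defined $ad_pass && length $ad_pass;`.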
@@ -1,41 +0,0 @@
-#!/usr/bin/perl
-#------------------------------------------------------------
-#This action disables the build-in Samba password policy.
-#If we leave the default policy in place, creating a user
-#may fail and it may be difficult to capture this failure.
-#Instead, we will use SME's password strength checking.
-#
-#Copyright 2014 Koozali Foundation, Inc.
-#11/22/2014: G.Zartman
-#
-#The code contained herein can be distributed under the same
-#license as Perl
-#
-#TO DO:
-#
-#------------------------------------------------------------
-package esmith::thisaction;
-
-use strict;
-use warnings;
-
-##Pull arguments
-my $event = $ARGV [0];
-my $AdminPass = $ARGV [1];
-
-die 'Active Directory access error: Missing admin password' unless ($AdminPass);
-
-##Disable the Samba password policy using samba-tool
-warn "Samba domain: Disabling default Samba password policy\n";
-
-my $samba_tool = "/usr/bin/samba-tool domain passwordsettings set " .
- "--complexity=off " .
- "--min-pwd-length=0 " .
- "--min-pwd-age=0 " .
- "--max-pwd-age=365 " .
- "-U Administrator\%$AdminPass";
-system ($samba_tool);
-die "Samba domain error: Unable to disable default password policy.\n" if ($? == -1);
-
-1;
-