| 1 |
gzartman |
1.1 |
diff -urN smeserver-samba-0.1.0/createlinks smeserver-samba-0.1.0.provision-update/createlinks |
| 2 |
|
|
--- smeserver-samba-0.1.0/createlinks 2014-11-23 00:07:36.000000000 -0800 |
| 3 |
|
|
+++ smeserver-samba-0.1.0.provision-update/createlinks 2016-06-18 21:54:07.781770465 -0700 |
| 4 |
|
|
@@ -25,9 +25,7 @@ |
| 5 |
|
|
event_link("adjust-samba-down", $event, "01"); |
| 6 |
|
|
event_link("initialize-default-databases", $event, "01"); |
| 7 |
|
|
event_link("provision-domain-controller", $event, "01"); |
| 8 |
|
|
-event_link("samba-disable-password-policy", $event, "02"); |
| 9 |
|
|
event_link("samba-reset-defaults", $event, "02"); |
| 10 |
|
|
-event_link("samba-create-ad-LDAP-access", $event, "03"); |
| 11 |
|
|
event_link("samba-create-domain-admins", $event,"03"); |
| 12 |
|
|
event_link("adjust-samba-up", $event, "50"); |
| 13 |
|
|
|
| 14 |
|
|
@@ -39,9 +37,7 @@ |
| 15 |
|
|
##Links for bootstrap-intialize-samba event |
| 16 |
|
|
$event = "bootstrap-initialize-samba"; |
| 17 |
|
|
event_link("provision-domain-controller", $event, "02"); |
| 18 |
|
|
-event_link("samba-disable-password-policy", $event, "02"); |
| 19 |
|
|
event_link("samba-reset-defaults", $event, "02"); |
| 20 |
|
|
-event_link("samba-create-ad-LDAP-access", $event, "03"); |
| 21 |
|
|
event_link("samba-create-domain-admins", $event,"03"); |
| 22 |
|
|
|
| 23 |
|
|
|
| 24 |
|
|
diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/provision-domain-controller smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/provision-domain-controller |
| 25 |
|
|
--- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/provision-domain-controller 2014-11-20 21:54:06.000000000 -0800 |
| 26 |
|
|
+++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/provision-domain-controller 2016-06-18 16:53:12.000000000 -0700 |
| 27 |
|
|
@@ -13,6 +13,7 @@ |
| 28 |
|
|
use strict; |
| 29 |
|
|
use warnings; |
| 30 |
|
|
use esmith::ConfigDB; |
| 31 |
|
|
+use esmith::AD; |
| 32 |
|
|
|
| 33 |
|
|
##Pull arguments |
| 34 |
|
|
my $event = $ARGV [0]; |
| 35 |
|
|
@@ -38,19 +39,59 @@ |
| 36 |
|
|
##Remove existing smb.conf file or the provision will error out |
| 37 |
|
|
unlink ('/etc/samba/smb.conf') if (-e '/etc/samba/smb.conf'); |
| 38 |
|
|
|
| 39 |
|
|
+##Generate complex password for SME Server runtime transactions with AD |
| 40 |
|
|
+##Encrypt and stash the password locally |
| 41 |
|
|
+my @set = ('0'..'9','A'..'Z','a'..'z'); |
| 42 |
|
|
+my $set = ''; |
| 43 |
|
|
+my $provisionPass = join '' => map $set[rand @set], 1..20; |
| 44 |
|
|
+ |
| 45 |
|
|
+warn "Creating and stashing complex password for AD transactions.\n"; |
| 46 |
|
|
+ |
| 47 |
|
|
+my $encrypted_pass = MIME::Base64::encode($provisionPass); |
| 48 |
|
|
+unlink '/etc/samba/AD.pw'; |
| 49 |
|
|
+unless ( open( WR, ">/etc/samba/AD.pw" ) ) { |
| 50 |
|
|
+ die "Samba provisioning error: Unable to create Active Directory LDAP password\n"; |
| 51 |
|
|
+ return undef; |
| 52 |
|
|
+} |
| 53 |
|
|
+print WR "$encrypted_pass\n"; |
| 54 |
|
|
+close WR; |
| 55 |
|
|
+chmod 0600, '/etc/samba/AD.pw'; |
| 56 |
|
|
+ |
| 57 |
|
|
+ |
| 58 |
|
|
##Initialize Samba Domain |
| 59 |
|
|
+warn "Samba domain: Provisining Active Directory."; |
| 60 |
|
|
my $provision = "/usr/bin/samba-tool domain provision --server-role=dc " . |
| 61 |
|
|
"--domain=$WorkGroup " . |
| 62 |
|
|
"--realm=$DomainName " . |
| 63 |
|
|
- "--adminpass=$AdminPass " . |
| 64 |
|
|
+ "--adminpass=$provisionPass " . |
| 65 |
|
|
"--dns-backend=SAMBA_INTERNAL " . |
| 66 |
|
|
"--use-rfc2307 " . |
| 67 |
|
|
"--use-xattrs=yes"; |
| 68 |
|
|
|
| 69 |
|
|
system ($provision); |
| 70 |
|
|
- |
| 71 |
|
|
die "Unable to provision Samba in $event" if ($? == -1); |
| 72 |
|
|
|
| 73 |
|
|
+##Disable default Samba password policy so we can control it in the SME UI |
| 74 |
|
|
+warn "Samba domain: Disabling default Samba password policy.\n"; |
| 75 |
|
|
+ |
| 76 |
|
|
+my $policy_reset = "/usr/bin/samba-tool domain passwordsettings set " . |
| 77 |
|
|
+ "--complexity=off " . |
| 78 |
|
|
+ "--min-pwd-length=0 " . |
| 79 |
|
|
+ "--min-pwd-age=0 " . |
| 80 |
|
|
+ "--max-pwd-age=365 " . |
| 81 |
|
|
+ "-U Administrator\%$provisionPass"; |
| 82 |
|
|
+system ($policy_reset); |
| 83 |
|
|
+die "Samba domain error: Unable to disable default password policy.\n" if ($? == -1); |
| 84 |
|
|
+ |
| 85 |
|
|
+##Change administrator password from the stashed password to the admin password |
| 86 |
|
|
+warn "Samba domain: Setting Admin Password\n"; |
| 87 |
|
|
+my $set_admin_pass = "/usr/bin/samba-tool user setpassword Administrator " . |
| 88 |
|
|
+ "--newpassword=" . $AdminPass . " " . |
| 89 |
|
|
+ "-U Administrator\%" . $provisionPass; |
| 90 |
|
|
+ |
| 91 |
|
|
+system ($set_admin_pass); |
| 92 |
|
|
+die "Samba domain error: Unable to SME Server admin password.\n" if ($? == -1); |
| 93 |
|
|
+ |
| 94 |
|
|
##Set samba key to initialized in bootstrap-console so it doesn't initialize again |
| 95 |
|
|
if ($event eq 'bootstrap-initialize-samba') { |
| 96 |
|
|
|
| 97 |
|
|
diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access |
| 98 |
|
|
--- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access 2014-11-22 23:59:18.000000000 -0800 |
| 99 |
|
|
+++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access 1969-12-31 16:00:00.000000000 -0800 |
| 100 |
|
|
@@ -1,64 +0,0 @@ |
| 101 |
|
|
-#!/usr/bin/perl |
| 102 |
|
|
-#------------------------------------------------------------ |
| 103 |
|
|
-#This action generates a special Active Directory user |
| 104 |
|
|
-#to be used for SME Server access to the Active Directory. |
| 105 |
|
|
-#The password for this user will be stored encrypted to |
| 106 |
|
|
-#/etc/samba/AD.pw |
| 107 |
|
|
-# |
| 108 |
|
|
-#Copyright 2014 Koozali Foundation, Inc. |
| 109 |
|
|
-#11/15/2014: G.Zartman <gzartman@koozali.org> |
| 110 |
|
|
-# |
| 111 |
|
|
-#The code contained herein can be distributed under the same |
| 112 |
|
|
-#license as Perl |
| 113 |
|
|
-# |
| 114 |
|
|
-#TO DO: |
| 115 |
|
|
-# |
| 116 |
|
|
-#------------------------------------------------------------ |
| 117 |
|
|
-package esmith::thisaction; |
| 118 |
|
|
- |
| 119 |
|
|
-use strict; |
| 120 |
|
|
-use warnings; |
| 121 |
|
|
-use esmith::ConfigDB; |
| 122 |
|
|
-use MIME::Base64(); |
| 123 |
|
|
- |
| 124 |
|
|
-##Pull arguments |
| 125 |
|
|
-my $event = $ARGV [0]; |
| 126 |
|
|
-my $AdminPass = $ARGV [1]; |
| 127 |
|
|
- |
| 128 |
|
|
-die 'Active Directory access error: Missing admin password' unless ($AdminPass); |
| 129 |
|
|
- |
| 130 |
|
|
-##Generate an ad_admin password, encrypt it, then write it to /etc/samba/AD.pw |
| 131 |
|
|
-my @set = ('0'..'9','A'..'Z','a'..'z'); |
| 132 |
|
|
-my $set = ''; |
| 133 |
|
|
-my $pass = join '' => map $set[rand @set], 1..20; |
| 134 |
|
|
- |
| 135 |
|
|
-warn "Creating stashed password for ad_admin\n"; |
| 136 |
|
|
- |
| 137 |
|
|
-my $encrypted_pass = MIME::Base64::encode($pass); |
| 138 |
|
|
-unlink '/etc/samba/AD.pw'; |
| 139 |
|
|
-unless ( open( WR, ">/etc/samba/AD.pw" ) ) { |
| 140 |
|
|
- die "Samba provisioning error: Unable to create Active Directory LDAP password\n"; |
| 141 |
|
|
- return undef; |
| 142 |
|
|
-} |
| 143 |
|
|
-print WR "$encrypted_pass\n"; |
| 144 |
|
|
-close WR; |
| 145 |
|
|
-chmod 0600, '/etc/samba/AD.pw'; |
| 146 |
|
|
- |
| 147 |
|
|
-warn "ad_admin: $pass\n"; |
| 148 |
|
|
- |
| 149 |
|
|
-##Set ad_admin account to active directory as a domain admin |
| 150 |
|
|
-my $add_admin = "/usr/bin/samba-tool user create " . |
| 151 |
|
|
- "ad_admin $pass " . |
| 152 |
|
|
- "-U Administrator\%$AdminPass"; |
| 153 |
|
|
-system ($add_admin); |
| 154 |
|
|
-die "Samba provisioning error: Unable to create ad_admin user in Active Directory.\n" if ($? == -1); |
| 155 |
|
|
- |
| 156 |
|
|
-my $add_members = "/usr/bin/samba-tool group addmembers " . |
| 157 |
|
|
- "\'Domain Admins\' ". |
| 158 |
|
|
- "ad_admin " . |
| 159 |
|
|
- "-U Administrator\%$AdminPass"; |
| 160 |
|
|
-system ($add_members); |
| 161 |
|
|
-die "Samba provisioning error: Unable to add ad_admin user to the Domain Admins group.\n" if ($? == -1); |
| 162 |
|
|
- |
| 163 |
|
|
-1; |
| 164 |
|
|
- |
| 165 |
|
|
diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-domain-admins smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-domain-admins |
| 166 |
|
|
--- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-domain-admins 2014-11-20 21:54:57.000000000 -0800 |
| 167 |
|
|
+++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-domain-admins 2016-06-18 21:20:11.000000000 -0700 |
| 168 |
|
|
@@ -14,6 +14,7 @@ |
| 169 |
|
|
use strict; |
| 170 |
|
|
use warnings; |
| 171 |
|
|
use esmith::ConfigDB; |
| 172 |
|
|
+use esmith::AD; |
| 173 |
|
|
|
| 174 |
|
|
##Pull arguments |
| 175 |
|
|
my $event = $ARGV [0]; |
| 176 |
|
|
@@ -22,22 +23,20 @@ |
| 177 |
|
|
die 'Samba provisioning error: Missing admin password' unless ($AdminPass); |
| 178 |
|
|
|
| 179 |
|
|
##Bail if called by bootstrap-initialize-samba and it has already been run |
| 180 |
|
|
-## |
| 181 |
|
|
my $cdb = esmith::ConfigDB->open; |
| 182 |
|
|
if ($event eq 'bootstrap-initialize-samba' && |
| 183 |
|
|
$cdb->get_prop('bootstrap-console','Samba') eq 'initialized') { |
| 184 |
|
|
exit(); |
| 185 |
|
|
} |
| 186 |
|
|
|
| 187 |
|
|
-##Set admin samba accounts and add to Domain Admin |
| 188 |
|
|
+ |
| 189 |
|
|
+##Create admin and root accounts in AD and add to Domain Admin |
| 190 |
|
|
my $add_admin = "/usr/bin/samba-tool user create " . |
| 191 |
|
|
"admin $AdminPass " . |
| 192 |
|
|
"-U Administrator\%$AdminPass"; |
| 193 |
|
|
system ($add_admin); |
| 194 |
|
|
- |
| 195 |
|
|
warn "Unable create admin Samba user\n" if ($? == -1); |
| 196 |
|
|
|
| 197 |
|
|
- |
| 198 |
|
|
my $add_root = "/usr/bin/samba-tool user create " . |
| 199 |
|
|
"root $AdminPass " . |
| 200 |
|
|
"-U Administrator\%$AdminPass"; |
| 201 |
|
|
@@ -51,4 +50,19 @@ |
| 202 |
|
|
system ($add_members); |
| 203 |
|
|
warn "Unable to add admin and root users to Domain Admins group\n" if ($? == -1); |
| 204 |
|
|
|
| 205 |
|
|
+ |
| 206 |
|
|
+##Create ad_admin account and add it to domain admins for runtime access to acive directory |
| 207 |
|
|
+my $add_ad_admin = "/usr/bin/samba-tool user create " . |
| 208 |
|
|
+ "ad_admin " . esmith::AD::getADPass() . " " . |
| 209 |
|
|
+ "-U Administrator\%$AdminPass"; |
| 210 |
|
|
+system ($add_ad_admin); |
| 211 |
|
|
+die "Samba provisioning error: Unable to create ad_admin user in Active Directory.\n" if ($? == -1); |
| 212 |
|
|
+ |
| 213 |
|
|
+$add_members = "/usr/bin/samba-tool group addmembers " . |
| 214 |
|
|
+ "\'Domain Admins\' ". |
| 215 |
|
|
+ "ad_admin " . |
| 216 |
|
|
+ "-U Administrator\%$AdminPass"; |
| 217 |
|
|
+#system ($add_members); |
| 218 |
|
|
+die "Samba provisioning error: Unable to add ad_admin user to the Domain Admins group.\n" if ($? == -1); |
| 219 |
|
|
+ |
| 220 |
|
|
1; |
| 221 |
|
|
diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-disable-password-policy smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-disable-password-policy |
| 222 |
|
|
--- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-disable-password-policy 2014-11-22 23:59:18.000000000 -0800 |
| 223 |
|
|
+++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-disable-password-policy 1969-12-31 16:00:00.000000000 -0800 |
| 224 |
|
|
@@ -1,41 +0,0 @@ |
| 225 |
|
|
-#!/usr/bin/perl |
| 226 |
|
|
-#------------------------------------------------------------ |
| 227 |
|
|
-#This action disables the build-in Samba password policy. |
| 228 |
|
|
-#If we leave the default policy in place, creating a user |
| 229 |
|
|
-#may fail and it may be difficult to capture this failure. |
| 230 |
|
|
-#Instead, we will use SME's password strength checking. |
| 231 |
|
|
-# |
| 232 |
|
|
-#Copyright 2014 Koozali Foundation, Inc. |
| 233 |
|
|
-#11/22/2014: G.Zartman <gzartman@koozali.org> |
| 234 |
|
|
-# |
| 235 |
|
|
-#The code contained herein can be distributed under the same |
| 236 |
|
|
-#license as Perl |
| 237 |
|
|
-# |
| 238 |
|
|
-#TO DO: |
| 239 |
|
|
-# |
| 240 |
|
|
-#------------------------------------------------------------ |
| 241 |
|
|
-package esmith::thisaction; |
| 242 |
|
|
- |
| 243 |
|
|
-use strict; |
| 244 |
|
|
-use warnings; |
| 245 |
|
|
- |
| 246 |
|
|
-##Pull arguments |
| 247 |
|
|
-my $event = $ARGV [0]; |
| 248 |
|
|
-my $AdminPass = $ARGV [1]; |
| 249 |
|
|
- |
| 250 |
|
|
-die 'Active Directory access error: Missing admin password' unless ($AdminPass); |
| 251 |
|
|
- |
| 252 |
|
|
-##Disable the Samba password policy using samba-tool |
| 253 |
|
|
-warn "Samba domain: Disabling default Samba password policy\n"; |
| 254 |
|
|
- |
| 255 |
|
|
-my $samba_tool = "/usr/bin/samba-tool domain passwordsettings set " . |
| 256 |
|
|
- "--complexity=off " . |
| 257 |
|
|
- "--min-pwd-length=0 " . |
| 258 |
|
|
- "--min-pwd-age=0 " . |
| 259 |
|
|
- "--max-pwd-age=365 " . |
| 260 |
|
|
- "-U Administrator\%$AdminPass"; |
| 261 |
|
|
-system ($samba_tool); |
| 262 |
|
|
-die "Samba domain error: Unable to disable default password policy.\n" if ($? == -1); |
| 263 |
|
|
- |
| 264 |
|
|
-1; |
| 265 |
|
|
- |
Parent Directory
| 
Revision Log
| 
Revision Graph
