Revision 1.1 - (show annotations) (download)
Sat Jul 30 17:51:00 2016 UTC (8 years, 3 months ago) by gzartman
Branch: MAIN
CVS Tags: HEAD
* Sat Jun 18 2016 Greg Zartman <gzartman@koozali.org> 0.1.0-3
- Reconfigure provision event to account for default Samba
  complex password policy
- Abstract core LDAP queries in esmith::AD using runtime binding

1 diff -urN smeserver-samba-0.1.0/createlinks smeserver-samba-0.1.0.provision-update/createlinks
2 --- smeserver-samba-0.1.0/createlinks 2014-11-23 00:07:36.000000000 -0800
3 +++ smeserver-samba-0.1.0.provision-update/createlinks 2016-06-18 21:54:07.781770465 -0700
4 @@ -25,9 +25,7 @@
5 event_link("adjust-samba-down", $event, "01");
6 event_link("initialize-default-databases", $event, "01");
7 event_link("provision-domain-controller", $event, "01");
8 -event_link("samba-disable-password-policy", $event, "02");
9 event_link("samba-reset-defaults", $event, "02");
10 -event_link("samba-create-ad-LDAP-access", $event, "03");
11 event_link("samba-create-domain-admins", $event,"03");
12 event_link("adjust-samba-up", $event, "50");
13
14 @@ -39,9 +37,7 @@
15 ##Links for bootstrap-intialize-samba event
16 $event = "bootstrap-initialize-samba";
17 event_link("provision-domain-controller", $event, "02");
18 -event_link("samba-disable-password-policy", $event, "02");
19 event_link("samba-reset-defaults", $event, "02");
20 -event_link("samba-create-ad-LDAP-access", $event, "03");
21 event_link("samba-create-domain-admins", $event,"03");
22
23
24 diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/provision-domain-controller smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/provision-domain-controller
25 --- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/provision-domain-controller 2014-11-20 21:54:06.000000000 -0800
26 +++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/provision-domain-controller 2016-06-18 16:53:12.000000000 -0700
27 @@ -13,6 +13,7 @@
28 use strict;
29 use warnings;
30 use esmith::ConfigDB;
31 +use esmith::AD;
32
33 ##Pull arguments
34 my $event = $ARGV [0];
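Review bot: The only import this hunk adds is `use esmith::AD;`, but the new code further down in this file calls `MIME::Base64::encode` directly, and the deleted `samba-create-ad-LDAP-access` action that previously did this work had its own `use MIME::Base64();`. Unless `esmith::AD` happens to load MIME::Base64 as a side effect, the fully-qualified call will fail at runtime with "Undefined subroutine &MIME::Base64::encode" after `smb.conf` has already been unlinked, leaving the box half-provisioned. Add `use MIME::Base64 ();` next to `use esmith::AD;` so the dependency is explicit rather than incidental.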
35 @@ -38,19 +39,59 @@
36 ##Remove existing smb.conf file or the provision will error out
37 unlink ('/etc/samba/smb.conf') if (-e '/etc/samba/smb.conf');
38
39 +##Generate complex password for SME Server runtime transactions with AD
40 +##Encrypt and stash the password locally
41 +my @set = ('0'..'9','A'..'Z','a'..'z');
42 +my $set = '';
43 +my $provisionPass = join '' => map $set[rand @set], 1..20;
44 +
45 +warn "Creating and stashing complex password for AD transactions.\n";
46 +
47 +my $encrypted_pass = MIME::Base64::encode($provisionPass);
48 +unlink '/etc/samba/AD.pw';
49 +unless ( open( WR, ">/etc/samba/AD.pw" ) ) {
50 + die "Samba provisioning error: Unable to create Active Directory LDAP password\n";
51 + return undef;
52 +}
53 +print WR "$encrypted_pass\n";
54 +close WR;
55 +chmod 0600, '/etc/samba/AD.pw';
56 +
57 +
58 ##Initialize Samba Domain
59 +warn "Samba domain: Provisining Active Directory.";
60 my $provision = "/usr/bin/samba-tool domain provision --server-role=dc " .
61 "--domain=$WorkGroup " .
62 "--realm=$DomainName " .
63 - "--adminpass=$AdminPass " .
64 + "--adminpass=$provisionPass " .
65 "--dns-backend=SAMBA_INTERNAL " .
66 "--use-rfc2307 " .
67 "--use-xattrs=yes";
68
69 system ($provision);
70 -
71 die "Unable to provision Samba in $event" if ($? == -1);
72
73 +##Disable default Samba password policy so we can control it in the SME UI
74 +warn "Samba domain: Disabling default Samba password policy.\n";
75 +
76 +my $policy_reset = "/usr/bin/samba-tool domain passwordsettings set " .
77 + "--complexity=off " .
78 + "--min-pwd-length=0 " .
79 + "--min-pwd-age=0 " .
80 + "--max-pwd-age=365 " .
81 + "-U Administrator\%$provisionPass";
82 +system ($policy_reset);
83 +die "Samba domain error: Unable to disable default password policy.\n" if ($? == -1);
84 +
85 +##Change administrator password from the stashed password to the admin password
86 +warn "Samba domain: Setting Admin Password\n";
87 +my $set_admin_pass = "/usr/bin/samba-tool user setpassword Administrator " .
88 + "--newpassword=" . $AdminPass . " " .
89 + "-U Administrator\%" . $provisionPass;
90 +
91 +system ($set_admin_pass);
92 +die "Samba domain error: Unable to SME Server admin password.\n" if ($? == -1);
93 +
94 ##Set samba key to initialized in bootstrap-console so it doesn't initialize again
95 if ($event eq 'bootstrap-initialize-samba') {
96
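Review bot: The stash at `/etc/samba/AD.pw` is created with a 2-arg `open` on a bareword handle under whatever umask the event runs with and only afterwards `chmod 0600`, so the credential of a Domain Admins account can be briefly readable by other local users, and the `return undef` after `die` is unreachable. The comment says the password is encrypted, but `MIME::Base64::encode` is a reversible encoding, so the file should be documented as plaintext-equivalent (`##Stash the password, Base64-encoded (NOT encrypted); file mode is its only protection`) and `$encrypted_pass` renamed. Setting the umask (or using `sysopen` with mode 0600) before creating the file closes the window; the rewrite below does that and also checks `close`. Separately, every `die ... if ($? == -1)` in this hunk fires only when samba-tool could not be executed at all, so a non-zero exit from `domain provision` or `passwordsettings set` is ignored and the script proceeds to `setpassword`; `if ($? != 0)` is the intended check. The password is generated with `rand` (not a CSPRNG) and interpolated into shell command strings visible in `ps`, which predates this change but now also applies to the provisioning password.
```perl
# … unchanged: password generation …
my $encoded_pass = MIME::Base64::encode($provisionPass);
unlink '/etc/samba/AD.pw';
my $old_umask = umask 077;    # create the stash 0600 from the start, no chmod window
open( my $wr, '>', '/etc/samba/AD.pw' )
    or die "Samba provisioning error: Unable to create Active Directory LDAP password: $!\n";
print {$wr} "$encoded_pass\n";
close $wr
    or die "Samba provisioning error: Unable to write /etc/samba/AD.pw: $!\n";
umask $old_umask;
# … unchanged: samba-tool domain provision …
```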
97 diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access
98 --- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access 2014-11-22 23:59:18.000000000 -0800
99 +++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-ad-LDAP-access 1969-12-31 16:00:00.000000000 -0800
100 @@ -1,64 +0,0 @@
101 -#!/usr/bin/perl
102 -#------------------------------------------------------------
103 -#This action generates a special Active Directory user
104 -#to be used for SME Server access to the Active Directory.
105 -#The password for this user will be stored encrypted to
106 -#/etc/samba/AD.pw
107 -#
108 -#Copyright 2014 Koozali Foundation, Inc.
109 -#11/15/2014: G.Zartman <gzartman@koozali.org>
110 -#
111 -#The code contained herein can be distributed under the same
112 -#license as Perl
113 -#
114 -#TO DO:
115 -#
116 -#------------------------------------------------------------
117 -package esmith::thisaction;
118 -
119 -use strict;
120 -use warnings;
121 -use esmith::ConfigDB;
122 -use MIME::Base64();
123 -
124 -##Pull arguments
125 -my $event = $ARGV [0];
126 -my $AdminPass = $ARGV [1];
127 -
128 -die 'Active Directory access error: Missing admin password' unless ($AdminPass);
129 -
130 -##Generate an ad_admin password, encrypt it, then write it to /etc/samba/AD.pw
131 -my @set = ('0'..'9','A'..'Z','a'..'z');
132 -my $set = '';
133 -my $pass = join '' => map $set[rand @set], 1..20;
134 -
135 -warn "Creating stashed password for ad_admin\n";
136 -
137 -my $encrypted_pass = MIME::Base64::encode($pass);
138 -unlink '/etc/samba/AD.pw';
139 -unless ( open( WR, ">/etc/samba/AD.pw" ) ) {
140 - die "Samba provisioning error: Unable to create Active Directory LDAP password\n";
141 - return undef;
142 -}
143 -print WR "$encrypted_pass\n";
144 -close WR;
145 -chmod 0600, '/etc/samba/AD.pw';
146 -
147 -warn "ad_admin: $pass\n";
148 -
149 -##Set ad_admin account to active directory as a domain admin
150 -my $add_admin = "/usr/bin/samba-tool user create " .
151 - "ad_admin $pass " .
152 - "-U Administrator\%$AdminPass";
153 -system ($add_admin);
154 -die "Samba provisioning error: Unable to create ad_admin user in Active Directory.\n" if ($? == -1);
155 -
156 -my $add_members = "/usr/bin/samba-tool group addmembers " .
157 - "\'Domain Admins\' ".
158 - "ad_admin " .
159 - "-U Administrator\%$AdminPass";
160 -system ($add_members);
161 -die "Samba provisioning error: Unable to add ad_admin user to the Domain Admins group.\n" if ($? == -1);
162 -
163 -1;
164 -
165 diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-domain-admins smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-domain-admins
166 --- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-create-domain-admins 2014-11-20 21:54:57.000000000 -0800
167 +++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-create-domain-admins 2016-06-18 21:20:11.000000000 -0700
168 @@ -14,6 +14,7 @@
169 use strict;
170 use warnings;
171 use esmith::ConfigDB;
172 +use esmith::AD;
173
174 ##Pull arguments
175 my $event = $ARGV [0];
176 @@ -22,22 +23,20 @@
177 die 'Samba provisioning error: Missing admin password' unless ($AdminPass);
178
179 ##Bail if called by bootstrap-initialize-samba and it has already been run
180 -##
181 my $cdb = esmith::ConfigDB->open;
182 if ($event eq 'bootstrap-initialize-samba' &&
183 $cdb->get_prop('bootstrap-console','Samba') eq 'initialized') {
184 exit();
185 }
186
187 -##Set admin samba accounts and add to Domain Admin
188 +
189 +##Create admin and root accounts in AD and add to Domain Admin
190 my $add_admin = "/usr/bin/samba-tool user create " .
191 "admin $AdminPass " .
192 "-U Administrator\%$AdminPass";
193 system ($add_admin);
194 -
195 warn "Unable create admin Samba user\n" if ($? == -1);
196
197 -
198 my $add_root = "/usr/bin/samba-tool user create " .
199 "root $AdminPass " .
200 "-U Administrator\%$AdminPass";
201 @@ -51,4 +50,19 @@
202 system ($add_members);
203 warn "Unable to add admin and root users to Domain Admins group\n" if ($? == -1);
204
205 +
206 +##Create ad_admin account and add it to domain admins for runtime access to acive directory
207 +my $add_ad_admin = "/usr/bin/samba-tool user create " .
208 + "ad_admin " . esmith::AD::getADPass() . " " .
209 + "-U Administrator\%$AdminPass";
210 +system ($add_ad_admin);
211 +die "Samba provisioning error: Unable to create ad_admin user in Active Directory.\n" if ($? == -1);
212 +
213 +$add_members = "/usr/bin/samba-tool group addmembers " .
214 + "\'Domain Admins\' ".
215 + "ad_admin " .
216 + "-U Administrator\%$AdminPass";
217 +#system ($add_members);
218 +die "Samba provisioning error: Unable to add ad_admin user to the Domain Admins group.\n" if ($? == -1);
219 +
220 1;
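Review bot: The `system ($add_members);` call that would put `ad_admin` into Domain Admins is commented out, yet the `die` on the next line still tests `$?`, which at that point is the stale status of the preceding `user create` call, so the account is never added to the group and any failure message would name the wrong step. The header comment above it says the account is created "for runtime access to active directory" as a domain admin, so either re-enable the call and tighten the check to `system ($add_members);` / `die "... Domain Admins group.\n" if ($? != 0);`, or drop the dead `$add_members` assignment and its `die` together; leaving a disabled call with a live error check is the worst of both. The `$? == -1` form used throughout only detects a failed exec, not a non-zero samba-tool exit. Note also that `esmith::AD::getADPass()` is interpolated into a shell command string, so the stashed Domain Admins password is exposed in the process list for the duration of the call, as `$AdminPass` already was; `system` in list form would avoid the shell but not `ps`. The comment typo "acive" should read "active".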
221 diff -urN smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-disable-password-policy smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-disable-password-policy
222 --- smeserver-samba-0.1.0/root/etc/e-smith/events/actions/samba-disable-password-policy 2014-11-22 23:59:18.000000000 -0800
223 +++ smeserver-samba-0.1.0.provision-update/root/etc/e-smith/events/actions/samba-disable-password-policy 1969-12-31 16:00:00.000000000 -0800
224 @@ -1,41 +0,0 @@
225 -#!/usr/bin/perl
226 -#------------------------------------------------------------
227 -#This action disables the build-in Samba password policy.
228 -#If we leave the default policy in place, creating a user
229 -#may fail and it may be difficult to capture this failure.
230 -#Instead, we will use SME's password strength checking.
231 -#
232 -#Copyright 2014 Koozali Foundation, Inc.
233 -#11/22/2014: G.Zartman <gzartman@koozali.org>
234 -#
235 -#The code contained herein can be distributed under the same
236 -#license as Perl
237 -#
238 -#TO DO:
239 -#
240 -#------------------------------------------------------------
241 -package esmith::thisaction;
242 -
243 -use strict;
244 -use warnings;
245 -
246 -##Pull arguments
247 -my $event = $ARGV [0];
248 -my $AdminPass = $ARGV [1];
249 -
250 -die 'Active Directory access error: Missing admin password' unless ($AdminPass);
251 -
252 -##Disable the Samba password policy using samba-tool
253 -warn "Samba domain: Disabling default Samba password policy\n";
254 -
255 -my $samba_tool = "/usr/bin/samba-tool domain passwordsettings set " .
256 - "--complexity=off " .
257 - "--min-pwd-length=0 " .
258 - "--min-pwd-age=0 " .
259 - "--max-pwd-age=365 " .
260 - "-U Administrator\%$AdminPass";
261 -system ($samba_tool);
262 -die "Samba domain error: Unable to disable default password policy.\n" if ($? == -1);
263 -
264 -1;
265 -
