|
375 |
fi |
375 |
fi |
376 |
} |
376 |
} |
377 |
|
377 |
|
|
|
378 |
create_dns_spn() { |
379 |
spn_account_name_password=$(makepasswd --chars=18) |
380 |
|
381 |
spn_account_name="dns-$hostname" |
382 |
|
383 |
samba-tool user add "$spn_account_name" "$spn_account_name_password=" |
384 |
|
385 |
samba-tool user setexpiry --noexpiry "$spn_account_name" |
386 |
|
387 |
ldbmodify -H /var/lib/samba/private/sam.ldb <<-%EOF |
388 |
dn: CN=$spn_account_name,CN=Users,$samba4_ldap_base |
389 |
changetype: modify |
390 |
replace: servicePrincipalName |
391 |
servicePrincipalName: DNS/$hostname.$domainname |
392 |
%EOF |
393 |
|
394 |
# get msDS-KeyVersionNumber |
395 |
msdsKeyVersion=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="$spn_account_name" msDS-KeyVersionNumber\ |
396 |
| sed -n 's/^msDS-KeyVersionNumber: \(.*\)/\1/p') |
397 |
if [ -z "$msdsKeyVersion" ]; then |
398 |
echo "ERROR: Could not determine msDS-KeyVersionNumber of $spn_account_name account!" |
399 |
msdsKeyVersion=1 |
400 |
fi |
401 |
|
402 |
ldbadd -H /var/lib/samba/private/secrets.ldb <<-%EOF |
403 |
dn: samAccountName=$spn_account_name,CN=Principals |
404 |
objectClass: kerberosSecret |
405 |
privateKeytab: dns.keytab |
406 |
realm: $kerberos_realm |
407 |
sAMAccountName: $spn_account_name |
408 |
secret: $spn_account_name_password |
409 |
servicePrincipalName: DNS/$hostname.$domainname |
410 |
name: $spn_account_name |
411 |
msDS-KeyVersionNumber: $msdsKeyVersion |
412 |
%EOF |
413 |
} |
414 |
|
378 |
### --- END helper functions --- |
415 |
### --- END helper functions --- |
379 |
|
416 |
|
380 |
extract_binddn_and_bindpwd_from_args "$@" |
417 |
extract_binddn_and_bindpwd_from_args "$@" |
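Review bot: The password handed to `samba-tool user add` at new line 383 is `"$spn_account_name_password="` — the generated value followed by a literal `=` — while the `secret:` attribute written to secrets.ldb at new line 408 is the bare `$spn_account_name_password`, so unless the trailing `=` is deliberate the kerberosSecret entry presumably will not match the account's actual password and the dns.keytab derived from it would be unusable; if it is deliberate, append it once where the variable is set, e.g. `spn_account_name_password="$(makepasswd --chars=18)="`, and use the same variable in both places. The `makepasswd` result at new line 379 is also never checked: if the tool is missing or fails, the function still creates the account and stores an empty secret, so guard it with `spn_account_name_password=$(makepasswd --chars=18) || return 1` followed by `[ -n "$spn_account_name_password" ] || return 1`. Passing the password as a command-line argument additionally makes it readable in the process list by any local user for as long as `samba-tool user add` runs; the window is short during a DC join, but a comment stating that this exposure is accepted would help the next reader. Finally, when the msDS-KeyVersionNumber lookup at new lines 395–400 fails the function prints an ERROR to stdout and then continues with `msdsKeyVersion=1`, which can leave a keytab carrying the wrong kvno; returning non-zero there (and sending the message to stderr) would surface the problem instead of masking it.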
|
514 |
|
551 |
|
515 |
fi |
552 |
fi |
516 |
|
553 |
|
517 |
/usr/share/univention-samba4/scripts/create_dns-host_spn.py |
554 |
create_dns_spn |
518 |
|
555 |
|
519 |
if [ $JS_LAST_EXECUTED_VERSION -lt 1 ]; then |
556 |
if [ $JS_LAST_EXECUTED_VERSION -lt 1 ]; then |
520 |
## set default ACLs so sysvol-sync can read files and directories |
557 |
## set default ACLs so sysvol-sync can read files and directories |