|
1408 |
if not "hosts/static/%s" % self.ad_server_ip in self.ucr: |
1408 |
if not "hosts/static/%s" % self.ad_server_ip in self.ucr: |
1409 |
msg=[] |
1409 |
msg=[] |
1410 |
msg.append("") |
1410 |
msg.append("") |
1411 |
msg.append("Error: given IP %s was not mapped to a hostname in phase I.") |
1411 |
msg.append("Error: given IP %s was not mapped to a hostname in phase I." % (self.ad_server_ip,)) |
1412 |
msg.append(" Please complete phase I of the takeover before initiating the FSMO takeover.") |
1412 |
msg.append(" Please complete phase I of the takeover before initiating the FSMO takeover.") |
1413 |
log.error("\n".join(msg)) |
1413 |
log.error("\n".join(msg)) |
1414 |
raise TakeoverError(_("The Active Directory domain join was not completed successfully yet.")) |
1414 |
raise TakeoverError(_("The Active Directory domain join was not completed successfully yet.")) |
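Review bot: The guard on the hunk's first line, `if not "hosts/static/%s" % self.ad_server_ip in self.ucr:`, is easier to read as a membership test, `if "hosts/static/%s" % self.ad_server_ip not in self.ucr:`; the two are equivalent because `in` binds tighter than `not`, so this is wording only. The `msg.append("")` that opens the message list puts a blank line at the top of the logged error; if that leading newline is deliberate, a one-line comment such as `# leading blank line separates the error from preceding log output` would make the intent explicit. The enclosing method starts and ends outside the hunk.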
|
1732 |
if dns_SPN_account_password[0] == '-': ## avoid passing an option |
1732 |
if dns_SPN_account_password[0] == '-': ## avoid passing an option |
1733 |
dns_SPN_account_password= '#%s' % dns_SPN_account_password |
1733 |
dns_SPN_account_password= '#%s' % dns_SPN_account_password |
1734 |
dns_SPN_account_name = "dns-%s" % self.ucr["hostname"] |
1734 |
dns_SPN_account_name = "dns-%s" % self.ucr["hostname"] |
1735 |
run_and_output_to_log(["samba-tool", "user", "add", dns_SPN_account_name, dns_SPN_account_password], log.debug, print_commandline = False) |
1735 |
|
|
|
1736 |
dnsKeyVersion = 1 ## default |
1737 |
msgs = self.samdb.search(base="CN=%s,CN=Users,%s" % (dns_SPN_account_name, self.ucr["samba4/ldap/base"]), scope=samba.ldb.SCOPE_BASE, |
1738 |
attrs=["msDS-KeyVersionNumber"]) |
1739 |
if msgs: |
1740 |
log.warn("CN=%s,CN=User already exists in sam.ldb" % dns_SPN_account_name) |
1741 |
run_and_output_to_log(["samba-tool", "user", "setpassword", dns_SPN_account_name, "--newpassword=%s" % (dns_SPN_account_password, )], log.debug, print_commandline = False) |
1742 |
else: |
1743 |
returncode = run_and_output_to_log(["samba-tool", "user", "add", dns_SPN_account_name, dns_SPN_account_password], log.debug, print_commandline = False) |
1744 |
if returncode != 0: |
1745 |
log.error("Adding CN=%s,CN=User failed!" % dns_SPN_account_name) |
1746 |
return |
1747 |
|
1736 |
run_and_output_to_log(["samba-tool", "user", "setexpiry", "--noexpiry", dns_SPN_account_name], log.debug) |
1748 |
run_and_output_to_log(["samba-tool", "user", "setexpiry", "--noexpiry", dns_SPN_account_name], log.debug) |
1737 |
delta = ldb.Message() |
1749 |
delta = ldb.Message() |
1738 |
delta.dn = ldb.Dn(self.samdb, "CN=%s,CN=Users,%s" % (dns_SPN_account_name, self.ucr["samba4/ldap/base"])) |
1750 |
delta.dn = ldb.Dn(self.samdb, "CN=%s,CN=Users,%s" % (dns_SPN_account_name, self.ucr["samba4/ldap/base"])) |
|
1739 |
delta["servicePrincipalName"] = ldb.MessageElement("DNS/%s" % self.local_fqdn, ldb.FLAG_MOD_REPLACE, "servicePrincipalName") |
1751 |
delta["servicePrincipalName"] = ldb.MessageElement("DNS/%s" % self.local_fqdn, ldb.FLAG_MOD_REPLACE, "servicePrincipalName") |
1740 |
self.samdb.modify(delta) |
1752 |
self.samdb.modify(delta) |
1741 |
|
1753 |
|
1742 |
dnsKeyVersion = 1 ## default |
|
|
1743 |
msgs = self.samdb.search(base="CN=%s,CN=Users,%s" % (dns_SPN_account_name, self.ucr["samba4/ldap/base"]), scope=samba.ldb.SCOPE_BASE, |
1754 |
msgs = self.samdb.search(base="CN=%s,CN=Users,%s" % (dns_SPN_account_name, self.ucr["samba4/ldap/base"]), scope=samba.ldb.SCOPE_BASE, |
1744 |
attrs=["msDS-KeyVersionNumber"]) |
1755 |
attrs=["msDS-KeyVersionNumber"]) |
1745 |
if msgs: |
1756 |
if msgs: |
|
1747 |
dnsKeyVersion = obj["msDS-KeyVersionNumber"][0] |
1758 |
dnsKeyVersion = obj["msDS-KeyVersionNumber"][0] |
1748 |
|
1759 |
|
1749 |
secretsdb = samba.Ldb(os.path.join(SAMBA_PRIVATE_DIR, "secrets.ldb"), session_info=system_session(self.lp), lp=self.lp) |
1760 |
secretsdb = samba.Ldb(os.path.join(SAMBA_PRIVATE_DIR, "secrets.ldb"), session_info=system_session(self.lp), lp=self.lp) |
1750 |
secretsdb.add({"dn": "samAccountName=%s,CN=Principals" % dns_SPN_account_name, |
1761 |
msgs = secretsdb.search(base="samAccountName=%s,CN=Principals" % (dns_SPN_account_name,), scope=samba.ldb.SCOPE_BASE, |
1751 |
"objectClass": "kerberosSecret", |
1762 |
attrs=["msDS-KeyVersionNumber"]) |
1752 |
"privateKeytab": "dns.keytab", |
1763 |
if msgs: |
1753 |
"realm": self.ucr["kerberos/realm"], |
1764 |
log.warn("samAccountName=%s,CN=Principals already exists in secrets.ldb" % dns_SPN_account_name) |
1754 |
"sAMAccountName": dns_SPN_account_name, |
1765 |
if "msDS-KeyVersionNumber" in obj: |
1755 |
"secret": dns_SPN_account_password, |
1766 |
if dnsKeyVersion != obj["msDS-KeyVersionNumber"][0]: |
1756 |
"servicePrincipalName": "DNS/%s" % self.local_fqdn, |
1767 |
delta = ldb.Message() |
1757 |
"saltPrincipal": "DNS/%s@%s" % (self.local_fqdn, self.ucr["kerberos/realm"]), |
1768 |
delta.dn = obj.dn |
1758 |
"name": dns_SPN_account_name, |
1769 |
delta["secret"] = ldb.MessageElement(dns_SPN_account_password, ldb.FLAG_MOD_REPLACE, "secret") |
1759 |
"msDS-KeyVersionNumber": dnsKeyVersion}) |
1770 |
delta["kvno"] = ldb.MessageElement(dnsKeyVersion, ldb.FLAG_MOD_REPLACE, "msDS-KeyVersionNumber") |
|
|
1771 |
secretsdb.modify(delta) |
1772 |
else: |
1773 |
secretsdb.add({"dn": "samAccountName=%s,CN=Principals" % dns_SPN_account_name, |
1774 |
"objectClass": "kerberosSecret", |
1775 |
"privateKeytab": "dns.keytab", |
1776 |
"realm": self.ucr["kerberos/realm"], |
1777 |
"sAMAccountName": dns_SPN_account_name, |
1778 |
"secret": dns_SPN_account_password, |
1779 |
"servicePrincipalName": "DNS/%s" % self.local_fqdn, |
1780 |
"saltPrincipal": "DNS/%s@%s" % (self.local_fqdn, self.ucr["kerberos/realm"]), |
1781 |
"name": dns_SPN_account_name, |
1782 |
"msDS-KeyVersionNumber": dnsKeyVersion}) |
1760 |
|
1783 |
|
1761 |
# returncode = run_and_output_to_log(["/usr/share/univention-samba4/scripts/create_dns-host_spn.py"], log.debug) |
1784 |
# returncode = run_and_output_to_log(["/usr/share/univention-samba4/scripts/create_dns-host_spn.py"], log.debug) |
1762 |
# if returncode != 0: |
1785 |
# if returncode != 0: |