From b5e5c2a84bee4c6a1ac9087b7b0d9fb0da120d39 Mon Sep 17 00:00:00 2001
From: jbjohnso
Date: Thu, 10 Jan 2013 20:30:44 +0000
Subject: [PATCH] First pass at automating the behavior of disabling/enabling local admin account.
git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@14855 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
---
 xCAT-server/lib/perl/xCAT/Template.pm | 36 +++++++++++++++++++
 .../windows/datacenter.win2012.x86_64.tmpl | 3 ++
 .../datacenter.win2012.x86_64.tmpl.uefi | 3 ++
 .../windows/hypervisor.hyperv2012.x86_64.tmpl | 3 ++
 .../hypervisor.hyperv2012.x86_64.tmpl.uefi | 3 ++
 .../windows/standard.win2012.x86_64.tmpl | 3 ++
 .../windows/standard.win2012.x86_64.tmpl.uefi | 3 ++
 7 files changed, 54 insertions(+)
diff --git a/xCAT-server/lib/perl/xCAT/Template.pm b/xCAT-server/lib/perl/xCAT/Template.pm
index a9d3f8971..b21b7eb78 100644
--- a/xCAT-server/lib/perl/xCAT/Template.pm
+++ b/xCAT-server/lib/perl/xCAT/Template.pm
@@ -34,6 +34,7 @@ my $idir;
 my $node;
 my %loggedrealms;
 my $lastmachinepassdata;
+my $localadminenabled; #indicate whether Windows template has local logins enabled or not
 my %tab_replacement=(
 "noderes:nfsserver"=>"noderes:xcatmaster",
 "noderes:tftpserver"=>"noderes:xcatmaster",
@@ -190,6 +191,8 @@ sub subvars {
 $inc =~ s/#WINTIMEZONE#/xCAT::TZUtils::get_wintimezone()/eg;
 $inc =~ s/#WINPRODKEY:([^#]+)#/get_win_prodkey($1)/eg;
 $inc =~ s/#WINADJOIN#/windows_join_data()/eg;
+ $inc =~ s/#WINACCOUNTDATA#/windows_account_data()/eg;
+ $inc =~ s/#WINDISABLENULLADMIN#/windows_disable_null_admin()/eg;
 $inc =~ s/#HOSTNAME#/$node/g;
 my $nrtab = xCAT::Table->new("noderes");
 
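Review bot: `$localadminenabled` is file-scoped and is only assigned inside `windows_account_data()`, so when a template carries `#WINDISABLENULLADMIN#` but no `#WINACCOUNTDATA#` the second new substitution reads whatever value the previously rendered template left behind (undef on the first call), and the Administrator account can stay enabled on one node because an earlier node's template set the flag. Reset the flag before the pair of substitutions, `$localadminenabled = 0;`, so every rendering starts from a known state. The order of the two added lines is what makes the feature work — the `#WINACCOUNTDATA#` pass runs before `#WINDISABLENULLADMIN#` no matter where the tokens sit in the template — and deserves a comment such as `# order matters: windows_account_data() sets $localadminenabled, which windows_disable_null_admin() reads`. subvars begins and ends outside this hunk.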
@@ -259,6 +262,39 @@ sub subvars {
 close($outh);
 return 0;
 }
+sub windows_disable_null_admin {
+#in the event where windows_account_data has not set an administrator user, we explicitly disable the administrator user
+ unless ($localadminenabled) {
+ return '
+
+ 100
+ cmd /c %systemroot%\system32\net.exe user Administrator /active:no
+
+';
+ }
+ return "";
+}
+sub windows_account_data {
+#this will add domain accounts if configured to be in active directory
+#it will also put in an administrator password for local account, *if* specified
+ my $passtab = xCAT::Table->new('passwd',-create=>0);
+ my $useraccountxml="";
+ $localadminenabled=0;
+ if ($passtab) {
+ my $passent = $passtab->getAttribs({key=>"system",username=>"Administrator"},['password']);
+ if ($passent and $passent->{password}) {
+ $useraccountxml="\n".$passent->{password}."\ntrue</PlainText>\n</AdministratorPassword>\n";
+ $useraccountxml.="<!-- Plaintext=false would only protect against the most cursory over the shoulder glance, this implementation opts not to even give the illusion of privacy by only doing plaintext. -->\n";
+ $localadminenabled=1;
+ }
+ }
+
+ unless ($::XCATSITEVALS{directoryprovider} eq "activedirectory" and $::XCATSITEVALS{domain}) {
+ return $useraccountxml;
+ }
+ $useraccountxml.="<DomainAccounts><DomainAccountList>\n<DomainAccount wcm:action=\"add\">\n<Group>Administrators</Group>\n<Name>Domain Admins</Name>\n</DomainAccount>\n<Domain>".$::XCATSITEVALS{domain}."</Domain>\n</DomainAccountList>\n</DomainAccounts>\n";
+ return $useraccountxml;
+}
 #this will examine table data, decide *if* a Microsoft-Windows-UnattendedJoin is warranted
 #there are two variants in how to proceed:
 #-Hide domain administrator from node: xCAT will use MACHINEPASSWORD to do joining to AD. Currently requires SSL be enabled on DC. Samba 4 TODO
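Review bot: `$passent->{password}` and `$::XCATSITEVALS{domain}` are concatenated into the unattend XML verbatim in `windows_account_data`, so a password containing `&`, `<` or `>` produces a malformed `AdministratorPassword` element and the node most likely ends up with a failed setup or a password other than the one stored in the passwd table. Escape the value before building the fragment, e.g. `(my $pw = $passent->{password}) =~ s/&/&amp;/g;` followed by `$pw =~ s/</&lt;/g;` and `$pw =~ s/>/&gt;/g;`, and treat the domain name the same way. The truthiness test `$passent->{password}` also treats a stored password of `0` as "not set" and silently leaves the account disabled; `defined $passent->{password} and length $passent->{password}` is the intended check. Under `use warnings`, `$::XCATSITEVALS{directoryprovider} eq "activedirectory"` will warn about an uninitialized value whenever the site attribute is absent, which is the common non-AD configuration.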
diff --git a/xCAT-server/share/xcat/install/windows/datacenter.win2012.x86_64.tmpl b/xCAT-server/share/xcat/install/windows/datacenter.win2012.x86_64.tmpl
index 08569fe28..9f6a45654 100644
--- a/xCAT-server/share/xcat/install/windows/datacenter.win2012.x86_64.tmpl
+++ b/xCAT-server/share/xcat/install/windows/datacenter.win2012.x86_64.tmpl
@@ -108,6 +108,9 @@
 </FirewallGroups>
 </component>
 <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <RunSynchronous>
+ #WINDISABLENULLADMIN#
+ </RunSynchronous>
 </component>
 <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <ComputerName>#TABLE:nodelist:$NODE:node#</ComputerName>
diff --git a/xCAT-server/share/xcat/install/windows/datacenter.win2012.x86_64.tmpl.uefi b/xCAT-server/share/xcat/install/windows/datacenter.win2012.x86_64.tmpl.uefi
index 070cc9255..8c7fcbb8b 100644
--- a/xCAT-server/share/xcat/install/windows/datacenter.win2012.x86_64.tmpl.uefi
+++ b/xCAT-server/share/xcat/install/windows/datacenter.win2012.x86_64.tmpl.uefi
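Review bot: The three inserted lines reference `#WINDISABLENULLADMIN#` but neither this hunk nor the file's 3-line diffstat adds a `#WINACCOUNTDATA#` token, and `windows_disable_null_admin()` only consults the flag that `windows_account_data()` sets; unless that token already appears elsewhere in the template, the Administrator password configured in the passwd table is never written for this template and the disable command is emitted on every render (or on whatever stale flag value the previous render left). When the flag is set the substitution expands to nothing, leaving an empty `<RunSynchronous></RunSynchronous>` inside the Microsoft-Windows-Deployment component; I am not certain Windows Setup accepts an empty RunSynchronous list, so moving the `<RunSynchronous>` wrapper into the Perl return string and keeping only `#WINDISABLENULLADMIN#` in the template would avoid emitting the element at all in that case. The same applies to the identical hunks in datacenter.win2012.x86_64.tmpl.uefi, hypervisor.hyperv2012.x86_64.tmpl, hypervisor.hyperv2012.x86_64.tmpl.uefi, standard.win2012.x86_64.tmpl and standard.win2012.x86_64.tmpl.uefi.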
@@ -120,6 +120,9 @@
 </FirewallGroups>
 </component>
 <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <RunSynchronous>
+ #WINDISABLENULLADMIN#
+ </RunSynchronous>
 </component>
 <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <ComputerName>#TABLE:nodelist:$NODE:node#</ComputerName>
diff --git a/xCAT-server/share/xcat/install/windows/hypervisor.hyperv2012.x86_64.tmpl b/xCAT-server/share/xcat/install/windows/hypervisor.hyperv2012.x86_64.tmpl
index 52d37ea1d..5503e9688 100644
--- a/xCAT-server/share/xcat/install/windows/hypervisor.hyperv2012.x86_64.tmpl
+++ b/xCAT-server/share/xcat/install/windows/hypervisor.hyperv2012.x86_64.tmpl
@@ -107,6 +107,9 @@
 </FirewallGroups>
 </component>
 <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <RunSynchronous>
+ #WINDISABLENULLADMIN#
+ </RunSynchronous>
 </component>
 <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <ComputerName>#TABLE:nodelist:$NODE:node#</ComputerName>
diff --git a/xCAT-server/share/xcat/install/windows/hypervisor.hyperv2012.x86_64.tmpl.uefi b/xCAT-server/share/xcat/install/windows/hypervisor.hyperv2012.x86_64.tmpl.uefi
index 9928fca3b..c483f6b7e 100644
--- a/xCAT-server/share/xcat/install/windows/hypervisor.hyperv2012.x86_64.tmpl.uefi
+++ b/xCAT-server/share/xcat/install/windows/hypervisor.hyperv2012.x86_64.tmpl.uefi
@@ -117,6 +117,9 @@
 </FirewallGroups>
 </component>
 <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <RunSynchronous>
+ #WINDISABLENULLADMIN#
+ </RunSynchronous>
 </component>
 <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <ComputerName>#TABLE:nodelist:$NODE:node#</ComputerName>
diff --git a/xCAT-server/share/xcat/install/windows/standard.win2012.x86_64.tmpl b/xCAT-server/share/xcat/install/windows/standard.win2012.x86_64.tmpl
index f208d2040..b4acfd446 100644
--- a/xCAT-server/share/xcat/install/windows/standard.win2012.x86_64.tmpl
+++ b/xCAT-server/share/xcat/install/windows/standard.win2012.x86_64.tmpl
@@ -108,6 +108,9 @@
 </FirewallGroups>
 </component>
 <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <RunSynchronous>
+ #WINDISABLENULLADMIN#
+ </RunSynchronous>
 </component>
 <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <ComputerName>#TABLE:nodelist:$NODE:node#</ComputerName>
diff --git a/xCAT-server/share/xcat/install/windows/standard.win2012.x86_64.tmpl.uefi b/xCAT-server/share/xcat/install/windows/standard.win2012.x86_64.tmpl.uefi
index d189ecb6f..ba8a33645 100644
--- a/xCAT-server/share/xcat/install/windows/standard.win2012.x86_64.tmpl.uefi
+++ b/xCAT-server/share/xcat/install/windows/standard.win2012.x86_64.tmpl.uefi
@@ -118,6 +118,9 @@
 </FirewallGroups>
 </component>
 <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <RunSynchronous>
+ #WINDISABLENULLADMIN#
+ </RunSynchronous>
 </component>
 <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <ComputerName>#TABLE:nodelist:$NODE:node#</ComputerName>