Realm is now almost fully online

12 years ago · c39d52d4c9
parent b6e7d7b515
commit c39d52d4c9
9 changed files with 101 additions and 59 deletions
--- a/confskel/openldap/ldap/slapd.conf
+++ b/confskel/openldap/ldap/slapd.conf
@ -87,6 +87,7 @@ authz-regexp "gidNumber=.*+uidNumber=0,cn=peercred,cn=external,cn=auth" "uid=@@@
 #
 access to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName,krb5KeyVersionNumber,krb5MaxLife,krb5MaxRenew,krb5KDCFlags
 by dn="uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@" write
+ by group/groupOfNames/member.exact="cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@" write
 by sockurl.regex="^ldapi:///$" write
 by anonymous auth
 by self write
--- a/confskel/openldap/ldif/olcDatabase.ldif
+++ b/confskel/openldap/ldif/olcDatabase.ldif
@ -11,7 +11,8 @@ olcAccess: {0}to attrs=userPassword,shadowLastChange,krb5Key,krb5PrincipalName
 olcAccess: {1}to dn.base=""  by * read
 olcAccess: {2}to *  by dn.base="uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm
 ,@@@REALM_DCNAME@@@" write  by sockurl.regex="^ldapi:///$" write by dynacl/ac
- i write
+ i write  by group/groupOfNames/member.exact="cn=@@@ADMINGROUP@@@,ou=groups,ou
+ =core,ou=realm,@@@REALM_DCNAME@@@" write
 olcAddContentAcl: FALSE
 olcLastMod: TRUE
 olcMaxDerefDepth: 15
--- a/confskel/openldap/skel.ldif
+++ b/confskel/openldap/skel.ldif
@ -122,11 +122,38 @@ modifyTimestamp: @@@TIMESTAMP@@@Z

 dn: cn=@@@ADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
 cn: @@@ADMINGROUP@@@
+description: Realm Administrators
 emsdescription: Group
 emsplugins: PosixGroup
 emsplugins: KerberosGroup
 emstype: GroupEntry
-gidNumber: 999
+gidNumber: 900
+objectClass: groupOfNames
+objectClass: emsGroup
+objectClass: posixGroup
+objectClass: tdeAccountObject
+emsmodules: kerberos
+emsmodules: posix
+member: cn=placeholder,@@@REALM_DCNAME@@@
+member: uid=@@@ADMINUSER@@@,ou=users,ou=core,ou=realm,@@@REALM_DCNAME@@@
+memberUid: @@@ADMINUSER@@@
+tdeBuiltinAccount: TRUE
+emsmodelclass: EMSGroup
+structuralObjectClass: groupOfNames
+creatorsName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+createTimestamp: @@@TIMESTAMP@@@Z
+entryCSN: @@@TIMESTAMP@@@.000000Z#000000#000#000000
+modifiersName: cn=@@@ROOTUSER@@@,@@@REALM_DCNAME@@@
+modifyTimestamp: @@@TIMESTAMP@@@Z
+
+dn: cn=@@@LOCALADMINGROUP@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
+cn: @@@LOCALADMINGROUP@@@
+description: Machine Administrators
+emsdescription: Group
+emsplugins: PosixGroup
+emsplugins: KerberosGroup
+emstype: GroupEntry
+gidNumber: 901
 objectClass: groupOfNames
 objectClass: emsGroup
 objectClass: posixGroup
@ -166,7 +193,7 @@ cn: Realm Administrator
 emsdescription: Admin User Entry
 emsprimarygroupdn: cn=@@@ADMINUSER@@@,ou=groups,ou=core,ou=realm,@@@REALM_DCNAME@@@
 emstype: UserEntry
-gidNumber: 999
+gidNumber: 900
 givenName: Realm
 homeDirectory: /home/@@@ADMINUSER@@@
 krb5KDCFlags: 586
--- a/src/ldapcontroller.cpp
+++ b/src/ldapcontroller.cpp
@ -230,7 +230,7 @@ void LDAPController::save() {
 	load();
 }

-void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1) {
+void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, int ldifSchemaNumber=-1, uid_t userid=-1, gid_t groupid=-1) {
 	SHA1 sha;
 	sha.process(rootPassword, strlen(rootPassword));
 	TQString rootpw_hash = sha.base64Hash();
@ -271,6 +271,7 @@ void replacePlaceholdersInFile(TQString infile, TQString outfile, LDAPRealmConfi
 				line.replace("@@@ROOTPW_SHA@@@", rootpw_hash);
 				line.replace("@@@ADMINUSER@@@", adminUserName);
 				line.replace("@@@ADMINGROUP@@@", adminGroupName);
+				line.replace("@@@LOCALADMINGROUP@@@", machineAdminGroupName);
 				line.replace("@@@ADMINPW_SHA@@@", adminpw_hash);
 				line.replace("@@@PKINIT_REQUIRE_EKU@@@", (realmconfig.pkinit_require_eku)?"yes":"no");
 				line.replace("@@@PKINIT_REQUIRE_KRBTGT_OTHERNAME@@@", (realmconfig.pkinit_require_krbtgt_otherName)?"yes":"no");
@ -420,7 +421,7 @@ int LDAPController::initializeNewKerberosRealm(TQString realmName, TQString *err
 	return 1;	// Failure
 }

-int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) {
+int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr) {
 	int ldifSchemaNumber;

 	ProcessingDialog pdialog(dialogparent);
@ -429,6 +430,9 @@ int LDAPController::createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig r
 	pdialog.setActiveWindow();
 	tqApp->processEvents();

+	// Reset improperly uninitialized variables
+	realmconfig.bonded = true;
+
 	// Find the templates
 	TQString templateDir = locate("data", "kcmldapcontroller/skel/heimdal/heimdal.defaults");
 	templateDir.replace("heimdal/heimdal.defaults", "");
@ -471,14 +475,14 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 	mkdir(TQString(destDir + "ldap/slapd.d/cn=config").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);
 	mkdir(TQString(destDir + "ldap/slapd.d/cn=config/cn=schema").ascii(), S_IRUSR|S_IWUSR|S_IXUSR);

-	replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", destDir + "heimdal.defaults", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "heimdal-kdc/kadmind.acl", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "heimdal/heimdal.defaults", destDir + "heimdal.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "heimdal/kadmind.acl", destDir + "heimdal-kdc/kadmind.acl", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "heimdal/kdc.conf", destDir + "heimdal-kdc/kdc.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "heimdal/krb5.conf", destDir + "krb5.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);

-	replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
-	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", destDir + "ldap/slapd.defaults", realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "openldap/skel.ldif", configTempDir.name() + "skel.ldif", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+// 	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.conf", destDir + "ldap/slapd.conf", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);
+	replacePlaceholdersInFile(templateDir + "openldap/ldap/slapd.defaults", destDir + "ldap/slapd.defaults", realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword);

 	struct stat sb;
 	uid_t slapd_uid = 0;
@ -490,27 +494,27 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME

 	// Base database configuration
 	ldifSchemaNumber = 1;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/olcDatabase.ldif", destDir + "ldap/slapd.d/cn=config/" + TQString("olcDatabase={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);

 	// Schema files
 	ldifSchemaNumber = 0;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 1;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/cosine.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}cosine.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/cosine.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}cosine.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 2;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/inetorgperson.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}inetorgperson.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/inetorgperson.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}inetorgperson.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 3;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2307bis.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2307bis.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2307bis.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2307bis.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 4;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2739.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2739.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/rfc2739.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}rfc2739.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 5;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/ppolicy.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ppolicy.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/ppolicy.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ppolicy.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 6;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/ems-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ems-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/ems-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}ems-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 7;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/hdb.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/hdb.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}hdb.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
 	ldifSchemaNumber = 8;
-	replacePlaceholdersInFile(templateDir + "openldap/ldif/tde-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}tde-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);
+	replacePlaceholdersInFile(templateDir + "openldap/ldif/tde-core.ldif", destDir + "ldap/slapd.d/cn=config/cn=schema/" + TQString("cn={%1}tde-core.ldif").arg(ldifSchemaNumber), realmconfig, adminUserName, adminGroupName, machineAdminGroupName, adminPassword, rootUserName, rootPassword, ldifSchemaNumber, slapd_uid, slapd_gid);

 	// Set permissions
 	chmod(TQString(destDir + "heimdal.defaults").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);
@ -519,7 +523,7 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 	chmod(TQString(destDir + "krb5.conf").ascii(), S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);

 	chmod(TQString(configTempDir.name() + "skel.ldif").ascii(), S_IRUSR|S_IWUSR);
-	chmod(TQString(destDir + "ldap/slapd.conf").ascii(), S_IRUSR|S_IWUSR);
+// 	chmod(TQString(destDir + "ldap/slapd.conf").ascii(), S_IRUSR|S_IWUSR);
 	chmod(TQString(destDir + "ldap/slapd.defaults").ascii(), S_IRUSR|S_IWUSR|S_IRGRP);

 	pdialog.setStatusMessage(i18n("Loading initial database into LDAP..."));
@ -566,9 +570,7 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 		return -1;
 	}

-	// RAJA FIXME
 	// Move all those new Heimdal entries to the correct tree/branch
-	// ,o=kerberos,cn=kerberos control,ou=master services,ou=core,ou=realm,dc=cluster90,dc=edu
 	TQStringList domainChunks = TQStringList::split(".", realmconfig.name.lower());
 	TQString basedcname = "dc=" + domainChunks.join(",dc=");
 	LDAPCredentials* credentials = new LDAPCredentials;
@ -586,11 +588,15 @@ configTempDir.setAutoDelete(false);	// RAJA DEBUG ONLY FIXME
 	delete ldap_mgr;
 	delete credentials;

-	// RAJA FIXME
-	// Write the ldap.conf file!
+	// Write the TDE realm configuration file
+	LDAPRealmConfigList realms;
+	realms.insert(realmconfig.name, realmconfig);
+	LDAPManager::writeTDERealmList(realms, m_systemconfig);
+	m_systemconfig->writeEntry("DefaultRealm", realmconfig.name);
+	m_systemconfig->sync();

-	// RAJA FIXME
-	// Clean out all realms from the TDE configuration files and insert this realm ONLY!
+	pdialog.setStatusMessage(i18n("Configuring local system..."));
+	LDAPManager::writeLDAPConfFile(realmconfig);

 	// RAJA FIXME
 	pdialog.closeDialog();
--- a/src/ldapcontroller.h
+++ b/src/ldapcontroller.h
@ -30,6 +30,8 @@
 #include <tqpushbutton.h>
 #include <tqcombobox.h>

+#include <libtdeldap.h>
+
 #include "ldapcontrollerconfigbase.h"

 enum sc_command {
@ -40,25 +42,6 @@ enum sc_command {
 	SC_SETDBPERMS
 };

-// PRIVATE
-class LDAPRealmConfig
-{
-	public:
-		TQString name;
-		bool bonded;
-		long uid_offset;
-		long gid_offset;
-		TQStringList domain_mappings;
-		TQString kdc;
-		int kdc_port;
-		TQString admin_server;
-		int admin_server_port;
-		bool pkinit_require_eku;
-		bool pkinit_require_krbtgt_otherName;
-		bool win2k_pkinit;
-		bool win2k_pkinit_require_binding;
-};
-
 class LDAPController: public KCModule
 {
 	Q_OBJECT
@ -75,7 +58,7 @@ class LDAPController: public KCModule
 		virtual const KAboutData *aboutData() const { return myAboutData; };

 	public:
-		int createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr);
+		int createNewLDAPRealm(TQWidget* dialogparent, LDAPRealmConfig realmconfig, TQString adminUserName, TQString adminGroupName, TQString machineAdminGroupName, const char * adminPassword, TQString rootUserName, const char * rootPassword, TQString adminRealm, TQString *errstr);

 		// FIXME
 		// This should be moved to a TDE core library
--- a/src/realmfinishpage.cpp
+++ b/src/realmfinishpage.cpp
@ -44,6 +44,7 @@ RealmFinishPage::RealmFinishPage(TQWidget *parent, const char *name ) : RealmFin

 	connect(ldapAdminUsername, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries()));
 	connect(ldapAdminGroupname, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries()));
+	connect(ldapMachineAdminGroupname, TQT_SIGNAL(textChanged(const TQString&)), this, TQT_SLOT(validateEntries()));

 	m_parentWizard = dynamic_cast<KWizard*>(parent);
 	m_parentDialog = dynamic_cast<KDialogBase*>(parent);
@ -55,7 +56,7 @@ RealmFinishPage::~RealmFinishPage(){

 void RealmFinishPage::validateEntries() {
 	if (m_parentWizard) {
-		if ((ldapAdminUsername->text() != "") && (ldapAdminGroupname->text() != "")) {
+		if ((ldapAdminUsername->text() != "") && (ldapAdminGroupname->text() != "") && (ldapMachineAdminGroupname->text() != "")) {
 			m_parentWizard->finishButton()->setEnabled(true);
 		}
 		else {
@ -63,7 +64,7 @@ void RealmFinishPage::validateEntries() {
 		}
 	}
 	if (m_parentDialog) {
-		if ((ldapAdminUsername->text() != "") && (ldapAdminGroupname->text() != "")) {
+		if ((ldapAdminUsername->text() != "") && (ldapAdminGroupname->text() != "") && (ldapMachineAdminGroupname->text() != "")) {
 			m_parentDialog->enableButton(KDialogBase::Ok, true);
 		}
 		else {
--- a/src/realmfinishpagedlg.ui
+++ b/src/realmfinishpagedlg.ui
@ -8,7 +8,7 @@
 			<property name="name">
 				<cstring>unnamed</cstring>
 			</property>
-			<widget class="TQLabel" row="0" column="0" rowspan="9" colspan="1">
+			<widget class="TQLabel" row="0" column="0" rowspan="10" colspan="1">
 				<property name="name">
 					<cstring>px_introSidebar</cstring>
 				</property>
@ -99,7 +99,7 @@
 					<cstring>unnamed</cstring>
 				</property>
 				<property name="text">
-					<string>Administration Group</string>
+					<string>Realm Administration Group</string>
 				</property>
 			</widget>
 			<widget class="KLineEdit" row="5" column="2">
@ -112,15 +112,28 @@
 					<cstring>unnamed</cstring>
 				</property>
 				<property name="text">
-					<string>LDAP Realm</string>
+					<string>Machine Administration Group</string>
 				</property>
 			</widget>
 			<widget class="KLineEdit" row="6" column="2">
+				<property name="name">
+					<cstring>ldapMachineAdminGroupname</cstring>
+				</property>
+			</widget>
+			<widget class="TQLabel" row="7" column="1">
+				<property name="name">
+					<cstring>unnamed</cstring>
+				</property>
+				<property name="text">
+					<string>LDAP Realm</string>
+				</property>
+			</widget>
+			<widget class="KLineEdit" row="7" column="2">
 				<property name="name">
 					<cstring>ldapAdminRealm</cstring>
 				</property>
 			</widget>
-			<spacer row="7" column="1">
+			<spacer row="8" column="1">
 				<property name="name">
 					<cstring>Spacer6</cstring>
 				</property>
@ -137,7 +150,7 @@
 					</size>
 				</property>
 			</spacer>
-			<spacer row="7" column="1">
+			<spacer row="9" column="1">
 				<property name="name">
 					<cstring>Spacer5</cstring>
 				</property>
--- a/src/realmintropagedlg.ui
+++ b/src/realmintropagedlg.ui
@ -99,8 +99,8 @@
 				<height>30</height>
 				</size>
 			</property>
-			</spacer>
-			<spacer row="7" column="1">
+		</spacer>
+		<spacer row="7" column="1">
 			<property name="name">
 				<cstring>Spacer5</cstring>
 			</property>
--- a/src/realmwizard.cpp
+++ b/src/realmwizard.cpp
@ -88,6 +88,8 @@ RealmWizard::RealmWizard(LDAPController* controller, TQString fqdn, TQWidget *pa
 	realmpage->txtKDC->setText(m_fqdn);
 	realmpage->txtAdminServer->setText(m_fqdn);
 	realmpage->realmNameChanged();
+	finishpage->ldapAdminGroupname->setText("realmadmins");
+	finishpage->ldapMachineAdminGroupname->setText("machineadmins");

 	// Other setup
 	finishpage->ldapAdminRealm->setEnabled(false);
@ -203,12 +205,20 @@ void RealmWizard::accept() {
 	TQString errorString;
 	// RAJA FIXME
 	// root account should not be locked to "admin"!
-	if (m_controller->createNewLDAPRealm(this, m_realmconfig, finishpage->ldapAdminUsername->text(), finishpage->ldapAdminGroupname->text(), finishpage->ldapAdminPassword->password(), "admin", finishpage->ldapAdminPassword->password(), finishpage->ldapAdminRealm->text(), &errorString) == 0) {
+	backButton()->setEnabled(false);
+	nextButton()->setEnabled(false);
+	finishButton()->setEnabled(false);
+	cancelButton()->setEnabled(false);
+	if (m_controller->createNewLDAPRealm(this, m_realmconfig, finishpage->ldapAdminUsername->text(), finishpage->ldapAdminGroupname->text(), finishpage->ldapMachineAdminGroupname->text(), finishpage->ldapAdminPassword->password(), "admin", finishpage->ldapAdminPassword->password(), finishpage->ldapAdminRealm->text(), &errorString) == 0) {
 		done(0);
 	}
 	else {
 		KMessageBox::error(this, i18n("<qt><b>Unable to create new realm!</b><p>Details: %1</qt>").arg(errorString), i18n("Unable to create new realm"));
 	}
+
+	backButton()->setEnabled(true);
+	finishButton()->setEnabled(true);
+	cancelButton()->setEnabled(true);
 }

 /** calls all save functions after resetting all features/ OS/ theme selections to Trinity default */