[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-586-g9d9bd31
Andrew Bartlett
abartlet at samba.org
Sun Sep 20 21:40:04 MDT 2009
The branch, master has been updated
via 9d9bd31bf9069f8e0ddf0cd49da49e96dbec8ea5 (commit)
via bfddb6816f50f629d29e476327a921212fd63a2d (commit)
via 1d4a16acd7e6c5bd664f2276d4d8e86efb36baaf (commit)
via 509a2bb97c5ccb13c4c2f885f3961f2880aceb91 (commit)
from 11bfbc516077d1cead94d0bc70ef24267b9014e7 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9d9bd31bf9069f8e0ddf0cd49da49e96dbec8ea5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Sep 20 20:28:42 2009 -0700
s4:py_security Add missing header
commit bfddb6816f50f629d29e476327a921212fd63a2d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Sep 20 16:27:24 2009 -0700
s4:provision Use code to store domain join in 'net join' as well
This ensures we only have one codepath to store the secret, and
therefore that we have a single choke point for setting the
saltPrincipal, which we were previously skipping.
Andrew Bartlett
commit 1d4a16acd7e6c5bd664f2276d4d8e86efb36baaf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Sep 20 15:38:29 2009 -0700
s4:ldb print out which LDB the transaction is still active on.
commit 509a2bb97c5ccb13c4c2f885f3961f2880aceb91
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Sep 19 20:40:17 2009 -0700
s4:provision split provision of DNS zone and self join keytab
-----------------------------------------------------------------------
Summary of changes:
source4/lib/ldb/common/ldb.c | 4 +-
source4/libnet/libnet_join.c | 286 ++-------------------------
source4/libnet/libnet_vampire.c | 49 +++--
source4/librpc/ndr/py_security.c | 5 +
source4/librpc/ndr/py_security.h | 23 +++
source4/param/config.mk | 2 +-
source4/param/provision.c | 131 ++++++++++++-
source4/param/provision.h | 16 ++
source4/scripting/python/samba/provision.py | 99 ++++++++--
source4/setup/secrets_dc.ldif | 24 ---
source4/setup/secrets_dns.ldif | 11 +
source4/setup/secrets_self_join.ldif | 13 ++
12 files changed, 333 insertions(+), 330 deletions(-)
create mode 100644 source4/librpc/ndr/py_security.h
delete mode 100644 source4/setup/secrets_dc.ldif
create mode 100644 source4/setup/secrets_dns.ldif
create mode 100644 source4/setup/secrets_self_join.ldif
Changeset truncated at 500 lines:
diff --git a/source4/lib/ldb/common/ldb.c b/source4/lib/ldb/common/ldb.c
index 613451a..b75d837 100644
--- a/source4/lib/ldb/common/ldb.c
+++ b/source4/lib/ldb/common/ldb.c
@@ -41,8 +41,8 @@ static int ldb_context_destructor(void *ptr)
if (ldb->transaction_active) {
ldb_debug(ldb, LDB_DEBUG_FATAL,
- "A transaction is still active in ldb context [%p]",
- ldb);
+ "A transaction is still active in ldb context [%p] on %s",
+ ldb, (const char *)ldb_get_opaque(ldb, "ldb_url"));
}
return 0;
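Review bot: The new `%s` argument can be a NULL pointer: `ldb_get_opaque(ldb, "ldb_url")` returns NULL for a context that was never connected (or had the opaque never set), and passing NULL to a `%s` conversion is undefined behaviour in the formatter behind `ldb_debug`, so the one place this message is meant to help debugging can itself crash. I would fetch the value first and substitute a marker, e.g. `const char *url = ldb_get_opaque(ldb, "ldb_url");` followed by `ldb, url ? url : "<not connected>");` in the call. ldb_context_destructor continues past the end of this hunk.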
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index 86ad685..fc7de10 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -33,6 +33,7 @@
#include "auth/credentials/credentials_krb5.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
#include "param/param.h"
+#include "param/provision.h"
/*
* complete a domain join, when joining to a AD domain:
@@ -860,254 +861,6 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru
return status;
}
-NTSTATUS libnet_set_join_secrets(struct libnet_context *ctx,
- TALLOC_CTX *mem_ctx,
- struct libnet_set_join_secrets *r)
-{
- TALLOC_CTX *tmp_mem;
- int ret, rtn;
- struct ldb_context *ldb;
- struct ldb_dn *base_dn;
- struct ldb_message **msgs, *msg;
- const char *sct;
- const char * const attrs[] = {
- "whenChanged",
- "secret",
- "priorSecret",
- "priorChanged",
- "krb5Keytab",
- "privateKeytab",
- NULL
- };
-
- tmp_mem = talloc_new(mem_ctx);
- if (!tmp_mem) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* Open the secrets database */
- ldb = secrets_db_connect(tmp_mem, ctx->event_ctx, ctx->lp_ctx);
- if (!ldb) {
- r->out.error_string
- = talloc_asprintf(mem_ctx,
- "Could not open secrets database");
- talloc_free(tmp_mem);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
- /*
- * now prepare the record for secrets.ldb
- */
- sct = talloc_asprintf(tmp_mem, "%d", r->in.join_type);
- if (!sct) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- msg = ldb_msg_new(tmp_mem);
- if (!msg) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- base_dn = ldb_dn_new(tmp_mem, ldb, "cn=Primary Domains");
- if (!base_dn) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- msg->dn = ldb_dn_copy(tmp_mem, base_dn);
- if ( ! ldb_dn_add_child_fmt(msg->dn, "flatname=%s", r->in.domain_name)) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "flatname", r->in.domain_name);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (r->in.realm) {
- rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "realm", r->in.realm);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
- }
-
- rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "objectClass", "primaryDomain");
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "objectClass", "kerberosSecret");
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "secret", r->in.join_password);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "samAccountName", r->in.account_name);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "secureChannelType", sct);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (r->in.kvno) {
- rtn = samdb_msg_add_uint(ldb, tmp_mem, msg, "msDS-KeyVersionNumber",
- r->in.kvno);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
- }
-
- if (r->in.domain_sid) {
- rtn = samdb_msg_add_dom_sid(ldb, tmp_mem, msg, "objectSid",
- r->in.domain_sid);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
- }
-
- /*
- * search for the secret record
- * - remove the records we find
- * - and fetch the old secret and store it under priorSecret
- */
- ret = gendb_search(ldb,
- tmp_mem, base_dn,
- &msgs, attrs,
- "(|" SECRETS_PRIMARY_DOMAIN_FILTER "(realm=%s))",
- r->in.domain_name, r->in.realm);
- if (ret == 0) {
- rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "privateKeytab", "secrets.keytab");
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
- } else if (ret == -1) {
- r->out.error_string
- = talloc_asprintf(mem_ctx,
- "Search for domain: %s and realm: %s failed: %s",
- r->in.domain_name, r->in.realm, ldb_errstring(ldb));
- talloc_free(tmp_mem);
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- } else {
- const struct ldb_val *private_keytab;
- const struct ldb_val *krb5_main_keytab;
- const struct ldb_val *prior_secret;
- const struct ldb_val *prior_modified_time;
- int i;
-
- for (i = 0; i < ret; i++) {
- ldb_delete(ldb, msgs[i]->dn);
- }
-
- prior_secret = ldb_msg_find_ldb_val(msgs[0], "secret");
- if (prior_secret) {
- rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "priorSecret", prior_secret);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
- }
- rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "secret", r->in.join_password);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- prior_modified_time = ldb_msg_find_ldb_val(msgs[0],
- "whenChanged");
- if (prior_modified_time) {
- rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "priorWhenChanged",
- prior_modified_time);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
- }
-
- rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "samAccountName", r->in.account_name);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "secureChannelType", sct);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
-
- /* We will want to keep the keytab names */
- private_keytab = ldb_msg_find_ldb_val(msgs[0], "privateKeytab");
- if (private_keytab) {
- rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "privateKeytab", private_keytab);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
- }
- krb5_main_keytab = ldb_msg_find_ldb_val(msgs[0], "krb5Keytab");
- if (krb5_main_keytab) {
- rtn = samdb_msg_set_value(ldb, tmp_mem, msg,
- "krb5Keytab", krb5_main_keytab);
- if (rtn == -1) {
- r->out.error_string = NULL;
- talloc_free(tmp_mem);
- return NT_STATUS_NO_MEMORY;
- }
- }
- }
-
- /* create the secret */
- ret = ldb_add(ldb, msg);
- if (ret != 0) {
- r->out.error_string = talloc_asprintf(mem_ctx, "Failed to create secret record %s",
- ldb_dn_get_linearized(msg->dn));
- talloc_free(tmp_mem);
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- return NT_STATUS_OK;
-}
-
static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx,
TALLOC_CTX *mem_ctx,
struct libnet_Join *r)
@@ -1115,11 +868,12 @@ static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx,
NTSTATUS status;
TALLOC_CTX *tmp_mem;
struct libnet_JoinDomain *r2;
- struct libnet_set_join_secrets *r3;
+ struct provision_store_self_join_settings *set_secrets;
uint32_t acct_type = 0;
const char *account_name;
const char *netbios_name;
-
+ const char *error_string;
+
r->out.error_string = NULL;
tmp_mem = talloc_new(mem_ctx);
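Review bot: `const char *error_string;` is declared without an initialiser, yet it is later passed by address to provision_store_self_join and, on failure, handed to talloc_steal; provision.c is truncated from this changeset, so nothing here proves that every error return in the callee stores to `*error_string`, and if any path does not, talloc_steal runs on an indeterminate pointer. Initialising the local costs nothing and makes the failure path safe regardless: `const char *error_string = NULL;`. libnet_Join_primary_domain continues beyond this hunk.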
@@ -1179,26 +933,26 @@ static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx,
return status;
}
- r3 = talloc(tmp_mem, struct libnet_set_join_secrets);
- if (!r3) {
+ set_secrets = talloc(tmp_mem, struct provision_store_self_join_settings);
+ if (!set_secrets) {
r->out.error_string = NULL;
talloc_free(tmp_mem);
return NT_STATUS_NO_MEMORY;
}
- ZERO_STRUCTP(r3);
- r3->in.domain_name = r2->out.domain_name;
- r3->in.realm = r2->out.realm;
- r3->in.account_name = account_name;
- r3->in.netbios_name = netbios_name;
- r3->in.join_type = r->in.join_type;
- r3->in.join_password = r2->out.join_password;
- r3->in.kvno = r2->out.kvno;
- r3->in.domain_sid = r2->out.domain_sid;
+ ZERO_STRUCTP(set_secrets);
+ set_secrets->domain_name = r2->out.domain_name;
+ set_secrets->realm = r2->out.realm;
+ set_secrets->account_name = account_name;
+ set_secrets->netbios_name = netbios_name;
+ set_secrets->secure_channel_type = r->in.join_type;
+ set_secrets->machine_password = r2->out.join_password;
+ set_secrets->key_version_number = r2->out.kvno;
+ set_secrets->domain_sid = r2->out.domain_sid;
- status = libnet_set_join_secrets(ctx, r3, r3);
+ status = provision_store_self_join(ctx, ctx->lp_ctx, ctx->event_ctx, set_secrets, &error_string);
if (!NT_STATUS_IS_OK(status)) {
- r->out.error_string = talloc_steal(mem_ctx, r3->out.error_string);
+ r->out.error_string = talloc_steal(mem_ctx, error_string);
talloc_free(tmp_mem);
return status;
}
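Review bot: The allocation followed by `ZERO_STRUCTP(set_secrets);` is the two-step spelling of what talloc already offers as one call, and elsewhere in the tree this pattern is written with the zeroing allocator; `set_secrets = talloc_zero(tmp_mem, struct provision_store_self_join_settings);` replaces both lines and removes the window in which the struct holds garbage. This is purely a point of style; the behaviour is the same. libnet_Join_primary_domain continues beyond this hunk.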
@@ -1206,11 +960,11 @@ static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx,
/* move all out parameter to the callers TALLOC_CTX */
r->out.error_string = NULL;
r->out.join_password = r2->out.join_password;
- talloc_steal(mem_ctx, r2->out.join_password);
+ talloc_reparent(r2, mem_ctx, r2->out.join_password);
r->out.domain_sid = r2->out.domain_sid;
- talloc_steal(mem_ctx, r2->out.domain_sid);
+ talloc_reparent(r2, mem_ctx, r2->out.domain_sid);
r->out.domain_name = r2->out.domain_name;
- talloc_steal(mem_ctx, r2->out.domain_name);
+ talloc_reparent(r2, mem_ctx, r2->out.domain_name);
talloc_free(tmp_mem);
return NT_STATUS_OK;
}
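Review bot: Switching from talloc_steal to `talloc_reparent(r2, mem_ctx, ...)` changes failure semantics that the hunk does not check: as I read the talloc API, talloc_reparent returns NULL and leaves the object where it is when `r2` is not the pointer's current parent, whereas talloc_steal always moved it. libnet_JoinDomain is not visible here, so whether `r2->out.join_password`, `r2->out.domain_sid` and `r2->out.domain_name` are allocated directly on `r2` cannot be confirmed from this diff; if any of them is parented elsewhere under `tmp_mem`, the following `talloc_free(tmp_mem)` frees data the caller has just been handed. I would either assert the result, e.g. `SMB_ASSERT(talloc_reparent(r2, mem_ctx, r2->out.join_password) != NULL);`, or add a comment on the first reparent recording that the three outputs are guaranteed to be children of r2.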
diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c
index 327a64d..19453a4 100644
--- a/source4/libnet/libnet_vampire.c
+++ b/source4/libnet/libnet_vampire.c
@@ -595,10 +595,11 @@ NTSTATUS libnet_Vampire(struct libnet_context *ctx, TALLOC_CTX *mem_ctx,
struct libnet_Vampire *r)
{
struct libnet_JoinDomain *join;
- struct libnet_set_join_secrets *set_secrets;
+ struct provision_store_self_join_settings *set_secrets;
struct libnet_BecomeDC b;
struct vampire_state *s;
struct ldb_message *msg;
+ const char *error_string;
int ldb_ret;
uint32_t i;
NTSTATUS status;
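Review bot: `const char *error_string;` is added uninitialised, and further down it is passed by address to provision_store_self_join and then talloc_steal'ed on failure; since provision.c is cut off in this changeset it is not visible whether every error path in the callee writes `*error_string`. `const char *error_string = NULL;` removes the dependency on that contract. libnet_Vampire's body continues outside this hunk.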
@@ -709,40 +710,52 @@ NTSTATUS libnet_Vampire(struct libnet_context *ctx, TALLOC_CTX *mem_ctx,
return NT_STATUS_INTERNAL_DB_ERROR;
}
- /* commit the transaction - this commits all the changes in
- the ldb from the whole vampire. Note that this commit
+ /* prepare the transaction - this prepares to commit all the changes in
+ the ldb from the whole vampire. Note that this
triggers the writing of the linked attribute backlinks.
*/
- if (ldb_transaction_commit(s->ldb) != LDB_SUCCESS) {
- printf("Failed to commit vampire transaction\n");
+ if (ldb_transaction_prepare_commit(s->ldb) != LDB_SUCCESS) {
+ printf("Failed to prepare_commit vampire transaction\n");
return NT_STATUS_INTERNAL_DB_ERROR;
}
- set_secrets = talloc_zero(s, struct libnet_set_join_secrets);
+ set_secrets = talloc(s, struct provision_store_self_join_settings);
if (!set_secrets) {
+ r->out.error_string = NULL;
+ talloc_free(s);
return NT_STATUS_NO_MEMORY;
}
-
- set_secrets->in.domain_name = join->out.domain_name;
- set_secrets->in.realm = join->out.realm;
- set_secrets->in.account_name = account_name;
- set_secrets->in.netbios_name = netbios_name;
- set_secrets->in.join_type = SEC_CHAN_BDC;
- set_secrets->in.join_password = join->out.join_password;
- set_secrets->in.kvno = join->out.kvno;
- set_secrets->in.domain_sid = join->out.domain_sid;
- status = libnet_set_join_secrets(ctx, set_secrets, set_secrets);
+ ZERO_STRUCTP(set_secrets);
+ set_secrets->domain_name = join->out.domain_name;
+ set_secrets->realm = join->out.realm;
+ set_secrets->account_name = account_name;
+ set_secrets->netbios_name = netbios_name;
+ set_secrets->secure_channel_type = SEC_CHAN_BDC;
+ set_secrets->machine_password = join->out.join_password;
+ set_secrets->key_version_number = join->out.kvno;
+ set_secrets->domain_sid = join->out.domain_sid;
+
+ status = provision_store_self_join(ctx, ctx->lp_ctx, ctx->event_ctx, set_secrets, &error_string);
if (!NT_STATUS_IS_OK(status)) {
- r->out.error_string = talloc_steal(mem_ctx, set_secrets->out.error_string);
+ r->out.error_string = talloc_steal(mem_ctx, error_string);
talloc_free(s);
return status;
}
r->out.domain_name = talloc_steal(r, join->out.domain_name);
r->out.domain_sid = talloc_steal(r, join->out.domain_sid);
- talloc_free(s);
+ /* commit the transaction now we know the secrets were written
+ * out properly
+ */
+ if (ldb_transaction_commit(s->ldb) != LDB_SUCCESS) {
+ printf("Failed to commit vampire transaction\n");
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ talloc_free(s);
+
return NT_STATUS_OK;
}
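Review bot: After ldb_transaction_prepare_commit succeeds, the three error paths that follow leave the prepared transaction dangling: the talloc failure and the provision_store_self_join failure both call `talloc_free(s)` without cancelling it (which is exactly the "transaction is still active" FATAL that the ldb.c hunk in this series makes more verbose), and the new commit-failure branch returns without freeing `s` at all, so the context and its open transaction are leaked. I would add `ldb_transaction_cancel(s->ldb);` before `talloc_free(s);` in both earlier branches and `talloc_free(s);` before the return in the commit-failure branch. Note also that the machine secret is written to secrets.ldb before the sam.ldb commit, so a commit failure leaves a stored DC secret with no matching domain data; that cannot be made atomic across two databases, but it deserves a comment next to the commit call. libnet_Vampire begins before this hunk.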
diff --git a/source4/librpc/ndr/py_security.c b/source4/librpc/ndr/py_security.c
index 02dc059..1b185a5 100644
--- a/source4/librpc/ndr/py_security.c
+++ b/source4/librpc/ndr/py_security.c
@@ -23,6 +23,11 @@
#define Py_RETURN_NONE return Py_INCREF(Py_None), Py_None
#endif
+PyObject *py_dom_sid_FromSid(struct dom_sid *sid)
+{
+ return py_talloc_reference(&dom_sid_Type, sid);
+}
+
static void PyType_AddMethods(PyTypeObject *type, PyMethodDef *methods)
{
PyObject *dict;
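Review bot: py_dom_sid_FromSid is a new exported function with no comment on ownership, and what it does to a NULL `sid` depends entirely on py_talloc_reference, whose behaviour is not visible here. A short header comment would settle the contract for callers, e.g. `/* Wrap sid in a Python dom_sid object. The object takes a talloc reference, so the C caller keeps ownership of sid; assumes py_talloc_reference reports a NULL sid as an error with the Python exception set - confirm. */`. If that assumption turns out to be false, an explicit `if (sid == NULL) { PyErr_SetString(PyExc_ValueError, "sid is NULL"); return NULL; }` guard belongs at the top.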
diff --git a/source4/librpc/ndr/py_security.h b/source4/librpc/ndr/py_security.h
new file mode 100644
index 0000000..9d200fa
--- /dev/null
+++ b/source4/librpc/ndr/py_security.h
@@ -0,0 +1,23 @@
+/*
+ Unix SMB/CIFS implementation.
+ Samba utility functions
+ Copyright (C) Jelmer Vernooij <jelmer at samba.org> 2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "libcli/security/security.h"
+
+/* a lone prototype for this function, because it's python */
+PyObject *py_dom_sid_FromSid(struct dom_sid *sid);
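Review bot: The new header has no include guard and uses `PyObject` without including `Python.h`, so it only compiles when the including file has already pulled in the Python headers, and a second inclusion redeclares the prototype. I would wrap the file in `#ifndef _PY_SECURITY_H_` / `#define _PY_SECURITY_H_` / `#endif` and add `#include <Python.h>` ahead of the security.h include (or, if the project deliberately avoids Python.h in headers, say so in the existing "lone prototype" comment so the ordering requirement is documented).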
diff --git a/source4/param/config.mk b/source4/param/config.mk
index 6e5290b..45eb836 100644
--- a/source4/param/config.mk
+++ b/source4/param/config.mk
@@ -13,7 +13,7 @@ PUBLIC_HEADERS += param/param.h
PC_FILES += $(paramsrcdir)/samba-hostconfig.pc
[SUBSYSTEM::PROVISION]
-PRIVATE_DEPENDENCIES = LIBPYTHON pyldb pyparam_util
+PRIVATE_DEPENDENCIES = LIBPYTHON pyldb pyparam_util python_dcerpc_security
PROVISION_OBJ_FILES = $(paramsrcdir)/provision.o $(param_OBJ_FILES)
diff --git a/source4/param/provision.c b/source4/param/provision.c
index bbc6837..355af79 100644
--- a/source4/param/provision.c