[SCM] Samba Shared Repository - branch master updated
Nadezhda Ivanova
nivanova at samba.org
Wed Dec 22 04:21:01 MST 2010
The branch, master has been updated
via 935b985 s4-tests: Tests for Validated-SPN implementation.
via 3ba42be s4-acl: Implementation of Validated-SPN validated write
via 9aaacee s4-dsdb: Added a helper function to get the default dns domain as string.
from 2c657d8 s3:libsmb/namequery.c: don't leak 'pserver'
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 935b985d23f84738259a42cbcd889fa6022d5d65
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Wed Dec 22 12:27:50 2010 +0200
s4-tests: Tests for Validated-SPN implementation.
Test setting spn on RWDC, RODC and regular computer object.
Autobuild-User: Nadezhda Ivanova <nivanova at samba.org>
Autobuild-Date: Wed Dec 22 12:20:24 CET 2010 on sn-devel-104
commit 3ba42be7c178062c2e865d5197a5f3346f6b9a17
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Wed Dec 22 12:27:15 2010 +0200
s4-acl: Implementation of Validated-SPN validated write
If this right is granted to a user, they may modify the SPN of an object with some value restrictions
serviceName can be set only if the object is a DC, and then only to the default domain and netbios name, or ntds_guid._msdsc_.forest_domain. If the serviceType is GC, only to the forest root domain. If the serviceType is ldap, then to forest_domain or netbiosname.
InstanceType can be samAccountName or dnsHostName.
commit 9aaacee6cd19adf615f941771fe9d490b7dae3c4
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Wed Dec 22 12:19:46 2010 +0200
s4-dsdb: Added a helper function to get the default dns domain as string.
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/common/util.c | 19 +++
source4/dsdb/samdb/ldb_modules/acl.c | 215 +++++++++++++++++++++++++
source4/dsdb/tests/python/acl.py | 288 ++++++++++++++++++++++++++++++++--
3 files changed, 508 insertions(+), 14 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 36f6933..b2d4be0 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -3952,6 +3952,25 @@ const char *samdb_forest_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
return forest_name;
}
+/* returns back the default domain DNS name */
+const char *samdb_default_domain_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx)
+{
+ const char *domain_name = ldb_dn_canonical_string(mem_ctx,
+ ldb_get_default_basedn(ldb));
+ char *p;
+
+ if (domain_name == NULL) {
+ return NULL;
+ }
+
+ p = strchr(domain_name, '/');
+ if (p) {
+ *p = '\0';
+ }
+
+ return domain_name;
+}
+
/*
validate that an DSA GUID belongs to the specified user sid.
The user SID must be a domain controller account (either RODC or
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 7fc626a..42e08cd 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -41,6 +41,8 @@
#include "dsdb/samdb/ldb_modules/util.h"
#include "dsdb/samdb/ldb_modules/schema.h"
#include "lib/util/tsort.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
struct extended_access_check_attribute {
const char *oa_name;
@@ -431,6 +433,208 @@ static int acl_sDRightsEffective(struct ldb_module *module,
"sDRightsEffective", flags);
}
+static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
+ struct ldb_context *ldb,
+ const char *spn_value,
+ int userAccountControl,
+ const char *samAccountName,
+ const char *dnsHostName,
+ const char *netbios_name,
+ const char *ntds_guid)
+{
+ int ret;
+ krb5_context krb_ctx;
+ krb5_error_code kerr;
+ krb5_principal principal;
+ char *instanceName;
+ char *serviceType;
+ char *serviceName;
+ const char *realm;
+ const char *guid_str;
+ const char *forest_name = samdb_forest_name(ldb, mem_ctx);
+ const char *base_domain = samdb_default_domain_name(ldb, mem_ctx);
+ struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
+ struct loadparm_context);
+ bool is_dc = (userAccountControl & UF_SERVER_TRUST_ACCOUNT) ||
+ (userAccountControl & UF_PARTIAL_SECRETS_ACCOUNT);
+
+ kerr = smb_krb5_init_context_basic(mem_ctx,
+ lp_ctx,
+ &krb_ctx);
+ if (kerr != 0) {
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "Could not initialize kerberos context.");
+ }
+
+ ret = krb5_parse_name(krb_ctx, spn_value, &principal);
+ if (ret) {
+ krb5_free_context(krb_ctx);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
+ instanceName = principal->name.name_string.val[1];
+ serviceType = principal->name.name_string.val[0];
+ realm = krb5_principal_get_realm(krb_ctx, principal);
+ guid_str = talloc_asprintf(mem_ctx,"%s._msdcs.%s",
+ ntds_guid,
+ forest_name);
+ if (principal->name.name_string.len == 3) {
+ serviceName = principal->name.name_string.val[2];
+ } else {
+ serviceName = NULL;
+ }
+
+ if (serviceName) {
+ if (!is_dc) {
+ goto fail;
+ }
+ if (strcasecmp(serviceType, "ldap") == 0) {
+ if (strcasecmp(serviceName, netbios_name) != 0 &&
+ strcasecmp(serviceName, forest_name) != 0) {
+ goto fail;
+ }
+
+ } else if (strcasecmp(serviceType, "gc") == 0) {
+ if (strcasecmp(serviceName, forest_name) != 0) {
+ goto fail;
+ }
+ } else {
+ if (strcasecmp(serviceName, base_domain) != 0 &&
+ strcasecmp(serviceName, netbios_name) != 0) {
+ goto fail;
+ }
+ }
+ }
+ /* instanceName can be samAccountName without $ or dnsHostName
+ * or "ntds_guid._msdcs.forest_domain for DC objects */
+ if (strncasecmp(instanceName, samAccountName, strlen(samAccountName - 1)) == 0) {
+ goto success;
+ } else if (strcasecmp(instanceName, dnsHostName) == 0) {
+ goto success;
+ } else if (is_dc) {
+ if (strcasecmp(instanceName, guid_str) == 0) {
+ goto success;
+ }
+ } else {
+ goto fail;
+ }
+fail:
+ krb5_free_principal(krb_ctx, principal);
+ krb5_free_context(krb_ctx);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+
+success:
+ krb5_free_principal(krb_ctx, principal);
+ krb5_free_context(krb_ctx);
+ return LDB_SUCCESS;
+}
+
+static int acl_check_spn(TALLOC_CTX *mem_ctx,
+ struct ldb_module *module,
+ struct ldb_request *req,
+ struct security_descriptor *sd,
+ struct dom_sid *sid,
+ const struct GUID *oc_guid,
+ const struct dsdb_attribute *attr)
+{
+ int ret;
+ unsigned int i;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct ldb_result *acl_res;
+ struct ldb_result *netbios_res;
+ struct ldb_message_element *el;
+ struct ldb_dn *partitions_dn = samdb_partitions_dn(ldb, tmp_ctx);
+ int userAccountControl;
+ const char *samAccountName;
+ const char *dnsHostName;
+ const char *netbios_name;
+ const struct GUID *ntds = samdb_ntds_objectGUID(ldb);
+ const char *ntds_guid = GUID_string(tmp_ctx, ntds);
+
+ static const char *acl_attrs[] = {
+ "samAccountName",
+ "dnsHostName",
+ "userAccountControl",
+ NULL
+ };
+ static const char *netbios_attrs[] = {
+ "nETBIOSName",
+ NULL
+ };
+ /* if we have wp, we can do whatever we like */
+ if (acl_check_access_on_attribute(module,
+ tmp_ctx,
+ sd,
+ sid,
+ SEC_ADS_WRITE_PROP,
+ attr) == LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+ }
+
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_VALIDATE_SPN,
+ SEC_ADS_SELF_WRITE,
+ sid);
+
+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ dsdb_acl_debug(sd, acl_user_token(module),
+ req->op.mod.message->dn,
+ true,
+ 10);
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ ret = dsdb_module_search_dn(module, tmp_ctx,
+ &acl_res, req->op.mod.message->dn,
+ acl_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_SEARCH_SHOW_DELETED);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ userAccountControl = ldb_msg_find_attr_as_int(acl_res->msgs[0], "userAccountControl", 0);
+ dnsHostName = ldb_msg_find_attr_as_string(acl_res->msgs[0], "dnsHostName", NULL);
+ samAccountName = ldb_msg_find_attr_as_string(acl_res->msgs[0], "samAccountName", NULL);
+
+ ret = dsdb_module_search(module, tmp_ctx,
+ &netbios_res, partitions_dn,
+ LDB_SCOPE_ONELEVEL,
+ netbios_attrs,
+ DSDB_FLAG_NEXT_MODULE,
+ "(ncName=%s)",
+ ldb_dn_get_linearized(ldb_get_default_basedn(ldb)));
+
+ netbios_name = ldb_msg_find_attr_as_string(netbios_res->msgs[0], "nETBIOSName", NULL);
+
+ el = ldb_msg_find_element(req->op.mod.message, "servicePrincipalName");
+ if (!el) {
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "Error finding element for servicePrincipalName.");
+ }
+
+ for (i=0; i < el->num_values; i++) {
+ ret = acl_validate_spn_value(tmp_ctx,
+ ldb,
+ (char *)el->values[i].data,
+ userAccountControl,
+ samAccountName,
+ dnsHostName,
+ netbios_name,
+ ntds_guid);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+ }
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+}
+
static int acl_add(struct ldb_module *module, struct ldb_request *req)
{
int ret;
@@ -758,6 +962,17 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
if (ret != LDB_SUCCESS) {
goto fail;
}
+ } else if (ldb_attr_cmp("servicePrincipalName", req->op.mod.message->elements[i].name) == 0) {
+ ret = acl_check_spn(tmp_ctx,
+ module,
+ req,
+ sd,
+ sid,
+ guid,
+ attr);
+ if (ret != LDB_SUCCESS) {
+ goto fail;
+ }
} else {
/* This basic attribute existence check with the right errorcode
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index 12f653b..977221f 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -21,10 +21,10 @@ from ldb import ERR_OPERATIONS_ERROR
from ldb import Message, MessageElement, Dn
from ldb import FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE
from samba.ndr import ndr_pack, ndr_unpack
-from samba.dcerpc import security
+from samba.dcerpc import security, drsuapi, misc, netlogon, nbt
from samba.auth import system_session
-from samba import gensec, sd_utils
+from samba import gensec, sd_utils, join
from samba.samdb import SamDB
from samba.credentials import Credentials
import samba.tests
@@ -47,6 +47,12 @@ if len(args) < 1:
sys.exit(1)
host = args[0]
+if not "://" in host:
+ ldaphost = "ldap://%s" % host
+else:
+ ldaphost = host
+ start = host.rindex("://")
+ host = host.lstrip(start+3)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
@@ -87,7 +93,7 @@ class AclTests(samba.tests.TestCase):
creds_tmp.set_workstation(creds.get_workstation())
creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
| gensec.FEATURE_SEAL)
- ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
+ ldb_target = SamDB(url=ldaphost, credentials=creds_tmp, lp=lp)
return ldb_target
# Test if we have any additional groups for users than default ones
@@ -238,7 +244,7 @@ class AclAddTests(AclTests):
def test_add_anonymous(self):
"""Test add operation with anonymous user"""
- anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
+ anonymous = SamDB(url=ldaphost, credentials=self.creds_tmp, lp=lp)
try:
anonymous.newuser("test_add_anonymous", self.user_pass)
except LdbError, (num, _):
@@ -574,7 +580,7 @@ Member: CN=test_modify_user2,CN=Users,""" + self.base_dn
def test_modify_anonymous(self):
"""Test add operation with anonymous user"""
- anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
+ anonymous = SamDB(url=ldaphost, credentials=self.creds_tmp, lp=lp)
self.ldb_admin.newuser("test_anonymous", "samba123@")
m = Message()
m.dn = Dn(anonymous, self.get_user_dn("test_anonymous"))
@@ -658,7 +664,7 @@ class AclSearchTests(AclTests):
def test_search_anonymous1(self):
"""Verify access of rootDSE with the correct request"""
- anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
+ anonymous = SamDB(url=ldaphost, credentials=self.creds_tmp, lp=lp)
res = anonymous.search("", expression="(objectClass=*)", scope=SCOPE_BASE)
self.assertEquals(len(res), 1)
#verify some of the attributes
@@ -674,7 +680,7 @@ class AclSearchTests(AclTests):
def test_search_anonymous2(self):
"""Make sure we cannot access anything else"""
- anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
+ anonymous = SamDB(url=ldaphost, credentials=self.creds_tmp, lp=lp)
try:
res = anonymous.search("", expression="(objectClass=*)", scope=SCOPE_SUBTREE)
except LdbError, (num, _):
@@ -702,7 +708,7 @@ class AclSearchTests(AclTests):
mod = "(A;CI;LC;;;AN)"
self.sd_utils.dacl_add_ace("OU=test_search_ou1," + self.base_dn, mod)
self.ldb_admin.create_ou("OU=test_search_ou2,OU=test_search_ou1," + self.base_dn)
- anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
+ anonymous = SamDB(url=ldaphost, credentials=self.creds_tmp, lp=lp)
res = anonymous.search("OU=test_search_ou2,OU=test_search_ou1," + self.base_dn,
expression="(objectClass=*)", scope=SCOPE_SUBTREE)
self.assertEquals(len(res), 1)
@@ -997,7 +1003,7 @@ class AclDeleteTests(AclTests):
def test_delete_anonymous(self):
"""Test add operation with anonymous user"""
- anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp)
+ anonymous = SamDB(url=ldaphost, credentials=self.creds_tmp, lp=lp)
self.ldb_admin.newuser("test_anonymous", "samba123@")
try:
@@ -1556,11 +1562,265 @@ class AclExtendedTests(AclTests):
self.assertEqual(len(res),1)
self.assertTrue("nTSecurityDescriptor" in res[0].keys())
+class AclSPNTests(AclTests):
+
+ def setUp(self):
+ super(AclSPNTests, self).setUp()
+ self.dcname = "TESTSRV8"
+ self.rodcname = "TESTRODC8"
+ self.computername = "testcomp8"
+ self.test_user = "spn_test_user8"
+ self.computerdn = "CN=%s,CN=computers,%s" % (self.computername, self.base_dn)
+ self.dc_dn = "CN=%s,OU=Domain Controllers,%s" % (self.dcname, self.base_dn)
+ self.site = "Default-First-Site-Name"
+ self.rodcctx = samba.join.dc_join(server=host, creds=creds, lp=lp, site=self.site, netbios_name=self.rodcname,
+ targetdir=None, domain=None)
+ self.dcctx = samba.join.dc_join(server=host, creds=creds, lp=lp, site=self.site, netbios_name=self.dcname,
+ targetdir=None, domain=None)
+ self.ldb_admin.newuser(self.test_user, self.user_pass)
+ self.ldb_user1 = self.get_ldb_connection(self.test_user, self.user_pass)
+ self.user_sid1 = self.sd_utils.get_object_sid(self.get_user_dn(self.test_user))
+ self.create_computer(self.computername, self.dcctx.dnsdomain)
+ self.create_rodc(self.rodcctx)
+ self.create_dc(self.dcctx)
+
+ def tearDown(self):
+ super(AclSPNTests, self).tearDown()
+ self.rodcctx.cleanup_old_join()
+ self.dcctx.cleanup_old_join()
+ delete_force(self.ldb_admin, "cn=%s,cn=computers,%s" % (self.computername, self.base_dn))
+ delete_force(self.ldb_admin, self.get_user_dn(self.test_user))
+
+ def replace_spn(self, _ldb, dn, spn):
+ print "Setting spn %s on %s" % (spn, dn)
+ res = self.ldb_admin.search(dn, expression="(objectClass=*)",
+ scope=SCOPE_BASE, attrs=["servicePrincipalName"])
+ if "servicePrincipalName" in res[0].keys():
+ flag = FLAG_MOD_REPLACE
+ else:
+ flag = FLAG_MOD_ADD
+
+ msg = Message()
+ msg.dn = Dn(self.ldb_admin, dn)
+ msg["servicePrincipalName"] = MessageElement(spn, flag,
+ "servicePrincipalName")
+ _ldb.modify(msg)
+
+ def create_computer(self, computername, domainname):
+ dn = "CN=%s,CN=computers,%s" % (computername, self.base_dn)
+ samaccountname = computername + "$"
+ dnshostname = "%s.%s" % (computername, domainname)
+ self.ldb_admin.add({
+ "dn": dn,
+ "objectclass": "computer",
+ "sAMAccountName": samaccountname,
+ "userAccountControl": str(samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT),
+ "dNSHostName": dnshostname})
+
+ # same as for join_RODC, but do not set any SPNs
+ def create_rodc(self, ctx):
+ ctx.krbtgt_dn = "CN=krbtgt_%s,CN=Users,%s" % (ctx.myname, ctx.base_dn)
+
+ ctx.never_reveal_sid = [ "<SID=%s-%s>" % (ctx.domsid, security.DOMAIN_RID_RODC_DENY),
+ "<SID=%s>" % security.SID_BUILTIN_ADMINISTRATORS,
+ "<SID=%s>" % security.SID_BUILTIN_SERVER_OPERATORS,
+ "<SID=%s>" % security.SID_BUILTIN_BACKUP_OPERATORS,
+ "<SID=%s>" % security.SID_BUILTIN_ACCOUNT_OPERATORS ]
+ ctx.reveal_sid = "<SID=%s-%s>" % (ctx.domsid, security.DOMAIN_RID_RODC_ALLOW)
+
+ mysid = ctx.get_mysid()
+ admin_dn = "<SID=%s>" % mysid
+ ctx.managedby = admin_dn
+
+ ctx.userAccountControl = (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT |
+ samba.dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION |
+ samba.dsdb.UF_PARTIAL_SECRETS_ACCOUNT)
+
+ ctx.connection_dn = "CN=RODC Connection (FRS),%s" % ctx.ntds_dn
+ ctx.secure_channel_type = misc.SEC_CHAN_RODC
+ ctx.RODC = True
+ ctx.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
+ drsuapi.DRSUAPI_DRS_PER_SYNC |
+ drsuapi.DRSUAPI_DRS_GET_ANC |
+ drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
+ drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING)
+
+ ctx.join_add_objects()
+
+ def create_dc(self, ctx):
+ ctx.userAccountControl = samba.dsdb.UF_SERVER_TRUST_ACCOUNT | samba.dsdb.UF_TRUSTED_FOR_DELEGATION
+ ctx.secure_channel_type = misc.SEC_CHAN_BDC
+ ctx.replica_flags = (drsuapi.DRSUAPI_DRS_WRIT_REP |
+ drsuapi.DRSUAPI_DRS_INIT_SYNC |
+ drsuapi.DRSUAPI_DRS_PER_SYNC |
+ drsuapi.DRSUAPI_DRS_FULL_SYNC_IN_PROGRESS |
+ drsuapi.DRSUAPI_DRS_NEVER_SYNCED)
+
+ ctx.join_add_objects()
+
+ def dc_spn_test(self, ctx):
+ netbiosdomain = self.dcctx.get_domain_name()
+ try:
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "HOST/%s/%s" % (ctx.myname, netbiosdomain))
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+
+ mod = "(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;%s)" % str(self.user_sid1)
+ self.sd_utils.dacl_add_ace(ctx.acct_dn, mod)
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "HOST/%s/%s" % (ctx.myname, netbiosdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "HOST/%s" % (ctx.myname))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "HOST/%s.%s/%s" %
+ (ctx.myname, ctx.dnsdomain, netbiosdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "HOST/%s/%s" % (ctx.myname, ctx.dnsdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "HOST/%s.%s/%s" %
+ (ctx.myname, ctx.dnsdomain, ctx.dnsdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "GC/%s.%s/%s" %
+ (ctx.myname, ctx.dnsdomain, ctx.dnsdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "ldap/%s/%s" % (ctx.myname, netbiosdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "ldap/%s.%s/%s" %
+ (ctx.myname, ctx.dnsdomain, netbiosdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "ldap/%s" % (ctx.myname))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "ldap/%s/%s" % (ctx.myname, ctx.dnsdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "ldap/%s.%s/%s" %
+ (ctx.myname, ctx.dnsdomain, ctx.dnsdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "DNS/%s/%s" % (ctx.myname, ctx.dnsdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "RestrictedKrbHost/%s/%s" %
+ (ctx.myname, ctx.dnsdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "RestrictedKrbHost/%s" %
+ (ctx.myname))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/%s/%s" %
+ (ctx.myname, ctx.dnsdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/%s/%s" %
+ (ctx.myname, ctx.dnsdomain))
+ self.replace_spn(self.ldb_user1, ctx.acct_dn, "ldap/%s._msdcs.%s" %
+ (ctx.ntds_guid, ctx.dnsdomain))
+
--
Samba Shared Repository
More information about the samba-cvs
mailing list