[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Jun 23 04:12:04 MDT 2010


The branch, master has been updated
       via  ff5ace2... s4:selftest Fix up netbios names for rpc_echo test
       via  aba99e4... s4:selftest For the moment the server role '2008_R2' is case sensitive
       via  58a7b9a... s4:selftest Change netbios aliases to shorter names.
       via  1acd49c... s4:selftest Add 2003 and 2008R2 test environments and tests
       via  86ed5eb... s4:net Remove warnings for 2000 native mode and Samba4.
       via  d0f52dd... s4:provision Raise default max functional level to 2008R2
       via  b26125b... s4:provision Remove am_rodc from Schema
       via  ebc2da1... s4:libnet When joining a domain, update msDS-SupportedEncryptionTypes
       via  c4482bf... libds:common Remove DS_DC_* domain functionality flags
       via  80701e5... s4:kdc Use msDS-SupportedEncTypes in our KDC
      from  06ed666... doc: Remove the documentation of the sequence command of wbinfo.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ff5ace20a26f90179b63fe4730b7d81b77cca3fe
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 23 13:50:55 2010 +1000

    s4:selftest Fix up netbios names for rpc_echo test

commit aba99e4464af8d74de01d45ecc0dda69fbd23fec
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 23 10:24:14 2010 +1000

    s4:selftest For the moment the server role '2008_R2' is case sensitive

commit 58a7b9af3f139df70feeefe6d6875935e1eea832
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 23 09:53:20 2010 +1000

    s4:selftest Change netbios aliases to shorter names.
    
    This makes the netbios names more sensible, and the aliases shorter.
    
    (the name localfl2008rc2dc7 was too long...)
    
    Andrew Bartlett

commit 1acd49c524f40d27e1bef09e1dcc572863894b01
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 21 22:17:40 2010 +1000

    s4:selftest Add 2003 and 2008R2 test environments and tests
    
    These tests were chosen particularly because they are known to test things
    that vary across the functional levels.
    
    Andrew Bartlett

commit 86ed5eb8923e477f3336cbf4a0bedb69b2f3c288
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 21 21:41:49 2010 +1000

    s4:net Remove warnings for 2000 native mode and Samba4.
    
    We now support 2000 native mode, and so we just need to warn about mixed mode.
    
    Andrew Bartlett

commit d0f52ddac23a0b1af3718627af00469ae13ab762
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 21 21:40:15 2010 +1000

    s4:provision Raise default max functional level to 2008R2
    
    We don't support many of the extra features, but that applies across many
    other parts of AD.  Allow the admin to join a 2008R2 domain if he or she wants.
    
    This also makes it possible to test 2008R2 domain code in 'make test'
    
    Andrew Bartlett

commit b26125b7d3242895038065ddece32554436ba474
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 21 23:18:53 2010 +1000

    s4:provision Remove am_rodc from Schema
    
    The SamDB created in the schema code isn't real enough to care if it's an
    rodc or not.

commit ebc2da10cdd63e5151f9b1138f9da91b408830c9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 21 21:20:27 2010 +1000

    s4:libnet When joining a domain, update msDS-SupportedEncryptionTypes
    
    We need this for our DC to have clients use AES keys to us

commit c4482bf53e26c43edccb0871fa5525a590a1026c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 21 20:19:02 2010 +1000

    libds:common Remove DS_DC_* domain functionality flags
    
    These are just a subset of the DS_DOMAIN_ functionality flags, and are compared and often confused with each other.  Just make them one set.
    
    Andrew Bartlett

commit 80701e5f29567e4ad75a66eb6c8711f817b361b8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Jun 13 13:19:23 2010 +1000

    s4:kdc Use msDS-SupportedEncTypes in our KDC
    
    We need to honour this, otherwise we will send AES-encrypted tickets
    to unprepared Kerberos targets.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 libds/common/flags.h                               |   12 +--
 selftest/target/Samba4.pm                          |  112 ++++++++++++++++++-
 source4/dsdb/pydsdb.c                              |   10 --
 source4/kdc/db-glue.c                              |   84 ++++++++++-----
 source4/lib/ldb/tests/python/ldap_schema.py        |   16 ++--
 source4/libnet/libnet_become_dc.c                  |    4 +-
 source4/libnet/libnet_join.c                       |   32 ++++++
 .../scripting/python/samba/netcmd/domainlevel.py   |   22 ++---
 source4/scripting/python/samba/provision.py        |   11 +-
 source4/scripting/python/samba/schema.py           |    5 +-
 source4/selftest/tests.sh                          |   86 ++++++++--------
 11 files changed, 266 insertions(+), 128 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libds/common/flags.h b/libds/common/flags.h
index 396df7c..be1e839 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -170,19 +170,15 @@
 #define SEARCH_FLAG_NEVERVALUEAUDIT	0x0000100
 #define SEARCH_FLAG_RODC_ATTRIBUTE	0x0000200
 
-/* "domainFunctionality", "forestFunctionality" in the rootDSE */
+/* "domainFunctionality", "forestFunctionality" and "domainControllerFunctionality" in the rootDSE */
 #define DS_DOMAIN_FUNCTION_2000		0
-#define DS_DOMAIN_FUNCTION_2003_MIXED	1
+#define DS_DOMAIN_FUNCTION_2003_MIXED	1 /* Not a valid/meaningfulxs
+					   * domainControllerFunctionality
+					   * Level */
 #define DS_DOMAIN_FUNCTION_2003		2
 #define DS_DOMAIN_FUNCTION_2008		3
 #define DS_DOMAIN_FUNCTION_2008_R2	4 
 
-/* "domainControllerFunctionality" in the rootDSE */
-#define DS_DC_FUNCTION_2000		0
-#define DS_DC_FUNCTION_2003		2
-#define DS_DC_FUNCTION_2008		3
-#define DS_DC_FUNCTION_2008_R2		4
-
 /* sa->systemFlags on attributes */
 #define DS_FLAG_ATTR_NOT_REPLICATED    0x00000001
 #define DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER 0x00000002
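Review bot: the new comment on the DS_DOMAIN_FUNCTION_2003_MIXED line has a typo, "meaningfulxs" should read "meaningful". Since the DS_DC_FUNCTION_* macros are removed here, every remaining user of them must be converted in the same commit or the build breaks; the summary lists domainlevel.py and provision.py as touched, but those hunks fall past the 500-line truncation and cannot be checked from this mail.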
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index c19f162..f3eebf1 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -838,8 +838,8 @@ sub provision_member($$$)
 
 	my $ret = $self->provision($prefix,
 				   "member server",
-				   "localmember3",
 				   "localmember",
+				   "member3",
 				   "SAMBADOMAIN", 
 				   "samba.example.com", 
 				   "2008",
@@ -881,15 +881,15 @@ sub provision_rpc_proxy($$$)
 	my ($self, $prefix, $dcvars) = @_;
 	print "PROVISIONING RPC PROXY...";
 
-	my $extra_smbconf_options = "dcerpc_remote:binding = ncacn_ip_tcp:localdc1
+	my $extra_smbconf_options = "dcerpc_remote:binding = ncacn_ip_tcp:localdc
        dcerpc endpoint servers = epmapper, remote
        dcerpc_remote:interfaces = rpcecho
 ";
 
 	my $ret = $self->provision($prefix,
 				   "member server",
-				   "localrpcproxy4",
 				   "localrpcproxy",
+				   "rpcproxy4",
 				   "SAMBADOMAIN", 
 				   "samba.example.com", 
 				   "2008",
@@ -926,8 +926,8 @@ sub provision_vampire_dc($$$)
 
 	# We do this so that we don't run the provision.  That's the job of 'net vampire'.
 	my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
-					       "localvampiredc2",
 					       "localvampiredc",
+					       "dc2",
 					       "SAMBADOMAIN", 
 					       "samba.example.com", 
 					       "2008",
@@ -983,8 +983,8 @@ sub provision_dc($$)
 	print "PROVISIONING DC...";
 	my $ret = $self->provision($prefix,
 				   "domain controller",
-				   "localdc1",
 				   "localdc",
+				   "dc1",
 				   "SAMBADOMAIN", 
 				   "samba.example.com", 
 				   "2008",
@@ -1012,7 +1012,7 @@ sub provision_fl2000dc($$)
 	print "PROVISIONING DC...";
 	my $ret = $self->provision($prefix,
 				   "domain controller",
-				   "localfl2000dc5",
+				   "dc5",
 				   "localfl2000dc",
 				   "SAMBA2000", 
 				   "samba2000.example.com", 
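Review bot: the positional order of the two name arguments in this hunk is the reverse of the provision_dc hunk above. provision_dc now passes "localdc" then "dc1", while provision_fl2000dc passes "dc5" then "localfl2000dc"; whichever position provision() treats as the NetBIOS name and which as the alias, one of the two sets of environments ends up with the short name and the long name swapped. Worth confirming against the provision() signature and making all callers consistent.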
@@ -1027,6 +1027,50 @@ sub provision_fl2000dc($$)
 	return $ret;
 }
 
+sub provision_fl2003dc($$)
+{
+	my ($self, $prefix) = @_;
+
+	print "PROVISIONING DC...";
+	my $ret = $self->provision($prefix,
+				   "domain controller",
+				   "dc6",
+				   "localfl2003dc",
+				   "SAMBA2003",
+				   "samba2003.example.com",
+				   "2003",
+				   6,
+				   "locDCpass6",
+				   "127.0.0.6", "");
+
+	$self->add_wins_config("$prefix/private") or
+		die("Unable to add wins configuration");
+
+	return $ret;
+}
+
+sub provision_fl2008r2dc($$)
+{
+	my ($self, $prefix) = @_;
+
+	print "PROVISIONING DC...";
+	my $ret = $self->provision($prefix,
+				   "domain controller",
+				   "dc7",
+				   "localfl2000r2dc",
+				   "SAMBA2008R2",
+				   "samba2008R2.example.com",
+				   "2008_R2",
+				   7,
+				   "locDCpass7",
+				   "127.0.0.7", "");
+
+	$self->add_wins_config("$prefix/private") or
+		die("Unable to add wins configuration");
+
+	return $ret;
+}
+
 sub teardown_env($$)
 {
 	my ($self, $envvars) = @_;
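Review bot: in provision_fl2008r2dc the alias "localfl2000r2dc" looks like a copy-and-paste slip for "localfl2008r2dc" (compare "localfl2003dc" in provision_fl2003dc directly above); as written, the 2008 R2 DC advertises a name that says 2000. The two new subs also follow the "dc6"/"localfl2003dc" argument order of provision_fl2000dc rather than the "localdc"/"dc1" order of provision_dc, so they inherit whichever of the two is wrong. The "2008_R2" level string matches the case-sensitive role noted in commit aba99e4, so that part is fine.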
@@ -1104,6 +1148,10 @@ sub setup_env($$$)
 		return $self->setup_dc("$path/dc");
 	} elsif ($envname eq "fl2000dc") {
 		return $self->setup_fl2000dc("$path/fl2000dc");
+	} elsif ($envname eq "fl2003dc") {
+		return $self->setup_fl2003dc("$path/fl2003dc");
+	} elsif ($envname eq "fl2008r2dc") {
+		return $self->setup_fl2008r2dc("$path/fl2008r2dc");
 	} elsif ($envname eq "rpc_proxy") {
 		if (not defined($self->{vars}->{dc})) {
 			$self->setup_dc("$path/dc");
@@ -1144,6 +1192,26 @@ sub setup_env($$$)
 			$ret->{FL2000DC_USERNAME} = $fl2000dc_ret->{USERNAME};
 			$ret->{FL2000DC_PASSWORD} = $fl2000dc_ret->{PASSWORD};
 		}
+		if (not defined($self->{vars}->{fl2003dc})) {
+			my $fl2003dc_ret = $self->setup_fl2003dc("$path/fl2003dc", $self->{vars}->{dc});
+
+			$ret->{FL2003DC_SERVER} = $fl2003dc_ret->{SERVER};
+			$ret->{FL2003DC_SERVER_IP} = $fl2003dc_ret->{SERVER_IP};
+			$ret->{FL2003DC_NETBIOSNAME} = $fl2003dc_ret->{NETBIOSNAME};
+			$ret->{FL2003DC_NETBIOSALIAS} = $fl2003dc_ret->{NETBIOSALIAS};
+			$ret->{FL2003DC_USERNAME} = $fl2003dc_ret->{USERNAME};
+			$ret->{FL2003DC_PASSWORD} = $fl2003dc_ret->{PASSWORD};
+		}
+		if (not defined($self->{vars}->{fl2008r2dc})) {
+			my $fl2008r2dc_ret = $self->setup_fl2008r2dc("$path/fl2008r2dc", $self->{vars}->{dc});
+
+			$ret->{FL2008R2DC_SERVER} = $fl2008r2dc_ret->{SERVER};
+			$ret->{FL2008R2DC_SERVER_IP} = $fl2008r2dc_ret->{SERVER_IP};
+			$ret->{FL2008R2DC_NETBIOSNAME} = $fl2008r2dc_ret->{NETBIOSNAME};
+			$ret->{FL2008R2DC_NETBIOSALIAS} = $fl2008r2dc_ret->{NETBIOSALIAS};
+			$ret->{FL2008R2DC_USERNAME} = $fl2008r2dc_ret->{USERNAME};
+			$ret->{FL2008R2DC_PASSWORD} = $fl2008r2dc_ret->{PASSWORD};
+		}
 		return $ret;
 	} else {
 		die("Samba4 can't provide environment '$envname'");
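Review bot: setup_fl2003dc and setup_fl2008r2dc are called here with a second argument, $self->{vars}->{dc}, but both subs are declared with prototype ($$) and unpack only ($self, $path), so the DC variables are silently dropped. Either remove the extra argument at these two call sites or, if the new environments are meant to depend on the main DC, accept and use it in the setup subs as setup_vampire_dc does.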
@@ -1212,6 +1280,38 @@ sub setup_fl2000dc($$)
 	return $env;
 }
 
+sub setup_fl2003dc($$)
+{
+	my ($self, $path) = @_;
+
+	my $env = $self->provision_fl2003dc($path);
+
+	$self->check_or_start($env,
+		($ENV{SMBD_MAXTIME} or 7500));
+
+	$self->wait_for_start($env);
+
+	$self->{vars}->{fl2003dc} = $env;
+
+	return $env;
+}
+
+sub setup_fl2008r2dc($$)
+{
+	my ($self, $path) = @_;
+
+	my $env = $self->provision_fl2008r2dc($path);
+
+	$self->check_or_start($env,
+		($ENV{SMBD_MAXTIME} or 7500));
+
+	$self->wait_for_start($env);
+
+	$self->{vars}->{fl2008r2dc} = $env;
+
+	return $env;
+}
+
 sub setup_vampire_dc($$$)
 {
 	my ($self, $path, $dc_vars) = @_;
diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index bddda8d..4060b32 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -578,14 +578,4 @@ void initdsdb(void)
 					   PyInt_FromLong(DS_DOMAIN_FUNCTION_2008));
 	PyModule_AddObject(m, "DS_DOMAIN_FUNCTION_2008_R2",
 					   PyInt_FromLong(DS_DOMAIN_FUNCTION_2008_R2));
-
-	/* "domainControllerFunctionality" flags in the rootDSE */
-	PyModule_AddObject(m, "DS_DC_FUNCTION_2000",
-					   PyInt_FromLong(DS_DC_FUNCTION_2000));
-	PyModule_AddObject(m, "DS_DC_FUNCTION_2003",
-					   PyInt_FromLong(DS_DC_FUNCTION_2003));
-	PyModule_AddObject(m, "DS_DC_FUNCTION_2008",
-					   PyInt_FromLong(DS_DC_FUNCTION_2008));
-	PyModule_AddObject(m, "DS_DC_FUNCTION_2008_R2",
-					   PyInt_FromLong(DS_DC_FUNCTION_2008_R2));
 }
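Review bot: dropping the DS_DC_FUNCTION_* exports from the samba.dsdb module is a Python API break for any script that imports them. ldap_schema.py is converted in this changeset, but the domainlevel.py change listed in the summary is beyond the truncation point, so it is not verifiable here; a grep for DS_DC_FUNCTION across the scripting tree before merging would confirm nothing else still imports the removed names.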
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 6e06625..8eb3f79 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -191,11 +191,45 @@ static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
 	talloc_free(entry_ex->ctx);
 }
 
+/* Determine, by translation between the encryption types allowed in
+ * the msDS-SupportedEncTypes and their Kerberos defined values, if a
+ * given encryption type is permitted for this target principal at
+ * this time. */
+static bool allowed_enc_type(enum samba_kdc_ent_type ent_type,
+			     uint32_t supported_enc_types_bitmap, uint32_t enc_type_enum)
+{
+	switch (ent_type) {
+	case SAMBA_KDC_ENT_TYPE_KRBTGT:
+	case SAMBA_KDC_ENT_TYPE_TRUST:
+		/* Disallow krbtgt and trust tickets to be DES encrypted, it's just too dangerous */
+		supported_enc_types_bitmap &= (~ENC_CRC32|ENC_RSA_MD5);
+	case SAMBA_KDC_ENT_TYPE_SERVER:
+		switch (enc_type_enum) {
+		case ENCTYPE_DES_CBC_CRC:
+			return supported_enc_types_bitmap & ENC_CRC32;
+		case ENCTYPE_DES_CBC_MD5:
+			return supported_enc_types_bitmap & ENC_RSA_MD5;
+		case ENCTYPE_ARCFOUR_HMAC_MD5:
+			return supported_enc_types_bitmap & ENC_RC4_HMAC_MD5;
+		case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+			return supported_enc_types_bitmap & ENC_HMAC_SHA1_96_AES128;
+		case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+			return supported_enc_types_bitmap & ENC_HMAC_SHA1_96_AES256;
+		default:
+			return false;
+		}
+	default:
+		return true;
+		/* Return all enc types to everyone else */
+	}
+}
+
 static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
-					      TALLOC_CTX *mem_ctx,
-					      struct ldb_message *msg,
-					      unsigned int userAccountControl,
-					      hdb_entry_ex *entry_ex)
+						    TALLOC_CTX *mem_ctx,
+						    struct ldb_message *msg,
+						    unsigned int userAccountControl,
+						    enum samba_kdc_ent_type ent_type,
+						    hdb_entry_ex *entry_ex)
 {
 	krb5_error_code ret = 0;
 	enum ndr_err_code ndr_err;
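Review bot: the mask on the KRBTGT/TRUST path is wrong because of operator precedence: `supported_enc_types_bitmap &= (~ENC_CRC32|ENC_RSA_MD5);` evaluates to `~ENC_CRC32 | ENC_RSA_MD5`, which clears only the CRC32 bit and leaves (indeed forces on) the RSA_MD5 bit, so DES-CBC-MD5 tickets for the krbtgt and trust accounts are still permitted despite the comment. It should be `supported_enc_types_bitmap &= ~(ENC_CRC32|ENC_RSA_MD5);`. The fall-through from those two cases into SAMBA_KDC_ENT_TYPE_SERVER is intentional but unmarked; a `/* fall through */` comment there would keep compiler and reviewer warnings quiet. The `/* Return all enc types to everyone else */` comment sits after the `return true;` and is unreachable as a statement position; move it above the return.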
@@ -210,6 +244,16 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 	uint16_t i;
 	uint16_t allocated_keys = 0;
 
+	/* Supported Enc Types for TGS-REQ to this target */
+	uint32_t supported_enc_types = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncTypes",
+								 ENC_CRC32|ENC_RSA_MD5|ENC_RC4_HMAC_MD5);
+
+	/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
+	if (userAccountControl & UF_USE_DES_KEY_ONLY) {
+		/* However, don't allow use of DES, if we were told not to by msDS-SupportedEncTypes */
+		supported_enc_types &= ENC_CRC32|ENC_RSA_MD5;
+	}
+
 	entry_ex->entry.keys.val = NULL;
 	entry_ex->entry.keys.len = 0;
 
@@ -323,7 +367,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 		goto out;
 	}
 
-	if (hash && !(userAccountControl & UF_USE_DES_KEY_ONLY)) {
+	if (hash && supported_enc_types & ENC_RC4_HMAC_MD5) {
 		Key key;
 
 		key.mkvno = 0;
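Review bot: the RC4 key path now checks supported_enc_types directly rather than going through allowed_enc_type(), so it applies the bitmap to every entry type, whereas allowed_enc_type() returns true unconditionally for client entries (the `default:` case). A client entry whose msDS-SupportedEncTypes lacks ENC_RC4_HMAC_MD5 would therefore lose its RC4 key while keeping its DES and AES keys from the supplemental credentials, which is the opposite of the intended semantics. Using `allowed_enc_type(ent_type, supported_enc_types, ENCTYPE_ARCFOUR_HMAC_MD5)` here keeps the two paths consistent; parenthesising the `&` inside the `&&` would also make the condition easier to read.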
@@ -343,24 +387,14 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 
 	if (pkb4) {
 		for (i=0; i < pkb4->num_keys; i++) {
-			bool use = true;
 			Key key;
 
 			if (!pkb4->keys[i].value) continue;
 
-			if (userAccountControl & UF_USE_DES_KEY_ONLY) {
-				switch (pkb4->keys[i].keytype) {
-				case ENCTYPE_DES_CBC_CRC:
-				case ENCTYPE_DES_CBC_MD5:
-					break;
-				default:
-					use = false;
-					break;
-				}
+			if (!allowed_enc_type(ent_type, supported_enc_types, pkb4->keys[i].keytype)) {
+				continue;
 			}
 
-			if (!use) continue;
-
 			key.mkvno = 0;
 			key.salt = NULL;
 
@@ -412,24 +446,14 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 		}
 	} else if (pkb3) {
 		for (i=0; i < pkb3->num_keys; i++) {
-			bool use = true;
 			Key key;
 
 			if (!pkb3->keys[i].value) continue;
 
-			if (userAccountControl & UF_USE_DES_KEY_ONLY) {
-				switch (pkb3->keys[i].keytype) {
-				case ENCTYPE_DES_CBC_CRC:
-				case ENCTYPE_DES_CBC_MD5:
-					break;
-				default:
-					use = false;
-					break;
-				}
+			if (!allowed_enc_type(ent_type, supported_enc_types, pkb3->keys[i].keytype)) {
+				continue;
 			}
 
-			if (!use) continue;
-
 			key.mkvno = 0;
 			key.salt = NULL;
 
@@ -701,7 +725,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 
 	/* Get keys from the db */
 	ret = samba_kdc_message2entry_keys(context, p, msg, userAccountControl,
-									   entry_ex);
+					   ent_type, entry_ex);
 	if (ret) {
 		/* Could be bougus data in the entry, or out of memory */
 		goto out;
diff --git a/source4/lib/ldb/tests/python/ldap_schema.py b/source4/lib/ldb/tests/python/ldap_schema.py
index 8e6865a..8d1f0d0 100755
--- a/source4/lib/ldb/tests/python/ldap_schema.py
+++ b/source4/lib/ldb/tests/python/ldap_schema.py
@@ -20,7 +20,7 @@ from ldb import ERR_CONSTRAINT_VIOLATION
 from ldb import Message, MessageElement, Dn
 from ldb import FLAG_MOD_REPLACE
 from samba import Ldb
-from samba.dsdb import DS_DC_FUNCTION_2003
+from samba.dsdb import DS_DOMAIN_FUNCTION_2003
 
 from subunit.run import SubunitTestRunner
 import unittest
@@ -278,7 +278,7 @@ systemOnly: FALSE
 
         # 1. Create attribute without systemFlags
         # msDS-IntId should be created if forest functional
-        # level is >= DS_DC_FUNCTION_2003
+        # level is >= DS_DOMAIN_FUNCTION_2003
         # and missing otherwise
         (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("msDS-IntId-Attr-1-")
         ldif = self._make_attr_ldif(attr_name, attr_dn)
@@ -300,7 +300,7 @@ systemOnly: FALSE
         res = self.ldb.search(attr_dn, scope=SCOPE_BASE, attrs=["*"])
         self.assertEquals(len(res), 1)
         self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_name)
-        if self.forest_level >= DS_DC_FUNCTION_2003:
+        if self.forest_level >= DS_DOMAIN_FUNCTION_2003:
             if self._is_schema_base_object(res[0]):
                 self.assertTrue("msDS-IntId" not in res[0])
             else:
@@ -319,7 +319,7 @@ systemOnly: FALSE
 
         # 2. Create attribute with systemFlags = FLAG_SCHEMA_BASE_OBJECT
         # msDS-IntId should be created if forest functional
-        # level is >= DS_DC_FUNCTION_2003
+        # level is >= DS_DOMAIN_FUNCTION_2003
         # and missing otherwise
         (attr_name, attr_ldap_name, attr_dn) = self._make_obj_names("msDS-IntId-Attr-2-")
         ldif = self._make_attr_ldif(attr_name, attr_dn)
@@ -342,7 +342,7 @@ systemOnly: FALSE
         res = self.ldb.search(attr_dn, scope=SCOPE_BASE, attrs=["*"])
         self.assertEquals(len(res), 1)
         self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_name)
-        if self.forest_level >= DS_DC_FUNCTION_2003:
+        if self.forest_level >= DS_DOMAIN_FUNCTION_2003:
             if self._is_schema_base_object(res[0]):
                 self.assertTrue("msDS-IntId" not in res[0])
             else:
@@ -384,7 +384,7 @@ systemOnly: FALSE
 
         # 1. Create Class without systemFlags
         # msDS-IntId should be created if forest functional
-        # level is >= DS_DC_FUNCTION_2003
+        # level is >= DS_DOMAIN_FUNCTION_2003
         # and missing otherwise
         (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-1-")
         ldif = self._make_class_ldif(class_dn, class_name)
@@ -421,7 +421,7 @@ systemOnly: FALSE
 
         # 2. Create Class with systemFlags = FLAG_SCHEMA_BASE_OBJECT
         # msDS-IntId should be created if forest functional
-        # level is >= DS_DC_FUNCTION_2003
+        # level is >= DS_DOMAIN_FUNCTION_2003
         # and missing otherwise
         (class_name, class_ldap_name, class_dn) = self._make_obj_names("msDS-IntId-Class-3-")
         ldif = self._make_class_ldif(class_dn, class_name)
@@ -469,7 +469,7 @@ systemOnly: FALSE
                               attrs=["systemFlags", "msDS-IntId", "attributeID", "cn"])
         self.assertTrue(len(res) > 1)
         for ldb_msg in res:
-            if self.forest_level >= DS_DC_FUNCTION_2003:
+            if self.forest_level >= DS_DOMAIN_FUNCTION_2003:
                 if self._is_schema_base_object(ldb_msg):
                     self.assertTrue("msDS-IntId" not in ldb_msg)
                 else:
diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c
index d64e415..833f5d3 100644
--- a/source4/libnet/libnet_become_dc.c
+++ b/source4/libnet/libnet_become_dc.c
@@ -739,9 +739,9 @@ struct libnet_BecomeDC_state {
 
 static int32_t get_dc_function_level(struct loadparm_context *lp_ctx)
 {
-	/* per default we are (Windows) 2008 compatible */
+	/* per default we are (Windows) 2008 R2 compatible */
 	return lp_parm_int(lp_ctx, NULL, "ads", "dc function level",
-		DS_DC_FUNCTION_2008);
+			   DS_DOMAIN_FUNCTION_2008_R2);
 }
 
 static void becomeDC_recv_cldap(struct tevent_req *req);
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index 289756c..ad3ed81 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -323,6 +323,38 @@ static NTSTATUS libnet_JoinADSDomain(struct libnet_context *ctx, struct libnet_J
 		}
 	}
 				
+	msg = ldb_msg_new(tmp_ctx);
+	if (!msg) {
+		r->out.error_string = NULL;
+		talloc_free(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+	msg->dn = res->msgs[0]->dn;
+
+	rtn = ldb_msg_add_fmt(msg, "msDS-SupportedEncryptionTypes",
+			      "%lu",
+			      (long unsigned int)(ENC_CRC32 | ENC_RSA_MD5 |
+						  ENC_RC4_HMAC_MD5 |
+						  ENC_HMAC_SHA1_96_AES128 |
+						  ENC_HMAC_SHA1_96_AES256));
+	if (rtn == -1) {
+		r->out.error_string = NULL;
+		talloc_free(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	rtn = dsdb_replace(remote_ldb, msg, 0);
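Review bot: the return value of dsdb_replace is not checked in the visible lines; the hunk is cut off by the 500-line truncation, so the error handling that should follow (mirroring the ldb_msg_add_fmt check above) cannot be reviewed from this mail. The value written advertises ENC_CRC32 and ENC_RSA_MD5 alongside RC4 and AES, so a freshly joined DC continues to accept single-DES tickets; given the KDC change in this same series goes out of its way to refuse DES for krbtgt and trust accounts, it is worth deciding explicitly whether the DES bits should be set for the new DC at all. The attribute name spelled here, "msDS-SupportedEncryptionTypes", must also agree with the name the KDC reads in db-glue.c.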


-- 
Samba Shared Repository
