[SCM] Samba Shared Repository - branch master updated
Matthieu Patou
mat at samba.org
Fri Nov 12 13:25:02 MST 2010
The branch, master has been updated
via 24477ca ktpass: also use userPrincipalName for locating the principal
via f4e9f12 ktpass: fix the search path for when running in samba's source dir
via e0f64b7 python: use the ldbMessage + modify notation instead of modify_ldif that we try to avoid
via 5a6f3f1 Fix typo
via f5ea6f4 unit tests: add testing for dns account password change
via 81eb798 upgradeprovision: use relaxed control while adding missing object container
via a9c430b upgradeprovision: fix pb with dns-hostname, regenerate a correct keytab
via 8227d1f upgradeprovision: use the relax/(upgrade)provision when modifying object
via 757764a upgradeprovision: use the (upgrade)provision control also
via add39bc upgradeprovision: update revision for forestupdate and domainupdate objects
via 2990b4f samldb: relax groupType modification checks
via 35c9c2d Update WHATSNEW4 to add information related to samba_backup
via d1feb03 Add a script to make backup of samba provision
from 37bd313 s4:objectclass LDB module - we should not simply ignore additional "objectClass" attribute changes
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 24477cacc9b12cef01ee06cf6ce4db9bb87b5fae
Author: Matthieu Patou <mat at matws.net>
Date: Tue Oct 19 17:24:27 2010 +0400
ktpass: also use userPrincipalName for locating the principal
Autobuild-User: Matthieu Patou <mat at samba.org>
Autobuild-Date: Fri Nov 12 20:24:23 UTC 2010 on sn-devel-104
commit f4e9f125e0e4a9ab236595b79315ad26b7ca9d8b
Author: Matthieu Patou <mat at matws.net>
Date: Tue Oct 19 17:23:57 2010 +0400
ktpass: fix the search path for when running in samba's source dir
commit e0f64b77ebb5ecbd1bdabe9f2b3cf368421b34e6
Author: Matthieu Patou <mat at matws.net>
Date: Fri Nov 12 20:45:07 2010 +0300
python: use the ldbMessage + modify notation instead of modify_ldif that we try to avoid
commit 5a6f3f14fbf9bf96904e7f17e75aadac00427f96
Author: Matthieu Patou <mat at matws.net>
Date: Mon Nov 8 14:09:04 2010 +0300
Fix typo
commit f5ea6f4b4ca21b2771b383cf9ed9295c69857bcb
Author: Matthieu Patou <mat at matws.net>
Date: Tue Oct 26 16:38:42 2010 +0400
unit tests: add testing for dns account password change
commit 81eb7985e6d79852b3e25814cd15d6be56245d64
Author: Matthieu Patou <mat at matws.net>
Date: Fri Nov 12 20:00:57 2010 +0300
upgradeprovision: use relaxed control while adding missing object container
commit a9c430bdd2e07e8111d1073238059de6c6f478d5
Author: Matthieu Patou <mat at matws.net>
Date: Tue Oct 26 16:37:50 2010 +0400
upgradeprovision: fix pb with dns-hostname, regenerate a correct keytab
commit 8227d1f68ef7a4750d23d0c34402dbc0c1d14a3e
Author: Matthieu Patou <mat at matws.net>
Date: Sat Oct 23 22:01:30 2010 +0400
upgradeprovision: use the relax/(upgrade)provision when modifying object
For certain attributes we use the relax/provision control so that we
try to respect checks, as it is not a good idea to always force
unwanted behavior.
commit 757764ab1bb3056377f050fd91b43bbc45a3c7a2
Author: Matthieu Patou <mat at matws.net>
Date: Sat Oct 23 22:00:04 2010 +0400
upgradeprovision: use the (upgrade)provision control also
commit add39bc40bc89d2f3fac86f1cddea3947caafbfa
Author: Matthieu Patou <mat at matws.net>
Date: Sat Oct 23 21:57:16 2010 +0400
upgradeprovision: update revision for forestupdate and domainupdate objects
commit 2990b4fbb1acf74e98b55ce63fea3e2fe280d60e
Author: Matthieu Patou <mat at matws.net>
Date: Fri Nov 12 19:58:09 2010 +0300
samldb: relax groupType modification checks
Allow programs with the PROVISION control to bypass groupType checks.
This is needed by upgradeprovision for older alphas (11, 10, ...)
commit 35c9c2dc8aaea1019a8d611b52957c84db1feec5
Author: Matthieu Patou <mat at matws.net>
Date: Fri Oct 22 13:37:32 2010 +0400
Update WHATSNEW4 to add information related to samba_backup
commit d1feb03889935425b83e2bd5007bd90fddc62927
Author: Matthieu Patou <mat at matws.net>
Date: Fri Oct 22 13:28:40 2010 +0400
Add a script to make backup of samba provision
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW4.txt | 59 +++---------------
source4/dsdb/samdb/ldb_modules/samldb.c | 59 ++++++++++--------
source4/scripting/bin/ktpass.sh | 6 ++-
source4/scripting/bin/samba_backup | 65 ++++++++++++++++++++
source4/scripting/bin/upgradeprovision | 50 +++++++++++++--
.../python/samba/tests/upgradeprovisionneeddc.py | 4 +
source4/scripting/python/samba/upgradehelpers.py | 61 ++++++++++++++++--
7 files changed, 214 insertions(+), 90 deletions(-)
create mode 100755 source4/scripting/bin/samba_backup
Changeset truncated at 500 lines:
diff --git a/WHATSNEW4.txt b/WHATSNEW4.txt
index 200e47e..1741221 100644
--- a/WHATSNEW4.txt
+++ b/WHATSNEW4.txt
@@ -1,4 +1,4 @@
-What's new in Samba 4 alpha13
+What's new in Samba 4 alpha14
=============================
Samba 4 is the ambitious next version of the Samba suite that is being
@@ -6,16 +6,13 @@ developed in parallel to the stable 3.x series. The main emphasis in
this branch is support for the Active Directory logon protocols used
by Windows 2000 and above.
-Samba4 alpha13 follows on from the alpha release series we have been
-publishing since September 2007. Since this file has referred to alpha 12
-for a while before any release happened and since Debian packages
-have been published that presumed the existance of a alpha12 release
-we are skipping alpha12 and going straight to alpha13.
+Samba4 alpha14 follows on from the alpha release series we have been
+publishing since September 2007.
WARNINGS
========
-Samba4 alpha13 is not a final Samba release. That is more a reference
+Samba4 alpha14 is not a final Samba release. That is more a reference
to Samba4's lack of the features we expect you will need than a
statement of code quality, but clearly it hasn't seen a broad
deployment yet. If you were to upgrade Samba3 (or indeed Windows) to
@@ -65,7 +62,7 @@ working on modules to map between AD-like behaviours and this backend.
We are aiming for Samba 4 to be powerful frontend to large
directories.
-CHANGES SINCE alpha11
+CHANGES SINCE alpha13
=====================
We have continued our commitment to provide a full DRS implementation for our
@@ -76,46 +73,10 @@ http://wiki.samba.org/index.php/Samba4_DRS_TODO_List
Beside this the release includes (among a lot of other things):
-* a new build system based on WAF
-Andrew Tridgell (tridge) invested much time to bring this up. He achieved a
-marvellous work which brings us faster building, easier management and smaller
-binaries.
-
-* enhancements in Samba4 winbind to provide a fairly good implementation of the
-most important functions needed by "libnss_winbind" and "pam_winbind"
-This two components allow a user/group mapping for Windows accounts on UNIX and
-UNIX-like systems. Therefore also these accounts can be used to connect to
-services as "ssh", "login", "Xsession" and so on.
-More informations available at http://wiki.samba.org/index.php/Samba4/Winbind
-and for winbind in general, "libnss_winbind" and "pam_winbind" in the Samba 3.X
-documentation.
-
-* server side NT ACLs manipulation
-These can now also be set on the command line directly on the server. See
-"net acl" for further informations.
-
-* dynamic DNS updates
-Up-to-date DNS entries are essential for Active Directory deployments. As for
-the moment Samba4 isn't yet capable to interoperate with Microsofts AD DNS
-server (regarding RPCs, ADs zone entries...) a kind of update script has been
-developed. It also permits the update of the "grant" and "resource" lists.
-
-* registry improvements
-The registry code was reworked, improved and retested. This was achieved by the
-new torture tests written by gd and some additional testing against Windows
-("regedit" - Windows Registry Editor and "regedt32" - Windows NT Registry Editor).
-Also some real bugs were fixed.
-
-* new Kerberos HEIMDAL release
-Andrew Bartlett (abartlet) imported a new release with various bugfixes
-
-* DCE/RPC code unification work
-Stefan Metzmacher (metze) started his work to unify these codebases between s3
-and s4
-
-* And much more
-We always try to fix bugs and keep improving the (source) quality of our
-program.
+* a script for backuping production provision
+Although still in development, samba4 is already used in a couple of production sites
+and such kind of use case is intensifying. This script is intendended for administrators
+to allow them to make a periodic backup of the provision in case of problem.
CHANGES
=======
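Review bot: the new WHATSNEW4 bullet has several spelling and grammar slips that should be fixed before the release text ships: "backuping" should be "backing up", "intendended" should be "intended", and "in case of problem" reads better as "in case of problems". Suggested wording: `* a script for backing up a production provision` and `This script is intended for administrators to allow them to make a periodic backup of the provision in case of problems.` It would also help readers to name the script (samba_backup, under source4/scripting/bin) in the bullet, since that is what this commit series adds.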
@@ -140,7 +101,7 @@ KNOWN ISSUES
and server. (The NTP work in the previous alphas are partly to assist
with this problem).
-- The DRS replication code often fails, and is very new
+- The DRS replication code fails, and is very new
- Users upgrading existing databases to Samba4 should carefully
consult upgrading-samba4.txt. We have made a number of changes in
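Review bot: dropping "often" from "The DRS replication code often fails" turns a statement about frequency into a claim that replication always fails, which is stronger than the original and probably not what was meant. If the line was only touched while refreshing the file for alpha14, keep "often", or describe the current state explicitly ("is still new and may fail").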
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 4b8a303..338b131 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1281,35 +1281,40 @@ static int samldb_group_type_change(struct samldb_ctx *ac)
* On each step also the group type itself
* (security/distribution) is variable. */
- switch (group_type) {
- case GTYPE_SECURITY_GLOBAL_GROUP:
- case GTYPE_DISTRIBUTION_GLOBAL_GROUP:
- /* change to "universal" allowed */
- if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) ||
- (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) {
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
- break;
-
- case GTYPE_SECURITY_UNIVERSAL_GROUP:
- case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP:
- /* each change allowed */
- break;
-
- case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
- case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP:
- /* change to "universal" allowed */
- if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) ||
- (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) {
+ if (ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID) == NULL) {
+ switch (group_type) {
+ case GTYPE_SECURITY_GLOBAL_GROUP:
+ case GTYPE_DISTRIBUTION_GLOBAL_GROUP:
+ /* change to "universal" allowed */
+ if ((old_group_type == GTYPE_SECURITY_DOMAIN_LOCAL_GROUP) ||
+ (old_group_type == GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)) {
+ ldb_set_errstring(ldb,
+ "samldb: Change from security/distribution local group forbidden!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ break;
+
+ case GTYPE_SECURITY_UNIVERSAL_GROUP:
+ case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP:
+ /* each change allowed */
+ break;
+ case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
+ case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP:
+ /* change to "universal" allowed */
+ if ((old_group_type == GTYPE_SECURITY_GLOBAL_GROUP) ||
+ (old_group_type == GTYPE_DISTRIBUTION_GLOBAL_GROUP)) {
+ ldb_set_errstring(ldb,
+ "samldb: Change from security/distribution global group forbidden!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ break;
+
+ case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
+ default:
+ /* we don't allow this "groupType" values */
return LDB_ERR_UNWILLING_TO_PERFORM;
+ break;
}
- break;
-
- case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
- default:
- /* we don't allow this "groupType" values */
- return LDB_ERR_UNWILLING_TO_PERFORM;
- break;
}
account_type = ds_gtype2atype(group_type);
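Review bot: wrapping the whole switch in the PROVISION-control check also skips the `default` / GTYPE_SECURITY_BUILTIN_LOCAL_GROUP branch, so when the control is present an invalid or builtin groupType value is no longer rejected and flows straight into ds_gtype2atype(group_type). The commit message says the intent is to relax the transition checks for upgradeprovision, not to accept arbitrary values, so keep the value validation unconditional and put only the global / domain-local transition checks behind ldb_request_get_control(). Two smaller points: the `break;` after `return LDB_ERR_UNWILLING_TO_PERFORM;` in the default branch is unreachable and can go, and the comment "we don't allow this "groupType" values" should read "these "groupType" values".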
diff --git a/source4/scripting/bin/ktpass.sh b/source4/scripting/bin/ktpass.sh
index 92b1976..74f740a 100755
--- a/source4/scripting/bin/ktpass.sh
+++ b/source4/scripting/bin/ktpass.sh
@@ -55,6 +55,9 @@ if [ -z "$enc" ]; then
fi
if [ -z "$path" ]; then
path=`dirname $0`/../bin/
+ if [ ! -f ${path}ldbsearch ]; then
+ path=`dirname $0`/../../bin/
+ fi
fi
if [ -z "$outfile" -o -z "$princ" -o -z "$pass" ]; then
echo "At least one mandatory parameter (--out, --princ, --pass) was not specified"
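Review bot: the new fallback test `[ ! -f ${path}ldbsearch ]` leaves both `dirname $0` and `${path}` unquoted, so a source checkout in a path containing spaces breaks the test and the later `${path}ldbsearch` invocation; quote them (`path="$(dirname "$0")/../bin/"`, `[ ! -x "${path}ldbsearch" ]`) and prefer `-x` over `-f`, since what matters is that the binary is executable, not merely present.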
@@ -63,7 +66,8 @@ fi
if [ -z $host ]; then
host=`hostname`
fi
-kvno=`${path}ldbsearch -H ldap://$host "(|(samaccountname=$princ)(serviceprincipalname=$princ))" msds-keyversionnumber -k 1 -N 2>/dev/null| grep -i msds-keyversionnumber`
+
+kvno=`${path}ldbsearch -H ldap://$host "(|(samaccountname=$princ)(serviceprincipalname=$princ)(userprincipalname=$princ))" msds-keyversionnumber -k 1 -N 2>/dev/null| grep -i msds-keyversionnumber`
if [ "$kvno" == "" ]; then
echo -ne "Unable to find kvno for principal $princ\n"
echo -ne " check that you are authentified with kerberos\n"
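Review bot: $princ is spliced into the LDAP filter verbatim, so a principal containing the RFC 4515 filter metacharacters `(`, `)`, `*` or `\` (a stray wildcard in particular) produces either a search error or a kvno taken from a different account than the one the keytab is being generated for; escape the value before building the filter, or at least reject such characters up front. In the surrounding lines, `[ -z $host ]` should be `[ -z "$host" ]`, `==` inside `[ ]` is a bashism (use `=`), and "authentified" in the error text should be "authenticated". The added empty `+` line before the kvno assignment is just noise.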
diff --git a/source4/scripting/bin/samba_backup b/source4/scripting/bin/samba_backup
new file mode 100755
index 0000000..fabf60c
--- /dev/null
+++ b/source4/scripting/bin/samba_backup
@@ -0,0 +1,65 @@
+#!/bin/sh
+#
+# Copyright (C) Matthieu Patou <mat at matws.net> 2010
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+FROMWHERE=/usr/local/samba
+WHERE=/usr/local/backups
+if [ -n "$1" ] && [ "$1" = "-h" -o "$1" = "--usage" ]; then
+ echo "samba_backup [provisiondir] [destinationdir]"
+ echo "Will backup your provision located in provisiondir to archive stored in destinationdir"
+ echo "Default provisiondir: $FROMWHERE"
+ echo "Default destinationdir: $WHERE"
+ exit 0
+fi
+
+[ -n "$1" -a -d "$1" ]&&FROMWHERE=$1
+[ -n "$2" -a -d "$2" ]&&WHERE=$2
+
+DIRS="private etc sysvol"
+#Number of days to keep the backup
+DAYS=90
+WHEN=`date +%d%m%y`
+
+cd $FROMWHERE
+for d in $DIRS;do
+ relativedirname=`find . -type d -name "$d" -prune`
+ n=`echo $d | sed 's/\//_/g'`
+ if [ "$d" = "private" ]; then
+ find $refativedirname -name "*.ldb.bak" -exec rm {} \;
+ for ldb in `find $refativedirname -name "*.ldb"`; do
+ tdbbackup $ldb
+ if [ $? -ne 0 ]; then
+ echo "Error while backuping $ldb"
+ exit 1
+ fi
+ done
+ tar cjf ${WHERE}/samba4_${n}.${WHEN}.tar.bz2 $relativedirname --exclude=*.ldb >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ echo "Error while archiving ${WHERE}/samba4_${n}.${WHEN}.tar.bz2"
+ exit 1
+ fi
+ find $refativedirname -name "*.ldb.bak" -exec rm {} \;
+ else
+ tar cjf ${WHERE}/${n}.${WHEN}.tar.bz2 $relativedirname >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ echo "Error while archiving ${WHERE}/${n}.${WHEN}.tar.bz2"
+ exit 1
+ fi
+ fi
+done
+
+find $WHERE -name "samba4_*bz2" -mtime +90 -exec rm {} \; >/dev/null 2>&1
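Review bot: `$refativedirname` on the three `find` lines inside the `private` branch is a typo for `$relativedirname`; the variable is unset, so `find` runs with no starting point (GNU find then searches `.`, which is the whole provision directory), meaning every *.ldb under $FROMWHERE gets a tdbbackup copy and every *.ldb.bak under it is deleted, not only those in private/. Further points: `DAYS=90` is defined but the prune line hard-codes `-mtime +90`, and that line only matches `samba4_*bz2`, so the etc and sysvol archives (named `${n}.${WHEN}.tar.bz2`) are never expired; `cd $FROMWHERE` is unchecked, so a wrong directory silently makes the script continue in whatever the current directory is; `WHEN=`date +%d%m%y`` does not sort chronologically (`%Y%m%d` would); and since the private/ archive contains sam.ldb and secrets.ldb, the script should create the archives with restrictive permissions (for example `umask 077` before the tar calls) rather than rely on the caller's umask.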
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index dc81710..5d217ab 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -60,7 +60,7 @@ from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
delta_update_basesamdb, update_policyids,
update_machine_account_password,
search_constructed_attrs_stored,
- int64range2str,
+ int64range2str, update_dns_account_password,
increment_calculated_keyversion_number)
replace=2**FLAG_MOD_REPLACE
@@ -378,7 +378,10 @@ def handle_special_case(att, delta, new, old, usn, basedn, aldb):
if (str(old[0].dn) == "%s" % (str(names.rootdn))
and att == "subRefs" and flag == FLAG_MOD_REPLACE):
return True
-
+ #Allow to change revision of ForestUpdates objects
+ if (att == "revision" or att == "objectVersion"):
+ if str(delta.dn).lower().find("domainupdates") and str(delta.dn).lower().find("forestupdates") > 0:
+ return True
if str(delta.dn).endswith("CN=DisplaySpecifiers, %s" % names.configdn):
return True
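Review bot: the condition `if str(delta.dn).lower().find("domainupdates") and str(delta.dn).lower().find("forestupdates") > 0:` does not do what the comment says. `str.find()` returns -1 when the substring is absent, and -1 is truthy, so the first operand is true for nearly every DN and the whole test collapses to `find("forestupdates") > 0`; a DN under DomainUpdates is therefore never matched. Since a DN sits under one container or the other, the intended operator is `or`, with an explicit comparison: `dn = str(delta.dn).lower()` followed by `if dn.find("domainupdates") != -1 or dn.find("forestupdates") != -1:`.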
@@ -487,7 +490,7 @@ def handle_special_add(samdb, dn, names):
if len(res) > 0 and len(res2) == 0:
message(CHANGE, "Existing object %s must be replaced by %s,"
"Renaming old object" % (str(oldDn), str(dn)))
- samdb.rename(oldDn, objDn, ["relax:0"])
+ samdb.rename(oldDn, objDn, ["relax:0", "local_oid:1.3.6.1.4.1.7165.4.3.16:0"])
return 0
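Review bot: the control string `"local_oid:1.3.6.1.4.1.7165.4.3.16:0"` is repeated as a bare literal here and in three further hunks of this file; define it once at module level (next to `replace=2**FLAG_MOD_REPLACE`) under a descriptive name with a comment saying it is the provision control, so a reader does not have to look the OID up and the call sites cannot drift apart.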
@@ -599,7 +602,7 @@ def add_missing_object(ref_samdb, samdb, dn, names, basedn, hash, index):
delta.dn = dn
if not skip:
message(CHANGE,"Object %s will be added" % dn)
- samdb.add(delta, ["relax:0"])
+ samdb.add(delta, ["relax:0", "local_oid:1.3.6.1.4.1.7165.4.3.16:0"])
else:
message(CHANGE,"Object %s was skipped" % dn)
@@ -651,7 +654,9 @@ def add_deletedobj_containers(ref_samdb, samdb, names):
delta.dn = Dn(samdb, str(reference[0]["dn"]))
for att in hashAttrNotCopied.keys():
delta.remove(att)
- samdb.add(delta)
+
+ modcontrols = ["relax:0", "local_oid:1.3.6.1.4.1.7165.4.3.16:0"]
+ samdb.add(delta, modcontrols)
listwko = []
res = samdb.search(expression="(objectClass=*)", base=part,
@@ -981,10 +986,17 @@ def update_present(ref_samdb, samdb, basedn, listPresent, usns, invocationid):
delta.dn = dn
if len(delta.items()) >1:
attributes=", ".join(delta.keys())
+ modcontrols = []
+ relaxedatt = ['iscriticalsystemobject', 'grouptype']
+ # Let's try to reduce as much as possible the use of relax control
+ #for checkedatt in relaxedatt:
+ for attr in delta.keys():
+ if attr.lower() in relaxedatt:
+ modcontrols = ["relax:0", "local_oid:1.3.6.1.4.1.7165.4.3.16:0"]
message(CHANGE, "%s is different from the reference one, changed"
" attributes: %s\n" % (dn, attributes))
changed += 1
- samdb.modify(delta)
+ samdb.modify(delta, modcontrols)
return changed
def reload_full_schema(samdb, names):
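Review bot: the commented-out `#for checkedatt in relaxedatt:` line is dead code and should be removed, and the loop below it can `break` as soon as one relaxed attribute is found. Note also that the controls apply to the whole modify: when a delta touches `grouptype` together with other attributes, those other attributes are modified under relax as well, which weakens the stated goal of reducing the use of the relax control; if that matters, split such a delta into a relaxed part and a normal part.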
@@ -1713,8 +1725,34 @@ if __name__ == '__main__':
# as the delta_upgrade
schemareloadclosure()
sync_calculated_attributes(ldbs.sam, names)
+ res = ldbs.sam.search(expression="(samaccountname=dns)",
+ scope=SCOPE_SUBTREE, attrs=["dn"],
+ controls=["search_options:1:2"])
+ if len(res) > 0:
+ message(SIMPLE, "You still have the old dns object for managing"
+ "dynamic DNS, but you didn't supply --full so "
+ "correct update can't be done")
+ ldbs.groupedRollback()
+ new_ldbs.groupedRollback()
+ shutil.rmtree(provisiondir)
+ sys.exit(1)
# 14)
update_secrets(new_ldbs.secrets, ldbs.secrets, message)
+ # 14bis)
+ res = ldbs.sam.search(expression="(samaccountname=dns)",
+ scope=SCOPE_SUBTREE, attrs=["dn"],
+ controls=["search_options:1:2"])
+
+ if (len(res) == 1):
+ ldbs.sam.delete(res[0]["dn"])
+ res2 = ldbs.secrets.search(expression="(samaccountname=dns)",
+ scope=SCOPE_SUBTREE, attrs=["dn"])
+ update_dns_account_password(ldbs.sam, ldbs.secrets, names)
+ message(SIMPLE, "IMPORTANT !!! "
+ "If you were using Dynamic DNS before you need"
+ " to update your configuration, so that the "
+ "tkey-gssapi-credential has the following value:"
+ "DNS/%s.%s" % (names.netbiosname.lower(), names.realm.lower()))
# 15)
message(SIMPLE, "Update machine account")
update_machine_account_password(ldbs.sam, ldbs.secrets, names)
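Review bot: two string-literal concatenations in the added messages are missing a space: `"managing" "dynamic DNS"` prints "managingdynamic DNS", and `"value:" "DNS/%s.%s"` prints "value:DNS/...". In step 14bis, `res2` is assigned from a secrets search but never used (the equivalent cleanup already happens in update_secrets in upgradehelpers.py), so drop it. The `(samaccountname=dns)` search with `search_options:1:2` is also issued twice in this hunk; issue it once and reuse the result.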
diff --git a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
index e30906f..d4d6b84 100644
--- a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
+++ b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
@@ -29,6 +29,7 @@ from samba.upgradehelpers import (get_paths, get_ldbs,
find_provision_key_parameters, identic_rename,
updateOEMInfo, getOEMInfo, update_gpo,
delta_update_basesamdb,
+ update_dns_account_password,
search_constructed_attrs_stored,
increment_calculated_keyversion_number)
from samba.tests import env_loadparm, TestCaseInTempDir
@@ -157,6 +158,9 @@ class UpgradeProvisionWithLdbTestCase(TestCaseInTempDir):
oem = getOEMInfo(self.ldbs.sam, basedn)
self.assertNotEquals(oem, "")
+ def test_update_dns_account(self):
+ update_dns_account_password(self.ldbs.sam, self.ldbs.secrets, self.names)
+
def test_updateOEMInfo(self):
realm = self.lp.get("realm")
basedn = "DC=%s" % realm.replace(".", ", DC=")
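Review bot: `test_update_dns_account` only checks that update_dns_account_password() does not raise. To test the password change itself, read the `secret` of the dns-<netbiosname> entry in secrets.ldb before the call, and after it assert that the stored secret changed and that the `secret` and `msDS-KeyVersionNumber` in secrets.ldb agree with the `msDs-keyVersionNumber` the SAM now reports for that account.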
diff --git a/source4/scripting/python/samba/upgradehelpers.py b/source4/scripting/python/samba/upgradehelpers.py
index b1258d2..e8f1471 100755
--- a/source4/scripting/python/samba/upgradehelpers.py
+++ b/source4/scripting/python/samba/upgradehelpers.py
@@ -632,6 +632,13 @@ def update_secrets(newsecrets_ldb, secrets_ldb, messagefunc):
delta.dn = current[0].dn
secrets_ldb.modify(delta)
+ res2 = secrets_ldb.search(expression="(samaccountname=dns)",
+ scope=SCOPE_SUBTREE, attrs=["dn"])
+
+ if (len(res2) == 1):
+ messagefunc(SIMPLE, "Remove old dns account")
+ secrets_ldb.delete(res2[0]["dn"])
+
def getOEMInfo(samdb, rootdn):
"""Return OEM Information on the top level
Samba4 use to store version info in this field
@@ -828,14 +835,13 @@ def update_machine_account_password(samdb, secrets_ldb, names):
res = samdb.search(expression=expression, attrs=[])
assert(len(res) == 1)
+ msg = ldb.Message(res[0].dn)
machinepass = samba.generate_random_password(128, 255)
-
- samdb.modify_ldif("""
-dn: """ + str(res[0].dn) + """
-changetype: modify
-replace: clearTextPassword
-clearTextPassword:: """ + base64.b64encode(machinepass.encode('utf-16-le')) + """
-""")
+ mputf16 = machinepass.encode('utf-16-le')
+ msg["clearTextPassword"] = ldb.MessageElement(mputf16,
+ ldb.FLAG_MOD_REPLACE,
+ "clearTextPassword")
+ samdb.modify(msg)
res = samdb.search(expression=("samAccountName=%s$" % names.netbiosname),
attrs=["msDs-keyVersionNumber"])
@@ -855,6 +861,47 @@ clearTextPassword:: """ + base64.b64encode(machinepass.encode('utf-16-le')) + ""
raise ProvisioningError("Unable to find a Secure Channel"
"of type SEC_CHAN_BDC")
+def update_dns_account_password(samdb, secrets_ldb, names):
+ """Update (change) the password of the dns both in the SAM db and in
+ secret one
+
+ :param samdb: An LDB object related to the sam.ldb file of a given provision
+ :param secrets_ldb: An LDB object related to the secrets.ldb file of a given
+ provision
+ :param names: List of key provision parameters"""
+
+ expression = "samAccountName=dns-%s" % names.netbiosname
+ secrets_msg = secrets_ldb.search(expression=expression)
+ if len(secrets_msg) == 1:
+ res = samdb.search(expression=expression, attrs=[])
+ assert(len(res) == 1)
+
+ msg = ldb.Message(res[0].dn)
+ machinepass = samba.generate_random_password(128, 255)
+ mputf16 = machinepass.encode('utf-16-le')
+ msg["clearTextPassword"] = ldb.MessageElement(mputf16,
+ ldb.FLAG_MOD_REPLACE,
+ "clearTextPassword")
+
+ samdb.modify(msg)
+
+ res = samdb.search(expression=expression,
+ attrs=["msDs-keyVersionNumber"])
+ assert(len(res) == 1)
+ kvno = str(res[0]["msDs-keyVersionNumber"])
+
+ msg = ldb.Message(secrets_msg[0].dn)
+ msg["secret"] = ldb.MessageElement(machinepass,
+ ldb.FLAG_MOD_REPLACE,
+ "secret")
+ msg["msDS-KeyVersionNumber"] = ldb.MessageElement(kvno,
+ ldb.FLAG_MOD_REPLACE,
+ "msDS-KeyVersionNumber")
+
+ secrets_ldb.modify(msg)
+ else:
+ raise ProvisioningError("Unable to find an object"
+ " with %s" % expression )
def search_constructed_attrs_stored(samdb, rootdn, attrs):
"""Search a given sam DB for calculated attributes that are
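Review bot: the SAM modify and the secrets modify are not wrapped in a transaction, so if `secrets_ldb.modify(msg)` fails after `samdb.modify(msg)` has succeeded, the dns account's password in sam.ldb and the secret used by the DNS update client diverge and dynamic updates stop working; call `transaction_start()` on both ldbs and commit only after both writes succeed (the same applies to update_machine_account_password above). Also, `assert(len(res) == 1)` surfaces as an AssertionError instead of the ProvisioningError raised in the `else` branch and is skipped under `python -O`; make it an explicit check that raises ProvisioningError. The docstring "password of the dns both in the SAM db and in secret one" should read "password of the dns account both in the SAM db and in the secrets one".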
--
Samba Shared Repository