[SCM] Samba Shared Repository - branch master updated

Andrew Tridgell tridge at samba.org
Tue Sep 28 22:37:01 MDT 2010


The branch, master has been updated
       via  3131082 s4-spnupdate: when we are a RODC we need to use the WriteSPN DRS call
       via  739a4e4 s4-drsutils: expose DsBind() call in drs_utils.py
       via  06022da s4-kerberos: use TZ=GMT when we are invoking krb5 code in helpers
      from  3b0d6fd s4-rodc: RODC should not accept requests for role transfer

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 31310826e02a398eec6569a9150a798ee216f745
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 28 20:47:03 2010 -0700

    s4-spnupdate: when we are a RODC we need to use the WriteSPN DRS call
    
    we can't do SPN updates via sam writes and replication, as the sam is
    read-only

commit 739a4e4e2361fad17a4d041e2e0b4fc73a9d18c2
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 28 20:46:15 2010 -0700

    s4-drsutils: expose DsBind() call in drs_utils.py
    
    this will be used by samba_spnupdate

commit 06022dad70ec11ddbedc09a4a1fffe127ced2a06
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 28 20:43:58 2010 -0700

    s4-kerberos: use TZ=GMT when we are invoking krb5 code in helpers
    
    Our helper scripts can fail on Fedora with the PDT timezone (Western
    USA). This is the same issue we found with Heimdal earlier today, the
    24 second difference between GMT and UTC, but this time in MIT
    Kerberos as linked into bind9.
    
    By forcing TZ=GMT in these scripts we avoid the problem.
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source4/scripting/bin/samba_dnsupdate       |    6 ++
 source4/scripting/bin/samba_spnupdate       |   73 ++++++++++++++++++++++----
 source4/scripting/python/samba/drs_utils.py |   75 ++++++++++++++-------------
 3 files changed, 107 insertions(+), 47 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate
index 5ed46c3..a8a7e59 100755
--- a/source4/scripting/bin/samba_dnsupdate
+++ b/source4/scripting/bin/samba_dnsupdate
@@ -27,6 +27,12 @@ import tempfile
 # and don't get swallowed by a timeout
 os.putenv('PYTHONUNBUFFERED', '1')
 
+# forcing GMT avoids a problem in some timezones with kerberos. Both MIT
+# heimdal can get mutual authentication errors due to the 24 second difference
+# between UTC and GMT when using some zone files (eg. the PDT zone from
+# the US)
+os.putenv("TZ", "GMT")
+
 # Find right directory when running from source tree
 sys.path.insert(0, "bin/python")
 
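Review bot: `os.putenv("TZ", "GMT")` bypasses `os.environ`, so any Python code in this process that reads `os.environ` will not see the override, and the interpreter's own libc time zone is not re-read either (that needs `time.tzset()`); child helpers do inherit it, which is what the commit message targets. The idiomatic form `os.environ["TZ"] = "GMT"` calls putenv itself and keeps both views consistent, and the same applies to the identical hunk in source4/scripting/bin/samba_spnupdate. The comment is also missing a word, "Both MIT and heimdal", and the "24 second difference between UTC and GMT" is presumably an artefact of leap-second-aware zone data on the affected systems rather than a property of GMT versus UTC as such, so naming the zone files that trigger it would make the comment less misleading. The override silently replaces any TZ the operator set for the service, which is worth stating in the comment too.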
diff --git a/source4/scripting/bin/samba_spnupdate b/source4/scripting/bin/samba_spnupdate
index 7c9ed4f..6a69f48 100755
--- a/source4/scripting/bin/samba_spnupdate
+++ b/source4/scripting/bin/samba_spnupdate
@@ -24,6 +24,12 @@ import os, sys
 # and don't get swallowed by a timeout
 os.putenv('PYTHONUNBUFFERED', '1')
 
+# forcing GMT avoids a problem in some timezones with kerberos. Both MIT
+# heimdal can get mutual authentication errors due to the 24 second difference
+# between UTC and GMT when using some zone files (eg. the PDT zone from
+# the US)
+os.putenv("TZ", "GMT")
+
 # Find right directory when running from source tree
 sys.path.insert(0, "bin/python")
 
@@ -102,9 +108,6 @@ except ldb.LdbError, (num, msg):
     print("Unable to open sam database %s : %s" % (lp.get("sam database"), msg))
     sys.exit(1)
 
-if samdb.am_rodc():
-    # don't try and update SPNs on RODC
-    exit(0)
 
 # get the substitution dictionary
 sub_vars = get_subst_vars(samdb)
@@ -132,6 +135,8 @@ if not res or len(res) != 1:
     print("Failed to find computer object for %s$" % sub_vars['NETBIOSNAME'])
     sys.exit(1)
 
+machine_dn = res[0]["dn"]
+
 old_spns = []
 for s in res[0]['servicePrincipalName']:
     old_spns.append(s)
@@ -159,10 +164,58 @@ if add_list == []:
         print("Nothing to add")
     sys.exit(0)
 
-# build the modify request
-msg = ldb.Message()
-msg.dn = res[0]['dn']
-msg[""] = ldb.MessageElement(add_list,
-			     ldb.FLAG_MOD_ADD, "servicePrincipalName")
-res = samdb.modify(msg)
-sys.exit(0)
+def local_update(add_list):
+    '''store locally'''
+    global res
+    msg = ldb.Message()
+    msg.dn = res[0]['dn']
+    msg[""] = ldb.MessageElement(add_list,
+                                 ldb.FLAG_MOD_ADD, "servicePrincipalName")
+    res = samdb.modify(msg)
+
+def call_rodc_update(d):
+    '''RODCs need to use the writeSPN DRS call'''
+    global lp, sub_vars
+    from samba import drs_utils
+    from samba.dcerpc import drsuapi, nbt
+    from samba.net import Net
+
+    if opts.verbose:
+        print("Using RODC SPN update")
+
+    creds = credopts.get_credentials(lp)
+    creds.set_machine_account(lp)
+
+    net = Net(creds=creds, lp=lp)
+    try:
+        cldap_ret = net.finddc(domain, nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
+    except Exception, reason:
+        print("Unable to find writeable DC for domain '%s' to send DRS writeSPN to : %s" % (domain, reason))
+        sys.exit(1)
+    server = cldap_ret.pdc_dns_name
+    try:
+        drs = drsuapi.drsuapi('ncacn_ip_tcp:%s[seal,print]' % server, lp, creds)
+        drs_handle = drs_utils.drs_DsBind(drs)
+    except Exception, reason:
+        print("Unable to connect to DC '%s' for domain '%s' : %s" % (server, domain, reason))
+        sys.exit(1)
+    req1 = drsuapi.DsWriteAccountSpnRequest1()
+    req1.operation = drsuapi.DRSUAPI_DS_SPN_OPERATION_ADD
+    req1.object_dn = str(machine_dn)
+    req1.count = 0
+    spn_names = []
+    for n in add_list:
+        if n.find('E3514235-4B06-11D1-AB04-00C04FC2DCD2') != -1:
+            # this one isn't allowed for RODCs, but we don't know why yet
+            continue
+        ns = drsuapi.DsNameString()
+        ns.str = n
+        spn_names.append(ns)
+        req1.count = req1.count + 1
+    req1.spn_names = spn_names
+    (level, res) = drs.DsWriteAccountSpn(drs_handle, 1, req1)
+
+if samdb.am_rodc():
+    call_rodc_update(add_list)
+else:
+    local_update(add_list)
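Review bot: The result of `drs.DsWriteAccountSpn(drs_handle, 1, req1)` at the end of call_rodc_update is bound to `(level, res)` and never inspected, so an SPN write the writable DC rejects still lets the script exit 0, whereas the local path raises from `samdb.modify` on failure. Going by the drsuapi IDL the level-1 result carries a `status` WERROR; checking it and exiting non-zero, e.g. `if res.status != 0: print("DsWriteAccountSpn failed: %s" % res.status); sys.exit(1)`, would keep the two paths consistent (confirm how WERROR surfaces in the Python bindings). The `global lp, sub_vars` line is unnecessary since neither name is assigned in the function and `sub_vars` is not used at all, and `req1.count` could simply be `len(spn_names)` after the loop instead of being incremented by hand. The skip on the E3514235-4B06-11D1-AB04-00C04FC2DCD2 prefix would read better if the comment noted that this is the well-known Directory Replication Service SPN prefix, even while the reason the write is refused for an RODC remains open.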
diff --git a/source4/scripting/python/samba/drs_utils.py b/source4/scripting/python/samba/drs_utils.py
index 936bfbb..0382178 100644
--- a/source4/scripting/python/samba/drs_utils.py
+++ b/source4/scripting/python/samba/drs_utils.py
@@ -23,53 +23,54 @@ from samba.dcerpc import drsuapi, misc
 from samba.net import Net
 import samba, ldb
 
+
+def drs_DsBind(drs):
+    '''make a DsBind call, returning the binding handle'''
+    bind_info = drsuapi.DsBindInfoCtr()
+    bind_info.length = 28
+    bind_info.info = drsuapi.DsBindInfo28()
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_BASE;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7;
+    bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT;
+    (info, handle) = drs.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID), bind_info)
+    return handle
+
 class drs_Replicate:
     '''DRS replication calls'''
 
     def __init__(self, binding_string, lp, creds, samdb):
         self.drs = drsuapi.drsuapi(binding_string, lp, creds)
-        self.drs_handle = self.drs_DsBind()
+        self.drs_handle = drs_DsBind(self.drs)
         self.net = Net(creds=creds, lp=lp)
         self.samdb = samdb
         self.replication_state = self.net.replicate_init(self.samdb, lp, self.drs)
 
 
-    def drs_DsBind(self):
-        '''make a DsBind call, returning the binding handle'''
-        bind_info = drsuapi.DsBindInfoCtr()
-        bind_info.length = 28
-        bind_info.info = drsuapi.DsBindInfo28()
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_BASE;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7;
-        bind_info.info.supported_extensions	|= drsuapi.DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT;
-        (info, handle) = self.drs.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID), bind_info)
-        return handle
-
 
     def drs_get_rodc_partial_attribute_set(self):
         '''get a list of attributes for RODC replication'''
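Review bot: The new module-level drs_DsBind keeps the 28 `bind_info.info.supported_extensions |= ...;` lines verbatim, each with a tab before the operator and a trailing semicolon, which is not Python style and hides what the function actually does; collecting the flags in a tuple and OR-ing them in a loop reads as one decision rather than 28 statements. The `info` half of `(info, handle)` is unused and could be `_`. Removing the `drs_DsBind` method from drs_Replicate also drops it from the class interface; if anything outside this file called `drs_Replicate.drs_DsBind()` it will break, and the commit message does not say that was checked.
```python
def drs_DsBind(drs):
    '''make a DsBind call, returning the binding handle'''
    supported = (
        drsuapi.DRSUAPI_SUPPORTED_EXTENSION_BASE,
        drsuapi.DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION,
        # … unchanged: the remaining DRSUAPI_SUPPORTED_EXTENSION_* flags from the hunk …
        drsuapi.DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT,
    )
    bind_info = drsuapi.DsBindInfoCtr()
    bind_info.length = 28
    bind_info.info = drsuapi.DsBindInfo28()
    for flag in supported:
        bind_info.info.supported_extensions |= flag
    (_, handle) = drs.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID), bind_info)
    return handle
```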


-- 
Samba Shared Repository

