[SCM] Samba Shared Repository - branch master updated

Andrew Tridgell tridge at samba.org
Thu Sep 30 16:26:02 MDT 2010


The branch, master has been updated
       via  6a029cd autobuild: push of ref/notes/commits isn't allowed in master
       via  176ecce s4-provision: wipe the old keytabs when provisioning
       via  67a0461 s4-rodc: fixed the keyVersionNumber on the RODC account in secrets.keytab
       via  75a542a s4-drs: put the GCSPN flag into the repsTo if requested
       via  87f67d3 s4-libnet: wipe the old keytab when exporting
       via  57f6770 s4-dsdb: silence the domainFunctionality not setup warning
      from  e90b964 autobuild: added much better email reporting

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6a029cd9ca662863724920030bb3a325cee28691
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Sep 30 14:42:02 2010 -0700

    autobuild: push of ref/notes/commits isn't allowed in master
    
    metze may enable this later
    
    Autobuild-User: Andrew Tridgell <tridge at samba.org>
    Autobuild-Date: Thu Sep 30 22:25:02 UTC 2010 on sn-devel-104

commit 176ecce9a661c9145620c3f7af9d13025ed0616c
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Sep 30 12:45:00 2010 -0700

    s4-provision: wipe the old keytabs when provisioning
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 67a04613e9106f9ab6c014c57a971d75854908f7
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Sep 30 12:44:39 2010 -0700

    s4-rodc: fixed the keyVersionNumber on the RODC account in secrets.keytab
    
    we need to fetch the msDS-keyVersionNumber from the writeable DC
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 75a542a1d93f6f015d866a01d25d5978e9b32583
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Sep 30 12:43:45 2010 -0700

    s4-drs: put the GCSPN flag into the repsTo if requested
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 87f67d336919172845f53067c67d1eab8e7ef18a
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Sep 30 12:43:14 2010 -0700

    s4-libnet: wipe the old keytab when exporting
    
    this prevents confusion with old keytab entries
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 57f67701a694b03f7c227c0f58729bf6d3733bbc
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Sep 30 12:42:35 2010 -0700

    s4-dsdb: silence the domainFunctionality not setup warning

-----------------------------------------------------------------------

Summary of changes:
 script/autobuild.py                               |    4 +++-
 source4/dsdb/common/util.c                        |    3 ++-
 source4/libnet/libnet_export_keytab.c             |    2 ++
 source4/rpc_server/drsuapi/getncchanges.c         |    6 ++++++
 source4/rpc_server/drsuapi/updaterefs.c           |    2 ++
 source4/scripting/python/samba/join.py            |    7 +++++--
 source4/scripting/python/samba/provision.py       |   20 ++++++++++++++++----
 source4/scripting/python/samba/tests/provision.py |   16 +++++++++++++---
 8 files changed, 49 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/script/autobuild.py b/script/autobuild.py
index 62cef69..f1e29a7 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -270,7 +270,9 @@ def rebase_tree(url):
 def push_to(url):
     print("Pushing to %s" % url)
     if options.mark:
-        run_cmd("EDITOR=script/commit_mark.sh git notes edit HEAD", dir=test_master)
+        run_cmd("EDITOR=script/commit_mark.sh git commit --amend -c HEAD", dir=test_master)
+        # the notes method doesn't work yet, as metze hasn't allowed refs/notes/* in master
+        # run_cmd("EDITOR=script/commit_mark.sh git notes edit HEAD", dir=test_master)
     run_cmd("git remote add -t master pushto %s" % url, show=True, dir=test_master)
     run_cmd("git push pushto +HEAD:master", show=True, dir=test_master)
 
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index a5d0f60..3259eab 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -3059,7 +3059,8 @@ int dsdb_functional_level(struct ldb_context *ldb)
 	int *domainFunctionality =
 		talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int);
 	if (!domainFunctionality) {
-		DEBUG(0,(__location__ ": WARNING: domainFunctionality not setup\n"));
+		/* this is expected during initial provision */
+		DEBUG(4,(__location__ ": WARNING: domainFunctionality not setup\n"));
 		return DS_DOMAIN_FUNCTION_2000;
 	}
 	return *domainFunctionality;
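Review bot: Dropping this message to level 4 hides every case where `domainFunctionality` is missing, not only initial provision, while the function still falls back to `DS_DOMAIN_FUNCTION_2000`. Any caller that gates behaviour on the functional level (none are visible in this hunk) would then run at the lowest level with nothing in a default log to show it. If the provision case can be told apart, keep level 0 for the rest. Otherwise widen the comment, e.g. `/* expected during initial provision; any other caller reaching this silently gets the 2000 level */`. The function's closing brace lies outside the hunk.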
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index f7ab88f..e8a0a13 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -45,6 +45,8 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	unlink(r->in.keytab_name);
+
 	ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name);
 	if(ret) {
 		r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
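Review bot: The added `unlink(r->in.keytab_name);` ignores its return value, so a failure other than a missing file (permissions, a directory at that path) goes unnoticed. `kt_copy()` then presumably writes into the old keytab, leaving the stale entries the commit wants gone. The call also treats the name as a plain filesystem path; if callers can pass a typed keytab name such as one with a `FILE:` prefix, nothing is removed, which is worth confirming. Suggest `if (unlink(r->in.keytab_name) != 0 && errno != ENOENT) { return map_nt_error_from_unix(errno); }`, setting `r->out.error_string` as the other error paths do. The function body continues on both sides of the hunk.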
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index c04a8c7..54b0430 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -1589,6 +1589,12 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 		ureq.options = DRSUAPI_DRS_ADD_REF |
 			DRSUAPI_DRS_ASYNC_OP |
 			DRSUAPI_DRS_GETCHG_CHECK;
+
+		/* we also need to pass through the
+		   DRSUAPI_DRS_REF_GCSPN bit so that repsTo gets flagged
+		   to send notifies using the GC SPN */
+		ureq.options |= (req10->replica_flags & DRSUAPI_DRS_REF_GCSPN);
+
 		werr = drsuapi_UpdateRefs(b_state, mem_ctx, &ureq);
 		if (!W_ERROR_IS_OK(werr)) {
 			DEBUG(0,(__location__ ": Failed UpdateRefs in DsGetNCChanges - %s\n",
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index d628388..a089586 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -66,6 +66,8 @@ static WERROR uref_add_dest(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 	ZERO_STRUCT(reps.r[reps.count]);
 	reps.r[reps.count].version = 1;
 	reps.r[reps.count].ctr.ctr1 = *dest;
+	/* add the GCSPN flag if the client asked for it */
+	reps.r[reps.count].ctr.ctr1.replica_flags |= (options & DRSUAPI_DRS_REF_GCSPN);
 	reps.count++;
 
 	werr = dsdb_savereps(sam_ctx, mem_ctx, dn, "repsTo", reps.r, reps.count);
diff --git a/source4/scripting/python/samba/join.py b/source4/scripting/python/samba/join.py
index 34f3ebb..6cd18b4 100644
--- a/source4/scripting/python/samba/join.py
+++ b/source4/scripting/python/samba/join.py
@@ -119,7 +119,7 @@ def join_rodc(server=None, creds=None, lp=None, site=None, netbios_name=None,
             "useraccountcontrol" : str(samba.dsdb.UF_NORMAL_ACCOUNT |
                                        samba.dsdb.UF_ACCOUNTDISABLE),
             "showinadvancedviewonly" : "TRUE",
-            "description" : "tricky account"}
+            "description" : "krbtgt for %s" % ctx.samname}
         ctx.samdb.add(rec, ["rodc_join:1:1"])
 
         # now we need to search for the samAccountName attribute on the krbtgt DN,
@@ -210,6 +210,8 @@ def join_rodc(server=None, creds=None, lp=None, site=None, netbios_name=None,
                               ctx.acct_pass,
                               force_change_at_next_login=False,
                               username=ctx.samname)
+        res = ctx.samdb.search(base=ctx.acct_dn, scope=ldb.SCOPE_BASE, attrs=["msDS-keyVersionNumber"])
+        ctx.key_version_number = res[0]["msDS-keyVersionNumber"]
 
 
     def join_provision(ctx):
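Review bot: The new lookup in this hunk indexes `res[0]["msDS-keyVersionNumber"]` without checking that the search returned an entry carrying that attribute, and it stores the raw result element rather than a number. A missing attribute would surface as an IndexError or KeyError in the middle of the join, after the password has already been set on the account. A value of the wrong type is then handed on as `key_version_number` in the next hunk. Consider `ctx.key_version_number = int(res[0]["msDS-keyVersionNumber"][0])` with an explicit error when the attribute is absent, plus a comment that the value is fetched from the writeable DC because it has to match the kvno written to secrets.keytab. The enclosing function starts outside the hunk.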
@@ -281,7 +283,8 @@ def join_rodc(server=None, creds=None, lp=None, site=None, netbios_name=None,
                             netbiosname=ctx.myname,
                             domainsid=security.dom_sid(ctx.domsid),
                             machinepass=ctx.acct_pass,
-                            secure_channel_type=misc.SEC_CHAN_RODC)
+                            secure_channel_type=misc.SEC_CHAN_RODC,
+                            key_version_number=ctx.key_version_number)
 
 
 
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 9e22d58..1d0abf4 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -389,6 +389,7 @@ def provision_paths_from_lp(lp, dnsdomain):
     # This is stored without path prefix for the "privateKeytab" attribute in
     # "secrets_dns.ldif".
     paths.dns_keytab = "dns.keytab"
+    paths.keytab = "secrets.keytab"
 
     paths.shareconf = os.path.join(paths.private_dir, "share.ldb")
     paths.samdb = os.path.join(paths.private_dir, lp.get("sam database") or "samdb.ldb")
@@ -781,7 +782,7 @@ def secretsdb_setup_dns(secretsdb, setup_path, names, private_dir,
             })
 
 
-def setup_secretsdb(path, setup_path, session_info, backend_credentials, lp):
+def setup_secretsdb(paths, setup_path, session_info, backend_credentials, lp):
     """Setup the secrets database.
 
    :note: This function does not handle exceptions and transaction on purpose,
@@ -794,8 +795,19 @@ def setup_secretsdb(path, setup_path, session_info, backend_credentials, lp):
     :param lp: Loadparm context
     :return: LDB handle for the created secrets database
     """
-    if os.path.exists(path):
-        os.unlink(path)
+    if os.path.exists(paths.secrets):
+        os.unlink(paths.secrets)
+
+    keytab_path = os.path.join(paths.private_dir, paths.keytab)
+    if os.path.exists(keytab_path):
+        os.unlink(keytab_path)
+
+    dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab)
+    if os.path.exists(dns_keytab_path):
+        os.unlink(dns_keytab_path)
+
+    path = paths.secrets
+
     secrets_ldb = Ldb(path, session_info=session_info, 
                       lp=lp)
     secrets_ldb.erase()
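Review bot: The three `os.path.exists()` / `os.unlink()` pairs added at the top of `setup_secretsdb` are check-then-act: a file that disappears between the two calls raises, and the same pattern is now repeated for each path. Unlinking directly and tolerating only ENOENT is shorter and removes the window; it needs `errno` imported in this module. Note also that unlink only removes the directory entry, so the "wipe" in the commit title does not overwrite old key material on disk. The docstring sits between the hunks and is only partly visible; if it still documents `:param path:`, it should now describe `paths`.

```python
    # remove the old secrets database and keytabs; only "not there" is acceptable
    for stale in (paths.secrets,
                  os.path.join(paths.private_dir, paths.keytab),
                  os.path.join(paths.private_dir, paths.dns_keytab)):
        try:
            os.unlink(stale)
        except OSError as e:
            if e.errno != errno.ENOENT:
                raise

    path = paths.secrets
    # … unchanged: Ldb(path, ...) open and erase …
```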
@@ -1513,7 +1525,7 @@ def provision(setup_dir, logger, session_info,
         share_ldb.load_ldif_file_add(setup_path("share.ldif"))
 
     logger.info("Setting up secrets.ldb")
-    secrets_ldb = setup_secretsdb(paths.secrets, setup_path, 
+    secrets_ldb = setup_secretsdb(paths, setup_path,
         session_info=session_info,
         backend_credentials=provision_backend.secrets_credentials, lp=lp)
 
diff --git a/source4/scripting/python/samba/tests/provision.py b/source4/scripting/python/samba/tests/provision.py
index 37b256a..58bb030 100644
--- a/source4/scripting/python/samba/tests/provision.py
+++ b/source4/scripting/python/samba/tests/provision.py
@@ -18,7 +18,7 @@
 #
 
 import os
-from samba.provision import setup_secretsdb, findnss
+from samba.provision import setup_secretsdb, findnss, ProvisionPaths
 import samba.tests
 from samba.tests import env_loadparm, TestCase
 
@@ -36,7 +36,12 @@ def create_dummy_secretsdb(path, lp=None):
     """
     if lp is None:
         lp = env_loadparm()
-    secrets_ldb = setup_secretsdb(path, setup_path, None, None, lp=lp)
+    paths = ProvisionPaths()
+    paths.secrets = path
+    paths.private_dir = os.path.dirname(path)
+    paths.keytab = "no.keytab"
+    paths.dns_keytab = "no.dns.keytab"
+    secrets_ldb = setup_secretsdb(paths, setup_path, None, None, lp=lp)
     secrets_ldb.transaction_commit()
     return secrets_ldb
 
@@ -47,7 +52,12 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
 
     def test_setup_secretsdb(self):
         path = os.path.join(self.tempdir, "secrets.ldb")
-        ldb = setup_secretsdb(path, setup_path, None, None, lp=env_loadparm())
+        paths = ProvisionPaths()
+        paths.secrets = path
+        paths.private_dir = os.path.dirname(path)
+        paths.keytab = "no.keytab"
+        paths.dns_keytab = "no.dns.keytab"
+        ldb = setup_secretsdb(paths, setup_path, None, None, lp=env_loadparm())
         try:
             self.assertEquals("LSA Secrets",
                  ldb.searchone(basedn="CN=LSA Secrets", attribute="CN"))
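Review bot: Both test hunks point `paths.keytab` and `paths.dns_keytab` at names that never exist (`no.keytab`, `no.dns.keytab`), so the keytab removal this commit adds to `setup_secretsdb` is never exercised. In `test_setup_secretsdb`, create a stale file before the call, e.g. `open(os.path.join(self.tempdir, paths.keytab), "w").close()`, and add `self.assertFalse(os.path.exists(os.path.join(self.tempdir, paths.keytab)))` after it. The same five-line `ProvisionPaths` setup is duplicated in `create_dummy_secretsdb`; a small helper would keep the two in step. The test method continues past the end of the hunk.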


-- 
Samba Shared Repository

