[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Fri Jun 24 12:36:02 MDT 2011
The branch, master has been updated
via d7cc857 s4:selftest: test ntvfs.cifs with s4u2proxy
via 67b2e2d s4:selftest: use wildcards for ntvfs.cifs tests in knownfail and skip files
via a7d2492 selftest/Samba4: correctly upper case the netbiosname variable
via ad45072 s4:kdc: implement samba_kdc_check_s4u2proxy()
via dee41bc s4:samba-tool: add "delegation" subcommands for S4U2Proxy and related stuff
via 4b26fc0 s4:python/samba/samdb: add toggle_userAccountFlags() helper function
via 2996945 HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given
via 7229b0d HEIMDAL:kdc: pass down the server hdb_entry_ex to check_constrained_delegation()
via b96efe0 HEIMDAL:kdc: use the correct client realm in the EncTicketPart
from 61ad606 Add NT_STATUS_IO_REPARSE_DATA_INVALID
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d7cc8571f756659661285f38ba61ff92683194f7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 18 19:13:43 2011 +0100
s4:selftest: test ntvfs.cifs with s4u2proxy
Pair-Programmed-With: Björn Baumbach <bb at sernet.de>
metze
Autobuild-User: Stefan Metzmacher <metze at samba.org>
Autobuild-Date: Fri Jun 24 20:35:30 CEST 2011 on sn-devel-104
commit 67b2e2d67917c9201ec2fb30b5aa89e2b407960c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 2 12:53:48 2011 +0200
s4:selftest: use wildcards for ntvfs.cifs tests in knownfail and skip files
metze
commit a7d2492cf7a398d7577863151fa823c62e8469b0
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 24 18:50:51 2011 +0200
selftest/Samba4: correctly upper case the netbiosname variable
metze
commit ad45072aaf91a412df8fa1c7a7cc73891b370675
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 27 11:41:49 2011 +0200
s4:kdc: implement samba_kdc_check_s4u2proxy()
metze
commit dee41bcdf20d54ca2c323c154b4f212065d0de0e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 24 16:59:24 2011 +0200
s4:samba-tool: add "delegation" subcommands for S4U2Proxy and related stuff
For now this only works on the local sam.ldb, but it shouldn't be hard
to improve it to talk to remote servers.
Pair-Programmed-With: Björn Baumbach <bb at sernet.de>
metze
commit 4b26fc098087579018a2817906c140fa9cb8887e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 24 16:37:26 2011 +0200
s4:python/samba/samdb: add toggle_userAccountFlags() helper function
And let enable_account() use it.
Pair-Programmed-With: Björn Baumbach <bb at sernet.de>
metze
commit 2996945de6cc6ab223da977b806ca7737c43ec7f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 24 12:40:33 2011 +0200
HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given
A service should use S4U2Self instead of S4U2Proxy.
Windows servers allow S4U2Proxy only to explicitly configured
target principals.
metze
commit 7229b0d5b2515cc4d487b80f77dc532104aa68d3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 24 11:53:37 2011 +0200
HEIMDAL:kdc: pass down the server hdb_entry_ex to check_constrained_delegation()
This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.
metze
commit b96efe069bd0a8d67c8d787a96415f8b02205462
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 24 11:08:33 2011 +0200
HEIMDAL:kdc: use the correct client realm in the EncTicketPart
With S4U2Proxy tgt->crealm might be different from tgt_name->realm.
metze
-----------------------------------------------------------------------
Summary of changes:
selftest/target/Samba4.pm | 67 ++++-
source4/auth/sam.c | 1 +
source4/heimdal/kdc/krb5tgs.c | 30 ++-
source4/kdc/db-glue.c | 105 ++++++++
source4/scripting/python/samba/netcmd/__init__.py | 2 +
.../scripting/python/samba/netcmd/delegation.py | 267 ++++++++++++++++++++
source4/scripting/python/samba/samdb.py | 45 +++-
source4/selftest/knownfail | 7 +-
source4/selftest/skip | 49 ++---
source4/selftest/tests.py | 8 +-
10 files changed, 515 insertions(+), 66 deletions(-)
create mode 100644 source4/scripting/python/samba/netcmd/delegation.py
Changeset truncated at 500 lines:
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index b76fd98..70e3cf7 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -456,10 +456,11 @@ EOF
sub provision_raw_prepare($$$$$$$$$$)
{
- my ($self, $prefix, $server_role, $netbiosname,
+ my ($self, $prefix, $server_role, $hostname,
$domain, $realm, $functional_level,
$swiface, $password, $kdc_ipv4) = @_;
my $ctx;
+ my $netbiosname = uc($hostname);
unless(-d $prefix or mkdir($prefix, 0777)) {
warn("Unable to create $prefix");
@@ -480,6 +481,7 @@ sub provision_raw_prepare($$$$$$$$$$)
$ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file";
$ctx->{server_role} = $server_role;
+ $ctx->{hostname} = $hostname;
$ctx->{netbiosname} = $netbiosname;
$ctx->{swiface} = $swiface;
$ctx->{password} = $password;
@@ -548,7 +550,7 @@ sub provision_raw_prepare($$$$$$$$$$)
}
push (@provision_options, "$self->{srcdir}/source4/setup/provision");
push (@provision_options, "--configfile=$ctx->{smb_conf}");
- push (@provision_options, "--host-name=$ctx->{netbiosname}");
+ push (@provision_options, "--host-name=$ctx->{hostname}");
push (@provision_options, "--host-ip=$ctx->{ipv4}");
push (@provision_options, "--quiet");
push (@provision_options, "--domain=$ctx->{domain}");
@@ -672,7 +674,7 @@ nogroup:x:65534:nobody
my $ret = {
KRB5_CONFIG => $ctx->{krb5_conf},
PIDDIR => $ctx->{piddir},
- SERVER => $ctx->{netbiosname},
+ SERVER => $ctx->{hostname},
SERVER_IP => $ctx->{ipv4},
NETBIOSNAME => $ctx->{netbiosname},
DOMAIN => $ctx->{domain},
@@ -715,12 +717,12 @@ sub provision_raw_step2($$$)
sub provision($$$$$$$$$)
{
- my ($self, $prefix, $server_role, $netbiosname,
+ my ($self, $prefix, $server_role, $hostname,
$domain, $realm, $functional_level,
$swiface, $password, $kdc_ipv4, $extra_smbconf_options) = @_;
my $ctx = $self->provision_raw_prepare($prefix, $server_role,
- $netbiosname,
+ $hostname,
$domain, $realm, $functional_level,
$swiface, $password, $kdc_ipv4);
@@ -734,10 +736,11 @@ sub provision($$$$$$$$$)
max xmit = 32K
server max protocol = SMB2
- $extra_smbconf_options
host msdfs = $msdfs
lanman auth = yes
+ $extra_smbconf_options
+
[tmp]
path = $ctx->{tmpdir}
read only = no
@@ -764,8 +767,10 @@ sub provision($$$$$$$$$)
ntvfs handler = cifs
cifs:server = $ctx->{netbiosname}
cifs:share = tmp
-#There is no username specified here, instead the client is expected
-#to log in with kerberos, and the serverwill use delegated credentials.
+ cifs:use-s4u2proxy = yes
+ # There is no username specified here, instead the client is expected
+ # to log in with kerberos, and the serverwill use delegated credentials.
+ # Or the server tries s4u2self/s4u2proxy to impersonate the client
[simple]
path = $ctx->{tmpdir}
@@ -875,9 +880,23 @@ sub provision_rpc_proxy($$$)
my ($self, $prefix, $dcvars) = @_;
print "PROVISIONING RPC PROXY...";
- my $extra_smbconf_options = "dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER}
- dcerpc endpoint servers = epmapper, remote
- dcerpc_remote:interfaces = rpcecho
+ my $extra_smbconf_options = "
+
+ # rpc_proxy
+ dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER}
+ dcerpc endpoint servers = epmapper, remote
+ dcerpc_remote:interfaces = rpcecho
+
+[cifs_to_dc]
+ read only = no
+ ntvfs handler = cifs
+ cifs:server = $dcvars->{SERVER}
+ cifs:share = cifs
+ cifs:use-s4u2proxy = yes
+ # There is no username specified here, instead the client is expected
+ # to log in with kerberos, and the serverwill use delegated credentials.
+ # Or the server tries s4u2self/s4u2proxy to impersonate the client
+
";
my $ret = $self->provision($prefix,
@@ -896,6 +915,8 @@ sub provision_rpc_proxy($$$)
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
+
+ # The joind runs in the context of the rpc_proxy/member for now
my $cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
@@ -907,6 +928,30 @@ sub provision_rpc_proxy($$$)
return undef;
}
+ # Setting up delegation runs in the context of the DC for now
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
+ $cmd .= "$samba_tool delegation for-any-protocol '$ret->{NETBIOSNAME}\$' on";
+ $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} $dcvars->{CONFIGURATION}";
+
+ unless (system($cmd) == 0) {
+ warn("Delegation failed\n$cmd");
+ return undef;
+ }
+
+ # Setting up delegation runs in the context of the DC for now
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
+ $cmd .= "$samba_tool delegation add-service '$ret->{NETBIOSNAME}\$' cifs/$dcvars->{SERVER}";
+ $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} $dcvars->{CONFIGURATION}";
+
+ unless (system($cmd) == 0) {
+ warn("Delegation failed\n$cmd");
+ return undef;
+ }
+
$ret->{RPC_PROXY_SERVER} = $ret->{SERVER};
$ret->{RPC_PROXY_SERVER_IP} = $ret->{SERVER_IP};
$ret->{RPC_PROXY_NETBIOSNAME} = $ret->{NETBIOSNAME};
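Review bot: Both new failure paths call `warn("Delegation failed\n$cmd")`, and `$cmd` contains `-U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}`, so the DC password is written to the selftest output whenever delegation setup fails. This is a test fixture, so the exposure is limited to the selftest environment, but the warning could name the failing step instead of echoing the command, e.g. `warn("samba-tool delegation add-service failed");`. Separately, `my $cmd = "";` is declared twice in this hunk and appears once more as context in the previous hunk; if all three are in the same scope, Perl reports the later ones as masking the earlier declaration under `use warnings`, and plain `$cmd = "";` would avoid that. provision_rpc_proxy starts and ends outside this hunk.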
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 83ed790..24a40fc 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -41,6 +41,7 @@
"msDS-SecondaryKrbTgtNumber", \
"msDS-SupportedEncryptionTypes", \
"supplementalCredentials", \
+ "msDS-AllowedToDelegateTo", \
\
/* passwords */ \
"dBCSPwd", \
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 66170cb..e4fdb14 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -505,21 +505,35 @@ check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config,
HDB *clientdb,
hdb_entry_ex *client,
- krb5_const_principal server)
+ hdb_entry_ex *server,
+ krb5_const_principal target)
{
const HDB_Ext_Constrained_delegation_acl *acl;
krb5_error_code ret;
int i;
- /* if client delegates to itself, that ok */
- if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
- return 0;
+ /*
+ * constrained_delegation (S4U2Proxy) only works within
+ * the same realm. We use the already canonicalized version
+ * of the principals here, while "target" is the principal
+ * provided by the client.
+ */
+ if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ kdc_log(context, config, 0,
+ "Bad request for constrained delegation");
+ return ret;
+ }
if (clientdb->hdb_check_constrained_delegation) {
- ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
+ ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
if (ret == 0)
return 0;
} else {
+ /* if client delegates to itself, that ok */
+ if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
+ return 0;
+
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
if (ret) {
krb5_clear_error_message(context);
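Review bot: The new realm check in check_constrained_delegation compares `client->entry.principal` with `server->entry.principal`, but the principal handed to the backend hook and to the ACL loop in the next hunk is the client-supplied `target`, whose realm is not compared here. That appears sound only as long as `server` is always the entry that was resolved from `target`, which is established outside these hunks; a comment on the function stating that precondition would help later callers, e.g. `/* server must be the hdb entry looked up for target; only server's realm is checked against the client */`. The rejection log `"Bad request for constrained delegation"` would also be easier to act on if it said that the client and server realms differ. The function body continues past the end of this hunk.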
@@ -528,7 +542,7 @@ check_constrained_delegation(krb5_context context,
if (acl) {
for (i = 0; i < acl->len; i++) {
- if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
+ if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
return 0;
}
}
@@ -901,7 +915,7 @@ tgs_make_reply(krb5_context context,
ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
if (ret)
goto out;
- et.crealm = tgt->crealm;
+ et.crealm = tgt_name->realm;
et.cname = tgt_name->name;
ek.key = et.key;
@@ -2026,7 +2040,7 @@ server_lookup:
}
ret = check_constrained_delegation(context, config, clientdb,
- client, sp);
+ client, server, sp);
if (ret) {
kdc_log(context, config, 0,
"constrained delegation from %s as %s to %s not allowed",
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 72262ac..080cf70 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1667,6 +1667,111 @@ samba_kdc_check_s4u2proxy(krb5_context context,
hdb_entry_ex *entry,
krb5_const_principal target_principal)
{
+ krb5_error_code ret;
+ char *tmp = NULL;
+ const char *client_dn = NULL;
+ const char *target_principal_name = NULL;
+ struct ldb_message_element *el;
+ struct ldb_val val;
+ unsigned int i;
+ bool found = false;
+ struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
+
+ TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_s4u2proxy");
+
+ if (!mem_ctx) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ "samba_kdc_check_s4u2proxy:"
+ " talloc_named() failed!");
+ return ret;
+ }
+
+ client_dn = ldb_dn_get_linearized(p->msg->dn);
+ if (!client_dn) {
+ if (errno == 0) {
+ errno = ENOMEM;
+ }
+ ret = errno;
+ krb5_set_error_message(context, ret,
+ "samba_kdc_check_s4u2proxy:"
+ " ldb_dn_get_linearized() failed!");
+ return ret;
+ }
+
+ /*
+ * The main heimdal code already checked that the target_principal
+ * belongs to the same realm as the client.
+ *
+ * So we just need the principal without the realm,
+ * as that is what is configured in the "msDS-AllowedToDelegateTo"
+ * attribute.
+ */
+ ret = krb5_unparse_name_flags(context, target_principal,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM, &tmp);
+ if (ret) {
+ talloc_free(mem_ctx);
+ krb5_set_error_message(context, ret,
+ "samba_kdc_check_s4u2proxy:"
+ " krb5_unparse_name() failed!");
+ return ret;
+ }
+ DEBUG(10,("samba_kdc_check_s4u2proxy: client[%s] for target[%s]\n",
+ client_dn, tmp));
+
+ target_principal_name = talloc_strdup(mem_ctx, tmp);
+ SAFE_FREE(tmp);
+ if (target_principal_name == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret,
+ "samba_kdc_check_s4u2proxy:"
+ " talloc_strdup() failed!");
+ return ret;
+ }
+
+ el = ldb_msg_find_element(p->msg, "msDS-AllowedToDelegateTo");
+ if (el == NULL) {
+ goto bad_option;
+ }
+
+ val = data_blob_string_const(target_principal_name);
+
+ for (i=0; i<el->num_values; i++) {
+ struct ldb_val *val1 = &val;
+ struct ldb_val *val2 = &el->values[i];
+ int cmp;
+
+ if (val1->length != val2->length) {
+ continue;
+ }
+
+ cmp = strncasecmp((const char *)val1->data,
+ (const char *)val2->data,
+ val1->length);
+ if (cmp != 0) {
+ continue;
+ }
+
+ found = true;
+ break;
+ }
+
+ if (!found) {
+ goto bad_option;
+ }
+
+ DEBUG(10,("samba_kdc_check_s4u2proxy: client[%s] allowed target[%s]\n",
+ client_dn, tmp));
+ talloc_free(mem_ctx);
+ return 0;
+
+bad_option:
+ krb5_set_error_message(context, ret,
+ "samba_kdc_check_s4u2proxy: client[%s] "
+ "not allowed for delegation to target[%s]",
+ client_dn,
+ target_principal_name);
+ talloc_free(mem_ctx);
return KRB5KDC_ERR_BADOPTION;
}
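Review bot: Two early error returns in the added body of samba_kdc_check_s4u2proxy leave `mem_ctx` allocated: the `!client_dn` branch and the `target_principal_name == NULL` branch both `return ret` without `talloc_free(mem_ctx)`, and because `mem_ctx` is a child of `kdc_db_ctx` it presumably stays allocated for as long as that context lives. The success-path `DEBUG` passes `tmp` after `SAFE_FREE(tmp)`, so `%s` is given a pointer that has already been freed (and, with Samba's usual macro, set to NULL); `target_principal_name` is the value meant there. At `bad_option`, `krb5_set_error_message()` is given `ret`, which is still 0 from the successful unparse, while the function returns `KRB5KDC_ERR_BADOPTION`, so the message is stored under a different code than the one returned. The function's signature starts above the hunk.

```c
	client_dn = ldb_dn_get_linearized(p->msg->dn);
	if (!client_dn) {
		/* … unchanged: errno handling and krb5_set_error_message() … */
		talloc_free(mem_ctx);
		return ret;
	}
	/* … unchanged: krb5_unparse_name_flags(), DEBUG, talloc_strdup(), SAFE_FREE … */
	if (target_principal_name == NULL) {
		/* … unchanged: ret = ENOMEM and krb5_set_error_message() … */
		talloc_free(mem_ctx);
		return ret;
	}
	/* … unchanged: msDS-AllowedToDelegateTo lookup and compare loop … */
	DEBUG(10,("samba_kdc_check_s4u2proxy: client[%s] allowed target[%s]\n",
		  client_dn, target_principal_name));
	/* … unchanged: talloc_free(mem_ctx); return 0; … */

bad_option:
	ret = KRB5KDC_ERR_BADOPTION;
	/* … unchanged: krb5_set_error_message(), talloc_free(mem_ctx), return … */
```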
diff --git a/source4/scripting/python/samba/netcmd/__init__.py b/source4/scripting/python/samba/netcmd/__init__.py
index 1373cb2..bc5b0f6 100644
--- a/source4/scripting/python/samba/netcmd/__init__.py
+++ b/source4/scripting/python/samba/netcmd/__init__.py
@@ -214,3 +214,5 @@ from samba.netcmd.testparm import cmd_testparm
commands["testparm"] = cmd_testparm()
from samba.netcmd.dbcheck import cmd_dbcheck
commands["dbcheck"] = cmd_dbcheck()
+from samba.netcmd.delegation import cmd_delegation
+commands["delegation"] = cmd_delegation()
diff --git a/source4/scripting/python/samba/netcmd/delegation.py b/source4/scripting/python/samba/netcmd/delegation.py
new file mode 100644
index 0000000..1307c14
--- /dev/null
+++ b/source4/scripting/python/samba/netcmd/delegation.py
@@ -0,0 +1,267 @@
+#!/usr/bin/env python
+#
+# delegation management
+#
+# Copyright Matthieu Patou mat at samba.org 2010
+# Copyright Stefan Metzmacher metze at samba.org 2011
+# Copyright Bjoern Baumbach bb at sernet.de 2011
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import samba.getopt as options
+import ldb
+import re
+from samba import provision
+from samba import dsdb
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba.netcmd import (
+ Command,
+ CommandError,
+ SuperCommand,
+ Option
+ )
+
+def _get_user_realm_domain(user):
+ """ get the realm or the domain and the base user
+ from user like:
+ * username
+ * DOMAIN\username
+ * username at REALM
+ """
+ baseuser = user
+ realm = ""
+ domain = ""
+ m = re.match(r"(\w+)\\(\w+$)", user)
+ if m:
+ domain = m.group(1)
+ baseuser = m.group(2)
+ return (baseuser.lower(), domain.upper(), realm)
+ m = re.match(r"(\w+)@(\w+)", user)
+ if m:
+ baseuser = m.group(1)
+ realm = m.group(2)
+ return (baseuser.lower(), domain, realm.upper())
+
+class cmd_delegation_show(Command):
+ """Show the delegation setting of an account."""
+ synopsis = "%prog delegation show <accountname>"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ takes_args = ["accountname"]
+
+ def run(self, accountname, credopts=None, sambaopts=None, versionopts=None):
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+ paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
+ sam = SamDB(paths.samdb, session_info=system_session(),
+ credentials=creds, lp=lp)
+ # TODO once I understand how, use the domain info to naildown
+ # to the correct domain
+ (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
+ print "Searching for: %s" % (cleanedaccount)
+ res = sam.search(expression="sAMAccountName=%s" % cleanedaccount,
+ scope=ldb.SCOPE_SUBTREE,
+ attrs=["userAccountControl", "msDS-AllowedToDelegateTo"])
+ if len(res) != 1:
+ raise CommandError("Account %s found %d times" % (accountname, len(res)))
+
+ uac = int(res[0].get("userAccountControl")[0])
+ allowed = res[0].get("msDS-AllowedToDelegateTo")
+
+ print "Account-DN: %s" % str(res[0].dn)
+
+ if uac & dsdb.UF_TRUSTED_FOR_DELEGATION:
+ print "UF_TRUSTED_FOR_DELEGATION: 1"
+ else:
+ print "UF_TRUSTED_FOR_DELEGATION: 0"
+
+ if uac & dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
+ print "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 1"
+ else:
+ print "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: 0"
+
+ if allowed != None:
+ for a in allowed:
+ print "msDS-AllowedToDelegateTo: %s" % (str(a))
+
+class cmd_delegation_for_any_service(Command):
+ """Set/unset UF_TRUSTED_FOR_DELEGATION for an account."""
+ synopsis = "%prog delegation for-any-service <accountname> on|off"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "credopts": options.CredentialsOptions,
+ "versionopts": options.VersionOptions,
+ }
+
+ takes_args = ["accountname", "onoff"]
+
+ def run(self, accountname, onoff, credopts=None, sambaopts=None, versionopts=None):
+
+ on = False
+ if onoff == "on":
+ on = True
+ elif onoff == "off":
+ on = False
+ else:
+ raise CommandError("Invalid argument [%s]" % onoff)
+
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+ paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
+ sam = SamDB(paths.samdb, session_info=system_session(),
+ credentials=creds, lp=lp)
+ # TODO once I understand how, use the domain info to naildown
+ # to the correct domain
--
Samba Shared Repository