[SCM] Samba Shared Repository - branch master updated
Amitay Isaacs
amitay at samba.org
Thu Nov 17 22:19:01 MST 2011
The branch, master has been updated
via cd3f552 s3-py-passdb: Fix handling of uninitialized gid values
via 9318e00 dsdb: Fix the password expiry calculation
via d0e9f22 s3-passdb_test: Policy values are converted to signed integer
via 244ecc8 s4-s3-upgrade: Add --verbose option to print extra details
via f93ec5a s4-auth log details about any token we fail to convert to a unix token
via e6c77f5 s4-s3-upgrade: Fix idmap types ID_TYPE_UID/ID_TYPE_GID instead of UID/GID
via 6a2a2df samba-tool: Fix the domain account policy max_pwd_age calculation
via c48a2aa s4-s3-upgrade: Fix the minimum and maximum password age calculation
via e80dbdc s4-s3-upgrade now look for -1 as the special 'not set' value
from 32e825d s3/packaging: Fix rpm build issues on RHEL.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit cd3f552f4f632204edc8064a1ad332e703a28e72
Author: Amitay Isaacs <amitay at gmail.com>
Date: Fri Nov 18 14:35:56 2011 +1100
s3-py-passdb: Fix handling of uninitialized gid values
Uninitialized gid value is set to -1 and returned as such from python
passdb api.
Autobuild-User: Amitay Isaacs <amitay at samba.org>
Autobuild-Date: Fri Nov 18 06:18:33 CET 2011 on sn-devel-104
commit 9318e00a1fab1e6eda6495c44b69d95a980b1e5e
Author: Amitay Isaacs <amitay at gmail.com>
Date: Fri Nov 18 10:34:44 2011 +1100
dsdb: Fix the password expiry calculation
As per Section 3.1.1.4.5.26 [MS-ADTS.pdf], password is expired if
pwdLastSet = null, or
pwdLastSet = 0, or
(maxPwdAge != 0x8000000000000000 and (ST - pwdLastSet) > maxPwdAge)
commit d0e9f22654be1c9972c5b5ba6b3ebe808f27c678
Author: Amitay Isaacs <amitay at gmail.com>
Date: Fri Nov 18 09:55:38 2011 +1100
s3-passdb_test: Policy values are converted to signed integer
No need to check value for 0xffffffff (4294967295).
commit 244ecc844dc36584a01ec5248c68060f6bb97114
Author: Amitay Isaacs <amitay at gmail.com>
Date: Thu Nov 17 18:51:14 2011 +1100
s4-s3-upgrade: Add --verbose option to print extra details
commit f93ec5a0274b3b14a5ad2cff287fcb5e48d59731
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Nov 17 18:24:24 2011 +1100
s4-auth log details about any token we fail to convert to a unix token
Now that entries are being added into the idmap DB from Samba3, and
may be UID or GID but not BOTH, failures are more likely.
Andrew Bartlett
commit e6c77f523b8ed8332ecb4d50a6af7eaa7e6f19af
Author: Amitay Isaacs <amitay at gmail.com>
Date: Thu Nov 17 16:08:16 2011 +1100
s4-s3-upgrade: Fix idmap types ID_TYPE_UID/ID_TYPE_GID instead of UID/GID
commit 6a2a2dfa5f510fcab964588c29c2991859bbc83f
Author: Amitay Isaacs <amitay at gmail.com>
Date: Thu Nov 17 09:34:57 2011 +1100
samba-tool: Fix the domain account policy max_pwd_age calculation
Windows sets maxPwdAge to -0x8000000000000000 when maximum password
age is set to 0 days.
commit c48a2aa43854636763cd6472ceba7f0c70185689
Author: Amitay Isaacs <amitay at gmail.com>
Date: Wed Nov 16 12:59:52 2011 +1100
s4-s3-upgrade: Fix the minimum and maximum password age calculation
Windows sets maxPwdAge to -0x8000000000000000 when maximum password age
is set to 0 days.
commit e80dbdcab1831bd07e76863acaea4e356f71cf98
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Nov 16 16:51:06 2011 +1100
s4-s3-upgrade now look for -1 as the special 'not set' value
this is possible because we know the py_passdb will always set -1
here, not passing through 0xFFFFFFFF.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source3/passdb/py_passdb.c | 4 ++--
source4/auth/unix_token.c | 17 +++++++++++++++++
source4/dsdb/common/util.c | 2 +-
source4/scripting/python/samba/netcmd/domain.py | 17 +++++++++++++----
source4/scripting/python/samba/tests/samba3.py | 4 ++--
source4/scripting/python/samba/upgrade.py | 18 +++++++++---------
6 files changed, 44 insertions(+), 18 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c
index de27839..46f2e90 100644
--- a/source3/passdb/py_passdb.c
+++ b/source3/passdb/py_passdb.c
@@ -975,7 +975,7 @@ static PyObject *py_groupmap_get_gid(PyObject *obj, void *closure)
GROUP_MAP *group_map = (GROUP_MAP *)pytalloc_get_ptr(obj);
PyObject *py_gid;
- py_gid = PyInt_FromLong(group_map->gid);
+ py_gid = Py_BuildValue("i", group_map->gid);
return py_gid;
}
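Review bot: in py_groupmap_get_gid the "i" format converts group_map->gid as a C int, so it maps 0xFFFFFFFF to -1 as intended but also turns any gid above 0x7FFFFFFF into a negative number. An explicit test for the unset value (returning -1 only in that case) and an unsigned conversion for everything else would keep large gids intact, and a short comment on the -1 convention would help callers.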
@@ -2317,7 +2317,7 @@ static PyObject *py_pdb_get_account_policy(pytalloc_Object *self)
type = account_policy_name_to_typenum(names[i]);
status = methods->get_account_policy(methods, type, &value);
if (NT_STATUS_IS_OK(status)) {
- PyDict_SetItemString(py_acct_policy, names[i], PyInt_FromLong(value));
+ PyDict_SetItemString(py_acct_policy, names[i], Py_BuildValue("i", value));
}
}
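Review bot: the object created by Py_BuildValue("i", value) inside the PyDict_SetItemString call is never released. PyDict_SetItemString does not take ownership of the value, so each policy entry leaks one reference, and a NULL result from Py_BuildValue is not checked. Store the object in a local, check it, and Py_DECREF it after the insert.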
diff --git a/source4/auth/unix_token.c b/source4/auth/unix_token.c
index 765bf06..24f3226 100644
--- a/source4/auth/unix_token.c
+++ b/source4/auth/unix_token.c
@@ -78,6 +78,11 @@ NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx,
} else if (ids[0].xid.type == ID_TYPE_UID) {
(*sec)->uid = ids[0].xid.id;
} else {
+ char *sid_str = dom_sid_string(mem_ctx, ids[0].sid);
+ DEBUG(0, ("Unable to convert first SID (%s) in user token to a UID. Conversion was returned as type %d, full token:\n",
+ sid_str, (int)ids[0].xid.type));
+ security_token_debug(0, 0, token);
+ talloc_free(sid_str);
return NT_STATUS_INVALID_SID;
}
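Review bot: sid_str from dom_sid_string(mem_ctx, ids[0].sid) is handed to the "%s" in DEBUG without a NULL check, so an allocation failure on this error path would pass NULL to the formatter. Guard it before logging, for example by printing a fixed placeholder string when sid_str is NULL.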
@@ -87,6 +92,11 @@ NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx,
(*sec)->groups[g] = ids[1].xid.id;
g++;
} else {
+ char *sid_str = dom_sid_string(mem_ctx, ids[1].sid);
+ DEBUG(0, ("Unable to convert second SID (%s) in user token to a GID. Conversion was returned as type %d, full token:\n",
+ sid_str, (int)ids[1].xid.type));
+ security_token_debug(0, 0, token);
+ talloc_free(sid_str);
return NT_STATUS_INVALID_SID;
}
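Review bot: this else branch repeats the five lines added for ids[0] with only the index, the wording and the expected type changed, and the loop below repeats them a third time. A small static helper taking the token, the ids entry and its index would keep the three messages consistent and leave one place to fix.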
@@ -96,10 +106,17 @@ NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx,
(*sec)->groups[g] = ids[s].xid.id;
g++;
} else {
+ char *sid_str = dom_sid_string(mem_ctx, ids[s].sid);
+ DEBUG(0, ("Unable to convert SID (%s) at index %u in user token to a GID. Conversion was returned as type %d, full token:\n",
+ sid_str, (unsigned int)s, (int)ids[s].xid.type));
+ security_token_debug(0, 0, token);
+ talloc_free(sid_str);
return NT_STATUS_INVALID_SID;
}
}
+ DEBUG(5, ("Successfully converted security token to a unix token:"));
+ security_token_debug(0, 5, token);
TALLOC_FREE(ids);
return NT_STATUS_OK;
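Review bot: the DEBUG(5, ...) success message has no trailing "\n", unlike the three failure messages that end in "full token:\n", so the token dump that follows will start on the same log line. Add the newline to the format string.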
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index cae6bd4..826a1e4 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -505,7 +505,7 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn,
"maxPwdAge", NULL);
- if (maxPwdAge == 0) {
+ if (maxPwdAge == 0 || maxPwdAge == -0x8000000000000000ULL) {
return 0x7FFFFFFFFFFFFFFFULL;
} else {
attr_time -= maxPwdAge;
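Review bot: the new test maxPwdAge == -0x8000000000000000ULL compares a value read with samdb_search_int64() against a negated unsigned literal, so it only matches through the implicit conversion to unsigned. Compare against INT64_MIN or a named constant instead, and add a comment that this is the value Windows stores when the maximum password age is set to 0 days.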
diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py
index f1ebf7e..0e6083a 100644
--- a/source4/scripting/python/samba/netcmd/domain.py
+++ b/source4/scripting/python/samba/netcmd/domain.py
@@ -386,7 +386,10 @@ class cmd_domain_passwordsettings(Command):
cur_min_pwd_len = int(res[0]["minPwdLength"][0])
# ticks -> days
cur_min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
- cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
+ if int(res[0]["maxPwdAge"][0]) == -0x8000000000000000:
+ cur_max_pwd_age = 0
+ else:
+ cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
except Exception, e:
raise CommandError("Could not retrieve password properties!", e)
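Review bot: int(res[0]["maxPwdAge"][0]) is now parsed twice and compared with a bare -0x8000000000000000, a literal this patch also introduces in the set path below and in upgrade.py. Parse the attribute once into a local and compare against a shared named constant so the sentinel cannot drift between the three places.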
@@ -482,7 +485,10 @@ class cmd_domain_passwordsettings(Command):
raise CommandError("Maximum password age must be in the range of 0 to 999!")
# days -> ticks
- max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
+ if max_pwd_age == 0:
+ max_pwd_age_ticks = -0x8000000000000000
+ else:
+ max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks),
ldb.FLAG_MOD_REPLACE, "maxPwdAge")
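Review bot: the max_pwd_age == 0 branch writes -0x8000000000000000 with no comment, so the reason for the special case lives only in the commit message. Add a one-line comment that this is the value Windows stores when the maximum password age is 0 days, and consider integer arithmetic (24 * 60 * 60 * 10000000) in the else branch rather than multiplying by the float 1e7.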
@@ -522,6 +528,7 @@ class cmd_domain_samba3upgrade(Command):
Option("--targetdir", type="string", metavar="DIR",
help="Path prefix where the new Samba 4.0 AD domain should be initialised"),
Option("--quiet", help="Be quiet", action="store_true"),
+ Option("--verbose", help="Be verbose", action="store_true"),
Option("--use-xattrs", type="choice", choices=["yes","no","auto"], metavar="[yes|no|auto]",
help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto"),
]
@@ -529,7 +536,7 @@ class cmd_domain_samba3upgrade(Command):
takes_args = ["smbconf"]
def run(self, smbconf=None, targetdir=None, dbdir=None, testparm=None,
- quiet=False, use_xattrs=None, sambaopts=None, versionopts=None):
+ quiet=False, verbose=False, use_xattrs=None, sambaopts=None, versionopts=None):
if not os.path.exists(smbconf):
raise CommandError("File %s does not exist" % smbconf)
@@ -544,7 +551,9 @@ class cmd_domain_samba3upgrade(Command):
raise CommandError("Please specify either dbdir or testparm")
logger = self.get_logger()
- if quiet:
+ if verbose:
+ logger.setLevel(logging.DEBUG)
+ elif quiet:
logger.setLevel(logging.WARNING)
else:
logger.setLevel(logging.INFO)
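Review bot: when both --verbose and --quiet are given, the if/elif order silently lets --verbose win. Either reject the combination with a CommandError or state the precedence in the option help.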
diff --git a/source4/scripting/python/samba/tests/samba3.py b/source4/scripting/python/samba/tests/samba3.py
index fb1eb5a..e8852cd 100644
--- a/source4/scripting/python/samba/tests/samba3.py
+++ b/source4/scripting/python/samba/tests/samba3.py
@@ -90,7 +90,7 @@ class PassdbTestCase(TestCaseInTempDir):
def test_policy(self):
policy = self.pdb.get_account_policy()
self.assertEquals(0, policy['bad lockout attempt'])
- self.assertEquals(4294967295, policy['disconnect time'])
+ self.assertEquals(-1, policy['disconnect time'])
self.assertEquals(0, policy['lockout duration'])
self.assertEquals(999999999, policy['maximum password age'])
self.assertEquals(0, policy['minimum password age'])
@@ -151,7 +151,7 @@ class PassdbTestCase(TestCaseInTempDir):
def test_get_group(self):
group = self.pdb.getgrsid(dom_sid("S-1-5-32-544"))
self.assertEquals("Administrators", group.nt_name)
- self.assertEquals(4294967295, group.gid)
+ self.assertEquals(-1, group.gid)
self.assertEquals(5, group.sid_name_use)
def test_groupsids(self):
diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index 0636d2b..bf91201 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -60,15 +60,15 @@ def import_sam_policy(samdb, policy, logger):
ldb.FLAG_MOD_REPLACE, 'pwdHistoryLength')
min_pw_age_unix = policy['minimum password age']
- min_pw_age_nt = 0 - unix2nttime(min_pw_age_unix)
+ min_pw_age_nt = int(-min_pw_age_unix * (1e7 * 60 * 60 * 24))
m['a03'] = ldb.MessageElement(str(min_pw_age_nt), ldb.FLAG_MOD_REPLACE,
'minPwdAge')
max_pw_age_unix = policy['maximum password age']
- if (max_pw_age_unix == 0xFFFFFFFF):
- max_pw_age_nt = 0
+ if max_pw_age_unix == -1:
+ max_pw_age_nt = -0x8000000000000000
else:
- max_pw_age_nt = unix2nttime(max_pw_age_unix)
+ max_pw_age_nt = int(-max_pw_age_unix * (1e7 * 60 * 60 * 24))
m['a04'] = ldb.MessageElement(str(max_pw_age_nt), ldb.FLAG_MOD_REPLACE,
'maxPwdAge')
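Review bot: both conversions multiply the passdb value by 1e7 * 60 * 60 * 24, which treats it as a number of days, while the names min_pw_age_unix and max_pw_age_unix and the unix2nttime() calls being replaced suggest the value is in seconds. With the 999999999 that the samba3.py test expects for 'maximum password age', the result is about -8.6e20, which does not fit a signed 64-bit maxPwdAge. Please confirm the unit (seconds would need only the 1e7 factor), and consider whether 'minimum password age' needs the same -1 handling as the maximum.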
@@ -91,7 +91,7 @@ def add_idmap_entry(idmapdb, sid, xid, xid_type, logger):
:param idmapdb: Samba4 IDMAP database
:param sid: user/group sid
:param xid: user/group id
- :param xid_type: type of id (UID/GID)
+ :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
:param logger: Logger object
"""
@@ -237,7 +237,7 @@ def add_users_to_group(samdb, group, members, logger):
samdb.modify(m)
except ldb.LdbError, (ecode, emsg):
if ecode == ldb.ERR_ENTRY_ALREADY_EXISTS:
- logger.info("skipped re-adding member '%s' to group '%s': %s", member_sid, group.sid, emsg)
+ logger.debug("skipped re-adding member '%s' to group '%s': %s", member_sid, group.sid, emsg)
elif ecode == ldb.ERR_NO_SUCH_OBJECT:
raise ProvisioningError("Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s" % (member_sid, group.sid, emsg))
else:
@@ -674,8 +674,8 @@ Please fix this account before attempting to upgrade again
logger.info("Importing groups")
for g in grouplist:
# Ignore uninitialized groups (gid = -1)
- if g.gid != 0xffffffff:
- add_idmap_entry(result.idmap, g.sid, g.gid, "GID", logger)
+ if g.gid != -1:
+ add_idmap_entry(result.idmap, g.sid, g.gid, "ID_TYPE_GID", logger)
add_group_from_mapping_entry(result.samdb, g, logger)
# Export users to samba4 backend
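Review bot: add_idmap_entry is still passed the type as a bare string ("ID_TYPE_GID" here, "ID_TYPE_UID" in the users loop below), and this change exists because the earlier strings "UID" and "GID" were wrong. Defining the two values once as module constants, or validating xid_type inside add_idmap_entry, would make a mistyped type fail during the upgrade rather than later.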
@@ -685,7 +685,7 @@ Please fix this account before attempting to upgrade again
continue
s4_passdb.add_sam_account(userdata[username])
if username in uids:
- add_idmap_entry(result.idmap, userdata[username].user_sid, uids[username], "UID", logger)
+ add_idmap_entry(result.idmap, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
logger.info("Adding users to groups")
for g in grouplist:
--
Samba Shared Repository