[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Aug 27 17:49:04 MDT 2012


The branch, master has been updated
       via  11a5646 VERSION: Move on to beta8
       via  c41894c VERSION: Mark as the beta7 release
       via  3460340 WHATSNEW: prepare for 4.0 beta7
       via  24f3147 selftest: Fix comment in blackbox_s3upgrade.sh
       via  444c9ff s4-classicupgrade: Do the setting of the sysvol ACLs last, after idmap is configured
       via  5aa9a6c s3-passdb: Allow reload of the static passdb from python
       via  f873d42 auth/credentials: Rework credentials handling to try and find the most recent machine pw
       via  1a8fd71 selftest: Add test of smbclient --machine-pass against and using both s3 and s4
       via  e66fa2c auth/credentials: Expand secrets.tdb fetch of secrets to preserve workstation and realm
       via  43904cb s4-dsdb: Remove double-free in update_keytab module
       via  8c20539 s4-dsdb: Add secrets_tdb_sync - an ldb module to keep secrets.tdb in sync
       via  f2d9be5 s3-secrets: Use talloc_stackframe() in secrets_init_path()
       via  5adf8c8 s3-secrets: Handle all valid ROLE_ values in get_default_sec_channel()
       via  708ce41 s3-secrets: Add helper function to set machine account password from secrets_tdb_sync
       via  62373b8 lib/krb5_wrap: Move enctype conversion functions into a simple helper file
       via  d5b9972 s4-classicupgrade: Read WINS DB before the provision
       via  85f1c4f s4-classicupgrade: Do all the queries of data before the provision()
       via  738f4ac s4-classicupgrade: Use s3param.get_context() instead of result.lp
       via  1ed6070 lib/krb5_wrap: Move kerberos_enctype_to_bitmap() into krb5_wrap
       via  0f7aa3d lib/krb5_wrap: Bring list of all enc types into krb5_wrap
       via  8613539 s4-libnet: Ensure termination of enctype array in libnet_export_keytab()
       via  098c5ec examples: Remove security=share and security=server from example smb.conf
       via  e17bf6a s3-param: Avoid assert on use of talloc_tos() without stackframe
      from  f118eae s4-torture: Test for #9058

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 11a5646cd47bb8e845aa364120979194d95b3e16
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 28 07:43:06 2012 +1000

    VERSION: Move on to beta8
    
    We actually expect beta7 to be the last beta, but to avoid
    confusion I won't mark it as rc1 until the actual release candidate.
    
    Andrew Bartlett
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Aug 28 01:48:16 CEST 2012 on sn-devel-104

commit c41894c7dd512eeddacb6810405b64ad180af6e0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 28 07:41:11 2012 +1000

    VERSION: Mark as the beta7 release

commit 3460340bf2cc65a89d441478a12bfc2deb3fd55f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 28 07:39:36 2012 +1000

    WHATSNEW: prepare for 4.0 beta7

commit 24f3147019899cdc05cd95a53ce91ded7436c9a6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 22:39:35 2012 +1000

    selftest: Fix comment in blackbox_s3upgrade.sh

commit 444c9ffad75cfe4f1948a09a870c87b17aed21a9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 22:38:53 2012 +1000

    s4-classicupgrade: Do the setting of the sysvol ACLs last, after idmap is configured
    
    This will allow files to be correctly owned by the idmap that is imported.
    
    This appears to fix an issue that came up after s3fs-compatible ACLs were
    merged into provision.
    
    Andrew Bartlett

commit 5aa9a6c936cbf4fb8a7a9d9a03b1678d6419e78f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 22:37:19 2012 +1000

    s3-passdb: Allow reload of the static passdb from python
    
    This is then used in provision when the passdb backend is forced.
    
    Andrew Bartlett

commit f873d422b153c55754c0d1e83670cda7c3a7f7e3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 21:37:19 2012 +1000

    auth/credentials: Rework credentials handling to try and find the most recent machine pw
    
    As winbindd will update secrets.tdb but not secrets.ldb, we need to detect this and use secrets.tdb
    
    Andrew Bartlett

commit 1a8fd711d7e4f97a6749b5d6c4806b11c38f20f4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 21:02:28 2012 +1000

    selftest: Add test of smbclient --machine-pass against and using both s3 and s4
    
    This uses both smbclient binaries to ensure that both work in both environments.
    
    Andrew Bartlett

commit e66fa2c8134a886f52419f4a33992b200b00ff49
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 21:01:10 2012 +1000

    auth/credentials: Expand secrets.tdb fetch of secrets to preserve workstation and realm
    
    These would otherwise be set during the fetch from the secrets.ldb, but are wiped when that fails.
    
    Andrew Bartlett

commit 43904cb4f5e775a5ba72553d1a59ffd30204a83d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 19:46:11 2012 +1000

    s4-dsdb: Remove double-free in update_keytab module

commit 8c205395c69fd4cfdde87441589395c782219e1e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 19:29:38 2012 +1000

    s4-dsdb: Add secrets_tdb_sync - an ldb module to keep secrets.tdb in sync
    
    secrets_tdb_sync is a new ldb module designed to sync secrets.ldb
    entries with the secrets.tdb file.
    
    While not ideal to keep two copies of this data, this routine will
    assist in allowing the samba-tool domain join code to operate
    correctly in most cases where winbindd and smbd are used.
    
    Andrew Bartlett

commit f2d9be5af601741444bc5ff3d91edce38acff024
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 19:42:44 2012 +1000

    s3-secrets: Use talloc_stackframe() in secrets_init_path()

commit 5adf8c8634ccc2dc63fb1f64d3dfa11449c78272
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 19:28:56 2012 +1000

    s3-secrets: Handle all valid ROLE_ values in get_default_sec_channel()

commit 708ce41b32881e5a45c38929be66f9a1392dda8a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 19:28:22 2012 +1000

    s3-secrets: Add helper function to set machine account password from secrets_tdb_sync
    
    secrets_tdb_sync will be a new ldb module designed to sync secrets.ldb
    entries with the secrets.tdb file.
    
    While not ideal to keep two copies of this data, this routine will
    assist in allowing the samba-tool domain join code to operate
    correctly in most cases where winbindd and smbd are used.
    
    Andrew Bartlett

commit 62373b8a509fb874728c351e8039f94e3a1dd6db
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 18:34:02 2012 +1000

    lib/krb5_wrap: Move enctype conversion functions into a simple helper file

commit d5b9972215071d3d09b586fcc371c69002f89192
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 17:27:16 2012 +1000

    s4-classicupgrade: Read WINS DB before the provision

commit 85f1c4fdfdda7e9c765c6c4ab7f50519c657a409
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 17:20:51 2012 +1000

    s4-classicupgrade: Do all the queries of data before the provision()
    
    This allows provision to change the s3 smb.conf settings if required.
    
    Andrew Bartlett

commit 738f4ac058ab49239271539fe66d09bfa81a138b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 16:56:35 2012 +1000

    s4-classicupgrade: Use s3param.get_context() instead of result.lp
    
    We should not need the guessed values here, but by changing to using the s3 loadparm context
    we can move this block to before the provision.
    
    Andrew Bartlett

commit 1ed607057087cd5e9f1deebe472a1a6d9009a32f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 15:52:47 2012 +1000

    lib/krb5_wrap: Move kerberos_enctype_to_bitmap() into krb5_wrap

commit 0f7aa3db52ac10177993e8f05569c7d378d66440
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 15:51:52 2012 +1000

    lib/krb5_wrap: Bring list of all enc types into krb5_wrap

commit 861353972d967ecbd1552d49f157f8e04904bcce
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 15:34:41 2012 +1000

    s4-libnet: Ensure termination of enctype array in libnet_export_keytab()

commit 098c5ecdba63b29752b6c0b0030684cf0ef76196
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 27 15:22:45 2012 +1000

    examples: Remove security=share and security=server from example smb.conf

commit e17bf6af22a672ae42f458e8904531d0c36c088f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 28 07:46:49 2012 +1000

    s3-param: Avoid assert on use of talloc_tos() without stackframe
    
    This is hit during samba-tool domain classicupgrade
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   70 ++++---
 auth/credentials/credentials_secrets.c             |  104 ++++++---
 examples/smb.conf.default                          |    2 +-
 lib/krb5_wrap/enctype_convert.c                    |  104 ++++++++
 lib/krb5_wrap/krb5_samba.h                         |    8 +
 lib/krb5_wrap/wscript_build                        |    2 +-
 selftest/knownfail                                 |    1 +
 source3/include/secrets.h                          |    6 +
 source3/param/loadparm.c                           |    5 +-
 source3/passdb/machine_account_secrets.c           |   89 +++++++-
 source3/passdb/pdb_interface.c                     |    5 +-
 source3/passdb/py_passdb.c                         |   18 ++
 source3/passdb/secrets.c                           |    9 +-
 .../script/tests/test_smbclient_machine_auth.sh    |   21 ++
 source3/selftest/tests.py                          |    3 +
 source4/auth/kerberos/srv_keytab.c                 |   45 ----
 source4/dsdb/samdb/ldb_modules/samba_secrets.c     |    1 +
 .../{update_keytab.c => secrets_tdb_sync.c}        |  254 +++++++++++---------
 source4/dsdb/samdb/ldb_modules/update_keytab.c     |    2 -
 .../dsdb/samdb/ldb_modules/wscript_build_server    |    9 +
 source4/kdc/db-glue.c                              |   20 --
 source4/libnet/libnet_export_keytab.c              |   10 +-
 .../scripting/python/samba/provision/__init__.py   |   15 +-
 source4/scripting/python/samba/tests/provision.py  |    2 +
 .../python/samba/tests/upgradeprovision.py         |    2 +-
 .../python/samba/tests/upgradeprovisionneeddc.py   |    2 +-
 source4/scripting/python/samba/upgrade.py          |   79 ++++---
 source4/selftest/tests.py                          |    3 +
 source4/setup/tests/blackbox_s3upgrade.sh          |    2 +-
 source4/utils/tests/test_smbclient.sh              |   34 +++
 31 files changed, 620 insertions(+), 309 deletions(-)
 create mode 100644 lib/krb5_wrap/enctype_convert.c
 create mode 100755 source3/script/tests/test_smbclient_machine_auth.sh
 copy source4/dsdb/samdb/ldb_modules/{update_keytab.c => secrets_tdb_sync.c} (56%)
 create mode 100755 source4/utils/tests/test_smbclient.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 781a283..14c0561 100644
--- a/VERSION
+++ b/VERSION
@@ -67,7 +67,7 @@ SAMBA_VERSION_ALPHA_RELEASE=
 # e.g. SAMBA_VERSION_BETA_RELEASE=1                    #
 #  ->  "4.0.0beta1"                                    #
 ########################################################
-SAMBA_VERSION_BETA_RELEASE=7
+SAMBA_VERSION_BETA_RELEASE=8
 
 ########################################################
 # For 'pre' releases the version will be               #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2aebbc2..d9f2333 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,4 @@
-What's new in Samba 4.0 beta6
+What's new in Samba 4.0 beta7
 =============================
 
 Samba 4.0 will be the next version of the Samba suite and incorporates
@@ -11,17 +11,20 @@ and above.
 WARNINGS
 ========
 
-Samba 4.0 beta6 is not a final Samba release, however we are now making
-good progress towards a Samba 4.0 release, of which this is a preview.
-Be aware the this release contains the best of all of Samba's
+Samba 4.0 beta7 is not a final Samba release, however we are now making
+good progress towards a Samba 4.0 release.  However, this is expected to be the
+last beta release before we start on our release candidate series.
+
+This release contains the best of all of Samba's
 technology parts, both a file server (that you can reasonably expect
 to upgrade existing Samba 3.x releases to) and the AD domain
 controller work previously known as 'samba4'.
 
 Samba 4.0 is subjected to an awesome battery of tests on an automated
 basis, we have found Samba 4.0 to be very stable in it's behaviour.
-However, we still recommend against upgrading production servers from
-Samba 3.x release to Samba 4.0 beta at this stage.
+However, as with all our pre-releases we still recommend against
+upgrading production servers from Samba 3.x release to Samba 4.0 beta
+at this stage.
 
 If you are upgrading, or looking to develop, test or deploy Samba 4.0
 beta releases, you should backup all configuration and data.
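Review bot: the new warning paragraph (lines +11 to +12) strings two "however" clauses together: "is not a final Samba release, however we are now making good progress towards a Samba 4.0 release.  However, this is expected to be the last beta release"; drop the first "however" (or make it "but") so the two sentences read cleanly. While this paragraph is being edited, the unchanged context line "very stable in it's behaviour" should read "its behaviour".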
@@ -35,10 +38,16 @@ Samba 4.0 as an AD DC should use the 'samba-tool domain
 classicupgrade' command.  See the wiki for more details:
 https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO 
 
-Users upgrading from Samba 4.0 alpha and beta releases since alpha15 
-should run 'samba-tool dbcheck --cross-ncs --fix'.  Users upgrading
-from earlier alpha releases should contact the team for advice. 
+Users upgrading from Samba 4.0 alpha and beta releases since alpha15
+should run 'samba-tool dbcheck --cross-ncs --fix' before re-starting
+Samba.  Users upgrading from earlier alpha releases should contact the
+team for advice.
 
+Users upgrading an AD DC from any previous release should run
+'samba-tool ntacl sysvolreset' to re-sync ACLs on the sysvol share
+with those matching the GPOs in LDAP and the defaults from an initial
+provision.  This will set an underlying POSIX ACL if required (eg not
+using the NTVFS file server).
 
 NEW FEATURES
 ============
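Review bot: the new advice at +41 to +45 tells every upgrading AD DC to run 'samba-tool ntacl sysvolreset' without saying that resetting to "the defaults from an initial provision" also discards any ACL changes an administrator has made on sysvol. Since the same file lists the new 'samba-tool ntacl sysvolcheck' command further down, suggest recommending sysvolcheck first and stating plainly that sysvolreset overwrites local changes. Also "(eg not using the NTVFS file server)" should be "(e.g. when not using the NTVFS file server)".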
@@ -89,29 +98,36 @@ Python programs to interface to Samba's internals, and many tools and
 internal workings of the DC code is now implemented in python.
 
 
-CHANGES SINCE beta5
+CHANGES SINCE beta6
 =====================
 
-For a list of changes since beta5, please see the git log.
+For a list of changes since beta6, please see the git log.
 
 $ git clone git://git.samba.org/samba.git
 $ cd samba.git
-$ git log samba-4.0.0beta5..samba-4.0.0beta6
+$ git log samba-4.0.0beta6..samba-4.0.0beta7
 
 Some major user-visible changes include:
 
-- Provision is now faster, as we now correctly use the database
-  indices during the provision
+- ACLs are now set during provision at the POSIX layer for the sysvol
+  share.  This allows group policies to be modified by Domain
+  Administrators (Policy Administrators) that are not the actual
+  Administrator user.
+
+- A number of verified fixes for expanding memory use across the AD
+  domain controller, including in the Bind9 DLZ module.
 
-- Support for handling of Extended Signatures (Session Key Protection)
+- A fix for bug #9097 (the winbind in the AD DC would lock up under
+  parallel requests).
 
-- A (unverified at this time) fix for expanding memory use in our
-  AD DRS replication server.
+- wbinfo --ping-dc now returns helpful information on what failed and
+  against which DC it failed
 
-- A fix for supporting the userWorkstations restriction in the KDC
+- SMB3 encryption support
 
-- Support for upgrading classic domains that may not have all the
-  default domain policies set.
+- New 'samba-tool ntacl' commands:
+  - samba-tool ntacl sysvolreset
+  - samba-tool ntacl sysvolcheck
 
 Less visible, but important changes under the hood include:
 
@@ -122,7 +138,12 @@ Less visible, but important changes under the hood include:
 - Patches to ensure that talloc_tos() and talloc_stackframe() are
   always used correctly.
 
-- Preparation for correctly setting POSIX ACLs during provision.
+- We can now test the implementation of NT -> POSIX ACL mapping in a
+  unit test with VFS bindings exposing both to python.  We also store
+  the posix ACL in a tdb during make test, allowing testing of this
+  feature on all platforms, regardless of local FS settings.
+
+- Python bindings for the source3 async libsmb library (for use in testing)
 
 KNOWN ISSUES
 ============
@@ -130,13 +151,6 @@ KNOWN ISSUES
 - This release makes the s3fs file server the default, as this is the
   file server combination we will use for the Samba 4.0 release.
 
-- Modifying of group policies by members of the Domain Administrators
-  group is not possible with the s3fs file server, only with the ntvfs
-  file server.  This is due to the underlying POSIX ACL not being set
-  at provision time.  Recursivly giving 'domain administrators' write
-  access to the contents of the sysvol share using a windows client
-  will fix this in the interim.
-
 - For similar reasons, sites with ACLs stored by the ntvfs file server
   may wish to continue to use that file server implementation, as a
   posix ACL will similarly not be set in this case.
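Review bot: removing the "Modifying of group policies ..." item leaves the following context line "- For similar reasons, sites with ACLs stored by the ntvfs file server" referring to a reason that no longer appears anywhere in the file. Reword it to state the reason directly (no underlying POSIX ACL is set for ACLs stored by the ntvfs file server), or fold it into the s3fs item just above it.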
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index ab7f5e8..3304200 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -203,6 +203,16 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 	char *filter;
 	char *error_string;
 	const char *domain;
+	const char *realm;
+	bool secrets_tdb_password_more_recent;
+	time_t secrets_tdb_lct = 0;
+	char *secrets_tdb_password = NULL;
+	char *keystr;
+	char *keystr_upper = NULL;
+	char *secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb");
+	struct db_context *db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0,
+						      TDB_DEFAULT, O_RDWR, 0600,
+						      DBWRAP_LOCK_ORDER_1);
 	/* Bleh, nasty recursion issues: We are setting a machine
 	 * account here, so we don't want the 'pending' flag around
 	 * any more */
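Review bot: dbwrap_local_open() is now called unconditionally at function entry with O_RDWR and mode 0600, although this function only ever fetches from secrets.tdb; open it O_RDONLY so that a credential lookup does not take a write handle on the secrets database, and check that secrets_tdb (the result of lpcfg_private_path) is non-NULL before passing it in. Before this change the open only happened on the secrets.ldb failure path, so the cost and the write handle were the exception rather than the rule.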
@@ -211,47 +221,79 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 	/* We have to do this, as the fallback in
 	 * cli_credentials_set_secrets is to run as anonymous, so the domain is wiped */
 	domain = cli_credentials_get_domain(cred);
+	realm = cli_credentials_get_realm(cred);
+
+	if (db_ctx) {
+		TDB_DATA dbuf;
+		keystr = talloc_asprintf(cred, "%s/%s",
+					 SECRETS_MACHINE_LAST_CHANGE_TIME,
+					 domain);
+		keystr_upper = strupper_talloc(cred, keystr);
+		TALLOC_FREE(keystr);
+		status = dbwrap_fetch(db_ctx, cred, string_tdb_data(keystr_upper),
+				      &dbuf);
+		TALLOC_FREE(keystr_upper);
+		if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) {
+			secrets_tdb_lct = IVAL(dbuf.dptr,0);
+		}
+		TALLOC_FREE(dbuf.dptr);
+
+		keystr = talloc_asprintf(cred, "%s/%s",
+					 SECRETS_MACHINE_PASSWORD,
+					 domain);
+		keystr_upper = strupper_talloc(cred, keystr);
+		TALLOC_FREE(keystr);
+		status = dbwrap_fetch(db_ctx, cred, string_tdb_data(keystr_upper),
+				      &dbuf);
+		if (NT_STATUS_IS_OK(status)) {
+			secrets_tdb_password = (char *)dbuf.dptr;
+		}
+	}
+
 	filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
 				 domain);
 	status = cli_credentials_set_secrets(cred, lp_ctx, NULL,
 					     SECRETS_PRIMARY_DOMAIN_DN,
 					     filter, &error_string);
-	if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status)
+	if (secrets_tdb_password == NULL) {
+		secrets_tdb_password_more_recent = false;
+	} else if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status)
 	    || NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, status)) {
-		TDB_DATA dbuf;
-		char *secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb");
-		struct db_context *db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0,
-							      TDB_DEFAULT, O_RDWR, 0600,
-							      DBWRAP_LOCK_ORDER_1);
+		secrets_tdb_password_more_recent = true;
+	} else if (secrets_tdb_lct > cli_credentials_get_password_last_changed_time(cred)) {
+		secrets_tdb_password_more_recent = true;
+	} else if (secrets_tdb_lct == cli_credentials_get_password_last_changed_time(cred)) {
+		secrets_tdb_password_more_recent = strcmp(secrets_tdb_password, cli_credentials_get_password(cred)) != 0;
+	} else {
+		secrets_tdb_password_more_recent = false;
+	}
+
+	if (secrets_tdb_password_more_recent) {
+		char *machine_account = talloc_asprintf(cred, "%s$", lpcfg_netbios_name(lp_ctx));
+		cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
+		cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
+		cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
+		cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_SPECIFIED);
+		cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+		TALLOC_FREE(machine_account);
+	} else if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status)
+		   || NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, status)) {
 		if (db_ctx) {
-			char *keystr;
-			char *keystr_upper;
-			keystr = talloc_asprintf(cred, "%s/%s",
-						 SECRETS_MACHINE_PASSWORD,
-						 domain);
-			keystr_upper = strupper_talloc(cred, keystr);
-			TALLOC_FREE(keystr);
-			status = dbwrap_fetch(db_ctx, cred, string_tdb_data(keystr_upper),
-					      &dbuf);
-			
-			if (NT_STATUS_IS_OK(status)) {
-				char *machine_account = talloc_asprintf(cred, "%s$", lpcfg_netbios_name(lp_ctx));
-				cli_credentials_set_password(cred, (const char *)dbuf.dptr, CRED_SPECIFIED);
-				cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
-				cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
-				TALLOC_FREE(machine_account);
-				TALLOC_FREE(dbuf.dptr);
-			} else {
-				error_string = talloc_asprintf(cred, 
-							       "Failed to fetch machine account password from "
-							       "secrets.ldb: %s and failed to fetch %s from %s", 
-							       error_string, keystr_upper, secrets_tdb);
-			}
-			TALLOC_FREE(keystr_upper);
-			TALLOC_FREE(secrets_tdb);
+			error_string = talloc_asprintf(cred,
+						       "Failed to fetch machine account password from "
+						       "secrets.ldb: %s and failed to fetch %s from %s",
+						       error_string, keystr_upper, secrets_tdb);
+		} else {
+			error_string = talloc_asprintf(cred,
+						       "Failed to fetch machine account password from "
+						       "secrets.ldb: %s and failed to open %s",
+						       error_string, secrets_tdb);
 		}
 	}
 	
+	TALLOC_FREE(secrets_tdb_password);
+	TALLOC_FREE(secrets_tdb);
+	TALLOC_FREE(db_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n", 
 			  error_string, nt_errstr(status)));
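Review bot: when the secrets.tdb password wins (the "if (secrets_tdb_password_more_recent)" branch), status still holds whatever cli_credentials_set_secrets() returned for secrets.ldb, which in the exact case this commit targets (secrets.ldb missing or stale, secrets.tdb current) is NT_STATUS_NOT_FOUND or NT_STATUS_CANT_ACCESS_DOMAIN_INFO; the "if (!NT_STATUS_IS_OK(status))" at the bottom then logs "Could not find machine account" even though the credentials were populated, and whatever the function returns after this hunk is driven by that status. Set status = NT_STATUS_OK inside that branch, as the old code did implicitly by reusing the dbwrap_fetch() result. Two smaller points in the same hunk: "TDB_DATA dbuf;" at the top of the "if (db_ctx)" block has no initialiser and "TALLOC_FREE(dbuf.dptr);" runs after the last-change-time fetch whether or not dbwrap_fetch() succeeded, so initialise it ("TDB_DATA dbuf = tdb_null;") or move the free into the NT_STATUS_IS_OK branch; and both strcmp(secrets_tdb_password, ...) and cli_credentials_set_password(cred, secrets_tdb_password, ...) assume the value fetched from secrets.tdb is NUL-terminated, which is worth checking against dbuf.dsize before use. The keystr_upper from the second fetch is also never freed on the success path (only on cred teardown).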
diff --git a/examples/smb.conf.default b/examples/smb.conf.default
index b4e3d63..dad8c97 100644
--- a/examples/smb.conf.default
+++ b/examples/smb.conf.default
@@ -29,7 +29,7 @@
    server string = Samba Server
 
 # Security mode. Defines in which mode Samba will operate. Possible 
-# values are share, user, server, domain and ads. Most people will want 
+# values are user, domain and ads. Most people will want
 # user level security. See the Samba-HOWTO-Collection for details.
    security = user
 
diff --git a/lib/krb5_wrap/enctype_convert.c b/lib/krb5_wrap/enctype_convert.c
new file mode 100644
index 0000000..446384e
--- /dev/null
+++ b/lib/krb5_wrap/enctype_convert.c
@@ -0,0 +1,104 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Kerberos utility functions
+
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2012
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "krb5_samba.h"
+#include "librpc/gen_ndr/netlogon.h"
+
+const krb5_enctype *samba_all_enctypes(void)
+{
+	/* TODO: Find a way not to have to use a fixed list */
+	static const krb5_enctype enctypes[] = {
+		KRB5_ENCTYPE_DES_CBC_CRC,
+		KRB5_ENCTYPE_DES_CBC_MD5,
+		KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+		KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+		KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+		0
+	};
+	return enctypes;
+};
+
+/* Translate between the IETF encryption type values and the Microsoft
+ * msDS-SupportedEncryptionTypes values */
+uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum)
+{
+	switch (enc_type_enum) {
+	case ENCTYPE_DES_CBC_CRC:
+		return ENC_CRC32;
+	case ENCTYPE_DES_CBC_MD5:
+		return ENC_RSA_MD5;
+	case ENCTYPE_ARCFOUR_HMAC_MD5:
+		return ENC_RC4_HMAC_MD5;
+	case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+		return ENC_HMAC_SHA1_96_AES128;
+	case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+		return ENC_HMAC_SHA1_96_AES256;
+	default:
+		return 0;
+	}
+}
+
+/* Translate between the Microsoft msDS-SupportedEncryptionTypes values
+ * and the IETF encryption type values */
+krb5_enctype ms_suptype_to_ietf_enctype(uint32_t enctype_bitmap)
+{
+	switch (enctype_bitmap) {
+	case ENC_CRC32:
+		return ENCTYPE_DES_CBC_CRC;
+	case ENC_RSA_MD5:
+		return ENCTYPE_DES_CBC_MD5;
+	case ENC_RC4_HMAC_MD5:
+		return ENCTYPE_ARCFOUR_HMAC;
+	case ENC_HMAC_SHA1_96_AES128:
+		return ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+	case ENC_HMAC_SHA1_96_AES256:
+		return ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+	default:
+		return 0;
+	}
+}
+
+/* Return an array of krb5_enctype values */
+krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
+					     uint32_t enctype_bitmap,
+					     krb5_enctype **enctypes)
+{
+	unsigned int i, j = 0;
+	*enctypes = talloc_zero_array(mem_ctx, krb5_enctype,
+					(8 * sizeof(enctype_bitmap)) + 1);
+	if (!*enctypes) {
+		return ENOMEM;
+	}
+	for (i = 0; i < (8 * sizeof(enctype_bitmap)); i++) {
+		uint32_t bit_value = (1 << i) & enctype_bitmap;
+		if (bit_value & enctype_bitmap) {
+			(*enctypes)[j] = ms_suptype_to_ietf_enctype(bit_value);
+			if (!(*enctypes)[j]) {
+				continue;
+			}
+			j++;
+		}
+	}
+	(*enctypes)[j] = 0;
+	return 0;
+}
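Review bot: in ms_suptypes_to_ietf_enctypes() the mask is built with "(1 << i)" for i up to 31 (the loop bound is 8 * sizeof(enctype_bitmap) with a uint32_t); "1" is a signed int, so "1 << 31" is undefined behaviour in C, and "uint32_t bit_value = (1 << i) & enctype_bitmap;" should use "(1U << i)" or "((uint32_t)1) << i". The following "if (bit_value & enctype_bitmap)" is redundant because bit_value is already masked; "if (bit_value)" says what is meant. Smaller points: the "};" after samba_all_enctypes() is a stray semicolon at file scope; the file mixes the KRB5_ENCTYPE_* and ENCTYPE_* spellings, and uses ENCTYPE_ARCFOUR_HMAC_MD5 in one switch but ENCTYPE_ARCFOUR_HMAC in the other, which would be clearer with one spelling throughout; and samba_all_enctypes() lists both single-DES types ahead of AES, so any caller that treats the first entry as preferred will pick DES. A comment stating whether array order is significant would help.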
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 9db43b7..c823c73 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -293,6 +293,14 @@ krb5_boolean smb_krb5_kt_compare(krb5_context context,
 				 krb5_enctype enctype);
 #endif
 
+const krb5_enctype *samba_all_enctypes(void);
+
+uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum);
+krb5_enctype ms_suptype_to_ietf_enctype(uint32_t enctype_bitmap);
+krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
+					     uint32_t enctype_bitmap,
+					     krb5_enctype **enctypes);
+
 #endif /* HAVE_KRB5 */
 
 int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
diff --git a/lib/krb5_wrap/wscript_build b/lib/krb5_wrap/wscript_build
index 961a0a4..1a65d28 100755
--- a/lib/krb5_wrap/wscript_build
+++ b/lib/krb5_wrap/wscript_build
@@ -5,7 +5,7 @@ if bld.CONFIG_SET('SAMBA4_USES_HEIMDAL'):
     add_deps = ' asn1'
 
 bld.SAMBA_LIBRARY('krb5samba',
-                  source='krb5_samba.c gss_samba.c keytab_util.c',
+                  source='krb5_samba.c gss_samba.c keytab_util.c enctype_convert.c',
                   deps='samba-util asn1util talloc krb5 com_err gssapi' + add_deps,
                   private_library=True
                  )
diff --git a/selftest/knownfail b/selftest/knownfail
index 100fd01..7276543 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -42,6 +42,7 @@
 ^samba3.blackbox.rpcclient over ncacn_np with \[spnego,smb2,bigendian\]
 ^samba3.blackbox.rpcclient over ncacn_np with \[spnego,connect,smb2\]
 ^samba3.blackbox.rpcclient over ncacn_np with \[spnego,connect,smb2,bigendian\]
+^samba3.blackbox.smbclient_machine_auth.plain \(s3dc:local\)# the S3dc does not currently set up a self-join
 ^samba3.raw.samba3hide.samba3hide\((s3dc|plugin_s4_dc)\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.samba3closeerr.samba3closeerr\(s3dc\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.acls.generic\(s3dc\) # This fails against smbd
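Review bot: the new knownfail entry runs the comment straight into the pattern ("\(s3dc:local\)# the S3dc does not ...") where the neighbouring entries separate pattern and comment with " # "; add the space, and write "s3dc" in lower case to match the environment name used in the pattern itself.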
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index fa215ff..57a1be0 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -126,6 +126,12 @@ void secrets_fetch_ipc_userpass(char **username, char **domain, char **password)
 bool secrets_store_generic(const char *owner, const char *key, const char *secret);
 char *secrets_fetch_generic(const char *owner, const char *key);
 
+bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const char *domain,
+				   const char *realm,
+				   const char *salting_principal, uint32_t supported_enc_types,
+				   const struct dom_sid *domain_sid, uint32_t last_change_time,
+				   bool delete_join);
+
 /* The following definitions come from passdb/secrets_lsa.c  */
 NTSTATUS lsa_secret_get(TALLOC_CTX *mem_ctx,
 			const char *secret_name,
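Review bot: the new secrets_store_machine_pw_sync() prototype takes nine parameters, including two passwords, a bool delete_join and a uint32_t last_change_time, with no comment saying which pointers may be NULL (oldpass, salting_principal, domain_sid), what delete_join does, or the unit and epoch of last_change_time; add a doc comment above the prototype. Since the commit message says this is a helper for the secrets_tdb_sync ldb module, the comment should also say that it is meant to be called from there rather than by general passdb code.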
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d9ce4b4..c92b631 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -2784,13 +2784,14 @@ static bool handle_dos_charset(struct loadparm_context *unused, int snum, const
 static bool handle_realm(struct loadparm_context *unused, int snum, const char *pszParmValue, char **ptr)
 {
 	bool ret = true;
-	char *realm = strupper_talloc(talloc_tos(), pszParmValue);
+	TALLOC_CTX *frame = talloc_stackframe();
+	char *realm = strupper_talloc(frame, pszParmValue);
 	char *dnsdomain = strlower_talloc(realm, pszParmValue);
 
 	ret &= string_set(&Globals.szRealm, pszParmValue);
 	ret &= string_set(&Globals.szRealm_upper, realm);
 	ret &= string_set(&Globals.szRealm_lower, dnsdomain);
-	TALLOC_FREE(realm);
+	TALLOC_FREE(frame);
 
 	return ret;
 }
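Review bot: strupper_talloc() and strlower_talloc() can return NULL on allocation failure, and the results are passed straight to string_set(&Globals.szRealm_upper, realm) and string_set(&Globals.szRealm_lower, dnsdomain); now that this handler owns a stack frame, check both for NULL, set ret = false and free the frame before returning, rather than storing a NULL realm. Also dnsdomain is allocated on realm rather than on frame; this works because realm hangs off frame, but allocating both on frame makes the ownership obvious.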
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index ebd7b4c..300455a 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -307,7 +307,8 @@ void *secrets_get_trust_account_lock(TALLOC_CTX *mem_ctx, const char *domain)
 enum netr_SchannelType get_default_sec_channel(void)
 {
 	if (lp_server_role() == ROLE_DOMAIN_BDC ||
-	    lp_server_role() == ROLE_DOMAIN_PDC) {
+	    lp_server_role() == ROLE_DOMAIN_PDC ||
+	    lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
 		return SEC_CHAN_BDC;
 	} else {
 		return SEC_CHAN_WKSTA;
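Review bot: ROLE_ACTIVE_DIRECTORY_DC now maps to SEC_CHAN_BDC; a one-line comment explaining why an AD DC uses the BDC secure channel type here, and that ROLE_DOMAIN_MEMBER and ROLE_STANDALONE intentionally fall through to SEC_CHAN_WKSTA, would save the next reader the same question, since the commit subject promises "all valid ROLE_ values" but the hunk adds only one case.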
@@ -471,6 +472,92 @@ bool secrets_store_machine_password(const char *pass, const char *domain,
 	return ret;
 }
 


-- 
Samba Shared Repository

