[SCM] Samba Shared Repository - branch v4-1-test updated

Karolin Seeger kseeger at samba.org
Fri Sep 6 05:00:04 MDT 2013


The branch, v4-1-test has been updated
       via  3beda4c WHATSNEW: Update changes since 4.1.0rc2.
       via  cfa4e2a Optimization. Don't do the retry logic if sitename_fetch() returned NULL, we already did a NULL query.
       via  3912eeb9 Move the retry logic when site_name is passed in a NULL or "" to the wrapper function.
       via  2d7fe2b Move the manipulation of site_name into the caller function dsgetdcname().
       via  0c046a4 Refactor dsgetdcname to be called via a wrapper function.
       via  a616bbc dsgetdcname_cache_fetch() doesn't use the site_name parameter so don't pass it.
       via  317f960 smbd: Correctly return INFO_LENGTH_MISMATCH for smb1
       via  26ac864 smbd: Fix error return for STREAM_INFO
       via  db4e8a7 smbd: Revert a93f9c3
       via  0e91fd6 smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo
       via  9444c6f smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo
       via  b4427b9 smbd: qfsinfo has fixed/variable buffers
       via  3691f46 smbd: qfilepathinfo has fixed/variable buffers
       via  6ee8231 smbd: Use #defines in smb2_getinfo_send
       via  a9ef99c s3:smbd: allow info class SMB_QUERY_FS_ATTRIBUTE_INFO to return partial data
       via  25fbced s3:smbd: allow info class SMB_QUERY_FS_VOLUME_INFO to return partial data
       via  342afee s3:smbd: allow status code in smbd_do_qfsinfo() to be set by information class handler
       via  5e75d4b s3:smbd: allow GetInfo responses with STATUS_BUFFER_OVERFLOW to return partial, but valid data
       via  2b411e6 s3:smbd: return NT_STATUS_INFO_LENGTH_MISMATCH for GetInfo in case output_buffer_length is too small
       via  a654601 torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9
       via  1e653e4 selftest: Add a basic test of samba_upgradedns
       via  79b7888 selftest: Start internal DNS server on domain provisioned for BIND9_DLZ
       via  0d7c1f0 selftest: Test creation of the dns-SERVER account during selftest
       via  e00be93 scripting/samba_upgradedns: Tighten up exception and attribute list handling
       via  fee6fa5 scripting/join.py: Handle creating the dns-NAME account during a DC join
       via  e6cbc39 WHATSNEW: Add paragraph about SMB2/3 support for client tools/library.
      from  cf677c4 WHATSNEW: Add release notes for Samba 4.1.0rc3.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-test


- Log -----------------------------------------------------------------
commit 3beda4cffdf36e10a85fdcb8f9cb31ba04fc9cf8
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Sep 6 11:11:39 2013 +0200

    WHATSNEW: Update changes since 4.1.0rc2.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    
    Autobuild-User(v4-1-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-1-test): Fri Sep  6 12:59:28 CEST 2013 on sn-devel-104

commit cfa4e2a8ae97b02a112c132f2154c22a9fc53314
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 3 14:07:43 2013 -0700

    Optimization. Don't do the retry logic if sitename_fetch() returned NULL, we already did a NULL query.
    
    Bug 5917 - Samba does not work on site with Read Only Domain Controller
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Sep  4 01:19:05 CEST 2013 on sn-devel-104
    
    (cherry picked from commit bdab6f9431715fbfd28f8cc0dfb4dde2966f22f3)

commit 3912eeb93f633c0511147c34205b0813748d273a
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 3 12:20:52 2013 -0700

    Move the retry logic when site_name is passed in a NULL or "" to the wrapper function.
    
    Bug 5917 - Samba does not work on site with Read Only Domain Controller
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Richard Sharpe <rsharpe at samba.org>
    (cherry picked from commit 68e7b1c9446c7d1274b0fb85b59b90ac1a7f6041)

commit 2d7fe2b9afed0e16a750f918eab30f017b4198fc
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 3 12:08:46 2013 -0700

    Move the manipulation of site_name into the caller function dsgetdcname().
    
    Leave dsgetdcname_internal() only using const char *site_name.
    
    Bug 5917 - Samba does not work on site with Read Only Domain Controller
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Richard Sharpe <rsharpe at samba.org>
    (cherry picked from commit 181c11066bd53b07015a199f56eb71182e89ff71)

commit 0c046a4e5814616d504d755a81901a6eeabea401
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 3 12:04:37 2013 -0700

    Refactor dsgetdcname to be called via a wrapper function.
    
    Bug 5917 - Samba does not work on site with Read Only Domain Controller
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Richard Sharpe <rsharpe at samba.org>
    (cherry picked from commit 66006be7ef703b2935334633d27641050cee5f58)

commit a616bbcfd8e8f70ab482bc0957693966b956f693
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 3 12:13:45 2013 -0700

    dsgetdcname_cache_fetch() doesn't use the site_name parameter so don't pass it.
    
    Bug 5917 - Samba does not work on site with Read Only Domain Controller
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Richard Sharpe <rsharpe at samba.org>
    (cherry picked from commit dd12bfbcbf359c1642cc2e968aec62ae904aad5d)

commit 317f960a34d8079714ee68b5d00d651d3a4bd45e
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:40:19 2013 +0000

    smbd: Correctly return INFO_LENGTH_MISMATCH for smb1
    
    This is required if the client offered less buffer than the fixed portion
    of the info level data requires
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 1b1935b876a14154ef74e447bf53eb7cd0a5dde9)

commit 26ac864a120405b7d3fcd15a8dcd5f696146d5da
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:39:17 2013 +0000

    smbd: Fix error return for STREAM_INFO
    
    The stream_info marshalling follows its own rules. This needs unifying
    eventually...
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 5634f240fd4273cb7327111140ccbea0fd41e3fc)

commit db4e8a75e3a00e55e93eb6ab8ca9ce75652b4f9f
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:38:29 2013 +0000

    smbd: Revert a93f9c3
    
    This was too broad and has been replaced by finer-grained error checks
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit b37edda32930fec372d6467d442f67532c3fbd33)

commit 0e91fd6f6f80f25901771dc2c008a0293019bc2d
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:37:34 2013 +0000

    smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo
    
    Also, don't overflow the client buffer
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 40f60024ca19e33cbbe9825b42692f386a8f1dd9)

commit 9444c6fce8dd99543957fd22d7274a69fc2b200f
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:36:03 2013 +0000

    smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo
    
    We have to return this error if the client offered less than the fixed
    portion of the infolevel data requires
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 91939614760837b2ac2c6bb8b5daac108a4f4670)

commit b4427b92f143d90730d144ab24233f8540d83538
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:06:27 2013 +0000

    smbd: qfsinfo has fixed/variable buffers
    
    The error message will have to change depending on whether the buffer is
    too small for the fixed or variable buffers
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit ac41df91a5a425633fc716ca02187e753879d795)

commit 3691f463adcc7000f262ac1d925021618ec71e4d
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 27 09:06:27 2013 +0000

    smbd: qfilepathinfo has fixed/variable buffers
    
    The error message will have to change depending on whether the buffer is
    too small for the fixed or variable buffers
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 53123996033594f68a3fc9037474aada3aef0750)

commit 6ee82318869610e6f8c7f13099851373b2e711f8
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Aug 26 08:36:14 2013 +0000

    smbd: Use #defines in smb2_getinfo_send
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>
    
    Autobuild-User(master): David Disseldorp <ddiss at samba.org>
    Autobuild-Date(master): Tue Aug 27 15:08:08 CEST 2013 on sn-devel-104
    
    (cherry picked from commit 323cccd35d06c7327c19dc5cb891043507624d7d)

commit a9ef99ca7880a0a192c61ea31df232449a057b29
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Wed Jul 10 16:43:39 2013 +0200

    s3:smbd: allow info class SMB_QUERY_FS_ATTRIBUTE_INFO to return partial data
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    (cherry picked from commit 270d29a743a030653037cb176f3764bec3c79b6c)

commit 25fbcedf3d60cc979fb906fa8fe067a989ed19e4
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Wed Jul 10 15:52:06 2013 +0200

    s3:smbd: allow info class SMB_QUERY_FS_VOLUME_INFO to return partial data
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    (cherry picked from commit ec46f6b91941e38dd92f8e0fb0f278592e3157b6)

commit 342afeefbe1786021ce5127284bee3f29808bb4c
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Fri Jul 5 11:32:27 2013 +0200

    s3:smbd: allow status code in smbd_do_qfsinfo() to be set by information class handler
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    (cherry picked from commit 616777f029e462f53c5118d79de8c6405a5fb7c1)

commit 5e75d4bfcc965cd062f51fcf8aa6e9290953509a
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Fri Jul 5 11:03:16 2013 +0200

    s3:smbd: allow GetInfo responses with STATUS_BUFFER_OVERFLOW to return partial, but valid data
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    (cherry picked from commit a91d2b05bab329a8a9772c2c79a3b1e02933182e)

commit 2b411e6219fbce5ef1499da4a141d31a8a295e89
Author: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Date:   Wed Jul 10 08:59:58 2013 +0200

    s3:smbd: return NT_STATUS_INFO_LENGTH_MISMATCH for GetInfo in case output_buffer_length is too small
    
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke at SerNet.DE>
    (cherry picked from commit a93f9c3d33e442c84d0c9da7eb5d25ca4b54fc33)

commit a6546016fa552407ea6ccd9c7ddb43737601484e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 28 21:00:28 2012 +1100

    torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9
    
    This exercises some more of the dlz_bind9 code outside BIND, by
    sending in a ticket to be access checked, wrapped either in SPNEGO or
    just in GSSAPI.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Sep  4 11:25:10 CEST 2013 on sn-devel-104
    
    (cherry picked from commit 38e43961c01f6f491b069e7106fe2a2ec80bd840)
    
    The last 6 patches address bug #9091 - When replicating DNS for bind9_dlz we
    need to create the server-DNS account remotely.

commit 1e653e402588a386bf747e49b20c2ccd0dbf46f4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 28 10:06:39 2012 +1100

    selftest: Add a basic test of samba_upgradedns
    
    This does not check that the command runs correctly, but does at least check
    that the command runs to completion without errors.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 16b26eafa75280e576333975cff5dd1505c118fa)

commit 79b78888474d062152283a9c9e080756a96f1346
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 28 09:25:11 2012 +1100

    selftest: Start internal DNS server on domain provisioned for BIND9_DLZ
    
    This shows that the internal server can use the dns-SERVER account.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 013c4990c6f1412dd25592bf177ceffab4b5d16d)

commit 0d7c1f07ef7eed313b0185fadcadcb26b7ee9197
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 26 10:03:47 2012 +1100

    selftest: Test creation of the dns-SERVER account during selftest
    
    We do this by having the samba-tool domain dcpromo for promoted_vampire_dc also create a
    dns-SERVER account.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit e281037c9bfa68ca3dc564ec7a36e5c790024902)

commit e00be93e07ddfc2d1dfbbe0f8213ca2df1e2d48d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 24 09:12:04 2012 +1100

    scripting/samba_upgradedns: Tighten up exception and attribute list handling
    
    This avoids asking for attributes that will not be used, and looks only for the
    expected exceptions, rather than all exceptions.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d19c437a36b26e71c24bc25e672d714e21ba50bd)

commit fee6fa5e2f2a56ef3d8a02d9cd4348f2cccb0a3f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 24 08:56:50 2012 +1100

    scripting/join.py: Handle creating the dns-NAME account during a DC join
    
    This will ensure that the DLZ plugin works out of the box when joining a second Samba DC to the
    domain.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit b106d9090e8f8f44f02059d2ced3d10066787060)

commit e6cbc396ef66df6ad6d9c122417ed1b7fe95c395
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Sep 6 10:09:52 2013 +0200

    WHATSNEW: Add paragraph about SMB2/3 support for client tools/library.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                |   83 ++++++++++++++++++++++++++-
 python/samba/join.py                        |   73 ++++++++++++++++++++++-
 python/samba/provision/sambadns.py          |   11 +++-
 selftest/target/Samba4.pm                   |    4 +-
 source3/libsmb/dsgetdcname.c                |   85 ++++++++++++++++++++------
 source3/smbd/globals.h                      |    2 +
 source3/smbd/smb2_getinfo.c                 |   47 +++++++++++++--
 source3/smbd/trans2.c                       |   55 +++++++++++++++++-
 source4/scripting/bin/samba_upgradedns      |   30 ++++++---
 source4/selftest/tests.py                   |    3 +-
 source4/setup/secrets_dns.ldif              |    2 +-
 source4/torture/dns/dlz_bind9.c             |   78 ++++++++++++++++++++++++
 source4/torture/winbind/winbind.c           |    1 +
 testprogs/blackbox/test_samba_upgradedns.sh |   37 ++++++++++++
 14 files changed, 461 insertions(+), 50 deletions(-)
 create mode 100755 testprogs/blackbox/test_samba_upgradedns.sh


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 13174f0..eeb6307 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -19,6 +19,73 @@ releases candidates, you should backup all configuration and data.
 NEW FEATURES
 ============
 
+Client tools support SMB2/3
+===========================
+
+Samba 4.1.0 contains the first release of our client tools
+and client library that work over the new protocols SMB2 or SMB3.
+Note that SMB3 only works either to a Samba server version 4.0.0
+or above, or to a Windows Server running Windows 2012 or Windows 8.
+
+The default protocol for smbclient and smbcacls is still
+SMB1 (the NT1 protocol dialect). An SMB2 or SMB3 connection
+can be selected in one of two ways. The easiest way to test
+the new protocol connection is to add the -mMAX_PROTOCOL
+command line switch to either smbclient or smbcacls.
+
+For example, to connect using SMB3 with smbclient a user
+would type:
+
+smbclient //server/share -Uuser%password -mSMB3
+
+Another example of connecting using SMB2 using smbcacls
+would be:
+
+smbcacls //server/share -Uuser%password -mSMB2 filename
+
+Note that when connecting using SMB2 or SMB3 protocols
+the UNIX extensions are no longer available inside the
+smbclient command set. This is due to UNIX extensions
+not yet being defined for the SMB2 or SMB3 protocols.
+
+The second way to select SMB2 or SMB3 connections is to
+set the "client max protocol" parameter in the [global]
+section of your smb.conf.
+
+Setting this parameter will cause all client connections
+from Samba and its client tools to offer the requested
+max protocol to a server on every connection request.
+
+For example, to cause all client tools (including winbindd,
+rpcclient, and the libsmbclient library) to attempt use SMB3
+by default add the line:
+
+client max protocol = SMB3
+
+to the [global] section of your smb.conf. This has not
+been as widely tested as the -mPROTOCOL options, but
+is intended to work correctly in the final release of
+4.1.0.
+
+Encrypted transport
+===================
+
+Although Samba servers have supported encrypted transport
+connections using the UNIX extensions for many years,
+selecting SMB3 transport allows encrypted transport
+connections to Windows servers that support SMB3, as
+well as Samba servers.
+
+In order to enable this, add the "-e" option to the
+smbclient command line.
+
+For example, to connect to a Windows 2012 server over
+SMB3 and select an encrypted transport you would use
+the following command line:
+
+smbclient //Win2012Server/share -Uuser%password -mSMB3 -e
+
+
 Directory database replication (AD DC mode)
 ===========================================
 
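Review bot: In the "client max protocol" paragraph, "to attempt use SMB3" is missing a word and should read "to attempt to use SMB3". Separately, all three command examples pass the password inline as -Uuser%password, which leaves it in shell history and visible in the process list; consider showing -Uuser and letting the tool prompt, or at least saying that the inline form is for testing only.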
@@ -88,7 +155,8 @@ COMMIT HIGHLIGHTS
 =================
 
 o   Jeremy Allison <jra at samba.org>
-    * Add SMB2 and SMB3 support for smbclient.
+    * Add SMB2 and SMB3 support for client tools and client library.
+    * Add support for SMB3 Encrypted transport.
 
 
 o   David Disseldorp <ddiss at samba.org>
@@ -105,6 +173,7 @@ o   Michael Adam <obnox at samba.org>
 
 
 o   Jeremy Allison <jra at samba.org>
+    * BUG 5917: Fix working on site with Read Only Domain Controller.
     * BUG 9974: Add SMB2 and SMB3 support for smbclient.
     * BUG 10063: Fix memory leak in source3/lib/util.c:1493.
     * BUG 10121: Masks incorrectly applied to UNIX extension permission
@@ -115,6 +184,11 @@ o   Christian Ambach <ambi at samba.org>
     * BUG 9911: Build Samba 4.0.x on AIX with IBM XL C/C++.
 
 
+o   Andrew Bartlett <abartlet at samba.org>
+    * BUG 9091: When replicating DNS for bind9_dlz we need to create the
+      server-DNS account remotely.
+
+
 o   Günther Deschner <gd at samba.org>
     * BUG 9615: Winbind unable to retrieve user information from AD.
     * BUG 9899: winbind_lookup_names() fails because of
@@ -124,6 +198,8 @@ o   Günther Deschner <gd at samba.org>
 
 o   Volker Lendecke <vl at samba.org>
     * BUG 10086: smbd: Fix async echo handler forking.
+    * BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo
+      requests.
     * BUG 10114: Handle Dropbox (write-only-directory) case correctly
       in pathname lookup.
 
@@ -153,6 +229,11 @@ o   Richard Sharpe <realrichardsharpe at gmail.com>
       out by Samba.
 
 
+o   Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
+    * BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo
+      requests.
+
+
 CHANGES SINCE 4.1.0rc1
 ======================
 
diff --git a/python/samba/join.py b/python/samba/join.py
index c55c22c..b2f4da4 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -26,9 +26,12 @@ from samba.ndr import ndr_pack
 from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs
 from samba.credentials import Credentials, DONT_USE_KERBEROS
 from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN
+from samba.provision.common import setup_path
 from samba.schema import Schema
 from samba.net import Net
 from samba.provision.sambadns import setup_bind9_dns
+from samba import read_and_sub_file
+from base64 import b64encode
 import logging
 import talloc
 import random
@@ -179,6 +182,19 @@ class dc_join(object):
                                        attrs=["msDS-krbTgtLink"])
                 if res:
                     ctx.del_noerror(res[0].dn, recursive=True)
+
+                res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+                                       expression='(&(sAMAccountName=%s)(servicePrincipalName=%s))' % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)),
+                                       attrs=[])
+                if res:
+                    ctx.del_noerror(res[0].dn, recursive=True)
+
+                res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+                                       expression='(sAMAccountName=%s)' % ldb.binary_encode("dns-%s" % ctx.myname),
+                                       attrs=[])
+                if res:
+                    raise RuntimeError("Not removing account %s which looks like a Samba DNS service account but does not have servicePrincipalName=%s" % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)))
+
             if ctx.connection_dn is not None:
                 ctx.del_noerror(ctx.connection_dn)
             if ctx.krbtgt_dn is not None:
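Review bot: The RuntimeError in the second search can report the wrong cause. The first branch removes the matching dns- account with ctx.del_noerror(), which by its name ignores failures, so if that delete does not succeed the following (sAMAccountName=...) search still matches and the join aborts with "does not have servicePrincipalName=..." even though the SPN was present. Either skip the second search when the first one matched, or word the error so it covers a failed delete. The message also formats the names through ldb.binary_encode(), which is meant for filter values; the plain "dns-%s" % ctx.myname string would read better in an error shown to the admin.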
@@ -579,6 +595,56 @@ class dc_join(object):
                                                          "userAccountControl")
             ctx.samdb.modify(m)
 
+        if ctx.dns_backend.startswith("BIND9_"):
+            ctx.dnspass = samba.generate_random_password(128, 255)
+
+            recs = ctx.samdb.parse_ldif(read_and_sub_file(setup_path("provision_dns_add_samba.ldif"),
+                                                                {"DNSDOMAIN": ctx.dnsdomain,
+                                                                 "DOMAINDN": ctx.base_dn,
+                                                                 "HOSTNAME" : ctx.myname,
+                                                                 "DNSPASS_B64": b64encode(ctx.dnspass),
+                                                                 "DNSNAME" : ctx.dnshostname}))
+            for changetype, msg in recs:
+                assert changetype == ldb.CHANGETYPE_NONE
+                print "Adding DNS account %s with dns/ SPN" % msg["dn"]
+
+                # Remove dns password (we will set it as a modify, as we can't do clearTextPassword over LDAP)
+                del msg["clearTextPassword"]
+                # Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP
+                del msg["isCriticalSystemObject"]
+                try:
+                    ctx.samdb.add(msg)
+                    dns_acct_dn = msg["dn"]
+                except ldb.LdbError, (num, _):
+                    if num != ldb.ERR_ENTRY_ALREADY_EXISTS:
+                        raise
+
+            # The account password set operation should normally be done over
+            # LDAP. Windows 2000 DCs however allow this only with SSL
+            # connections which are hard to set up and otherwise refuse with
+            # ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet
+            # over SAMR.
+            print "Setting account password for %s" % ctx.samname
+            try:
+                ctx.samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))"
+                                      % ldb.binary_encode(ctx.myname),
+                                      ctx.dnspass,
+                                      force_change_at_next_login=False,
+                                      username=ctx.samname)
+            except ldb.LdbError, (num, _):
+                if num != ldb.ERR_UNWILLING_TO_PERFORM:
+                    pass
+                ctx.net.set_password(account_name="dns-" % ctx.myname,
+                                     domain_name=ctx.domain_name,
+                                     newpassword=ctx.dnspass)
+
+            res = ctx.samdb.search(base=dns_acct_dn, scope=ldb.SCOPE_BASE,
+                                   attrs=["msDS-KeyVersionNumber"])
+            if "msDS-KeyVersionNumber" in res[0]:
+                ctx.dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0])
+            else:
+                ctx.dns_key_version_number = None
+
     def join_add_objects2(ctx):
         """add the various objects needed for the join, for subdomains post replication"""
 
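Review bot: The SAMR fallback in the setpassword except block cannot work as written. `"dns-" % ctx.myname` has no format specifier, so it raises TypeError instead of building the account name; it should be `"dns-%s" % ctx.myname`. In the same block, `if num != ldb.ERR_UNWILLING_TO_PERFORM: pass` is a no-op, so every LdbError falls through to ctx.net.set_password(); given the comment above it, this was presumably meant to be `raise`. Two further points: dns_acct_dn is only assigned after a successful ctx.samdb.add(), so when the add returns ERR_ENTRY_ALREADY_EXISTS the later search(base=dns_acct_dn, ...) hits an unbound name; assign it from msg["dn"] before the try. And the progress message and the username= argument use ctx.samname while the filter targets dns-<myname>, which makes the output misleading for the account whose password is actually being set.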
@@ -861,13 +927,12 @@ class dc_join(object):
                             key_version_number=ctx.key_version_number)
 
         if ctx.dns_backend.startswith("BIND9_"):
-            dnspass = samba.generate_random_password(128, 255)
-
             setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid),
                             ctx.names, ctx.paths, ctx.lp, logger,
                             dns_backend=ctx.dns_backend,
-                            dnspass=dnspass, os_level=ctx.behavior_version,
-                            targetdir=ctx.targetdir)
+                            dnspass=ctx.dnspass, os_level=ctx.behavior_version,
+                            targetdir=ctx.targetdir,
+                            key_version_number=ctx.dns_key_version_number)
 
     def join_setup_trusts(ctx):
         """provision the local SAM."""
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index a5a45cf..4acc24b 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -620,7 +620,7 @@ def add_dc_msdcs_records(samdb, forestdn, prefix, site, dnsforest, hostname,
 
 
 def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
-                        dnsdomain, dns_keytab_path, dnspass):
+                        dnsdomain, dns_keytab_path, dnspass, key_version_number):
     """Add DNS specific bits to a secrets database.
 
     :param secretsdb: Ldb Handle to the secrets database
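Review bot: key_version_number is added to secretsdb_setup_dns() as a required positional parameter, while setup_bind9_dns() further down takes it as key_version_number=None and the body already maps None to 1. Giving it the same =None default here would keep any caller not touched by this patch working and make the two signatures consistent. The diff also adds no :param line for it in the docstring that starts on the next line.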
@@ -632,11 +632,15 @@ def secretsdb_setup_dns(secretsdb, names, private_dir, realm,
     except OSError:
         pass
 
+    if key_version_number is None:
+        key_version_number = 1
+
     setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), {
             "REALM": realm,
             "DNSDOMAIN": dnsdomain,
             "DNS_KEYTAB": dns_keytab_path,
             "DNSPASS_B64": b64encode(dnspass),
+            "KEY_VERSION_NUMBER": str(key_version_number),
             "HOSTNAME": names.hostname,
             "DNSNAME" : '%s.%s' % (
                 names.netbiosname.lower(), names.dnsdomain.lower())
@@ -1074,7 +1078,7 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
 
 def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
         dns_backend, os_level, site=None, dnspass=None, hostip=None,
-        hostip6=None, targetdir=None):
+        hostip6=None, targetdir=None, key_version_number=None):
     """Provision DNS information (assuming BIND9 backend in DC role)
 
     :param samdb: LDB object connected to sam.ldb file
@@ -1107,7 +1111,8 @@ def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger,
     secretsdb_setup_dns(secretsdb, names,
                         paths.private_dir, realm=names.realm,
                         dnsdomain=names.dnsdomain,
-                        dns_keytab_path=paths.dns_keytab, dnspass=dnspass)
+                        dns_keytab_path=paths.dns_keytab, dnspass=dnspass,
+                        key_version_number=key_version_number)
 
     create_dns_dir(logger, paths)
 
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e574b48..37f7102 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1069,7 +1069,7 @@ sub provision_promoted_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1520,7 +1520,7 @@ sub provision_chgdcpass($$)
 				   "chgdcpassword.samba.example.com",
 				   "2008",
 				   "chgDCpass1",
-				   undef, "server services = -dns", "",
+				   undef, "", "",
 				   $extra_provision_options);
 
 	return undef unless(defined $ret);
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index 028a31b..6818b01 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -320,7 +320,6 @@ static NTSTATUS dsgetdcname_cache_fetch(TALLOC_CTX *mem_ctx,
 					const char *domain_name,
 					const struct GUID *domain_guid,
 					uint32_t flags,
-					const char *site_name,
 					struct netr_DsRGetDCNameInfo **info_p)
 {
 	char *key;
@@ -393,7 +392,7 @@ static NTSTATUS dsgetdcname_cached(TALLOC_CTX *mem_ctx,
 	NTSTATUS status;
 
 	status = dsgetdcname_cache_fetch(mem_ctx, domain_name, domain_guid,
-					 flags, site_name, info);
+					 flags, info);
 	if (!NT_STATUS_IS_OK(status)
 	    && !NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
 		DEBUG(10,("dsgetdcname_cached: cache fetch failed with: %s\n",
@@ -1094,12 +1093,10 @@ static bool is_closest_site(struct netr_DsRGetDCNameInfo *info)
 }
 
 /********************************************************************
- dsgetdcname.
-
- This will be the only public function here.
+ Internal dsgetdcname.
 ********************************************************************/
 
-NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
+static NTSTATUS dsgetdcname_internal(TALLOC_CTX *mem_ctx,
 		     struct messaging_context *msg_ctx,
 		     const char *domain_name,
 		     const struct GUID *domain_guid,
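Review bot: The new header comment "Internal dsgetdcname." does not state the contract that now separates this function from the public one. It should say that site_name is used exactly as passed (NULL allowed, no sitename_fetch() lookup here) and that the caller owns the string. Style point on the same hunk: after the rename to the longer "static NTSTATUS dsgetdcname_internal(" the continuation lines starting at "struct messaging_context *msg_ctx," are still aligned to the old name and should be re-indented.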
@@ -1109,15 +1106,14 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
 {
 	NTSTATUS status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
 	struct netr_DsRGetDCNameInfo *myinfo = NULL;
-	char *query_site = NULL;
 	bool first = true;
 	struct netr_DsRGetDCNameInfo *first_info = NULL;
 
-	DEBUG(10,("dsgetdcname: domain_name: %s, "
+	DEBUG(10,("dsgetdcname_internal: domain_name: %s, "
 		  "domain_guid: %s, site_name: %s, flags: 0x%08x\n",
 		  domain_name,
 		  domain_guid ? GUID_string(mem_ctx, domain_guid) : "(null)",
-		  site_name, flags));
+		  site_name ? site_name : "(null)", flags));
 
 	*info = NULL;
 
@@ -1126,18 +1122,12 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	if ((site_name == NULL) || (site_name[0] == '\0')) {
-		query_site = sitename_fetch(domain_name);
-	} else {
-		query_site = SMB_STRDUP(site_name);
-	}
-
 	if (flags & DS_FORCE_REDISCOVERY) {
 		goto rediscover;
 	}
 
 	status = dsgetdcname_cached(mem_ctx, msg_ctx, domain_name, domain_guid,
-				    flags, query_site, &myinfo);
+				    flags, site_name, &myinfo);
 	if (NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
@@ -1148,12 +1138,10 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
 
  rediscover:
 	status = dsgetdcname_rediscover(mem_ctx, msg_ctx, domain_name,
-					domain_guid, flags, query_site,
+					domain_guid, flags, site_name,
 					&myinfo);
 
  done:
-	SAFE_FREE(query_site);
-
 	if (!NT_STATUS_IS_OK(status)) {
 		if (!first) {
 			*info = first_info;
@@ -1168,10 +1156,67 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
 		first = false;
 		first_info = myinfo;
 		/* TODO: may use the next_closest_site here */
-		query_site = SMB_STRDUP(myinfo->client_site_name);
+		site_name = myinfo->client_site_name;
 		goto rediscover;
 	}
 
 	*info = myinfo;
 	return NT_STATUS_OK;
 }
+
+/********************************************************************
+ dsgetdcname.
+
+ This will be the only public function here.
+********************************************************************/
+
+NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx,
+		     struct messaging_context *msg_ctx,
+		     const char *domain_name,
+		     const struct GUID *domain_guid,
+		     const char *site_name,
+		     uint32_t flags,
+		     struct netr_DsRGetDCNameInfo **info)
+{
+	NTSTATUS status;
+	const char *query_site = NULL;
+	char *ptr_to_free = NULL;
+	bool retry_query_with_null = false;
+
+	if ((site_name == NULL) || (site_name[0] == '\0')) {
+		ptr_to_free = sitename_fetch(domain_name);
+		if (ptr_to_free != NULL) {
+			retry_query_with_null = true;
+		}
+		query_site = ptr_to_free;
+	} else {
+		query_site = site_name;
+	}
+
+	status = dsgetdcname_internal(mem_ctx,
+				msg_ctx,
+				domain_name,
+				domain_guid,
+				query_site,
+				flags,
+				info);
+
+	SAFE_FREE(ptr_to_free);
+
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
+		return status;
+	}
+
+	/* Should we try again with site_name == NULL ? */
+	if (retry_query_with_null) {
+		status = dsgetdcname_internal(mem_ctx,
+					msg_ctx,
+					domain_name,
+					domain_guid,
+					NULL,
+					flags,
+					info);
+	}
+
+	return status;
+}
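Review bot: The fallback at the end of the new dsgetdcname() wrapper, the second dsgetdcname_internal() call with NULL as the site, runs without any log output. A DEBUG line before it, saying that the site name returned by sitename_fetch() produced NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND and that the query is being repeated without a site, would make a stale site name diagnosable from the logs. Nothing in this hunk discards that site name after it fails, so every later call repeats the failing query before the retry; with DS_FORCE_REDISCOVERY set that is two full rediscoveries per call. At the top of the hunk, "site_name = myinfo->client_site_name;" now borrows the string from myinfo instead of duplicating it, which is only valid while first_info is kept alive across the "goto rediscover"; a comment stating that dependency would protect it from a later change that frees first_info early.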
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index d618aea..9ea5e25 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -138,6 +138,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
 			       char *lock_data,
 			       uint16_t flags2,
 			       unsigned int max_data_bytes,
+			       size_t *fixed_portion,
 			       char **ppdata,
 			       unsigned int *pdata_size);
 
@@ -155,6 +156,7 @@ NTSTATUS smbd_do_qfsinfo(connection_struct *conn,
 			 uint16_t info_level,
 			 uint16_t flags2,
 			 unsigned int max_data_bytes,
+			 size_t *fixed_portion,
 			 struct smb_filename *smb_fname,
 			 char **ppdata,
 			 int *ret_data_len);
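Review bot: In smbd_do_qfsinfo() the three length-related parameters now have three different types: "unsigned int max_data_bytes", "size_t *fixed_portion" and "int *ret_data_len". Any comparison of the fixed portion against the returned length or the client's maximum mixes signed and unsigned values, so please make sure the callers cast explicitly and reject a negative *ret_data_len before comparing. The same documentation gap as in smbd_do_qfilepathinfo() applies to fixed_portion here.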
diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c
index 5616c84..449aeb3 100644
--- a/source3/smbd/smb2_getinfo.c
+++ b/source3/smbd/smb2_getinfo.c
@@ -159,7 +159,10 @@ static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq)
 		return;
 	}
 
-	if (!NT_STATUS_IS_OK(call_status)) {
+	/* some GetInfo responses set STATUS_BUFFER_OVERFLOW and return partial,
+	   but valid data */
+	if (!(NT_STATUS_IS_OK(call_status) ||
+	      NT_STATUS_EQUAL(call_status, STATUS_BUFFER_OVERFLOW))) {
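Review bot: The relaxed check in smbd_smb2_request_getinfo_done() accepts STATUS_BUFFER_OVERFLOW from every GetInfo call, while the comment only says "some GetInfo responses". If only specific info classes are meant to return partial data, either restrict the exception to them or name them in the comment. The rest of the hunk is cut off in this message, so it cannot be confirmed from here that the reply is sent with call_status rather than NT_STATUS_OK and that the returned length is capped at the client's output buffer length; both need checking on the path that follows this condition.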


-- 
Samba Shared Repository

