[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Sun Aug 31 18:59:04 MDT 2014
The branch, master has been updated
via 470e5b8 s4-netlogond: Give a better error if we do not have a flatname attribute
via b9e1736 join.py: Ensure to fill in samAccountName so we get the domain$ account
via 8485cc9 s3-rpc_client: Do not give NT_STATUS_NO_MEMORY when the source string was NULL
via 5602377 set_dc_type_and_flags_trustinfo: Use init_dc_connection and wb_open_internal_pipe
via 1c979b1 dsdb: improve debugging in DsCrackNameOneFilter
via 7a29173 winbindd: Add debugging to assist in locating errors creating NETLOGON pipes
via 7356152 passdb: Use sam_get_results_trust() and implement pdb_samba_dsdb_get_trusteddom_pw
via 80be699 auth: Split out fetching trusted domain into sam_get_results_trust()
via 36085a2 provision: Only create hard links for ForestDnsZones if it exists on this DC
via b50d7a0 selftest: Improve connection between primary domain and subdomain for krb5
via b6ade7d dsdb: Make log message more clear
via aa6a740 selftest: Set admin password on subdom_dc environment
via a348959 winbindd: Do not segfault if the trusted domain has no SID
via 0edc147 join.py: Ensure we set the SID of the parent domain on the trust record
via 964e412 python: Use the security.dom_sid type for ctx.domsid in join.py and provision
via c9f613f dsdb: Permit creation of partitions of type INSTANCE_TYPE_UNINSTANT
via 204337f provision: Use names.domainsid and names.domainguid
via 79ee8fc s4-gensec: Fix spelling in debug message
via 6ad24d0 provision: Only calculate ForestDNSZone GUID if we need it
via c11a89a join.py: Reinstate full_nc_list and make creation of NTDS-DSA object common
via 05375cd selftest: Pass DC_REALM to the subdom_dc environment
via 1fb7901 dsdb: Change acl module to look for instanceType flag rather than list of NCs
from bfdc874 Various updates to the pidl README file.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 470e5b82222c214ad0cd06fb550d3221be2a7997
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 22 17:49:32 2014 +1200
s4-netlogond: Give a better error if we do not have a flatname attribute
Change-Id: I3bc283b6fab4326131084d1abb89cb486af7b35a
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Sep 1 02:58:46 CEST 2014 on sn-devel-104
commit b9e1736216413f6583fac6948998f29531fa630d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 22 17:49:06 2014 +1200
join.py: Ensure to fill in samAccountName so we get the domain$ account
Otherwise, we get a random samAccountName
Andrew Bartlett
Change-Id: I87ea532fe22c1b2d2effd52859da3b357f692b5a
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 8485cc9448f0114510f80a1ad40b50be991bbc42
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 18 14:13:39 2014 +1200
s3-rpc_client: Do not give NT_STATUS_NO_MEMORY when the source string was NULL
Change-Id: I25a4dcc2239267ee7c219e965693027ca2981983
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 5602377fcec03ee57cb87c1600b519484c6adc10
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 18 13:14:04 2014 +1200
set_dc_type_and_flags_trustinfo: Use init_dc_connection and wb_open_internal_pipe
This means we call this code, and mark trusted domains as active directory, when we are an AD DC.
Otherwise, in the previous case we would not have domain->active_directory set, and would fail on
connection_ok() due to not having a full connection to our internal DC
Change-Id: I7ccee569d69d6c5466334540db8920e57aafa991
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1c979b1cfc483b88f169e90ba20f773001bcfc26
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 18 10:08:24 2014 +1200
dsdb: improve debugging in DsCrackNameOneFilter
Change-Id: I64d8e1eb94d833dc8ebf18fecdf32a83470a087e
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 7a29173af87fe112af24fd3c4209307e87d2f23a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 18 10:07:03 2014 +1200
winbindd: Add debugging to assist in locating errors creating NETLOGON pipes
Change-Id: If15483c37ed43267c6474ce8b5e9d96254745bca
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 735615293b24d19ef279cff1970bd65999bb9de7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 15 15:01:31 2014 +1200
passdb: Use sam_get_results_trust() and implement pdb_samba_dsdb_get_trusteddom_pw
We now return the plaintext passwords for trusted domains so winbindd can use them.
Change-Id: Ifcd59b0be815d25b73bdbc41db7477895461c7b6
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 80be6993c9d21c91ce8b3d9941b93a7f1c6ba579
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 15 15:00:25 2014 +1200
auth: Split out fetching trusted domain into sam_get_results_trust()
This new helper function will also be used by pdb_samba_dsdb.
Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 36085a222cb4b837568f00192828594d26692c0e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 14 14:47:38 2014 +1200
provision: Only create hard links for ForestDnsZones if it exists on this DC
We might be a subdomain, and not host this partition.
Andrew Bartlett
Change-Id: I9aa32c5692cd9fd0a6bced8bea37cd8593b31906
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
commit b50d7a0f34867072195777915858e2396d452092
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 11 17:30:51 2014 +1200
selftest: Improve connection between primary domain and subdomain for krb5
Two things help here: The join is done on the lower case name, so we
can match it in the krb5.conf, and we share the krb5.conf between the
"dc" environment and the "subdom_dc" environment. Between these two
measures, this means we can get tickets using the domain trust.
If we used cwrap for DNS queries and we had our internal DNS set up correctly,
we could avoid this (because that is not case sensitive),
but otherwise we need to get SUB.samba.example.org into the krb5.conf,
and this is harder to do in a generic way.
Andrew Bartlett
Change-Id: If378915112728aaf47aa68ce0b071a7e09d756ad
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit b6ade7d04b3aacba5a215561d6f910a0fd255d63
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 11 15:53:44 2014 +1200
dsdb: Make log message more clear
Change-Id: Ibf3c55748e755d2f6dae57293bfde11cdf7ba3ae
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit aa6a7401632f09e8fd7da6f1d09dbb4b80b7b518
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 11 13:36:09 2014 +1200
selftest: Set admin password on subdom_dc environment
Change-Id: Ib9edae20004ea6f5a500efcfcd7bbd9fc8015c25
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit a348959088348560fe31fdc73b8482214c4021bf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 11 11:47:54 2014 +1200
winbindd: Do not segfault if the trusted domain has no SID
Currently we abort, as skipping the domain would make the loop much more complex for a situation not yet seen in the real world.
Andrew Bartlett
Change-Id: Ie1e269eb25047d662d8fd0f771ee20de1d48706b
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 0edc1476b7c492cfda877bc2ac36df9d13e0abad
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 11 11:46:51 2014 +1200
join.py: Ensure we set the SID of the parent domain on the trust record
Change-Id: Ifaf3f2d1240d983a48ee1874fdc9c266354f6754
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 964e412ead6af1ef2ccfba351161e9a865a251ac
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 11 11:23:57 2014 +1200
python: Use the security.dom_sid type for ctx.domsid in join.py and provision
Change-Id: I1266f77184d68aae6a39a73bac8a432fdd707b2e
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit c9f613f60ddf61f27ff67a7bbef8b93022099335
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 8 19:26:46 2014 +1200
dsdb: Permit creation of partitions of type INSTANCE_TYPE_UNINSTANT
This is only allowed when we are creating the objects from a DsAddEntry call, not over LDAP.
Change-Id: Ieec6b07556d58741ec04fede8bf9940811f12a62
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 204337f454d1225fb7bf8525448000f2c30e0011
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 8 18:43:47 2014 +1200
provision: Use names.domainsid and names.domainguid
This is better than passing around parameters to functions all over
the provision stack and makes it easier to pass in a separate forest
SID when we start to support subdomains.
Change-Id: I3787f4f3433ca04628f888135c7c0c8195379542
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 79ee8fc82cf3f96d64419a905b46d20ce2c17a64
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Oct 16 15:36:46 2013 +1300
s4-gensec: Fix spelling in debug message
Change-Id: Ia0218c4b1f714d1b829ab0ce5851a4d02a1bf5df
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 6ad24d072e360da95e5313a47fb5a312e722593a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Oct 16 14:43:39 2013 +1300
provision: Only calculate ForestDNSZone GUID if we need it
Change-Id: Ie33812627ce7ececda681c2d784b1ca97b1b73c4
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit c11a89a2c1ea54c26533dde34d0c28cc24664a98
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Oct 16 14:34:43 2013 +1300
join.py: Reinstate full_nc_list and make creation of NTDS-DSA object common
The new function join_ntdsdsa_obj() returns the object, to be added over LDAP or DsAddEntry().
Andrew Bartlett
Change-Id: I41ac256fb3d4edffc617af4ae580acd941b4de83
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 05375cde8354a785c190cd75b051e3e508312b37
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 9 17:14:45 2013 +1200
selftest: Pass DC_REALM to the subdom_dc environment
This allows 'samba-tool drs kcc' to be run during the environment setup.
Andrew Bartlett
Change-Id: I5d25470f1530b28be0a9413d13c48442fabb1a84
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
commit 1fb79011c1bec85515789f985314b0ea30016746
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 6 15:48:29 2013 +1200
dsdb: Change acl module to look for instanceType flag rather than list of NCs
This avoids any DNs being a free pass beyond the ACL code; instead it is based on the CN=Partitions ACL.
Andrew Bartlett
Change-Id: Ib2f4abe0165e47fa4a71925d126c2eeec68df119
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/join.py | 96 ++++++++++---------
python/samba/netcmd/domain.py | 4 +
python/samba/provision/__init__.py | 71 ++++++++-------
python/samba/provision/sambadns.py | 39 ++++----
python/samba/upgrade.py | 2 +-
python/samba/upgradehelpers.py | 2 +-
selftest/target/Samba4.pm | 13 +++-
source3/passdb/pdb_samba_dsdb.c | 125 ++++++++++++++++++++++++-
source3/rpc_client/cli_pipe.c | 11 +-
source3/winbindd/winbindd_cm.c | 56 ++++++++----
source3/winbindd/winbindd_rpc.c | 10 ++-
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/auth/sam.c | 74 +++++++++++++++
source4/dsdb/common/util.c | 8 +-
source4/dsdb/samdb/cracknames.c | 4 +-
source4/dsdb/samdb/ldb_modules/acl.c | 97 ++++++++++++++++---
source4/dsdb/samdb/ldb_modules/instancetype.c | 24 ++++-
source4/dsdb/tests/python/acl.py | 2 +
source4/kdc/db-glue.c | 52 +++-------
source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 +
20 files changed, 510 insertions(+), 184 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/join.py b/python/samba/join.py
index a5211bc..d9e5e8c 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -66,6 +66,7 @@ class dc_join(object):
ctx.promote_from_dn = None
ctx.nc_list = []
+ ctx.full_nc_list = []
ctx.creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
ctx.net = Net(creds=ctx.creds, lp=ctx.lp)
@@ -93,7 +94,8 @@ class dc_join(object):
ctx.root_dn = str(ctx.samdb.get_root_basedn())
ctx.schema_dn = str(ctx.samdb.get_schema_basedn())
ctx.config_dn = str(ctx.samdb.get_config_basedn())
- ctx.domsid = ctx.samdb.get_domain_sid()
+ ctx.domsid = security.dom_sid(ctx.samdb.get_domain_sid())
+ ctx.forestsid = ctx.domsid
ctx.domain_name = ctx.get_domain_name()
ctx.forest_domain_name = ctx.get_forest_domain_name()
ctx.invocation_id = misc.GUID(str(uuid.uuid4()))
@@ -370,7 +372,7 @@ class dc_join(object):
def create_tmp_samdb(ctx):
'''create a temporary samdb object for schema queries'''
- ctx.tmp_schema = Schema(security.dom_sid(ctx.domsid),
+ ctx.tmp_schema = Schema(ctx.domsid,
schemadn=ctx.schema_dn)
ctx.tmp_samdb = SamDB(session_info=system_session(), url=None, auto_connect=False,
credentials=ctx.creds, lp=ctx.lp, global_schema=False,
@@ -447,8 +449,8 @@ class dc_join(object):
return ctr.objects
- def join_add_ntdsdsa(ctx):
- '''add the ntdsdsa object'''
+ def join_ntdsdsa_obj(ctx):
+ '''return the ntdsdsa object to add'''
print "Adding %s" % ctx.ntds_dn
rec = {
@@ -467,16 +469,28 @@ class dc_join(object):
if ctx.RODC:
rec["objectCategory"] = "CN=NTDS-DSA-RO,%s" % ctx.schema_dn
- rec["msDS-HasFullReplicaNCs"] = ctx.nc_list
+ rec["msDS-HasFullReplicaNCs"] = ctx.full_nc_list
rec["options"] = "37"
- ctx.samdb.add(rec, ["rodc_join:1:1"])
else:
rec["objectCategory"] = "CN=NTDS-DSA,%s" % ctx.schema_dn
- rec["HasMasterNCs"] = nc_list
+ rec["HasMasterNCs"] = []
+ for nc in nc_list:
+ if nc in ctx.full_nc_list:
+ rec["HasMasterNCs"].append(nc)
if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
- rec["msDS-HasMasterNCs"] = ctx.nc_list
+ rec["msDS-HasMasterNCs"] = ctx.full_nc_list
rec["options"] = "1"
rec["invocationId"] = ndr_pack(ctx.invocation_id)
+
+ return rec
+
+ def join_add_ntdsdsa(ctx):
+ '''add the ntdsdsa object'''
+
+ rec = ctx.join_ntdsdsa_obj()
+ if ctx.RODC:
+ ctx.samdb.add(rec, ["rodc_join:1:1"])
+ else:
ctx.DsAddEntry([rec])
# find the GUID of our NTDS DN
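Review bot: the new filter `for nc in nc_list: if nc in ctx.full_nc_list: rec["HasMasterNCs"].append(nc)` iterates the function-local `nc_list`, not `ctx.nc_list`, and because `do_join()` always seeds `ctx.full_nc_list` with `ctx.base_dn`, `ctx.config_dn` and `ctx.schema_dn`, the filter keeps every entry of that local list in the cases this changeset sets up. If the intent is that a subdomain DC only lists the NCs it holds read/write, say so in a comment and consider building `HasMasterNCs` from `ctx.full_nc_list` directly, which also removes the easily confused local/`ctx` naming. The RODC branch's `rec["msDS-HasFullReplicaNCs"] = ctx.full_nc_list` also deserves a comment, since `do_join()` documents `full_nc_list` as the NCs held read/write, which an RODC never has.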
@@ -672,26 +686,7 @@ class dc_join(object):
if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
rec["msDS-Behavior-Version"] = str(ctx.behavior_version)
- rec2 = {
- "dn" : ctx.ntds_dn,
- "objectclass" : "nTDSDSA",
- "systemFlags" : str(samba.dsdb.SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE),
- "dMDLocation" : ctx.schema_dn}
-
- nc_list = [ ctx.base_dn, ctx.config_dn, ctx.schema_dn ]
-
- if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
- rec2["msDS-Behavior-Version"] = str(ctx.behavior_version)
-
- if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
- rec2["msDS-HasDomainNCs"] = ctx.base_dn
-
- rec2["objectCategory"] = "CN=NTDS-DSA,%s" % ctx.schema_dn
- rec2["HasMasterNCs"] = nc_list
- if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
- rec2["msDS-HasMasterNCs"] = ctx.nc_list
- rec2["options"] = "1"
- rec2["invocationId"] = ndr_pack(ctx.invocation_id)
+ rec2 = ctx.join_ntdsdsa_obj()
objects = ctx.DsAddEntry([rec, rec2])
if len(objects) != 2:
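Review bot: the removed `rec2` set `rec2["msDS-HasDomainNCs"] = ctx.base_dn` explicitly (see the `-` lines above), but the part of `join_ntdsdsa_obj()` shown in this patch does not emit that attribute; confirm the shared builder still sets `msDS-HasDomainNCs` for the subdomain case, otherwise the subdomain's NTDS-DSA object silently loses it. The other attributes the old `rec2` carried (objectCategory, HasMasterNCs, msDS-HasMasterNCs, options, invocationId) are visibly covered by the builder.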
@@ -735,6 +730,9 @@ class dc_join(object):
ctx.paths = presult.paths
ctx.names = presult.names
+ # Fix up the forestsid, it may be different if we are joining as a subdomain
+ ctx.names.forestsid = ctx.forestsid
+
def join_provision_own_domain(ctx):
"""Provision the local SAM."""
@@ -756,19 +754,18 @@ class dc_join(object):
raise DCJoinException("Can't find naming context on partition DN %s in %s" % (ctx.partition_dn, ctx.samdb.url))
try:
- domguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID')))
+ ctx.names.domainguid = str(misc.GUID(ldb.Dn(ctx.samdb, res[0]['ncName'][0]).get_extended_component('GUID')))
except KeyError:
raise DCJoinException("Can't find GUID in naming master on partition DN %s" % res[0]['ncName'][0])
- ctx.logger.info("Got domain GUID %s" % domguid)
+ ctx.logger.info("Got domain GUID %s" % ctx.names.domainguid)
ctx.logger.info("Calling own domain provision")
secrets_ldb = Ldb(ctx.paths.secrets, session_info=system_session(), lp=ctx.lp)
presult = provision_fill(ctx.local_samdb, secrets_ldb,
- ctx.logger, ctx.names, ctx.paths, domainsid=security.dom_sid(ctx.domsid),
- domainguid=domguid,
+ ctx.logger, ctx.names, ctx.paths,
dom_for_fun_level=DS_DOMAIN_FUNCTION_2003,
targetdir=ctx.targetdir, samdb_fill=FILL_SUBDOMAIN,
machinepass=ctx.acct_pass, serverrole="active directory domain controller",
@@ -927,13 +924,13 @@ class dc_join(object):
realm=ctx.realm,
dnsdomain=ctx.dnsdomain,
netbiosname=ctx.myname,
- domainsid=security.dom_sid(ctx.domsid),
+ domainsid=ctx.domsid,
machinepass=ctx.acct_pass,
secure_channel_type=ctx.secure_channel_type,
key_version_number=ctx.key_version_number)
if ctx.dns_backend.startswith("BIND9_"):
- setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid),
+ setup_bind9_dns(ctx.local_samdb, secrets_ldb,
ctx.names, ctx.paths, ctx.lp, ctx.logger,
dns_backend=ctx.dns_backend,
dnspass=ctx.dnspass, os_level=ctx.behavior_version,
@@ -970,7 +967,7 @@ class dc_join(object):
info = lsa.TrustDomainInfoInfoEx()
info.domain_name.string = ctx.dnsdomain
info.netbios_name.string = ctx.domain_name
- info.sid = security.dom_sid(ctx.domsid)
+ info.sid = ctx.domsid
info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
@@ -1040,7 +1037,8 @@ class dc_join(object):
"flatname" : ctx.forest_domain_name,
"trustPartner" : ctx.dnsforest,
"trustAuthIncoming" : ndr_pack(outgoing),
- "trustAuthOutgoing" : ndr_pack(outgoing)
+ "trustAuthOutgoing" : ndr_pack(outgoing),
+ "securityIdentifier" : ndr_pack(ctx.forestsid)
}
ctx.local_samdb.add(rec)
@@ -1048,23 +1046,32 @@ class dc_join(object):
"dn" : "cn=%s$,cn=users,%s" % (ctx.forest_domain_name, ctx.base_dn),
"objectclass" : "user",
"userAccountControl" : str(samba.dsdb.UF_INTERDOMAIN_TRUST_ACCOUNT),
- "clearTextPassword" : ctx.trustdom_pass.encode('utf-16-le')
+ "clearTextPassword" : ctx.trustdom_pass.encode('utf-16-le'),
+ "samAccountName" : "%s$" % ctx.forest_domain_name
}
ctx.local_samdb.add(rec)
def do_join(ctx):
- # full_nc_list is the list of naming context (NC) for which we will
- # send a updateRef command to the partner DC
+ # nc_list is the list of naming context (NC) for which we will
+ # replicate in and send a updateRef command to the partner DC
+
+ # full_nc_list is the list of naming context (NC) we hold
+ # read/write copies of. These are not subsets of each other.
ctx.nc_list = [ ctx.config_dn, ctx.schema_dn ]
+ ctx.full_nc_list = [ ctx.base_dn, ctx.config_dn, ctx.schema_dn ]
- if not ctx.subdomain:
+ if ctx.subdomain and ctx.dns_backend != "NONE":
+ ctx.full_nc_list += [ctx.domaindns_zone]
+
+ elif not ctx.subdomain:
ctx.nc_list += [ctx.base_dn]
+
if ctx.dns_backend != "NONE":
ctx.nc_list += [ctx.domaindns_zone]
-
- if ctx.dns_backend != "NONE":
- ctx.nc_list += [ctx.forestdns_zone]
+ ctx.nc_list += [ctx.forestdns_zone]
+ ctx.full_nc_list += [ctx.domaindns_zone]
+ ctx.full_nc_list += [ctx.forestdns_zone]
if ctx.promote_existing:
ctx.promote_possible()
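Review bot: behaviour change for subdomain joins with a DNS backend: previously `ctx.nc_list += [ctx.forestdns_zone]` ran for every join with `dns_backend != "NONE"`, and now it runs only inside the `elif not ctx.subdomain:` branch, so a subdomain DC no longer replicates in ForestDnsZones nor sends updateRef for it. If that is intended (it matches the "we might be a subdomain, and not host this partition" rationale elsewhere in this push), state it in the comment block. The comment "These are not subsets of each other" is also misleading: for a non-subdomain join `nc_list` and `full_nc_list` end up with identical members. The added `"samAccountName" : "%s$" % ctx.forest_domain_name` matches the `dn` built from the same name, which is the fix the commit message describes.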
@@ -1204,7 +1211,8 @@ def join_subdomain(logger=None, server=None, creds=None, lp=None, site=None,
logger.info("DNS name of new naming master is %s" % ctx.server)
ctx.base_dn = samba.dn_from_dns_name(dnsdomain)
- ctx.domsid = str(security.random_sid())
+ ctx.forestsid = ctx.domsid
+ ctx.domsid = security.random_sid()
ctx.acct_dn = None
ctx.dnshostname = "%s.%s" % (ctx.myname.lower(), ctx.dnsdomain)
ctx.trustdom_pass = samba.generate_random_password(128, 128)
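Review bot: the ordering of `ctx.forestsid = ctx.domsid` before `ctx.domsid = security.random_sid()` is load-bearing, since `forestsid` must capture the parent domain's SID before it is replaced; a one-line comment there would guard against a future reorder. Note also that `ctx.domsid` changes type from `str` (the removed `str(security.random_sid())`) to `security.dom_sid`, so any remaining code comparing it against a string needs checking.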
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 9e9b30d..fe34f94 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -35,6 +35,7 @@ from samba.join import join_RODC, join_DC, join_subdomain
from samba.auth import system_session
from samba.samdb import SamDB
from samba.dcerpc import drsuapi
+from samba.dcerpc import security
from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT
from samba.netcmd import (
Command,
@@ -406,6 +407,9 @@ class cmd_domain_provision(Command):
if ldap_backend_forced_uri is not None:
self.logger.warn("You have specified to use an fixed URI %s for connecting to your LDAP server backend. This is NOT RECOMMENDED, as our default communiation over ldapi:// is more secure and much less")
+ if domain_sid is not None:
+ domain_sid = security.dom_sid(domain_sid)
+
session = system_session()
try:
result = provision(self.logger,
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 477c5dd..ca80e42 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -164,6 +164,9 @@ class ProvisionNames(object):
self.hostname = None
self.sitename = None
self.smbconf = None
+ self.domainsid = None
+ self.forestsid = None
+ self.domainguid = None
self.name_map = {}
@@ -262,6 +265,7 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
"objectSid","msDS-Behavior-Version" ])
names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
+ names.forestsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
if res6[0].get("msDS-Behavior-Version") is None or \
int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
names.domainlevel = DS_DOMAIN_FUNCTION_2000
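Review bot: `names.forestsid` is populated from the same `res6[0]["objectSid"][0]` as `names.domainsid`, i.e. the local domain's own object, which is only correct when this domain is the forest root; on a DC of a subdomain this records the child domain SID as the forest SID. If `find_provision_key_parameters()` is never expected to run on a subdomain DC, or the caller is expected to fix it up as `join.py` does with `ctx.names.forestsid = ctx.forestsid`, add a comment saying so; otherwise derive the value from the forest root partition.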
@@ -1219,7 +1223,7 @@ def setup_samdb(path, session_info, provision_backend, lp, names,
return samdb
-def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
+def fill_samdb(samdb, lp, names, logger, policyguid,
policyguid_dc, fill, adminpass, krbtgtpass, machinepass, dns_backend,
dnspass, invocationid, ntdsguid, serverrole, am_rodc=False,
dom_for_fun_level=None, schema=None, next_rid=None, dc_rid=None):
@@ -1266,23 +1270,23 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
samdb.set_opaque_integer("domainControllerFunctionality",
domainControllerFunctionality)
- samdb.set_domain_sid(str(domainsid))
+ samdb.set_domain_sid(str(names.domainsid))
samdb.set_invocation_id(invocationid)
logger.info("Adding DomainDN: %s" % names.domaindn)
# impersonate domain admin
- admin_session_info = admin_session(lp, str(domainsid))
+ admin_session_info = admin_session(lp, str(names.domainsid))
samdb.set_session_info(admin_session_info)
- if domainguid is not None:
- domainguid_line = "objectGUID: %s\n-" % domainguid
+ if names.domainguid is not None:
+ domainguid_line = "objectGUID: %s\n-" % names.domainguid
else:
domainguid_line = ""
- descr = b64encode(get_domain_descriptor(domainsid))
+ descr = b64encode(get_domain_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
"DOMAINDN": names.domaindn,
- "DOMAINSID": str(domainsid),
+ "DOMAINSID": str(names.domainsid),
"DESCRIPTOR": descr,
"DOMAINGUID": domainguid_line
})
@@ -1301,7 +1305,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
if fill == FILL_FULL:
logger.info("Adding configuration container")
- descr = b64encode(get_config_descriptor(domainsid))
+ descr = b64encode(get_config_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), {
"CONFIGDN": names.configdn,
"DESCRIPTOR": descr,
@@ -1335,12 +1339,12 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
if fill == FILL_FULL:
logger.info("Setting up sam.ldb configuration data")
- partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
- sites_descr = b64encode(get_config_sites_descriptor(domainsid))
- ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(domainsid))
- protected1_descr = b64encode(get_config_delete_protected1_descriptor(domainsid))
- protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
- protected2_descr = b64encode(get_config_delete_protected2_descriptor(domainsid))
+ partitions_descr = b64encode(get_config_partitions_descriptor(names.domainsid))
+ sites_descr = b64encode(get_config_sites_descriptor(names.domainsid))
+ ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(names.domainsid))
+ protected1_descr = b64encode(get_config_delete_protected1_descriptor(names.domainsid))
+ protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
+ protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
"CONFIGDN": names.configdn,
@@ -1379,7 +1383,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
})
logger.info("Adding users container")
- users_desc = b64encode(get_domain_users_descriptor(domainsid))
+ users_desc = b64encode(get_domain_users_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
"DOMAINDN": names.domaindn,
"USERS_DESCRIPTOR": users_desc
@@ -1388,7 +1392,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
"DOMAINDN": names.domaindn})
logger.info("Adding computers container")
- computers_desc = b64encode(get_domain_computers_descriptor(domainsid))
+ computers_desc = b64encode(get_domain_computers_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
"DOMAINDN": names.domaindn,
"COMPUTERS_DESCRIPTOR": computers_desc
@@ -1398,11 +1402,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
setup_path("provision_computers_modify.ldif"), {
"DOMAINDN": names.domaindn})
logger.info("Setting up sam.ldb data")
- infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
- lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(domainsid))
- system_desc = b64encode(get_domain_delete_protected1_descriptor(domainsid))
- builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
- controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid))
+ infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(names.domainsid))
+ lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(names.domainsid))
+ system_desc = b64encode(get_domain_delete_protected1_descriptor(names.domainsid))
+ builtin_desc = b64encode(get_domain_builtin_descriptor(names.domainsid))
+ controllers_desc = b64encode(get_domain_controllers_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision.ldif"), {
"CREATTIME": str(samba.unix2nttime(int(time.time()))),
"DOMAINDN": names.domaindn,
@@ -1427,7 +1431,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
"SCHEMADN": names.schemadn})
logger.info("Setting up well known security principals")
- protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
+ protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
"CONFIGDN": names.configdn,
"WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
@@ -1441,7 +1445,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
logger.info("Setting up sam.ldb users and groups")
setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
"DOMAINDN": names.domaindn,
- "DOMAINSID": str(domainsid),
+ "DOMAINSID": str(names.domainsid),
"ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')),
"KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
})
@@ -1452,7 +1456,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
dns_backend=dns_backend,
dnspass=dnspass,
machinepass=machinepass,
- domainsid=domainsid,
+ domainsid=names.domainsid,
next_rid=next_rid,
dc_rid=dc_rid,
policyguid=policyguid,
@@ -1747,7 +1751,7 @@ def interface_ips_v6(lp):
def provision_fill(samdb, secrets_ldb, logger, names, paths,
- domainsid, schema=None,
+ schema=None,
targetdir=None, samdb_fill=FILL_FULL,
hostip=None, hostip6=None,
next_rid=1000, dc_rid=None, adminpass=None, krbtgtpass=None,
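Review bot: only `domainsid` is dropped from the `provision_fill()` signature here, yet both call sites in this patch (`join.py` and `provision()`) also stop passing `domainguid`; if `provision_fill()` still declares a `domainguid` parameter further down its signature it is now dead and should be removed, or `names.domainguid` should be set from it for callers that still pass it.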
@@ -1778,7 +1782,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
dnspass = samba.generate_random_password(128, 255)
samdb = fill_samdb(samdb, lp, names, logger=logger,
- domainsid=domainsid, schema=schema, domainguid=domainguid,
+ schema=schema,
policyguid=policyguid, policyguid_dc=policyguid_dc,
fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass,
invocationid=invocationid, machinepass=machinepass,
@@ -1795,14 +1799,14 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
policyguid_dc)
if not skip_sysvolacl:
setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
- paths.root_gid, domainsid, names.dnsdomain,
+ paths.root_gid, names.domainsid, names.dnsdomain,
names.domaindn, lp, use_ntvfs)
else:
logger.info("Setting acl on sysvol skipped")
secretsdb_self_join(secrets_ldb, domain=names.domain,
realm=names.realm, dnsdomain=names.dnsdomain,
- netbiosname=names.netbiosname, domainsid=domainsid,
+ netbiosname=names.netbiosname, domainsid=names.domainsid,
machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC)
# Now set up the right msDS-SupportedEncryptionTypes into the DB
@@ -1823,7 +1827,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
# It might be that this attribute does not exist in this schema
raise
- setup_ad_dns(samdb, secrets_ldb, domainsid, names, paths, lp, logger,
+ setup_ad_dns(samdb, secrets_ldb, names, paths, lp, logger,
hostip=hostip, hostip6=hostip6, dns_backend=dns_backend,
dnspass=dnspass, os_level=dom_for_fun_level,
targetdir=targetdir, fill_level=samdb_fill)
@@ -1952,8 +1956,6 @@ def provision(logger, session_info, smbconf=None,
if domainsid is None:
domainsid = security.random_sid()
- else:
- domainsid = security.dom_sid(domainsid)
root_uid = findnss_uid([root or "root"])
nobody_uid = findnss_uid([nobody or "nobody"])
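Review bot: removing the `else: domainsid = security.dom_sid(domainsid)` branch moves the str-to-`dom_sid` conversion out of `provision()`, and only `cmd_domain_provision` in `netcmd/domain.py` is updated in this changeset to convert before calling. Any other caller still passing a string will not fail here but later, when `names.domainsid` reaches `ndr_pack()` or the descriptor helpers; consider keeping an `isinstance(domainsid, str)` guard or documenting the new contract in the function's docstring.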
@@ -2049,6 +2051,9 @@ def provision(logger, session_info, smbconf=None,
names.hostip = hostip
names.hostip6 = hostip6
+ names.domainguid = domainguid
+ names.domainsid = domainsid
+ names.forestsid = domainsid
if serverrole is None:
serverrole = lp.get("server role")
@@ -2152,9 +2157,9 @@ def provision(logger, session_info, smbconf=None,
if samdb_fill == FILL_FULL:
provision_fill(samdb, secrets_ldb, logger, names, paths,
schema=schema, targetdir=targetdir, samdb_fill=samdb_fill,
- hostip=hostip, hostip6=hostip6, domainsid=domainsid,
+ hostip=hostip, hostip6=hostip6,
next_rid=next_rid, dc_rid=dc_rid, adminpass=adminpass,
- krbtgtpass=krbtgtpass, domainguid=domainguid,
+ krbtgtpass=krbtgtpass,
policyguid=policyguid, policyguid_dc=policyguid_dc,
invocationid=invocationid, machinepass=machinepass,
ntdsguid=ntdsguid, dns_backend=dns_backend,
diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
index 87fb486..9dbea4e 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -252,13 +252,8 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
})
domainzone_guid = get_domainguid(samdb, domainzone_dn)
- forestzone_guid = get_domainguid(samdb, forestzone_dn)
-
domainzone_guid = str(uuid.uuid4())
- forestzone_guid = str(uuid.uuid4())
-
domainzone_dns = ldb.Dn(samdb, domainzone_dn).canonical_ex_str().strip()
- forestzone_dns = ldb.Dn(samdb, forestzone_dn).canonical_ex_str().strip()
protected1_desc = get_domain_delete_protected1_descriptor(domainsid)
protected2_desc = get_domain_delete_protected2_descriptor(domainsid)
@@ -278,6 +273,10 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
})
if fill_level != FILL_SUBDOMAIN:
+ forestzone_guid = get_domainguid(samdb, forestzone_dn)
+ forestzone_guid = str(uuid.uuid4())
+ forestzone_dns = ldb.Dn(samdb, forestzone_dn).canonical_ex_str().strip()
+
setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), {
"ZONE_DN": forestzone_dn,
"ZONE_GUID": forestzone_guid,
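Review bot: `forestzone_guid = get_domainguid(samdb, forestzone_dn)` is immediately overwritten by `forestzone_guid = str(uuid.uuid4())`, so the lookup result is discarded (the same pattern already exists for `domainzone_guid` in the previous hunk); keep one of the two lines, and if the lookup is the intended source, fall back to `uuid.uuid4()` only when it returns nothing. Moving the forest zone setup under `if fill_level != FILL_SUBDOMAIN:` is otherwise consistent with the `join.py` change.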
@@ -807,22 +806,26 @@ def create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid):
# Link dns partitions and metadata
--
Samba Shared Repository