[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Wed Jul 8 22:57:03 UTC 2015
The branch, master has been updated
via 7447abc s4:torture/rpc: extend and improve rpc.lsa.trusted.domains
via d9d6707 s4:torture/rpc: add missing \n in comments
via 84b0d1f s4:torture/rpc: handle NT_STATUS_NO_SUCH_DOMAIN in test_query_each_TrustDom()
via 80be365 testprogs/blackbox: add test_trust_utils.sh
via 03fc85e testprogs/blackbox: let test_kinit_trusts.sh verify that setpassword (via LDAP) is rejected
via b2ad31a testprogs/blackbox: let test_kinit_trusts.sh test an enterprise upn from the other forest
via 7605c5d selftest/Samba4: setup forest UPN and SPN namespaces for ad_dc and fl2008r2dc
via 7ee4f23 testprogs/blackbox: add test_kinit_trusts.sh
via 90956d6 selftest/Samba4: setup trusts between forest:fl2008r2dc/ad_dc and external:fl2003dc/ad_dc
via cab82eb samba-tool: add 'domain trust *' commands
via 41f08b1 python/samba: add an optional 'special_name' argument to CredentialsOptions()
via 3dd3338 python/samba: add current_unix_time()
via fcc6b5c s4:rpc_server/netlogon: check domain state in netr_*GetForestTrustInformation()
via ef8f55a s4:rpc_server/netlogon: make use of dsdb_trust_xref_forest_info()
via 9af2561 s4:rpc_server/netlogon: implement netr_DsRGetForestTrustInformation with trusted domains
via c123274 s3:winbindd: add wb_irpc_GetForestTrustInformation()
via 8e196b4 s3:winbindd: implement winbind_GetForestTrustInformation()
via 56c7f88 librpc/idl: add winbind_GetForestTrustInformation()
via 70cea2b s4:rpc_server/netlogon: implement NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}
via 6f859f4 s3:winbindd: add wb_irpc_LogonControl()
via 03e846b s3:winbindd: implement _winbind_LogonControl*()
via ee5e25b librpc/idl: add winbind_LogonControl()
via f9246d7 s4:rpc_server/lsa: remove unused code
via c98f96d s4:rpc_server/lsa: use dsdb_trust_*() helper functions in dcesrv_lsa_lsaRSetForestTrustInformation()
via 666ac7c s4:dsdb/common: add dsdb_trust_merge_forest_info() helper function
via f043ee9 s4:dsdb/common: dsdb_trust_normalize_forest_info_step[1,2]() and dsdb_trust_verify_forest_info()
via 46e2a97 s4:dsdb/common: add dsdb_trust_xref_tdo_info() helper function
via e7c4d2e s4:dsdb/common: add dsdb_trust_forest_info_from_lsa() helper function
via ac4c4a9 s4:rpc_server/lsa: implement dcesrv_lsa_lsaRQueryForestTrustInformation()
via 98dc410 s4:rpc_server/lsa: improve dcesrv_lsa_CreateTrustedDomain_base()
via df7f745 s4:rpc_server/lsa: fix dcesrv_lsa_CreateTrustedDomain()
via c57fef8 s4:rpc_server/netlogon: implement dcesrv_netr_ServerTrustPasswordsGet()
via a02300c s4:rpc_server/netlogon: implement dcesrv_netr_ServerGetTrustInfo()
via 0b4bdee s4:rpc_server/netlogon: let dcesrv_netr_ServerAuthenticate3() fallback to the previous hash for trusts
via 38c30b9 s4:dsdb/common: add dsdb_trust_get_incoming_passwords() helper function
via a56d9fe s4:rpc_server/netlogon: extract and pass down the password version in dcesrv_netr_ServerPasswordSet2()
via 8a63dd8 s4:dsdb/password_hash: reject interdomain trust password changes via LDAP
via dd23d8e s4:dsdb/common: support trusted domains in samdb_set_password_sid()
via 81c2760 s4:dsdb/common: make use of dsdb_search_one() in samdb_set_password_sid()
via aded6f6 s4:dsdb/common: pass optional new_version to samdb_set_password_sid()
via 1a84cb7 s4:dsdb/netlogon: add support for CLDAP requests with AAC=0x00000400(ACB_AUTOLOCK) and user="example.com."
via 0deb1d9 s4:auth/sam: remove unused sam_get_results_trust()
via 347d540 s3:pdb_samba_dsdb: make use of dsdb_trust_search_tdo()
via 839645d s4:kdc/db-glue: make use of dsdb_trust_search_tdo()
via a251811 s4:dsdb/common: add dsdb_trust_search_tdo*() helper functions
via 143b654 s4:kdc/db-glue: implement cross forest routing by returning HDB_ERR_WRONG_REALM
via a11f874 s4:dsdb/common: add helper functions for trusted domain objects (tdo)
via 2d98800 heimdal:kdc: add support for HDB_ERR_WRONG_REALM
via c63f360 heimdal:kdc: generic support for 3part servicePrincipalNames
via 454db47 heimdal:lib/krb5: add krb5_mk_error_ext() helper function
via fca11ed heimdal:lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
via 3a14835 s4:kdc/db-glue: let samba_kdc_trust_message2entry always generate the principal
via 3943f02 s4:kdc/db-glue: prefer the previous password for trust accounts
via f05c0bc s4:kdc/db-glue: allow invalid kvno numbers in samba_kdc_trust_message2entry()
from cbe9fed Spelling correction: exlusive -> exclusive and semantincs -> semantics
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7447abc44c325751aa7010dedc3553038a5cfdb5
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 20 00:05:00 2015 +0200
s4:torture/rpc: extend and improve rpc.lsa.trusted.domains
This adds a lot more validation around trust credentials and
krb5 interaction.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jul 8 21:41:17 CEST 2015 on sn-devel-104
commit d9d670713b5ced151454961642cf4c494bc883e1
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 30 12:08:22 2015 +0200
s4:torture/rpc: add missing \n in comments
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 84b0d1f96730410c9169f9a09f4a67aea1b5b9a8
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 30 12:06:11 2015 +0200
s4:torture/rpc: handle NT_STATUS_NO_SUCH_DOMAIN in test_query_each_TrustDom()
lsa_EnumTrusts() may also return non direct trusted domains in the forest.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 80be365e629cd0d02efdb17d72447e0f89dc77d3
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 11 13:35:17 2015 +0200
testprogs/blackbox: add test_trust_utils.sh
This tests 'samba-tool domain trust *' commands.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 03fc85e39b65b746c47195b3d1582dfacd87d577
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 11 18:58:42 2015 +0200
testprogs/blackbox: let test_kinit_trusts.sh verify that setpassword (via LDAP) is rejected
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b2ad31ac0d28ce31b7c05fc79068a3e715d404d3
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 11 15:07:49 2015 +0200
testprogs/blackbox: let test_kinit_trusts.sh test an enterprise upn from the other forest
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7605c5d6e8fd68576d096b18a69a458e2888c30a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 11 13:45:59 2015 +0200
selftest/Samba4: setup forest UPN and SPN namespaces for ad_dc and fl2008r2dc
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7ee4f23821eb63699c4a67ff18003e3b955e0765
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 11 15:07:40 2015 +0100
testprogs/blackbox: add test_kinit_trusts.sh
That verifies kinit and smbclient work across trusts.
It also tests a trust password change and a following
access.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 90956d608814cd83c0edee6521bc11a29c76826f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 11 09:58:07 2015 +0100
selftest/Samba4: setup trusts between forest:fl2008r2dc/ad_dc and external:fl2003dc/ad_dc
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cab82ebda706bbad258e218e90fe3d70ebf5ea21
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 21 14:44:44 2015 +0100
samba-tool: add 'domain trust *' commands
Available subcommands:
create - Create a domain or forest trust.
delete - Delete a domain trust.
list - List domain trusts.
namespaces - Manage forest trust namespaces.
show - Show trusted domain details.
validate - Validate a domain trust.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 41f08b19642780a49f14b547b7a775a3f0904166
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 27 21:45:47 2015 +0000
python/samba: add an optional 'special_name' argument to CredentialsOptions()
This way we can have two sets of credentials on the command line,
while at least one uses some prefix (special_name) for the arguments.
The default options without special_name are:
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
With special_name='local-dc' it's:
Credentials Options (local-dc):
--local-dc-simple-bind-dn=DN
DN to use for a simple bind
--local-dc-password=PASSWORD
Password
--local-dc-username=USERNAME
Username
--local-dc-workgroup=WORKGROUP
Workgroup
--local-dc-no-pass Don't ask for a password
--local-dc-kerberos=KERBEROS
Use Kerberos
--local-dc-ipaddress=IPADDRESS
IP address of server
--local-dc-machine-pass
Use stored machine account password
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
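The prefixed option group described in the commit message above, as an added stand-alone illustration that is not Samba's own CredentialsOptions() code: it builds a default group and a 'local-dc' group with optparse (the module the quoted help output comes from) and shows which destination attribute each prefixed option lands in. The option table, the dest naming and the rule that short flags are only offered for the unprefixed set are assumptions of this example.

```python
import optparse
from typing import Optional

# Option table mirroring the help output quoted in the commit message:
# (long name, short flag or None, dest, metavar or None for a boolean, help)
CREDENTIAL_OPTIONS = [
    ("simple-bind-dn", None, "simple_bind_dn", "DN", "DN to use for a simple bind"),
    ("password", None, "password", "PASSWORD", "Password"),
    ("username", "-U", "username", "USERNAME", "Username"),
    ("workgroup", "-W", "workgroup", "WORKGROUP", "Workgroup"),
    ("no-pass", "-N", "no_pass", None, "Don't ask for a password"),
    ("kerberos", "-k", "kerberos", "KERBEROS", "Use Kerberos"),
    ("ipaddress", None, "ipaddress", "IPADDRESS", "IP address of server"),
    ("machine-pass", "-P", "machine_pass", None, "Use stored machine account password"),
]


def add_credentials_options(parser: optparse.OptionParser,
                            special_name: Optional[str] = None) -> optparse.OptionGroup:
    """Add one credentials option group (example code, not Samba's helper).

    With special_name every long option is prefixed ("--<special_name>-..."),
    the short flags are dropped so the two sets cannot collide, and the parsed
    values land on prefixed attributes (e.g. opts.local_dc_username).
    """
    title = "Credentials Options" + (f" ({special_name})" if special_name else "")
    group = optparse.OptionGroup(parser, title)
    opt_prefix = f"{special_name}-" if special_name else ""
    dest_prefix = special_name.replace("-", "_") + "_" if special_name else ""
    for long_name, short_flag, dest, metavar, help_text in CREDENTIAL_OPTIONS:
        names = [f"--{opt_prefix}{long_name}"]
        if short_flag and not special_name:
            names.insert(0, short_flag)
        kwargs = {"dest": dest_prefix + dest, "help": help_text}
        if metavar is None:
            kwargs.update(action="store_true", default=False)
        else:
            kwargs["metavar"] = metavar
        group.add_option(*names, **kwargs)
    parser.add_option_group(group)
    return group


def parse_two_credential_sets(argv):
    """Parser with a default set plus a 'local-dc' set: one credential for
    each side of a trust, as the samba-tool trust commands need."""
    parser = optparse.OptionParser(usage="%prog [options] SUBCOMMAND DOMAIN")
    add_credentials_options(parser)
    add_credentials_options(parser, special_name="local-dc")
    return parser.parse_args(argv)


if __name__ == "__main__":
    # Constructed command line: remote credentials unprefixed, local DC prefixed.
    opts, args = parse_two_credential_sets(
        ["-U", "admin@forest2.example", "--local-dc-username", "admin",
         "--local-dc-no-pass", "create", "forest2.example"])
    print(vars(opts), args)
```

Running the block prints both credential sets side by side; the unprefixed `-U` value and the `--local-dc-username` value end up on different attributes, which is what lets one command line carry credentials for both sides of a trust.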
commit 3dd33380185a91f3d92a0f5dda692d1220beadef
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 22 11:23:09 2015 +0000
python/samba: add current_unix_time()
This is needed to get the time from modules in python/samba/netcmd/
where a time.py exist.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fcc6b5c56a976eb65d141e08f378e8597a7be8bc
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Apr 11 09:31:36 2015 +0000
s4:rpc_server/netlogon: check domain state in netr_*GetForestTrustInformation()
This should only work on a forest root domain controller and a forest function
level >= 2003.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ef8f55ad8aab065220e9eca5a71046bb3181c1a7
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 29 16:29:53 2015 +0100
s4:rpc_server/netlogon: make use of dsdb_trust_xref_forest_info()
This collects the whole information about the local forest,
including all domains and defined top level names (uPNSuffixes and
msDS-SPNSuffixes).
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9af2561325ae241f6b76aa827d9fd67ebfa8d4f8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 23 14:40:03 2015 +0100
s4:rpc_server/netlogon: implement netr_DsRGetForestTrustInformation with trusted domains
We redirect this to the remote DC as netr_GetForestTrustInformation() via an IRPC
call to winbindd.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c123274423ef638f895c4090aef57ce3fd052e01
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 23 13:32:37 2015 +0100
s3:winbindd: add wb_irpc_GetForestTrustInformation()
This allows the netlogon server to forward netr_DrsGetForestTrustInformation()
to winbindd in order to do the work.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8e196b428b4046b03785beb417c33f7aa2430d18
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 23 13:07:14 2015 +0100
s3:winbindd: implement winbind_GetForestTrustInformation()
We use an internal connection to our local LSA server
in order to update the local msDS-TrustForestTrustInfo attribute.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 56c7f885a58a3d69350a90d90687f22a5f9794e2
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 23 13:07:14 2015 +0100
librpc/idl: add winbind_GetForestTrustInformation()
This will be used by the netr_DrsGetForestTrustInformation()
in order to contact remote domains via winbindd.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 70cea2b85c3adbc3f43aa05a3135898361bbed44
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 15 16:44:26 2014 +0100
s4:rpc_server/netlogon: implement NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}
We pass NETLOGON_CONTROL_{REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD} to
winbindd and do the hard work there, while we answer NETLOGON_CONTROL_QUERY
directly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6f859f40b8186ed384cde15c0ae15ebfb5dbfde8
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 23 00:04:37 2014 +0100
s3:winbindd: add wb_irpc_LogonControl()
This can be called by the netlogon server to pass netr_LogonControl*()
to a winbindd child process in order to do the real work.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 03e846bc276ea532b5a31ca8c3043cd0e0c3d669
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 23 09:04:42 2014 +0100
s3:winbindd: implement _winbind_LogonControl*()
This implements NETLOGON_CONTROL_{REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}.
These are triggered by the netlogon server (currently only as AD DC) via IRPC.
NETLOGON_CONTROL_REDISCOVER ignores an optional '\dcname' at the end of
the specified domain name for now.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ee5e25b5b324b34929da98aeeb1c2b13d191d9d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 19 10:36:29 2014 +0100
librpc/idl: add winbind_LogonControl()
This will be used by the netr_LogonControl()
in order to contact remote domains via winbindd.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9246d78f7fb4a4ec629ca525ccc97506ab6e483
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 2 16:12:32 2015 +0100
s4:rpc_server/lsa: remove unused code
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c98f96d1b1047b119f343af457ae672e0032d9db
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 28 08:55:43 2015 +0000
s4:rpc_server/lsa: use dsdb_trust_*() helper functions in dcesrv_lsa_lsaRSetForestTrustInformation()
This means we return mostly the same error codes as Windows
and also normalize the given information before storing.
Storing is now done within a transaction in order to avoid races
and inconsistent values.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 666ac7c5b796cf29aa278af6c429726864aba3bc
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 2 13:12:36 2015 +0100
s4:dsdb/common: add dsdb_trust_merge_forest_info() helper function
This is used to merge the netr_GetForestTrustInformation() result with
the existing information in msDS-TrustForestTrustInfo.
New top level names are added with LSA_TLN_DISABLED_NEW
while all others keep their flags.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f043ee97ac7c0f16eb9367d7783b6ec8d8ce8114
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 2 13:12:36 2015 +0100
s4:dsdb/common: dsdb_trust_normalize_forest_info_step[1,2]() and dsdb_trust_verify_forest_info()
These will be used in dcesrv_lsa_lsaRSetForestTrustInformation() in the
following order:
- dsdb_trust_normalize_forest_info_step1() verifies the input
forest_trust_information and does some basic normalization.
- the output of step1 is used in dsdb_trust_verify_forest_info()
to verify overall view of trusts and forests, this may generate
collision records and marks records as conflicting.
- dsdb_trust_normalize_forest_info_step2() prepares the records
to be stored in the msDS-TrustForestTrustInfo attribute.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
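The merge rule from commit 666ac7c (new top level names get LSA_TLN_DISABLED_NEW, existing ones keep their flags) and the normalize/verify pipeline from commit f043ee9, as an added Python model that is not Samba's util_trusts.c code. It handles top level name records only; the collision rule (two TLNs collide when equal or when one lies below the other in DNS), the policy of dropping names the partner no longer reports, and the pipeline order merge, then step1, then verify are assumptions of this example. Step 2, which prepares the records for storage in msDS-TrustForestTrustInfo, is not modelled. The flag values are the ones MS-LSAD defines for LSA_FOREST_TRUST_RECORD.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flag values as defined for LSA_FOREST_TRUST_RECORD in MS-LSAD.
LSA_TLN_DISABLED_NEW = 0x00000001
LSA_TLN_DISABLED_ADMIN = 0x00000002
LSA_TLN_DISABLED_CONFLICT = 0x00000004


@dataclass
class TlnRecord:
    """A top level name record of a forest trust (simplified: TLN records only)."""
    name: str
    flags: int = 0


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def _namespaces_overlap(a: str, b: str) -> bool:
    """Two TLNs collide when they are equal or one lies below the other in DNS."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def normalize_step1(records: List[TlnRecord]) -> List[TlnRecord]:
    """Step 1: validate the incoming records and apply basic normalization
    (case folding, trailing dot, duplicate removal). Empty names are rejected."""
    seen, out = set(), []
    for rec in records:
        name = _norm(rec.name)
        if not name:
            raise ValueError("empty top level name in forest trust information")
        if name in seen:
            continue
        seen.add(name)
        out.append(TlnRecord(name, rec.flags))
    return out


def verify_forest_info(records: List[TlnRecord],
                       other_forests: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Verify the overall view: every record is checked against the TLNs of our
    own forest and of every other trusted forest. An overlap marks the record
    LSA_TLN_DISABLED_CONFLICT and yields a collision record (tln, forest)."""
    collisions = []
    for rec in records:
        for forest, tlns in other_forests.items():
            if any(_namespaces_overlap(rec.name, _norm(t)) for t in tlns):
                rec.flags |= LSA_TLN_DISABLED_CONFLICT
                collisions.append((rec.name, forest))
    return collisions


def merge_forest_info(stored: List[TlnRecord], incoming: List[TlnRecord]) -> List[TlnRecord]:
    """Merge a fresh netr_GetForestTrustInformation() result with what is stored:
    names already stored keep their stored flags, new names are added with
    LSA_TLN_DISABLED_NEW. Names the partner no longer reports are dropped
    (an assumption of this example)."""
    stored_by_name = {s.name: s for s in stored}
    merged = []
    for rec in incoming:
        if rec.name in stored_by_name:
            merged.append(TlnRecord(rec.name, stored_by_name[rec.name].flags))
        else:
            merged.append(TlnRecord(rec.name, rec.flags | LSA_TLN_DISABLED_NEW))
    return merged


def refresh_forest_trust_information(stored, raw_incoming, other_forests):
    """One plausible refresh pipeline (assumption): merge, then normalize and verify."""
    merged = merge_forest_info(stored, normalize_step1(raw_incoming))
    collisions = verify_forest_info(merged, other_forests)
    return merged, collisions


# Constructed sample data (not from any real deployment).
STORED = [TlnRecord("forest2.example", 0), TlnRecord("old.example", 0)]
INCOMING = [TlnRecord("Forest2.Example."), TlnRecord("corp.example"), TlnRecord("CORP.EXAMPLE")]
OTHER_FORESTS = {"samba.example": ["samba.example"],    # our own forest
                 "forest3.example": ["corp.example"]}    # another trusted forest

if __name__ == "__main__":
    merged, collisions = refresh_forest_trust_information(STORED, INCOMING, OTHER_FORESTS)
    for rec in merged:
        print(rec.name, hex(rec.flags))
    print("collisions:", collisions)
```

In the sample run `corp.example` is new and also claimed by `forest3.example`, so it ends up disabled with both LSA_TLN_DISABLED_NEW and LSA_TLN_DISABLED_CONFLICT set (0x5), while the already stored `forest2.example` keeps its flags; an administrator then has to enable the namespace deliberately rather than having it routed by accident.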
commit 46e2a97a2b965745c38a96037fabb655f1f0454e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 2 13:12:36 2015 +0100
s4:dsdb/common: add dsdb_trust_xref_tdo_info() helper function
This emulates a lsa_TrustDomainInfoInfoEx struct for our own domain.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e7c4d2e7ebc51790023b90dc0c4261a85965d73c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 2 13:12:36 2015 +0100
s4:dsdb/common: add dsdb_trust_forest_info_from_lsa() helper function
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ac4c4a95e567e3d2edd85def0e67c2b4fa39fe59
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 3 18:30:36 2015 +0100
s4:rpc_server/lsa: implement dcesrv_lsa_lsaRQueryForestTrustInformation()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 98dc4100abb3fa6aad7cb41b8f2ab80aa28a3a19
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 30 15:13:03 2015 +0200
s4:rpc_server/lsa: improve dcesrv_lsa_CreateTrustedDomain_base()
We need to make sure a trusted domain has 'flatName', 'trustPartner'
and 'securityIdentifier' values, which are unique.
Otherwise other code will get INTERNAL_DB_CORRUPTION errors.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit df7f7450990bfd6b7caa99ea3739de4708e2ba26
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 30 15:10:47 2015 +0200
s4:rpc_server/lsa: fix dcesrv_lsa_CreateTrustedDomain()
It needs to pass 'name' as 'netbios_name' and also 'dns_name'.
flatName and trustPartner have the same value for downlevel trusts.
And both are required.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c57fef89e1c65fc5e530dec2448b9e898bf14336
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 9 13:19:06 2015 +0100
s4:rpc_server/netlogon: implement dcesrv_netr_ServerTrustPasswordsGet()
We just need to call dcesrv_netr_ServerGetTrustInfo() and ignore trust_info.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a02300c0c78acd9c131e212e69225b9b84b4393f
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 22 22:02:25 2014 +0100
s4:rpc_server/netlogon: implement dcesrv_netr_ServerGetTrustInfo()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0b4bdee4a1696e09bed99cb261d9cf243ca432a2
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 5 15:53:37 2015 +0000
s4:rpc_server/netlogon: let dcesrv_netr_ServerAuthenticate3() fallback to the previous hash for trusts
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 38c30b9d68651c50049eb0badf6913c387769d44
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 2 13:12:36 2015 +0100
s4:dsdb/common: add dsdb_trust_get_incoming_passwords() helper function
This extracts the current and previous nt hashes from trustAuthIncoming
as the passed TDO ldb_message.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a56d9fe5da4c544e7f1d8e72934ac322105a3fbf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 30 09:42:15 2015 +0000
s4:rpc_server/netlogon: extract and pass down the password version in dcesrv_netr_ServerPasswordSet2()
For domain trusts we need to extract NL_PASSWORD_VERSION from the password
buffer.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8a63dd8bbccfaf5537ddf37f1037566bd73ff28c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 30 12:31:01 2015 +0200
s4:dsdb/password_hash: reject interdomain trust password changes via LDAP
Only the LSA and NETLOGON server should be able to change this, otherwise
the incoming passwords in the trust account and trusted domain object
get out of sync.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dd23d8e1b2a512c6e59b44796ab86e0144128528
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 5 10:42:08 2015 +0000
s4:dsdb/common: support trusted domains in samdb_set_password_sid()
We also need to update trustAuthIncoming of the trustedDomain object.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 81c276047ad18128556116f8e19161f6dff586bc
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 5 10:42:08 2015 +0000
s4:dsdb/common: make use of dsdb_search_one() in samdb_set_password_sid()
This will simplify the following commits.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit aded6f6551a363cdf3fbe486c55d5ebe3f58e647
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 5 12:09:34 2015 +0100
s4:dsdb/common: pass optional new_version to samdb_set_password_sid()
For trust accounts we need to store the version number provided by the client.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1a84cb7d0b2a3a5a860c6f06f73ef574ed55dace
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 25 15:14:44 2015 +0000
s4:dsdb/netlogon: add support for CLDAP requests with AAC=0x00000400(ACB_AUTOLOCK) and user="example.com."
Windows reuses the ACB_AUTOLOCK flag to handle SEC_CHAN_DNS_DOMAIN domains,
but this is not documented yet...
This is triggered by the NETLOGON_CONTROL_REDISCOVER with a domain string
of "example.com\somedc.example.com".
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0deb1d9c4ab2e283aaedab68c9b6f50c03edd36a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 30 10:22:46 2015 +0200
s4:auth/sam: remove unused sam_get_results_trust()
This is replaced by dsdb_trust_search_tdo() now.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 347d54047fe5b64c4e5ff240c390b7ca63c65298
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 30 10:17:51 2015 +0200
s3:pdb_samba_dsdb: make use of dsdb_trust_search_tdo()
dsdb_trust_search_tdo() is almost the same as sam_get_results_trust(),
so we can remove sam_get_results_trust() later.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 839645d23851f8eaad9f68a5f2b1fa2d4ec8b1e3
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Mar 30 10:17:51 2015 +0200
s4:kdc/db-glue: make use of dsdb_trust_search_tdo()
dsdb_trust_search_tdo() is almost the same as sam_get_results_trust(),
so we can remove sam_get_results_trust() later.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a2518116b71f602ca5872710c9f1f740cac677dc
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 2 13:12:36 2015 +0100
s4:dsdb/common: add dsdb_trust_search_tdo*() helper functions
These are more generic and will replace the existing sam_get_results_trust().
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 143b654ad2ec0e7c2d8dfa19e68abba06f4549ba
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 10 14:43:01 2015 +0100
s4:kdc/db-glue: implement cross forest routing by returning HDB_ERR_WRONG_REALM
We lookup the principal against our trust routing table
and return HDB_ERR_WRONG_REALM and the realm of the next trust hop.
Routing within our own forest is not supported yet.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a11f874dc7a91c9bd6b111573af44fc90630168d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 2 13:12:36 2015 +0100
s4:dsdb/common: add helper functions for trusted domain objects (tdo)
The most important thing is the dsdb_trust_routing_table with the
dsdb_trust_routing_table_load() and dsdb_trust_routing_by_name() functions.
The routing table has knowledge about trusted domains/forests and
enables the dsdb_trust_routing_by_name() function to find the direct trust
that is responsible for the given name.
This will be used in the kdc and later winbindd to handle cross-trust/forest
routing.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2d98800219e1bc434cccc09322b4b509879d2a7d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 10 14:37:29 2015 +0100
heimdal:kdc: add support for HDB_ERR_WRONG_REALM
A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.
entry_ex->entry.principal->realm needs to return the real realm of the principal
(or at least the realm of the next cross-realm trust hop).
This is needed to route enterprise principals between AD domain trusts.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
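The trust routing table of commit a11f874, the KDC lookup of commit 143b654 and the HDB_ERR_WRONG_REALM contract of commit 2d98800, modelled together in an added Python example that is not Samba's dsdb_trust_routing_table or db-glue code. It shows how a name is matched against the top level names and exclusion records of each direct trust and how the KDC backend turns that into "local", "wrong realm, go to X" or "unknown". The data is constructed; the matching rules (longest TLN wins, a more specific exclusion record removes a forest trust from consideration, an external trust covers only its exact partner name) are assumptions of this example, and routing inside the own forest is not modelled, matching the commit's caveat.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TrustRoute:
    """One direct trust (one TDO) and the DNS namespaces it is responsible for.
    For a forest trust the namespaces come from its enabled top level name
    records; for an external (downlevel) trust only the partner's own name counts."""
    partner: str                                         # trustPartner, e.g. "forest2.example"
    is_forest: bool
    tlns: List[str] = field(default_factory=list)        # enabled TLN records
    exclusions: List[str] = field(default_factory=list)  # TLN exclusion records


def _dns_suffix_match(name: str, suffix: str) -> bool:
    """True when name equals suffix or lies below it in DNS (case-insensitive)."""
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def _longest_match(name: str, names: List[str]) -> Optional[str]:
    matches = [n for n in names if _dns_suffix_match(name, n)]
    return max(matches, key=len) if matches else None


def routing_by_name(table: List[TrustRoute], name: str) -> Optional[TrustRoute]:
    """Find the direct trust responsible for a DNS domain name (assumed rules:
    most specific TLN wins, a more specific exclusion record removes the trust,
    external trusts match only their exact partner name)."""
    best: Optional[TrustRoute] = None
    best_len = -1
    for route in table:
        if route.is_forest:
            tln = _longest_match(name, route.tlns)
            if tln is None:
                continue
            excluded = _longest_match(name, route.exclusions)
            if excluded is not None and len(excluded) > len(tln):
                continue  # exclusion record is more specific than the TLN
            score = len(tln)
        else:
            if name.lower().rstrip(".") != route.partner.lower().rstrip("."):
                continue
            score = len(route.partner)
        if score > best_len:
            best, best_len = route, score
    return best


def kdc_lookup(local_tlns: List[str], table: List[TrustRoute],
               principal: str) -> Tuple[str, Optional[str]]:
    """Model of the KDC backend decision for an enterprise principal (user@domain):
    ("LOCAL", None) when the realm part is ours, ("WRONG_REALM", next_realm) when a
    direct trust routes it (the HDB_ERR_WRONG_REALM case, with the realm of the next
    hop), ("UNKNOWN", None) otherwise."""
    _, _, realm_part = principal.rpartition("@")
    if _longest_match(realm_part, local_tlns) is not None:
        return ("LOCAL", None)
    route = routing_by_name(table, realm_part)
    if route is None:
        return ("UNKNOWN", None)
    return ("WRONG_REALM", route.partner.upper())


# Constructed sample data: our forest plus one forest trust and one external trust.
LOCAL_TLNS = ["samba.example"]
TABLE = [
    TrustRoute("forest2.example", True,
               tlns=["forest2.example", "corp.example"],
               exclusions=["legacy.corp.example"]),
    TrustRoute("nt4dom.example", False),
]

if __name__ == "__main__":
    for p in ["alice@sales.forest2.example", "bob@legacy.corp.example",
              "carol@nt4dom.example", "dave@child.samba.example"]:
        print(p, "->", kdc_lookup(LOCAL_TLNS, TABLE, p))
```

The exclusion case is the one worth checking in a real deployment: a name under an excluded namespace must come back as unknown rather than being referred to the forest whose TLN would otherwise cover it, since the referral decides which KDC the client is sent to.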
commit c63f3607881154e1bf86bdd1009f9cdec4a47576
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 12 00:07:14 2015 +0100
heimdal:kdc: generic support for 3part servicePrincipalNames
This is not DRSUAPI specific, it works for all 3 part principals.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 454db47eac1816efc28e3bdae188e784ee3a502e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 13 08:55:11 2015 +0100
heimdal:lib/krb5: add krb5_mk_error_ext() helper function
This gives the caller the ability to skip the client_name
and only provide client_realm. This is required for
KDC_ERR_WRONG_REALM messages.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fca11edc0b476f5b87b3301da32fd0409d9590c7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 10 13:27:57 2015 +0100
heimdal:lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
An AS-REQ with an enterprise principal will always be directed to a kdc of the local
(default) realm. The KDC directs the client into the direction of the
final realm. See rfc6806.txt.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3a14835d18905b162929d65175f7ee24a99d522a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jun 10 10:25:20 2015 +0200
s4:kdc/db-glue: let samba_kdc_trust_message2entry always generate the principal
We should always return the principal from the values stored in the database.
This also means we need to ignore a missing HDB_F_CANON.
This was demonstrated by running some new tests against windows.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3943f02691d167cf092a19a10c5bdf4302ab33c3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 1 05:33:10 2015 +0200
s4:kdc/db-glue: prefer the previous password for trust accounts
If no kvno is specified we should return the keys with the lowest value.
For the initial value this means we return the current key with kvno 0 (NULL on
the wire). Later we return the previous key with kvno current - 1.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f05c0bc6397d783681fb0b4a82677493e96f3398
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 10 20:31:20 2015 +0000
s4:kdc/db-glue: allow invalid kvno numbers in samba_kdc_trust_message2entry()
We should fallback to the current password if the trusted KDC used a wrong kvno.
After commit 6f8b868a29fe47a3b589616fde97099829933ce0, we always have the
previous password filled. With the trust creation we typically don't
have a TRUST_AUTH_TYPE_VERSION in the current nor in the previous array.
This means current_kvno is 0. And now previous_kvno is 255.
A FreeIPA/MIT KDC uses kvno=1 in the referral ticket, which triggered
the 'Request for unknown kvno 1 - current kvno is 0' case.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
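The key selection rules from commits 3943f02 and f05c0bc (return the lowest kvno when none is on the wire, the 8-bit wrap that makes the previous kvno 255 while the current one is 0, and the fallback to the current password for an unknown kvno such as the kvno=1 a FreeIPA/MIT KDC sends), as an added Python model that is not Samba's samba_kdc_trust_message2entry() code. The function names and the representation of "no kvno on the wire" as None are assumptions of this example.

```python
from typing import List, Optional, Tuple


def previous_kvno(current_kvno: int) -> int:
    """kvno of the previous trust password. The value is 8-bit, so the wrap
    gives 255 for a freshly created trust whose current kvno is still 0."""
    return (current_kvno - 1) & 0xFF


def available_trust_keys(current_kvno: int, have_previous: bool) -> List[Tuple[str, int]]:
    """The key sets a trust account can offer, tagged with their kvno."""
    keys = [("current", current_kvno)]
    if have_previous:
        keys.append(("previous", previous_kvno(current_kvno)))
    return keys


def select_trust_key(current_kvno: int, have_previous: bool,
                     requested_kvno: Optional[int]) -> Tuple[str, int]:
    """Pick the key set for a trust account the way the commit messages describe.

    - requested_kvno None (no kvno on the wire): return the key with the lowest
      kvno; while current_kvno is 0 that is the current key, afterwards it is the
      previous key (kvno current - 1).
    - a kvno we know: return exactly that key.
    - a kvno we do not know (e.g. a FreeIPA/MIT KDC sending 1 while ours is 0):
      fall back to the current password instead of failing the request.
    """
    keys = available_trust_keys(current_kvno, have_previous)
    if requested_kvno is None:
        return min(keys, key=lambda k: k[1])
    for which, kvno in keys:
        if kvno == requested_kvno:
            return (which, kvno)
    return ("current", current_kvno)  # unknown kvno: fallback, see commit f05c0bc


if __name__ == "__main__":
    # Constructed walk-through: a new trust (kvno 0), then after one password change.
    for current, requested in [(0, None), (0, 1), (3, None), (3, 3), (3, 2), (3, 7)]:
        print(f"current={current} requested={requested} ->",
              select_trust_key(current, True, requested))
```

The fallback deserves a defender's eye: accepting an unknown kvno is what keeps cross-realm referrals from foreign KDCs working, but it also means a kvno mismatch is silently absorbed, so logging that case (the 'Request for unknown kvno' message quoted in the commit) is what tells an operator the two sides disagree about the trust password version.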
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/samba-tool.8.xml | 35 +
librpc/idl/netlogon.idl | 6 +-
librpc/idl/winbind.idl | 22 +
python/samba/__init__.py | 4 +
python/samba/getopt.py | 37 +-
python/samba/netcmd/domain.py | 2206 +++++++++++++++++
selftest/knownfail | 11 -
selftest/selftest.pl | 10 +
selftest/target/Samba4.pm | 122 +-
source3/passdb/pdb_samba_dsdb.c | 29 +-
source3/winbindd/winbindd_dual_srv.c | 808 ++++++
source3/winbindd/winbindd_irpc.c | 119 +-
source4/auth/sam.c | 74 -
source4/dsdb/common/util.c | 402 ++-
source4/dsdb/common/util_trusts.c | 3132 ++++++++++++++++++++++++
source4/dsdb/samdb/ldb_modules/netlogon.c | 47 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 16 +
source4/dsdb/samdb/samdb.h | 2 +
source4/dsdb/wscript_build | 2 +-
source4/heimdal/kdc/kerberos5.c | 26 +-
source4/heimdal/kdc/krb5tgs.c | 31 +-
source4/heimdal/kdc/misc.c | 7 +
source4/heimdal/lib/hdb/hdb_err.et | 1 +
source4/heimdal/lib/krb5/init_creds_pw.c | 21 +
source4/heimdal/lib/krb5/mk_error.c | 49 +-
source4/heimdal/lib/krb5/version-script.map | 1 +
source4/kdc/db-glue.c | 360 ++-
source4/kdc/kpasswdd.c | 2 +-
source4/librpc/rpc/pyrpc.h | 3 +
source4/rpc_server/lsa/dcesrv_lsa.c | 859 +++----
source4/rpc_server/netlogon/dcerpc_netlogon.c | 919 +++++--
source4/selftest/tests.py | 4 +
source4/torture/rpc/lsa.c | 1741 ++++++++++++-
testprogs/blackbox/test_kinit_trusts.sh | 105 +
testprogs/blackbox/test_trust_utils.sh | 138 ++
35 files changed, 10413 insertions(+), 938 deletions(-)
create mode 100644 source4/dsdb/common/util_trusts.c
create mode 100755 testprogs/blackbox/test_kinit_trusts.sh
create mode 100755 testprogs/blackbox/test_trust_utils.sh
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 9cb304b..b3235f9 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -253,6 +253,41 @@
<para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
</refsect3>
+<refsect3>
+ <title>domain trust</title>
+ <para>Domain and forest trust management.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Create a domain or forest trust.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Delete a domain trust.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust list <replaceable>options</replaceable> [options]</title>
+ <para>List domain trusts.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options]</title>
+ <para>Manage forest trust namespaces.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Show trusted domain details.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Validate a domain trust.</para>
+</refsect3>
+
<refsect2>
<title>drs</title>
<para>Manage Directory Replication Services (DRS).</para>
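Review bot: the new `<title>` entries for `domain trust create`, `delete`, `show` and `validate` each end in `<replaceable>options</replaceable> [options]`, which reads as the same word twice; please pick one form (the existing `domain` subcommands in this file are the reference) and use it for all six new entries, including `domain trust list` and `domain trust namespaces`. Also, `domain trust create` is described as "Create a domain or forest trust." while `domain trust delete` says only "Delete a domain trust."; the two should agree on whether forest trusts are covered.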
diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
index b0ede39..19daaf6 100644
--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
@@ -871,7 +871,7 @@ interface netlogon
[string,charset(UTF16)] uint16 *trusted_domain_name;
} netr_NETLOGON_INFO_4;
- typedef union {
+ typedef [public] union {
[case(1)] netr_NETLOGON_INFO_1 *info1;
[case(2)] netr_NETLOGON_INFO_2 *info2;
[case(3)] netr_NETLOGON_INFO_3 *info3;
@@ -880,7 +880,7 @@ interface netlogon
} netr_CONTROL_QUERY_INFORMATION;
/* function_code values */
- typedef [v1_enum] enum {
+ typedef [v1_enum,public] enum {
NETLOGON_CONTROL_QUERY = 0x00000001,
NETLOGON_CONTROL_REPLICATE = 0x00000002,
NETLOGON_CONTROL_SYNCHRONIZE = 0x00000003,
@@ -920,7 +920,7 @@ interface netlogon
/*****************/
/* Function 0x0E */
- typedef union {
+ typedef [public,switch_type(netr_LogonControlCode)] union {
[case(NETLOGON_CONTROL_REDISCOVER)] [string,charset(UTF16)] uint16 *domain;
[case(NETLOGON_CONTROL_TC_QUERY)] [string,charset(UTF16)] uint16 *domain;
[case(NETLOGON_CONTROL_TRANSPORT_NOTIFY)] [string,charset(UTF16)] uint16 *domain;
diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index 39e89c3..5b61950 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -192,4 +192,26 @@ interface winbind
[in,out,ref] NL_DNS_NAME_INFO_ARRAY *dns_names
);
+ /*
+ * do a netr_LogonControl2Ex() against the right DC
+ */
+ typedef [v1_enum] enum netr_LogonControlCode netr_LogonControlCode;
+ typedef [switch_type(netr_LogonControlCode)] union netr_CONTROL_DATA_INFORMATION netr_CONTROL_DATA_INFORMATION;
+ typedef [switch_type(uint32)] union netr_CONTROL_QUERY_INFORMATION netr_CONTROL_QUERY_INFORMATION;
+
+ WERROR winbind_LogonControl(
+ [in] netr_LogonControlCode function_code,
+ [in] uint32 level,
+ [in,ref][switch_is(function_code)] netr_CONTROL_DATA_INFORMATION *data,
+ [out,ref][switch_is(level)] netr_CONTROL_QUERY_INFORMATION *query
+ );
+
+ /*
+ * do a netr_GetForestTrustInformation() against the right DC
+ */
+ WERROR winbind_GetForestTrustInformation(
+ [in,unique] [string,charset(UTF16)] uint16 *trusted_domain_name,
+ [in] uint32 flags,
+ [out,ref] lsa_ForestTrustInformation **forest_trust_info
+ );
}
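Review bot: the forward typedefs at the top of this hunk restate attributes of types that live in netlogon.idl (`[switch_type(uint32)]` on `netr_CONTROL_QUERY_INFORMATION`, `[switch_type(netr_LogonControlCode)]` on `netr_CONTROL_DATA_INFORMATION`), but the netlogon.idl change in this same patch only adds `[public]` to the query union without a visible `switch_type`; please confirm both declarations match, since a mismatch only surfaces in the generated NDR push/pull code. Separately, the comments "do a ... against the right DC" should say what "the right DC" is and what a NULL `trusted_domain_name` selects, given that the parameter is `[in,unique]` and therefore may be NULL.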
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index 1d1f27d..84b0b1f 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -24,6 +24,7 @@ __docformat__ = "restructuredText"
import os
import sys
+import time
import samba.param
@@ -358,6 +359,9 @@ def dn_from_dns_name(dnsdomain):
"""return a DN from a DNS name domain/forest root"""
return "DC=" + ",DC=".join(dnsdomain.split("."))
+def current_unix_time():
+ return int(time.time())
+
import _glue
version = _glue.version
interface_ips = _glue.interface_ips
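Review bot: `current_unix_time()` has no docstring, unlike the neighbouring `dn_from_dns_name()`; a one-line docstring stating that it returns the current time as integer seconds since the epoch (truncated by `int()`, not rounded) would match the file's convention and tell callers which precision to expect.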
diff --git a/python/samba/getopt.py b/python/samba/getopt.py
index 0f97658..13139b2 100644
--- a/python/samba/getopt.py
+++ b/python/samba/getopt.py
@@ -125,38 +125,55 @@ def parse_kerberos_arg(arg, opt_str):
class CredentialsOptions(optparse.OptionGroup):
"""Command line options for specifying credentials."""
- def __init__(self, parser):
+ def __init__(self, parser, special_name=None):
+ self.special_name = special_name
+ if special_name is not None:
+ self.section = "Credentials Options (%s)" % special_name
+ else:
+ self.section = "Credentials Options"
+
self.ask_for_password = True
self.ipaddress = None
self.machine_pass = False
- optparse.OptionGroup.__init__(self, parser, "Credentials Options")
- self.add_option("--simple-bind-dn", metavar="DN", action="callback",
+ optparse.OptionGroup.__init__(self, parser, self.section)
+ self._add_option("--simple-bind-dn", metavar="DN", action="callback",
callback=self._set_simple_bind_dn, type=str,
help="DN to use for a simple bind")
- self.add_option("--password", metavar="PASSWORD", action="callback",
+ self._add_option("--password", metavar="PASSWORD", action="callback",
help="Password", type=str, callback=self._set_password)
- self.add_option("-U", "--username", metavar="USERNAME",
+ self._add_option("-U", "--username", metavar="USERNAME",
action="callback", type=str,
help="Username", callback=self._parse_username)
- self.add_option("-W", "--workgroup", metavar="WORKGROUP",
+ self._add_option("-W", "--workgroup", metavar="WORKGROUP",
action="callback", type=str,
help="Workgroup", callback=self._parse_workgroup)
- self.add_option("-N", "--no-pass", action="callback",
+ self._add_option("-N", "--no-pass", action="callback",
help="Don't ask for a password",
callback=self._set_no_password)
- self.add_option("-k", "--kerberos", metavar="KERBEROS",
+ self._add_option("-k", "--kerberos", metavar="KERBEROS",
action="callback", type=str,
help="Use Kerberos", callback=self._set_kerberos)
- self.add_option("", "--ipaddress", metavar="IPADDRESS",
+ self._add_option("", "--ipaddress", metavar="IPADDRESS",
action="callback", type=str,
help="IP address of server",
callback=self._set_ipaddress)
- self.add_option("-P", "--machine-pass",
+ self._add_option("-P", "--machine-pass",
action="callback",
help="Use stored machine account password",
callback=self._set_machine_pass)
self.creds = Credentials()
+ def _add_option(self, *args1, **kwargs):
+ if self.special_name is None:
+ return self.add_option(*args1, **kwargs)
+
+ args2 = ()
+ for a in args1:
+ if not a.startswith("--"):
+ continue
+ args2 += (a.replace("--", "--%s-" % self.special_name),)
+ self.add_option(*args2, **kwargs)
+
def _parse_username(self, option, opt_str, arg, parser):
self.creds.parse_string(arg)
self.machine_pass = False
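Review bot: `_add_option()` silently drops every short option (`-U`, `-W`, `-N`, `-k`, `-P`) whenever `special_name` is set, and neither the method nor the class docstring says so; please add a comment (and a note in the `CredentialsOptions` docstring) that the `--<special_name>-*` variants are long-form only. Two smaller points: `a.replace("--", "--%s-" % self.special_name)` rewrites every `--` in the string rather than only the leading one, so `"--%s-%s" % (self.special_name, a[2:])` states the intent more precisely; and if a caller ever passes only short options, `args2` is empty and `self.add_option(*args2, **kwargs)` fails inside optparse with an unhelpful message, so an explicit check with a clear error would be better.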
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index f8e32f0..f0710f2 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -27,15 +27,23 @@ import ldb
import string
import os
import sys
+import ctypes
+import random
import tempfile
import logging
+from getpass import getpass
from samba.net import Net, LIBNET_JOIN_AUTOMATIC
import samba.ntacls
from samba.join import join_RODC, join_DC, join_subdomain
from samba.auth import system_session
from samba.samdb import SamDB
+from samba.ndr import ndr_unpack, ndr_pack, ndr_print
from samba.dcerpc import drsuapi
+from samba.dcerpc import drsblobs
+from samba.dcerpc import lsa
+from samba.dcerpc import netlogon
from samba.dcerpc import security
+from samba.dcerpc import nbt
from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT
from samba.netcmd import (
Command,
@@ -1460,6 +1468,2203 @@ class cmd_domain_samba3upgrade(cmd_domain_classicupgrade):
hidden = True
+class LocalDCCredentialsOptions(options.CredentialsOptions):
+ def __init__(self, parser):
+ options.CredentialsOptions.__init__(self, parser, special_name="local-dc")
+
+class DomainTrustCommand(Command):
+ """List domain trusts."""
+
+ def __init__(self):
+ Command.__init__(self)
+ self.local_lp = None
+
+ self.local_server = None
+ self.local_binding_string = None
+ self.local_creds = None
+
+ self.remote_server = None
+ self.remote_binding_string = None
+ self.remote_creds = None
+
+ WERR_OK = 0x00000000
+ WERR_INVALID_FUNCTION = 0x00000001
+ WERR_NERR_ACFNOTLOADED = 0x000008B3
+
+ NT_STATUS_NOT_FOUND = 0xC0000225
+ NT_STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034
+ NT_STATUS_INVALID_PARAMETER = 0xC000000D
+ NT_STATUS_INVALID_INFO_CLASS = 0xC0000003
+ NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE = 0xC002002E
+
+ def _uint32(self, v):
+ return ctypes.c_uint32(v).value
+
+ def check_runtime_error(self, runtime, val):
+ if runtime is None:
+ return False
+
+ err32 = self._uint32(runtime[0])
+ if err32 == val:
+ return True
+
+ return False
+
+ class LocalRuntimeError(CommandError):
+ def __init__(exception_self, self, runtime, message):
+ err32 = self._uint32(runtime[0])
+ errstr = runtime[1]
+ msg = "LOCAL_DC[%s]: %s - ERROR(0x%08X) - %s" % (
+ self.local_server, message, err32, errstr)
+ CommandError.__init__(exception_self, msg)
+
+ class RemoteRuntimeError(CommandError):
+ def __init__(exception_self, self, runtime, message):
+ err32 = self._uint32(runtime[0])
+ errstr = runtime[1]
+ msg = "REMOTE_DC[%s]: %s - ERROR(0x%08X) - %s" % (
+ self.remote_server, message, err32, errstr)
+ CommandError.__init__(exception_self, msg)
+
+ class LocalLdbError(CommandError):
+ def __init__(exception_self, self, ldb_error, message):
+ errval = ldb_error[0]
+ errstr = ldb_error[1]
+ msg = "LOCAL_DC[%s]: %s - ERROR(%d) - %s" % (
+ self.local_server, message, errval, errstr)
+ CommandError.__init__(exception_self, msg)
+
+ def setup_local_server(self, sambaopts, localdcopts):
+ if self.local_server is not None:
+ return self.local_server
+
+ lp = sambaopts.get_loadparm()
+
+ local_server = localdcopts.ipaddress
+ if local_server is None:
+ server_role = lp.server_role()
+ if server_role != "ROLE_ACTIVE_DIRECTORY_DC":
+ raise CommandError("Invalid server_role %s" % (server_role))
+ local_server = lp.get('netbios name')
+ local_transport = "ncalrpc"
+ local_binding_options = ""
+ local_binding_options += ",auth_type=ncalrpc_as_system"
+ local_ldap_url = None
+ local_creds = None
+ else:
+ local_transport = "ncacn_np"
+ local_binding_options = ""
+ local_ldap_url = "ldap://%s" % local_server
+ local_creds = localdcopts.get_credentials(lp)
+
+ self.local_lp = lp
+
+ self.local_server = local_server
+ self.local_binding_string = "%s:%s[%s]" % (local_transport, local_server, local_binding_options)
+ self.local_ldap_url = local_ldap_url
+ self.local_creds = local_creds
+ return self.local_server
+
+ def new_local_lsa_connection(self):
+ return lsa.lsarpc(self.local_binding_string, self.local_lp, self.local_creds)
+
+ def new_local_netlogon_connection(self):
+ return netlogon.netlogon(self.local_binding_string, self.local_lp, self.local_creds)
+
+ def new_local_ldap_connection(self):
+ return SamDB(url=self.local_ldap_url,
+ session_info=system_session(),
+ credentials=self.local_creds,
+ lp=self.local_lp)
+
+ def setup_remote_server(self, credopts, domain,
+ require_pdc=True,
+ require_writable=True):
+
+ if require_pdc:
+ assert require_writable
+
+ if self.remote_server is not None:
+ return self.remote_server
+
+ self.remote_server = "__unknown__remote_server__.%s" % domain
+ assert self.local_server is not None
+
+ remote_creds = credopts.get_credentials(self.local_lp)
+ remote_server = credopts.ipaddress
+ remote_binding_options = ""
+
+ # TODO: we should also support NT4 domains
+ # we could use local_netlogon.netr_DsRGetDCNameEx2() with the remote domain name
+ # and delegate NBT or CLDAP to the local netlogon server
+ try:
+ remote_net = Net(remote_creds, self.local_lp, server=remote_server)
+ remote_flags = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS
+ if require_writable:
+ remote_flags |= nbt.NBT_SERVER_WRITABLE
+ if require_pdc:
+ remote_flags |= nbt.NBT_SERVER_PDC
+ remote_info = remote_net.finddc(flags=remote_flags, domain=domain, address=remote_server)
+ except Exception:
+ raise CommandError("Failed to find a writeable DC for domain '%s'" % domain)
+ flag_map = {
+ nbt.NBT_SERVER_PDC: "PDC",
+ nbt.NBT_SERVER_GC: "GC",
+ nbt.NBT_SERVER_LDAP: "LDAP",
+ nbt.NBT_SERVER_DS: "DS",
+ nbt.NBT_SERVER_KDC: "KDC",
+ nbt.NBT_SERVER_TIMESERV: "TIMESERV",
+ nbt.NBT_SERVER_CLOSEST: "CLOSEST",
+ nbt.NBT_SERVER_WRITABLE: "WRITABLE",
+ nbt.NBT_SERVER_GOOD_TIMESERV: "GOOD_TIMESERV",
+ nbt.NBT_SERVER_NDNC: "NDNC",
+ nbt.NBT_SERVER_SELECT_SECRET_DOMAIN_6: "SELECT_SECRET_DOMAIN_6",
+ nbt.NBT_SERVER_FULL_SECRET_DOMAIN_6: "FULL_SECRET_DOMAIN_6",
+ nbt.NBT_SERVER_ADS_WEB_SERVICE: "ADS_WEB_SERVICE",
+ nbt.NBT_SERVER_DS_8: "DS_8",
+ nbt.NBT_SERVER_HAS_DNS_NAME: "HAS_DNS_NAME",
+ nbt.NBT_SERVER_IS_DEFAULT_NC: "IS_DEFAULT_NC",
+ nbt.NBT_SERVER_FOREST_ROOT: "FOREST_ROOT",
+ }
+ server_type_string = self.generic_bitmap_to_string(flag_map,
+ remote_info.server_type, names_only=True)
+ self.outf.write("RemoteDC Netbios[%s] DNS[%s] ServerType[%s]\n" % (
+ remote_info.pdc_name,
+ remote_info.pdc_dns_name,
+ server_type_string))
+
+ self.remote_server = remote_info.pdc_dns_name
+ self.remote_binding_string="ncacn_np:%s[%s]" % (self.remote_server, remote_binding_options)
+ self.remote_creds = remote_creds
+ return self.remote_server
+
+ def new_remote_lsa_connection(self):
+ return lsa.lsarpc(self.remote_binding_string, self.local_lp, self.remote_creds)
+
+ def new_remote_netlogon_connection(self):
+ return netlogon.netlogon(self.remote_binding_string, self.local_lp, self.remote_creds)
+
+ def get_lsa_info(self, conn, policy_access):
+ objectAttr = lsa.ObjectAttribute()
+ objectAttr.sec_qos = lsa.QosInfo()
+
+ policy = conn.OpenPolicy2(''.decode('utf-8'),
+ objectAttr, policy_access)
+
+ info = conn.QueryInfoPolicy2(policy, lsa.LSA_POLICY_INFO_DNS)
+
+ return (policy, info)
+
+ def get_netlogon_dc_info(self, conn, server):
+ info = conn.netr_DsRGetDCNameEx2(server,
+ None, 0, None, None, None,
+ netlogon.DS_RETURN_DNS_NAME)
+ return info
+
+ def netr_DomainTrust_to_name(self, t):
+ if t.trust_type == lsa.LSA_TRUST_TYPE_DOWNLEVEL:
+ return t.netbios_name
+
+ return t.dns_name
+
+ def netr_DomainTrust_to_type(self, a, t):
+ primary = None
+ primary_parent = None
+ for _t in a:
+ if _t.trust_flags & netlogon.NETR_TRUST_FLAG_PRIMARY:
+ primary = _t
+ if not _t.trust_flags & netlogon.NETR_TRUST_FLAG_TREEROOT:
+ primary_parent = a[_t.parent_index]
+ break
+
+ if t.trust_flags & netlogon.NETR_TRUST_FLAG_IN_FOREST:
+ if t is primary_parent:
+ return "Parent"
+
+ if t.trust_flags & netlogon.NETR_TRUST_FLAG_TREEROOT:
+ return "TreeRoot"
+
+ parent = a[t.parent_index]
+ if parent is primary:
+ return "Child"
+
+ return "Shortcut"
+
+ if t.trust_attributes & lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
+ return "Forest"
+
+ return "External"
+
+ def netr_DomainTrust_to_transitive(self, t):
+ if t.trust_flags & netlogon.NETR_TRUST_FLAG_IN_FOREST:
+ return "Yes"
+
+ if t.trust_attributes & lsa.LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE:
+ return "No"
+
+ if t.trust_attributes & lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
+ return "Yes"
+
+ return "No"
+
+ def netr_DomainTrust_to_direction(self, t):
+ if t.trust_flags & netlogon.NETR_TRUST_FLAG_INBOUND and \
+ t.trust_flags & netlogon.NETR_TRUST_FLAG_OUTBOUND:
+ return "BOTH"
+
+ if t.trust_flags & netlogon.NETR_TRUST_FLAG_INBOUND:
+ return "INCOMING"
+
+ if t.trust_flags & netlogon.NETR_TRUST_FLAG_OUTBOUND:
+ return "OUTGOING"
+
+ return "INVALID"
+
+ def generic_enum_to_string(self, e_dict, v, names_only=False):
+ try:
+ w = e_dict[v]
+ except KeyError:
+ v32 = self._uint32(v)
+ w = "__unknown__%08X__" % v32
+
+ r = "0x%x (%s)" % (v, w)
+ return r;
+
+ def generic_bitmap_to_string(self, b_dict, v, names_only=False):
+
+ s = []
+
+ c = v
+ for b in sorted(b_dict.keys()):
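Review bot: in `setup_remote_server()` the sentinel `self.remote_server = "__unknown__remote_server__.%s" % domain` is assigned before `finddc()` runs, while the early return at the top of the method only checks `is not None`; if the lookup raises, any later call returns the sentinel string instead of retrying, so either assign `self.remote_server` only after a successful lookup or test for the sentinel explicitly. The `except Exception:` around `finddc()` also discards the original error and always reports "Failed to find a writeable DC" even when `require_writable` is False; include the exception text and the requested `remote_flags` in the `CommandError`. Smaller points: the `DomainTrustCommand` docstring says "List domain trusts." although it is the base class for every `domain trust` subcommand; `generic_enum_to_string()` takes a `names_only` argument it never uses and ends with `return r;` (stray semicolon); and `''.decode('utf-8')` in `get_lsa_info()` is a Python 2 only spelling of an empty unicode string, for which `u''` is clearer.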
--
Samba Shared Repository