[SCM] Samba Shared Repository - branch master updated
Garming Sam
garming at samba.org
Thu Jun 16 06:38:04 UTC 2016
The branch, master has been updated
via e2743b1 flapping: temporarily add samba_dnsupdate test
via b4d2e10 drs: Send DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP by default
via 7f651d3 selftest: Remove print attribute from getnc_exop test
via c752e93 selftest: Add a DNS test matching Windows
via 9394e14 dns_server: Fix typo in dns_authoritative_for_zone() name.
via f67a3c2 selftest: confirm samba_dnsupdate works in both nsupdate and samba_tool mode
via ba22d29 selftest: Always set up a resolv.conf and use it in samba_dnsupdate
via f5aaa1e selftest: Ensure we write 127. addresses into DNS
via 26b475f samba_dnsupdate: Give the administrator more detail when DNS lookups fail
via 8f1659e samba_dnsupdate: Implement RPC <ZONE> prefix in dns_update_list
via b1ab37e samba_dnsupdate: Simplify logic and add more verbose debugging
via 72d5fa7 samba_dnsupdate: Allow admin to force a particular IP into samba_dnsupdate
via e382249 dns_update_list: Add in NS records
via c9aefa9 samba_dnsupdate: Add a mode that calls samba-tool dns, rather than nsupdate
via 789ec34 samba_dnsupdate: Work around a bug in nsupdate
via de2e955 samba_dnsupdate: Fix typo in -no-substitutions name
via 4b16cbd tests/drs: cleanup some whitespace
via e37af46 drsuapi.idl: Add attid used in testing in idl
via 7748f68 selftest: Check a user with only primaryGroupID is correct in samr.GetUserGroups() reply
via 57e6b80 selftest: Test that primaryGroupID is first in samr.GetUserGroups() reply
via f2f6db8 selftest: Add alias membership to the tokengroups test
via 1a5f0c7 s4-samr: Rework GetGroupsForUser to use memberOf
via d660e66 s4-libcli/raw: Fix compiler errors when building with --address-sanitizer
via 8d70553 s4-kcc: Fix compiler errors when building with --address-sanitizer
via 4717688 s3-vfs/snapper: Fix compiler errors when building with --address-sanitizer
via 5e895c2 s3-libnet: Fix compiler errors when building with --address-sanitizer
via c0a9302 s3-client: Fix compiler errors when building with --address-sanitizer
via c86d508 libgpo: Fix compiler errors when building with --address-sanitizer
via 9dcf1d4 libcli/smb: Fix compiler errors when building with --address-sanitizer
via afcb2b8 selftest: Expand tokenGroups test to also compare with samr.GetGroupsForUser
via 533ded5 selftest: Expand tokenGroups test to also build nested groups
via 20eb605 s4-samr: Fix samr.QueryUserInfo level 1 primary group
via 215c20b samba-tool domain join: Refuse to re-join a DC with a still-valid password
via 2d79b61 samba-tool: Improve fsmo handling
via 9173f20 selftest: Rebase DrsBaseTestCase on SambaToolCmdTest
from 721b21b selftest: add test for DNS updates with TKEY/TSIG
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e2743b110fbd9731c38160c2a9919a3f5e82f1fc
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Jun 15 16:32:23 2016 +1200
flapping: temporarily add samba_dnsupdate test
This should be removed when we can run nsupdate on sn-devel
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Garming Sam <garming at samba.org>
Autobuild-Date(master): Thu Jun 16 08:37:56 CEST 2016 on sn-devel-144
commit b4d2e1016d1d35a01450f4d616cf7a32c7c151e2
Author: Garming <garming at catalyst.net.nz>
Date: Wed Jun 15 10:05:34 2016 +1200
drs: Send DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP by default
This flag is not implemented in Samba, however, on an RODC replicating from
Windows, failing to send this flag leaves out group memberships.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7f651d344b8a293c510885d3ddc2c303e397c03e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 14 19:55:44 2016 +1200
selftest: Remove print attribute from getnc_exop test
This otherwise fills the logs with every object
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit c752e93fc5960d2d31d80fcf608eff0fbfa784a0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jun 10 15:40:59 2016 +1200
selftest: Add a DNS test matching Windows
This performs the same steps as Windows does
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 9394e146261f2aa3c186b4c2f90dd33da2457891
Author: Garming Sam <garming at catalyst.net.nz>
Date: Tue May 31 10:48:15 2016 +1200
dns_server: Fix typo in dns_authoritative_for_zone() name.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f67a3c2eb95ca1c91319c5b4cdf2c18c190ab253
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 1 15:58:30 2015 +1200
selftest: confirm samba_dnsupdate works in both nsupdate and samba_tool mode
This can be extended, but already checks the basic functionality
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit ba22d291446aefbae8a02346e5b7edbc9265dc4a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jun 10 15:43:37 2016 +1200
selftest: Always set up a resolv.conf and use it in samba_dnsupdate
This allows samba_dnsupdate to be tested without resolv_wrapper.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit f5aaa1ea31c78060cc732a8ee176ca7ac13be865
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 28 15:07:49 2015 +1200
selftest: Ensure we write 127. addresses into DNS
The --all-interfaces option is required both with and without the dns_host_file
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 26b475fb3239e5669a38a054fb42007654898bdf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 13 11:34:36 2015 +1200
samba_dnsupdate: Give the administrator more detail when DNS lookups fail
This avoids treating server errors identically to name-not-present status values
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 8f1659e540e661326791c3ca25789d9c50d85298
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 11 12:37:01 2015 +1200
samba_dnsupdate: Implement RPC <ZONE> prefix in dns_update_list
This allows us to update the stub records as well as the zone itself.
Based on a proposed syntax by metze.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit b1ab37ec5bfcfb66c905c7d8b756d46154d7388b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 10 12:15:04 2015 +1200
samba_dnsupdate: Simplify logic and add more verbose debugging
By reducing the indentation this code is a little clearer
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 72d5fa79a0024aa13e92d7e93d5f1ed7472b6553
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 7 14:57:20 2015 +1200
samba_dnsupdate: Allow admin to force a particular IP into samba_dnsupdate
This should help in deployments behind NAT.
It will also help in testing.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit e3822497c87dade49ac85374e695f0a4f10bbc70
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 2 13:37:54 2015 +1300
dns_update_list: Add in NS records
This is as suggested by metze in 4383ec5b83d12bd19749582217f082cbaa31a128
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit c9aefa93c1f79e692791e4d384aca2e20e8f6f3f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 26 12:29:23 2015 +1300
samba_dnsupdate: Add a mode that calls samba-tool dns, rather than nsupdate
This mode is more likely to work when we change hostname or IP
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 789ec3400773e795977c4f466872cbb81727d99a
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 25 17:26:05 2015 +0200
samba_dnsupdate: Work around a bug in nsupdate
The doio_send() function of bind fails on a short write with sendmsg().
See https://bugzilla.redhat.com/show_bug.cgi?id=1250921
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit de2e955e3e9be62e3853dcc45f49adabba1e2d75
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu May 26 14:12:40 2016 +1200
samba_dnsupdate: Fix typo in -no-substitutions name
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4b16cbda46fb2c9a41785793cb47a6035dd46629
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Jun 8 11:11:15 2016 +1200
tests/drs: cleanup some whitespace
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960
commit e37af464e1cac32091ab45c36dfda6fe7dc85748
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Jun 8 14:19:42 2016 +1200
drsuapi.idl: Add attid used in testing in idl
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960
commit 7748f680477894a9392e574d8cac41ec029dbf42
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 9 14:56:02 2016 +1200
selftest: Check a user with only primaryGroupID is correct in samr.GetUserGroups() reply
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 57e6b80d359a062d8a9bd0b4d9dd92008b4cab03
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 9 14:55:24 2016 +1200
selftest: Test that primaryGroupID is first in samr.GetUserGroups() reply
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit f2f6db869d70a529f192c5ca68bf83bbcd8f3065
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 9 14:54:47 2016 +1200
selftest: Add alias membership to the tokengroups test
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 1a5f0c7a7fa11447fecc87c3c7e0aa0a3f22162a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jun 8 16:49:01 2016 +1200
s4-samr: Rework GetGroupsForUser to use memberOf
By reading the SID values from the memberOf links, we avoid an un-indexed search on
the member attribute.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit d660e66a4a9fd405f45625142420937f4fafe3d0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 7 15:43:29 2016 +1200
s4-libcli/raw: Fix compiler errors when building with --address-sanitizer
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 8d70553b72e543e833c35173a6e566d1ea0fdccd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 7 15:43:13 2016 +1200
s4-kcc: Fix compiler errors when building with --address-sanitizer
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 47176885bfbe72bf5b8ba3a2e09e362c61454b64
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 7 15:43:01 2016 +1200
s3-vfs/snapper: Fix compiler errors when building with --address-sanitizer
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 5e895c293f216b453b3aca9c4144589a0f2a0caf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 7 15:42:41 2016 +1200
s3-libnet: Fix compiler errors when building with --address-sanitizer
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit c0a930249a3b5d38e0cee6d7cded0f84404c1db1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 7 15:42:33 2016 +1200
s3-client: Fix compiler errors when building with --address-sanitizer
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit c86d508f65b6232cf7af3433e0701b3cfe9cf3a5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 7 15:42:23 2016 +1200
libgpo: Fix compiler errors when building with --address-sanitizer
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 9dcf1d4826a1c547f722b9b78a061f3f086ed9aa
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 7 15:42:15 2016 +1200
libcli/smb: Fix compiler errors when building with --address-sanitizer
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit afcb2b8d31c82d06f1a01de72b87209054581ad5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jun 8 14:46:07 2016 +1200
selftest: Expand tokenGroups test to also compare with samr.GetGroupsForUser
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 533ded5ac6084e3d021046888597b7719052f037
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jun 8 14:45:47 2016 +1200
selftest: Expand tokenGroups test to also build nested groups
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 20eb605fee55d9c57afa8579d22043a0d3d48381
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 9 14:56:44 2016 +1200
s4-samr: Fix samr.QueryUserInfo level 1 primary group
Because of this typo, the primary group ID was returned as 0
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 215c20b94b3dbc9c739bb78cfe83f8787d92cc76
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue May 31 14:54:45 2016 +1200
samba-tool domain join: Refuse to re-join a DC with a still-valid password
While the DC will eventually get back to the same state, it can take a
while, so try harder not to overwrite our already-working account
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 2d79b61731318fc5b4db0044668f9dd90a6482f2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jun 3 14:50:55 2016 +1200
samba-tool: Improve fsmo handling
This makes a clear separation between data and display variables
and improves the tests.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 9173f2027c682a85becdbed86820985c294cc049
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jun 1 21:27:07 2016 +1200
selftest: Rebase DrsBaseTestCase on SambaToolCmdTest
This then makes SambaToolCmdTest based on BlackboxTestCase.
This allows us to use better command output testing in the fsmo tests
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smbXcli_base.c | 4 +-
libgpo/gpo_fetch.c | 2 +-
librpc/idl/drsuapi.idl | 2 +
python/samba/drs_utils.py | 3 +-
python/samba/join.py | 151 ++++++++------
python/samba/netcmd/fsmo.py | 80 ++++----
python/samba/tests/blackbox/samba_dnsupdate.py | 59 ++++++
python/samba/tests/dns_tkey.py | 76 +++++++
python/samba/tests/samba_tool/base.py | 2 +-
python/samba/tests/samba_tool/fsmo.py | 22 ++-
python/samba/tests/samba_tool/{fsmo.py => join.py} | 16 +-
selftest/flapping | 1 +
selftest/selftest.pl | 1 +
selftest/target/Samba4.pm | 14 +-
source3/client/clitar.c | 2 +-
source3/libnet/libnet_dssync_passdb.c | 2 +-
source3/modules/vfs_snapper.c | 8 +-
source4/dns_server/dns_query.c | 4 +-
source4/dns_server/dns_server.h | 4 +-
source4/dns_server/dns_utils.c | 4 +-
source4/dsdb/kcc/kcc_topology.c | 7 +-
source4/dsdb/tests/python/token_group.py | 149 +++++++++++++-
source4/libcli/raw/rawsearch.c | 4 +-
source4/rpc_server/samr/dcesrv_samr.c | 111 ++++++++---
source4/scripting/bin/samba_dnsupdate | 220 +++++++++++++++++++--
source4/selftest/tests.py | 4 +
source4/setup/dns_update_list | 7 +
source4/torture/drs/python/drs_base.py | 3 +-
source4/torture/drs/python/fsmo.py | 30 ++-
source4/torture/drs/python/getnc_exop.py | 6 +-
30 files changed, 803 insertions(+), 195 deletions(-)
create mode 100644 python/samba/tests/blackbox/samba_dnsupdate.py
copy python/samba/tests/samba_tool/{fsmo.py => join.py} (61%)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 4332374..135538b 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3501,8 +3501,8 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
{
struct tevent_req *req;
struct smbXcli_req_state *state = NULL;
- struct iovec *iov;
- int i, num_iov;
+ struct iovec *iov = NULL;
+ int i, num_iov = 0;
NTSTATUS status;
bool defer = true;
struct smbXcli_session *last_session = NULL;
diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
index 07141d4..97ecd62 100644
--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -156,7 +156,7 @@ NTSTATUS gpo_fetch_files(TALLOC_CTX *mem_ctx,
NTSTATUS result;
char *server, *service, *nt_path, *unix_path;
char *nt_ini_path, *unix_ini_path;
- struct cli_state *cli;
+ struct cli_state *cli = NULL;
result = gpo_explode_filesyspath(mem_ctx, cache_dir, gpo->file_sys_path,
diff --git a/librpc/idl/drsuapi.idl b/librpc/idl/drsuapi.idl
index 4e1e11c..67f9604 100644
--- a/librpc/idl/drsuapi.idl
+++ b/librpc/idl/drsuapi.idl
@@ -525,11 +525,13 @@ interface drsuapi
DRSUAPI_ATTID_systemFlags = 0x00090177,
DRSUAPI_ATTID_serverReference = 0x00090203,
DRSUAPI_ATTID_serverReferenceBL = 0x00090204,
+ DRSUAPI_ATTID_nonSecurityMember = 0x00090212,
DRSUAPI_ATTID_initialAuthIncoming = 0x0009021b,
DRSUAPI_ATTID_initialAuthOutgoing = 0x0009021c,
DRSUAPI_ATTID_wellKnownObjects = 0x0009026a,
DRSUAPI_ATTID_dNSHostName = 0x0009026b,
DRSUAPI_ATTID_isMemberOfPartialAttributeSet = 0x0009027f,
+ DRSUAPI_ATTID_managedBy = 0x0009028d,
DRSUAPI_ATTID_userPrincipalName = 0x00090290,
DRSUAPI_ATTID_groupType = 0x000902ee,
DRSUAPI_ATTID_servicePrincipalName = 0x00090303,
diff --git a/python/samba/drs_utils.py b/python/samba/drs_utils.py
index 87c9a86..6c8afae 100644
--- a/python/samba/drs_utils.py
+++ b/python/samba/drs_utils.py
@@ -220,7 +220,8 @@ class drs_Replicate(object):
req8.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
drsuapi.DRSUAPI_DRS_PER_SYNC |
drsuapi.DRSUAPI_DRS_GET_ANC |
- drsuapi.DRSUAPI_DRS_NEVER_SYNCED)
+ drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
+ drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP)
if rodc:
req8.replica_flags |= (
drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING)
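Review bot: The new `drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP` flag in req8.replica_flags is added without a code comment, and the reason for it lives only in the commit message (Samba does not implement the flag, but an RODC replicating from Windows loses group memberships without it). Please put a short comment beside the flag saying so, otherwise a later cleanup is likely to drop it as a no-op on the Samba side.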
diff --git a/python/samba/join.py b/python/samba/join.py
index 103e4d9..3532a7f 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -170,6 +170,7 @@ class dc_join(object):
ctx.managedby = None
ctx.subdomain = False
ctx.adminpass = None
+ ctx.partition_dn = None
def del_noerror(ctx, dn, recursive=False):
if recursive:
@@ -185,71 +186,97 @@ class dc_join(object):
except Exception:
pass
+ def cleanup_old_accounts(ctx):
+ res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+ expression='sAMAccountName=%s' % ldb.binary_encode(ctx.samname),
+ attrs=["msDS-krbTgtLink", "objectSID"])
+ if len(res) == 0:
+ return
+
+ creds = Credentials()
+ creds.guess(ctx.lp)
+ try:
+ creds.set_machine_account(ctx.lp)
+ machine_samdb = SamDB(url="ldap://%s" % ctx.server,
+ session_info=system_session(),
+ credentials=creds, lp=ctx.lp)
+ except:
+ pass
+ else:
+ token_res = machine_samdb.search(scope=ldb.SCOPE_BASE, base="", attrs=["tokenGroups"])
+ if token_res[0]["tokenGroups"][0] \
+ == res[0]["objectSID"][0]:
+ raise DCJoinException("Not removing account %s which "
+ "looks like a Samba DC account "
+ "maching the password we already have. "
+ "To override, remove secrets.ldb and secrets.tdb"
+ % ctx.samname)
+
+ ctx.del_noerror(res[0].dn, recursive=True)
+
+ if "msDS-Krbtgtlink" in res[0]:
+ new_krbtgt_dn = res[0]["msDS-Krbtgtlink"][0]
+ del_noerror(ctx.new_krbtgt_dn)
+
+ res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+ expression='(&(sAMAccountName=%s)(servicePrincipalName=%s))' %
+ (ldb.binary_encode("dns-%s" % ctx.myname),
+ ldb.binary_encode("dns/%s" % ctx.dnshostname)),
+ attrs=[])
+ if res:
+ ctx.del_noerror(res[0].dn, recursive=True)
+
+ res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+ expression='(sAMAccountName=%s)' % ldb.binary_encode("dns-%s" % ctx.myname),
+ attrs=[])
+ if res:
+ raise DCJoinException("Not removing account %s which looks like "
+ "a Samba DNS service account but does not "
+ "have servicePrincipalName=%s" %
+ (ldb.binary_encode("dns-%s" % ctx.myname),
+ ldb.binary_encode("dns/%s" % ctx.dnshostname)))
+
+
def cleanup_old_join(ctx):
"""Remove any DNs from a previous join."""
- try:
- # find the krbtgt link
- print("checking sAMAccountName")
- if ctx.subdomain:
- res = None
- else:
- res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
- expression='sAMAccountName=%s' % ldb.binary_encode(ctx.samname),
- attrs=["msDS-krbTgtLink"])
- if res:
- ctx.del_noerror(res[0].dn, recursive=True)
-
- res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
- expression='(&(sAMAccountName=%s)(servicePrincipalName=%s))' % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)),
- attrs=[])
- if res:
- ctx.del_noerror(res[0].dn, recursive=True)
-
- res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
- expression='(sAMAccountName=%s)' % ldb.binary_encode("dns-%s" % ctx.myname),
- attrs=[])
- if res:
- raise RuntimeError("Not removing account %s which looks like a Samba DNS service account but does not have servicePrincipalName=%s" % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)))
-
- if ctx.connection_dn is not None:
- ctx.del_noerror(ctx.connection_dn)
- if ctx.krbtgt_dn is not None:
- ctx.del_noerror(ctx.krbtgt_dn)
- ctx.del_noerror(ctx.ntds_dn)
- ctx.del_noerror(ctx.server_dn, recursive=True)
- if ctx.topology_dn:
- ctx.del_noerror(ctx.topology_dn)
- if ctx.partition_dn:
- ctx.del_noerror(ctx.partition_dn)
- if res:
- ctx.new_krbtgt_dn = res[0]["msDS-Krbtgtlink"][0]
- ctx.del_noerror(ctx.new_krbtgt_dn)
-
- if ctx.subdomain:
- binding_options = "sign"
- lsaconn = lsa.lsarpc("ncacn_ip_tcp:%s[%s]" % (ctx.server, binding_options),
- ctx.lp, ctx.creds)
-
- objectAttr = lsa.ObjectAttribute()
- objectAttr.sec_qos = lsa.QosInfo()
-
- pol_handle = lsaconn.OpenPolicy2(''.decode('utf-8'),
- objectAttr, security.SEC_FLAG_MAXIMUM_ALLOWED)
-
- name = lsa.String()
- name.string = ctx.realm
- info = lsaconn.QueryTrustedDomainInfoByName(pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
-
- lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
-
- name = lsa.String()
- name.string = ctx.forest_domain_name
- info = lsaconn.QueryTrustedDomainInfoByName(pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
-
- lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
+ # find the krbtgt link
+ if not ctx.subdomain:
+ ctx.cleanup_old_accounts()
+
+ if ctx.connection_dn is not None:
+ ctx.del_noerror(ctx.connection_dn)
+ if ctx.krbtgt_dn is not None:
+ ctx.del_noerror(ctx.krbtgt_dn)
+ ctx.del_noerror(ctx.ntds_dn)
+ ctx.del_noerror(ctx.server_dn, recursive=True)
+ if ctx.topology_dn:
+ ctx.del_noerror(ctx.topology_dn)
+ if ctx.partition_dn:
+ ctx.del_noerror(ctx.partition_dn)
+
+ if ctx.subdomain:
+ binding_options = "sign"
+ lsaconn = lsa.lsarpc("ncacn_ip_tcp:%s[%s]" % (ctx.server, binding_options),
+ ctx.lp, ctx.creds)
+
+ objectAttr = lsa.ObjectAttribute()
+ objectAttr.sec_qos = lsa.QosInfo()
+
+ pol_handle = lsaconn.OpenPolicy2(''.decode('utf-8'),
+ objectAttr, security.SEC_FLAG_MAXIMUM_ALLOWED)
+
+ name = lsa.String()
+ name.string = ctx.realm
+ info = lsaconn.QueryTrustedDomainInfoByName(pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+
+ lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
+
+ name = lsa.String()
+ name.string = ctx.forest_domain_name
+ info = lsaconn.QueryTrustedDomainInfoByName(pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+
+ lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
- except Exception:
- pass
def promote_possible(ctx):
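Review bot: In cleanup_old_accounts() the krbtgt link cleanup cannot work as written: the value is stored in a local `new_krbtgt_dn`, but the next line calls a bare `del_noerror(ctx.new_krbtgt_dn)`, which is neither the `ctx.del_noerror` method used everywhere else in this hunk nor an attribute that has been set in the lines shown. Since the outer `try: ... except Exception: pass` is removed from cleanup_old_join() in the same change, this is no longer swallowed and will surface whenever the old account carries the link. The removed code had `ctx.new_krbtgt_dn = res[0]["msDS-Krbtgtlink"][0]` followed by `ctx.del_noerror(ctx.new_krbtgt_dn)`, and that form should be kept. Separately, the bare `except: pass` around creds.set_machine_account() and the SamDB connection treats every failure, not only a rejected password, as "the stored password is no longer valid" and then goes on to delete the account; catching a narrower exception would keep the new safety check meaningful. Minor: "maching" in the DCJoinException text should be "matching".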
"""confirm that the account is just a bare NT4 BDC or a member server, so can be safely promoted"""
diff --git a/python/samba/netcmd/fsmo.py b/python/samba/netcmd/fsmo.py
index 3d14939..1351654 100644
--- a/python/samba/netcmd/fsmo.py
+++ b/python/samba/netcmd/fsmo.py
@@ -42,15 +42,15 @@ def get_fsmo_roleowner(samdb, roledn, role):
scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
except LdbError, (num, msg):
if num == ldb.ERR_NO_SUCH_OBJECT:
- return "* The '%s' role is not present in this domain" % role
+ raise CommandError("The '%s' role is not present in this domain" % role)
raise
if 'fSMORoleOwner' in res[0]:
- master_owner = res[0]["fSMORoleOwner"][0]
- return master_owner
+ master_owner = (ldb.Dn(samdb, res[0]["fSMORoleOwner"][0]))
else:
- master_owner = "* The '%s' role does not have an FSMO roleowner" % role
- return master_owner
+ master_owner = None
+
+ return master_owner
def transfer_dns_role(outf, sambaopts, credopts, role, samdb):
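Review bot: get_fsmo_roleowner() now has three distinct outcomes (raise CommandError when the role object is missing, return an ldb.Dn, or return None when fSMORoleOwner is absent) where it used to always return a string, and nothing in the hunk documents that. Please state the contract in the function's docstring so callers know they must handle both None and the exception, and drop the redundant outer parentheses in `master_owner = (ldb.Dn(samdb, res[0]["fSMORoleOwner"][0]))`.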
@@ -155,7 +155,7 @@ def transfer_role(outf, role, samdb):
naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn()
infrastructure_dn = "CN=Infrastructure," + domain_dn
schema_dn = str(samdb.get_schema_basedn())
- new_owner = samdb.get_dsServiceName()
+ new_owner = ldb.Dn(samdb, samdb.get_dsServiceName())
m = ldb.Message()
m.dn = ldb.Dn(samdb, "")
if role == "rid":
@@ -191,21 +191,21 @@ def transfer_role(outf, role, samdb):
else:
raise CommandError("Invalid FSMO role.")
- if not '*' in master_owner:
- if master_owner != new_owner:
- try:
- samdb.modify(m)
- except LdbError, (num, msg):
- raise CommandError("Transfer of '%s' role failed: %s" %
- (role, msg))
+ if master_owner is None:
+ outf.write("Cannot transfer, no DC assigned to the %s role. Try 'seize' instead\n" % role)
+ return False
- outf.write("FSMO transfer of '%s' role successful\n" % role)
- return True
- else:
- outf.write("This DC already has the '%s' FSMO role\n" % role)
- return False
+ if master_owner != new_owner:
+ try:
+ samdb.modify(m)
+ except LdbError, (num, msg):
+ raise CommandError("Transfer of '%s' role failed: %s" %
+ (role, msg))
+
+ outf.write("FSMO transfer of '%s' role successful\n" % role)
+ return True
else:
- outf.write("%s\n" % master_owner)
+ outf.write("This DC already has the '%s' FSMO role\n" % role)
return False
class cmd_fsmo_seize(Command):
@@ -267,7 +267,8 @@ You must provide an Admin user and password."""),
#first try to transfer to avoid problem if the owner is still active
seize = False
master_owner = get_fsmo_roleowner(samdb, m.dn, role)
- if not '*' in master_owner:
+ # if there is a different owner
+ if master_owner is not None:
# if there is a different owner
if master_owner != serviceName:
# if --force isn't given, attempt transfer
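Review bot: The added `# if there is a different owner` comment above `if master_owner is not None:` duplicates the comment already on the following line and describes the inner check, not this one; something like "if the role has an owner at all" would fit. Also, get_fsmo_roleowner() now returns an ldb.Dn and transfer_role() was changed to wrap new_owner in ldb.Dn for its comparison, but no matching change to serviceName is visible here, so please confirm that `master_owner != serviceName` still compares like with like (the same check appears in the next hunk).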
@@ -322,7 +323,7 @@ You must provide an Admin user and password."""),
#first try to transfer to avoid problem if the owner is still active
seize = False
master_owner = get_fsmo_roleowner(samdb, m.dn, role)
- if not '*' in master_owner:
+ if master_owner is not None:
# if there is a different owner
if master_owner != serviceName:
# if --force isn't given, attempt transfer
@@ -420,24 +421,25 @@ class cmd_fsmo_show(Command):
domaindns_dn = "CN=Infrastructure,DC=DomainDnsZones," + domain_dn
forestdns_dn = "CN=Infrastructure,DC=ForestDnsZones," + forest_dn
- infrastructureMaster = get_fsmo_roleowner(samdb, infrastructure_dn,
- "infrastructure")
- pdcEmulator = get_fsmo_roleowner(samdb, domain_dn, "pdc")
- namingMaster = get_fsmo_roleowner(samdb, naming_dn, "naming")
- schemaMaster = get_fsmo_roleowner(samdb, schema_dn, "schema")
- ridMaster = get_fsmo_roleowner(samdb, rid_dn, "rid")
- domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn,
- "domaindns")
- forestdnszonesMaster = get_fsmo_roleowner(samdb, forestdns_dn,
- "forestdns")
-
- self.message("SchemaMasterRole owner: " + schemaMaster)
- self.message("InfrastructureMasterRole owner: " + infrastructureMaster)
- self.message("RidAllocationMasterRole owner: " + ridMaster)
- self.message("PdcEmulationMasterRole owner: " + pdcEmulator)
- self.message("DomainNamingMasterRole owner: " + namingMaster)
- self.message("DomainDnsZonesMasterRole owner: " + domaindnszonesMaster)
- self.message("ForestDnsZonesMasterRole owner: " + forestdnszonesMaster)
+ masters = [(schema_dn, "schema", "SchemaMasterRole"),
+ (infrastructure_dn, "infrastructure", "InfrastructureMasterRole"),
+ (rid_dn, "rid", "RidAllocationMasterRole"),
+ (domain_dn, "pdc", "PdcEmulationMasterRole"),
+ (naming_dn, "naming", "DomainNamingMasterRole"),
+ (domaindns_dn, "domaindns", "DomainDnsZonesMasterRole"),
+ (forestdns_dn, "forestdns", "ForestDnsZonesMasterRole"),
+ ]
+
+ for master in masters:
+ (dn, short_name, long_name) = master
+ try:
+ master = get_fsmo_roleowner(samdb, dn, short_name)
+ if master is not None:
+ self.message("%s owner: %s" % (long_name, str(master)))
+ else:
+ self.message("%s has no current owner" % (long_name))
+ except CommandError, e:
+ self.message("%s: * %s" % (long_name, e.message))
class cmd_fsmo_transfer(Command):
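Review bot: In the new loop in cmd_fsmo_show the name `master` is used both for the tuple being iterated (`for master in masters:`) and, two lines later, for the result of get_fsmo_roleowner(), so the loop variable is overwritten inside its own body. It works, but it reads badly; unpack directly with `for (dn, short_name, long_name) in masters:` and call the result `owner`. The `try:` could also be narrowed to the get_fsmo_roleowner() call alone, with the two self.message() branches in an `else:`.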
"""Transfer the role."""
diff --git a/python/samba/tests/blackbox/samba_dnsupdate.py b/python/samba/tests/blackbox/samba_dnsupdate.py
new file mode 100644
index 0000000..852a31a
--- /dev/null
+++ b/python/samba/tests/blackbox/samba_dnsupdate.py
@@ -0,0 +1,59 @@
+# Blackbox tests for "samba_dnsupdate" command
+# Copyright (C) Kamen Mazdrashki <kamenim at samba.org> 2011
+# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2015
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import samba.tests
+
+class SambaDnsUpdateTests(samba.tests.BlackboxTestCase):
+ """Blackbox test case for samba_dnsupdate."""
+
+ def setUp(self):
+ self.server_ip = samba.tests.env_get_var_value("DNS_SERVER_IP")
+ super(SambaDnsUpdateTests, self).setUp()
+ try:
+ out = self.check_output("samba_dnsupdate --verbose")
+ self.assertTrue("Looking for DNS entry" in out)
+ except samba.tests.BlackboxProcessError:
+ pass
+
+ def test_samba_dnsupate_no_change(self):
+ out = self.check_output("samba_dnsupdate --verbose")
+ self.assertTrue("No DNS updates needed" in out)
+
+ def test_samba_dnsupate_set_ip(self):
+ try:
+ out = self.check_output("samba_dnsupdate --verbose --current-ip=10.0.0.1")
+ self.assertTrue(" DNS updates and" in out)
+ self.assertTrue(" DNS deletes needed" in out)
+ except samba.tests.BlackboxProcessError:
+ pass
+
+ try:
+ out = self.check_output("samba_dnsupdate --verbose --use-nsupdate --current-ip=10.0.0.1")
+ except samba.tests.BlackboxProcessError:
+ self.fail("Error calling samba_dnsupdate")
+
+ self.assertTrue("No DNS updates needed" in out)
+ try:
+ out = self.check_output("samba_dnsupdate --verbose --use-samba-tool --rpc-server-ip=%s" % self.server_ip)
+ except samba.tests.BlackboxProcessError:
+ self.fail("Error calling samba_dnsupdate")
+
+ self.assertTrue(" DNS updates and" in out)
+ self.assertTrue(" DNS deletes needed" in out)
+ out = self.check_output("samba_dnsupdate --verbose")
+ self.assertTrue("No DNS updates needed" in out)
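Review bot: The `except samba.tests.BlackboxProcessError: pass` blocks in setUp() and at the top of test_samba_dnsupate_set_ip() wrap the assertTrue() checks as well as the command, so when the command fails those assertions are skipped silently and the test carries on. If a failure is acceptable at those points, say why in a comment and move the assertions out of the try; if it is not, use `self.fail(...)` as the later blocks in the same test do. Also, both test method names read `test_samba_dnsupate_*` (missing "d"), which makes them hard to find by name.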
diff --git a/python/samba/tests/dns_tkey.py b/python/samba/tests/dns_tkey.py
index e47a647..f424e07 100644
--- a/python/samba/tests/dns_tkey.py
+++ b/python/samba/tests/dns_tkey.py
@@ -484,4 +484,80 @@ class TestDNSUpdates(DNSTest):
rcode = self.search_record(self.newrecname)
self.assert_rcode_equals(rcode, dns.DNS_RCODE_NXDOMAIN)
+ def test_update_tsig_windows(self):
+ "test DNS update with correct TSIG record (follow Windows pattern)"
+
+ newrecname = "win" + self.newrecname
+ rr_class = dns.DNS_QCLASS_IN
+ ttl = 1200
+
+ p = self.make_name_packet(dns.DNS_OPCODE_UPDATE)
+ q = self.make_name_question(self.get_dns_domain(),
+ dns.DNS_QTYPE_SOA,
+ dns.DNS_QCLASS_IN)
+ questions = []
+ questions.append(q)
+ self.finish_name_packet(p, questions)
+
+ updates = []
+ r = dns.res_rec()
+ r.name = newrecname
+ r.rr_type = dns.DNS_QTYPE_A
+ r.rr_class = dns.DNS_QCLASS_ANY
+ r.ttl = 0
+ r.length = 0
+ updates.append(r)
+ r = dns.res_rec()
+ r.name = newrecname
+ r.rr_type = dns.DNS_QTYPE_AAAA
+ r.rr_class = dns.DNS_QCLASS_ANY
+ r.ttl = 0
+ r.length = 0
+ updates.append(r)
+ r = dns.res_rec()
+ r.name = newrecname
+ r.rr_type = dns.DNS_QTYPE_A
+ r.rr_class = rr_class
+ r.ttl = ttl
+ r.length = 0xffff
+ r.rdata = "10.1.45.64"
+ updates.append(r)
+ p.nscount = len(updates)
+ p.nsrecs = updates
+
+ prereqs = []
+ r = dns.res_rec()
+ r.name = newrecname
+ r.rr_type = dns.DNS_QTYPE_CNAME
+ r.rr_class = dns.DNS_QCLASS_NONE
+ r.ttl = 0
+ r.length = 0
+ prereqs.append(r)
+ p.ancount = len(prereqs)
+ p.answers = prereqs
+
+ (response, response_p) = self.dns_transaction_udp(p, self.server_ip)
+ self.assert_dns_rcode_equals(response, dns.DNS_RCODE_REFUSED)
+
+ self.tkey_trans()
+ mac = self.sign_packet(p, self.key_name)
+ (response, response_p) = self.dns_transaction_udp(p, self.server_ip)
+ self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
+ self.verify_packet(response, response_p, mac)
+
+ # Check the record is around
+ rcode = self.search_record(newrecname)
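Review bot: The three update records and the prerequisite in test_update_tsig_windows() are built with no comment saying what each one encodes, so a reader needs RFC 2136 to hand to see that the class ANY, ttl 0, length 0 records delete the existing A and AAAA RRsets, the class IN record adds the new A record, and the class NONE CNAME prerequisite requires that no CNAME exists. A one-line comment above each `r = dns.res_rec()` would make the "Windows pattern" named in the docstring checkable against the code. Also, `rr_class` is defined at the top but the question still passes `dns.DNS_QCLASS_IN` directly; use one or the other.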
--
Samba Shared Repository