[SCM] Samba Shared Repository - branch master updated

Garming Sam garming at samba.org
Thu Jun 16 06:38:04 UTC 2016


The branch, master has been updated
       via  e2743b1 flapping: temporarily add samba_dnsupdate test
       via  b4d2e10 drs: Send DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP by default
       via  7f651d3 selftest: Remove print attribute from getnc_exop test
       via  c752e93 selftest: Add a DNS test matching Windows
       via  9394e14 dns_server: Fix typo in dns_authoritative_for_zone() name.
       via  f67a3c2 selftest: confirm samba_dnsupdate works in both nsupdate and samba_tool mode
       via  ba22d29 selftest: Always set up a resolv.conf and use it in samba_dnsupdate
       via  f5aaa1e selftest: Ensure we write 127. addresses into DNS
       via  26b475f samba_dnsupdate: Give the administrator more detail when DNS lookups fail
       via  8f1659e samba_dnsupdate: Implement RPC <ZONE> prefix in dns_update_list
       via  b1ab37e samba_dnsupdate: Simplify logic and add more verbose debugging
       via  72d5fa7 samba_dnsupdate: Allow admin to force a particular IP into samba_dnsupdate
       via  e382249 dns_update_list: Add in NS records
       via  c9aefa9 samba_dnsupdate: Add a mode that calls samba-tool dns, rather than nsupdate
       via  789ec34 samba_dnsupdate: Work around a bug in nsupdate
       via  de2e955 samba_dnsupdate: Fix typo in -no-substitutions name
       via  4b16cbd tests/drs: cleanup some whitespace
       via  e37af46 drsuapi.idl: Add attid used in testing in idl
       via  7748f68 selftest: Check a user with only primaryGroupID is correct in samr.GetUserGroups() reply
       via  57e6b80 selftest: Test that primaryGroupID is first in samr.GetUserGroups() reply
       via  f2f6db8 selftest: Add alias membership to the tokengroups test
       via  1a5f0c7 s4-samr: Rework GetGroupsForUser to use memberOf
       via  d660e66 s4-libcli/raw: Fix compiler errors when building with --address-sanitizer
       via  8d70553 s4-kcc: Fix compiler errors when building with --address-sanitizer
       via  4717688 s3-vfs/snapper: Fix compiler errors when building with --address-sanitizer
       via  5e895c2 s3-libnet: Fix compiler errors when building with --address-sanitizer
       via  c0a9302 s3-client: Fix compiler errors when building with --address-sanitizer
       via  c86d508 libgpo: Fix compiler errors when building with --address-sanitizer
       via  9dcf1d4 libcli/smb: Fix compiler errors when building with --address-sanitizer
       via  afcb2b8 selftest: Expand tokenGroups test to also compare with samr.GetGroupsForUser
       via  533ded5 selftest: Expand tokenGroups test to also build nested groups
       via  20eb605 s4-samr: Fix samr.QueryUserInfo level 1 primary group
       via  215c20b samba-tool domain join: Refuse to re-join a DC with a still-valid password
       via  2d79b61 samba-tool: Improve fsmo handling
       via  9173f20 selftest: Rebase DrsBaseTestCase on SambaToolCmdTest
      from  721b21b selftest: add test for DNS updates with TKEY/TSIG

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e2743b110fbd9731c38160c2a9919a3f5e82f1fc
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jun 15 16:32:23 2016 +1200

    flapping: temporarily add samba_dnsupdate test
    
    This should be removed when we can run nsupdate on sn-devel
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Garming Sam <garming at samba.org>
    Autobuild-Date(master): Thu Jun 16 08:37:56 CEST 2016 on sn-devel-144

commit b4d2e1016d1d35a01450f4d616cf7a32c7c151e2
Author: Garming <garming at catalyst.net.nz>
Date:   Wed Jun 15 10:05:34 2016 +1200

    drs: Send DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP by default
    
    This flag is not implemented in Samba, however, on an RODC replicating from
    Windows, failing to send this flag leaves out group memberships.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7f651d344b8a293c510885d3ddc2c303e397c03e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 14 19:55:44 2016 +1200

    selftest: Remove print attribute from getnc_exop test
    
    This otherwise fills the logs with every object
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit c752e93fc5960d2d31d80fcf608eff0fbfa784a0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 10 15:40:59 2016 +1200

    selftest: Add a DNS test matching Windows
    
    This performs the same steps as Windows does
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 9394e146261f2aa3c186b4c2f90dd33da2457891
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue May 31 10:48:15 2016 +1200

    dns_server: Fix typo in dns_authoritative_for_zone() name.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f67a3c2eb95ca1c91319c5b4cdf2c18c190ab253
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 1 15:58:30 2015 +1200

    selftest: confirm samba_dnsupdate works in both nsupdate and samba_tool mode
    
    This can be extended, but already checks the basic functionality
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit ba22d291446aefbae8a02346e5b7edbc9265dc4a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 10 15:43:37 2016 +1200

    selftest: Always set up a resolv.conf and use it in samba_dnsupdate
    
    This allows samba_dnsupdate to be tested without resolv_wrapper.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit f5aaa1ea31c78060cc732a8ee176ca7ac13be865
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Aug 28 15:07:49 2015 +1200

    selftest: Ensure we write 127. addresses into DNS
    
    The --all-interfaces option is required both with and without the dns_host_file
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 26b475fb3239e5669a38a054fb42007654898bdf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Aug 13 11:34:36 2015 +1200

    samba_dnsupdate: Give the administrator more detail when DNS lookups fail
    
    This avoids treating server errors identically to name-not-present status values
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 8f1659e540e661326791c3ca25789d9c50d85298
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 11 12:37:01 2015 +1200

    samba_dnsupdate: Implement RPC <ZONE> prefix in dns_update_list
    
    This allows us to update the stub records as well as the zone itself.
    
    Based on a proposed syntax by metze.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit b1ab37ec5bfcfb66c905c7d8b756d46154d7388b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 10 12:15:04 2015 +1200

    samba_dnsupdate: Simplify logic and add more verbose debugging
    
    By reducing the indentation this code is a little clearer
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 72d5fa79a0024aa13e92d7e93d5f1ed7472b6553
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Aug 7 14:57:20 2015 +1200

    samba_dnsupdate: Allow admin to force a particular IP into samba_dnsupdate
    
    This should help in deployments behind NAT.
    
    It will also help in testing.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit e3822497c87dade49ac85374e695f0a4f10bbc70
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Mar 2 13:37:54 2015 +1300

    dns_update_list: Add in NS records
    
    This is as suggested by metze in 4383ec5b83d12bd19749582217f082cbaa31a128
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit c9aefa93c1f79e692791e4d384aca2e20e8f6f3f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Feb 26 12:29:23 2015 +1300

    samba_dnsupdate: Add a mode that calls samba-tool dns, rather than nsupdate
    
    This mode is more likely to work when we change hostname or IP
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 789ec3400773e795977c4f466872cbb81727d99a
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 25 17:26:05 2015 +0200

    samba_dnsupdate: Work around a bug in nsupdate
    
    The doio_send() function of bind fails on a short write with sendmsg().
    
    See https://bugzilla.redhat.com/show_bug.cgi?id=1250921
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit de2e955e3e9be62e3853dcc45f49adabba1e2d75
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu May 26 14:12:40 2016 +1200

    samba_dnsupdate: Fix typo in -no-substitutions name
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4b16cbda46fb2c9a41785793cb47a6035dd46629
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jun 8 11:11:15 2016 +1200

    tests/drs: cleanup some whitespace
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960

commit e37af464e1cac32091ab45c36dfda6fe7dc85748
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jun 8 14:19:42 2016 +1200

    drsuapi.idl: Add attid used in testing in idl
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960

commit 7748f680477894a9392e574d8cac41ec029dbf42
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 9 14:56:02 2016 +1200

    selftest: Check a user with only primaryGroupID is correct in samr.GetUserGroups() reply
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 57e6b80d359a062d8a9bd0b4d9dd92008b4cab03
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 9 14:55:24 2016 +1200

    selftest: Test that primaryGroupID is first in samr.GetUserGroups() reply
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit f2f6db869d70a529f192c5ca68bf83bbcd8f3065
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 9 14:54:47 2016 +1200

    selftest: Add alias membership to the tokengroups test
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 1a5f0c7a7fa11447fecc87c3c7e0aa0a3f22162a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 8 16:49:01 2016 +1200

    s4-samr: Rework GetGroupsForUser to use memberOf
    
    By reading the SID values from the memberOf links, we avoid an un-indexed search on
    the member attribute.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit d660e66a4a9fd405f45625142420937f4fafe3d0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 7 15:43:29 2016 +1200

    s4-libcli/raw: Fix compiler errors when building with --address-sanitizer
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 8d70553b72e543e833c35173a6e566d1ea0fdccd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 7 15:43:13 2016 +1200

    s4-kcc: Fix compiler errors when building with --address-sanitizer
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 47176885bfbe72bf5b8ba3a2e09e362c61454b64
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 7 15:43:01 2016 +1200

    s3-vfs/snapper: Fix compiler errors when building with --address-sanitizer
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 5e895c293f216b453b3aca9c4144589a0f2a0caf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 7 15:42:41 2016 +1200

    s3-libnet: Fix compiler errors when building with --address-sanitizer
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit c0a930249a3b5d38e0cee6d7cded0f84404c1db1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 7 15:42:33 2016 +1200

    s3-client: Fix compiler errors when building with --address-sanitizer
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit c86d508f65b6232cf7af3433e0701b3cfe9cf3a5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 7 15:42:23 2016 +1200

    libgpo: Fix compiler errors when building with --address-sanitizer
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 9dcf1d4826a1c547f722b9b78a061f3f086ed9aa
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 7 15:42:15 2016 +1200

    libcli/smb: Fix compiler errors when building with --address-sanitizer
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit afcb2b8d31c82d06f1a01de72b87209054581ad5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 8 14:46:07 2016 +1200

    selftest: Expand tokenGroups test to also compare with samr.GetGroupsForUser
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 533ded5ac6084e3d021046888597b7719052f037
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 8 14:45:47 2016 +1200

    selftest: Expand tokenGroups test to also build nested groups
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 20eb605fee55d9c57afa8579d22043a0d3d48381
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jun 9 14:56:44 2016 +1200

    s4-samr: Fix samr.QueryUserInfo level 1 primary group
    
    Because of this typo, the primary group ID was returned as 0
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 215c20b94b3dbc9c739bb78cfe83f8787d92cc76
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 31 14:54:45 2016 +1200

    samba-tool domain join: Refuse to re-join a DC with a still-valid password
    
    While the DC will eventually get back to the same state, it can take a
    while, so try harder not to overwrite our already-working account
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 2d79b61731318fc5b4db0044668f9dd90a6482f2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 3 14:50:55 2016 +1200

    samba-tool: Improve fsmo handling
    
    This makes a clear separation between data and display variables
    and improves the tests.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 9173f2027c682a85becdbed86820985c294cc049
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 1 21:27:07 2016 +1200

    selftest: Rebase DrsBaseTestCase on SambaToolCmdTest
    
    This then makes SambaToolCmdTest based on BlackboxTestCase.
    
    This allows us to use better command output testing in the fsmo tests
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 libcli/smb/smbXcli_base.c                          |   4 +-
 libgpo/gpo_fetch.c                                 |   2 +-
 librpc/idl/drsuapi.idl                             |   2 +
 python/samba/drs_utils.py                          |   3 +-
 python/samba/join.py                               | 151 ++++++++------
 python/samba/netcmd/fsmo.py                        |  80 ++++----
 python/samba/tests/blackbox/samba_dnsupdate.py     |  59 ++++++
 python/samba/tests/dns_tkey.py                     |  76 +++++++
 python/samba/tests/samba_tool/base.py              |   2 +-
 python/samba/tests/samba_tool/fsmo.py              |  22 ++-
 python/samba/tests/samba_tool/{fsmo.py => join.py} |  16 +-
 selftest/flapping                                  |   1 +
 selftest/selftest.pl                               |   1 +
 selftest/target/Samba4.pm                          |  14 +-
 source3/client/clitar.c                            |   2 +-
 source3/libnet/libnet_dssync_passdb.c              |   2 +-
 source3/modules/vfs_snapper.c                      |   8 +-
 source4/dns_server/dns_query.c                     |   4 +-
 source4/dns_server/dns_server.h                    |   4 +-
 source4/dns_server/dns_utils.c                     |   4 +-
 source4/dsdb/kcc/kcc_topology.c                    |   7 +-
 source4/dsdb/tests/python/token_group.py           | 149 +++++++++++++-
 source4/libcli/raw/rawsearch.c                     |   4 +-
 source4/rpc_server/samr/dcesrv_samr.c              | 111 ++++++++---
 source4/scripting/bin/samba_dnsupdate              | 220 +++++++++++++++++++--
 source4/selftest/tests.py                          |   4 +
 source4/setup/dns_update_list                      |   7 +
 source4/torture/drs/python/drs_base.py             |   3 +-
 source4/torture/drs/python/fsmo.py                 |  30 ++-
 source4/torture/drs/python/getnc_exop.py           |   6 +-
 30 files changed, 803 insertions(+), 195 deletions(-)
 create mode 100644 python/samba/tests/blackbox/samba_dnsupdate.py
 copy python/samba/tests/samba_tool/{fsmo.py => join.py} (61%)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 4332374..135538b 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3501,8 +3501,8 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 {
 	struct tevent_req *req;
 	struct smbXcli_req_state *state = NULL;
-	struct iovec *iov;
-	int i, num_iov;
+	struct iovec *iov = NULL;
+	int i, num_iov = 0;
 	NTSTATUS status;
 	bool defer = true;
 	struct smbXcli_session *last_session = NULL;
diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
index 07141d4..97ecd62 100644
--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -156,7 +156,7 @@ NTSTATUS gpo_fetch_files(TALLOC_CTX *mem_ctx,
 	NTSTATUS result;
 	char *server, *service, *nt_path, *unix_path;
 	char *nt_ini_path, *unix_ini_path;
-	struct cli_state *cli;
+	struct cli_state *cli = NULL;
 
 
 	result = gpo_explode_filesyspath(mem_ctx, cache_dir, gpo->file_sys_path,
diff --git a/librpc/idl/drsuapi.idl b/librpc/idl/drsuapi.idl
index 4e1e11c..67f9604 100644
--- a/librpc/idl/drsuapi.idl
+++ b/librpc/idl/drsuapi.idl
@@ -525,11 +525,13 @@ interface drsuapi
 		DRSUAPI_ATTID_systemFlags			= 0x00090177,
 		DRSUAPI_ATTID_serverReference			= 0x00090203,
 		DRSUAPI_ATTID_serverReferenceBL			= 0x00090204,
+		DRSUAPI_ATTID_nonSecurityMember			= 0x00090212,
 		DRSUAPI_ATTID_initialAuthIncoming		= 0x0009021b,
 		DRSUAPI_ATTID_initialAuthOutgoing		= 0x0009021c,
 		DRSUAPI_ATTID_wellKnownObjects			= 0x0009026a,
 		DRSUAPI_ATTID_dNSHostName			= 0x0009026b,
 		DRSUAPI_ATTID_isMemberOfPartialAttributeSet	= 0x0009027f,
+		DRSUAPI_ATTID_managedBy				= 0x0009028d,
 		DRSUAPI_ATTID_userPrincipalName			= 0x00090290,
 		DRSUAPI_ATTID_groupType				= 0x000902ee,
 		DRSUAPI_ATTID_servicePrincipalName		= 0x00090303,
diff --git a/python/samba/drs_utils.py b/python/samba/drs_utils.py
index 87c9a86..6c8afae 100644
--- a/python/samba/drs_utils.py
+++ b/python/samba/drs_utils.py
@@ -220,7 +220,8 @@ class drs_Replicate(object):
             req8.replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
                                   drsuapi.DRSUAPI_DRS_PER_SYNC |
                                   drsuapi.DRSUAPI_DRS_GET_ANC |
-                                  drsuapi.DRSUAPI_DRS_NEVER_SYNCED)
+                                  drsuapi.DRSUAPI_DRS_NEVER_SYNCED |
+                                  drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP)
             if rodc:
                 req8.replica_flags |= (
                     drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING)
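Review bot: The new DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP term in req8.replica_flags carries no comment, and the reason for it is only in the commit message (Samba does not implement the flag, but a Windows partner leaves out group memberships for an RODC without it). Please put that one-line rationale next to the flag. The flag is also set for every replication request, above the "if rodc:" branch, while the stated motivation is RODC-specific; the comment should say that sending it unconditionally is intended.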
diff --git a/python/samba/join.py b/python/samba/join.py
index 103e4d9..3532a7f 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -170,6 +170,7 @@ class dc_join(object):
         ctx.managedby = None
         ctx.subdomain = False
         ctx.adminpass = None
+        ctx.partition_dn = None
 
     def del_noerror(ctx, dn, recursive=False):
         if recursive:
@@ -185,71 +186,97 @@ class dc_join(object):
         except Exception:
             pass
 
+    def cleanup_old_accounts(ctx):
+        res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+                               expression='sAMAccountName=%s' % ldb.binary_encode(ctx.samname),
+                               attrs=["msDS-krbTgtLink", "objectSID"])
+        if len(res) == 0:
+            return
+
+        creds = Credentials()
+        creds.guess(ctx.lp)
+        try:
+            creds.set_machine_account(ctx.lp)
+            machine_samdb = SamDB(url="ldap://%s" % ctx.server,
+                                  session_info=system_session(),
+                                credentials=creds, lp=ctx.lp)
+        except:
+            pass
+        else:
+            token_res = machine_samdb.search(scope=ldb.SCOPE_BASE, base="", attrs=["tokenGroups"])
+            if token_res[0]["tokenGroups"][0] \
+               == res[0]["objectSID"][0]:
+                raise DCJoinException("Not removing account %s which "
+                                   "looks like a Samba DC account "
+                                   "maching the password we already have.  "
+                                   "To override, remove secrets.ldb and secrets.tdb"
+                                % ctx.samname)
+
+        ctx.del_noerror(res[0].dn, recursive=True)
+
+        if "msDS-Krbtgtlink" in res[0]:
+            new_krbtgt_dn = res[0]["msDS-Krbtgtlink"][0]
+            del_noerror(ctx.new_krbtgt_dn)
+
+        res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+                               expression='(&(sAMAccountName=%s)(servicePrincipalName=%s))' %
+                               (ldb.binary_encode("dns-%s" % ctx.myname),
+                                ldb.binary_encode("dns/%s" % ctx.dnshostname)),
+                               attrs=[])
+        if res:
+            ctx.del_noerror(res[0].dn, recursive=True)
+
+        res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
+                               expression='(sAMAccountName=%s)' % ldb.binary_encode("dns-%s" % ctx.myname),
+                            attrs=[])
+        if res:
+            raise DCJoinException("Not removing account %s which looks like "
+                               "a Samba DNS service account but does not "
+                               "have servicePrincipalName=%s" %
+                               (ldb.binary_encode("dns-%s" % ctx.myname),
+                                ldb.binary_encode("dns/%s" % ctx.dnshostname)))
+
+
     def cleanup_old_join(ctx):
         """Remove any DNs from a previous join."""
-        try:
-            # find the krbtgt link
-            print("checking sAMAccountName")
-            if ctx.subdomain:
-                res = None
-            else:
-                res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
-                                       expression='sAMAccountName=%s' % ldb.binary_encode(ctx.samname),
-                                       attrs=["msDS-krbTgtLink"])
-                if res:
-                    ctx.del_noerror(res[0].dn, recursive=True)
-
-                res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
-                                       expression='(&(sAMAccountName=%s)(servicePrincipalName=%s))' % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)),
-                                       attrs=[])
-                if res:
-                    ctx.del_noerror(res[0].dn, recursive=True)
-
-                res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
-                                       expression='(sAMAccountName=%s)' % ldb.binary_encode("dns-%s" % ctx.myname),
-                                       attrs=[])
-                if res:
-                    raise RuntimeError("Not removing account %s which looks like a Samba DNS service account but does not have servicePrincipalName=%s" % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)))
-
-            if ctx.connection_dn is not None:
-                ctx.del_noerror(ctx.connection_dn)
-            if ctx.krbtgt_dn is not None:
-                ctx.del_noerror(ctx.krbtgt_dn)
-            ctx.del_noerror(ctx.ntds_dn)
-            ctx.del_noerror(ctx.server_dn, recursive=True)
-            if ctx.topology_dn:
-                ctx.del_noerror(ctx.topology_dn)
-            if ctx.partition_dn:
-                ctx.del_noerror(ctx.partition_dn)
-            if res:
-                ctx.new_krbtgt_dn = res[0]["msDS-Krbtgtlink"][0]
-                ctx.del_noerror(ctx.new_krbtgt_dn)
-
-            if ctx.subdomain:
-                binding_options = "sign"
-                lsaconn = lsa.lsarpc("ncacn_ip_tcp:%s[%s]" % (ctx.server, binding_options),
-                                     ctx.lp, ctx.creds)
-
-                objectAttr = lsa.ObjectAttribute()
-                objectAttr.sec_qos = lsa.QosInfo()
-
-                pol_handle = lsaconn.OpenPolicy2(''.decode('utf-8'),
-                                                 objectAttr, security.SEC_FLAG_MAXIMUM_ALLOWED)
-
-                name = lsa.String()
-                name.string = ctx.realm
-                info = lsaconn.QueryTrustedDomainInfoByName(pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
-
-                lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
-
-                name = lsa.String()
-                name.string = ctx.forest_domain_name
-                info = lsaconn.QueryTrustedDomainInfoByName(pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
-
-                lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
+        # find the krbtgt link
+        if not ctx.subdomain:
+            ctx.cleanup_old_accounts()
+
+        if ctx.connection_dn is not None:
+            ctx.del_noerror(ctx.connection_dn)
+        if ctx.krbtgt_dn is not None:
+            ctx.del_noerror(ctx.krbtgt_dn)
+        ctx.del_noerror(ctx.ntds_dn)
+        ctx.del_noerror(ctx.server_dn, recursive=True)
+        if ctx.topology_dn:
+            ctx.del_noerror(ctx.topology_dn)
+        if ctx.partition_dn:
+            ctx.del_noerror(ctx.partition_dn)
+
+        if ctx.subdomain:
+            binding_options = "sign"
+            lsaconn = lsa.lsarpc("ncacn_ip_tcp:%s[%s]" % (ctx.server, binding_options),
+                                 ctx.lp, ctx.creds)
+
+            objectAttr = lsa.ObjectAttribute()
+            objectAttr.sec_qos = lsa.QosInfo()
+
+            pol_handle = lsaconn.OpenPolicy2(''.decode('utf-8'),
+                                             objectAttr, security.SEC_FLAG_MAXIMUM_ALLOWED)
+
+            name = lsa.String()
+            name.string = ctx.realm
+            info = lsaconn.QueryTrustedDomainInfoByName(pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+
+            lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
+
+            name = lsa.String()
+            name.string = ctx.forest_domain_name
+            info = lsaconn.QueryTrustedDomainInfoByName(pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+
+            lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
 
-        except Exception:
-            pass
 
     def promote_possible(ctx):
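Review bot: The krbtgt cleanup in cleanup_old_accounts() cannot work as written. `new_krbtgt_dn = res[0]["msDS-Krbtgtlink"][0]` assigns a local variable, and the next line calls the bare name `del_noerror(ctx.new_krbtgt_dn)`, which is not the method ctx.del_noerror and is not passed the value just read. Since the outer try/except in cleanup_old_join() is removed by this same hunk, the resulting exception will now abort the join instead of being swallowed. Suggest assigning to ctx.new_krbtgt_dn and calling ctx.del_noerror() on it. Second point: the bare `except: pass` around set_machine_account() and the SamDB connection treats every failure (not only a rejected machine password) as "no valid password" and falls through to deleting the account; catching the specific expected exceptions would keep the new safety check from being bypassed by an unrelated error. Minor: "maching" in the DCJoinException text should be "matching".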
         """confirm that the account is just a bare NT4 BDC or a member server, so can be safely promoted"""
diff --git a/python/samba/netcmd/fsmo.py b/python/samba/netcmd/fsmo.py
index 3d14939..1351654 100644
--- a/python/samba/netcmd/fsmo.py
+++ b/python/samba/netcmd/fsmo.py
@@ -42,15 +42,15 @@ def get_fsmo_roleowner(samdb, roledn, role):
                            scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
     except LdbError, (num, msg):
         if num == ldb.ERR_NO_SUCH_OBJECT:
-            return "* The '%s' role is not present in this domain" % role
+            raise CommandError("The '%s' role is not present in this domain" % role)
         raise
 
     if 'fSMORoleOwner' in res[0]:
-        master_owner = res[0]["fSMORoleOwner"][0]
-        return master_owner
+        master_owner = (ldb.Dn(samdb, res[0]["fSMORoleOwner"][0]))
     else:
-        master_owner = "* The '%s' role does not have an FSMO roleowner" % role
-        return master_owner
+        master_owner = None
+
+    return master_owner
 
 
 def transfer_dns_role(outf, sambaopts, credopts, role, samdb):
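Review bot: get_fsmo_roleowner() now has three distinct outcomes and none of them is documented in the visible lines: it raises CommandError when the role object does not exist, returns None when fSMORoleOwner is absent, and otherwise returns an ldb.Dn instead of a string. A docstring stating this contract would help, since every caller that previously tested for '*' in the returned string has to be converted. The outer parentheses in `master_owner = (ldb.Dn(samdb, res[0]["fSMORoleOwner"][0]))` are redundant.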
@@ -155,7 +155,7 @@ def transfer_role(outf, role, samdb):
     naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn()
     infrastructure_dn = "CN=Infrastructure," + domain_dn
     schema_dn = str(samdb.get_schema_basedn())
-    new_owner = samdb.get_dsServiceName()
+    new_owner = ldb.Dn(samdb, samdb.get_dsServiceName())
     m = ldb.Message()
     m.dn = ldb.Dn(samdb, "")
     if role == "rid":
@@ -191,21 +191,21 @@ def transfer_role(outf, role, samdb):
     else:
         raise CommandError("Invalid FSMO role.")
 
-    if not '*' in master_owner:
-        if master_owner != new_owner:
-            try:
-                samdb.modify(m)
-            except LdbError, (num, msg):
-                raise CommandError("Transfer of '%s' role failed: %s" %
-                                   (role, msg))
+    if master_owner is None:
+        outf.write("Cannot transfer, no DC assigned to the %s role.  Try 'seize' instead\n" % role)
+        return False
 
-            outf.write("FSMO transfer of '%s' role successful\n" % role)
-            return True
-        else:
-            outf.write("This DC already has the '%s' FSMO role\n" % role)
-            return False
+    if master_owner != new_owner:
+        try:
+            samdb.modify(m)
+        except LdbError, (num, msg):
+            raise CommandError("Transfer of '%s' role failed: %s" %
+                               (role, msg))
+
+        outf.write("FSMO transfer of '%s' role successful\n" % role)
+        return True
     else:
-        outf.write("%s\n" % master_owner)
+        outf.write("This DC already has the '%s' FSMO role\n" % role)
         return False
 
 class cmd_fsmo_seize(Command):
@@ -267,7 +267,8 @@ You must provide an Admin user and password."""),
         #first try to transfer to avoid problem if the owner is still active
         seize = False
         master_owner = get_fsmo_roleowner(samdb, m.dn, role)
-        if not '*' in master_owner:
+        # if there is a different owner
+        if master_owner is not None:
             # if there is a different owner
             if master_owner != serviceName:
                 # if --force isn't given, attempt transfer
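Review bot: the added comment `# if there is a different owner` above `if master_owner is not None:` duplicates the comment two lines below and does not describe this test, which only checks that the role has an owner at all. Reword it (for example "if the role currently has an owner") or drop it.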
@@ -322,7 +323,7 @@ You must provide an Admin user and password."""),
         #first try to transfer to avoid problem if the owner is still active
         seize = False
         master_owner = get_fsmo_roleowner(samdb, m.dn, role)
-        if not '*' in master_owner:
+        if master_owner is not None:
             # if there is a different owner
             if master_owner != serviceName:
                 # if --force isn't given, attempt transfer
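Review bot: `master_owner != serviceName` now has an ldb.Dn on the left, but this hunk does not show serviceName being converted the way new_owner is wrapped in `ldb.Dn(samdb, samdb.get_dsServiceName())` in transfer_role. Confirm serviceName is an ldb.Dn here and in the identical block in the previous hunk; otherwise the comparison mixes a Dn with a string and may treat the same DC as a different owner.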
@@ -420,24 +421,25 @@ class cmd_fsmo_show(Command):
         domaindns_dn = "CN=Infrastructure,DC=DomainDnsZones," + domain_dn
         forestdns_dn = "CN=Infrastructure,DC=ForestDnsZones," + forest_dn
 
-        infrastructureMaster = get_fsmo_roleowner(samdb, infrastructure_dn,
-                                                  "infrastructure")
-        pdcEmulator = get_fsmo_roleowner(samdb, domain_dn, "pdc")
-        namingMaster = get_fsmo_roleowner(samdb, naming_dn, "naming")
-        schemaMaster = get_fsmo_roleowner(samdb, schema_dn, "schema")
-        ridMaster = get_fsmo_roleowner(samdb, rid_dn, "rid")
-        domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn,
-                                                  "domaindns")
-        forestdnszonesMaster = get_fsmo_roleowner(samdb, forestdns_dn,
-                                                  "forestdns")
-
-        self.message("SchemaMasterRole owner: " + schemaMaster)
-        self.message("InfrastructureMasterRole owner: " + infrastructureMaster)
-        self.message("RidAllocationMasterRole owner: " + ridMaster)
-        self.message("PdcEmulationMasterRole owner: " + pdcEmulator)
-        self.message("DomainNamingMasterRole owner: " + namingMaster)
-        self.message("DomainDnsZonesMasterRole owner: " + domaindnszonesMaster)
-        self.message("ForestDnsZonesMasterRole owner: " + forestdnszonesMaster)
+        masters = [(schema_dn, "schema", "SchemaMasterRole"),
+                   (infrastructure_dn, "infrastructure", "InfrastructureMasterRole"),
+                   (rid_dn, "rid", "RidAllocationMasterRole"),
+                   (domain_dn, "pdc", "PdcEmulationMasterRole"),
+                   (naming_dn, "naming", "DomainNamingMasterRole"),
+                   (domaindns_dn, "domaindns", "DomainDnsZonesMasterRole"),
+                   (forestdns_dn, "forestdns", "ForestDnsZonesMasterRole"),
+        ]
+
+        for master in masters:
+            (dn, short_name, long_name) = master
+            try:
+                master = get_fsmo_roleowner(samdb, dn, short_name)
+                if master is not None:
+                    self.message("%s owner: %s" % (long_name, str(master)))
+                else:
+                    self.message("%s has no current owner" % (long_name))
+            except CommandError, e:
+                self.message("%s: * %s" % (long_name, e.message))
 
 class cmd_fsmo_transfer(Command):
     """Transfer the role."""
diff --git a/python/samba/tests/blackbox/samba_dnsupdate.py b/python/samba/tests/blackbox/samba_dnsupdate.py
new file mode 100644
index 0000000..852a31a
--- /dev/null
+++ b/python/samba/tests/blackbox/samba_dnsupdate.py
@@ -0,0 +1,59 @@
+# Blackbox tests for "samba_dnsupdate" command
+# Copyright (C) Kamen Mazdrashki <kamenim at samba.org> 2011
+# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2015
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import samba.tests
+
+class SambaDnsUpdateTests(samba.tests.BlackboxTestCase):
+    """Blackbox test case for samba_dnsupdate."""
+
+    def setUp(self):
+        self.server_ip = samba.tests.env_get_var_value("DNS_SERVER_IP")
+        super(SambaDnsUpdateTests, self).setUp()
+        try:
+            out = self.check_output("samba_dnsupdate --verbose")
+            self.assertTrue("Looking for DNS entry" in out)
+        except samba.tests.BlackboxProcessError:
+            pass
+
+    def test_samba_dnsupate_no_change(self):
+        out = self.check_output("samba_dnsupdate --verbose")
+        self.assertTrue("No DNS updates needed" in out)
+
+    def test_samba_dnsupate_set_ip(self):
+        try:
+            out = self.check_output("samba_dnsupdate --verbose --current-ip=10.0.0.1")
+            self.assertTrue(" DNS updates and" in out)
+            self.assertTrue(" DNS deletes needed" in out)
+        except samba.tests.BlackboxProcessError:
+            pass
+
+        try:
+            out = self.check_output("samba_dnsupdate --verbose --use-nsupdate --current-ip=10.0.0.1")
+        except samba.tests.BlackboxProcessError:
+            self.fail("Error calling samba_dnsupdate")
+
+        self.assertTrue("No DNS updates needed" in out)
+        try:
+            out = self.check_output("samba_dnsupdate --verbose --use-samba-tool --rpc-server-ip=%s" % self.server_ip)
+        except samba.tests.BlackboxProcessError:
+            self.fail("Error calling samba_dnsupdate")
+
+        self.assertTrue(" DNS updates and" in out)
+        self.assertTrue(" DNS deletes needed" in out)
+        out = self.check_output("samba_dnsupdate --verbose")
+        self.assertTrue("No DNS updates needed" in out)
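Review bot: setUp() and the first `try` in test_samba_dnsupate_set_ip catch BlackboxProcessError and `pass`, so when the command fails the assertions inside those blocks are skipped silently and the test can pass without checking the output. If a failure is expected at those points, assert on it explicitly and add a comment saying why; if not, let the exception fail the test. Both test method names spell the command as "dnsupate" and should read "dnsupdate". In setUp(), self.server_ip is assigned before `super(SambaDnsUpdateTests, self).setUp()` runs; calling the parent setUp() first is the usual order.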
diff --git a/python/samba/tests/dns_tkey.py b/python/samba/tests/dns_tkey.py
index e47a647..f424e07 100644
--- a/python/samba/tests/dns_tkey.py
+++ b/python/samba/tests/dns_tkey.py
@@ -484,4 +484,80 @@ class TestDNSUpdates(DNSTest):
         rcode = self.search_record(self.newrecname)
         self.assert_rcode_equals(rcode, dns.DNS_RCODE_NXDOMAIN)
 
+    def test_update_tsig_windows(self):
+        "test DNS update with correct TSIG record (follow Windows pattern)"
+
+        newrecname = "win" + self.newrecname
+        rr_class = dns.DNS_QCLASS_IN
+        ttl = 1200
+
+        p = self.make_name_packet(dns.DNS_OPCODE_UPDATE)
+        q = self.make_name_question(self.get_dns_domain(),
+                                    dns.DNS_QTYPE_SOA,
+                                    dns.DNS_QCLASS_IN)
+        questions = []
+        questions.append(q)
+        self.finish_name_packet(p, questions)
+
+        updates = []
+        r = dns.res_rec()
+        r.name = newrecname
+        r.rr_type = dns.DNS_QTYPE_A
+        r.rr_class = dns.DNS_QCLASS_ANY
+        r.ttl = 0
+        r.length = 0
+        updates.append(r)
+        r = dns.res_rec()
+        r.name = newrecname
+        r.rr_type = dns.DNS_QTYPE_AAAA
+        r.rr_class = dns.DNS_QCLASS_ANY
+        r.ttl = 0
+        r.length = 0
+        updates.append(r)
+        r = dns.res_rec()
+        r.name = newrecname
+        r.rr_type = dns.DNS_QTYPE_A
+        r.rr_class = rr_class
+        r.ttl = ttl
+        r.length = 0xffff
+        r.rdata = "10.1.45.64"
+        updates.append(r)
+        p.nscount = len(updates)
+        p.nsrecs = updates
+
+        prereqs = []
+        r = dns.res_rec()
+        r.name = newrecname
+        r.rr_type = dns.DNS_QTYPE_CNAME
+        r.rr_class = dns.DNS_QCLASS_NONE
+        r.ttl = 0
+        r.length = 0
+        prereqs.append(r)
+        p.ancount = len(prereqs)
+        p.answers = prereqs
+
+        (response, response_p) = self.dns_transaction_udp(p, self.server_ip)
+        self.assert_dns_rcode_equals(response, dns.DNS_RCODE_REFUSED)
+
+        self.tkey_trans()
+        mac = self.sign_packet(p, self.key_name)
+        (response, response_p) = self.dns_transaction_udp(p, self.server_ip)
+        self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
+        self.verify_packet(response, response_p, mac)
+
+        # Check the record is around
+        rcode = self.search_record(newrecname)
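Review bot: after the unsigned update is answered with DNS_RCODE_REFUSED, the visible lines go straight to tkey_trans() and the signed retry without checking that the refused update left no record behind. Add a `self.search_record(newrecname)` check expecting DNS_RCODE_NXDOMAIN between the two transactions so the test proves the unauthenticated update was rejected in effect and not only in the response code. The four res_rec blocks repeat the same five assignments; a small local helper taking name, type, class, ttl and rdata would shorten the test. The docstring would also read better in the triple-quoted form used elsewhere.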


-- 
Samba Shared Repository


