[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Fri Jul 28 02:13:03 UTC 2017
The branch, master has been updated
via 1ea6b51 s4-rpc_server: Improve debug of new endpoints
via bc48c4b s4-rpc_server: ensure we get a new endpoint for netlogon
via 0554bc2 s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified
via 88db634 s4-dsdb/netlogon: allow missing ntver in cldap ping
via 22a94b7 s4:torture/ldap: Test netlogon without NtVer
via 69f593e repl: Remove old TODO
via 50b638d getncchanges.c: Remove unused null_scope variable
via dddcf80 getnc_exop.py: Fix typo in function name
via 475a320 libnet: Initialize req_level in become_dc tests
via 4bd8467 drs_utils: HWM in 'samba-tool drs replicate --local' always zero
via 314b96e drs: support sync-forced for 'samba-tool drs replicate --local'
via 47a90dc selftest: Use get_creds_ccache_name() in fsmo.py
via e917825 selftest: Add and use new helper function get_creds_ccache_name()
via 7ad34d1 selftest: Use new --krb5-ccache in drs_base.py
via 4cc5ceb selftest: Port DrsBaseTestCase._{en,dis}able_all_repl() to self.runsubcmd()
via f7c46ed selftest: Port DrsBaseTestCase._disable_inbound_repl() to self.runsubcmd()
via cc3d836 selftest: Port DrsBaseTestCase._enable_inbound_repl() to self.runsubcmd()
via 09ce35e selftest: Port DrsBaseTestCase._net_drs_replicate() to self.runsubcmd()
via 24de78e selftest: Remove unused import in ridalloc_exop.py
via f9bd16d selftest: Use self.runsubcmd() in DrsReplicaSyncTestCase
via 6a75d4a selftest: Use self.runsubcmd() to run samba-tool for _test_force_demote in ridalloc_exop.py
via 37cf29e selftest: Use self.runsubcmd() to run samba-tool for _test_join in ridalloc_exop.py
via f7089c0 python/getopt: Add --krb5-ccache (for samba-tool etc) to match the C binaries
via dc940ad pycredentials: Add set_named_ccache()
via a5f6295 selftest: Add tests for credentials.get_named_ccache()
via 9dd8936 pycredentials: Add get_name() for a credentials cache
via 35cbed2 pycredentials: Allow optional "name" argument to get_named_ccache() to be missing
from 5445b2b s3: smbd: Modernize Avahi DEBUG macros and long if statements
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1ea6b5168f146d23d139b570084cb32ec02538fe
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 27 11:10:43 2017 +1200
s4-rpc_server: Improve debug of new endpoints
This helps us know what process model is required and what one is in use.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12939
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Jul 28 04:12:08 CEST 2017 on sn-devel-144
commit bc48c4b54b9c50d76fc967a1aa4fa013079605bc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 27 11:44:12 2017 +1200
s4-rpc_server: ensure we get a new endpoint for netlogon
If we share the single process RPC servers with the multi-process RPC servers
on the same endpoint, they will default to running in a single process
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12939
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 0554bc237f1b84d672d36781bead8b2c33f2e5a4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 25 14:26:45 2017 +1200
s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified
The previous patch set this incorrectly to NETLOGON_NT_VERSION_1
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 88db634ed84647e5105c4b4fdf37d5892bebfd8d
Author: Arvid Requate <requate at univention.de>
Date: Thu Jun 22 13:37:13 2017 +0200
s4-dsdb/netlogon: allow missing ntver in cldap ping
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11392
Signed-off-by: Arvid Requate <requate at univention.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 22a94b728bd5d513b2002b62c129271d2210ed73
Author: Arvid Requate <requate at univention.de>
Date: Tue Jun 20 20:05:17 2017 +0200
s4:torture/ldap: Test netlogon without NtVer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11392
Signed-off-by: Arvid Requate <requate at univention.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 69f593ec5a89411fb3e2cbf62f2092c3073fa0f7
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Jun 20 13:14:43 2017 +1200
repl: Remove old TODO
This TODO was added in 2007 before we supported linked attributes.
It's no longer relevant.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 50b638d15cceafc4f3e78d1fab8c7ed0a6e44a1f
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Jun 12 11:20:54 2017 +1200
getncchanges.c: Remove unused null_scope variable
This was added in 4cc6b5a69b1f94d96a73ac1 but the very next commit
(f1c6bab60e52624f5f3) removed where it was set, which meant the variable
was always false and seemingly pointless.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dddcf80660dd883ee24a1dfa13fd5cfe4cd49e62
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed Jun 7 11:13:52 2017 +1200
getnc_exop.py: Fix typo in function name
This drove me crazy when I tried to search for it.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 475a3206461f5458059f8f530b45f0b1ae636739
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Jun 19 10:26:48 2017 +1200
libnet: Initialize req_level in become_dc tests
The net.api.become.dc tests would always pass the request into
libnet_vampire_cb_store_chunk() with req_level=0, which meant that
storing the chunk didn't use the correct replica_flags/exop.
I noticed this problem when working on client-side support for GET_TGT.
My changes relied on the critical-only request flag being passed down
into replmd, but because the request flags weren't passed correctly, my
changes caused the become_dc tests to fail.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4bd8467018eee181588c13490edbea26b488ee36
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed Jun 7 16:56:18 2017 +1200
drs_utils: HWM in 'samba-tool drs replicate --local' always zero
The code to check for the 'repsFrom' highwatermark didn't have any
effect because the hwm variable was overwritten (initialized to all
zeroes) further down.
Using a zero HWM probably wouldn't have impacted functionality because
we were still correctly using the uptodatenessvector, which should
avoid a full replication.
This was introduced in commit e2ba17d26af42974e5d, presumably by
accident.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 314b96e18371e92cde8172c3f3739b52970ee2d7
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon May 29 17:06:55 2017 +1200
drs: support sync-forced for 'samba-tool drs replicate --local'
The sync-forced option wasn't being passed into the replication request
when the --local option was used. This meant if outbound replication
were disabled on the target DC, then the replicate --local command would
fail.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 47a90dcc570b24665dc116586ce13d0ffbb3a3c6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 16:31:15 2017 +1200
selftest: Use get_creds_ccache_name() in fsmo.py
This avoids a new kinit for every role transfer
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit e91782541e1e814772fa4bcfaad85d354b53a3a5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 16:29:14 2017 +1200
selftest: Add and use new helper function get_creds_ccache_name()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 7ad34d120614f2449816025fc84a1ecb4979222b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 16:25:19 2017 +1200
selftest: Use new --krb5-ccache in drs_base.py
This means that instead of doing a new kinit, the process-wide ccache
is re-used, which is much faster.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 4cc5ceb297e310f749d7449b38207dd70554a009
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 16:11:12 2017 +1200
selftest: Port DrsBaseTestCase._{en,dis}able_all_repl() to self.runsubcmd()
This avoids forking a subprocess with self.check_run()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f7c46ed56c1473f3faa58a4e3e588451b84776b2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 16:09:54 2017 +1200
selftest: Port DrsBaseTestCase._disable_inbound_repl() to self.runsubcmd()
This avoids forking a subprocess with self.check_run()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit cc3d83677bdf7330aa37e47ce95cf26546b90ad5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 16:01:56 2017 +1200
selftest: Port DrsBaseTestCase._enable_inbound_repl() to self.runsubcmd()
This avoids forking a subprocess with self.check_run()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 09ce35ecf30863e131401c9d8d58274402d427c1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 15:25:36 2017 +1200
selftest: Port DrsBaseTestCase._net_drs_replicate() to self.runsubcmd()
This avoids forking a subprocess with self.check_run()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 24de78e16ae213041f3bc3eab66ae5f386b19c38
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 15:06:10 2017 +1200
selftest: Remove unused import in ridalloc_exop.py
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f9bd16d8f38db61b095e238cb32110719dea56c3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 7 12:53:25 2017 +1200
selftest: Use self.runsubcmd() in DrsReplicaSyncTestCase
This will allow catching the correct error messages and failure when _net_drs_replicate()
is reworked to not use a subprocess.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 6a75d4a8cf3faa2d81835abae6c5a58246fa12b0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 15:05:08 2017 +1200
selftest: Use self.runsubcmd() to run samba-tool for _test_force_demote in ridalloc_exop.py
This is the standard way to run samba-tool from in the test scripts and allows
assertion that the command ran as expected
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 37cf29ef7dcad72f606b293aba59f8293d7a8ae2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 15:02:00 2017 +1200
selftest: Use self.runsubcmd() to run samba-tool for _test_join in ridalloc_exop.py
This is the standard way to run samba-tool from in the test scripts and allows
assertion that the command ran as expected
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f7089c0262e629ee3f321207ff1f6e3246af5f3b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 14:52:39 2017 +1200
python/getopt: Add --krb5-ccache (for samba-tool etc) to match the C binaries
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit dc940ad0e0dfd62d4c7375edaa6bf70a2c9efe1e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 14:51:22 2017 +1200
pycredentials: Add set_named_ccache()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit a5f62958cccdef7f4938f64c1033cd263b1f2e0e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 14:48:39 2017 +1200
selftest: Add tests for credentials.get_named_ccache()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 9dd89361c2bca656ee113b25f41c8a9fb3bbabeb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 14:47:01 2017 +1200
pycredentials: Add get_name() for a credentials cache
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 35cbed2934ded2ea1ebc27b893526e3d7d2da6de
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 6 14:44:46 2017 +1200
pycredentials: Allow optional "name" argument to get_named_ccache() to be missing
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/pycredentials.c | 77 ++++++++++++++++++-
python/samba/drs_utils.py | 18 +++--
python/samba/getopt.py | 7 ++
python/samba/netcmd/drs.py | 9 ++-
python/samba/tests/__init__.py | 7 ++
python/samba/tests/krb5_credentials.py | 112 ++++++++++++++++++++++++++++
source4/dsdb/repl/replicated_objects.c | 2 -
source4/dsdb/samdb/ldb_modules/netlogon.c | 6 +-
source4/libnet/libnet_become_dc.c | 2 +-
source4/rpc_server/dcerpc_server.c | 23 +++++-
source4/rpc_server/drsuapi/getncchanges.c | 3 +-
source4/rpc_server/service_rpc.c | 16 ++++
source4/selftest/tests.py | 3 +
source4/torture/drs/python/drs_base.py | 70 ++++++++++-------
source4/torture/drs/python/fsmo.py | 5 +-
source4/torture/drs/python/getnc_exop.py | 14 ++--
source4/torture/drs/python/replica_sync.py | 23 ++++--
source4/torture/drs/python/ridalloc_exop.py | 29 ++++---
source4/torture/ldap/netlogon.c | 48 ++++++++++++
19 files changed, 392 insertions(+), 82 deletions(-)
create mode 100644 python/samba/tests/krb5_credentials.py
Changeset truncated at 500 lines:
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index caf30bf..638ae8d 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -31,6 +31,8 @@
#include <tevent.h>
#include "libcli/auth/libcli_auth.h"
#include "auth/credentials/credentials_internal.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
void initcredentials(void);
@@ -526,7 +528,7 @@ static PyObject *PyCredentialCacheContainer_from_ccache_container(struct ccache_
static PyObject *py_creds_get_named_ccache(PyObject *self, PyObject *args)
{
PyObject *py_lp_ctx = Py_None;
- char *ccache_name;
+ char *ccache_name = NULL;
struct loadparm_context *lp_ctx;
struct ccache_container *ccc;
struct tevent_context *event_ctx;
@@ -569,6 +571,48 @@ static PyObject *py_creds_get_named_ccache(PyObject *self, PyObject *args)
return NULL;
}
+static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
+{
+ struct loadparm_context *lp_ctx = NULL;
+ enum credentials_obtained obt = CRED_SPECIFIED;
+ const char *error_string = NULL;
+ TALLOC_CTX *mem_ctx = NULL;
+ char *newval = NULL;
+ PyObject *py_lp_ctx = Py_None;
+ int _obt = obt;
+ int ret;
+
+ if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
+ return NULL;
+
+ mem_ctx = talloc_new(NULL);
+ if (mem_ctx == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
+ if (lp_ctx == NULL) {
+ talloc_free(mem_ctx);
+ return NULL;
+ }
+
+ ret = cli_credentials_set_ccache(PyCredentials_AsCliCredentials(self),
+ lp_ctx,
+ newval, CRED_SPECIFIED,
+ &error_string);
+
+ if (ret != 0) {
+ PyErr_SetString(PyExc_RuntimeError,
+ error_string != NULL ? error_string : "NULL");
+ talloc_free(mem_ctx);
+ return NULL;
+ }
+
+ talloc_free(mem_ctx);
+ Py_RETURN_NONE;
+}
+
static PyObject *py_creds_set_gensec_features(PyObject *self, PyObject *args)
{
unsigned int gensec_features;
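Review bot: in py_creds_set_named_ccache() the optional "obtained" argument is parsed into _obt but never used; the call to cli_credentials_set_ccache() passes the literal CRED_SPECIFIED, so a caller-supplied value is silently ignored. Either pass _obt (cast to enum credentials_obtained) in place of CRED_SPECIFIED, or drop the "i" from the "s|iO" format along with the obt/_obt locals so the accepted arguments match what the function does.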
@@ -754,6 +798,9 @@ static PyMethodDef py_creds_methods[] = {
{ "guess", py_creds_guess, METH_VARARGS, NULL },
{ "set_machine_account", py_creds_set_machine_account, METH_VARARGS, NULL },
{ "get_named_ccache", py_creds_get_named_ccache, METH_VARARGS, NULL },
+ { "set_named_ccache", py_creds_set_named_ccache, METH_VARARGS,
+ "S.set_named_ccache(krb5_ccache_name, obtained, lp) -> None\n"
+ "Set credentials to KRB5 Credentials Cache (by name)." },
{ "set_gensec_features", py_creds_set_gensec_features, METH_VARARGS, NULL },
{ "get_gensec_features", py_creds_get_gensec_features, METH_NOARGS, NULL },
{ "get_forced_sasl_mech", py_creds_get_forced_sasl_mech, METH_NOARGS,
@@ -793,10 +840,38 @@ PyTypeObject PyCredentials = {
.tp_methods = py_creds_methods,
};
+static PyObject *py_ccache_name(PyObject *self, PyObject *unused)
+{
+ struct ccache_container *ccc = NULL;
+ char *name = NULL;
+ PyObject *py_name = NULL;
+ int ret;
+
+ ccc = pytalloc_get_type(self, struct ccache_container);
+
+ ret = krb5_cc_get_full_name(ccc->smb_krb5_context->krb5_context,
+ ccc->ccache, &name);
+ if (ret == 0) {
+ py_name = PyString_FromStringOrNULL(name);
+ SAFE_FREE(name);
+ } else {
+ PyErr_SetString(PyExc_RuntimeError,
+ "Failed to get ccache name");
+ return NULL;
+ }
+ return py_name;
+}
+
+static PyMethodDef py_ccache_container_methods[] = {
+ { "get_name", py_ccache_name, METH_NOARGS,
+ "S.get_name() -> name\nObtain KRB5 credentials cache name." },
+ { NULL }
+};
PyTypeObject PyCredentialCacheContainer = {
.tp_name = "credentials.CredentialCacheContainer",
.tp_flags = Py_TPFLAGS_DEFAULT,
+ .tp_methods = py_ccache_container_methods,
};
MODULE_INIT_FUNC(credentials)
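Review bot: py_ccache_name() dereferences ccc->smb_krb5_context and ccc->ccache without checking the result of pytalloc_get_type(), which is NULL when self is not a struct ccache_container. Add a NULL check that sets an exception and returns NULL before the krb5_cc_get_full_name() call. The function would also read more directly with the ret != 0 error return first and the success path unindented after it.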
diff --git a/python/samba/drs_utils.py b/python/samba/drs_utils.py
index 8624f3f..b9ed059 100644
--- a/python/samba/drs_utils.py
+++ b/python/samba/drs_utils.py
@@ -200,7 +200,7 @@ class drs_Replicate(object):
def replicate(self, dn, source_dsa_invocation_id, destination_dsa_guid,
schema=False, exop=drsuapi.DRSUAPI_EXOP_NONE, rodc=False,
- replica_flags=None, full_sync=True):
+ replica_flags=None, full_sync=True, sync_forced=False):
'''replicate a single DN'''
# setup for a GetNCChanges call
@@ -211,7 +211,13 @@ class drs_Replicate(object):
req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
req8.naming_context.dn = dn
+ # Default to a full replication if we don't find an upToDatenessVector
udv = None
+ hwm = drsuapi.DsReplicaHighWaterMark()
+ hwm.tmp_highest_usn = 0
+ hwm.reserved_usn = 0
+ hwm.highest_usn = 0
+
if not full_sync:
res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE,
attrs=["repsFrom"])
@@ -238,12 +244,6 @@ class drs_Replicate(object):
udv.cursors = cursors_v1
udv.count = len(cursors_v1)
- # If we can't find an upToDateVector, or where told not to, replicate fully
- hwm = drsuapi.DsReplicaHighWaterMark()
- hwm.tmp_highest_usn = 0
- hwm.reserved_usn = 0
- hwm.highest_usn = 0
-
req8.highwatermark = hwm
req8.uptodateness_vector = udv
@@ -262,6 +262,10 @@ class drs_Replicate(object):
drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING)
else:
req8.replica_flags |= drsuapi.DRSUAPI_DRS_WRIT_REP
+
+ if sync_forced:
+ req8.replica_flags |= drsuapi.DRSUAPI_DRS_SYNC_FORCED
+
req8.max_object_count = 402
req8.max_ndr_size = 402116
req8.extended_op = exop
diff --git a/python/samba/getopt.py b/python/samba/getopt.py
index 9e1fb83..4f1c602 100644
--- a/python/samba/getopt.py
+++ b/python/samba/getopt.py
@@ -158,6 +158,10 @@ class CredentialsOptions(optparse.OptionGroup):
action="callback",
help="Use stored machine account password",
callback=self._set_machine_pass)
+ self._add_option("--krb5-ccache", metavar="KRB5CCNAME",
+ action="callback", type=str,
+ help="Kerberos Credentials cache",
+ callback=self._set_krb5_ccache)
self.creds = Credentials()
def _add_option(self, *args1, **kwargs):
@@ -198,6 +202,9 @@ class CredentialsOptions(optparse.OptionGroup):
def _set_simple_bind_dn(self, option, opt_str, arg, parser):
self.creds.set_bind_dn(arg)
+ def _set_krb5_ccache(self, option, opt_str, arg, parser):
+ self.creds.set_named_ccache(arg)
+
def get_credentials(self, lp, fallback_machine=False):
"""Obtain the credentials set on the command-line.
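Review bot: _set_krb5_ccache() calls self.creds.set_named_ccache(arg) unguarded, and the C binding added in this changeset raises RuntimeError when the cache cannot be set, so a bad --krb5-ccache value would surface as a traceback out of option parsing. Consider catching the exception in the callback and raising optparse.OptionValueError that names the option and carries the error string.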
diff --git a/python/samba/netcmd/drs.py b/python/samba/netcmd/drs.py
index b9b876a..e1886b9 100644
--- a/python/samba/netcmd/drs.py
+++ b/python/samba/netcmd/drs.py
@@ -241,7 +241,8 @@ class cmd_drs_kcc(Command):
-def drs_local_replicate(self, SOURCE_DC, NC, full_sync=False, single_object=False):
+def drs_local_replicate(self, SOURCE_DC, NC, full_sync=False, single_object=False,
+ sync_forced=False):
'''replicate from a source DC to the local SAM'''
self.server = SOURCE_DC
@@ -284,7 +285,7 @@ def drs_local_replicate(self, SOURCE_DC, NC, full_sync=False, single_object=Fals
(num_objects, num_links) = repl.replicate(NC,
source_dsa_invocation_id, destination_dsa_guid,
rodc=rodc, full_sync=full_sync,
- exop=exop)
+ exop=exop, sync_forced=sync_forced)
except Exception, e:
raise CommandError("Error replicating DN %s" % NC, e)
self.samdb.transaction_commit()
@@ -332,7 +333,9 @@ class cmd_drs_replicate(Command):
self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
if local:
- drs_local_replicate(self, SOURCE_DC, NC, full_sync=full_sync, single_object=single_object)
+ drs_local_replicate(self, SOURCE_DC, NC, full_sync=full_sync,
+ single_object=single_object,
+ sync_forced=sync_forced)
return
if local_online:
diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
index 07c68c4..2ddfd9d 100644
--- a/python/samba/tests/__init__.py
+++ b/python/samba/tests/__init__.py
@@ -67,6 +67,13 @@ class TestCase(unittest.TestCase):
def get_credentials(self):
return cmdline_credentials
+ def get_creds_ccache_name(self):
+ creds = self.get_credentials()
+ ccache = creds.get_named_ccache(self.get_loadparm())
+ ccache_name = ccache.get_name()
+
+ return ccache_name
+
def hexdump(self, src):
N = 0
result = ''
diff --git a/python/samba/tests/krb5_credentials.py b/python/samba/tests/krb5_credentials.py
new file mode 100644
index 0000000..cad19da
--- /dev/null
+++ b/python/samba/tests/krb5_credentials.py
@@ -0,0 +1,112 @@
+# Integration tests for pycredentials
+#
+# Copyright (C) Catalyst IT Ltd. 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from samba.tests import TestCase, delete_force
+import os
+
+import samba
+from samba.auth import system_session
+from samba.credentials import (
+ Credentials,
+)
+from samba.dsdb import (
+ UF_WORKSTATION_TRUST_ACCOUNT,
+ UF_PASSWD_NOTREQD,
+ UF_NORMAL_ACCOUNT)
+from samba.samdb import SamDB
+
+"""KRB5 Integration tests for pycredentials.
+
+Seperated from py_credentials so as to allow running against just one
+environment so we know the server that we add the user on will be our
+KDC
+
+"""
+
+MACHINE_NAME = "krb5credstest"
+
+class PyKrb5CredentialsTests(TestCase):
+
+ def setUp(self):
+ super(PyKrb5CredentialsTests, self).setUp()
+
+ self.server = os.environ["SERVER"]
+ self.domain = os.environ["DOMAIN"]
+ self.host = os.environ["SERVER_IP"]
+ self.lp = self.get_loadparm()
+
+ self.credentials = self.get_credentials()
+
+ self.session = system_session()
+ self.ldb = SamDB(url="ldap://%s" % self.host,
+ session_info=self.session,
+ credentials=self.credentials,
+ lp=self.lp)
+
+ self.create_machine_account()
+
+
+ def tearDown(self):
+ super(PyKrb5CredentialsTests, self).tearDown()
+ delete_force(self.ldb, self.machine_dn)
+
+ def test_get_named_ccache(self):
+ name = "MEMORY:py_creds_machine"
+ ccache = self.machine_creds.get_named_ccache(self.lp,
+ name)
+ self.assertEqual(ccache.get_name(), name)
+
+ def test_get_unnamed_ccache(self):
+ ccache = self.machine_creds.get_named_ccache(self.lp)
+ self.assertIsNotNone(ccache.get_name())
+
+ def test_set_named_ccache(self):
+ ccache = self.machine_creds.get_named_ccache(self.lp)
+
+ creds = Credentials()
+ creds.set_named_ccache(ccache.get_name())
+
+ ccache2 = creds.get_named_ccache(self.lp)
+ self.assertEqual(ccache.get_name(), ccache2.get_name())
+
+ #
+ # Create the machine account
+ def create_machine_account(self):
+ self.machine_pass = samba.generate_random_password(32, 32)
+ self.machine_name = MACHINE_NAME
+ self.machine_dn = "cn=%s,%s" % (self.machine_name, self.ldb.domain_dn())
+
+ # remove the account if it exists, this will happen if a previous test
+ # run failed
+ delete_force(self.ldb, self.machine_dn)
+
+ utf16pw = unicode(
+ '"' + self.machine_pass.encode('utf-8') + '"', 'utf-8'
+ ).encode('utf-16-le')
+ self.ldb.add({
+ "dn": self.machine_dn,
+ "objectclass": "computer",
+ "sAMAccountName": "%s$" % self.machine_name,
+ "userAccountControl":
+ str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
+ "unicodePwd": utf16pw})
+
+ self.machine_creds = Credentials()
+ self.machine_creds.guess(self.get_loadparm())
+ self.machine_creds.set_password(self.machine_pass)
+ self.machine_creds.set_username(self.machine_name + "$")
+ self.machine_creds.set_workstation(self.machine_name)
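Review bot: the triple-quoted "KRB5 Integration tests for pycredentials" string sits after the import block, so it is a bare string expression and not the module docstring; move it directly under the licence header, and correct "Seperated" to "Separated" while there. UF_NORMAL_ACCOUNT is imported but not used anywhere in the file and can be dropped. In tearDown(), consider calling delete_force() before super().tearDown() so the machine account is removed while the test's own state is still in place.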
diff --git a/source4/dsdb/repl/replicated_objects.c b/source4/dsdb/repl/replicated_objects.c
index e5fec1f..862fafa 100644
--- a/source4/dsdb/repl/replicated_objects.c
+++ b/source4/dsdb/repl/replicated_objects.c
@@ -835,8 +835,6 @@ WERROR dsdb_replicated_objects_commit(struct ldb_context *ldb,
return WERR_NOT_ENOUGH_MEMORY;
}
- /* TODO: handle linked attributes */
-
/* wrap the extended operation in a transaction
See [MS-DRSR] 3.3.2 Transactions
*/
diff --git a/source4/dsdb/samdb/ldb_modules/netlogon.c b/source4/dsdb/samdb/ldb_modules/netlogon.c
index c5f194d..80599b8 100644
--- a/source4/dsdb/samdb/ldb_modules/netlogon.c
+++ b/source4/dsdb/samdb/ldb_modules/netlogon.c
@@ -425,7 +425,7 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
*domain_guid = NULL;
*domain_sid = NULL;
*acct_control = -1;
- *version = -1;
+ *version = NETLOGON_NT_VERSION_5;
if (tree->operation != LDB_OP_AND) goto failed;
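Review bot: the new default "*version = NETLOGON_NT_VERSION_5;" in parse_netlogon_request() carries no comment explaining why 5 is the fallback when the filter has no NtVer. A one-line comment at the assignment saying this matches Windows 2012R2 behaviour, as the commit message states, would keep the reason with the code now that the later "*version == -1" failure check is removed.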
@@ -486,10 +486,6 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
*domain = lpcfg_dnsdomain(lp_ctx);
}
- if (*version == -1) {
- goto failed;
- }
-
return NT_STATUS_OK;
failed:
diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c
index 43a3209..e9153a0 100644
--- a/source4/libnet/libnet_become_dc.c
+++ b/source4/libnet/libnet_become_dc.c
@@ -2673,7 +2673,7 @@ static WERROR becomeDC_drsuapi_pull_partition_recv(struct libnet_BecomeDC_state
struct libnet_BecomeDC_Partition *partition,
struct drsuapi_DsGetNCChanges *r)
{
- uint32_t req_level = 0;
+ uint32_t req_level = r->in.level;
struct drsuapi_DsGetNCChangesRequest5 *req5 = NULL;
struct drsuapi_DsGetNCChangesRequest8 *req8 = NULL;
struct drsuapi_DsGetNCChangesRequest10 *req10 = NULL;
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index ef02e32..6a985c5 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -275,7 +275,8 @@ _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
enum dcerpc_transport_t transport;
char *ep_string = NULL;
bool use_single_process = true;
-
+ const char *ep_process_string;
+
/*
* If we are not using handles, there is no need for force
* this service into using a single process.
@@ -354,8 +355,15 @@ _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
* If we have mulitiple endpoints on port 0, they each
* get an epemeral port (currently by walking up from
* 1024).
+ *
+ * Because one endpoint can only have one process
+ * model, we add a new IP_TCP endpoint for each model.
+ *
+ * This woks in conjunction with the forced overwrite
+ * of ep->use_single_process below.
*/
- if (!use_single_process && transport == NCACN_IP_TCP) {
+ if (ep->use_single_process != use_single_process
+ && transport == NCACN_IP_TCP) {
add_ep = true;
}
}
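Review bot: typo in the added comment, "This woks in conjunction" should read "This works in conjunction". The comment also refers to a forced overwrite of ep->use_single_process "below" that is some distance away from this condition; naming the exact assignment it depends on would make the coupling easier to follow for the next reader.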
@@ -437,8 +445,15 @@ _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
/* Re-get the string as we may have set a port */
ep_string = dcerpc_binding_string(dce_ctx, ep->ep_description);
- DEBUG(4,("dcesrv_interface_register: interface '%s' registered on endpoint '%s'\n",
- iface->name, ep_string));
+ if (use_single_process) {
+ ep_process_string = "single process required";
+ } else {
+ ep_process_string = "multi process compatible";
+ }
+
+ DBG_INFO("dcesrv_interface_register: interface '%s' "
+ "registered on endpoint '%s' (%s)\n",
+ iface->name, ep_string, ep_process_string);
TALLOC_FREE(ep_string);
return NT_STATUS_OK;
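Review bot: the DBG_INFO() format string still begins with the literal "dcesrv_interface_register: ", but the DBG_* macros already prefix each message with the function name, so the name will be logged twice; drop the literal prefix. The change from DEBUG(4, ...) to DBG_INFO also moves this message from level 4 to level 5, which is worth stating in the commit message if it is intended.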
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index a2063aa..096162d 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -2022,7 +2022,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
uint32_t link_total = 0;
uint32_t link_given = 0;
struct ldb_dn *search_dn = NULL;
- bool am_rodc, null_scope=false;
+ bool am_rodc;
enum security_user_level security_level;
struct ldb_context *sam_ctx;
struct dom_sid *user_sid;
@@ -2553,7 +2553,6 @@ allowed:
for (i=getnc_state->num_processed;
i<getnc_state->num_records &&
- !null_scope &&
(r->out.ctr->ctr6.object_count < max_objects)
&& !max_wait_reached;
i++) {
diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
index 44c0d53..3ff9f6f 100644
--- a/source4/rpc_server/service_rpc.c
+++ b/source4/rpc_server/service_rpc.c
@@ -81,6 +81,10 @@ static void dcesrv_task_init(struct task_server *task)
enum dcerpc_transport_t transport =
dcerpc_binding_get_transport(e->ep_description);
+ const char *transport_str
+ = derpc_transport_string_by_transport(transport);
+
+ struct dcesrv_if_list *iface_list;
/*
--
Samba Shared Repository