[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Jul 11 03:20:06 UTC 2018
The branch, master has been updated
via 5c58ccb wscript: Add --with-system-heimdalkrb5
via 0940f85 WHATSNEW: Added entries for PSOs, domain backup/restore, and rename
from 36b4b56 pass 'rdonly' or 'directory' flag to open a directory file.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5c58ccba71022e165b2617674a1225ec9b960183
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 10 14:51:02 2018 -0700
wscript: Add --with-system-heimdalkrb5
Add the configure option --with-system-heimdalkrb5 to build Samba
explicitly with a system Heimdal kerberos library. This does the same as
the more complicated syntax
--bundled-libraries='!heimdal,!asn1,!com_err,!roken,!hx509,!wind,!gssapi,!hcrypto,!krb5,!heimbase,!asn1_compile,!compile_et,!kdc,!hdb,!heimntlm'
and it also enforces the conflicts with MIT Kerberos and the AD DC
build.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Jul 11 05:18:59 CEST 2018 on sn-devel-144
commit 0940f8560fc67caf79c1b4090bf6cbfc644ddc93
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed Jul 11 10:15:12 2018 +1200
WHATSNEW: Added entries for PSOs, domain backup/restore, and rename
Added WHATSNEW blurbs for the following features:
- Password Settings Objects
- Domain backup and restore
- Domain rename tool
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 51 ++++++++++++++++++++++++++++++++++++
buildtools/wafsamba/samba_bundled.py | 2 ++
buildtools/wafsamba/wscript | 1 +
wscript | 20 ++++++++++++++
4 files changed, 74 insertions(+)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5ddf7c4..7823612 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -112,6 +112,57 @@ samba has not been built with the --without-ldb-lmdb option.
Please note this is an experimental feature and is not recommended for
production deployments.
+Password Settings Objects
+-------------------------
+Support has been added for Password Settings Objects (PSOs). This AD feature is
+also known as Fine-Grained Password Policies (FGPP).
+
+PSOs allow AD administrators to override the domain password policy settings
+for specific users, or groups of users. For example, PSOs can force certain
+users to have longer password lengths, or relax the complexity constraints for
+other users, and so on. PSOs can be applied to groups or to individual users.
+When multiple PSOs apply to the same user, essentially the PSO with the best
+precedence takes effect.
+
+PSOs can be configured and applied to users/groups using the 'samba-tool domain
+passwordsettings pso' set of commands.
+
+Domain backup and restore
+-------------------------
+A new samba-tool command has been added that allows administrators to create a
+backup-file of their domain DB. In the event of a catastrophic failure of the
+domain, this backup-file can be used to restore Samba services.
+
+The new 'samba-tool domain backup online' command takes a snapshot of the
+domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
+in the domain should be taken offline, and the backup-file can then be used to
+recreate a fresh new DC, using the 'samba-tool domain backup restore' command.
+Once the backed-up domain DB has been restored on the new DC, other DCs can
+then subsequently be joined to the new DC, in order to repopulate the Samba
+network.
+
+Domain rename tool
+------------------
+Basic support has been added for renaming a Samba domain. The rename feature is
+designed for the following cases:
+1). Running a temporary alternate domain, in the event of a catastrophic
+failure of the regular domain. Using a completely different domain name and
+realm means that the original domain and the renamed domain can both run at the
+same time, without interfering with each other. This is an advantage over
+creating a regular 'online' backup - it means the renamed/alternate domain can
+provide core Samba network services, while trouble-shooting the fault on the
+original domain can be done in parallel.
+2). Creating a realistic lab domain or pre-production domain for testing.
+
+Note that the renamed tool is currently not intended to support a long-term
+rename of the production domain. Currently renaming the GPOs is not supported
+and would need to be done manually.
+
+The domain rename is done in two steps: first, the 'samba-tool domain backup
+rename' command will clone the domain DB, renaming it in the process, and
+producing a backup-file. Then, the 'samba-tool domain backup restore' command
+takes the backup-file and restores the renamed DB to disk on a fresh DC.
+
REMOVED FEATURES
================
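Review bot: in the "Domain rename tool" section, "Note that the renamed tool is currently not intended to support" should read "the rename tool", matching the section heading. In the PSO section, "essentially the PSO with the best precedence takes effect" leaves it open what "best" means; the entry should say how precedence values are compared when several PSOs apply to one user, since that decides which password policy an administrator actually ends up enforcing.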
diff --git a/buildtools/wafsamba/samba_bundled.py b/buildtools/wafsamba/samba_bundled.py
index aa6199e..253d604 100644
--- a/buildtools/wafsamba/samba_bundled.py
+++ b/buildtools/wafsamba/samba_bundled.py
@@ -85,6 +85,8 @@ def minimum_library_version(conf, libname, default):
@conf
def LIB_MAY_BE_BUNDLED(conf, libname):
+ if libname in conf.env.SYSTEM_LIBS:
+ return False
if libname in conf.env.BUNDLED_LIBS:
return True
if '!%s' % libname in conf.env.BUNDLED_LIBS:
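Review bot: the new SYSTEM_LIBS test at the top of LIB_MAY_BE_BUNDLED returns False before conf.env.BUNDLED_LIBS is consulted, so a library that is listed explicitly in BUNDLED_LIBS is silently treated as not bundled once its name is also in SYSTEM_LIBS. Either raise a configure error when a name appears in both lists, or add a comment above the check saying that SYSTEM_LIBS deliberately takes priority over BUNDLED_LIBS.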
diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
index 1567c4b..0eef330 100644
--- a/buildtools/wafsamba/wscript
+++ b/buildtools/wafsamba/wscript
@@ -269,6 +269,7 @@ def configure(conf):
conf.env.MODULESDIR = Options.options.MODULESDIR
conf.env.PRIVATELIBDIR = Options.options.PRIVATELIBDIR
conf.env.BUNDLED_LIBS = Options.options.BUNDLED_LIBS.split(',')
+ conf.env.SYSTEM_LIBS = ()
conf.env.PRIVATE_LIBS = Options.options.PRIVATE_LIBS.split(',')
conf.env.BUILTIN_LIBRARIES = Options.options.BUILTIN_LIBRARIES.split(',')
conf.env.NONSHARED_BINARIES = Options.options.NONSHARED_BINARIES.split(',')
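Review bot: conf.env.SYSTEM_LIBS is initialised as an empty tuple, while the neighbouring BUNDLED_LIBS, PRIVATE_LIBS, BUILTIN_LIBRARIES and NONSHARED_BINARIES are all lists produced by split(','). The top-level wscript in this same change extends it with "conf.env.SYSTEM_LIBS += (...)", which depends on the right-hand side also being a tuple. Initialising it as [] and extending with a list would keep the types consistent with the other settings; otherwise add a short comment saying why a tuple is intended.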
diff --git a/wscript b/wscript
index b1b69c1..19fc6d1 100644
--- a/wscript
+++ b/wscript
@@ -62,6 +62,14 @@ def set_options(opt):
dest='with_system_mitkdc',
default=None)
+ opt.add_option('--with-system-heimdalkrb5',
+ help=('build Samba with system Heimdal Kerberos. ' +
+ 'Requires --without-ad-dc' and
+ 'conflicts with --with-system-mitkrb5'),
+ action='store_true',
+ dest='with_system_heimdalkrb5',
+ default=False)
+
opt.add_option('--without-ad-dc',
help='disable AD DC functionality (enables only Samba FS (File Server, Winbind, NMBD) and client utilities.',
action='store_true', dest='without_ad_dc', default=False)
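Review bot: the help text for --with-system-heimdalkrb5 joins its pieces with the Python operator "and" after 'Requires --without-ad-dc' instead of keeping the word inside the string. Because "+" binds tighter than "and" and a non-empty string is truthy, the whole expression evaluates to just 'conflicts with --with-system-mitkrb5', so the description and the --without-ad-dc requirement never appear in the --help output. Move the word into the literal, for example 'Requires --without-ad-dc and ' + 'conflicts with --with-system-mitkrb5'.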
@@ -206,6 +214,18 @@ def configure(conf):
if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5):
conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)
+ if Options.options.with_system_heimdalkrb5:
+ if Options.options.with_system_mitkrb5:
+ raise Utils.WafError('--with-system-heimdalkrb5 conflicts with ' +
+ '--with-system-mitkrb5')
+ if not Options.options.without_ad_dc:
+ raise Utils.WafError('--with-system-heimdalkrb5 requires ' +
+ '--without-ad-dc')
+ conf.env.SYSTEM_LIBS += ('heimdal', 'asn1', 'com_err', 'roken',
+ 'hx509', 'wind', 'gssapi', 'hcrypto',
+ 'krb5', 'heimbase', 'asn1_compile',
+ 'compile_et', 'kdc', 'hdb', 'heimntlm')
+
# Only process heimdal_build for non-MIT KRB5 builds
# When MIT KRB5 checks are done as above, conf.env.KRB5_VENDOR will be set
# to the lowcased output of 'krb5-config --vendor'.
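Review bot: the fifteen library names appended to conf.env.SYSTEM_LIBS are hard-coded inline with no comment tying them to the bundled Heimdal subsystems, and nothing visible here keeps the list in step if the set of bundled Heimdal libraries changes. Define the names once as a named constant with a comment explaining that they mirror the '!heimdal,!asn1,...' list from the commit message, so a later change to the bundled set has one obvious place to update and a system/bundled Kerberos mix is not produced by accident.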
--
Samba Shared Repository