[SCM] Samba Shared Repository - branch v4-9-test updated

Karolin Seeger kseeger at samba.org
Thu Sep 13 09:37:02 UTC 2018

The branch, v4-9-test has been updated
       via  efbb842 WHATSNEW: 'samba-tool ou' command: manage organizational units
       via  9bb128f samba_dnsupdate: honor 'dns zone scavenging' option, only update if needed
       via  b94c676 WHATSNEW.txt: announce 4.9.0 trust improvements
      from  c9743ba wafsamba: Fix 'make -j<jobs>'


- Log -----------------------------------------------------------------
commit efbb84245bb68aee4b3542481534a1108059a798
Author: Björn Baumbach <bb at sernet.de>
Date:   Wed Sep 12 12:04:13 2018 +0200

    WHATSNEW: 'samba-tool ou' command: manage organizational units
    Signed-off-by: Björn Baumbach <bb at sernet.de>
    Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-9-test): Thu Sep 13 11:36:40 CEST 2018 on sn-devel-144

commit 9bb128fc78527d77ddabc4c4dc21f77788b6cc22
Author: Björn Baumbach <bb at sernet.de>
Date:   Wed Sep 5 16:54:01 2018 +0200

    samba_dnsupdate: honor 'dns zone scavenging' option, only update if needed
    Since scavenging is implemented, the samba_dnsupdate command always updates all
    DNS records required by the DC. This is not needed if dns zone scavenging
    is not enabled.
    This avoids the repeating TSIG error messages:
     # samba_dnsupdate --option='dns zone scavenging = yes' 2>&1 | uniq -c
         29 ; TSIG error with server: tsig verify failure
          1 Failed update of 29 entries
     # echo ${PIPESTATUS[0]}
     # samba_dnsupdate --option='dns zone scavenging = no' 2>&1 | uniq -c
     # echo ${PIPESTATUS[0]}
    Note that this results in about 60 lines in the log file,
    which are triggered every 10 minutes ("dnsupdate:name interval=600" is the default).
    This restores the behavior before 8ef42d4dab4dfaf5ad225b33f7748914f14dcd8c,
    if "dns zone scavenging" is not switched on (which is still the default).
    Avoiding the messages altogether is subject to more debugging;
    most likely they are caused by bugs in 'nsupdate -g' (from the bind package).
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13605
    Pair-programmed-with: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Björn Baumbach <bb at sernet.de>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit b94c676eb1a8e50255cf5e23c8178bcf1270e8d2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 12 11:28:24 2018 +0200

    WHATSNEW.txt: announce 4.9.0 trust improvements
    Signed-off-by: Stefan Metzmacher <metze at samba.org>


Summary of changes:
 WHATSNEW.txt                          | 51 +++++++++++++++++++++++++++++++++++
 selftest/knownfail.d/dns              |  2 --
 source4/scripting/bin/samba_dnsupdate | 15 ++++++++++-
 3 files changed, 65 insertions(+), 3 deletions(-)

Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 07cd9f2..ec7fb2a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -215,6 +215,25 @@ accounts including creating a new computer and resetting the password.
 This allows an 'offline join' of a member server or workstation to the
 Samba AD domain.
+New 'samba-tool ou' command
+The new 'samba-tool ou' command allows to manage organizational units.
+Available subcommands are:
+  create       - Create an organizational unit.
+  delete       - Delete an organizational unit.
+  list         - List all organizational units
+  listobjects  - List all objects in an organizational unit.
+  move         - Move an organizational unit.
+  rename       - Rename an organizational unit.
+In addition to the ou commands, there are new subcommands for the user
+and group management, which can make use of the organizational units:
+  group move   - Move a group to an organizational unit/container.
+  user move    - Move a user to an organizational unit/container.
+  user show    - Display a user AD object.
 Samba performance tool now operates against Microsoft Windows AD
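Review bot: the wording and punctuation in this hunk are inconsistent: "allows to manage organizational units" should read "allows you to manage organizational units" (or "can be used to manage"), and the "list" entry is the only subcommand description without a trailing period ("list         - List all organizational units"). Please also add a blank line between "Samba AD domain." and the new "New 'samba-tool ou' command" heading so it renders as its own section like the surrounding entries.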
@@ -265,6 +284,38 @@ feature, currently it should be enabled from the DNS Manager tool from
 Windows. Also the feature needs to have been enabled by setting the smb.conf
 parameter "dns zone scavenging = yes".
+Improved support for trusted domains (as AD DC)
+The support for trusted domains/forests has been further improved.
+External domain trusts, as well a transitive forest trusts,
+are supported in both directions (inbound and outbound)
+for Kerberos and NTLM authentication.
+The following features are new in 4.9 (compared to 4.8):
+- It's now possible to add users/groups of a trusted domain
+  into domain groups. The group memberships are expanded
+  on trust boundaries.
+- foreignSecurityPrincipal objects (FPO) are now automatically
+  created when members (as SID) of a trusted domain/forest
+  are added to a group.
+- The 'samba-tool group *members' commands allow
+  members to be specified as foreign SIDs.
+However there are currently still a few limitations:
+- Both sides of the trust need to fully trust each other!
+- No SID filtering rules are applied at all!
+- This means DCs of domain A can grant domain admin rights
+  in domain B.
+- Selective (CROSS_ORIGANIZATION) authentication is
+  not supported. It's possible to create such a trust,
+  but the KDC and winbindd ignore them.
+- Samba can still only operate in a forest with just
+  one single domain.
 CTDB changes
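Review bot: two typos in this hunk: "as well a transitive forest trusts" should be "as well as transitive forest trusts", and "CROSS_ORIGANIZATION" should be "CROSS_ORGANIZATION". The sentence "It's possible to create such a trust, but the KDC and winbindd ignore them" mixes singular and plural; use "ignore it". Since the limitations list states that no SID filtering is applied and that DCs of domain A can grant domain admin rights in domain B, consider spelling out the operational consequence for administrators reading the release notes: a trust should only be established with a domain whose DCs are controlled by a party you already fully trust, because a compromised DC on either side can assert arbitrary group memberships in the other domain.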
diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
index 99b0f1d..a517665 100644
--- a/selftest/knownfail.d/dns
+++ b/selftest/knownfail.d/dns
@@ -69,5 +69,3 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\)
 # The SOA override should not pass against the RODC, it must not overstamp
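Review bot: the hunk header "@@ -69,5 +69,3 @@" and the summary line "selftest/knownfail.d/dns | 2 --" show that two known-failure entries were removed, but the removed lines are not visible in this mail, so which dns tests are being promoted to must-pass cannot be checked here. Please name the affected tests in the commit message and confirm they pass with the default "dns zone scavenging = no", since that is the code path this change alters.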
diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate
index 071cebe..fda3beb 100755
--- a/source4/scripting/bin/samba_dnsupdate
+++ b/source4/scripting/bin/samba_dnsupdate
@@ -102,6 +102,8 @@ else:
 nsupdate_cmd = lp.get('nsupdate command')
+dns_zone_scavenging = lp.get("dns zone scavenging")
 if len(IPs) == 0:
     print "No IP interfaces - skipping DNS updates"
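Review bot: "lp.get("dns zone scavenging")" uses double quotes while the adjacent "lp.get('nsupdate command')" uses single quotes; keep one quoting style within the file. A one-line comment here explaining why the option is read (it decides whether every record is refreshed unconditionally or only when a lookup shows it is missing or stale) would also help, since the variable is only consumed much further down in the per-name loop.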
@@ -847,7 +849,18 @@ for d in dns_list:
         rebuild_cache = True
         if opts.verbose:
             print "need cache add: %s" % d
-    update_list.append(d)
+    if dns_zone_scavenging:
+        update_list.append(d)
+        if opts.verbose:
+            print "scavenging requires update: %s" % d
+    elif opts.all_names:
+        update_list.append(d)
+        if opts.verbose:
+            print "force update: %s" % d
+    elif not check_dns_name(d):
+        update_list.append(d)
+        if opts.verbose:
+            print "need update: %s" % d
 for c in cache_list:
     found = False
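Review bot: the three new branches are identical except for the verbose message, so the "update_list.append(d)" / "if opts.verbose: print" pair is triplicated; computing the decision and its reason once, e.g. "reason = ('scavenging requires update' if dns_zone_scavenging else 'force update' if opts.all_names else 'need update' if not check_dns_name(d) else None)" followed by a single "if reason:" block, would keep the logic in one place. The ordering is also significant and deserves a comment: because the scavenging check comes first, check_dns_name(d) is never called when scavenging is enabled, so in that mode every name is refreshed on every run, which is exactly the 29-record TSIG failure case shown in the commit message; that is the intended behaviour here, but the next reader should not have to infer it.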
