[SCM] Samba Shared Repository - branch v4-9-test updated
Karolin Seeger
kseeger at samba.org
Thu Sep 13 09:37:02 UTC 2018
The branch, v4-9-test has been updated
via efbb842 WHATSNEW: 'samba-tool ou' command: manage organizational units
via 9bb128f samba_dnsupdate: honor 'dns zone scavenging' option, only update if needed
via b94c676 WHATSNEW.txt: announce 4.9.0 trust improvements
from c9743ba wafsamba: Fix 'make -j<jobs>'
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test
- Log -----------------------------------------------------------------
commit efbb84245bb68aee4b3542481534a1108059a798
Author: Björn Baumbach <bb at sernet.de>
Date: Wed Sep 12 12:04:13 2018 +0200
WHATSNEW: 'samba-tool ou' command: manage organizational units
Signed-off-by: Björn Baumbach <bb at sernet.de>
Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-9-test): Thu Sep 13 11:36:40 CEST 2018 on sn-devel-144
commit 9bb128fc78527d77ddabc4c4dc21f77788b6cc22
Author: Björn Baumbach <bb at sernet.de>
Date: Wed Sep 5 16:54:01 2018 +0200
samba_dnsupdate: honor 'dns zone scavenging' option, only update if needed
Since scavenging is implemented, the samba_dnsupdate command always updates all
dns records required by the dc. This is not needed if dns zone scavenging
is not enabled.
This avoids the repeating TSIG error messages:
# samba_dnsupdate --option='dns zone scavenging = yes' 2>&1 | uniq -c
29 ; TSIG error with server: tsig verify failure
1 Failed update of 29 entries
# echo ${PIPESTATUS[0]}
29
# samba_dnsupdate --option='dns zone scavenging = no' 2>&1 | uniq -c
# echo ${PIPESTATUS[0]}
0
Note that this results in about 60 lines in the log file,
which is triggered every 10 minutes ("dnsupdate:name interval=600" is the default).
This restores the behavior before 8ef42d4dab4dfaf5ad225b33f7748914f14dcd8c,
if "dns zone scavenging" is not switched on (which is still the default).
Avoiding the messages from happening at all is a subject for more debugging;
most likely they are caused by bugs in 'nsupdate -g' (from the bind package).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13605
Pair-programmed-with: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Björn Baumbach <bb at sernet.de>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit b94c676eb1a8e50255cf5e23c8178bcf1270e8d2
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 12 11:28:24 2018 +0200
WHATSNEW.txt: announce 4.9.0 trust improvements
Signed-off-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 51 +++++++++++++++++++++++++++++++++++
selftest/knownfail.d/dns | 2 --
source4/scripting/bin/samba_dnsupdate | 15 ++++++++++-
3 files changed, 65 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 07cd9f2..ec7fb2a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -215,6 +215,25 @@ accounts including creating a new computer and resetting the password.
This allows an 'offline join' of a member server or workstation to the
Samba AD domain.
+New 'samba-tool ou' command
+---------------------------
+
+The new 'samba-tool ou' command allows to manage organizational units.
+
+Available subcommands are:
+ create - Create an organizational unit.
+ delete - Delete an organizational unit.
+ list - List all organizational units
+ listobjects - List all objects in an organizational unit.
+ move - Move an organizational unit.
+ rename - Rename an organizational unit.
+
+In addition to the ou commands, there are new subcommands for the user
+and group management, which can make use of the organizational units:
+ group move - Move a group to an organizational unit/container.
+ user move - Move a user to an organizational unit/container.
+ user show - Display a user AD object.
+
Samba performance tool now operates against Microsoft Windows AD
----------------------------------------------------------------
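Review bot: In the subcommand list, the 'list' entry ("List all organizational units") is the only description without a trailing period; add one so it matches the other five. The intro sentence "allows to manage organizational units" is also missing an object; "allows managing organizational units" or "can be used to manage organizational units" reads correctly.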
@@ -265,6 +284,38 @@ feature, currently it should be enabled from the DNS Manager tool from
Windows. Also the feature needs to have been enabled by setting the smb.conf
parameter "dns zone scavenging = yes".
+Improved support for trusted domains (as AD DC)
+-----------------------------------------------
+
+The support for trusted domains/forests has been further improved.
+
+External domain trusts, as well a transitive forest trusts,
+are supported in both directions (inbound and outbound)
+for Kerberos and NTLM authentication.
+
+The following features are new in 4.9 (compared to 4.8):
+
+- It's now possible to add users/groups of a trusted domain
+ into domain groups. The group memberships are expanded
+ on trust boundaries.
+- foreignSecurityPrincipal objects (FPO) are now automatically
+ created when members (as SID) of a trusted domain/forest
+ are added to a group.
+- The 'samba-tool group *members' commands allow
+ members to be specified as foreign SIDs.
+
+However there are currently still a few limitations:
+
+- Both sides of the trust need to fully trust each other!
+- No SID filtering rules are applied at all!
+- This means DCs of domain A can grant domain admin rights
+ in domain B.
+- Selective (CROSS_ORIGANIZATION) authentication is
+ not supported. It's possible to create such a trust,
+ but the KDC and winbindd ignore them.
+- Samba can still only operate in a forest with just
+ one single domain.
+
CTDB changes
------------
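Review bot: The limitations list understates its main security consequence: "This means DCs of domain A can grant domain admin rights in domain B." is formatted as a separate bullet, but it is the direct result of "No SID filtering rules are applied at all!", so fold it into that bullet or indent it beneath it so an administrator skimming the list reads the two together. Two typos in the same section: "as well a transitive forest trusts" should be "as well as transitive forest trusts", and "CROSS_ORIGANIZATION" should be "CROSS_ORGANIZATION". In the selective authentication bullet, "ignore them" has no plural antecedent; "ignore this setting" would be clearer.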
diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
index 99b0f1d..a517665 100644
--- a/selftest/knownfail.d/dns
+++ b/selftest/knownfail.d/dns
@@ -69,5 +69,3 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\)
# The SOA override should not pass against the RODC, it must not overstamp
samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\)
-.*samba.tests.blackbox.samba_dnsupdate.SambaDnsUpdateTests.test_samba_dnsupate_set_ip
-.*samba.tests.blackbox.samba_dnsupdate.SambaDnsUpdateTests.test_samba_dnsupate_no_change
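Review bot: Dropping these two knownfail entries declares the tests passing, but the commit message shows samba_dnsupdate still exiting with 29 failed entries when 'dns zone scavenging = yes' is set, so they only pass on the default (scavenging off) path; please confirm that no test environment running them enables scavenging, or keep a knownfail entry scoped to such an environment. Separately, both patterns spell the test names "test_samba_dnsupate_*" (missing "d"); if that mirrors the method names in the test file, a follow-up to correct the spelling there would be worthwhile.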
diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate
index 071cebe..fda3beb 100755
--- a/source4/scripting/bin/samba_dnsupdate
+++ b/source4/scripting/bin/samba_dnsupdate
@@ -102,6 +102,8 @@ else:
nsupdate_cmd = lp.get('nsupdate command')
+dns_zone_scavenging = lp.get("dns zone scavenging")
+
if len(IPs) == 0:
print "No IP interfaces - skipping DNS updates"
sys.exit(0)
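Review bot: The value assigned to dns_zone_scavenging is used further down as a bare truth test, which is only correct if lp.get() returns a real boolean for this parameter; if it returned the configured string, "no" would be truthy and every record would be pushed on each run. A one-line comment stating the expected type, or an explicit conversion at this assignment, would make the assumption visible to the next reader.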
@@ -847,7 +849,18 @@ for d in dns_list:
rebuild_cache = True
if opts.verbose:
print "need cache add: %s" % d
- update_list.append(d)
+ if dns_zone_scavenging:
+ update_list.append(d)
+ if opts.verbose:
+ print "scavenging requires update: %s" % d
+ elif opts.all_names:
+ update_list.append(d)
+ if opts.verbose:
+ print "force update: %s" % d
+ elif not check_dns_name(d):
+ update_list.append(d)
+ if opts.verbose:
+ print "need update: %s" % d
for c in cache_list:
found = False
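Review bot: The three new branches each repeat update_list.append(d) and differ only in the verbose message, and check_dns_name(d) is never consulted when dns_zone_scavenging or opts.all_names is set; consider deciding the reason once (scavenging, forced, or failed lookup) and appending in a single place, so the precedence between the three conditions is explicit. With scavenging enabled the verbose output also reports "scavenging requires update" even when opts.all_names was requested, which may confuse someone debugging a forced run. A short comment above "if dns_zone_scavenging:" explaining why scavenging needs an unconditional update would help, since the commit message gives that reasoning but the code does not.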
--
Samba Shared Repository