authorRusty Russell <rusty@rustcorp.com.au>2013-02-20 14:59:42 +1030
committerRusty Russell <rusty@rustcorp.com.au>2013-02-20 07:09:19 +0100
commit2f4b21bb57c4f96c5f5b57a69d022c142d8088d5 (patch)
treeccc1865699e47eaf9702953ae9a59f746fe4afa2
parent3c9c3029f2bcf10ef614dd9f923d02232db3ac8d (diff)
ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'
Since we open with dbwrap, it auto-converts old tdbs (which it will rename to secrets.tdb.bak once it's done). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au> Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
-rw-r--r--auth/credentials/credentials_secrets.c4
-rw-r--r--docs-xml/manpages/net.8.xml2
-rw-r--r--docs-xml/manpages/smbpasswd.8.xml4
-rw-r--r--docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml2
-rw-r--r--docs-xml/smbdotconf/domain/machinepasswordtimeout.xml2
-rw-r--r--docs-xml/smbdotconf/ldap/ldapadmindn.xml2
-rw-r--r--docs-xml/smbdotconf/security/kerberosmethod.xml4
-rw-r--r--docs-xml/smbdotconf/security/privatedir.xml2
-rwxr-xr-xexamples/misc/adssearch.pl18
-rw-r--r--lib/tdb/man/tdbbackup.8.xml5
-rwxr-xr-xselftest/target/Samba3.pm3
-rw-r--r--selftest/target/Samba4.pm2
-rw-r--r--source3/include/secrets.h2
-rw-r--r--source3/passdb/py_passdb.c2
-rw-r--r--source3/passdb/secrets.c8
-rw-r--r--source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c13
-rw-r--r--source4/scripting/python/samba/tests/provision.py9
-rw-r--r--source4/scripting/python/samba/tests/upgradeprovision.py2
-rw-r--r--source4/scripting/python/samba/tests/upgradeprovisionneeddc.py2
19 files changed, 59 insertions, 29 deletions
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index a44fe1c8b8..730f047672 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -245,7 +245,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
- secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb");
+ secrets_tdb = lpcfg_private_path(cred, lp_ctx,
+ lpcfg_use_ntdb(lp_ctx) ?
+ "secrets.ntdb" : "secrets.tdb");
if (!secrets_tdb) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
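Review bot: The file name is chosen here purely from the 'use ntdb' option, while secrets_tdb_sync.c in the same commit chooses by whether a secrets.ntdb file already exists, so the two rules can disagree on the same private dir; if the option is later switched off after dbwrap has converted and renamed the old file to secrets.tdb.bak (as the commit message describes), this call would name a secrets.tdb that no longer holds the machine account. A comment at the call would at least make the coupling explicit, e.g. `/* name follows 'use ntdb'; must match secrets_init_path() in source3/passdb/secrets.c */`. The same option-driven choice is repeated in source3/passdb/secrets.c (secrets_init) and source3/passdb/py_passdb.c, so one shared helper returning the basename would keep the three in step, and the local is still called secrets_tdb although it may now point at the .ntdb file. cli_credentials_set_machine_account continues outside the hunk.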
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 3765af9be9..01044e1045 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1001,7 +1001,7 @@ local server. You need to run this against the PDC, from a Samba machine joined
<refsect2>
<title>RPC GETSID</title>
-<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename>. </para>
+<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>). </para>
</refsect2>
diff --git a/docs-xml/manpages/smbpasswd.8.xml b/docs-xml/manpages/smbpasswd.8.xml
index 376044ccaf..88e7e86460 100644
--- a/docs-xml/manpages/smbpasswd.8.xml
+++ b/docs-xml/manpages/smbpasswd.8.xml
@@ -326,7 +326,7 @@
has been compiled with LDAP support. The <parameter>-w</parameter>
switch is used to specify the password to be used with the
<smbconfoption name="ldap admin dn"/>. Note that the password is stored in
- the <filename>secrets.tdb</filename> and is keyed off
+ the <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>) and is keyed off
of the admin's DN. This means that if the value of <parameter>ldap
admin dn</parameter> ever changes, the password will need to be
manually updated as well.
@@ -343,7 +343,7 @@
has been compiled with LDAP support. The <parameter>-W</parameter>
switch is used to specify the password to be used with the
<smbconfoption name="ldap admin dn"/>. Note that the password is stored in
- the <filename>secrets.tdb</filename> and is keyed off
+ the <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>) and is keyed off
of the admin's DN. This means that if the value of <parameter>ldap
admin dn</parameter> ever changes, the password will need to be
manually updated as well.
diff --git a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
index 0d682c2b5b..842856bf83 100644
--- a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
+++ b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
@@ -129,7 +129,7 @@
<itemizedlist>
<listitem>
<para>
- The data from the module may be send encrypted, with a key stored in secrets.tdb. The
+ The data from the module may be send encrypted, with a key stored in secrets.tdb (or secrets.ntdb). The
Receiver then has to use the same key. The module does AES block encryption over the
data to send.
</para>
diff --git a/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml b/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml
index a8e312ba36..4f55e81f00 100644
--- a/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml
+++ b/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml
@@ -9,7 +9,7 @@
If a Samba server is a member of a Windows NT Domain (see the <smbconfoption
name="security">domain</smbconfoption> parameter) then periodically a running smbd process will try and change
the MACHINE ACCOUNT PASSWORD stored in the TDB called <filename moreinfo="none">private/secrets.tdb
- </filename>. This parameter specifies how often this password will be changed, in seconds. The default is one
+ </filename> (or <filename moreinfo="none">private/secrets.ntdb</filename>). This parameter specifies how often this password will be changed, in seconds. The default is one
week (expressed in seconds), the same as a Windows NT Domain member server.
</para>
diff --git a/docs-xml/smbdotconf/ldap/ldapadmindn.xml b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
index 442d242679..b5fe0fbca0 100644
--- a/docs-xml/smbdotconf/ldap/ldapadmindn.xml
+++ b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
@@ -8,7 +8,7 @@
<para>
The <smbconfoption name="ldap admin dn"/> defines the Distinguished Name (DN) name used by Samba to contact
the ldap server when retreiving user account information. The <smbconfoption name="ldap admin dn"/> is used
- in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename>
+ in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename> (or <filename moreinfo="none">private/secrets.ntdb</filename>)
file. See the <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
man page for more information on how to accomplish this.
</para>
diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml
index 3a11e06be9..cc8a69bc70 100644
--- a/docs-xml/smbdotconf/security/kerberosmethod.xml
+++ b/docs-xml/smbdotconf/security/kerberosmethod.xml
@@ -8,7 +8,7 @@
<para>Valid options are:</para>
<itemizedlist>
- <listitem><para>secrets only - use only the secrets.tdb for
+ <listitem><para>secrets only - use only the secrets.(n)tdb for
ticket verification (default)</para></listitem>
<listitem><para>system keytab - use only the system keytab
@@ -17,7 +17,7 @@
<listitem><para>dedicated keytab - use a dedicated keytab
for ticket verification</para></listitem>
- <listitem><para>secrets and keytab - use the secrets.tdb
+ <listitem><para>secrets and keytab - use the secrets.(n)tdb
first, then the system keytab</para></listitem>
</itemizedlist>
diff --git a/docs-xml/smbdotconf/security/privatedir.xml b/docs-xml/smbdotconf/security/privatedir.xml
index 46d4a8297c..2f4b5766de 100644
--- a/docs-xml/smbdotconf/security/privatedir.xml
+++ b/docs-xml/smbdotconf/security/privatedir.xml
@@ -7,7 +7,7 @@
<description>
<para>This parameters defines the directory
smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename>
- and <filename moreinfo="none">secrets.tdb</filename>.
+ and <filename moreinfo="none">secrets.tdb</filename> (or <filename moreinfo="none">secrets.ntdb</filename>).
</para>
</description>
diff --git a/examples/misc/adssearch.pl b/examples/misc/adssearch.pl
index 13a85bede9..02c4464abb 100755
--- a/examples/misc/adssearch.pl
+++ b/examples/misc/adssearch.pl
@@ -42,11 +42,13 @@ my $rebind_url;
my $tdbdump = "/usr/bin/tdbdump";
+my $ntdbdump = "/usr/bin/ntdbdump";
my $testparm = "/usr/bin/testparm";
my $net = "/usr/bin/net";
my $dig = "/usr/bin/dig";
my $nmblookup = "/usr/bin/nmblookup";
my $secrets_tdb = "/etc/samba/secrets.tdb";
+my $secrets_ntdb = "/etc/samba/secrets.ntdb";
my $klist = "/usr/bin/klist";
my $kinit = "/usr/bin/kinit";
my $workgroup = "";
@@ -723,13 +725,21 @@ sub get_machine_password {
my $workgroup = shift || "";
$workgroup = uc($workgroup);
- my ($found, $tmp);
- -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
- -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+ my ($found, $tmp, $dbdump, $db);
+ if (-r $secrets_ntdb) {
+ -x $ntdbdump || die "ntdbdump is not installed. cannot proceed autodetection\n";
+ $dbdump = $ntdbdump;
+ $db = $secrets_ntdb;
+ } else {
+ -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
+ -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+ $dbdump = $tdbdump;
+ $db = $secrets_tdb;
+ }
# get machine-password
my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
- open(SECRETS,"$tdbdump $secrets_tdb |");
+ open(SECRETS,"$dbdump $db |");
while(my $line = <SECRETS>) {
chomp($line);
if ($found) {
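Review bot: The rewritten `open(SECRETS,"$dbdump $db |")` still hands the command line to a shell, so both paths are re-parsed for metacharacters, and the two-argument form gives no way to see that the dump program failed to start. The list form of a pipe open avoids the shell and can be checked: `open(my $secrets, "-|", $dbdump, $db) or die "cannot run $dbdump $db: $!\n";` with the reader becoming `while (my $line = <$secrets>) {`. The values are constants in this script, so exposure is low, but the line is being changed anyway. get_machine_password continues outside the hunk.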
diff --git a/lib/tdb/man/tdbbackup.8.xml b/lib/tdb/man/tdbbackup.8.xml
index 02936cf0d6..c15cc14e2d 100644
--- a/lib/tdb/man/tdbbackup.8.xml
+++ b/lib/tdb/man/tdbbackup.8.xml
@@ -92,6 +92,11 @@
<para>tdbbackup -v [-s suffix] *.tdb</para>
<para>
+ Note that Samba 4 can use .ntdb files instead, so you should
+ use <command>ntdbbackup</command> on those files.
+ </para>
+
+ <para>
Samba .tdb files are stored in various locations, be sure to run backup all
.tdb file on the system. Important files includes:
</para>
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 8546bd2895..c71419d4ba 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -418,6 +418,9 @@ $ret->{USERNAME} = KTEST\\Administrator
system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
chmod 0600, "$prefix/private/secrets.tdb";
+#Make sure there's no old ntdb file.
+ system("rm -f $prefix/private/secrets.ntdb");
+
#This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
# "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
#
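Review bot: `system("rm -f $prefix/private/secrets.ntdb")` spawns a shell for a single file removal; `unlink("$prefix/private/secrets.ntdb");` does the same without the shell or its quoting concerns and matches the unlink already used in Samba4.pm. The comment `#Make sure there's no old ntdb file.` could say why it matters: the fixture copied above is a .tdb, and a stale .ntdb next to it would presumably be picked up in preference by code that selects the backend by file existence, as secrets_tdb_sync.c in this commit does. The surrounding setup code continues outside the hunk.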
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 8ad62326cd..e9e003704e 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1512,7 +1512,7 @@ sub provision_chgdcpass($$)
# Remove secrets.tdb from this environment to test that we still start up
# on systems without the new matching secrets.tdb records
- unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb")) {
+ unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
return undef;
}
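Review bot: `unlink(...secrets.tdb) || unlink(...secrets.ntdb)` short-circuits, so when both files exist only secrets.tdb is removed and secrets.ntdb stays behind, which defeats the purpose stated in the comment above; the warning also still names only secrets.tdb. unlink takes a list and returns the number removed, so `unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb", "$ret->{PRIVATEDIR}/secrets.ntdb")) {` removes whichever exist while keeping the check, and the message could read `... secrets.tdb/secrets.ntdb added during provision`. Whether both can coexist after provision depends on the dbwrap conversion, which this hunk does not show. provision_chgdcpass continues outside the hunk.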
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 57a1be0c3e..1eeb24c1c9 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -82,7 +82,7 @@ struct afs_keyfile {
/* The following definitions come from passdb/secrets.c */
-bool secrets_init_path(const char *private_dir);
+bool secrets_init_path(const char *private_dir, bool use_ntdb);
bool secrets_init(void);
struct db_context *secrets_db_ctx(void);
void secrets_shutdown(void);
diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c
index 6984061714..3fd14cdc41 100644
--- a/source3/passdb/py_passdb.c
+++ b/source3/passdb/py_passdb.c
@@ -3638,7 +3638,7 @@ static PyObject *py_set_secrets_dir(PyObject *self, PyObject *args)
}
/* Initialize secrets database */
- if (!secrets_init_path(private_dir)) {
+ if (!secrets_init_path(private_dir, lp_use_ntdb())) {
PyErr_Format(py_pdb_error, "Cannot open secrets file database in '%s'",
private_dir);
talloc_free(frame);
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 8f314a76cf..f97510db21 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -55,7 +55,7 @@ static void get_rand_seed(void *userdata, int *new_seed)
}
/* open up the secrets database with specified private_dir path */
-bool secrets_init_path(const char *private_dir)
+bool secrets_init_path(const char *private_dir, bool use_ntdb)
{
char *fname = NULL;
unsigned char dummy;
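Review bot: The header comment `/* open up the secrets database with specified private_dir path */` was not updated for the new parameter; suggest `/* open up the secrets database in private_dir; use_ntdb selects secrets.ntdb instead of secrets.tdb */`. The matching prototype in source3/include/secrets.h carries no comment at all, so this is the only place a caller would learn what the flag means. secrets_init_path continues past the hunk.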
@@ -70,8 +70,8 @@ bool secrets_init_path(const char *private_dir)
}
frame = talloc_stackframe();
- fname = talloc_asprintf(frame, "%s/secrets.tdb",
- private_dir);
+ fname = talloc_asprintf(frame, "%s/secrets.%s",
+ private_dir, use_ntdb ? "ntdb" : "tdb");
if (fname == NULL) {
TALLOC_FREE(frame);
return False;
@@ -105,7 +105,7 @@ bool secrets_init_path(const char *private_dir)
/* open up the secrets database */
bool secrets_init(void)
{
- return secrets_init_path(lp_private_dir());
+ return secrets_init_path(lp_private_dir(), lp_use_ntdb());
}
struct db_context *secrets_db_ctx(void)
diff --git a/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c b/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c
index e90fc77068..e3d8485c61 100644
--- a/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c
+++ b/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c
@@ -474,7 +474,8 @@ static int secrets_tdb_sync_init(struct ldb_module *module)
struct ldb_context *ldb;
struct secrets_tdb_sync_private *data;
char *private_dir, *p;
- const char *secrets_ldb;
+ const char *secrets_ldb, *secrets_ntdb;
+ bool use_ntdb;
ldb = ldb_module_get_ctx(module);
@@ -498,11 +499,17 @@ static int secrets_tdb_sync_init(struct ldb_module *module)
p = strrchr(private_dir, '/');
if (p) {
*p = '\0';
- secrets_init_path(private_dir);
} else {
- secrets_init_path(".");
+ private_dir = talloc_strdup(data, ".");
}
+ /* If there's an ntdb file, force code to load that. */
+ secrets_ntdb = talloc_asprintf(private_dir, "%s/secrets.ntdb",
+ private_dir);
+ use_ntdb = file_exist(secrets_ntdb);
+
+ secrets_init_path(private_dir, use_ntdb);
+
TALLOC_FREE(private_dir);
data->secrets_tdb = secrets_db_ctx();
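Review bot: Neither `talloc_strdup(data, ".")` nor `talloc_asprintf(private_dir, ...)` is checked for NULL before use; the old code called secrets_init_path(".") with no allocation, whereas now a failed strdup passes a NULL private_dir on, and a failed asprintf hands a NULL path to file_exist(). A check after the asprintf, `if (private_dir == NULL || secrets_ntdb == NULL) { return ldb_oom(ldb); }`, closes both. Reassigning private_dir in the else branch also appears to drop the string it held before strrchr(), which leaks it if that string was allocated under data rather than being freed elsewhere — not visible in the hunk. secrets_tdb_sync_init continues outside the hunk.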
diff --git a/source4/scripting/python/samba/tests/provision.py b/source4/scripting/python/samba/tests/provision.py
index 992179124b..929e7074f7 100644
--- a/source4/scripting/python/samba/tests/provision.py
+++ b/source4/scripting/python/samba/tests/provision.py
@@ -55,8 +55,9 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
def test_setup_secretsdb(self):
path = os.path.join(self.tempdir, "secrets.ldb")
- secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
paths = ProvisionPaths()
+ secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
+ secrets_ntdb_path = os.path.join(self.tempdir, "secrets.ntdb")
paths.secrets = path
paths.private_dir = os.path.dirname(path)
paths.keytab = "no.keytab"
@@ -68,8 +69,10 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
finally:
del ldb
os.unlink(path)
- os.unlink(secrets_tdb_path)
-
+ if os.path.exists(secrets_tdb_path):
+ os.unlink(secrets_tdb_path)
+ if os.path.exists(secrets_ntdb_path):
+ os.unlink(secrets_ntdb_path)
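Review bot: The cleanup removes secrets.tdb and secrets.ntdb but not secrets.tdb.bak, which the tearDown methods in upgradeprovision.py and upgradeprovisionneeddc.py in this same commit do remove; if the dbwrap conversion named in the commit message leaves a .bak here too, the temp dir will not be empty when the test case tears it down. Folding the names into one loop keeps the three tests in step: `for name in ("secrets.tdb", "secrets.tdb.bak", "secrets.ntdb"):` / `path = os.path.join(self.tempdir, name)` / `if os.path.exists(path): os.unlink(path)`. The removed blank line after the finally block also looks like it leaves a single blank line before `class FindNssTests`, though blank context lines may have been dropped by the rendering. test_setup_secretsdb starts above the hunk.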
class FindNssTests(TestCase):
"""Test findnss() function."""
diff --git a/source4/scripting/python/samba/tests/upgradeprovision.py b/source4/scripting/python/samba/tests/upgradeprovision.py
index c1c70c4a88..93a6731c83 100644
--- a/source4/scripting/python/samba/tests/upgradeprovision.py
+++ b/source4/scripting/python/samba/tests/upgradeprovision.py
@@ -126,7 +126,7 @@ class UpdateSecretsTests(samba.tests.TestCaseInTempDir):
self.assertEquals(newmodules.msgs, refmodules.msgs)
def tearDown(self):
- for name in ["ref.ldb", "secrets.ldb", "secrets.tdb"]:
+ for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb"]:
path = os.path.join(self.tempdir, name)
if os.path.exists(path):
os.unlink(path)
diff --git a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
index 1de123c71d..a7cb298ed7 100644
--- a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
+++ b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
@@ -172,7 +172,7 @@ class UpgradeProvisionWithLdbTestCase(TestCaseInTempDir):
self.assertTrue(re.match(".*upgrade to.*", str(oem2)))
def tearDown(self):
- for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "sam.ldb"]:
+ for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb", "sam.ldb"]:
path = os.path.join(self.tempdir, name)
if os.path.exists(path):
os.unlink(path)