author | Andrew Bartlett <abartlet@samba.org> | 2012-06-10 22:08:20 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-06-15 09:18:33 +0200 |
commit | b8815dc23d36468cce9b615335ed62f119eb8f35 (patch) | |
tree | f98b02f81e3fce8fbedadecf7f847e90bf40f4fa /source4 | |
parent | b9a75d8438470065633c1ff69c653eaa799d5718 (diff) | |
lib/param: Create a separate server role for "active directory domain controller"
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC, which will allow smarter handling of (for example) accidentally
starting smbd rather than samba.
To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.
Andrew Bartlett
Diffstat (limited to 'source4')
23 files changed, 48 insertions, 39 deletions
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 58a12fbc53..d0ff50afc6 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -630,6 +630,7 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
 break;
 case ROLE_DOMAIN_BDC:
 case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind", NULL);
 break;
 }
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 87a7d27559..4a4307c895 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -341,7 +341,7 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 }
 return NT_STATUS_OK;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 if (!is_local_name && !is_my_domain) {
 DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
 user_info->mapped.domain_name));
diff --git a/source4/cldap_server/cldap_server.c b/source4/cldap_server/cldap_server.c
index 78712bfecf..a6248d4493 100644
--- a/source4/cldap_server/cldap_server.c
+++ b/source4/cldap_server/cldap_server.c
@@ -205,7 +205,7 @@ static void cldapd_task_init(struct task_server *task)
 task_server_terminate(task, "cldap_server: no CLDAP server required in member server configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want an CLDAP server */
 break;
 }
diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c
index 34e4fe36ba..3592258a8b 100644
--- a/source4/dns_server/dns_server.c
+++ b/source4/dns_server/dns_server.c
@@ -698,7 +698,7 @@ static void dns_task_init(struct task_server *task)
 case ROLE_DOMAIN_MEMBER:
 task_server_terminate(task, "dns: no DNS required in member server configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want a DNS */
 break;
 }
diff --git a/source4/dsdb/dns/dns_update.c b/source4/dsdb/dns/dns_update.c
index 9ab56f7d9f..3e10447f0f 100644
--- a/source4/dsdb/dns/dns_update.c
+++ b/source4/dsdb/dns/dns_update.c
@@ -594,7 +594,7 @@ static void dnsupdate_task_init(struct task_server *task)
 NTSTATUS status;
 struct dnsupdate_service *service;
 
- if (lpcfg_server_role(task->lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
 /* not useful for non-DC */
 return;
 }
diff --git a/source4/dsdb/kcc/kcc_service.c b/source4/dsdb/kcc/kcc_service.c
index ac19522698..8b35d6f01a 100644
--- a/source4/dsdb/kcc/kcc_service.c
+++ b/source4/dsdb/kcc/kcc_service.c
@@ -183,7 +183,7 @@ static void kccsrv_task_init(struct task_server *task)
 case ROLE_DOMAIN_MEMBER:
 task_server_terminate(task, "kccsrv: no KCC required in domain member configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want a KCC */
 break;
 }
diff --git a/source4/dsdb/repl/drepl_service.c b/source4/dsdb/repl/drepl_service.c
index e12ff1e819..3d28676b8f 100644
--- a/source4/dsdb/repl/drepl_service.c
+++ b/source4/dsdb/repl/drepl_service.c
@@ -434,7 +434,7 @@ static void dreplsrv_task_init(struct task_server *task)
 task_server_terminate(task, "dreplsrv: no DSDB replication required in domain member configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want DSDB replication */
 break;
 }
diff --git a/source4/echo_server/echo_server.c b/source4/echo_server/echo_server.c
index 60729d8535..3501c8993f 100644
--- a/source4/echo_server/echo_server.c
+++ b/source4/echo_server/echo_server.c
@@ -303,7 +303,7 @@ static void echo_task_init(struct task_server *task)
 task_server_terminate(task, "echo: Not starting echo server " \
 "for domain members", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want to run the echo server */
 break;
 }
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 5424d213e8..a8939069aa 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -871,7 +871,11 @@ static void kdc_task_init(struct task_server *task)
 case ROLE_DOMAIN_MEMBER:
 task_server_terminate(task, "kdc: no KDC required in member server configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ task_server_terminate(task, "Cannot start KDC as a 'classic Samba' DC", true);
+ return;
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want a KDC */
 break;
 }
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index b773716bd2..886c684ff3 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -907,7 +907,7 @@ static void ldapsrv_task_init(struct task_server *task)
 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want an LDAP server */
 break;
 }
diff --git a/source4/nbt_server/dgram/netlogon.c b/source4/nbt_server/dgram/netlogon.c
index f99f195d03..3f0fa542fe 100644
--- a/source4/nbt_server/dgram/netlogon.c
+++ b/source4/nbt_server/dgram/netlogon.c
@@ -54,7 +54,7 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot,
 samctx = iface->nbtsrv->sam_ctx;
 
- if (lpcfg_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_DOMAIN_CONTROLLER
+ if (lpcfg_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC
 || !samdb_is_pdc(samctx)) {
 DEBUG(2, ("Not a PDC, so not processing LOGON_PRIMARY_QUERY\n"));
 return;
diff --git a/source4/nbt_server/register.c b/source4/nbt_server/register.c
index fb2f9913c5..f5517b249a 100644
--- a/source4/nbt_server/register.c
+++ b/source4/nbt_server/register.c
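Review bot: The new classic-DC arm in kdc_task_init terminates with `"Cannot start KDC as a 'classic Samba' DC"`, while the matching arm added to source4/winbind/wb_server.c in this commit says `'classic samba' DC: use winbindd instead`; the same configuration error is reported with different casing and only one of the two tells the operator what to do instead. The sibling message three lines up is prefixed with the service name (`"kdc: no KDC required ..."`), which the new one drops, so log consumers filtering on that prefix will miss it. One wording for both, e.g. `task_server_terminate(task, "kdc: cannot start the KDC as a 'classic Samba' DC (use 'server role = active directory domain controller')", true);`, would keep the two consistent. The switch in kdc_task_init begins outside the hunk, so I cannot see whether a default arm still catches any remaining role value.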
@@ -289,7 +289,7 @@ void nbtd_register_names(struct nbtd_server *nbtsrv)
 aliases++;
 }
 
- if (lpcfg_server_role(nbtsrv->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(nbtsrv->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
 bool is_pdc = samdb_is_pdc(nbtsrv->sam_ctx);
 if (is_pdc) {
 nbtd_register_name(nbtsrv, lpcfg_workgroup(nbtsrv->task->lp_ctx),
diff --git a/source4/param/tests/loadparm.c b/source4/param/tests/loadparm.c
index fd4885ef7d..f375bb4238 100644
--- a/source4/param/tests/loadparm.c
+++ b/source4/param/tests/loadparm.c
@@ -157,7 +157,7 @@ static bool test_server_role_dc_specified(struct torture_context *tctx)
 {
 struct loadparm_context *lp_ctx = loadparm_init(tctx);
 torture_assert(tctx, lpcfg_set_option(lp_ctx, "server role=domain controller"), "lpcfg_set_option failed");
- torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_DOMAIN_CONTROLLER, "ROLE should be DC");
+ torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_ACTIVE_DIRECTORY_DC, "ROLE should be DC");
 torture_assert_int_equal(tctx, lpcfg_security(lp_ctx), SEC_USER, "security should be USER");
 return true;
 }
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 2aee678bd4..87799db595 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1269,7 +1269,7 @@ static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call,
 }
 }
 
- if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
 return WERR_NOT_SUPPORTED;
 }
 
diff --git a/source4/rpc_server/common/server_info.c b/source4/rpc_server/common/server_info.c
index 68985d81aa..afbbb23e36 100644
--- a/source4/rpc_server/common/server_info.c
+++ b/source4/rpc_server/common/server_info.c
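Review bot: test_server_role_dc_specified now only verifies that the legacy string `server role=domain controller` resolves to ROLE_ACTIVE_DIRECTORY_DC; nothing in this hunk exercises the new canonical spelling, so a regression in the "active directory domain controller" parser entry would pass the test suite. I would add, next to the existing pair, `torture_assert(tctx, lpcfg_set_option(lp_ctx, "server role=active directory domain controller"), "lpcfg_set_option failed");` followed by the same `torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_ACTIVE_DIRECTORY_DC, "ROLE should be DC");`. The commit message also introduces "classic primary domain controller" and "classic backup domain controller"; if those map to ROLE_DOMAIN_PDC and ROLE_DOMAIN_BDC they deserve a test function each, since the KDC and winbind hunks in this commit now terminate on exactly those values. The other test functions of the file are outside this hunk.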
@@ -75,7 +75,7 @@ uint32_t dcesrv_common_get_server_type(TALLOC_CTX *mem_ctx, struct tevent_contex
 case ROLE_DOMAIN_MEMBER:
 default_server_announce |= SV_TYPE_DOMAIN_MEMBER;
 break;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 {
 struct ldb_context *samctx;
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index f1b8740078..cece2b7523 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -420,7 +420,7 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal
 case ROLE_DOMAIN_MEMBER:
 role = DS_ROLE_MEMBER_SERVER;
 break;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 if (samdb_is_pdc(state->sam_ldb)) {
 role = DS_ROLE_PRIMARY_DC;
 } else {
@@ -439,7 +439,7 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal
 W_ERROR_HAVE_NO_MEMORY(domain);
 /* TODO: what is with dns_domain and forest and guid? */
 break;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 flags = DS_ROLE_PRIMARY_DS_RUNNING;
 if (state->mixed_domain == 1) {
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index cc3b2c8bce..d987fbaaef 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -500,7 +500,7 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state
 info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount", 0);
 
 switch (state->role) {
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* This pulls the NetBIOS name from the cn=NTDS Settings,cn=<NETBIOS name of PDC>,.... string */
@@ -511,8 +511,8 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state
 }
 break;
 case ROLE_DOMAIN_PDC:
- info->role = SAMR_ROLE_DOMAIN_PDC;
- break;
+ case ROLE_DOMAIN_BDC:
+ return NT_STATUS_INTERNAL_ERROR;
 case ROLE_DOMAIN_MEMBER:
 info->role = SAMR_ROLE_DOMAIN_MEMBER;
 break;
@@ -606,7 +606,7 @@ static NTSTATUS dcesrv_samr_info_DomInfo7(struct samr_domain_state *state,
 {
 
 switch (state->role) {
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* This pulls the NetBIOS name from the cn=NTDS Settings,cn=<NETBIOS name of PDC>,.... string */
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index 65835ce00c..343e33e355 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -532,7 +532,7 @@ def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
 if lp.get("server role").lower() != serverrole:
 raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole))
 
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
 if domain is None:
 # This will, for better or worse, default to 'WORKGROUP'
 domain = lp.get("workgroup")
@@ -658,7 +658,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
 lp.set("xattr_tdb:file", os.path.abspath(os.path.join(statedir, "xattr.tdb")))
 
 shares = {}
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
 shares["sysvol"] = os.path.join(lp.get("state directory"), "sysvol")
 shares["netlogon"] = os.path.join(shares["sysvol"], realm.lower(),
 "scripts")
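Review bot: The new ROLE_DOMAIN_PDC/ROLE_DOMAIN_BDC arm of dcesrv_samr_info_DomGeneralInformation returns NT_STATUS_INTERNAL_ERROR without logging anything, so a server configured with a classic role answers this SAMR query with an unexplained internal error and leaves nothing in the log to connect it to the configuration. An unsupported configuration is better expressed as NT_STATUS_NOT_SUPPORTED, which is also what the backupkey hunk in this commit does (WERR_NOT_SUPPORTED) for the same situation, and a `DEBUG(0, ("samr: classic PDC/BDC server role is not supported by this service\n"));` before the return would make it diagnosable. If dcesrv_samr_info_DomInfo7, touched by the second hunk of this file, has or gains PDC/BDC arms, they should follow the same convention; both switches continue outside the hunks.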
@@ -1489,7 +1489,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
 dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
 next_rid=next_rid, dc_rid=dc_rid)
 
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
 # Set up group policies (domain policy and domain controller
 # policy)
 create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
@@ -1568,11 +1568,12 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
 _ROLES_MAP = {
 "ROLE_STANDALONE": "standalone",
 "ROLE_DOMAIN_MEMBER": "member server",
- "ROLE_DOMAIN_BDC": "domain controller",
- "ROLE_DOMAIN_PDC": "domain controller",
- "dc": "domain controller",
+ "ROLE_DOMAIN_BDC": "active directory domain controller",
+ "ROLE_DOMAIN_PDC": "active directory domain controller",
+ "dc": "active directory domain controller",
 "member": "member server",
- "domain controller": "domain controller",
+ "domain controller": "active directory domain controller",
+ "active directory domain controller": "active directory domain controller",
 "member server": "member server",
 "standalone": "standalone",
 }
@@ -1584,7 +1585,7 @@ def sanitize_server_role(role):
 :param role: Server role
 :raise ValueError: If the role can not be interpreted
 :return: Sanitized server role (one of "member server",
- "domain controller", "standalone")
+ "active directory domain controller", "standalone")
 """
 try:
 return _ROLES_MAP[role]
@@ -1614,7 +1615,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 try:
 serverrole = sanitize_server_role(serverrole)
 except ValueError:
- raise ProvisioningError('server role (%s) should be one of "domain controller", "member server", "standalone"' % serverrole)
+ raise ProvisioningError('server role (%s) should be one of "active directory domain controller", "member server", "standalone"' % serverrole)
 
 if ldapadminpass is None:
 # Make a new, random password between Samba and it's LDAP server
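Review bot: In the @@ -1568 hunk _ROLES_MAP still maps `"ROLE_DOMAIN_BDC"` and `"ROLE_DOMAIN_PDC"` to "active directory domain controller", so a caller passing one of the classic role constants is silently provisioned as an AD DC, although the commit message now treats the classic PDC/BDC roles as distinct from the AD DC and the C hunks terminate on them. The map also has no entry for the new smb.conf spellings "classic primary domain controller" and "classic backup domain controller" named in the commit message, so sanitize_server_role() raises ValueError for a configuration written with them; whether provisioning a classic role is meant to be possible at all I cannot tell from here. Either drop the two ROLE_DOMAIN_* keys so the ValueError path reports the mismatch instead of upgrading the role, or add explicit classic entries, and in both cases make the sanitize_server_role docstring in the next hunk list exactly the roles the map accepts. provision_fill and provision continue outside these hunks.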
@@ -1735,7 +1736,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 if paths.sysvol and not os.path.exists(paths.sysvol):
 os.makedirs(paths.sysvol, 0775)
 
- if not use_ntvfs and serverrole == "domain controller":
+ if not use_ntvfs and serverrole == "active directory domain controller":
 if paths.sysvol is None:
 raise MissingShareError("sysvol", paths.smbconf)
 
@@ -1813,7 +1814,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 serverrole=serverrole, schema=schema, fill=samdb_fill,
 am_rodc=am_rodc)
 
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
 if paths.netlogon is None:
 raise MissingShareError("netlogon", paths.smbconf)
 
@@ -1848,7 +1849,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 logger.info("A Kerberos configuration suitable for Samba 4 has been "
 "generated at %s", paths.krb5conf)
 
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
 create_dns_update_list(lp, logger, paths)
 
 backend_result = provision_backend.post_setup()
@@ -1913,7 +1914,7 @@ def provision_become_dc(smbconf=None, targetdir=None,
 realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
 configdn=configdn, serverdn=serverdn, domain=domain,
 hostname=hostname, hostip=None, domainsid=domainsid,
- machinepass=machinepass, serverrole="domain controller",
+ machinepass=machinepass, serverrole="active directory domain controller",
 sitename=sitename, dns_backend=dns_backend, dnspass=dnspass)
 res.lp.set("debuglevel", str(debuglevel))
 return res
diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c
index ecbb220d8f..d632e87ea7 100644
--- a/source4/smb_server/smb/signing.c
+++ b/source4/smb_server/smb/signing.c
@@ -98,7 +98,7 @@ bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
 * on non-DCs
 */
 
- if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
 signing_setting = SMB_SIGNING_REQUIRED;
 } else {
 signing_setting = SMB_SIGNING_OFF;
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c
index 1a3bc9ce35..83cae18bf3 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -136,7 +136,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
 * on non-DCs
 */
 
- if (lpcfg_server_role(lp_ctx) >= ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
 signing_setting = SMB_SIGNING_REQUIRED;
 } else {
 signing_setting = SMB_SIGNING_OFF;
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index b877e29b98..21560f981f 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -392,7 +392,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
 return 1;
 }
 
- if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
 if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) {
 DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
 exit(1);
diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index 4d6177bdc7..45a4b98f31 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
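Review bot: `lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC` decides whether SMB signing is mandatory with a relational comparison on an enumerator whose numeric neighbours this commit reshuffles (ROLE_DOMAIN_PDC and ROLE_DOMAIN_BDC are now distinct from the AD DC role), so whether a classic PDC/BDC still gets SMB_SIGNING_REQUIRED depends on the enum order in lib/param, which is not in this diff, rather than on an explicit decision. A wrong ordering fails open to SMB_SIGNING_OFF on a DC, so I would state the intent directly, `if (lpcfg_server_role(smb_conn->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {`, or route both call sites through a small helper that lists the roles that must sign. The same `>=` comparison appears in the source4/smb_server/smb2/negprot.c hunk and should change with it. smbsrv_init_signing continues outside the hunk.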
@@ -162,7 +162,7 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
 
 if ((!cli_credentials_is_anonymous(state->domain->libnet_ctx->cred)) &&
 ((lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_MEMBER) ||
- (lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER)) &&
+ (lpcfg_server_role(service->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC)) &&
 (dom_sid_equal(state->domain->info->sid,
 state->service->primary_sid))) {
 state->domain->netlogon_binding->flags |= DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO;
diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c
index 7bed235ae6..a904470e19 100644
--- a/source4/winbind/wb_server.c
+++ b/source4/winbind/wb_server.c
@@ -264,8 +264,7 @@ static void winbind_task_init(struct task_server *task)
 return;
 }
 break;
- case ROLE_DOMAIN_CONTROLLER:
- case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 primary_sid = secrets_get_domain_sid(service,
 service->task->lp_ctx,
 lpcfg_workgroup(service->task->lp_ctx),
@@ -279,6 +278,10 @@ static void winbind_task_init(struct task_server *task)
 return;
 }
 break;
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ task_server_terminate(task, "Cannot start 'samba' winbindd as a 'classic samba' DC: use winbindd instead", true);
+ return;
 }
 
 service->primary_sid = primary_sid; |