-rw-r--r-- | source4/dsdb/common/util.c | 57 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/tests/samba3sam.py | 9 | ||||
-rwxr-xr-x[-rw-r--r--] | source4/lib/ldb/tests/python/sec_descriptor.py | 8 | ||||
-rw-r--r-- | source4/scripting/python/samba/samdb.py | 26 | ||||
-rwxr-xr-x | source4/setup/domainlevel | 35 | ||||
-rwxr-xr-x | source4/setup/newuser | 2 | ||||
-rwxr-xr-x | source4/setup/setexpiry | 2 | ||||
-rw-r--r-- | source4/smbd/server.c | 3 | ||||
-rwxr-xr-x | testprogs/blackbox/test_kinit.sh | 2 |
9 files changed, 91 insertions, 53 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 39fdfe94a5..1fe5979c69 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1433,6 +1433,63 @@ struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx } /* + * This works out if we are running on a supported forest/domain function + * level. Basically this means that we don't support mixed/interim (NT 4 DC + * support) levels. + * If errmsg isn't NULL we write in an adequate error message for printing out + * to the screen. + */ +bool samdb_is_capable_dc(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, + char **errmsg) +{ + int32_t level_forest, level_domain, level_domain_mixed; + bool ret = true; + + level_forest = (int32_t) samdb_search_int64(ldb, mem_ctx, -1, + samdb_partitions_dn(ldb, mem_ctx), "msDS-Behavior-Version", + NULL); + level_domain = (int32_t) samdb_search_int64(ldb, mem_ctx, -1, + samdb_base_dn(ldb), "msDS-Behavior-Version", NULL); + level_domain_mixed = (int32_t) samdb_search_int64(ldb, mem_ctx, -1, + samdb_base_dn(ldb), "nTMixedDomain", NULL); + + if (errmsg != NULL) + *errmsg = talloc_asprintf(mem_ctx, ""); + + if (level_forest == -1 || level_domain == -1 || level_domain_mixed == -1) { + ret = false; + if (errmsg != NULL) + *errmsg = talloc_strdup_append(*errmsg, + "\nATTENTION: Invalid values for forest and/or domain function level!" + ); + } + + if (level_forest == DS_DOMAIN_FUNCTION_2003_MIXED) { + ret = false; + if (errmsg != NULL) + *errmsg = talloc_strdup_append(*errmsg, + "\nATTENTION: You run SAMBA 4 on the 2003 with mixed domains (NT4 DC support) forest level. This isn't supported!" + ); + } + if ((level_domain == DS_DOMAIN_FUNCTION_2000 && level_domain_mixed != 0) + || level_domain == DS_DOMAIN_FUNCTION_2003_MIXED) { + ret = false; + if (errmsg != NULL) + *errmsg = talloc_strdup_append(*errmsg, + "\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) domain level. This isn't supported!" + ); + } + + if ((!ret) && (errmsg != NULL)) { + *errmsg = talloc_strdup_append(*errmsg, + "\nPlease raise the domain and/or forest level to an adequate value. 
Use for this the 'domainlevel' tool, the MS AD MMC tools or manipulate the needed attributes directly." + ); + } + + return ret; +} + +/* work out if we are the PDC for the domain of the current open ldb */ bool samdb_is_pdc(struct ldb_context *ldb) diff --git a/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py b/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py index 75aaeb7366..fe96b88221 100644 --- a/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py +++ b/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py @@ -323,8 +323,6 @@ nextRid: y lastLogon: x description: x objectSid: S-1-5-21-4231626423-2410014848-2360679739-552 -primaryGroupID: 1-5-21-4231626423-2410014848-2360679739-512 - """) self.ldb.add({ @@ -486,11 +484,8 @@ primaryGroupID: 1-5-21-4231626423-2410014848-2360679739-512 self.assertEquals(str(res[0]["lastLogon"]), "x") self.assertEquals(str(res[0]["primaryGroupID"]), "512") - # TODO: There should actually be two results, A and X. The - # primaryGroupID of X seems to get corrupted somewhere, and the - # objectSid isn't available during the generation of remote (!) data, - # which can be observed with the following search. Also note that Xs - # objectSid seems to be fine in the previous search for objectSid... */ + # Note that Xs "objectSid" seems to be fine in the previous search for + # "objectSid"... #res = ldb.search(expression="(primaryGroupID=*)", NULL, ldb. SCOPE_DEFAULT, attrs) #print len(res) + " results found" #for i in range(len(res)): diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py index 58a345450b..01df86e909 100644..100755 --- a/source4/lib/ldb/tests/python/sec_descriptor.py +++ b/source4/lib/ldb/tests/python/sec_descriptor.py 
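Review bot: None of the talloc results on the errmsg path of samdb_is_capable_dc are checked: `*errmsg = talloc_asprintf(mem_ctx, "")` and each `*errmsg = talloc_strdup_append(*errmsg, ...)` can return NULL, after which the next append runs on a NULL string and the caller may end up with NULL or, as far as I recall talloc_strdup_append's fallback, a string no longer parented to mem_ctx. Testing `*errmsg == NULL` after each append and returning false keeps the contract simple. The header comment should also state the ownership the code establishes, e.g. `* On return *errmsg (when requested) is a talloc string on mem_ctx, empty when the levels are supported; the caller owns it.` Note that the -1 sentinel passed to samdb_search_int64 is also the value reported as "invalid", so a missing attribute and a stored -1 are indistinguishable here — probably intended, but worth one comment line.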
@@ -24,11 +24,11 @@ from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security from samba.auth import system_session -from samba import Ldb, DS_BEHAVIOR_WIN2008 +from samba import Ldb, DS_DOMAIN_FUNCTION_2008 from subunit import SubunitTestRunner import unittest -parser = optparse.OptionParser("ldap [options] <host>") +parser = optparse.OptionParser("sec_descriptor [options] <host>") sambaopts = options.SambaOptions(parser) parser.add_option_group(sambaopts) parser.add_option_group(options.VersionOptions(parser)) @@ -374,7 +374,7 @@ changetype: add member: """ + user_dn self.ldb_admin.modify_ldif(ldif) self.results = { - # msDS-Behavior-Version < DS_BEHAVIOR_WIN2008 + # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008 "ds_behavior_win2003" : { "100" : "O:EAG:DU", "101" : "O:DAG:DU", @@ -481,7 +481,7 @@ member: """ + user_dn res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \ attrs=['msDS-Behavior-Version']) res = int(res[0]['msDS-Behavior-Version'][0]) - if res < DS_BEHAVIOR_WIN2008: + if res < DS_DOMAIN_FUNCTION_2008: self.DS_BEHAVIOR = "ds_behavior_win2003" else: self.DS_BEHAVIOR = "ds_behavior_win2008" diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 28352f202f..239dd6a6ea 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py 
@@ -107,15 +107,16 @@ pwdLastSet: 0 """ % (user_dn) self.modify_ldif(mod) - def newuser(self, username, unixname, password, force_password_change_at_next_login=False): + def newuser(self, username, unixname, password, force_password_change_at_next_login_req=False): """Adds a new user Note: This call adds also the ID mapping for winbind; therefore it works *only* on SAMBA 4. - :param username: Name of the new user. - :param unixname: Name of the unix user to map to. + :param username: Name of the new user + :param unixname: Name of the unix user to map to :param password: Password for the new user + :param force_password_change_at_next_login_req: Force password change """ self.transaction_start() try: @@ -129,7 +130,7 @@ pwdLastSet: 0 # Sets the password for it self.setpassword("(dn=" + user_dn + ")", password, - force_password_change_at_next_login) + force_password_change_at_next_login_req) # Gets the user SID (for the account mapping setup) res = self.search(user_dn, scope=ldb.SCOPE_BASE, @@ -153,7 +154,7 @@ pwdLastSet: 0 raise self.transaction_commit() - def setpassword(self, filter, password, force_password_change_at_next_login=False): + def setpassword(self, filter, password, force_password_change_at_next_login_req=False): """Sets the password for a user Note: This call uses the "userPassword" attribute to set the password. @@ -162,7 +163,7 @@ pwdLastSet: 0 :param filter: LDAP filter to find the user (eg samccountname=name) :param password: Password for the user - :param force_password_change_at_next_login: Force password change + :param force_password_change_at_next_login_req: Force password change """ self.transaction_start() try: 
@@ -180,8 +181,9 @@ userPassword:: %s self.modify_ldif(setpw) - if force_password_change_at_next_login: - self.force_password_change_at_next_login(user_dn) + if force_password_change_at_next_login_req: + self.force_password_change_at_next_login( + "(dn=" + str(user_dn) + ")") # modify the userAccountControl to remove the disabled bit self.enable_account(filter) @@ -190,24 +192,24 @@ userPassword:: %s raise self.transaction_commit() - def setexpiry(self, filter, expiry_seconds, noexpiry=False): + def setexpiry(self, filter, expiry_seconds, no_expiry_req=False): """Sets the account expiry for a user :param filter: LDAP filter to find the user (eg samccountname=name) :param expiry_seconds: expiry time from now in seconds - :param noexpiry: if set, then don't expire password + :param no_expiry_req: if set, then don't expire password """ self.transaction_start() try: res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE, expression=filter, attrs=["userAccountControl", "accountExpires"]) - assert len(res) == 1 + assert(len(res) == 1) user_dn = res[0].dn userAccountControl = int(res[0]["userAccountControl"][0]) accountExpires = int(res[0]["accountExpires"][0]) - if noexpiry: + if no_expiry_req: userAccountControl = userAccountControl | 0x10000 accountExpires = 0 else: diff --git a/source4/setup/domainlevel b/source4/setup/domainlevel index 9386d199ac..b49150ff2d 100755 --- a/source4/setup/domainlevel +++ b/source4/setup/domainlevel 
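Review bot: The filter passed to force_password_change_at_next_login is assembled by plain concatenation, `"(dn=" + str(user_dn) + ")"`, so a DN whose RDN contains `(`, `)`, `*` or `\` (all legal in a CN) will likely either break filter parsing or widen the match; the same construction already exists as context in newuser's `self.setpassword("(dn=" + user_dn + ")", ...)`. If the callee must take a filter, escape the DN text per RFC 4515 before embedding it; otherwise letting it accept the DN object directly, as the removed line did, avoids the problem entirely. The enclosing setpassword method starts outside this hunk.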
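Review bot: `assert(len(res) == 1)` in setexpiry is the only guard on how many entries the caller's filter matched, and it is stripped under `python -O`, after which a filter matching several accounts silently modifies whichever entry comes back first; the added parentheses also invite the `assert(cond, msg)` tuple mistake later. Replace it with an explicit check that raises inside the try, so the except clause below the hunk (presumably cancelling the transaction) handles it: `if len(res) != 1:` / `raise ValueError("filter %r matched %d entries, expected exactly one" % (filter, len(res)))`.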
@@ -41,7 +41,7 @@ credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) parser.add_option("--quiet", help="Be quiet", action="store_true") parser.add_option("--forest", - help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str) + help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support the 2003 with mixed domains (NT4 DC support) level.", type=str) parser.add_option("--domain", help="The domain function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str) opts, args = parser.parse_args() 
@@ -69,48 +69,40 @@ res_forest = samdb.search("CN=Partitions,CN=Configuration," + domain_dn, scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"]) assert(len(res_forest) == 1) -res_forest_mixed = samdb.search("CN=" + lp.get("workgroup") + - ",CN=Partitions,CN=Configuration," + domain_dn, - scope=ldb.SCOPE_BASE, attrs=["nTMixedDomain"]) -assert(len(res_forest_mixed) == 1) - res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version", "nTMixedDomain"]) assert(len(res_domain) == 1) try: level_forest = int(res_forest[0]["msDS-Behavior-Version"][0]) - level_forest_mixed = int(res_forest_mixed[0]["nTMixedDomain"][0]) level_domain = int(res_domain[0]["msDS-Behavior-Version"][0]) level_domain_mixed = int(res_domain[0]["nTMixedDomain"][0]) if level_forest < 0 or level_domain < 0: print "ERROR: Domain and/or forest functional level(s) is/are invalid. Correct them or reprovision!" sys.exit(1) - if level_forest > level_domain or (level_forest_mixed < level_domain_mixed): + if level_forest > level_domain: print "ERROR: Forest function level is higher than the domain level(s). That can't be. Correct this or reprovision!" sys.exit(1) except: - print "ERROR: Could not retrieve the actual domain and forest level!" + print "ERROR: Could not retrieve the actual domain and/or forest level!" if args[0] == "show": print "So the levels can't be displayed!" sys.exit(1) if args[0] == "show": message("Domain and forest function level for domain '" + domain_dn + "'") - if (level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed != 0) or level_forest == DS_DOMAIN_FUNCTION_2003_MIXED: - message("\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) forest level. This isn't supported! Please raise!") + if level_forest == DS_DOMAIN_FUNCTION_2003_MIXED: + message("\nATTENTION: You run SAMBA 4 on the 2003 with mixed domains (NT4 DC support) forest level. This isn't supported! 
Please raise!") if (level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0) or level_domain == DS_DOMAIN_FUNCTION_2003_MIXED: message("\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) domain level. This isn't supported! Please raise!") message("") - if level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed != 0: - outstr = "2000 mixed (NT4 DC support)" - elif level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed == 0: + if level_forest == DS_DOMAIN_FUNCTION_2000: outstr = "2000" elif level_forest == DS_DOMAIN_FUNCTION_2003_MIXED: - outstr = "2003 interim (NT4 DC support)" + outstr = "2003 with mixed domains/interim (NT4 DC support)" elif level_forest == DS_DOMAIN_FUNCTION_2003: outstr = "2003" elif level_forest == DS_DOMAIN_FUNCTION_2008: @@ -126,7 +118,7 @@ if args[0] == "show": elif level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed == 0: outstr = "2000" elif level_domain == DS_DOMAIN_FUNCTION_2003_MIXED: - outstr = "2003 interim (NT4 DC support)" + outstr = "2003 with mixed domains/interim (NT4 DC support)" elif level_domain == DS_DOMAIN_FUNCTION_2003: outstr = "2003" elif level_domain == DS_DOMAIN_FUNCTION_2008: @@ -193,7 +185,7 @@ elif args[0] == "raise": print "ERROR: Wrong argument '" + arg + "'!" sys.exit(1) - if new_level_forest <= level_forest and level_forest_mixed == 0: + if new_level_forest <= level_forest: print "ERROR: Forest function level can't be smaller equal to the actual one!" sys.exit(1) 
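Review bot: The two `sys.exit(1)` calls inside the try block — after the invalid-level check and after the reworked `if level_forest > level_domain:` — raise SystemExit, which the bare `except:` that follows catches; it prints "Could not retrieve the actual domain and/or forest level!" and, unless args[0] is "show", falls through, so the "raise" command continues with levels the script has just declared invalid. The bare except is pre-existing context, but the fix belongs with this hunk: narrow it to `except Exception:` or move the two validation checks out of the try block, after the except clause. Either change keeps the error messages as they are.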
@@ -201,15 +193,6 @@ elif args[0] == "raise": print "ERROR: Forest function level can't be higher than the domain function level(s). Please raise it/them first!" sys.exit(1) - # Deactivate mixed/interim forest support - if level_forest_mixed != 0: - m = ldb.Message() - m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup") - + ",CN=Partitions,CN=Configuration," + domain_dn) - m["nTMixedDomain"] = ldb.MessageElement("0", - ldb.FLAG_MOD_REPLACE, "nTMixedDomain") - samdb.modify(m) - m = ldb.Message() m.dn = ldb.Dn(samdb, "CN=Partitions,CN=Configuration," + domain_dn) diff --git a/source4/setup/newuser b/source4/setup/newuser index 422677c301..10af55a458 100755 --- a/source4/setup/newuser +++ b/source4/setup/newuser @@ -60,4 +60,4 @@ creds = credopts.get_credentials(lp) samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), credentials=creds, lp=lp) -samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login=opts.must_change_at_next_login) +samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login_req=opts.must_change_at_next_login) diff --git a/source4/setup/setexpiry b/source4/setup/setexpiry index 6c6305ceaf..1572555b8c 100755 --- a/source4/setup/setexpiry +++ b/source4/setup/setexpiry @@ -61,4 +61,4 @@ creds = credopts.get_credentials(lp) samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), credentials=creds, lp=lp) -samdb.setexpiry(filter, days*24*3600, noexpiry=opts.noexpiry) +samdb.setexpiry(filter, days*24*3600, no_expiry_req=opts.noexpiry) diff --git a/source4/smbd/server.c b/source4/smbd/server.c index a96991e646..8aad26dd2c 100644 --- a/source4/smbd/server.c +++ b/source4/smbd/server.c 
@@ -407,6 +407,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ } DEBUG(0,("%s: using '%s' process model\n", binary_name, model)); + status = server_service_startup(event_ctx, cmdline_lp_ctx, model, lp_server_services(cmdline_lp_ctx)); if (!NT_STATUS_IS_OK(status)) { @@ -425,7 +426,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ return 0; } - int main(int argc, const char *argv[]) +int main(int argc, const char *argv[]) { return binary_smbd_main("samba", argc, argv); } diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh index 91f21f473b..0a15802a28 100755 --- a/testprogs/blackbox/test_kinit.sh +++ b/testprogs/blackbox/test_kinit.sh @@ -69,7 +69,7 @@ echo $USERPASS > ./tmpuserpassfile testit "set user password with kerberos ccache" $VALGRIND $net password set $DOMAIN\\nettestuser $USERPASS $CONFIGURATION -k yes $@ || failed=`expr $failed + 1` -testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -H ldap://$SERVER -k yes $@ || failed=`expr $failed + 1` +testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -k yes $@ || failed=`expr $failed + 1` KRB5CCNAME="$PREFIX/tmpuserccache" export KRB5CCNAME |
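Review bot: Dropping `-H ldap://$SERVER` from the enableaccount call presumably makes the tool open the local sam database directly, as the sibling setup scripts in this commit do with `SamDB(url=lp.get("sam database"), ...)`, so `-k yes` no longer has an LDAP connection to authenticate and the step stops exercising the Kerberos path its name advertises. If the LDAP path was dropped deliberately, rename the test (e.g. `testit "enable user (local sam database)"`) and drop `-k yes` so the script does not suggest coverage it no longer has; otherwise keep the `-H` option.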