-rw-r--r--source4/dsdb/common/util.c57
-rw-r--r--source4/dsdb/samdb/ldb_modules/tests/samba3sam.py9
-rwxr-xr-x[-rw-r--r--]source4/lib/ldb/tests/python/sec_descriptor.py8
-rw-r--r--source4/scripting/python/samba/samdb.py26
-rwxr-xr-xsource4/setup/domainlevel35
-rwxr-xr-xsource4/setup/newuser2
-rwxr-xr-xsource4/setup/setexpiry2
-rw-r--r--source4/smbd/server.c3
-rwxr-xr-xtestprogs/blackbox/test_kinit.sh2
9 files changed, 91 insertions, 53 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 39fdfe94a5..1fe5979c69 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1433,6 +1433,63 @@ struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx
}
/*
+ * This works out if we are running on a supported forest/domain function
+ * level. Basically this means that we don't support mixed/interim (NT 4 DC
+ * support) levels.
+ * If errmsg isn't NULL we write in an adequate error message for printing out
+ * to the screen.
+ */
+bool samdb_is_capable_dc(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
+ char **errmsg)
+{
+ int32_t level_forest, level_domain, level_domain_mixed;
+ bool ret = true;
+
+ level_forest = (int32_t) samdb_search_int64(ldb, mem_ctx, -1,
+ samdb_partitions_dn(ldb, mem_ctx), "msDS-Behavior-Version",
+ NULL);
+ level_domain = (int32_t) samdb_search_int64(ldb, mem_ctx, -1,
+ samdb_base_dn(ldb), "msDS-Behavior-Version", NULL);
+ level_domain_mixed = (int32_t) samdb_search_int64(ldb, mem_ctx, -1,
+ samdb_base_dn(ldb), "nTMixedDomain", NULL);
+
+ if (errmsg != NULL)
+ *errmsg = talloc_asprintf(mem_ctx, "");
+
+ if (level_forest == -1 || level_domain == -1 || level_domain_mixed == -1) {
+ ret = false;
+ if (errmsg != NULL)
+ *errmsg = talloc_strdup_append(*errmsg,
+ "\nATTENTION: Invalid values for forest and/or domain function level!"
+ );
+ }
+
+ if (level_forest == DS_DOMAIN_FUNCTION_2003_MIXED) {
+ ret = false;
+ if (errmsg != NULL)
+ *errmsg = talloc_strdup_append(*errmsg,
+ "\nATTENTION: You run SAMBA 4 on the 2003 with mixed domains (NT4 DC support) forest level. This isn't supported!"
+ );
+ }
+ if ((level_domain == DS_DOMAIN_FUNCTION_2000 && level_domain_mixed != 0)
+ || level_domain == DS_DOMAIN_FUNCTION_2003_MIXED) {
+ ret = false;
+ if (errmsg != NULL)
+ *errmsg = talloc_strdup_append(*errmsg,
+ "\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) domain level. This isn't supported!"
+ );
+ }
+
+ if ((!ret) && (errmsg != NULL)) {
+ *errmsg = talloc_strdup_append(*errmsg,
+ "\nPlease raise the domain and/or forest level to an adequate value. Use for this the 'domainlevel' tool, the MS AD MMC tools or manipulate the needed attributes directly."
+ );
+ }
+
+ return ret;
+}
+
+/*
work out if we are the PDC for the domain of the current open ldb
*/
bool samdb_is_pdc(struct ldb_context *ldb)
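Review bot: None of the talloc results in samdb_is_capable_dc are checked: `*errmsg = talloc_asprintf(mem_ctx, "")` can return NULL, and each following `talloc_strdup_append(*errmsg, ...)` then either returns NULL or, depending on the talloc version, allocates off the NULL context, so a caller that prints `*errmsg` with `%s` after a failed check can dereference NULL or leak. Add a single guard before the final return, `if (errmsg != NULL && *errmsg == NULL) return false;`, and use `talloc_strdup(mem_ctx, "")` for the initial empty string, which also avoids the zero-length format string that -Wformat flags on a printf-attributed function. The header comment should state that `*errmsg` is allocated on mem_ctx and is an empty string when the function returns true, since callers otherwise cannot tell whether they must print it. A one-line note on the -1 default to samdb_search_int64 would also help, e.g. `/* -1 doubles as "attribute missing"; the real attributes are non-negative */`.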
diff --git a/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py b/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py
index 75aaeb7366..fe96b88221 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py
+++ b/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py
@@ -323,8 +323,6 @@ nextRid: y
lastLogon: x
description: x
objectSid: S-1-5-21-4231626423-2410014848-2360679739-552
-primaryGroupID: 1-5-21-4231626423-2410014848-2360679739-512
-
""")
self.ldb.add({
@@ -486,11 +484,8 @@ primaryGroupID: 1-5-21-4231626423-2410014848-2360679739-512
self.assertEquals(str(res[0]["lastLogon"]), "x")
self.assertEquals(str(res[0]["primaryGroupID"]), "512")
- # TODO: There should actually be two results, A and X. The
- # primaryGroupID of X seems to get corrupted somewhere, and the
- # objectSid isn't available during the generation of remote (!) data,
- # which can be observed with the following search. Also note that Xs
- # objectSid seems to be fine in the previous search for objectSid... */
+ # Note that Xs "objectSid" seems to be fine in the previous search for
+ # "objectSid"...
#res = ldb.search(expression="(primaryGroupID=*)", NULL, ldb. SCOPE_DEFAULT, attrs)
#print len(res) + " results found"
#for i in range(len(res)):
diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py
index 58a345450b..01df86e909 100644..100755
--- a/source4/lib/ldb/tests/python/sec_descriptor.py
+++ b/source4/lib/ldb/tests/python/sec_descriptor.py
@@ -24,11 +24,11 @@ from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import security
from samba.auth import system_session
-from samba import Ldb, DS_BEHAVIOR_WIN2008
+from samba import Ldb, DS_DOMAIN_FUNCTION_2008
from subunit import SubunitTestRunner
import unittest
-parser = optparse.OptionParser("ldap [options] <host>")
+parser = optparse.OptionParser("sec_descriptor [options] <host>")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
@@ -374,7 +374,7 @@ changetype: add
member: """ + user_dn
self.ldb_admin.modify_ldif(ldif)
self.results = {
- # msDS-Behavior-Version < DS_BEHAVIOR_WIN2008
+ # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
"ds_behavior_win2003" : {
"100" : "O:EAG:DU",
"101" : "O:DAG:DU",
@@ -481,7 +481,7 @@ member: """ + user_dn
res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
attrs=['msDS-Behavior-Version'])
res = int(res[0]['msDS-Behavior-Version'][0])
- if res < DS_BEHAVIOR_WIN2008:
+ if res < DS_DOMAIN_FUNCTION_2008:
self.DS_BEHAVIOR = "ds_behavior_win2003"
else:
self.DS_BEHAVIOR = "ds_behavior_win2008"
diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py
index 28352f202f..239dd6a6ea 100644
--- a/source4/scripting/python/samba/samdb.py
+++ b/source4/scripting/python/samba/samdb.py
@@ -107,15 +107,16 @@ pwdLastSet: 0
""" % (user_dn)
self.modify_ldif(mod)
- def newuser(self, username, unixname, password, force_password_change_at_next_login=False):
+ def newuser(self, username, unixname, password, force_password_change_at_next_login_req=False):
"""Adds a new user
Note: This call adds also the ID mapping for winbind; therefore it works
*only* on SAMBA 4.
- :param username: Name of the new user.
- :param unixname: Name of the unix user to map to.
+ :param username: Name of the new user
+ :param unixname: Name of the unix user to map to
:param password: Password for the new user
+ :param force_password_change_at_next_login_req: Force password change
"""
self.transaction_start()
try:
@@ -129,7 +130,7 @@ pwdLastSet: 0
# Sets the password for it
self.setpassword("(dn=" + user_dn + ")", password,
- force_password_change_at_next_login)
+ force_password_change_at_next_login_req)
# Gets the user SID (for the account mapping setup)
res = self.search(user_dn, scope=ldb.SCOPE_BASE,
@@ -153,7 +154,7 @@ pwdLastSet: 0
raise
self.transaction_commit()
- def setpassword(self, filter, password, force_password_change_at_next_login=False):
+ def setpassword(self, filter, password, force_password_change_at_next_login_req=False):
"""Sets the password for a user
Note: This call uses the "userPassword" attribute to set the password.
@@ -162,7 +163,7 @@ pwdLastSet: 0
:param filter: LDAP filter to find the user (eg samccountname=name)
:param password: Password for the user
- :param force_password_change_at_next_login: Force password change
+ :param force_password_change_at_next_login_req: Force password change
"""
self.transaction_start()
try:
@@ -180,8 +181,9 @@ userPassword:: %s
self.modify_ldif(setpw)
- if force_password_change_at_next_login:
- self.force_password_change_at_next_login(user_dn)
+ if force_password_change_at_next_login_req:
+ self.force_password_change_at_next_login(
+ "(dn=" + str(user_dn) + ")")
# modify the userAccountControl to remove the disabled bit
self.enable_account(filter)
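Review bot: The new call builds an LDAP filter by concatenation, `"(dn=" + str(user_dn) + ")"`, from a DN that comes straight out of the directory; a DN containing filter metacharacters such as `)`, `*` or a `\`-escaped comma will not parse or will match the wrong object, and force_password_change_at_next_login (which starts outside this hunk) will then fail after the password has already been changed in the same transaction. If that method now searches by filter, escape the DN before interpolating it or let it accept the `user_dn` object directly as the previous code did. Either way, a short comment here stating why the DN is wrapped in a filter would stop the next reader from reverting it.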
@@ -190,24 +192,24 @@ userPassword:: %s
raise
self.transaction_commit()
- def setexpiry(self, filter, expiry_seconds, noexpiry=False):
+ def setexpiry(self, filter, expiry_seconds, no_expiry_req=False):
"""Sets the account expiry for a user
:param filter: LDAP filter to find the user (eg samccountname=name)
:param expiry_seconds: expiry time from now in seconds
- :param noexpiry: if set, then don't expire password
+ :param no_expiry_req: if set, then don't expire password
"""
self.transaction_start()
try:
res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
expression=filter,
attrs=["userAccountControl", "accountExpires"])
- assert len(res) == 1
+ assert(len(res) == 1)
user_dn = res[0].dn
userAccountControl = int(res[0]["userAccountControl"][0])
accountExpires = int(res[0]["accountExpires"][0])
- if noexpiry:
+ if no_expiry_req:
userAccountControl = userAccountControl | 0x10000
accountExpires = 0
else:
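Review bot: `assert(len(res) == 1)` is the only guard against the caller's filter matching zero or several accounts, and assertions are stripped under `python -O`, in which case `res[0]` silently picks an arbitrary match (or raises IndexError on none) and the expiry change is committed against it. Replace it with an explicit check before `user_dn = res[0].dn`, e.g. `if len(res) != 1: raise Exception("filter %r matched %d users, expected 1" % (filter, len(res)))`. The magic `0x10000` deserves a comment naming the flag, `# UF_DONT_EXPIRE_PASSWD`, and the docstring should say "don't expire the account" rather than "password" since `accountExpires` is what is set to 0. setexpiry's body continues past the end of this hunk.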
diff --git a/source4/setup/domainlevel b/source4/setup/domainlevel
index 9386d199ac..b49150ff2d 100755
--- a/source4/setup/domainlevel
+++ b/source4/setup/domainlevel
@@ -41,7 +41,7 @@ credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("--quiet", help="Be quiet", action="store_true")
parser.add_option("--forest",
- help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str)
+ help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support the 2003 with mixed domains (NT4 DC support) level.", type=str)
parser.add_option("--domain",
help="The domain function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str)
opts, args = parser.parse_args()
@@ -69,48 +69,40 @@ res_forest = samdb.search("CN=Partitions,CN=Configuration," + domain_dn,
scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"])
assert(len(res_forest) == 1)
-res_forest_mixed = samdb.search("CN=" + lp.get("workgroup") +
- ",CN=Partitions,CN=Configuration," + domain_dn,
- scope=ldb.SCOPE_BASE, attrs=["nTMixedDomain"])
-assert(len(res_forest_mixed) == 1)
-
res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
attrs=["msDS-Behavior-Version", "nTMixedDomain"])
assert(len(res_domain) == 1)
try:
level_forest = int(res_forest[0]["msDS-Behavior-Version"][0])
- level_forest_mixed = int(res_forest_mixed[0]["nTMixedDomain"][0])
level_domain = int(res_domain[0]["msDS-Behavior-Version"][0])
level_domain_mixed = int(res_domain[0]["nTMixedDomain"][0])
if level_forest < 0 or level_domain < 0:
print "ERROR: Domain and/or forest functional level(s) is/are invalid. Correct them or reprovision!"
sys.exit(1)
- if level_forest > level_domain or (level_forest_mixed < level_domain_mixed):
+ if level_forest > level_domain:
print "ERROR: Forest function level is higher than the domain level(s). That can't be. Correct this or reprovision!"
sys.exit(1)
except:
- print "ERROR: Could not retrieve the actual domain and forest level!"
+ print "ERROR: Could not retrieve the actual domain and/or forest level!"
if args[0] == "show":
print "So the levels can't be displayed!"
sys.exit(1)
if args[0] == "show":
message("Domain and forest function level for domain '" + domain_dn + "'")
- if (level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed != 0) or level_forest == DS_DOMAIN_FUNCTION_2003_MIXED:
- message("\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) forest level. This isn't supported! Please raise!")
+ if level_forest == DS_DOMAIN_FUNCTION_2003_MIXED:
+ message("\nATTENTION: You run SAMBA 4 on the 2003 with mixed domains (NT4 DC support) forest level. This isn't supported! Please raise!")
if (level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0) or level_domain == DS_DOMAIN_FUNCTION_2003_MIXED:
message("\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) domain level. This isn't supported! Please raise!")
message("")
- if level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed != 0:
- outstr = "2000 mixed (NT4 DC support)"
- elif level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed == 0:
+ if level_forest == DS_DOMAIN_FUNCTION_2000:
outstr = "2000"
elif level_forest == DS_DOMAIN_FUNCTION_2003_MIXED:
- outstr = "2003 interim (NT4 DC support)"
+ outstr = "2003 with mixed domains/interim (NT4 DC support)"
elif level_forest == DS_DOMAIN_FUNCTION_2003:
outstr = "2003"
elif level_forest == DS_DOMAIN_FUNCTION_2008:
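Review bot: The two validation failures inside the `try`, including the new `if level_forest > level_domain:` branch, never exit the way they intend: `sys.exit(1)` raises SystemExit, the bare `except:` that follows catches it, prints "Could not retrieve the actual domain and/or forest level!" instead of the real error, and for the "raise" subcommand falls through and continues with the invalid levels. Move the two range checks below the `try`/`except` block, and narrow the handler to the conversion errors it is meant for, e.g. `except (KeyError, IndexError, ValueError):`, which also stops a genuinely missing attribute from reaching the "raise" path with `level_forest` undefined. The handler itself should exit unconditionally rather than only when `args[0] == "show"`.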
@@ -126,7 +118,7 @@ if args[0] == "show":
elif level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed == 0:
outstr = "2000"
elif level_domain == DS_DOMAIN_FUNCTION_2003_MIXED:
- outstr = "2003 interim (NT4 DC support)"
+ outstr = "2003 with mixed domains/interim (NT4 DC support)"
elif level_domain == DS_DOMAIN_FUNCTION_2003:
outstr = "2003"
elif level_domain == DS_DOMAIN_FUNCTION_2008:
@@ -193,7 +185,7 @@ elif args[0] == "raise":
print "ERROR: Wrong argument '" + arg + "'!"
sys.exit(1)
- if new_level_forest <= level_forest and level_forest_mixed == 0:
+ if new_level_forest <= level_forest:
print "ERROR: Forest function level can't be smaller equal to the actual one!"
sys.exit(1)
@@ -201,15 +193,6 @@ elif args[0] == "raise":
print "ERROR: Forest function level can't be higher than the domain function level(s). Please raise it/them first!"
sys.exit(1)
- # Deactivate mixed/interim forest support
- if level_forest_mixed != 0:
- m = ldb.Message()
- m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup")
- + ",CN=Partitions,CN=Configuration," + domain_dn)
- m["nTMixedDomain"] = ldb.MessageElement("0",
- ldb.FLAG_MOD_REPLACE, "nTMixedDomain")
- samdb.modify(m)
-
m = ldb.Message()
m.dn = ldb.Dn(samdb, "CN=Partitions,CN=Configuration,"
+ domain_dn)
diff --git a/source4/setup/newuser b/source4/setup/newuser
index 422677c301..10af55a458 100755
--- a/source4/setup/newuser
+++ b/source4/setup/newuser
@@ -60,4 +60,4 @@ creds = credopts.get_credentials(lp)
samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
credentials=creds, lp=lp)
-samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login=opts.must_change_at_next_login)
+samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login_req=opts.must_change_at_next_login)
diff --git a/source4/setup/setexpiry b/source4/setup/setexpiry
index 6c6305ceaf..1572555b8c 100755
--- a/source4/setup/setexpiry
+++ b/source4/setup/setexpiry
@@ -61,4 +61,4 @@ creds = credopts.get_credentials(lp)
samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
credentials=creds, lp=lp)
-samdb.setexpiry(filter, days*24*3600, noexpiry=opts.noexpiry)
+samdb.setexpiry(filter, days*24*3600, no_expiry_req=opts.noexpiry)
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index a96991e646..8aad26dd2c 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -407,6 +407,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
}
DEBUG(0,("%s: using '%s' process model\n", binary_name, model));
+
status = server_service_startup(event_ctx, cmdline_lp_ctx, model,
lp_server_services(cmdline_lp_ctx));
if (!NT_STATUS_IS_OK(status)) {
@@ -425,7 +426,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
return 0;
}
- int main(int argc, const char *argv[])
+int main(int argc, const char *argv[])
{
return binary_smbd_main("samba", argc, argv);
}
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
index 91f21f473b..0a15802a28 100755
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
@@ -69,7 +69,7 @@ echo $USERPASS > ./tmpuserpassfile
testit "set user password with kerberos ccache" $VALGRIND $net password set $DOMAIN\\nettestuser $USERPASS $CONFIGURATION -k yes $@ || failed=`expr $failed + 1`
-testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -H ldap://$SERVER -k yes $@ || failed=`expr $failed + 1`
+testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -k yes $@ || failed=`expr $failed + 1`
KRB5CCNAME="$PREFIX/tmpuserccache"
export KRB5CCNAME
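Review bot: Dropping `-H ldap://$SERVER` from the "enable user with kerberos cache" step changes what the test exercises: without an explicit URL the enableaccount script presumably falls back to the local sam database, as newuser and setexpiry do in this same commit, so `-k yes` no longer has an authentication path to act on and the step passes without ever using the Kerberos ccache its name promises. If enableaccount cannot take `-H` yet, rename the step, e.g. `testit "enable user via local sam database" ...`, or add the option to the script before relaxing the test, so a regression in Kerberos-authenticated LDAP modifications is not masked. The `net password set` line just above still goes through the authenticated path, so the coverage loss is limited to enableaccount.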