-rw-r--r-- | auth/credentials/credentials_secrets.c | 4 | ||||
-rw-r--r-- | docs-xml/manpages/net.8.xml | 2 | ||||
-rw-r--r-- | docs-xml/manpages/smbpasswd.8.xml | 4 | ||||
-rw-r--r-- | docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml | 2 | ||||
-rw-r--r-- | docs-xml/smbdotconf/domain/machinepasswordtimeout.xml | 2 | ||||
-rw-r--r-- | docs-xml/smbdotconf/ldap/ldapadmindn.xml | 2 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/kerberosmethod.xml | 4 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/privatedir.xml | 2 | ||||
-rwxr-xr-x | examples/misc/adssearch.pl | 18 | ||||
-rw-r--r-- | lib/tdb/man/tdbbackup.8.xml | 5 | ||||
-rwxr-xr-x | selftest/target/Samba3.pm | 3 | ||||
-rw-r--r-- | selftest/target/Samba4.pm | 2 | ||||
-rw-r--r-- | source3/include/secrets.h | 2 | ||||
-rw-r--r-- | source3/passdb/py_passdb.c | 2 | ||||
-rw-r--r-- | source3/passdb/secrets.c | 8 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c | 13 | ||||
-rw-r--r-- | source4/scripting/python/samba/tests/provision.py | 9 | ||||
-rw-r--r-- | source4/scripting/python/samba/tests/upgradeprovision.py | 2 | ||||
-rw-r--r-- | source4/scripting/python/samba/tests/upgradeprovisionneeddc.py | 2 |
19 files changed, 59 insertions, 29 deletions
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index a44fe1c8b8..730f047672 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -245,7 +245,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 if (!tmp_ctx) {
 return NT_STATUS_NO_MEMORY;
 }
- secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb");
+ secrets_tdb = lpcfg_private_path(cred, lp_ctx,
+ lpcfg_use_ntdb(lp_ctx) ?
+ "secrets.ntdb" : "secrets.tdb");
 if (!secrets_tdb) {
 TALLOC_FREE(tmp_ctx);
 return NT_STATUS_NO_MEMORY;
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 3765af9be9..01044e1045 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1001,7 +1001,7 @@ local server. You need to run this against the PDC, from a Samba machine joined <refsect2> <title>RPC GETSID</title> -<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename>. </para> +<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>). </para> </refsect2>
diff --git a/docs-xml/manpages/smbpasswd.8.xml b/docs-xml/manpages/smbpasswd.8.xml
index 376044ccaf..88e7e86460 100644
--- a/docs-xml/manpages/smbpasswd.8.xml
+++ b/docs-xml/manpages/smbpasswd.8.xml
@@ -326,7 +326,7 @@ has been compiled with LDAP support. The <parameter>-w</parameter> switch is used to specify the password to be used with the <smbconfoption name="ldap admin dn"/>. Note that the password is stored in - the <filename>secrets.tdb</filename> and is keyed off + the <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>) and is keyed off of the admin's DN. This means that if the value of <parameter>ldap admin dn</parameter> ever changes, the password will need to be manually updated as well.
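Review bot: The secrets file name is now assembled independently in cli_credentials_set_machine_account here, in secrets_init_path (source3/passdb/secrets.c) and in secrets_tdb_sync_init (source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c), each with its own `use_ntdb ? "ntdb" : "tdb"`-style selector. A single helper returning the basename for a given configuration would keep the three from drifting. Note also that this hunk and secrets.c read the choice from configuration (`lpcfg_use_ntdb` / `lp_use_ntdb`) while the ldb module probes for the file on disk, so the two halves can already pick different stores when both files exist in the private directory. cli_credentials_set_machine_account begins and ends outside the hunk.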
@@ -343,7 +343,7 @@ has been compiled with LDAP support. The <parameter>-W</parameter> switch is used to specify the password to be used with the <smbconfoption name="ldap admin dn"/>. Note that the password is stored in - the <filename>secrets.tdb</filename> and is keyed off + the <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>) and is keyed off of the admin's DN. This means that if the value of <parameter>ldap admin dn</parameter> ever changes, the password will need to be manually updated as well.
diff --git a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
index 0d682c2b5b..842856bf83 100644
--- a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
+++ b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
@@ -129,7 +129,7 @@ <itemizedlist> <listitem> <para> - The data from the module may be send encrypted, with a key stored in secrets.tdb. The + The data from the module may be send encrypted, with a key stored in secrets.tdb (or secrets.ntdb). The Receiver then has to use the same key. The module does AES block encryption over the data to send. </para>
diff --git a/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml b/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml
index a8e312ba36..4f55e81f00 100644
--- a/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml
+++ b/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml
@@ -9,7 +9,7 @@ If a Samba server is a member of a Windows NT Domain (see the <smbconfoption name="security">domain</smbconfoption> parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called <filename moreinfo="none">private/secrets.tdb - </filename>. This parameter specifies how often this password will be changed, in seconds. The default is one + </filename> (or <filename moreinfo="none">private/secrets.ntdb</filename>). This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server. </para>
diff --git a/docs-xml/smbdotconf/ldap/ldapadmindn.xml b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
index 442d242679..b5fe0fbca0 100644
--- a/docs-xml/smbdotconf/ldap/ldapadmindn.xml
+++ b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
@@ -8,7 +8,7 @@ <para> The <smbconfoption name="ldap admin dn"/> defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retreiving user account information. The <smbconfoption name="ldap admin dn"/> is used - in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename> + in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename> (or <filename moreinfo="none">private/secrets.ntdb</filename>) file. See the <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> man page for more information on how to accomplish this. </para>
diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml
index 3a11e06be9..cc8a69bc70 100644
--- a/docs-xml/smbdotconf/security/kerberosmethod.xml
+++ b/docs-xml/smbdotconf/security/kerberosmethod.xml
@@ -8,7 +8,7 @@ <para>Valid options are:</para> <itemizedlist> - <listitem><para>secrets only - use only the secrets.tdb for + <listitem><para>secrets only - use only the secrets.(n)tdb for ticket verification (default)</para></listitem> <listitem><para>system keytab - use only the system keytab
@@ -17,7 +17,7 @@ <listitem><para>dedicated keytab - use a dedicated keytab for ticket verification</para></listitem> - <listitem><para>secrets and keytab - use the secrets.tdb + <listitem><para>secrets and keytab - use the secrets.(n)tdb first, then the system keytab</para></listitem> </itemizedlist>
diff --git a/docs-xml/smbdotconf/security/privatedir.xml b/docs-xml/smbdotconf/security/privatedir.xml
index 46d4a8297c..2f4b5766de 100644
--- a/docs-xml/smbdotconf/security/privatedir.xml
+++ b/docs-xml/smbdotconf/security/privatedir.xml
@@ -7,7 +7,7 @@ <description> <para>This parameters defines the directory smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename> - and <filename moreinfo="none">secrets.tdb</filename>. + and <filename moreinfo="none">secrets.tdb</filename> (or <filename moreinfo="none">secrets.ntdb</filename>). </para> </description>
diff --git a/examples/misc/adssearch.pl b/examples/misc/adssearch.pl
index 13a85bede9..02c4464abb 100755
--- a/examples/misc/adssearch.pl
+++ b/examples/misc/adssearch.pl
@@ -42,11 +42,13 @@ my $rebind_url;
 my $tdbdump = "/usr/bin/tdbdump";
+my $ntdbdump = "/usr/bin/ntdbdump";
 my $testparm = "/usr/bin/testparm";
 my $net = "/usr/bin/net";
 my $dig = "/usr/bin/dig";
 my $nmblookup = "/usr/bin/nmblookup";
 my $secrets_tdb = "/etc/samba/secrets.tdb";
+my $secrets_ntdb = "/etc/samba/secrets.ntdb";
 my $klist = "/usr/bin/klist";
 my $kinit = "/usr/bin/kinit";
 my $workgroup = "";
@@ -723,13 +725,21 @@ sub get_machine_password {
 my $workgroup = shift || "";
 $workgroup = uc($workgroup);
- my ($found, $tmp);
- -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
- -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+ my ($found, $tmp, $dbdump, $db);
+ if (-r $secrets_ntdb) {
+ -x $ntdbdump || die "ntdbdump is not installed. cannot proceed autodetection\n";
+ $dbdump = $ntdbdump;
+ $db = $secrets_ntdb;
+ } else {
+ -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
+ -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+ $dbdump = $tdbdump;
+ $db = $secrets_tdb;
+ }
 # get machine-password
 my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
- open(SECRETS,"$tdbdump $secrets_tdb |");
+ open(SECRETS,"$dbdump $db |");
 while(my $line = <SECRETS>) {
 chomp($line);
 if ($found) {
diff --git a/lib/tdb/man/tdbbackup.8.xml b/lib/tdb/man/tdbbackup.8.xml
index 02936cf0d6..c15cc14e2d 100644
--- a/lib/tdb/man/tdbbackup.8.xml
+++ b/lib/tdb/man/tdbbackup.8.xml
@@ -92,6 +92,11 @@ <para>tdbbackup -v [-s suffix] *.tdb</para> <para> + Note that Samba 4 can use .ntdb files instead, so you should + use <command>ntdbbackup</command> on those files. + </para> + + <para> Samba .tdb files are stored in various locations, be sure to run backup all .tdb file on the system. Important files includes: </para>
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 8546bd2895..c71419d4ba 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -418,6 +418,9 @@ $ret->{USERNAME} = KTEST\\Administrator
 system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
 chmod 0600, "$prefix/private/secrets.tdb";
+#Make sure there's no old ntdb file.
+ system("rm -f $prefix/private/secrets.ntdb");
+
 #This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
 # "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
 #
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 8ad62326cd..e9e003704e 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1512,7 +1512,7 @@ sub provision_chgdcpass($$)
 # Remove secrets.tdb from this environment to test that we still start up
 # on systems without the new matching secrets.tdb records
- unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb")) {
+ unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
 warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
 return undef;
 }
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 57a1be0c3e..1eeb24c1c9 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -82,7 +82,7 @@ struct afs_keyfile {
 /* The following definitions come from passdb/secrets.c */
-bool secrets_init_path(const char *private_dir);
+bool secrets_init_path(const char *private_dir, bool use_ntdb);
 bool secrets_init(void);
 struct db_context *secrets_db_ctx(void);
 void secrets_shutdown(void);
diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c
index 6984061714..3fd14cdc41 100644
--- a/source3/passdb/py_passdb.c
+++ b/source3/passdb/py_passdb.c
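Review bot: The new `system("rm -f $prefix/private/secrets.ntdb")` in Samba3.pm forks a shell to delete a single file, while the Samba4.pm hunk in the same commit uses Perl's built-in for the same job. `unlink("$prefix/private/secrets.ntdb");` does the same without the subprocess and keeps the two selftest targets consistent. The surrounding provisioning routine starts and ends outside the hunk.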
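Review bot: `unlink(a) || unlink(b)` short-circuits, so when both secrets.tdb and secrets.ntdb exist in PRIVATEDIR only the first is removed and the ntdb copy that the comment above presumably also intends to clear survives; the warn message likewise names only secrets.tdb. Perl's unlink accepts a list and returns the number of files removed, so `my $removed = unlink("$ret->{PRIVATEDIR}/secrets.tdb", "$ret->{PRIVATEDIR}/secrets.ntdb");` followed by `unless ($removed) {` removes both and still detects the case where neither was present. provision_chgdcpass continues outside the hunk.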
@@ -3638,7 +3638,7 @@ static PyObject *py_set_secrets_dir(PyObject *self, PyObject *args)
 }
 /* Initialize secrets database */
- if (!secrets_init_path(private_dir)) {
+ if (!secrets_init_path(private_dir, lp_use_ntdb())) {
 PyErr_Format(py_pdb_error, "Cannot open secrets file database in '%s'", private_dir);
 talloc_free(frame);
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 8f314a76cf..f97510db21 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -55,7 +55,7 @@ static void get_rand_seed(void *userdata, int *new_seed)
 }
 /* open up the secrets database with specified private_dir path */
-bool secrets_init_path(const char *private_dir)
+bool secrets_init_path(const char *private_dir, bool use_ntdb)
 {
 char *fname = NULL;
 unsigned char dummy;
@@ -70,8 +70,8 @@ bool secrets_init_path(const char *private_dir)
 }
 frame = talloc_stackframe();
- fname = talloc_asprintf(frame, "%s/secrets.tdb",
- private_dir);
+ fname = talloc_asprintf(frame, "%s/secrets.%s",
+ private_dir, use_ntdb ? "ntdb" : "tdb");
 if (fname == NULL) {
 TALLOC_FREE(frame);
 return False;
@@ -105,7 +105,7 @@ bool secrets_init_path(const char *private_dir)
 /* open up the secrets database */
 bool secrets_init(void)
 {
- return secrets_init_path(lp_private_dir());
+ return secrets_init_path(lp_private_dir(), lp_use_ntdb());
 }
 struct db_context *secrets_db_ctx(void)
diff --git a/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c b/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c
index e90fc77068..e3d8485c61 100644
--- a/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c
+++ b/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c
@@ -474,7 +474,8 @@ static int secrets_tdb_sync_init(struct ldb_module *module)
 struct ldb_context *ldb;
 struct secrets_tdb_sync_private *data;
 char *private_dir, *p;
- const char *secrets_ldb;
+ const char *secrets_ldb, *secrets_ntdb;
+ bool use_ntdb;
 ldb = ldb_module_get_ctx(module);
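Review bot: The header comment on secrets_init_path in source3/passdb/secrets.c still reads `/* open up the secrets database with specified private_dir path */` and says nothing about the new use_ntdb parameter, which now decides whether `<private_dir>/secrets.ntdb` or `<private_dir>/secrets.tdb` is opened. Extending it to `/* open up the secrets database under private_dir; use_ntdb selects secrets.ntdb instead of secrets.tdb */` records the contract where callers look for it. The prototype in source3/include/secrets.h carries no comment for the flag either.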
@@ -498,11 +499,17 @@ static int secrets_tdb_sync_init(struct ldb_module *module)
 p = strrchr(private_dir, '/');
 if (p) {
 *p = '\0';
- secrets_init_path(private_dir);
 } else {
- secrets_init_path(".");
+ private_dir = talloc_strdup(data, ".");
 }
+ /* If there's an ntdb file, force code to load that. */
+ secrets_ntdb = talloc_asprintf(private_dir, "%s/secrets.ntdb",
+ private_dir);
+ use_ntdb = file_exist(secrets_ntdb);
+
+ secrets_init_path(private_dir, use_ntdb);
+
 TALLOC_FREE(private_dir);
 data->secrets_tdb = secrets_db_ctx();
diff --git a/source4/scripting/python/samba/tests/provision.py b/source4/scripting/python/samba/tests/provision.py
index 992179124b..929e7074f7 100644
--- a/source4/scripting/python/samba/tests/provision.py
+++ b/source4/scripting/python/samba/tests/provision.py
@@ -55,8 +55,9 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
 def test_setup_secretsdb(self):
 path = os.path.join(self.tempdir, "secrets.ldb")
- secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
 paths = ProvisionPaths()
+ secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
+ secrets_ntdb_path = os.path.join(self.tempdir, "secrets.ntdb")
 paths.secrets = path
 paths.private_dir = os.path.dirname(path)
 paths.keytab = "no.keytab"
@@ -68,8 +69,10 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
 finally:
 del ldb
 os.unlink(path)
- os.unlink(secrets_tdb_path)
-
+ if os.path.exists(secrets_tdb_path):
+ os.unlink(secrets_tdb_path)
+ if os.path.exists(secrets_ntdb_path):
+ os.unlink(secrets_ntdb_path)
 class FindNssTests(TestCase):
 """Test findnss() function."""
diff --git a/source4/scripting/python/samba/tests/upgradeprovision.py b/source4/scripting/python/samba/tests/upgradeprovision.py
index c1c70c4a88..93a6731c83 100644
--- a/source4/scripting/python/samba/tests/upgradeprovision.py
+++ b/source4/scripting/python/samba/tests/upgradeprovision.py
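Review bot: Both new allocations in secrets_tdb_sync_init are used without a NULL check: `private_dir = talloc_strdup(data, ".")` feeds straight into `talloc_asprintf(private_dir, "%s/secrets.ntdb", private_dir)`, and that result goes to `file_exist(secrets_ntdb)` and on to `secrets_init_path` unchecked. Reassigning private_dir in the else branch also means the buffer it previously pointed to is no longer released by the `TALLOC_FREE(private_dir)` below, which is only harmless if that buffer was parented to data — the hunk does not show where it came from. Choosing the backend by probing for the file, rather than from configuration as the source3 callers do with `lp_use_ntdb()`, deserves at least a comment, since the two can select different stores when both files are present. The function starts outside the hunk; the early returns below use LDB_ERR_OPERATIONS_ERROR to match the int return type visible in the hunk header.
```c
	} else {
		private_dir = talloc_strdup(data, ".");
		if (private_dir == NULL) {
			return LDB_ERR_OPERATIONS_ERROR;
		}
	}

	/* If there's an ntdb file, force code to load that. */
	secrets_ntdb = talloc_asprintf(private_dir, "%s/secrets.ntdb",
				       private_dir);
	if (secrets_ntdb == NULL) {
		TALLOC_FREE(private_dir);
		return LDB_ERR_OPERATIONS_ERROR;
	}
	use_ntdb = file_exist(secrets_ntdb);
	/* … unchanged: secrets_init_path(), TALLOC_FREE(private_dir), secrets_db_ctx() … */
```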
@@ -126,7 +126,7 @@ class UpdateSecretsTests(samba.tests.TestCaseInTempDir):
 self.assertEquals(newmodules.msgs, refmodules.msgs)
 def tearDown(self):
- for name in ["ref.ldb", "secrets.ldb", "secrets.tdb"]:
+ for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb"]:
 path = os.path.join(self.tempdir, name)
 if os.path.exists(path):
 os.unlink(path)
diff --git a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
index 1de123c71d..a7cb298ed7 100644
--- a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
+++ b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
@@ -172,7 +172,7 @@ class UpgradeProvisionWithLdbTestCase(TestCaseInTempDir):
 self.assertTrue(re.match(".*upgrade to.*", str(oem2)))
 def tearDown(self):
- for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "sam.ldb"]:
+ for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb", "sam.ldb"]:
 path = os.path.join(self.tempdir, name)
 if os.path.exists(path):
 os.unlink(path)
|
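Review bot: The list of secrets files to clean up is now spelled out by hand in tearDown here and again in source4/scripting/python/samba/tests/upgradeprovisionneeddc.py, with the same names built a third time in provision.py, so the next backend or backup suffix has to be added in three places. A module-level constant in a shared test helper, e.g. `SECRETS_FILES = ["secrets.tdb", "secrets.tdb.bak", "secrets.ntdb"]`, spliced into each list would keep them in step. The `"secrets.tdb.bak"` entry is not explained by anything else in the diff; a short comment on what produces it would help the next reader.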