From 2f4b21bb57c4f96c5f5b57a69d022c142d8088d5 Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Wed, 20 Feb 2013 14:59:42 +1030 Subject: ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb' Since we open with dbwrap, it auto-converts old tdbs (which it will rename to secrets.tdb.bak once it's done). Signed-off-by: Rusty Russell Reviewed-by: Andrew Bartlett Autobuild-User(master): Rusty Russell Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104 --- auth/credentials/credentials_secrets.c | 4 +++- docs-xml/manpages/net.8.xml | 2 +- docs-xml/manpages/smbpasswd.8.xml | 4 ++-- docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml | 2 +- docs-xml/smbdotconf/domain/machinepasswordtimeout.xml | 2 +- docs-xml/smbdotconf/ldap/ldapadmindn.xml | 2 +- docs-xml/smbdotconf/security/kerberosmethod.xml | 4 ++-- docs-xml/smbdotconf/security/privatedir.xml | 2 +- examples/misc/adssearch.pl | 18 ++++++++++++++---- lib/tdb/man/tdbbackup.8.xml | 5 +++++ selftest/target/Samba3.pm | 3 +++ selftest/target/Samba4.pm | 2 +- source3/include/secrets.h | 2 +- source3/passdb/py_passdb.c | 2 +- source3/passdb/secrets.c | 8 ++++---- source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c | 13 ++++++++++--- source4/scripting/python/samba/tests/provision.py | 9 ++++++--- .../scripting/python/samba/tests/upgradeprovision.py | 2 +- .../python/samba/tests/upgradeprovisionneeddc.py | 2 +- 19 files changed, 59 insertions(+), 29 deletions(-) diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index a44fe1c8b8..730f047672 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c 
@@ -245,7 +245,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } - secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb"); + secrets_tdb = lpcfg_private_path(cred, lp_ctx, + lpcfg_use_ntdb(lp_ctx) ? + "secrets.ntdb" : "secrets.tdb"); if (!secrets_tdb) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index 3765af9be9..01044e1045 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml @@ -1001,7 +1001,7 @@ local server. You need to run this against the PDC, from a Samba machine joined RPC GETSID -Fetch domain SID and store it in the local secrets.tdb. +Fetch domain SID and store it in the local secrets.tdb (or secrets.ntdb). diff --git a/docs-xml/manpages/smbpasswd.8.xml b/docs-xml/manpages/smbpasswd.8.xml index 376044ccaf..88e7e86460 100644 --- a/docs-xml/manpages/smbpasswd.8.xml +++ b/docs-xml/manpages/smbpasswd.8.xml @@ -326,7 +326,7 @@ has been compiled with LDAP support. The -w switch is used to specify the password to be used with the . Note that the password is stored in - the secrets.tdb and is keyed off + the secrets.tdb (or secrets.ntdb) and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well. @@ -343,7 +343,7 @@ has been compiled with LDAP support. The -W switch is used to specify the password to be used with the . Note that the password is stored in - the secrets.tdb and is keyed off + the secrets.tdb (or secrets.ntdb) and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well. diff --git a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml index 0d682c2b5b..842856bf83 100644 --- a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml 
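Review bot: The filename is chosen here purely from the `use ntdb` setting, while secrets_tdb_sync.c in the same commit chooses it from whether secrets.ntdb exists on disk, so the two selection rules can disagree on a host whose setting changed after a conversion. Once dbwrap has converted and renamed the old file to secrets.tdb.bak, turning `use ntdb` back off would make this path (and likewise secrets_init_path() in secrets.c and py_set_secrets_dir() in py_passdb.c) point at a secrets.tdb that no longer holds the machine account, while the real secrets presumably stay in secrets.ntdb. Either reuse the existence check or document the one-way nature of the switch at this line, e.g. `/* Follows 'use ntdb' only; an existing secrets.ntdb is not consulted when the option is off. */`. cli_credentials_set_machine_account() starts and ends outside this hunk.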
+++ b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml @@ -129,7 +129,7 @@ - The data from the module may be send encrypted, with a key stored in secrets.tdb. The + The data from the module may be send encrypted, with a key stored in secrets.tdb (or secrets.ntdb). The Receiver then has to use the same key. The module does AES block encryption over the data to send. diff --git a/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml b/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml index a8e312ba36..4f55e81f00 100644 --- a/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml +++ b/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml @@ -9,7 +9,7 @@ If a Samba server is a member of a Windows NT Domain (see the domain parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb - . This parameter specifies how often this password will be changed, in seconds. The default is one + (or private/secrets.ntdb). This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server. diff --git a/docs-xml/smbdotconf/ldap/ldapadmindn.xml b/docs-xml/smbdotconf/ldap/ldapadmindn.xml index 442d242679..b5fe0fbca0 100644 --- a/docs-xml/smbdotconf/ldap/ldapadmindn.xml +++ b/docs-xml/smbdotconf/ldap/ldapadmindn.xml @@ -8,7 +8,7 @@ The defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retreiving user account information. The is used - in conjunction with the admin dn password stored in the private/secrets.tdb + in conjunction with the admin dn password stored in the private/secrets.tdb (or private/secrets.ntdb) file. See the smbpasswd 8 man page for more information on how to accomplish this. diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml index 3a11e06be9..cc8a69bc70 100644 
--- a/docs-xml/smbdotconf/security/kerberosmethod.xml +++ b/docs-xml/smbdotconf/security/kerberosmethod.xml @@ -8,7 +8,7 @@ Valid options are: - secrets only - use only the secrets.tdb for + secrets only - use only the secrets.(n)tdb for ticket verification (default) system keytab - use only the system keytab @@ -17,7 +17,7 @@ dedicated keytab - use a dedicated keytab for ticket verification - secrets and keytab - use the secrets.tdb + secrets and keytab - use the secrets.(n)tdb first, then the system keytab diff --git a/docs-xml/smbdotconf/security/privatedir.xml b/docs-xml/smbdotconf/security/privatedir.xml index 46d4a8297c..2f4b5766de 100644 --- a/docs-xml/smbdotconf/security/privatedir.xml +++ b/docs-xml/smbdotconf/security/privatedir.xml @@ -7,7 +7,7 @@ This parameters defines the directory smbd will use for storing such files as smbpasswd - and secrets.tdb. + and secrets.tdb (or secrets.ntdb). diff --git a/examples/misc/adssearch.pl b/examples/misc/adssearch.pl index 13a85bede9..02c4464abb 100755 --- a/examples/misc/adssearch.pl +++ b/examples/misc/adssearch.pl @@ -42,11 +42,13 @@ my $rebind_url; my $tdbdump = "/usr/bin/tdbdump"; +my $ntdbdump = "/usr/bin/ntdbdump"; my $testparm = "/usr/bin/testparm"; my $net = "/usr/bin/net"; my $dig = "/usr/bin/dig"; my $nmblookup = "/usr/bin/nmblookup"; my $secrets_tdb = "/etc/samba/secrets.tdb"; +my $secrets_ntdb = "/etc/samba/secrets.ntdb"; my $klist = "/usr/bin/klist"; my $kinit = "/usr/bin/kinit"; my $workgroup = ""; 
@@ -723,13 +725,21 @@ sub get_machine_password { my $workgroup = shift || ""; $workgroup = uc($workgroup); - my ($found, $tmp); - -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n"; - -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n"; + my ($found, $tmp, $dbdump, $db); + if (-r $secrets_ntdb) { + -x $ntdbdump || die "ntdbdump is not installed. cannot proceed autodetection\n"; + $dbdump = $ntdbdump; + $db = $secrets_ntdb; + } else { + -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n"; + -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n"; + $dbdump = $tdbdump; + $db = $secrets_tdb; + } # get machine-password my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup); - open(SECRETS,"$tdbdump $secrets_tdb |"); + open(SECRETS,"$dbdump $db |"); while(my $line = ) { chomp($line); if ($found) { diff --git a/lib/tdb/man/tdbbackup.8.xml b/lib/tdb/man/tdbbackup.8.xml index 02936cf0d6..c15cc14e2d 100644 --- a/lib/tdb/man/tdbbackup.8.xml +++ b/lib/tdb/man/tdbbackup.8.xml @@ -91,6 +91,11 @@ tdbbackup -v [-s suffix] *.tdb + + Note that Samba 4 can use .ntdb files instead, so you should + use ntdbbackup on those files. + + Samba .tdb files are stored in various locations, be sure to run backup all .tdb file on the system. Important files includes: diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 8546bd2895..c71419d4ba 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm 
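Review bot: The rewritten `open(SECRETS,"$dbdump $db |")` still ignores its return value, so if the chosen dump tool fails to start the loop below reads nothing and autodetection quietly yields an empty password instead of dying like the checks above it. The two-argument pipe form also goes through the shell; now that both the command and the path are picked at runtime, the list form avoids interpolation and reports failure: `open(SECRETS, "-|", $dbdump, $db) or die "cannot run $dbdump $db: $!\n";`. The `sub get_machine_password` line and the rest of its body lie outside this hunk.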
@@ -418,6 +418,9 @@ $ret->{USERNAME} = KTEST\\Administrator system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb"); chmod 0600, "$prefix/private/secrets.tdb"; +#Make sure there's no old ntdb file. + system("rm -f $prefix/private/secrets.ntdb"); + #This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with: # "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232" # diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 8ad62326cd..e9e003704e 100644 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -1512,7 +1512,7 @@ sub provision_chgdcpass($$) # Remove secrets.tdb from this environment to test that we still start up # on systems without the new matching secrets.tdb records - unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb")) { + unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) { warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision"); return undef; } diff --git a/source3/include/secrets.h b/source3/include/secrets.h index 57a1be0c3e..1eeb24c1c9 100644 --- a/source3/include/secrets.h +++ b/source3/include/secrets.h @@ -82,7 +82,7 @@ struct afs_keyfile { /* The following definitions come from passdb/secrets.c */ -bool secrets_init_path(const char *private_dir); +bool secrets_init_path(const char *private_dir, bool use_ntdb); bool secrets_init(void); struct db_context *secrets_db_ctx(void); void secrets_shutdown(void); diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c index 6984061714..3fd14cdc41 100644 --- a/source3/passdb/py_passdb.c +++ b/source3/passdb/py_passdb.c 
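Review bot: `system("rm -f $prefix/private/secrets.ntdb")` spawns a shell to delete a single file and interpolates `$prefix` into a command line; the builtin does the same job in-process and matches how Samba4.pm removes the secrets files in this commit: `unlink("$prefix/private/secrets.ntdb");`. The neighbouring `system("cp ...")` predates this change, so this is only a point about the new line.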
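Review bot: With `unlink(...secrets.tdb) || unlink(...secrets.ntdb)` the second unlink is skipped whenever secrets.tdb was removed, so a private dir that holds both files keeps its secrets.ntdb, and since secrets_tdb_sync.c now prefers an existing secrets.ntdb the environment would no longer start without a secrets database as the comment above intends. A single unlink with both names removes whichever exist and returns the count: `unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb", "$ret->{PRIVATEDIR}/secrets.ntdb")) {`. The warn() text on the following line and the comment above still name only secrets.tdb. provision_chgdcpass() continues outside the hunk.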
@@ -3638,7 +3638,7 @@ static PyObject *py_set_secrets_dir(PyObject *self, PyObject *args) } /* Initialize secrets database */ - if (!secrets_init_path(private_dir)) { + if (!secrets_init_path(private_dir, lp_use_ntdb())) { PyErr_Format(py_pdb_error, "Cannot open secrets file database in '%s'", private_dir); talloc_free(frame); diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c index 8f314a76cf..f97510db21 100644 --- a/source3/passdb/secrets.c +++ b/source3/passdb/secrets.c @@ -55,7 +55,7 @@ static void get_rand_seed(void *userdata, int *new_seed) } /* open up the secrets database with specified private_dir path */ -bool secrets_init_path(const char *private_dir) +bool secrets_init_path(const char *private_dir, bool use_ntdb) { char *fname = NULL; unsigned char dummy; @@ -70,8 +70,8 @@ bool secrets_init_path(const char *private_dir) } frame = talloc_stackframe(); - fname = talloc_asprintf(frame, "%s/secrets.tdb", - private_dir); + fname = talloc_asprintf(frame, "%s/secrets.%s", + private_dir, use_ntdb ? "ntdb" : "tdb"); if (fname == NULL) { TALLOC_FREE(frame); return False; @@ -105,7 +105,7 @@ bool secrets_init_path(const char *private_dir) /* open up the secrets database */ bool secrets_init(void) { - return secrets_init_path(lp_private_dir()); + return secrets_init_path(lp_private_dir(), lp_use_ntdb()); } struct db_context *secrets_db_ctx(void) diff --git a/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c b/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c index e90fc77068..e3d8485c61 100644 --- a/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c +++ b/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c @@ -474,7 +474,8 @@ static int secrets_tdb_sync_init(struct ldb_module *module) struct ldb_context *ldb; struct secrets_tdb_sync_private *data; char *private_dir, *p; - const char *secrets_ldb; + const char *secrets_ldb, *secrets_ntdb; + bool use_ntdb; ldb = ldb_module_get_ctx(module); 
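Review bot: The header comment `/* open up the secrets database with specified private_dir path */` above secrets_init_path() in secrets.c no longer describes the signature: the new `use_ntdb` argument is what feeds the suffix into `"%s/secrets.%s"`, and nothing tells a caller what it should pass. Suggest `/* Open the secrets database in private_dir: secrets.ntdb if use_ntdb, else secrets.tdb. */` here, mirrored next to the prototype in source3/include/secrets.h. The rest of secrets_init_path() lies outside the hunk.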
@@ -498,11 +499,17 @@ static int secrets_tdb_sync_init(struct ldb_module *module) p = strrchr(private_dir, '/'); if (p) { *p = '\0'; - secrets_init_path(private_dir); } else { - secrets_init_path("."); + private_dir = talloc_strdup(data, "."); } + /* If there's an ntdb file, force code to load that. */ + secrets_ntdb = talloc_asprintf(private_dir, "%s/secrets.ntdb", + private_dir); + use_ntdb = file_exist(secrets_ntdb); + + secrets_init_path(private_dir, use_ntdb); + TALLOC_FREE(private_dir); data->secrets_tdb = secrets_db_ctx(); diff --git a/source4/scripting/python/samba/tests/provision.py b/source4/scripting/python/samba/tests/provision.py index 992179124b..929e7074f7 100644 --- a/source4/scripting/python/samba/tests/provision.py +++ b/source4/scripting/python/samba/tests/provision.py @@ -55,8 +55,9 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir): def test_setup_secretsdb(self): path = os.path.join(self.tempdir, "secrets.ldb") - secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb") paths = ProvisionPaths() + secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb") + secrets_ntdb_path = os.path.join(self.tempdir, "secrets.ntdb") paths.secrets = path paths.private_dir = os.path.dirname(path) paths.keytab = "no.keytab" @@ -68,8 +69,10 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir): finally: del ldb os.unlink(path) - os.unlink(secrets_tdb_path) - + if os.path.exists(secrets_tdb_path): + os.unlink(secrets_tdb_path) + if os.path.exists(secrets_ntdb_path): + os.unlink(secrets_ntdb_path) class FindNssTests(TestCase): """Test findnss() function.""" diff --git a/source4/scripting/python/samba/tests/upgradeprovision.py b/source4/scripting/python/samba/tests/upgradeprovision.py index c1c70c4a88..93a6731c83 100644 --- a/source4/scripting/python/samba/tests/upgradeprovision.py +++ b/source4/scripting/python/samba/tests/upgradeprovision.py 
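Review bot: `private_dir = talloc_strdup(data, ".")` in the new else branch is not NULL-checked, and a NULL would then be passed as the `%s` argument of the talloc_asprintf() two lines below; the old code avoided this by handing the literal "." straight to secrets_init_path(). talloc_asprintf() can likewise return NULL, in which case file_exist(NULL) silently selects the tdb rather than failing. Overwriting private_dir in the else branch also means the string it previously pointed at is no longer released by the TALLOC_FREE() at the end (it is allocated outside this hunk, so this is hedged), and secrets_init_path()'s bool result stays ignored as before; whether a failed open should abort module init depends on how data->secrets_tdb is handled past the hunk, which is outside this view.

```c
	} else {
		private_dir = talloc_strdup(data, ".");
		if (private_dir == NULL) {
			return ldb_oom(ldb);
		}
	}

	/* Child of private_dir so the TALLOC_FREE() below releases it too. */
	secrets_ntdb = talloc_asprintf(private_dir, "%s/secrets.ntdb",
				       private_dir);
	if (secrets_ntdb == NULL) {
		TALLOC_FREE(private_dir);
		return ldb_oom(ldb);
	}
	use_ntdb = file_exist(secrets_ntdb);
	/* … unchanged: secrets_init_path(), TALLOC_FREE(private_dir), secrets_db_ctx() … */
```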
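Review bot: The two copy-pasted exists/unlink pairs in the `finally` of test_setup_secretsdb would read better as a loop over names, which is also the form the two upgradeprovision tearDown() changes in this commit use, and it makes the third name those tests clean up, `secrets.tdb.bak`, a one-token addition should a conversion ever leave one behind here (whether it can in a fresh tempdir is not visible from the hunk). For example `for name in ["secrets.tdb", "secrets.tdb.bak", "secrets.ntdb"]:` with `stale = os.path.join(self.tempdir, name)` and `if os.path.exists(stale): os.unlink(stale)`. The removed blank line before `class FindNssTests` also appears to leave fewer than the two PEP 8 blank lines between top-level classes, if the surrounding context is complete.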
@@ -126,7 +126,7 @@ class UpdateSecretsTests(samba.tests.TestCaseInTempDir): self.assertEquals(newmodules.msgs, refmodules.msgs) def tearDown(self): - for name in ["ref.ldb", "secrets.ldb", "secrets.tdb"]: + for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb"]: path = os.path.join(self.tempdir, name) if os.path.exists(path): os.unlink(path) diff --git a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py index 1de123c71d..a7cb298ed7 100644 --- a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py +++ b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py @@ -172,7 +172,7 @@ class UpgradeProvisionWithLdbTestCase(TestCaseInTempDir): self.assertTrue(re.match(".*upgrade to.*", str(oem2))) def tearDown(self): - for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "sam.ldb"]: + for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb", "sam.ldb"]: path = os.path.join(self.tempdir, name) if os.path.exists(path): os.unlink(path) -- cgit