From b8815dc23d36468cce9b615335ed62f119eb8f35 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 10 Jun 2012 22:08:20 +1000 Subject: lib/param: Create a seperate server role for "active directory domain controller" This will allow us to detect from the smb.conf if this is a Samba4 AD DC which will allow smarter handling of (for example) accidentally starting smbd rather than samba. To cope with upgrades from existing Samba4 installs, 'domain controller' is a synonym of 'active directory domain controller' and new parameters 'classic primary domain controller' and 'classic backup domain controller' are added. Andrew Bartlett --- dfs_server/dfs_server_ad.c | 6 ++--- lib/param/loadparm_server_role.c | 4 +++- lib/param/param_enums.c | 9 ++++---- lib/param/util.c | 1 + libds/common/roles.h | 10 +++----- source3/include/smb_macros.h | 2 +- source4/auth/ntlm/auth.c | 1 + source4/auth/ntlm/auth_sam.c | 2 +- source4/cldap_server/cldap_server.c | 2 +- source4/dns_server/dns_server.c | 2 +- source4/dsdb/dns/dns_update.c | 2 +- source4/dsdb/kcc/kcc_service.c | 2 +- source4/dsdb/repl/drepl_service.c | 2 +- source4/echo_server/echo_server.c | 2 +- source4/kdc/kdc.c | 6 ++++- source4/ldap_server/ldap_server.c | 2 +- source4/nbt_server/dgram/netlogon.c | 2 +- source4/nbt_server/register.c | 2 +- source4/param/tests/loadparm.c | 2 +- source4/rpc_server/backupkey/dcesrv_backupkey.c | 2 +- source4/rpc_server/common/server_info.c | 2 +- source4/rpc_server/lsa/dcesrv_lsa.c | 4 ++-- source4/rpc_server/samr/dcesrv_samr.c | 8 +++---- .../scripting/python/samba/provision/__init__.py | 27 +++++++++++----------- source4/smb_server/smb/signing.c | 2 +- source4/smb_server/smb2/negprot.c | 2 +- source4/smbd/server.c | 2 +- source4/winbind/wb_init_domain.c | 2 +- source4/winbind/wb_server.c | 7 ++++-- 29 files changed, 64 insertions(+), 55 deletions(-) diff --git a/dfs_server/dfs_server_ad.c b/dfs_server/dfs_server_ad.c index b7004c5506..6b71f70984 100644 --- a/dfs_server/dfs_server_ad.c
+++ b/dfs_server/dfs_server_ad.c @@ -447,7 +447,7 @@ static NTSTATUS dodomain_referral(struct loadparm_context *lp_ctx, /* In the future this needs to be fetched from the ldb */ uint32_t found_domain = 2; - if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) { + if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) { DEBUG(10 ,("Received a domain referral request on a non DC\n")); return NT_STATUS_INVALID_PARAMETER; } @@ -529,7 +529,7 @@ static NTSTATUS dodc_referral(struct loadparm_context *lp_ctx, struct dfs_referral_type *referrals; const char *referral_str; - if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) { + if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) { return NT_STATUS_INVALID_PARAMETER; } @@ -640,7 +640,7 @@ static NTSTATUS dosysvol_referral(struct loadparm_context *lp_ctx, NTSTATUS status; struct dfs_referral_type *referrals; - if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) { + if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) { return NT_STATUS_INVALID_PARAMETER; } diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c index 5a1f4984fe..46515dadbd 100644 --- a/lib/param/loadparm_server_role.c +++ b/lib/param/loadparm_server_role.c @@ -41,6 +41,7 @@ static const struct srv_role_tab { { ROLE_DOMAIN_MEMBER, "ROLE_DOMAIN_MEMBER" }, { ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" }, { ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" }, + { ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" }, { 0, NULL } }; @@ -83,7 +84,7 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do break; case SEC_ADS: if (domain_logons) { - role = ROLE_DOMAIN_CONTROLLER; + role = ROLE_DOMAIN_BDC; break; } role = ROLE_DOMAIN_MEMBER; @@ -158,6 +159,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security) case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: + case ROLE_ACTIVE_DIRECTORY_DC: if (security == SEC_USER || security == SEC_ADS || security == SEC_DOMAIN) { valid = true; } 
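Review bot: In lp_find_server_role the `SEC_ADS` branch now assigns `ROLE_DOMAIN_BDC` where it previously assigned the `ROLE_DOMAIN_CONTROLLER` macro; that keeps the old numeric value but means auto-detection from `security = ads` plus `domain logons` yields a classic DC, never the AD DC role this commit introduces, so an AD DC can only be selected explicitly through `server role`. That reads as a deliberate choice and deserves a comment at the assignment, e.g. `/* 'security = ads' + 'domain logons = yes' is a classic DC; the AD DC role is only ever set explicitly via 'server role' */`. lp_find_server_role starts before this hunk, so whether an explicit server_role short-circuits this auto-detection cannot be confirmed from here.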
diff --git a/lib/param/param_enums.c b/lib/param/param_enums.c index 5f4cd61bf6..08d60101d1 100644 --- a/lib/param/param_enums.c +++ b/lib/param/param_enums.c @@ -78,10 +78,11 @@ static const struct enum_list enum_server_role[] = { {ROLE_STANDALONE, "standalone"}, {ROLE_DOMAIN_MEMBER, "member server"}, {ROLE_DOMAIN_MEMBER, "member"}, - /* note that currently - ROLE_DOMAIN_CONTROLLER == ROLE_DOMAIN_BDC */ - {ROLE_DOMAIN_CONTROLLER, "domain controller"}, - {ROLE_DOMAIN_CONTROLLER, "dc"}, + {ROLE_DOMAIN_PDC, "classic primary domain controller"}, + {ROLE_DOMAIN_BDC, "classic backup domain controller"}, + {ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"}, + {ROLE_ACTIVE_DIRECTORY_DC, "domain controller"}, + {ROLE_ACTIVE_DIRECTORY_DC, "dc"}, {-1, NULL} }; diff --git a/lib/param/util.c b/lib/param/util.c index f60abb9773..98894fc747 100644 --- a/lib/param/util.c +++ b/lib/param/util.c @@ -260,6 +260,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx) switch (lpcfg_server_role(lp_ctx)) { case ROLE_DOMAIN_BDC: case ROLE_DOMAIN_PDC: + case ROLE_ACTIVE_DIRECTORY_DC: return lpcfg_workgroup(lp_ctx); default: return lpcfg_netbios_name(lp_ctx); diff --git a/libds/common/roles.h b/libds/common/roles.h index 9dc9a00d28..4772c8d7d3 100644 --- a/libds/common/roles.h +++ b/libds/common/roles.h @@ -30,18 +30,14 @@ enum server_role { ROLE_DOMAIN_MEMBER = 1, ROLE_DOMAIN_BDC = 2, ROLE_DOMAIN_PDC = 3, + + /* not in samr.idl */ + ROLE_ACTIVE_DIRECTORY_DC = 4, /* To determine the role automatically, this is not a valid role */ ROLE_AUTO = 100 }; -/* keep compatibility with the s4 'ROLE_DOMAIN_CONTROLLER' by mapping - * it to ROLE_DOMAIN_BDC. The PDC/BDC split is really historical from - * NT4 domains which were not multi-master, but even in AD there is - * only one machine that has the PDC FSMO role in a domain. -*/ -#define ROLE_DOMAIN_CONTROLLER ROLE_DOMAIN_BDC - /* security levels for 'security =' option -------------- 
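Review bot: The new `{ROLE_ACTIVE_DIRECTORY_DC, "domain controller"}` and `"dc"` entries in enum_server_role are compatibility synonyms, but the removed three-line comment is not replaced by anything saying so, and the table gives no hint that the `ROLE_DOMAIN_PDC`/`ROLE_DOMAIN_BDC` strings changed meaning. Suggest `/* 'domain controller' and 'dc' stay synonyms for the AD DC so existing Samba4 smb.conf files keep working; the NT4-style roles are now only reachable via the 'classic ...' names */` above the new entries. Since three entries share `ROLE_ACTIVE_DIRECTORY_DC`, keeping `"active directory domain controller"` first matters if the reverse lookup used when printing the parameter returns the first match; that lookup is outside this hunk and worth confirming.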
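Review bot: `ROLE_ACTIVE_DIRECTORY_DC = 4` carries only `/* not in samr.idl */`, yet source4/smb_server/smb/signing.c and smb2/negprot.c in this same patch compare roles with `>= ROLE_ACTIVE_DIRECTORY_DC`, so the value's position above the classic roles and below `ROLE_AUTO = 100` is now load-bearing for the signing policy. Document that here, e.g. `/* not in samr.idl (presumably must not be passed where a samr role value is expected); must stay above the classic roles because smb_server compares with '>=' */`, or better, remove the ordinal comparisons in those callers. The removed comment's explanation of why the PDC/BDC split exists at all (NT4 single-master history) was useful background and could be kept in shortened form next to `ROLE_DOMAIN_PDC`.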
diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h index 048e560024..73f8fb3165 100644 --- a/source3/include/smb_macros.h +++ b/source3/include/smb_macros.h @@ -190,7 +190,7 @@ copy an IP address from one buffer to another Check to see if we are a DC for this domain *****************************************************************************/ -#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC) +#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) /* * If you add any entries to KERBEROS_VERIFY defines, please modify the below expressions diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index 58a12fbc53..d0ff50afc6 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -630,6 +630,7 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context * break; case ROLE_DOMAIN_BDC: case ROLE_DOMAIN_PDC: + case ROLE_ACTIVE_DIRECTORY_DC: auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind", NULL); break; } diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 87a7d27559..4a4307c895 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -341,7 +341,7 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, } return NT_STATUS_OK; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: if (!is_local_name && !is_my_domain) { DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n", user_info->mapped.domain_name)); diff --git a/source4/cldap_server/cldap_server.c b/source4/cldap_server/cldap_server.c index 78712bfecf..a6248d4493 100644 --- a/source4/cldap_server/cldap_server.c +++ b/source4/cldap_server/cldap_server.c 
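Review bot: The new `IS_DC` body mixes `lp_server_role()==ROLE_DOMAIN_PDC` with `lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC`, so spacing around `==` is inconsistent within a single line, and `lp_server_role()` is now evaluated up to three times per use of the macro. Consider `#define IS_DC (lp_server_role() == ROLE_DOMAIN_PDC || lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)` for consistent style, or a `static inline bool` helper that calls `lp_server_role()` once and switches on the result.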
@@ -205,7 +205,7 @@ static void cldapd_task_init(struct task_server *task) task_server_terminate(task, "cldap_server: no CLDAP server required in member server configuration", false); return; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: /* Yes, we want an CLDAP server */ break; } diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c index 34e4fe36ba..3592258a8b 100644 --- a/source4/dns_server/dns_server.c +++ b/source4/dns_server/dns_server.c @@ -698,7 +698,7 @@ static void dns_task_init(struct task_server *task) case ROLE_DOMAIN_MEMBER: task_server_terminate(task, "dns: no DNS required in member server configuration", false); return; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: /* Yes, we want a DNS */ break; } diff --git a/source4/dsdb/dns/dns_update.c b/source4/dsdb/dns/dns_update.c index 9ab56f7d9f..3e10447f0f 100644 --- a/source4/dsdb/dns/dns_update.c +++ b/source4/dsdb/dns/dns_update.c @@ -594,7 +594,7 @@ static void dnsupdate_task_init(struct task_server *task) NTSTATUS status; struct dnsupdate_service *service; - if (lpcfg_server_role(task->lp_ctx) != ROLE_DOMAIN_CONTROLLER) { + if (lpcfg_server_role(task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) { /* not useful for non-DC */ return; } diff --git a/source4/dsdb/kcc/kcc_service.c b/source4/dsdb/kcc/kcc_service.c index ac19522698..8b35d6f01a 100644 --- a/source4/dsdb/kcc/kcc_service.c +++ b/source4/dsdb/kcc/kcc_service.c @@ -183,7 +183,7 @@ static void kccsrv_task_init(struct task_server *task) case ROLE_DOMAIN_MEMBER: task_server_terminate(task, "kccsrv: no KCC required in domain member configuration", false); return; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: /* Yes, we want a KCC */ break; } diff --git a/source4/dsdb/repl/drepl_service.c b/source4/dsdb/repl/drepl_service.c index e12ff1e819..3d28676b8f 100644 --- a/source4/dsdb/repl/drepl_service.c +++ b/source4/dsdb/repl/drepl_service.c 
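Review bot: With `ROLE_DOMAIN_CONTROLLER` no longer aliasing `ROLE_DOMAIN_BDC`, the switch in cldapd_task_init has explicit cases in this hunk only for `ROLE_DOMAIN_MEMBER` and `ROLE_ACTIVE_DIRECTORY_DC`; a `classic primary/backup domain controller` configuration matches neither, and unless a `default:` exists above the hunk the task falls out of the switch and starts the CLDAP server as though it were an AD DC. kdc.c and wb_server.c in this same patch add `case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: task_server_terminate(..., true); return;` for exactly this situation, so the same guard belongs here and in dns_server.c, kcc_service.c, drepl_service.c, echo_server.c and ldap_server.c, e.g. `case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: task_server_terminate(task, "cldap_server: no CLDAP server required in classic DC configuration", false); return;`. The switch opens before this hunk, so whether a `default:` already covers it cannot be confirmed from here.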
@@ -434,7 +434,7 @@ static void dreplsrv_task_init(struct task_server *task) task_server_terminate(task, "dreplsrv: no DSDB replication required in domain member configuration", false); return; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: /* Yes, we want DSDB replication */ break; } diff --git a/source4/echo_server/echo_server.c b/source4/echo_server/echo_server.c index 60729d8535..3501c8993f 100644 --- a/source4/echo_server/echo_server.c +++ b/source4/echo_server/echo_server.c @@ -303,7 +303,7 @@ static void echo_task_init(struct task_server *task) task_server_terminate(task, "echo: Not starting echo server " \ "for domain members", false); return; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: /* Yes, we want to run the echo server */ break; } diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index 5424d213e8..a8939069aa 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -871,7 +871,11 @@ static void kdc_task_init(struct task_server *task) case ROLE_DOMAIN_MEMBER: task_server_terminate(task, "kdc: no KDC required in member server configuration", false); return; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: + task_server_terminate(task, "Cannot start KDC as a 'classic Samba' DC", true); + return; + case ROLE_ACTIVE_DIRECTORY_DC: /* Yes, we want a KDC */ break; } diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c index b773716bd2..886c684ff3 100644 --- a/source4/ldap_server/ldap_server.c +++ b/source4/ldap_server/ldap_server.c @@ -907,7 +907,7 @@ static void ldapsrv_task_init(struct task_server *task) task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration", false); return; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: /* Yes, we want an LDAP server */ break; } diff --git a/source4/nbt_server/dgram/netlogon.c b/source4/nbt_server/dgram/netlogon.c index f99f195d03..3f0fa542fe 100644 
--- a/source4/nbt_server/dgram/netlogon.c +++ b/source4/nbt_server/dgram/netlogon.c @@ -54,7 +54,7 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot, samctx = iface->nbtsrv->sam_ctx; - if (lpcfg_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_DOMAIN_CONTROLLER + if (lpcfg_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC || !samdb_is_pdc(samctx)) { DEBUG(2, ("Not a PDC, so not processing LOGON_PRIMARY_QUERY\n")); return; diff --git a/source4/nbt_server/register.c b/source4/nbt_server/register.c index fb2f9913c5..f5517b249a 100644 --- a/source4/nbt_server/register.c +++ b/source4/nbt_server/register.c @@ -289,7 +289,7 @@ void nbtd_register_names(struct nbtd_server *nbtsrv) aliases++; } - if (lpcfg_server_role(nbtsrv->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER) { + if (lpcfg_server_role(nbtsrv->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) { bool is_pdc = samdb_is_pdc(nbtsrv->sam_ctx); if (is_pdc) { nbtd_register_name(nbtsrv, lpcfg_workgroup(nbtsrv->task->lp_ctx), diff --git a/source4/param/tests/loadparm.c b/source4/param/tests/loadparm.c index fd4885ef7d..f375bb4238 100644 --- a/source4/param/tests/loadparm.c +++ b/source4/param/tests/loadparm.c @@ -157,7 +157,7 @@ static bool test_server_role_dc_specified(struct torture_context *tctx) { struct loadparm_context *lp_ctx = loadparm_init(tctx); torture_assert(tctx, lpcfg_set_option(lp_ctx, "server role=domain controller"), "lpcfg_set_option failed"); - torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_DOMAIN_CONTROLLER, "ROLE should be DC"); + torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_ACTIVE_DIRECTORY_DC, "ROLE should be DC"); torture_assert_int_equal(tctx, lpcfg_security(lp_ctx), SEC_USER, "security should be USER"); return true; } diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c index 2aee678bd4..87799db595 100644 --- a/source4/rpc_server/backupkey/dcesrv_backupkey.c 
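Review bot: test_server_role_dc_specified still sets `server role=domain controller` and now expects `ROLE_ACTIVE_DIRECTORY_DC`, which exercises only the compatibility synonym; nothing here covers the canonical `active directory domain controller` string or the `classic primary domain controller` / `classic backup domain controller` names added in lib/param/param_enums.c. Suggest sibling tests asserting that `lpcfg_set_option(lp_ctx, "server role=active directory domain controller")` yields `ROLE_ACTIVE_DIRECTORY_DC` and that `"server role=classic primary domain controller"` yields `ROLE_DOMAIN_PDC`, so the parsing table cannot regress silently. The list where these test functions are registered is outside this hunk.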
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c @@ -1269,7 +1269,7 @@ static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call, } } - if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_DOMAIN_CONTROLLER) { + if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) { return WERR_NOT_SUPPORTED; } diff --git a/source4/rpc_server/common/server_info.c b/source4/rpc_server/common/server_info.c index 68985d81aa..afbbb23e36 100644 --- a/source4/rpc_server/common/server_info.c +++ b/source4/rpc_server/common/server_info.c @@ -75,7 +75,7 @@ uint32_t dcesrv_common_get_server_type(TALLOC_CTX *mem_ctx, struct tevent_contex case ROLE_DOMAIN_MEMBER: default_server_announce |= SV_TYPE_DOMAIN_MEMBER; break; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: { struct ldb_context *samctx; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index f1b8740078..cece2b7523 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -420,7 +420,7 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal case ROLE_DOMAIN_MEMBER: role = DS_ROLE_MEMBER_SERVER; break; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: if (samdb_is_pdc(state->sam_ldb)) { role = DS_ROLE_PRIMARY_DC; } else { @@ -439,7 +439,7 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal W_ERROR_HAVE_NO_MEMORY(domain); /* TODO: what is with dns_domain and forest and guid? */ break; - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: flags = DS_ROLE_PRIMARY_DS_RUNNING; if (state->mixed_domain == 1) { diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index cc3b2c8bce..d987fbaaef 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c 
@@ -500,7 +500,7 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount", 0); switch (state->role) { - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: /* This pulls the NetBIOS name from the cn=NTDS Settings,cn=,.... string */ @@ -511,8 +511,8 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state } break; case ROLE_DOMAIN_PDC: - info->role = SAMR_ROLE_DOMAIN_PDC; - break; + case ROLE_DOMAIN_BDC: + return NT_STATUS_INTERNAL_ERROR; case ROLE_DOMAIN_MEMBER: info->role = SAMR_ROLE_DOMAIN_MEMBER; break; @@ -606,7 +606,7 @@ static NTSTATUS dcesrv_samr_info_DomInfo7(struct samr_domain_state *state, { switch (state->role) { - case ROLE_DOMAIN_CONTROLLER: + case ROLE_ACTIVE_DIRECTORY_DC: /* This pulls the NetBIOS name from the cn=NTDS Settings,cn=,.... string */ diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index 65835ce00c..343e33e355 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -532,7 +532,7 @@ def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None, if lp.get("server role").lower() != serverrole: raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole)) - if serverrole == "domain controller": + if serverrole == "active directory domain controller": if domain is None: # This will, for better or worse, default to 'WORKGROUP' domain = lp.get("workgroup") 
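Review bot: The new `case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: return NT_STATUS_INTERNAL_ERROR;` in dcesrv_samr_info_DomGeneralInformation turns a configuration state into an unexplained internal error for the RPC caller, and nothing says why; add `/* the AD SAMR server is not run in a classic (NT4-style) DC role */` above it. The third hunk, in dcesrv_samr_info_DomInfo7, only relabels the AD DC case, so if that switch still maps `ROLE_DOMAIN_PDC` to `SAMR_ROLE_DOMAIN_PDC` further down (outside the hunk) the two info levels now disagree on what a classic role means. Both switches continue outside their hunks.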
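Review bot: In guess_names the check `if lp.get("server role").lower() != serverrole:` just above the changed line still compares raw strings, while this commit makes `domain controller` and `dc` synonyms for `active directory domain controller` on the C side; if `lp.get()` returns the text as written in smb.conf rather than the canonical enum label, an existing Samba4 smb.conf with `server role = domain controller` now fails this check with a misleading "must match" error. Suggest normalizing both sides, e.g. `if sanitize_server_role(lp.get("server role").lower()) != serverrole:`, or confirming which string the binding returns and noting it in a comment. guess_names starts before this hunk.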
@@ -658,7 +658,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir, lp.set("xattr_tdb:file", os.path.abspath(os.path.join(statedir, "xattr.tdb"))) shares = {} - if serverrole == "domain controller": + if serverrole == "active directory domain controller": shares["sysvol"] = os.path.join(lp.get("state directory"), "sysvol") shares["netlogon"] = os.path.join(shares["sysvol"], realm.lower(), "scripts") @@ -1489,7 +1489,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc, next_rid=next_rid, dc_rid=dc_rid) - if serverrole == "domain controller": + if serverrole == "active directory domain controller": # Set up group policies (domain policy and domain controller # policy) create_default_gpo(paths.sysvol, names.dnsdomain, policyguid, @@ -1568,11 +1568,12 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, _ROLES_MAP = { "ROLE_STANDALONE": "standalone", "ROLE_DOMAIN_MEMBER": "member server", - "ROLE_DOMAIN_BDC": "domain controller", - "ROLE_DOMAIN_PDC": "domain controller", - "dc": "domain controller", + "ROLE_DOMAIN_BDC": "active directory domain controller", + "ROLE_DOMAIN_PDC": "active directory domain controller", + "dc": "active directory domain controller", "member": "member server", - "domain controller": "domain controller", + "domain controller": "active directory domain controller", + "active directory domain controller": "active directory domain controller", "member server": "member server", "standalone": "standalone", } @@ -1584,7 +1585,7 @@ def sanitize_server_role(role): :param role: Server role :raise ValueError: If the role can not be interpreted :return: Sanitized server role (one of "member server", - "domain controller", "standalone") + "active directory domain controller", "standalone") """ try: return _ROLES_MAP[role] 
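Review bot: `_ROLES_MAP` now maps `"ROLE_DOMAIN_BDC"` and `"ROLE_DOMAIN_PDC"` to `"active directory domain controller"`, but lib/param/param_enums.c in this same patch reserves those enum values for the classic NT4-style roles, so a caller passing the `ROLE_DOMAIN_PDC` constant name is silently provisioned as an AD DC while the new `classic ...` strings are absent from the map and rejected by sanitize_server_role. If provision is only ever meant to build AD DCs, say so on the map, e.g. `# provision only produces AD DCs; the classic PDC/BDC constant names are accepted as aliases for backwards compatibility`; otherwise those two entries should be dropped so the mismatch raises. The docstring in the next hunk and the error message in the `provision()` hunk list the accepted roles and would need the same decision applied.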
@@ -1614,7 +1615,7 @@ def provision(logger, session_info, credentials, smbconf=None, try: serverrole = sanitize_server_role(serverrole) except ValueError: - raise ProvisioningError('server role (%s) should be one of "domain controller", "member server", "standalone"' % serverrole) + raise ProvisioningError('server role (%s) should be one of "active directory domain controller", "member server", "standalone"' % serverrole) if ldapadminpass is None: # Make a new, random password between Samba and it's LDAP server @@ -1735,7 +1736,7 @@ def provision(logger, session_info, credentials, smbconf=None, if paths.sysvol and not os.path.exists(paths.sysvol): os.makedirs(paths.sysvol, 0775) - if not use_ntvfs and serverrole == "domain controller": + if not use_ntvfs and serverrole == "active directory domain controller": if paths.sysvol is None: raise MissingShareError("sysvol", paths.smbconf) @@ -1813,7 +1814,7 @@ def provision(logger, session_info, credentials, smbconf=None, serverrole=serverrole, schema=schema, fill=samdb_fill, am_rodc=am_rodc) - if serverrole == "domain controller": + if serverrole == "active directory domain controller": if paths.netlogon is None: raise MissingShareError("netlogon", paths.smbconf) @@ -1848,7 +1849,7 @@ def provision(logger, session_info, credentials, smbconf=None, logger.info("A Kerberos configuration suitable for Samba 4 has been " "generated at %s", paths.krb5conf) - if serverrole == "domain controller": + if serverrole == "active directory domain controller": create_dns_update_list(lp, logger, paths) backend_result = provision_backend.post_setup() 
@@ -1913,7 +1914,7 @@ def provision_become_dc(smbconf=None, targetdir=None, realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn, configdn=configdn, serverdn=serverdn, domain=domain, hostname=hostname, hostip=None, domainsid=domainsid, - machinepass=machinepass, serverrole="domain controller", + machinepass=machinepass, serverrole="active directory domain controller", sitename=sitename, dns_backend=dns_backend, dnspass=dnspass) res.lp.set("debuglevel", str(debuglevel)) return res diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c index ecbb220d8f..d632e87ea7 100644 --- a/source4/smb_server/smb/signing.c +++ b/source4/smb_server/smb/signing.c @@ -98,7 +98,7 @@ bool smbsrv_init_signing(struct smbsrv_connection *smb_conn) * on non-DCs */ - if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_DOMAIN_CONTROLLER) { + if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) { signing_setting = SMB_SIGNING_REQUIRED; } else { signing_setting = SMB_SIGNING_OFF; diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c index 1a3bc9ce35..83cae18bf3 100644 --- a/source4/smb_server/smb2/negprot.c +++ b/source4/smb_server/smb2/negprot.c @@ -136,7 +136,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2 * on non-DCs */ - if (lpcfg_server_role(lp_ctx) >= ROLE_DOMAIN_CONTROLLER) { + if (lpcfg_server_role(lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) { signing_setting = SMB_SIGNING_REQUIRED; } else { signing_setting = SMB_SIGNING_OFF; diff --git a/source4/smbd/server.c b/source4/smbd/server.c index b877e29b98..21560f981f 100644 --- a/source4/smbd/server.c +++ b/source4/smbd/server.c 
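Review bot: `lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC` in smbsrv_init_signing decides the signing policy by ordinal comparison on an enum, and the new value in libds/common/roles.h changes what it matches: `ROLE_DOMAIN_PDC` and `ROLE_DOMAIN_BDC` (2 and 3) no longer satisfy `>= 4` and fall into the `else` branch with `SMB_SIGNING_OFF`, while `ROLE_AUTO = 100` still satisfies it. The comment above says signing is only relaxed on non-DCs, so an explicit `if (lpcfg_server_role(smb_conn->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {` (or a switch listing the DC roles) would make the intent independent of enum ordering; the same applies to smb2srv_negprot_backend in smb2/negprot.c. Whether this smb_server is ever run in a classic DC role is not visible here, but the kdc.c and wb_server.c hunks in this patch explicitly handle that case, so it appears reachable.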
@@ -392,7 +392,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ return 1; } - if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_DOMAIN_CONTROLLER) { + if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) { if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) { DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n")); exit(1); diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c index 4d6177bdc7..45a4b98f31 100644 --- a/source4/winbind/wb_init_domain.c +++ b/source4/winbind/wb_init_domain.c @@ -162,7 +162,7 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx, if ((!cli_credentials_is_anonymous(state->domain->libnet_ctx->cred)) && ((lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_MEMBER) || - (lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER)) && + (lpcfg_server_role(service->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC)) && (dom_sid_equal(state->domain->info->sid, state->service->primary_sid))) { state->domain->netlogon_binding->flags |= DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO; diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c index 7bed235ae6..a904470e19 100644 --- a/source4/winbind/wb_server.c +++ b/source4/winbind/wb_server.c @@ -264,8 +264,7 @@ static void winbind_task_init(struct task_server *task) return; } break; - case ROLE_DOMAIN_CONTROLLER: - case ROLE_DOMAIN_PDC: + case ROLE_ACTIVE_DIRECTORY_DC: primary_sid = secrets_get_domain_sid(service, service->task->lp_ctx, lpcfg_workgroup(service->task->lp_ctx), @@ -279,6 +278,10 @@ static void winbind_task_init(struct task_server *task) return; } break; + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: + task_server_terminate(task, "Cannot start 'samba' winbindd as a 'classic samba' DC: use winbindd instead", true); + return; } service->primary_sid = primary_sid; -- cgit