From 10fe59bed9556a6bf61004e9da6fd8544737a48a Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Sun, 20 Sep 2009 21:25:49 +0200 Subject: s4:domainlevel - fixed another error The second "nTMixedDomain" attribute (under Partitions/Domain-DN) is only a copy of the one under the directory root object. Therefore there doesn't exist the "Windows 2000 Mixed" forest level. --- source4/setup/domainlevel | 35 +++++++++-------------------------- 1 file changed, 9 insertions(+), 26 deletions(-) (limited to 'source4') diff --git a/source4/setup/domainlevel b/source4/setup/domainlevel index 9386d199ac..b49150ff2d 100755 --- a/source4/setup/domainlevel +++ b/source4/setup/domainlevel @@ -41,7 +41,7 @@ credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) parser.add_option("--quiet", help="Be quiet", action="store_true") parser.add_option("--forest", - help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str) + help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support the 2003 with mixed domains (NT4 DC support) level.", type=str) parser.add_option("--domain", help="The domain function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str) opts, args = parser.parse_args() 
@@ -69,48 +69,40 @@ res_forest = samdb.search("CN=Partitions,CN=Configuration," + domain_dn, scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"]) assert(len(res_forest) == 1) -res_forest_mixed = samdb.search("CN=" + lp.get("workgroup") + - ",CN=Partitions,CN=Configuration," + domain_dn, - scope=ldb.SCOPE_BASE, attrs=["nTMixedDomain"]) -assert(len(res_forest_mixed) == 1) - res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version", "nTMixedDomain"]) assert(len(res_domain) == 1) try: level_forest = int(res_forest[0]["msDS-Behavior-Version"][0]) - level_forest_mixed = int(res_forest_mixed[0]["nTMixedDomain"][0]) level_domain = int(res_domain[0]["msDS-Behavior-Version"][0]) level_domain_mixed = int(res_domain[0]["nTMixedDomain"][0]) if level_forest < 0 or level_domain < 0: print "ERROR: Domain and/or forest functional level(s) is/are invalid. Correct them or reprovision!" sys.exit(1) - if level_forest > level_domain or (level_forest_mixed < level_domain_mixed): + if level_forest > level_domain: print "ERROR: Forest function level is higher than the domain level(s). That can't be. Correct this or reprovision!" sys.exit(1) except: - print "ERROR: Could not retrieve the actual domain and forest level!" + print "ERROR: Could not retrieve the actual domain and/or forest level!" if args[0] == "show": print "So the levels can't be displayed!" sys.exit(1) if args[0] == "show": message("Domain and forest function level for domain '" + domain_dn + "'") - if (level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed != 0) or level_forest == DS_DOMAIN_FUNCTION_2003_MIXED: - message("\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) forest level. This isn't supported! Please raise!") + if level_forest == DS_DOMAIN_FUNCTION_2003_MIXED: + message("\nATTENTION: You run SAMBA 4 on the 2003 with mixed domains (NT4 DC support) forest level. This isn't supported! 
Please raise!") if (level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0) or level_domain == DS_DOMAIN_FUNCTION_2003_MIXED: message("\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) domain level. This isn't supported! Please raise!") message("") - if level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed != 0: - outstr = "2000 mixed (NT4 DC support)" - elif level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed == 0: + if level_forest == DS_DOMAIN_FUNCTION_2000: outstr = "2000" elif level_forest == DS_DOMAIN_FUNCTION_2003_MIXED: - outstr = "2003 interim (NT4 DC support)" + outstr = "2003 with mixed domains/interim (NT4 DC support)" elif level_forest == DS_DOMAIN_FUNCTION_2003: outstr = "2003" elif level_forest == DS_DOMAIN_FUNCTION_2008: @@ -126,7 +118,7 @@ if args[0] == "show": elif level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed == 0: outstr = "2000" elif level_domain == DS_DOMAIN_FUNCTION_2003_MIXED: - outstr = "2003 interim (NT4 DC support)" + outstr = "2003 with mixed domains/interim (NT4 DC support)" elif level_domain == DS_DOMAIN_FUNCTION_2003: outstr = "2003" elif level_domain == DS_DOMAIN_FUNCTION_2008: @@ -193,7 +185,7 @@ elif args[0] == "raise": print "ERROR: Wrong argument '" + arg + "'!" sys.exit(1) - if new_level_forest <= level_forest and level_forest_mixed == 0: + if new_level_forest <= level_forest: print "ERROR: Forest function level can't be smaller equal to the actual one!" sys.exit(1) 
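Review bot: The two `sys.exit(1)` calls inside the `try:` of the @@ -69 hunk raise SystemExit, which the bare `except:` below them also catches, so an invalid or inconsistent level is reported as "Could not retrieve the actual domain and/or forest level!" instead of stopping with its own message. Narrow the handler to what the lookups can actually raise, for example `except (KeyError, IndexError, ValueError):`, and move the range checks after the `try`. Indentation is lost on this page, so it is not certain whether the handler's final `sys.exit(1)` sits inside `if args[0] == "show":`. If it does, the `raise` path in the @@ -193 hunk continues and compares against an unset `level_forest`.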
@@ -201,15 +193,6 @@ elif args[0] == "raise": print "ERROR: Forest function level can't be higher than the domain function level(s). Please raise it/them first!" sys.exit(1) - # Deactivate mixed/interim forest support - if level_forest_mixed != 0: - m = ldb.Message() - m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup") - + ",CN=Partitions,CN=Configuration," + domain_dn) - m["nTMixedDomain"] = ldb.MessageElement("0", - ldb.FLAG_MOD_REPLACE, "nTMixedDomain") - samdb.modify(m) - m = ldb.Message() m.dn = ldb.Dn(samdb, "CN=Partitions,CN=Configuration," + domain_dn) -- cgit From dedd32d323db406c966170565e7716dc7634e4ce Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Sun, 20 Sep 2009 22:17:35 +0200 Subject: s4:server.c - add linespace (only cosmetic) --- source4/smbd/server.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4') diff --git a/source4/smbd/server.c b/source4/smbd/server.c index a96991e646..8aad26dd2c 100644 --- a/source4/smbd/server.c +++ b/source4/smbd/server.c @@ -407,6 +407,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ } DEBUG(0,("%s: using '%s' process model\n", binary_name, model)); + status = server_service_startup(event_ctx, cmdline_lp_ctx, model, lp_server_services(cmdline_lp_ctx)); if (!NT_STATUS_IS_OK(status)) { @@ -425,7 +426,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ return 0; } - int main(int argc, const char *argv[]) +int main(int argc, const char *argv[]) { return binary_smbd_main("samba", argc, argv); } -- cgit From 6ec69f3e779997c34f5f446f2983f5fb7ddb62fb Mon Sep 17 00:00:00 2001 
From: Matthias Dieter Wallnöfer Date: Sun, 20 Sep 2009 22:49:55 +0200 Subject: s4:dsdb/common/util - Check for the right forest/domain function level This adds a function which performs the check for the supported forest and domain function levels. On an unsuccessful result a textual error message can be created (parameter "errmsg" != NULL) which gives hints for the user to help him fixing the issue. --- source4/dsdb/common/util.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) (limited to 'source4') diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 39fdfe94a5..1fe5979c69 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c 
@@ -1432,6 +1432,63 @@ struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx return server_site_dn; } +/* + * This works out if we are running on a supported forest/domain function + * level. Basically this means that we don't support mixed/interim (NT 4 DC + * support) levels. + * If errmsg isn't NULL we write in an adequate error message for printing out + * to the screen. + */ +bool samdb_is_capable_dc(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, + char **errmsg) +{ + int32_t level_forest, level_domain, level_domain_mixed; + bool ret = true; + + level_forest = (int32_t) samdb_search_int64(ldb, mem_ctx, -1, + samdb_partitions_dn(ldb, mem_ctx), "msDS-Behavior-Version", + NULL); + level_domain = (int32_t) samdb_search_int64(ldb, mem_ctx, -1, + samdb_base_dn(ldb), "msDS-Behavior-Version", NULL); + level_domain_mixed = (int32_t) samdb_search_int64(ldb, mem_ctx, -1, + samdb_base_dn(ldb), "nTMixedDomain", NULL); + + if (errmsg != NULL) + *errmsg = talloc_asprintf(mem_ctx, ""); + + if (level_forest == -1 || level_domain == -1 || level_domain_mixed == -1) { + ret = false; + if (errmsg != NULL) + *errmsg = talloc_strdup_append(*errmsg, + "\nATTENTION: Invalid values for forest and/or domain function level!" + ); + } + + if (level_forest == DS_DOMAIN_FUNCTION_2003_MIXED) { + ret = false; + if (errmsg != NULL) + *errmsg = talloc_strdup_append(*errmsg, + "\nATTENTION: You run SAMBA 4 on the 2003 with mixed domains (NT4 DC support) forest level. This isn't supported!" + ); + } + if ((level_domain == DS_DOMAIN_FUNCTION_2000 && level_domain_mixed != 0) + || level_domain == DS_DOMAIN_FUNCTION_2003_MIXED) { + ret = false; + if (errmsg != NULL) + *errmsg = talloc_strdup_append(*errmsg, + "\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) domain level. This isn't supported!" + ); + } + + if ((!ret) && (errmsg != NULL)) { + *errmsg = talloc_strdup_append(*errmsg, + "\nPlease raise the domain and/or forest level to an adequate value. 
Use for this the 'domainlevel' tool, the MS AD MMC tools or manipulate the needed attributes directly." + ); + } + + return ret; +} + /* work out if we are the PDC for the domain of the current open ldb */ -- cgit From 1516f673565ecba8ad0fc10500bb94bcd539e58b Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Sun, 20 Sep 2009 23:16:04 +0200 Subject: s4:sec_descriptor - fix constant --- source4/lib/ldb/tests/python/sec_descriptor.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) mode change 100644 => 100755 source4/lib/ldb/tests/python/sec_descriptor.py (limited to 'source4') diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py old mode 100644 new mode 100755 index 58a345450b..01df86e909 --- a/source4/lib/ldb/tests/python/sec_descriptor.py +++ b/source4/lib/ldb/tests/python/sec_descriptor.py @@ -24,11 +24,11 @@ from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security from samba.auth import system_session -from samba import Ldb, DS_BEHAVIOR_WIN2008 +from samba import Ldb, DS_DOMAIN_FUNCTION_2008 from subunit import SubunitTestRunner import unittest -parser = optparse.OptionParser("ldap [options] ") +parser = optparse.OptionParser("sec_descriptor [options] ") sambaopts = options.SambaOptions(parser) parser.add_option_group(sambaopts) parser.add_option_group(options.VersionOptions(parser)) @@ -374,7 +374,7 @@ changetype: add member: """ + user_dn self.ldb_admin.modify_ldif(ldif) self.results = { - # msDS-Behavior-Version < DS_BEHAVIOR_WIN2008 + # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008 "ds_behavior_win2003" : { "100" : "O:EAG:DU", "101" : "O:DAG:DU", 
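Review bot: None of the allocations behind `*errmsg` in samdb_is_capable_dc are checked: `talloc_asprintf(mem_ctx, "")` and each `talloc_strdup_append(*errmsg, ...)` can return NULL, and the result is stored straight back into `*errmsg`. A caller that receives `false` and prints the message could then be handed a NULL pointer. Suggest starting with `*errmsg = talloc_strdup(mem_ctx, ""); if (*errmsg == NULL) return false;`, repeating the check after each append, and stating in the header comment that the message is allocated on mem_ctx. The `(int32_t)` casts on the samdb_search_int64() results also narrow silently, so range-checking the 64-bit value before the cast would keep an out-of-range attribute from aliasing a valid level.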
@@ -481,7 +481,7 @@ member: """ + user_dn res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \ attrs=['msDS-Behavior-Version']) res = int(res[0]['msDS-Behavior-Version'][0]) - if res < DS_BEHAVIOR_WIN2008: + if res < DS_DOMAIN_FUNCTION_2008: self.DS_BEHAVIOR = "ds_behavior_win2003" else: self.DS_BEHAVIOR = "ds_behavior_win2008" -- cgit From 500fc020b2776392428426af0d5976c74ec8fd9b Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Sun, 20 Sep 2009 23:27:47 +0200 Subject: s4:samba3sam.py test - remove the primary group ID attribute here This shouldn't be specified on creation time (Windows Server doesn't allow that). Hope this also fixes the test (see buildfarm). --- source4/dsdb/samdb/ldb_modules/tests/samba3sam.py | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source4') diff --git a/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py b/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py index 75aaeb7366..fe96b88221 100644 --- a/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py +++ b/source4/dsdb/samdb/ldb_modules/tests/samba3sam.py @@ -323,8 +323,6 @@ nextRid: y lastLogon: x description: x objectSid: S-1-5-21-4231626423-2410014848-2360679739-552 -primaryGroupID: 1-5-21-4231626423-2410014848-2360679739-512 - """) self.ldb.add({ 
@@ -486,11 +484,8 @@ primaryGroupID: 1-5-21-4231626423-2410014848-2360679739-512 self.assertEquals(str(res[0]["lastLogon"]), "x") self.assertEquals(str(res[0]["primaryGroupID"]), "512") - # TODO: There should actually be two results, A and X. The - # primaryGroupID of X seems to get corrupted somewhere, and the - # objectSid isn't available during the generation of remote (!) data, - # which can be observed with the following search. Also note that Xs - # objectSid seems to be fine in the previous search for objectSid... */ + # Note that Xs "objectSid" seems to be fine in the previous search for + # "objectSid"... #res = ldb.search(expression="(primaryGroupID=*)", NULL, ldb. SCOPE_DEFAULT, attrs) #print len(res) + " results found" #for i in range(len(res)): -- cgit From c1527612b95cb7bc5bee7ebc34ab87013ab88b8a Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Sun, 20 Sep 2009 23:49:05 +0200 Subject: s4:python tools - try to fix some test problems --- source4/scripting/python/samba/samdb.py | 26 ++++++++++++++------------ source4/setup/newuser | 2 +- source4/setup/setexpiry | 2 +- 3 files changed, 16 insertions(+), 14 deletions(-) (limited to 'source4') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 28352f202f..239dd6a6ea 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py 
@@ -107,15 +107,16 @@ pwdLastSet: 0 """ % (user_dn) self.modify_ldif(mod) - def newuser(self, username, unixname, password, force_password_change_at_next_login=False): + def newuser(self, username, unixname, password, force_password_change_at_next_login_req=False): """Adds a new user Note: This call adds also the ID mapping for winbind; therefore it works *only* on SAMBA 4. - :param username: Name of the new user. - :param unixname: Name of the unix user to map to. + :param username: Name of the new user + :param unixname: Name of the unix user to map to :param password: Password for the new user + :param force_password_change_at_next_login_req: Force password change """ self.transaction_start() try: @@ -129,7 +130,7 @@ pwdLastSet: 0 # Sets the password for it self.setpassword("(dn=" + user_dn + ")", password, - force_password_change_at_next_login) + force_password_change_at_next_login_req) # Gets the user SID (for the account mapping setup) res = self.search(user_dn, scope=ldb.SCOPE_BASE, @@ -153,7 +154,7 @@ pwdLastSet: 0 raise self.transaction_commit() - def setpassword(self, filter, password, force_password_change_at_next_login=False): + def setpassword(self, filter, password, force_password_change_at_next_login_req=False): """Sets the password for a user Note: This call uses the "userPassword" attribute to set the password. @@ -162,7 +163,7 @@ pwdLastSet: 0 :param filter: LDAP filter to find the user (eg samccountname=name) :param password: Password for the user - :param force_password_change_at_next_login: Force password change + :param force_password_change_at_next_login_req: Force password change """ self.transaction_start() try: 
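Review bot: The search filter in the @@ -129 hunk is built by string concatenation, `"(dn=" + user_dn + ")"`, and the @@ -180 hunk adds the same pattern with `"(dn=" + str(user_dn) + ")"`. A DN containing filter metacharacters such as `(`, `)`, `*` or `\` would produce a malformed filter or one that matches other entries, and the matched entry is the one whose password and pwdLastSet get modified. Escape the value per RFC 4515 before embedding it, or have these helpers take the DN and search with `scope=ldb.SCOPE_BASE`, as newuser already does for the SID lookup. How `user_dn` is derived from `username` lies outside the hunk, so whether operator-supplied input reaches this filter is an assumption to confirm.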
@@ -180,8 +181,9 @@ userPassword:: %s self.modify_ldif(setpw) - if force_password_change_at_next_login: - self.force_password_change_at_next_login(user_dn) + if force_password_change_at_next_login_req: + self.force_password_change_at_next_login( + "(dn=" + str(user_dn) + ")") # modify the userAccountControl to remove the disabled bit self.enable_account(filter) @@ -190,24 +192,24 @@ userPassword:: %s raise self.transaction_commit() - def setexpiry(self, filter, expiry_seconds, noexpiry=False): + def setexpiry(self, filter, expiry_seconds, no_expiry_req=False): """Sets the account expiry for a user :param filter: LDAP filter to find the user (eg samccountname=name) :param expiry_seconds: expiry time from now in seconds - :param noexpiry: if set, then don't expire password + :param no_expiry_req: if set, then don't expire password """ self.transaction_start() try: res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE, expression=filter, attrs=["userAccountControl", "accountExpires"]) - assert len(res) == 1 + assert(len(res) == 1) user_dn = res[0].dn userAccountControl = int(res[0]["userAccountControl"][0]) accountExpires = int(res[0]["accountExpires"][0]) - if noexpiry: + if no_expiry_req: userAccountControl = userAccountControl | 0x10000 accountExpires = 0 else: diff --git a/source4/setup/newuser b/source4/setup/newuser index 422677c301..10af55a458 100755 --- a/source4/setup/newuser +++ b/source4/setup/newuser @@ -60,4 +60,4 @@ creds = credopts.get_credentials(lp) samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), credentials=creds, lp=lp) -samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login=opts.must_change_at_next_login) +samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login_req=opts.must_change_at_next_login) diff --git a/source4/setup/setexpiry b/source4/setup/setexpiry index 6c6305ceaf..1572555b8c 100755 --- a/source4/setup/setexpiry +++ b/source4/setup/setexpiry 
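Review bot: `assert(len(res) == 1)` in setexpiry (@@ -190 hunk) is the only guard that the filter matched exactly one account, and assert statements are stripped when Python runs with -O. Without it, a filter that matches several users would have the new accountExpires value and the 0x10000 userAccountControl bit applied to `res[0]`, whichever entry the search returned first. Replace it with an explicit test that cannot be optimised away, e.g. `if len(res) != 1: raise Exception("filter matched %d entries" % len(res))`. The body of setexpiry continues past the end of the hunk.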
@@ -61,4 +61,4 @@ creds = credopts.get_credentials(lp) samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), credentials=creds, lp=lp) -samdb.setexpiry(filter, days*24*3600, noexpiry=opts.noexpiry) +samdb.setexpiry(filter, days*24*3600, no_expiry_req=opts.noexpiry) -- cgit From 8b5cb77118e6fbf99d33987341db7476913bada1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 20 Sep 2009 15:23:34 -0700 Subject: s4-selftest: disable RPC-COUNTCALLS The RPC-COUNTCALLS was useful when we were working out IDL by hand --- source4/selftest/skip | 1 + 1 file changed, 1 insertion(+) (limited to 'source4') diff --git a/source4/selftest/skip b/source4/selftest/skip index c253e5cc33..87e7a8d20f 100644 --- a/source4/selftest/skip +++ b/source4/selftest/skip @@ -62,3 +62,4 @@ samba4.ntvfs.cifs.raw. nss.test # Fails raw.offline # Samba 4 doesn't have much offline support yet rpc.autoidl # this one just generates a lot of noise, and is no longer useful +samba4.rpc.countcalls # this is not useful now we have full IDL -- cgit From 11bfbc516077d1cead94d0bc70ef24267b9014e7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 20 Sep 2009 15:27:09 -0700 Subject: s4-selftest: disable RAP-SCAN test also pointless now we have docs --- source4/selftest/skip | 1 + 1 file changed, 1 insertion(+) (limited to 'source4') diff --git a/source4/selftest/skip b/source4/selftest/skip index 87e7a8d20f..aa57c6b1b4 100644 --- a/source4/selftest/skip +++ b/source4/selftest/skip @@ -63,3 +63,4 @@ nss.test # Fails raw.offline # Samba 4 doesn't have much offline support yet rpc.autoidl # this one just generates a lot of noise, and is no longer useful samba4.rpc.countcalls # this is not useful now we have full IDL +samba4.rap.scan # same thing here - we have docs now -- cgit