if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
- secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb");
+ secrets_tdb = lpcfg_private_path(cred, lp_ctx,
+ lpcfg_use_ntdb(lp_ctx) ?
+ "secrets.ntdb" : "secrets.tdb");
if (!secrets_tdb) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
<refsect2>
<title>RPC GETSID</title>
-<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename>. </para>
+<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>). </para>
</refsect2>
has been compiled with LDAP support. The <parameter>-w</parameter>
switch is used to specify the password to be used with the
<smbconfoption name="ldap admin dn"/>. Note that the password is stored in
- the <filename>secrets.tdb</filename> and is keyed off
+ the <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>) and is keyed off
of the admin's DN. This means that if the value of <parameter>ldap
admin dn</parameter> ever changes, the password will need to be
manually updated as well.
has been compiled with LDAP support. The <parameter>-W</parameter>
switch is used to specify the password to be used with the
<smbconfoption name="ldap admin dn"/>. Note that the password is stored in
- the <filename>secrets.tdb</filename> and is keyed off
+ the <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>) and is keyed off
of the admin's DN. This means that if the value of <parameter>ldap
admin dn</parameter> ever changes, the password will need to be
manually updated as well.
<itemizedlist>
<listitem>
<para>
- The data from the module may be send encrypted, with a key stored in secrets.tdb. The
+ The data from the module may be send encrypted, with a key stored in secrets.tdb (or secrets.ntdb). The
Receiver then has to use the same key. The module does AES block encryption over the
data to send.
</para>
If a Samba server is a member of a Windows NT Domain (see the <smbconfoption
name="security">domain</smbconfoption> parameter) then periodically a running smbd process will try and change
the MACHINE ACCOUNT PASSWORD stored in the TDB called <filename moreinfo="none">private/secrets.tdb
- </filename>. This parameter specifies how often this password will be changed, in seconds. The default is one
+ </filename> (or <filename moreinfo="none">private/secrets.ntdb</filename>). This parameter specifies how often this password will be changed, in seconds. The default is one
week (expressed in seconds), the same as a Windows NT Domain member server.
</para>
<para>
The <smbconfoption name="ldap admin dn"/> defines the Distinguished Name (DN) name used by Samba to contact
the ldap server when retreiving user account information. The <smbconfoption name="ldap admin dn"/> is used
- in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename>
+ in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename> (or <filename moreinfo="none">private/secrets.ntdb</filename>)
file. See the <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
man page for more information on how to accomplish this.
</para>
<para>Valid options are:</para>
<itemizedlist>
- <listitem><para>secrets only - use only the secrets.tdb for
+ <listitem><para>secrets only - use only the secrets.(n)tdb for
ticket verification (default)</para></listitem>
<listitem><para>system keytab - use only the system keytab
<listitem><para>dedicated keytab - use a dedicated keytab
for ticket verification</para></listitem>
- <listitem><para>secrets and keytab - use the secrets.tdb
+ <listitem><para>secrets and keytab - use the secrets.(n)tdb
first, then the system keytab</para></listitem>
</itemizedlist>
<description>
<para>This parameters defines the directory
smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename>
- and <filename moreinfo="none">secrets.tdb</filename>.
+ and <filename moreinfo="none">secrets.tdb</filename> (or <filename moreinfo="none">secrets.ntdb</filename>).
</para>
</description>
my $tdbdump = "/usr/bin/tdbdump";
+my $ntdbdump = "/usr/bin/ntdbdump";
my $testparm = "/usr/bin/testparm";
my $net = "/usr/bin/net";
my $dig = "/usr/bin/dig";
my $nmblookup = "/usr/bin/nmblookup";
my $secrets_tdb = "/etc/samba/secrets.tdb";
+my $secrets_ntdb = "/etc/samba/secrets.ntdb";
my $klist = "/usr/bin/klist";
my $kinit = "/usr/bin/kinit";
my $workgroup = "";
my $workgroup = shift || "";
$workgroup = uc($workgroup);
- my ($found, $tmp);
- -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
- -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+ my ($found, $tmp, $dbdump, $db);
+ if (-r $secrets_ntdb) {
+ -x $ntdbdump || die "ntdbdump is not installed. cannot proceed autodetection\n";
+ $dbdump = $ntdbdump;
+ $db = $secrets_ntdb;
+ } else {
+ -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
+ -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+ $dbdump = $tdbdump;
+ $db = $secrets_tdb;
+ }
# get machine-password
my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
- open(SECRETS,"$tdbdump $secrets_tdb |");
+ open(SECRETS,"$dbdump $db |");
while(my $line = <SECRETS>) {
chomp($line);
if ($found) {
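Review bot: The rewritten pipe open `open(SECRETS,"$dbdump $db |")` keeps the two-argument shell form with a bareword handle and no result check, so a missing or failing dump tool only shows up as an empty loop. Since the line is already being changed, the list form runs the tool without a shell and reports failure: `open(my $secrets_fh, '-|', $dbdump, $db) or die "cannot run $dbdump $db: $!\n";`, with the `while` loop then reading from `$secrets_fh`. The `-r $secrets_ntdb` test also falls back to secrets.tdb without a message when an ntdb file exists but is unreadable, which is louder on the tdb branch; an `-e` test with its own die would keep the two branches symmetric. The enclosing subroutine starts before the hunk and continues after it.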
<para>tdbbackup -v [-s suffix] *.tdb</para>
+ <para>
+ Note that Samba 4 can use .ntdb files instead, so you should
+ use <command>ntdbbackup</command> on those files.
+ </para>
+
<para>
Samba .tdb files are stored in various locations, be sure to run backup all
.tdb file on the system. Important files includes:
system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
chmod 0600, "$prefix/private/secrets.tdb";
+#Make sure there's no old ntdb file.
+ system("rm -f $prefix/private/secrets.ntdb");
+
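Review bot: `system("rm -f $prefix/private/secrets.ntdb")` shells out, with `$prefix` interpolated unquoted, for what the built-in does directly; the `chmod` two lines above already uses a built-in, so `unlink("$prefix/private/secrets.ntdb");` keeps the block consistent and avoids the shell. The comment above it could also say why the file matters, e.g. `# A leftover secrets.ntdb would be picked instead of the secrets.tdb copied above.`, if that is the intent. The enclosing subroutine starts before the hunk.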
#This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
# "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
#
# Remove secrets.tdb from this environment to test that we still start up
# on systems without the new matching secrets.tdb records
- unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb")) {
+ unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
return undef;
}
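Review bot: `unlink("...secrets.tdb") || unlink("...secrets.ntdb")` short-circuits, so when both files exist only secrets.tdb is removed and the ntdb file stays behind, which defeats the stated purpose of starting without the provisioned secrets records. Passing both paths to one call removes whatever exists and still yields 0 when nothing was removed: `unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb", "$ret->{PRIVATEDIR}/secrets.ntdb")) {`. The `warn` on the following line still names only secrets.tdb and could mention both files. The enclosing subroutine starts before the hunk.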
/* The following definitions come from passdb/secrets.c */
-bool secrets_init_path(const char *private_dir);
+bool secrets_init_path(const char *private_dir, bool use_ntdb);
bool secrets_init(void);
struct db_context *secrets_db_ctx(void);
void secrets_shutdown(void);
}
/* Initialize secrets database */
- if (!secrets_init_path(private_dir)) {
+ if (!secrets_init_path(private_dir, lp_use_ntdb())) {
PyErr_Format(py_pdb_error, "Cannot open secrets file database in '%s'",
private_dir);
talloc_free(frame);
}
/* open up the secrets database with specified private_dir path */
-bool secrets_init_path(const char *private_dir)
+bool secrets_init_path(const char *private_dir, bool use_ntdb)
{
char *fname = NULL;
unsigned char dummy;
}
frame = talloc_stackframe();
- fname = talloc_asprintf(frame, "%s/secrets.tdb",
- private_dir);
+ fname = talloc_asprintf(frame, "%s/secrets.%s",
+ private_dir, use_ntdb ? "ntdb" : "tdb");
if (fname == NULL) {
TALLOC_FREE(frame);
return False;
/* open up the secrets database */
bool secrets_init(void)
{
- return secrets_init_path(lp_private_dir());
+ return secrets_init_path(lp_private_dir(), lp_use_ntdb());
}
struct db_context *secrets_db_ctx(void)
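Review bot: `secrets_init()` now chooses the database from `lp_use_ntdb()`, as does the pdb Python binding above (`secrets_init_path(private_dir, lp_use_ntdb())`), while the ldb sync module further down decides by `file_exist()` on secrets.ntdb; when configuration and files on disk disagree (a leftover secrets.ntdb with the option off, or the option on before any ntdb exists) the two sides open different databases and a machine password written by one is not seen by the other. One rule should be picked, or at least stated on `secrets_init_path()`, e.g. `/* use_ntdb selects secrets.ntdb over secrets.tdb; all callers must derive it the same way, or the two files drift apart. */`.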
struct ldb_context *ldb;
struct secrets_tdb_sync_private *data;
char *private_dir, *p;
- const char *secrets_ldb;
+ const char *secrets_ldb, *secrets_ntdb;
+ bool use_ntdb;
ldb = ldb_module_get_ctx(module);
p = strrchr(private_dir, '/');
if (p) {
*p = '\0';
- secrets_init_path(private_dir);
} else {
- secrets_init_path(".");
+ private_dir = talloc_strdup(data, ".");
}
+ /* If there's an ntdb file, force code to load that. */
+ secrets_ntdb = talloc_asprintf(private_dir, "%s/secrets.ntdb",
+ private_dir);
+ use_ntdb = file_exist(secrets_ntdb);
+
+ secrets_init_path(private_dir, use_ntdb);
+
TALLOC_FREE(private_dir);
data->secrets_tdb = secrets_db_ctx();
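Review bot: The results of `talloc_strdup(data, ".")` and `talloc_asprintf(private_dir, "%s/secrets.ntdb", private_dir)` are used without a NULL check, so an allocation failure passes NULL to `file_exist()` and `secrets_init_path()`. In the else branch `private_dir` is also overwritten before the `TALLOC_FREE(private_dir)` below, so the allocation it previously pointed to is no longer released here (it may still go with its talloc parent, which is outside the hunk). A check after each allocation that frees `private_dir` and returns the function's error value would cover both; the function's signature and return type are outside the hunk. The comment `/* If there's an ntdb file, force code to load that. */` could add that this module decides by file presence rather than `lp_use_ntdb()` as `secrets_init()` does, since that is the behavioural difference a reader needs.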
def test_setup_secretsdb(self):
path = os.path.join(self.tempdir, "secrets.ldb")
- secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
paths = ProvisionPaths()
+ secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
+ secrets_ntdb_path = os.path.join(self.tempdir, "secrets.ntdb")
paths.secrets = path
paths.private_dir = os.path.dirname(path)
paths.keytab = "no.keytab"
finally:
del ldb
os.unlink(path)
- os.unlink(secrets_tdb_path)
-
+ if os.path.exists(secrets_tdb_path):
+ os.unlink(secrets_tdb_path)
+ if os.path.exists(secrets_ntdb_path):
+ os.unlink(secrets_ntdb_path)
class FindNssTests(TestCase):
"""Test findnss() function."""
self.assertEquals(newmodules.msgs, refmodules.msgs)
def tearDown(self):
- for name in ["ref.ldb", "secrets.ldb", "secrets.tdb"]:
+ for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb"]:
path = os.path.join(self.tempdir, name)
if os.path.exists(path):
os.unlink(path)
self.assertTrue(re.match(".*upgrade to.*", str(oem2)))
def tearDown(self):
- for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "sam.ldb"]:
+ for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb", "sam.ldb"]:
path = os.path.join(self.tempdir, name)
if os.path.exists(path):
os.unlink(path)