Merge branch 'master' of git://git.samba.org/samba

author Nadezhda Ivanova <nadezhda.ivanova@postpath.com>

Mon, 21 Sep 2009 21:26:15 +0000 (14:26 -0700)

committer Nadezhda Ivanova <nadezhda.ivanova@postpath.com>

Mon, 21 Sep 2009 21:26:15 +0000 (14:26 -0700)
author Nadezhda Ivanova <nadezhda.ivanova@postpath.com>
Mon, 21 Sep 2009 21:26:15 +0000 (14:26 -0700)
committer Nadezhda Ivanova <nadezhda.ivanova@postpath.com>
Mon, 21 Sep 2009 21:26:15 +0000 (14:26 -0700)
diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c

index f5a0dfde708bd8b14065dcdbc09ad9e642a1fd3a..18adb42a0cb6aeeedbaf26429155db50ed3d1cd8 100644 (file)
--- a/lib/async_req/async_sock.c
+++ b/lib/async_req/async_sock.c
@@ -160,6 +160,10 @@ static void async_recv_handler(struct tevent_context *ev,
                 /* retry */
                 return;
         }
+       if (state->received == 0) {
+               tevent_req_error(req, EPIPE);
+               return;
+       }
         if (state->received == -1) {
                 tevent_req_error(req, errno);
                 return;
diff --git a/lib/tdb/tools/tdbtool.c b/lib/tdb/tools/tdbtool.c

index c0814e11de2753ac5c7529bc698dbd030ac7c90e..e469cebf650bc0a72c8cef36a9efdfc0119cd763 100644 (file)
--- a/lib/tdb/tools/tdbtool.c
+++ b/lib/tdb/tools/tdbtool.c
@@ -40,6 +40,9 @@ static int disable_mmap;
  enum commands {
         CMD_CREATE_TDB,
         CMD_OPEN_TDB,
+       CMD_TRANSACTION_START,
+       CMD_TRANSACTION_COMMIT,
+       CMD_TRANSACTION_CANCEL,
         CMD_ERASE,
         CMD_DUMP,
         CMD_INSERT,
@@ -70,6 +73,9 @@ typedef struct {
  COMMAND_TABLE cmd_table[] = {
         {"create",      CMD_CREATE_TDB},
         {"open",        CMD_OPEN_TDB},
+       {"transaction_start",   CMD_TRANSACTION_START},
+       {"transaction_commit",  CMD_TRANSACTION_COMMIT},
+       {"transaction_cancel",  CMD_TRANSACTION_CANCEL},
         {"erase",       CMD_ERASE},
         {"dump",        CMD_DUMP},
         {"insert",      CMD_INSERT},
@@ -169,6 +175,9 @@ static void help(void)
  "tdbtool: \n"
  "  create    dbname     : create a database\n"
  "  open      dbname     : open an existing database\n"
+"  transaction_start    : start a transaction\n"
+"  transaction_commit   : commit a transaction\n"
+"  transaction_cancel   : cancel a transaction\n"
  "  erase                : erase the database\n"
  "  dump                 : dump the database as strings\n"
  "  keys                 : dump the database keys as strings\n"
@@ -182,6 +191,7 @@ static void help(void)
  "  list                 : print the database hash table and freelist\n"
  "  free                 : print the database freelist\n"
  "  check                : check the integrity of an opened database\n"
+"  speed                : perform speed tests on the database\n"
  "  ! command            : execute system command\n"
  "  1 | first            : print the first record\n"
  "  n | next             : print the next record\n"
@@ -536,117 +546,129 @@ static int do_command(void)
         int cmd_len;
  
         if (cmdname && strlen(cmdname) == 0) {
-           mycmd = CMD_NEXT;
+               mycmd = CMD_NEXT;
         } else {
-           while (ctp->name) {
-               cmd_len = strlen(ctp->name);
-               if (strncmp(ctp->name,cmdname,cmd_len) == 0) {
-                       mycmd = ctp->cmd;
-                       break;
+               while (ctp->name) {
+                       cmd_len = strlen(ctp->name);
+                       if (strncmp(ctp->name,cmdname,cmd_len) == 0) {
+                               mycmd = ctp->cmd;
+                               break;
+                       }
+                       ctp++;
                 }
-               ctp++;
-           }
         }
  
         switch (mycmd) {
         case CMD_CREATE_TDB:
-            bIterate = 0;
-            create_tdb(arg1);
-           return 0;
-       case CMD_OPEN_TDB:
-            bIterate = 0;
-            open_tdb(arg1);
-            return 0;
-       case CMD_SYSTEM:
-           /* Shell command */
-           if (system(arg1) == -1) {
-               terror("system() call failed\n");
-           }
-           return 0;
-       case CMD_QUIT:
-           return 1;
-       default:
-           /* all the rest require a open database */
-           if (!tdb) {
-               bIterate = 0;
-               terror("database not open");
-               help();
-               return 0;
-           }
-           switch (mycmd) {
-           case CMD_ERASE:
-               bIterate = 0;
-               tdb_traverse(tdb, do_delete_fn, NULL);
-               return 0;
-           case CMD_DUMP:
-               bIterate = 0;
-               tdb_traverse(tdb, print_rec, NULL);
-               return 0;
-           case CMD_INSERT:
                 bIterate = 0;
-               insert_tdb(arg1, arg1len,arg2,arg2len);
+               create_tdb(arg1);
                 return 0;
-           case CMD_MOVE:
-               bIterate = 0;
-               move_rec(arg1,arg1len,arg2);
-               return 0;
-           case CMD_STORE:
-               bIterate = 0;
-               store_tdb(arg1,arg1len,arg2,arg2len);
-               return 0;
-           case CMD_SHOW:
-               bIterate = 0;
-               show_tdb(arg1, arg1len);
-               return 0;
-           case CMD_KEYS:
-               tdb_traverse(tdb, print_key, NULL);
-               return 0;
-           case CMD_HEXKEYS:
-               tdb_traverse(tdb, print_hexkey, NULL);
-               return 0;
-           case CMD_DELETE:
+       case CMD_OPEN_TDB:
                 bIterate = 0;
-               delete_tdb(arg1,arg1len);
-               return 0;
-           case CMD_LIST_HASH_FREE:
-               tdb_dump_all(tdb);
+               open_tdb(arg1);
                 return 0;
-           case CMD_LIST_FREE:
-               tdb_printfreelist(tdb);
-               return 0;
-           case CMD_INFO:
-               info_tdb();
-               return 0;
-           case CMD_SPEED:
-               speed_tdb(arg1);
-               return 0;
-           case CMD_MMAP:
-               toggle_mmap();
-               return 0;
-           case CMD_FIRST:
-               bIterate = 1;
-               first_record(tdb, &iterate_kbuf);
-               return 0;
-           case CMD_NEXT:
-              if (bIterate)
-                 next_record(tdb, &iterate_kbuf);
-               return 0;
-           case CMD_CHECK:
-               check_db(tdb);
-               return 0;
-           case CMD_HELP:
-               help();
+       case CMD_SYSTEM:
+               /* Shell command */
+               if (system(arg1) == -1) {
+                       terror("system() call failed\n");
+               }
                 return 0;
-            case CMD_CREATE_TDB:
-            case CMD_OPEN_TDB:
-            case CMD_SYSTEM:
-            case CMD_QUIT:
-                /*
-                 * unhandled commands.  cases included here to avoid compiler
-                 * warnings.
-                 */
-                return 0;
-           }
+       case CMD_QUIT:
+               return 1;
+       default:
+               /* all the rest require a open database */
+               if (!tdb) {
+                       bIterate = 0;
+                       terror("database not open");
+                       help();
+                       return 0;
+               }
+               switch (mycmd) {
+               case CMD_TRANSACTION_START:
+                       bIterate = 0;
+                       tdb_transaction_start(tdb);
+                       return 0;
+               case CMD_TRANSACTION_COMMIT:
+                       bIterate = 0;
+                       tdb_transaction_commit(tdb);
+                       return 0;
+               case CMD_TRANSACTION_CANCEL:
+                       bIterate = 0;
+                       tdb_transaction_cancel(tdb);
+                       return 0;
+               case CMD_ERASE:
+                       bIterate = 0;
+                       tdb_traverse(tdb, do_delete_fn, NULL);
+                       return 0;
+               case CMD_DUMP:
+                       bIterate = 0;
+                       tdb_traverse(tdb, print_rec, NULL);
+                       return 0;
+               case CMD_INSERT:
+                       bIterate = 0;
+                       insert_tdb(arg1, arg1len,arg2,arg2len);
+                       return 0;
+               case CMD_MOVE:
+                       bIterate = 0;
+                       move_rec(arg1,arg1len,arg2);
+                       return 0;
+               case CMD_STORE:
+                       bIterate = 0;
+                       store_tdb(arg1,arg1len,arg2,arg2len);
+                       return 0;
+               case CMD_SHOW:
+                       bIterate = 0;
+                       show_tdb(arg1, arg1len);
+                       return 0;
+               case CMD_KEYS:
+                       tdb_traverse(tdb, print_key, NULL);
+                       return 0;
+               case CMD_HEXKEYS:
+                       tdb_traverse(tdb, print_hexkey, NULL);
+                       return 0;
+               case CMD_DELETE:
+                       bIterate = 0;
+                       delete_tdb(arg1,arg1len);
+                       return 0;
+               case CMD_LIST_HASH_FREE:
+                       tdb_dump_all(tdb);
+                       return 0;
+               case CMD_LIST_FREE:
+                       tdb_printfreelist(tdb);
+                       return 0;
+               case CMD_INFO:
+                       info_tdb();
+                       return 0;
+               case CMD_SPEED:
+                       speed_tdb(arg1);
+                       return 0;
+               case CMD_MMAP:
+                       toggle_mmap();
+                       return 0;
+               case CMD_FIRST:
+                       bIterate = 1;
+                       first_record(tdb, &iterate_kbuf);
+                       return 0;
+               case CMD_NEXT:
+                       if (bIterate)
+                               next_record(tdb, &iterate_kbuf);
+                       return 0;
+               case CMD_CHECK:
+                       check_db(tdb);
+                       return 0;
+               case CMD_HELP:
+                       help();
+                       return 0;
+               case CMD_CREATE_TDB:
+               case CMD_OPEN_TDB:
+               case CMD_SYSTEM:
+               case CMD_QUIT:
+                       /*
+                        * unhandled commands.  cases included here to avoid compiler
+                        * warnings.
+                        */
+                       return 0;
+               }
         }
  
         return 0;
@@ -654,88 +676,87 @@ static int do_command(void)
  
  static char *convert_string(char *instring, size_t *sizep)
  {
-    size_t length = 0;
-    char *outp, *inp;
-    char temp[3];
-    
-
-    outp = inp = instring;
-
-    while (*inp) {
-       if (*inp == '\\') {
-           inp++;
-           if (*inp && strchr("0123456789abcdefABCDEF",(int)*inp)) {
-               temp[0] = *inp++;
-               temp[1] = '\0';
-               if (*inp && strchr("0123456789abcdefABCDEF",(int)*inp)) {
-                   temp[1] = *inp++;
-                   temp[2] = '\0';
+       size_t length = 0;
+       char *outp, *inp;
+       char temp[3];
+
+       outp = inp = instring;
+
+       while (*inp) {
+               if (*inp == '\\') {
+                       inp++;
+                       if (*inp && strchr("0123456789abcdefABCDEF",(int)*inp)) {
+                               temp[0] = *inp++;
+                               temp[1] = '\0';
+                               if (*inp && strchr("0123456789abcdefABCDEF",(int)*inp)) {
+                                       temp[1] = *inp++;
+                                       temp[2] = '\0';
+                               }
+                               *outp++ = (char)strtol((const char *)temp,NULL,16);
+                       } else {
+                               *outp++ = *inp++;
+                       }
+               } else {
+                       *outp++ = *inp++;
                 }
-               *outp++ = (char)strtol((const char *)temp,NULL,16);
-           } else {
-               *outp++ = *inp++;
-           }
-       } else {
-           *outp++ = *inp++;
+               length++;
         }
-       length++;
-    }
-    *sizep = length;
-    return instring;
+       *sizep = length;
+       return instring;
  }
  
  int main(int argc, char *argv[])
  {
-    cmdname = "";
-    arg1 = NULL;
-    arg1len = 0;
-    arg2 = NULL;
-    arg2len = 0;
-
-    if (argv[1]) {
-       cmdname = "open";
-       arg1 = argv[1];
-        do_command();
-       cmdname =  "";
+       cmdname = "";
         arg1 = NULL;
-    }
+       arg1len = 0;
+       arg2 = NULL;
+       arg2len = 0;
+
+       if (argv[1]) {
+               cmdname = "open";
+               arg1 = argv[1];
+               do_command();
+               cmdname =  "";
+               arg1 = NULL;
+       }
  
-    switch (argc) {
+       switch (argc) {
         case 1:
         case 2:
-           /* Interactive mode */
-           while ((cmdname = tdb_getline("tdb> "))) {
-               arg2 = arg1 = NULL;
-               if ((arg1 = strchr((const char *)cmdname,' ')) != NULL) {
-                   arg1++;
-                   arg2 = arg1;
-                   while (*arg2) {
-                       if (*arg2 == ' ') {
-                           *arg2++ = '\0';
-                           break;
-                       }
-                       if ((*arg2++ == '\\') && (*arg2 == ' ')) {
-                           arg2++;
+               /* Interactive mode */
+               while ((cmdname = tdb_getline("tdb> "))) {
+                       arg2 = arg1 = NULL;
+                       if ((arg1 = strchr((const char *)cmdname,' ')) != NULL) {
+                               arg1++;
+                               arg2 = arg1;
+                               while (*arg2) {
+                                       if (*arg2 == ' ') {
+                                               *arg2++ = '\0';
+                                               break;
+                                       }
+                                       if ((*arg2++ == '\\') && (*arg2 == ' ')) {
+                                               arg2++;
+                                       }
+                               }
                         }
-                   }
+                       if (arg1) arg1 = convert_string(arg1,&arg1len);
+                       if (arg2) arg2 = convert_string(arg2,&arg2len);
+                       if (do_command()) break;
                 }
-               if (arg1) arg1 = convert_string(arg1,&arg1len);
-               if (arg2) arg2 = convert_string(arg2,&arg2len);
-               if (do_command()) break;
-           }
-           break;
+               break;
         case 5:
-           arg2 = convert_string(argv[4],&arg2len);
+               arg2 = convert_string(argv[4],&arg2len);
         case 4:
-           arg1 = convert_string(argv[3],&arg1len);
+               arg1 = convert_string(argv[3],&arg1len);
         case 3:
-           cmdname = argv[2];
+               cmdname = argv[2];
         default:
-           do_command();
-           break;
-    }
+               do_command();
+               break;
+       }
  
-    if (tdb) tdb_close(tdb);
+       if (tdb) tdb_close(tdb);
  
-    return 0;
+       return 0;
  }
diff --git a/lib/tevent/tevent_signal.c b/lib/tevent/tevent_signal.c

index ef9c0cf28877999b27d19323ae70018336a455c1..0ca2a2760b0338112a1f3ebaa9cceb1ec857cabc 100644 (file)
--- a/lib/tevent/tevent_signal.c
+++ b/lib/tevent/tevent_signal.c
@@ -85,6 +85,7 @@ static void tevent_common_signal_handler(int signum)
         ssize_t res;
         struct tevent_common_signal_list *sl;
         struct tevent_context *ev = NULL;
+       int saved_errno = errno;
  
         SIG_INCREMENT(sig_state->signal_count[signum]);
         SIG_INCREMENT(sig_state->got_signal);
@@ -103,6 +104,8 @@ static void tevent_common_signal_handler(int signum)
                         ev = sl->se->event_ctx;
                 }
         }
+
+       errno = saved_errno;
  }
  
  #ifdef SA_SIGINFO
diff --git a/source3/lib/select.c b/source3/lib/select.c

index a58530af8d343eebe72ac484ce94e61a812999b1..b5443ff20ca3c7ebdb201d77616ca52fb0d1bca2 100644 (file)
--- a/source3/lib/select.c
+++ b/source3/lib/select.c
@@ -39,11 +39,15 @@ static volatile unsigned pipe_written, pipe_read;
  
  void sys_select_signal(char c)
  {
+       int saved_errno = errno;
+
         if (!initialised) return;
  
         if (pipe_written > pipe_read+256) return;
  
         if (write(select_pipe[1], &c, 1) == 1) pipe_written++;
+
+       errno = saved_errno;
  }
  
  /*******************************************************************
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c

index 0e66e3cf01e2f36fc73f29a7575a1dcce975b8a8..36f401bc92803f7b8fd061d08207ea539221e6ac 100644 (file)
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -1135,8 +1135,8 @@ void secrets_fetch_ipc_userpass(char **username, char **domain, char **password)
  *******************************************************************************/
  
  #define SCHANNEL_STORE_VERSION_1 1
-#define SCHANNEL_STORE_VERSION_2 2
-#define SCHANNEL_STORE_VERSION_CURRENT SCHANNEL_STORE_VERSION_2
+#define SCHANNEL_STORE_VERSION_2 2 /* should not be used */
+#define SCHANNEL_STORE_VERSION_CURRENT SCHANNEL_STORE_VERSION_1
  
  TDB_CONTEXT *open_schannel_session_store(TALLOC_CTX *mem_ctx)
  {
@@ -1168,12 +1168,18 @@ TDB_CONTEXT *open_schannel_session_store(TALLOC_CTX *mem_ctx)
                 vers.dptr = NULL;
         } else if (vers.dsize == 4) {
                 ver = IVAL(vers.dptr,0);
-               if (ver != SCHANNEL_STORE_VERSION_CURRENT) {
+               if (ver == SCHANNEL_STORE_VERSION_2) {
                         DEBUG(0,("open_schannel_session_store: wrong version number %d in %s\n",
                                 (int)ver, fname ));
                         tdb_wipe_all(tdb_sc);
                         goto again;
                 }
+               if (ver != SCHANNEL_STORE_VERSION_CURRENT) {
+                       DEBUG(0,("open_schannel_session_store: wrong version number %d in %s\n",
+                               (int)ver, fname ));
+                       tdb_close(tdb_sc);
+                       tdb_sc = NULL;
+               }
         } else {
                 tdb_close(tdb_sc);
                 tdb_sc = NULL;
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c

index 9d4676f9b5976a9b22ca9656adb63eab6689127e..f0160fcb78fbd95a54b49cf1b5321429f11912c7 100644 (file)
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -692,6 +692,8 @@ static void winbind_client_response_written(struct tevent_req *req)
         ret = wb_resp_write_recv(req, &err);
         TALLOC_FREE(req);
         if (ret == -1) {
+               close(state->sock);
+               state->sock = -1;
                 DEBUG(2, ("Could not write response to client: %s\n",
                           strerror(err)));
                 remove_client(state);
@@ -792,6 +794,8 @@ static void winbind_client_request_read(struct tevent_req *req)
         ret = wb_req_read_recv(req, state, &state->request, &err);
         TALLOC_FREE(req);
         if (ret == -1) {
+               close(state->sock);
+               state->sock = -1;
                 DEBUG(2, ("Could not read client request: %s\n",
                           strerror(err)));
                 remove_client(state);
@@ -813,22 +817,19 @@ static void remove_client(struct winbindd_cli_state *state)
                 return;
         }
  
-       /* tell client, we are closing ... */
-       nwritten = write(state->sock, &c, sizeof(c));
-       if (nwritten == -1) {
-               /* 
-                * ignore EPIPE error here, because the other end might
-                * have already closed the socket.
-                */
-               if (errno != EPIPE) {
+       if (state->sock != -1) {
+               /* tell client, we are closing ... */
+               nwritten = write(state->sock, &c, sizeof(c));
+               if (nwritten == -1) {
                         DEBUG(2, ("final write to client failed: %s\n",
-                               strerror(errno)));
+                               strerror(errno)));
                 }
-       }
  
-       /* Close socket */
+               /* Close socket */
  
-       close(state->sock);
+               close(state->sock);
+               state->sock = -1;
+       }
  
         /* Free any getent state */
  
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c

index a04e52469d572060e7ba17dc4a0f18596eccd40d..a50e5b4a66d85f3fcc076fd55b5f2d0ef92c9bd5 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -248,7 +248,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
                 char *name;
                 char *saltbody;
  
-               name = talloc_strdup(io->ac, io->u.sAMAccountName);
+               name = strlower_talloc(io->ac, io->u.sAMAccountName);
                 if (!name) {
                         ldb_oom(ldb);
                         return LDB_ERR_OPERATIONS_ERROR;
diff --git a/source4/dsdb/samdb/ldb_modules/resolve_oids.c b/source4/dsdb/samdb/ldb_modules/resolve_oids.c

index f4d9eba17a4b1449878a7cf7354ada1c6fba9418..053c2ec55fe3f4f4fc7170ba807d530136076a9b 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/resolve_oids.c
+++ b/source4/dsdb/samdb/ldb_modules/resolve_oids.c
@@ -21,6 +21,199 @@
  #include "ldb_module.h"
  #include "dsdb/samdb/samdb.h"
  
+static int resolve_oids_need_value(struct ldb_context *ldb,
+                                  struct dsdb_schema *schema,
+                                  const struct dsdb_attribute *a,
+                                  const struct ldb_val *valp)
+{
+       const struct dsdb_attribute *va = NULL;
+       const struct dsdb_class *vo = NULL;
+       const void *p2;
+       char *str = NULL;
+
+       if (a->syntax->oMSyntax != 6) {
+               return LDB_ERR_COMPARE_FALSE;
+       }
+
+       if (valp) {
+               p2 = memchr(valp->data, '.', valp->length);
+       } else {
+               p2 = NULL;
+       }
+
+       if (!p2) {
+               return LDB_ERR_COMPARE_FALSE;
+       }
+
+       switch (a->attributeID_id) {
+       case DRSUAPI_ATTRIBUTE_objectClass:
+       case DRSUAPI_ATTRIBUTE_subClassOf:
+       case DRSUAPI_ATTRIBUTE_auxiliaryClass:
+       case DRSUAPI_ATTRIBUTE_systemPossSuperiors:
+       case DRSUAPI_ATTRIBUTE_possSuperiors:
+               str = talloc_strndup(ldb, (char *)valp->data, valp->length);
+               if (!str) {
+                       ldb_oom(ldb);
+                       return LDB_ERR_OPERATIONS_ERROR;
+               }
+               vo = dsdb_class_by_governsID_oid(schema, str);
+               talloc_free(str);
+               if (!vo) {
+                       return LDB_ERR_COMPARE_FALSE;
+               }
+               return LDB_ERR_COMPARE_TRUE;
+       case DRSUAPI_ATTRIBUTE_systemMustContain:
+       case DRSUAPI_ATTRIBUTE_systemMayContain:
+       case DRSUAPI_ATTRIBUTE_mustContain:
+       case DRSUAPI_ATTRIBUTE_mayContain:
+               str = talloc_strndup(ldb, (char *)valp->data, valp->length);
+               if (!str) {
+                       ldb_oom(ldb);
+                       return LDB_ERR_OPERATIONS_ERROR;
+               }
+               va = dsdb_attribute_by_attributeID_oid(schema, str);
+               talloc_free(str);
+               if (!va) {
+                       return LDB_ERR_COMPARE_FALSE;
+               }
+               return LDB_ERR_COMPARE_TRUE;
+       case DRSUAPI_ATTRIBUTE_governsID:
+       case DRSUAPI_ATTRIBUTE_attributeID:
+       case DRSUAPI_ATTRIBUTE_attributeSyntax:
+               return LDB_ERR_COMPARE_FALSE;
+       }
+
+       return LDB_ERR_COMPARE_FALSE;
+}
+
+static int resolve_oids_parse_tree_need(struct ldb_context *ldb,
+                                       struct dsdb_schema *schema,
+                                       const struct ldb_parse_tree *tree)
+{
+       int i;
+       const struct dsdb_attribute *a = NULL;
+       const char *attr;
+       const char *p1;
+       const void *p2;
+       const struct ldb_val *valp = NULL;
+       int ret;
+
+       switch (tree->operation) {
+       case LDB_OP_AND:
+       case LDB_OP_OR:
+               for (i=0;i<tree->u.list.num_elements;i++) {
+                       ret = resolve_oids_parse_tree_need(ldb, schema,
+                                               tree->u.list.elements[i]);
+                       if (ret != LDB_ERR_COMPARE_FALSE) {
+                               return ret;
+                       }
+               }
+               return LDB_ERR_COMPARE_FALSE;
+       case LDB_OP_NOT:
+               return resolve_oids_parse_tree_need(ldb, schema,
+                                               tree->u.isnot.child);
+       case LDB_OP_EQUALITY:
+       case LDB_OP_GREATER:
+       case LDB_OP_LESS:
+       case LDB_OP_APPROX:
+               attr = tree->u.equality.attr;
+               valp = &tree->u.equality.value;
+               break;
+       case LDB_OP_SUBSTRING:
+               attr = tree->u.substring.attr;
+               break;
+       case LDB_OP_PRESENT:
+               attr = tree->u.present.attr;
+               break;
+       case LDB_OP_EXTENDED:
+               attr = tree->u.extended.attr;
+               valp = &tree->u.extended.value;
+               break;
+       default:
+               return LDB_ERR_COMPARE_FALSE;
+       }
+
+       p1 = strchr(attr, '.');
+
+       if (valp) {
+               p2 = memchr(valp->data, '.', valp->length);
+       } else {
+               p2 = NULL;
+       }
+
+       if (!p1 && !p2) {
+               return LDB_ERR_COMPARE_FALSE;
+       }
+
+       if (p1) {
+               a = dsdb_attribute_by_attributeID_oid(schema, attr);
+       } else {
+               a = dsdb_attribute_by_lDAPDisplayName(schema, attr);
+       }
+       if (!a) {
+               return LDB_ERR_COMPARE_FALSE;
+       }
+
+       if (!p2) {
+               return LDB_ERR_COMPARE_FALSE;
+       }
+
+       if (a->syntax->oMSyntax != 6) {
+               return LDB_ERR_COMPARE_FALSE;
+       }
+
+       return resolve_oids_need_value(ldb, schema, a, valp);
+}
+
+static int resolve_oids_element_need(struct ldb_context *ldb,
+                                    struct dsdb_schema *schema,
+                                    const struct ldb_message_element *el)
+{
+       int i;
+       const struct dsdb_attribute *a = NULL;
+       const char *p1;
+
+       p1 = strchr(el->name, '.');
+
+       if (p1) {
+               a = dsdb_attribute_by_attributeID_oid(schema, el->name);
+       } else {
+               a = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
+       }
+       if (!a) {
+               return LDB_ERR_COMPARE_FALSE;
+       }
+
+       for (i=0; i < el->num_values; i++) {
+               int ret;
+               ret = resolve_oids_need_value(ldb, schema, a,
+                                             &el->values[i]);
+               if (ret != LDB_ERR_COMPARE_FALSE) {
+                       return ret;
+               }
+       }
+
+       return LDB_ERR_COMPARE_FALSE;
+}
+
+static int resolve_oids_message_need(struct ldb_context *ldb,
+                                    struct dsdb_schema *schema,
+                                    const struct ldb_message *msg)
+{
+       int i;
+
+       for (i=0; i < msg->num_elements; i++) {
+               int ret;
+               ret = resolve_oids_element_need(ldb, schema,
+                                               &msg->elements[i]);
+               if (ret != LDB_ERR_COMPARE_FALSE) {
+                       return ret;
+               }
+       }
+
+       return LDB_ERR_COMPARE_FALSE;
+}
+
  static int resolve_oids_replace_value(struct ldb_context *ldb,
                                       struct dsdb_schema *schema,
                                       const struct dsdb_attribute *a,
@@ -98,19 +291,22 @@ static int resolve_oids_parse_tree_replace(struct ldb_context *ldb,
         const char *p1;
         const void *p2;
         struct ldb_val *valp = NULL;
+       int ret;
  
         switch (tree->operation) {
         case LDB_OP_AND:
         case LDB_OP_OR:
                 for (i=0;i<tree->u.list.num_elements;i++) {
-                       resolve_oids_parse_tree_replace(ldb, schema,
+                       ret = resolve_oids_parse_tree_replace(ldb, schema,
                                                         tree->u.list.elements[i]);
+                       if (ret != LDB_SUCCESS) {
+                               return ret;
+                       }
                 }
                 return LDB_SUCCESS;
         case LDB_OP_NOT:
-               resolve_oids_parse_tree_replace(ldb, schema,
+               return resolve_oids_parse_tree_replace(ldb, schema,
                                                 tree->u.isnot.child);
-               return LDB_SUCCESS;
         case LDB_OP_EQUALITY:
         case LDB_OP_GREATER:
         case LDB_OP_LESS:
@@ -275,6 +471,14 @@ static int resolve_oids_search(struct ldb_module *module, struct ldb_request *re
                 return ldb_next_request(module, req);
         }
  
+       ret = resolve_oids_parse_tree_need(ldb, schema,
+                                          req->op.search.tree);
+       if (ret == LDB_ERR_COMPARE_FALSE) {
+               return ldb_next_request(module, req);
+       } else if (ret != LDB_ERR_COMPARE_TRUE) {
+               return ret;
+       }
+
         ac = talloc(req, struct resolve_oids_context);
         if (ac == NULL) {
                 ldb_oom(ldb);
@@ -332,6 +536,14 @@ static int resolve_oids_add(struct ldb_module *module, struct ldb_request *req)
                 return ldb_next_request(module, req);
         }
  
+       ret = resolve_oids_message_need(ldb, schema,
+                                       req->op.add.message);
+       if (ret == LDB_ERR_COMPARE_FALSE) {
+               return ldb_next_request(module, req);
+       } else if (ret != LDB_ERR_COMPARE_TRUE) {
+               return ret;
+       }
+
         ac = talloc(req, struct resolve_oids_context);
         if (ac == NULL) {
                 ldb_oom(ldb);
@@ -385,6 +597,14 @@ static int resolve_oids_modify(struct ldb_module *module, struct ldb_request *re
                 return ldb_next_request(module, req);
         }
  
+       ret = resolve_oids_message_need(ldb, schema,
+                                       req->op.mod.message);
+       if (ret == LDB_ERR_COMPARE_FALSE) {
+               return ldb_next_request(module, req);
+       } else if (ret != LDB_ERR_COMPARE_TRUE) {
+               return ret;
+       }
+
         ac = talloc(req, struct resolve_oids_context);
         if (ac == NULL) {
                 ldb_oom(ldb);
diff --git a/source4/lib/ldb/common/ldb.c b/source4/lib/ldb/common/ldb.c

index 613451a7c2a2cba9ce634f7fc478fe95a52aae7b..b75d837674c3c1f9bd362422632732a7c3818523 100644 (file)
--- a/source4/lib/ldb/common/ldb.c
+++ b/source4/lib/ldb/common/ldb.c
@@ -41,8 +41,8 @@ static int ldb_context_destructor(void *ptr)
  
         if (ldb->transaction_active) {
                 ldb_debug(ldb, LDB_DEBUG_FATAL,
-                         "A transaction is still active in ldb context [%p]",
-                         ldb);
+                         "A transaction is still active in ldb context [%p] on %s",
+                         ldb, (const char *)ldb_get_opaque(ldb, "ldb_url"));
         }
  
         return 0;
diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c

index c4e786c83384f8e95112eeae3b5cdbbc9b7c85db..70dee9597b673beb12b8856d67c7528b73a269f6 100644 (file)
--- a/source4/libnet/libnet_become_dc.c
+++ b/source4/libnet/libnet_become_dc.c
@@ -2101,7 +2101,7 @@ static void becomeDC_drsuapi1_add_entry_send(struct libnet_BecomeDC_state *s)
                 vd[0] = data_blob_talloc(vd, NULL, 4);
                 if (composite_nomem(vd[0].data, c)) return;
  
-               SIVAL(vd[0].data, 0, DS_DC_FUNCTION_2008_R2);
+               SIVAL(vd[0].data, 0, DS_DC_FUNCTION_2008);
  
                 vs[0].blob              = &vd[0];
  
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c

index 86ad685c5161479b820e227629f06f58fb795eaa..fc7de10506bc8258416521d6903c1e5d307aa02d 100644 (file)
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -33,6 +33,7 @@
  #include "auth/credentials/credentials_krb5.h"
  #include "librpc/gen_ndr/ndr_samr_c.h"
  #include "param/param.h"
+#include "param/provision.h"
  
  /*
   * complete a domain join, when joining to a AD domain:
@@ -860,254 +861,6 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru
         return status;
  }
  
-NTSTATUS libnet_set_join_secrets(struct libnet_context *ctx, 
-                                TALLOC_CTX *mem_ctx, 
-                                struct libnet_set_join_secrets *r)
-{
-       TALLOC_CTX *tmp_mem;
-       int ret, rtn;
-       struct ldb_context *ldb;
-       struct ldb_dn *base_dn;
-       struct ldb_message **msgs, *msg;
-       const char *sct;
-       const char * const attrs[] = {
-               "whenChanged",
-               "secret",
-               "priorSecret",
-               "priorChanged",
-               "krb5Keytab",
-               "privateKeytab",
-               NULL
-       };
-
-       tmp_mem = talloc_new(mem_ctx);
-       if (!tmp_mem) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       /* Open the secrets database */
-       ldb = secrets_db_connect(tmp_mem, ctx->event_ctx, ctx->lp_ctx);
-       if (!ldb) {
-               r->out.error_string
-                       = talloc_asprintf(mem_ctx, 
-                                         "Could not open secrets database");
-               talloc_free(tmp_mem);
-               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-       }
-
-       /*
-        * now prepare the record for secrets.ldb
-        */
-       sct = talloc_asprintf(tmp_mem, "%d", r->in.join_type); 
-       if (!sct) {
-               r->out.error_string = NULL;
-               talloc_free(tmp_mem);
-               return NT_STATUS_NO_MEMORY;
-       }
-       
-       msg = ldb_msg_new(tmp_mem);
-       if (!msg) {
-               r->out.error_string = NULL;
-               talloc_free(tmp_mem);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       base_dn = ldb_dn_new(tmp_mem, ldb, "cn=Primary Domains");
-       if (!base_dn) {
-               r->out.error_string = NULL;
-               talloc_free(tmp_mem);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       msg->dn = ldb_dn_copy(tmp_mem, base_dn);
-       if ( ! ldb_dn_add_child_fmt(msg->dn, "flatname=%s", r->in.domain_name)) {
-               r->out.error_string = NULL;
-               talloc_free(tmp_mem);
-               return NT_STATUS_NO_MEMORY;
-       }
-       
-       rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "flatname", r->in.domain_name);
-       if (rtn == -1) {
-               r->out.error_string = NULL;
-               talloc_free(tmp_mem);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       if (r->in.realm) {
-               rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "realm", r->in.realm);
-               if (rtn == -1) {
-                       r->out.error_string = NULL;
-                       talloc_free(tmp_mem);
-                       return NT_STATUS_NO_MEMORY;
-               }
-       }
-
-       rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "objectClass", "primaryDomain");
-       if (rtn == -1) {
-               r->out.error_string = NULL;
-               talloc_free(tmp_mem);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "objectClass", "kerberosSecret");
-       if (rtn == -1) {
-               r->out.error_string = NULL;
-               talloc_free(tmp_mem);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "secret", r->in.join_password);
-       if (rtn == -1) {
-               r->out.error_string = NULL;
-               talloc_free(tmp_mem);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "samAccountName", r->in.account_name);
-       if (rtn == -1) {
-               r->out.error_string = NULL;
-               talloc_free(tmp_mem);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "secureChannelType", sct);
-       if (rtn == -1) {
-               r->out.error_string = NULL;
-               talloc_free(tmp_mem);
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       if (r->in.kvno) {
-               rtn = samdb_msg_add_uint(ldb, tmp_mem, msg, "msDS-KeyVersionNumber",
-                                        r->in.kvno);
-               if (rtn == -1) {
-                       r->out.error_string = NULL;
-                       talloc_free(tmp_mem);
-                       return NT_STATUS_NO_MEMORY;
-               }
-       }
-
-       if (r->in.domain_sid) {
-               rtn = samdb_msg_add_dom_sid(ldb, tmp_mem, msg, "objectSid",
-                                           r->in.domain_sid);
-               if (rtn == -1) {
-                       r->out.error_string = NULL;
-                       talloc_free(tmp_mem);
-                       return NT_STATUS_NO_MEMORY;
-               }
-       }
-
-       /* 
-        * search for the secret record
-        * - remove the records we find
-        * - and fetch the old secret and store it under priorSecret
-        */
-       ret = gendb_search(ldb,
-                          tmp_mem, base_dn,
-                          &msgs, attrs,
-                          "(|" SECRETS_PRIMARY_DOMAIN_FILTER "(realm=%s))",
-                          r->in.domain_name, r->in.realm);
-       if (ret == 0) {
-               rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "privateKeytab", "secrets.keytab");
-               if (rtn == -1) {
-                       r->out.error_string = NULL;
-                       talloc_free(tmp_mem);
-                       return NT_STATUS_NO_MEMORY;
-               }
-       } else if (ret == -1) {
-               r->out.error_string
-                       = talloc_asprintf(mem_ctx, 
-                                         "Search for domain: %s and realm: %s failed: %s", 
-                                         r->in.domain_name, r->in.realm, ldb_errstring(ldb));
-               talloc_free(tmp_mem);
-               return NT_STATUS_INTERNAL_DB_CORRUPTION;
-       } else {
-               const struct ldb_val *private_keytab;
-               const struct ldb_val *krb5_main_keytab;
-               const struct ldb_val *prior_secret;
-               const struct ldb_val *prior_modified_time;
-               int i;
-
-               for (i = 0; i < ret; i++) {
-                       ldb_delete(ldb, msgs[i]->dn);
-               }
-
-               prior_secret = ldb_msg_find_ldb_val(msgs[0], "secret");
-               if (prior_secret) {
-                       rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "priorSecret", prior_secret);
-                       if (rtn == -1) {
-                               r->out.error_string = NULL;
-                               talloc_free(tmp_mem);
-                               return NT_STATUS_NO_MEMORY;
-                       }
-               }
-               rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "secret", r->in.join_password);
-               if (rtn == -1) {
-                       r->out.error_string = NULL;
-                       talloc_free(tmp_mem);
-                       return NT_STATUS_NO_MEMORY;
-               }
-
-               prior_modified_time = ldb_msg_find_ldb_val(msgs[0], 
-                                                          "whenChanged");
-               if (prior_modified_time) {
-                       rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "priorWhenChanged", 
-                                                 prior_modified_time);
-                       if (rtn == -1) {
-                               r->out.error_string = NULL;
-                               talloc_free(tmp_mem);
-                               return NT_STATUS_NO_MEMORY;
-                       }
-               }
-
-               rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "samAccountName", r->in.account_name);
-               if (rtn == -1) {
-                       r->out.error_string = NULL;
-                       talloc_free(tmp_mem);
-                       return NT_STATUS_NO_MEMORY;
-               }
-
-               rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "secureChannelType", sct);
-               if (rtn == -1) {
-                       r->out.error_string = NULL;
-                       talloc_free(tmp_mem);
-                       return NT_STATUS_NO_MEMORY;
-               }
-
-               /* We will want to keep the keytab names */
-               private_keytab = ldb_msg_find_ldb_val(msgs[0], "privateKeytab");
-               if (private_keytab) {
-                       rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "privateKeytab", private_keytab);
-                       if (rtn == -1) {
-                               r->out.error_string = NULL;
-                               talloc_free(tmp_mem);
-                               return NT_STATUS_NO_MEMORY;
-                       }
-               }
-               krb5_main_keytab = ldb_msg_find_ldb_val(msgs[0], "krb5Keytab");
-               if (krb5_main_keytab) {
-                       rtn = samdb_msg_set_value(ldb, tmp_mem, msg,
-                                       "krb5Keytab", krb5_main_keytab);
-                       if (rtn == -1) {
-                               r->out.error_string = NULL;
-                               talloc_free(tmp_mem);
-                               return NT_STATUS_NO_MEMORY;
-                       }
-               }
-       }
-
-       /* create the secret */
-       ret = ldb_add(ldb, msg);
-       if (ret != 0) {
-               r->out.error_string = talloc_asprintf(mem_ctx, "Failed to create secret record %s", 
-                                                     ldb_dn_get_linearized(msg->dn));
-               talloc_free(tmp_mem);
-               return NT_STATUS_INTERNAL_DB_CORRUPTION;
-       }
-
-       return NT_STATUS_OK;
-}
-
  static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx, 
                                            TALLOC_CTX *mem_ctx, 
                                            struct libnet_Join *r)
@@ -1115,11 +868,12 @@ static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx,
         NTSTATUS status;
         TALLOC_CTX *tmp_mem;
         struct libnet_JoinDomain *r2;
-       struct libnet_set_join_secrets *r3;
+       struct provision_store_self_join_settings *set_secrets;
         uint32_t acct_type = 0;
         const char *account_name;
         const char *netbios_name;
-       
+       const char *error_string;
+
         r->out.error_string = NULL;
  
         tmp_mem = talloc_new(mem_ctx);
@@ -1179,26 +933,26 @@ static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx,
                 return status;
         }
  
-       r3 = talloc(tmp_mem, struct libnet_set_join_secrets);
-       if (!r3) {
+       set_secrets = talloc(tmp_mem, struct provision_store_self_join_settings);
+       if (!set_secrets) {
                 r->out.error_string = NULL;
                 talloc_free(tmp_mem);
                 return NT_STATUS_NO_MEMORY;
         }
         
-       ZERO_STRUCTP(r3);
-       r3->in.domain_name = r2->out.domain_name;
-       r3->in.realm = r2->out.realm;
-       r3->in.account_name = account_name;
-       r3->in.netbios_name = netbios_name;
-       r3->in.join_type = r->in.join_type;
-       r3->in.join_password = r2->out.join_password;
-       r3->in.kvno = r2->out.kvno;
-       r3->in.domain_sid = r2->out.domain_sid;
+       ZERO_STRUCTP(set_secrets);
+       set_secrets->domain_name = r2->out.domain_name;
+       set_secrets->realm = r2->out.realm;
+       set_secrets->account_name = account_name;
+       set_secrets->netbios_name = netbios_name;
+       set_secrets->secure_channel_type = r->in.join_type;
+       set_secrets->machine_password = r2->out.join_password;
+       set_secrets->key_version_number = r2->out.kvno;
+       set_secrets->domain_sid = r2->out.domain_sid;
         
-       status = libnet_set_join_secrets(ctx, r3, r3);
+       status = provision_store_self_join(ctx, ctx->lp_ctx, ctx->event_ctx, set_secrets, &error_string);
         if (!NT_STATUS_IS_OK(status)) {
-               r->out.error_string = talloc_steal(mem_ctx, r3->out.error_string);
+               r->out.error_string = talloc_steal(mem_ctx, error_string);
                 talloc_free(tmp_mem);
                 return status;
         }
@@ -1206,11 +960,11 @@ static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx,
         /* move all out parameter to the callers TALLOC_CTX */
         r->out.error_string     = NULL;
         r->out.join_password    = r2->out.join_password;
-       talloc_steal(mem_ctx, r2->out.join_password);
+       talloc_reparent(r2, mem_ctx, r2->out.join_password);
         r->out.domain_sid       = r2->out.domain_sid;
-       talloc_steal(mem_ctx, r2->out.domain_sid);
+       talloc_reparent(r2, mem_ctx, r2->out.domain_sid);
         r->out.domain_name      = r2->out.domain_name;
-       talloc_steal(mem_ctx, r2->out.domain_name);
+       talloc_reparent(r2, mem_ctx, r2->out.domain_name);
         talloc_free(tmp_mem);
         return NT_STATUS_OK;
  }
diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c

index 327a64daea3bf0932a7728b82fced206dcc88f74..19453a4d650723dffd310185f8a7741b3ed0c000 100644 (file)
--- a/source4/libnet/libnet_vampire.c
+++ b/source4/libnet/libnet_vampire.c
@@ -595,10 +595,11 @@ NTSTATUS libnet_Vampire(struct libnet_context *ctx, TALLOC_CTX *mem_ctx,
                         struct libnet_Vampire *r)
  {
         struct libnet_JoinDomain *join;
-       struct libnet_set_join_secrets *set_secrets;
+       struct provision_store_self_join_settings *set_secrets;
         struct libnet_BecomeDC b;
         struct vampire_state *s;
         struct ldb_message *msg;
+       const char *error_string;
         int ldb_ret;
         uint32_t i;
         NTSTATUS status;
@@ -709,40 +710,52 @@ NTSTATUS libnet_Vampire(struct libnet_context *ctx, TALLOC_CTX *mem_ctx,
                 return NT_STATUS_INTERNAL_DB_ERROR;
         }
  
-       /* commit the transaction - this commits all the changes in
-          the ldb from the whole vampire.  Note that this commit
+       /* prepare the transaction - this prepares to commit all the changes in
+          the ldb from the whole vampire.  Note that this 
            triggers the writing of the linked attribute backlinks.
         */
-       if (ldb_transaction_commit(s->ldb) != LDB_SUCCESS) {
-               printf("Failed to commit vampire transaction\n");
+       if (ldb_transaction_prepare_commit(s->ldb) != LDB_SUCCESS) {
+               printf("Failed to prepare_commit vampire transaction\n");
                 return NT_STATUS_INTERNAL_DB_ERROR;
         }
  
-       set_secrets = talloc_zero(s, struct libnet_set_join_secrets);
+       set_secrets = talloc(s, struct provision_store_self_join_settings);
         if (!set_secrets) {
+               r->out.error_string = NULL;
+               talloc_free(s);
                 return NT_STATUS_NO_MEMORY;
         }
-               
-       set_secrets->in.domain_name = join->out.domain_name;
-       set_secrets->in.realm = join->out.realm;
-       set_secrets->in.account_name = account_name;
-       set_secrets->in.netbios_name = netbios_name;
-       set_secrets->in.join_type = SEC_CHAN_BDC;
-       set_secrets->in.join_password = join->out.join_password;
-       set_secrets->in.kvno = join->out.kvno;
-       set_secrets->in.domain_sid = join->out.domain_sid;
         
-       status = libnet_set_join_secrets(ctx, set_secrets, set_secrets);
+       ZERO_STRUCTP(set_secrets);
+       set_secrets->domain_name = join->out.domain_name;
+       set_secrets->realm = join->out.realm;
+       set_secrets->account_name = account_name;
+       set_secrets->netbios_name = netbios_name;
+       set_secrets->secure_channel_type = SEC_CHAN_BDC;
+       set_secrets->machine_password = join->out.join_password;
+       set_secrets->key_version_number = join->out.kvno;
+       set_secrets->domain_sid = join->out.domain_sid;
+       
+       status = provision_store_self_join(ctx, ctx->lp_ctx, ctx->event_ctx, set_secrets, &error_string);
         if (!NT_STATUS_IS_OK(status)) {
-               r->out.error_string = talloc_steal(mem_ctx, set_secrets->out.error_string);
+               r->out.error_string = talloc_steal(mem_ctx, error_string);
                 talloc_free(s);
                 return status;
         }
  
         r->out.domain_name = talloc_steal(r, join->out.domain_name);
         r->out.domain_sid = talloc_steal(r, join->out.domain_sid);
-       talloc_free(s);
         
+       /* commit the transaction now we know the secrets were written
+        * out properly
+       */
+       if (ldb_transaction_commit(s->ldb) != LDB_SUCCESS) {
+               printf("Failed to commit vampire transaction\n");
+               return NT_STATUS_INTERNAL_DB_ERROR;
+       }
+
+       talloc_free(s);
+
         return NT_STATUS_OK;
  
  }
diff --git a/source4/librpc/ndr/py_security.c b/source4/librpc/ndr/py_security.c

index 02dc059f0587b9f735a1ef7517f9001e2cd7875f..1b185a51b53d6c8de25837884724ed3608300404 100644 (file)
--- a/source4/librpc/ndr/py_security.c
+++ b/source4/librpc/ndr/py_security.c
@@ -23,6 +23,11 @@
  #define Py_RETURN_NONE return Py_INCREF(Py_None), Py_None
  #endif
  
+PyObject *py_dom_sid_FromSid(struct dom_sid *sid)
+{
+       return py_talloc_reference(&dom_sid_Type, sid);
+}
+
  static void PyType_AddMethods(PyTypeObject *type, PyMethodDef *methods)
  {
         PyObject *dict;
diff --git a/source4/librpc/ndr/py_security.h b/source4/librpc/ndr/py_security.h

new file mode 100644 (file)

index 0000000..9d200fa
--- /dev/null
+++ b/source4/librpc/ndr/py_security.h
@@ -0,0 +1,23 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2008
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "libcli/security/security.h"
+
+/* a lone prototype for this function, because it's python */
+PyObject *py_dom_sid_FromSid(struct dom_sid *sid);
diff --git a/source4/param/config.mk b/source4/param/config.mk

index 6e5290b64d96aaf77eaa3c444fd37e3d77079a7e..45eb836bb4d7b80e897e824c940eaf97899ddda6 100644 (file)
--- a/source4/param/config.mk
+++ b/source4/param/config.mk
@@ -13,7 +13,7 @@ PUBLIC_HEADERS += param/param.h
  PC_FILES += $(paramsrcdir)/samba-hostconfig.pc
  
  [SUBSYSTEM::PROVISION]
-PRIVATE_DEPENDENCIES = LIBPYTHON pyldb pyparam_util
+PRIVATE_DEPENDENCIES = LIBPYTHON pyldb pyparam_util python_dcerpc_security
  
  PROVISION_OBJ_FILES = $(paramsrcdir)/provision.o $(param_OBJ_FILES)
  
diff --git a/source4/param/provision.c b/source4/param/provision.c

index bbc6837a90c783166fe24555261473489afc4b9f..355af794d82017c17c9af54ccc6f478892e6505d 100644 (file)
--- a/source4/param/provision.c
+++ b/source4/param/provision.c
@@ -2,7 +2,8 @@
     Unix SMB/CIFS implementation.
     Samba utility functions
     Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2008
-   
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
+
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
     the Free Software Foundation; either version 3 of the License, or
@@ -20,15 +21,21 @@
  #include "includes.h"
  #include "auth/auth.h"
  #include "lib/ldb_wrap.h"
+#include "ldb/include/ldb.h"
+#include "ldb_errors.h"
  #include "libcli/raw/libcliraw.h"
  #include "librpc/ndr/libndr.h"
  
  #include "param/param.h"
  #include "param/provision.h"
+#include "param/secrets.h"
  #include <Python.h>
+#include "lib/talloc/pytalloc.h"
+#include "librpc/rpc/pyrpc.h"
  #include "scripting/python/modules.h"
  #include "lib/ldb/pyldb.h"
  #include "param/pyparam.h"
+#include "librpc/ndr/py_security.h"
  
  NTSTATUS provision_bare(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
                         struct provision_settings *settings, 
@@ -144,3 +151,125 @@ NTSTATUS provision_bare(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
  
         return NT_STATUS_OK;
  }
+
+extern void initldb(void);
+extern void initsecurity(void);
+
+NTSTATUS provision_store_self_join(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
+                                  struct tevent_context *event_ctx,
+                                  struct provision_store_self_join_settings *settings,
+                                  const char **error_string)
+{
+       int ret;
+       PyObject *provision_mod, *provision_dict, *provision_fn, *py_result, *parameters, *py_sid;
+       struct ldb_context *ldb;
+       TALLOC_CTX *tmp_mem = talloc_new(mem_ctx);
+       if (!tmp_mem) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       /* Open the secrets database */
+       ldb = secrets_db_connect(tmp_mem, event_ctx, lp_ctx);
+       if (!ldb) {
+               *error_string
+                       = talloc_asprintf(mem_ctx, 
+                                         "Could not open secrets database");
+               talloc_free(tmp_mem);
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+       }
+
+       ret = ldb_transaction_start(ldb);
+
+       if (ret != LDB_SUCCESS) {
+               *error_string
+                       = talloc_asprintf(mem_ctx, 
+                                         "Could not start transaction on secrets database: %s", ldb_errstring(ldb));
+               talloc_free(tmp_mem);
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+       }
+
+       py_load_samba_modules();
+       Py_Initialize();
+       py_update_path("bin"); /* FIXME: Can't assume this is always the case */
+       initldb();
+       initsecurity();
+       provision_mod = PyImport_Import(PyString_FromString("samba.provision"));
+
+       if (provision_mod == NULL) {
+               PyErr_Print();
+               *error_string
+                       = talloc_asprintf(mem_ctx, "Unable to import provision Python module.");
+               talloc_free(tmp_mem);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       provision_dict = PyModule_GetDict(provision_mod);
+
+       if (provision_dict == NULL) {
+               *error_string
+                       = talloc_asprintf(mem_ctx, "Unable to get dictionary for provision module");
+               talloc_free(tmp_mem);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       provision_fn = PyDict_GetItemString(provision_dict, "secretsdb_self_join");
+       if (provision_fn == NULL) {
+               PyErr_Print();
+               *error_string
+                       = talloc_asprintf(mem_ctx, "Unable to get provision_become_dc function");
+               talloc_free(tmp_mem);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+       
+       parameters = PyDict_New();
+
+       PyDict_SetItemString(parameters, "secretsdb", 
+                            PyLdb_FromLdbContext(ldb));
+       PyDict_SetItemString(parameters, "domain", 
+                            PyString_FromString(settings->domain_name));
+       PyDict_SetItemString(parameters, "domain", 
+                            PyString_FromString(settings->domain_name));
+       PyDict_SetItemString(parameters, "realm", 
+                            PyString_FromString(settings->realm));
+       PyDict_SetItemString(parameters, "machinepass", 
+                            PyString_FromString(settings->machine_password));
+       PyDict_SetItemString(parameters, "netbiosname", 
+                            PyString_FromString(settings->netbios_name));
+
+       py_sid = py_dom_sid_FromSid(settings->domain_sid);
+
+       PyDict_SetItemString(parameters, "domainsid", 
+                            py_sid);
+
+       PyDict_SetItemString(parameters, "secure_channel_type", 
+                      PyInt_FromLong(settings->secure_channel_type));
+
+       PyDict_SetItemString(parameters, "key_version_number", 
+                      PyInt_FromLong(settings->key_version_number));
+
+       py_result = PyEval_CallObjectWithKeywords(provision_fn, NULL, parameters);
+
+       Py_DECREF(parameters);
+
+       if (py_result == NULL) {
+               ldb_transaction_cancel(ldb);
+               talloc_free(tmp_mem);
+
+               PyErr_Print();
+               PyErr_Clear();
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       ret = ldb_transaction_commit(ldb);
+       if (ret != LDB_SUCCESS) {
+               *error_string
+                       = talloc_asprintf(mem_ctx, 
+                                         "Could not commit transaction on secrets database: %s", ldb_errstring(ldb));
+               talloc_free(tmp_mem);
+               return NT_STATUS_INTERNAL_DB_ERROR;
+       }
+
+       talloc_free(tmp_mem);
+
+       return NT_STATUS_OK;
+}
diff --git a/source4/param/provision.h b/source4/param/provision.h

index af9685d292f5aa9562e4eec03051dfb52f5a93a1..c3b3bb88d80a58fd2997ccb4786dfa41700e2f58 100644 (file)
--- a/source4/param/provision.h
+++ b/source4/param/provision.h
@@ -44,8 +44,24 @@ struct provision_result {
          struct loadparm_context *lp_ctx;
  };
  
+struct provision_store_self_join_settings {
+       const char *domain_name;
+       const char *realm;
+       const char *netbios_name;
+       const char *account_name;
+       enum netr_SchannelType secure_channel_type;
+       const char *machine_password;
+       int key_version_number;
+       struct dom_sid *domain_sid;
+};
+
  NTSTATUS provision_bare(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
                                                 struct provision_settings *settings,
                                                 struct provision_result *result);
  
+NTSTATUS provision_store_self_join(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
+                                  struct tevent_context *ev_ctx,
+                                  struct provision_store_self_join_settings *settings,
+                                  const char **error_string);
+
  #endif /* _PROVISION_H_ */
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py

index 25cec4b143340ea01281014f69202663df34d7a4..2d3e04eac1bdda1d2fb7d18ac4717599e766ec66 100644 (file)
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -44,7 +44,7 @@ from credentials import Credentials, DONT_USE_KERBEROS
  from auth import system_session, admin_session
  from samba import version, Ldb, substitute_var, valid_netbios_name
  from samba import check_all_substituted
-from samba import DS_DOMAIN_FUNCTION_2000, DS_DC_FUNCTION_2008_R2
+from samba import DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTION_2008, DS_DC_FUNCTION_2008_R2
  from samba.samdb import SamDB
  from samba.idmap import IDmapDB
  from samba.dcerpc import security
@@ -54,14 +54,10 @@ from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError, timestring
  from ms_schema import read_ms_schema
  from ms_display_specifiers import read_ms_ldif
  from signal import SIGTERM
+from dcerpc.misc import SEC_CHAN_BDC, SEC_CHAN_WKSTA
  
  __docformat__ = "restructuredText"
  
-
-class ProvisioningError(ValueError):
-  pass
-
-
  def find_setup_dir():
      """Find the setup directory used by provision."""
      dirname = os.path.dirname(__file__)
@@ -113,6 +109,11 @@ def get_config_descriptor(domain_sid):
  
  DEFAULTSITE = "Default-First-Site-Name"
  
+# Exception classes
+
+class ProvisioningError(Exception):
+    """A generic provision error."""
+
  class InvalidNetbiosName(Exception):
      """A specified name was not a valid NetBIOS name."""
      def __init__(self, name):
@@ -355,7 +356,6 @@ def provision_paths_from_lp(lp, dnsdomain):
      """
      paths = ProvisionPaths()
      paths.private_dir = lp.get("private dir")
-    paths.keytab = "secrets.keytab"
      paths.dns_keytab = "dns.keytab"
  
      paths.shareconf = os.path.join(paths.private_dir, "share.ldb")
@@ -695,26 +695,83 @@ def setup_samdb_partitions(samdb_path, setup_path, message, lp, session_info,
  
      samdb.transaction_commit()
      
+def secretsdb_self_join(secretsdb, domain, 
+                        netbiosname, domainsid, machinepass, 
+                        realm=None, dnsdomain=None,
+                        keytab_path=None, 
+                        key_version_number=1,
+                        secure_channel_type=SEC_CHAN_WKSTA):
+    """Add domain join-specific bits to a secrets database.
+    
+    :param secretsdb: Ldb Handle to the secrets database
+    :param machinepass: Machine password
+    """
+    attrs=["whenChanged",
+           "secret",
+           "priorSecret",
+           "priorChanged",
+           "krb5Keytab",
+           "privateKeytab"]
+    
+
+    msg = ldb.Message(ldb.Dn(secretsdb, "flatname=%s,cn=Primary Domains" % domain));
+    msg["secureChannelType"] = str(secure_channel_type)
+    msg["flatname"] = [domain]
+    msg["objectClass"] = ["top", "primaryDomain"]
+    if realm is not None:
+      if dnsdomain is None:
+        dnsdomain = realm.lower()
+      msg["objectClass"] = ["top", "primaryDomain", "kerberosSecret"]
+      msg["realm"] = realm
+      msg["saltPrincipal"] = "host/%s.%s@%s" % (netbiosname.lower(), dnsdomain.lower(), realm.upper())
+      msg["msDS-KeyVersionNumber"] = [str(key_version_number)]
+      msg["privateKeytab"] = ["secrets.keytab"];
+
+
+    msg["secret"] = [machinepass]
+    msg["samAccountName"] = ["%s$" % netbiosname]
+    msg["secureChannelType"] = [str(secure_channel_type)]
+    msg["objectSid"] = [ndr_pack(domainsid)]
+    
+    res = secretsdb.search(base="cn=Primary Domains", 
+                           attrs=attrs, 
+                           expression=("(&(|(flatname=%s)(realm=%s)(objectSid=%s))(objectclass=primaryDomain))" % (domain, realm, str(domainsid))), 
+                           scope=SCOPE_ONELEVEL)
+    
+    for del_msg in res:
+      if del_msg.dn is not msg.dn:
+        secretsdb.delete(del_msg.dn)
+
+    res = secretsdb.search(base=msg.dn, attrs=attrs, scope=SCOPE_BASE)
  
+    if len(res) == 1:
+      msg["priorSecret"] = res[0]["secret"]
+      msg["priorWhenChanged"] = res[0]["whenChanged"]
  
-def secretsdb_become_dc(secretsdb, setup_path, domain, realm, dnsdomain, 
-                        netbiosname, domainsid, keytab_path, samdb_url, 
-                        dns_keytab_path, dnspass, machinepass):
-    """Add DC-specific bits to a secrets database.
+      if res["privateKeytab"] is not None:
+        msg["privateKeytab"] = res[0]["privateKeytab"]
+
+      if res["krb5Keytab"] is not None:
+        msg["krb5Keytab"] = res[0]["krb5Keytab"]
+
+      for el in msg:
+        el.set_flags(ldb.FLAG_MOD_REPLACE)
+        secretsdb.modify(msg)
+    else:
+      secretsdb.add(msg)
+
+
+def secretsdb_setup_dns(secretsdb, setup_path, realm, dnsdomain, 
+                        dns_keytab_path, dnspass):
+    """Add DNS specific bits to a secrets database.
      
      :param secretsdb: Ldb Handle to the secrets database
      :param setup_path: Setup path function
      :param machinepass: Machine password
      """
-    setup_ldb(secretsdb, setup_path("secrets_dc.ldif"), { 
-            "MACHINEPASS_B64": b64encode(machinepass),
-            "DOMAIN": domain,
+    setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), { 
              "REALM": realm,
              "DNSDOMAIN": dnsdomain,
-            "DOMAINSID": str(domainsid),
-            "SECRETS_KEYTAB": keytab_path,
-            "NETBIOSNAME": netbiosname,
-            "SAM_LDB": samdb_url,
              "DNS_KEYTAB": dns_keytab_path,
              "DNSPASS_B64": b64encode(dnspass),
              })
@@ -738,6 +795,7 @@ def setup_secretsdb(path, setup_path, session_info, credentials, lp):
      secrets_ldb.load_ldif_file_add(setup_path("secrets_init.ldif"))
      secrets_ldb = Ldb(path, session_info=session_info, credentials=credentials,
                        lp=lp)
+    secrets_ldb.transaction_start()
      secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
  
      if credentials is not None and credentials.authentication_requested():
@@ -873,9 +931,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
      :note: This will wipe the main SAM database file!
      """
  
-    domainFunctionality = DS_DOMAIN_FUNCTION_2000
-    forestFunctionality = DS_DOMAIN_FUNCTION_2000
-    domainControllerFunctionality = DS_DC_FUNCTION_2008_R2
+    # Do NOT change these default values without discussion with the team and reslease manager.  
+    domainFunctionality = DS_DOMAIN_FUNCTION_2008
+    forestFunctionality = DS_DOMAIN_FUNCTION_2008
+    domainControllerFunctionality = DS_DC_FUNCTION_2008
  
      # Also wipes the database
      setup_samdb_partitions(path, setup_path, message=message, lp=lp,
@@ -1275,16 +1334,18 @@ def provision(setup_dir, message, session_info,
  
          # Only make a zone file on the first DC, it should be replicated with DNS replication
          if serverrole == "domain controller":
-            secrets_ldb = Ldb(paths.secrets, session_info=session_info, 
-                              credentials=credentials, lp=lp)
-            secretsdb_become_dc(secrets_ldb, setup_path, domain=domain,
+            secretsdb_self_join(secrets_ldb, domain=domain,
                                  realm=names.realm,
+                                dnsdomain=names.dnsdomain,
                                  netbiosname=names.netbiosname,
                                  domainsid=domainsid, 
-                                keytab_path=paths.keytab, samdb_url=paths.samdb,
+                                machinepass=machinepass,
+                                secure_channel_type=SEC_CHAN_BDC)
+
+            secretsdb_setup_dns(secrets_ldb, setup_path, 
+                                realm=names.realm, dnsdomain=names.dnsdomain,
                                  dns_keytab_path=paths.dns_keytab,
-                                dnspass=dnspass, machinepass=machinepass,
-                                dnsdomain=names.dnsdomain)
+                                dnspass=dnspass)
  
              domainguid = samdb.searchone(basedn=domaindn, attribute="objectGUID")
              assert isinstance(domainguid, str)
@@ -1309,6 +1370,8 @@ def provision(setup_dir, message, session_info,
                               realm=names.realm)
              message("A Kerberos configuration suitable for Samba 4 has been generated at %s" % paths.krb5conf)
  
+    #Now commit the secrets.ldb to disk
+    secrets_ldb.transaction_commit()
  
      if provision_backend is not None: 
        if ldap_backend_type == "fedora-ds":
diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py

index 239dd6a6ea4f44397da2b4d70c078f97f3ce6036..39cf1d6c406ed87c7cd0bc7fda04e16a8140a061 100644 (file)
--- a/source4/scripting/python/samba/samdb.py
+++ b/source4/scripting/python/samba/samdb.py
@@ -202,8 +202,8 @@ userPassword:: %s
          self.transaction_start()
          try:
              res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
-                              expression=filter,
-                              attrs=["userAccountControl", "accountExpires"])
+                          expression=filter,
+                          attrs=["userAccountControl", "accountExpires"])
              assert(len(res) == 1)
              user_dn = res[0].dn
  
diff --git a/source4/setup/domainlevel b/source4/setup/domainlevel

index b49150ff2dafad65a3c92fdc2790e1577bb9ed19..ceab735c8f88e3e83b099eeea28db3bae66ba16a 100755 (executable)
--- a/source4/setup/domainlevel
+++ b/source4/setup/domainlevel
@@ -39,6 +39,7 @@ parser.add_option_group(sambaopts)
  parser.add_option_group(options.VersionOptions(parser))
  credopts = options.CredentialsOptions(parser)
  parser.add_option_group(credopts)
+parser.add_option("-H", help="LDB URL for database or target server", type=str)
  parser.add_option("--quiet", help="Be quiet", action="store_true")
  parser.add_option("--forest",
    help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support the 2003 with mixed domains (NT4 DC support) level.", type=str)
@@ -60,8 +61,12 @@ if len(args) == 0:
  lp = sambaopts.get_loadparm()
  creds = credopts.get_credentials(lp)
  
-samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
-              credentials=creds, lp=lp)
+if opts.H is not None:
+       url = opts.H
+else:
+       url = lp.get("sam database")
+
+samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
  
  domain_dn = SamDB.domain_dn(samdb)
  
diff --git a/source4/setup/enableaccount b/source4/setup/enableaccount

index 0ca5b39faaaa6bd997993099e8005dd65400db37..f8f727c1ee2698fde68dd454dd82c1a3502395d4 100755 (executable)
--- a/source4/setup/enableaccount
+++ b/source4/setup/enableaccount
@@ -36,6 +36,7 @@ parser.add_option_group(sambaopts)
  parser.add_option_group(options.VersionOptions(parser))
  credopts = options.CredentialsOptions(parser)
  parser.add_option_group(credopts)
+parser.add_option("-H", help="LDB URL for database or target server", type=str)
  parser.add_option("--filter", help="LDAP Filter to set password on", type=str)
  
  opts, args = parser.parse_args()
@@ -54,6 +55,11 @@ if filter is None:
  lp = sambaopts.get_loadparm()
  creds = credopts.get_credentials(lp)
  
-samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
-              credentials=creds, lp=lp)
+if opts.H is not None:
+       url = opts.H
+else:
+       url = lp.get("sam database")
+
+samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
+
  samdb.enable_account(filter)
diff --git a/source4/setup/newuser b/source4/setup/newuser

index 10af55a458afe973a3af2c4942d6777f8c96b9eb..ef65d36dfb0389e5fd2e338756e0fe94c188828f 100755 (executable)
--- a/source4/setup/newuser
+++ b/source4/setup/newuser
@@ -37,6 +37,7 @@ parser.add_option_group(sambaopts)
  parser.add_option_group(options.VersionOptions(parser))
  credopts = options.CredentialsOptions(parser)
  parser.add_option_group(credopts)
+parser.add_option("-H", help="LDB URL for database or target server", type=str)
  parser.add_option("--unixname", help="Unix Username", type=str)
  parser.add_option("--must-change-at-next-login", help="Force password to be changed on next login", action="store_true")
  
@@ -58,6 +59,11 @@ if opts.unixname is None:
  lp = sambaopts.get_loadparm()
  creds = credopts.get_credentials(lp)
  
-samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
-              credentials=creds, lp=lp)
+if opts.H is not None:
+       url = opts.H
+else:
+       url = lp.get("sam database")
+
+samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
+
  samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login_req=opts.must_change_at_next_login)
diff --git a/source4/setup/pwsettings b/source4/setup/pwsettings

index 6a5e18ef59767645cfc296f176987b300d96c4b1..0bb39d975761f7f5755acee3b4957eb89381723a 100755 (executable)
--- a/source4/setup/pwsettings
+++ b/source4/setup/pwsettings
@@ -39,6 +39,7 @@ parser.add_option_group(sambaopts)
  parser.add_option_group(options.VersionOptions(parser))
  credopts = options.CredentialsOptions(parser)
  parser.add_option_group(credopts)
+parser.add_option("-H", help="LDB URL for database or target server", type=str)
  parser.add_option("--quiet", help="Be quiet", action="store_true")
  parser.add_option("--complexity",
    help="The password complexity (on | off | default). Default is 'on'", type=str)
@@ -67,8 +68,12 @@ if len(args) == 0:
  lp = sambaopts.get_loadparm()
  creds = credopts.get_credentials(lp)
  
-samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
-              credentials=creds, lp=lp)
+if opts.H is not None:
+       url = opts.H
+else:
+       url = lp.get("sam database")
+
+samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
  
  domain_dn = SamDB.domain_dn(samdb)
  res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif

deleted file mode 100644 (file)

index b8251ee..0000000
--- a/source4/setup/secrets_dc.ldif
+++ /dev/null
@@ -1,24 +0,0 @@
-dn: flatname=${DOMAIN},CN=Primary Domains
-objectClass: top
-objectClass: primaryDomain
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-secret:: ${MACHINEPASS_B64}
-secureChannelType: 6
-sAMAccountName: ${NETBIOSNAME}$
-msDS-KeyVersionNumber: 1
-objectSid: ${DOMAINSID}
-privateKeytab: ${SECRETS_KEYTAB}
-
-#Update a keytab for the external DNS server to use 
-dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-realm: ${REALM}
-servicePrincipalName: DNS/${DNSDOMAIN}
-msDS-KeyVersionNumber: 1
-privateKeytab: ${DNS_KEYTAB}
-secret:: ${DNSPASS_B64}
-
diff --git a/source4/setup/secrets_dns.ldif b/source4/setup/secrets_dns.ldif

new file mode 100644 (file)

index 0000000..8a19733
--- /dev/null
+++ b/source4/setup/secrets_dns.ldif
@@ -0,0 +1,11 @@
+#Update a keytab for the external DNS server to use 
+dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
+objectClass: top
+objectClass: secret
+objectClass: kerberosSecret
+realm: ${REALM}
+servicePrincipalName: DNS/${DNSDOMAIN}
+msDS-KeyVersionNumber: 1
+privateKeytab: ${DNS_KEYTAB}
+secret:: ${DNSPASS_B64}
+
diff --git a/source4/setup/secrets_self_join.ldif b/source4/setup/secrets_self_join.ldif

new file mode 100644 (file)

index 0000000..22be0ca
--- /dev/null
+++ b/source4/setup/secrets_self_join.ldif
@@ -0,0 +1,13 @@
+dn: flatname=${DOMAIN},CN=Primary Domains
+objectClass: top
+objectClass: primaryDomain
+objectClass: kerberosSecret
+flatname: ${DOMAIN}
+realm: ${REALM}
+secret:: ${MACHINEPASS_B64}
+secureChannelType: 6
+sAMAccountName: ${NETBIOSNAME}$
+msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER}
+objectSid: ${DOMAINSID}
+privateKeytab: ${SECRETS_KEYTAB}
+saltPrincipal: ${SALT_PRINCIPAL}
diff --git a/source4/setup/setexpiry b/source4/setup/setexpiry

index 1572555b8cfab5de7f22202ca2e21f43648c2443..2740326f2b493bef89434566e30534e812356e91 100755 (executable)
--- a/source4/setup/setexpiry
+++ b/source4/setup/setexpiry
@@ -37,12 +37,15 @@ parser.add_option_group(sambaopts)
  parser.add_option_group(options.VersionOptions(parser))
  credopts = options.CredentialsOptions(parser)
  parser.add_option_group(credopts)
+parser.add_option("-H", help="LDB URL for database or target server", type=str)
  parser.add_option("--filter", help="LDAP Filter to set password on", type=str)
  parser.add_option("--days", help="Days to expiry", type=int)
  parser.add_option("--noexpiry", help="Password does never expire", action="store_true")
  
  opts, args = parser.parse_args()
  
+filter = opts.filter
+
  if (len(args) == 0) and (filter is None):
         print "Either the username or '--filter' must be specified!"
         parser.print_usage()
@@ -59,6 +62,11 @@ if filter is None:
  lp = sambaopts.get_loadparm()
  creds = credopts.get_credentials(lp)
  
-samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
-              credentials=creds, lp=lp)
+if opts.H is not None:
+       url = opts.H
+else:
+       url = lp.get("sam database")
+
+samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
+
  samdb.setexpiry(filter, days*24*3600, no_expiry_req=opts.noexpiry)
diff --git a/source4/setup/setpassword b/source4/setup/setpassword

index d8a2a1144acb343d8d906e758592d590e18a339b..57772be7a75c79bd1602cf35c1490b551891995a 100755 (executable)
--- a/source4/setup/setpassword
+++ b/source4/setup/setpassword
@@ -38,6 +38,7 @@ parser.add_option_group(sambaopts)
  parser.add_option_group(options.VersionOptions(parser))
  credopts = options.CredentialsOptions(parser)
  parser.add_option_group(credopts)
+parser.add_option("-H", help="LDB URL for database or target server", type=str)
  parser.add_option("--filter", help="LDAP Filter to set password on", type=str)
  parser.add_option("--newpassword", help="Set password", type=str)
  parser.add_option("--must-change-at-next-login", help="Force password to be changed on next login", action="store_true")
@@ -62,7 +63,12 @@ if filter is None:
  lp = sambaopts.get_loadparm()
  creds = credopts.get_credentials(lp)
  
-samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), 
-              credentials=creds, lp=lp)
-samdb.setpassword(filter, password, force_password_change_at_next_login=opts.must_change_at_next_login)
+if opts.H is not None:
+       url = opts.H
+else:
+       url = lp.get("sam database")
+
+samdb = SamDB(url=url, session_info=system_session(), credentials=creds, lp=lp)
+
+samdb.setpassword(filter, password, force_password_change_at_next_login_req=opts.must_change_at_next_login)
  
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh

index 0a15802a287df415366cc215810b0538dd27e3e1..91f21f473b4e65248b6821240268590321f12cd8 100755 (executable)
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
@@ -69,7 +69,7 @@ echo $USERPASS > ./tmpuserpassfile
  
  testit "set user password with kerberos ccache" $VALGRIND $net password set $DOMAIN\\nettestuser $USERPASS $CONFIGURATION  -k yes $@ || failed=`expr $failed + 1`
  
-testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -k yes $@ || failed=`expr $failed + 1`
+testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -H ldap://$SERVER -k yes $@ || failed=`expr $failed + 1`
  
  KRB5CCNAME="$PREFIX/tmpuserccache"
  export KRB5CCNAME
author	Nadezhda Ivanova <nadezhda.ivanova@postpath.com>
	Mon, 21 Sep 2009 21:26:15 +0000 (14:26 -0700)
committer	Nadezhda Ivanova <nadezhda.ivanova@postpath.com>
	Mon, 21 Sep 2009 21:26:15 +0000 (14:26 -0700)
lib/async_req/async_sock.c		patch \| blob \| history
lib/tdb/tools/tdbtool.c		patch \| blob \| history
lib/tevent/tevent_signal.c		patch \| blob \| history
source3/lib/select.c		patch \| blob \| history
source3/passdb/secrets.c		patch \| blob \| history
source3/winbindd/winbindd.c		patch \| blob \| history
source4/dsdb/samdb/ldb_modules/password_hash.c		patch \| blob \| history
source4/dsdb/samdb/ldb_modules/resolve_oids.c		patch \| blob \| history
source4/lib/ldb/common/ldb.c		patch \| blob \| history
source4/libnet/libnet_become_dc.c		patch \| blob \| history
source4/libnet/libnet_join.c		patch \| blob \| history
source4/libnet/libnet_vampire.c		patch \| blob \| history
source4/librpc/ndr/py_security.c		patch \| blob \| history
source4/librpc/ndr/py_security.h	[new file with mode: 0644]	patch \| blob
source4/param/config.mk		patch \| blob \| history
source4/param/provision.c		patch \| blob \| history
source4/param/provision.h		patch \| blob \| history
source4/scripting/python/samba/provision.py		patch \| blob \| history
source4/scripting/python/samba/samdb.py		patch \| blob \| history
source4/setup/domainlevel		patch \| blob \| history
source4/setup/enableaccount		patch \| blob \| history
source4/setup/newuser		patch \| blob \| history
source4/setup/pwsettings		patch \| blob \| history
source4/setup/secrets_dc.ldif	[deleted file]	patch \| blob \| history
source4/setup/secrets_dns.ldif	[new file with mode: 0644]	patch \| blob
source4/setup/secrets_self_join.ldif	[new file with mode: 0644]	patch \| blob
source4/setup/setexpiry		patch \| blob \| history
source4/setup/setpassword		patch \| blob \| history
testprogs/blackbox/test_kinit.sh		patch \| blob \| history