X-Git-Url: http://git.samba.org/samba.git/?p=nivanova%2Fsamba-autobuild%2F.git;a=blobdiff_plain;f=selftest%2Ftarget%2FSamba4.pm;h=1209893792fc846b669bc740ccbf6a829bf01107;hp=0508027bba54312f891183c94406d5484f13dbd8;hb=73bd0ebe5501dbbc3efef87209262f3a697b9115;hpb=c561a42ff68bc4561147839e3a65951924f6af21 diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 0508027bba5..1209893792f 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -91,7 +91,10 @@ sub check_or_start($$$) my $env_ok = $self->check_env($env_vars); if ($env_ok) { - return $env_vars->{SAMBA_PID}; + return $env_vars->{SAMBA_PID}; + } elsif (defined($env_vars->{SAMBA_PID})) { + warn("SAMBA PID $env_vars->{SAMBA_PID} is not running (died)"); + return undef; } # use a pipe for stdin in the child processes. This allows @@ -107,7 +110,7 @@ sub check_or_start($$$) } } - print "STARTING SAMBA..."; + print "STARTING SAMBA...\n"; my $pid = fork(); if ($pid == 0) { # we want out from samba to go to the log file, but also @@ -119,12 +122,14 @@ sub check_or_start($$$) SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE}); $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG}; + $ENV{KRB5CCNAME} = "$env_vars->{KRB5_CCACHE}.samba"; $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR}; $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR}; $ENV{NSS_WRAPPER_PASSWD} = $env_vars->{NSS_WRAPPER_PASSWD}; $ENV{NSS_WRAPPER_GROUP} = $env_vars->{NSS_WRAPPER_GROUP}; $ENV{NSS_WRAPPER_HOSTS} = $env_vars->{NSS_WRAPPER_HOSTS}; + $ENV{NSS_WRAPPER_HOSTNAME} = $env_vars->{NSS_WRAPPER_HOSTNAME}; $ENV{NSS_WRAPPER_MODULE_SO_PATH} = $env_vars->{NSS_WRAPPER_MODULE_SO_PATH}; $ENV{NSS_WRAPPER_MODULE_FN_PREFIX} = $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX}; @@ -168,6 +173,7 @@ sub check_or_start($$$) sub wait_for_start($$) { my ($self, $testenv_vars) = @_; + my $count = 0; my $ret = 0; if (not $self->check_env($testenv_vars)) { 
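Review bot: In the check_or_start hunk the daemon's credential cache is set to `$env_vars->{KRB5_CCACHE}.samba`, while every client command this patch touches (setup_trust, provision_raw_step2, the join and dcpromo calls) exports the plain `$localenv->{KRB5_CCACHE}` / `$ret->{KRB5_CCACHE}`. If the suffix is meant to keep the server's tickets in a different file from the test clients' cache, a comment next to the assignment, `# separate ccache for the daemon; test clients use KRB5_CCACHE without the suffix`, would stop it being "harmonised" later. The new `warn("SAMBA PID ... is not running (died)")` has no trailing newline, so Perl appends the file and line, unlike the `\n`-terminated warnings added elsewhere in this patch; pick one convention. check_or_start's body continues outside this hunk.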
@@ -175,50 +181,66 @@ sub wait_for_start($$) return -1; } - # give time for nbt server to register its names - print "delaying for nbt name registration\n"; - sleep 2; - # This will return quickly when things are up, but be slow if we # need to wait for (eg) SSL init my $nmblookup = Samba::bindir_path($self, "nmblookup4"); - system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}"); - system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}"); + + do { + $ret = system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}"); + if ($ret != 0) { + sleep(1); + } else { + system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}"); + system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}"); + system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}"); + system("$nmblookup $testenv_vars->{CONFIGURATION} 
$testenv_vars->{NETBIOSNAME}"); + system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}"); + system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}"); + system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}"); + system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}"); + system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}"); + system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}"); + system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}"); + } + $count++; + } while ($ret != 0 && $count < 20); + if ($count == 10) { + warn("nbt not reachable after 20 retries\n"); + teardown_env($self, $testenv_vars); + return 0; + } # Ensure we have the first RID Set before we start tests. This makes the tests more reliable. 
- if ($testenv_vars->{SERVER_ROLE} eq "domain controller" and not ($testenv_vars->{NETBIOSNAME} eq "RODC")) { - # Add hosts file for name lookups - $ENV{NSS_WRAPPER_HOSTS} = $testenv_vars->{NSS_WRAPPER_HOSTS}; + if ($testenv_vars->{SERVER_ROLE} eq "domain controller") { + # Add hosts file for name lookups + $ENV{NSS_WRAPPER_HOSTS} = $testenv_vars->{NSS_WRAPPER_HOSTS}; if (defined($testenv_vars->{RESOLV_WRAPPER_CONF})) { $ENV{RESOLV_WRAPPER_CONF} = $testenv_vars->{RESOLV_WRAPPER_CONF}; } else { $ENV{RESOLV_WRAPPER_HOSTS} = $testenv_vars->{RESOLV_WRAPPER_HOSTS}; } - print "waiting for working LDAP and a RID Set to be allocated\n"; - my $ldbsearch = Samba::bindir_path($self, "ldbsearch"); - my $count = 0; - my $base_dn = "DC=".join(",DC=", split(/\./, $testenv_vars->{REALM})); - my $rid_set_dn = "cn=RID Set,cn=$testenv_vars->{NETBIOSNAME},ou=domain controllers,$base_dn"; - sleep(1); - while (system("$ldbsearch -H ldap://$testenv_vars->{SERVER} -U$testenv_vars->{USERNAME}%$testenv_vars->{PASSWORD} -s base -b \"$rid_set_dn\" rIDAllocationPool > /dev/null") != 0) { - $count++; - if ($count > 40) { - $ret = -1; - last; + print "waiting for working LDAP and a RID Set to be allocated\n"; + my $ldbsearch = Samba::bindir_path($self, "ldbsearch"); + my $count = 0; + my $base_dn = "DC=".join(",DC=", split(/\./, $testenv_vars->{REALM})); + + my $search_dn = $base_dn; + if ($testenv_vars->{NETBIOSNAME} ne "RODC") { + # TODO currently no check for actual rIDAllocationPool + $search_dn = "cn=RID Set,cn=$testenv_vars->{NETBIOSNAME},ou=domain controllers,$base_dn"; + } + my $max_wait = 60; + my $cmd = "$ldbsearch $testenv_vars->{CONFIGURATION} -H ldap://$testenv_vars->{SERVER} -U$testenv_vars->{USERNAME}%$testenv_vars->{PASSWORD} -s base -b \"$search_dn\""; + while (system("$cmd >/dev/null") != 0) { + $count++; + if ($count > $max_wait) { + warn("Timed out ($max_wait sec) waiting for working LDAP and a RID Set to be allocated by $testenv_vars->{NETBIOSNAME} PID 
$testenv_vars->{SAMBA_PID}"); + $ret = -1; + last; + } + sleep(1); } - sleep(1); - } } print $self->getlog_env($testenv_vars); @@ -272,219 +294,6 @@ sub mk_openldap($$) return ($slapd_conf_d, $pidfile); } -sub mk_keyblobs($$) -{ - my ($self, $tlsdir) = @_; - - #TLS and PKINIT crypto blobs - my $dhfile = "$tlsdir/dhparms.pem"; - my $cafile = "$tlsdir/ca.pem"; - my $certfile = "$tlsdir/cert.pem"; - my $reqkdc = "$tlsdir/req-kdc.der"; - my $kdccertfile = "$tlsdir/kdc.pem"; - my $keyfile = "$tlsdir/key.pem"; - my $adminkeyfile = "$tlsdir/adminkey.pem"; - my $reqadmin = "$tlsdir/req-admin.der"; - my $admincertfile = "$tlsdir/admincert.pem"; - my $admincertupnfile = "$tlsdir/admincertupn.pem"; - - mkdir($tlsdir, 0700); - my $oldumask = umask; - umask 0077; - - #This is specified here to avoid draining entropy on every run - open(DHFILE, ">$dhfile"); - print DHFILE <$keyfile"); - print KEYFILE <$adminkeyfile"); - - print ADMINKEYFILE <$cafile"); - print CAFILE <$certfile"); - print CERTFILE <$kdccertfile"); - print KDCCERTFILE <$admincertfile"); - print ADMINCERTFILE <$admincertupnfile"); - print ADMINCERTUPNFILE <{RESOLV_WRAPPER_HOSTS}\" "; } - $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\""; + $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\" "; + $cmd_env .= "KRB5CCNAME=\"$localenv->{KRB5_CCACHE}\" "; my $cmd_config = " $localenv->{CONFIGURATION}"; @@ -547,7 +357,8 @@ sub setup_trust($$$$$) } else { $cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" "; } - $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\""; + $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\" "; + $cmd_env .= "KRB5CCNAME=\"$localenv->{KRB5_CCACHE}\" "; my $cmd_config = " $localenv->{CONFIGURATION}"; my $cmd_creds = $cmd_config; 
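Review bot: The timeout branch after the nmblookup loop tests `$count == 10` while the loop runs until `$count < 20` fails, so the "nbt not reachable" path never fires on a genuine timeout and does fire when the name resolves on exactly the tenth attempt, tearing down a healthy environment. Test the lookup result instead: `if ($ret != 0) {`. That branch also returns 0 where the other failure paths in wait_for_start return -1; if callers treat zero as success (they are outside this hunk) the environment would be used after teardown_env, so `return -1;` keeps them consistent. The `my $count = 0;` inside the domain-controller block now shadows the `$count` this patch adds at the top of the function; drop the inner `my` or rename one of them so the two counters are not confused. wait_for_start begins in the previous hunk and ends after this one.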
@@ -599,6 +410,10 @@ sub provision_raw_prepare($$$$$$$$$$$) $ctx->{password} = $password; $ctx->{kdc_ipv4} = $kdc_ipv4; $ctx->{kdc_ipv6} = $kdc_ipv6; + $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + if ($functional_level eq "2000") { + $ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc" + } # # Set smbd log level here. @@ -624,6 +439,7 @@ sub provision_raw_prepare($$$$$$$$$$$) $ctx->{piddir} = "$prefix_abs/pid"; $ctx->{smb_conf} = "$ctx->{etcdir}/smb.conf"; $ctx->{krb5_conf} = "$ctx->{etcdir}/krb5.conf"; + $ctx->{krb5_ccache} = "$prefix_abs/krb5_ccache"; $ctx->{privatedir} = "$prefix_abs/private"; $ctx->{ncalrpcdir} = "$prefix_abs/ncalrpc"; $ctx->{lockdir} = "$prefix_abs/lockdir"; @@ -631,18 +447,19 @@ sub provision_raw_prepare($$$$$$$$$$$) $ctx->{statedir} = "$prefix_abs/statedir"; $ctx->{cachedir} = "$prefix_abs/cachedir"; $ctx->{winbindd_socket_dir} = "$prefix_abs/winbindd_socket"; - $ctx->{winbindd_privileged_socket_dir} = "$prefix_abs/winbindd_privileged_socket"; $ctx->{ntp_signd_socket_dir} = "$prefix_abs/ntp_signd_socket"; $ctx->{nsswrap_passwd} = "$ctx->{etcdir}/passwd"; $ctx->{nsswrap_group} = "$ctx->{etcdir}/group"; $ctx->{nsswrap_hosts} = "$ENV{SELFTEST_PREFIX}/hosts"; + $ctx->{nsswrap_hostname} = "$ctx->{hostname}.$ctx->{dnsname}"; if ($ENV{SAMBA_DNS_FAKING}) { $ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file"; $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces --use-file=$ctx->{dns_host_file}"; } else { - $ctx->{resolv_conf} = "$ctx->{etcdir}/resolv.conf"; - $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf}"; + $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces"; + $ctx->{use_resolv_wrapper} = 1; } + $ctx->{resolv_conf} = "$ctx->{etcdir}/resolv.conf"; $ctx->{tlsdir} = "$ctx->{privatedir}/tls"; 
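Review bot: The functional-level-2000 branch sets `$ctx->{supported_enctypes}` to arcfour plus single-DES types with no comment, and the assignment is missing its semicolon (`... des-cbc-crc";`) — it parses only because it is the last statement in the block. Single-DES is weak and typically disabled by default in Kerberos implementations, so a note such as `# FL2000 emulation only: advertise the legacy enctypes a Windows 2000 KDC offered` records that the downgrade is deliberate rather than an oversight. `$ctx->{krb5_ccname}` with its `%{uid}` template is assigned here but nothing else in this patch reads it, whereas the `$ctx->{krb5_ccache}` added in the next hunk is what the KRB5_CCACHE exports use; if the first is unused it is dead state, otherwise a comment on how the two differ would help.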
@@ -661,11 +478,13 @@ sub provision_raw_prepare($$$$$$$$$$$) $ctx->{smb_conf_extra_options} = ""; my @provision_options = (); - push (@provision_options, "KRB5_CONFIG=\"$ctx->{krb5_config}\""); + push (@provision_options, "KRB5_CONFIG=\"$ctx->{krb5_conf}\""); + push (@provision_options, "KRB5_CCACHE=\"$ctx->{krb5_ccache}\""); push (@provision_options, "NSS_WRAPPER_PASSWD=\"$ctx->{nsswrap_passwd}\""); push (@provision_options, "NSS_WRAPPER_GROUP=\"$ctx->{nsswrap_group}\""); push (@provision_options, "NSS_WRAPPER_HOSTS=\"$ctx->{nsswrap_hosts}\""); - if (defined($ctx->{resolv_conf})) { + push (@provision_options, "NSS_WRAPPER_HOSTNAME=\"$ctx->{nsswrap_hostname}\""); + if (defined($ctx->{use_resolv_wrapper})) { push (@provision_options, "RESOLV_WRAPPER_CONF=\"$ctx->{resolv_conf}\""); } else { push (@provision_options, "RESOLV_WRAPPER_HOSTS=\"$ctx->{dns_host_file}\""); @@ -727,6 +546,11 @@ sub provision_raw_step1($$) warn("can't open $ctx->{smb_conf}$?"); return undef; } + + Samba::prepare_keyblobs($ctx); + my $crlfile = "$ctx->{tlsdir}/crl.pem"; + $crlfile = "" unless -e ${crlfile}; + print CONFFILE " [global] netbios name = $ctx->{netbiosname} @@ -740,11 +564,12 @@ sub provision_raw_step1($$) state directory = $ctx->{statedir} cache directory = $ctx->{cachedir} winbindd socket directory = $ctx->{winbindd_socket_dir} - winbindd privileged socket directory = $ctx->{winbindd_privileged_socket_dir} ntp signd socket directory = $ctx->{ntp_signd_socket_dir} winbind separator = / interfaces = $ctx->{interfaces} tls dh params file = $ctx->{tlsdir}/dhparms.pem + tls crlfile = ${crlfile} + tls verify peer = no_check panic action = $RealBin/gdb_backtrace \%d wins support = yes server role = $ctx->{server_role} 
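Review bot: `Samba::prepare_keyblobs($ctx);` in provision_raw_step1 is called without checking a result, and the following `-e ${crlfile}` probe only decides whether crl.pem is mentioned in smb.conf; if keyblob generation fails (its contract is outside this diff) the server is still configured with paths to key and certificate files that may not exist, and the failure shows up later as a TLS startup error rather than here. If prepare_keyblobs reports failure through its return value, guard it like the open above it: `Samba::prepare_keyblobs($ctx) or do { warn("prepare_keyblobs failed for $ctx->{tlsdir}"); return undef; };`. Note also that when the probe fails `tls crlfile = ` is written with an empty value; if smbd treats that as unset this is fine, otherwise omit the line instead.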
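Review bot: `tls verify peer = no_check` is written into every provisioned smb.conf with no comment, while the neighbouring `gensec:require_pac` entry does explain itself; since this template is what people copy when reproducing a selftest environment, a one-line note that peer verification is off only because the selftest CA is self-generated would keep it from being carried into real configs. Suggested line above it, in the template's own comment style: `#selftest only: the test CA is self-signed, so peer certificates are not verified`.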
@@ -752,11 +577,13 @@ sub provision_raw_step1($$) dcerpc endpoint servers = +winreg +srvsvc notify:inotify = false ldb:nosync = true + ldap server require strong auth = yes #We don't want to pass our self-tests if the PAC code is wrong gensec:require_pac = true log file = $ctx->{logdir}/log.\%m log level = $ctx->{server_loglevel} lanman auth = Yes + ntlm auth = Yes rndc command = true dns update command = $ctx->{samba_dnsupdate} spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf} @@ -765,13 +592,12 @@ sub provision_raw_step1($$) vfs objects = dfs_samba4 acl_xattr fake_acls xattr_tdb streams_depot - # remove this again, when our smb2 client library - # supports signin on compound related requests - server signing = on - idmap_ldb:use rfc2307=yes winbind enum users = yes winbind enum groups = yes + + rpc server port:netlogon = 1026 + "; print CONFFILE " @@ -782,8 +608,6 @@ sub provision_raw_step1($$) "; close(CONFFILE); - $self->mk_keyblobs($ctx->{tlsdir}); - #Default the KDC IP to the server's IP if (not defined($ctx->{kdc_ipv4})) { $ctx->{kdc_ipv4} = $ctx->{ipv4}; @@ -855,6 +679,7 @@ nogroup:x:65534:nobody my $ret = { KRB5_CONFIG => $ctx->{krb5_conf}, + KRB5_CCACHE => $ctx->{krb5_ccache}, PIDDIR => $ctx->{piddir}, SERVER => $ctx->{hostname}, SERVER_IP => $ctx->{ipv4}, @@ -878,6 +703,7 @@ nogroup:x:65534:nobody NSS_WRAPPER_PASSWD => $ctx->{nsswrap_passwd}, NSS_WRAPPER_GROUP => $ctx->{nsswrap_group}, NSS_WRAPPER_HOSTS => $ctx->{nsswrap_hosts}, + NSS_WRAPPER_HOSTNAME => $ctx->{nsswrap_hostname}, SAMBA_TEST_FIFO => "$ctx->{prefix}/samba_test.fifo", SAMBA_TEST_LOG => "$ctx->{prefix}/samba_test.log", SAMBA_TEST_LOG_POS => 0, 
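Review bot: `ntlm auth = Yes` is added to the global template next to the pre-existing `lanman auth = Yes`, enabling NTLMv1 for every environment this file provisions, while the new `ldap server require strong auth = yes` two lines above moves in the opposite direction; neither carries a why-comment, unlike `gensec:require_pac` just below. Suggest `#NTLMv1 stays enabled so the legacy-auth tests can run; selftest only` above the new line so the weakening is visibly deliberate. The `rpc server port:netlogon = 1026` in the next hunk and the `rpc server port = 1027` in provision_ad_dc_ntvfs are bare magic numbers; a comment on why they must differ would help the next reader.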
@@ -886,11 +712,12 @@ nogroup:x:65534:nobody LOCAL_PATH => $ctx->{share}, UID_RFC2307TEST => $uid_rfc2307test, GID_RFC2307TEST => $gid_rfc2307test, - SERVER_ROLE => $ctx->{server_role} + SERVER_ROLE => $ctx->{server_role}, + RESOLV_CONF => $ctx->{resolv_conf} }; - if (defined($ctx->{resolv_conf})) { - $ret->{RESOLV_WRAPPER_CONF} = $ctx->{resolv_conf}; + if (defined($ctx->{use_resolv_wrapper})) { + $ret->{RESOLV_WRAPPER_CONF} = $ctx->{resolv_conf}; } else { $ret->{RESOLV_WRAPPER_HOSTS} = $ctx->{dns_host_file}; } @@ -914,8 +741,9 @@ sub provision_raw_step2($$$) my $testallowed_account = "testallowed"; my $samba_tool_cmd = ""; $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool") - . " user add --configfile=$ctx->{smb_conf} $testallowed_account $ctx->{password}"; + . " user create --configfile=$ctx->{smb_conf} $testallowed_account $ctx->{password}"; unless (system($samba_tool_cmd) == 0) { warn("Unable to add testallowed user: \n$samba_tool_cmd\n"); return undef; @@ -923,6 +751,7 @@ sub provision_raw_step2($$$) my $ldbmodify = ""; $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $ldbmodify .= Samba::bindir_path($self, "ldbmodify"); my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm})); @@ -954,8 +783,9 @@ servicePrincipalName: host/testallowed $samba_tool_cmd = ""; $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool") - . " user add --configfile=$ctx->{smb_conf} testdenied $ctx->{password}"; + . " user create --configfile=$ctx->{smb_conf} testdenied $ctx->{password}"; unless (system($samba_tool_cmd) == 0) { warn("Unable to add testdenied user: \n$samba_tool_cmd\n"); return undef; 
@@ -973,6 +803,7 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn $samba_tool_cmd = ""; $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool") . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' '$testallowed_account'"; unless (system($samba_tool_cmd) == 0) { @@ -980,6 +811,22 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn return undef; } + # Create to users alice and bob! + my $user_account_array = ["alice", "bob"]; + + foreach my $user_account (@{$user_account_array}) { + my $samba_tool_cmd = ""; + + $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; + $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool") + . " user create --configfile=$ctx->{smb_conf} $user_account Secret007"; + unless (system($samba_tool_cmd) == 0) { + warn("Unable to create user: $user_account\n$samba_tool_cmd\n"); + return undef; + } + } + return $ret; } @@ -1019,7 +866,6 @@ sub provision($$$$$$$$$$) server max protocol = SMB2 host msdfs = $msdfs lanman auth = yes - allow nt4 crypto = yes # fruit:copyfile is a global option fruit:copyfile = yes @@ -1096,7 +942,7 @@ sub provision($$$$$$$$$$) path = $ctx->{share} vfs objects = catia fruit streams_xattr acl_xattr ea support = yes - fruit:ressource = file + fruit:resource = file fruit:metadata = netatalk fruit:locking = netatalk fruit:encoding = native 
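Review bot: The new loop creating alice and bob has a typo in its comment (`# Create to users alice and bob!` → `# Create two users, alice and bob`) and builds an array reference only to dereference it on the next line; `foreach my $user_account (qw(alice bob)) {` reads more plainly. The inner `my $samba_tool_cmd` shadows the `$samba_tool_cmd` declared earlier in provision_raw_step2, which is legal but easy to misread; the preceding blocks reuse the outer variable, so do the same here. The literal `Secret007` is a password every test using these accounts will depend on; hoisting it into a named variable, as `$unacceptable_password` is in provision_chgdcpass, documents that coupling. The `warn` on failure prints the whole command line including that password, consistent with the existing warnings in this function but worth knowing when reading test logs.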
@@ -1140,14 +986,17 @@ $extra_smbconf_shares return $self->provision_raw_step2($ctx, $ret); } -sub provision_s4member($$$) +sub provision_s4member($$$$$) { - my ($self, $prefix, $dcvars) = @_; - print "PROVISIONING MEMBER..."; + my ($self, $prefix, $dcvars, $hostname, $more_conf) = @_; + print "PROVISIONING MEMBER...\n"; my $extra_smb_conf = " passdb backend = samba_dsdb winbindd:use external pipes = true +# the source4 smb server doesn't allow signing by default +server signing = enabled + rpc_server:default = external rpc_server:svcctl = embedded rpc_server:srvsvc = embedded @@ -1158,9 +1007,12 @@ rpc_server:spoolss = embedded rpc_daemon:spoolssd = embedded rpc_server:tcpip = no "; + if ($more_conf) { + $extra_smb_conf = $extra_smb_conf . $more_conf . "\n"; + } my $ret = $self->provision($prefix, "member server", - "s4member", + $hostname, "SAMBADOMAIN", "samba.example.com", "2008", @@ -1181,6 +1033,7 @@ rpc_server:tcpip = no $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" "; } $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; $cmd .= " --machinepass=machine$ret->{PASSWORD}"; @@ -1210,7 +1063,7 @@ rpc_server:tcpip = no sub provision_rpc_proxy($$$) { my ($self, $prefix, $dcvars) = @_; - print "PROVISIONING RPC PROXY..."; + print "PROVISIONING RPC PROXY...\n"; my $extra_smbconf_options = " passdb backend = samba_dsdb @@ -1243,7 +1096,6 @@ sub provision_rpc_proxy($$$) $dcvars->{SERVER_IP}, $dcvars->{SERVER_IPV6}, $extra_smbconf_options, "", undef); - unless ($ret) { return undef; } 
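Review bot: provision_s4member's prototype grows to `($$$$$)`, but prototypes are ignored on method calls, so it neither validates nor documents the two new parameters; setup_s4member in the last hunk of this patch calls it with one fewer argument and relies on `$more_conf` being undef. A short comment after the argument unpacking would carry what the prototype cannot: `# $hostname: netbios name for the member; $more_conf: extra smb.conf lines or undef`. The append can be the one-liner `$extra_smb_conf .= "$more_conf\n" if $more_conf;`.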
@@ -1259,6 +1111,7 @@ sub provision_rpc_proxy($$$) $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" "; } $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; $cmd .= " --machinepass=machine$ret->{PASSWORD}"; @@ -1272,6 +1125,7 @@ sub provision_rpc_proxy($$$) $cmd = ""; $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" "; + $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $cmd .= "$samba_tool delegation for-any-protocol '$ret->{NETBIOSNAME}\$' on"; $cmd .= " $dcvars->{CONFIGURATION}"; print $cmd; @@ -1285,6 +1139,7 @@ sub provision_rpc_proxy($$$) $cmd = ""; $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" "; + $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $cmd .= "$samba_tool delegation add-service '$ret->{NETBIOSNAME}\$' cifs/$dcvars->{SERVER}"; $cmd .= " $dcvars->{CONFIGURATION}"; @@ -1313,7 +1168,7 @@ sub provision_rpc_proxy($$$) sub provision_promoted_dc($$$) { my ($self, $prefix, $dcvars) = @_; - print "PROVISIONING PROMOTED DC..."; + print "PROVISIONING PROMOTED DC...\n"; # We do this so that we don't run the provision. That's the job of 'samba-tool domain dcpromo'. my $ctx = $self->provision_raw_prepare($prefix, "domain controller", @@ -1355,6 +1210,7 @@ sub provision_promoted_dc($$$) $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" "; } $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} MEMBER --realm=$dcvars->{REALM}"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; $cmd .= " --machinepass=machine$ret->{PASSWORD}"; 
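Review bot: Both `samba-tool delegation` commands in provision_rpc_proxy (this hunk and the `add-service` hunk after it) export `KRB5_CONFIG` from `$dcvars` but `KRB5CCNAME` from `$ret`, so the proxy's cache file is used together with the DC's Kerberos config, whereas every `domain join` command in this patch takes both from the same environment. If the mix is deliberate (the cache just has to live under the proxy's own prefix), a comment saying so avoids it being "corrected"; otherwise `$cmd .= "KRB5CCNAME=\"$dcvars->{KRB5_CCACHE}\" ";` keeps the pair together.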
@@ -1368,6 +1224,7 @@ sub provision_promoted_dc($$$) my $cmd = ""; $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ"; @@ -1394,15 +1251,20 @@ sub provision_promoted_dc($$$) sub provision_vampire_dc($$$) { - my ($self, $prefix, $dcvars) = @_; - print "PROVISIONING VAMPIRE DC..."; + my ($self, $prefix, $dcvars, $fl) = @_; + print "PROVISIONING VAMPIRE DC @ FL $fl...\n"; + my $name = "localvampiredc"; + + if ($fl == "2000") { + $name = "vampire2000dc"; + } # We do this so that we don't run the provision. That's the job of 'net vampire'. my $ctx = $self->provision_raw_prepare($prefix, "domain controller", - "localvampiredc", - "SAMBADOMAIN", - "samba.example.com", - "2008", + $name, + $dcvars->{DOMAIN}, + $dcvars->{REALM}, + $fl, $dcvars->{PASSWORD}, $dcvars->{SERVER_IP}, $dcvars->{SERVER_IPV6}); @@ -1437,6 +1299,7 @@ sub provision_vampire_dc($$$) $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" "; } $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only"; $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs"; 
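Review bot: `if ($fl == "2000")` in provision_vampire_dc compares the functional-level string numerically, here and again in the result-hash hunk that follows; provision_raw_prepare in this same patch uses `$functional_level eq "2000"`. Use `eq` in both places so a non-numeric level, or an undef `$fl` from an older caller, does not silently become 0 and fall into the default branch. The print string `VAMPIRE DC @ FL $fl` is valid Perl (`@ ` is not an array), but `at FL $fl` avoids the double-take.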
@@ -1446,11 +1309,17 @@ sub provision_vampire_dc($$$) return undef; } - $ret->{VAMPIRE_DC_SERVER} = $ret->{SERVER}; - $ret->{VAMPIRE_DC_SERVER_IP} = $ret->{SERVER_IP}; - $ret->{VAMPIRE_DC_SERVER_IPV6} = $ret->{SERVER_IPV6}; - $ret->{VAMPIRE_DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; - + if ($fl == "2000") { + $ret->{VAMPIRE_2000_DC_SERVER} = $ret->{SERVER}; + $ret->{VAMPIRE_2000_DC_SERVER_IP} = $ret->{SERVER_IP}; + $ret->{VAMPIRE_2000_DC_SERVER_IPV6} = $ret->{SERVER_IPV6}; + $ret->{VAMPIRE_2000_DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; + } else { + $ret->{VAMPIRE_DC_SERVER} = $ret->{SERVER}; + $ret->{VAMPIRE_DC_SERVER_IP} = $ret->{SERVER_IP}; + $ret->{VAMPIRE_DC_SERVER_IPV6} = $ret->{SERVER_IPV6}; + $ret->{VAMPIRE_DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; + } $ret->{DC_SERVER} = $dcvars->{DC_SERVER}; $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP}; $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6}; @@ -1465,7 +1334,7 @@ sub provision_vampire_dc($$$) sub provision_subdom_dc($$$) { my ($self, $prefix, $dcvars) = @_; - print "PROVISIONING SUBDOMAIN DC..."; + print "PROVISIONING SUBDOMAIN DC...\n"; # We do this so that we don't run the provision. That's the job of 'net vampire'. my $ctx = $self->provision_raw_prepare($prefix, "domain controller", @@ -1508,6 +1377,7 @@ sub provision_subdom_dc($$$) $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" "; } $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{dnsname} subdomain "; $cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}"; $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs"; 
@@ -1541,9 +1411,14 @@ sub provision_ad_dc_ntvfs($$) # ensure upgrades which used that name still work with the now # alias. - print "PROVISIONING AD DC (NTVFS)..."; + print "PROVISIONING AD DC (NTVFS)...\n"; my $extra_conf_options = "netbios aliases = localDC1-a - server services = +winbind -winbindd"; + server services = +winbind -winbindd + ldap server require strong auth = allow_sasl_over_tls + allow nt4 crypto = yes + lsa over netlogon = yes + rpc server port = 1027 + "; my $ret = $self->provision($prefix, "domain controller", "localdc", @@ -1556,8 +1431,10 @@ sub provision_ad_dc_ntvfs($$) $extra_conf_options, "", undef); + unless ($ret) { + return undef; + } - return undef unless(defined $ret); unless($self->add_wins_config("$prefix/private")) { warn("Unable to add wins configuration"); return undef; @@ -1578,7 +1455,11 @@ sub provision_fl2000dc($$) { my ($self, $prefix) = @_; - print "PROVISIONING DC WITH FOREST LEVEL 2000..."; + print "PROVISIONING DC WITH FOREST LEVEL 2000...\n"; + my $extra_conf_options = " + spnego:simulate_w2k=yes + ntlmssp_server:force_old_spnego=yes +"; my $ret = $self->provision($prefix, "domain controller", "dc5", @@ -1588,14 +1469,24 @@ sub provision_fl2000dc($$) "locDCpass5", undef, undef, - "", + $extra_conf_options, "", undef); + unless ($ret) { + return undef; + } unless($self->add_wins_config("$prefix/private")) { warn("Unable to add wins configuration"); return undef; } + $ret->{DC_SERVER} = $ret->{SERVER}; + $ret->{DC_SERVER_IP} = $ret->{SERVER_IP}; + $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6}; + $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; + $ret->{DC_USERNAME} = $ret->{USERNAME}; + $ret->{DC_PASSWORD} = $ret->{PASSWORD}; + $ret->{DC_REALM} = $ret->{REALM}; return $ret; } 
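Review bot: provision_ad_dc_ntvfs now adds `allow nt4 crypto = yes` and relaxes `ldap server require strong auth` to `allow_sasl_over_tls` (the provision_fl2008r2dc hunk sets it to `no`) without a comment, while the global template in provision_raw_step1 sets strong auth to `yes` and this patch removes `allow nt4 crypto` from provision(); a reader cannot tell these are intentional per-environment downgrades for specific tests rather than leftovers. A comment above the option string, `# weaker settings on purpose: these environments exercise the legacy-client code paths`, would make that explicit. `lsa over netlogon = yes` and `rpc server port = 1027` deserve the same sentence.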
@@ -1603,9 +1494,12 @@ sub provision_fl2000dc($$) sub provision_fl2003dc($$$) { my ($self, $prefix, $dcvars) = @_; + my $swiface1 = Samba::get_interface("fakednsforwarder1"); + my $swiface2 = Samba::get_interface("fakednsforwarder2"); - print "PROVISIONING DC WITH FOREST LEVEL 2003..."; - my $extra_conf_options = "allow dns updates = nonsecure and secure"; + print "PROVISIONING DC WITH FOREST LEVEL 2003...\n"; + my $extra_conf_options = "allow dns updates = nonsecure and secure + dns forwarder = 127.0.0.$swiface1 127.0.0.$swiface2"; my $ret = $self->provision($prefix, "domain controller", "dc6", @@ -1618,7 +1512,6 @@ sub provision_fl2003dc($$$) $extra_conf_options, "", undef); - unless (defined $ret) { return undef; } @@ -1629,6 +1522,8 @@ sub provision_fl2003dc($$$) $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; $ret->{DC_USERNAME} = $ret->{USERNAME}; $ret->{DC_PASSWORD} = $ret->{PASSWORD}; + $ret->{DNS_FORWARDER1} = "127.0.0.$swiface1"; + $ret->{DNS_FORWARDER2} = "127.0.0.$swiface2"; my @samba_tool_options; push (@samba_tool_options, Samba::bindir_path($self, "samba-tool")); @@ -1646,8 +1541,6 @@ sub provision_fl2003dc($$$) return undef; } - return $ret; - unless($self->add_wins_config("$prefix/private")) { warn("Unable to add wins configuration"); return undef; @@ -1660,7 +1553,8 @@ sub provision_fl2008r2dc($$$) { my ($self, $prefix, $dcvars) = @_; - print "PROVISIONING DC WITH FOREST LEVEL 2008r2..."; + print "PROVISIONING DC WITH FOREST LEVEL 2008r2...\n"; + my $extra_conf_options = "ldap server require strong auth = no"; my $ret = $self->provision($prefix, "domain controller", "dc7", 
@@ -1670,14 +1564,24 @@ sub provision_fl2008r2dc($$$) "locDCpass7", undef, undef, - "", + $extra_conf_options, "", undef); + unless (defined $ret) { + return undef; + } unless ($self->add_wins_config("$prefix/private")) { warn("Unable to add wins configuration"); return undef; } + $ret->{DC_SERVER} = $ret->{SERVER}; + $ret->{DC_SERVER_IP} = $ret->{SERVER_IP}; + $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6}; + $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; + $ret->{DC_USERNAME} = $ret->{USERNAME}; + $ret->{DC_PASSWORD} = $ret->{PASSWORD}; + $ret->{DC_REALM} = $ret->{REALM}; return $ret; } @@ -1686,7 +1590,7 @@ sub provision_fl2008r2dc($$$) sub provision_rodc($$$) { my ($self, $prefix, $dcvars) = @_; - print "PROVISIONING RODC..."; + print "PROVISIONING RODC...\n"; # We do this so that we don't run the provision. That's the job of 'net join RODC'. my $ctx = $self->provision_raw_prepare($prefix, "domain controller", @@ -1741,6 +1645,7 @@ sub provision_rodc($$$) $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" "; } $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} RODC"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; $cmd .= " --server=$dcvars->{DC_SERVER} --use-ntvfs"; @@ -1754,6 +1659,7 @@ sub provision_rodc($$$) # user password verified on the RODC my $testallowed_account = "testallowed account"; $cmd = "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; $cmd .= "$samba_tool rodc preload '$testallowed_account' $ret->{CONFIGURATION}"; $cmd .= " --server=$dcvars->{DC_SERVER}"; 
@@ -1784,6 +1690,27 @@ sub provision_rodc($$$) return $ret; } +sub read_config_h($) +{ + my ($name) = @_; + my %ret = {}; + open(LF, "<$name") or die("unable to read $name: $!"); + while () { + chomp; + next if not (/^#define /); + if (/^#define (.*?)[ \t]+(.*?)$/) { + $ret{$1} = $2; + next; + } + if (/^#define (.*?)[ \t]+$/) { + $ret{$1} = 1;; + next; + } + } + close(LF); + return \%ret; +} + sub provision_ad_dc($$) { my ($self, $prefix) = @_; @@ -1797,6 +1724,15 @@ sub provision_ad_dc($$) my $require_mutexes = "dbwrap_tdb_require_mutexes:* = yes"; $require_mutexes = "" if ($ENV{SELFTEST_DONT_REQUIRE_TDB_MUTEX_SUPPORT} eq "1"); + my $config_h = {}; + + if (defined($ENV{CONFIG_H})) { + $config_h = read_config_h($ENV{CONFIG_H}); + } + + my $password_hash_gpg_key_ids = "password hash gpg key ids = 4952E40301FAB41A"; + $password_hash_gpg_key_ids = "" unless defined($config_h->{HAVE_GPGME}); + my $extra_smbconf_options = " server services = -smb +s3fs xattr_tdb:file = $prefix_abs/statedir/xattr.tdb @@ -1804,8 +1740,11 @@ sub provision_ad_dc($$) dbwrap_tdb_mutexes:* = yes ${require_mutexes} + ${password_hash_gpg_key_ids} + kernel oplocks = no kernel change notify = no + smb2 leases = no logging = file printing = bsd @@ -1813,7 +1752,6 @@ sub provision_ad_dc($$) max protocol = SMB3 read only = no - server signing = auto smbd:sharedelay = 100000 smbd:writetimeupdatedelay = 500000 @@ -1878,7 +1816,7 @@ sub provision_ad_dc($$) copy = print1 "; - print "PROVISIONING AD DC..."; + print "PROVISIONING AD DC...\n"; my $ret = $self->provision($prefix, "domain controller", "addc", @@ -1891,8 +1829,10 @@ sub provision_ad_dc($$) $extra_smbconf_options, $extra_smbconf_shares, undef); + unless (defined $ret) { + return undef; + } - return undef unless(defined $ret); unless($self->add_wins_config("$prefix/private")) { warn("Unable to add wins configuration"); return undef; 
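Review bot: `my %ret = {};` in the new read_config_h seeds the hash with a single hash reference as a key (a "Reference found where even-sized list expected" warning under `use warnings`), so the returned map starts with a junk entry; it should be `my %ret;`. The open is the two-argument form on a bareword handle fed from `$ENV{CONFIG_H}`; the three-argument form with a lexical handle avoids mode interpretation of the path and is what the rest of the file should move towards. The `while ()` condition as rendered here reads nothing (probably `<LF>` lost in rendering), the second regex can only match a `#define` with trailing whitespace that the first already captured with an empty value, and `$ret{$1} = 1;;` has a doubled semicolon. A rewrite with the same interface:
```perl
sub read_config_h($)
{
	my ($name) = @_;
	my %ret;
	open(my $lf, '<', $name) or die("unable to read $name: $!");
	while (my $line = <$lf>) {
		chomp $line;
		next unless $line =~ /^#define[ \t]+(\S+)(?:[ \t]+(.*?))?[ \t]*$/;
		my ($key, $value) = ($1, $2);
		# a bare "#define NAME" (or one with only whitespace after it) is recorded as 1
		$ret{$key} = (defined $value && $value ne '') ? $value : 1;
	}
	close($lf);
	return \%ret;
}
```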
@@ -1912,8 +1852,11 @@ sub provision_chgdcpass($$) { my ($self, $prefix) = @_; - print "PROVISIONING CHGDCPASS..."; + print "PROVISIONING CHGDCPASS...\n"; my $extra_provision_options = undef; + # This environment disallows the use of this password + # (and also removes the default AD complexity checks) + my $unacceptable_password = "widk3Dsle32jxdBdskldsk55klASKQ"; push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ"); my $ret = $self->provision($prefix, "domain controller", @@ -1924,11 +1867,13 @@ sub provision_chgdcpass($$) "chgDCpass1", undef, undef, - "", + "check password script = sed -e '/$unacceptable_password/{;q1}; /$unacceptable_password/!{q0}'\n", "", $extra_provision_options); + unless (defined $ret) { + return undef; + } - return undef unless(defined $ret); unless($self->add_wins_config("$prefix/private")) { warn("Unable to add wins configuration"); return undef; @@ -1948,11 +1893,12 @@ sub provision_chgdcpass($$) $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; $ret->{DC_USERNAME} = $ret->{USERNAME}; $ret->{DC_PASSWORD} = $ret->{PASSWORD}; + $ret->{UNACCEPTABLE_PASSWORD} = $unacceptable_password; return $ret; } -sub teardown_env($$) +sub teardown_env_terminate($$) { my ($self, $envvars) = @_; my $pid; 
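Review bot: The `check password script` line in provision_chgdcpass embeds a sed program whose `q1` / `q0` exit-status form is a GNU sed extension; a POSIX sed takes no argument to `q`, so on such a platform the script fails to parse and every password change in this environment is decided by how a failing script is treated. If the selftest environment assumes GNU sed, a comment next to the line, `# relies on GNU sed (q with an exit status)`, is enough; otherwise a small shell fragment around `grep -q -F` would be portable. `$unacceptable_password` is a fixed literal, so interpolating it into the sed expression is safe today; it would need quoting if it ever became configurable.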
@@ -1965,28 +1911,50 @@ sub teardown_env($$) my $childpid; # This should give it time to write out the gcov data + until ($count > 15) { + if (Samba::cleanup_child($pid, "samba") != 0) { + return; + } + sleep(1); + $count++; + } + + # After 15 Seconds, work out why this thing is still alive + warn "server process $pid took more than $count seconds to exit, showing backtrace:\n"; + system("$self->{srcdir}/selftest/gdb_backtrace $pid"); + until ($count > 30) { - if (Samba::cleanup_child($pid, "samba") == -1) { - last; + if (Samba::cleanup_child($pid, "samba") != 0) { + return; } sleep(1); $count++; } - if ($count > 30 || kill(0, $pid)) { + if (kill(0, $pid)) { + warn "server process $pid took more than $count seconds to exit, sending SIGTERM\n"; kill "TERM", $pid; + } - until ($count > 40) { - if (Samba::cleanup_child($pid, "samba") == -1) { - last; - } - sleep(1); - $count++; + until ($count > 40) { + if (Samba::cleanup_child($pid, "samba") != 0) { + return; } - # If it is still around, kill it - warn "server process $pid took more than $count seconds to exit, killing\n"; + sleep(1); + $count++; + } + # If it is still around, kill it + if (kill(0, $pid)) { + warn "server process $pid took more than $count seconds to exit, killing\n with SIGKILL\n"; kill 9, $pid; } + return; +} + +sub teardown_env($$) +{ + my ($self, $envvars) = @_; + teardown_env_terminate($self, $envvars); $self->slapd_stop($envvars) if ($self->{ldap}); @@ -1998,7 +1966,7 @@ sub teardown_env($$) sub getlog_env($$) { my ($self, $envvars) = @_; - my $title = "SAMBA LOG of: $envvars->{NETBIOSNAME}\n"; + my $title = "SAMBA LOG of: $envvars->{NETBIOSNAME} pid $envvars->{SAMBA_PID}\n"; my $out = $title; open(LOG, "<$envvars->{SAMBA_TEST_LOG}"); 
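Review bot: The final warning in teardown_env_terminate embeds a newline mid-sentence, `killing\n with SIGKILL\n`, which prints the message as two lines with a stray leading space; it should read `warn "server process $pid took more than $count seconds to exit, killing with SIGKILL\n";`. After `kill 9, $pid` the sub returns without a further `Samba::cleanup_child` call, so the killed process is presumably not reaped or logged by this path the way the TERM path above it is; one more cleanup_child attempt after the SIGKILL would close that gap. The new `teardown_env` invokes `teardown_env_terminate($self, $envvars)` as a plain function while the adjacent `$self->slapd_stop(...)` uses method syntax; `$self->teardown_env_terminate($envvars)` would be consistent. `system("$self->{srcdir}/selftest/gdb_backtrace $pid")` goes through the shell, and the list form `system("$self->{srcdir}/selftest/gdb_backtrace", $pid)` avoids that for a srcdir containing spaces. `$count` and `$pid` are initialised above the hunk, outside the visible lines.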
@@ -2050,6 +2018,11 @@ sub setup_env($$$) return $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs"); } elsif ($envname eq "fl2000dc") { return $self->setup_fl2000dc("$path/fl2000dc"); + } elsif ($envname eq "vampire_2000_dc") { + if (not defined($self->{vars}->{fl2000dc})) { + $self->setup_fl2000dc("$path/fl2000dc"); + } + return $self->setup_vampire_dc("$path/vampire_2000_dc", $self->{vars}->{fl2000dc}, "2000"); } elsif ($envname eq "fl2003dc") { if (not defined($self->{vars}->{ad_dc})) { $self->setup_ad_dc("$path/ad_dc"); @@ -2069,7 +2042,7 @@ sub setup_env($$$) if (not defined($self->{vars}->{ad_dc_ntvfs})) { $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs"); } - return $self->setup_vampire_dc("$path/vampire_dc", $self->{vars}->{ad_dc_ntvfs}); + return $self->setup_vampire_dc("$path/vampire_dc", $self->{vars}->{ad_dc_ntvfs}, "2008"); } elsif ($envname eq "promoted_dc") { if (not defined($self->{vars}->{ad_dc_ntvfs})) { $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs"); @@ -2080,6 +2053,11 @@ sub setup_env($$$) $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs"); } return $self->setup_subdom_dc("$path/subdom_dc", $self->{vars}->{ad_dc_ntvfs}); + } elsif ($envname eq "s4member_dflt_domain") { + if (not defined($self->{vars}->{ad_dc_ntvfs})) { + $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs"); + } + return $self->setup_s4member_dflt_domain("$path/s4member_dflt_domain", $self->{vars}->{ad_dc_ntvfs}); } elsif ($envname eq "s4member") { if (not defined($self->{vars}->{ad_dc_ntvfs})) { $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs"); @@ -2118,7 +2096,7 @@ sub setup_s4member($$$) { my ($self, $path, $dc_vars) = @_; - my $env = $self->provision_s4member($path, $dc_vars); + my $env = $self->provision_s4member($path, $dc_vars, "s4member"); if (defined $env) { if (not defined($self->check_or_start($env, "standard"))) { 
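Review bot: The new `vampire_2000_dc` branch discards the return value of `$self->setup_fl2000dc(...)`, so when that setup fails `$self->{vars}->{fl2000dc}` stays undefined and `setup_vampire_dc` is called with an undefined `$dc_vars`, which it dereferences for the DC credentials; the `s4member_dflt_domain` branch in the third hunk presumably has the same exposure. That mirrors the existing fl2003dc branch, but a guard such as `return undef unless defined $self->{vars}->{fl2000dc};` after the setup call would report the failure where it happens rather than as a later dereference error.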
@@ -2131,6 +2109,24 @@ sub setup_s4member($$$) return $env; } +sub setup_s4member_dflt_domain($$$) +{ + my ($self, $path, $dc_vars) = @_; + + my $env = $self->provision_s4member($path, $dc_vars, "s4member_dflt", + "winbind use default domain = yes"); + + if (defined $env) { + if (not defined($self->check_or_start($env, "standard"))) { + return undef; + } + + $self->{vars}->{s4member_dflt_domain} = $env; + } + + return $env; +} + sub setup_rpc_proxy($$$) { my ($self, $path, $dc_vars) = @_; @@ -2236,11 +2232,11 @@ sub setup_fl2008r2dc($$$) return $env; } -sub setup_vampire_dc($$$) +sub setup_vampire_dc($$$$) { - my ($self, $path, $dc_vars) = @_; + my ($self, $path, $dc_vars, $fl) = @_; - my $env = $self->provision_vampire_dc($path, $dc_vars); + my $env = $self->provision_vampire_dc($path, $dc_vars, $fl); if (defined $env) { if (not defined($self->check_or_start($env, "single"))) { @@ -2260,11 +2256,12 @@ sub setup_vampire_dc($$$) $cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" "; } $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; + $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" "; $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}"; $cmd .= " $env->{CONFIGURATION}"; $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}"; unless (system($cmd) == 0) { - warn("Failed to exec kcc\n$cmd"); + warn("Failed to exec kcc on remote DC\n$cmd"); return undef; } @@ -2279,6 +2276,7 @@ sub setup_vampire_dc($$$) $cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" "; } $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; + $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" "; $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}"; $cmd .= " $dc_vars->{CONFIGURATION}"; $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}"; 
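Review bot: setup_s4member_dflt_domain duplicates the body of setup_s4member above it, differing only in the two extra provision_s4member arguments and the `$self->{vars}` key; a shared private helper taking the env name and the extra smb.conf line would keep the two from drifting apart. The call relies on provision_s4member having grown those parameters, which is outside this view, and the sub has no documentation; `# Like setup_s4member, but the member is provisioned with "winbind use default domain = yes".` above it would tell the next reader why it exists.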
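Review bot: The added `$cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";` in the setup_vampire_dc kcc hunk follows `$cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";` with no separating space, so the shell sees the single word `KRB5_CONFIG="..."KRB5CCNAME="..."`, which assigns the concatenated string to KRB5_CONFIG and never sets KRB5CCNAME at all; samba-tool then runs with a bogus krb5.conf path and no credential cache. The fix is a leading space instead of the trailing one, `$cmd .= " KRB5CCNAME=\"$env->{KRB5_CCACHE}\"";`. The same missing space recurs in every other hunk that adds this line: the second setup_vampire_dc hunk on this line, the new replication block and the setup_promoted_dc hunk on the next line, the three setup_promoted_dc and setup_subdom_dc hunks after that, and the setup_subdom_dc and setup_rodc hunks on the last line.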
@@ -2294,6 +2292,33 @@ sub setup_vampire_dc($$$) warn("Failed to replicate\n$cmd_repl"); return undef; } + + # Pull in a full set of changes from the main DC + my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM})); + $cmd = ""; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + if (defined($env->{RESOLV_WRAPPER_CONF})) { + $cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" "; + } else { + $cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" "; + } + $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; + $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" "; + $cmd .= " $samba_tool drs replicate $env->{SERVER} $env->{DC_SERVER}"; + $cmd .= " $dc_vars->{CONFIGURATION}"; + $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}"; + # replicate Configuration NC + my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\""; + unless(system($cmd_repl) == 0) { + warn("Failed to replicate\n$cmd_repl"); + return undef; + } + # replicate Default NC + $cmd_repl = "$cmd \"$base_dn\""; + unless(system($cmd_repl) == 0) { + warn("Failed to replicate\n$cmd_repl"); + return undef; + } } return $env; @@ -2318,11 +2343,12 @@ sub setup_promoted_dc($$$) my $cmd = ""; $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\""; $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; + $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" "; $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}"; $cmd .= " $env->{CONFIGURATION}"; $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}"; unless (system($cmd) == 0) { - warn("Failed to exec kcc\n$cmd"); + warn("Failed to exec kcc on remote DC\n$cmd"); return undef; } 
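Review bot: The new block declares `my $cmd_repl` again, although the preceding lines of the same sub already hold a `$cmd_repl` (the context line `warn("Failed to replicate\n$cmd_repl")` references it); if both declarations sit in the same block, which the surrounding `if (defined $env)` body suggests but the hunk does not show, `use warnings` reports `"my" variable $cmd_repl masks earlier declaration in same scope`, so the second should be a plain assignment `$cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";`. The block is also the third copy of the environment-and-credentials command prefix in this sub; a small private helper returning the prefix for a given `$env` would reduce each copy to one line and leave a single place to get the variable ordering right. The enclosing block starts above the hunk.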
@@ -2330,11 +2356,12 @@ sub setup_promoted_dc($$$) my $cmd = ""; $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\""; $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; + $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" "; $cmd .= " $samba_tool drs kcc $env->{SERVER}"; $cmd .= " $env->{CONFIGURATION}"; $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}"; unless (system($cmd) == 0) { - warn("Failed to exec kcc\n$cmd"); + warn("Failed to exec kcc on promoted DC\n$cmd"); return undef; } @@ -2343,6 +2370,7 @@ sub setup_promoted_dc($$$) my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM})); $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\""; $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; + $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" "; $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}"; $cmd .= " $dc_vars->{CONFIGURATION}"; $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}"; @@ -2382,11 +2410,12 @@ sub setup_subdom_dc($$$) my $cmd = ""; $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\""; $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; + $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" "; $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}"; $cmd .= " $env->{CONFIGURATION}"; $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} --realm=$dc_vars->{DC_REALM}"; unless (system($cmd) == 0) { - warn("Failed to exec kcc\n$cmd"); + warn("Failed to exec kcc on remote DC\n$cmd"); return undef; } 
@@ -2396,6 +2425,7 @@ sub setup_subdom_dc($$$) my $config_dn = "CN=Configuration,DC=".join(",DC=", split(/\./, $dc_vars->{REALM})); $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\""; $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; + $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" "; $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SUBDOM_DC_SERVER}"; $cmd .= " $dc_vars->{CONFIGURATION}"; $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} --realm=$dc_vars->{DC_REALM}"; @@ -2430,35 +2460,13 @@ sub setup_rodc($$$) return undef; } - # force source and replicated DC to update repsTo/repsFrom - # for vampired partitions my $samba_tool = Samba::bindir_path($self, "samba-tool"); my $cmd = ""; - $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\""; - $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; - $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}"; - $cmd .= " $env->{CONFIGURATION}"; - $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}"; - unless (system($cmd) == 0) { - warn("Failed to exec kcc\n$cmd"); - return undef; - } - - my $samba_tool = Samba::bindir_path($self, "samba-tool"); - my $cmd = ""; - $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\""; - $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; - $cmd .= " $samba_tool drs kcc -k no $env->{SERVER}"; - $cmd .= " $env->{CONFIGURATION}"; - $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}"; - unless (system($cmd) == 0) { - warn("Failed to exec kcc\n$cmd"); - return undef; - } my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM})); $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\""; $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\""; + $cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" "; $cmd .= " $samba_tool drs replicate $env->{SERVER} $env->{DC_SERVER}"; $cmd .= " $dc_vars->{CONFIGURATION}"; $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
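Review bot: With the two kcc invocations removed from setup_rodc, `my $cmd = "";` is immediately overwritten by `$cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";`, so the empty initialisation is dead; folding the first assignment into the declaration, `my $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";`, reads cleaner. The removal also drops the comment that explained why the kcc runs existed; a short note on why the rodc no longer needs them before the replicate call would keep the intent recoverable.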