2 # Bootstrap Samba and run a number of tests against it.
3 # Copyright (C) 2005-2007 Jelmer Vernooij <jelmer@samba.org>
4 # Published under the GNU GPL, v3 or later.
10 use FindBin qw($RealBin);
17 my ($classname, $bindir, $ldap, $srcdir, $server_maxtime) = @_;
24 server_maxtime => $server_maxtime,
25 target3 => new Samba3($bindir, $srcdir, $server_maxtime)
31 sub scriptdir_path($$) {
32 my ($self, $path) = @_;
33 return "$self->{srcdir}/source4/scripting/$path";
36 sub openldap_start($$$) {
42 my ($self, $env_vars, $STDIN_READER) = @_;
43 my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
45 my $uri = $env_vars->{LDAP_URI};
47 if (system("$ldbsearch -H $uri -s base -b \"\" supportedLDAPVersion > /dev/null") == 0) {
48 print "A SLAPD is still listening to $uri before we started the LDAP backend. Aborting!";
51 # running slapd in the background means it stays in the same process group, so it can be
55 open STDOUT, ">$env_vars->{LDAPDIR}/logs";
56 open STDERR, '>&STDOUT';
57 close($env_vars->{STDIN_PIPE});
58 open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
60 if ($self->{ldap} eq "fedora-ds") {
61 exec("$ENV{FEDORA_DS_ROOT}/sbin/ns-slapd", "-D", $env_vars->{FEDORA_DS_DIR}, "-d0", "-i", $env_vars->{FEDORA_DS_PIDFILE});
62 } elsif ($self->{ldap} eq "openldap") {
63 exec($ENV{OPENLDAP_SLAPD}, "-dnone", "-F", $env_vars->{SLAPD_CONF_D}, "-h", $uri);
65 die("Unable to start slapd: $!");
67 $env_vars->{SLAPD_PID} = $pid;
69 while (system("$ldbsearch -H $uri -s base -b \"\" supportedLDAPVersion > /dev/null") != 0) {
72 $self->slapd_stop($env_vars);
82 my ($self, $envvars) = @_;
83 kill 9, $envvars->{SLAPD_PID};
87 sub check_or_start($$$)
89 my ($self, $env_vars, $process_model) = @_;
92 return 0 if $self->check_env($env_vars);
94 # use a pipe for stdin in the child processes. This allows
95 # those processes to monitor the pipe for EOF to ensure they
96 # exit when the test script exits
97 pipe($STDIN_READER, $env_vars->{STDIN_PIPE});
99 # Start slapd before samba, but with the fifo on stdin
100 if (defined($self->{ldap})) {
101 unless($self->slapd_start($env_vars, $STDIN_READER)) {
102 warn("couldn't start slapd (main run)");
107 print "STARTING SAMBA...";
110 # we want out from samba to go to the log file, but also
111 # to the users terminal when running 'make test' on the command
112 # line. This puts it on stderr on the terminal
113 open STDOUT, "| tee $env_vars->{SAMBA_TEST_LOG} 1>&2";
114 open STDERR, '>&STDOUT';
116 SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
118 $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
119 $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
120 $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
122 $ENV{NSS_WRAPPER_PASSWD} = $env_vars->{NSS_WRAPPER_PASSWD};
123 $ENV{NSS_WRAPPER_GROUP} = $env_vars->{NSS_WRAPPER_GROUP};
124 $ENV{NSS_WRAPPER_HOSTS} = $env_vars->{NSS_WRAPPER_HOSTS};
125 $ENV{NSS_WRAPPER_MODULE_SO_PATH} = $env_vars->{NSS_WRAPPER_MODULE_SO_PATH};
126 $ENV{NSS_WRAPPER_MODULE_FN_PREFIX} = $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX};
128 if (defined($env_vars->{RESOLV_WRAPPER_CONF})) {
129 $ENV{RESOLV_WRAPPER_CONF} = $env_vars->{RESOLV_WRAPPER_CONF};
131 $ENV{RESOLV_WRAPPER_HOSTS} = $env_vars->{RESOLV_WRAPPER_HOSTS};
134 $ENV{UID_WRAPPER} = "1";
136 $ENV{MAKE_TEST_BINARY} = Samba::bindir_path($self, "samba");
139 if (defined($ENV{SAMBA_OPTIONS})) {
140 @optargs = split(/ /, $ENV{SAMBA_OPTIONS});
142 if(defined($ENV{SAMBA_VALGRIND})) {
143 @preargs = split(/ /,$ENV{SAMBA_VALGRIND});
146 close($env_vars->{STDIN_PIPE});
147 open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
149 exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
151 $env_vars->{SAMBA_PID} = $pid;
154 close($STDIN_READER);
159 sub wait_for_start($$)
161 my ($self, $testenv_vars) = @_;
163 # give time for nbt server to register its names
164 print "delaying for nbt name registration\n";
167 # This will return quickly when things are up, but be slow if we
168 # need to wait for (eg) SSL init
169 my $nmblookup = Samba::bindir_path($self, "nmblookup4");
170 system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}");
171 system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}");
172 system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
173 system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
174 system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
175 system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
176 system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}");
177 system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}");
178 system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
179 system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
180 system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
181 system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
183 # Ensure we have the first RID Set before we start tests. This makes the tests more reliable.
184 if ($testenv_vars->{SERVER_ROLE} eq "domain controller" and not ($testenv_vars->{NETBIOSNAME} eq "RODC")) {
185 # Add hosts file for name lookups
186 $ENV{NSS_WRAPPER_HOSTS} = $testenv_vars->{NSS_WRAPPER_HOSTS};
187 if (defined($testenv_vars->{RESOLV_WRAPPER_CONF})) {
188 $ENV{RESOLV_WRAPPER_CONF} = $testenv_vars->{RESOLV_WRAPPER_CONF};
190 $ENV{RESOLV_WRAPPER_HOSTS} = $testenv_vars->{RESOLV_WRAPPER_HOSTS};
193 print "waiting for working LDAP and a RID Set to be allocated\n";
194 my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
196 my $base_dn = "DC=".join(",DC=", split(/\./, $testenv_vars->{REALM}));
197 my $rid_set_dn = "cn=RID Set,cn=$testenv_vars->{NETBIOSNAME},ou=domain controllers,$base_dn";
199 while (system("$ldbsearch -H ldap://$testenv_vars->{SERVER} -U$testenv_vars->{USERNAME}%$testenv_vars->{PASSWORD} -s base -b \"$rid_set_dn\" rIDAllocationPool > /dev/null") != 0) {
208 print $self->getlog_env($testenv_vars);
213 sub write_ldb_file($$$)
215 my ($self, $file, $ldif) = @_;
217 my $ldbadd = Samba::bindir_path($self, "ldbadd");
218 open(LDIF, "|$ldbadd -H $file >/dev/null");
223 sub add_wins_config($$)
225 my ($self, $privatedir) = @_;
227 return $self->write_ldb_file("$privatedir/wins_config.ldb", "
228 dn: name=TORTURE_11,CN=PARTNERS
229 objectClass: wreplPartner
240 my ($self, $ctx) = @_;
242 #Make the subdirectory be as fedora DS would expect
243 my $fedora_ds_dir = "$ctx->{ldapdir}/slapd-$ctx->{ldap_instance}";
245 my $pidfile = "$fedora_ds_dir/logs/slapd-$ctx->{ldap_instance}.pid";
247 return ($fedora_ds_dir, $pidfile);
252 my ($self, $ctx) = @_;
254 my $slapd_conf_d = "$ctx->{ldapdir}/slapd.d";
255 my $pidfile = "$ctx->{ldapdir}/slapd.pid";
257 return ($slapd_conf_d, $pidfile);
262 my ($self, $tlsdir) = @_;
264 #TLS and PKINIT crypto blobs
265 my $dhfile = "$tlsdir/dhparms.pem";
266 my $cafile = "$tlsdir/ca.pem";
267 my $certfile = "$tlsdir/cert.pem";
268 my $reqkdc = "$tlsdir/req-kdc.der";
269 my $kdccertfile = "$tlsdir/kdc.pem";
270 my $keyfile = "$tlsdir/key.pem";
271 my $adminkeyfile = "$tlsdir/adminkey.pem";
272 my $reqadmin = "$tlsdir/req-admin.der";
273 my $admincertfile = "$tlsdir/admincert.pem";
274 my $admincertupnfile = "$tlsdir/admincertupn.pem";
276 mkdir($tlsdir, 0700);
277 my $oldumask = umask;
280 #This is specified here to avoid draining entropy on every run
281 open(DHFILE, ">$dhfile");
283 -----BEGIN DH PARAMETERS-----
284 MGYCYQC/eWD2xkb7uELmqLi+ygPMKyVcpHUo2yCluwnbPutEueuxrG/Cys8j8wLO
285 svCN/jYNyR2NszOmg7ZWcOC/4z/4pWDVPUZr8qrkhj5MRKJc52MncfaDglvEdJrv
287 -----END DH PARAMETERS-----
291 #Likewise, we pregenerate the key material. This allows the
292 #other certificates to be pre-generated
293 open(KEYFILE, ">$keyfile");
295 -----BEGIN RSA PRIVATE KEY-----
296 MIICXQIBAAKBgQDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpc
297 ol3+S9/6I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H
298 6H+pPqVIRLOmrWImai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQAB
299 AoGAAqDLzFRR/BF1kpsiUfL4WFvTarCe9duhwj7ORc6fs785qAXuwUYAJ0Uvzmy6
300 HqoGv3t3RfmeHDmjcpPHsbOKnsOQn2MgmthidQlPBMWtQMff5zdoYNUFiPS0XQBq
301 szNW4PRjaA9KkLQVTwnzdXGkBSkn/nGxkaVu7OR3vJOBoo0CQQDO4upypesnbe6p
302 9/xqfZ2uim8IwV1fLlFClV7WlCaER8tsQF4lEi0XSzRdXGUD/dilpY88Nb+xok/X
303 8Z8OvgAXAkEA+pcLsx1gN7kxnARxv54jdzQjC31uesJgMKQXjJ0h75aUZwTNHmZQ
304 vPxi6u62YiObrN5oivkixwFNncT9MxTxVQJBAMaWUm2SjlLe10UX4Zdm1MEB6OsC
305 kVoX37CGKO7YbtBzCfTzJGt5Mwc1DSLA2cYnGJqIfSFShptALlwedot0HikCQAJu
306 jNKEKnbf+TdGY8Q0SKvTebOW2Aeg80YFkaTvsXCdyXrmdQcifw4WdO9KucJiDhSz
307 Y9hVapz7ykEJtFtWjLECQQDIlfc63I5ZpXfg4/nN4IJXUW6AmPVOYIA5215itgki
308 cSlMYli1H9MEXH0pQMGv5Qyd0OYIx2DDg96mZ+aFvqSG
309 -----END RSA PRIVATE KEY-----
313 open(ADMINKEYFILE, ">$adminkeyfile");
315 print ADMINKEYFILE <<EOF;
316 -----BEGIN RSA PRIVATE KEY-----
317 MIICXQIBAAKBgQD0+OL7TQBj0RejbIH1+g5GeRaWaM9xF43uE5y7jUHEsi5owhZF
318 5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMFxB6esnXhl0Jpip1JkUMM
319 XLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xdl3JRlwIDAQAB
320 AoGAP8mjCP628Ebc2eACQzOWjgEvwYCPK4qPmYOf1zJkArzG2t5XAGJ5WGrENRuB
321 cm3XFh1lpmaADl982UdW3gul4gXUy6w4XjKK4vVfhyHj0kZ/LgaXUK9BAGhroJ2L
322 osIOUsaC6jdx9EwSRctwdlF3wWJ8NK0g28AkvIk+FlolW4ECQQD7w5ouCDnf58CN
323 u4nARx4xv5XJXekBvOomkCQAmuOsdOb6b9wn3mm2E3au9fueITjb3soMR31AF6O4
324 eAY126rXAkEA+RgHzybzZEP8jCuznMqoN2fq/Vrs6+W3M8/G9mzGEMgLLpaf2Jiz
325 I9tLZ0+OFk9tkRaoCHPfUOCrVWJZ7Y53QQJBAMhoA6rw0WDyUcyApD5yXg6rusf4
326 ASpo/tqDkqUIpoL464Qe1tjFqtBM3gSXuhs9xsz+o0bzATirmJ+WqxrkKTECQHt2
327 OLCpKqwAspU7N+w32kaUADoRLisCEdrhWklbwpQgwsIVsCaoEOpt0CLloJRYTANE
328 yoZeAErTALjyZYZEPcECQQDlUi0N8DFxQ/lOwWyR3Hailft+mPqoPCa8QHlQZnlG
329 +cfgNl57YHMTZFwgUVFRdJNpjH/WdZ5QxDcIVli0q+Ko
330 -----END RSA PRIVATE KEY-----
334 # hxtool issue-certificate --self-signed --issue-ca \
335 # --ca-private-key="FILE:$KEYFILE" \
336 # --subject="CN=CA,DC=samba,DC=example,DC=com" \
337 # --certificate="FILE:$CAFILE" --lifetime="25 years"
339 open(CAFILE, ">$cafile");
341 -----BEGIN CERTIFICATE-----
342 MIICcTCCAdqgAwIBAgIUaBPmjnPVqyFqR5foICmLmikJTzgwCwYJKoZIhvcNAQEFMFIxEzAR
343 BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
344 LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDgwMzAxMTIyMzEyWhgPMjAzMzAyMjQx
345 MjIzMTJaMFIxEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
346 MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMIGfMA0GCSqGSIb3DQEBAQUA
347 A4GNADCBiQKBgQDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpcol3+S9/6
348 I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H6H+pPqVIRLOmrWIm
349 ai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQABo0IwQDAOBgNVHQ8BAf8EBAMC
350 AaYwHQYDVR0OBBYEFMLZufegDKLZs0VOyFXYK1L6M8oyMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
351 KoZIhvcNAQEFBQADgYEAAZJbCAAkaqgFJ0xgNovn8Ydd0KswQPjicwiODPgw9ZPoD2HiOUVO
352 yYDRg/dhFF9y656OpcHk4N7qZ2sl3RlHkzDu+dseETW+CnKvQIoXNyeARRJSsSlwrwcoD4JR
353 HTLk2sGigsWwrJ2N99sG/cqSJLJ1MFwLrs6koweBnYU0f/g=
354 -----END CERTIFICATE-----
357 #generated with GNUTLS internally in Samba.
359 open(CERTFILE, ">$certfile");
360 print CERTFILE <<EOF;
361 -----BEGIN CERTIFICATE-----
362 MIICYTCCAcygAwIBAgIE5M7SRDALBgkqhkiG9w0BAQUwZTEdMBsGA1UEChMUU2Ft
363 YmEgQWRtaW5pc3RyYXRpb24xNDAyBgNVBAsTK1NhbWJhIC0gdGVtcG9yYXJ5IGF1
364 dG9nZW5lcmF0ZWQgY2VydGlmaWNhdGUxDjAMBgNVBAMTBVNhbWJhMB4XDTA2MDgw
365 NDA0MzY1MloXDTA4MDcwNDA0MzY1MlowZTEdMBsGA1UEChMUU2FtYmEgQWRtaW5p
366 c3RyYXRpb24xNDAyBgNVBAsTK1NhbWJhIC0gdGVtcG9yYXJ5IGF1dG9nZW5lcmF0
367 ZWQgY2VydGlmaWNhdGUxDjAMBgNVBAMTBVNhbWJhMIGcMAsGCSqGSIb3DQEBAQOB
368 jAAwgYgCgYDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpcol3+
369 S9/6I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H6H+p
370 PqVIRLOmrWImai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQABoyUw
371 IzAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGCSqGSIb3DQEB
372 BQOBgQAmkN6XxvDnoMkGcWLCTwzxGfNNSVcYr7TtL2aJh285Xw9zaxcm/SAZBFyG
373 LYOChvh6hPU7joMdDwGfbiLrBnMag+BtGlmPLWwp/Kt1wNmrRhduyTQFhN3PP6fz
374 nBr9vVny2FewB2gHmelaPS//tXdxivSXKz3NFqqXLDJjq7P8wA==
375 -----END CERTIFICATE-----
380 # hxtool request-create \
381 # --subject="CN=krbtgt,CN=users,DC=samba,DC=example,DC=com" \
382 # --key="FILE:$KEYFILE" $KDCREQ
384 # hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE \
385 # --type="pkinit-kdc" \
386 # --pk-init-principal="krbtgt/SAMBA.EXAMPLE.COM@SAMBA.EXAMPLE.COM" \
387 # --req="PKCS10:$KDCREQ" --certificate="FILE:$KDCCERTFILE" \
388 # --lifetime="25 years"
390 open(KDCCERTFILE, ">$kdccertfile");
391 print KDCCERTFILE <<EOF;
392 -----BEGIN CERTIFICATE-----
393 MIIDDDCCAnWgAwIBAgIUI2Tzj+JnMzMcdeabcNo30rovzFAwCwYJKoZIhvcNAQEFMFIxEzAR
394 BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
395 LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDgwMzAxMTMxOTIzWhgPMjAzMzAyMjQx
396 MzE5MjNaMGYxEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
397 MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExDjAMBgNVBAMMBXVzZXJzMQ8wDQYDVQQDDAZrcmJ0
398 Z3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMqDqkDAIdQwDUN8cOZaFl934XQL70nF
399 yq+nD2KL0SfcTW5+WlyiXf5L3/oj+5pOYkdmt74MXd1PNv9Q5mjRl6bw34jPOSCgaQVp+Ne5
400 PcEvlQ9jb8fof6k+pUhEs6atYiZqLfn1jKgqEXKjftjoc95TxBxn67atL2B5qkhZ966jAgMB
401 AAGjgcgwgcUwDgYDVR0PAQH/BAQDAgWgMBIGA1UdJQQLMAkGBysGAQUCAwUwVAYDVR0RBE0w
402 S6BJBgYrBgEFAgKgPzA9oBMbEVNBTUJBLkVYQU1QTEUuQ09NoSYwJKADAgEBoR0wGxsGa3Ji
403 dGd0GxFTQU1CQS5FWEFNUExFLkNPTTAfBgNVHSMEGDAWgBTC2bn3oAyi2bNFTshV2CtS+jPK
404 MjAdBgNVHQ4EFgQUwtm596AMotmzRU7IVdgrUvozyjIwCQYDVR0TBAIwADANBgkqhkiG9w0B
405 AQUFAAOBgQBmrVD5MCmZjfHp1nEnHqTIh8r7lSmVtDx4s9MMjxm9oNrzbKXynvdhwQYFVarc
406 ge4yRRDXtSebErOl71zVJI9CVeQQpwcH+tA85oGA7oeFtO/S7ls581RUU6tGgyxV4veD+lJv
407 KPH5LevUtgD+q9H4LU4Sq5N3iFwBaeryB0g2wg==
408 -----END CERTIFICATE-----
411 # hxtool request-create \
412 # --subject="CN=Administrator,CN=users,DC=samba,DC=example,DC=com" \
413 # --key="FILE:$ADMINKEYFILE" $ADMINREQFILE
415 # hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE \
416 # --type="pkinit-client" \
417 # --pk-init-principal="administrator@SAMBA.EXAMPLE.COM" \
418 # --req="PKCS10:$ADMINREQFILE" --certificate="FILE:$ADMINCERTFILE" \
419 # --lifetime="25 years"
421 open(ADMINCERTFILE, ">$admincertfile");
422 print ADMINCERTFILE <<EOF;
423 -----BEGIN CERTIFICATE-----
424 MIIDHTCCAoagAwIBAgIUUggzW4lLRkMKe1DAR2NKatkMDYwwCwYJKoZIhvcNAQELMFIxEzAR
425 BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
426 LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDkwNzI3MDMzMjE1WhgPMjAzNDA3MjIw
427 MzMyMTVaMG0xEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
428 MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExDjAMBgNVBAMMBXVzZXJzMRYwFAYDVQQDDA1BZG1p
429 bmlzdHJhdG9yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0+OL7TQBj0RejbIH1+g5G
430 eRaWaM9xF43uE5y7jUHEsi5owhZF5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMF
431 xB6esnXhl0Jpip1JkUMMXLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xd
432 l3JRlwIDAQABo4HSMIHPMA4GA1UdDwEB/wQEAwIFoDAoBgNVHSUEITAfBgcrBgEFAgMEBggr
433 BgEFBQcDAgYKKwYBBAGCNxQCAjBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgExsRU0FNQkEu
434 RVhBTVBMRS5DT02hGjAYoAMCAQGhETAPGw1BZG1pbmlzdHJhdG9yMB8GA1UdIwQYMBaAFMLZ
435 ufegDKLZs0VOyFXYK1L6M8oyMB0GA1UdDgQWBBQg81bLyfCA88C2B/BDjXlGuaFaxjAJBgNV
436 HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4GBAEf/OSHUDJaGdtWGNuJeqcVYVMwrfBAc0OSwVhz1
437 7/xqKHWo8wIMPkYRtaRHKLNDsF8GkhQPCpVsa6mX/Nt7YQnNvwd+1SBP5E8GvwWw9ZzLJvma
438 nk2n89emuayLpVtp00PymrDLRBcNaRjFReQU8f0o509kiVPHduAp3jOiy13l
439 -----END CERTIFICATE-----
441 close(ADMINCERTFILE);
443 # hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE \
444 # --type="pkinit-client" \
445 # --ms-upn="administrator@samba.example.com" \
446 # --req="PKCS10:$ADMINREQFILE" --certificate="FILE:$ADMINCERTUPNFILE" \
447 # --lifetime="25 years"
449 open(ADMINCERTUPNFILE, ">$admincertupnfile");
450 print ADMINCERTUPNFILE <<EOF;
451 -----BEGIN CERTIFICATE-----
452 MIIDDzCCAnigAwIBAgIUUp3CJMuNaEaAdPKp3QdNIwG7a4wwCwYJKoZIhvcNAQELMFIxEzAR
453 BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
454 LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDkwNzI3MDMzMzA1WhgPMjAzNDA3MjIw
455 MzMzMDVaMG0xEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
456 MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExDjAMBgNVBAMMBXVzZXJzMRYwFAYDVQQDDA1BZG1p
457 bmlzdHJhdG9yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0+OL7TQBj0RejbIH1+g5G
458 eRaWaM9xF43uE5y7jUHEsi5owhZF5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMF
459 xB6esnXhl0Jpip1JkUMMXLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xd
460 l3JRlwIDAQABo4HEMIHBMA4GA1UdDwEB/wQEAwIFoDAoBgNVHSUEITAfBgcrBgEFAgMEBggr
461 BgEFBQcDAgYKKwYBBAGCNxQCAjA6BgNVHREEMzAxoC8GCisGAQQBgjcUAgOgIQwfYWRtaW5p
462 c3RyYXRvckBzYW1iYS5leGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTC2bn3oAyi2bNFTshV2CtS
463 +jPKMjAdBgNVHQ4EFgQUIPNWy8nwgPPAtgfwQ415RrmhWsYwCQYDVR0TBAIwADANBgkqhkiG
464 9w0BAQsFAAOBgQBk42+egeUB3Ji2PC55fbt3FNKxvmm2xUUFkV9POK/YR9rajKOwk5jtYSeS
465 Zd7J9s//rNFNa7waklFkDaY56+QWTFtdvxfE+KoHaqt6X8u6pqi7p3M4wDKQox+9Dx8yWFyq
466 Wfz/8alZ5aMezCQzXJyIaJsCLeKABosSwHcpAFmxlQ==
467 -----END CERTIFICATE-----
473 sub setup_namespaces($$:$$)
475 my ($self, $localenv, $upn_array, $spn_array) = @_;
477 @{$upn_array} = [] unless defined($upn_array);
479 foreach my $upn (@{$upn_array}) {
480 $upn_args .= " --add-upn-suffix=$upn";
483 @{$spn_array} = [] unless defined($spn_array);
485 foreach my $spn (@{$spn_array}) {
486 $spn_args .= " --add-spn-suffix=$spn";
489 my $samba_tool = Samba::bindir_path($self, "samba-tool");
492 $cmd_env .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$localenv->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
493 if (defined($localenv->{RESOLV_WRAPPER_CONF})) {
494 $cmd_env .= "RESOLV_WRAPPER_CONF=\"$localenv->{RESOLV_WRAPPER_CONF}\" ";
496 $cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
498 $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\"";
500 my $cmd_config = " $localenv->{CONFIGURATION}";
502 my $namespaces = $cmd_env;
503 $namespaces .= " $samba_tool domain trust namespaces $upn_args $spn_args";
504 $namespaces .= $cmd_config;
505 unless (system($namespaces) == 0) {
506 warn("Failed to add namespaces \n$namespaces");
513 sub setup_trust($$$$$)
515 my ($self, $localenv, $remoteenv, $type, $extra_args) = @_;
517 $localenv->{TRUST_SERVER} = $remoteenv->{SERVER};
518 $localenv->{TRUST_SERVER_IP} = $remoteenv->{SERVER_IP};
519 $localenv->{TRUST_SERVER_IPV6} = $remoteenv->{SERVER_IPV6};
520 $localenv->{TRUST_NETBIOSNAME} = $remoteenv->{NETBIOSNAME};
521 $localenv->{TRUST_USERNAME} = $remoteenv->{USERNAME};
522 $localenv->{TRUST_PASSWORD} = $remoteenv->{PASSWORD};
523 $localenv->{TRUST_DOMAIN} = $remoteenv->{DOMAIN};
524 $localenv->{TRUST_REALM} = $remoteenv->{REALM};
526 my $samba_tool = Samba::bindir_path($self, "samba-tool");
529 $cmd_env .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$localenv->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
530 if (defined($localenv->{RESOLV_WRAPPER_CONF})) {
531 $cmd_env .= "RESOLV_WRAPPER_CONF=\"$localenv->{RESOLV_WRAPPER_CONF}\" ";
533 $cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
535 $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\"";
537 my $cmd_config = " $localenv->{CONFIGURATION}";
538 my $cmd_creds = $cmd_config;
539 $cmd_creds .= " -U$localenv->{TRUST_DOMAIN}\\\\$localenv->{TRUST_USERNAME}\%$localenv->{TRUST_PASSWORD}";
541 my $create = $cmd_env;
542 $create .= " $samba_tool domain trust create --type=${type} $localenv->{TRUST_REALM}";
543 $create .= " $extra_args";
544 $create .= $cmd_creds;
545 unless (system($create) == 0) {
546 warn("Failed to create trust \n$create");
553 sub provision_raw_prepare($$$$$$$$$$$)
555 my ($self, $prefix, $server_role, $hostname,
556 $domain, $realm, $functional_level,
557 $password, $kdc_ipv4, $kdc_ipv6) = @_;
559 my $netbiosname = uc($hostname);
561 unless(-d $prefix or mkdir($prefix, 0777)) {
562 warn("Unable to create $prefix");
565 my $prefix_abs = abs_path($prefix);
567 die ("prefix=''") if $prefix_abs eq "";
568 die ("prefix='/'") if $prefix_abs eq "/";
570 unless (system("rm -rf $prefix_abs/*") == 0) {
571 warn("Unable to clean up");
575 my $swiface = Samba::get_interface($hostname);
577 $ctx->{prefix} = $prefix;
578 $ctx->{prefix_abs} = $prefix_abs;
580 $ctx->{server_role} = $server_role;
581 $ctx->{hostname} = $hostname;
582 $ctx->{netbiosname} = $netbiosname;
583 $ctx->{swiface} = $swiface;
584 $ctx->{password} = $password;
585 $ctx->{kdc_ipv4} = $kdc_ipv4;
586 $ctx->{kdc_ipv6} = $kdc_ipv6;
589 # Set smbd log level here.
591 $ctx->{server_loglevel} =$ENV{SERVER_LOG_LEVEL} || 1;
592 $ctx->{username} = "Administrator";
593 $ctx->{domain} = $domain;
594 $ctx->{realm} = uc($realm);
595 $ctx->{dnsname} = lc($realm);
597 $ctx->{functional_level} = $functional_level;
599 my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `whoami`);
601 $ctx->{unix_name} = $unix_name;
602 $ctx->{unix_uid} = $>;
603 my @mygid = split(" ", $();
604 $ctx->{unix_gid} = $mygid[0];
605 $ctx->{unix_gids_str} = $);
606 @{$ctx->{unix_gids}} = split(" ", $ctx->{unix_gids_str});
608 $ctx->{etcdir} = "$prefix_abs/etc";
609 $ctx->{piddir} = "$prefix_abs/pid";
610 $ctx->{smb_conf} = "$ctx->{etcdir}/smb.conf";
611 $ctx->{krb5_conf} = "$ctx->{etcdir}/krb5.conf";
612 $ctx->{privatedir} = "$prefix_abs/private";
613 $ctx->{ncalrpcdir} = "$prefix_abs/ncalrpc";
614 $ctx->{lockdir} = "$prefix_abs/lockdir";
615 $ctx->{logdir} = "$prefix_abs/logs";
616 $ctx->{statedir} = "$prefix_abs/statedir";
617 $ctx->{cachedir} = "$prefix_abs/cachedir";
618 $ctx->{winbindd_socket_dir} = "$prefix_abs/winbindd_socket";
619 $ctx->{winbindd_privileged_socket_dir} = "$prefix_abs/winbindd_privileged_socket";
620 $ctx->{ntp_signd_socket_dir} = "$prefix_abs/ntp_signd_socket";
621 $ctx->{nsswrap_passwd} = "$ctx->{etcdir}/passwd";
622 $ctx->{nsswrap_group} = "$ctx->{etcdir}/group";
623 $ctx->{nsswrap_hosts} = "$ENV{SELFTEST_PREFIX}/hosts";
624 if ($ENV{SAMBA_DNS_FAKING}) {
625 $ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file";
626 $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces --use-file=$ctx->{dns_host_file}";
628 $ctx->{resolv_conf} = "$ctx->{etcdir}/resolv.conf";
629 $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf}";
632 $ctx->{tlsdir} = "$ctx->{privatedir}/tls";
634 $ctx->{ipv4} = "127.0.0.$swiface";
635 $ctx->{ipv6} = sprintf("fd00:0000:0000:0000:0000:0000:5357:5f%02x", $swiface);
636 $ctx->{interfaces} = "$ctx->{ipv4}/8 $ctx->{ipv6}/64";
638 push(@{$ctx->{directories}}, $ctx->{privatedir});
639 push(@{$ctx->{directories}}, $ctx->{etcdir});
640 push(@{$ctx->{directories}}, $ctx->{piddir});
641 push(@{$ctx->{directories}}, $ctx->{lockdir});
642 push(@{$ctx->{directories}}, $ctx->{logdir});
643 push(@{$ctx->{directories}}, $ctx->{statedir});
644 push(@{$ctx->{directories}}, $ctx->{cachedir});
646 $ctx->{smb_conf_extra_options} = "";
648 my @provision_options = ();
649 push (@provision_options, "KRB5_CONFIG=\"$ctx->{krb5_config}\"");
650 push (@provision_options, "NSS_WRAPPER_PASSWD=\"$ctx->{nsswrap_passwd}\"");
651 push (@provision_options, "NSS_WRAPPER_GROUP=\"$ctx->{nsswrap_group}\"");
652 push (@provision_options, "NSS_WRAPPER_HOSTS=\"$ctx->{nsswrap_hosts}\"");
653 if (defined($ctx->{resolv_conf})) {
654 push (@provision_options, "RESOLV_WRAPPER_CONF=\"$ctx->{resolv_conf}\"");
656 push (@provision_options, "RESOLV_WRAPPER_HOSTS=\"$ctx->{dns_host_file}\"");
658 if (defined($ENV{GDB_PROVISION})) {
659 push (@provision_options, "gdb --args");
660 if (!defined($ENV{PYTHON})) {
661 push (@provision_options, "env");
662 push (@provision_options, "python");
665 if (defined($ENV{VALGRIND_PROVISION})) {
666 push (@provision_options, "valgrind");
667 if (!defined($ENV{PYTHON})) {
668 push (@provision_options, "env");
669 push (@provision_options, "python");
672 if (defined($ENV{PYTHON})) {
673 push (@provision_options, $ENV{PYTHON});
675 push (@provision_options, Samba::bindir_path($self, "samba-tool"));
676 push (@provision_options, "domain");
677 push (@provision_options, "provision");
678 push (@provision_options, "--configfile=$ctx->{smb_conf}");
679 push (@provision_options, "--host-name=$ctx->{hostname}");
680 push (@provision_options, "--host-ip=$ctx->{ipv4}");
681 push (@provision_options, "--quiet");
682 push (@provision_options, "--domain=$ctx->{domain}");
683 push (@provision_options, "--realm=$ctx->{realm}");
684 push (@provision_options, "--adminpass=$ctx->{password}");
685 push (@provision_options, "--krbtgtpass=krbtgt$ctx->{password}");
686 push (@provision_options, "--machinepass=machine$ctx->{password}");
687 push (@provision_options, "--root=$ctx->{unix_name}");
688 push (@provision_options, "--server-role=\"$ctx->{server_role}\"");
689 push (@provision_options, "--function-level=\"$ctx->{functional_level}\"");
691 @{$ctx->{provision_options}} = @provision_options;
697 # Step1 creates the basic configuration
699 sub provision_raw_step1($$)
701 my ($self, $ctx) = @_;
703 mkdir($_, 0777) foreach (@{$ctx->{directories}});
706 ## lockdir and piddir must be 0755
708 chmod 0755, $ctx->{lockdir};
709 chmod 0755, $ctx->{piddir};
711 unless (open(CONFFILE, ">$ctx->{smb_conf}")) {
712 warn("can't open $ctx->{smb_conf}$?");
717 netbios name = $ctx->{netbiosname}
718 posix:eadb = $ctx->{statedir}/eadb.tdb
719 workgroup = $ctx->{domain}
720 realm = $ctx->{realm}
721 private dir = $ctx->{privatedir}
722 pid directory = $ctx->{piddir}
723 ncalrpc dir = $ctx->{ncalrpcdir}
724 lock dir = $ctx->{lockdir}
725 state directory = $ctx->{statedir}
726 cache directory = $ctx->{cachedir}
727 winbindd socket directory = $ctx->{winbindd_socket_dir}
728 winbindd privileged socket directory = $ctx->{winbindd_privileged_socket_dir}
729 ntp signd socket directory = $ctx->{ntp_signd_socket_dir}
730 winbind separator = /
731 interfaces = $ctx->{interfaces}
732 tls dh params file = $ctx->{tlsdir}/dhparms.pem
733 panic action = $RealBin/gdb_backtrace \%d
735 server role = $ctx->{server_role}
736 server services = +echo +smb -s3fs
737 dcerpc endpoint servers = +winreg +srvsvc
738 notify:inotify = false
740 #We don't want to pass our self-tests if the PAC code is wrong
741 gensec:require_pac = true
742 log file = $ctx->{logdir}/log.\%m
743 log level = $ctx->{server_loglevel}
746 dns update command = $ctx->{samba_dnsupdate}
747 spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf}
748 dreplsrv:periodic_startup_interval = 0
749 dsdb:schema update allowed = yes
751 vfs objects = dfs_samba4 acl_xattr fake_acls xattr_tdb streams_depot
753 # remove this again, when our smb2 client library
754 # supports signin on compound related requests
757 idmap_ldb:use rfc2307=yes
758 winbind enum users = yes
759 winbind enum groups = yes
764 # Begin extra options
765 $ctx->{smb_conf_extra_options}
770 $self->mk_keyblobs($ctx->{tlsdir});
772 #Default the KDC IP to the server's IP
773 if (not defined($ctx->{kdc_ipv4})) {
774 $ctx->{kdc_ipv4} = $ctx->{ipv4};
776 if (not defined($ctx->{kdc_ipv6})) {
777 $ctx->{kdc_ipv6} = $ctx->{ipv6};
780 Samba::mk_krb5_conf($ctx);
782 open(PWD, ">$ctx->{nsswrap_passwd}");
783 if ($ctx->{unix_uid} != 0) {
784 print PWD "root:x:0:0:root gecos:$ctx->{prefix_abs}:/bin/false\n";
786 print PWD "$ctx->{unix_name}:x:$ctx->{unix_uid}:65531:$ctx->{unix_name} gecos:$ctx->{prefix_abs}:/bin/false\n";
787 print PWD "nobody:x:65534:65533:nobody gecos:$ctx->{prefix_abs}:/bin/false
788 pdbtest:x:65533:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
789 pdbtest2:x:65532:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
790 pdbtest3:x:65531:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
791 pdbtest4:x:65530:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
794 my $uid_rfc2307test = 65533;
796 open(GRP, ">$ctx->{nsswrap_group}");
797 if ($ctx->{unix_gid} != 0) {
798 print GRP "root:x:0:\n";
800 print GRP "$ctx->{unix_name}:x:$ctx->{unix_gid}:\n";
801 print GRP "wheel:x:10:
804 nogroup:x:65534:nobody
807 my $gid_rfc2307test = 65532;
809 my $hostname = lc($ctx->{hostname});
810 open(HOSTS, ">>$ctx->{nsswrap_hosts}");
811 if ($hostname eq "localdc") {
812 print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
813 print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
815 print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} ${hostname}\n";
816 print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} ${hostname}\n";
820 if (defined($ctx->{resolv_conf})) {
821 open(RESOLV_CONF, ">$ctx->{resolv_conf}");
822 print RESOLV_CONF "nameserver $ctx->{kdc_ipv4}\n";
823 print RESOLV_CONF "nameserver $ctx->{kdc_ipv6}\n";
827 my $configuration = "--configfile=$ctx->{smb_conf}";
829 #Ensure the config file is valid before we start
830 my $testparm = Samba::bindir_path($self, "samba-tool") . " testparm";
831 if (system("$testparm $configuration -v --suppress-prompt >/dev/null 2>&1") != 0) {
832 system("$testparm -v --suppress-prompt $configuration >&2");
833 warn("Failed to create a valid smb.conf configuration $testparm!");
836 unless (system("($testparm $configuration -v --suppress-prompt --parameter-name=\"netbios name\" --section-name=global 2> /dev/null | grep -i \"^$ctx->{netbiosname}\" ) >/dev/null 2>&1") == 0) {
837 warn("Failed to create a valid smb.conf configuration! $testparm $configuration -v --suppress-prompt --parameter-name=\"netbios name\" --section-name=global");
842 KRB5_CONFIG => $ctx->{krb5_conf},
843 PIDDIR => $ctx->{piddir},
844 SERVER => $ctx->{hostname},
845 SERVER_IP => $ctx->{ipv4},
846 SERVER_IPV6 => $ctx->{ipv6},
847 NETBIOSNAME => $ctx->{netbiosname},
848 DOMAIN => $ctx->{domain},
849 USERNAME => $ctx->{username},
850 REALM => $ctx->{realm},
851 PASSWORD => $ctx->{password},
852 LDAPDIR => $ctx->{ldapdir},
853 LDAP_INSTANCE => $ctx->{ldap_instance},
854 SELFTEST_WINBINDD_SOCKET_DIR => $ctx->{winbindd_socket_dir},
855 NCALRPCDIR => $ctx->{ncalrpcdir},
856 LOCKDIR => $ctx->{lockdir},
857 STATEDIR => $ctx->{statedir},
858 CACHEDIR => $ctx->{cachedir},
859 PRIVATEDIR => $ctx->{privatedir},
860 SERVERCONFFILE => $ctx->{smb_conf},
861 CONFIGURATION => $configuration,
862 SOCKET_WRAPPER_DEFAULT_IFACE => $ctx->{swiface},
863 NSS_WRAPPER_PASSWD => $ctx->{nsswrap_passwd},
864 NSS_WRAPPER_GROUP => $ctx->{nsswrap_group},
865 NSS_WRAPPER_HOSTS => $ctx->{nsswrap_hosts},
866 SAMBA_TEST_FIFO => "$ctx->{prefix}/samba_test.fifo",
867 SAMBA_TEST_LOG => "$ctx->{prefix}/samba_test.log",
868 SAMBA_TEST_LOG_POS => 0,
869 NSS_WRAPPER_MODULE_SO_PATH => Samba::nss_wrapper_winbind_so_path($self),
870 NSS_WRAPPER_MODULE_FN_PREFIX => "winbind",
871 LOCAL_PATH => $ctx->{share},
872 UID_RFC2307TEST => $uid_rfc2307test,
873 GID_RFC2307TEST => $gid_rfc2307test,
874 SERVER_ROLE => $ctx->{server_role}
877 if (defined($ctx->{resolv_conf})) {
878 $ret->{RESOLV_WRAPPER_CONF} = $ctx->{resolv_conf};
880 $ret->{RESOLV_WRAPPER_HOSTS} = $ctx->{dns_host_file};
887 # Step2 runs the provision script
889 sub provision_raw_step2($$$)
891 my ($self, $ctx, $ret) = @_;
893 my $provision_cmd = join(" ", @{$ctx->{provision_options}});
894 unless (system($provision_cmd) == 0) {
895 warn("Unable to provision: \n$provision_cmd\n");
899 my $testallowed_account = "testallowed";
900 my $samba_tool_cmd = "";
901 $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
902 $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
903 . " user add --configfile=$ctx->{smb_conf} $testallowed_account $ctx->{password}";
904 unless (system($samba_tool_cmd) == 0) {
905 warn("Unable to add testallowed user: \n$samba_tool_cmd\n");
910 $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
911 $ldbmodify .= Samba::bindir_path($self, "ldbmodify");
912 my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
914 if ($ctx->{server_role} ne "domain controller") {
915 $base_dn = "DC=$ctx->{netbiosname}";
918 my $user_dn = "cn=$testallowed_account,cn=users,$base_dn";
919 $testallowed_account = "testallowed account";
920 open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
921 print LDIF "dn: $user_dn
923 replace: samAccountName
924 samAccountName: $testallowed_account
929 open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
930 print LDIF "dn: $user_dn
932 replace: userPrincipalName
933 userPrincipalName: testallowed upn\@$ctx->{realm}
934 replace: servicePrincipalName
935 servicePrincipalName: host/testallowed
940 $samba_tool_cmd = "";
941 $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
942 $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
943 . " user add --configfile=$ctx->{smb_conf} testdenied $ctx->{password}";
944 unless (system($samba_tool_cmd) == 0) {
945 warn("Unable to add testdenied user: \n$samba_tool_cmd\n");
949 my $user_dn = "cn=testdenied,cn=users,$base_dn";
950 open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
951 print LDIF "dn: $user_dn
953 replace: userPrincipalName
954 userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
959 $samba_tool_cmd = "";
960 $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
961 $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
962 . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' '$testallowed_account'";
963 unless (system($samba_tool_cmd) == 0) {
964 warn("Unable to add '$testallowed_account' user to 'Allowed RODC Password Replication Group': \n$samba_tool_cmd\n");
971 sub provision($$$$$$$$$$)
973 my ($self, $prefix, $server_role, $hostname,
974 $domain, $realm, $functional_level,
975 $password, $kdc_ipv4, $kdc_ipv6, $extra_smbconf_options, $extra_smbconf_shares,
976 $extra_provision_options) = @_;
978 my $ctx = $self->provision_raw_prepare($prefix, $server_role,
980 $domain, $realm, $functional_level,
981 $password, $kdc_ipv4, $kdc_ipv6);
983 if (defined($extra_provision_options)) {
984 push (@{$ctx->{provision_options}}, @{$extra_provision_options});
986 push (@{$ctx->{provision_options}}, "--use-ntvfs");
989 $ctx->{share} = "$ctx->{prefix_abs}/share";
990 push(@{$ctx->{directories}}, "$ctx->{share}");
991 push(@{$ctx->{directories}}, "$ctx->{share}/test1");
992 push(@{$ctx->{directories}}, "$ctx->{share}/test2");
994 # precreate directories for printer drivers
995 push(@{$ctx->{directories}}, "$ctx->{share}/W32X86");
996 push(@{$ctx->{directories}}, "$ctx->{share}/x64");
997 push(@{$ctx->{directories}}, "$ctx->{share}/WIN40");
1000 $msdfs = "yes" if ($server_role eq "domain controller");
1001 $ctx->{smb_conf_extra_options} = "
1004 server max protocol = SMB2
1007 allow nt4 crypto = yes
1009 # fruit:copyfile is a global option
1010 fruit:copyfile = yes
1012 $extra_smbconf_options
1015 path = $ctx->{share}
1017 posix:sharedelay = 100000
1018 posix:oplocktimeout = 3
1019 posix:writetimeupdatedelay = 500000
1022 path = $ctx->{share}
1024 posix:sharedelay = 100000
1025 posix:oplocktimeout = 3
1026 posix:writetimeupdatedelay = 500000
1028 force create mode = 777
1031 path = $ctx->{share}
1034 force create mode = 0
1035 directory mask = 0777
1036 force directory mode = 0
1039 path = $ctx->{share}/test1
1041 posix:sharedelay = 100000
1042 posix:oplocktimeout = 3
1043 posix:writetimeupdatedelay = 500000
1046 path = $ctx->{share}/test2
1048 posix:sharedelay = 100000
1049 posix:oplocktimeout = 3
1050 posix:writetimeupdatedelay = 500000
1053 path = $ctx->{share}/_ignore_cifs_
1055 ntvfs handler = cifs
1056 cifs:server = $ctx->{netbiosname}
1058 cifs:use-s4u2proxy = yes
1059 # There is no username specified here, instead the client is expected
1060 # to log in with kerberos, and the serverwill use delegated credentials.
1061 # Or the server tries s4u2self/s4u2proxy to impersonate the client
1064 path = $ctx->{share}
1066 ntvfs handler = simple
1069 path = $ctx->{statedir}/sysvol
1073 path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
1078 ntvfs handler = cifsposix
1081 path = $ctx->{share}
1082 vfs objects = catia fruit streams_xattr acl_xattr
1084 fruit:ressource = file
1085 fruit:metadata = netatalk
1086 fruit:locking = netatalk
1087 fruit:encoding = native
1089 $extra_smbconf_shares
1092 if (defined($self->{ldap})) {
1093 $ctx->{ldapdir} = "$ctx->{privatedir}/ldap";
1094 push(@{$ctx->{directories}}, "$ctx->{ldapdir}");
1096 my $ldap_uri= "$ctx->{ldapdir}/ldapi";
1097 $ldap_uri =~ s|/|%2F|g;
1098 $ldap_uri = "ldapi://$ldap_uri";
1099 $ctx->{ldap_uri} = $ldap_uri;
1101 $ctx->{ldap_instance} = lc($ctx->{netbiosname});
1104 my $ret = $self->provision_raw_step1($ctx);
1105 unless (defined $ret) {
1109 if (defined($self->{ldap})) {
1110 $ret->{LDAP_URI} = $ctx->{ldap_uri};
1111 push (@{$ctx->{provision_options}}, "--ldap-backend-type=" . $self->{ldap});
1112 push (@{$ctx->{provision_options}}, "--ldap-backend-nosync");
1113 if ($self->{ldap} eq "openldap") {
1114 push (@{$ctx->{provision_options}}, "--slapd-path=" . $ENV{OPENLDAP_SLAPD});
1115 ($ret->{SLAPD_CONF_D}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ctx) or die("Unable to create openldap directories");
1117 } elsif ($self->{ldap} eq "fedora-ds") {
1118 push (@{$ctx->{provision_options}}, "--slapd-path=" . "$ENV{FEDORA_DS_ROOT}/sbin/ns-slapd");
1119 push (@{$ctx->{provision_options}}, "--setup-ds-path=" . "$ENV{FEDORA_DS_ROOT}/sbin/setup-ds.pl");
1120 ($ret->{FEDORA_DS_DIR}, $ret->{FEDORA_DS_PIDFILE}) = $self->mk_fedora_ds($ctx) or die("Unable to create fedora ds directories");
1125 return $self->provision_raw_step2($ctx, $ret);
1128 sub provision_s4member($$$)
1130 my ($self, $prefix, $dcvars) = @_;
1131 print "PROVISIONING MEMBER...";
1132 my $extra_smb_conf = "
1133 passdb backend = samba_dsdb
1134 winbindd:use external pipes = true
1136 rpc_server:default = external
1137 rpc_server:svcctl = embedded
1138 rpc_server:srvsvc = embedded
1139 rpc_server:eventlog = embedded
1140 rpc_server:ntsvcs = embedded
1141 rpc_server:winreg = embedded
1142 rpc_server:spoolss = embedded
1143 rpc_daemon:spoolssd = embedded
1144 rpc_server:tcpip = no
1146 my $ret = $self->provision($prefix,
1150 "samba.example.com",
1153 $dcvars->{SERVER_IP},
1154 $dcvars->{SERVER_IPV6},
1155 $extra_smb_conf, "", undef);
1160 my $samba_tool = Samba::bindir_path($self, "samba-tool");
1162 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
1163 if (defined($ret->{RESOLV_WRAPPER_CONF})) {
1164 $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
1166 $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
1168 $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
1169 $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
1170 $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
1171 $cmd .= " --machinepass=machine$ret->{PASSWORD}";
1173 unless (system($cmd) == 0) {
1174 warn("Join failed\n$cmd");
1178 $ret->{MEMBER_SERVER} = $ret->{SERVER};
1179 $ret->{MEMBER_SERVER_IP} = $ret->{SERVER_IP};
1180 $ret->{MEMBER_SERVER_IPV6} = $ret->{SERVER_IPV6};
1181 $ret->{MEMBER_NETBIOSNAME} = $ret->{NETBIOSNAME};
1182 $ret->{MEMBER_USERNAME} = $ret->{USERNAME};
1183 $ret->{MEMBER_PASSWORD} = $ret->{PASSWORD};
1185 $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
1186 $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
1187 $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
1188 $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
1189 $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
1190 $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
1195 sub provision_rpc_proxy($$$)
1197 my ($self, $prefix, $dcvars) = @_;
1198 print "PROVISIONING RPC PROXY...";
1200 my $extra_smbconf_options = "
1201 passdb backend = samba_dsdb
1204 dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER}
1205 dcerpc endpoint servers = epmapper, remote
1206 dcerpc_remote:interfaces = rpcecho
1209 path = /tmp/_ignore_cifs_to_dc_/_none_
1211 ntvfs handler = cifs
1212 cifs:server = $dcvars->{SERVER}
1214 cifs:use-s4u2proxy = yes
1215 # There is no username specified here, instead the client is expected
1216 # to log in with kerberos, and the serverwill use delegated credentials.
1217 # Or the server tries s4u2self/s4u2proxy to impersonate the client
1221 my $ret = $self->provision($prefix,
1225 "samba.example.com",
1228 $dcvars->{SERVER_IP},
1229 $dcvars->{SERVER_IPV6},
1230 $extra_smbconf_options, "", undef);
1236 my $samba_tool = Samba::bindir_path($self, "samba-tool");
1238 # The joind runs in the context of the rpc_proxy/member for now
1240 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
1241 if (defined($ret->{RESOLV_WRAPPER_CONF})) {
1242 $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
1244 $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
1246 $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
1247 $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
1248 $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
1249 $cmd .= " --machinepass=machine$ret->{PASSWORD}";
1251 unless (system($cmd) == 0) {
1252 warn("Join failed\n$cmd");
1256 # Setting up delegation runs in the context of the DC for now
1258 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
1259 $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
1260 $cmd .= "$samba_tool delegation for-any-protocol '$ret->{NETBIOSNAME}\$' on";
1261 $cmd .= " $dcvars->{CONFIGURATION}";
1264 unless (system($cmd) == 0) {
1265 warn("Delegation failed\n$cmd");
1269 # Setting up delegation runs in the context of the DC for now
1271 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
1272 $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
1273 $cmd .= "$samba_tool delegation add-service '$ret->{NETBIOSNAME}\$' cifs/$dcvars->{SERVER}";
1274 $cmd .= " $dcvars->{CONFIGURATION}";
1276 unless (system($cmd) == 0) {
1277 warn("Delegation failed\n$cmd");
1281 $ret->{RPC_PROXY_SERVER} = $ret->{SERVER};
1282 $ret->{RPC_PROXY_SERVER_IP} = $ret->{SERVER_IP};
1283 $ret->{RPC_PROXY_SERVER_IPV6} = $ret->{SERVER_IPV6};
1284 $ret->{RPC_PROXY_NETBIOSNAME} = $ret->{NETBIOSNAME};
1285 $ret->{RPC_PROXY_USERNAME} = $ret->{USERNAME};
1286 $ret->{RPC_PROXY_PASSWORD} = $ret->{PASSWORD};
1288 $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
1289 $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
1290 $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
1291 $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
1292 $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
1293 $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
1298 sub provision_promoted_dc($$$)
1300 my ($self, $prefix, $dcvars) = @_;
1301 print "PROVISIONING PROMOTED DC...";
1303 # We do this so that we don't run the provision. That's the job of 'samba-tool domain dcpromo'.
1304 my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
1307 "samba.example.com",
1309 $dcvars->{PASSWORD},
1310 $dcvars->{SERVER_IP},
1311 $dcvars->{SERVER_IPV6});
1313 push (@{$ctx->{provision_options}}, "--use-ntvfs");
1315 $ctx->{smb_conf_extra_options} = "
1317 server max protocol = SMB2
1320 path = $ctx->{statedir}/sysvol
1324 path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
1329 my $ret = $self->provision_raw_step1($ctx);
1334 my $samba_tool = Samba::bindir_path($self, "samba-tool");
1336 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
1337 if (defined($ret->{RESOLV_WRAPPER_CONF})) {
1338 $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
1340 $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
1342 $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
1343 $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} MEMBER --realm=$dcvars->{REALM}";
1344 $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
1345 $cmd .= " --machinepass=machine$ret->{PASSWORD}";
1347 unless (system($cmd) == 0) {
1348 warn("Join failed\n$cmd");
1352 my $samba_tool = Samba::bindir_path($self, "samba-tool");
1354 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
1355 $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
1356 $cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
1357 $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
1358 $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ";
1360 unless (system($cmd) == 0) {
1361 warn("Join failed\n$cmd");
1365 $ret->{PROMOTED_DC_SERVER} = $ret->{SERVER};
1366 $ret->{PROMOTED_DC_SERVER_IP} = $ret->{SERVER_IP};
1367 $ret->{PROMOTED_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
1368 $ret->{PROMOTED_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
1370 $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
1371 $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
1372 $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
1373 $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
1374 $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
1375 $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
1380 sub provision_vampire_dc($$$)
1382 my ($self, $prefix, $dcvars) = @_;
1383 print "PROVISIONING VAMPIRE DC...";
1385 # We do this so that we don't run the provision. That's the job of 'net vampire'.
1386 my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
1389 "samba.example.com",
1391 $dcvars->{PASSWORD},
1392 $dcvars->{SERVER_IP},
1393 $dcvars->{SERVER_IPV6});
1395 push (@{$ctx->{provision_options}}, "--use-ntvfs");
1397 $ctx->{smb_conf_extra_options} = "
1399 server max protocol = SMB2
1402 path = $ctx->{statedir}/sysvol
1406 path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
1411 my $ret = $self->provision_raw_step1($ctx);
1416 my $samba_tool = Samba::bindir_path($self, "samba-tool");
1418 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
1419 if (defined($ret->{RESOLV_WRAPPER_CONF})) {
1420 $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
1422 $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
1424 $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
1425 $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
1426 $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only";
1427 $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
1429 unless (system($cmd) == 0) {
1430 warn("Join failed\n$cmd");
1434 $ret->{VAMPIRE_DC_SERVER} = $ret->{SERVER};
1435 $ret->{VAMPIRE_DC_SERVER_IP} = $ret->{SERVER_IP};
1436 $ret->{VAMPIRE_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
1437 $ret->{VAMPIRE_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
1439 $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
1440 $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
1441 $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
1442 $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
1443 $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
1444 $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
1445 $ret->{DC_REALM} = $dcvars->{DC_REALM};
1450 sub provision_subdom_dc($$$)
1452 my ($self, $prefix, $dcvars) = @_;
1453 print "PROVISIONING SUBDOMAIN DC...";
1455 # We do this so that we don't run the provision. That's the job of 'net vampire'.
1456 my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
1459 "sub.samba.example.com",
1461 $dcvars->{PASSWORD},
1464 push (@{$ctx->{provision_options}}, "--use-ntvfs");
1466 $ctx->{smb_conf_extra_options} = "
1468 server max protocol = SMB2
1471 path = $ctx->{statedir}/sysvol
1475 path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
1480 my $ret = $self->provision_raw_step1($ctx);
1485 Samba::mk_krb5_conf($ctx);
1487 my $samba_tool = Samba::bindir_path($self, "samba-tool");
1489 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
1490 if (defined($ret->{RESOLV_WRAPPER_CONF})) {
1491 $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
1493 $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
1495 $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
1496 $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{dnsname} subdomain ";
1497 $cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}";
1498 $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
1499 $cmd .= " --adminpass=$ret->{PASSWORD}";
1501 unless (system($cmd) == 0) {
1502 warn("Join failed\n$cmd");
1506 $ret->{SUBDOM_DC_SERVER} = $ret->{SERVER};
1507 $ret->{SUBDOM_DC_SERVER_IP} = $ret->{SERVER_IP};
1508 $ret->{SUBDOM_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
1509 $ret->{SUBDOM_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
1511 $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
1512 $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
1513 $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
1514 $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
1515 $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
1516 $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
1521 sub provision_ad_dc_ntvfs($$)
1523 my ($self, $prefix) = @_;
1525 # We keep the old 'winbind' name here in server services to
1526 # ensure upgrades which used that name still work with the now
1529 print "PROVISIONING AD DC (NTVFS)...";
1530 my $extra_conf_options = "netbios aliases = localDC1-a
1531 server services = +winbind -winbindd";
1532 my $ret = $self->provision($prefix,
1533 "domain controller",
1536 "samba.example.com",
1541 $extra_conf_options,
1545 return undef unless(defined $ret);
1546 unless($self->add_wins_config("$prefix/private")) {
1547 warn("Unable to add wins configuration");
1550 $ret->{NETBIOSALIAS} = "localdc1-a";
1551 $ret->{DC_SERVER} = $ret->{SERVER};
1552 $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
1553 $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
1554 $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
1555 $ret->{DC_USERNAME} = $ret->{USERNAME};
1556 $ret->{DC_PASSWORD} = $ret->{PASSWORD};
1557 $ret->{DC_REALM} = $ret->{REALM};
1562 sub provision_fl2000dc($$)
1564 my ($self, $prefix) = @_;
1566 print "PROVISIONING DC WITH FOREST LEVEL 2000...";
1567 my $ret = $self->provision($prefix,
1568 "domain controller",
1571 "samba2000.example.com",
1580 unless($self->add_wins_config("$prefix/private")) {
1581 warn("Unable to add wins configuration");
1588 sub provision_fl2003dc($$$)
1590 my ($self, $prefix, $dcvars) = @_;
1592 print "PROVISIONING DC WITH FOREST LEVEL 2003...";
1593 my $extra_conf_options = "allow dns updates = nonsecure and secure";
1594 my $ret = $self->provision($prefix,
1595 "domain controller",
1598 "samba2003.example.com",
1603 $extra_conf_options,
1607 unless (defined $ret) {
1611 $ret->{DC_SERVER} = $ret->{SERVER};
1612 $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
1613 $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
1614 $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
1615 $ret->{DC_USERNAME} = $ret->{USERNAME};
1616 $ret->{DC_PASSWORD} = $ret->{PASSWORD};
1618 my @samba_tool_options;
1619 push (@samba_tool_options, Samba::bindir_path($self, "samba-tool"));
1620 push (@samba_tool_options, "domain");
1621 push (@samba_tool_options, "passwordsettings");
1622 push (@samba_tool_options, "set");
1623 push (@samba_tool_options, "--configfile=$ret->{SERVERCONFFILE}");
1624 push (@samba_tool_options, "--min-pwd-age=0");
1625 push (@samba_tool_options, "--history-length=1");
1627 my $samba_tool_cmd = join(" ", @samba_tool_options);
1629 unless (system($samba_tool_cmd) == 0) {
1630 warn("Unable to set min password age to 0: \n$samba_tool_cmd\n");
1636 unless($self->add_wins_config("$prefix/private")) {
1637 warn("Unable to add wins configuration");
1644 sub provision_fl2008r2dc($$$)
1646 my ($self, $prefix, $dcvars) = @_;
1648 print "PROVISIONING DC WITH FOREST LEVEL 2008r2...";
1649 my $ret = $self->provision($prefix,
1650 "domain controller",
1653 "samba2008R2.example.com",
1662 unless ($self->add_wins_config("$prefix/private")) {
1663 warn("Unable to add wins configuration");
1671 sub provision_rodc($$$)
1673 my ($self, $prefix, $dcvars) = @_;
1674 print "PROVISIONING RODC...";
1676 # We do this so that we don't run the provision. That's the job of 'net join RODC'.
1677 my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
1680 "samba.example.com",
1682 $dcvars->{PASSWORD},
1683 $dcvars->{SERVER_IP},
1684 $dcvars->{SERVER_IPV6});
1689 push (@{$ctx->{provision_options}}, "--use-ntvfs");
1691 $ctx->{share} = "$ctx->{prefix_abs}/share";
1692 push(@{$ctx->{directories}}, "$ctx->{share}");
1694 $ctx->{smb_conf_extra_options} = "
1696 server max protocol = SMB2
1699 path = $ctx->{statedir}/sysvol
1703 path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
1707 path = $ctx->{share}
1709 posix:sharedelay = 10000
1710 posix:oplocktimeout = 3
1711 posix:writetimeupdatedelay = 50000
1715 my $ret = $self->provision_raw_step1($ctx);
1720 my $samba_tool = Samba::bindir_path($self, "samba-tool");
1722 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
1723 if (defined($ret->{RESOLV_WRAPPER_CONF})) {
1724 $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
1726 $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
1728 $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
1729 $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} RODC";
1730 $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
1731 $cmd .= " --server=$dcvars->{DC_SERVER} --use-ntvfs";
1733 unless (system($cmd) == 0) {
1734 warn("RODC join failed\n$cmd");
1738 # This ensures deterministic behaviour for tests that want to have the 'testallowed account'
1739 # user password verified on the RODC
1740 my $testallowed_account = "testallowed account";
1741 $cmd = "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
1742 $cmd .= "$samba_tool rodc preload '$testallowed_account' $ret->{CONFIGURATION}";
1743 $cmd .= " --server=$dcvars->{DC_SERVER}";
1745 unless (system($cmd) == 0) {
1746 warn("RODC join failed\n$cmd");
1750 # we overwrite the kdc after the RODC join
1751 # so that use the RODC as kdc and test
1753 $ctx->{kdc_ipv4} = $ret->{SERVER_IP};
1754 $ctx->{kdc_ipv6} = $ret->{SERVER_IPV6};
1755 Samba::mk_krb5_conf($ctx);
1757 $ret->{RODC_DC_SERVER} = $ret->{SERVER};
1758 $ret->{RODC_DC_SERVER_IP} = $ret->{SERVER_IP};
1759 $ret->{RODC_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
1760 $ret->{RODC_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
1762 $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
1763 $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
1764 $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
1765 $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
1766 $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
1767 $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
1772 sub provision_ad_dc($$)
1774 my ($self, $prefix) = @_;
1776 my $prefix_abs = abs_path($prefix);
1778 my $bindir_abs = abs_path($self->{bindir});
1779 my $lockdir="$prefix_abs/lockdir";
1780 my $conffile="$prefix_abs/etc/smb.conf";
1782 my $extra_smbconf_options = "
1783 server services = -smb +s3fs
1784 xattr_tdb:file = $prefix_abs/statedir/xattr.tdb
1786 dbwrap_tdb_mutexes:* = yes
1789 kernel change notify = no
1793 printcap name = /dev/null
1797 server signing = auto
1799 smbd:sharedelay = 100000
1800 smbd:writetimeupdatedelay = 500000
1804 dcerpc endpoint servers = -winreg -srvsvc
1806 printcap name = /dev/null
1808 addprinter command = $ENV{SRCDIR_ABS}/source3/script/tests/printing/modprinter.pl -a -s $conffile --
1809 deleteprinter command = $ENV{SRCDIR_ABS}/source3/script/tests/printing/modprinter.pl -d -s $conffile --
1812 print command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb print %p %s
1813 lpq command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpq %p
1814 lp rm command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lprm %p %j
1815 lp pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lppause %p %j
1816 lp resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpresume %p %j
1817 queue pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queuepause %p
1818 queue resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queueresume %p
1820 print notify backchannel = yes
1823 my $extra_smbconf_shares = "
1827 smb encrypt = required
1831 case sensitive = yes
1839 hide unreadable = yes
1843 kernel share modes = no
1862 print "PROVISIONING AD DC...";
1863 my $ret = $self->provision($prefix,
1864 "domain controller",
1867 "addc.samba.example.com",
1872 $extra_smbconf_options,
1873 $extra_smbconf_shares,
1876 return undef unless(defined $ret);
1877 unless($self->add_wins_config("$prefix/private")) {
1878 warn("Unable to add wins configuration");
1882 $ret->{DC_SERVER} = $ret->{SERVER};
1883 $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
1884 $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
1885 $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
1886 $ret->{DC_USERNAME} = $ret->{USERNAME};
1887 $ret->{DC_PASSWORD} = $ret->{PASSWORD};
1892 sub provision_chgdcpass($$)
1894 my ($self, $prefix) = @_;
1896 print "PROVISIONING CHGDCPASS...";
1897 my $extra_provision_options = undef;
1898 push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
1899 my $ret = $self->provision($prefix,
1900 "domain controller",
1903 "chgdcpassword.samba.example.com",
1910 $extra_provision_options);
1912 return undef unless(defined $ret);
1913 unless($self->add_wins_config("$prefix/private")) {
1914 warn("Unable to add wins configuration");
1918 # Remove secrets.tdb from this environment to test that we
1919 # still start up on systems without the new matching
1920 # secrets.tdb records.
1921 unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
1922 warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
1926 $ret->{DC_SERVER} = $ret->{SERVER};
1927 $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
1928 $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
1929 $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
1930 $ret->{DC_USERNAME} = $ret->{USERNAME};
1931 $ret->{DC_PASSWORD} = $ret->{PASSWORD};
1936 sub teardown_env($$)
1938 my ($self, $envvars) = @_;
1941 # This should cause samba to terminate gracefully
1942 close($envvars->{STDIN_PIPE});
1944 $pid = $envvars->{SAMBA_PID};
1948 # This should give it time to write out the gcov data
1949 until ($count > 30) {
1950 if (Samba::cleanup_child($pid, "samba") == -1) {
1957 if ($count > 30 || kill(0, $pid)) {
1960 until ($count > 40) {
1961 if (Samba::cleanup_child($pid, "samba") == -1) {
1967 # If it is still around, kill it
1968 warn "server process $pid took more than $count seconds to exit, killing\n";
1972 $self->slapd_stop($envvars) if ($self->{ldap});
1974 print $self->getlog_env($envvars);
1981 my ($self, $envvars) = @_;
1982 my $title = "SAMBA LOG of: $envvars->{NETBIOSNAME}\n";
1985 open(LOG, "<$envvars->{SAMBA_TEST_LOG}");
1987 seek(LOG, $envvars->{SAMBA_TEST_LOG_POS}, SEEK_SET);
1991 $envvars->{SAMBA_TEST_LOG_POS} = tell(LOG);
1994 return "" if $out eq $title;
2001 my ($self, $envvars) = @_;
2003 my $childpid = Samba::cleanup_child($envvars->{SAMBA_PID}, "samba");
2005 return ($childpid == 0);
2010 my ($self, $envname, $path) = @_;
2011 my $target3 = $self->{target3};
2013 $ENV{ENVNAME} = $envname;
2015 if (defined($self->{vars}->{$envname})) {
2016 return $self->{vars}->{$envname};
2019 if ($envname eq "ad_dc_ntvfs") {
2020 return $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
2021 } elsif ($envname eq "fl2000dc") {
2022 return $self->setup_fl2000dc("$path/fl2000dc");
2023 } elsif ($envname eq "fl2003dc") {
2024 if (not defined($self->{vars}->{ad_dc})) {
2025 $self->setup_ad_dc("$path/ad_dc");
2027 return $self->setup_fl2003dc("$path/fl2003dc", $self->{vars}->{ad_dc});
2028 } elsif ($envname eq "fl2008r2dc") {
2029 if (not defined($self->{vars}->{ad_dc})) {
2030 $self->setup_ad_dc("$path/ad_dc");
2032 return $self->setup_fl2008r2dc("$path/fl2008r2dc", $self->{vars}->{ad_dc});
2033 } elsif ($envname eq "rpc_proxy") {
2034 if (not defined($self->{vars}->{ad_dc_ntvfs})) {
2035 $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
2037 return $self->setup_rpc_proxy("$path/rpc_proxy", $self->{vars}->{ad_dc_ntvfs});
2038 } elsif ($envname eq "vampire_dc") {
2039 if (not defined($self->{vars}->{ad_dc_ntvfs})) {
2040 $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
2042 return $self->setup_vampire_dc("$path/vampire_dc", $self->{vars}->{ad_dc_ntvfs});
2043 } elsif ($envname eq "promoted_dc") {
2044 if (not defined($self->{vars}->{ad_dc_ntvfs})) {
2045 $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
2047 return $self->setup_promoted_dc("$path/promoted_dc", $self->{vars}->{ad_dc_ntvfs});
2048 } elsif ($envname eq "subdom_dc") {
2049 if (not defined($self->{vars}->{ad_dc_ntvfs})) {
2050 $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
2052 return $self->setup_subdom_dc("$path/subdom_dc", $self->{vars}->{ad_dc_ntvfs});
2053 } elsif ($envname eq "s4member") {
2054 if (not defined($self->{vars}->{ad_dc_ntvfs})) {
2055 $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
2057 return $self->setup_s4member("$path/s4member", $self->{vars}->{ad_dc_ntvfs});
2058 } elsif ($envname eq "rodc") {
2059 if (not defined($self->{vars}->{ad_dc_ntvfs})) {
2060 $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
2062 return $self->setup_rodc("$path/rodc", $self->{vars}->{ad_dc_ntvfs});
2063 } elsif ($envname eq "chgdcpass") {
2064 return $self->setup_chgdcpass("$path/chgdcpass", $self->{vars}->{chgdcpass});
2065 } elsif ($envname eq "ad_member") {
2066 if (not defined($self->{vars}->{ad_dc_ntvfs})) {
2067 $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
2069 return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc_ntvfs}, 29);
2070 } elsif ($envname eq "ad_dc") {
2071 return $self->setup_ad_dc("$path/ad_dc");
2072 } elsif ($envname eq "ad_dc_no_nss") {
2073 return $self->setup_ad_dc("$path/ad_dc_no_nss", "no_nss");
2074 } elsif ($envname eq "ad_member_rfc2307") {
2075 if (not defined($self->{vars}->{ad_dc_ntvfs})) {
2076 $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
2078 return $target3->setup_admember_rfc2307("$path/ad_member_rfc2307",
2079 $self->{vars}->{ad_dc_ntvfs}, 34);
2085 sub setup_s4member($$$)
2087 my ($self, $path, $dc_vars) = @_;
2089 my $env = $self->provision_s4member($path, $dc_vars);
2092 $self->check_or_start($env, "single");
2094 $self->wait_for_start($env);
2096 $self->{vars}->{s4member} = $env;
2102 sub setup_rpc_proxy($$$)
2104 my ($self, $path, $dc_vars) = @_;
2106 my $env = $self->provision_rpc_proxy($path, $dc_vars);
2109 $self->check_or_start($env, "single");
2111 $self->wait_for_start($env);
2113 $self->{vars}->{rpc_proxy} = $env;
2118 sub setup_ad_dc_ntvfs($$)
2120 my ($self, $path) = @_;
2122 my $env = $self->provision_ad_dc_ntvfs($path);
2124 $self->check_or_start($env, "standard");
2126 $self->wait_for_start($env);
2128 $self->{vars}->{ad_dc_ntvfs} = $env;
2133 sub setup_chgdcpass($$)
2135 my ($self, $path) = @_;
2137 my $env = $self->provision_chgdcpass($path);
2139 $self->check_or_start($env, "single");
2141 $self->wait_for_start($env);
2143 $self->{vars}->{chgdcpass} = $env;
2148 sub setup_fl2000dc($$)
2150 my ($self, $path) = @_;
2152 my $env = $self->provision_fl2000dc($path);
2154 $self->check_or_start($env, "single");
2156 $self->wait_for_start($env);
2158 $self->{vars}->{fl2000dc} = $env;
2164 sub setup_fl2003dc($$$)
2166 my ($self, $path, $dc_vars) = @_;
2168 my $env = $self->provision_fl2003dc($path);
2171 $self->check_or_start($env, "single");
2173 $self->wait_for_start($env);
2175 $env = $self->setup_trust($env, $dc_vars, "external", "--no-aes-keys");
2177 $self->{vars}->{fl2003dc} = $env;
2182 sub setup_fl2008r2dc($$$)
2184 my ($self, $path, $dc_vars) = @_;
2186 my $env = $self->provision_fl2008r2dc($path);
2189 $self->check_or_start($env, "single");
2191 $self->wait_for_start($env);
2193 my $upn_array = ["$env->{REALM}.upn"];
2194 my $spn_array = ["$env->{REALM}.spn"];
2196 $self->setup_namespaces($env, $upn_array, $spn_array);
2198 $env = $self->setup_trust($env, $dc_vars, "forest", "");
2200 $self->{vars}->{fl2008r2dc} = $env;
2206 sub setup_vampire_dc($$$)
2208 my ($self, $path, $dc_vars) = @_;
2210 my $env = $self->provision_vampire_dc($path, $dc_vars);
2213 $self->check_or_start($env, "single");
2215 $self->wait_for_start($env);
2217 $self->{vars}->{vampire_dc} = $env;
2219 # force replicated DC to update repsTo/repsFrom
2220 # for vampired partitions
2221 my $samba_tool = Samba::bindir_path($self, "samba-tool");
2223 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
2224 if (defined($env->{RESOLV_WRAPPER_CONF})) {
2225 $cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
2227 $cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
2229 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
2230 $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}";
2231 $cmd .= " $env->{CONFIGURATION}";
2232 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
2233 unless (system($cmd) == 0) {
2234 warn("Failed to exec kcc\n$cmd");
2238 # as 'vampired' dc may add data in its local replica
2239 # we need to synchronize data between DCs
2240 my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
2242 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
2243 if (defined($env->{RESOLV_WRAPPER_CONF})) {
2244 $cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
2246 $cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
2248 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
2249 $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
2250 $cmd .= " $dc_vars->{CONFIGURATION}";
2251 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
2252 # replicate Configuration NC
2253 my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
2254 unless(system($cmd_repl) == 0) {
2255 warn("Failed to replicate\n$cmd_repl");
2258 # replicate Default NC
2259 $cmd_repl = "$cmd \"$base_dn\"";
2260 unless(system($cmd_repl) == 0) {
2261 warn("Failed to replicate\n$cmd_repl");
2269 sub setup_promoted_dc($$$)
2271 my ($self, $path, $dc_vars) = @_;
2273 my $env = $self->provision_promoted_dc($path, $dc_vars);
2276 $self->check_or_start($env, "single");
2278 $self->wait_for_start($env);
2280 $self->{vars}->{promoted_dc} = $env;
2282 # force source and replicated DC to update repsTo/repsFrom
2283 # for vampired partitions
2284 my $samba_tool = Samba::bindir_path($self, "samba-tool");
2286 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
2287 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
2288 $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
2289 $cmd .= " $env->{CONFIGURATION}";
2290 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
2291 unless (system($cmd) == 0) {
2292 warn("Failed to exec kcc\n$cmd");
2296 my $samba_tool = Samba::bindir_path($self, "samba-tool");
2298 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
2299 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
2300 $cmd .= " $samba_tool drs kcc $env->{SERVER}";
2301 $cmd .= " $env->{CONFIGURATION}";
2302 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
2303 unless (system($cmd) == 0) {
2304 warn("Failed to exec kcc\n$cmd");
2308 # as 'vampired' dc may add data in its local replica
2309 # we need to synchronize data between DCs
2310 my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
2311 $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
2312 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
2313 $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
2314 $cmd .= " $dc_vars->{CONFIGURATION}";
2315 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
2316 # replicate Configuration NC
2317 my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
2318 unless(system($cmd_repl) == 0) {
2319 warn("Failed to replicate\n$cmd_repl");
2322 # replicate Default NC
2323 $cmd_repl = "$cmd \"$base_dn\"";
2324 unless(system($cmd_repl) == 0) {
2325 warn("Failed to replicate\n$cmd_repl");
2333 sub setup_subdom_dc($$$)
2335 my ($self, $path, $dc_vars) = @_;
2337 my $env = $self->provision_subdom_dc($path, $dc_vars);
2340 $self->check_or_start($env, "single");
2342 $self->wait_for_start($env);
2344 $self->{vars}->{subdom_dc} = $env;
2346 # force replicated DC to update repsTo/repsFrom
2347 # for primary domain partitions
2348 my $samba_tool = Samba::bindir_path($self, "samba-tool");
2350 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
2351 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
2352 $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
2353 $cmd .= " $env->{CONFIGURATION}";
2354 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} --realm=$dc_vars->{DC_REALM}";
2355 unless (system($cmd) == 0) {
2356 warn("Failed to exec kcc\n$cmd");
2360 # as 'subdomain' dc may add data in its local replica
2361 # we need to synchronize data between DCs
2362 my $base_dn = "DC=".join(",DC=", split(/\./, $env->{REALM}));
2363 my $config_dn = "CN=Configuration,DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
2364 $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
2365 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
2366 $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SUBDOM_DC_SERVER}";
2367 $cmd .= " $dc_vars->{CONFIGURATION}";
2368 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} --realm=$dc_vars->{DC_REALM}";
2369 # replicate Configuration NC
2370 my $cmd_repl = "$cmd \"$config_dn\"";
2371 unless(system($cmd_repl) == 0) {
2372 warn("Failed to replicate\n$cmd_repl");
2375 # replicate Default NC
2376 $cmd_repl = "$cmd \"$base_dn\"";
2377 unless(system($cmd_repl) == 0) {
2378 warn("Failed to replicate\n$cmd_repl");
2388 my ($self, $path, $dc_vars) = @_;
2390 my $env = $self->provision_rodc($path, $dc_vars);
2396 $self->check_or_start($env, "single");
2398 $self->wait_for_start($env);
2400 # force source and replicated DC to update repsTo/repsFrom
2401 # for vampired partitions
2402 my $samba_tool = Samba::bindir_path($self, "samba-tool");
2404 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
2405 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
2406 $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}";
2407 $cmd .= " $env->{CONFIGURATION}";
2408 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
2409 unless (system($cmd) == 0) {
2410 warn("Failed to exec kcc\n$cmd");
2414 my $samba_tool = Samba::bindir_path($self, "samba-tool");
2416 $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
2417 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
2418 $cmd .= " $samba_tool drs kcc -k no $env->{SERVER}";
2419 $cmd .= " $env->{CONFIGURATION}";
2420 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
2421 unless (system($cmd) == 0) {
2422 warn("Failed to exec kcc\n$cmd");
2426 my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
2427 $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
2428 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
2429 $cmd .= " $samba_tool drs replicate $env->{SERVER} $env->{DC_SERVER}";
2430 $cmd .= " $dc_vars->{CONFIGURATION}";
2431 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
2432 # replicate Configuration NC
2433 my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
2434 unless(system($cmd_repl) == 0) {
2435 warn("Failed to replicate\n$cmd_repl");
2438 # replicate Default NC
2439 $cmd_repl = "$cmd \"$base_dn\"";
2440 unless(system($cmd_repl) == 0) {
2441 warn("Failed to replicate\n$cmd_repl");
2445 $self->{vars}->{rodc} = $env;
2452 my ($self, $path, $no_nss) = @_;
2454 # If we didn't build with ADS, pretend this env was never available
2455 if (not $self->{target3}->have_ads()) {
2459 my $env = $self->provision_ad_dc($path);
2464 if (defined($no_nss) and $no_nss) {
2465 $env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
2466 $env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
2469 $self->check_or_start($env, "single");
2471 $self->wait_for_start($env);
2473 my $upn_array = ["$env->{REALM}.upn"];
2474 my $spn_array = ["$env->{REALM}.spn"];
2476 $self->setup_namespaces($env, $upn_array, $spn_array);
2478 $self->{vars}->{ad_dc} = $env;
git.samba.org / sfrench / samba-autobuild / .git / blob