Merge branch 'master' of git://git.samba.org/samba
authorNadezhda Ivanova <nadezhda.ivanova@postpath.com>
Mon, 21 Sep 2009 00:43:46 +0000 (17:43 -0700)
committerNadezhda Ivanova <nadezhda.ivanova@postpath.com>
Mon, 21 Sep 2009 00:43:46 +0000 (17:43 -0700)
source4/dsdb/common/util.c
source4/dsdb/samdb/ldb_modules/tests/samba3sam.py
source4/lib/ldb/tests/python/sec_descriptor.py [changed mode: 0644->0755]
source4/scripting/python/samba/samdb.py
source4/selftest/skip
source4/setup/domainlevel
source4/setup/newuser
source4/setup/setexpiry
source4/smbd/server.c
testprogs/blackbox/test_kinit.sh

index 39fdfe94a502f1eb39d7209af33e57d2ff13864d..1fe5979c694860fafe6f4bb42a918cdcaf8f8348 100644 (file)
@@ -1432,6 +1432,63 @@ struct ldb_dn *samdb_server_site_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx
        return server_site_dn;
 }
 
+/*
+ * This works out if we are running on a supported forest/domain function
+ * level. Basically this means that we don't support mixed/interim (NT 4 DC
+ * support) levels.
+ * If errmsg isn't NULL we write in an adequate error message for printing out
+ * to the screen.
+ */
+bool samdb_is_capable_dc(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
+       char **errmsg)
+{
+       int32_t level_forest, level_domain, level_domain_mixed;
+       bool ret = true;
+
+       level_forest = (int32_t) samdb_search_int64(ldb, mem_ctx, -1,
+               samdb_partitions_dn(ldb, mem_ctx), "msDS-Behavior-Version",
+               NULL);
+       level_domain = (int32_t) samdb_search_int64(ldb, mem_ctx, -1,
+               samdb_base_dn(ldb), "msDS-Behavior-Version", NULL);
+       level_domain_mixed = (int32_t) samdb_search_int64(ldb, mem_ctx, -1,
+               samdb_base_dn(ldb), "nTMixedDomain", NULL);
+
+       if (errmsg != NULL)
+               *errmsg = talloc_asprintf(mem_ctx, "");
+
+       if (level_forest == -1 || level_domain == -1 || level_domain_mixed == -1) {
+               ret = false;
+               if (errmsg != NULL)
+                       *errmsg = talloc_strdup_append(*errmsg,
+                               "\nATTENTION: Invalid values for forest and/or domain function level!"
+                       );
+       }
+
+       if (level_forest == DS_DOMAIN_FUNCTION_2003_MIXED) {
+               ret = false;
+               if (errmsg != NULL)
+                       *errmsg = talloc_strdup_append(*errmsg,
+                               "\nATTENTION: You run SAMBA 4 on the 2003 with mixed domains (NT4 DC support) forest level. This isn't supported!"
+                       );
+       }
+       if ((level_domain == DS_DOMAIN_FUNCTION_2000 && level_domain_mixed != 0)
+               || level_domain == DS_DOMAIN_FUNCTION_2003_MIXED) {
+               ret = false;
+               if (errmsg != NULL)
+                       *errmsg = talloc_strdup_append(*errmsg,
+                               "\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) domain level. This isn't supported!"
+                       );
+       }
+
+       if ((!ret) && (errmsg != NULL)) {
+               *errmsg = talloc_strdup_append(*errmsg,
+                       "\nPlease raise the domain and/or forest level to an adequate value. Use for this the 'domainlevel' tool, the MS AD MMC tools or manipulate the needed attributes directly."
+               );
+       }
+
+       return ret;
+}
+
 /*
   work out if we are the PDC for the domain of the current open ldb
 */
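Review bot: None of the allocations that build `*errmsg` in samdb_is_capable_dc() are checked, so under memory pressure a caller can get `false` back with `*errmsg == NULL` and pass that to a print routine. I would initialise with `*errmsg = talloc_strdup(mem_ctx, "");` rather than a zero-length format string to `talloc_asprintf`. The header comment should also state that `*errmsg` is allocated on `mem_ctx` even on success (as an empty string) and may be NULL if allocation failed. If I read talloc correctly, `talloc_strdup_append` on a NULL string starts a new string outside `mem_ctx`, so a failed first allocation may also leave later messages parented to the wrong context; please confirm. The DN returned by `samdb_partitions_dn(ldb, mem_ctx)` is passed straight into `samdb_search_int64` without a NULL check; the `-1` default probably makes this fail closed, but a short comment saying so would help.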
index 75aaeb7366e666d32f93702ada0007705cb8c414..fe96b8822133ea7a8b1bf6f22cf5bbdaa0ba4552 100644 (file)
@@ -323,8 +323,6 @@ nextRid: y
 lastLogon: x
 description: x
 objectSid: S-1-5-21-4231626423-2410014848-2360679739-552
-primaryGroupID: 1-5-21-4231626423-2410014848-2360679739-512
-
 """)
 
         self.ldb.add({
@@ -486,11 +484,8 @@ primaryGroupID: 1-5-21-4231626423-2410014848-2360679739-512
         self.assertEquals(str(res[0]["lastLogon"]), "x")
         self.assertEquals(str(res[0]["primaryGroupID"]), "512")
 
-        # TODO: There should actually be two results, A and X.  The
-        # primaryGroupID of X seems to get corrupted somewhere, and the
-        # objectSid isn't available during the generation of remote (!) data,
-        # which can be observed with the following search.  Also note that Xs
-        # objectSid seems to be fine in the previous search for objectSid... */
+        # Note that Xs "objectSid" seems to be fine in the previous search for
+        # "objectSid"...
         #res = ldb.search(expression="(primaryGroupID=*)", NULL, ldb. SCOPE_DEFAULT, attrs)
         #print len(res) + " results found"
         #for i in range(len(res)):
old mode 100644 (file)
new mode 100755 (executable)
index 71c17d1..155b65f
@@ -24,11 +24,11 @@ from samba.ndr import ndr_pack, ndr_unpack
 from samba.dcerpc import security
 
 from samba.auth import system_session
-from samba import Ldb, DS_BEHAVIOR_WIN2008
+from samba import Ldb, DS_DOMAIN_FUNCTION_2008
 from subunit import SubunitTestRunner
 import unittest
 
-parser = optparse.OptionParser("ldap [options] <host>")
+parser = optparse.OptionParser("sec_descriptor [options] <host>")
 sambaopts = options.SambaOptions(parser)
 parser.add_option_group(sambaopts)
 parser.add_option_group(options.VersionOptions(parser))
@@ -377,7 +377,7 @@ changetype: add
 member: """ + user_dn
             self.ldb_admin.modify_ldif(ldif)
         self.results = {
-            # msDS-Behavior-Version < DS_BEHAVIOR_WIN2008
+            # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
             "ds_behavior_win2003" : {
                 "100" : "O:EAG:DU",
                 "101" : "O:DAG:DU",
@@ -484,7 +484,7 @@ member: """ + user_dn
         res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
                 attrs=['msDS-Behavior-Version'])
         res = int(res[0]['msDS-Behavior-Version'][0])
-        if res < DS_BEHAVIOR_WIN2008:
+        if res < DS_DOMAIN_FUNCTION_2008:
             self.DS_BEHAVIOR = "ds_behavior_win2003"
         else:
             self.DS_BEHAVIOR = "ds_behavior_win2008"
index 28352f202f7bdff6bb1f1396be9b44136abafb2c..239dd6a6ea4f44397da2b4d70c078f97f3ce6036 100644 (file)
@@ -107,15 +107,16 @@ pwdLastSet: 0
 """ % (user_dn)
         self.modify_ldif(mod)
 
-    def newuser(self, username, unixname, password, force_password_change_at_next_login=False):
+    def newuser(self, username, unixname, password, force_password_change_at_next_login_req=False):
         """Adds a new user
 
         Note: This call adds also the ID mapping for winbind; therefore it works
         *only* on SAMBA 4.
         
-        :param username: Name of the new user.
-        :param unixname: Name of the unix user to map to.
+        :param username: Name of the new user
+        :param unixname: Name of the unix user to map to
         :param password: Password for the new user
+        :param force_password_change_at_next_login_req: Force password change
         """
         self.transaction_start()
         try:
@@ -129,7 +130,7 @@ pwdLastSet: 0
 
             # Sets the password for it
             self.setpassword("(dn=" + user_dn + ")", password,
-              force_password_change_at_next_login)
+              force_password_change_at_next_login_req)
 
             # Gets the user SID (for the account mapping setup)
             res = self.search(user_dn, scope=ldb.SCOPE_BASE,
@@ -153,7 +154,7 @@ pwdLastSet: 0
             raise
         self.transaction_commit()
 
-    def setpassword(self, filter, password, force_password_change_at_next_login=False):
+    def setpassword(self, filter, password, force_password_change_at_next_login_req=False):
         """Sets the password for a user
         
         Note: This call uses the "userPassword" attribute to set the password.
@@ -162,7 +163,7 @@ pwdLastSet: 0
 
         :param filter: LDAP filter to find the user (eg samccountname=name)
         :param password: Password for the user
-        :param force_password_change_at_next_login: Force password change
+        :param force_password_change_at_next_login_req: Force password change
         """
         self.transaction_start()
         try:
@@ -180,8 +181,9 @@ userPassword:: %s
 
             self.modify_ldif(setpw)
 
-            if force_password_change_at_next_login:
-                self.force_password_change_at_next_login(user_dn)
+            if force_password_change_at_next_login_req:
+                self.force_password_change_at_next_login(
+                  "(dn=" + str(user_dn) + ")")
 
             #  modify the userAccountControl to remove the disabled bit
             self.enable_account(filter)
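Review bot: The new call builds its filter as `"(dn=" + str(user_dn) + ")"` with no escaping, so a DN containing filter metacharacters such as `(`, `)`, `*` or `\` would produce a malformed filter, or one that matches something other than the entry just modified. The same construction appears in newuser() in the `@@ -129,7 +130,7 @@` hunk (`"(dn=" + user_dn + ")"`). Since `user_dn` is already known here, it would be tighter to let `force_password_change_at_next_login` accept the DN and search it with base scope, or to escape the value before embedding it. At minimum I would add `# user_dn is embedded unescaped; filter metacharacters in the DN change the match`. The body of setpassword() starts and ends outside this hunk, so I cannot see how `user_dn` is obtained.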
@@ -190,24 +192,24 @@ userPassword:: %s
             raise
         self.transaction_commit()
 
-    def setexpiry(self, filter, expiry_seconds, noexpiry=False):
+    def setexpiry(self, filter, expiry_seconds, no_expiry_req=False):
         """Sets the account expiry for a user
         
         :param filter: LDAP filter to find the user (eg samccountname=name)
         :param expiry_seconds: expiry time from now in seconds
-        :param noexpiry: if set, then don't expire password
+        :param no_expiry_req: if set, then don't expire password
         """
         self.transaction_start()
         try:
             res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
                               expression=filter,
                               attrs=["userAccountControl", "accountExpires"])
-            assert len(res) == 1
+            assert(len(res) == 1)
             user_dn = res[0].dn
 
             userAccountControl = int(res[0]["userAccountControl"][0])
             accountExpires     = int(res[0]["accountExpires"][0])
-            if noexpiry:
+            if no_expiry_req:
                 userAccountControl = userAccountControl | 0x10000
                 accountExpires = 0
             else:
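Review bot: `assert(len(res) == 1)` is the only check that the caller-supplied `filter` matched exactly one account, and assertions are stripped when Python runs with `-O`. In that mode a filter matching several entries would silently change `userAccountControl` and `accountExpires` on whichever entry is returned first. I would replace it with an explicit check such as `if len(res) != 1: raise Exception("filter matched %d entries, expected exactly 1" % len(res))`. The parenthesised form is also a style hazard, because adding a message later as `assert(cond, "msg")` makes the assertion always true. The rest of setexpiry(), including its error path, lies outside this hunk.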
index c253e5cc338c8e5b758cfc5129d62465c0541ae8..aa57c6b1b4ae8d43501df0eae1da518a0dfe6305 100644 (file)
@@ -62,3 +62,5 @@ samba4.ntvfs.cifs.raw.
 nss.test                                               # Fails
 raw.offline                    # Samba 4 doesn't have much offline support yet
 rpc.autoidl  # this one just generates a lot of noise, and is no longer useful
+samba4.rpc.countcalls # this is not useful now we have full IDL
+samba4.rap.scan # same thing here - we have docs now
index 9386d199ac514fdb5f19d0dfd923df215fbac786..b49150ff2dafad65a3c92fdc2790e1577bb9ed19 100755 (executable)
@@ -41,7 +41,7 @@ credopts = options.CredentialsOptions(parser)
 parser.add_option_group(credopts)
 parser.add_option("--quiet", help="Be quiet", action="store_true")
 parser.add_option("--forest",
-  help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str)
+  help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support the 2003 with mixed domains (NT4 DC support) level.", type=str)
 parser.add_option("--domain",
   help="The domain function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str)
 opts, args = parser.parse_args()
@@ -69,48 +69,40 @@ res_forest = samdb.search("CN=Partitions,CN=Configuration," + domain_dn,
   scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"])
 assert(len(res_forest) == 1)
 
-res_forest_mixed = samdb.search("CN=" + lp.get("workgroup") +
-  ",CN=Partitions,CN=Configuration," + domain_dn,
-  scope=ldb.SCOPE_BASE, attrs=["nTMixedDomain"])
-assert(len(res_forest_mixed) == 1)
-
 res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
   attrs=["msDS-Behavior-Version", "nTMixedDomain"])
 assert(len(res_domain) == 1)
 
 try:
        level_forest = int(res_forest[0]["msDS-Behavior-Version"][0])
-       level_forest_mixed = int(res_forest_mixed[0]["nTMixedDomain"][0])
        level_domain = int(res_domain[0]["msDS-Behavior-Version"][0])
        level_domain_mixed = int(res_domain[0]["nTMixedDomain"][0])
 
        if level_forest < 0 or level_domain < 0:
                print "ERROR: Domain and/or forest functional level(s) is/are invalid. Correct them or reprovision!"
                sys.exit(1)
-       if level_forest > level_domain or (level_forest_mixed < level_domain_mixed):
+       if level_forest > level_domain:
                print "ERROR: Forest function level is higher than the domain level(s). That can't be. Correct this or reprovision!"
                sys.exit(1)
 except:
-       print "ERROR: Could not retrieve the actual domain and forest level!"
+       print "ERROR: Could not retrieve the actual domain and/or forest level!"
        if args[0] == "show":
                print "So the levels can't be displayed!"
        sys.exit(1)
 
 if args[0] == "show":
        message("Domain and forest function level for domain '" + domain_dn + "'")
-       if (level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed != 0) or level_forest == DS_DOMAIN_FUNCTION_2003_MIXED:
-               message("\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) forest level. This isn't supported! Please raise!")
+       if level_forest == DS_DOMAIN_FUNCTION_2003_MIXED:
+               message("\nATTENTION: You run SAMBA 4 on the 2003 with mixed domains (NT4 DC support) forest level. This isn't supported! Please raise!")
        if (level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed != 0) or level_domain == DS_DOMAIN_FUNCTION_2003_MIXED:
                message("\nATTENTION: You run SAMBA 4 on a mixed/interim (NT4 DC support) domain level. This isn't supported! Please raise!")
 
        message("")
 
-       if level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed != 0:
-               outstr = "2000 mixed (NT4 DC support)"
-       elif level_forest == DS_DOMAIN_FUNCTION_2000 and level_forest_mixed == 0:
+       if level_forest == DS_DOMAIN_FUNCTION_2000:
                outstr = "2000"
        elif level_forest == DS_DOMAIN_FUNCTION_2003_MIXED:
-               outstr = "2003 interim (NT4 DC support)"
+               outstr = "2003 with mixed domains/interim (NT4 DC support)"
        elif level_forest == DS_DOMAIN_FUNCTION_2003:
                outstr = "2003"
        elif level_forest == DS_DOMAIN_FUNCTION_2008:
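Review bot: The two validation branches inside the `try:` call `sys.exit(1)`, which raises `SystemExit`, and the bare `except:` below catches it. A user hitting "functional level(s) is/are invalid" or "Forest function level is higher than the domain level(s)" therefore also gets the unrelated "Could not retrieve the actual domain and/or forest level!" message. The bare `except:` swallows `KeyboardInterrupt` as well. I would keep only the four `int(...)` reads inside the `try:`, move the two `if` checks after it, and narrow the handler to something like `except (KeyError, IndexError, ValueError):`, once the exceptions ldb raises for a missing attribute are confirmed. The `show` branch continues outside this hunk.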
@@ -126,7 +118,7 @@ if args[0] == "show":
        elif level_domain == DS_DOMAIN_FUNCTION_2000 and level_domain_mixed == 0:
                outstr = "2000"
        elif level_domain == DS_DOMAIN_FUNCTION_2003_MIXED:
-               outstr = "2003 interim (NT4 DC support)"
+               outstr = "2003 with mixed domains/interim (NT4 DC support)"
        elif level_domain == DS_DOMAIN_FUNCTION_2003:
                outstr = "2003"
        elif level_domain == DS_DOMAIN_FUNCTION_2008:
@@ -193,7 +185,7 @@ elif args[0] == "raise":
                        print "ERROR: Wrong argument '" + arg + "'!"
                        sys.exit(1)
 
-               if new_level_forest <= level_forest and level_forest_mixed == 0:
+               if new_level_forest <= level_forest:
                        print "ERROR: Forest function level can't be smaller equal to the actual one!"
                        sys.exit(1)
 
@@ -201,15 +193,6 @@ elif args[0] == "raise":
                        print "ERROR: Forest function level can't be higher than the domain function level(s). Please raise it/them first!"
                        sys.exit(1)
 
-               # Deactivate mixed/interim forest support
-               if level_forest_mixed != 0:
-                       m = ldb.Message()
-                       m.dn = ldb.Dn(samdb, "CN=" + lp.get("workgroup")
-                         + ",CN=Partitions,CN=Configuration," + domain_dn)
-                       m["nTMixedDomain"] = ldb.MessageElement("0",
-                         ldb.FLAG_MOD_REPLACE, "nTMixedDomain")
-                       samdb.modify(m)
-
                m = ldb.Message()
                m.dn = ldb.Dn(samdb, "CN=Partitions,CN=Configuration,"
                  + domain_dn)
index 422677c301fb137a1f99abda1d5d4ddce020fcca..10af55a458afe973a3af2c4942d6777f8c96b9eb 100755 (executable)
@@ -60,4 +60,4 @@ creds = credopts.get_credentials(lp)
 
 samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
               credentials=creds, lp=lp)
-samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login=opts.must_change_at_next_login)
+samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login_req=opts.must_change_at_next_login)
index 6c6305ceaf6b9f219f388246b46c07e818e10e84..1572555b8cfab5de7f22202ca2e21f43648c2443 100755 (executable)
@@ -61,4 +61,4 @@ creds = credopts.get_credentials(lp)
 
 samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
               credentials=creds, lp=lp)
-samdb.setexpiry(filter, days*24*3600, noexpiry=opts.noexpiry)
+samdb.setexpiry(filter, days*24*3600, no_expiry_req=opts.noexpiry)
index a96991e6467c10d93c08f72c84bfc9baccde4b56..8aad26dd2c51c53d58b2442c8eaeb6e25255b238 100644 (file)
@@ -407,6 +407,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
        }
 
        DEBUG(0,("%s: using '%s' process model\n", binary_name, model));
+
        status = server_service_startup(event_ctx, cmdline_lp_ctx, model, 
                                        lp_server_services(cmdline_lp_ctx));
        if (!NT_STATUS_IS_OK(status)) {
@@ -425,7 +426,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
        return 0;
 }
 
- int main(int argc, const char *argv[])
+int main(int argc, const char *argv[])
 {
        return binary_smbd_main("samba", argc, argv);
 }
index 91f21f473b4e65248b6821240268590321f12cd8..0a15802a287df415366cc215810b0538dd27e3e1 100755 (executable)
@@ -69,7 +69,7 @@ echo $USERPASS > ./tmpuserpassfile
 
 testit "set user password with kerberos ccache" $VALGRIND $net password set $DOMAIN\\nettestuser $USERPASS $CONFIGURATION  -k yes $@ || failed=`expr $failed + 1`
 
-testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -H ldap://$SERVER -k yes $@ || failed=`expr $failed + 1`
+testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -k yes $@ || failed=`expr $failed + 1`
 
 KRB5CCNAME="$PREFIX/tmpuserccache"
 export KRB5CCNAME