The branch, master has been updated via 6a029cd autobuild: push of ref/notes/commits isn't allowed in master via 176ecce s4-provision: wipe the old keytabs when provisioning via 67a0461 s4-rodc: fixed the keyVersionNumber on the RODC account in secrets.keytab via 75a542a s4-drs: put the GCSPN flag into the repsTo if requested via 87f67d3 s4-libnet: wipe the old keytab when exporting via 57f6770 s4-dsdb: silence the domainFunctionality not setup warning from e90b964 autobuild: added much better email reporting
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 6a029cd9ca662863724920030bb3a325cee28691 Author: Andrew Tridgell <tri...@samba.org> Date: Thu Sep 30 14:42:02 2010 -0700 autobuild: push of ref/notes/commits isn't allowed in master metze may enable this later Autobuild-User: Andrew Tridgell <tri...@samba.org> Autobuild-Date: Thu Sep 30 22:25:02 UTC 2010 on sn-devel-104 commit 176ecce9a661c9145620c3f7af9d13025ed0616c Author: Andrew Tridgell <tri...@samba.org> Date: Thu Sep 30 12:45:00 2010 -0700 s4-provision: wipe the old keytabs when provisioning Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> commit 67a04613e9106f9ab6c014c57a971d75854908f7 Author: Andrew Tridgell <tri...@samba.org> Date: Thu Sep 30 12:44:39 2010 -0700 s4-rodc: fixed the keyVersionNumber on the RODC account in secrets.keytab we need to fetch the msDS-keyVersionNumber from the writeable DC Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> commit 75a542a1d93f6f015d866a01d25d5978e9b32583 Author: Andrew Tridgell <tri...@samba.org> Date: Thu Sep 30 12:43:45 2010 -0700 s4-drs: put the GCSPN flag into the repsTo if requested Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> commit 87f67d336919172845f53067c67d1eab8e7ef18a Author: Andrew Tridgell <tri...@samba.org> Date: Thu Sep 30 12:43:14 2010 -0700 s4-libnet: wipe the old keytab when exporting this prevents confusion with old keytab entries Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> commit 57f67701a694b03f7c227c0f58729bf6d3733bbc Author: Andrew Tridgell <tri...@samba.org> Date: Thu Sep 30 12:42:35 2010 -0700 s4-dsdb: silence the domainFunctionality not setup warning ----------------------------------------------------------------------- Summary of changes: script/autobuild.py | 4 +++- source4/dsdb/common/util.c | 3 ++- source4/libnet/libnet_export_keytab.c | 2 ++ source4/rpc_server/drsuapi/getncchanges.c | 6 ++++++ 
source4/rpc_server/drsuapi/updaterefs.c | 2 ++ source4/scripting/python/samba/join.py | 7 +++++-- source4/scripting/python/samba/provision.py | 20 ++++++++++++++++---- source4/scripting/python/samba/tests/provision.py | 16 +++++++++++++--- 8 files changed, 49 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/script/autobuild.py b/script/autobuild.py index 62cef69..f1e29a7 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -270,7 +270,9 @@ def rebase_tree(url): def push_to(url): print("Pushing to %s" % url) if options.mark: - run_cmd("EDITOR=script/commit_mark.sh git notes edit HEAD", dir=test_master) + run_cmd("EDITOR=script/commit_mark.sh git commit --amend -c HEAD", dir=test_master) + # the notes method doesn't work yet, as metze hasn't allowed refs/notes/* in master + # run_cmd("EDITOR=script/commit_mark.sh git notes edit HEAD", dir=test_master) run_cmd("git remote add -t master pushto %s" % url, show=True, dir=test_master) run_cmd("git push pushto +HEAD:master", show=True, dir=test_master) diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index a5d0f60..3259eab 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -3059,7 +3059,8 @@ int dsdb_functional_level(struct ldb_context *ldb) int *domainFunctionality = talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int); if (!domainFunctionality) { - DEBUG(0,(__location__ ": WARNING: domainFunctionality not setup\n")); + /* this is expected during initial provision */ + DEBUG(4,(__location__ ": WARNING: domainFunctionality not setup\n")); return DS_DOMAIN_FUNCTION_2000; } return *domainFunctionality; diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c index f7ab88f..e8a0a13 100644 --- a/source4/libnet/libnet_export_keytab.c +++ b/source4/libnet/libnet_export_keytab.c 
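Review bot: `git commit --amend -c HEAD` in push_to rewrites HEAD in test_master, so the commit that `git push pushto +HEAD:master` publishes has a different SHA from the one the build presumably ran against, even though only the message should change. If that is intended, record it above the amend, e.g. `# amend only rewrites the commit message; the tested tree is unchanged`. The commented-out `git notes edit` call would read better as a `# TODO:` naming the missing refs/notes/* permission than as dead code.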
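Review bot: Lowering this message to DEBUG level 4 hides it for every caller of dsdb_functional_level(), not only during initial provision. A server that reaches this branch after provisioning now falls back to DS_DOMAIN_FUNCTION_2000 with no log line at default verbosity, and any caller that gates behaviour on the returned level (none are visible in this hunk) would quietly get 2000-level behaviour. If the provision case cannot be told apart here, the comment should at least say so, e.g. `/* expected during initial provision; anywhere else it means the functional level was never loaded */`.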
@@ -45,6 +45,8 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s return NT_STATUS_NO_MEMORY; } + unlink(r->in.keytab_name); + ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name); if(ret) { r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context, diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index c04a8c7..54b0430 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -1589,6 +1589,12 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ ureq.options = DRSUAPI_DRS_ADD_REF | DRSUAPI_DRS_ASYNC_OP | DRSUAPI_DRS_GETCHG_CHECK; + + /* we also need to pass through the + DRSUAPI_DRS_REF_GCSPN bit so that repsTo gets flagged + to send notifies using the GC SPN */ + ureq.options |= (req10->replica_flags & DRSUAPI_DRS_REF_GCSPN); + werr = drsuapi_UpdateRefs(b_state, mem_ctx, &ureq); if (!W_ERROR_IS_OK(werr)) { DEBUG(0,(__location__ ": Failed UpdateRefs in DsGetNCChanges - %s\n", diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c index d628388..a089586 100644 --- a/source4/rpc_server/drsuapi/updaterefs.c +++ b/source4/rpc_server/drsuapi/updaterefs.c @@ -66,6 +66,8 @@ static WERROR uref_add_dest(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, ZERO_STRUCT(reps.r[reps.count]); reps.r[reps.count].version = 1; reps.r[reps.count].ctr.ctr1 = *dest; + /* add the GCSPN flag if the client asked for it */ + reps.r[reps.count].ctr.ctr1.replica_flags |= (options & DRSUAPI_DRS_REF_GCSPN); reps.count++; werr = dsdb_savereps(sam_ctx, mem_ctx, dn, "repsTo", reps.r, reps.count); diff --git a/source4/scripting/python/samba/join.py b/source4/scripting/python/samba/join.py index 34f3ebb..6cd18b4 100644 --- a/source4/scripting/python/samba/join.py +++ b/source4/scripting/python/samba/join.py 
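Review bot: The return value of `unlink(r->in.keytab_name)` is ignored, so a removal that fails for any reason other than the file being absent (permissions, the name being a directory, a name carrying a keytab type prefix) goes unnoticed. kt_copy() would then write into the existing file, and the old entries this commit means to remove would presumably stay in place. Check the result and fail the export instead: `if (unlink(r->in.keytab_name) != 0 && errno != ENOENT) {`, then set r->out.error_string and return an error status. The body of libnet_export_keytab starts and ends outside the hunk.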
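Review bot: The bit OR-ed into `ureq.options` comes straight from the client's request (`req10->replica_flags`) and, through the matching change to uref_add_dest in updaterefs.c, is stored in repsTo, where per the added comment it selects the SPN used for later notifies. The mask limits it to one bit, which is right; the comment should state that this is the only client-supplied flag let through, e.g. `/* only REF_GCSPN is taken from the client; every other option is fixed above */`. Both hunks also rely on DRSUAPI_DRS_REF_GCSPN having the same bit value in `options` and in `replica_flags`, which is worth a short comment next to the `|=` in uref_add_dest. Both function bodies extend outside their hunks.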
@@ -119,7 +119,7 @@ def join_rodc(server=None, creds=None, lp=None, site=None, netbios_name=None, "useraccountcontrol" : str(samba.dsdb.UF_NORMAL_ACCOUNT | samba.dsdb.UF_ACCOUNTDISABLE), "showinadvancedviewonly" : "TRUE", - "description" : "tricky account"} + "description" : "krbtgt for %s" % ctx.samname} ctx.samdb.add(rec, ["rodc_join:1:1"]) # now we need to search for the samAccountName attribute on the krbtgt DN, @@ -210,6 +210,8 @@ def join_rodc(server=None, creds=None, lp=None, site=None, netbios_name=None, ctx.acct_pass, force_change_at_next_login=False, username=ctx.samname) + res = ctx.samdb.search(base=ctx.acct_dn, scope=ldb.SCOPE_BASE, attrs=["msDS-keyVersionNumber"]) + ctx.key_version_number = res[0]["msDS-keyVersionNumber"] def join_provision(ctx): @@ -281,7 +283,8 @@ def join_rodc(server=None, creds=None, lp=None, site=None, netbios_name=None, netbiosname=ctx.myname, domainsid=security.dom_sid(ctx.domsid), machinepass=ctx.acct_pass, - secure_channel_type=misc.SEC_CHAN_RODC) + secure_channel_type=misc.SEC_CHAN_RODC, + key_version_number=ctx.key_version_number) diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 9e22d58..1d0abf4 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -389,6 +389,7 @@ def provision_paths_from_lp(lp, dnsdomain): # This is stored without path prefix for the "privateKeytab" attribute in # "secrets_dns.ldif". paths.dns_keytab = "dns.keytab" + paths.keytab = "secrets.keytab" paths.shareconf = os.path.join(paths.private_dir, "share.ldb") paths.samdb = os.path.join(paths.private_dir, lp.get("sam database") or "samdb.ldb") 
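Review bot: In the @@ -210 hunk, `res[0]["msDS-keyVersionNumber"]` is stored as whatever ldb returns for the attribute (presumably a message element rather than an int) and is indexed without checking that the writeable DC returned it. A missing attribute raises KeyError at this line, and a non-integer value is handed on as `key_version_number=ctx.key_version_number` in the @@ -281 hunk. Convert and validate where it is fetched: `ctx.key_version_number = int(res[0]["msDS-keyVersionNumber"][0])`, with an explicit error when the attribute is absent. The enclosing function begins outside the hunk, so it cannot be confirmed from here that this assignment runs on every path before join_provision reads `ctx.key_version_number`.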
@@ -781,7 +782,7 @@ def secretsdb_setup_dns(secretsdb, setup_path, names, private_dir, }) -def setup_secretsdb(path, setup_path, session_info, backend_credentials, lp): +def setup_secretsdb(paths, setup_path, session_info, backend_credentials, lp): """Setup the secrets database. :note: This function does not handle exceptions and transaction on purpose, @@ -794,8 +795,19 @@ def setup_secretsdb(path, setup_path, session_info, backend_credentials, lp): :param lp: Loadparm context :return: LDB handle for the created secrets database """ - if os.path.exists(path): - os.unlink(path) + if os.path.exists(paths.secrets): + os.unlink(paths.secrets) + + keytab_path = os.path.join(paths.private_dir, paths.keytab) + if os.path.exists(keytab_path): + os.unlink(keytab_path) + + dns_keytab_path = os.path.join(paths.private_dir, paths.dns_keytab) + if os.path.exists(dns_keytab_path): + os.unlink(dns_keytab_path) + + path = paths.secrets + secrets_ldb = Ldb(path, session_info=session_info, lp=lp) secrets_ldb.erase() @@ -1513,7 +1525,7 @@ def provision(setup_dir, logger, session_info, share_ldb.load_ldif_file_add(setup_path("share.ldif")) logger.info("Setting up secrets.ldb") - secrets_ldb = setup_secretsdb(paths.secrets, setup_path, + secrets_ldb = setup_secretsdb(paths, setup_path, session_info=session_info, backend_credentials=provision_backend.secrets_credentials, lp=lp) diff --git a/source4/scripting/python/samba/tests/provision.py b/source4/scripting/python/samba/tests/provision.py index 37b256a..58bb030 100644 --- a/source4/scripting/python/samba/tests/provision.py +++ b/source4/scripting/python/samba/tests/provision.py @@ -18,7 +18,7 @@ # import os -from samba.provision import setup_secretsdb, findnss +from samba.provision import setup_secretsdb, findnss, ProvisionPaths import samba.tests from samba.tests import env_loadparm, TestCase 
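Review bot: In the @@ -794 hunk each of the three removals is an `os.path.exists()` check followed by `os.unlink()`, which is racy and repeats the same two lines three times. Unlinking directly and ignoring only ENOENT is shorter and still stops provision when an old secrets database or keytab cannot be removed (this needs `errno` in scope). The docstring should also be brought in line with the renamed first parameter, since setup_secretsdb now takes a paths object rather than a path string; its `:param` lines are only partly visible in the hunk.

```python
def setup_secretsdb(paths, setup_path, session_info, backend_credentials, lp):
    # … unchanged: docstring …
    stale = (paths.secrets,
             os.path.join(paths.private_dir, paths.keytab),
             os.path.join(paths.private_dir, paths.dns_keytab))
    for name in stale:
        try:
            os.unlink(name)
        except OSError as e:
            # a file that was never there is fine; any other failure must
            # stop provision so old key material is not left behind
            if e.errno != errno.ENOENT:
                raise

    path = paths.secrets
    # … unchanged: Ldb() open and erase …
```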
@@ -36,7 +36,12 @@ def create_dummy_secretsdb(path, lp=None): """ if lp is None: lp = env_loadparm() - secrets_ldb = setup_secretsdb(path, setup_path, None, None, lp=lp) + paths = ProvisionPaths() + paths.secrets = path + paths.private_dir = os.path.dirname(path) + paths.keytab = "no.keytab" + paths.dns_keytab = "no.dns.keytab" + secrets_ldb = setup_secretsdb(paths, setup_path, None, None, lp=lp) secrets_ldb.transaction_commit() return secrets_ldb @@ -47,7 +52,12 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir): def test_setup_secretsdb(self): path = os.path.join(self.tempdir, "secrets.ldb") - ldb = setup_secretsdb(path, setup_path, None, None, lp=env_loadparm()) + paths = ProvisionPaths() + paths.secrets = path + paths.private_dir = os.path.dirname(path) + paths.keytab = "no.keytab" + paths.dns_keytab = "no.dns.keytab" + ldb = setup_secretsdb(paths, setup_path, None, None, lp=env_loadparm()) try: self.assertEquals("LSA Secrets", ldb.searchone(basedn="CN=LSA Secrets", attribute="CN")) -- Samba Shared Repository
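Review bot: Both updated callers set `paths.keytab` and `paths.dns_keytab` to names that never exist (`"no.keytab"`, `"no.dns.keytab"`), so the new removal of old keytabs in setup_secretsdb is not exercised by either test. Add a case that creates a file at `os.path.join(paths.private_dir, paths.keytab)` before the call and asserts `not os.path.exists(...)` afterwards. The same five-line ProvisionPaths setup appears in create_dummy_secretsdb and again in test_setup_secretsdb (the @@ -47 hunk) and could be one small helper.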