The branch, master has been updated via cd3f552 s3-py-passdb: Fix handling of uninitialized gid values via 9318e00 dsdb: Fix the password expiry calculation via d0e9f22 s3-passdb_test: Policy values are converted to signed integer via 244ecc8 s4-s3-upgrade: Add --verbose option to print extra details via f93ec5a s4-auth log details about any token we fail to convert to a unix token via e6c77f5 s4-s3-upgrade: Fix idmap types ID_TYPE_UID/ID_TYPE_GID instead of UID/GID via 6a2a2df samba-tool: Fix the domain account policy max_pwd_age calculation via c48a2aa s4-s3-upgrade: Fix the minimum and maximum password age calculation via e80dbdc s4-s3-upgrade now look for -1 as the special 'not set' value from 32e825d s3/packaging: Fix rpm build issues on RHEL.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit cd3f552f4f632204edc8064a1ad332e703a28e72 Author: Amitay Isaacs <ami...@gmail.com> Date: Fri Nov 18 14:35:56 2011 +1100 s3-py-passdb: Fix handling of uninitialized gid values Uninitialized gid value is set to -1 and return as such from python passdb api. Autobuild-User: Amitay Isaacs <ami...@samba.org> Autobuild-Date: Fri Nov 18 06:18:33 CET 2011 on sn-devel-104 commit 9318e00a1fab1e6eda6495c44b69d95a980b1e5e Author: Amitay Isaacs <ami...@gmail.com> Date: Fri Nov 18 10:34:44 2011 +1100 dsdb: Fix the password expiry calculation As per Section 3.1.1.4.5.26 [MS-ADTS.pdf], password is expired if pwdLastSet = null, or pwdLastSet = 0, or (maxPwdAge != 0x8000000000000000 and (ST - pwdLastSet) > maxPwdAge) commit d0e9f22654be1c9972c5b5ba6b3ebe808f27c678 Author: Amitay Isaacs <ami...@gmail.com> Date: Fri Nov 18 09:55:38 2011 +1100 s3-passdb_test: Policy values are converted to signed integer No need to check value for 0xffffffff (4294967295). commit 244ecc844dc36584a01ec5248c68060f6bb97114 Author: Amitay Isaacs <ami...@gmail.com> Date: Thu Nov 17 18:51:14 2011 +1100 s4-s3-upgrade: Add --verbose option to print extra details commit f93ec5a0274b3b14a5ad2cff287fcb5e48d59731 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Nov 17 18:24:24 2011 +1100 s4-auth log details about any token we fail to convert to a unix token Now that entries are being added into the idmap DB from Samba3, and may be UID or GID but not BOTH, failures are more likely. 
Andrew Bartlett commit e6c77f523b8ed8332ecb4d50a6af7eaa7e6f19af Author: Amitay Isaacs <ami...@gmail.com> Date: Thu Nov 17 16:08:16 2011 +1100 s4-s3-upgrade: Fix idmap types ID_TYPE_UID/ID_TYPE_GID instead of UID/GID commit 6a2a2dfa5f510fcab964588c29c2991859bbc83f Author: Amitay Isaacs <ami...@gmail.com> Date: Thu Nov 17 09:34:57 2011 +1100 samba-tool: Fix the domain account policy max_pwd_age calculation Windows sets maxPwdAge to -0x8000000000000000 when maximum password age is set to 0 days. commit c48a2aa43854636763cd6472ceba7f0c70185689 Author: Amitay Isaacs <ami...@gmail.com> Date: Wed Nov 16 12:59:52 2011 +1100 s4-s3-upgrade: Fix the minimum and maximum password age calculation Windows sets maxPwdAge to -0x8000000000000000 when maximum password age is set to 0 days. commit e80dbdcab1831bd07e76863acaea4e356f71cf98 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Nov 16 16:51:06 2011 +1100 s4-s3-upgrade now look for -1 as the special 'not set' value this is possible because we know the py_passdb will always set -1 here, not passing though 0xFFFFFFFF. Andrew Bartlett ----------------------------------------------------------------------- Summary of changes: source3/passdb/py_passdb.c | 4 ++-- source4/auth/unix_token.c | 17 +++++++++++++++++ source4/dsdb/common/util.c | 2 +- source4/scripting/python/samba/netcmd/domain.py | 17 +++++++++++++---- source4/scripting/python/samba/tests/samba3.py | 4 ++-- source4/scripting/python/samba/upgrade.py | 18 +++++++++--------- 6 files changed, 44 insertions(+), 18 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c index de27839..46f2e90 100644 --- a/source3/passdb/py_passdb.c +++ b/source3/passdb/py_passdb.c 
@@ -975,7 +975,7 @@ static PyObject *py_groupmap_get_gid(PyObject *obj, void *closure)
 GROUP_MAP *group_map = (GROUP_MAP *)pytalloc_get_ptr(obj);
 PyObject *py_gid;
- py_gid = PyInt_FromLong(group_map->gid);
+ py_gid = Py_BuildValue("i", group_map->gid);
 return py_gid;
 }
@@ -2317,7 +2317,7 @@ static PyObject *py_pdb_get_account_policy(pytalloc_Object *self)
 type = account_policy_name_to_typenum(names[i]);
 status = methods->get_account_policy(methods, type, &value);
 if (NT_STATUS_IS_OK(status)) {
- PyDict_SetItemString(py_acct_policy, names[i], PyInt_FromLong(value));
+ PyDict_SetItemString(py_acct_policy, names[i], Py_BuildValue("i", value));
 }
 }
diff --git a/source4/auth/unix_token.c b/source4/auth/unix_token.c
index 765bf06..24f3226 100644
--- a/source4/auth/unix_token.c
+++ b/source4/auth/unix_token.c
@@ -78,6 +78,11 @@ NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx,
 } else if (ids[0].xid.type == ID_TYPE_UID) {
 (*sec)->uid = ids[0].xid.id;
 } else {
+ char *sid_str = dom_sid_string(mem_ctx, ids[0].sid);
+ DEBUG(0, ("Unable to convert first SID (%s) in user token to a UID. Conversion was returned as type %d, full token:\n",
+ sid_str, (int)ids[0].xid.type));
+ security_token_debug(0, 0, token);
+ talloc_free(sid_str);
 return NT_STATUS_INVALID_SID;
 }
@@ -87,6 +92,11 @@ NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx,
 (*sec)->groups[g] = ids[1].xid.id;
 g++;
 } else {
+ char *sid_str = dom_sid_string(mem_ctx, ids[1].sid);
+ DEBUG(0, ("Unable to convert second SID (%s) in user token to a GID. Conversion was returned as type %d, full token:\n",
+ sid_str, (int)ids[1].xid.type));
+ security_token_debug(0, 0, token);
+ talloc_free(sid_str);
 return NT_STATUS_INVALID_SID;
 }
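Review bot: In py_groupmap_get_gid, `Py_BuildValue("i", group_map->gid)` converts the gid through a C int, so it is not only the unset value that changes: assuming gid is an unsigned 32-bit gid_t, every gid at or above 0x80000000 now reaches Python as a negative number. The `g.gid != -1` check in upgrade.py, later in this commit, would pass such a value straight to add_idmap_entry. Mapping only the sentinel keeps real ids intact: `py_gid = (group_map->gid == (gid_t)-1) ? PyInt_FromLong(-1) : PyLong_FromUnsignedLong(group_map->gid);`.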
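Review bot: In py_pdb_get_account_policy, the object returned by `Py_BuildValue("i", value)` is handed directly to `PyDict_SetItemString`, which takes its own reference rather than stealing one, so each policy entry leaks a reference, and a NULL result from a failed allocation is passed on unchecked. Hold the value in a local, skip or fail on NULL, and release it after insertion with `Py_DECREF(py_value);`. The removed PyInt_FromLong call had the same shape, so this predates the commit, but the line is being rewritten here anyway. The loop and the function continue outside the hunk.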
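Review bot: `sid_str` is passed to the `%s` in DEBUG without a NULL check in the first security_token_to_unix_token hunk, and the same five lines are repeated in the two later hunks (second SID, and the loop over `ids[s]`); if dom_sid_string() fails to allocate, the error path formats a NULL pointer. A guard such as `sid_str ? sid_str : "(unknown SID)"` in the argument list avoids that. Since the three blocks differ only in the index and the UID/GID wording, a small static helper would keep them in step. The full token is also dumped at level 0 on every failure, which deserves a conscious decision given that the commit message expects such failures to become more likely.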
@@ -96,10 +106,17 @@ NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx,
 (*sec)->groups[g] = ids[s].xid.id;
 g++;
 } else {
+ char *sid_str = dom_sid_string(mem_ctx, ids[s].sid);
+ DEBUG(0, ("Unable to convert SID (%s) at index %u in user token to a GID. Conversion was returned as type %d, full token:\n",
+ sid_str, (unsigned int)s, (int)ids[s].xid.type));
+ security_token_debug(0, 0, token);
+ talloc_free(sid_str);
 return NT_STATUS_INVALID_SID;
 }
 }
+ DEBUG(5, ("Successfully converted security token to a unix token:"));
+ security_token_debug(0, 5, token);
 TALLOC_FREE(ids);
 return NT_STATUS_OK;
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index cae6bd4..826a1e4 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -505,7 +505,7 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
 maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn, "maxPwdAge", NULL);
- if (maxPwdAge == 0) {
+ if (maxPwdAge == 0 || maxPwdAge == -0x8000000000000000ULL) {
 return 0x7FFFFFFFFFFFFFFFULL;
 } else {
 attr_time -= maxPwdAge;
diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py
index f1ebf7e..0e6083a 100644
--- a/source4/scripting/python/samba/netcmd/domain.py
+++ b/source4/scripting/python/samba/netcmd/domain.py
@@ -386,7 +386,10 @@ class cmd_domain_passwordsettings(Command):
 cur_min_pwd_len = int(res[0]["minPwdLength"][0])
 # ticks -> days
 cur_min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
- cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
+ if int(res[0]["maxPwdAge"][0]) == -0x8000000000000000:
+ cur_max_pwd_age = 0
+ else:
+ cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
 except Exception, e:
 raise CommandError("Could not retrieve password properties!", e)
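Review bot: The success message `DEBUG(5, ("Successfully converted security token to a unix token:"));` has no trailing newline, unlike the three failure messages added in this commit, so the output of the following security_token_debug() call will likely start on the same log line. Suggest `DEBUG(5, ("Successfully converted security token to a unix token:\n"));`. The function body begins outside the hunk.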
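Review bot: `maxPwdAge == -0x8000000000000000ULL` compares through an unsigned constant: negating the ULL literal wraps back to 0x8000000000000000, and maxPwdAge (presumably int64_t, given samdb_search_int64) is converted to unsigned for the test. It gives the intended result but reads as a signed comparison and may draw sign-compare warnings; `if (maxPwdAge == 0 || maxPwdAge == INT64_MIN) {` says the same thing directly. A one-line comment citing the MS-ADTS section from the commit message would also help, since this branch is what disables password expiry domain-wide. The function body continues outside the hunk.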
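Review bot: The sentinel `-0x8000000000000000` is spelled out as a bare literal in cmd_domain_passwordsettings here, again in the `max_pwd_age == 0` branch further down this file, and in import_sam_policy in upgrade.py; a named constant with a comment saying it means "passwords never expire" would make the three sites easier to audit together. The attribute is also parsed twice in this hunk; reading it once, `max_pwd_age_raw = int(res[0]["maxPwdAge"][0])`, and testing that value keeps the two branches from drifting. The enclosing try block starts outside the hunk.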
@@ -482,7 +485,10 @@ class cmd_domain_passwordsettings(Command):
 raise CommandError("Maximum password age must be in the range of 0 to 999!")
 # days -> ticks
- max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
+ if max_pwd_age == 0:
+ max_pwd_age_ticks = -0x8000000000000000
+ else:
+ max_pwd_age_ticks = -int(max_pwd_age * (24 * 60 * 60 * 1e7))
 m["maxPwdAge"] = ldb.MessageElement(str(max_pwd_age_ticks), ldb.FLAG_MOD_REPLACE, "maxPwdAge")
@@ -522,6 +528,7 @@ class cmd_domain_samba3upgrade(Command):
 Option("--targetdir", type="string", metavar="DIR", help="Path prefix where the new Samba 4.0 AD domain should be initialised"),
 Option("--quiet", help="Be quiet", action="store_true"),
+ Option("--verbose", help="Be verbose", action="store_true"),
 Option("--use-xattrs", type="choice", choices=["yes","no","auto"], metavar="[yes|no|auto]", help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto"),
 ]
@@ -529,7 +536,7 @@ class cmd_domain_samba3upgrade(Command):
 takes_args = ["smbconf"]
 def run(self, smbconf=None, targetdir=None, dbdir=None, testparm=None,
- quiet=False, use_xattrs=None, sambaopts=None, versionopts=None):
+ quiet=False, verbose=False, use_xattrs=None, sambaopts=None, versionopts=None):
 if not os.path.exists(smbconf):
 raise CommandError("File %s does not exist" % smbconf)
@@ -544,7 +551,9 @@ class cmd_domain_samba3upgrade(Command):
 raise CommandError("Please specify either dbdir or testparm")
 logger = self.get_logger()
- if quiet:
+ if verbose:
+ logger.setLevel(logging.DEBUG)
+ elif quiet:
 logger.setLevel(logging.WARNING)
 else:
 logger.setLevel(logging.INFO)
diff --git a/source4/scripting/python/samba/tests/samba3.py b/source4/scripting/python/samba/tests/samba3.py
index fb1eb5a..e8852cd 100644
--- a/source4/scripting/python/samba/tests/samba3.py
+++ b/source4/scripting/python/samba/tests/samba3.py
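Review bot: `--verbose` silently wins when both `--verbose` and `--quiet` are given, because the new `if verbose:` branch in cmd_domain_samba3upgrade.run() is tested first. Rejecting the combination up front is clearer for an operator scripting the upgrade: `if verbose and quiet: raise CommandError("--verbose and --quiet are mutually exclusive")`. Since this path migrates account records, it is also worth confirming that no debug-level message in the upgrade code prints credential material; none is visible in this diff. The run() body continues outside the hunk.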
@@ -90,7 +90,7 @@ class PassdbTestCase(TestCaseInTempDir):
 def test_policy(self):
 policy = self.pdb.get_account_policy()
 self.assertEquals(0, policy['bad lockout attempt'])
- self.assertEquals(4294967295, policy['disconnect time'])
+ self.assertEquals(-1, policy['disconnect time'])
 self.assertEquals(0, policy['lockout duration'])
 self.assertEquals(999999999, policy['maximum password age'])
 self.assertEquals(0, policy['minimum password age'])
@@ -151,7 +151,7 @@ class PassdbTestCase(TestCaseInTempDir):
 def test_get_group(self):
 group = self.pdb.getgrsid(dom_sid("S-1-5-32-544"))
 self.assertEquals("Administrators", group.nt_name)
- self.assertEquals(4294967295, group.gid)
+ self.assertEquals(-1, group.gid)
 self.assertEquals(5, group.sid_name_use)
 def test_groupsids(self):
diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index 0636d2b..bf91201 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -60,15 +60,15 @@ def import_sam_policy(samdb, policy, logger):
 ldb.FLAG_MOD_REPLACE, 'pwdHistoryLength')
 min_pw_age_unix = policy['minimum password age']
- min_pw_age_nt = 0 - unix2nttime(min_pw_age_unix)
+ min_pw_age_nt = int(-min_pw_age_unix * (1e7 * 60 * 60 * 24))
 m['a03'] = ldb.MessageElement(str(min_pw_age_nt), ldb.FLAG_MOD_REPLACE, 'minPwdAge')
 max_pw_age_unix = policy['maximum password age']
- if (max_pw_age_unix == 0xFFFFFFFF):
- max_pw_age_nt = 0
+ if max_pw_age_unix == -1:
+ max_pw_age_nt = -0x8000000000000000
 else:
- max_pw_age_nt = unix2nttime(max_pw_age_unix)
+ max_pw_age_nt = int(-max_pw_age_unix * (1e7 * 60 * 60 * 24))
 m['a04'] = ldb.MessageElement(str(max_pw_age_nt), ldb.FLAG_MOD_REPLACE, 'maxPwdAge')
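Review bot: In import_sam_policy the new factor `(1e7 * 60 * 60 * 24)` treats the Samba3 policy value as a number of days, but the `_unix` variable names and the 999999999 that the passdb test in this commit expects for 'maximum password age' suggest the values are seconds. With that test value the product is about -8.6e20, which does not fit the signed 64-bit value that util.c reads with samdb_search_int64, so the imported expiry policy would be wrong or rejected. If the unit is indeed seconds, the conversion should be `max_pw_age_nt = -max_pw_age_unix * 10000000` (and likewise for `min_pw_age_nt`), which also keeps the arithmetic in integers. The function continues outside the hunk.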
@@ -91,7 +91,7 @@ def add_idmap_entry(idmapdb, sid, xid, xid_type, logger):
 :param idmapdb: Samba4 IDMAP database
 :param sid: user/group sid
 :param xid: user/group id
- :param xid_type: type of id (UID/GID)
+ :param xid_type: type of id (ID_TYPE_UID/ID_TYPE_GID)
 :param logger: Logger object
 """
@@ -237,7 +237,7 @@ def add_users_to_group(samdb, group, members, logger):
 samdb.modify(m)
 except ldb.LdbError, (ecode, emsg):
 if ecode == ldb.ERR_ENTRY_ALREADY_EXISTS:
- logger.info("skipped re-adding member '%s' to group '%s': %s", member_sid, group.sid, emsg)
+ logger.debug("skipped re-adding member '%s' to group '%s': %s", member_sid, group.sid, emsg)
 elif ecode == ldb.ERR_NO_SUCH_OBJECT:
 raise ProvisioningError("Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s" % (member_sid, group.sid, emsg))
 else:
@@ -674,8 +674,8 @@ Please fix this account before attempting to upgrade again
 logger.info("Importing groups")
 for g in grouplist:
 # Ignore uninitialized groups (gid = -1)
- if g.gid != 0xffffffff:
- add_idmap_entry(result.idmap, g.sid, g.gid, "GID", logger)
+ if g.gid != -1:
+ add_idmap_entry(result.idmap, g.sid, g.gid, "ID_TYPE_GID", logger)
 add_group_from_mapping_entry(result.samdb, g, logger)
 # Export users to samba4 backend
@@ -685,7 +685,7 @@ Please fix this account before attempting to upgrade again
 continue
 s4_passdb.add_sam_account(userdata[username])
 if username in uids:
- add_idmap_entry(result.idmap, userdata[username].user_sid, uids[username], "UID", logger)
+ add_idmap_entry(result.idmap, userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
 logger.info("Adding users to groups")
 for g in grouplist:
-- Samba Shared Repository