The branch, master has been updated via 051a1a9 samba-tool classicupgrade: Do not print the admin password during upgrade via 5e0fcb0 s4-idmap: Remove requirement that posixAccount or posixGroup be set for rfc2307 via c9d2ca5 selftest: Add test for rfc2307 mapping handling via 5812eb3 dsdb-acl: give error string if we can not obtain the schema via 99d872e s4-dbcheck: Allow forcing an override of an old @MODULES record from 213e726 build: Set LD_LIBRARY_PATH in install_with_python.sh
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 051a1a9c6417c2cbffa7d091ae477a6c7922d363 Author: Andrew Bartlett <abart...@samba.org> Date: Sat Dec 22 09:28:05 2012 +1100 samba-tool classicupgrade: Do not print the admin password during upgrade This changes the code to only set and show a new password if no admin user is found during the upgrade. Andrew Bartlett Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Thu Jan 10 16:55:23 CET 2013 on sn-devel-104 commit 5e0fcb04a48d96669ed4376bfa17f679e3582236 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Dec 26 20:48:12 2012 +1100 s4-idmap: Remove requirement that posixAccount or posixGroup be set for rfc2307 This change matches the source3/idmap/idmap_ad.c code, and allows this feature to work with only the setting of the UID/GID in Active Directory Users and Computers. 
Andrew Bartlett Reviewed-by: Stefan Metzmacher <me...@samba.org> commit c9d2ca585e198b1006bbf7f1a3c988c1188b66cb Author: Andrew Bartlett <abart...@samba.org> Date: Fri Dec 28 12:36:06 2012 +1100 selftest: Add test for rfc2307 mapping handling Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 5812eb3c1deac51891f01338b4771b1e397dc24d Author: Andrew Bartlett <abart...@samba.org> Date: Thu Jan 3 21:31:22 2013 +1100 dsdb-acl: give error string if we can not obtain the schema Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 99d872ee9261a299add4718c38234dfe9f7658fc Author: Andrew Bartlett <abart...@samba.org> Date: Thu Aug 23 15:18:13 2012 +1000 s4-dbcheck: Allow forcing an override of an old @MODULES record Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: nsswitch/tests/test_rfc2307_mapping.sh | 181 ++++++++++++++++++++++ selftest/selftest.pl | 5 +- selftest/target/Samba4.pm | 8 +- source4/dsdb/samdb/ldb_modules/acl.c | 5 +- source4/scripting/python/samba/dbchecker.py | 9 + source4/scripting/python/samba/netcmd/dbcheck.py | 24 +++- source4/scripting/python/samba/upgrade.py | 11 ++- source4/selftest/tests.py | 1 + source4/winbind/idmap.c | 9 +- testprogs/blackbox/dbcheck.sh | 5 + 10 files changed, 243 insertions(+), 15 deletions(-) create mode 100755 nsswitch/tests/test_rfc2307_mapping.sh Changeset truncated at 500 lines:
diff --git a/nsswitch/tests/test_rfc2307_mapping.sh b/nsswitch/tests/test_rfc2307_mapping.sh
new file mode 100755
index 0000000..f1e3ea9
--- /dev/null
+++ b/nsswitch/tests/test_rfc2307_mapping.sh
@@ -0,0 +1,181 @@
+#!/bin/sh
+# Blackbox test for wbinfo and rfc2307 mappings
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_rfc2307_mapping.sh DOMAIN USERNAME PASSWORD SERVER UID_RFC2307TEST GID_RFC2307TEST
+EOF
+exit 1;
+fi
+
+DOMAIN=$1
+USERNAME=$2
+PASSWORD=$3
+SERVER=$4
+UID_RFC2307TEST=$5
+GID_RFC2307TEST=$6
+shift 6
+
+failed=0
+samba4bindir="$BINDIR"
+wbinfo="$VALGRIND $samba4bindir/wbinfo"
+samba_tool="$VALGRIND $samba4bindir/samba-tool"
+ldbmodify="$samba4bindir/ldbmodify"
+
+. `dirname $0`/../../testprogs/blackbox/subunit.sh
+
+testfail() {
+ name="$1"
+ shift
+ cmdline="$*"
+ echo "test: $name"
+ $cmdline
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "failure: $name"
+ else
+ echo "success: $name"
+ fi
+ return $status
+}
+
+knownfail() {
+ name="$1"
+ shift
+ cmdline="$*"
+ echo "test: $name"
+ $cmdline
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "failure: $name [unexpected success]"
+ status=1
+ else
+ echo "knownfail: $name"
+ status=0
+ fi
+ return $status
+}
+
+
+# Create new testing account
+testit "user add" $samba_tool user create --given-name="rfc2307" --surname="Tester" --initial="UT" rfc2307_test_user testp@ssw0Rd $@
+
+#test creation of six different groups
+testit "group add" $samba_tool group add $CONFIG --group-scope='Domain' --group-type='Security' rfc2307_test_group $@
+
+# Create new testing group
+
+# Convert name to SID
+testit "wbinfo -n against $TARGET" $wbinfo -n "$DOMAIN/rfc2307_test_user" || failed=`expr $failed + 1`
+user_sid=`$wbinfo -n "$DOMAIN/rfc2307_test_user" | cut -d " " -f1`
+echo "$DOMAIN/rfc2307_test_user resolved to $user_sid"
+
+testit "wbinfo -s $user_sid against $TARGET" $wbinfo -s $user_sid || failed=`expr $failed + 1`
+user_name=`$wbinfo -s $user_sid | cut -d " " -f1| tr a-z A-Z`
+echo "$user_sid resolved to $user_name"
+
+tested_name=`echo $DOMAIN/rfc2307_test_user | tr a-z A-Z`
+
+# Now check that wbinfo works correctly (sid <=> name)
+echo "test: wbinfo -s check for sane mapping"
+if test x$user_name != x$tested_name; then
+ echo "$user_name does not match $tested_name"
+ echo "failure: wbinfo -s check for sane mapping"
+ failed=`expr $failed + 1`
+else
+ echo "success: wbinfo -s check for sane mapping"
+fi
+
+testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $user_name || failed=`expr $failed + 1`
+test_sid=`$wbinfo -n $tested_name | cut -d " " -f1`
+
+echo "test: wbinfo -n check for sane mapping"
+if test x$user_sid != x$test_sid; then
+ echo "$user_sid does not match $test_sid"
+ echo "failure: wbinfo -n check for sane mapping"
+ failed=`expr $failed + 1`
+else
+ echo "success: wbinfo -n check for sane mapping"
+fi
+
+testit "wbinfo -n against $TARGET" $wbinfo -n "$DOMAIN/rfc2307_test_group" || failed=`expr $failed + 1`
+group_sid=`$wbinfo -n "$DOMAIN/rfc2307_test_group" | cut -d " " -f1`
+echo "$DOMAIN/rfc2307_test_group resolved to $group_sid"
+
+# Then add a uidNumber to the group record using ldbmodify
+cat > $PREFIX/tmpldbmodify <<EOF
+dn: <SID=$user_sid>
+changetype: modify
+add: uidNumber
+uidNumber: $UID_RFC2307TEST
+EOF
+
+testit "modify gidNumber on group" $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -U$DOMAIN/$USERNAME%$PASSWORD $@ || failed=`expr $failed + 1`
+
+# Then add a gidNumber to the group record using ldbmodify
+cat > $PREFIX/tmpldbmodify <<EOF
+dn: <SID=$group_sid>
+changetype: modify
+add: gidNumber
+gidNumber: $GID_RFC2307TEST
+EOF
+
+testit "modify gidNumber on group" $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -U$DOMAIN/$USERNAME%$PASSWORD $@ || failed=`expr $failed + 1`
+
+rm -f $PREFIX/tmpldbmodify
+
+# Now check we get a correct SID for the UID
+
+testit "wbinfo -U against $TARGET" $wbinfo -U $UID_RFC2307TEST || failed=`expr $failed + 1`
+
+echo "test: wbinfo -U check for sane mapping"
+sid_for_user=`$wbinfo -U $UID_RFC2307TEST`
+if test x"$sid_for_user" != x"$user_sid"; then
+ echo "uid $UID_RFC2307TEST mapped to $sid_for_user, not $user_sid"
+ echo "failure: wbinfo -U check for sane mapping"
+ failed=`expr $failed + 1`
+else
+ echo "success: wbinfo -U check for sane mapping"
+fi
+
+testit "wbinfo -G against $TARGET" $wbinfo -G $GID_RFC2307TEST || failed=`expr $failed + 1`
+
+echo "test: wbinfo -G check for sane mapping"
+sid_for_group=`$wbinfo -G $GID_RFC2307TEST`
+if test x$sid_for_group != "x$group_sid"; then
+ echo "gid $GID_RFC2307TEST mapped to $sid_for_group, not $group_sid"
+ echo "failure: wbinfo -G check for sane mapping"
+ failed=`expr $failed + 1`
+else
+ echo "success: wbinfo -G check for sane mapping"
+fi
+
+# Now check we get the right UID from the SID
+testit "wbinfo -S against $TARGET" $wbinfo -S "$user_sid" || failed=`expr $failed + 1`
+
+echo "test: wbinfo -S check for sane mapping"
+uid_for_user_sid=`$wbinfo -S $user_sid`
+if test 0$uid_for_user_sid -ne $UID_RFC2307TEST; then
+ echo "$user_sid mapped to $uid_for_sid, not $UID_RFC2307TEST"
+ echo "failure: wbinfo -S check for sane mapping"
+ failed=`expr $failed + 1`
+else
+ echo "success: wbinfo -S check for sane mapping"
+fi
+
+# Now check we get the right GID from the SID
+testit "wbinfo -Y" $wbinfo -Y "$group_sid" || failed=`expr $failed + 1`
+
+echo "test: wbinfo -Y check for sane mapping"
+gid_for_user_sid=`$wbinfo -Y $group_sid`
+if test 0$gid_for_user_sid -ne $GID_RFC2307TEST; then
+ echo "$group_sid mapped to $gid_for_sid, not $GID_RFC2307TEST"
+ echo "failure: wbinfo -Y check for sane mapping"
+ failed=`expr $failed + 1`
+else
+ echo "success: wbinfo -Y check for sane mapping"
+fi
+
+testit "group delete" $samba_tool group delete rfc2307_test_group $@
+testit "user delete" $samba_tool user delete rfc2307_test_user $@
+
+exit $failed
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index c6eadd7..4ac5aeb 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
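Review bot: The usage guard `if [ $# -lt 4 ]; then` at the top of the new script only requires four arguments, but the script reads `$5` and `$6` and then runs `shift 6`, so a caller passing four or five arguments passes the check with an empty UID_RFC2307TEST/GID_RFC2307TEST and `shift 6` fails; it should read `if [ $# -lt 6 ]; then`. Two failure messages reference variables that are never set, `$uid_for_sid` in the wbinfo -S branch and `$gid_for_sid` in the wbinfo -Y branch, while the values actually computed are `$uid_for_user_sid` and `$gid_for_user_sid`, so the diagnostic prints an empty value exactly when it is needed. The first ldbmodify step adds uidNumber to the user record but is labelled `testit "modify gidNumber on group"` (and the comment above it says "group record"), which makes the subunit output ambiguous when one of the two modify steps fails; `testit "modify uidNumber on user" ...` with a matching comment would fix that. `$TARGET` is interpolated into several test names but never assigned in this script, so it is presumably expected from the environment and otherwise expands to nothing.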
@@ -714,8 +714,11 @@ my @exported_envvars = (
 # nss_wrapper
 "NSS_WRAPPER_PASSWD",
- "NSS_WRAPPER_GROUP"
+ "NSS_WRAPPER_GROUP",
+ # UID/GID for rfc2307 mapping tests
+ "UID_RFC2307TEST",
+ "GID_RFC2307TEST"
 );
 $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub {
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index ba37504..a08e550 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -608,6 +608,8 @@ sub provision_raw_step1($$)
 # remove this again, when our smb2 client library
 # supports signin on compound related requests
 server signing = on
+
+ idmap_ldb:use rfc2307=yes
 "; print CONFFILE "
@@ -634,6 +636,7 @@ nobody:x:65534:65533:nobody gecos:$ctx->{prefix_abs}:/bin/false
 pdbtest:x:65533:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
 "; close(PWD);
+ my $uid_rfc2307test = 65533;
 open(GRP, ">$ctx->{nsswrap_group}");
 print GRP "
@@ -644,6 +647,7 @@ nobody:x:65533:
 nogroup:x:65534:nobody
 "; close(GRP);
+ my $gid_rfc2307test = 65532;
 my $configuration = "--configfile=$ctx->{smb_conf}";
@@ -686,7 +690,9 @@ nogroup:x:65534:nobody
 SAMBA_TEST_LOG => "$ctx->{prefix}/samba_test.log",
 SAMBA_TEST_LOG_POS => 0,
 NSS_WRAPPER_WINBIND_SO_PATH => Samba::nss_wrapper_winbind_so_path($self),
- LOCAL_PATH => $ctx->{share}
+ LOCAL_PATH => $ctx->{share},
+ UID_RFC2307TEST => $uid_rfc2307test,
+ GID_RFC2307TEST => $gid_rfc2307test
 };
 return $ret;
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9bf2612..2de16b7 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -1021,8 +1021,9 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 schema = dsdb_get_schema(ldb, tmp_ctx);
 if (!schema) {
- ret = LDB_ERR_OPERATIONS_ERROR;
- goto fail;
+ talloc_free(tmp_ctx);
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "acl_modify: Error obtaining schema.");
 }
 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, acl_res->msgs[0], &sd);
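Review bot: `my $uid_rfc2307test = 65533;` gives the rfc2307 test user the same uid that the nss_wrapper passwd entry `pdbtest:x:65533:65533:pdbtest gecos:...` in the context line just above already uses, so in the test environment two different identities resolve to uid 65533. The wbinfo checks this commit adds compare SIDs and numbers directly, so they probably pass, but any getpwuid-style lookup of 65533 returns pdbtest and a broken uid-to-SID mapping could go unnoticed. Choosing a value that appears in neither nss_wrapper file would make the test unambiguous, and the same check is worth doing for `my $gid_rfc2307test = 65532;` (only gids 65533 and 65534 are visible in the group-file hunk).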
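Review bot: The new early return in acl_modify no longer reaches the `fail:` label that the removed `goto fail` used, so any cleanup that label performs beyond `talloc_free(tmp_ctx)` is skipped on the no-schema path; the label is outside the hunk, so this may be a no-op today, but it diverges from the function's other error paths and is easy to get wrong later. Since ldb_error() returns the code it is given, the error string can be attached while keeping the single exit: `ret = ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "acl_modify: Error obtaining schema.");` followed by `goto fail;`. The rest of acl_modify starts and ends outside the hunk.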
diff --git a/source4/scripting/python/samba/dbchecker.py b/source4/scripting/python/samba/dbchecker.py
index e1be6c4..91ae0b6 100644
--- a/source4/scripting/python/samba/dbchecker.py
+++ b/source4/scripting/python/samba/dbchecker.py
@@ -749,3 +749,12 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
 m['add'] = ldb.MessageElement('NONE', ldb.FLAG_MOD_ADD, 'force_reindex')
 m['delete'] = ldb.MessageElement('NONE', ldb.FLAG_MOD_DELETE, 'force_reindex')
 return self.do_modify(m, [], 're-indexed database', validate=False)
+
+ ###############################################
+ # reset @MODULES
+ def reset_modules(self):
+ '''reset @MODULES to that needed for current sam.ldb (to read a very old database)'''
+ m = ldb.Message()
+ m.dn = ldb.Dn(self.samdb, "@MODULES")
+ m['@LIST'] = ldb.MessageElement('samba_dsdb', ldb.FLAG_MOD_REPLACE, '@LIST')
+ return self.do_modify(m, [], 'reset @MODULES on database', validate=False)
diff --git a/source4/scripting/python/samba/netcmd/dbcheck.py b/source4/scripting/python/samba/netcmd/dbcheck.py
index e4ec6b3..889b0ff 100644
--- a/source4/scripting/python/samba/netcmd/dbcheck.py
+++ b/source4/scripting/python/samba/netcmd/dbcheck.py
@@ -55,6 +55,7 @@ class cmd_dbcheck(Command):
 help="don't print details of checking"),
 Option("--attrs", dest="attrs", default=None, help="list of attributes to check (space separated)"),
 Option("--reindex", dest="reindex", default=False, action="store_true", help="force database re-index"),
+ Option("--force-modules", dest="force_modules", default=False, action="store_true", help="force loading of Samba modules and ignore the @MODULES record (for very old databases)"),
 Option("-H", "--URL", help="LDB URL for database or target server (defaults to local SAM database)", type=str, metavar="URL", dest="H"),
 ]
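Review bot: `reset_modules` replaces `@LIST` unconditionally with the single value 'samba_dsdb' via FLAG_MOD_REPLACE and passes `validate=False` to do_modify, so it also overwrites an @MODULES record that is already correct or was deliberately customised, and nothing in the method checks what was there before. The docstring should state that the operation is destructive and unconditional, e.g. `'''Replace @MODULES/@LIST with 'samba_dsdb', the module stack a current sam.ldb needs, so a very old database can be opened; any existing @LIST value is discarded without validation.'''`. The enclosing dbcheck class starts outside the hunk.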
@@ -62,7 +63,7 @@ class cmd_dbcheck(Command):
 def run(self, DN=None, H=None, verbose=False, fix=False, yes=False,
 cross_ncs=False, quiet=False, scope="SUB", credopts=None, sambaopts=None, versionopts=None,
- attrs=None, reindex=False):
+ attrs=None, reindex=False, force_modules=False):
 lp = sambaopts.get_loadparm()
@@ -73,8 +74,16 @@ class cmd_dbcheck(Command):
 else:
 creds = None
- samdb = SamDB(session_info=system_session(), url=H,
- credentials=creds, lp=lp)
+ if force_modules:
+ samdb = SamDB(session_info=system_session(), url=H,
+ credentials=creds, lp=lp, options=["modules=samba_dsdb"])
+ else:
+ try:
+ samdb = SamDB(session_info=system_session(), url=H,
+ credentials=creds, lp=lp)
+ except:
+ raise CommandError("Failed to connect to DB at %s. If this is a really old sam.ldb (before alpha9), then try again with --force-modules" % H) + +if H is None or not over_ldap: + samdb_schema = samdb
@@ -105,13 +114,20 @@ class cmd_dbcheck(Command):
 started_transaction = True
 try:
 chk = dbcheck(samdb, samdb_schema=samdb_schema, verbose=verbose,
- fix=fix, yes=yes, quiet=quiet, in_transaction=started_transaction)
+ fix=fix, yes=yes, quiet=quiet, in_transaction=started_transaction)
 if reindex:
 self.outf.write("Re-indexing...\n")
 error_count = 0
 if chk.reindex_database():
 self.outf.write("completed re-index OK\n")
+
+ elif force_modules:
+ self.outf.write("Resetting @MODULES...\n")
+ error_count = 0
+ if chk.reset_modules():
+ self.outf.write("completed @MODULES reset OK\n") + + else: error_count = chk.check_database(DN=DN, scope=search_scope, controls=controls, attrs=attrs)
diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index df9415e..d680a7c 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
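Review bot: The bare `except:` around the second `SamDB(...)` call in the hunk at line 74 catches every exception, including KeyboardInterrupt and SystemExit, and the CommandError it raises drops the original error text, so a permissions, lock or corruption failure is reported as "maybe an old sam.ldb, try --force-modules" and the real cause is lost. Narrow it and keep the cause: `except Exception as e:` and `raise CommandError("Failed to connect to DB at %s: %s. If this is a really old sam.ldb (before alpha9), then try again with --force-modules" % (H, e))`. In the hunk at line 114, the new `elif force_modules:` branch sets `error_count = 0` and never changes it when `chk.reset_modules()` returns false, so `samba-tool dbcheck --force-modules` exits successfully after a failed reset; the pre-existing reindex branch has the same shape, but it is not worth copying into new code.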
@@ -35,6 +35,7 @@ from samba.credentials import Credentials
 from samba import dsdb
 from samba.ndr import ndr_pack
 from samba import unix2nttime
+from samba import generate_random_password
 def import_sam_policy(samdb, policy, logger):
@@ -835,11 +836,19 @@ Please fix this account before attempting to upgrade again
 if not (serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC"):
 dns_backend = "NONE"
+ # If we found an admin user, set a fake pw that we will override.
+ # This avoids us printing out an admin password that we won't actually
+ # set.
+ if admin_user:
+ adminpass = generate_random_password(12, 32)
+ else:
+ adminpass = None + # Do full provision +result = provision(logger, session_info, None, targetdir=targetdir, realm=realm, domain=domainname, domainsid=str(domainsid), next_rid=next_rid,
- dc_rid=machinerid,
+ dc_rid=machinerid, adminpass = adminpass,
 dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003, hostname=netbiosname.lower(), machinepass=machinepass, serverrole=serverrole, samdb_fill=FILL_FULL,
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index f43741c..568d122 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
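Review bot: The comment describes the generated value as "a fake pw that we will override", but the override is not in this hunk, so a reader cannot see where the imported admin_user's hash replaces the throwaway password or what happens if that later step fails; in that case the upgraded domain is left with an Administrator password nobody knows and nothing is printed to say so (fail-closed, but silent). The comment should name the step that performs the override, and that step should report failure rather than let the upgrade finish quietly with an unusable account; I cannot confirm either from the hunk. Minor style point: the new keyword argument is written `adminpass = adminpass`, where PEP 8 and the neighbouring arguments in the same call use `adminpass=adminpass`.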
@@ -308,6 +308,7 @@ plantestsuite("samba4.blackbox.nmblookup(dc)", "dc", [os.path.join(samba4srcdir,
 plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_locktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
 plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
 plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
+plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
 plantestsuite("samba4.blackbox.wbinfo(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "dc"])
 plantestsuite("samba4.blackbox.wbinfo(s4member:local)", "s4member:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', "s4member"])
 plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
diff --git a/source4/winbind/idmap.c b/source4/winbind/idmap.c
index a6cc88f..3773c1d 100644
--- a/source4/winbind/idmap.c
+++ b/source4/winbind/idmap.c
@@ -236,8 +236,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
 LDB_SCOPE_SUBTREE, sam_attrs, 0,
 "(&(|(sAMaccountType=%u)(sAMaccountType=%u)(sAMaccountType=%u))"
- "(uidNumber=%u)(objectSid=*)"
- "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+ "(uidNumber=%u)(objectSid=*))",
 ATYPE_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST, unixid->id);
 } else {
 /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
@@ -274,8 +273,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
 ldb_get_default_basedn(idmap_ctx->samdb),
 LDB_SCOPE_SUBTREE, sam_attrs, 0,
- "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u)"
- "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+ "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u))",
 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP, unixid->id);
 } else {
@@ -439,8 +437,7 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx,
 "(&(objectSid=%s)"
 "(|(sAMaccountType=%u)(sAMaccountType=%u)(sAMaccountType=%u)"
 "(sAMaccountType=%u)(sAMaccountType=%u))"
- "(|(uidNumber=*)(gidNumber=*))"
- "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+ "(|(uidNumber=*)(gidNumber=*)))",
 dom_sid_string(tmp_ctx, sid), ATYPE_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST, ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
diff --git a/testprogs/blackbox/dbcheck.sh b/testprogs/blackbox/dbcheck.sh
index 1ea7811..faf6fab 100755
--- a/testprogs/blackbox/dbcheck.sh
+++ b/testprogs/blackbox/dbcheck.sh
@@ -20,7 +20,12 @@ reindex() {
 $BINDIR/samba-tool dbcheck --reindex
 }
+force_modules() {
+ $BINDIR/samba-tool dbcheck --force-modules
+}
+
 testit "dbcheck" dbcheck
 testit "reindex" reindex
+testit "force_modules" force_modules
 exit $failed
-- Samba Shared Repository
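Review bot: Removing the `(|(objectClass=posixAccount)(objectClass=posixGroup))` term from the uidNumber search means every object of the listed sAMaccountTypes that carries a uidNumber now qualifies, so a user and, say, a workstation trust account that both carry the same uidNumber both satisfy `(uidNumber=%u)`; the code that consumes the search result is outside the hunk, so it is worth confirming that it refuses (or at least logs) an ambiguous multi-entry result rather than taking the first entry, because the objectClass term was the only thing narrowing that before. The same filter change is made for the gidNumber search (hunk at line 273) and the sid-to-xid search (hunk at line 437). Since the rationale lives only in the commit message, a short comment above the first filter would help later readers: `/* Like source3 idmap_ad: a uidNumber/gidNumber attribute alone is sufficient, no posixAccount/posixGroup objectClass is required */`.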
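Review bot: `force_modules` runs `samba-tool dbcheck --force-modules`, which per the dbchecker change in this commit rewrites the @MODULES record of the test database rather than only checking it, so unlike the plain `dbcheck` step this test has a side effect that later tests in the same environment will see. A one-line comment above the function, `# NOTE: --force-modules rewrites @MODULES (not a read-only check)`, would make that visible, and if ordering matters it should run after any test that depends on the original @MODULES record. The surrounding dbcheck.sh script starts outside the hunk.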