The branch, v4-1-test has been updated
       via  3beda4c WHATSNEW: Update changes since 4.1.0rc2.
       via  cfa4e2a Optimization. Don't do the retry logic if sitename_fetch() returned NULL, we already did a NULL query.
       via  3912eeb9 Move the retry logic when site_name is passed in a NULL or "" to the wrapper function.
       via  2d7fe2b Move the manipulation of site_name into the caller function dsgetdcname().
       via  0c046a4 Refactor dsgetdcname to be called via a wrapper function.
       via  a616bbc dsgetdcname_cache_fetch() doesn't use the site_name parameter so don't pass it.
       via  317f960 smbd: Correctly return INFO_LENGTH_MISMATCH for smb1
       via  26ac864 smbd: Fix error return for STREAM_INFO
       via  db4e8a7 smbd: Revert a93f9c3
       via  0e91fd6 smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo
       via  9444c6f smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo
       via  b4427b9 smbd: qfsinfo has fixed/variable buffers
       via  3691f46 smbd: qfilepathinfo has fixed/variable buffers
       via  6ee8231 smbd: Use #defines in smb2_getinfo_send
       via  a9ef99c s3:smbd: allow info class SMB_QUERY_FS_ATTRIBUTE_INFO to return partial data
       via  25fbced s3:smbd: allow info class SMB_QUERY_FS_VOLUME_INFO to return partial data
       via  342afee s3:smbd: allow status code in smbd_do_qfsinfo() to be set by information class handler
       via  5e75d4b s3:smbd: allow GetInfo responses with STATUS_BUFFER_OVERFLOW to return partial, but valid data
       via  2b411e6 s3:smbd: return NT_STATUS_INFO_LENGTH_MISMATCH for GetInfo in case output_buffer_length is too small
       via  a654601 torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9
       via  1e653e4 selftest: Add a basic test of samba_upgradedns
       via  79b7888 selftest: Start internal DNS server on domain provisioned for BIND9_DLZ
       via  0d7c1f0 selftest: Test creation of the dns-SERVER account during selftest
       via  e00be93 scripting/samba_upgradedns: Tighten up exception and attribute list handling
       via  fee6fa5 scripting/join.py: Handle creating the dns-NAME account during a DC join
       via  e6cbc39 WHATSNEW: Add paragraph about SMB2/3 support for client tools/library.
      from  cf677c4 WHATSNEW: Add release notes for Samba 4.1.0rc3.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-test


- Log -----------------------------------------------------------------
commit 3beda4cffdf36e10a85fdcb8f9cb31ba04fc9cf8
Author: Karolin Seeger <ksee...@samba.org>
Date:   Fri Sep 6 11:11:39 2013 +0200

    WHATSNEW: Update changes since 4.1.0rc2.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

    Autobuild-User(v4-1-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-1-test): Fri Sep 6 12:59:28 CEST 2013 on sn-devel-104

commit cfa4e2a8ae97b02a112c132f2154c22a9fc53314
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 3 14:07:43 2013 -0700

    Optimization. Don't do the retry logic if sitename_fetch() returned NULL, we already did a NULL query.

    Bug 5917 - Samba does not work on site with Read Only Domain Controller

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Sep 4 01:19:05 CEST 2013 on sn-devel-104
    (cherry picked from commit bdab6f9431715fbfd28f8cc0dfb4dde2966f22f3)

commit 3912eeb93f633c0511147c34205b0813748d273a
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 3 12:20:52 2013 -0700

    Move the retry logic when site_name is passed in a NULL or "" to the wrapper function.

    Bug 5917 - Samba does not work on site with Read Only Domain Controller

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Richard Sharpe <rsha...@samba.org>
    (cherry picked from commit 68e7b1c9446c7d1274b0fb85b59b90ac1a7f6041)

commit 2d7fe2b9afed0e16a750f918eab30f017b4198fc
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 3 12:08:46 2013 -0700

    Move the manipulation of site_name into the caller function dsgetdcname().

    Leave dsgetdcname_internal() only using const char *site_name.

    Bug 5917 - Samba does not work on site with Read Only Domain Controller

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Richard Sharpe <rsha...@samba.org>
    (cherry picked from commit 181c11066bd53b07015a199f56eb71182e89ff71)

commit 0c046a4e5814616d504d755a81901a6eeabea401
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 3 12:04:37 2013 -0700

    Refactor dsgetdcname to be called via a wrapper function.

    Bug 5917 - Samba does not work on site with Read Only Domain Controller

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Richard Sharpe <rsha...@samba.org>
    (cherry picked from commit 66006be7ef703b2935334633d27641050cee5f58)

commit a616bbcfd8e8f70ab482bc0957693966b956f693
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 3 12:13:45 2013 -0700

    dsgetdcname_cache_fetch() doesn't use the site_name parameter so don't pass it.

    Bug 5917 - Samba does not work on site with Read Only Domain Controller

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Richard Sharpe <rsha...@samba.org>
    (cherry picked from commit dd12bfbcbf359c1642cc2e968aec62ae904aad5d)

commit 317f960a34d8079714ee68b5d00d651d3a4bd45e
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:40:19 2013 +0000

    smbd: Correctly return INFO_LENGTH_MISMATCH for smb1

    This is required if the client offered less buffer than the fixed portion of the info level data requires

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 1b1935b876a14154ef74e447bf53eb7cd0a5dde9)

commit 26ac864a120405b7d3fcd15a8dcd5f696146d5da
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:39:17 2013 +0000

    smbd: Fix error return for STREAM_INFO

    The stream_info marshalling follows its own rules. This needs unifying eventually...

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 5634f240fd4273cb7327111140ccbea0fd41e3fc)

commit db4e8a75e3a00e55e93eb6ab8ca9ce75652b4f9f
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:38:29 2013 +0000

    smbd: Revert a93f9c3

    This was too broad and has been replaced by finer-grained error checks

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit b37edda32930fec372d6467d442f67532c3fbd33)

commit 0e91fd6f6f80f25901771dc2c008a0293019bc2d
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:37:34 2013 +0000

    smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo

    Also, don't overflow the client buffer

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 40f60024ca19e33cbbe9825b42692f386a8f1dd9)

commit 9444c6fce8dd99543957fd22d7274a69fc2b200f
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:36:03 2013 +0000

    smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo

    We have to return this error if the client offered less than the fixed portion of the infolevel data requires

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 91939614760837b2ac2c6bb8b5daac108a4f4670)

commit b4427b92f143d90730d144ab24233f8540d83538
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:06:27 2013 +0000

    smbd: qfsinfo has fixed/variable buffers

    The error message will have to change depending whether the buffer is too small for the fixed or variable buffers

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit ac41df91a5a425633fc716ca02187e753879d795)

commit 3691f463adcc7000f262ac1d925021618ec71e4d
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:06:27 2013 +0000

    smbd: qfilepathinfo has fixed/variable buffers

    The error message will have to change depending whether the buffer is too small for the fixed or variable buffers

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 53123996033594f68a3fc9037474aada3aef0750)

commit 6ee82318869610e6f8c7f13099851373b2e711f8
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Aug 26 08:36:14 2013 +0000

    smbd: Use #defines in smb2_getinfo_send

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>

    Autobuild-User(master): David Disseldorp <dd...@samba.org>
    Autobuild-Date(master): Tue Aug 27 15:08:08 CEST 2013 on sn-devel-104
    (cherry picked from commit 323cccd35d06c7327c19dc5cb891043507624d7d)

commit a9ef99ca7880a0a192c61ea31df232449a057b29
Author: Ralph Wuerthner <ralph.wuerth...@de.ibm.com>
Date:   Wed Jul 10 16:43:39 2013 +0200

    s3:smbd: allow info class SMB_QUERY_FS_ATTRIBUTE_INFO to return partial data

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <volker.lende...@sernet.de>
    (cherry picked from commit 270d29a743a030653037cb176f3764bec3c79b6c)

commit 25fbcedf3d60cc979fb906fa8fe067a989ed19e4
Author: Ralph Wuerthner <ralph.wuerth...@de.ibm.com>
Date:   Wed Jul 10 15:52:06 2013 +0200

    s3:smbd: allow info class SMB_QUERY_FS_VOLUME_INFO to return partial data

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <volker.lende...@sernet.de>
    (cherry picked from commit ec46f6b91941e38dd92f8e0fb0f278592e3157b6)

commit 342afeefbe1786021ce5127284bee3f29808bb4c
Author: Ralph Wuerthner <ralph.wuerth...@de.ibm.com>
Date:   Fri Jul 5 11:32:27 2013 +0200

    s3:smbd: allow status code in smbd_do_qfsinfo() to be set by information class handler

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <volker.lende...@sernet.de>
    (cherry picked from commit 616777f029e462f53c5118d79de8c6405a5fb7c1)

commit 5e75d4bfcc965cd062f51fcf8aa6e9290953509a
Author: Ralph Wuerthner <ralph.wuerth...@de.ibm.com>
Date:   Fri Jul 5 11:03:16 2013 +0200

    s3:smbd: allow GetInfo responses with STATUS_BUFFER_OVERFLOW to return partial, but valid data

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <volker.lende...@sernet.de>
    (cherry picked from commit a91d2b05bab329a8a9772c2c79a3b1e02933182e)

commit 2b411e6219fbce5ef1499da4a141d31a8a295e89
Author: Ralph Wuerthner <ralph.wuerth...@de.ibm.com>
Date:   Wed Jul 10 08:59:58 2013 +0200

    s3:smbd: return NT_STATUS_INFO_LENGTH_MISMATCH for GetInfo in case output_buffer_length is too small

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <volker.lende...@sernet.de>
    (cherry picked from commit a93f9c3d33e442c84d0c9da7eb5d25ca4b54fc33)

commit a6546016fa552407ea6ccd9c7ddb43737601484e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Dec 28 21:00:28 2012 +1100

    torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9

    This exercises some more of the dlz_bind9 code outside BIND, by sending in a ticket to be access checked, wrapped either in SPNEGO or just in GSSAPI.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Wed Sep 4 11:25:10 CEST 2013 on sn-devel-104
    (cherry picked from commit 38e43961c01f6f491b069e7106fe2a2ec80bd840)

    The last 6 patches address bug #9091 - When replicating DNS for bind9_dlz we need to create the server-DNS account remotely.

commit 1e653e402588a386bf747e49b20c2ccd0dbf46f4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Dec 28 10:06:39 2012 +1100

    selftest: Add a basic test of samba_upgradedns

    This does not check that the command runs correctly, but does at least check that the command runs to completion without errors.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 16b26eafa75280e576333975cff5dd1505c118fa)

commit 79b78888474d062152283a9c9e080756a96f1346
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Dec 28 09:25:11 2012 +1100

    selftest: Start internal DNS server on domain provisioned for BIND9_DLZ

    This shows that the internal server can use the dns-SERVER account.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 013c4990c6f1412dd25592bf177ceffab4b5d16d)

commit 0d7c1f07ef7eed313b0185fadcadcb26b7ee9197
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Dec 26 10:03:47 2012 +1100

    selftest: Test creation of the dns-SERVER account during selftest

    We do this by having the samba-tool domain dcpromo for promoted_vampire_dc also create a dns-SERVER account.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit e281037c9bfa68ca3dc564ec7a36e5c790024902)

commit e00be93e07ddfc2d1dfbbe0f8213ca2df1e2d48d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Dec 24 09:12:04 2012 +1100

    scripting/samba_upgradedns: Tighten up exception and attribute list handling

    This avoids asking for attributes that will not be used, and looks only for the expected exceptions, rather than all exceptions.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit d19c437a36b26e71c24bc25e672d714e21ba50bd)

commit fee6fa5e2f2a56ef3d8a02d9cd4348f2cccb0a3f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Dec 24 08:56:50 2012 +1100

    scripting/join.py: Handle creating the dns-NAME account during a DC join

    This will ensure that the DLZ plugin works out of the box when joining a second Samba DC to the domain.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit b106d9090e8f8f44f02059d2ced3d10066787060)

commit e6cbc396ef66df6ad6d9c122417ed1b7fe95c395
Author: Jeremy Allison <j...@samba.org>
Date:   Fri Sep 6 10:09:52 2013 +0200

    WHATSNEW: Add paragraph about SMB2/3 support for client tools/library.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Signed-off-by: Karolin Seeger <ksee...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                | 83 ++++++++++++++++++++++++++-
 python/samba/join.py                        | 73 ++++++++++++++++++++++-
 python/samba/provision/sambadns.py          | 11 +++-
 selftest/target/Samba4.pm                   |  4 +-
 source3/libsmb/dsgetdcname.c                | 85 ++++++++++++++++++++------
 source3/smbd/globals.h                      |  2 +
 source3/smbd/smb2_getinfo.c                 | 47 +++++++++++++--
 source3/smbd/trans2.c                       | 55 +++++++++++++++++-
 source4/scripting/bin/samba_upgradedns      | 30 ++++++---
 source4/selftest/tests.py                   |  3 +-
 source4/setup/secrets_dns.ldif              |  2 +-
 source4/torture/dns/dlz_bind9.c             | 78 ++++++++++++++++++++++++
 source4/torture/winbind/winbind.c           |  1 +
 testprogs/blackbox/test_samba_upgradedns.sh | 37 ++++++++++++
 14 files changed, 461 insertions(+), 50 deletions(-)
 create mode 100755 testprogs/blackbox/test_samba_upgradedns.sh


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 13174f0..eeb6307 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -19,6 +19,73 @@ releases candidates, you should backup all configuration and data. NEW FEATURES ============ +Client tools support SMB2/3 +=========================== + +Samba 4.1.0 contains the first release of our client tools +and client library that work over the new protocols SMB2 or SMB3. +Note that SMB3 only works either to a Samba server version 4.0.0 +or above, or to a Windows Server running Windows 2012 or Windows 8. + +The default protocol for smbclient and smbcacls is still +SMB1 (the NT1 protocol dialect). An SMB2 or SMB3 connection +can be selected in one of two ways. The easiest way to test +the new protocol connection is to add the -mMAX_PROTOCOL +command line switch to either smbclient or smbcacls. + +For example, to connect using SMB3 with smbclient a user +would type: + +smbclient //server/share -Uuser%password -mSMB3 + +Another example of connecting using SMB2 using smbcacls +would be: + +smbcacls //server/share -Uuser%password -mSMB2 filename + +Note that when connecting using SMB2 or SMB3 protocols +the UNIX extensions are no longer available inside the +smbclient command set. This is due to UNIX extensions +not yet being defined for the SMB2 or SMB3 protocols. + +The second way to select SMB2 or SMB3 connections is to +set the "client max protocol" parameter in the [global] +section of your smb.conf. + +Setting this parameter will cause all client connections +from Samba and its client tools to offer the requested +max protocol to a server on every connection request. + +For example, to cause all client tools (including winbindd, +rpcclient, and the libsmbclient library) to attempt use SMB3 +by default add the line: + +client max protocol = SMB3 + +to the [global] section of your smb.conf. This has not +been as widely tested as the -mPROTOCOL options, but +is intended to work correctly in the final release of +4.1.0. 
+ +Encrypted transport +=================== + +Although Samba servers have supported encrypted transport +connections using the UNIX extensions for many years, +selecting SMB3 transport allows encrypted transport +connections to Windows servers that support SMB3, as +well as Samba servers. + +In order to enable this, add the "-e" option to the +smbclient command line. + +For example, to connect to a Windows 2012 server over +SMB3 and select an encrypted transport you would use +the following command line: + +smbclient //Win2012Server/share -Uuser%password -mSMB3 -e + + Directory database replication (AD DC mode) =========================================== @@ -88,7 +155,8 @@ COMMIT HIGHLIGHTS ================= o Jeremy Allison <j...@samba.org> - * Add SMB2 and SMB3 support for smbclient. + * Add SMB2 and SMB3 support for client tools and client library. + * Add support for SMB3 Encrypted transport. o David Disseldorp <dd...@samba.org> @@ -105,6 +173,7 @@ o Michael Adam <ob...@samba.org> o Jeremy Allison <j...@samba.org> + * BUG 5917: Fix working on site with Read Only Domain Controller. * BUG 9974: Add SMB2 and SMB3 support for smbclient. * BUG 10063: Fix memory leak in source3/lib/util.c:1493. * BUG 10121: Masks incorrectly applied to UNIX extension permission @@ -115,6 +184,11 @@ o Christian Ambach <a...@samba.org> * BUG 9911: Build Samba 4.0.x on AIX with IBM XL C/C++. +o Andrew Bartlett <abart...@samba.org> + * BUG 9091: When replicating DNS for bind9_dlz we need to create the + server-DNS account remotely. + + o Günther Deschner <g...@samba.org> * BUG 9615: Winbind unable to retrieve user information from AD. * BUG 9899: winbind_lookup_names() fails because of 
@@ -124,6 +198,8 @@ o Günther Deschner <g...@samba.org> o Volker Lendecke <v...@samba.org> * BUG 10086: smbd: Fix async echo handler forking. + * BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo + requests. * BUG 10114: Handle Dropbox (write-only-directory) case correctly in pathname lookup. @@ -153,6 +229,11 @@ o Richard Sharpe <realrichardsha...@gmail.com> out by Samba. +o Ralph Wuerthner <ralph.wuerth...@de.ibm.com> + * BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo + requests. + + CHANGES SINCE 4.1.0rc1 ====================== diff --git a/python/samba/join.py b/python/samba/join.py index c55c22c..b2f4da4 100644 --- a/python/samba/join.py +++ b/python/samba/join.py @@ -26,9 +26,12 @@ from samba.ndr import ndr_pack from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs from samba.credentials import Credentials, DONT_USE_KERBEROS from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN +from samba.provision.common import setup_path from samba.schema import Schema from samba.net import Net from samba.provision.sambadns import setup_bind9_dns +from samba import read_and_sub_file +from base64 import b64encode import logging import talloc import random 
@@ -179,6 +182,19 @@ class dc_join(object): attrs=["msDS-krbTgtLink"]) if res: ctx.del_noerror(res[0].dn, recursive=True) + + res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(), + expression='(&(sAMAccountName=%s)(servicePrincipalName=%s))' % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)), + attrs=[]) + if res: + ctx.del_noerror(res[0].dn, recursive=True) + + res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(), + expression='(sAMAccountName=%s)' % ldb.binary_encode("dns-%s" % ctx.myname), + attrs=[]) + if res: + raise RuntimeError("Not removing account %s which looks like a Samba DNS service account but does not have servicePrincipalName=%s" % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname))) + if ctx.connection_dn is not None: ctx.del_noerror(ctx.connection_dn) if ctx.krbtgt_dn is not None: 
@@ -579,6 +595,56 @@ class dc_join(object): "userAccountControl") ctx.samdb.modify(m) + if ctx.dns_backend.startswith("BIND9_"): + ctx.dnspass = samba.generate_random_password(128, 255) + + recs = ctx.samdb.parse_ldif(read_and_sub_file(setup_path("provision_dns_add_samba.ldif"), + {"DNSDOMAIN": ctx.dnsdomain, + "DOMAINDN": ctx.base_dn, + "HOSTNAME" : ctx.myname, + "DNSPASS_B64": b64encode(ctx.dnspass), + "DNSNAME" : ctx.dnshostname})) + for changetype, msg in recs: + assert changetype == ldb.CHANGETYPE_NONE + print "Adding DNS account %s with dns/ SPN" % msg["dn"] + + # Remove dns password (we will set it as a modify, as we can't do clearTextPassword over LDAP) + del msg["clearTextPassword"] + # Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP + del msg["isCriticalSystemObject"] + try: + ctx.samdb.add(msg) + dns_acct_dn = msg["dn"] + except ldb.LdbError, (num, _): + if num != ldb.ERR_ENTRY_ALREADY_EXISTS: + raise + + # The account password set operation should normally be done over + # LDAP. Windows 2000 DCs however allow this only with SSL + # connections which are hard to set up and otherwise refuse with + # ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet + # over SAMR. 
+ print "Setting account password for %s" % ctx.samname + try: + ctx.samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))" + % ldb.binary_encode(ctx.myname), + ctx.dnspass, + force_change_at_next_login=False, + username=ctx.samname) + except ldb.LdbError, (num, _): + if num != ldb.ERR_UNWILLING_TO_PERFORM: + pass + ctx.net.set_password(account_name="dns-" % ctx.myname, + domain_name=ctx.domain_name, + newpassword=ctx.dnspass) + + res = ctx.samdb.search(base=dns_acct_dn, scope=ldb.SCOPE_BASE, + attrs=["msDS-KeyVersionNumber"]) + if "msDS-KeyVersionNumber" in res[0]: + ctx.dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0]) + else: + ctx.dns_key_version_number = None + def join_add_objects2(ctx): """add the various objects needed for the join, for subdomains post replication""" @@ -861,13 +927,12 @@ class dc_join(object): key_version_number=ctx.key_version_number) if ctx.dns_backend.startswith("BIND9_"): - dnspass = samba.generate_random_password(128, 255) - setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid), ctx.names, ctx.paths, ctx.lp, logger, dns_backend=ctx.dns_backend, - dnspass=dnspass, os_level=ctx.behavior_version, - targetdir=ctx.targetdir) + dnspass=ctx.dnspass, os_level=ctx.behavior_version, + targetdir=ctx.targetdir, + key_version_number=ctx.dns_key_version_number) def join_setup_trusts(ctx): """provision the local SAM.""" diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py index a5a45cf..4acc24b 100644 --- a/python/samba/provision/sambadns.py +++ b/python/samba/provision/sambadns.py @@ -620,7 +620,7 @@ def add_dc_msdcs_records(samdb, forestdn, prefix, site, dnsforest, hostname, def secretsdb_setup_dns(secretsdb, names, private_dir, realm, - dnsdomain, dns_keytab_path, dnspass): + dnsdomain, dns_keytab_path, dnspass, key_version_number): """Add DNS specific bits to a secrets database. :param secretsdb: Ldb Handle to the secrets database 
@@ -632,11 +632,15 @@ def secretsdb_setup_dns(secretsdb, names, private_dir, realm, except OSError: pass + if key_version_number is None: + key_version_number = 1 + setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), { "REALM": realm, "DNSDOMAIN": dnsdomain, "DNS_KEYTAB": dns_keytab_path, "DNSPASS_B64": b64encode(dnspass), + "KEY_VERSION_NUMBER": str(key_version_number), "HOSTNAME": names.hostname, "DNSNAME" : '%s.%s' % ( names.netbiosname.lower(), names.dnsdomain.lower()) @@ -1074,7 +1078,7 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, dns_backend, os_level, site=None, dnspass=None, hostip=None, - hostip6=None, targetdir=None): + hostip6=None, targetdir=None, key_version_number=None): """Provision DNS information (assuming BIND9 backend in DC role) :param samdb: LDB object connected to sam.ldb file @@ -1107,7 +1111,8 @@ def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, secretsdb_setup_dns(secretsdb, names, paths.private_dir, realm=names.realm, dnsdomain=names.dnsdomain, - dns_keytab_path=paths.dns_keytab, dnspass=dnspass) + dns_keytab_path=paths.dns_keytab, dnspass=dnspass, + key_version_number=key_version_number) create_dns_dir(logger, paths) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index e574b48..37f7102 100644 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -1069,7 +1069,7 @@ sub provision_promoted_dc($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; - $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs"; + $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ"; unless (system($cmd) == 0) { warn("Join failed\n$cmd"); 
@@ -1520,7 +1520,7 @@ sub provision_chgdcpass($$) "chgdcpassword.samba.example.com", "2008", "chgDCpass1", - undef, "server services = -dns", "", + undef, "", "", $extra_provision_options); return undef unless(defined $ret); diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index 028a31b..6818b01 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c @@ -320,7 +320,6 @@ static NTSTATUS dsgetdcname_cache_fetch(TALLOC_CTX *mem_ctx, const char *domain_name, const struct GUID *domain_guid, uint32_t flags, - const char *site_name, struct netr_DsRGetDCNameInfo **info_p) { char *key; @@ -393,7 +392,7 @@ static NTSTATUS dsgetdcname_cached(TALLOC_CTX *mem_ctx, NTSTATUS status; status = dsgetdcname_cache_fetch(mem_ctx, domain_name, domain_guid, - flags, site_name, info); + flags, info); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) { DEBUG(10,("dsgetdcname_cached: cache fetch failed with: %s\n", @@ -1094,12 +1093,10 @@ static bool is_closest_site(struct netr_DsRGetDCNameInfo *info) } /******************************************************************** - dsgetdcname. - - This will be the only public function here. + Internal dsgetdcname. ********************************************************************/ -NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, +static NTSTATUS dsgetdcname_internal(TALLOC_CTX *mem_ctx, struct messaging_context *msg_ctx, const char *domain_name, const struct GUID *domain_guid, 
@@ -1109,15 +1106,14 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, { NTSTATUS status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; struct netr_DsRGetDCNameInfo *myinfo = NULL; - char *query_site = NULL; bool first = true; struct netr_DsRGetDCNameInfo *first_info = NULL; - DEBUG(10,("dsgetdcname: domain_name: %s, " + DEBUG(10,("dsgetdcname_internal: domain_name: %s, " "domain_guid: %s, site_name: %s, flags: 0x%08x\n", domain_name, domain_guid ? GUID_string(mem_ctx, domain_guid) : "(null)", - site_name, flags)); + site_name ? site_name : "(null)", flags)); *info = NULL; @@ -1126,18 +1122,12 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - if ((site_name == NULL) || (site_name[0] == '\0')) { - query_site = sitename_fetch(domain_name); - } else { - query_site = SMB_STRDUP(site_name); - } - if (flags & DS_FORCE_REDISCOVERY) { goto rediscover; } status = dsgetdcname_cached(mem_ctx, msg_ctx, domain_name, domain_guid, - flags, query_site, &myinfo); + flags, site_name, &myinfo); if (NT_STATUS_IS_OK(status)) { goto done; } @@ -1148,12 +1138,10 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, rediscover: status = dsgetdcname_rediscover(mem_ctx, msg_ctx, domain_name, - domain_guid, flags, query_site, + domain_guid, flags, site_name, &myinfo); done: - SAFE_FREE(query_site); - if (!NT_STATUS_IS_OK(status)) { if (!first) { *info = first_info; 
@@ -1168,10 +1156,67 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, first = false; first_info = myinfo; /* TODO: may use the next_closest_site here */ - query_site = SMB_STRDUP(myinfo->client_site_name); + site_name = myinfo->client_site_name; goto rediscover; } *info = myinfo; return NT_STATUS_OK; } + +/******************************************************************** + dsgetdcname. + + This will be the only public function here. +********************************************************************/ + +NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, + struct messaging_context *msg_ctx, + const char *domain_name, + const struct GUID *domain_guid, + const char *site_name, + uint32_t flags, + struct netr_DsRGetDCNameInfo **info) +{ + NTSTATUS status; + const char *query_site = NULL; + char *ptr_to_free = NULL; + bool retry_query_with_null = false; + + if ((site_name == NULL) || (site_name[0] == '\0')) { + ptr_to_free = sitename_fetch(domain_name); + if (ptr_to_free != NULL) { + retry_query_with_null = true; + } + query_site = ptr_to_free; + } else { + query_site = site_name; + } + + status = dsgetdcname_internal(mem_ctx, + msg_ctx, + domain_name, + domain_guid, + query_site, + flags, + info); + + SAFE_FREE(ptr_to_free); + + if (!NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) { + return status; + } + + /* Should we try again with site_name == NULL ? */ + if (retry_query_with_null) { + status = dsgetdcname_internal(mem_ctx, + msg_ctx, + domain_name, + domain_guid, + NULL, + flags, + info); + } + + return status; +} diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index d618aea..9ea5e25 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -138,6 +138,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, char *lock_data, uint16_t flags2, unsigned int max_data_bytes, + size_t *fixed_portion, char **ppdata, unsigned int *pdata_size); 
@@ -155,6 +156,7 @@ NTSTATUS smbd_do_qfsinfo(connection_struct *conn, uint16_t info_level, uint16_t flags2, unsigned int max_data_bytes, + size_t *fixed_portion, struct smb_filename *smb_fname, char **ppdata, int *ret_data_len); diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c index 5616c84..449aeb3 100644 --- a/source3/smbd/smb2_getinfo.c +++ b/source3/smbd/smb2_getinfo.c @@ -159,7 +159,10 @@ static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq) return; } - if (!NT_STATUS_IS_OK(call_status)) { + /* some GetInfo responses set STATUS_BUFFER_OVERFLOW and return partial, + but valid data */ + if (!(NT_STATUS_IS_OK(call_status) || + NT_STATUS_EQUAL(call_status, STATUS_BUFFER_OVERFLOW))) { -- Samba Shared Repository
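Review bot: Typo in the "client max protocol" paragraph of the first WHATSNEW.txt hunk (@@ -19,6 +19,73 @@): "to attempt use SMB3 by default" should read "to attempt to use SMB3 by default". In the same hunk, all three smbclient/smbcacls examples pass the credentials as -Uuser%password on the command line; since a command-line password is visible in process listings and shell history, the release notes would do well to say that the %password part is optional (smbclient prompts when it is omitted) and that the -A authentication-file option exists for scripted use.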
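Review bot: Three defects in the password-fallback block of the python/samba/join.py hunk at @@ -579,6 +595,56 @@. First, `account_name="dns-" % ctx.myname` has no `%s` placeholder, so the `%` operator raises TypeError ("not all arguments converted") the moment the SAMR fallback is reached; it should be `"dns-%s" % ctx.myname`, as the searches above it already write. Second, the fallback's except clause is inverted: `if num != ldb.ERR_UNWILLING_TO_PERFORM: pass` swallows every other LdbError and then still calls ctx.net.set_password, whereas the comment immediately above describes falling back only on ERR_UNWILLING_TO_PERFORM; this should be `raise`, matching the earlier `if num != ldb.ERR_ENTRY_ALREADY_EXISTS: raise`. Third, `dns_acct_dn` is assigned only after a successful `ctx.samdb.add(msg)`; when the account already exists the except branch leaves it unset and the later `ctx.samdb.search(base=dns_acct_dn, ...)` fails with an unbound local, so assign `dns_acct_dn = msg["dn"]` before the try.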
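Review bot: The python/samba/provision/sambadns.py hunk at @@ -620,7 +620,7 @@ adds key_version_number to secretsdb_setup_dns() as a required positional parameter with no default, while setup_bind9_dns() in the later hunk declares it as `key_version_number=None` and the body already maps None to 1; any caller of secretsdb_setup_dns() that this patch does not update (only the setup_bind9_dns call site is touched) will now fail with a TypeError. Declaring it as `dnspass, key_version_number=None):` keeps the signature backward compatible and matches the None handling that follows.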
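Review bot: The retry in the new dsgetdcname() wrapper (source3/libsmb/dsgetdcname.c hunk @@ -1168,10 +1156,67 @@) silently repeats the whole lookup with site_name == NULL when the site-specific query returned NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, but nothing is logged; add a DEBUG(10, ...) naming the site that failed before the second dsgetdcname_internal() call so the site-less fallback for the Read Only Domain Controller case (bug 5917) is visible when diagnosing DC location. It is also worth a comment that *info may still hold first_info from the failed first call when the retry starts; dsgetdcname_internal() resets `*info = NULL;` on entry, so this is safe, but that dependency is not obvious from the wrapper.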
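Review bot: The final source3/smbd/smb2_getinfo.c hunk (@@ -159,7 +159,10 @@) is cut off by the 500-line truncation, so the path that now lets STATUS_BUFFER_OVERFLOW through as a success cannot be reviewed from this message; the thing to verify in the full patch is that the partial data returned alongside STATUS_BUFFER_OVERFLOW is bounded by the client's output_buffer_length, which is what the "smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo" commit ("Also, don't overflow the client buffer") promises.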