The branch, master has been updated
       via  860d465 s4-torture: Add AES and RC4 enctype checks
       via  bc3473e s4-torture: Add torture_check_krb5_error() function
       via  51d2779 schema: Reorder dsdb_set_schema() to unlink the old schema last
       via  2a90606 dsdb: Remove 120 second delay and USN from schema refresh check
       via  5abcdd5 dsdb: Remove use of schema USN in samldb_add_handle_msDS_IntId
       via  bad502f schema: Make the fetch of the schema version fast
       via  3175d5f ldb: Avoid use-after-free when one error message is printed into another
       via  6e37854 provision: Ignore duplicate attid and governsID check
       via  c76b009 provision_fill: move GPO into transaction
       via  60375ab provision_fill: move most db accesses into transactions
      from  9ec9e6f ctdb-scripts: Quote some variable expansions

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 860d465e2bb4b52e7a32b4215e31756340c873bb
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Jul 4 13:18:03 2016 +0200

    s4-torture: Add AES and RC4 enctype checks

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlet <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Jul 6 19:06:19 CEST 2016 on sn-devel-144

commit bc3473e67cd0b958264f587cf807974c34ae6239
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Jul 4 09:47:10 2016 +0200

    s4-torture: Add torture_check_krb5_error() function

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlet <abart...@samba.org>

commit 51d2779a60b0b5d358e0b3473324ce4b606d52b7
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jul 4 14:06:10 2016 +1200

    schema: Reorder dsdb_set_schema() to unlink the old schema last

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>

commit 2a9060641757937ad764685ec35507629ce6283e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 4 17:01:15 2016 +1200

    dsdb: Remove 120 second delay and USN from schema refresh check

    We now refresh it once the schema changes, so that replication can
    proceed right away.

    We use the sequence number in the metadata.tdb.  The previous commit
    added a cache for this value, protected by tdb_seqnum().

    metadata.tdb is now opened at startup to provide this support.

    Note that while still supported, schemaUpdateNow is essentially
    redundant: instead, to ensure we increment the sequence number
    correctly, we unify that check into repl_meta_data at the transaction
    close.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>

commit 5abcdd56ba4f1b61b9421c81caa491e70c4881c4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jul 6 11:38:28 2016 +1200

    dsdb: Remove use of schema USN in samldb_add_handle_msDS_IntId

    This is not a frequent enough operation to warrant a cache, and the
    USN will be removed from the schema code shortly

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>

commit bad502fd86185dc15d58c753baacd4cb3d03c733
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jul 4 14:05:46 2016 +1200

    schema: Make the fetch of the schema version fast

    Use the tdb_seqnum() to avoid needing locks to check if the schema has
    not changed

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 3175d5f4bfb399049ad6b8da2a1d578620b25802
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jul 5 16:01:38 2016 +1200

    ldb: Avoid use-after-free when one error message is printed into another

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 6e378546ce5dc0768c349b07453061241610f816
Author: Bob Campbell <bobcampb...@catalyst.net.nz>
Date:   Thu Jun 30 15:03:39 2016 +1200

    provision: Ignore duplicate attid and governsID check

    During the provision this causes a huge performance hit as these two
    attributes are unindexed.

    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Bob Campbell <bobcampb...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>

commit c76b0090ae03d2fabc500b03eb8d7076d6af762b
Author: Bob Campbell <bobcampb...@catalyst.net.nz>
Date:   Thu Jun 30 10:40:51 2016 +1200

    provision_fill: move GPO into transaction
    Signed-off-by: Bob Campbell <bobcampb...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>

commit 60375abe46b194490b6b878375488d3a1eb0a07c
Author: Bob Campbell <bobcampb...@catalyst.net.nz>
Date:   Wed Jun 29 16:54:06 2016 +1200

    provision_fill: move most db accesses into transactions

    Signed-off-by: Bob Campbell <bobcampb...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb.c                               |   6 +-
 python/samba/dbchecker.py                          |  10 +
 python/samba/provision/__init__.py                 | 424 +++++++++++----------
 python/samba/provision/sambadns.py                 |  56 +--
 selftest/knownfail                                 |   3 +
 source4/dsdb/pydsdb.c                              |   1 +
 source4/dsdb/repl/replicated_objects.c             |  80 +---
 source4/dsdb/samdb/ldb_modules/acl.c               |   2 -
 .../dsdb/samdb/ldb_modules/partition_metadata.c    |   2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c    |  35 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |  84 ++--
 source4/dsdb/samdb/ldb_modules/schema_load.c       | 145 ++++---
 source4/dsdb/samdb/samdb.h                         |   8 +-
 source4/dsdb/schema/schema.h                       |   5 -
 source4/dsdb/schema/schema_init.c                  |   6 -
 source4/dsdb/schema/schema_set.c                   |  25 +-
 source4/setup/schema_samba4.ldif                   |   1 +
 source4/torture/krb5/kdc-heimdal.c                 | 412 ++++++++++++++++----
 18 files changed, 751 insertions(+), 554 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c index 0f0f5ab..a824c7a 100644 --- a/lib/ldb/common/ldb.c +++ b/lib/ldb/common/ldb.c 
@@ -284,15 +284,17 @@ void ldb_set_errstring(struct ldb_context *ldb, const char *err_string) void ldb_asprintf_errstring(struct ldb_context *ldb, const char *format, ...) { va_list ap; - + char *old_err_string = NULL; if (ldb->err_string) { - talloc_free(ldb->err_string); + old_err_string = ldb->err_string; } va_start(ap, format); ldb->err_string = talloc_vasprintf(ldb, format, ap); va_end(ap); + TALLOC_FREE(old_err_string); + if (ldb->flags & LDB_FLG_ENABLE_TRACING) { ldb_debug(ldb, LDB_DEBUG_TRACE, "ldb_asprintf/set_errstring: %s", ldb->err_string); diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py index e652f86..039f841 100644 --- a/python/samba/dbchecker.py +++ b/python/samba/dbchecker.py @@ -142,6 +142,8 @@ class dbcheck(object): error_count += self.check_deleted_objects_containers() + self.attribute_or_class_ids = set() + for object in res: self.dn_set.add(str(object.dn)) error_count += self.check_object(object.dn, attrs=attrs) @@ -1557,6 +1559,14 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) self.err_doubled_userParameters(obj, attrname, obj[attrname]) continue + if attrname.lower() == 'attributeid' or attrname.lower() == 'governsid': + if obj[attrname][0] in self.attribute_or_class_ids: + error_count += 1 + self.report('Error: %s %s on %s already exists as an attributeId or governsId' + % (attrname, obj.dn, obj[attrname][0])) + else: + self.attribute_or_class_ids.add(obj[attrname][0]) + # check for empty attributes for val in obj[attrname]: if val == '': diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index b36a7d2..d21a22d 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -38,6 +38,7 @@ import socket import urllib import string import tempfile +import samba.dsdb import ldb 
@@ -1259,223 +1260,213 @@ def fill_samdb(samdb, lp, names, logger, policyguid, # before the provisioned tree exists and we connect samdb.set_ntds_settings_dn("CN=NTDS Settings,%s" % names.serverdn) - samdb.transaction_start() - try: - # Set the domain functionality levels onto the database. - # Various module (the password_hash module in particular) need - # to know what level of AD we are emulating. - - # These will be fixed into the database via the database - # modifictions below, but we need them set from the start. - samdb.set_opaque_integer("domainFunctionality", domainFunctionality) - samdb.set_opaque_integer("forestFunctionality", forestFunctionality) - samdb.set_opaque_integer("domainControllerFunctionality", - domainControllerFunctionality) - - samdb.set_domain_sid(str(names.domainsid)) - samdb.set_invocation_id(invocationid) - - logger.info("Adding DomainDN: %s" % names.domaindn) - - # impersonate domain admin - admin_session_info = admin_session(lp, str(names.domainsid)) - samdb.set_session_info(admin_session_info) - if names.domainguid is not None: - domainguid_line = "objectGUID: %s\n-" % names.domainguid - else: - domainguid_line = "" + # Set the domain functionality levels onto the database. + # Various module (the password_hash module in particular) need + # to know what level of AD we are emulating. - descr = b64encode(get_domain_descriptor(names.domainsid)) - setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), { - "DOMAINDN": names.domaindn, - "DOMAINSID": str(names.domainsid), - "DESCRIPTOR": descr, - "DOMAINGUID": domainguid_line - }) + # These will be fixed into the database via the database + # modifictions below, but we need them set from the start. 
+ samdb.set_opaque_integer("domainFunctionality", domainFunctionality) + samdb.set_opaque_integer("forestFunctionality", forestFunctionality) + samdb.set_opaque_integer("domainControllerFunctionality", + domainControllerFunctionality) - setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), { - "DOMAINDN": names.domaindn, - "CREATTIME": str(samba.unix2nttime(int(time.time()))), - "NEXTRID": str(next_rid), - "DEFAULTSITE": names.sitename, - "CONFIGDN": names.configdn, - "POLICYGUID": policyguid, - "DOMAIN_FUNCTIONALITY": str(domainFunctionality), - "SAMBA_VERSION_STRING": version - }) + samdb.set_domain_sid(str(names.domainsid)) + samdb.set_invocation_id(invocationid) - # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it - if fill == FILL_FULL: - logger.info("Adding configuration container") - descr = b64encode(get_config_descriptor(names.domainsid)) - setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), { - "CONFIGDN": names.configdn, - "DESCRIPTOR": descr, - }) - - # The LDIF here was created when the Schema object was constructed - logger.info("Setting up sam.ldb schema") - samdb.add_ldif(schema.schema_dn_add, controls=["relax:0"]) - samdb.modify_ldif(schema.schema_dn_modify) - samdb.write_prefixes_from_schema() - samdb.add_ldif(schema.schema_data, controls=["relax:0"]) - setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"), - {"SCHEMADN": names.schemadn}) - - # Now register this container in the root of the forest - msg = ldb.Message(ldb.Dn(samdb, names.domaindn)) - msg["subRefs"] = ldb.MessageElement(names.configdn , ldb.FLAG_MOD_ADD, - "subRefs") + logger.info("Adding DomainDN: %s" % names.domaindn) - except: - samdb.transaction_cancel() - raise + # impersonate domain admin + admin_session_info = admin_session(lp, str(names.domainsid)) + samdb.set_session_info(admin_session_info) + if names.domainguid is not None: + domainguid_line = "objectGUID: %s\n-" % names.domainguid else: 
- samdb.transaction_commit() + domainguid_line = "" - samdb.transaction_start() - try: - samdb.invocation_id = invocationid - - # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it - if fill == FILL_FULL: - logger.info("Setting up sam.ldb configuration data") - - partitions_descr = b64encode(get_config_partitions_descriptor(names.domainsid)) - sites_descr = b64encode(get_config_sites_descriptor(names.domainsid)) - ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(names.domainsid)) - protected1_descr = b64encode(get_config_delete_protected1_descriptor(names.domainsid)) - protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)) - protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid)) - - setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), { - "CONFIGDN": names.configdn, - "NETBIOSNAME": names.netbiosname, - "DEFAULTSITE": names.sitename, - "DNSDOMAIN": names.dnsdomain, - "DOMAIN": names.domain, - "SCHEMADN": names.schemadn, - "DOMAINDN": names.domaindn, - "SERVERDN": names.serverdn, - "FOREST_FUNCTIONALITY": str(forestFunctionality), - "DOMAIN_FUNCTIONALITY": str(domainFunctionality), - "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr, - "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr, - "SERVICES_DESCRIPTOR": protected1_descr, - "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr, - "FORESTUPDATES_DESCRIPTOR": protected1wd_descr, - "EXTENDEDRIGHTS_DESCRIPTOR": protected2_descr, - "PARTITIONS_DESCRIPTOR": partitions_descr, - "SITES_DESCRIPTOR": sites_descr, - }) - - logger.info("Setting up display specifiers") - display_specifiers_ldif = read_ms_ldif( - setup_path('display-specifiers/DisplaySpecifiers-Win2k8R2.txt')) - display_specifiers_ldif = substitute_var(display_specifiers_ldif, - {"CONFIGDN": names.configdn}) - check_all_substituted(display_specifiers_ldif) - samdb.add_ldif(display_specifiers_ldif) - - logger.info("Modifying display 
specifiers") - setup_modify_ldif(samdb, - setup_path("provision_configuration_modify.ldif"), { + descr = b64encode(get_domain_descriptor(names.domainsid)) + setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), { + "DOMAINDN": names.domaindn, + "DOMAINSID": str(names.domainsid), + "DESCRIPTOR": descr, + "DOMAINGUID": domainguid_line + }) + + setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), { + "DOMAINDN": names.domaindn, + "CREATTIME": str(samba.unix2nttime(int(time.time()))), + "NEXTRID": str(next_rid), + "DEFAULTSITE": names.sitename, + "CONFIGDN": names.configdn, + "POLICYGUID": policyguid, + "DOMAIN_FUNCTIONALITY": str(domainFunctionality), + "SAMBA_VERSION_STRING": version + }) + + # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it + if fill == FILL_FULL: + logger.info("Adding configuration container") + descr = b64encode(get_config_descriptor(names.domainsid)) + setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), { "CONFIGDN": names.configdn, - "DISPLAYSPECIFIERS_DESCRIPTOR": protected2_descr + "DESCRIPTOR": descr, }) - logger.info("Adding users container") - users_desc = b64encode(get_domain_users_descriptor(names.domainsid)) - setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), { - "DOMAINDN": names.domaindn, - "USERS_DESCRIPTOR": users_desc - }) - logger.info("Modifying users container") - setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), { - "DOMAINDN": names.domaindn}) - logger.info("Adding computers container") - computers_desc = b64encode(get_domain_computers_descriptor(names.domainsid)) - setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), { + # The LDIF here was created when the Schema object was constructed + ignore_checks_oid = "local_oid:%s:0" % samba.dsdb.DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID + logger.info("Setting up sam.ldb schema") + samdb.add_ldif(schema.schema_dn_add, + controls=["relax:0", 
ignore_checks_oid]) + samdb.modify_ldif(schema.schema_dn_modify, + controls=[ignore_checks_oid]) + samdb.write_prefixes_from_schema() + samdb.add_ldif(schema.schema_data, controls=["relax:0", ignore_checks_oid]) + setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"), + {"SCHEMADN": names.schemadn}, + controls=["relax:0", ignore_checks_oid]) + + # Now register this container in the root of the forest + msg = ldb.Message(ldb.Dn(samdb, names.domaindn)) + msg["subRefs"] = ldb.MessageElement(names.configdn , ldb.FLAG_MOD_ADD, + "subRefs") + + samdb.invocation_id = invocationid + + # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it + if fill == FILL_FULL: + logger.info("Setting up sam.ldb configuration data") + + partitions_descr = b64encode(get_config_partitions_descriptor(names.domainsid)) + sites_descr = b64encode(get_config_sites_descriptor(names.domainsid)) + ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(names.domainsid)) + protected1_descr = b64encode(get_config_delete_protected1_descriptor(names.domainsid)) + protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)) + protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid)) + + setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), { + "CONFIGDN": names.configdn, + "NETBIOSNAME": names.netbiosname, + "DEFAULTSITE": names.sitename, + "DNSDOMAIN": names.dnsdomain, + "DOMAIN": names.domain, + "SCHEMADN": names.schemadn, "DOMAINDN": names.domaindn, - "COMPUTERS_DESCRIPTOR": computers_desc + "SERVERDN": names.serverdn, + "FOREST_FUNCTIONALITY": str(forestFunctionality), + "DOMAIN_FUNCTIONALITY": str(domainFunctionality), + "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr, + "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr, + "SERVICES_DESCRIPTOR": protected1_descr, + "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr, + "FORESTUPDATES_DESCRIPTOR": protected1wd_descr, + 
"EXTENDEDRIGHTS_DESCRIPTOR": protected2_descr, + "PARTITIONS_DESCRIPTOR": partitions_descr, + "SITES_DESCRIPTOR": sites_descr, }) - logger.info("Modifying computers container") + + logger.info("Setting up display specifiers") + display_specifiers_ldif = read_ms_ldif( + setup_path('display-specifiers/DisplaySpecifiers-Win2k8R2.txt')) + display_specifiers_ldif = substitute_var(display_specifiers_ldif, + {"CONFIGDN": names.configdn}) + check_all_substituted(display_specifiers_ldif) + samdb.add_ldif(display_specifiers_ldif) + + logger.info("Modifying display specifiers") setup_modify_ldif(samdb, - setup_path("provision_computers_modify.ldif"), { - "DOMAINDN": names.domaindn}) - logger.info("Setting up sam.ldb data") - infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(names.domainsid)) - lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(names.domainsid)) - system_desc = b64encode(get_domain_delete_protected1_descriptor(names.domainsid)) - builtin_desc = b64encode(get_domain_builtin_descriptor(names.domainsid)) - controllers_desc = b64encode(get_domain_controllers_descriptor(names.domainsid)) - setup_add_ldif(samdb, setup_path("provision.ldif"), { - "CREATTIME": str(samba.unix2nttime(int(time.time()))), - "DOMAINDN": names.domaindn, - "NETBIOSNAME": names.netbiosname, - "DEFAULTSITE": names.sitename, + setup_path("provision_configuration_modify.ldif"), { "CONFIGDN": names.configdn, - "SERVERDN": names.serverdn, - "RIDAVAILABLESTART": str(next_rid + 600), - "POLICYGUID_DC": policyguid_dc, - "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc, - "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc, - "SYSTEM_DESCRIPTOR": system_desc, - "BUILTIN_DESCRIPTOR": builtin_desc, - "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc, + "DISPLAYSPECIFIERS_DESCRIPTOR": protected2_descr }) - # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it - if fill == FILL_FULL: - setup_modify_ldif(samdb, - 
setup_path("provision_configuration_references.ldif"), { - "CONFIGDN": names.configdn, - "SCHEMADN": names.schemadn}) + logger.info("Adding users container") + users_desc = b64encode(get_domain_users_descriptor(names.domainsid)) + setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), { + "DOMAINDN": names.domaindn, + "USERS_DESCRIPTOR": users_desc + }) + logger.info("Modifying users container") + setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), { + "DOMAINDN": names.domaindn}) + logger.info("Adding computers container") + computers_desc = b64encode(get_domain_computers_descriptor(names.domainsid)) + setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), { + "DOMAINDN": names.domaindn, + "COMPUTERS_DESCRIPTOR": computers_desc + }) + logger.info("Modifying computers container") + setup_modify_ldif(samdb, + setup_path("provision_computers_modify.ldif"), { + "DOMAINDN": names.domaindn}) + logger.info("Setting up sam.ldb data") + infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(names.domainsid)) + lostandfound_desc = b64encode(get_domain_delete_protected2_descriptor(names.domainsid)) + system_desc = b64encode(get_domain_delete_protected1_descriptor(names.domainsid)) + builtin_desc = b64encode(get_domain_builtin_descriptor(names.domainsid)) + controllers_desc = b64encode(get_domain_controllers_descriptor(names.domainsid)) + setup_add_ldif(samdb, setup_path("provision.ldif"), { + "CREATTIME": str(samba.unix2nttime(int(time.time()))), + "DOMAINDN": names.domaindn, + "NETBIOSNAME": names.netbiosname, + "DEFAULTSITE": names.sitename, + "CONFIGDN": names.configdn, + "SERVERDN": names.serverdn, + "RIDAVAILABLESTART": str(next_rid + 600), + "POLICYGUID_DC": policyguid_dc, + "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc, + "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc, + "SYSTEM_DESCRIPTOR": system_desc, + "BUILTIN_DESCRIPTOR": builtin_desc, + "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc, + }) - 
logger.info("Setting up well known security principals") - protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)) - setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), { + # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it + if fill == FILL_FULL: + setup_modify_ldif(samdb, + setup_path("provision_configuration_references.ldif"), { "CONFIGDN": names.configdn, - "WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr, - }) + "SCHEMADN": names.schemadn}) - if fill == FILL_FULL or fill == FILL_SUBDOMAIN: - setup_modify_ldif(samdb, - setup_path("provision_basedn_references.ldif"), - {"DOMAINDN": names.domaindn}) + logger.info("Setting up well known security principals") + protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)) + setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), { + "CONFIGDN": names.configdn, + "WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr, + }) - logger.info("Setting up sam.ldb users and groups") - setup_add_ldif(samdb, setup_path("provision_users.ldif"), { - "DOMAINDN": names.domaindn, - "DOMAINSID": str(names.domainsid), - "ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')), - "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le')) - }) + if fill == FILL_FULL or fill == FILL_SUBDOMAIN: + setup_modify_ldif(samdb, + setup_path("provision_basedn_references.ldif"), + {"DOMAINDN": names.domaindn}) - logger.info("Setting up self join") - setup_self_join(samdb, admin_session_info, names=names, fill=fill, - invocationid=invocationid, - dns_backend=dns_backend, - dnspass=dnspass, - machinepass=machinepass, - domainsid=names.domainsid, - next_rid=next_rid, - dc_rid=dc_rid, - policyguid=policyguid, - policyguid_dc=policyguid_dc, - domainControllerFunctionality=domainControllerFunctionality, - ntdsguid=ntdsguid) - - ntds_dn = "CN=NTDS Settings,%s" % names.serverdn - names.ntdsguid = 
samdb.searchone(basedn=ntds_dn, - attribute="objectGUID", expression="", scope=ldb.SCOPE_BASE) - assert isinstance(names.ntdsguid, str) - except: - samdb.transaction_cancel() - raise - else: - samdb.transaction_commit() - return samdb + logger.info("Setting up sam.ldb users and groups") + setup_add_ldif(samdb, setup_path("provision_users.ldif"), { + "DOMAINDN": names.domaindn, + "DOMAINSID": str(names.domainsid), + "ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')), + "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le')) + }) + + logger.info("Setting up self join") + setup_self_join(samdb, admin_session_info, names=names, fill=fill, + invocationid=invocationid, + dns_backend=dns_backend, + dnspass=dnspass, + machinepass=machinepass, + domainsid=names.domainsid, + next_rid=next_rid, + dc_rid=dc_rid, + policyguid=policyguid, + policyguid_dc=policyguid_dc, + domainControllerFunctionality=domainControllerFunctionality, + ntdsguid=ntdsguid) + + ntds_dn = "CN=NTDS Settings,%s" % names.serverdn + names.ntdsguid = samdb.searchone(basedn=ntds_dn, + attribute="objectGUID", expression="", scope=ldb.SCOPE_BASE) + assert isinstance(names.ntdsguid, str) + + return samdb SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" 
@@ -1783,22 +1774,32 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, if dnspass is None: dnspass = samba.generate_random_password(128, 255) - samdb = fill_samdb(samdb, lp, names, logger=logger, - schema=schema, - policyguid=policyguid, policyguid_dc=policyguid_dc, - fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass, - invocationid=invocationid, machinepass=machinepass, - dns_backend=dns_backend, dnspass=dnspass, - ntdsguid=ntdsguid, serverrole=serverrole, - dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc, - next_rid=next_rid, dc_rid=dc_rid) - - if serverrole == "active directory domain controller": + samdb.transaction_start() + try: + samdb = fill_samdb(samdb, lp, names, logger=logger, + schema=schema, + policyguid=policyguid, policyguid_dc=policyguid_dc, + fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass, + invocationid=invocationid, machinepass=machinepass, + dns_backend=dns_backend, dnspass=dnspass, + ntdsguid=ntdsguid, serverrole=serverrole, + dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc, -- Samba Shared Repository
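Review bot: in the lib/ldb/common/ldb.c hunk for ldb_asprintf_errstring(), an allocation failure now discards the previous error silently: if talloc_vasprintf() returns NULL, ldb->err_string is NULL and TALLOC_FREE(old_err_string) still runs, so the caller is left with no message at all. Consider freeing old_err_string only when the new string was allocated, and otherwise restoring it, e.g. `if (ldb->err_string == NULL) { ldb->err_string = old_err_string; } else { TALLOC_FREE(old_err_string); }`. The deferred free itself is the correct fix for the commit's use-after-free, since the va_list may carry a `%s` argument that points at the old ldb->err_string and talloc_vasprintf() reads it after the old code had already freed it. The extra blank `+` line after TALLOC_FREE() is whitespace-only churn.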
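Review bot: in the first python/samba/dbchecker.py hunk, `self.attribute_or_class_ids = set()` is created inside check_database() rather than in the constructor, but the second dbchecker.py hunk reads it from check_object(); any path that reaches check_object() without first passing through this loop will raise AttributeError. Initialise the set in `__init__` and keep the assignment here only as a reset for each full database pass.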
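Review bot: in the second python/samba/dbchecker.py hunk the report string's arguments are in the wrong order for its wording: `'Error: %s %s on %s already exists as an attributeId or governsId' % (attrname, obj.dn, obj[attrname][0])` prints the DN where the value belongs and the value where the DN belongs. Swap to `(attrname, obj[attrname][0], obj.dn)`. Minor: `attrname.lower()` is evaluated twice in the condition; bind it once. The check only reports and offers no repair, which is reasonable for a duplicate OID, but a short comment saying so would help the next reader.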
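Review bot: in the fill_samdb() hunk of python/samba/provision/__init__.py, removing the two inner transaction_start()/commit()/cancel() blocks means every caller must now hold a transaction across the whole function, yet nothing in fill_samdb() documents or asserts that; add a docstring line stating the requirement so a future caller does not run schema and configuration loads untransacted. Two points carried over in the moved lines: `msg = ldb.Message(ldb.Dn(samdb, names.domaindn))` with its `subRefs` element is built but never passed to samdb.modify() anywhere in the hunk, so either the modify is missing or those three lines are dead code; and the moved comment keeps the typos `Various module` and `modifictions`, which could be fixed while the lines are being touched.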
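Review bot: the provision_fill() hunk is cut off by the 500-line truncation immediately after the new `samdb.transaction_start()` / `try:`, so the matching `except:` that should call samdb.transaction_cancel() and the `else:` with samdb.transaction_commit() are not in this mail, and the review cannot confirm from here that a failure inside fill_samdb() or the later steps now inside the transaction rolls the database back instead of leaving the transaction open. Please check against the full commit. Note also that `samdb = fill_samdb(samdb, ...)` rebinds samdb inside the transaction; that is fine only as long as fill_samdb() keeps returning the same object it was given, which the end of the previous hunk (`return samdb`) shows it does.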
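As an added illustration of the ordering that the ldb commit 3175d5f enforces in ldb_asprintf_errstring() (this is example code written for this note, not ldb's own, and it uses plain malloc/free in place of talloc): the old message is kept alive until the new one has been formatted, because a `%s` argument may point at the old message itself. Freeing first, as the removed line did, would hand vsnprintf() a dangling pointer.

```c
/* Example (not Samba/ldb code): format a new error message that may quote
 * the previous one, without a use-after-free. Re-created with malloc/free
 * instead of talloc; struct and function names are this example's own. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct errctx {
	char *err_string;	/* current error message, heap-owned, may be NULL */
};

/* Set ctx->err_string from a printf-style format. The previous message is
 * released only after formatting, so arguments pointing at it stay valid
 * while vsnprintf() reads them. On allocation failure the old message is
 * kept rather than silently dropped. */
static void set_errstring_fmt(struct errctx *ctx, const char *fmt, ...)
{
	char *old = ctx->err_string;	/* keep; do not free yet */
	char *buf = NULL;
	va_list ap, ap2;
	int len;

	va_start(ap, fmt);
	va_copy(ap2, ap);
	len = vsnprintf(NULL, 0, fmt, ap);	/* may read 'old' through a %s */
	va_end(ap);

	if (len >= 0) {
		buf = malloc((size_t)len + 1);
		if (buf != NULL) {
			vsnprintf(buf, (size_t)len + 1, fmt, ap2);
		}
	}
	va_end(ap2);

	if (buf == NULL) {
		return;		/* formatting failed: leave the old message in place */
	}
	ctx->err_string = buf;
	free(old);		/* the equivalent of TALLOC_FREE(old_err_string) */
}

/* Build an inner error, then wrap it in an outer message that quotes it,
 * exactly the "one error message printed into another" case. Returns the
 * final message; the caller frees it. */
static char *wrap_error_example(void)
{
	struct errctx ctx = { NULL };

	set_errstring_fmt(&ctx, "schema load failed: %s", "missing attributeID");
	/* The %s argument here is the message this call replaces. */
	set_errstring_fmt(&ctx, "provision aborted: %s", ctx.err_string);
	return ctx.err_string;
}

int main(void)
{
	char *msg = wrap_error_example();

	printf("%s\n", msg);
	free(msg);
	return 0;
}
```

The ordering in set_errstring_fmt() is the whole point: save the old pointer, format, then free. Running the same function with the free moved before vsnprintf() is the bug the commit removes, and under AddressSanitizer it reports a heap-use-after-free on the `%s` read.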