The branch, master has been updated
       via  860d465 s4-torture: Add AES and RC4 enctype checks
       via  bc3473e s4-torture: Add torture_check_krb5_error() function
       via  51d2779 schema: Reorder dsdb_set_schema() to unlink the old schema last
       via  2a90606 dsdb: Remove 120 second delay and USN from schema refresh check
       via  5abcdd5 dsdb: Remove use of schema USN in samldb_add_handle_msDS_IntId
       via  bad502f schema: Make the fetch of the schema version fast
       via  3175d5f ldb: Avoid use-after-free when one error message is printed into another
       via  6e37854 provision: Ignore duplicate attid and governsID check
       via  c76b009 provision_fill: move GPO into transaction
       via  60375ab provision_fill: move most db accesses into transactions
      from  9ec9e6f ctdb-scripts: Quote some variable expansions

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 860d465e2bb4b52e7a32b4215e31756340c873bb
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Jul 4 13:18:03 2016 +0200

    s4-torture: Add AES and RC4 enctype checks
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Jul  6 19:06:19 CEST 2016 on sn-devel-144

commit bc3473e67cd0b958264f587cf807974c34ae6239
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Jul 4 09:47:10 2016 +0200

    s4-torture: Add torture_check_krb5_error() function
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 51d2779a60b0b5d358e0b3473324ce4b606d52b7
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jul 4 14:06:10 2016 +1200

    schema: Reorder dsdb_set_schema() to unlink the old schema last
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>

commit 2a9060641757937ad764685ec35507629ce6283e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 4 17:01:15 2016 +1200

    dsdb: Remove 120 second delay and USN from schema refresh check
    
    We now refresh it once the schema changes, so that replication can
    proceed right away.  We use the sequence number in the metadata.tdb.
    
    The previous commit added a cache for this value, protected by
    tdb_seqnum().
    
    metadata.tdb is now opened at startup to provide this support.
    
    Note that while still supported, schemaUpdateNow is essentially redundant:
    instead, to ensure we increment the sequence number correctly, we unify that check
    into repl_meta_data at the transaction close.
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>

commit 5abcdd56ba4f1b61b9421c81caa491e70c4881c4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jul 6 11:38:28 2016 +1200

    dsdb: Remove use of schema USN in samldb_add_handle_msDS_IntId
    
    This is not a frequent enough operation to warrant a cache, and the USN will be removed
    from the schema code shortly.
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>

commit bad502fd86185dc15d58c753baacd4cb3d03c733
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jul 4 14:05:46 2016 +1200

    schema: Make the fetch of the schema version fast
    
    Use the tdb_seqnum() to avoid needing locks to check if the schema has not changed
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 3175d5f4bfb399049ad6b8da2a1d578620b25802
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jul 5 16:01:38 2016 +1200

    ldb: Avoid use-after-free when one error message is printed into another
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>
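The defect this commit fixes is the "free the old message, then format the new one" ordering, which goes wrong as soon as a caller formats the current error string into its replacement (the error-wrapping idiom `ldb_asprintf_errstring(ldb, "outer: %s", ldb_errstring(ldb))`). What follows is an added illustration of that bug class and of the save-format-free fix; it is not code from Samba or ldb. It uses a plain malloc'd slot and vsnprintf in place of talloc, and `struct ctx`, `vformat()` and the two setter names are assumed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the error-string slot of a context object (assumed; not ldb's struct). */
struct ctx {
    char *err_string;
};

/* Format into a freshly malloc'd buffer; returns NULL on error. */
static char *vformat(const char *fmt, va_list ap)
{
    va_list ap2;
    int n;
    char *s;

    va_copy(ap2, ap);
    n = vsnprintf(NULL, 0, fmt, ap2);     /* reads every argument once to size the result */
    va_end(ap2);
    if (n < 0) {
        return NULL;
    }
    s = malloc((size_t)n + 1);
    if (s == NULL) {
        return NULL;
    }
    vsnprintf(s, (size_t)n + 1, fmt, ap); /* ...and once more to fill it */
    return s;
}

/* BUGGY ordering: the old message is freed before the new one is formatted.
 * If any argument in `ap` points into c->err_string (the "wrap the current
 * error" idiom), both vsnprintf passes read freed memory. Present only to
 * show the shape of the bug; nothing below calls it. */
void set_errstring_buggy(struct ctx *c, const char *fmt, ...)
{
    va_list ap;

    free(c->err_string);
    c->err_string = NULL;
    va_start(ap, fmt);
    c->err_string = vformat(fmt, ap);     /* use-after-free if fmt args alias the old string */
    va_end(ap);
}

/* FIXED ordering: keep the old pointer alive until the new string exists,
 * then free it. This is the reordering the ldb_asprintf_errstring() hunk applies. */
static void set_errstring_fixed(struct ctx *c, const char *fmt, ...)
{
    va_list ap;
    char *old = c->err_string;

    va_start(ap, fmt);
    c->err_string = vformat(fmt, ap);
    va_end(ap);
    free(old);                            /* safe: no argument is read after this point */
}

/* Wrap an existing message in a new one using the fixed setter.
 * Returns 1 if the inner text survived intact, 0 otherwise. */
int wrap_preserves_inner_message(void)
{
    struct ctx c = { NULL };
    int ok;

    set_errstring_fixed(&c, "inner failure: %s", "NO_SUCH_OBJECT");
    set_errstring_fixed(&c, "outer: %s", c.err_string);   /* the dangerous call shape */
    ok = c.err_string != NULL &&
         strcmp(c.err_string, "outer: inner failure: NO_SUCH_OBJECT") == 0;
    free(c.err_string);
    return ok;
}

int main(void)
{
    printf("%s\n", wrap_preserves_inner_message() ? "ok" : "FAIL");
    return 0;
}
```

Build with `-fsanitize=address` and call `set_errstring_buggy()` in the same wrapping shape to watch the sizing pass of vsnprintf fault on the freed buffer; the fixed variant is clean under the same call because the old allocation outlives every read of the arguments.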

commit 6e378546ce5dc0768c349b07453061241610f816
Author: Bob Campbell <bobcampb...@catalyst.net.nz>
Date:   Thu Jun 30 15:03:39 2016 +1200

    provision: Ignore duplicate attid and governsID check
    
    During the provision this causes a huge performance hit as these two
    attributes are unindexed.
    
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Bob Campbell <bobcampb...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>

commit c76b0090ae03d2fabc500b03eb8d7076d6af762b
Author: Bob Campbell <bobcampb...@catalyst.net.nz>
Date:   Thu Jun 30 10:40:51 2016 +1200

    provision_fill: move GPO into transaction
    
    Signed-off-by: Bob Campbell <bobcampb...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>

commit 60375abe46b194490b6b878375488d3a1eb0a07c
Author: Bob Campbell <bobcampb...@catalyst.net.nz>
Date:   Wed Jun 29 16:54:06 2016 +1200

    provision_fill: move most db accesses into transactions
    
    Signed-off-by: Bob Campbell <bobcampb...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb.c                               |   6 +-
 python/samba/dbchecker.py                          |  10 +
 python/samba/provision/__init__.py                 | 424 +++++++++++----------
 python/samba/provision/sambadns.py                 |  56 +--
 selftest/knownfail                                 |   3 +
 source4/dsdb/pydsdb.c                              |   1 +
 source4/dsdb/repl/replicated_objects.c             |  80 +---
 source4/dsdb/samdb/ldb_modules/acl.c               |   2 -
 .../dsdb/samdb/ldb_modules/partition_metadata.c    |   2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c    |  35 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |  84 ++--
 source4/dsdb/samdb/ldb_modules/schema_load.c       | 145 ++++---
 source4/dsdb/samdb/samdb.h                         |   8 +-
 source4/dsdb/schema/schema.h                       |   5 -
 source4/dsdb/schema/schema_init.c                  |   6 -
 source4/dsdb/schema/schema_set.c                   |  25 +-
 source4/setup/schema_samba4.ldif                   |   1 +
 source4/torture/krb5/kdc-heimdal.c                 | 412 ++++++++++++++++----
 18 files changed, 751 insertions(+), 554 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb.c b/lib/ldb/common/ldb.c
index 0f0f5ab..a824c7a 100644
--- a/lib/ldb/common/ldb.c
+++ b/lib/ldb/common/ldb.c
@@ -284,15 +284,17 @@ void ldb_set_errstring(struct ldb_context *ldb, const 
char *err_string)
 void ldb_asprintf_errstring(struct ldb_context *ldb, const char *format, ...)
 {
        va_list ap;
-
+       char *old_err_string = NULL;
        if (ldb->err_string) {
-               talloc_free(ldb->err_string);
+               old_err_string = ldb->err_string;
        }
 
        va_start(ap, format);
        ldb->err_string = talloc_vasprintf(ldb, format, ap);
        va_end(ap);
 
+       TALLOC_FREE(old_err_string);
+       
        if (ldb->flags & LDB_FLG_ENABLE_TRACING) {
                ldb_debug(ldb, LDB_DEBUG_TRACE, "ldb_asprintf/set_errstring: 
%s",
                          ldb->err_string);
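Review bot: the `if (ldb->err_string)` guard around `old_err_string = ldb->err_string;` is now redundant, since copying a NULL pointer and handing it to TALLOC_FREE() are both safe; dropping the guard leaves a plain save, format, free sequence that reads more clearly. The blank line added after `TALLOC_FREE(old_err_string);` also carries trailing whitespace and should be empty. The reordering itself is the right fix for the use-after-free: a caller that passes the current error string (e.g. via ldb_errstring()) as a format argument now has that buffer alive until talloc_vasprintf() returns.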
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index e652f86..039f841 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -142,6 +142,8 @@ class dbcheck(object):
 
         error_count += self.check_deleted_objects_containers()
 
+        self.attribute_or_class_ids = set()
+
         for object in res:
             self.dn_set.add(str(object.dn))
             error_count += self.check_object(object.dn, attrs=attrs)
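Review bot: `self.attribute_or_class_ids = set()` is initialised in the middle of the database walk rather than in the class constructor, so the new branch in check_object() that reads `self.attribute_or_class_ids` raises AttributeError whenever check_object() is reached without passing through this loop first. Initialise the attribute in __init__() and, if a fresh set per run is wanted, reset it here.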
@@ -1557,6 +1559,14 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), 
str(to_base)))
                     self.err_doubled_userParameters(obj, attrname, 
obj[attrname])
                     continue
 
+            if attrname.lower() == 'attributeid' or attrname.lower() == 
'governsid':
+                if obj[attrname][0] in self.attribute_or_class_ids:
+                    error_count += 1
+                    self.report('Error: %s %s on %s already exists as an 
attributeId or governsId'
+                                % (attrname, obj.dn, obj[attrname][0]))
+                else:
+                    self.attribute_or_class_ids.add(obj[attrname][0])
+
             # check for empty attributes
             for val in obj[attrname]:
                 if val == '':
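Review bot: the format arguments of the duplicate report are in the wrong order for the message text: `'Error: %s %s on %s already exists as an attributeId or governsId' % (attrname, obj.dn, obj[attrname][0])` renders the DN where the OID value belongs and the value where the DN belongs (e.g. "attributeID CN=...,CN=Schema,... on 1.2.840..."). Swap the last two arguments so the message reads "attributeID <oid> on <dn>".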
diff --git a/python/samba/provision/__init__.py 
b/python/samba/provision/__init__.py
index b36a7d2..d21a22d 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -38,6 +38,7 @@ import socket
 import urllib
 import string
 import tempfile
+import samba.dsdb
 
 import ldb
 
@@ -1259,223 +1260,213 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
     # before the provisioned tree exists and we connect
     samdb.set_ntds_settings_dn("CN=NTDS Settings,%s" % names.serverdn)
 
-    samdb.transaction_start()
-    try:
-        # Set the domain functionality levels onto the database.
-        # Various module (the password_hash module in particular) need
-        # to know what level of AD we are emulating.
-
-        # These will be fixed into the database via the database
-        # modifictions below, but we need them set from the start.
-        samdb.set_opaque_integer("domainFunctionality", domainFunctionality)
-        samdb.set_opaque_integer("forestFunctionality", forestFunctionality)
-        samdb.set_opaque_integer("domainControllerFunctionality",
-            domainControllerFunctionality)
-
-        samdb.set_domain_sid(str(names.domainsid))
-        samdb.set_invocation_id(invocationid)
-
-        logger.info("Adding DomainDN: %s" % names.domaindn)
-
-        # impersonate domain admin
-        admin_session_info = admin_session(lp, str(names.domainsid))
-        samdb.set_session_info(admin_session_info)
-        if names.domainguid is not None:
-            domainguid_line = "objectGUID: %s\n-" % names.domainguid
-        else:
-            domainguid_line = ""
+    # Set the domain functionality levels onto the database.
+    # Various module (the password_hash module in particular) need
+    # to know what level of AD we are emulating.
 
-        descr = b64encode(get_domain_descriptor(names.domainsid))
-        setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
-                "DOMAINDN": names.domaindn,
-                "DOMAINSID": str(names.domainsid),
-                "DESCRIPTOR": descr,
-                "DOMAINGUID": domainguid_line
-                })
+    # These will be fixed into the database via the database
+    # modifictions below, but we need them set from the start.
+    samdb.set_opaque_integer("domainFunctionality", domainFunctionality)
+    samdb.set_opaque_integer("forestFunctionality", forestFunctionality)
+    samdb.set_opaque_integer("domainControllerFunctionality",
+        domainControllerFunctionality)
 
-        setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
-            "DOMAINDN": names.domaindn,
-            "CREATTIME": str(samba.unix2nttime(int(time.time()))),
-            "NEXTRID": str(next_rid),
-            "DEFAULTSITE": names.sitename,
-            "CONFIGDN": names.configdn,
-            "POLICYGUID": policyguid,
-            "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
-            "SAMBA_VERSION_STRING": version
-            })
+    samdb.set_domain_sid(str(names.domainsid))
+    samdb.set_invocation_id(invocationid)
 
-        # If we are setting up a subdomain, then this has been replicated in, 
so we don't need to add it
-        if fill == FILL_FULL:
-            logger.info("Adding configuration container")
-            descr = b64encode(get_config_descriptor(names.domainsid))
-            setup_add_ldif(samdb, 
setup_path("provision_configuration_basedn.ldif"), {
-                    "CONFIGDN": names.configdn,
-                    "DESCRIPTOR": descr,
-                    })
-
-            # The LDIF here was created when the Schema object was constructed
-            logger.info("Setting up sam.ldb schema")
-            samdb.add_ldif(schema.schema_dn_add, controls=["relax:0"])
-            samdb.modify_ldif(schema.schema_dn_modify)
-            samdb.write_prefixes_from_schema()
-            samdb.add_ldif(schema.schema_data, controls=["relax:0"])
-            setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"),
-                           {"SCHEMADN": names.schemadn})
-
-        # Now register this container in the root of the forest
-        msg = ldb.Message(ldb.Dn(samdb, names.domaindn))
-        msg["subRefs"] = ldb.MessageElement(names.configdn , ldb.FLAG_MOD_ADD,
-                    "subRefs")
+    logger.info("Adding DomainDN: %s" % names.domaindn)
 
-    except:
-        samdb.transaction_cancel()
-        raise
+    # impersonate domain admin
+    admin_session_info = admin_session(lp, str(names.domainsid))
+    samdb.set_session_info(admin_session_info)
+    if names.domainguid is not None:
+        domainguid_line = "objectGUID: %s\n-" % names.domainguid
     else:
-        samdb.transaction_commit()
+        domainguid_line = ""
 
-    samdb.transaction_start()
-    try:
-        samdb.invocation_id = invocationid
-
-        # If we are setting up a subdomain, then this has been replicated in, 
so we don't need to add it
-        if fill == FILL_FULL:
-            logger.info("Setting up sam.ldb configuration data")
-
-            partitions_descr = 
b64encode(get_config_partitions_descriptor(names.domainsid))
-            sites_descr = 
b64encode(get_config_sites_descriptor(names.domainsid))
-            ntdsquotas_descr = 
b64encode(get_config_ntds_quotas_descriptor(names.domainsid))
-            protected1_descr = 
b64encode(get_config_delete_protected1_descriptor(names.domainsid))
-            protected1wd_descr = 
b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
-            protected2_descr = 
b64encode(get_config_delete_protected2_descriptor(names.domainsid))
-
-            setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
-                    "CONFIGDN": names.configdn,
-                    "NETBIOSNAME": names.netbiosname,
-                    "DEFAULTSITE": names.sitename,
-                    "DNSDOMAIN": names.dnsdomain,
-                    "DOMAIN": names.domain,
-                    "SCHEMADN": names.schemadn,
-                    "DOMAINDN": names.domaindn,
-                    "SERVERDN": names.serverdn,
-                    "FOREST_FUNCTIONALITY": str(forestFunctionality),
-                    "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
-                    "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
-                    "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
-                    "SERVICES_DESCRIPTOR": protected1_descr,
-                    "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
-                    "FORESTUPDATES_DESCRIPTOR": protected1wd_descr,
-                    "EXTENDEDRIGHTS_DESCRIPTOR": protected2_descr,
-                    "PARTITIONS_DESCRIPTOR": partitions_descr,
-                    "SITES_DESCRIPTOR": sites_descr,
-                    })
-
-            logger.info("Setting up display specifiers")
-            display_specifiers_ldif = read_ms_ldif(
-                
setup_path('display-specifiers/DisplaySpecifiers-Win2k8R2.txt'))
-            display_specifiers_ldif = substitute_var(display_specifiers_ldif,
-                                                     {"CONFIGDN": 
names.configdn})
-            check_all_substituted(display_specifiers_ldif)
-            samdb.add_ldif(display_specifiers_ldif)
-
-            logger.info("Modifying display specifiers")
-            setup_modify_ldif(samdb,
-                setup_path("provision_configuration_modify.ldif"), {
+    descr = b64encode(get_domain_descriptor(names.domainsid))
+    setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
+            "DOMAINDN": names.domaindn,
+            "DOMAINSID": str(names.domainsid),
+            "DESCRIPTOR": descr,
+            "DOMAINGUID": domainguid_line
+            })
+
+    setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
+        "DOMAINDN": names.domaindn,
+        "CREATTIME": str(samba.unix2nttime(int(time.time()))),
+        "NEXTRID": str(next_rid),
+        "DEFAULTSITE": names.sitename,
+        "CONFIGDN": names.configdn,
+        "POLICYGUID": policyguid,
+        "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
+        "SAMBA_VERSION_STRING": version
+        })
+
+    # If we are setting up a subdomain, then this has been replicated in, so 
we don't need to add it
+    if fill == FILL_FULL:
+        logger.info("Adding configuration container")
+        descr = b64encode(get_config_descriptor(names.domainsid))
+        setup_add_ldif(samdb, 
setup_path("provision_configuration_basedn.ldif"), {
                 "CONFIGDN": names.configdn,
-                "DISPLAYSPECIFIERS_DESCRIPTOR": protected2_descr
+                "DESCRIPTOR": descr,
                 })
 
-        logger.info("Adding users container")
-        users_desc = b64encode(get_domain_users_descriptor(names.domainsid))
-        setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
-                "DOMAINDN": names.domaindn,
-                "USERS_DESCRIPTOR": users_desc
-                })
-        logger.info("Modifying users container")
-        setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
-                "DOMAINDN": names.domaindn})
-        logger.info("Adding computers container")
-        computers_desc = 
b64encode(get_domain_computers_descriptor(names.domainsid))
-        setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
+        # The LDIF here was created when the Schema object was constructed
+        ignore_checks_oid = "local_oid:%s:0" % 
samba.dsdb.DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID
+        logger.info("Setting up sam.ldb schema")
+        samdb.add_ldif(schema.schema_dn_add,
+                       controls=["relax:0", ignore_checks_oid])
+        samdb.modify_ldif(schema.schema_dn_modify,
+                          controls=[ignore_checks_oid])
+        samdb.write_prefixes_from_schema()
+        samdb.add_ldif(schema.schema_data, controls=["relax:0", 
ignore_checks_oid])
+        setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"),
+                       {"SCHEMADN": names.schemadn},
+                       controls=["relax:0", ignore_checks_oid])
+
+    # Now register this container in the root of the forest
+    msg = ldb.Message(ldb.Dn(samdb, names.domaindn))
+    msg["subRefs"] = ldb.MessageElement(names.configdn , ldb.FLAG_MOD_ADD,
+                "subRefs")
+
+    samdb.invocation_id = invocationid
+
+    # If we are setting up a subdomain, then this has been replicated in, so 
we don't need to add it
+    if fill == FILL_FULL:
+        logger.info("Setting up sam.ldb configuration data")
+
+        partitions_descr = 
b64encode(get_config_partitions_descriptor(names.domainsid))
+        sites_descr = b64encode(get_config_sites_descriptor(names.domainsid))
+        ntdsquotas_descr = 
b64encode(get_config_ntds_quotas_descriptor(names.domainsid))
+        protected1_descr = 
b64encode(get_config_delete_protected1_descriptor(names.domainsid))
+        protected1wd_descr = 
b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
+        protected2_descr = 
b64encode(get_config_delete_protected2_descriptor(names.domainsid))
+
+        setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
+                "CONFIGDN": names.configdn,
+                "NETBIOSNAME": names.netbiosname,
+                "DEFAULTSITE": names.sitename,
+                "DNSDOMAIN": names.dnsdomain,
+                "DOMAIN": names.domain,
+                "SCHEMADN": names.schemadn,
                 "DOMAINDN": names.domaindn,
-                "COMPUTERS_DESCRIPTOR": computers_desc
+                "SERVERDN": names.serverdn,
+                "FOREST_FUNCTIONALITY": str(forestFunctionality),
+                "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
+                "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
+                "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
+                "SERVICES_DESCRIPTOR": protected1_descr,
+                "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
+                "FORESTUPDATES_DESCRIPTOR": protected1wd_descr,
+                "EXTENDEDRIGHTS_DESCRIPTOR": protected2_descr,
+                "PARTITIONS_DESCRIPTOR": partitions_descr,
+                "SITES_DESCRIPTOR": sites_descr,
                 })
-        logger.info("Modifying computers container")
+
+        logger.info("Setting up display specifiers")
+        display_specifiers_ldif = read_ms_ldif(
+            setup_path('display-specifiers/DisplaySpecifiers-Win2k8R2.txt'))
+        display_specifiers_ldif = substitute_var(display_specifiers_ldif,
+                                                 {"CONFIGDN": names.configdn})
+        check_all_substituted(display_specifiers_ldif)
+        samdb.add_ldif(display_specifiers_ldif)
+
+        logger.info("Modifying display specifiers")
         setup_modify_ldif(samdb,
-            setup_path("provision_computers_modify.ldif"), {
-                "DOMAINDN": names.domaindn})
-        logger.info("Setting up sam.ldb data")
-        infrastructure_desc = 
b64encode(get_domain_infrastructure_descriptor(names.domainsid))
-        lostandfound_desc = 
b64encode(get_domain_delete_protected2_descriptor(names.domainsid))
-        system_desc = 
b64encode(get_domain_delete_protected1_descriptor(names.domainsid))
-        builtin_desc = 
b64encode(get_domain_builtin_descriptor(names.domainsid))
-        controllers_desc = 
b64encode(get_domain_controllers_descriptor(names.domainsid))
-        setup_add_ldif(samdb, setup_path("provision.ldif"), {
-            "CREATTIME": str(samba.unix2nttime(int(time.time()))),
-            "DOMAINDN": names.domaindn,
-            "NETBIOSNAME": names.netbiosname,
-            "DEFAULTSITE": names.sitename,
+            setup_path("provision_configuration_modify.ldif"), {
             "CONFIGDN": names.configdn,
-            "SERVERDN": names.serverdn,
-            "RIDAVAILABLESTART": str(next_rid + 600),
-            "POLICYGUID_DC": policyguid_dc,
-            "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
-            "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
-            "SYSTEM_DESCRIPTOR": system_desc,
-            "BUILTIN_DESCRIPTOR": builtin_desc,
-            "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc,
+            "DISPLAYSPECIFIERS_DESCRIPTOR": protected2_descr
             })
 
-        # If we are setting up a subdomain, then this has been replicated in, 
so we don't need to add it
-        if fill == FILL_FULL:
-            setup_modify_ldif(samdb,
-                              
setup_path("provision_configuration_references.ldif"), {
-                    "CONFIGDN": names.configdn,
-                    "SCHEMADN": names.schemadn})
+    logger.info("Adding users container")
+    users_desc = b64encode(get_domain_users_descriptor(names.domainsid))
+    setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
+            "DOMAINDN": names.domaindn,
+            "USERS_DESCRIPTOR": users_desc
+            })
+    logger.info("Modifying users container")
+    setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
+            "DOMAINDN": names.domaindn})
+    logger.info("Adding computers container")
+    computers_desc = 
b64encode(get_domain_computers_descriptor(names.domainsid))
+    setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
+            "DOMAINDN": names.domaindn,
+            "COMPUTERS_DESCRIPTOR": computers_desc
+            })
+    logger.info("Modifying computers container")
+    setup_modify_ldif(samdb,
+        setup_path("provision_computers_modify.ldif"), {
+            "DOMAINDN": names.domaindn})
+    logger.info("Setting up sam.ldb data")
+    infrastructure_desc = 
b64encode(get_domain_infrastructure_descriptor(names.domainsid))
+    lostandfound_desc = 
b64encode(get_domain_delete_protected2_descriptor(names.domainsid))
+    system_desc = 
b64encode(get_domain_delete_protected1_descriptor(names.domainsid))
+    builtin_desc = b64encode(get_domain_builtin_descriptor(names.domainsid))
+    controllers_desc = 
b64encode(get_domain_controllers_descriptor(names.domainsid))
+    setup_add_ldif(samdb, setup_path("provision.ldif"), {
+        "CREATTIME": str(samba.unix2nttime(int(time.time()))),
+        "DOMAINDN": names.domaindn,
+        "NETBIOSNAME": names.netbiosname,
+        "DEFAULTSITE": names.sitename,
+        "CONFIGDN": names.configdn,
+        "SERVERDN": names.serverdn,
+        "RIDAVAILABLESTART": str(next_rid + 600),
+        "POLICYGUID_DC": policyguid_dc,
+        "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
+        "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
+        "SYSTEM_DESCRIPTOR": system_desc,
+        "BUILTIN_DESCRIPTOR": builtin_desc,
+        "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc,
+        })
 
-            logger.info("Setting up well known security principals")
-            protected1wd_descr = 
b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
-            setup_add_ldif(samdb, 
setup_path("provision_well_known_sec_princ.ldif"), {
+    # If we are setting up a subdomain, then this has been replicated in, so 
we don't need to add it
+    if fill == FILL_FULL:
+        setup_modify_ldif(samdb,
+                          
setup_path("provision_configuration_references.ldif"), {
                 "CONFIGDN": names.configdn,
-                "WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
-                })
+                "SCHEMADN": names.schemadn})
 
-        if fill == FILL_FULL or fill == FILL_SUBDOMAIN:
-            setup_modify_ldif(samdb,
-                              setup_path("provision_basedn_references.ldif"),
-                              {"DOMAINDN": names.domaindn})
+        logger.info("Setting up well known security principals")
+        protected1wd_descr = 
b64encode(get_config_delete_protected1wd_descriptor(names.domainsid))
+        setup_add_ldif(samdb, 
setup_path("provision_well_known_sec_princ.ldif"), {
+            "CONFIGDN": names.configdn,
+            "WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
+            })
 
-            logger.info("Setting up sam.ldb users and groups")
-            setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
-                "DOMAINDN": names.domaindn,
-                "DOMAINSID": str(names.domainsid),
-                "ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')),
-                "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
-                })
+    if fill == FILL_FULL or fill == FILL_SUBDOMAIN:
+        setup_modify_ldif(samdb,
+                          setup_path("provision_basedn_references.ldif"),
+                          {"DOMAINDN": names.domaindn})
 
-            logger.info("Setting up self join")
-            setup_self_join(samdb, admin_session_info, names=names, fill=fill,
-                invocationid=invocationid,
-                dns_backend=dns_backend,
-                dnspass=dnspass,
-                machinepass=machinepass,
-                domainsid=names.domainsid,
-                next_rid=next_rid,
-                dc_rid=dc_rid,
-                policyguid=policyguid,
-                policyguid_dc=policyguid_dc,
-                domainControllerFunctionality=domainControllerFunctionality,
-                ntdsguid=ntdsguid)
-
-            ntds_dn = "CN=NTDS Settings,%s" % names.serverdn
-            names.ntdsguid = samdb.searchone(basedn=ntds_dn,
-                attribute="objectGUID", expression="", scope=ldb.SCOPE_BASE)
-            assert isinstance(names.ntdsguid, str)
-    except:
-        samdb.transaction_cancel()
-        raise
-    else:
-        samdb.transaction_commit()
-        return samdb
+        logger.info("Setting up sam.ldb users and groups")
+        setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
+            "DOMAINDN": names.domaindn,
+            "DOMAINSID": str(names.domainsid),
+            "ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')),
+            "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
+            })
+
+        logger.info("Setting up self join")
+        setup_self_join(samdb, admin_session_info, names=names, fill=fill,
+            invocationid=invocationid,
+            dns_backend=dns_backend,
+            dnspass=dnspass,
+            machinepass=machinepass,
+            domainsid=names.domainsid,
+            next_rid=next_rid,
+            dc_rid=dc_rid,
+            policyguid=policyguid,
+            policyguid_dc=policyguid_dc,
+            domainControllerFunctionality=domainControllerFunctionality,
+            ntdsguid=ntdsguid)
+
+        ntds_dn = "CN=NTDS Settings,%s" % names.serverdn
+        names.ntdsguid = samdb.searchone(basedn=ntds_dn,
+            attribute="objectGUID", expression="", scope=ldb.SCOPE_BASE)
+        assert isinstance(names.ntdsguid, str)
+
+    return samdb
 
 
 SYSVOL_ACL = 
"O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
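Review bot: `msg` built for the subRefs registration (`msg["subRefs"] = ldb.MessageElement(names.configdn , ldb.FLAG_MOD_ADD, "subRefs")`) is still never passed to samdb.modify(), so the move carries dead code over from the old transaction block; either apply the message or delete those three lines (and the stray space before the comma). Separately, with transaction_start()/transaction_commit() removed from fill_samdb(), `samdb.invocation_id = invocationid` and everything after it now run inside whichever transaction the caller opened, so the ordering the old commit boundary gave (domain DN and schema committed before the configuration data is added) is gone; that is the intent of the change, but fill_samdb() should document that it now requires the caller to hold an open transaction.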
@@ -1783,22 +1774,32 @@ def provision_fill(samdb, secrets_ldb, logger, names, 
paths,
     if dnspass is None:
         dnspass = samba.generate_random_password(128, 255)
 
-    samdb = fill_samdb(samdb, lp, names, logger=logger,
-                   schema=schema,
-                   policyguid=policyguid, policyguid_dc=policyguid_dc,
-                   fill=samdb_fill, adminpass=adminpass, krbtgtpass=krbtgtpass,
-                   invocationid=invocationid, machinepass=machinepass,
-                   dns_backend=dns_backend, dnspass=dnspass,
-                   ntdsguid=ntdsguid, serverrole=serverrole,
-                   dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
-                   next_rid=next_rid, dc_rid=dc_rid)
-
-    if serverrole == "active directory domain controller":
+    samdb.transaction_start()
+    try:
+        samdb = fill_samdb(samdb, lp, names, logger=logger,
+                       schema=schema,
+                       policyguid=policyguid, policyguid_dc=policyguid_dc,
+                       fill=samdb_fill, adminpass=adminpass, 
krbtgtpass=krbtgtpass,
+                       invocationid=invocationid, machinepass=machinepass,
+                       dns_backend=dns_backend, dnspass=dnspass,
+                       ntdsguid=ntdsguid, serverrole=serverrole,
+                       dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
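Review bot: the hunk is cut off by the 500-line truncation right after `samdb.transaction_start()` / `try:`, so the matching `except: samdb.transaction_cancel(); raise` and `else: samdb.transaction_commit()` that the removed fill_samdb() code had cannot be confirmed from this mail. Check the full commit that provision_fill() cancels on any exception, otherwise a failed provision leaves sam.ldb partially written inside an open transaction.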


-- 
Samba Shared Repository
