The branch, v4-20-stable has been updated via 964c0e97e7a VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc4 release. via f485def8104 WHATSNEW: Add release notes for Samba 4.20.0rc4. via 03b6dae6630 python:gp: Implement client site lookup in site_dn_for_machine() via e51e72dd14a librpc:idl: Make netlogon_samlogon_response public via a09d0ba6eb2 VERSION: Bump version up to Samba 4.20.0rc4... from 17bab5c0774 VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc3 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 9 +++++- librpc/idl/nbt.idl | 2 +- librpc/ndr/ndr_nbt.c | 2 +- librpc/ndr/ndr_nbt.h | 2 +- python/samba/gp/gpclass.py | 68 ++++++++++++++++++++++++++++++---------------- 6 files changed, 57 insertions(+), 28 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index efcf3f379e6..fcee8581107 100644 --- a/VERSION +++ b/VERSION @@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # ######################################################## -SAMBA_VERSION_RC_RELEASE=3 +SAMBA_VERSION_RC_RELEASE=4 ######################################################## # To mark SVN snapshots this should be set to 'yes' # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index f540dc555c0..dd80f116a10 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements ===================== -This is the third release candidate of Samba 4.20. This is *not* +This is the fourth release candidate of Samba 4.20. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -214,6 +214,13 @@ smb.conf changes acl claims evaluation new AD DC only +CHANGES SINCE 4.20.0rc3 +======================= + +o Andreas Schneider <a...@samba.org> + * BUG 15588: samba-gpupdate: Correctly implement site support. + + CHANGES SINCE 4.20.0rc2 ======================= diff --git a/librpc/idl/nbt.idl b/librpc/idl/nbt.idl index 11814e7970e..46be2eae7e2 100644 --- a/librpc/idl/nbt.idl +++ b/librpc/idl/nbt.idl 
@@ -490,7 +490,7 @@ interface nbt [case(NETLOGON_NT_VERSION_5EX)] NETLOGON_SAM_LOGON_RESPONSE_EX nt5_ex; } netlogon_samlogon_response_union; - typedef [nopush,nopull] struct { + typedef [nopush,nopull,noprint,public] struct { uint32 ntver; [switch_is(ntver)] netlogon_samlogon_response_union data; } netlogon_samlogon_response; diff --git a/librpc/ndr/ndr_nbt.c b/librpc/ndr/ndr_nbt.c index eb186810785..6f54198ffbc 100644 --- a/librpc/ndr/ndr_nbt.c +++ b/librpc/ndr/ndr_nbt.c @@ -392,7 +392,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netlogon_samlogon_response(struct ndr_pull * return NDR_ERR_SUCCESS; } -_PUBLIC_ void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, struct netlogon_samlogon_response *r) +_PUBLIC_ void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, const struct netlogon_samlogon_response *r) { ndr_print_struct(ndr, name, "netlogon_samlogon_response"); if (r == NULL) { ndr_print_null(ndr); return; } diff --git a/librpc/ndr/ndr_nbt.h b/librpc/ndr/ndr_nbt.h index c38422fff6b..00ee8a17364 100644 --- a/librpc/ndr/ndr_nbt.h +++ b/librpc/ndr/ndr_nbt.h @@ -37,6 +37,6 @@ enum ndr_err_code ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags(struct ndr_ uint32_t nt_version_flags); enum ndr_err_code ndr_push_netlogon_samlogon_response(struct ndr_push *ndr, ndr_flags_type ndr_flags, const struct netlogon_samlogon_response *r); enum ndr_err_code ndr_pull_netlogon_samlogon_response(struct ndr_pull *ndr, ndr_flags_type ndr_flags, struct netlogon_samlogon_response *r); -void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, struct netlogon_samlogon_response *r); +void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, const struct netlogon_samlogon_response *r); #endif /* _LIBRPC_NDR_NDR_NBT_H */ diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py index 26c2386847e..08be472e707 100644 --- a/python/samba/gp/gpclass.py 
+++ b/python/samba/gp/gpclass.py @@ -49,7 +49,7 @@ from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT, GP from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES from samba.dcerpc import security import samba.security -from samba.dcerpc import netlogon +from samba.dcerpc import nbt from datetime import datetime @@ -611,12 +611,6 @@ def get_dc_hostname(creds, lp): nbt.NBT_SERVER_DS)) return cldap_ret.pdc_dns_name -def get_dc_netbios_hostname(creds, lp): - net = Net(creds=creds, lp=lp) - cldap_ret = net.finddc(domain=lp.get('realm'), flags=(nbt.NBT_SERVER_LDAP | - nbt.NBT_SERVER_DS)) - return cldap_ret.pdc_name - """ Fetch a list of GUIDs for applicable GPOs """ 
@@ -787,24 +781,52 @@ def merge_with_system_token(token_1): # There are no claims in the system token, so it is safe not to merge the claims return token_1 + def site_dn_for_machine(samdb, dc_hostname, lp, creds, hostname): # [MS-GPOL] 3.2.5.1.4 Site Search - config_context = samdb.get_config_basedn() - try: - c = netlogon.netlogon("ncacn_np:%s[seal]" % dc_hostname, lp, creds) - site_name = c.netr_DsRGetSiteName(hostname) - return 'CN={},CN=Sites,{}'.format(site_name, config_context) - except WERRORError: - # Fallback to the old method found in ads_site_dn_for_machine - nb_hostname = get_dc_netbios_hostname(creds, lp) - res = samdb.search(config_context, ldb.SCOPE_SUBTREE, - "(cn=%s)" % nb_hostname, ['dn']) - if res.count != 1: - raise ldb.LdbError(ldb.ERR_NO_SUCH_OBJECT, - 'site_dn_for_machine: no result') - dn = res.msgs[0]['dn'] - site_dn = dn.parent().parent() - return site_dn + + # The netr_DsRGetSiteName() needs to run over local rpc, however we do not + # have the call implemented in our rpc_server. + # What netr_DsRGetSiteName() actually does is an ldap query to get + # the sitename, we can do the same. + + # NtVer=(NETLOGON_NT_VERSION_IP|NETLOGON_NT_VERSION_WITH_CLOSEST_SITE| + # NETLOGON_NT_VERSION_5EX) [0x20000014] + expr = "(&(DnsDomain=%s.)(User=%s)(NtVer=\\14\\00\\00\\20))" % ( + samdb.domain_dns_name(), + hostname) + res = samdb.search( + base='', + scope=ldb.SCOPE_BASE, + expression=expr, + attrs=["Netlogon"]) + if res.count != 1: + raise RuntimeError('site_dn_for_machine: No result') + + samlogon_response = ndr_unpack(nbt.netlogon_samlogon_response, + bytes(res.msgs[0]['Netlogon'][0])) + if samlogon_response.ntver not in [nbt.NETLOGON_NT_VERSION_5EX, + (nbt.NETLOGON_NT_VERSION_1 + | nbt.NETLOGON_NT_VERSION_5EX)]: + raise RuntimeError('site_dn_for_machine: Invalid NtVer in ' + + 'netlogon_samlogon_response') + + # We want NETLOGON_NT_VERSION_5EX out of the union! 
+ samlogon_response.ntver = nbt.NETLOGON_NT_VERSION_5EX + samlogon_response_ex = samlogon_response.data + + client_site = "Default-First-Site-Name" + if (samlogon_response_ex.client_site + and len(samlogon_response_ex.client_site) > 1): + client_site = samlogon_response_ex.client_site + + site_dn = samdb.get_config_basedn() + site_dn.add_child("CN=Sites") + site_dn.add_child("CN=%s" % (client_site)) + + return site_dn + + def get_gpo_list(dc_hostname, creds, lp, username): """Get the full list of GROUP_POLICY_OBJECTs for a given username. -- Samba Shared Repository
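Review bot: The search expression in the new site_dn_for_machine() formats `hostname` and `samdb.domain_dns_name()` straight into the LDAP filter, so a `(`, `)`, `*` or `\` in either value would alter the filter rather than be matched literally. Where `hostname` originates is outside this hunk, so this may not be reachable today, but escaping is cheap: pass `ldb.binary_encode(samdb.domain_dns_name())` and `ldb.binary_encode(hostname)` as the two format arguments. The same care applies on the way out, since `client_site` is taken from the unpacked response and placed into `"CN=%s" % (client_site)` with no DN escaping, so the returned DN relies on the server sending a plain site name. Separately, the no-result path now raises RuntimeError where the removed code raised ldb.LdbError, which matters to any caller that catches only the latter. A short comment on the silent fallback to "Default-First-Site-Name" would also help, because it decides which site-linked GPOs are applied.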