lib/param: Create a seperate server role for "active directory domain controller"
This will allow us to detect from the smb.conf if this is a Samba4 AD DC which will allow smarter handling of (for example) accidentally starting smbd rather than samba. To cope with upgrades from existing Samba4 installs, 'domain controller' is a synonym of 'active directory domain controller' and new parameters 'classic primary domain controller' and 'classic backup domain controller' are added. Andrew Bartlett
@ -447,7 +447,7 @@ static NTSTATUS dodomain_referral(struct loadparm_context *lp_ctx,
|
||||
/* In the future this needs to be fetched from the ldb */
|
||||
uint32_t found_domain = 2;
|
||||
|
||||
if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
|
||||
if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
|
||||
DEBUG(10 ,("Received a domain referral request on a non DC\n"));
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
@ -529,7 +529,7 @@ static NTSTATUS dodc_referral(struct loadparm_context *lp_ctx,
|
||||
struct dfs_referral_type *referrals;
|
||||
const char *referral_str;
|
||||
|
||||
if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
|
||||
if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
@ -640,7 +640,7 @@ static NTSTATUS dosysvol_referral(struct loadparm_context *lp_ctx,
|
||||
NTSTATUS status;
|
||||
struct dfs_referral_type *referrals;
|
||||
|
||||
if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
|
||||
if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
|
@ -41,6 +41,7 @@ static const struct srv_role_tab {
|
||||
{ ROLE_DOMAIN_MEMBER, "ROLE_DOMAIN_MEMBER" },
|
||||
{ ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
|
||||
{ ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
|
||||
{ ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
|
||||
{ 0, NULL }
|
||||
};
|
||||
|
||||
@ -83,7 +84,7 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do
|
||||
break;
|
||||
case SEC_ADS:
|
||||
if (domain_logons) {
|
||||
role = ROLE_DOMAIN_CONTROLLER;
|
||||
role = ROLE_DOMAIN_BDC;
|
||||
break;
|
||||
}
|
||||
role = ROLE_DOMAIN_MEMBER;
|
||||
@ -158,6 +159,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
|
||||
|
||||
case ROLE_DOMAIN_PDC:
|
||||
case ROLE_DOMAIN_BDC:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
if (security == SEC_USER || security == SEC_ADS || security == SEC_DOMAIN) {
|
||||
valid = true;
|
||||
}
|
||||
|
@ -78,10 +78,11 @@ static const struct enum_list enum_server_role[] = {
|
||||
{ROLE_STANDALONE, "standalone"},
|
||||
{ROLE_DOMAIN_MEMBER, "member server"},
|
||||
{ROLE_DOMAIN_MEMBER, "member"},
|
||||
/* note that currently
|
||||
ROLE_DOMAIN_CONTROLLER == ROLE_DOMAIN_BDC */
|
||||
{ROLE_DOMAIN_CONTROLLER, "domain controller"},
|
||||
{ROLE_DOMAIN_CONTROLLER, "dc"},
|
||||
{ROLE_DOMAIN_PDC, "classic primary domain controller"},
|
||||
{ROLE_DOMAIN_BDC, "classic backup domain controller"},
|
||||
{ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
|
||||
{ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
|
||||
{ROLE_ACTIVE_DIRECTORY_DC, "dc"},
|
||||
{-1, NULL}
|
||||
};
|
||||
|
||||
|
@ -260,6 +260,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
|
||||
switch (lpcfg_server_role(lp_ctx)) {
|
||||
case ROLE_DOMAIN_BDC:
|
||||
case ROLE_DOMAIN_PDC:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
return lpcfg_workgroup(lp_ctx);
|
||||
default:
|
||||
return lpcfg_netbios_name(lp_ctx);
|
||||
|
@ -30,18 +30,14 @@ enum server_role {
|
||||
ROLE_DOMAIN_MEMBER = 1,
|
||||
ROLE_DOMAIN_BDC = 2,
|
||||
ROLE_DOMAIN_PDC = 3,
|
||||
|
||||
/* not in samr.idl */
|
||||
ROLE_ACTIVE_DIRECTORY_DC = 4,
|
||||
|
||||
/* To determine the role automatically, this is not a valid role */
|
||||
ROLE_AUTO = 100
|
||||
};
|
||||
|
||||
/* keep compatibility with the s4 'ROLE_DOMAIN_CONTROLLER' by mapping
|
||||
* it to ROLE_DOMAIN_BDC. The PDC/BDC split is really historical from
|
||||
* NT4 domains which were not multi-master, but even in AD there is
|
||||
* only one machine that has the PDC FSMO role in a domain.
|
||||
*/
|
||||
#define ROLE_DOMAIN_CONTROLLER ROLE_DOMAIN_BDC
|
||||
|
||||
/* security levels for 'security =' option
|
||||
|
||||
--------------
|
||||
|
@ -190,7 +190,7 @@ copy an IP address from one buffer to another
|
||||
Check to see if we are a DC for this domain
|
||||
*****************************************************************************/
|
||||
|
||||
#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC)
|
||||
#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
|
||||
|
||||
/*
|
||||
* If you add any entries to KERBEROS_VERIFY defines, please modify the below expressions
|
||||
|
@ -630,6 +630,7 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
|
||||
break;
|
||||
case ROLE_DOMAIN_BDC:
|
||||
case ROLE_DOMAIN_PDC:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind", NULL);
|
||||
break;
|
||||
}
|
||||
|
@ -341,7 +341,7 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
|
||||
}
|
||||
return NT_STATUS_OK;
|
||||
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
if (!is_local_name && !is_my_domain) {
|
||||
DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
|
||||
user_info->mapped.domain_name));
|
||||
|
@ -205,7 +205,7 @@ static void cldapd_task_init(struct task_server *task)
|
||||
task_server_terminate(task, "cldap_server: no CLDAP server required in member server configuration",
|
||||
false);
|
||||
return;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
/* Yes, we want an CLDAP server */
|
||||
break;
|
||||
}
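Review bot: `ROLE_DOMAIN_PDC` and `ROLE_DOMAIN_BDC` have no case in this switch after the rename, so unless a `default:` exists above the hunk, a classic-DC smb.conf would fall out of the switch and go on to start the CLDAP server. kdc_task_init and winbind_task_init in this same commit refuse those roles explicitly with `task_server_terminate(..., true)`; adding `case ROLE_DOMAIN_PDC:` / `case ROLE_DOMAIN_BDC:` with the same terminate-and-return here would keep an AD-only listener from starting under a role it was not meant for. The same applies to dns_task_init, kccsrv_task_init, dreplsrv_task_init, echo_task_init and ldapsrv_task_init. The switch begins outside the hunk, so the absence of a default is inferred.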
|
||||
|
@ -698,7 +698,7 @@ static void dns_task_init(struct task_server *task)
|
||||
case ROLE_DOMAIN_MEMBER:
|
||||
task_server_terminate(task, "dns: no DNS required in member server configuration", false);
|
||||
return;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
/* Yes, we want a DNS */
|
||||
break;
|
||||
}
|
||||
|
@ -594,7 +594,7 @@ static void dnsupdate_task_init(struct task_server *task)
|
||||
NTSTATUS status;
|
||||
struct dnsupdate_service *service;
|
||||
|
||||
if (lpcfg_server_role(task->lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
|
||||
if (lpcfg_server_role(task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
|
||||
/* not useful for non-DC */
|
||||
return;
|
||||
}
|
||||
|
@ -183,7 +183,7 @@ static void kccsrv_task_init(struct task_server *task)
|
||||
case ROLE_DOMAIN_MEMBER:
|
||||
task_server_terminate(task, "kccsrv: no KCC required in domain member configuration", false);
|
||||
return;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
/* Yes, we want a KCC */
|
||||
break;
|
||||
}
|
||||
|
@ -434,7 +434,7 @@ static void dreplsrv_task_init(struct task_server *task)
|
||||
task_server_terminate(task, "dreplsrv: no DSDB replication required in domain member configuration",
|
||||
false);
|
||||
return;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
/* Yes, we want DSDB replication */
|
||||
break;
|
||||
}
|
||||
|
@ -303,7 +303,7 @@ static void echo_task_init(struct task_server *task)
|
||||
task_server_terminate(task, "echo: Not starting echo server " \
|
||||
"for domain members", false);
|
||||
return;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
/* Yes, we want to run the echo server */
|
||||
break;
|
||||
}
|
||||
|
@ -871,7 +871,11 @@ static void kdc_task_init(struct task_server *task)
|
||||
case ROLE_DOMAIN_MEMBER:
|
||||
task_server_terminate(task, "kdc: no KDC required in member server configuration", false);
|
||||
return;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_DOMAIN_PDC:
|
||||
case ROLE_DOMAIN_BDC:
|
||||
task_server_terminate(task, "Cannot start KDC as a 'classic Samba' DC", true);
|
||||
return;
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
/* Yes, we want a KDC */
|
||||
break;
|
||||
}
|
||||
|
@ -907,7 +907,7 @@ static void ldapsrv_task_init(struct task_server *task)
|
||||
task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration",
|
||||
false);
|
||||
return;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
/* Yes, we want an LDAP server */
|
||||
break;
|
||||
}
|
||||
|
@ -54,7 +54,7 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot,
|
||||
|
||||
samctx = iface->nbtsrv->sam_ctx;
|
||||
|
||||
if (lpcfg_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_DOMAIN_CONTROLLER
|
||||
if (lpcfg_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC
|
||||
|| !samdb_is_pdc(samctx)) {
|
||||
DEBUG(2, ("Not a PDC, so not processing LOGON_PRIMARY_QUERY\n"));
|
||||
return;
|
||||
|
@ -289,7 +289,7 @@ void nbtd_register_names(struct nbtd_server *nbtsrv)
|
||||
aliases++;
|
||||
}
|
||||
|
||||
if (lpcfg_server_role(nbtsrv->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
|
||||
if (lpcfg_server_role(nbtsrv->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
|
||||
bool is_pdc = samdb_is_pdc(nbtsrv->sam_ctx);
|
||||
if (is_pdc) {
|
||||
nbtd_register_name(nbtsrv, lpcfg_workgroup(nbtsrv->task->lp_ctx),
|
||||
|
@ -157,7 +157,7 @@ static bool test_server_role_dc_specified(struct torture_context *tctx)
|
||||
{
|
||||
struct loadparm_context *lp_ctx = loadparm_init(tctx);
|
||||
torture_assert(tctx, lpcfg_set_option(lp_ctx, "server role=domain controller"), "lpcfg_set_option failed");
|
||||
torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_DOMAIN_CONTROLLER, "ROLE should be DC");
|
||||
torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_ACTIVE_DIRECTORY_DC, "ROLE should be DC");
|
||||
torture_assert_int_equal(tctx, lpcfg_security(lp_ctx), SEC_USER, "security should be USER");
|
||||
return true;
|
||||
}
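Review bot: Only the legacy spelling `server role=domain controller` is exercised here; the three values this commit introduces (`active directory domain controller`, `classic primary domain controller`, `classic backup domain controller`) have no assertion in the visible test changes. A sibling test per value, for example setting `server role=classic primary domain controller` and then `torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_DOMAIN_PDC, "ROLE should be classic PDC");`, would pin the new enum_server_role entries. The failure text "ROLE should be DC" could also say "AD DC" now that three DC roles exist.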
|
||||
|
@ -1269,7 +1269,7 @@ static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call,
|
||||
}
|
||||
}
|
||||
|
||||
if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
|
||||
if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
|
||||
return WERR_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
|
@ -75,7 +75,7 @@ uint32_t dcesrv_common_get_server_type(TALLOC_CTX *mem_ctx, struct tevent_contex
|
||||
case ROLE_DOMAIN_MEMBER:
|
||||
default_server_announce |= SV_TYPE_DOMAIN_MEMBER;
|
||||
break;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
{
|
||||
struct ldb_context *samctx;
|
||||
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
||||
|
@ -420,7 +420,7 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal
|
||||
case ROLE_DOMAIN_MEMBER:
|
||||
role = DS_ROLE_MEMBER_SERVER;
|
||||
break;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
if (samdb_is_pdc(state->sam_ldb)) {
|
||||
role = DS_ROLE_PRIMARY_DC;
|
||||
} else {
|
||||
@ -439,7 +439,7 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal
|
||||
W_ERROR_HAVE_NO_MEMORY(domain);
|
||||
/* TODO: what is with dns_domain and forest and guid? */
|
||||
break;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
flags = DS_ROLE_PRIMARY_DS_RUNNING;
|
||||
|
||||
if (state->mixed_domain == 1) {
|
||||
|
@ -500,7 +500,7 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state
|
||||
info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount",
|
||||
0);
|
||||
switch (state->role) {
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
/* This pulls the NetBIOS name from the
|
||||
cn=NTDS Settings,cn=<NETBIOS name of PDC>,....
|
||||
string */
|
||||
@ -511,8 +511,8 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state
|
||||
}
|
||||
break;
|
||||
case ROLE_DOMAIN_PDC:
|
||||
info->role = SAMR_ROLE_DOMAIN_PDC;
|
||||
break;
|
||||
case ROLE_DOMAIN_BDC:
|
||||
return NT_STATUS_INTERNAL_ERROR;
|
||||
case ROLE_DOMAIN_MEMBER:
|
||||
info->role = SAMR_ROLE_DOMAIN_MEMBER;
|
||||
break;
|
||||
@ -606,7 +606,7 @@ static NTSTATUS dcesrv_samr_info_DomInfo7(struct samr_domain_state *state,
|
||||
{
|
||||
|
||||
switch (state->role) {
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
/* This pulls the NetBIOS name from the
|
||||
cn=NTDS Settings,cn=<NETBIOS name of PDC>,....
|
||||
string */
|
||||
|
@ -532,7 +532,7 @@ def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
|
||||
if lp.get("server role").lower() != serverrole:
|
||||
raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole))
|
||||
|
||||
if serverrole == "domain controller":
|
||||
if serverrole == "active directory domain controller":
|
||||
if domain is None:
|
||||
# This will, for better or worse, default to 'WORKGROUP'
|
||||
domain = lp.get("workgroup")
|
||||
@ -658,7 +658,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
|
||||
lp.set("xattr_tdb:file", os.path.abspath(os.path.join(statedir, "xattr.tdb")))
|
||||
|
||||
shares = {}
|
||||
if serverrole == "domain controller":
|
||||
if serverrole == "active directory domain controller":
|
||||
shares["sysvol"] = os.path.join(lp.get("state directory"), "sysvol")
|
||||
shares["netlogon"] = os.path.join(shares["sysvol"], realm.lower(),
|
||||
"scripts")
|
||||
@ -1489,7 +1489,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
|
||||
dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
|
||||
next_rid=next_rid, dc_rid=dc_rid)
|
||||
|
||||
if serverrole == "domain controller":
|
||||
if serverrole == "active directory domain controller":
|
||||
# Set up group policies (domain policy and domain controller
|
||||
# policy)
|
||||
create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
|
||||
@ -1568,11 +1568,12 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
|
||||
_ROLES_MAP = {
|
||||
"ROLE_STANDALONE": "standalone",
|
||||
"ROLE_DOMAIN_MEMBER": "member server",
|
||||
"ROLE_DOMAIN_BDC": "domain controller",
|
||||
"ROLE_DOMAIN_PDC": "domain controller",
|
||||
"dc": "domain controller",
|
||||
"ROLE_DOMAIN_BDC": "active directory domain controller",
|
||||
"ROLE_DOMAIN_PDC": "active directory domain controller",
|
||||
"dc": "active directory domain controller",
|
||||
"member": "member server",
|
||||
"domain controller": "domain controller",
|
||||
"domain controller": "active directory domain controller",
|
||||
"active directory domain controller": "active directory domain controller",
|
||||
"member server": "member server",
|
||||
"standalone": "standalone",
|
||||
}
|
||||
@ -1584,7 +1585,7 @@ def sanitize_server_role(role):
|
||||
:param role: Server role
|
||||
:raise ValueError: If the role can not be interpreted
|
||||
:return: Sanitized server role (one of "member server",
|
||||
"domain controller", "standalone")
|
||||
"active directory domain controller", "standalone")
|
||||
"""
|
||||
try:
|
||||
return _ROLES_MAP[role]
|
||||
@ -1614,7 +1615,7 @@ def provision(logger, session_info, credentials, smbconf=None,
|
||||
try:
|
||||
serverrole = sanitize_server_role(serverrole)
|
||||
except ValueError:
|
||||
raise ProvisioningError('server role (%s) should be one of "domain controller", "member server", "standalone"' % serverrole)
|
||||
raise ProvisioningError('server role (%s) should be one of "active directory domain controller", "member server", "standalone"' % serverrole)
|
||||
|
||||
if ldapadminpass is None:
|
||||
# Make a new, random password between Samba and it's LDAP server
|
||||
@ -1735,7 +1736,7 @@ def provision(logger, session_info, credentials, smbconf=None,
|
||||
if paths.sysvol and not os.path.exists(paths.sysvol):
|
||||
os.makedirs(paths.sysvol, 0775)
|
||||
|
||||
if not use_ntvfs and serverrole == "domain controller":
|
||||
if not use_ntvfs and serverrole == "active directory domain controller":
|
||||
if paths.sysvol is None:
|
||||
raise MissingShareError("sysvol", paths.smbconf)
|
||||
|
||||
@ -1813,7 +1814,7 @@ def provision(logger, session_info, credentials, smbconf=None,
|
||||
serverrole=serverrole,
|
||||
schema=schema, fill=samdb_fill, am_rodc=am_rodc)
|
||||
|
||||
if serverrole == "domain controller":
|
||||
if serverrole == "active directory domain controller":
|
||||
if paths.netlogon is None:
|
||||
raise MissingShareError("netlogon", paths.smbconf)
|
||||
|
||||
@ -1848,7 +1849,7 @@ def provision(logger, session_info, credentials, smbconf=None,
|
||||
logger.info("A Kerberos configuration suitable for Samba 4 has been "
|
||||
"generated at %s", paths.krb5conf)
|
||||
|
||||
if serverrole == "domain controller":
|
||||
if serverrole == "active directory domain controller":
|
||||
create_dns_update_list(lp, logger, paths)
|
||||
|
||||
backend_result = provision_backend.post_setup()
|
||||
@ -1913,7 +1914,7 @@ def provision_become_dc(smbconf=None, targetdir=None,
|
||||
realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
|
||||
configdn=configdn, serverdn=serverdn, domain=domain,
|
||||
hostname=hostname, hostip=None, domainsid=domainsid,
|
||||
machinepass=machinepass, serverrole="domain controller",
|
||||
machinepass=machinepass, serverrole="active directory domain controller",
|
||||
sitename=sitename, dns_backend=dns_backend, dnspass=dnspass)
|
||||
res.lp.set("debuglevel", str(debuglevel))
|
||||
return res
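Review bot: `_ROLES_MAP` has no key for `ROLE_ACTIVE_DIRECTORY_DC`, although this commit adds that string to `srv_role_tab` on the C side, so `sanitize_server_role("ROLE_ACTIVE_DIRECTORY_DC")` would be rejected as uninterpretable. The map also sends `ROLE_DOMAIN_BDC` and `ROLE_DOMAIN_PDC` to "active directory domain controller", which contradicts their new meaning as classic roles and would provision an AD DC from a classic-DC role name. Suggest adding `"ROLE_ACTIVE_DIRECTORY_DC": "active directory domain controller",` and either dropping the two classic keys or rejecting them. Separately, guess_names compares `lp.get("server role").lower()` with the sanitized role; if lp returns the smb.conf spelling rather than the canonical one, an existing `server role = domain controller` file would fail that check, which is worth confirming.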
|
||||
|
@ -98,7 +98,7 @@ bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
|
||||
* on non-DCs
|
||||
*/
|
||||
|
||||
if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_DOMAIN_CONTROLLER) {
|
||||
if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
|
||||
signing_setting = SMB_SIGNING_REQUIRED;
|
||||
} else {
|
||||
signing_setting = SMB_SIGNING_OFF;
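Review bot: The ordered comparison `>= ROLE_ACTIVE_DIRECTORY_DC` depends on enum numbering that this commit changes: with the new value 4, `ROLE_DOMAIN_BDC` (2) and `ROLE_DOMAIN_PDC` (3) fall into the `SMB_SIGNING_OFF` branch, while `ROLE_AUTO` (100) lands in `SMB_SIGNING_REQUIRED`. The previous bound, `ROLE_DOMAIN_CONTROLLER`, was an alias for `ROLE_DOMAIN_BDC`, so both classic DC values used to get required signing. If signing should be mandatory on every DC role, test the roles by name, e.g. `role == ROLE_ACTIVE_DIRECTORY_DC || role == ROLE_DOMAIN_PDC || role == ROLE_DOMAIN_BDC`; if only the AD DC is meant, `==` states that without relying on ordering. smb2srv_negprot_backend has the identical test. Both functions extend beyond their hunks.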
|
||||
|
@ -136,7 +136,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
|
||||
* on non-DCs
|
||||
*/
|
||||
|
||||
if (lpcfg_server_role(lp_ctx) >= ROLE_DOMAIN_CONTROLLER) {
|
||||
if (lpcfg_server_role(lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
|
||||
signing_setting = SMB_SIGNING_REQUIRED;
|
||||
} else {
|
||||
signing_setting = SMB_SIGNING_OFF;
|
||||
|
@ -392,7 +392,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
|
||||
if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
|
||||
if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) {
|
||||
DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
|
||||
exit(1);
|
||||
|
@ -162,7 +162,7 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
|
||||
|
||||
if ((!cli_credentials_is_anonymous(state->domain->libnet_ctx->cred)) &&
|
||||
((lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_MEMBER) ||
|
||||
(lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER)) &&
|
||||
(lpcfg_server_role(service->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC)) &&
|
||||
(dom_sid_equal(state->domain->info->sid,
|
||||
state->service->primary_sid))) {
|
||||
state->domain->netlogon_binding->flags |= DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO;
|
||||
|
@ -264,8 +264,7 @@ static void winbind_task_init(struct task_server *task)
|
||||
return;
|
||||
}
|
||||
break;
|
||||
case ROLE_DOMAIN_CONTROLLER:
|
||||
case ROLE_DOMAIN_PDC:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
primary_sid = secrets_get_domain_sid(service,
|
||||
service->task->lp_ctx,
|
||||
lpcfg_workgroup(service->task->lp_ctx),
|
||||
@ -279,6 +278,10 @@ static void winbind_task_init(struct task_server *task)
|
||||
return;
|
||||
}
|
||||
break;
|
||||
case ROLE_DOMAIN_PDC:
|
||||
case ROLE_DOMAIN_BDC:
|
||||
task_server_terminate(task, "Cannot start 'samba' winbindd as a 'classic samba' DC: use winbindd instead", true);
|
||||
return;
|
||||
}
|
||||
service->primary_sid = primary_sid;
|
||||
|
||||
|