mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

3449 Commits

Author SHA1 Message Date
Jelmer Vernooij
ee281c61d0 Move option handling into samba.tests.subunitrun.
Change-Id: I65a73b74854af636413f4f284147f3bcf28b6f82
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
24035a6b3e Move option parsing to samba.tests.subunitrun.
Change-Id: I2939c1b6ebb9739530efa9bc4667668cff7a7aeb
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
ed4c07b34b subunitrun: Use new samba.tests.subunitrun module.
Change-Id: Ie32f16d72c80c831adfd9a8d32735fa348962123
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
5757c5071e speedtest: Create and run a single testsuite, should ease migration to regular Python unit tests.
Change-Id: Ib31eb26b8f6094a51cd4985b9ae98d018ae95c2d
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-19 18:30:07 +01:00
Jelmer Vernooij
fb39c6fb5e Move dnspython to third_party.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 12 22:40:53 CET 2014 on sn-devel-104
2014-11-12 22:40:53 +01:00
Jelmer Vernooij
bd6faaf56a Remove last instances of pep8 error E712 (use 'is' rather than '==' for booleans)
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change-Id: I43b394a6225b4c2049d979fda75548c82d781f67
2014-10-14 06:44:06 +02:00
Jelmer Vernooij
bbaa739bbd Remove remaining instance of pep8 E211 (too many spaces before operator).
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change-Id: I9af3bf582bba8fc1094addb12cd0a5ce04406b5b
2014-10-14 06:44:06 +02:00
Andrew Bartlett
85437d7426 samba_dnsupdate: Look for ForestDnsZones in the right place
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 27 22:09:29 CEST 2014 on sn-devel-104
2014-09-27 22:09:29 +02:00
Andreas Schneider
7982c373b0 testprogs: Use the system binaries for KRB5 if we don't build in-tree heimdal.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-09-01 15:47:33 +02:00
Stefan Metzmacher
f1544e8d1d s4:samba_dnsupdate: provide more substitution variables e.g. IF_RODC
This will make the dns_update_list more flexible.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9831

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:07 +02:00
Stefan Metzmacher
b13974048b s4:samba_dnsupdate: don't try to be smart when verifying NS records
We can't rely on the DNS delegation to be correct in the parent domain.
What we really want is to check if we already have registered ourself
as a NS record in our own domain.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9831

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:06 +02:00
Stefan Metzmacher
25ec8e8656 s4:samba_dnsupdate: cache the already registered records
This way we can delete records which are not used anymore.

E.g. if the ip address changed.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9831

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:06 +02:00
Stefan Metzmacher
6e853708de s4:samba_dnsupdate: fix dnsobj.__str__()
We should not implicitly use the global variable 'd'.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9831

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:06 +02:00
Stefan Metzmacher
c5088f338a s4:samba_dnsupdate: don't lower case the registered names
This matches Windows...

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9831

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:06 +02:00
Kamen Mazdrashki
9006198839 s4:samba_kcc: Use 'dburl' passed from command line rather than lp.samdb_url()
This patch makes '-H, --URL' param to actually work as expected

Change-Id: Ie7f4e9e3fc1f79a938473312e200f36de6886596
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-04-22 23:34:15 +02:00
Kamen Mazdrashki
1325e0af6a s4:samba_kcc: fix reference to DSA object while building partial replica list
Change-Id: I33209dfd42d8c3af8d80b862ba0022d15385311b
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-04-22 23:34:15 +02:00
Kamen Mazdrashki
b241aacc46 s4:samba_kcc: Fix error handling opening export ldif file
Change-Id: If52440272513ef244e33481476da0e884969153c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-04-22 23:34:15 +02:00
Kamen Mazdrashki
8b68f9b931 s4:KCC: Use dsdb.DS_DOMAIN_FUNCTION_2008 constant for DS-Behavior comparisons
DS_BEHAVIOR_WIN2008 was used so far which is a leftover from previous
KCC implementation in "C"

Change-Id: Id9b6551073c0b17cc27e086faa315b01305f39a5
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-04-22 23:34:15 +02:00
Andreas Schneider
2522bb8090 selftest: Rename WINBINDD_SOCKET_DIR environment variable.
It is very confusing if the env var uses the same name as the define in
the source code. So prefix it with SELFTEST.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Noel Power
32b35b8d92 script to generate content for libcli/util/nterr.c & libcli/util/ntstatus.h
A ropey script to generate some missing NT_STATUS error codes and
descriptions. The script generates ntstatus.c & ntstatus.h
whose contents are used to extend the existing contents of
libcli/util/nterr.c & libcli/util/ntstatus.h

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr  2 22:40:06 CEST 2014 on sn-devel-104
2014-04-02 22:40:06 +02:00
Noel Power
4f9dd94819 script to generate libcli/util/hresult.c & libcli/util/hresult.h
This hacky script was used to generate the contents of libcli/util/hresult.c
& libcli/util/hresult.h. It expects the table contents of
http://msdn.microsoft.com/en-us/library/cc704587.aspx cut'n'pasted into
the text file specified as its single required input param

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 20:25:07 +02:00
Garming Sam
cff0f8e75f samba-tool: make provision check for bind version
(small corrections and TODO added following Jelmer's review by abartlet)
Signed-off-by: Garming Sam <garming@catalyst.net.nz>

Change-Id: Iba9a709641dad9f2ae05df0b26ac4cd2ebfc84f0
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Mar  9 02:52:50 CET 2014 on sn-devel-104
2014-03-09 02:52:49 +01:00
Ricky Nance
0dc30b9fe8 samba_upgradedns: message the user if they need to change smb.conf
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jan  7 06:05:15 CET 2014 on sn-devel-104
2014-01-07 06:05:15 +01:00
Andrew Bartlett
af3138e9b6 samba-tool domain join subdomain: Rework sambadns.py to allow setup of DomainDNSZone only
This skips handling the ForestDNSZone when we are setting up a subdomain.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Oct 11 10:27:49 CEST 2013 on sn-devel-104
2013-10-11 10:27:49 +02:00
Andrew Bartlett
48b979c4fe provision: Remove --username and --password options from samba-tool domain provision
This avoids confusion, because the LDAP backend does not use these,
and they do not set the password for the administrator account either!

This may break support for the 'existing' backend LDAP backend, but
that is nothing more than a stub for future development anyway, and
new work in this area should use EXTERNAL in any case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-10-11 08:32:10 +02:00
Brian Martin
8fe1f405e9 samba_backup: fix bug, add command line parameter, improve error messages
Also remove .bak suffix from tdb/ldb backups for more consistent restore procedures

Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Oct  5 13:51:34 CEST 2013 on sn-devel-104
2013-10-05 13:51:34 +02:00
Andrew Bartlett
d19c437a36 scripting/samba_upgradedns: Tighten up exception and attribute list handling
This avoids asking for attributes that will not be used, and looks only for the
expected exceptions, rather than all exceptions.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2013-09-04 07:06:05 +02:00
Andrew Bartlett
b106d9090e scripting/join.py: Handle creating the dns-NAME account during a DC join
This will ensure that the DLZ plugin works out of the box when joining a second Samba DC to the
domain.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2013-09-04 07:06:05 +02:00
Stefan Metzmacher
9edc0276c7 s4:samba_upgradedns: don't pass linklocal=False to interface_ips_v6()
This is the default...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Bjoern Jacke <bj@sernet.de>
2013-08-30 15:35:34 +02:00
Matthieu Patou
2536ee8b64 Make the output of the crackname script more readable
Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul  3 23:17:57 CEST 2013 on sn-devel-104
2013-07-03 23:17:56 +02:00
Jean Raby
afd291b1de Avoid leaking temp file if an exception is raised
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr 11 06:06:03 CEST 2013 on sn-devel-104
2013-04-11 06:06:03 +02:00
Andrew Bartlett
30adf0cdba scripting: Fill the ProvisionNames hash with strings, not ldb.MessageElement or Dn
This avoids the need to fix it up again in samba_upgradedns.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 25 13:25:30 CET 2013 on sn-devel-104
2013-03-25 13:25:30 +01:00
Andrew Bartlett
9040e26841 scripting: Move get_diff_sds from samba.upgradehelpers to samba.descriptor
This helps avoid a dependency loop when we use get_diff_sds in dbcheck.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-25 10:33:37 +01:00
Andrew Bartlett
a113ddbf88 scripting: Modify samba.descriptor.get_wellknown_sds() use samdb calls only
We need this routine not to use the names context as this is tied to
provision, and we end up in a circular dependency if we use that in
dbcheck.

Andrew Bartlett
2013-03-25 10:32:34 +01:00
Andrew Bartlett
352aff8ed7 scripting: Move samba.provision.descriptor to samba.descriptor
This will allow dbcheck to import it, without a circular dependency via
samba.provision importing dbcheck.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-25 10:32:11 +01:00
Andrew Bartlett
e81a97dd6f scripting: Make samba.provision.descriptor.get_wellknown_sds() return ldb.Dn objects
As we look to use this function in more places, it does not make sense to constantly create
Dn objects from the strings.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-25 10:29:26 +01:00
Andrew Bartlett
3da89b01fa scripting: Move the list of well known SDs to samba.provision.descriptor
This will allow us to call this from dbcheck.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-25 10:27:58 +01:00
Andrew Bartlett
389197e7c3 scripting: No longer install samba_upgradeprovision
This tool is an important part of the toolkit a Samba Team member can
use to assist a user with the upgrade of a very old Samba 4.0 AD DC
installation.

However, like all powerful tools, it has sharp edges, and these need
to have more protection added before we recommend the tool be used.

The WHATSNEW already indicated that this tool should not be used but a
large number of users have run it, and due to lack of testing in the
past, some have run into bugs.

While this tool can be run in debug modes, by default it simply fixes
the database following a series of internal rules.  This does a good
job much of the time, but does not request permission in the way that
dbcheck does, and will create extra objects for things like the DNS
partitions.

By removing this from the installed binaries, we provide another
signal that it should not be used right now, until these matters are
fixed and some clear documentation on how to safely use the tool can
be written.

Andrew Bartlett

Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Mar 12 02:51:23 CET 2013 on sn-devel-104
2013-03-12 02:51:23 +01:00
Andrew Bartlett
d5d88bd82b samba_upgradeprovision: Do not reset every DN when changing an SD
SD propagation is handled by an LDB module, we do not need to touch each
and every DN to make it happen.

Now that we do not need to put this via a hash, the dnToRecalculate
list is changed to be a list of Dn objects, not strings so that:

if dn in listWellknown

is handled using a schema comparison (avoiding different case forms
tripping it up).

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04 08:33:57 +01:00
Andrew Bartlett
0f247dce00 samba_upgradeprovision: do not maintain dnNotToRecalculate as a list
We only need a boolean indication, not the actual values.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04 08:33:51 +01:00
Andrew Bartlett
9bc32bfd65 samba_upgradeprovision: only run rebuild_sd in --full mode
This is a potentially destructive routine, and should not be run by default.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04 08:33:41 +01:00
Andrew Bartlett
81cda856fa samba_upgradeprovision: Remove alwaysRecalculate, this is too dangerous
I am unclear on why this was added, but the idea that we ever always reset data
in the directory is not reasonable to me, so I am removing it.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04 08:33:33 +01:00
Andrew Bartlett
09b82d5fdc samba_upgradeprovision: Remove unused checkKeepAttributeOldMtd
lastProvisionUSNs is never None, instead the code requires the administrator to populate this
attribute in the directory.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04 08:33:26 +01:00
Andrew Bartlett
5074b98714 scripting: Rework samba.upgradehelpers.get_diff_sddls to be get_diff_sds
This moves the SDDL conversion inside the get_diff_sds function and prepares
for removing inherited ACEs from the SD before comparison.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04 08:33:08 +01:00
Andrew Bartlett
787a6aacc3 samba_upgradeprovision: Remove auto-detection of pre-alpha9 databases
These are incredibly rare, and administrators running such databases
not only ask the Samba Team for help personally, they can read --help.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04 08:33:04 +01:00
Landon Fuller
2cfbfa6337 Remove incomplete check for IPv6 link-local addresses.
This has been superseded by a check for link-local
addresses in get_interfaces()

Signed-Off-By: Landon Fuller <landonf@bikemonkey.org>
Reviewed-By: Richard Sharpe <realrichardsharpe@gmail.com>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Mar  2 08:38:54 CET 2013 on sn-devel-104
2013-03-02 08:38:54 +01:00
Jelmer Vernooij
87afc3aee1 Move python modules from source4/scripting/python/ to python/.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Mar  2 03:57:34 CET 2013 on sn-devel-104
2013-03-02 03:57:34 +01:00
Andrew Bartlett
2d13532cb3 build: Rename samba_python waf node to avoid duplicate name
This makes it clearer when debugging build issues.

Andrew Bartlett
2013-03-02 02:16:52 +01:00
Rusty Russell
2f4b21bb57 ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'
Since we open with dbwrap, it auto-converts old tdbs (which it will
rename to secrets.tdb.bak once it's done).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
2013-02-20 07:09:19 +01:00
Andrew Bartlett
2cf83f7c64 samba_upgradeprovision: Use tdb_util.tdb_copy not shutil.copy2
This is really important, because copying a file will both ignore
locks held by another process and break any locks we hold (due to
POSIX brain-damage regarding multiple fds on one file in a process).

By leaving this to tdbbackup in a child, both of these issues are avoided.

Andrew Bartlett

Reviewed-by: Matthieu Patou <mat@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb 19 07:48:18 CET 2013 on sn-devel-104
2013-02-19 07:48:18 +01:00
Andrew Bartlett
3c51e18a0c samba_upgradeprovision: Do not update privileges.ldb any more (unchanged since 2009)
This update was only a total obliteration of the existing database
and not a merge, and the shutil.copy would both disregard and break
locks on the database that are held at this point.

Andrew Bartlett

Reviewed-by: Matthieu Patou <mat@samba.org>
2013-02-19 06:08:19 +01:00
Andrew Bartlett
396df64ef6 scripting: Make tdb_copy a common util function in samba.tdb_util
This will allow samba_upgradeprovision to also call it.

Andrew Bartlett

Reviewed-by: Matthieu Patou <mat@samba.org>
2013-02-19 06:08:19 +01:00
Andrew Bartlett
2c2759e408 scripting: Make tdb_copy use the python subprocess module
This makes the code more robust to spaces in the file names (etc).

Andrew Bartlett

Reviewed-by: Matthieu Patou <mat@samba.org>
2013-02-19 06:08:19 +01:00
Andrew Bartlett
06780ae822 samba_upgradeprovision: Remove options to fix FS ACLs
samba-tool ntacl sysvolreset handles this better, and makes this tool
much less confusing internally.

Andrew Bartlett

Reviewed-by: Matthieu Patou <mat@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb 19 06:06:41 CET 2013 on sn-devel-104
2013-02-19 06:06:40 +01:00
Stefan Metzmacher
dc6c40b193 samba-tool/domain provision: add support for utf-8 passwords for --adminpass
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Feb  4 18:54:32 CET 2013 on sn-devel-104
2013-02-04 18:54:32 +01:00
Stefan Metzmacher
2e7bc87fa5 samba-tool/user setpassword: fix help message
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-04 17:14:22 +01:00
Stefan Metzmacher
d60be8167b s4:scripting/python: add support for utf-8 passwords from the command line
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-04 17:14:22 +01:00
Christian Ambach
a133a989c3 selftest: add a test that demonstrates how new ACL blob code helps
this test shows that a change to POSIX ACL->SD mapping behavior does not invalidate the stored SD

Signed-off-by: Christian Ambach <ambi@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-02-04 12:19:30 +01:00
Stefan Metzmacher
58d6d884cf samba_upgradeprovision: detect dns_backend for the reference provision
If we have a DomainDnsZone partition, we use BIND9_DLZ as backend
and fix errors in the ForestDnsZone and DomainDnsZone partitions.
Note: this should work fine also for SAMBA_INTERNAL.

If the current setup doesn't use dns specific partitions (e.g. alpha13 setups)
we pass dns_backend=BIND9_FLATFILE.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:22 +11:00
Stefan Metzmacher
b855df254d provision: setup names.dns_backend
If we have a DomainDnsZone partition:
 - we use BIND9_DLZ as backend if a dns-<netbiosname> account is available
 - otherwise, we use SAMBA_INTERNAL
else:
 - we use BIND9_FLATFILE if a dns or dns-<netbiosname> account is available
 - otherwise, we use NONE

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:22 +11:00
Stefan Metzmacher
4752731c2e samba_upgradeprovision: fix the nTSecurityDescriptor on more containers (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
5cf98823cc provision: fix nTSecurityDescriptor of containers in the DnsZones (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
a477649e56 provision: fix nTSecurityDescriptor attributes of CN=*,${CONFIGDN} (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
1de5c2f785 provision: fix nTSecurityDescriptor of CN={LostAndFound,System},${DOMAINDN} (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
4775f9ab34 provision: setup names.name_map['DnsAdmins']
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
e0712a70f5 provision: introduce names.name_map = {}
This will be used to translate names in SDDL values,
which are not wellknown, e.g. 'DnsAdmins'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
ebb73f1c5d provision: add get_dns_{forest,domain}_microsoft_dns_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
d00fb6aff2 provision: add get_config_ntds_quotas_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
1207cbd123 provision: add get_{config,domain}_delete_protected*_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
8880c2d0d3 schema.py: add optional name_map={} to get_schema_descriptor()
This is not used, but makes the prototype compatible with the
other get_*_descriptor() functions.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
27a99c6236 provision: add optional name_map={} argument to get_*_descriptor()
This will allow substituting non-wellknown names in the SDDL,
e.g. 'DnsAdmins'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:21 +11:00
Stefan Metzmacher
d4653e99b8 provision: import/export get_dns_partition_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:20 +11:00
Stefan Metzmacher
b54b58e75d provision: setup names.dns{forest,domain}dn
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:20 +11:00
Stefan Metzmacher
f51248339a samba_upgradeprovision: fix resetting of 'nTSecurityDescriptor' on schema objects
Without this schema_data_modify() will reject updates to schema objects
by default.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:20 +11:00
Stefan Metzmacher
b5cafa3b84 samba_upgradeprovision: don't reset 'whenCreated' when resetting 'nTSecurityDescriptor'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:20 +11:00
Stefan Metzmacher
ec466aa356 dbchecker: fix nTSecurityDescriptor values from before 4.0.0rc6 (bug #9481)
They inherited effective ACE for the wrong object classes.

For SACL ACEs the problem was also present in 4.0.0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27 20:14:20 +11:00
Matthieu Patou
0a4a4ba3f6 devel-script: add options for RODC and partial replica for replicate flags
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jan 22 00:12:17 CET 2013 on sn-devel-104
2013-01-22 00:12:17 +01:00
Matthieu Patou
fa591a6d3c devel-scripts: ask with WRIT_REP by default
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 22:31:20 +01:00
Matthieu Patou
0755b835cc devel-getncchange: try to find the dest_dsa automatically
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 22:31:20 +01:00
Matthieu Patou
3b79774197 dbcheck: look in hasMasterNCs as well for determining the instance type of a NC
Forests of level 2000 don't have the msDS-hasMasterNCs parameter

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21 22:31:19 +01:00
Andrew Bartlett
edbc26bca8 scripting/samba_upgradedns: Only look for IPv4/IPv6 addresses if we actually them
This allows the script to be used to create/remove the samba-specific dns-SERVER account
when we do not need to create the in-directory partition.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 10 20:56:50 CET 2013 on sn-devel-104
2013-01-10 20:56:50 +01:00
Andrew Bartlett
051a1a9c64 samba-tool classicupgrade: Do not print the admin password during upgrade
This changes the code to only set and show a new password if no admin
user is found during the upgrade.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 10 16:55:23 CET 2013 on sn-devel-104
2013-01-10 16:55:23 +01:00
Andrew Bartlett
99d872ee92 s4-dbcheck: Allow forcing an override of an old @MODULES record
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-10 14:52:45 +01:00
Björn Baumbach
4d1fd0b7da samba_dnsupdate: set KRB5_CONFIG for nsupdate command
Let nslookup use krb5.conf, which is set in our KRB5_CONFIG.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-09 09:11:20 +01:00
Andrew Bartlett
eae01b0d3d samba-tool Add --service argument to samba-tool ntacl get/set
This also ensures a VFS connect is done to the correct service.

Andrew Bartlett

Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan  8 03:39:21 CET 2013 on sn-devel-104
2013-01-08 03:39:20 +01:00
Andrew Bartlett
cef5f466af pysmbd: Change to keyword based arguments
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-01-07 16:23:24 -08:00
Andrew Bartlett
4741cda956 scripting-provision: Set sysvol ACLs on the sysvol share
This allows us to correctly load any modules that have been specified
by the smb.conf for [sysvol] and issue a VFS connect operation which
may be required by some VFS modules.

Andrew Bartlett

Reviewed-by: Jeremy Allison <jra@samba.org>
2013-01-07 16:20:51 -08:00
Andrew Bartlett
0533905c5d scripting-ntacls: Optionally allow the service to be specified.
Providing a service allows a VFS connect to be issued on the correct
service, and so ensures that the correct modules are loaded rather
than just what is specified in [globals].

Andrew Bartlett

Reviewed-by: Jeremy Allison <jra@samba.org>
2013-01-07 16:19:43 -08:00
Stefan Metzmacher
257ae54436 s4:scripting/python: always treat the highwatermark as opaque (bug #9508)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-01 19:28:06 +01:00
Stefan Metzmacher
914a61d9e5 s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Dec 11 07:05:39 CET 2012 on sn-devel-104
2012-12-11 07:05:39 +01:00
Stefan Metzmacher
8eb359c23c s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-11 05:20:32 +01:00
Stefan Metzmacher
19b03834f0 s4:provision: set the correct nTSecurityDescriptor on CN=Computers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-11 05:04:48 +01:00
Stefan Metzmacher
e1301fef73 s4:provision: set the correct nTSecurityDescriptor on CN=Builtin,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-11 05:04:44 +01:00
Stefan Metzmacher
ebb0a88722 s4:provision: set the correct nTSecurityDescriptor on CN=Infrastructure,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-11 05:02:03 +01:00
Stefan Metzmacher
999c068113 s4:provision: set the correct nTSecurityDescriptor on CN=Sites,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-11 04:56:39 +01:00
Stefan Metzmacher
649fb5b614 s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-11 04:56:07 +01:00
Ricky Nance
b4ae73f58c samba-tool processes: Make the output a bit neater
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Sat Dec  8 03:34:29 CET 2012 on sn-devel-104
2012-12-08 03:34:29 +01:00
Andrew Bartlett
631654ae11 scripting: Handle missing LDAP entries in samba-tool domain classicupgrade
Reported-by: Thomas Simmons <twsnnva@gmail.com>
2012-12-06 13:28:46 +11:00
Stefan Metzmacher
6f71071381 s4:python/ntacl: add 'as_sddl' option to dsacl2fsacl()
This allows the caller to ask for a security.descriptor instead of sddl
by passing 'as_sddl=False'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:46 +01:00
Stefan Metzmacher
06f026368e s4:python/ntacl: allow string or objects for sd/sid in setntacl()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:46 +01:00
Stefan Metzmacher
d48d0c5bbf s4:samba-tool/gpo: fix the operation order when creating gpos
We should do it like the windows GUI.

1. create the LDAP objects
2. query the security_descriptor of the groupPolicyContainer
3. create the gPCFileSysPath via smb
4. set the security_descriptor of gPCFileSysPath
5. copy the files and directories into gPCFileSysPath
6. modify the groupPolicyContainer and link gPCFileSysPath

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:45 +01:00
Stefan Metzmacher
dde7eb0d82 s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gpos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:45 +01:00
Stefan Metzmacher
a1a525e2a9 s4:samba-tool/gpo: use the dns_domain from the server when creating gpos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-03 08:46:25 +01:00
Stefan Metzmacher
4136d969ca s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd
The sd_flags:1:15 control together with an empty security_descriptor
has the same effect as the recalculate_sd:0 control (which is samba only).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:20 +01:00
Stefan Metzmacher
118db4ca11 s4:provision: add get_empty_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:20 +01:00
Michael Adam
4970d3cacb s4:tests/samba_tool/gpo.py: fix accidental line break
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-11-30 17:17:19 +01:00
Stefan Metzmacher
a581242080 s4:tests/samba_tool/gpo.py: add test_show_as_admin()
This calls samba-tool gpo show as admin (which should be able to
see the full nTSecurityDescriptor).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:19 +01:00
Stefan Metzmacher
325e921908 s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:19 +01:00
Stefan Metzmacher
67799962b8 s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:19 +01:00
Stefan Metzmacher
6bffad67d2 s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:19 +01:00
Stefan Metzmacher
f843c04b0f s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30 17:17:19 +01:00
Jelmer Vernooij
0d9bdcf834 web_server: Load SWAT if it is available.
Reviewed-by: Matthieu Patou <mat@matws.net>

Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Fri Nov 23 01:39:38 CET 2012 on sn-devel-104
2012-11-23 01:39:38 +01:00
Jelmer Vernooij
831a9f8f6d s4/web_server: Fix typo in URL.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Thu Nov 22 01:37:02 CET 2012 on sn-devel-104
2012-11-22 01:37:02 +01:00
Kai Blin
10b6cceb1f samba-tool dns: Don't use "localhost" to connect to local host
Calling "samba-tool dns <cmd> localhost" provokes a stacktrace.

This just makes 'samba-tool dns <cmd> localhost' work and doesn't fix
the underlying issue, but I don't see it causing any harm (unless you
don't have an ipv4 localhost, I guess).

Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Nov 16 13:18:14 CET 2012 on sn-devel-104
2012-11-16 13:18:14 +01:00
Arvid Requate
ace0909b88 s4:samba-tool: Fix samba-tool fsmo --role=schema
Fix traceback:
samba-tool fsmo --role=schema --force
ERROR(<type 'exceptions.TypeError'>): uncaught exception - argument 2 must be string, not ldb.Dn
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 160, in run
    self.seize_role(role, samdb, force)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 119, in seize_role
    m.dn = ldb.Dn(samdb, self.schema_dn)

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 16 00:40:24 CET 2012 on sn-devel-104
2012-11-16 00:40:24 +01:00
Andrew Bartlett
256391c0fa samba-tool: Add new samba-tool gpo aclcheck and test
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-16 08:59:00 +11:00
Andrew Bartlett
a390a5878d scripting ntacls: Do not place a SACL in the GPO filesystem ACL
On a new GPO created on windows, the SACL is not used.

Andrew Bartlett

Reviewed by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 14 00:34:50 CET 2012 on sn-devel-104
2012-11-14 00:34:50 +01:00
Andrew Bartlett
d6c7e9b1ed smbd: Remove NT4 compatibility handling in posix -> NT ACL conversion
NT4 is long dead, and we should not change which ACL we return based
on what we think the client is.  The reason we should not do this, is
that if we are using vfs_acl_xattr then the hash will break if we do.
Additionally, it would require that the python VFS interface set the
global remote_arch to fake up being a modern client.

This instead seems cleaner and removes untested code (the tests are
updated to then handle the results of the modern codepath).

The supporting 'acl compatibility' parameter is also removed.

Andrew Bartlett

Reviewed by: Jeremy Allison <jra@samba.org>
2012-11-13 22:48:19 +01:00
Stefan Metzmacher
11f5d54cbb s4:samba-tool/testparm: report a CommandError if loading of the config file fails
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-13 22:14:14 +11:00
Andrew Bartlett
095c7627df selftest: Add --tmpdir to 'samba-tool gpo create' test
This was the cause of the flakey test, and was only noticed when
multiple different users ran autobuild at the same time on the same
server.

We use shutil.rmtree to wipe the directory before the test finishes
as required by the TestCaseInTempDir class.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Nov 13 10:50:56 CET 2012 on sn-devel-104
2012-11-13 10:50:56 +01:00
Andrew Bartlett
4d6d6e446c selftest: Avoid returning errors (rather than failures) in gpo test
This should help find the real cause of the flakey test, if it ever returns.

Andrew Bartlett

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-13 00:00:25 +01:00
Andrew Bartlett
94649e46b4 selftest: Avoid test cross-contamination in samba.tests.posixacl
This creates a new xattr.tdb per unit test, which avoids once and for all
the issue of dev/inode reuse.

For test_setposixacl_dir_getntacl_smbd the file ownership is also set specifically.

Andrew Bartlett

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-12 09:39:54 +11:00
Andrew Bartlett
1d81e52bba selftest: Add tests for expected behaviour on directories as well as files
This is important because it covers the codepath which had the talloc
error fixed by commit 60cf4cb5a6
(vfs_acl_common: In add_directory_inheritable_components allocate on
psd as parent)

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Nov 11 15:48:10 CET 2012 on sn-devel-104
2012-11-11 15:48:10 +01:00
Andrew Bartlett
a6a01552ef pysmbd: Add SMB_ACL_EXECUTE to the mask set by make_simple_acl()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 00:05:12 +11:00
Andrew Bartlett
312f8ddae2 selftest: Make samba.tests.ntacl also use TestCaseInTempDir
This follows on from the successful conversion of samba.tests.posixacl.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 00:05:12 +11:00
Andrew Bartlett
b4d8629f51 samba-tool: Rework ldap attribute fetch in classicupgrade for missing attributes
It is not required that these additional attributes be filled in, so
catch KeyError in both the nsswitch and ldap backend case.

We rework get_posix_attr_from_ldap_backend() so it raises KeyError
rather than trying to return None, and does not ignore other errors.

Andrew Bartlett

Tested-by: Chirana Gheorghita Eugeniu Theodor <office@adaptcom.ro>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-11-12 00:05:08 +11:00
Karolin Seeger
76fa5ee5d4 samba-tool: Fix typo in --help output.
Signed-off-by: Karolin Seeger <kseeger@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Nov  9 11:04:50 CET 2012 on sn-devel-104
2012-11-09 11:04:50 +01:00
Andrew Bartlett
ab30a8bf0f provision: Make dsacl2fsacl() take a security.dom_sid, not str
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov  6 00:12:43 CET 2012 on sn-devel-104
2012-11-06 00:12:43 +01:00
Andrew Bartlett
033451587d provision: Also walk directories checking ACLs
The directory walk was missed due to a cut-and-paste error.

Andrew Bartlett

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06 08:27:44 +11:00
Andrew Bartlett
0b7bb774ce selftest: check that samba-tool gpo works for basic operations
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06 08:27:44 +11:00
Andrew Tridgell
538dd046f1 samba-tool: "drs options" does not need a samdb connection
this gives us a handy pure RPC client test for use in blackbox testing

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2012-11-01 15:40:41 +11:00
Andrew Bartlett
42c379f0df samba-tool: Add samba-tool processes subcommand
This will allow administrators to inspect the process list in a
similar way to what running on a platform with setproctitle might
permit.

--pid= returns the registered server names for a PID (eg kdc, cldap_server)
--name= returns the pids registered with a particular name.

Andrew Bartlett
2012-10-31 08:13:56 +11:00
Andrew Bartlett
a732f2a621 pymessaging: Add irpc_servers_byname() and irpc_all_servers()
This will allow python scripts to inspect the process list.

Andrew Bartlett
2012-10-31 08:13:56 +11:00
Andrew Bartlett
76b7348299 pymessaging: Use the server_id IDL structure rather than a tuple
This will make it easier to pass this structure in and out.  The tuple is still
accepted as input.

Andrew Bartlett
2012-10-31 08:13:56 +11:00
Jelmer Vernooij
8d397b69bb TestCaseInTempDir: Use addCleanup rather than tearDown. 2012-10-27 05:16:19 -08:00
Andrew Bartlett
3180a1082a selftest: use TestCaseInTempDir and setUp/tearDown for posixacl.py temp file
This manages the temp file more reliably, and reduces the repeated
code in each test case.

Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Oct 27 04:37:58 CEST 2012 on sn-devel-104
2012-10-27 04:37:58 +02:00
Andrew Bartlett
7e90a06443 provision: Fix comments in checksysvolacl 2012-10-27 11:55:08 +11:00
Andrew Bartlett
e107c6ace7 pysmbd: Add hook for unlink() so python scripts can remove xattr.tdb entries
If we do not provide a way to remove files from xattr.tdb, we can re-use the inode.

Andrew Bartlett
2012-10-26 17:26:20 +11:00
Andrew Bartlett
a2d53262e8 python-ntacls: Cope with ACL revision 4
This is the new revision with the hash of the posix or system ACL.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 25 15:04:39 CEST 2012 on sn-devel-104
2012-10-25 15:04:39 +02:00
Andrew Bartlett
1008f6fbf4 selftest: Always unlink the tempf in posixacl test 2012-10-25 22:18:50 +11:00
Andrew Bartlett
117d5f4c37 selftest: Cover the important non-Samba invalidation of the NT ACL
This covers the case where we have a valid hash of the posix ACL (or the NT ACL from the
POSIX ACL) and we notice it no longer matches.

Andrew Bartlett
2012-10-25 22:18:50 +11:00
Andrew Bartlett
53244c9151 selftest: Cover one more NT ACL invalidation case and improve comments
This tries to show the difference between the cases where we trap
the POSIX ACL change and where we actually detect an OS-level change.

Andrew Bartlett
2012-10-25 20:24:36 +11:00
Andrew Bartlett
e9b6b23fbd selftest: Add many more tests for our posix ACL handling
This tests the mapping of posix ACLs to NT ACLs, the invalidation of
NT ACLs stored as an xattr and ensures this security-critical code
continues to work in the long term.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 25 10:05:16 CEST 2012 on sn-devel-104
2012-10-25 10:05:16 +02:00
Jelmer Vernooij
13bbd3b3b1 pyglue: Make all_interfaces argument to interface_ips() optional.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Sun Oct 21 21:26:01 CEST 2012 on sn-devel-104
2012-10-21 21:26:01 +02:00
Jelmer Vernooij
f67c0a28cf pyglue: Mention parameters in interface_ips() docstring. 2012-10-21 10:42:40 -07:00
Jelmer Vernooij
e3a48bb5f6 samba-tool user test: Fix expected output.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Fri Oct 19 11:37:44 CEST 2012 on sn-devel-104
2012-10-19 11:37:44 +02:00
Jelmer Vernooij
364ed82d22 samba.tests.docs: Ignore removed parameters. 2012-10-19 09:21:01 +02:00
Jelmer Vernooij
ed37b8ad14 samba.tests.docs: Assume docs are generated by waf. 2012-10-19 09:16:55 +02:00
Jelmer Vernooij
cfa72bcc5e samba.tests.docs: Write error output from xsltproc to standard out. 2012-10-19 09:10:14 +02:00
Jelmer Vernooij
8412b57f5c samba.tests.docs: Skip tests if xsltproc is not present. 2012-10-19 09:10:14 +02:00
Jelmer Vernooij
2a31f0b509 smb.conf(5): Consistent spelling of parameter names.
This includes spacing and casing.
2012-10-19 09:10:14 +02:00
Jelmer Vernooij
32fad2b910 samba.tests.docs: Support spaces before synonyms. 2012-10-19 09:10:14 +02:00
Jelmer Vernooij
be4dea45da samba.tests.docs: Support synonyms. 2012-10-19 09:10:14 +02:00
Jelmer Vernooij
d0e644e0c8 samba.tests.docs: Distinguish between unknown and undocumented parameters. 2012-10-19 09:10:14 +02:00
Jelmer Vernooij
d2f8fe855d tests: Convert find_missing_doc into a unit test. 2012-10-19 09:10:13 +02:00
Jelmer Vernooij
d09f151638 samba-tool user: Fix typos, improve messages. 2012-10-18 22:34:29 +02:00
Alexander Wuerstlein
64886e312f Warn when setting UID/GID without idmap_ldb:use rfc2307 = Yes
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 18 09:51:35 CEST 2012 on sn-devel-104
2012-10-18 09:51:35 +02:00
Alexander Wuerstlein
071047e895 Tests for 'samba-tool user create' with RFC2307 attributes
Check if attributes are correctly set and read from SamDB
Test automatic creation of attributes from getpwent (NSS)
Check if overriding NSS attributes works

getpwent will be skipped if the current UID of the user running the
tests has no passwd entry (getpwuid(geteuid())).

If a user with the name of the current UID already exists in the
directory, the getpwent test will fail. If that should happen, the
test would need to be updated to use a nonexistent UID that is
visible to the Python 'pwd' module.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-10-18 17:10:58 +11:00
Alexander Wuerstlein
bfdaaf2327 Set RFC2307 attributes in samba-tool create
Optionally set RFC2307 (NIS Schema) attributes in samba-tool create.
Mainly needed for UID mapping to be usable.
Not all attributes are set-able, only harmless and non-overlapping
ones (uid, uidNumber, gidNumber, loginShell, gecos). Description and
homeDirectory should already be set, userPassword seems problematic.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-10-18 17:10:58 +11:00
Andrew Bartlett
9eb022c8c6 provision: No longer use the wheel group in new AD Domains
The issue here is that if we set S-1-5-32-544 (administrators) to a
GID only, then users cannot force a mandatory profile to be owned by
administrators (which is a requirement).

There is no particularly useful reason for us to enforce this matching
a system group.

Andrew Bartlett
2012-10-18 17:10:58 +11:00
Ricky Nance
d09ac9636a Removed phpldapadmin inclusion for Samba 4.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 17 12:55:44 CEST 2012 on sn-devel-104
2012-10-17 12:55:44 +02:00
Stefan Metzmacher
266b4c5963 Revert "provision: Always create DNS user."
This reverts commit c2d14747d6.

samba_upgradedns handles creating/removing the dns account.

See
https://lists.samba.org/archive/samba-technical/2012-October/thread.html#87578

metze
2012-10-16 08:38:25 +02:00
Jelmer Vernooij
21b58b5eac samba.join: Fix multiple spaces.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Thu Oct 11 20:30:43 CEST 2012 on sn-devel-104
2012-10-11 20:30:43 +02:00
Jelmer Vernooij
2adf27a99b samba.provision.sambadns: Use == to compare strings, not 'is'. 2012-10-11 18:50:40 +02:00
Jelmer Vernooij
c2d14747d6 provision: Always create DNS user.
The DNS user is currently only used by the bind9 plugin. This makes it
easier to later on switch between the builtin DNS server and bind
backend.

In addition, ideally the internal DNS server would use that (separate)
user too.

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Thu Oct 11 17:05:40 CEST 2012 on sn-devel-104
2012-10-11 17:05:40 +02:00
Karolin Seeger
f9a4a9bfe1 samba-tool: Some more unifications...
in the usage message.

Karolin
2012-10-09 17:12:07 +02:00
Andrew Bartlett
2f0753b456 samba-tool: skip chown in sysvolreset when it would fail on a GID
This skips the chown of the files if (for example) the domain Admins group
were to own the file and not be able to because the group maps only to a GID.

This essentially papers over the problem, but may be enough to get us past
the Samba 4.0 release.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct  9 15:24:44 CEST 2012 on sn-devel-104
2012-10-09 15:24:44 +02:00
Stefan Metzmacher
8746faf846 s4:scripting/python: add '-V' as alias for '--version'
metze

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Oct  8 17:52:52 CEST 2012 on sn-devel-104
2012-10-08 17:52:52 +02:00
Stefan Metzmacher
309434a773 s4:samba-tool: allow 'samba-tool --version'
metze
2012-10-08 16:13:06 +02:00
Stefan Metzmacher
2fce71c89a s4:samba-tool: use normal option parsing in SuperCommand
We use the epilog to print the subcommands.

metze
2012-10-08 16:13:06 +02:00
Stefan Metzmacher
8d4943dcf9 s4:samba-tool: add optional epilog to _create_parser()
metze
2012-10-08 16:13:06 +02:00
Karolin Seeger
acea51cc37 samba-tool: Unify usage messages.
Karolin

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Oct  8 14:26:52 CEST 2012 on sn-devel-104
2012-10-08 14:26:51 +02:00
Karolin Seeger
a2f3ec0577 samba-tool: Clarify usage of --help.
Karolin
2012-10-08 11:47:22 +02:00
Karolin Seeger
171bf9827b samba-tool: Fix typo in usage.
Karolin
2012-10-08 11:14:42 +02:00
Matthieu Patou
95ea6d765b s4-join: factorize code, add info 2012-10-07 22:11:47 -07:00
Matthieu Patou
d57e0d8a6d s4-join: add some documentation 2012-10-07 22:11:47 -07:00
Matthieu Patou
e332f98909 devel-crackname: Print if count > 0 2012-10-07 21:51:01 -07:00
Björn Baumbach
9a6f648122 s4: samba_backup: Fix typos.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-10-03 16:26:53 +02:00
Jelmer Vernooij
df23b17fa9 provision: Use logger rather than print.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Oct  3 14:24:09 CEST 2012 on sn-devel-104
2012-10-03 14:24:09 +02:00
Matthieu Patou
c1677e3b2f s4-provision: do not skip setting the acls on sysvol
Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Wed Oct  3 10:26:06 CEST 2012 on sn-devel-104
2012-10-03 10:26:06 +02:00
Kai Blin
81805222ec s4 dns: Fix return code for deleted records
This fixes bug #9225. We already had a test for this scenario, but the test wasn't
correct. This patch fixes the test, and also fixes the bug.

Signed-off-by: Kai Blin <kai@samba.org>

Autobuild-User(master): Kai Blin <kai@samba.org>
Autobuild-Date(master): Sun Sep 30 13:09:14 CEST 2012 on sn-devel-104
2012-09-30 13:09:14 +02:00
Jelmer Vernooij
0883e174bf samba.upgradehelpers: Use standard functionality for getting temp dir. 2012-09-27 18:45:12 +02:00
Jelmer Vernooij
2a797f29aa s4-python: Various formatting fixes.
* Trailing whitespace
* use of "==" where "is" should be used
* double spaces
2012-09-27 18:45:12 +02:00
Jelmer Vernooij
6986f7bdda samba.tests.source: Check for trailing whitespace in Python files. 2012-09-27 18:45:12 +02:00
Ricky Nance
ee0012de1a samba-tool domain provision: DNS forwarder default
Provision would break with an exception if there was no value given for the DNS forwarder, this simply sets a default to "none".

Signed-off-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Thu Sep 27 04:35:33 CEST 2012 on sn-devel-104
2012-09-27 04:35:33 +02:00
Jelmer Vernooij
c5e83ee9a5 samba-tool: Hide 'samba-tool domain samba3upgrade'.
This subcommand is provided for backwards compatibility only; new use of
it should be discouraged. Its new name is 'samba-tool domain
classicupgrade'.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9047
2012-09-26 07:58:31 +02:00
Andrew Bartlett
3c4d0ce469 samba_dnsupdate: Safely update/create names for Samba3 targets as well
This avoids unlocked writes to the dns_hosts_file, and may fix some of our
issues on the build farm where large numbers of tests fail due to failed name resolution.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 26 05:48:25 CEST 2012 on sn-devel-104
2012-09-26 05:48:25 +02:00
Andrew Bartlett
6d7c651f2f samba_dnsupdate: Move to using tmpfile/rename to keep the dns_hosts_file consistent
This may be the cause of some of the large failure modes on the build farm.

Andrew Bartlett
2012-09-26 04:08:26 +02:00
Jelmer Vernooij
fa332b71dc s4-python: Override SIGINT handler in scripts only.
Override the SIGINT handler in a few select cases only, rather than
doing so in one of the samba Python modules. I've done this where it
matters most; we can add this code to other scripts too if necessary.

This means that importing the 'samba' module from a third party
application does not have side-effects on the state of the signal
handlers.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9068
2012-09-25 20:59:09 +02:00
Jelmer Vernooij
f44ad36718 samba-tool domain provision: DNS forwarder is not a boolean.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Tue Sep 25 00:48:43 CEST 2012 on sn-devel-104
2012-09-25 00:48:42 +02:00
Jelmer Vernooij
fd8d4ec347 replace: Support setproctitle().
This uses the setproctitle() from libc, libsetproctitle or libbsd.
If none is available it provides a dummy implementation.
2012-09-24 23:06:07 +02:00
Jelmer Vernooij
6641d76562 samba-tool domain-provision: Avoid python2.5-isms. 2012-09-24 23:06:07 +02:00
Jelmer Vernooij
61ce3e871a samba-tool domain-provision: Fix docstring. 2012-09-24 23:06:07 +02:00
Stefan Metzmacher
cb157e19cb s4:dns.py: reproducer for (bug #9184)
metze

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Sep 22 06:08:05 CEST 2012 on sn-devel-104
2012-09-22 06:08:04 +02:00
Daniele Dario
48e6da64fd Correct command help message
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 20 16:55:17 CEST 2012 on sn-devel-104
2012-09-20 16:55:17 +02:00
Jelmer Vernooij
c0d4f2462f s4-python: Formatting fixes, break lines.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Sun Sep 16 15:58:04 CEST 2012 on sn-devel-104
2012-09-16 15:58:04 +02:00
Jelmer Vernooij
0ff2ea56d9 samba.netcmd: Formatting fixes, break lines. 2012-09-16 14:20:11 +02:00
Jelmer Vernooij
ebcb6a7447 samba.provision.common: Fix formatting. 2012-09-16 14:20:11 +02:00
Jelmer Vernooij
cd7dcf4571 samba.provision.sambadns: Fix formatting. 2012-09-16 14:20:11 +02:00
Jelmer Vernooij
858135920d samba.provision.backend: Fix formatting. 2012-09-16 14:20:11 +02:00
Jelmer Vernooij
fdb873a203 samba.provision: Fix formatting, NameErrors. 2012-09-16 14:20:11 +02:00
Kai Blin
fee75752fb s4 provision: Ask for the dns forwarder IP address during interactive provision
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-09-12 16:51:29 +02:00
Stefan Metzmacher
c4aef88b32 s4:samba_upgradedns: delete dns-HOSTNAME account if using the internal dns server
metze
2012-09-12 16:51:29 +02:00
Stefan Metzmacher
0c55510a0d s4:upgradehelpers.py: don't require a dns-$HOSTNAME account
metze
2012-09-12 16:51:29 +02:00
Stefan Metzmacher
50084e5732 s4:provision: don't add the dns-HOSTNAME account if we use the internal dns server
metze
2012-09-12 16:51:29 +02:00
Kai Blin
56058ea597 s4 dns: use the internal DNS server per default 2012-09-12 16:51:29 +02:00
Kai Blin
76801b502d s4 dns: Run python tests in fl2003dc env 2012-09-12 16:51:29 +02:00
Stefan Metzmacher
2c4255084a s4:scripting: rename upgradeprovision -> samba_upgradeprovision
metze
2012-09-12 07:07:27 +02:00
Andrew Bartlett
ac804f0d7f smbd-posix_acls: Use a IDL union to store the ACL entry
This is a clearer, long-term-stable structure we can hash without
risking it changing.

Andrew Bartlett
2012-09-12 05:26:16 +02:00
Andrew Bartlett
6fbce905db provision: Only give the "no posix ACLs" exception if we could not set the SD
This will allow us to run make test on all platforms again, as we emulate the posix ACLs using the fake_acls
module.  By then testing smbd.have_posix_acls() we gain a more specific error message.

Andrew Bartlett
2012-09-11 16:25:36 +02:00
Stefan Metzmacher
318770a67f s4:scripting: install samba_kcc to SBINDIR
It's used as "%s/samba_kcc", dyn_SCRIPTSBINDIR" similar
to samba_spnupdate and samba_dnsupdate.

metze
2012-09-11 08:35:56 +02:00
Stefan Metzmacher
15c793fa34 s4:scripting: use the 'sbin_files' variable
metze
2012-09-11 08:35:56 +02:00
Stefan Metzmacher
a4fc79f8fc s4:samba-tool: add 'samba-tool domain provision'
This is mostly a copy of the standalone source4/setup/provision.

metze
2012-09-11 08:35:49 +02:00
Stefan Metzmacher
ca3f285390 s4:python/netcmd: give the Command implementations access to the raw arguments
metze
2012-09-11 08:23:56 +02:00
Stefan Metzmacher
7f98cf1698 s4:samba-tool: remove unused code in testparm.py
metze
2012-09-11 08:23:56 +02:00
Stefan Metzmacher
475755ef9f s4:samba-tool: allow sys.exit(ret) to control the exit code
Some subcommands may use sys.exit(0), which shouldn't be reported
as an error to the caller.

metze
2012-09-11 08:23:55 +02:00
Andrew Bartlett
0d99175f2a join.py: Only replicate DNS zones if the source DC had DNS zones
This avoids folks needing to specify --dns-backend=NONE

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  6 04:48:55 CEST 2012 on sn-devel-104
2012-09-06 04:48:55 +02:00
Andrew Bartlett
7b86c18f38 selftest: Add python blackbox tests for samba-tool ntacl get/set
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep  5 15:47:55 CEST 2012 on sn-devel-104
2012-09-05 15:47:55 +02:00
Andrew Bartlett
f9cee8d832 samba_tool: Improve samba-tool ntacl get/set to use the local sam.ldb SID
This gets the SID for the local machine correctly.

We also add options for --use-ntvfs and --use-s3fs to help control
exactly which database is being read and written.

Andrew Bartlett
2012-09-05 14:12:20 +02:00
Andrew Bartlett
7b5ba30138 samba_tool: Fix ntacl get to correctly output in sddl 2012-09-05 14:12:19 +02:00
Andrew Bartlett
c19208e93c s4-provision: Fix error message to contain the string SDDL of the failed-to-match ACL 2012-09-05 14:12:19 +02:00
Andrew Bartlett
4437547afa s4-selftest: Try a more complex ACL - this example from a GPO
Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep  4 11:30:17 CEST 2012 on sn-devel-104
2012-09-04 11:30:17 +02:00
Andrew Bartlett
97a1f8d20b s4-selftest: Try to make ntacl unit tests better match their names
We are trying to test combinations of setting and getting via the VFS
and directly to the underlying DB.

Andrew Bartlett
2012-09-04 09:52:23 +02:00
Andrew Bartlett
30253c11cc s4-samba-tool: Ensure we also sync the SACL as well as the DACL during sysvolreset 2012-09-04 09:52:23 +02:00
Andrew Bartlett
9983ad7a80 s3-passdb: Rename pdb_samba4 to samba_dsdb and autoconfigure when we are an AD DC
The name samba_dsdb is not ideal, but it matches the primary ldb
module we use, and more importantly it avoids having '4' in the name.
We should slowly avoid using the term samba4 in long-term places like
the smb.conf because it is confusing to users given we are shipping
Samba 4.0 as an AD DC as well as all the other supported roles (domain
member/standalone server/classic DC)

Additionally, samba4 will be an odd name when we eventually release
Samba 5.0!

samba4 remains accepted as an alias to ensure existing smb.conf files
load, but to allow changes here in the future, we set the value during
the smb.conf load, and not during the provision when we are an AD DC.

This simplifies the default smb.conf for the vast majority of our
users and reduces the number of things listed in smb.conf files that
we later have to work around if we wish to change the
name/implementation of the passdb glue module again.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep  4 04:45:16 CEST 2012 on sn-devel-104
2012-09-04 04:45:16 +02:00
Andrew Bartlett
2dd0e7141f s4-classicupgrade: Show more clearly what is wrong with the Administrator SID 2012-09-03 19:24:10 +10:00
Andrew Bartlett
9e441c4ed9 s3-classicupgrade: Fix import from ldap
We must not reference result before provision(), and do not need
session_info and lp for reading a normal ldap backend anyway.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug 28 09:49:39 CEST 2012 on sn-devel-104
2012-08-28 09:49:39 +02:00
Andrew Bartlett
444c9ffad7 s4-classicupgrade: Do the setting of the sysvol ACLs last, after idmap is configured
This will allow files to be correctly owned by the idmap that is imported.

This appears to fix an issue that came up after s3fs-compatible ACLs were
merged into provision.

Andrew Bartlett
2012-08-28 07:57:30 +10:00
Andrew Bartlett
5aa9a6c936 s3-passdb: Allow reload of the static passdb from python
This is then used in provision when the passdb backend is forced.

Andrew Bartlett
2012-08-28 07:57:30 +10:00
Andrew Bartlett
8c205395c6 s4-dsdb: Add secrets_tdb_sync - an ldb module to keep secrets.tdb in sync
secrets_tdb_sync is a new ldb module designed to sync secrets.ldb
entries with the secrets.tdb file.

While not ideal to keep two copies of this data, this routine will
assist in allowing the samba-tool domain join code to operate
correctly in most cases where winbindd and smbd are used.

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Andrew Bartlett
d5b9972215 s4-classicupgrade: Read WINS DB before the provision
2012-08-28 07:57:29 +10:00
Andrew Bartlett
85f1c4fdfd s4-classicupgrade: Do all the queries of data before the provision()
This allows provision to change the s3 smb.conf settings if required.

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Andrew Bartlett
738f4ac058 s4-classicupgrade: Use s3param.get_context() instead of result.lp
We should not need the guessed values here, but by changing to using the s3 loadparm context
we can move this block to before the provision.

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Andrew Bartlett
123ee7f9b5 s4-selftest: Add test for samba-tool ntacl sysvolcheck
2012-08-23 15:02:26 +02:00
Andrew Bartlett
ebcdc4a36b s4-samba-tool: Add samba-tool ntacl sysvolcheck command
This command verifies that the current on-disk ACLs match the directory and
the defaults from provision.

Unlike sysvolreset, this does not change any of the permissions.

Andrew Bartlett
2012-08-23 15:02:26 +02:00
Andrew Bartlett
0aed29105e s3-smbd: Add security_info_wanted argument to get_nt_acl_no_snum
I need to get at the owner, group, DACL and SACL when testing correct
ACL storage.

Andrew Bartlett
2012-08-23 15:02:26 +02:00
Andrew Bartlett
7cf50b9f30 s4-selftest: Add testing of samba-tool ntacl sysvolreset
2012-08-23 15:02:26 +02:00
Andrew Bartlett
7e7ed72bbe s4-provision: Fix internal documentation
2012-08-23 15:02:26 +02:00
Andrew Bartlett
51e3547426 s3-pysmbd: Allow a mode to be specified for the simple ACL
The additional group for the ACL is now optional.

Andrew Bartlett
2012-08-23 15:02:26 +02:00
Andrew Bartlett
8f909199c4 s4-samba-tool: Add 'samba-tool ntacl sysvolreset' tool
This will reset the NT ACL on the sysvol share to the default from
provision, with GPO objects matching the LDAP ACL (as required).

Andrew Bartlett
2012-08-23 15:02:26 +02:00
Andrew Bartlett
4fe344ef05 selftest: Cope with the multiple possible representations of -1 in posixacl.py
2012-08-23 15:02:26 +02:00
Andrew Bartlett
bd00c92865 selftest: Extend posixacl test to check the actual ACL
Needing to be able to write this test is the primary reason I have
been reworking the VFS and posix ACL layer over the past few weeks.
By exposing the POSIX ACL as an IDL object we can easily manipulate it
in python, and then verify that the ACL was handled correctly.

This ensures that when we write an ACL in provision, it will
indeed allow that access at the FS layer.

We need to extend this beyond just the critical two ACLs set during
provision, to also include some special (hard) cases involving the
merging of ACE entries, as this is the most delicate part of the ACL
transformation.

A similar test should also be written to read the posix ACL and the
mapped NT ACL on a file that has never had an NT ACL set.

Andrew Bartlett
2012-08-23 15:02:26 +02:00
Andrew Bartlett
318b8cb4fa selftest: Add a test of the NT ACL -> posix ACL mapping layer
This is the start of what will be a series of tests confirming exactly how
some NT ACLs are mapped to posix ACLs.

Andrew Bartlett
2012-08-23 15:02:26 +02:00
Andrew Bartlett
b1825c6421 s4-scripting: Redefine getntacl() as accessing via the smbd VFS or directly
This allows us to write tests that compare the smbd vfs with what is
in the DB or xattr.

Andrew Bartlett
2012-08-23 15:02:26 +02:00
Andrew Bartlett
a778662da8 s4-provision: set POSIX ACLs for use with the smbd file server (s3fs)
This handles the fact that smbd will rarely override the POSIX ACL enforced by
the kernel.  This has caused issues with the creation of group policies by
other members of the Domain Admins group.

Andrew Bartlett
2012-08-23 15:02:26 +02:00
Andrew Bartlett
a58ac39a5a s4-upgradeprovision: Use ntvfs in reference provision
We do not need filesystem ACLs set when creating the reference provision, so it is
easier to use the NTVFS backend as it does not cause trouble with make test.

Andrew Bartlett
2012-08-23 15:02:25 +02:00
Andrew Bartlett
97b13799ce s4-classicupgrade: Add --use-ntvfs option
This is an odd option, but is needed because I wish to add assertions about
ACL setting that will not work in make test without the vfs_fake_acls module
loaded.

Andrew Bartlett
2012-08-22 01:31:57 +02:00
Andrew Bartlett
b5c2747cad s4-provision: pass use_ntvfs from C wrappers and set to true in tests/vampire
None of these cases need the complexity of the s3fs backend.

Andrew Bartlett
2012-08-22 01:31:57 +02:00
Volker Lendecke
f3b69da2ae s3-libsmb: Add a simple test for python bindings
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Aug 16 22:49:06 CEST 2012 on sn-devel-104
2012-08-16 22:49:06 +02:00
Andrew Bartlett
f9b9433b75 s4-selftest: Fix test name for samba.tests.dcerpc.bare
2012-08-15 16:28:03 +02:00