1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

496 Commits

Author SHA1 Message Date
Douglas Bagnall
b27dcb5bca samba.sites: improve grammar in an error message
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-12-24 04:09:29 +01:00
Douglas Bagnall
fa2c6685c9 samba-tool sites: use -H to set URL with standard handling
samba-tool sites was defaulting to the local database, but we might
want to use another URL. This allows that case while defaulting to
the old behaviour.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-12-24 04:09:29 +01:00
Douglas Bagnall
bb64abf954 sambatool sites: PEP8/flake8 improvements
We were nearly there, so lets make the jump. This involves removing
some unused variables.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-12-24 04:09:28 +01:00
Matthias Dieter Wallnöfer
8091f84fa4 s4:samba-tool domain raise tool - make it aware of newer domain function levels
http://msdn.microsoft.com/en-us/library/Cc223742.aspx

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date(master): Thu Dec 24 04:08:04 CET 2015 on sn-devel-144
2015-12-24 04:08:04 +01:00
Matthias Dieter Wallnöfer
33ed975398 s4:samba-tool domain raise tool - handle Windows 2000 mode AD domains correctly
Considering http://msdn.microsoft.com/en-us/library/cc220262.aspx they do not
provide any "msDS-Behavior-Version" attributes.

gulikoza <gulikoza@users.sourceforge.net> noticed this correctly.

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-12-24 00:58:33 +01:00
Andrew Bartlett
4807577d30 Fix bug 10881 Wrong keytab permissions when joining additional DC with BIND backend
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10881
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 15 11:47:21 CET 2015 on sn-devel-104
2015-12-15 11:47:21 +01:00
Andrew Bartlett
67b6346e73 python: Give a more helpful error message when we do not have an smb.conf
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-12-15 08:42:20 +01:00
Rowland Penny
fbcf1d2b0f samba-tool: user create examples show 'add' instead of 'create'
Signed-off-by: Rowland Penny <repenny241155@gmail.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-07 17:59:07 +01:00
Rowland Penny
4735e5f5e3 samba-tool: fsmo.py throws an uncaught exception if no
fSMORoleOwner attribute

This will fix bug 11613 where a user got the uncaught exception when trying
to seize an FSMO role that didn't have the required attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11613

Signed-off-by: Rowland Penny <repenny241155@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Sun Dec  6 00:33:10 CET 2015 on sn-devel-104
2015-12-06 00:33:10 +01:00
Uri Simchoni
22386dc396 samba-tool: replace use of os.popen
The netcmd/domain.py module uses os.popen() on user-supplied
parameters. This opens up the way to code injection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11601

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Mon Nov 23 22:19:34 CET 2015 on sn-devel-104
2015-11-23 22:19:34 +01:00
Rowland Penny
0111773310 samba-tool:provision: fix bug 11600
If you join a second DC after changing the name of
the 'Default Domain Policy' or 'Default Domain Controllers
Policy' the join will fail as the search is hardcoded to
these names, this fix changes the search to the objects name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11600

Signed-off-by: Rowland Penny <repenny241155@gmail.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Sat Nov 21 04:44:58 CET 2015 on sn-devel-104
2015-11-21 04:44:58 +01:00
Mathieu Parent
c315fce17e Fix various spelling errors
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov  6 13:43:45 CET 2015 on sn-devel-104
2015-11-06 13:43:45 +01:00
Douglas Bagnall
46ac3a5308 KCC: kcc.import_ldif doesn't need creds
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:16 +01:00
Douglas Bagnall
6f93ffaf0c KCC: remove NTDSConnection API methods that are never used
These are not used, and using them would not be considered Pythonic. The
flags they alter are always changed directly.

The similar set_modified() method IS used.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:16 +01:00
Douglas Bagnall
b93205ebe4 KCC: whitespace for pep8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:16 +01:00
Douglas Bagnall
1d5bb5996e KCC: fix pep8 line length in load_ip_transport()
You are right to sigh about this one.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:16 +01:00
Douglas Bagnall
ab63f1a983 KCC: Correct capitalisation of KCCError
previously we had "raise KccError", which of course would raise a
NameError.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:16 +01:00
Douglas Bagnall
e9f0799a18 KCC: raise KCCError, not Exception, in multiple places
"except Exception" lines will still catch them, but more fine-grained
control is possible.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:16 +01:00
Douglas Bagnall
26384192d5 KCC: NTDSConnection.load_connection() requires objectGUID
If there is no GUID, that is an error, so we raise an exception instead
of stepping around it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
8f5936261f KCC: remove debug print statements from intrasite and intersite
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
8fe9992cff KCC: load samdb before calling kcc.run()
kcc.run() is a mega-function that does nearly everything, including
loading the database. The --list-valid-dsas and --test-all-reps-from
tasks also want to load the database, but not do all that other run()
stuff, so it makes sense to pull it out. When the samdb has not been
loaded, run() will still load it -- this avoids having to change all
the tests.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
47b3334f48 KCC: load the object GUID with --import-ldif
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
30330b4df8 KCC: avoid logging alarming things about exected events
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
e442726c3d KCC: more debug info when --import-ldif goes badly
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
acd77283cc KCC: default to not loading new samdb when we already have one
This should make things simpler in the --import-ldif case.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
76f195a279 KCC: fix typo in error path
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
6f78ad2450 KCC: better explain our confusion in colour_vertices comment
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
310aa2f340 KCC: clarify debugging messages in bridgehead finding code
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
5f60c4bf33 KCC: keep track of IP transport for dsa.new_connection()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
059e2838c8 KCC: set system flags for new intrasite connections
These flags are mandatory for intrasite connections.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
704fd83bcf KCC: correctly use dsa.new_connection() system_flags argument
The dsa.system_flags attribute is important and gets saved in the
database, but was never getting altered because we were setting dsa.flags
instead.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Garming Sam
4bf95b6b32 KCC: Use detect_failed in create_connections
Without this, dead DCs were treated as live, and could be used in the
tree. If they're in the tree they can split the network.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
0f8f99f6af KCC: remove useless comments and simplify get_dsa_for_implied_replica()
These comments are a close reflection (or possibly copy/paste) of the
spec, but our code here no longer resembles the spec. We end up just
glazing over when we see comments and losing track of the flow of code.

If you want the spec just look at the spec.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
24ae662eae KCC: stop --forget-intersite-links forgetting local links
It will still forget intrasite links on other sites, but that in theory
should not matter.

It will still break your network, and is only useful for debugging.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
eec0d119ac KCC: simplify get_dsa_for_implied_replica(), using IP invariant
We only do IP transports. Therfore the long list of alternatives...

                   (not n_rep.is_domain() or
                    n_rep.is_partial() or
                    cn_conn.transport_dnstr is None or
                    cn_conn.transport_dnstr.find("CN=IP") == 0)

that ends with the equivalant of "is this IP?" always evaluates to True.

If we leave it there it will confuse people for ever.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
5bbcbe380b KCC: Share commit wrapper between forget_ntdsconn and intrasite
The wrapper is only to create DEBUG output in read-only mode --
normally it amounts to `dsa.commit_connections(self.samdb)`.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
03e352268a KCC: pull apart remove_unneeded_ntdsconn(), fixing intersite
The confusing big mess was hiding bugs. Firstly, intersite links on
non-intersite-topology-generators were not getting looked at. Secondly,
the logic around superseding intersite links was missing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Douglas Bagnall
472735f26c KCC: shift common is_generated() check out of branches
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-10-29 05:08:15 +01:00
Andrew Bartlett
55a13e17b3 samba-tool domain demote: Add support for removing by NTDS GUID
This would help remove a DC that is a conflict record, for example

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
e57dcddfe8 samba-tool domain demote: Add --verbose and --quiet options
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
642de9193f samba-tool domain demote: Remove dns-SERVER object as well
This object is not in standard AD, but Marc Muehlfeld
correctly notes that Samba creates it for BIND9_DLZ

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
145bb6fd7b samba-tool domain demote: Remove all references to the demoted host, even in DNS
We search the in-directory DNS records for entries that point to the
name or IP that the dead DC was using, and remove them

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
3226077627 pydns: Add replace_by_dn()
This allows us to find a DNS record by searching LDB and unpacking the dnsRecord
but replace the record using the common code that will create a tombstone

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
a3b92a50d1 samba-tool domain demote: Use dn.add_base/dn.add_child
This is done primarilly to set the pattern that we should manipulate ldb.Dn values
with the helper routines, not just by concatonation via format strings.

We also restrict our exception hadling to only the expected errors, not
all errors.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
00ffb67be2 samba-tool domain demote: Remove correct DNs and from the correct locations
The previous code missed the CN=DFSR-GlobalSettings children and did
not cope with subdomains.  The root DN may not be the domain DN if
we are a subdomain.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
27039a7b1c selftest: Add tests confirming the demote actually removes objects
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
e432c1b682 samba-tool domain demote: Refuse to remove ourself
This ensures that a different server is the one being demoted from the local database

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
097435cfd9 selftest: Run samba-tool domain demote while we have a clone of the DB handy
This avoids needing to run the demote on the main replicated DB
of the selftest system

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
1f88353713 samba-tool domain demote: Rework to allow cleanup of partial demotion, catch more errors
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Andrew Bartlett
8086900077 selftest: Make it clear that the first argument to KCC.run() is unused
This is unused because we have already provided a database via import_ldif

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00