1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1290 Commits

Author SHA1 Message Date
Joe Guo
cf85785377 selftest: enable py3 for samba.tests.posixacl
Fix bytes and str issue.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-05 08:59:09 +02:00
Joe Guo
fe9e62935c samba3: work around bytes formatting for Python 3.4
b'%s\x00' % key

The above % formatting for bytes is only available since Python 3.5,
however we need to support Python 3.4 so far.

Work around this with `+`.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-05 08:59:09 +02:00
Noel Power
2d593c27fd get make test TESTS=samba.tests.provision to work
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-05 08:59:09 +02:00
Noel Power
22d563b13e selftest python: get samba.tests.s3idmapdb to run with py3
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-05 08:59:09 +02:00
Noel Power
1734655bf8 python selftest: enabled samba.tests.s3registry to run with py3
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-05 08:59:08 +02:00
Noel Power
8caa2cd48a python selftest: enable samba.tests.s3passdb to run with python3
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-05 08:59:08 +02:00
Noel Power
e4779b0da3 python selftest: enable samba.tests.s3param to run with python3
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-05 08:59:08 +02:00
Noel Power
7ad012d411 python selftest: split samba3 test into separate tests
This patch splits the tests contained in samba3.py into separate
tests s3idmapdb.py, s3param.py, s3passdb.py, s3registry.py, s3windb.py
This allows test of associated python c-modules to be done independently.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-05 08:59:08 +02:00
David Mulder
e29a75e74a Add tests for dckeytab python module
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-23 07:28:26 +01:00
David Mulder
6a7cdad3e7 Add python tests for samba.gpo module
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-23 07:28:26 +01:00
Joe Guo
bb88292cee tests/dcerpc/misc.GUID: improve tests
1. Merge tests for different formats into a for loop, make it easy to
read and extend.
2. Add test for invalid formats.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-23 07:28:25 +01:00
Douglas Bagnall
f6db12e236 tests/dcerpc/misc.GUID: test that long-form py3 bytes works
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-23 07:28:25 +01:00
Noel Power
cd5a4519b1 samba python tests: Ensure GUIDTests cover all input formats
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-23 07:28:25 +01:00
Noel Power
0fa93f5fe9 s4/selftest: Add simple python netbios test python2 only for the moment
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-23 07:28:25 +01:00
Noel Power
9c251740b4 samba python libs: convert print func to be py2/py3 compatible
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-23 07:28:23 +01:00
Noel Power
aacbe1b65c samba-tool: convert print func to be py2/py3 compatible
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-23 07:28:23 +01:00
Noel Power
708abbf306 samba python tests: convert print func to be py2/py3 compatible
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-23 07:28:23 +01:00
Björn Baumbach
9312a1cdaf samba-tool visualize: fix python2.6 incompatibility
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13337

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Mar 21 09:25:51 CET 2018 on sn-devel-144
2018-03-21 09:25:51 +01:00
Douglas Bagnall
bddf66c460 samba-tool ldapcmp: remove duplicate takes_optiongroups attribute
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-21 04:36:22 +01:00
Garming Sam
79b640f84e tests/samba_dnsupdate: Add a trivial test of automatic site coverage
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-21 04:36:22 +01:00
Garming Sam
b71f897b4f tests/kcc_util: Add unit tests for automatic site coverage
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-21 04:36:22 +01:00
Garming Sam
ecf503ce76 kcc_utils: Use lower name in automatic sites covered
This allows easier testing, as well as some consistency in the DNS
record creation.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-21 04:36:22 +01:00
Garming Sam
f342d7e025 kcc_utils: Prevent multiple sites attached to a sitelink covering a site
This avoids trivial duplicates in a similar manner as mentioned in:

https://blogs.technet.microsoft.com/askds/2011/04/29/sites-sites-everywhere/

It prefers the largest sites then the earliest alphabetically, so that
only a single site ever covers an uncovered site (within a site link).
Note that this isn't applicable over multiple site links (like Windows
presumably) and is only a simple mechanism to avoid excessive
registering.  DCs within the site will also still register for each.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-21 04:36:22 +01:00
Garming Sam
96340e1ad2 kcc_utils: Keep a count of the DCs in each site
This is useful for ranking which sites are preferable within the same
site link.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-21 04:36:22 +01:00
Garming Sam
32a5431987 kcc_utils: Add a routine for automatic site coverage
This allows double-coverage if two links exist with the same cost.
Administrators should only connect an DC-less site via a single site
link.

This also allows unnecessary coverage by all sites in the adjoining site
link (to be resolved in the later patches).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-21 04:36:21 +01:00
Garming Sam
245e179340 join.py: Add missing NTSTATUSError import
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-21 04:36:21 +01:00
Stefan Metzmacher
6a0fe7b038 samba-tool: allow sid strings for 'group {add,remove}members'
This makes it possible to add foreign SIDS as group members.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:51 +01:00
Stefan Metzmacher
799c9d1ce3 tests/dsdb.py: test creation of foreignSecurityPrincipal via 'attr: <SID=...>'
[MS-ADTS] 3.1.1.5.2.3 Special Classes and Attributes claims:

  FPO-enabled attributes:
   member, msDS-MembersForAzRole, msDS-NeverRevealGroup,
   msDS-NonMembers, msDS-RevealOnDemandGroup, msDS-ServiceAccount.

'msDS-NonMembers' always generates NOT_SUPPORTED.

'msDS-ServiceAccount' is not defined in any schema
(only msDS-HostServiceAccount).

'msDS-HostServiceAccount' is not an FPO-enabled attribute
and behaves as the 'manager' attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:50 +01:00
Stefan Metzmacher
856504ca26 tests/dsdb.py: verify that foreignSecurityPrincipal objects require the provision control
Windows rejects creating foreignSecurityPrincipal objects directly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:50 +01:00
Stefan Metzmacher
470044bee8 provision: use the provision control when adding foreignSecurityPrincipals
The next commits will require this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:50 +01:00
Stefan Metzmacher
b040d3289d tests/dsdb.py: prove the difference between linked and non-linked DN references
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13307

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:50 +01:00
Jonathan Hunter
f092ac5b6e Update help text for dbcheck
Update the help text for dbcheck, to make its behaviour clear (in
particular with reference to the difference between specifying "--yes"
on the command line, and answering "yes"/"all" to each individual
question)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 19 12:39:12 CET 2018 on sn-devel-144
2018-03-19 12:39:12 +01:00
Björn Baumbach
a27db0b61e ms_schema: fix python2.6 incompatibility
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13337

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-16 09:46:16 +01:00
Gary Lockyer
7b8f540b8d selftest: Change name to sam.ldb to align with new partition module assumptions
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-06 23:30:26 +01:00
Gary Lockyer
bca8ac0296 remove_dc.py: Abort transaction before throwing an exception
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-05 20:50:15 +01:00
Douglas Bagnall
ffcc3671cc tests/smbcontrol: reduce ping test false positive rate
The ping test was failing when a transient ldap_server process died
between the time it was listed and the time it was pinged. We stop
treating that as failure.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar  5 01:33:46 CET 2018 on sn-devel-144
2018-03-05 01:33:46 +01:00
Garming Sam
ea3a80e669 domain.py: Give some advice if the schema upgrade command fails
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Noel Power
0de23d27d6 samba python tests: convert 'except X, (tuple)' to 'except X as e'
In addition to converting the except line another line is also added
for each except to extract the tuple contents.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-28 23:01:40 +01:00
Noel Power
52729d3549 samba-tool: convert 'except X, (tuple)' to 'except X as e'
In addition to converting the except line another line is also added
for each except to extract the tuple contents.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-28 23:01:40 +01:00
Noel Power
91a5941f17 samba python libs: convert 'except X, (tuple)' to 'except X as e'
In addition to converting the except line another line is also added
for each except to extract the tuple contents.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-28 23:01:40 +01:00
Noel Power
efad273122 python tests: convert oct 'O1234' format to python3 compatible '0o1234'
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-28 23:01:40 +01:00
Noel Power
15c72e0dd8 samba python libs: convert 'O1234' format to python3 compatible '0o1234'
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-28 23:01:40 +01:00
Noel Power
f531c951b7 samba-tool: convert octal 'O1234' format to python3 compatible '0o1234'
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-28 23:01:39 +01:00
Rowland Penny
c9888d4f6f samba-tool: user setexpiry: Fix incorrect Example2
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Feb 27 20:31:39 CET 2018 on sn-devel-144
2018-02-27 20:31:39 +01:00
Douglas Bagnall
4a3954aded tests/blackbox/smbcontrol: ping tests names ping target upon failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-24 18:20:14 +01:00
Douglas Bagnall
be96147e69 text/python/blackbox: allow optional message in ProcessError
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-24 18:20:14 +01:00
Andreas Schneider
6368af8260 tests: Authenticate again so make sure we are not locked out
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-24 10:54:07 +01:00
Garming Sam
5c625eae3f tests/py_creds: Add a SamLogonEx test with an empty string domain
This test passes against 4.6, but failed against 4.7.5 and master.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-22 23:15:16 +01:00
Stefan Metzmacher
65e8edb382 tests:dcerpc/raw_protocol: reproduce call_id truncation bug
We need to make sure the server handles call_id values > UINT16_MAX.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13289

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:19 +01:00
Stefan Metzmacher
b02de5ad3e provision: fix the 'dnsdomain' for the local sam of a domain member
A member has a local AD database, which should not use the 'dnsdomain'
as the one on domain controllers.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13285

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
1a258b6b0f traffic_packets.py: let Lookup{Sids,Names}() work against a sane server
In order to resolve predefined sids or names we need to use
level = LSA_LOOKUP_NAMES_ALL (1).

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13284

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Garming Sam
7b45dc6841 subnet: Avoid a segfault when renaming subnet objects
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-19 19:17:12 +01:00
Douglas Bagnall
28134d002b samba python tests: convert 'except X, e' to 'except X as e'
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:30 +01:00
Douglas Bagnall
4885937bf8 samba python libs: convert 'except X, e' to 'except X as e'
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:30 +01:00
Douglas Bagnall
a485ac3243 samba-tool: convert 'except X, e' to 'except X as e' for all X
This is needed for Python 3 and is compatible with python 2.6

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:30 +01:00
Andrew Bartlett
278ac39384 selftest: Avoid a build started around midnight failing (again)
This case most likely relates to Daylight Saving changes creating
a 23 hour day.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-15 00:18:29 +01:00
Douglas Bagnall
ed15a452e7 samba-tool drs showrepl: add --json option for JSON output
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:29 +01:00
Douglas Bagnall
90d0c638ef samba-tool drs showrepl: restructure in preparation for --json
Basically we just separate data extraction from printing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:29 +01:00
Douglas Bagnall
92ec01dcf0 python.subunit: add assertRegexpMatches for Python 2.6
This is used in python/samba/tests/samba_tool/provision_password_check.py

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:29 +01:00
Lumir Balhar
70a85c163f python: tests: Make tests of dsdb Python module Python 3 compatible
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:29 +01:00
Lumir Balhar
bc7c6c15da python: Port samdb module to Python 3 compatible form
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:29 +01:00
Lumir Balhar
cb15e32f85 python: Add text_type Python 2/3 compatible function name.
This compatible function name represents `str` in Python 3
and `unicode` in Python 2.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:29 +01:00
Andreas Schneider
a45e70bf47 python: Convert base64 encoded password to utf-8
Pair-Programmed-With: Alexander Bokovoy <ab@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:28 +01:00
Andreas Schneider
298d812ca0 python: Generate random test usernames
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:28 +01:00
Douglas Bagnall
cb920dd873 tests/samba-tool user wdigest: fix a flapping test
The output of something like

  samba-tool user getpassword $USER --attributes virtualWDigest01

contains an LDIF section with long strings folded on the 77th column.

To unfold this LDIF we were using:

   result = re.sub(r"\n\s*", '', out)

which worked fine EXCEPT when a space in the output happened to land
immediately after the fold and got eaten by the \s*.

Instead we remove just a single space after the line break, because
that is always what fold_string() in lib/ldb/common/ldb_ldif.c
inserts, and for this simple replacement we don't need the re module.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 12 05:21:01 CET 2018 on sn-devel-144
2018-02-12 05:21:01 +01:00
Douglas Bagnall
72a81529aa tests: SambaToolCmdTest.assertMatch() indicates what was asserted
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-12 00:50:25 +01:00
Douglas Bagnall
cefb41b0ed sambatool drs showrepl: prefer self over ctx in python classes
and the line length too.

(Now only python/samba/join.py uses ctx for self, but at least it does
it consistently. This was the only ctx function in the class).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb  9 12:34:06 CET 2018 on sn-devel-144
2018-02-09 12:34:06 +01:00
Douglas Bagnall
f6f192934c samba-tool rodc: consistently use self.outf, not stdout
This increases the output of some commands from the point of view of
tests which read the outf, so we also need to change those tests a
bit.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-09 07:59:20 +01:00
Douglas Bagnall
055b7308d2 subunit.run: report failure in process return code
The protocol requires that the TestResult object remembers when it has failed, but
in subclassing unittest.TestResult we forgot to ensure this is true.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-09 07:59:20 +01:00
Douglas Bagnall
d8aa50b217 python samdb.newuser(): use user DN not samaccountname to set password
This is noticably faster in cases (e.g. tests) where the same user
is added and deleted many times.

The rreason is samaccountname is retained for deleted objects, so the
search finds multiple objects that need to be filtered out internally.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-09 07:59:20 +01:00
Douglas Bagnall
a43dbb93ff tests/samba_tool user virtualCryptSHA: remove unused py3 incompatible import
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-09 07:59:20 +01:00
Douglas Bagnall
0e912a7303 tests/password_hash: avoid py3-incompatible md5 module
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-09 07:59:20 +01:00
Douglas Bagnall
57784b41c1 tests/samba-tool user_wdigest: avoid py3-incompatible md5 module
In Python3, the md5 and sha modules are gone, but the functions are
available via hashlib (which is also in python 2.5+).

The md5.hexdigest() does what binascii.hexlify(md5.digest()) does.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-09 07:59:20 +01:00
Garming Sam
c7d0e6f39b samba-tool/tests: Check that dns cleanup does not spuriously remove entries
This might happen in the multi-record case.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Feb  8 10:00:13 CET 2018 on sn-devel-144
2018-02-08 10:00:12 +01:00
Garming Sam
90e74fc15a samba-tool/dns: Clarify the cleanup subcommand
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:10 +01:00
Garming Sam
97de384e9a tests/samba-tool: dns cleanup should work with a missing name
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:10 +01:00
Garming Sam
d82687e77f remove_dc: Allow remove_dns_references to ignore missing server names
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:10 +01:00
Joe Guo
178f86848d samba-tool: add dns cleanup cmd
1. Add new command to cleanup dns records for a dns host name
2. Add test to verify the command is working

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:10 +01:00
Björn Baumbach
c4bb546b21 tests/samba-tool: add tests for samba-tool group move command
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:10 +01:00
Björn Baumbach
6a2a5e61dc samba-tool group: implement the group move command
This new command allows to move a a group into an ou or container.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:10 +01:00
Björn Baumbach
37b5195d1c tests/samba-tool: add tests for user move command
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:10 +01:00
Björn Baumbach
62a8eecfbb samba-tool user: implement the user move command
This new command allows to move an user into an ou or container.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:10 +01:00
Björn Baumbach
4c1101d033 samba-tool user: fix some typos
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:10 +01:00
Björn Baumbach
87ddbb6720 tests/samba-tool: add test for samba-tool user show command
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:10 +01:00
Björn Baumbach
dc0fa33c68 samba-tool: implement user show command to display a user AD object
This command displays a user account and it's attributes in the
Active Directory domain.
The username specified on the command is the sAMAccountName.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:09 +01:00
Björn Baumbach
e3882f80e0 tests/samba-tool: add tests for new ou management commands
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:09 +01:00
Björn Baumbach
2e0f33d842 samba-tool: implement ou management commands
Available subcommands:
  create       - Create an organizational unit.
  delete       - Delete an organizational unit.
  list         - List all organizational units
  listobjects  - List all objects in an organizational unit.
  move         - Move an organizational unit.
  rename       - Rename an organizational unit.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:09 +01:00
Andrew Bartlett
f973667fac selftest: Add tests for samdb.normalize_dn_in_domain()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:09 +01:00
Andrew Bartlett
f202b0ef24 python/samdb: Improve function comment on normalize_dn_in_domain()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:09 +01:00
Andrew Bartlett
3f022b2dd0 python/samdb: Allow samdb.normalize_dn_in_domain() to take an ldb.Dn()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:09 +01:00
Björn Baumbach
0a88be836b python/samdb: add method normalize_dn_in_domain(): get full dn of an relative dn
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-02-08 04:58:09 +01:00
Gary Lockyer
7009479b7a python SamDB: init default flags to FLG_DONT_CREATE_DB
The current defaults for SamDB are to create the database file if it does not
exist.  Most of the uses of SamDB assume the database already exists, and so
auto-creation is not the desired behaviour.

TDB will overwrite an existing non TDB file with a newly created TDB file.
This becomes an issue when using alternate database file formats i.e. lmdb.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-07 23:45:23 +01:00
Gary Lockyer
a157091a22 samdb: Add tests for samdb tdb file creation.
The current defaults for SamDB are to create the database file if it
does not exist.  Most of the uses of SamDB assume the database already
exists, and so auto-creation is not the desired behaviour.

Also TDB will overwrite an existing non TDB file with a newly created
TDB file.  This becomes an issue when using alternate database file
formats i.e. lmdb.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-07 23:45:23 +01:00
Stefan Metzmacher
0c3348feb0 dbcheck: skip find_missing_forward_links_from_backlinks() if the db has the sortedLinks feature
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Feb  5 18:32:51 CET 2018 on sn-devel-144
2018-02-05 18:32:51 +01:00
Ralph Boehme
5bf823d68b dbcheck: add support for restoring missing forward links
This recovers broken databases with duplicate and missing
forward links.

See commit a25c99c9f1 for
the fix that prevents to problem from happening.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:13 +01:00
Ralph Boehme
d59f201388 dbcheck: add find_missing_forward_links_from_backlinks()
find_missing_forward_links_from_backlinks() finds and returns missing forward-links by
searching all for all objects that link to the object in the backlink attribute.

This will be used in the next commit to restore forward links in a corrupted
forward link attribute by passing the missing backling objects to
err_recover_forward_links().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:13 +01:00
Stefan Metzmacher
182fb3c4c9 dbcheck: make sure we ask for replPropertyMetaData if we need to process any forward link attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-05 13:49:13 +01:00
Stefan Metzmacher
2059803386 dbcheck: make sure we always ask for the objectGUID attribute explicitly
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-05 13:49:13 +01:00
Ralph Boehme
e258b4fb28 dbcheck: add a helper function that checks is a value has duplicate links
Will be used in a subsequent commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:13 +01:00
Ralph Boehme
e4cc062fa9 dbcheck: add a dict where we remember attributes with duplicate links
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:13 +01:00
Ralph Boehme
44a8782d71 dbcheck: split out check_duplicate_links from check_dn
Refactoring, no change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:12 +01:00
Stefan Metzmacher
7df17c0a8d dbcheck: store fixed forward link attributes with the correct sorting
The corruption we're trying to fix messed up the sorting,
so there's no point in keeping the current order.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-05 13:49:12 +01:00
Stefan Metzmacher
b0bc3f6008 dbcheck: remove ldb.FLAG_MOD_REPLACE when replacing search results for forward links
Search results don't have an ldb.FLAG_MOD_* flags set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-05 13:49:12 +01:00
Ralph Boehme
ec433f8531 dbcheck: rename err_duplicate_links() to err_recover_forward_links() and adjust the output message
It's really a fatal error to have duplicate values as it's very likely that
some forward links got lost.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:12 +01:00
Ralph Boehme
dc43d31cd2 dbcheck: add link direction to error message for duplicate links
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:12 +01:00
Ralph Boehme
a651cc79d6 dbcheck: rename err_duplicate_links arguments
In preperation of adding more arguments.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:12 +01:00
Stefan Metzmacher
9f47fe6c4a dbcheck: only pass obj_dn to err_orphaned_backlink()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-05 13:49:12 +01:00
Ralph Boehme
6f77503871 dbcheck: add forward_syntax argument to err_orphaned_backlink
Will be used in a subsequent commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:12 +01:00
Ralph Boehme
4a71394c6a dbcheck: rename and reorder err_orphaned_backlink arguments
In preperation of adding more arguments.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:12 +01:00
Ralph Boehme
8c01acd562 Revert "dbcheck: disable fixing duplicate linked attributes until we can recover lost forward links"
This reverts commit 43e3f79d54c5aeaea820865d298d4249cf47af99.

The real fix will follow in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-05 13:49:12 +01:00
Stefan Metzmacher
55d466549a python/common: add __cmp__ function to dsdb_Dn similar to parsed_dn_compare()
Linked attribute values are sorted by objectGUID of the link target.
For C code we have parsed_dn_compare() to implement the logic,
the same is now available on python dsdb_Dn objects.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-05 13:49:12 +01:00
Stefan Metzmacher
c56eb49119 python:tests: add test_dsdb_Dn_sorted() to "samba.tests.common"
Failing until dsdb_Dn implements the correct __cmp__() function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-05 13:49:11 +01:00
Stefan Metzmacher
1341780dcf python:tests: remove test_dsdb_Dn() to test_dsdb_Dn_binary()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-05 13:49:11 +01:00
Stefan Metzmacher
681e0a1745 python:tests: use TestCaseInTempDir for "samba.tests.common"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-05 13:49:11 +01:00
Stefan Metzmacher
28fcf631c8 python/netcmd: implement __repr__ for class CommandError
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-05 13:49:11 +01:00
Stefan Metzmacher
850a8027f3 dbcheck: disable fixing duplicate linked attributes until we can recover lost forward links
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-22 12:26:20 +01:00
Günther Deschner
112938879f python: fix the build with python3.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13221

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-01-16 16:38:23 +01:00
David Mulder
2ca73cba53 gpo: Add the winbind call to gpupdate
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 22:38:05 +01:00
David Mulder
ef49d0b9ef gpo: Fix crashes in gpo unapply
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 22:38:05 +01:00
Andrej Gessel
08651a08ac samba_kcc: do not commit new nTDSConnection, if we are rodc
Traceback (most recent call last):
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/sbin/samba_kcc", line 337, in <module>
/usr/local/samba/sbin/samba_kcc:     attempt_live_connections=opts.attempt_live_connections)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 2644, in run
/usr/local/samba/sbin/samba_kcc:     all_connected = self.intersite(ping)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1883, in intersite
/usr/local/samba/sbin/samba_kcc:     all_connected = self.create_intersite_connections()
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1817, in create_intersite_connections
/usr/local/samba/sbin/samba_kcc:     part, True)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1769, in create_connections
/usr/local/samba/sbin/samba_kcc:     partial_ok, detect_failed)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py", line 1594, in create_connection
/usr/local/samba/sbin/samba_kcc:     lbh.commit_connections(self.samdb)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 827, in commit_connections
/usr/local/samba/sbin/samba_kcc:     connect.commit_added(samdb, ro)
/usr/local/samba/sbin/samba_kcc:   File "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/kcc_utils.py", line 1123, in commit_added
/usr/local/samba/sbin/samba_kcc:     (self.dnstr, estr))
/usr/local/samba/sbin/samba_kcc: samba.kcc.kcc_utils.KCCError: Could not add nTDSConnection for (CN=862f0429-c72c-4a81-ae9a-96820bb2f96d,CN=NTDS Settings,
CN=BUILDHOST,CN=Servers,CN=Testsite,CN=Sites,CN=Configuration,DC=samdom,DC=com) - (Invalid LDB reply type 1)
../source4/dsdb/kcc/kcc_periodic.c:693: Failed samba_kcc - NT_STATUS_ACCESS_DENIED

Signed-off-by: Andrej Gessel <Andrej.Gessel@janztec.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Sat Jan 13 22:01:49 CET 2018 on sn-devel-144
2018-01-13 22:01:49 +01:00
Douglas Bagnall
a00312df7d samba_kcc: simplify NCReplica.set_instantiated_flags()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
81484f32f4 samba_kcc: simplify NCReplica constructor
There is nothing to be gained from setting the dn and guid separately
except subtle bugs.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
315f445a02 samba_kcc: clarify readonly logging, removing now unused function
The unused function was somewhat misnamed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
d3f4429cd6 samba_kcc: remove unused functions
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
d3c542051f samba_kcc: fix dot_file_dir documentation
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
a090d7ef52 samba_kcc: remove an unused function
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
c6294c3c7b samba-tool visualize for understanding AD DC behaviour
To work out what is happening in a replication graph, it is sometimes
helpful to use visualisations. We introduce a samba-tool subcommand to
write Graphviz dot output and generate text-based heatmaps of the
distance in hops between DCs.

There are two subcommands, two graphical modes, and (roughly) two modes of
operation with respect to the location of authority.

`samba-tool visualize ntdsconn` looks at NTDS Connections.
`samba-tool visualize reps` looks at repsTo and repsFrom objects.

In '--distance' mode (default), the distances between DCs are shown in
a matrix in the terminal. With '--color=yes', this is depicted as a
heatmap. With '--utf8' it is a lttle prettier.

In '--dot' mode, Graphviz dot output is generated. When viewed using
dot or xdot, this shows the network as a graph with DCs as vertices
and connections edges. Certain types of degenerate edges are shown in
different colours or line-styles.

Normally samba-tool talks to one database; with the '-r' (a.k.a.
'--talk-to-remote') option attempts are made to contact all the DCs
known to the first database. This is necessary to get sensible results
from `samba-tool visualize reps` because the repsFrom/To objects are
not replicated, and it can reveal replication issues in other modes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
ba2306f00d samba_kcc: use new graph module for writing dot files
We avoid changing the (annoying) signature of write_dot_file().

Using samba_kcc to write dot files may be deprecated.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
cebad22ce0 python/graph: module for generating ASCII and graphviz visualisations
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
b4a90a650e samba_kcc: respect kcc.read_only flag on RODC
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
e579d5bd48 samba_kcc: kcc.debug module defers to samba.colour
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
a46c4a39c4 python: module containing ANSI colour sequences
This is going to be used by `samba-tool visualize` and samba_kcc.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
f2762d0880 python tests: assert string equality, with diff
In the success case this works just like self.assertEqual(),
but when things fail you get a better representation of where it went
wrong (a unified diff).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:06 +01:00
Douglas Bagnall
3f2762d0b7 samba_kcc: documentation fix
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:06 +01:00
Volker Lendecke
977b3f60cf python: Print the finddcs error message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jan  9 22:41:28 CET 2018 on sn-devel-144
2018-01-09 22:41:28 +01:00
Björn Jacke
e3cc2af011 tests:docs: remove explicit exceptions for parametric options
we don't need to list them all as special cases because we exclude parametric
options generally now from the default value test.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-01-08 03:34:18 +01:00
Björn Jacke
ece75ea9a6 tests:docs: don't try to test parametric option defaults
we don't get the values of the parametric options.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-01-08 03:34:18 +01:00
Douglas Bagnall
8a42954775 samba-tool test: ensure samba-tool help works
We make sure the output is identical to `samba-tool --help` for the same
subcommands.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 22 07:50:21 CET 2017 on sn-devel-144
2017-12-22 07:50:21 +01:00
Douglas Bagnall
316594f211 samba-tool: treat 'samba-tool help foo' as 'samba-tool foo --help'
Vaguely keeping up with the modern style.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-22 03:30:12 +01:00
Douglas Bagnall
769197dfa3 samba-tool: give cache_loader pseudo-dict a .get() method
This makes it more dict-like, and makes the next patch (adding
samba-tool help) simpler.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-22 03:30:12 +01:00
Douglas Bagnall
cef83c0cc6 samba-tool: --help test, ensuring help tree coverage
`samba-tool [COMMAND] --help` will list sub-commands of COMMAND
(or top-level commands if COMMAND is omitted). This ensures that
`samba-tool COMMAND SUBCOMMAND --help` works for all the commands
found in the help tree.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-22 03:30:12 +01:00
Andrew Bartlett
6a6f0952a5 samba-tool domain schemaupgrade: Avoid reindex after every hunk
This takes advantage of the fact that a single LDB operation is atomic
even inside our transaction and so we can retry it after updating the
schema.

This makes the smaba-tool domain schemaupgrade take 1m30s compared with 4m4s.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Dec 21 08:28:51 CET 2017 on sn-devel-144
2017-12-21 08:28:51 +01:00
Garming Sam
fafc6da6ab ldapcmp: Improve the difference checker of ldapcmp for 2012 R2
There are a number of new attributes which may be considered DNs.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Dec 21 03:41:19 CET 2017 on sn-devel-144
2017-12-21 03:41:19 +01:00
Garming Sam
c4895cfd9a upgradeprovision: Mark tests as passing again (using functional prep)
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:12 +01:00
Garming Sam
c419ac4a2e domain.py: Command for prepping the domain for higher functional levels
Currently we support the 2012 and 2012 R2 prep levels.

Forest prep requires use of the schema master role.
Domain prep requires use of the infrastructure master role.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:12 +01:00
Garming Sam
b2d831f23d domain.py: Force schema upgrade to be used only on the schema master
While this may be enforced at lower levels, it would be better to warn
earlier rather than later.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
66895701c9 forest_update: Allow the script to add the missing forest containers
Before we set the prep level higher in default provisions, we should add
these objects to the initial ldif (so that our initial ldif represents a
full 2008R2 domain which we build consistently on).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
c4262753ae forest_update: Create a module to apply forest prep updates
This module uses information sourced from the Forest-Wide-Updates.md
file from one of Microsoft's Github repos to generate the operation
information.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
107fbaa8f1 domain_update: Add a new docstring for the main entry point
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
b5f7677af9 domain_update: Add an additional error with revision
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
60b70e9540 domain_update: Allow the revision version to be set
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
551ec22da8 domain_update: Respect the fix=False flag
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
23dbcb403a domain_update: Create a module to apply domain prep updates
These updates are referenced in documentation much like our
Forest-Wide-Updates.md file under the same MIT and CC attribution
licenses.

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Domain-Wide-Updates.md

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
8a4085fc2b ms_forest_updates_markdown: Write a parser for the forest updates .md
Unlike the schema markdown which appears generally as ldif, these
descriptions are textual.

We are only handling the add cases, with the rest being manually encoded.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
3cddb6ad07 2008R2: Missing operation (75, 76) for ActiveDirectoryUpdate version 5 (FL)
Operation 75 {5e1574f6-55df-493e-a6-71-aa-ef-fc-a6-a1-00}

 - Create the CN=Managed Service Accounts object

Operation 76 {d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d}

 - Add otherWellKnownObject link for CN=Managed Service Accounts

Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/dd378973(v=ws.10).aspx

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
0efc061a62 ldapcmp: Add otherWellKnownObjects to ignore when using --two
wellKnownObjects already exists in this list.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
83c4c3b397 sambadns: Allow functional level 2016 (when added)
This is currently just a harmless check anyways.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:10 +01:00
Andrew Bartlett
44eee9ce9e selftest: Do not use dn= filter string
This accidentially worked with SCOPE_ONELEVEL against Samba but dn= filters are
not valid in AD.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-20 04:22:09 +01:00
Gary Lockyer
d120d7fe84 provision: Changes to support encrypted_secrets module
Changes to provision and join to create a database with
encrypted_secrets enabled and a key file generated.

Also adds the --plaintext-secrets option to join and provision commands
to allow the creation of unencrypted databases.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 00:10:17 +01:00
Gary Lockyer
b29ab3a0c1 tests dsdb encrypted secrets module
Add tests to check that the encrypted_secrets module encrypts
secrets/sensitive attributes on disk.

This test also proves that the provision and join operations correctly
configure the encrypted_secrets module.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 00:10:16 +01:00
Gary Lockyer
e5ce0a4d73 pyglue: Add function to generate a random byte string
Adds a function to generate a random byte string using the samba random
routines.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 00:10:16 +01:00
David Mulder
ac56f87018 gpo: Only commit the earliest change to the log
Otherwise we overwrite the original value,
leaving the setting tattooed on unapplied

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-15 21:43:19 +01:00
David Mulder
9ace2343ab gpo: Fix the empty apply log
The apply log wasn't being saved, apparently the pointers to elements
of the tree were getting lost.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-15 21:43:19 +01:00
Garming Sam
964bc8d19a markdown: Rename ms_markdown.py -> ms_schema_markdown.py
We also reduce the scope of the import so that python-markdown is only
required if interacting with 2012 code.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 14 12:34:04 CET 2017 on sn-devel-144
2017-12-14 12:34:03 +01:00
Andrew Bartlett
4f20416b38 provision: Use the official MS 2008R2 schema by default
This fixes us to have the official adminDescription etc.  While both schema were provided by
Microsoft this is a better quality one, but still under the same licence.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:17 +01:00
Garming Sam
6bdbcb1d4c domain.py: Auto-patch the diffs for the adprep schemaupgrade
This creates a temporary directory where the markdown is parsed and the
diffs are then applied.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Garming Sam
5db10e0662 domain.py: Add a base dir option for schema upgrades
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Tim Beale
c22d022cea upgradeprovision: Change test to always use 2008 R2 schema
This tool (and the corresponding test) is designed to migrate a Samba DC
from a pre-4.0.0 release up to a more recent schema (i.e. Windows 2008R2).

Going further than 2008R2 turns this test into a bit of a nightmare. We
now have a better adprep/'samba-tool domain schemaupgrade' option for
upgrading from 2008R2 to a more recent schema.

It seems to make most sense to leave this tests just running against
2008R2 schema provisions and add new tests to migrate from 2008R2 to
2012R2.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Tim Beale
ea9cde92fb domain.py: Add base-schema option to samba-tool provision
Allow a different base-schema to be used when provisioning a new domain.
This allows us to test the new 2012 schema without committing Samba to
using it by default.

If, in future, we change the default to use the 2012 schema, some
existing Samba tests (like upgradeprovision) rely on the 2012 schema.
So making the base-schema optional allows these tests to continue using
the older schema.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Tim Beale
1f60f5b51a schema: Add option of specifying the base schema for a provision
Add the ability to override the base schema files being used for the
new provision, e.g. instead of using the default supported schema,
the code can now potentially specify an older or newer schema to use.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Andrew Bartlett
d67f706b34 schema: Re-work extended rights handling in provision (prep for 2012R2)
Add the changes needed to provision a 2012 DC (mostly this just affects
the Extended Rights objects) by moving to the new extended-rights.ldif

The localizationDisplayId is not documented in MS-ATDS so these values
are moved to provision_configuation_modify.ldif and applied after the
display-specifiers.ldif

We don't enable the 2012R2 mode yet. The ${INC2012} variable
just gets replaced with '#' so the lines get commented out and not
applied.

This approach allows us to support provisioning both a 2008R2 DC or
a 2012R2 DC (so that we can test we can upgrade a 2008 DC to 2012).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:16 +01:00
Tim Beale
9327c5a35e domain.py: Add a schemaupgrade option to apply missing 2008R2 schema
We've identified some cases where we've gotten our implementation of the
2008R2 schema wrong. We can fix these up for new provisions going
forward, but it'd be nice to have some way of fixing up the schema on
existing DCs.

A lot of what we're missing is already documented in Microsoft's
Sch45.ldf file:
https://technet.microsoft.com/en-us/library/dd378890(v=ws.10).aspx

Unfortunately we can't just apply the Sch45.ldf file using the existing
'samba-tool domain schema-upgrade' option because:
- We have got some of the Sch45.ldf changes, just not all of them.
- We already say the Samba schema objectVersion is 47 (2008R2), so
  there's no way to tell if the Samba instance does or doesn't have the
  missing changes (apart from querying each change).

We may want to add this to dbcheck eventually, but the simplest
implementation option for now is to extend the new schemaupgrade command
to allow us to specify a particular .LDF file to apply.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Tim Beale
f9059c7c1b domain.py: Make schemaupgrade option work regardless of config
Currently the 'samba-tool domain schemaupgrade' command will only work
if the Samba config has the non-default option 'dsdb:schema update
allowed = yes'. The whole point of running this samba-tool option is to
upgrade the schema, so it would seem to make sense to bypass the setting
temporarily, in order to apply the schema updates successfully.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Tim Beale
580e6babaf domain.py: Add schema upgrade option to samba-tool
Microsoft has published the Schema updates that its Adprep.exe tool
applies when it upgrades a 2008R2 schema to 2012R2.

This patch adds an option to samba-tool to go through these update files
and apply each change one by one. Along the way we need to make a few
changes to the LDIF operations, e.g. change 'ntdsschemaadd' to 'add' and
so on.

The bulk of the changes involve parsing the .ldif file and separating
out each update into a separate operation.

There are a couple of errors that we've chosen to ignore:
- Trying to set isDefunct for an object we don't know about.
- Trying to set a value for an attribute OID that we don't know about
  (we may need to fix this in future, but it'll require some help from
   Microsoft about what the OIDs actually are).

To try to make life easier, I've added a ldif_schema_update helper
class. This provides convenient access of the DN the change applies to
and other such details (whether it's setting isDefunct, etc).

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Garming Sam
d66cbca4e1 adprep: Add the LDF data needed to upgrade to 2012R2 schema
This patch adds the LDF files corresponding to the changes that the
Windows Adprep.exe tool makes when upgrading a AD schema to Windows
2012R2.

This is based on information Microsoft has made public on github
(Schema-Updates.md - see the README.txt for more details).

The LDF files 48-56 are for upgrading to Windows Server 2012, and 57-69
are for Windows Server 2012 R2.

Unfortunately, the raw LDF information from Microsoft wasn't enough to
get the schema working. The .diff files contain changes we needed to
make on top of the raw LDF content from Microsoft.

The basic steps to regenerate the .LDF files are documented in the
README.txt file. The files used to generate the .LDF files are in the
WindowsServerDocs/ sub-directory. (The .LDF generation is done at runtime
during provision).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Garming Sam
3257c7f60f ms_schema: Properly handle base64 encoded attributes
There used to be a special case for omobjectclass, but now there is just
generic handling for such attributes.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Garming Sam
ed6a3ddb2a ms_schema: Allow for CN=X and DC=X replacements
These occur in the newer 2012 and 2016 schemas.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:14 +01:00
Stefan Metzmacher
df1a06074e tests/posixacl.py: remove useless 'profile acls' based test
test_setntacl_smbd_dont_invalidate_getntacl_smbd() is basically
the same as test_setntacl_smbd_getntacl_smbd()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-12-13 20:34:24 +01:00
Andrew Bartlett
9f4eda9c24 selftest: Fix copyright header on samba.dsdb_lock
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13178

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Dec 13 13:03:16 CET 2017 on sn-devel-144
2017-12-13 13:03:16 +01:00
Andrew Bartlett
2a8b507084 selftest: Add cleanup of ForeignSecurityPrincipal in samba.dsdb test
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 13 08:47:05 CET 2017 on sn-devel-144
2017-12-13 08:47:05 +01:00
Andrew Bartlett
d2b14b7578 selftest: Fix flapping samba.dsdb test
The check for the final digit in the SID was wrong, any domain SID
ending with a zero would fail the test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-12-13 04:47:37 +01:00
Jamie McClymont
698d28ee8c samba-tool: validate password early in domain provision
Checks password against default quality and length standards when it is entered,
allowing a second chance to enter one (if interactive), rather than running
through the provisioning process and bailing on an exception

Includes unit tests for the newly-added python wrapper of check_password_quality
plus black-box tests for the checks in samba-tool.

Breaks an openldap test which uses an invalid password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9710
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12235

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2017-12-10 00:47:30 +01:00
Gary Lockyer
073328673f tests dsdb: Add tests for optionally unique objectSID's
It is possible for foreign security principals to have duplicate object
sids, this can be the result of:
 a replication race condition generating conflict resolution objects
 or the foreign security principal being deleted and then re-added on a
 join.

Rather than remove unique check on all objectSIDs we wish to allow
duplicate objectSIDs for foreign security principals.  But enforce the
unique constraint for local objects.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-12-10 00:47:29 +01:00
Andrew Bartlett
b8d0602e59 selftest: Rework samba.dsdb locking test to samba.dsdb_lock
This avoids running the test while samba is modifying and locking the same database,
as this can lead to a deadlock.

The deadlock is not seen in production as the LDB read lock is not held while
waiting for another process, but this test needs to do this to demonstrate
the locking safety.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  8 21:47:55 CET 2017 on sn-devel-144
2017-12-08 21:47:55 +01:00
Andreas Schneider
6f8e3f7cd0 python:tests: Create a test user for the dsdb test
We should never taint the Administrator account as we don't shut down
target envionments!

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Nov 25 14:13:24 CET 2017 on sn-devel-144
2017-11-25 14:13:23 +01:00
Andreas Schneider
8635465d77 build: Move pam_wrapper to third_party
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-11-25 10:14:13 +01:00
Stefan Metzmacher
239fbeb163 dbcheck: detect and fix duplicate links
Check with git show -w

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Stefan Metzmacher
9a631560c9 dbcheck: only calculate linked attribute helper variables once in check_dn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Stefan Metzmacher
eb6bd6511a dbcheck: remove indentation level
Check with git show -w

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Andrew Bartlett
527f2c95cf dbcheck: Use the GUID as the DN to fix replPropertyMetaData
This allows this to still work after an object is renamed under the deleted objects container.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-24 15:50:16 +01:00
Andrew Bartlett
3b111fbdbe dbcheck: Clarify error count bumping in deleted/gone DN handling
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-24 15:50:15 +01:00
Andreas Schneider
84a7baeef3 python:tests: Use bin/tdbdump only if built
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 01:13:14 +01:00
Garming Sam
6e7d037ace Fix formating of sources to be less than 80 lines
Signed-off-by: David Mulder <dmulder@suse.com>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Tue Nov 21 01:51:59 CET 2017 on sn-devel-144
2017-11-21 01:51:59 +01:00
Andrew Bartlett
6d77776ce7 python: This function converts days to a relative (ie negative) NTTIME
It is not nttime2unix as it claimed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-11-20 21:41:15 +01:00
David Mulder
e60f49783e gpo: Apply kerberos settings
Add kdc kerberos settings to gpo.tdb, then retrieve those settings in
lpcfg_default_kdc_policy.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
4a7ccbeab7 gpo: Always enforce policy, even if unchanged
Policies should always be enforced, even if the gpo hasn't changed.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
8d4c7229e9 gpo: Add GPO unapply
Keep a log of applied settings, and add an option to samba_gpoupdate to allow unapply. An unapply will revert settings to a state prior to any policy application.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
e750e4a35f gpo: Add gpo tests
Lays down a sysvol gpttmpl.inf with password policies, then runs the samba_gpoupdate command. Verifies policies are applied to the samdb.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
de9cee2262 gpoupdate: Rewrite samba_gpoupdate
Use new python bindings and remove obsoleted code

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
8eba3b5d38 gpo: Make the gpclass more easily extensible
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
115615d836 gpo: Make the gpoupdate script much more reliable
Using a static file blanks the file when samba_gpoupdate crashes. Transformed
to a tdb file and added transactions. Add info logging to monitor gpo changes,
etc. Also handle parse errors and log an error message, then recover. Modified
the parsing code to use ConfigParser. Also, use the backslash in path names
when opening smb files, otherwise it fails against a windows server.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Luke Morrison
5194cd4e8d gpo: Initial commit for GPO work
Enclosed is my Summer of Code 2013 patch to have vital password GPO always applied to the Samba4 Domain Controller using a GPO update service.

To try it out "make -j" your samba with the patch, apply a security password GPO and see the difference in ~20 seconds. It also takes GPO hierarchy into account.

Split from "Initial commit for GPO work done by Luke Morrison" by David Mulder

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Luke Morrison <luke@hubtrek.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Lumir Balhar
de5e23c236 python: tests: Add tests for samba.posix_eadb module
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov  8 21:54:59 CET 2017 on sn-devel-144
2017-11-08 21:54:59 +01:00
Lumir Balhar
e583a926eb python: Port tests of samba.messaging to Python 3 compatible form.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Oct 23 15:40:48 CEST 2017 on sn-devel-144
2017-10-23 15:40:48 +02:00
Joe Guo
5dc773a5b0 python: use communicate to fix Popen deadlock
`Popen.wait()` will deadlock when using stdout=PIPE and/or stderr=PIPE and the
child process generates large output to a pipe such that it blocks waiting for
the OS pipe buffer to accept more data. Use communicate() to avoid that.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 19 09:27:16 CEST 2017 on sn-devel-144
2017-10-19 09:27:15 +02:00
Joe Guo
8ed3cac9e5 python: add a failed test to show Popen deadlock
`Popen.wait()` will deadlock when using stdout=PIPE and/or stderr=PIPE and the
child process generates large output to a pipe such that it blocks waiting for
the OS pipe buffer to accept more data. Use communicate() to avoid that.

This patch is commited to show the issue, a fix patch will come later.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-19 05:33:10 +02:00
Gary Lockyer
6d7a8d80cd tests: Add a blackbox test for smbcontrol
Add tests to check that samba processes have started and that they can be
pinged.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:09 +02:00
Andrew Bartlett
962a1b3220 dbcheck: Allow removal of one-way links to missing objects
If dbcheck is not run within the tombstone lifetime, these links can
persist in the database forever.  The risk of unintentional information loss
is why these links are only removed within the same partition.  A
replication may be in progress which has created only one end of
the link, so we must keep that.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 19 00:50:19 CEST 2017 on sn-devel-144
2017-10-19 00:50:19 +02:00
Lumir Balhar
88dc82d1f9 tests: Improve tests of samba.registry Python module
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-10-18 10:20:26 +02:00
Tim Beale
8c56aa2c91 selftest: Rename ntlmauth tests to ntlmdisabled
There are already some existing ntlm_auth tests, so the new tests I've
added make things a bit confusing. Also, ntlmdisabled probably better
reflects the specific case we're trying to test.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-26 00:41:16 +02:00
Andrew Bartlett
7665d999d2 provision: Add a fixed objectGUID to the tmp DB used for LDAP backend schema work
This DB holds a copy of the schema, but now needs to have an objectGUID on each record.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-23 05:26:15 +02:00
Andrew Bartlett
eabc344416 provision: make clear that the tmp ldb is running in @IDXGUID mode
This happended when the schema was set on the DB, forcing the full set of Samba behaviours

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-23 05:26:15 +02:00
Martin Schwenke
68c3ea773b selftest: Avoid a build started just before midnight failing
It looks like commit 070f24bc9d was incomplete because it doesn't
match on the trailing fullstop and newline.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Sep 19 05:32:22 CEST 2017 on sn-devel-144
2017-09-19 05:32:22 +02:00
Andreas Schneider
ffb7d6b50e python:provision: Do not change the owner of the sam.ldb.d dir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-09-16 00:57:24 +02:00
Andreas Schneider
591b086bf1 python:provision: Change the group of the 'binddns dir' too
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-09-16 00:57:24 +02:00
Andreas Schneider
4880e8a7e6 samba:provision: Give a hint to copy the krb5.conf and not symlink it
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-09-16 00:57:24 +02:00
Andrew Bartlett
9516d4229f s4-provision: Ensure the dummy main-domain DB used for DLZ has an @INDEXLIST
The other databases are created from copies of the main provision, but this one
is not, so did not previously get a valid @INDEXLIST.

This is important as otherwise we will not correctly notice support for
the GUID index or new DSDB features in @SAMBA_DSDB as this is gated
on seeing @SAMBA_FEATURES_SUPPORTED in @INDEXLIST.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-14 18:43:16 +02:00
Andrew Bartlett
51be27522c selftest: Check re-opening sam.ldb corrects the @ATTRIBUTES and @INDEXLIST
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-14 18:43:16 +02:00
Andrew Bartlett
c938f61d33 python: Allow debug classes to be specified on the command line for python tools
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  7 10:43:33 CEST 2017 on sn-devel-144
2017-09-07 10:43:33 +02:00
Andrew Bartlett
dc48fa9822 drs repl: Only print raw DRS replication traffic at level 9
This can be sensitive even with the passwords still encrypted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13017
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-07 06:56:27 +02:00
Andrew Bartlett
070f24bc9d selftest: Avoid a build started just before midnight failing
By allowing 41 or 42 days, we still test the expiry but are less sensitive to the
current time.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-07 06:56:26 +02:00
Lumir Balhar
6f877285a3 python: Add tests for check_access function from samba.security.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-09-06 11:35:18 +02:00
Andreas Schneider
8f2dee256e python:samba: Use 'binddns dir' in samba-tool and samba_upgradedns
This provisions the bind_dlz files in the 'binddns dir'. If you want to
migrate to the new files strcuture you can run samba_upgradedns!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Andreas Schneider
3b1aa2ca5f python:samba: Remove code to change group
This is the wrong place, it will just prepare the ldif. The file is not
created here.

The code is corrently changing the group in:
    python/samba/provision/__init__.py

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Andreas Schneider
47c039792a dynconfig: Change permission of the private dir to 0700
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Tim Beale
f812c29d40 drs_utils: Add GET_TGT support to 'samba-tool drs replicate --local'
Update drs_Replicate.replicate() so it handles being passed the GET_TGT
flag (more_flags). To do this, we need to always use a v10 GetNCChanges
request (v8 and v10 are essentially the same except for the more_flags).

If the replicate_chunk() call into the C bindings throws an error, check
to see whether the error could be fixed by setting the GET_TGT flag, and
re-send the request if so.

Unfortunately because WERR_DS_DRA_RECYCLED_TARGET isn't documented with
the other AD error codes, I've left it hardcoded for now (Microsoft
should be fixing up their Docs).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12972
2017-08-18 06:07:12 +02:00
Gary Lockyer
beeec1ff7c tests: replace traffic_summary test with python blackbox test
Replace the shell subunit test for script/traffic_summary.pl with a
python black box test.

This involves moving the test files to more standard locations.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Aug 17 07:59:38 CEST 2017 on sn-devel-144
2017-08-17 07:59:38 +02:00
Gary Lockyer
7057abcfcd scripts: Scripts to replay and generate samba traffic
Scripts to generate representative network traffic and replay this to a
samba instance.  For load testing, performance profiling and capacity
planning.

traffic_learner  process a file generated by traffic_summary and
                 generate a model that can be used by traffic_replay to
                 generate samba network traffic.

traffic_replay   Replay a summary file generated by traffic_summary, or
                 use a model created by traffic_learner to generate
                 network traffic.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Tim Beale <timbeale@catalyst.net.nz>
2017-08-17 04:06:06 +02:00
Gary Lockyer
74ebcf6dfc blackbox tests: method to check specific exit codes
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-08-17 04:06:06 +02:00
Gary Lockyer
29b3a2b0d1 samba-tool dns query: Allow '*' in names
As DNS wild cards are now supported we need to allow '*' characters in
the domain names.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Gary Lockyer
3d2bd849f1 samba-tool dns: Test support of DNS wild card in names
As DNS wild cards are now supported we need to allow '*' characters in
the domain names.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Gary Lockyer
1184770a76 dnsserver: Tests for dns wildcard entries
Add tests for dns wildcards.
Tests validated against Windows Server 2012 R2

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Andreas Schneider
eb691cd024 python:tests: Add test for warn_pwd_expire
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Aug  7 19:11:02 CEST 2017 on sn-devel-144
2017-08-07 19:11:02 +02:00
Andreas Schneider
0a7db4dd43 python:tests: Do not overwrite exit code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-08-07 15:20:04 +02:00
Marc Muehlfeld
d51d4c9458 python: Fix incorrect kdc.conf parameter name in kerberos.py
Signed-off-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Gary Lockyer
6d65d679f1 tests samba_tool: fix flapping user-virtualCryptSHA test
Fix flapping test, occasionally a password would be generated that failed
the password criteria, which resulted in the test user not being
created.  The tests relying on this user being present then failed.

This patch ensures that the generated password contains at least one digit,
at least one upper case letter and at least one lower case letter.
The generated passwords do not contain special characters to avoid shell
escaping issues.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Mon Aug  7 05:34:24 CEST 2017 on sn-devel-144
2017-08-07 05:34:23 +02:00
Andrew Bartlett
d5750f0163 dsdb: Fix dsdb_next_callback to correctly use ldb_module_done() etc
If we do not call ldb_module_done() then we do not know that up_req->callback()
has been called, and ldb_next_request() will call the callback again.

If called twice, the new ldb_lock_backend_callback() in ldb 1.2.0 will segfault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12904

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug  1 07:52:38 CEST 2017 on sn-devel-144
2017-08-01 07:52:38 +02:00
Tim Beale
4bd8467018 drs_utils: HWM in 'samba-tool drs replicate --local' always zero
The code to check for the 'repsFrom' highwatermark didn't have any
effect because the hwm variable was overwritten (initialized to all
zeroes) further down.

Using a zero HWM probably wouldn't have impacted functionality because
we were still correctly using the uptodatenessvector, which should
avoid a full replication.

This was introduced in commit e2ba17d26a, presumably by
accident.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-28 00:25:15 +02:00
Tim Beale
314b96e183 drs: support sync-forced for 'samba-tool drs replicate --local'
The sync-forced option wasn't being passed into the replication request
when the --local option was used. This meant if outbound replication
were disabled on the target DC, then the replicate --local command would
fail.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-28 00:25:14 +02:00
Andrew Bartlett
e91782541e selftest: Add and use new helper function get_creds_ccache_name()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:14 +02:00
Andrew Bartlett
f7089c0262 python/getopt: Add --krb5-ccache (for samba-tool etc) to match the C binaries
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:14 +02:00
Andrew Bartlett
dc940ad0e0 pycredentials: Add set_named_ccache()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:14 +02:00
Andrew Bartlett
a5f62958cc selftest: Add tests for credentials.get_named_ccache()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:13 +02:00
Andrew Bartlett
a420b1bdcc selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul 25 03:21:19 CEST 2017 on sn-devel-144
2017-07-25 03:21:19 +02:00
Gary Lockyer
f3d3e6da5a tests auth_log: Add new tests for NETLOGON
Tests for the logging of NETLOGON authentications in the
netr_ServerAuthenticate3 message processing

Test code based on the existing auth_log tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Gary Lockyer
5c27c5b6ef tests auth_log: Modify existing tests to handle NETLOGON messages
Modify the existing tests to ignore auth logging for NETLOGON messages.
NETLOGON authentication is logged once per session, and is tested
separately.  Ignoring it in these tests avoids order dependencies.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Gary Lockyer
ddfe8aa9cc auth_log: use symbolic constant to replace /root/ncalrpc_as_system
Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of
string literal "/root/ncalrpc_as_system"

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Tim Beale
4e04f025a0 selftest: Add test for password change when NTLM is disabled
When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
2017-07-21 13:54:35 +02:00
Rowland Penny
3c03ac750f Add test for 'samba-tool user edit'
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-05 13:36:09 +02:00
Rowland Penny
2ab239be0d Easily edit a users object in AD, as if using ldbedit.
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-05 13:36:09 +02:00