mirror of https://github.com/samba-team/samba.git synced 2025-06-09 11:17:03 +03:00

86 Commits

Author SHA1 Message Date
Andrew Bartlett
c2b094ffbc s4-s3-upgrade: Max/min password age policy is in seconds, not days
This causes upgraded domains to have a too-long password expiry, which in extreme
cases can cause the KDC to misfunction.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sun May  6 14:49:39 CEST 2012 on sn-devel-104
2012-05-06 14:49:39 +02:00
Andrew Bartlett
a0a83802fb s4-s3upgrade: Force ldapsam:trusted = yes
While this setting is not the default in Samba3, any domain that is
in a suitable condition to upgrade to Samba4 should already be in the
layout that ldapsam:trusted uses.  It can be turned off by setting
ldapsam:trusted=false in the smb.conf.

Many upgrades to Samba4 happen on a different host to the old Samba3 domain
and this avoids the need to configure nss_ldap only for the duration of
the upgrade.

Andrew Bartlett
2012-05-03 08:09:09 +10:00
Andrew Bartlett
d2c8ebe2c7 s4-s3upgrade: Try harder to get group memberships on upgrade
This fixes an issue where some group types were not upgraded, as we
did not upgrade alias memberships.

It also uses enum_group_memberships() to try and find the memberships
from the other direction, by asking which groups a user is a member
of.  As Samba3 (and NT4) does not implement nested groups, this should
be safe.

Andrew Bartlett
2012-05-03 08:09:09 +10:00
Andrew Bartlett
0d5d45c2df s4-s3upgrade: print the error message from passdb.error exceptions
This gives more information on why a group membership lookup failed.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Apr 24 04:34:44 CEST 2012 on sn-devel-104
2012-04-24 04:34:44 +02:00
Andrew Bartlett
6b2753d71e s4-samba-tool: Fix samba-tool fsmo seize
This is currently untested, and a restructure broke it.

Andrew Bartlett
2012-04-19 14:19:09 +10:00
Andrew Bartlett
a2b7a9e2a2 s4-s3upgrade: Do not ever set a domain-wide maxPwdAge of 0
This means no-expiry in s3, and so we must treat it like -1.

Andrew Bartlett
2012-04-19 14:19:09 +10:00
Andrew Bartlett
a5905bfb39 s4-s3upgrade: Ignore (with warning) groups that are listed but we cannot list members for 2012-04-19 09:59:40 +10:00
Jelmer Vernooij
21f443eb82 provision: Leave result reporting up to caller. 2012-02-26 16:27:06 +01:00
Amitay Isaacs
bfa951db97 s4-s3-upgrade: Check if there are duplicate sids for users and groups
Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Tue Jan 31 02:23:17 CET 2012 on sn-devel-104
2012-01-31 02:23:17 +01:00
Amitay Isaacs
449ca75759 s4-s3-upgrade: Use lowercase hostname as hostname for provision 2012-01-31 00:49:07 +01:00
Amitay Isaacs
1e935d1bdc s4-provision: Make BIND9_DLZ as the default backend for DNS 2011-11-29 16:00:36 +11:00
Amitay Isaacs
cd3f552f4f s3-py-passdb: Fix handling of uninitialized gid values
Uninitialized gid value is set to -1 and returned as such from python
passdb api.

Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Fri Nov 18 06:18:33 CET 2011 on sn-devel-104
2011-11-18 06:18:33 +01:00
Amitay Isaacs
244ecc844d s4-s3-upgrade: Add --verbose option to print extra details 2011-11-18 14:38:28 +11:00
Amitay Isaacs
e6c77f523b s4-s3-upgrade: Fix idmap types ID_TYPE_UID/ID_TYPE_GID instead of UID/GID 2011-11-18 14:38:28 +11:00
Amitay Isaacs
c48a2aa438 s4-s3-upgrade: Fix the minimum and maximum password age calculation
Windows sets maxPwdAge to -0x8000000000000000 when maximum password age
is set to 0 days.
2011-11-18 14:38:27 +11:00
Andrew Bartlett
e80dbdcab1 s4-s3-upgrade now look for -1 as the special 'not set' value
this is possible because we know the py_passdb will always set -1
here, not passing through 0xFFFFFFFF.

Andrew Bartlett
2011-11-18 14:38:27 +11:00
Andrew Bartlett
29cd8ae6fd s4-provision permit server role to be the ROLE_ strings from s3
Also convert between the aliases in one single place.

Andrew Bartlett

Pair-Programmed-With: Amitay Isaacs <amitay@samba.org>
2011-11-17 00:34:09 +01:00
Amitay Isaacs
80113755c4 s3-s4-upgrade: do not add description if it is empty string or none
Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Wed Nov 16 05:53:41 CET 2011 on sn-devel-104
2011-11-16 05:53:41 +01:00
Andrew Bartlett
d61d28bccc s4-s3-upgrade Add my copyright 2011-11-08 02:58:06 +01:00
Andrew Bartlett
43f23b55c4 s4-s3-upgrade rename samba-tool domain samba3upgrade --libdir to --dbdir for clarity
The things pointed at are not typically in a directory called lib,
so avoid confusing our administrators.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Oct 19 15:43:04 CEST 2011 on sn-devel-104
2011-10-19 15:43:04 +02:00
Andrew Bartlett
be9378e41e s4-s3-upgrade fix format string for secrets.tdb exception 2011-10-19 14:13:09 +02:00
Andrew Bartlett
596d6cceab s4-s3-upgrade Fix samba3upgrade code to cope with a missing wins.dat 2011-10-19 14:13:09 +02:00
Andrew Bartlett
5f11615810 s4-s3-upgrade: Give a better clue when we cannot open secrets.tdb
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Kai Blin
8c076862ad s4 provision: DNS backend should be set by caller
Autobuild-User: Kai Blin <kai@samba.org>
Autobuild-Date: Mon Oct 17 09:51:12 CEST 2011 on sn-devel-104
2011-10-17 09:51:12 +02:00
Jelmer Vernooij
c6481f4f24 samba.upgrade: Use list comprehension.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Wed Oct 12 22:44:40 CEST 2011 on sn-devel-104
2011-10-12 22:44:40 +02:00
Andrew Bartlett
1255383140 s4-s3-upgrade: Allow import (just without a uid mapping) where getpwnam fails
This allows the tests to pass on systems without a jelmer user :-)

Andrew Bartlett
2011-10-11 13:41:36 +11:00
Jelmer Vernooij
dc3df567be upgrade: Avoid catching all exceptions, just catch the ones we care about. 2011-10-08 14:15:11 +02:00
Jelmer Vernooij
0ee22a2dec s4-python: Fix some formatting issues.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Tue Sep 13 03:51:13 CEST 2011 on sn-devel-104
2011-09-13 03:51:13 +02:00
Amitay Isaacs
c7b1f156bb s4-s3-upgrade: Check for duplicate sids before provisioning
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-09-12 20:42:20 +10:00
Amitay Isaacs
c6a40942b2 s4-s3-upgrade: Check for common user/group names before provisioning
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-09-12 20:42:17 +10:00
Andrew Bartlett
47130f97fd s4-s3-upgrade Do not use python 2.6 style exceptions
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Sep  9 08:54:16 CEST 2011 on sn-devel-104
2011-09-09 08:54:16 +02:00
Andrew Bartlett
b8aa4e513c s4-s3-upgrade do not convert min password length as a time
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Sep  9 01:53:55 CEST 2011 on sn-devel-104
2011-09-09 01:53:55 +02:00
Andrew Bartlett
c640e9235f s4-s3-upgrade: convert password age policies to the negative NTTIME format
This previously caused all accounts to be locked out.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Sep  7 13:44:44 CEST 2011 on sn-devel-104
2011-09-07 13:44:44 +02:00
Andrew Bartlett
a9a3a79767 s4-s3-upgrade Handle expected errors, error out on unexpected ones
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Sep  7 02:22:56 CEST 2011 on sn-devel-104
2011-09-07 02:22:56 +02:00
Andrew Bartlett
02da47d75c s4-s3-upgrade Fix group member addition 2011-09-07 08:44:35 +10:00
Andrew Bartlett
5422db82e3 s4-s3-upgrade Fix error handling in add_users_to_group 2011-09-05 11:19:25 +02:00
Andrew Bartlett
1316bc4b08 s4-provision handle a number of invalid but real-world upgrade cases
Real world databases have the wrong account flags (U and W at the same time) and have the wrong
group type in group mapping databases.  Cope with these.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Sep  5 04:58:09 CEST 2011 on sn-devel-104
2011-09-05 04:58:09 +02:00
Andrew Bartlett
4a9f5d759f s4-provision Fix type error on existing idmap entries in s3 upgrade
This is already a DN object.

Andrew Bartlett
2011-09-05 11:25:38 +10:00
Andrew Bartlett
3d05a0856f s4-provision Use ProvisioningError and the eadb
The eadb flag tells us to avoid using system extended attributes, typically if we
are not running as root (ie, in a test environment).

The ProvisioningError class allows us to return failures to the upgrade_from_s3 script
which can then be detected correctly by the selftest framework.

Andrew Bartlett
2011-09-05 11:25:38 +10:00
Andrew Bartlett
389cb93450 s4-provision Allow a missing idmap DB in upgrade.py
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sun Sep  4 06:34:16 CEST 2011 on sn-devel-104
2011-09-04 06:34:16 +02:00
Andrew Bartlett
329ec81288 s4-provision cope with SID_NAME_WKN_GRP mappings in upgrade.py
Some incorrect LDAP backends have entries with this group type, but
due to the pdb_ldap code, we cannot read the group members, and we
already skip them in add_group_from_mapping_entry().

Andrew Bartlett
2011-09-04 13:00:10 +10:00
Amitay Isaacs
76ff9bffd8 s3_upgrade: Set lock directory to correct directory
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-26 10:07:36 +10:00
Amitay Isaacs
d8465f2a91 s3_upgrade: Update commandline options and use updated samba3 python module
upgrade_from_s3 script now requires samba3 configuration file and target
directory for samba4 database. In addition, it either uses --libdir option
or --testparm option to correctly guess the paths for samba3 databases
(private dir and state directory).

Usage: upgrade_from_s3 [options] <configuration_file> <targetdir>

Input arguments are:
  <configuration_file> - path to existing smb.conf
  <targetdir>          - directory in which samba4 database will be created

In addition, specify either samba3 database directory (with --libdir) or
samba3 testparm utility (with --testparm).

Before using passdb interface, initialize s3 loadparm context using
correct path settings for private dir and state directory.

Export account policy from s3 to s4.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-26 10:06:33 +10:00
Amitay Isaacs
7f67d7b5ca s3_upgrade: Let python generate backtrace for unknown exceptions
Catch known exceptions only.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-26 10:06:32 +10:00
Amitay Isaacs
886203f3bc s3_upgrade: Add document strings for python methods
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-26 10:06:32 +10:00
Amitay Isaacs
2ecb5003eb s3_upgrade: Set the administrator password on upgrade
In the upgrade process, set the administrator password from the
existing root or administrator account.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-19 16:35:12 +10:00
Amitay Isaacs
149845fb18 s3_upgrade: Do not add administrator and root accounts from s3 to s4
Need to copy the password from s3 for administrator/root to s4.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-19 16:35:10 +10:00
Amitay Isaacs
0ffb4e6f6f python-samba3: Secrets file loaded from private dir, not lib dir
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-19 16:35:09 +10:00
Amitay Isaacs
2a3f5c04bd s3upgrade: Add idmap migration, users/groups import
Added users/groups import from s3 using python wrapper for passdb.
Fix idmap entries for users/groups when migrating from s3 idmap.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-08-19 16:35:06 +10:00
Andrew Bartlett
070b970a9d s4-provision Add support for fixing the DC rid to a particular value
This will allow an upgraded DC to keep its SID, while being upgraded
to AD.  We also watch for the highest RID in the existing DB to set
next_rid for other additional users.

Andrew Bartlett
2011-08-13 20:18:41 +10:00