1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-21 18:04:06 +03:00
Tim Beale 55fa7bc01d selftest: Fix backup testenv creation on certain host machines
When we created the backup-file for the restoredc/renamedc/labdc
testenvs we weren't explicitly a --configfile on the samba-tool command.
This meant the command tried to use the smb.conf form the default
install location, i.e. /usr/local/samba/etc/smb.conf. On the gitlab CI
runner, there's no samba installed, so it ends up using the default
settings, which is fine. However, if the host machine had an invalid
smb.conf installed there, creating the testenv would fail with an error
like:

ERROR(runtime): uncaught exception - Unable to load default file
File "bin/python/samba/netcmd/__init__.py", line 184, in _run
return self.run(*args, **kwargs)
File "bin/python/samba/netcmd/domain_backup.py", line 222, in run
lp = sambaopts.get_loadparm()
  File "bin/python/samba/getopt.py", line 94, in get_loadparm
    self._lp.load_default()

We can avoid this by always explictly specifying the backupfromdc's
smb.conf when creating the backup file.

Likewise, labdc/customdc also need the config specified when the admin
password is reset.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-11-09 17:52:30 +01:00

3114 lines
91 KiB
Perl
Executable File

#!/usr/bin/perl
# Bootstrap Samba and run a number of tests against it.
# Copyright (C) 2005-2007 Jelmer Vernooij <jelmer@samba.org>
# Published under the GNU GPL, v3 or later.
# NOTE: Refer to the README for more details about the various testenvs,
# and tips about adding new testenvs.
package Samba4;
use strict;
use Cwd qw(abs_path);
use FindBin qw($RealBin);
use POSIX;
use SocketWrapper;
use target::Samba;
use target::Samba3;
use Archive::Tar;
sub new($$$$$) {
my ($classname, $bindir, $ldap, $srcdir, $server_maxtime) = @_;
my $self = {
vars => {},
ldap => $ldap,
bindir => $bindir,
srcdir => $srcdir,
server_maxtime => $server_maxtime,
target3 => new Samba3($bindir, $srcdir, $server_maxtime)
};
bless $self;
return $self;
}
sub scriptdir_path($$) {
my ($self, $path) = @_;
return "$self->{srcdir}/source4/scripting/$path";
}
sub openldap_start($$$) {
}
sub slapd_start($$)
{
my $count = 0;
my ($self, $env_vars, $STDIN_READER) = @_;
my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
my $uri = $env_vars->{LDAP_URI};
if (system("$ldbsearch -H $uri -s base -b \"\" supportedLDAPVersion > /dev/null") == 0) {
print "A SLAPD is still listening to $uri before we started the LDAP backend. Aborting!";
return 1;
}
# running slapd in the background means it stays in the same process group, so it can be
# killed by timelimit
my $pid = fork();
if ($pid == 0) {
open STDOUT, ">$env_vars->{LDAPDIR}/logs";
open STDERR, '>&STDOUT';
close($env_vars->{STDIN_PIPE});
open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
if ($self->{ldap} eq "fedora-ds") {
exec("$ENV{FEDORA_DS_ROOT}/sbin/ns-slapd", "-D", $env_vars->{FEDORA_DS_DIR}, "-d0", "-i", $env_vars->{FEDORA_DS_PIDFILE});
} elsif ($self->{ldap} eq "openldap") {
exec($ENV{OPENLDAP_SLAPD}, "-dnone", "-F", $env_vars->{SLAPD_CONF_D}, "-h", $uri);
}
die("Unable to start slapd: $!");
}
$env_vars->{SLAPD_PID} = $pid;
sleep(1);
while (system("$ldbsearch -H $uri -s base -b \"\" supportedLDAPVersion > /dev/null") != 0) {
$count++;
if ($count > 40) {
$self->slapd_stop($env_vars);
return 0;
}
sleep(1);
}
return 1;
}
sub slapd_stop($$)
{
my ($self, $envvars) = @_;
kill 9, $envvars->{SLAPD_PID};
return 1;
}
sub check_or_start($$$)
{
my ($self, $env_vars, $process_model) = @_;
my $STDIN_READER;
my $env_ok = $self->check_env($env_vars);
if ($env_ok) {
return $env_vars->{SAMBA_PID};
} elsif (defined($env_vars->{SAMBA_PID})) {
warn("SAMBA PID $env_vars->{SAMBA_PID} is not running (died)");
return undef;
}
# use a pipe for stdin in the child processes. This allows
# those processes to monitor the pipe for EOF to ensure they
# exit when the test script exits
pipe($STDIN_READER, $env_vars->{STDIN_PIPE});
# Start slapd before samba, but with the fifo on stdin
if (defined($self->{ldap})) {
unless($self->slapd_start($env_vars, $STDIN_READER)) {
warn("couldn't start slapd (main run)");
return undef;
}
}
print "STARTING SAMBA...\n";
my $pid = fork();
if ($pid == 0) {
# we want out from samba to go to the log file, but also
# to the users terminal when running 'make test' on the command
# line. This puts it on stderr on the terminal
open STDOUT, "| tee $env_vars->{SAMBA_TEST_LOG} 1>&2";
open STDERR, '>&STDOUT';
SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
$ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
$ENV{KRB5CCNAME} = "$env_vars->{KRB5_CCACHE}.samba";
if (defined($ENV{MITKRB5})) {
$ENV{KRB5_KDC_PROFILE} = $env_vars->{MITKDC_CONFIG};
}
$ENV{SELFTEST_WINBINDD_SOCKET_DIR} = $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
$ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
$ENV{NSS_WRAPPER_PASSWD} = $env_vars->{NSS_WRAPPER_PASSWD};
$ENV{NSS_WRAPPER_GROUP} = $env_vars->{NSS_WRAPPER_GROUP};
$ENV{NSS_WRAPPER_HOSTS} = $env_vars->{NSS_WRAPPER_HOSTS};
$ENV{NSS_WRAPPER_HOSTNAME} = $env_vars->{NSS_WRAPPER_HOSTNAME};
$ENV{NSS_WRAPPER_MODULE_SO_PATH} = $env_vars->{NSS_WRAPPER_MODULE_SO_PATH};
$ENV{NSS_WRAPPER_MODULE_FN_PREFIX} = $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX};
if (defined($env_vars->{RESOLV_WRAPPER_CONF})) {
$ENV{RESOLV_WRAPPER_CONF} = $env_vars->{RESOLV_WRAPPER_CONF};
} else {
$ENV{RESOLV_WRAPPER_HOSTS} = $env_vars->{RESOLV_WRAPPER_HOSTS};
}
$ENV{UID_WRAPPER} = "1";
$ENV{UID_WRAPPER_ROOT} = "1";
$ENV{MAKE_TEST_BINARY} = Samba::bindir_path($self, "samba");
my @preargs = ();
my @optargs = ();
if (defined($ENV{SAMBA_OPTIONS})) {
@optargs = split(/ /, $ENV{SAMBA_OPTIONS});
}
if(defined($ENV{SAMBA_VALGRIND})) {
@preargs = split(/ /,$ENV{SAMBA_VALGRIND});
}
close($env_vars->{STDIN_PIPE});
open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
}
$env_vars->{SAMBA_PID} = $pid;
print "DONE ($pid)\n";
close($STDIN_READER);
if ($self->wait_for_start($env_vars) != 0) {
warn("Samba $pid failed to start up");
return undef;
}
return $pid;
}
sub wait_for_start($$)
{
my ($self, $testenv_vars) = @_;
my $count = 0;
my $ret = 0;
if (not $self->check_env($testenv_vars)) {
warn("unable to confirm Samba $testenv_vars->{SAMBA_PID} is running");
return -1;
}
# This will return quickly when things are up, but be slow if we
# need to wait for (eg) SSL init
my $nmblookup = Samba::bindir_path($self, "nmblookup4");
do {
$ret = system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}");
if ($ret != 0) {
sleep(1);
} else {
system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}");
system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}");
system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}");
system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
}
$count++;
} while ($ret != 0 && $count < 20);
if ($count == 20) {
warn("nbt not reachable after 20 retries\n");
teardown_env($self, $testenv_vars);
return 0;
}
# Ensure we have the first RID Set before we start tests. This makes the tests more reliable.
if ($testenv_vars->{SERVER_ROLE} eq "domain controller") {
print "waiting for working LDAP and a RID Set to be allocated\n";
my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
my $count = 0;
my $base_dn = "DC=".join(",DC=", split(/\./, $testenv_vars->{REALM}));
my $search_dn = $base_dn;
if ($testenv_vars->{NETBIOSNAME} ne "RODC") {
# TODO currently no check for actual rIDAllocationPool
$search_dn = "cn=RID Set,cn=$testenv_vars->{NETBIOSNAME},ou=domain controllers,$base_dn";
}
my $max_wait = 60;
# Add hosts file for name lookups
my $cmd = "NSS_WRAPPER_HOSTS='$testenv_vars->{NSS_WRAPPER_HOSTS}' ";
if (defined($testenv_vars->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF='$testenv_vars->{RESOLV_WRAPPER_CONF}' ";
} else {
$cmd .= "RESOLV_WRAPPER_HOSTS='$testenv_vars->{RESOLV_WRAPPER_HOSTS}' ";
}
$cmd .= "$ldbsearch ";
$cmd .= "$testenv_vars->{CONFIGURATION} ";
$cmd .= "-H ldap://$testenv_vars->{SERVER} ";
$cmd .= "-U$testenv_vars->{USERNAME}%$testenv_vars->{PASSWORD} ";
$cmd .= "-s base ";
$cmd .= "-b '$search_dn' ";
while (system("$cmd >/dev/null") != 0) {
$count++;
if ($count > $max_wait) {
warn("Timed out ($max_wait sec) waiting for working LDAP and a RID Set to be allocated by $testenv_vars->{NETBIOSNAME} PID $testenv_vars->{SAMBA_PID}");
$ret = -1;
last;
}
sleep(1);
}
}
my $wbinfo = Samba::bindir_path($self, "wbinfo");
$count = 0;
do {
my $cmd = "NSS_WRAPPER_PASSWD=$testenv_vars->{NSS_WRAPPER_PASSWD} ";
$cmd .= "NSS_WRAPPER_GROUP=$testenv_vars->{NSS_WRAPPER_GROUP} ";
$cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=$testenv_vars->{SELFTEST_WINBINDD_SOCKET_DIR} ";
$cmd .= "$wbinfo -P";
$ret = system($cmd);
if ($ret != 0) {
sleep(1);
}
$count++;
} while ($ret != 0 && $count < 20);
if ($count == 20) {
warn("winbind not reachable after 20 retries\n");
teardown_env($self, $testenv_vars);
return 0;
}
print $self->getlog_env($testenv_vars);
return $ret
}
sub write_ldb_file($$$)
{
my ($self, $file, $ldif) = @_;
my $ldbadd = Samba::bindir_path($self, "ldbadd");
open(LDIF, "|$ldbadd -H $file >/dev/null");
print LDIF $ldif;
return(close(LDIF));
}
sub add_wins_config($$)
{
my ($self, $privatedir) = @_;
return $self->write_ldb_file("$privatedir/wins_config.ldb", "
dn: name=TORTURE_11,CN=PARTNERS
objectClass: wreplPartner
name: TORTURE_11
address: 127.0.0.11
pullInterval: 0
pushChangeCount: 0
type: 0x3
");
}
sub mk_fedora_ds($$)
{
my ($self, $ctx) = @_;
#Make the subdirectory be as fedora DS would expect
my $fedora_ds_dir = "$ctx->{ldapdir}/slapd-$ctx->{ldap_instance}";
my $pidfile = "$fedora_ds_dir/logs/slapd-$ctx->{ldap_instance}.pid";
return ($fedora_ds_dir, $pidfile);
}
sub mk_openldap($$)
{
my ($self, $ctx) = @_;
my $slapd_conf_d = "$ctx->{ldapdir}/slapd.d";
my $pidfile = "$ctx->{ldapdir}/slapd.pid";
return ($slapd_conf_d, $pidfile);
}
sub setup_namespaces($$:$$)
{
my ($self, $localenv, $upn_array, $spn_array) = @_;
@{$upn_array} = [] unless defined($upn_array);
my $upn_args = "";
foreach my $upn (@{$upn_array}) {
$upn_args .= " --add-upn-suffix=$upn";
}
@{$spn_array} = [] unless defined($spn_array);
my $spn_args = "";
foreach my $spn (@{$spn_array}) {
$spn_args .= " --add-spn-suffix=$spn";
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd_env = "NSS_WRAPPER_HOSTS='$localenv->{NSS_WRAPPER_HOSTS}' ";
$cmd_env .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$localenv->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($localenv->{RESOLV_WRAPPER_CONF})) {
$cmd_env .= "RESOLV_WRAPPER_CONF=\"$localenv->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\" ";
$cmd_env .= "KRB5CCNAME=\"$localenv->{KRB5_CCACHE}\" ";
my $cmd_config = " $localenv->{CONFIGURATION}";
my $namespaces = $cmd_env;
$namespaces .= " $samba_tool domain trust namespaces $upn_args $spn_args";
$namespaces .= $cmd_config;
unless (system($namespaces) == 0) {
warn("Failed to add namespaces \n$namespaces");
return;
}
return;
}
sub setup_trust($$$$$)
{
my ($self, $localenv, $remoteenv, $type, $extra_args) = @_;
$localenv->{TRUST_SERVER} = $remoteenv->{SERVER};
$localenv->{TRUST_SERVER_IP} = $remoteenv->{SERVER_IP};
$localenv->{TRUST_SERVER_IPV6} = $remoteenv->{SERVER_IPV6};
$localenv->{TRUST_NETBIOSNAME} = $remoteenv->{NETBIOSNAME};
$localenv->{TRUST_USERNAME} = $remoteenv->{USERNAME};
$localenv->{TRUST_PASSWORD} = $remoteenv->{PASSWORD};
$localenv->{TRUST_DOMAIN} = $remoteenv->{DOMAIN};
$localenv->{TRUST_REALM} = $remoteenv->{REALM};
$localenv->{TRUST_DOMSID} = $remoteenv->{DOMSID};
my $samba_tool = Samba::bindir_path($self, "samba-tool");
# setup the trust
my $cmd_env = "NSS_WRAPPER_HOSTS='$localenv->{NSS_WRAPPER_HOSTS}' ";
$cmd_env .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$localenv->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($localenv->{RESOLV_WRAPPER_CONF})) {
$cmd_env .= "RESOLV_WRAPPER_CONF=\"$localenv->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\" ";
$cmd_env .= "KRB5CCNAME=\"$localenv->{KRB5_CCACHE}\" ";
my $cmd_config = " $localenv->{CONFIGURATION}";
my $cmd_creds = $cmd_config;
$cmd_creds .= " -U$localenv->{TRUST_DOMAIN}\\\\$localenv->{TRUST_USERNAME}\%$localenv->{TRUST_PASSWORD}";
my $create = $cmd_env;
$create .= " $samba_tool domain trust create --type=${type} $localenv->{TRUST_REALM}";
$create .= " $extra_args";
$create .= $cmd_creds;
unless (system($create) == 0) {
warn("Failed to create trust \n$create");
return undef;
}
my $groupname = "g_$localenv->{TRUST_DOMAIN}";
my $groupadd = $cmd_env;
$groupadd .= " $samba_tool group add '$groupname' --group-scope=Domain $cmd_config";
unless (system($groupadd) == 0) {
warn("Failed to create group \n$groupadd");
return undef;
}
my $groupmem = $cmd_env;
$groupmem .= " $samba_tool group addmembers '$groupname' '$localenv->{TRUST_DOMSID}-513' $cmd_config";
unless (system($groupmem) == 0) {
warn("Failed to add group member \n$groupmem");
return undef;
}
return $localenv
}
sub provision_raw_prepare($$$$$$$$$$$$)
{
my ($self, $prefix, $server_role, $hostname,
$domain, $realm, $samsid, $functional_level,
$password, $kdc_ipv4, $kdc_ipv6) = @_;
my $ctx;
my $python_cmd = "";
if (defined $ENV{PYTHON}) {
$python_cmd = $ENV{PYTHON} . " ";
}
$ctx->{python} = $python_cmd;
my $netbiosname = uc($hostname);
unless(-d $prefix or mkdir($prefix, 0777)) {
warn("Unable to create $prefix");
return undef;
}
my $prefix_abs = abs_path($prefix);
die ("prefix=''") if $prefix_abs eq "";
die ("prefix='/'") if $prefix_abs eq "/";
unless (system("rm -rf $prefix_abs/*") == 0) {
warn("Unable to clean up");
}
my $swiface = Samba::get_interface($hostname);
$ctx->{prefix} = $prefix;
$ctx->{prefix_abs} = $prefix_abs;
$ctx->{server_role} = $server_role;
$ctx->{hostname} = $hostname;
$ctx->{netbiosname} = $netbiosname;
$ctx->{swiface} = $swiface;
$ctx->{password} = $password;
$ctx->{kdc_ipv4} = $kdc_ipv4;
$ctx->{kdc_ipv6} = $kdc_ipv6;
$ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
if ($functional_level eq "2000") {
$ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc"
}
#
# Set smbd log level here.
#
$ctx->{server_loglevel} =$ENV{SERVER_LOG_LEVEL} || 1;
$ctx->{username} = "Administrator";
$ctx->{domain} = $domain;
$ctx->{realm} = uc($realm);
$ctx->{dnsname} = lc($realm);
$ctx->{samsid} = $samsid;
$ctx->{functional_level} = $functional_level;
my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `whoami`);
chomp $unix_name;
$ctx->{unix_name} = $unix_name;
$ctx->{unix_uid} = $>;
my @mygid = split(" ", $();
$ctx->{unix_gid} = $mygid[0];
$ctx->{unix_gids_str} = $);
@{$ctx->{unix_gids}} = split(" ", $ctx->{unix_gids_str});
$ctx->{etcdir} = "$prefix_abs/etc";
$ctx->{piddir} = "$prefix_abs/pid";
$ctx->{smb_conf} = "$ctx->{etcdir}/smb.conf";
$ctx->{krb5_conf} = "$ctx->{etcdir}/krb5.conf";
$ctx->{krb5_ccache} = "$prefix_abs/krb5_ccache";
$ctx->{mitkdc_conf} = "$ctx->{etcdir}/mitkdc.conf";
$ctx->{privatedir} = "$prefix_abs/private";
$ctx->{binddnsdir} = "$prefix_abs/bind-dns";
$ctx->{ncalrpcdir} = "$prefix_abs/ncalrpc";
$ctx->{lockdir} = "$prefix_abs/lockdir";
$ctx->{logdir} = "$prefix_abs/logs";
$ctx->{statedir} = "$prefix_abs/statedir";
$ctx->{cachedir} = "$prefix_abs/cachedir";
$ctx->{winbindd_socket_dir} = "$prefix_abs/winbindd_socket";
$ctx->{ntp_signd_socket_dir} = "$prefix_abs/ntp_signd_socket";
$ctx->{nsswrap_passwd} = "$ctx->{etcdir}/passwd";
$ctx->{nsswrap_group} = "$ctx->{etcdir}/group";
$ctx->{nsswrap_hosts} = "$ENV{SELFTEST_PREFIX}/hosts";
$ctx->{nsswrap_hostname} = "$ctx->{hostname}.$ctx->{dnsname}";
if ($ENV{SAMBA_DNS_FAKING}) {
$ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file";
$ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces --use-file=$ctx->{dns_host_file}";
$ctx->{samba_dnsupdate} = $python_cmd . $ctx->{samba_dnsupdate};
} else {
$ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces";
$ctx->{samba_dnsupdate} = $python_cmd . $ctx->{samba_dnsupdate};
$ctx->{use_resolv_wrapper} = 1;
}
$ctx->{resolv_conf} = "$ctx->{etcdir}/resolv.conf";
$ctx->{tlsdir} = "$ctx->{privatedir}/tls";
$ctx->{ipv4} = "127.0.0.$swiface";
$ctx->{ipv6} = sprintf("fd00:0000:0000:0000:0000:0000:5357:5f%02x", $swiface);
$ctx->{interfaces} = "$ctx->{ipv4}/8 $ctx->{ipv6}/64";
push(@{$ctx->{directories}}, $ctx->{privatedir});
push(@{$ctx->{directories}}, $ctx->{binddnsdir});
push(@{$ctx->{directories}}, $ctx->{etcdir});
push(@{$ctx->{directories}}, $ctx->{piddir});
push(@{$ctx->{directories}}, $ctx->{lockdir});
push(@{$ctx->{directories}}, $ctx->{logdir});
push(@{$ctx->{directories}}, $ctx->{statedir});
push(@{$ctx->{directories}}, $ctx->{cachedir});
$ctx->{smb_conf_extra_options} = "";
my @provision_options = ();
push (@provision_options, "KRB5_CONFIG=\"$ctx->{krb5_conf}\"");
push (@provision_options, "KRB5_CCACHE=\"$ctx->{krb5_ccache}\"");
push (@provision_options, "NSS_WRAPPER_PASSWD=\"$ctx->{nsswrap_passwd}\"");
push (@provision_options, "NSS_WRAPPER_GROUP=\"$ctx->{nsswrap_group}\"");
push (@provision_options, "NSS_WRAPPER_HOSTS=\"$ctx->{nsswrap_hosts}\"");
push (@provision_options, "NSS_WRAPPER_HOSTNAME=\"$ctx->{nsswrap_hostname}\"");
if (defined($ctx->{use_resolv_wrapper})) {
push (@provision_options, "RESOLV_WRAPPER_CONF=\"$ctx->{resolv_conf}\"");
} else {
push (@provision_options, "RESOLV_WRAPPER_HOSTS=\"$ctx->{dns_host_file}\"");
}
if (defined($ENV{GDB_PROVISION})) {
push (@provision_options, "gdb --args");
if (!defined($ENV{PYTHON})) {
push (@provision_options, "env");
push (@provision_options, "python");
}
}
if (defined($ENV{VALGRIND_PROVISION})) {
push (@provision_options, "valgrind");
if (!defined($ENV{PYTHON})) {
push (@provision_options, "env");
push (@provision_options, "python");
}
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
push (@provision_options, $samba_tool);
push (@provision_options, "domain");
push (@provision_options, "provision");
push (@provision_options, "--configfile=$ctx->{smb_conf}");
push (@provision_options, "--host-name=$ctx->{hostname}");
push (@provision_options, "--host-ip=$ctx->{ipv4}");
push (@provision_options, "--quiet");
push (@provision_options, "--domain=$ctx->{domain}");
push (@provision_options, "--realm=$ctx->{realm}");
if (defined($ctx->{samsid})) {
push (@provision_options, "--domain-sid=$ctx->{samsid}");
}
push (@provision_options, "--adminpass=$ctx->{password}");
push (@provision_options, "--krbtgtpass=krbtgt$ctx->{password}");
push (@provision_options, "--machinepass=machine$ctx->{password}");
push (@provision_options, "--root=$ctx->{unix_name}");
push (@provision_options, "--server-role=\"$ctx->{server_role}\"");
push (@provision_options, "--function-level=\"$ctx->{functional_level}\"");
@{$ctx->{provision_options}} = @provision_options;
return $ctx;
}
#
# Step1 creates the basic configuration
#
sub provision_raw_step1($$)
{
my ($self, $ctx) = @_;
mkdir($_, 0777) foreach (@{$ctx->{directories}});
##
## lockdir and piddir must be 0755
##
chmod 0755, $ctx->{lockdir};
chmod 0755, $ctx->{piddir};
unless (open(CONFFILE, ">$ctx->{smb_conf}")) {
warn("can't open $ctx->{smb_conf}$?");
return undef;
}
Samba::prepare_keyblobs($ctx);
my $crlfile = "$ctx->{tlsdir}/crl.pem";
$crlfile = "" unless -e ${crlfile};
print CONFFILE "
[global]
netbios name = $ctx->{netbiosname}
posix:eadb = $ctx->{statedir}/eadb.tdb
workgroup = $ctx->{domain}
realm = $ctx->{realm}
private dir = $ctx->{privatedir}
binddns dir = $ctx->{binddnsdir}
pid directory = $ctx->{piddir}
ncalrpc dir = $ctx->{ncalrpcdir}
lock dir = $ctx->{lockdir}
state directory = $ctx->{statedir}
cache directory = $ctx->{cachedir}
winbindd socket directory = $ctx->{winbindd_socket_dir}
ntp signd socket directory = $ctx->{ntp_signd_socket_dir}
winbind separator = /
interfaces = $ctx->{interfaces}
tls dh params file = $ctx->{tlsdir}/dhparms.pem
tls crlfile = ${crlfile}
tls verify peer = no_check
panic action = $RealBin/gdb_backtrace \%d
wins support = yes
server role = $ctx->{server_role}
server services = +echo +smb -s3fs
dcerpc endpoint servers = +winreg +srvsvc
notify:inotify = false
ldb:nosync = true
ldap server require strong auth = yes
#We don't want to pass our self-tests if the PAC code is wrong
gensec:require_pac = true
log file = $ctx->{logdir}/log.\%m
log level = $ctx->{server_loglevel}
lanman auth = Yes
ntlm auth = Yes
rndc command = true
dns update command = $ctx->{samba_dnsupdate}
spn update command = $ctx->{python} $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf}
gpo update command = $ctx->{python} $ENV{SRCDIR_ABS}/source4/scripting/bin/samba-gpupdate -s $ctx->{smb_conf} --target=Computer
samba kcc command = $ctx->{python} $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_kcc
dreplsrv:periodic_startup_interval = 0
dsdb:schema update allowed = yes
prefork children = 4
vfs objects = dfs_samba4 acl_xattr fake_acls xattr_tdb streams_depot
idmap_ldb:use rfc2307=yes
winbind enum users = yes
winbind enum groups = yes
rpc server port:netlogon = 1026
";
print CONFFILE "
# Begin extra options
$ctx->{smb_conf_extra_options}
# End extra options
";
close(CONFFILE);
#Default the KDC IP to the server's IP
if (not defined($ctx->{kdc_ipv4})) {
$ctx->{kdc_ipv4} = $ctx->{ipv4};
}
if (not defined($ctx->{kdc_ipv6})) {
$ctx->{kdc_ipv6} = $ctx->{ipv6};
}
Samba::mk_krb5_conf($ctx);
Samba::mk_mitkdc_conf($ctx, abs_path(Samba::bindir_path($self, "shared")));
open(PWD, ">$ctx->{nsswrap_passwd}");
if ($ctx->{unix_uid} != 0) {
print PWD "root:x:0:0:root gecos:$ctx->{prefix_abs}:/bin/false\n";
}
print PWD "$ctx->{unix_name}:x:$ctx->{unix_uid}:65531:$ctx->{unix_name} gecos:$ctx->{prefix_abs}:/bin/false\n";
print PWD "nobody:x:65534:65533:nobody gecos:$ctx->{prefix_abs}:/bin/false
pdbtest:x:65533:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
pdbtest2:x:65532:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
pdbtest3:x:65531:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
pdbtest4:x:65530:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
";
close(PWD);
my $uid_rfc2307test = 65533;
open(GRP, ">$ctx->{nsswrap_group}");
if ($ctx->{unix_gid} != 0) {
print GRP "root:x:0:\n";
}
print GRP "$ctx->{unix_name}:x:$ctx->{unix_gid}:\n";
print GRP "wheel:x:10:
users:x:65531:
nobody:x:65533:
nogroup:x:65534:nobody
";
close(GRP);
my $gid_rfc2307test = 65532;
my $hostname = lc($ctx->{hostname});
open(HOSTS, ">>$ctx->{nsswrap_hosts}");
if ($hostname eq "localdc") {
print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
} else {
print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} ${hostname}\n";
print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} ${hostname}\n";
}
close(HOSTS);
if (defined($ctx->{resolv_conf})) {
open(RESOLV_CONF, ">$ctx->{resolv_conf}");
print RESOLV_CONF "nameserver $ctx->{kdc_ipv4}\n";
print RESOLV_CONF "nameserver $ctx->{kdc_ipv6}\n";
close(RESOLV_CONF);
}
my $configuration = "--configfile=$ctx->{smb_conf}";
#Ensure the config file is valid before we start
my $testparm = Samba::bindir_path($self, "samba-tool") . " testparm";
if (system("$testparm $configuration -v --suppress-prompt >/dev/null 2>&1") != 0) {
system("$testparm -v --suppress-prompt $configuration >&2");
warn("Failed to create a valid smb.conf configuration $testparm!");
return undef;
}
unless (system("($testparm $configuration -v --suppress-prompt --parameter-name=\"netbios name\" --section-name=global 2> /dev/null | grep -i \"^$ctx->{netbiosname}\" ) >/dev/null 2>&1") == 0) {
warn("Failed to create a valid smb.conf configuration! $testparm $configuration -v --suppress-prompt --parameter-name=\"netbios name\" --section-name=global");
return undef;
}
my $ret = {
KRB5_CONFIG => $ctx->{krb5_conf},
KRB5_CCACHE => $ctx->{krb5_ccache},
MITKDC_CONFIG => $ctx->{mitkdc_conf},
PIDDIR => $ctx->{piddir},
SERVER => $ctx->{hostname},
SERVER_IP => $ctx->{ipv4},
SERVER_IPV6 => $ctx->{ipv6},
NETBIOSNAME => $ctx->{netbiosname},
DOMAIN => $ctx->{domain},
USERNAME => $ctx->{username},
REALM => $ctx->{realm},
DNSNAME => $ctx->{dnsname},
SAMSID => $ctx->{samsid},
PASSWORD => $ctx->{password},
LDAPDIR => $ctx->{ldapdir},
LDAP_INSTANCE => $ctx->{ldap_instance},
SELFTEST_WINBINDD_SOCKET_DIR => $ctx->{winbindd_socket_dir},
NCALRPCDIR => $ctx->{ncalrpcdir},
LOCKDIR => $ctx->{lockdir},
STATEDIR => $ctx->{statedir},
CACHEDIR => $ctx->{cachedir},
PRIVATEDIR => $ctx->{privatedir},
BINDDNSDIR => $ctx->{binddnsdir},
SERVERCONFFILE => $ctx->{smb_conf},
CONFIGURATION => $configuration,
SOCKET_WRAPPER_DEFAULT_IFACE => $ctx->{swiface},
NSS_WRAPPER_PASSWD => $ctx->{nsswrap_passwd},
NSS_WRAPPER_GROUP => $ctx->{nsswrap_group},
NSS_WRAPPER_HOSTS => $ctx->{nsswrap_hosts},
NSS_WRAPPER_HOSTNAME => $ctx->{nsswrap_hostname},
SAMBA_TEST_FIFO => "$ctx->{prefix}/samba_test.fifo",
SAMBA_TEST_LOG => "$ctx->{prefix}/samba_test.log",
SAMBA_TEST_LOG_POS => 0,
NSS_WRAPPER_MODULE_SO_PATH => Samba::nss_wrapper_winbind_so_path($self),
NSS_WRAPPER_MODULE_FN_PREFIX => "winbind",
LOCAL_PATH => $ctx->{share},
UID_RFC2307TEST => $uid_rfc2307test,
GID_RFC2307TEST => $gid_rfc2307test,
SERVER_ROLE => $ctx->{server_role},
RESOLV_CONF => $ctx->{resolv_conf}
};
if (defined($ctx->{use_resolv_wrapper})) {
$ret->{RESOLV_WRAPPER_CONF} = $ctx->{resolv_conf};
} else {
$ret->{RESOLV_WRAPPER_HOSTS} = $ctx->{dns_host_file};
}
if ($ctx->{server_role} eq "domain controller") {
$ret->{DOMSID} = $ret->{SAMSID};
}
return $ret;
}
#
# Step2 runs the provision script
#
sub provision_raw_step2($$$)
{
my ($self, $ctx, $ret) = @_;
my $provision_cmd = join(" ", @{$ctx->{provision_options}});
unless (system($provision_cmd) == 0) {
warn("Unable to provision: \n$provision_cmd\n");
return undef;
}
my $testallowed_account = "testallowed";
my $samba_tool_cmd = "";
$samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
. " user create --configfile=$ctx->{smb_conf} $testallowed_account $ctx->{password}";
unless (system($samba_tool_cmd) == 0) {
warn("Unable to add testallowed user: \n$samba_tool_cmd\n");
return undef;
}
my $ldbmodify = "";
$ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$ldbmodify .= Samba::bindir_path($self, "ldbmodify");
my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
if ($ctx->{server_role} ne "domain controller") {
$base_dn = "DC=$ctx->{netbiosname}";
}
my $user_dn = "cn=$testallowed_account,cn=users,$base_dn";
$testallowed_account = "testallowed account";
open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
print LDIF "dn: $user_dn
changetype: modify
replace: samAccountName
samAccountName: $testallowed_account
-
";
close(LDIF);
open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
print LDIF "dn: $user_dn
changetype: modify
replace: userPrincipalName
userPrincipalName: testallowed upn\@$ctx->{realm}
replace: servicePrincipalName
servicePrincipalName: host/testallowed
-
";
close(LDIF);
$samba_tool_cmd = "";
$samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
. " user create --configfile=$ctx->{smb_conf} testdenied $ctx->{password}";
unless (system($samba_tool_cmd) == 0) {
warn("Unable to add testdenied user: \n$samba_tool_cmd\n");
return undef;
}
my $user_dn = "cn=testdenied,cn=users,$base_dn";
open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
print LDIF "dn: $user_dn
changetype: modify
replace: userPrincipalName
userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
-
";
close(LDIF);
$samba_tool_cmd = "";
$samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
. " user create --configfile=$ctx->{smb_conf} testupnspn $ctx->{password}";
unless (system($samba_tool_cmd) == 0) {
warn("Unable to add testupnspn user: \n$samba_tool_cmd\n");
return undef;
}
my $user_dn = "cn=testupnspn,cn=users,$base_dn";
open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
print LDIF "dn: $user_dn
changetype: modify
replace: userPrincipalName
userPrincipalName: http/testupnspn.$ctx->{dnsname}\@$ctx->{realm}
replace: servicePrincipalName
servicePrincipalName: http/testupnspn.$ctx->{dnsname}
-
";
close(LDIF);
$samba_tool_cmd = "";
$samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
. " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' '$testallowed_account'";
unless (system($samba_tool_cmd) == 0) {
warn("Unable to add '$testallowed_account' user to 'Allowed RODC Password Replication Group': \n$samba_tool_cmd\n");
return undef;
}
# Create to users alice and bob!
my $user_account_array = ["alice", "bob", "jane"];
foreach my $user_account (@{$user_account_array}) {
my $samba_tool_cmd = "";
$samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
. " user create --configfile=$ctx->{smb_conf} $user_account Secret007";
unless (system($samba_tool_cmd) == 0) {
warn("Unable to create user: $user_account\n$samba_tool_cmd\n");
return undef;
}
}
my $ldbmodify = "";
$ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$ldbmodify .= Samba::bindir_path($self, "ldbmodify");
my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
my $user_dn = "cn=jane,cn=users,$base_dn";
open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
print LDIF "dn: $user_dn
changetype: modify
replace: userPrincipalName
userPrincipalName: jane.doe\@$ctx->{realm}
-
";
close(LDIF);
return $ret;
}
sub provision($$$$$$$$$$)
{
my ($self, $prefix, $server_role, $hostname,
$domain, $realm, $functional_level,
$password, $kdc_ipv4, $kdc_ipv6, $extra_smbconf_options, $extra_smbconf_shares,
$extra_provision_options) = @_;
my $samsid = Samba::random_domain_sid();
my $ctx = $self->provision_raw_prepare($prefix, $server_role,
$hostname,
$domain, $realm,
$samsid,
$functional_level,
$password, $kdc_ipv4, $kdc_ipv6);
if (defined($extra_provision_options)) {
push (@{$ctx->{provision_options}}, @{$extra_provision_options});
} else {
push (@{$ctx->{provision_options}}, "--use-ntvfs");
}
$ctx->{share} = "$ctx->{prefix_abs}/share";
push(@{$ctx->{directories}}, "$ctx->{share}");
push(@{$ctx->{directories}}, "$ctx->{share}/test1");
push(@{$ctx->{directories}}, "$ctx->{share}/test2");
# precreate directories for printer drivers
push(@{$ctx->{directories}}, "$ctx->{share}/W32X86");
push(@{$ctx->{directories}}, "$ctx->{share}/x64");
push(@{$ctx->{directories}}, "$ctx->{share}/WIN40");
my $msdfs = "no";
$msdfs = "yes" if ($server_role eq "domain controller");
$ctx->{smb_conf_extra_options} = "
max xmit = 32K
server max protocol = SMB2
host msdfs = $msdfs
lanman auth = yes
# fruit:copyfile is a global option
fruit:copyfile = yes
$extra_smbconf_options
[tmp]
path = $ctx->{share}
read only = no
posix:sharedelay = 100000
posix:oplocktimeout = 3
posix:writetimeupdatedelay = 500000
[xcopy_share]
path = $ctx->{share}
read only = no
posix:sharedelay = 100000
posix:oplocktimeout = 3
posix:writetimeupdatedelay = 500000
create mask = 777
force create mode = 777
[posix_share]
path = $ctx->{share}
read only = no
create mask = 0777
force create mode = 0
directory mask = 0777
force directory mode = 0
[test1]
path = $ctx->{share}/test1
read only = no
posix:sharedelay = 100000
posix:oplocktimeout = 3
posix:writetimeupdatedelay = 500000
[test2]
path = $ctx->{share}/test2
read only = no
posix:sharedelay = 100000
posix:oplocktimeout = 3
posix:writetimeupdatedelay = 500000
[cifs]
path = $ctx->{share}/_ignore_cifs_
read only = no
ntvfs handler = cifs
cifs:server = $ctx->{netbiosname}
cifs:share = tmp
cifs:use-s4u2proxy = yes
# There is no username specified here, instead the client is expected
# to log in with kerberos, and the serverwill use delegated credentials.
# Or the server tries s4u2self/s4u2proxy to impersonate the client
[simple]
path = $ctx->{share}
read only = no
ntvfs handler = simple
[sysvol]
path = $ctx->{statedir}/sysvol
read only = no
[netlogon]
path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
read only = no
[cifsposix]
copy = simple
ntvfs handler = cifsposix
[vfs_fruit]
path = $ctx->{share}
vfs objects = catia fruit streams_xattr acl_xattr
ea support = yes
fruit:resource = file
fruit:metadata = netatalk
fruit:locking = netatalk
fruit:encoding = native
$extra_smbconf_shares
";
if (defined($self->{ldap})) {
$ctx->{ldapdir} = "$ctx->{privatedir}/ldap";
push(@{$ctx->{directories}}, "$ctx->{ldapdir}");
my $ldap_uri= "$ctx->{ldapdir}/ldapi";
$ldap_uri =~ s|/|%2F|g;
$ldap_uri = "ldapi://$ldap_uri";
$ctx->{ldap_uri} = $ldap_uri;
$ctx->{ldap_instance} = lc($ctx->{netbiosname});
}
my $ret = $self->provision_raw_step1($ctx);
unless (defined $ret) {
return undef;
}
if (defined($self->{ldap})) {
$ret->{LDAP_URI} = $ctx->{ldap_uri};
push (@{$ctx->{provision_options}}, "--ldap-backend-type=" . $self->{ldap});
push (@{$ctx->{provision_options}}, "--ldap-backend-nosync");
if ($self->{ldap} eq "openldap") {
push (@{$ctx->{provision_options}}, "--slapd-path=" . $ENV{OPENLDAP_SLAPD});
($ret->{SLAPD_CONF_D}, $ret->{OPENLDAP_PIDFILE}) = $self->mk_openldap($ctx) or die("Unable to create openldap directories");
} elsif ($self->{ldap} eq "fedora-ds") {
push (@{$ctx->{provision_options}}, "--slapd-path=" . "$ENV{FEDORA_DS_ROOT}/sbin/ns-slapd");
push (@{$ctx->{provision_options}}, "--setup-ds-path=" . "$ENV{FEDORA_DS_ROOT}/sbin/setup-ds.pl");
($ret->{FEDORA_DS_DIR}, $ret->{FEDORA_DS_PIDFILE}) = $self->mk_fedora_ds($ctx) or die("Unable to create fedora ds directories");
}
}
return $self->provision_raw_step2($ctx, $ret);
}
sub provision_s4member($$$$$)
{
my ($self, $prefix, $dcvars, $hostname, $more_conf) = @_;
print "PROVISIONING MEMBER...\n";
my $extra_smb_conf = "
passdb backend = samba_dsdb
winbindd:use external pipes = true
# the source4 smb server doesn't allow signing by default
server signing = enabled
raw NTLMv2 auth = yes
rpc_server:default = external
rpc_server:svcctl = embedded
rpc_server:srvsvc = embedded
rpc_server:eventlog = embedded
rpc_server:ntsvcs = embedded
rpc_server:winreg = embedded
rpc_server:spoolss = embedded
rpc_daemon:spoolssd = embedded
rpc_server:tcpip = no
";
if ($more_conf) {
$extra_smb_conf = $extra_smb_conf . $more_conf . "\n";
}
my $ret = $self->provision($prefix,
"member server",
$hostname,
$dcvars->{DOMAIN},
$dcvars->{REALM},
"2008",
"locMEMpass3",
$dcvars->{SERVER_IP},
$dcvars->{SERVER_IPV6},
$extra_smb_conf, "", undef);
unless ($ret) {
return undef;
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($ret->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
$cmd .= " --machinepass=machine$ret->{PASSWORD}";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
return undef;
}
$ret->{MEMBER_SERVER} = $ret->{SERVER};
$ret->{MEMBER_SERVER_IP} = $ret->{SERVER_IP};
$ret->{MEMBER_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{MEMBER_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{MEMBER_USERNAME} = $ret->{USERNAME};
$ret->{MEMBER_PASSWORD} = $ret->{PASSWORD};
$ret->{DOMSID} = $dcvars->{DOMSID};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
$ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
return $ret;
}
sub provision_rpc_proxy($$$)
{
my ($self, $prefix, $dcvars) = @_;
print "PROVISIONING RPC PROXY...\n";
my $extra_smbconf_options = "
passdb backend = samba_dsdb
# rpc_proxy
dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER}
dcerpc endpoint servers = epmapper, remote
dcerpc_remote:interfaces = rpcecho
[cifs_to_dc]
path = /tmp/_ignore_cifs_to_dc_/_none_
read only = no
ntvfs handler = cifs
cifs:server = $dcvars->{SERVER}
cifs:share = cifs
cifs:use-s4u2proxy = yes
# There is no username specified here, instead the client is expected
# to log in with kerberos, and the serverwill use delegated credentials.
# Or the server tries s4u2self/s4u2proxy to impersonate the client
";
my $ret = $self->provision($prefix,
"member server",
"localrpcproxy",
$dcvars->{DOMAIN},
$dcvars->{REALM},
"2008",
"locRPCproxypass4",
$dcvars->{SERVER_IP},
$dcvars->{SERVER_IPV6},
$extra_smbconf_options, "", undef);
unless ($ret) {
return undef;
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
# The joind runs in the context of the rpc_proxy/member for now
my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($ret->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
$cmd .= " --machinepass=machine$ret->{PASSWORD}";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
return undef;
}
# Setting up delegation runs in the context of the DC for now
$cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
$cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
$cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$cmd .= "$samba_tool delegation for-any-protocol '$ret->{NETBIOSNAME}\$' on";
$cmd .= " $dcvars->{CONFIGURATION}";
print $cmd;
unless (system($cmd) == 0) {
warn("Delegation failed\n$cmd");
return undef;
}
# Setting up delegation runs in the context of the DC for now
$cmd = "";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
$cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
$cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$cmd .= "$samba_tool delegation add-service '$ret->{NETBIOSNAME}\$' cifs/$dcvars->{SERVER}";
$cmd .= " $dcvars->{CONFIGURATION}";
unless (system($cmd) == 0) {
warn("Delegation failed\n$cmd");
return undef;
}
$ret->{RPC_PROXY_SERVER} = $ret->{SERVER};
$ret->{RPC_PROXY_SERVER_IP} = $ret->{SERVER_IP};
$ret->{RPC_PROXY_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{RPC_PROXY_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{RPC_PROXY_USERNAME} = $ret->{USERNAME};
$ret->{RPC_PROXY_PASSWORD} = $ret->{PASSWORD};
$ret->{DOMSID} = $dcvars->{DOMSID};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
$ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
return $ret;
}
sub provision_promoted_dc($$$)
{
my ($self, $prefix, $dcvars) = @_;
print "PROVISIONING PROMOTED DC...\n";
# We do this so that we don't run the provision. That's the job of 'samba-tool domain dcpromo'.
my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
"promotedvdc",
$dcvars->{DOMAIN},
$dcvars->{REALM},
$dcvars->{SAMSID},
"2008",
$dcvars->{PASSWORD},
$dcvars->{SERVER_IP},
$dcvars->{SERVER_IPV6});
push (@{$ctx->{provision_options}}, "--use-ntvfs");
$ctx->{smb_conf_extra_options} = "
max xmit = 32K
server max protocol = SMB2
ntlm auth = ntlmv2-only
[sysvol]
path = $ctx->{statedir}/sysvol
read only = yes
[netlogon]
path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
read only = no
";
my $ret = $self->provision_raw_step1($ctx);
unless ($ret) {
return undef;
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($ret->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} MEMBER --realm=$dcvars->{REALM}";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
$cmd .= " --machinepass=machine$ret->{PASSWORD}";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
return undef;
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($ret->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
return undef;
}
$ret->{PROMOTED_DC_SERVER} = $ret->{SERVER};
$ret->{PROMOTED_DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{PROMOTED_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{PROMOTED_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
$ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
return $ret;
}
sub provision_vampire_dc($$$)
{
my ($self, $prefix, $dcvars, $fl) = @_;
print "PROVISIONING VAMPIRE DC @ FL $fl...\n";
my $name = "localvampiredc";
my $extra_conf = "";
if ($fl == "2000") {
$name = "vampire2000dc";
} else {
$extra_conf = "drs: immediate link sync = yes
drs: max link sync = 250";
}
# We do this so that we don't run the provision. That's the job of 'net vampire'.
my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
$name,
$dcvars->{DOMAIN},
$dcvars->{REALM},
$dcvars->{DOMSID},
$fl,
$dcvars->{PASSWORD},
$dcvars->{SERVER_IP},
$dcvars->{SERVER_IPV6});
push (@{$ctx->{provision_options}}, "--use-ntvfs");
$ctx->{smb_conf_extra_options} = "
max xmit = 32K
server max protocol = SMB2
ntlm auth = mschapv2-and-ntlmv2-only
$extra_conf
[sysvol]
path = $ctx->{statedir}/sysvol
read only = yes
[netlogon]
path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
read only = no
";
my $ret = $self->provision_raw_step1($ctx);
unless ($ret) {
return undef;
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($ret->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only";
$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
$cmd .= " --backend-store=mdb";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
return undef;
}
if ($fl == "2000") {
$ret->{VAMPIRE_2000_DC_SERVER} = $ret->{SERVER};
$ret->{VAMPIRE_2000_DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{VAMPIRE_2000_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{VAMPIRE_2000_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
} else {
$ret->{VAMPIRE_DC_SERVER} = $ret->{SERVER};
$ret->{VAMPIRE_DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{VAMPIRE_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{VAMPIRE_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
}
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
$ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
$ret->{DC_REALM} = $dcvars->{DC_REALM};
return $ret;
}
sub provision_subdom_dc($$$)
{
my ($self, $prefix, $dcvars) = @_;
print "PROVISIONING SUBDOMAIN DC...\n";
# We do this so that we don't run the provision. That's the job of 'net vampire'.
my $samsid = undef; # TODO pass the domain sid all the way down
my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
"localsubdc",
"SAMBASUBDOM",
"sub.samba.example.com",
$samsid,
"2008",
$dcvars->{PASSWORD},
undef);
push (@{$ctx->{provision_options}}, "--use-ntvfs");
$ctx->{smb_conf_extra_options} = "
max xmit = 32K
server max protocol = SMB2
[sysvol]
path = $ctx->{statedir}/sysvol
read only = yes
[netlogon]
path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
read only = no
";
my $ret = $self->provision_raw_step1($ctx);
unless ($ret) {
return undef;
}
Samba::mk_krb5_conf($ctx);
Samba::mk_mitkdc_conf($ctx, abs_path(Samba::bindir_path($self, "shared")));
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($ret->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{dnsname} subdomain ";
$cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}";
$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
$cmd .= " --adminpass=$ret->{PASSWORD}";
unless (system($cmd) == 0) {
warn("Join failed\n$cmd");
return undef;
}
$ret->{SUBDOM_DC_SERVER} = $ret->{SERVER};
$ret->{SUBDOM_DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{SUBDOM_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{SUBDOM_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
$ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
return $ret;
}
sub provision_ad_dc_ntvfs($$)
{
my ($self, $prefix) = @_;
# We keep the old 'winbind' name here in server services to
# ensure upgrades which used that name still work with the now
# alias.
print "PROVISIONING AD DC (NTVFS)...\n";
my $extra_conf_options = "netbios aliases = localDC1-a
server services = +winbind -winbindd
ldap server require strong auth = allow_sasl_over_tls
allow nt4 crypto = yes
raw NTLMv2 auth = yes
lsa over netlogon = yes
rpc server port = 1027
auth event notification = true
dsdb event notification = true
dsdb password event notification = true
dsdb group change notification = true
server schannel = auto
";
my $ret = $self->provision($prefix,
"domain controller",
"localdc",
"SAMBADOMAIN",
"samba.example.com",
"2008",
"locDCpass1",
undef,
undef,
$extra_conf_options,
"",
undef);
unless ($ret) {
return undef;
}
unless($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
return undef;
}
$ret->{NETBIOSALIAS} = "localdc1-a";
$ret->{DC_SERVER} = $ret->{SERVER};
$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_USERNAME} = $ret->{USERNAME};
$ret->{DC_PASSWORD} = $ret->{PASSWORD};
$ret->{DC_REALM} = $ret->{REALM};
return $ret;
}
sub provision_fl2000dc($$)
{
my ($self, $prefix) = @_;
print "PROVISIONING DC WITH FOREST LEVEL 2000...\n";
my $extra_conf_options = "
spnego:simulate_w2k=yes
ntlmssp_server:force_old_spnego=yes
";
my $extra_provision_options = undef;
# This environment uses plain text secrets
# i.e. secret attributes are not encrypted on disk.
# This allows testing of the --plaintext-secrets option for
# provision
push (@{$extra_provision_options}, "--plaintext-secrets");
my $ret = $self->provision($prefix,
"domain controller",
"dc5",
"SAMBA2000",
"samba2000.example.com",
"2000",
"locDCpass5",
undef,
undef,
$extra_conf_options,
"",
$extra_provision_options);
unless ($ret) {
return undef;
}
unless($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
return undef;
}
$ret->{DC_SERVER} = $ret->{SERVER};
$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_USERNAME} = $ret->{USERNAME};
$ret->{DC_PASSWORD} = $ret->{PASSWORD};
$ret->{DC_REALM} = $ret->{REALM};
return $ret;
}
sub provision_fl2003dc($$$)
{
my ($self, $prefix, $dcvars) = @_;
my $swiface1 = Samba::get_interface("fakednsforwarder1");
my $swiface2 = Samba::get_interface("fakednsforwarder2");
print "PROVISIONING DC WITH FOREST LEVEL 2003...\n";
my $extra_conf_options = "allow dns updates = nonsecure and secure
dcesrv:header signing = no
dns forwarder = 127.0.0.$swiface1 127.0.0.$swiface2";
my $ret = $self->provision($prefix,
"domain controller",
"dc6",
"SAMBA2003",
"samba2003.example.com",
"2003",
"locDCpass6",
undef,
undef,
$extra_conf_options,
"",
undef);
unless (defined $ret) {
return undef;
}
$ret->{DC_SERVER} = $ret->{SERVER};
$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_USERNAME} = $ret->{USERNAME};
$ret->{DC_PASSWORD} = $ret->{PASSWORD};
$ret->{DNS_FORWARDER1} = "127.0.0.$swiface1";
$ret->{DNS_FORWARDER2} = "127.0.0.$swiface2";
my @samba_tool_options;
push (@samba_tool_options, Samba::bindir_path($self, "samba-tool"));
push (@samba_tool_options, "domain");
push (@samba_tool_options, "passwordsettings");
push (@samba_tool_options, "set");
push (@samba_tool_options, "--configfile=$ret->{SERVERCONFFILE}");
push (@samba_tool_options, "--min-pwd-age=0");
push (@samba_tool_options, "--history-length=1");
my $samba_tool_cmd = join(" ", @samba_tool_options);
unless (system($samba_tool_cmd) == 0) {
warn("Unable to set min password age to 0: \n$samba_tool_cmd\n");
return undef;
}
unless($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
return undef;
}
return $ret;
}
sub provision_fl2008r2dc($$$)
{
my ($self, $prefix, $dcvars) = @_;
print "PROVISIONING DC WITH FOREST LEVEL 2008r2...\n";
my $extra_conf_options = "ldap server require strong auth = no";
my $ret = $self->provision($prefix,
"domain controller",
"dc7",
"SAMBA2008R2",
"samba2008R2.example.com",
"2008_R2",
"locDCpass7",
undef,
undef,
$extra_conf_options,
"",
undef);
unless (defined $ret) {
return undef;
}
unless ($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
return undef;
}
$ret->{DC_SERVER} = $ret->{SERVER};
$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_USERNAME} = $ret->{USERNAME};
$ret->{DC_PASSWORD} = $ret->{PASSWORD};
$ret->{DC_REALM} = $ret->{REALM};
return $ret;
}
sub provision_rodc($$$)
{
my ($self, $prefix, $dcvars) = @_;
print "PROVISIONING RODC...\n";
# We do this so that we don't run the provision. That's the job of 'net join RODC'.
my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
"rodc",
$dcvars->{DOMAIN},
$dcvars->{REALM},
$dcvars->{DOMSID},
"2008",
$dcvars->{PASSWORD},
$dcvars->{SERVER_IP},
$dcvars->{SERVER_IPV6});
unless ($ctx) {
return undef;
}
push (@{$ctx->{provision_options}}, "--use-ntvfs");
$ctx->{share} = "$ctx->{prefix_abs}/share";
push(@{$ctx->{directories}}, "$ctx->{share}");
$ctx->{smb_conf_extra_options} = "
max xmit = 32K
server max protocol = SMB2
password server = $dcvars->{DC_SERVER}
[sysvol]
path = $ctx->{statedir}/sysvol
read only = yes
[netlogon]
path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
read only = yes
[tmp]
path = $ctx->{share}
read only = no
posix:sharedelay = 10000
posix:oplocktimeout = 3
posix:writetimeupdatedelay = 50000
";
my $ret = $self->provision_raw_step1($ctx);
unless ($ret) {
return undef;
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($ret->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} RODC";
$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
$cmd .= " --server=$dcvars->{DC_SERVER} --use-ntvfs";
unless (system($cmd) == 0) {
warn("RODC join failed\n$cmd");
return undef;
}
# This ensures deterministic behaviour for tests that want to have the 'testallowed account'
# user password verified on the RODC
my $testallowed_account = "testallowed account";
$cmd = "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
$cmd .= "$samba_tool rodc preload '$testallowed_account' $ret->{CONFIGURATION}";
$cmd .= " --server=$dcvars->{DC_SERVER}";
unless (system($cmd) == 0) {
warn("RODC join failed\n$cmd");
return undef;
}
# we overwrite the kdc after the RODC join
# so that use the RODC as kdc and test
# the proxy code
$ctx->{kdc_ipv4} = $ret->{SERVER_IP};
$ctx->{kdc_ipv6} = $ret->{SERVER_IPV6};
Samba::mk_krb5_conf($ctx);
Samba::mk_mitkdc_conf($ctx, abs_path(Samba::bindir_path($self, "shared")));
$ret->{RODC_DC_SERVER} = $ret->{SERVER};
$ret->{RODC_DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{RODC_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{RODC_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_SERVER} = $dcvars->{DC_SERVER};
$ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
$ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
$ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
$ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
return $ret;
}
sub read_config_h($)
{
my ($name) = @_;
my %ret = {};
open(LF, "<$name") or die("unable to read $name: $!");
while (<LF>) {
chomp;
next if not (/^#define /);
if (/^#define (.*?)[ \t]+(.*?)$/) {
$ret{$1} = $2;
next;
}
if (/^#define (.*?)[ \t]+$/) {
$ret{$1} = 1;;
next;
}
}
close(LF);
return \%ret;
}
sub provision_ad_dc($$$$$$)
{
my ($self, $prefix, $hostname, $domain, $realm, $smbconf_args,
$extra_provision_options) = @_;
my $prefix_abs = abs_path($prefix);
my $bindir_abs = abs_path($self->{bindir});
my $lockdir="$prefix_abs/lockdir";
my $conffile="$prefix_abs/etc/smb.conf";
my $require_mutexes = "dbwrap_tdb_require_mutexes:* = yes";
$require_mutexes = "" if ($ENV{SELFTEST_DONT_REQUIRE_TDB_MUTEX_SUPPORT} eq "1");
my $config_h = {};
if (defined($ENV{CONFIG_H})) {
$config_h = read_config_h($ENV{CONFIG_H});
}
my $password_hash_gpg_key_ids = "password hash gpg key ids = 4952E40301FAB41A";
$password_hash_gpg_key_ids = "" unless defined($config_h->{HAVE_GPGME});
my $extra_smbconf_options = "
server services = -smb +s3fs
xattr_tdb:file = $prefix_abs/statedir/xattr.tdb
dbwrap_tdb_mutexes:* = yes
${require_mutexes}
${password_hash_gpg_key_ids}
kernel oplocks = no
kernel change notify = no
smb2 leases = no
logging = file
printing = bsd
printcap name = /dev/null
max protocol = SMB3
read only = no
smbd:sharedelay = 100000
smbd:writetimeupdatedelay = 500000
create mask = 755
dos filemode = yes
check parent directory delete on close = yes
dcerpc endpoint servers = -winreg -srvsvc
printcap name = /dev/null
addprinter command = $ENV{SRCDIR_ABS}/source3/script/tests/printing/modprinter.pl -a -s $conffile --
deleteprinter command = $ENV{SRCDIR_ABS}/source3/script/tests/printing/modprinter.pl -d -s $conffile --
printing = vlp
print command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb print %p %s
lpq command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpq %p
lp rm command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lprm %p %j
lp pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lppause %p %j
lp resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpresume %p %j
queue pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queuepause %p
queue resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queueresume %p
lpq cache time = 0
print notify backchannel = yes
server schannel = auto
auth event notification = true
dsdb event notification = true
dsdb password event notification = true
dsdb group change notification = true
$smbconf_args
";
my $extra_smbconf_shares = "
[tmpenc]
copy = tmp
smb encrypt = required
[tmpcase]
copy = tmp
case sensitive = yes
[tmpguest]
copy = tmp
guest ok = yes
[hideunread]
copy = tmp
hide unreadable = yes
[durable]
copy = tmp
kernel share modes = no
kernel oplocks = no
posix locking = no
[print\$]
copy = tmp
[print1]
copy = tmp
printable = yes
[print2]
copy = print1
[print3]
copy = print1
[lp]
copy = print1
";
push (@{$extra_provision_options}, "--backend-store=mdb");
print "PROVISIONING AD DC...\n";
my $ret = $self->provision($prefix,
"domain controller",
$hostname,
$domain,
$realm,
"2008",
"locDCpass1",
undef,
undef,
$extra_smbconf_options,
$extra_smbconf_shares,
$extra_provision_options);
unless (defined $ret) {
return undef;
}
unless($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
return undef;
}
$ret->{DC_SERVER} = $ret->{SERVER};
$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_USERNAME} = $ret->{USERNAME};
$ret->{DC_PASSWORD} = $ret->{PASSWORD};
return $ret;
}
sub provision_chgdcpass($$)
{
my ($self, $prefix) = @_;
print "PROVISIONING CHGDCPASS...\n";
my $extra_provision_options = undef;
# This environment disallows the use of this password
# (and also removes the default AD complexity checks)
my $unacceptable_password = "widk3Dsle32jxdBdskldsk55klASKQ";
push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
my $ret = $self->provision($prefix,
"domain controller",
"chgdcpass",
"CHDCDOMAIN",
"chgdcpassword.samba.example.com",
"2008",
"chgDCpass1",
undef,
undef,
"check password script = sed -e '/$unacceptable_password/{;q1}; /$unacceptable_password/!{q0}'\n",
"",
$extra_provision_options);
unless (defined $ret) {
return undef;
}
unless($self->add_wins_config("$prefix/private")) {
warn("Unable to add wins configuration");
return undef;
}
# Remove secrets.tdb from this environment to test that we
# still start up on systems without the new matching
# secrets.tdb records.
unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
return undef;
}
$ret->{DC_SERVER} = $ret->{SERVER};
$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
$ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
$ret->{DC_USERNAME} = $ret->{USERNAME};
$ret->{DC_PASSWORD} = $ret->{PASSWORD};
$ret->{UNACCEPTABLE_PASSWORD} = $unacceptable_password;
return $ret;
}
sub teardown_env_terminate($$)
{
my ($self, $envvars) = @_;
my $pid;
# This should cause samba to terminate gracefully
close($envvars->{STDIN_PIPE});
$pid = $envvars->{SAMBA_PID};
my $count = 0;
my $childpid;
# This should give it time to write out the gcov data
until ($count > 15) {
if (Samba::cleanup_child($pid, "samba") != 0) {
return;
}
sleep(1);
$count++;
}
# After 15 Seconds, work out why this thing is still alive
warn "server process $pid took more than $count seconds to exit, showing backtrace:\n";
system("$self->{srcdir}/selftest/gdb_backtrace $pid");
until ($count > 30) {
if (Samba::cleanup_child($pid, "samba") != 0) {
return;
}
sleep(1);
$count++;
}
if (kill(0, $pid)) {
warn "server process $pid took more than $count seconds to exit, sending SIGTERM\n";
kill "TERM", $pid;
}
until ($count > 40) {
if (Samba::cleanup_child($pid, "samba") != 0) {
return;
}
sleep(1);
$count++;
}
# If it is still around, kill it
if (kill(0, $pid)) {
warn "server process $pid took more than $count seconds to exit, killing\n with SIGKILL\n";
kill 9, $pid;
}
return;
}
sub teardown_env($$)
{
my ($self, $envvars) = @_;
teardown_env_terminate($self, $envvars);
$self->slapd_stop($envvars) if ($self->{ldap});
print $self->getlog_env($envvars);
return;
}
sub getlog_env($$)
{
my ($self, $envvars) = @_;
my $title = "SAMBA LOG of: $envvars->{NETBIOSNAME} pid $envvars->{SAMBA_PID}\n";
my $out = $title;
open(LOG, "<$envvars->{SAMBA_TEST_LOG}");
seek(LOG, $envvars->{SAMBA_TEST_LOG_POS}, SEEK_SET);
while (<LOG>) {
$out .= $_;
}
$envvars->{SAMBA_TEST_LOG_POS} = tell(LOG);
close(LOG);
return "" if $out eq $title;
return $out;
}
sub check_env($$)
{
my ($self, $envvars) = @_;
my $samba_pid = $envvars->{SAMBA_PID};
if (not defined($samba_pid)) {
return 0;
} elsif ($samba_pid > 0) {
my $childpid = Samba::cleanup_child($samba_pid, "samba");
if ($childpid == 0) {
return 1;
}
return 0;
} else {
return 1;
}
}
# Declare the environments Samba4 makes available.
# To be set up, they will be called as
# samba4->setup_$envname($self, $path, $dep_1_vars, $dep_2_vars, ...)
%Samba4::ENV_DEPS = (
# name => [dep_1, dep_2, ...],
ad_dc_ntvfs => [],
ad_dc => [],
ad_dc_no_nss => [],
ad_dc_no_ntlm => [],
ad_dc_ntvfs => [],
backupfromdc => [],
customdc => [],
fl2008r2dc => ["ad_dc"],
fl2003dc => ["ad_dc"],
fl2000dc => [],
vampire_2000_dc => ["fl2000dc"],
vampire_dc => ["ad_dc_ntvfs"],
promoted_dc => ["ad_dc_ntvfs"],
subdom_dc => ["ad_dc_ntvfs"],
rodc => ["ad_dc_ntvfs"],
rpc_proxy => ["ad_dc_ntvfs"],
chgdcpass => [],
s4member_dflt_domain => ["ad_dc_ntvfs"],
s4member => ["ad_dc_ntvfs"],
restoredc => ["backupfromdc"],
renamedc => ["backupfromdc"],
offlinebackupdc => ["backupfromdc"],
labdc => ["backupfromdc"],
none => [],
);
sub setup_s4member
{
my ($self, $path, $dc_vars) = @_;
my $env = $self->provision_s4member($path, $dc_vars, "s4member");
if (defined $env) {
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
}
return $env;
}
sub setup_s4member_dflt_domain
{
my ($self, $path, $dc_vars) = @_;
my $env = $self->provision_s4member($path, $dc_vars, "s4member_dflt",
"winbind use default domain = yes");
if (defined $env) {
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
}
return $env;
}
sub setup_rpc_proxy
{
my ($self, $path, $dc_vars) = @_;
my $env = $self->provision_rpc_proxy($path, $dc_vars);
if (defined $env) {
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
}
return $env;
}
sub setup_ad_dc_ntvfs
{
my ($self, $path) = @_;
my $env = $self->provision_ad_dc_ntvfs($path);
if (defined $env) {
if (not defined($self->check_or_start($env, "standard"))) {
warn("Failed to start ad_dc_ntvfs");
return undef;
}
}
return $env;
}
sub setup_chgdcpass
{
my ($self, $path) = @_;
my $env = $self->provision_chgdcpass($path);
if (defined $env) {
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
}
return $env;
}
sub setup_fl2000dc
{
my ($self, $path) = @_;
my $env = $self->provision_fl2000dc($path);
if (defined $env) {
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
}
return $env;
}
sub setup_fl2003dc
{
my ($self, $path, $dc_vars) = @_;
my $env = $self->provision_fl2003dc($path);
if (defined $env) {
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
$env = $self->setup_trust($env, $dc_vars, "external", "--no-aes-keys");
}
return $env;
}
sub setup_fl2008r2dc
{
my ($self, $path, $dc_vars) = @_;
my $env = $self->provision_fl2008r2dc($path);
if (defined $env) {
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
my $upn_array = ["$env->{REALM}.upn"];
my $spn_array = ["$env->{REALM}.spn"];
$self->setup_namespaces($env, $upn_array, $spn_array);
$env = $self->setup_trust($env, $dc_vars, "forest", "");
}
return $env;
}
sub setup_vampire_dc
{
return setup_generic_vampire_dc(@_, "2008");
}
sub setup_vampire_2000_dc
{
return setup_generic_vampire_dc(@_, "2000");
}
sub setup_generic_vampire_dc
{
my ($self, $path, $dc_vars, $fl) = @_;
my $env = $self->provision_vampire_dc($path, $dc_vars, $fl);
if (defined $env) {
if (not defined($self->check_or_start($env, "single"))) {
return undef;
}
# force replicated DC to update repsTo/repsFrom
# for vampired partitions
my $samba_tool = Samba::bindir_path($self, "samba-tool");
# as 'vampired' dc may add data in its local replica
# we need to synchronize data between DCs
my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
my $cmd = "NSS_WRAPPER_HOSTS='$env->{NSS_WRAPPER_HOSTS}' ";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($env->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
$cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
$cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
$cmd .= " $dc_vars->{CONFIGURATION}";
$cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
# replicate Configuration NC
my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
unless(system($cmd_repl) == 0) {
warn("Failed to replicate\n$cmd_repl");
return undef;
}
# replicate Default NC
$cmd_repl = "$cmd \"$base_dn\"";
unless(system($cmd_repl) == 0) {
warn("Failed to replicate\n$cmd_repl");
return undef;
}
# Pull in a full set of changes from the main DC
my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
$cmd = "NSS_WRAPPER_HOSTS='$env->{NSS_WRAPPER_HOSTS}' ";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($env->{RESOLV_WRAPPER_CONF})) {
$cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
}
$cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
$cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
$cmd .= " $samba_tool drs replicate $env->{SERVER} $env->{DC_SERVER}";
$cmd .= " $dc_vars->{CONFIGURATION}";
$cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
# replicate Configuration NC
my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
unless(system($cmd_repl) == 0) {
warn("Failed to replicate\n$cmd_repl");
return undef;
}
# replicate Default NC
$cmd_repl = "$cmd \"$base_dn\"";
unless(system($cmd_repl) == 0) {
warn("Failed to replicate\n$cmd_repl");
return undef;
}
}
return $env;
}
sub setup_promoted_dc
{
my ($self, $path, $dc_vars) = @_;
my $env = $self->provision_promoted_dc($path, $dc_vars);
if (defined $env) {
if (not defined($self->check_or_start($env, "single"))) {
return undef;
}
# force source and replicated DC to update repsTo/repsFrom
# for vampired partitions
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "NSS_WRAPPER_HOSTS='$env->{NSS_WRAPPER_HOSTS}' ";
# as 'vampired' dc may add data in its local replica
# we need to synchronize data between DCs
my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
$cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
$cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
$cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
$cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
$cmd .= " $dc_vars->{CONFIGURATION}";
$cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
# replicate Configuration NC
my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
unless(system($cmd_repl) == 0) {
warn("Failed to replicate\n$cmd_repl");
return undef;
}
# replicate Default NC
$cmd_repl = "$cmd \"$base_dn\"";
unless(system($cmd_repl) == 0) {
warn("Failed to replicate\n$cmd_repl");
return undef;
}
}
return $env;
}
sub setup_subdom_dc
{
my ($self, $path, $dc_vars) = @_;
my $env = $self->provision_subdom_dc($path, $dc_vars);
if (defined $env) {
if (not defined($self->check_or_start($env, "single"))) {
return undef;
}
# force replicated DC to update repsTo/repsFrom
# for primary domain partitions
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "NSS_WRAPPER_HOSTS='$env->{NSS_WRAPPER_HOSTS}' ";
# as 'subdomain' dc may add data in its local replica
# we need to synchronize data between DCs
my $base_dn = "DC=".join(",DC=", split(/\./, $env->{REALM}));
my $config_dn = "CN=Configuration,DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
$cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
$cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
$cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
$cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SUBDOM_DC_SERVER}";
$cmd .= " $dc_vars->{CONFIGURATION}";
$cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} --realm=$dc_vars->{DC_REALM}";
# replicate Configuration NC
my $cmd_repl = "$cmd \"$config_dn\"";
unless(system($cmd_repl) == 0) {
warn("Failed to replicate\n$cmd_repl");
return undef;
}
# replicate Default NC
$cmd_repl = "$cmd \"$base_dn\"";
unless(system($cmd_repl) == 0) {
warn("Failed to replicate\n$cmd_repl");
return undef;
}
}
return $env;
}
sub setup_rodc
{
my ($self, $path, $dc_vars) = @_;
my $env = $self->provision_rodc($path, $dc_vars);
unless ($env) {
return undef;
}
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "";
my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
$cmd .= "NSS_WRAPPER_HOSTS='$env->{NSS_WRAPPER_HOSTS}' ";
$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
$cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
$cmd .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
$cmd .= " $samba_tool drs replicate $env->{SERVER} $env->{DC_SERVER}";
$cmd .= " $dc_vars->{CONFIGURATION}";
$cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
# replicate Configuration NC
my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
unless(system($cmd_repl) == 0) {
warn("Failed to replicate\n$cmd_repl");
return undef;
}
# replicate Default NC
$cmd_repl = "$cmd \"$base_dn\"";
unless(system($cmd_repl) == 0) {
warn("Failed to replicate\n$cmd_repl");
return undef;
}
return $env;
}
sub setup_ad_dc
{
my ($self, $path) = @_;
# If we didn't build with ADS, pretend this env was never available
if (not $self->{target3}->have_ads()) {
return "UNKNOWN";
}
my $env = $self->provision_ad_dc($path, "addc", "ADDOMAIN",
"addom.samba.example.com", "", undef);
unless ($env) {
return undef;
}
if (not defined($self->check_or_start($env, "prefork"))) {
return undef;
}
my $upn_array = ["$env->{REALM}.upn"];
my $spn_array = ["$env->{REALM}.spn"];
$self->setup_namespaces($env, $upn_array, $spn_array);
return $env;
}
sub setup_ad_dc_no_nss
{
my ($self, $path) = @_;
# If we didn't build with ADS, pretend this env was never available
if (not $self->{target3}->have_ads()) {
return "UNKNOWN";
}
my $env = $self->provision_ad_dc($path, "addc_no_nss", "ADNONSSDOMAIN",
"adnonssdom.samba.example.com", "", undef);
unless ($env) {
return undef;
}
$env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
$env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
if (not defined($self->check_or_start($env, "single"))) {
return undef;
}
my $upn_array = ["$env->{REALM}.upn"];
my $spn_array = ["$env->{REALM}.spn"];
$self->setup_namespaces($env, $upn_array, $spn_array);
return $env;
}
sub setup_ad_dc_no_ntlm
{
my ($self, $path) = @_;
# If we didn't build with ADS, pretend this env was never available
if (not $self->{target3}->have_ads()) {
return "UNKNOWN";
}
my $env = $self->provision_ad_dc($path, "addc_no_ntlm", "ADNONTLMDOMAIN",
"adnontlmdom.samba.example.com",
"ntlm auth = disabled", undef);
unless ($env) {
return undef;
}
if (not defined($self->check_or_start($env, "prefork"))) {
return undef;
}
my $upn_array = ["$env->{REALM}.upn"];
my $spn_array = ["$env->{REALM}.spn"];
$self->setup_namespaces($env, $upn_array, $spn_array);
return $env;
}
# Sets up a DC that's solely used to do a domain backup from. We then use the
# backupfrom-DC to create the restore-DC - this proves that the backup/restore
# process will create a Samba DC that will actually start up.
# We don't use the backup-DC for anything else because its domain will conflict
# with the restore DC.
sub setup_backupfromdc
{
my ($self, $path) = @_;
# If we didn't build with ADS, pretend this env was never available
if (not $self->{target3}->have_ads()) {
return "UNKNOWN";
}
my $provision_args = ["--site=Backup-Site"];
my $env = $self->provision_ad_dc($path, "backupfromdc", "BACKUPDOMAIN",
"backupdom.samba.example.com", "",
$provision_args);
unless ($env) {
return undef;
}
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
my $upn_array = ["$env->{REALM}.upn"];
my $spn_array = ["$env->{REALM}.spn"];
$self->setup_namespaces($env, $upn_array, $spn_array);
return $env;
}
# returns the server/user-auth params needed to run an online backup cmd
sub get_backup_server_args
{
# dcvars contains the env info for the backup DC testenv
my ($self, $dcvars) = @_;
my $server = $dcvars->{DC_SERVER_IP};
my $server_args = "--server=$server ";
$server_args .= "-U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
$server_args .= " $dcvars->{CONFIGURATION}";
return $server_args;
}
# Creates a backup of a running testenv DC
sub create_backup
{
# note: dcvars contains the env info for the backup DC testenv
my ($self, $env, $dcvars, $backupdir, $backup_cmd) = @_;
# get all the env variables we pass in with the samba-tool command
my $cmd_env = "NSS_WRAPPER_HOSTS='$env->{NSS_WRAPPER_HOSTS}' ";
$cmd_env .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
if (defined($env->{RESOLV_WRAPPER_CONF})) {
$cmd_env .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
} else {
$cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
}
# Note: use the backupfrom-DC's krb5.conf to do the backup
$cmd_env .= " KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
$cmd_env .= "KRB5CCNAME=\"$env->{KRB5_CCACHE}\" ";
# use samba-tool to create a backup from the 'backupfromdc' DC
my $cmd = "";
my $samba_tool = Samba::bindir_path($self, "samba-tool");
$cmd .= "$cmd_env $samba_tool domain backup $backup_cmd";
$cmd .= " --targetdir=$backupdir";
print "Executing: $cmd\n";
unless(system($cmd) == 0) {
warn("Failed to create backup using: \n$cmd");
return undef;
}
# get the name of the backup file created
opendir(DIR, $backupdir);
my @files = grep(/\.tar/, readdir(DIR));
closedir(DIR);
if(scalar @files != 1) {
warn("Backup file not found in directory $backupdir\n");
return undef;
}
my $backup_file = "$backupdir/$files[0]";
print "Using backup file $backup_file...\n";
return $backup_file;
}
# Restores a backup-file to populate a testenv for a new DC
sub restore_backup_file
{
my ($self, $backup_file, $restore_opts, $restoredir, $smbconf) = @_;
# pass the restore command the testenv's smb.conf that we've already
# generated. But move it to a temp-dir first, so that the restore doesn't
# overwrite it
my $tmpdir = File::Temp->newdir();
my $tmpconf = "$tmpdir/smb.conf";
my $cmd = "cp $smbconf $tmpconf";
unless(system($cmd) == 0) {
warn("Failed to backup smb.conf using: \n$cmd");
return -1;
}
my $samba_tool = Samba::bindir_path($self, "samba-tool");
$cmd = "$samba_tool domain backup restore --backup-file=$backup_file";
$cmd .= " --targetdir=$restoredir $restore_opts --configfile=$tmpconf";
print "Executing: $cmd\n";
unless(system($cmd) == 0) {
warn("Failed to restore backup using: \n$cmd");
return -1;
}
print "Restore complete\n";
return 0
}
# sets up the initial directory and returns the new testenv's env info
# (without actually doing a 'domain join')
sub prepare_dc_testenv
{
my ($self, $prefix, $dcname, $domain, $realm, $password) = @_;
my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
$dcname,
$domain,
$realm,
undef,
"2008",
$password,
undef,
undef);
# the restore uses a slightly different state-dir location to other testenvs
$ctx->{statedir} = "$ctx->{prefix_abs}/state";
push(@{$ctx->{directories}}, "$ctx->{statedir}");
# add support for sysvol/netlogon/tmp shares
$ctx->{share} = "$ctx->{prefix_abs}/share";
push(@{$ctx->{directories}}, "$ctx->{share}");
$ctx->{smb_conf_extra_options} = "
max xmit = 32K
server max protocol = SMB2
[sysvol]
path = $ctx->{statedir}/sysvol
read only = no
[netlogon]
path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
read only = no
[tmp]
path = $ctx->{share}
read only = no
posix:sharedelay = 10000
posix:oplocktimeout = 3
posix:writetimeupdatedelay = 50000
";
my $env = $self->provision_raw_step1($ctx);
$env->{DC_SERVER} = $env->{SERVER};
$env->{DC_SERVER_IP} = $env->{SERVER_IP};
$env->{DC_SERVER_IPV6} = $env->{SERVER_IPV6};
$env->{DC_NETBIOSNAME} = $env->{NETBIOSNAME};
$env->{DC_USERNAME} = $env->{USERNAME};
$env->{DC_PASSWORD} = $env->{PASSWORD};
return ($env, $ctx);
}
# Set up a DC testenv solely by using the samba-tool domain backup/restore
# commands. This proves that we can backup an online DC ('backupfromdc') and
# use the backup file to create a valid, working samba DC.
sub setup_restoredc
{
# note: dcvars contains the env info for the dependent testenv ('backupfromdc')
my ($self, $prefix, $dcvars) = @_;
print "Preparing RESTORE DC...\n";
my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "restoredc",
$dcvars->{DOMAIN},
$dcvars->{REALM},
$dcvars->{PASSWORD});
# create a backup of the 'backupfromdc'
my $backupdir = File::Temp->newdir();
my $server_args = $self->get_backup_server_args($dcvars);
my $backup_args = "online $server_args";
my $backup_file = $self->create_backup($env, $dcvars, $backupdir,
$backup_args);
unless($backup_file) {
return undef;
}
# restore the backup file to populate the restore-DC testenv
my $restore_dir = abs_path($prefix);
my $ret = $self->restore_backup_file($backup_file,
"--newservername=$env->{SERVER}",
$restore_dir, $env->{SERVERCONFFILE});
unless ($ret == 0) {
return undef;
}
# start samba for the restored DC
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
return $env;
}
# Set up a DC testenv solely by using the 'samba-tool domain backup rename' and
# restore commands. This proves that we can backup and rename an online DC
# ('backupfromdc') and use the backup file to create a valid, working samba DC.
sub setup_renamedc
{
# note: dcvars contains the env info for the dependent testenv ('backupfromdc')
my ($self, $prefix, $dcvars) = @_;
print "Preparing RENAME DC...\n";
my $realm = "renamedom.samba.example.com";
my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "renamedc",
"RENAMEDOMAIN", $realm,
$dcvars->{PASSWORD});
# create a backup of the 'backupfromdc' which renames the domain
my $backupdir = File::Temp->newdir();
my $server_args = $self->get_backup_server_args($dcvars);
my $backup_args = "rename $env->{DOMAIN} $env->{REALM} $server_args";
$backup_args .= " --backend-store=tdb";
my $backup_file = $self->create_backup($env, $dcvars, $backupdir,
$backup_args);
unless($backup_file) {
return undef;
}
# restore the backup file to populate the rename-DC testenv
my $restore_dir = abs_path($prefix);
my $restore_opts = "--newservername=$env->{SERVER} --host-ip=$env->{SERVER_IP}";
my $ret = $self->restore_backup_file($backup_file, $restore_opts,
$restore_dir, $env->{SERVERCONFFILE});
unless ($ret == 0) {
return undef;
}
# start samba for the restored DC
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
my $upn_array = ["$env->{REALM}.upn"];
my $spn_array = ["$env->{REALM}.spn"];
$self->setup_namespaces($env, $upn_array, $spn_array);
return $env;
}
# Set up a DC testenv solely by using the 'samba-tool domain backup offline' and
# restore commands. This proves that we do an offline backup of a local DC
# ('backupfromdc') and use the backup file to create a valid, working samba DC.
sub setup_offlinebackupdc
{
# note: dcvars contains the env info for the dependent testenv ('backupfromdc')
my ($self, $prefix, $dcvars) = @_;
print "Preparing OFFLINE BACKUP DC...\n";
my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "offlinebackupdc",
$dcvars->{DOMAIN},
$dcvars->{REALM},
$dcvars->{PASSWORD});
# create an offline backup of the 'backupfromdc' target
my $backupdir = File::Temp->newdir();
my $cmd = "offline -s $dcvars->{SERVERCONFFILE}";
my $backup_file = $self->create_backup($env, $dcvars,
$backupdir, $cmd);
unless($backup_file) {
return undef;
}
# restore the backup file to populate the rename-DC testenv
my $restore_dir = abs_path($prefix);
my $restore_opts = "--newservername=$env->{SERVER} --host-ip=$env->{SERVER_IP}";
my $ret = $self->restore_backup_file($backup_file, $restore_opts,
$restore_dir, $env->{SERVERCONFFILE});
unless ($ret == 0) {
return undef;
}
# re-create the testenv's krb5.conf (the restore may have overwritten it)
Samba::mk_krb5_conf($ctx);
# start samba for the restored DC
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
return $env;
}
# Set up a DC testenv solely by using the samba-tool 'domain backup rename' and
# restore commands, using the --no-secrets option. This proves that we can
# create a realistic lab environment from an online DC ('backupfromdc').
sub setup_labdc
{
# note: dcvars contains the env info for the dependent testenv ('backupfromdc')
my ($self, $prefix, $dcvars) = @_;
print "Preparing LAB-DOMAIN DC...\n";
my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "labdc",
"LABDOMAIN",
"labdom.samba.example.com",
$dcvars->{PASSWORD});
# create a backup of the 'backupfromdc' which renames the domain and uses
# the --no-secrets option to scrub any sensitive info
my $backupdir = File::Temp->newdir();
my $server_args = $self->get_backup_server_args($dcvars);
my $backup_args = "rename $env->{DOMAIN} $env->{REALM} $server_args";
$backup_args .= " --no-secrets --backend-store=mdb";
my $backup_file = $self->create_backup($env, $dcvars, $backupdir,
$backup_args);
unless($backup_file) {
return undef;
}
# restore the backup file to populate the lab-DC testenv
my $restore_dir = abs_path($prefix);
my $restore_opts = "--newservername=$env->{SERVER} --host-ip=$env->{SERVER_IP}";
my $ret = $self->restore_backup_file($backup_file, $restore_opts,
$restore_dir, $env->{SERVERCONFFILE});
unless ($ret == 0) {
return undef;
}
# because we don't include any secrets in the backup, we need to reset the
# admin user's password back to what the testenv expects
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "$samba_tool user setpassword $env->{USERNAME} ";
$cmd .= "--newpassword=$env->{PASSWORD} -H $restore_dir/private/sam.ldb";
$cmd .= " $env->{CONFIGURATION}";
unless(system($cmd) == 0) {
warn("Failed to reset admin's password: \n$cmd");
return undef;
}
# start samba for the restored DC
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
my $upn_array = ["$env->{REALM}.upn"];
my $spn_array = ["$env->{REALM}.spn"];
$self->setup_namespaces($env, $upn_array, $spn_array);
return $env;
}
# Inspects a backup *.tar.bz2 file and determines the realm/domain it contains
sub get_backup_domain_realm
{
my ($self, $backup_file) = @_;
print "Determining REALM/DOMAIN values in backup...\n";
# The backup will have the correct domain/realm values in the smb.conf.
# So we can work out the env variables the testenv should use based on
# that. Let's start by extracting the smb.conf
my $tar = Archive::Tar->new($backup_file);
my $tmpdir = File::Temp->newdir();
my $smbconf = "$tmpdir/smb.conf";
# note that the filepaths within the tar-file differ slightly for online
# and offline backups
if ($tar->contains_file("etc/smb.conf")) {
$tar->extract_file("etc/smb.conf", $smbconf);
} elsif ($tar->contains_file("./etc/smb.conf")) {
$tar->extract_file("./etc/smb.conf", $smbconf);
} else {
warn("Could not find smb.conf in $backup_file");
return undef, undef;
}
# now use testparm to read the values we're interested in
my $testparm = Samba::bindir_path($self, "testparm");
my $domain = `$testparm $smbconf -sl --parameter-name=WORKGROUP`;
my $realm = `$testparm $smbconf -sl --parameter-name=REALM`;
chomp $realm;
chomp $domain;
print "Backup-file REALM is $realm, DOMAIN is $domain\n";
return ($domain, $realm);
}
# This spins up a custom testenv that can be based on any backup-file you want.
# This is just intended for manual testing (rather than automated test-cases)
sub setup_customdc
{
my ($self, $prefix) = @_;
print "Preparing CUSTOM RESTORE DC...\n";
my $dc_name = "customdc";
my $password = "locDCpass1";
my $backup_file = $ENV{'BACKUP_FILE'};
# user must specify a backup file to restore via an ENV variable, i.e.
# BACKUP_FILE=backup-blah.tar.bz2 SELFTEST_TESTENV=customdc make testenv
if (not defined($backup_file)) {
warn("Please specify BACKUP_FILE");
return undef;
}
# work out the correct domain/realm env values from the backup-file
my ($domain, $realm) = $self->get_backup_domain_realm($backup_file);
# create a placeholder directory and smb.conf, as well as the env vars.
my ($env, $ctx) = $self->prepare_dc_testenv($prefix, $dc_name,
$domain, $realm, $password);
# restore the specified backup file to populate the testenv
my $restore_dir = abs_path($prefix);
my $ret = $self->restore_backup_file($backup_file,
"--newservername=$env->{SERVER}",
$restore_dir, $env->{SERVERCONFFILE});
unless ($ret == 0) {
return undef;
}
# Change the admin password to the testenv default, just in case it's
# different, or in case this was a --no-secrets backup
my $samba_tool = Samba::bindir_path($self, "samba-tool");
my $cmd = "$samba_tool user setpassword $env->{USERNAME} ";
$cmd .= "--newpassword=$password -H $restore_dir/private/sam.ldb";
$cmd .= " $env->{CONFIGURATION}";
unless(system($cmd) == 0) {
warn("Failed to reset admin's password: \n$cmd");
return undef;
}
# re-create the testenv's krb5.conf (the restore may have overwritten it,
# if the backup-file was an offline backup)
Samba::mk_krb5_conf($ctx);
# start samba for the restored DC
if (not defined($self->check_or_start($env, "standard"))) {
return undef;
}
# if this was a backup-rename, then we may need to setup namespaces
my $upn_array = ["$env->{REALM}.upn"];
my $spn_array = ["$env->{REALM}.spn"];
$self->setup_namespaces($env, $upn_array, $spn_array);
return $env;
}
sub setup_none
{
my ($self, $path) = @_;
my $ret = {
KRB5_CONFIG => abs_path($path) . "/no_krb5.conf",
SAMBA_PID => -1,
}
}
1;