path: root/python
Commit message | Author | Age | Files | Lines
* python/ntacls: use correct "state directory" smb.conf option instead of "state dir"
  Author: Björn Baumbach, Age: 2019-06-26, Files: 1, Lines: -1/+3

  samba-tool ntacl get testfile --xattr-backend=tdb --use-ntvfs

  Fixes: Unknown parameter encountered: "state dir"

  Signed-off-by: Björn Baumbach <bb@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 670a12df52df63a067b638d37bec71341bf18bdd)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14002
  Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-9-test): Wed Jun 26 11:40:27 UTC 2019 on sn-devel-144
* ldap tests: test scheme for referrals
  Author: Gary Lockyer, Age: 2019-06-21, Files: 1, Lines: -0/+91

  Ensure that the referrals returned in a search request use the same scheme as the request, i.e. referrals received via ldap are prefixed with "ldap://" and those over ldaps are prefixed with "ldaps://"

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 6ccf74cf878c295903673e3a1d1ed924a5e87547)
* Merge tag 'samba-4.9.9' into v4-9-test
  Author: Karolin Seeger, Age: 2019-06-19, Files: 1, Lines: -0/+51
|\
    samba: tag release samba-4.9.9
| * CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
    Author: Douglas Bagnall, Age: 2019-06-13, Files: 1, Lines: -0/+26

    We still want to return DOES_NOT_EXIST when request_filter is not 0.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
| * CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation
    Author: Douglas Bagnall, Age: 2019-06-13, Files: 1, Lines: -0/+25

    We still want to return DOES_NOT_EXIST when request_filter is not 0.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* | python/ntacls: we only need security.SEC_STD_READ_CONTROL in order to get the ACL
    Author: Stefan Metzmacher, Age: 2019-06-13, Files: 1, Lines: -1/+1

    We should avoid security.SEC_FLAG_MAXIMUM_ALLOWED otherwise we may get NT_STATUS_SHARING_VIOLATION when we run 'samba-tool domain backup online' against a Windows DC.

    Windows DCs have hidden folders for the NtFrs or Dfsr services, which are locked by the running service.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13917
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
    (cherry picked from commit 15032ec6df1abbb53f1b1d5377aab369f83ae707)
* | python/provision: use provision and relax controls for schema provision
    Author: Stefan Metzmacher, Age: 2019-06-13, Files: 1, Lines: -7/+12

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    (cherry picked from commit 7652439fa1aab92945f5540a43fc49568d446917)
* | s4:provision: split out provision_self_join_modify_schema.ldif
    Author: Stefan Metzmacher, Age: 2019-06-13, Files: 1, Lines: -1/+6

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    (cherry picked from commit 5ea84af2d69e0b3a2a801ea0cc3f4ffc66bf1764)
* | ldapcmp: ignore 'schemaInfo' if two domains are compared
    Author: Stefan Metzmacher, Age: 2019-06-13, Files: 1, Lines: -1/+1

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    (cherry picked from commit b5b572d5f71e2b9783ddb25c21ac32904fbfd661)
* | pytests/dns: use 2.6 compatible syntax
    Author: Douglas Bagnall, Age: 2019-05-17, Files: 1, Lines: -1/+1
|/
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13886
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* py/provision: fix for Python 2.6
  Author: Douglas Bagnall, Age: 2019-04-09, Files: 1, Lines: -1/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13882
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-9-test): Tue Apr 9 13:52:03 UTC 2019 on sn-devel-144
* Merge tag 'samba-4.9.6' into v4-9-test
  Author: Karolin Seeger, Age: 2019-04-08, Files: 3, Lines: -4/+65
|\
    samba: tag release samba-4.9.6
| * CVE-2019-3870 pysmbd: Include tests to show the outside umask has no impact
    Author: Andrew Bartlett, Age: 2019-04-05, Files: 2, Lines: -1/+14

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
| * CVE-2019-3870 tests: Extend smbd tests to check for umask being overwritten
    Author: Tim Beale, Age: 2019-04-05, Files: 3, Lines: -4/+52

    The smbd changes the umask - if the code fails to restore the umask to what it was, then this is very bad. Add an extra check to every smbd-related test that the umask at the end of the test is the same as what it was at the beginning (i.e. if the smbd code changed the umask then it correctly restored the value afterwards).

    As the selftest sets the umask for all tests to zero, it makes it hard to detect this problem, so the test setUp() needs to set it to something else first.

    This extra checking is added to the setUp()/tearDown() so that it applies to all test-cases. However, any failures that occur with this approach will not be able to be known-failed.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
    Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (This backport to Samba 4.9 by Andrew Bartlett was not a pure cherry-pick due to merge conflicts)
* | py/kcc_utils: py2.6 compatibility
    Author: Douglas Bagnall, Age: 2019-03-28, Files: 1, Lines: -2/+2

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13837
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* | py/graph: use 2.6 compatible check for set membership
    Author: Douglas Bagnall, Age: 2019-03-28, Files: 1, Lines: -1/+1

    It is better this way anyway.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13837
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Wed Mar 20 06:36:05 UTC 2019 on sn-devel-144
    (cherry picked from commit c0aca17a4c9ec06f0127d5c972f3fa979a87a77f)
* | dbcheck: use the str() value of the "name" attribute
    Author: Stefan Metzmacher, Age: 2019-03-28, Files: 1, Lines: -1/+1

    We do the same with the rdn attribute value and we need the same logic on both in order to check they are the same.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Noel Power <npower@samba.org>
    (cherry picked from commit dd6f0dad218ec1d5aa38ea8aa6848ec81035cb3f)
* | dbcheck: don't check expired tombstone objects by default anymore
    Author: Stefan Metzmacher, Age: 2019-03-28, Files: 2, Lines: -3/+48

    These will be removed anyway and any change on them risks to be an originating update that causes replication problems.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Thu Mar 14 03:12:27 UTC 2019 on sn-devel-144
    (cherry picked from commit a2c5f8cf41c2dfdc4f122e8427d1dfeabb6ba311)
* | dbcheck: add --selftest-check-expired-tombstones cmdline option
    Author: Stefan Metzmacher, Age: 2019-03-28, Files: 1, Lines: -2/+7

    This will be used by dbcheck tests which operate on static/old provision dumps in the following commits.

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit 6f9c5ed8de47bb98e21e8064d8e90f963f2f71ca)
* | python/samba/netcmd: provide SUPPRESS_HELP via Option class
    Author: Stefan Metzmacher, Age: 2019-03-28, Files: 1, Lines: -0/+1

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit b61d580fb7dba8ff94e9e98c958e324865cd2f1d)
* | dbcheck: detect the change after deletion bug
    Author: Stefan Metzmacher, Age: 2019-03-28, Files: 1, Lines: -0/+109

    Old versions of 'samba-tool dbcheck' could reanimate deleted objects, when running at the same time as the tombstone garbage collection.

    When the (deleted) parent of a deleted object (with the DISALLOW_MOVE_ON_DELETE bit in systemFlags), is removed before the object itself, dbcheck moved it in the LostAndFound[Config] subtree of the partition as an originating change. That means that the object will be in tombstone state again for 180 days on the local DC. And other DCs fail to replicate the object as it's already removed completely there and the replication only gives the name and lastKnownParent attributes, because all other attributes should already be known to the other DC.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit a1658b306d85452407388b91a745078c9c1f7dc7)
* | dbcheck: add find_repl_attid() helper function
    Author: Stefan Metzmacher, Age: 2019-03-28, Files: 1, Lines: -6/+9

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit 598e38d2a5e0832429ba65b4e55bf7127618f894)
* | dbcheck: don't remove dangling one-way links on already deleted objects
    Author: Stefan Metzmacher, Age: 2019-03-28, Files: 1, Lines: -0/+13

    This would typically happen when the garbage collection removed a parent object before a child object (both with the DISALLOW_MOVE_ON_DELETE bit set in systemFlags), while dbcheck is running at the same time as the garbage collection. In this case the lastKnownParent attribute points to a non-existing object.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit e388e599495b6d7c38b8b6966332e27f8b958783)
* | dbcheck: don't move already deleted objects to LostAndFound
    Author: Stefan Metzmacher, Age: 2019-03-28, Files: 1, Lines: -2/+7

    This would typically happen when the garbage collection removed a parent object before a child object (both with the DISALLOW_MOVE_ON_DELETE bit set in systemFlags), while dbcheck is running at the same time as the garbage collection.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit 6d50ee74920c39cdb18b427bfaaf200775bf2d73)
* | dbcheck: do isDeleted, systemFlags and replPropertyMetaData detection first
    Author: Stefan Metzmacher, Age: 2019-03-28, Files: 1, Lines: -11/+14

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit 9afcd5331ce567bd80d35175f8e4e21c506e9347)
* | dbcheck: use DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME when renaming deleted objects
    Author: Stefan Metzmacher, Age: 2019-03-28, Files: 1, Lines: -3/+6

    We should never do originating updates on deleted objects.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit 07a8326746f0c444eedf3860b178fc29d84e8d16)
* | python/samba: extra ndr_unpack needs bytes function
    Author: Noel Power, Age: 2019-03-28, Files: 1, Lines: -1/+1

    (cherry picked from commit 8db43696e70d7c4cb21172b7e7461cf6a72914a2)
* | python/samba: PY3 port for ridalloc_exop test to work
    Author: Noel Power, Age: 2019-03-28, Files: 2, Lines: -7/+6
|/
    Signed-off-by: Noel Power <noel.power@suse.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    (cherry picked from commit fc13a1268a4a9de94efd312a8309aa55d331ae19)
* netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg
  Author: Joe Guo, Age: 2019-02-21, Files: 1, Lines: -25/+61

  python[3]-gpgme is deprecated since ubuntu 1804 and debian 9. use python[3]-gpg instead, and adapt the API.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13728
  Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 84069c8a5476a47d45ab946d82abb0d6c04635c3)
* join: Throw CommandError instead of Exception for simple errors
  Author: Tim Beale, Age: 2019-02-05, Files: 1, Lines: -3/+4

  Throwing an exception here still dumps out the Python stack trace, which can be a little disconcerting for users. In this case, the stack trace isn't going to really help at all (the problem is pretty obvious), and it obscures the useful message explaining what went wrong.

  Throw a CommandError instead, which samba-tool will catch and display more nicely.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13747
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Rowland Penny <rpenny@samba.org>
  Reviewed-by: Jeremy Allison <rpenny@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Jan 16 22:11:04 CET 2019 on sn-devel-144
  (cherry picked from commit 9e4b08f4c384b8cae5ad853a7be7cf03e2749be5)
* join: Fix TypeError when handling exception
  Author: Tim Beale, Age: 2019-02-05, Files: 2, Lines: -2/+2

  When we can't resolve a domain name, we were inadvertently throwing a TypeError whilst trying to output a helpful message. E.g.

  ERROR(<class 'TypeError'>): uncaught exception - 'NTSTATUSError' object does not support indexing

  Instead of indexing the object, we want to index the Exception.args so that we just display the string portion of the exception error.

  The same problem is also present for the domain trust commands.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13747
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Rowland Penny <rpenny@samba.org>
  Reviewed-by: Jeremy Allison <rpenny@samba.org>
  (cherry picked from commit 3bb7808984c163a7bba66fb983411d1281589722)
* python: Add new compat PYARG_STR_UNI format
  Author: Noel Power, Age: 2019-01-21, Files: 1, Lines: -0/+10

  In python2 PYARG_STR_UNI evaluates to et which allows str type (e.g bytes) pass through unencoded and accepts unicode objects encoded as utf8

  In python3 PYARG_STR_UNI evaluates to es which allows str type encoded as named/specified encoding

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13616
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (cherry picked from commit 253af8b85450c2830a442084e98734ca338c1b2f)
* samba-tool: don't print backtrace on simple DNS errors
  Author: Björn Jacke, Age: 2019-01-10, Files: 1, Lines: -5/+5

  samba-tool throws backtraces even for simple DNS error messages, we should not frighten users for no good reason.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13721
  Signed-off-by: Bjoern Jacke <bj@sernet.de>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Björn Jacke <bj@sernet.de>
  Autobuild-Date(master): Wed Dec 19 20:58:52 CET 2018 on sn-devel-144
  (cherry picked from commit 49dc04f9f553c443c78c8073c07ea2a38cde61b2)
  Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-9-test): Thu Jan 10 16:55:06 CET 2019 on sn-devel-144
* samba-tool drs showrepl: do not crash if no dnsHostName found
  Author: Douglas Bagnall, Age: 2019-01-09, Files: 1, Lines: -2/+2

  This should not happen, but it does sometimes in an autobuild environment. Rather than reporting this by crashing, we report it by showing there is no DNS name.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13716
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
  Autobuild-Date(master): Fri Oct 12 15:27:07 CEST 2018 on sn-devel-144
  (cherry picked from commit 2fc855e7d2458249ca6fc8ffdf1d7633ab84cc55)
* CVE-2018-14629: Tests to expose regression from dns cname loop fix
  Author: Aaron Haslett, Age: 2018-12-10, Files: 1, Lines: -0/+101

  These tests expose the regression described by Stefan Metzmacher in discussion on the bugzilla page linked below.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
  Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 14399fd818b130a6347eec860460929c292d5996)
* sync_passwords: Remove dirsync cookie logging for continuous operation
  Author: Garming Sam, Age: 2018-12-04, Files: 1, Lines: -1/+2

  Under normal operation, users shouldn't see giant cookies in their logs. We still log the initial cookie retrieved from the cache database, which should still be helpful for identifying corrupt cookies.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13686
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit ac90c9faa783fc133229e7c163471d96440ff30e)
* PEP8: fix E231: missing whitespace after ','
  Author: Joe Guo, Age: 2018-12-04, Files: 1, Lines: -3/+3

  Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (part of commit 12d3fbe15cb58b57c60499103101e3a845378859 from master cherry-picked to v4-9-test)
* CVE-2018-14629 dns: CNAME loop prevention using counter
  Author: Aaron Haslett, Age: 2018-11-25, Files: 1, Lines: -0/+22

  Count number of answers generated by internal DNS query routine and stop at 20 to match Microsoft's loop prevention mechanism.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
  Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* dsdb encrypted_secrets tests: Allow "ldb://" in file path
  Author: Gary Lockyer, Age: 2018-11-05, Files: 1, Lines: -0/+212

  When creating a new user and specifying the local file path of the sam.ldb DB, it's possible to create an account that you can't actually login with.

  This commit contains tests to verify the bug.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13653
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit e1eee614ca8a3f0f5609a3d9d8ce7ae926de1f9e)
* python tests Blackbox: add random_password
  Author: Gary Lockyer, Age: 2018-11-05, Files: 4, Lines: -36/+30

  Add the random_password method to the BlackboxTestCase class and remove duplicated copies from other test cases. Also use SystemRandom so that the generated passwords are more cryptographically sound.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit b6e45fb479689cff028b1fe626533b035e313ce3)
* dbchecker: Fix missing <SID=...> on linked attributes
  Author: Stefan Metzmacher, Age: 2018-11-05, Files: 1, Lines: -1/+41

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit a801799ebe26780653f4ed3fa3fc633e31871f7d)
* dbchecker: improve verbose output of do_modify()
  Author: Stefan Metzmacher, Age: 2018-11-05, Files: 1, Lines: -1/+2

  This makes it easier to debug dbcheck problems.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit c5c99b569569ce36cac94e967ca53e3182abd6f7)
* netcmd: Make sure SMB connection is signed when backing up sysvol
  Author: Tim Beale, Age: 2018-11-05, Files: 1, Lines: -2/+2

  i.e. protect the client against man-in-the-middle attacks by default.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 0122f45f053ecc545950c31bf1fb33fba143478c)
* netcmd: Re-create default site for backup-restore (if missing)
  Author: Tim Beale, Age: 2018-11-05, Files: 1, Lines: -1/+23

  Normally when a new DC joins a domain, samba-tool works out the new DC's site automatically. However, it does this by querying the existing DC using CLDAP. In the restore case, there is no DC running.

  We could still query the DB on disk and work out the correct site based on the new DC's IP, however:
  - comparing between the CN=Subnet DNs and an IP-address string seems like it'd be non-trivial to write, and
  - in the lab-domain rename case, chances are the user will want a completely different subnet to what's already in the DB.

  The restore command now has a --site option so the user can specify an appropriate site for the restored DC. This patch makes the restore command work by default (i.e. without a --site option) even if the default Default-First-Site-Name doesn't exist.

  Basically the solution is to just check Default-First-Site-Name exists and create it if it doesn't.

  As the recommended workflow is to use the restored DC as a temporary seed that you'll later throw away, this approach seems acceptable. Subsequent DCs will then be joined to the running restored DC, so an appropriate site will be determined using CLDAP. The only side-effect is potentially an extra Site object.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit ce57a800c9bed7e6876cdc0baf3a2d5fdc879ecf)
* tests: Add test-case for restore into non-default site
  Author: Tim Beale, Age: 2018-11-05, Files: 1, Lines: -0/+33

  Add a test-case that exercises the new '--site' restore option and ensures the restored DC gets added to the correct site.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit ad69aaf7e13435111fc990954ff0bc81ed5325c5)
* netcmd: Add --site option when restoring a domain
  Author: Tim Beale, Age: 2018-11-05, Files: 1, Lines: -6/+8

  Restoring a backup only worked if the Default-First-Site-Name site was still present. When the new restored DC account is created, it was trying to add the new server's DN under CN=Default-First-Site-Name. However, if the original domain was setup using a different site, then the restore would fail because the DN didn't exist.

  When running the restore command, you should be able to specify the site that you want the new/restored DC to be in (same as during a DC 'join'). Passing the correct --site argument is one way to avoid this problem. (A subsequent patch will further improve the tool so it can work around non-default sites automatically).

  Note we also need to pass the site through to where the new DNS entries get registered (in the rename case).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit e1f255a4d54b59924295ea875fdef62ccebb8811)
* test:doc: Skip 'clustering=yes'
  Author: Christof Schmitt, Age: 2018-10-10, Files: 1, Lines: -1/+2

  As testparm will error out when running clustering=yes as non-root, skip this step to avoid a test failure.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (backported from commit 3ecb9ed7b079fc1bf74c311cf5f1684086b36883)
* samba-tool: add virtualKerberosSalt attribute to 'user getpassword/syncpasswords'
  Author: Stefan Metzmacher, Age: 2018-09-05, Files: 1, Lines: -0/+24

  This might be useful for someone, but at least it's very useful for tests.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 39c281a23673691bab621de1a632d64df2c1c102)
* python: Fix print in dns_invalid.py
  Author: Andreas Schneider, Age: 2018-08-23, Files: 1, Lines: -1/+1

  https://bugzilla.samba.org/show_bug.cgi?id=13580
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Sat Aug 18 15:21:39 CEST 2018 on sn-devel-144
  (cherry picked from commit 9ee4d9466e42ef419ddbb39efbc476532cd221d3)
* netcmd: Fix --kerberos=yes and --no-secrets domain backups
  Author: Tim Beale, Age: 2018-08-23, Files: 1, Lines: -7/+16

  The --kerberos=yes and --no-secrets options didn't work in combination for domain backups. The problem was creds.get_username() might not necessarily match the kerberos user (such as in the selftest environment). If this was the case, then trying to reset the admin password failed (because the creds.get_username() didn't exist in the DB).

  Because the admin user always has a fixed RID, we can work out the administrator based on its object SID, instead of relying on the username in the creds.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13566
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Aug 15 10:19:09 CEST 2018 on sn-devel-144
  (cherry picked from commit f249bea1e0538300288e7cf1dcb6037c45f92276)