path: root/python
Commit message | Author | Age | Files | Lines
* samba-tool: add --decrypt-samba-gpg support to 'user getpasswords' and 'user syncpasswords' | Stefan Metzmacher | 2016-07-22 | 1 | -11/+152
  This gets the cleartext passwords by decrypting the 'Primary:SambaGPG' value in order to provide the virtual attributes: virtualClearTextUTF16, virtualClearTextUTF8, virtualCryptSHA256, virtualCryptSHA512, virtualSSHA
  The virtual attribute virtualSambaGPG provides the raw (encrypted) value of the 'Primary:SambaGPG' value.
  See the "password hash gpg key ids" option for the encryption part of this feature.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* python:samba/tests: add simple 'samba-tool user syncpasswords' test | Stefan Metzmacher | 2016-07-22 | 1 | -1/+45
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* samba-tool: add 'user syncpasswords' command | Stefan Metzmacher | 2016-07-22 | 1 | -0/+760
  This provides an easy way to keep passwords in sync with another account database, e.g. an OpenLDAP server.
  It provides a functionality like the "passwd program" for the "unix password sync" feature of a standalone, member and classic (NT4) server, but for an active directory domain controller.
  The provided script is called for each account/password related change.
  Like the 'user getpassword' command it allows virtual attributes like: virtualClearTextUTF16, virtualClearTextUTF8, virtualCryptSHA256, virtualCryptSHA512, virtualSSHA
  Note that this command should just run on a single domain controller (typically the PDC-emulator).
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* python:samba/tests: verify the packages order in supplementalCredentials | Stefan Metzmacher | 2016-07-22 | 1 | -0/+75
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python:samba/tests: add simple 'samba-tool user getpassword' test | Stefan Metzmacher | 2016-07-22 | 1 | -1/+23
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool: add 'user getpassword' command | Stefan Metzmacher | 2016-07-22 | 1 | -0/+408
  This provides an easy way to get the passwords of a user including the cleartext passwords (if stored) and derived hashes.
  This is done by providing virtual attributes like: virtualClearTextUTF16, virtualClearTextUTF8, virtualCryptSHA256, virtualCryptSHA512, virtualSSHA
  This is much easier than using ldbsearch and manually parsing the supplementalCredentials attribute.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* kcc: correct a typo in the debug messages | Garming Sam | 2016-07-21 | 1 | -2/+2
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dbcheck: Add a rule regarding replica locations | Garming Sam | 2016-07-21 | 1 | -1/+57
  This fixes any RW DCs with repsFrom without the corresponding link. On any RODC, this just reports an error (and doesn't fix it).
  (the knownfail entry is also now removed)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* join.py: Don't add replica locations without the backend | Garming Sam | 2016-07-21 | 1 | -7/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* join.py: Add Replica-Locations for DomainDNS and ForestDNS | Garming Sam | 2016-07-21 | 1 | -4/+31
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* join.py: Ensure that all expressions are escaped | Garming Sam | 2016-07-21 | 1 | -4/+6
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kcc: Make more fault tolerant on DC demotion | Garming Sam | 2016-07-21 | 1 | -0/+9
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba_kcc: match translate connection from old KCC for RWDC | Garming Sam | 2016-07-21 | 1 | -0/+6
  This makes it so that repsTo are always regenerated on the target DCs. This also happens elsewhere in drepl_out, but is to be removed.
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba_kcc: match translate connection from old KCC for RODC | Garming Sam | 2016-07-21 | 1 | -2/+17
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kcc: Prevent the KCC from doing work on the RODC | Garming Sam | 2016-07-21 | 1 | -4/+20
  This should never have done any real work, new code or not. This just removes the initial KCC calls and bails out in the KCC if we actually ran it.
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool: Speed up all samba-tool commands | Garming Sam | 2016-07-20 | 1 | -37/+41
  This in particular helps the docs.py test halve in time (at least on my machine)
  NOTE: The removal of enable_null_tracking is required because we are no longer importing join.py in every single samba-tool invocation. Without removing this line, memory would be hanging from both the actual NULL context and the talloc_null_context (causing a segfault at system_exit).
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Autobuild-User(master): Garming Sam <garming@samba.org>
  Autobuild-Date(master): Wed Jul 20 12:47:24 CEST 2016 on sn-devel-144
* join.py: Remove talloc enable_null_tracking | Garming Sam | 2016-07-19 | 1 | -3/+0
  The removal of enable_null_tracking is required because we will no longer be importing join.py in every single samba-tool invocation. Without removing this line, memory would be hanging from both the actual NULL context and the talloc_null_context (causing a segfault at system_exit).
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool: Put full command and subcommand in informative name when testing samba-tool | Andrew Bartlett | 2016-07-19 | 1 | -2/+2
  These are not used for anything other than to print in the usage, but it seems nicer to match normal invocation of these commands
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* dbcheck: Split out valid stale DN links and invalid ones | Garming Sam | 2016-07-15 | 1 | -8/+35
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dbcheck: change argument to specify a partial --yes | Garming Sam | 2016-07-15 | 2 | -4/+25
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dbcheck: check for linked attributes that should not exist | Douglas Bagnall | 2016-07-15 | 1 | -44/+90
  In order to do this we need to use the reveal internals control, which breaks the comparison against extended DNs. So we compare the components instead.
  Because this patch makes our code notice and fix stale one-way-links (eg, after a rename) now, the renamedc test needs to be adjusted to match.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* dbcheck: cache linkIDs and reverse attribute names | Douglas Bagnall | 2016-07-15 | 1 | -5/+17
  This avoids fetching the same schema things again and again.
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dbcheck: Script swallows input when given a carriage return | Garming Sam | 2016-07-15 | 1 | -1/+1
  Signed-off-by: Garming Sam <garming@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python/remove_dc: handle dnsNode objects without dnsRecord attribute | Stefan Metzmacher | 2016-07-13 | 1 | -6/+5
  If we have dnsNode objects without dnsRecord attribute values we trigger the following error triggered by 'samba-tool domain demote --remove-other-dead-server=server2'
    ERROR(<type 'exceptions.TypeError'>): uncaught exception - __ndr_unpack__() argument 1 must be string or read-only buffer, not dnsp.DnssrvRpcRecord
      File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 720, in run
        remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
      File "/usr/lib64/python2.6/site-packages/samba/remove_dc.py", line 423, in remove_dc
        remove_dns_account=True)
      File "/usr/lib64/python2.6/site-packages/samba/remove_dc.py", line 351, in offline_remove_ntds_dc
        remove_dns_account=remove_dns_account)
      File "/usr/lib64/python2.6/site-packages/samba/remove_dc.py", line 266, in offline_remove_server
        remove_dns_references(samdb, logger, dnsHostName)
      File "/usr/lib64/python2.6/site-packages/samba/remove_dc.py", line 186, in remove_dns_references
        for v in values if not to_remove(v) ]
      File "/usr/lib64/python2.6/site-packages/samba/remove_dc.py", line 160, in to_remove
        dnsRecord = ndr_unpack(dnsp.DnssrvRpcRecord, value)
      File "/usr/lib64/python2.6/site-packages/samba/ndr.py", line 45, in ndr_unpack
        object.__ndr_unpack__(data, allow_remaining=allow_remaining)
    A transaction is still active in ldb context [0xe1f320] on tdb:///var/lib/samba/private/sam.ldb
  "next" is used in perl not in python!
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12018
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Jul 13 10:10:30 CEST 2016 on sn-devel-144
* samba-tool drs replicate: Allow replication call to take as long as required | Andrew Bartlett | 2016-07-12 | 1 | -1/+2
  This matches the behaviour in the drsuapi server for DsReplicaSync
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* pyrpc: Allow control of RPC timeout for IRPC | Andrew Bartlett | 2016-07-12 | 1 | -0/+1
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* Fix typo in python/samba/provision/__init__.py | Rowland Penny | 2016-07-12 | 1 | -1/+1
  Signed-off-by: Rowland Penny <rpenny@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Jul 12 06:58:47 CEST 2016 on sn-devel-144
* tests/dns_update: Add error message for diagnosis | Garming Sam | 2016-07-11 | 1 | -8/+8
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Garming Sam <garming@samba.org>
  Autobuild-Date(master): Mon Jul 11 10:58:16 CEST 2016 on sn-devel-144
* selftest: Add more tests for samba-tool drs replicate | Andrew Bartlett | 2016-07-08 | 1 | -0/+45
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Jul 8 13:39:01 CEST 2016 on sn-devel-144
* samba-tool: Add --local-online mode to samba-tool drs replicate | Andrew Bartlett | 2016-07-08 | 1 | -3/+12
  This mode avoids an issue with using -P on an RODC, instead using an IRPC message to trigger online replication right away
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* samba-tool: Add success message to samba-tool drs replicate --local | Andrew Bartlett | 2016-07-08 | 1 | -0/+2
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* tests:samba3sam: make use of the dsdb_flags_ignore module | Stefan Metzmacher | 2016-07-08 | 1 | -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* provision: Ignore duplicate attid and governsID check | Bob Campbell | 2016-07-06 | 2 | -4/+22
  During the provision this causes a huge performance hit as these two attributes are unindexed.
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
* provision_fill: move GPO into transaction | Bob Campbell | 2016-07-06 | 1 | -5/+7
  Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
* provision_fill: move most db accesses into transactions | Bob Campbell | 2016-07-06 | 2 | -230/+232
  Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
* selftest: add check password script test | Bob Campbell | 2016-07-05 | 1 | -0/+97
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool: add 'samba-tool user setpassword --smartcard-required/--clear-smartcard-required' | Stefan Metzmacher | 2016-06-30 | 1 | -10/+52
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool: do a password retype validation check for 'samba-tool user setpassword' | Stefan Metzmacher | 2016-06-30 | 1 | -3/+7
  This matches the behavior of 'samba-tool user create' and 'samba-tool user password'.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool: add --smartcard-required option to 'samba-tool user create' | Stefan Metzmacher | 2016-06-30 | 1 | -3/+20
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samdb.py: add smartcard_required option to newuser() | Stefan Metzmacher | 2016-06-30 | 1 | -1/+7
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool: really deprecate 'samba-tool user add' | Stefan Metzmacher | 2016-06-27 | 1 | -3/+3
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python/tests: add auth_pad test for the dcerpc raw_protocol test | Stefan Metzmacher | 2016-06-24 | 1 | -0/+548
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11982
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Jun 24 18:08:44 CEST 2016 on sn-devel-144
* flapping: temporarily add samba_dnsupdate test | Garming Sam | 2016-06-16 | 1 | -2/+11
  This should be removed when we can run nsupdate on sn-devel
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Garming Sam <garming@samba.org>
  Autobuild-Date(master): Thu Jun 16 08:37:56 CEST 2016 on sn-devel-144
* drs: Send DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP by default | Garming | 2016-06-16 | 1 | -1/+2
  This flag is not implemented in Samba, however, on an RODC replicating from Windows, failing to send this flag leaves out group memberships.
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* selftest: Add a DNS test matching Windows | Andrew Bartlett | 2016-06-16 | 1 | -0/+76
  This performs the same steps as Windows does
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* selftest: confirm samba_dnsupdate works in both nsupdate and samba_tool mode | Andrew Bartlett | 2016-06-16 | 1 | -0/+50
  This can be extended, but already checks the basic functionality
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* samba-tool domain join: Refuse to re-join a DC with a still-valid password | Andrew Bartlett | 2016-06-16 | 2 | -62/+118
  While the DC will eventually get back to the same state, it can take a while, so try harder not to overwrite our already-working account
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* samba-tool: Improve fsmo handling | Andrew Bartlett | 2016-06-16 | 2 | -40/+62
  This makes a clear separation between data and display variables and improves the tests.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* selftest: Rebase DrsBaseTestCase on SambaToolCmdTest | Andrew Bartlett | 2016-06-16 | 1 | -1/+1
  This then makes SambaToolCmdTest based on BlackboxTestCase.
  This allows us to use better command output testing in the fsmo tests
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* selftest: add test for DNS updates with TKEY/TSIG | Ralph Boehme | 2016-06-16 | 1 | -0/+487
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Autobuild-User(master): Garming Sam <garming@samba.org>
  Autobuild-Date(master): Thu Jun 16 04:07:41 CEST 2016 on sn-devel-144