The branch, master has been updated
via 9afd4be s3-build: Do not write loadparm generated files into the
build tree
via 8e31d97 s3-lib: Convert lib/events.c to modern tevent names
via bf3235f docs: document new server role values
via 60b6348 s3-auth: rework default auth methods around the
lp_server_role() parameter
via 67bdf4f lib/param: Use server role = 'standalone server' to be
consistant with member server
via 11db5b1 lib/param: make security=domain and security=ads conflict
with being a DC
via b8815dc lib/param: Create a seperate server role for "active
directory domain controller"
via b9a75d8 s3-auth: Merge SEC_DOMAIN and SEC_ADS cases in creating the
default auth module list
via 5df459a s3-auth: Fix system info3 return to be just SID_NT_SYSTEM
via 9b3cf96 s3-auth: Fix system token generation not to dereference
pointer as an integer
via f0c5800 s3-auth: Give the SYSTEM token all privileges
from 8cca7b0 s3:smb2_server: remember the request_time on an incoming
request
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9afd4be688429d7bb344087cb3eda876f18e19f9
Author: Andrew Bartlett <[email protected]>
Date: Fri Jun 15 12:34:28 2012 +1000
s3-build: Do not write loadparm generated files into the build tree
We need to keep these files away from where waf might see them.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <[email protected]>
Autobuild-Date(master): Fri Jun 15 11:10:14 CEST 2012 on sn-devel-104
commit 8e31d97c8b62d34aff5d52bfe46dbcc5805dae03
Author: Andrew Bartlett <[email protected]>
Date: Mon Jun 11 14:53:20 2012 +1000
s3-lib: Convert lib/events.c to modern tevent names
commit bf3235f8c6159e238226bef59f39c46ecc6888d8
Author: Andrew Bartlett <[email protected]>
Date: Mon Jun 11 11:40:17 2012 +1000
docs: document new server role values
commit 60b63482441deee2d6db523bd295caf21af187ad
Author: Andrew Bartlett <[email protected]>
Date: Mon Jun 11 10:51:47 2012 +1000
s3-auth: rework default auth methods around the lp_server_role() parameter
To cover all the enum values, ROLE_ACTIVE_DIRECTORY_DOMAIN_CONTROLLER
is mapped to the samba4 auth module, and this is no longer required to
be specified in fileserver.conf.
Andrew Bartlett
commit 67bdf4fa11f097144a831b51c424bdac3618a927
Author: Andrew Bartlett <[email protected]>
Date: Mon Jun 11 10:50:08 2012 +1000
lib/param: Use server role = 'standalone server' to be consistant with
member server
standalne is left as an alias.
Andrew Bartlett
commit 11db5b1f3321b3d5b73bb16f4030111c9a35fbbe
Author: Andrew Bartlett <[email protected]>
Date: Mon Jun 11 10:40:32 2012 +1000
lib/param: make security=domain and security=ads conflict with being a DC
This simplifies our supported configurations down to those that we test and
expect
to work. security=domain and domain logons = yes has never made much
sense, and
security=ads and domain logons = yes was only ever used in early
experiments for
our AD support using smbd.
The correct way to be an AD DC is to set "server role = active directory
domain controller"
Andrew Bartlett
commit b8815dc23d36468cce9b615335ed62f119eb8f35
Author: Andrew Bartlett <[email protected]>
Date: Sun Jun 10 22:08:20 2012 +1000
lib/param: Create a seperate server role for "active directory domain
controller"
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.
To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.
Andrew Bartlett
commit b9a75d8438470065633c1ff69c653eaa799d5718
Author: Andrew Bartlett <[email protected]>
Date: Sun Jun 10 16:05:58 2012 +1000
s3-auth: Merge SEC_DOMAIN and SEC_ADS cases in creating the default auth
module list
commit 5df459aed7f9f85a9eb15a16b1ad5a8bbdd1df5a
Author: Andrew Bartlett <[email protected]>
Date: Thu Jun 14 09:35:10 2012 +1000
s3-auth: Fix system info3 return to be just SID_NT_SYSTEM
The SID for the SYSTEM token should be a fixed value, and not the
administrator. Note however that it will be replaced by the SID of
sec_initial_uid() by the create_local_token() code. Fixing this
requires fixes the other parts of the code that cannot cope with a
token of just SID_NT_SYSTEM.
Andrew Bartlett
commit 9b3cf96fb042429eaf79ede426e406ea1fa32079
Author: Andrew Bartlett <[email protected]>
Date: Thu Jun 14 09:30:37 2012 +1000
s3-auth: Fix system token generation not to dereference pointer as an
integer
This continues on from commit caaebb455cf955f66c2f662c53998c480cb2d6c9
which is marked as being part of bug #8944, ldapsam:trusted and ipasam
and an additional fix for bug #8567
(0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9).
The problem here was that the primary_gid was simply the pointer result
of dom_sid_parse_talloc() cast to a uint32_t (found by the IRIX cc on
the build farm).
Andrew Bartlett
commit f0c58007588f1e6346f378a13c9d881c25eabbd8
Author: Andrew Bartlett <[email protected]>
Date: Fri Jun 15 09:14:26 2012 +1000
s3-auth: Give the SYSTEM token all privileges
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 12 +++---
dfs_server/dfs_server_ad.c | 6 ++--
docs-xml/smbdotconf/security/serverrole.xml | 26 ++++++++++++-
file_server/file_server.c | 1 -
lib/param/loadparm.c | 6 ++--
lib/param/loadparm_server_role.c | 22 ++---------
lib/param/param.h | 2 +-
lib/param/param_enums.c | 10 +++--
lib/param/util.c | 1 +
libds/common/roles.h | 10 ++----
source3/Makefile.in | 26 +++++++-------
source3/auth/auth.c | 39 ++++++++++----------
source3/auth/auth_util.c | 32 +++++++++++------
source3/autoconf/lib/param/README | 3 ++
source3/autoconf/source3/param/README | 3 ++
source3/autogen.sh | 10 +++---
source3/include/smb_macros.h | 2 +-
source3/lib/events.c | 28 +++++++-------
source4/auth/ntlm/auth.c | 1 +
source4/auth/ntlm/auth_sam.c | 2 +-
source4/cldap_server/cldap_server.c | 2 +-
source4/dns_server/dns_server.c | 2 +-
source4/dsdb/dns/dns_update.c | 2 +-
source4/dsdb/kcc/kcc_service.c | 2 +-
source4/dsdb/repl/drepl_service.c | 2 +-
source4/echo_server/echo_server.c | 2 +-
source4/kdc/kdc.c | 6 +++-
source4/ldap_server/ldap_server.c | 2 +-
source4/nbt_server/dgram/netlogon.c | 2 +-
source4/nbt_server/register.c | 2 +-
source4/param/tests/loadparm.c | 2 +-
source4/rpc_server/backupkey/dcesrv_backupkey.c | 2 +-
source4/rpc_server/common/server_info.c | 2 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 4 +-
source4/rpc_server/samr/dcesrv_samr.c | 8 ++--
.../scripting/python/samba/provision/__init__.py | 34 +++++++++--------
source4/scripting/python/samba/tests/provision.py | 7 +++-
source4/smb_server/smb/signing.c | 2 +-
source4/smb_server/smb2/negprot.c | 2 +-
source4/smbd/server.c | 2 +-
source4/winbind/wb_init_domain.c | 2 +-
source4/winbind/wb_server.c | 7 +++-
wscript_build | 2 +-
43 files changed, 189 insertions(+), 153 deletions(-)
create mode 100644 source3/autoconf/lib/param/README
create mode 100644 source3/autoconf/source3/param/README
Changeset truncated at 500 lines:
diff --git a/.gitignore b/.gitignore
index b18a6d1..7f2c590 100644
--- a/.gitignore
+++ b/.gitignore
@@ -90,13 +90,13 @@ source3/script/installbin.sh
source3/script/uninstallbin.sh
source3/smbadduser
source3/smbd/build_options.c
-source3/param/param_global.h
-source3/param/param_local.h
+source3/autoconf/source3/param/param_global.h
+source3/autoconf/source3/param/param_local.h
source3/setup
-lib/param/param_global.h
-lib/param/param_local.h
-lib/param/param_proto.h
-lib/param/s3_param.h
+source3/autoconf/lib/param/param_global.h
+source3/autoconf/lib/param/param_local.h
+source3/autoconf/lib/param/param_proto.h
+source3/autoconf/lib/param/s3_param.h
pidl/blib
pidl/cover_db
pidl/Makefile
diff --git a/dfs_server/dfs_server_ad.c b/dfs_server/dfs_server_ad.c
index b7004c5..6b71f70 100644
--- a/dfs_server/dfs_server_ad.c
+++ b/dfs_server/dfs_server_ad.c
@@ -447,7 +447,7 @@ static NTSTATUS dodomain_referral(struct loadparm_context
*lp_ctx,
/* In the future this needs to be fetched from the ldb */
uint32_t found_domain = 2;
- if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
DEBUG(10 ,("Received a domain referral request on a non DC\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -529,7 +529,7 @@ static NTSTATUS dodc_referral(struct loadparm_context
*lp_ctx,
struct dfs_referral_type *referrals;
const char *referral_str;
- if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -640,7 +640,7 @@ static NTSTATUS dosysvol_referral(struct loadparm_context
*lp_ctx,
NTSTATUS status;
struct dfs_referral_type *referrals;
- if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
return NT_STATUS_INVALID_PARAMETER;
}
diff --git a/docs-xml/smbdotconf/security/serverrole.xml
b/docs-xml/smbdotconf/security/serverrole.xml
index e4e65c2..005b6e9 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -51,9 +51,31 @@
exist as well as the account on the Domain Controller to allow
Samba to have a valid UNIX account to map file access to. Winbind can
provide this.</para>
- <para><anchor id="DC"/><emphasis>SERVER ROLE = DOMAIN
CONTROLLER</emphasis></para>
+ <para><anchor id="PDC"/><emphasis>SERVER ROLE = CLASSIC PRIMARY DOMAIN
CONTROLLER</emphasis></para>
- <para>This mode of operation runs Samba as a domain controller, providing
domain logon services to Windows and Samba clients of the domain. Clients must
be joined to the domain to create a secure, trusted path across the
network.</para>
+ <para>This mode of operation runs a classic Samba primary domain
+ controller, providing domain logon services to Windows and Samba
+ clients of an NT4-like domain. Clients must be joined to the domain to
+ create a secure, trusted path across the network. There must be
+ only one PDC per NetBIOS scope (typcially a broadcast network or
+ clients served by a single WINS server).</para>
+
+ <para><anchor id="BDC"/><emphasis>SERVER ROLE = NETBIOS BACKUP DOMAIN
CONTROLLER</emphasis></para>
+
+ <para>This mode of operation runs a classic Samba backup domain
+ controller, providing domain logon services to Windows and Samba
+ clients of an NT4-like domain. As a BDC, this allows
+ multiple Samba servers to provide rudundent logon services to a
+ single NetBIOS scope.</para>
+
+ <para><anchor id="AD-DC"/><emphasis>SERVER ROLE = ACTIVE DIRECTORY DOMAIN
CONTROLLER</emphasis></para>
+
+ <para>This mode of operation runs Samba as an active directory
+ domain controller, providing domain logon services to Windows and
+ Samba clients of the domain. This role requires special
+ configuration, see the <ulink
+ url="http://wiki.samba.org/index.php/Samba4/HOWTO";>Samba4
+ HOWTO</ulink></para>
</description>
diff --git a/file_server/file_server.c b/file_server/file_server.c
index 9f43ebb..46969f3 100644
--- a/file_server/file_server.c
+++ b/file_server/file_server.c
@@ -49,7 +49,6 @@ static const char *generate_smb_conf(struct task_server *task)
}
fdprintf(fd, "# auto-generated config for fileserver\n");
- fdprintf(fd, "auth methods = samba4\n");
fdprintf(fd, "passdb backend = samba4\n");
fdprintf(fd, "rpc_server:default = external\n");
fdprintf(fd, "rpc_server:svcctl = embedded\n");
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 520fc94..5749c34 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -62,7 +62,7 @@
#include "lib/param/param.h"
#include "lib/param/loadparm.h"
#include "auth/gensec/gensec.h"
-#include "s3_param.h"
+#include "lib/param/s3_param.h"
#include "lib/util/bitmap.h"
#include "libcli/smb/smb_constants.h"
#include "source4/dns_server/dns_update.h"
@@ -88,7 +88,7 @@ static bool defaults_saved = false;
int domain_logons; \
int bPreferredMaster;
-#include "param_global.h"
+#include "lib/param/param_global.h"
#define NUMPARAMETERS (sizeof(parm_table) / sizeof(struct parm_struct))
@@ -105,7 +105,7 @@ static bool handle_debuglevel(struct loadparm_context
*lp_ctx, int unused,
static bool handle_logfile(struct loadparm_context *lp_ctx, int unused,
const char *pszParmValue, char **ptr);
-#include "param_enums.c"
+#include "lib/param/param_enums.c"
#define GLOBAL_VAR(name) offsetof(struct loadparm_global, name)
#define LOCAL_VAR(name) offsetof(struct loadparm_service, name)
diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
index 5a1f498..c088343 100644
--- a/lib/param/loadparm_server_role.c
+++ b/lib/param/loadparm_server_role.c
@@ -41,6 +41,7 @@ static const struct srv_role_tab {
{ ROLE_DOMAIN_MEMBER, "ROLE_DOMAIN_MEMBER" },
{ ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
{ ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
+ { ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
{ 0, NULL }
};
@@ -74,18 +75,7 @@ int lp_find_server_role(int server_role, int security, int
domain_logons, int do
switch (security) {
case SEC_DOMAIN:
- if (domain_logons) {
- DEBUG(1, ("Server's Role (logon server) NOT
ADVISED with domain-level security\n"));
- role = ROLE_DOMAIN_BDC;
- break;
- }
- role = ROLE_DOMAIN_MEMBER;
- break;
case SEC_ADS:
- if (domain_logons) {
- role = ROLE_DOMAIN_CONTROLLER;
- break;
- }
role = ROLE_DOMAIN_MEMBER;
break;
case SEC_AUTO:
@@ -144,21 +134,17 @@ bool lp_is_security_and_server_role_valid(int
server_role, int security)
case ROLE_AUTO:
valid = true;
break;
- case ROLE_STANDALONE:
- if (security == SEC_USER) {
- valid = true;
- }
- break;
-
case ROLE_DOMAIN_MEMBER:
if (security == SEC_ADS || security == SEC_DOMAIN) {
valid = true;
}
break;
+ case ROLE_STANDALONE:
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
- if (security == SEC_USER || security == SEC_ADS || security ==
SEC_DOMAIN) {
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ if (security == SEC_USER) {
valid = true;
}
break;
diff --git a/lib/param/param.h b/lib/param/param.h
index 7842a84..d821fa3 100644
--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -48,7 +48,7 @@ struct smbcli_session_options;
struct gensec_settings;
#ifdef CONFIG_H_IS_FROM_SAMBA
-#include "param/param_proto.h"
+#include "lib/param/param_proto.h"
#endif
const char **lpcfg_interfaces(struct loadparm_context *);
diff --git a/lib/param/param_enums.c b/lib/param/param_enums.c
index 5f4cd61..afcf2f0 100644
--- a/lib/param/param_enums.c
+++ b/lib/param/param_enums.c
@@ -75,13 +75,15 @@ static const struct enum_list enum_csc_policy[] = {
/* Server role options */
static const struct enum_list enum_server_role[] = {
{ROLE_AUTO, "auto"},
+ {ROLE_STANDALONE, "standalone server"},
{ROLE_STANDALONE, "standalone"},
{ROLE_DOMAIN_MEMBER, "member server"},
{ROLE_DOMAIN_MEMBER, "member"},
- /* note that currently
- ROLE_DOMAIN_CONTROLLER == ROLE_DOMAIN_BDC */
- {ROLE_DOMAIN_CONTROLLER, "domain controller"},
- {ROLE_DOMAIN_CONTROLLER, "dc"},
+ {ROLE_DOMAIN_PDC, "classic primary domain controller"},
+ {ROLE_DOMAIN_BDC, "classic backup domain controller"},
+ {ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
+ {ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
+ {ROLE_ACTIVE_DIRECTORY_DC, "dc"},
{-1, NULL}
};
diff --git a/lib/param/util.c b/lib/param/util.c
index f60abb9..98894fc 100644
--- a/lib/param/util.c
+++ b/lib/param/util.c
@@ -260,6 +260,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
switch (lpcfg_server_role(lp_ctx)) {
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
return lpcfg_workgroup(lp_ctx);
default:
return lpcfg_netbios_name(lp_ctx);
diff --git a/libds/common/roles.h b/libds/common/roles.h
index 9dc9a00..4772c8d 100644
--- a/libds/common/roles.h
+++ b/libds/common/roles.h
@@ -30,18 +30,14 @@ enum server_role {
ROLE_DOMAIN_MEMBER = 1,
ROLE_DOMAIN_BDC = 2,
ROLE_DOMAIN_PDC = 3,
+
+ /* not in samr.idl */
+ ROLE_ACTIVE_DIRECTORY_DC = 4,
/* To determine the role automatically, this is not a valid role */
ROLE_AUTO = 100
};
-/* keep compatibility with the s4 'ROLE_DOMAIN_CONTROLLER' by mapping
- * it to ROLE_DOMAIN_BDC. The PDC/BDC split is really historical from
- * NT4 domains which were not multi-master, but even in AD there is
- * only one machine that has the PDC FSMO role in a domain.
-*/
-#define ROLE_DOMAIN_CONTROLLER ROLE_DOMAIN_BDC
-
/* security levels for 'security =' option
--------------
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 9271baa..43dfb94 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -171,7 +171,7 @@ FLAGS = -I. \
-I$(srcdir)/lib \
-I.. \
-Iautoconf \
- -Iautoconf/librpc \
+ -Iautoconf/source3 \
-I./../lib/ldb/include \
-D_SAMBA_BUILD_=3
@@ -1679,18 +1679,18 @@ idl_full::
@PIDL_OUTPUTDIR="autoconf/librpc/gen_ndr" PIDL_ARGS="$(PIDL_ARGS)"
CPP="$(CPP)" PIDL="../pidl/pidl" \
srcdir="$(srcdir)" $(srcdir)/script/build_idl.sh --full $(IDL_FILES)
-mkparam: ../lib/param/param_local.h ../lib/param/param_global.h
param/param_global.h ../lib/param/param_proto.h ../lib/param/s3_param.h
-
-../lib/param/param_local.h:
- $(PERL) ../script/mkparamdefs.pl
$(srcdir)/../lib/param/param_functions.c --file ../lib/param/param_local.h
--generate-scope=LOCAL
-../lib/param/param_global.h:
- $(PERL) ../script/mkparamdefs.pl
$(srcdir)/../lib/param/param_functions.c $(srcdir)/../lib/param/loadparm.c
--file ../lib/param/param_global.h --generate-scope=GLOBAL
-param/param_global.h:
- $(PERL) ../script/mkparamdefs.pl
$(srcdir)/../lib/param/param_functions.c $(srcdir)/param/loadparm.c --file
param/param_global.h --generate-scope=GLOBAL
-../lib/param/param_proto.h:
- $(PERL) ../source4/script/mkproto.pl
$(srcdir)/../lib/param/param_functions.c $(srcdir)/../lib/param/loadparm.c
--public ../lib/param/param_proto.h --private ../lib/param/param_proto.h
-../lib/param/s3_param.h:
- $(PERL) ../script/mks3param.pl
$(srcdir)/../lib/param/param_functions.c $(srcdir)/../lib/param/loadparm.c
--file ../lib/param/s3_param.h
+mkparam: autoconf/lib/param/param_local.h autoconf/lib/param/param_global.h
autoconf/source3/param/param_global.h autoconf/lib/param/param_proto.h
autoconf/lib/param/s3_param.h
+
+autoconf/lib/param/param_local.h:
+ $(PERL) ../script/mkparamdefs.pl
$(srcdir)/../lib/param/param_functions.c --file
autoconf/lib/param/param_local.h --generate-scope=LOCAL
+autoconf/lib/param/param_global.h:
+ $(PERL) ../script/mkparamdefs.pl
$(srcdir)/../lib/param/param_functions.c $(srcdir)/../lib/param/loadparm.c
--file autoconf/lib/param/param_global.h --generate-scope=GLOBAL
+autoconf/source3/param/param_global.h:
+ $(PERL) ../script/mkparamdefs.pl
$(srcdir)/../lib/param/param_functions.c $(srcdir)/param/loadparm.c --file
autoconf/source3/param/param_global.h --generate-scope=GLOBAL
+autoconf/lib/param/param_proto.h:
+ $(PERL) ../source4/script/mkproto.pl
$(srcdir)/../lib/param/param_functions.c $(srcdir)/../lib/param/loadparm.c
--public autoconf/lib/param/param_proto.h --private
autoconf/lib/param/param_proto.h
+autoconf/lib/param/s3_param.h:
+ $(PERL) ../script/mks3param.pl
$(srcdir)/../lib/param/param_functions.c $(srcdir)/../lib/param/loadparm.c
--file autoconf/lib/param/s3_param.h
#####################################################################
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index c442a53..6713193 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -486,38 +486,39 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
}
if (auth_method_list == NULL) {
- switch (lp_security())
+ switch (lp_server_role())
{
- case SEC_DOMAIN:
- DEBUG(5,("Making default auth method list for
security=domain\n"));
+ case ROLE_DOMAIN_MEMBER:
+ DEBUG(5,("Making default auth method list for server
role = 'domain member'\n"));
auth_method_list = str_list_make_v3(
talloc_tos(), "guest sam winbind:ntdomain",
NULL);
break;
- case SEC_USER:
- if (lp_encrypted_passwords()) {
- if ((lp_server_role() == ROLE_DOMAIN_PDC) ||
(lp_server_role() == ROLE_DOMAIN_BDC)) {
- DEBUG(5,("Making default auth method
list for DC, security=user, encrypt passwords = yes\n"));
- auth_method_list = str_list_make_v3(
- talloc_tos(),
- "guest sam winbind:trustdomain",
- NULL);
- } else {
- DEBUG(5,("Making default auth method
list for standalone security=user, encrypt passwords = yes\n"));
- auth_method_list = str_list_make_v3(
+ case ROLE_DOMAIN_BDC:
+ case ROLE_DOMAIN_PDC:
+ DEBUG(5,("Making default auth method list for DC\n"));
+ auth_method_list = str_list_make_v3(
+ talloc_tos(),
+ "guest sam winbind:trustdomain",
+ NULL);
+ break;
+ case ROLE_STANDALONE:
+ DEBUG(5,("Making default auth method list for server
role = 'standalone server', encrypt passwords = yes\n"));
+ if (lp_encrypted_passwords()) {
+ auth_method_list = str_list_make_v3(
talloc_tos(), "guest sam",
NULL);
- }
} else {
- DEBUG(5,("Making default auth method list for
security=user, encrypt passwords = no\n"));
+ DEBUG(5,("Making default auth method list for
server role = 'standalone server', encrypt passwords = no\n"));
auth_method_list = str_list_make_v3(
talloc_tos(), "guest unix", NULL);
}
break;
- case SEC_ADS:
- DEBUG(5,("Making default auth method list for
security=ADS\n"));
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ DEBUG(5,("Making default auth method list for server
role = 'active directory domain controller'\n"));
auth_method_list = str_list_make_v3(
- talloc_tos(), "guest sam winbind:ntdomain",
+ talloc_tos(),
+ "samba4",
NULL);
break;
default:
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index f270ccd..eb5961d 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -775,7 +775,8 @@ static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
struct passwd *pwd,
struct netr_SamInfo3 *info3)
{
- struct dom_sid domain_sid;
+ NTSTATUS status;
+ struct dom_sid *system_sid;
const char *tmp;
/* Set account name */
@@ -792,19 +793,24 @@ static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
}
init_lsa_StringLarge(&info3->base.logon_domain, tmp);
- /* Domain sid */
- sid_copy(&domain_sid, get_global_sam_sid());
- info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
- if (info3->base.domain_sid == NULL) {
+ /* The SID set here will be overwirtten anyway, but try and make it
SID_NT_SYSTEM anyway */
+ /* Domain sid is NT_AUTHORITY */
+
+ system_sid = dom_sid_parse_talloc(mem_ctx, SID_NT_SYSTEM);
+ if (system_sid == NULL) {
return NT_STATUS_NO_MEMORY;
}
-
- /* Admin rid */
- info3->base.rid = DOMAIN_RID_ADMINISTRATOR;
-
- /* Primary gid */
- info3->base.primary_gid = dom_sid_parse_talloc(mem_ctx, SID_NT_SYSTEM);
+
+ status = dom_sid_split_rid(mem_ctx, system_sid,
&info3->base.domain_sid,
+ &info3->base.rid);
+ TALLOC_FREE(system_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /* Primary gid is the same */
+ info3->base.primary_gid = info3->base.rid;
return NT_STATUS_OK;
}
@@ -982,6 +988,10 @@ static NTSTATUS
make_system_session_info_from_pw(TALLOC_CTX *mem_ctx,
}
talloc_free(server_info);
+
+ /* SYSTEM has all privilages */
+ (*session_info)->security_token->privilege_mask = ~0;
+
talloc_steal(mem_ctx, *session_info);
status = NT_STATUS_OK;
diff --git a/source3/autoconf/lib/param/README
b/source3/autoconf/lib/param/README
new file mode 100644
index 0000000..2d7cf01
--- /dev/null
+++ b/source3/autoconf/lib/param/README
@@ -0,0 +1,3 @@
+This file denoates the output location of perl-generated files that we need
for loadparm.
+
+To ensure no conflict between waf and autoconf, we generate the files here.
\ No newline at end of file
diff --git a/source3/autoconf/source3/param/README
b/source3/autoconf/source3/param/README
new file mode 100644
index 0000000..2d7cf01
--- /dev/null
+++ b/source3/autoconf/source3/param/README
@@ -0,0 +1,3 @@
+This file denoates the output location of perl-generated files that we need
for loadparm.
+
+To ensure no conflict between waf and autoconf, we generate the files here.
\ No newline at end of file
diff --git a/source3/autogen.sh b/source3/autogen.sh
index 15689e0..bd0d99d 100755
--- a/source3/autogen.sh
+++ b/source3/autogen.sh
@@ -95,11 +95,11 @@ else
echo "some autconf tests might not work properly"
fi
-perl ../script/mkparamdefs.pl ../lib/param/param_functions.c --file
../lib/param/param_local.h --generate-scope=LOCAL
-perl ../script/mkparamdefs.pl ../lib/param/loadparm.c
../lib/param/param_functions.c --file ../lib/param/param_global.h
--generate-scope=GLOBAL
-perl ../script/mkparamdefs.pl param/loadparm.c ../lib/param/param_functions.c
--file param/param_global.h --generate-scope=GLOBAL
-perl ../source4/script/mkproto.pl ../lib/param/loadparm.c
../lib/param/param_functions.c --public ../lib/param/param_proto.h --private
../lib/param/param_proto.h
-perl ../script/mks3param.pl ../lib/param/loadparm.c
../lib/param/param_functions.c --file ../lib/param/s3_param.h
+perl ../script/mkparamdefs.pl ../lib/param/param_functions.c --file
autoconf/lib/param/param_local.h --generate-scope=LOCAL
+perl ../script/mkparamdefs.pl ../lib/param/loadparm.c
../lib/param/param_functions.c --file autoconf/lib/param/param_global.h
--generate-scope=GLOBAL
+perl ../script/mkparamdefs.pl param/loadparm.c ../lib/param/param_functions.c
--file autoconf/source3/param/param_global.h --generate-scope=GLOBAL
+perl ../source4/script/mkproto.pl ../lib/param/loadparm.c
../lib/param/param_functions.c --public autoconf/lib/param/param_proto.h
--private ../lib/param/param_proto.h
+perl ../script/mks3param.pl ../lib/param/loadparm.c
../lib/param/param_functions.c --file autoconf/lib/param/s3_param.h
echo "Now run ./configure (or ./configure.developer) and then make."
exit 0
diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h
index 048e560..73f8fb3 100644
--- a/source3/include/smb_macros.h
+++ b/source3/include/smb_macros.h
@@ -190,7 +190,7 @@ copy an IP address from one buffer to another
Check to see if we are a DC for this domain
*****************************************************************************/
-#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC ||
lp_server_role()==ROLE_DOMAIN_BDC)
+#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC ||
lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() ==
ROLE_ACTIVE_DIRECTORY_DC)
/*
* If you add any entries to KERBEROS_VERIFY defines, please modify the below
expressions
diff --git a/source3/lib/events.c b/source3/lib/events.c
index c71876c..64ea3ad 100644
--- a/source3/lib/events.c
+++ b/source3/lib/events.c
@@ -59,7 +59,7 @@ static void count_fds(struct tevent_context *ev,
int max_fd = 0;
for (fde = ev->fd_events; fde != NULL; fde = fde->next) {
- if (fde->flags & (EVENT_FD_READ|EVENT_FD_WRITE)) {
+ if (fde->flags & (TEVENT_FD_READ|TEVENT_FD_WRITE)) {
num_fds += 1;
if (fde->fd > max_fd) {
--
Samba Shared Repository
