The branch, master has been updated
       via  2ed6b08 auth: Ensure auth_sam is not used on the AD DC
       via  9b24f65 dsdb: Expand on what the error finding the ntSecurityDescriptor was in acl_read
       via  60d1c2d autobuild.py add ntdb to the samba-libs task, to ensure it works as an external library
       via  73628e9 rpc_server-drsuapi: Include the failing DN when unable to convert DB objects to DRS
       via  11e716a dsdb-schema: Print clear debug message when we find a OID in our local DB we cannot convert
       via  25402e0 dsdb-repl: Allow the name attribute (and name-based schema lookups) to be skipped in dsdb_repl_make_working_schema()
       via  3482060 python-samba-tool domain classicupgrade: Use transactions when adding users/groups/members
       via  ef895fe samba-tool dbcheck: Use dsdb.DS_GUID_DELETED_OBJECTS_CONTAINER rather than the literal value
       via  9c5756c python-samba-tool domain classicupgrade: Correct message about re-promoting BDCs
       via  1165776 pdb_ldap: Do not skip accounts without a sambaAcctFlags value
       via  2c04719 python-samba-tool domain classicupgrade: Actually Skip domain trust accounts
       via  2e1f143 python-samba-tool domain classicupgrade: Skip machine accounts that do not end in $
       via  2044541 build: Do not set PATH in install_with_python now we set $PYTHON
       via  10f6926 s3-rpc_server: Ensure we are root when starting and using gensec
       via  9430310 gensec: Make the no-hostname status message much less scary
       via  768c3bb build: Blacklist the release-4-0-0 provision as well
      from  46e98cf dns: Fix allocation of txt_record in txt record tests

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2ed6b0818a68ac07bd9c4270522aa8e2098ec140
Author: Andrew Bartlett <[email protected]>
Date:   Thu May 16 10:32:50 2013 +1000

    auth: Ensure auth_sam is not used on the AD DC
    
    Reviewed-by: Stefan Metzmacher <[email protected]>
    
    Autobuild-User(master): Stefan Metzmacher <[email protected]>
    Autobuild-Date(master): Thu May 16 22:51:26 CEST 2013 on sn-devel-104

commit 9b24f6523e8c78879ada3e6d2927ebbb21dabfdc
Author: Andrew Bartlett <[email protected]>
Date:   Mon May 13 14:06:14 2013 +1200

    dsdb: Expand on what the error finding the ntSecurityDescriptor was in acl_read
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 60d1c2d5288b01bd9a99f90bb0a9d0ff3c873412
Author: Andrew Bartlett <[email protected]>
Date:   Mon May 13 14:05:28 2013 +1200

    autobuild.py add ntdb to the samba-libs task, to ensure it works as an external library
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 73628e9cd9005478cdb225f01917eb54270a3c05
Author: Andrew Bartlett <[email protected]>
Date:   Tue Apr 2 16:10:03 2013 +1100

    rpc_server-drsuapi: Include the failing DN when unable to convert DB objects to DRS
    
    This is a very serious situation (it should not happen) so getting information on the
    objects that this happens for would be very helpful.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 11e716ae0736067272868b997367e94ebf1cdf3b
Author: Andrew Bartlett <[email protected]>
Date:   Tue Apr 2 15:36:47 2013 +1100

    dsdb-schema: Print clear debug message when we find a OID in our local DB we cannot convert
    
    We need to work out why we are unable to make a mapping for an OID in our database, because
    we should not have been able to add it without such a mapping.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 25402e06bcdf98e346fdbbfa7e8740504329b42f
Author: Andrew Bartlett <[email protected]>
Date:   Tue Mar 26 11:51:38 2013 +1100

    dsdb-repl: Allow the name attribute (and name-based schema lookups) to be skipped in dsdb_repl_make_working_schema()
    
    This allows us to use a schema that may only be valid for attributeID based lookups, during the schema load.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 34820602715cc8936179091e188993f7a42808ac
Author: Andrew Bartlett <[email protected]>
Date:   Sun Apr 14 14:36:08 2013 +1000

    python-samba-tool domain classicupgrade: Use transactions when adding users/groups/members
    
    This should make things a bit faster when importing very large numbers of users
    as we will not constantly rewrite the indices on disk.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit ef895fe9e4e4043bd4ce1db5007fd2016f0b8673
Author: Andrew Bartlett <[email protected]>
Date:   Sun Apr 14 13:32:05 2013 +1000

    samba-tool dbcheck: Use dsdb.DS_GUID_DELETED_OBJECTS_CONTAINER rather than the literal value
    
    This is better practice.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 9c5756c077896e6a3ff8e610acf706f203e4dede
Author: Andrew Bartlett <[email protected]>
Date:   Thu Apr 11 18:13:16 2013 +1000

    python-samba-tool domain classicupgrade: Correct message about re-promoting BDCs
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 1165776d861e8e4f2fe26dcaf1e9dabdcc0a4179
Author: Andrew Bartlett <[email protected]>
Date:   Thu Apr 11 17:21:33 2013 +1000

    pdb_ldap: Do not skip accounts without a sambaAcctFlags value
    
    We allow this to mean a sambaAcctFlags value of zero in other parts of the code
    and by allowing these users to show up in a search, we can read and correct them
    during the classicupgrade, rather than not know they exist at all.
    
    Most parts of the code do not look for ACB_NORMAL, which is why
    these users appear to work.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 2c047198caccea30e8583dda869d513913fe1702
Author: Andrew Bartlett <[email protected]>
Date:   Thu Apr 11 09:33:16 2013 +1000

    python-samba-tool domain classicupgrade: Actually Skip domain trust accounts
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 2e1f14355c162dde0190ac2cb105a34607134e02
Author: Andrew Bartlett <[email protected]>
Date:   Thu Apr 11 09:32:13 2013 +1000

    python-samba-tool domain classicupgrade: Skip machine accounts that do not end in $
    
    These accounts will not work anyway, as all the domain member lookup code in netlogon expects the $.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 20445415307ae3d6524995d0128862dcbc119684
Author: Andrew Bartlett <[email protected]>
Date:   Wed May 8 12:59:05 2013 +1200

    build: Do not set PATH in install_with_python now we set $PYTHON
    
    This will ensure that the scripts get rewritten to use this specific python, as it
    will not be found in the path by the waf scripts.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 10f6926aaa6a8c49b29e183d12f6f767072ecff7
Author: Andrew Bartlett <[email protected]>
Date:   Thu May 2 16:29:21 2013 +1200

    s3-rpc_server: Ensure we are root when starting and using gensec
    
    This fixes bug 9465.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 9430310dc3adaf98dbff494a1056e02f8750c41d
Author: Andrew Bartlett <[email protected]>
Date:   Mon Apr 29 10:00:04 2013 +1000

    gensec: Make the no-hostname status message much less scary
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 768c3bb16ae8aac2d96d4fa0d8a7593fc9be6ca8
Author: Andrew Bartlett <[email protected]>
Date:   Fri Apr 26 16:44:00 2013 +1000

    build: Blacklist the release-4-0-0 provision as well
    
    This reduces the size of the published tarball while ensuring we test with it
    during autobuild.
    
    Andrew Bartlett
    
    Reviewed-by: Stefan Metzmacher <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 install_with_python.sh                    |    2 -
 python/samba/dbchecker.py                 |    2 +-
 python/samba/upgrade.py                   |  118 ++++++++++++++++++++---------
 script/autobuild.py                       |    6 +-
 source3/auth/auth_sam.c                   |    7 ++
 source3/passdb/pdb_ldap.c                 |    8 +-
 source3/rpc_server/dcesrv_auth_generic.c  |   38 ++++++++--
 source4/auth/gensec/gensec_gssapi.c       |    2 +-
 source4/auth/gensec/gensec_krb5.c         |    2 +-
 source4/dsdb/repl/replicated_objects.c    |   31 +++++---
 source4/dsdb/samdb/ldb_modules/acl_read.c |   10 ++-
 source4/dsdb/schema/schema_prefixmap.c    |    1 +
 source4/rpc_server/drsuapi/getncchanges.c |   10 ++-
 wscript                                   |    2 +-
 14 files changed, 168 insertions(+), 71 deletions(-)


Changeset truncated at 500 lines:

diff --git a/install_with_python.sh b/install_with_python.sh
index 7b51e5c..e545ecc 100755
--- a/install_with_python.sh
+++ b/install_with_python.sh
@@ -12,8 +12,6 @@ fi
 PREFIX="$1"
 shift
 
-PATH=$PREFIX/python/bin:$PATH
-export PATH
 LD_LIBRARY_PATH=$PREFIX/python/lib:$LD_LIBRARY_PATH
 export LD_LIBRARY_PATH
 
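Review bot: with `PATH=$PREFIX/python/bin:$PATH` removed, this script now depends entirely on `$PYTHON` being set by the caller, and nothing in the hunk checks that; an early `[ -n "$PYTHON" ] || exit 1` with a message would turn a silent fall-back to whatever `python` is first on the caller's PATH into a clear failure.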
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index d0d0ab3..e88f876 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -251,7 +251,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), 
str(to_base)))
 
     def is_deleted_objects_dn(self, dsdb_dn):
         '''see if a dsdb_Dn is the special Deleted Objects DN'''
-        return dsdb_dn.prefix == "B:32:18E2EA80684F11D2B9AA00C04F79F805:"
+        return dsdb_dn.prefix == "B:32:%s:" % 
dsdb.DS_GUID_DELETED_OBJECTS_CONTAINER
 
     def err_deleted_dn(self, dn, attrname, val, dsdb_dn, correct_dn):
         """handle a DN pointing to a deleted object"""
diff --git a/python/samba/upgrade.py b/python/samba/upgrade.py
index af854ef..817981e 100644
--- a/python/samba/upgrade.py
+++ b/python/samba/upgrade.py
@@ -698,15 +698,17 @@ def upgrade_from_samba3(samba3, logger, targetdir, 
session_info=None,
 
         user = s3db.getsampwnam(username)
         acct_type = (user.acct_ctrl & 
(samr.ACB_NORMAL|samr.ACB_WSTRUST|samr.ACB_SVRTRUST|samr.ACB_DOMTRUST))
-        if (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST):
-            pass
-
-        elif acct_type == samr.ACB_SVRTRUST:
-            logger.warn("  Demoting BDC account trust for %s, this DC must be 
elevated to an AD DC using 'samba-tool domain promote'" % username[:-1])
+        if acct_type == samr.ACB_SVRTRUST:
+            logger.warn("  Demoting BDC account trust for %s, this DC must be 
elevated to an AD DC using 'samba-tool domain dcpromo'" % username[:-1])
             user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | 
samr.ACB_WSTRUST
 
         elif acct_type == samr.ACB_DOMTRUST:
             logger.warn("  Skipping inter-domain trust from domain %s, this 
trust must be re-created as an AD trust" % username[:-1])
+            continue
+
+        elif acct_type == (samr.ACB_WSTRUST) and username[-1] != '$':
+            logger.warn("  Skipping account %s that has ACB_WSTRUST (W) set 
but does not end in $.  This account can not have worked, and is probably left 
over from a misconfiguration." % username)
+            continue
 
         elif acct_type == (samr.ACB_NORMAL|samr.ACB_WSTRUST) and username[-1] 
== '$':
             logger.warn("  Fixing account %s which had both ACB_NORMAL (U) and 
ACB_WSTRUST (W) set.  Account will be marked as ACB_WSTRUST (W), i.e. as a 
domain member" % username)
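Review bot: the `elif acct_type == (samr.ACB_WSTRUST) and username[-1] != '$':` branch and the `ACB_DOMTRUST` branch above it both drop an account from the migration after a `logger.warn(...)`; since the operator has to verify afterwards that nothing expected went missing, consider counting or listing the skipped accounts at the end of the upgrade rather than relying on a warning in the middle of a long log. Also a style point: the parentheses around `samr.ACB_WSTRUST` are redundant, and "can not have worked" should read "cannot have worked".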
@@ -716,6 +718,12 @@ def upgrade_from_samba3(samba3, logger, targetdir, 
session_info=None,
             logger.warn("  Fixing account %s which had both ACB_NORMAL (U) and 
ACB_SVRTRUST (S) set.  Account will be marked as ACB_WSTRUST (S), i.e. as a 
domain member" % username)
             user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
 
+        elif acct_type == 0 and username[-1] != '$':
+            user.acct_ctrl = (user.acct_ctrl | samr.ACB_NORMAL)
+
+        elif (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST):
+            pass
+
         else:
             raise ProvisioningError("""Failed to upgrade due to invalid 
account %s, account control flags 0x%08X must have exactly one of
 ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or 
ACB_DOMTRUST (D 0x%08X).
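Review bot: the new `elif acct_type == 0 and username[-1] != '$':` branch defaults flagless user accounts to `ACB_NORMAL`, but a flagless account whose name does end in `$` still falls through to the `raise ProvisioningError(...)` below; if that is intended, say so in a comment, otherwise add the matching `ACB_WSTRUST` default so the two cases are treated consistently.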
@@ -883,40 +891,78 @@ Please fix this account before attempting to upgrade again
     # Connect to samba4 backend
     s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
 
-    # Export groups to samba4 backend
-    logger.info("Importing groups")
-    for g in grouplist:
-        # Ignore uninitialized groups (gid = -1)
-        if g.gid != -1:
-            add_group_from_mapping_entry(result.samdb, g, logger)
-            add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, 
"ID_TYPE_GID", logger)
-            add_posix_attrs(samdb=result.samdb, sid=g.sid, name=g.nt_name, 
nisdomain=domainname.lower(), xid_type="ID_TYPE_GID", logger=logger)
-
-    # Export users to samba4 backend
-    logger.info("Importing users")
-    for username in userdata:
-        if username.lower() == 'administrator':
-            if userdata[username].user_sid != dom_sid(str(domainsid) + "-500"):
-                logger.error("User 'Administrator' in your existing directory 
has SID %s, expected it to be %s" % (userdata[username].user_sid, 
dom_sid(str(domainsid) + "-500")))
-                raise ProvisioningError("User 'Administrator' in your existing 
directory does not have SID ending in -500")
-        if username.lower() == 'root':
-            if userdata[username].user_sid == dom_sid(str(domainsid) + "-500"):
-                logger.warn('User root has been replaced by Administrator')
-            else:
-                logger.warn('User root has been kept in the directory, it 
should be removed in favour of the Administrator user')
+    # Start a new transaction (should speed this up a little, due to index 
churn)
+    result.samdb.transaction_start()
 
-        s4_passdb.add_sam_account(userdata[username])
-        if username in uids:
-            add_ad_posix_idmap_entry(result.samdb, 
userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
-            if (username in homes) and (homes[username] is not None) and \
-               (username in shells) and (shells[username] is not None) and \
-               (username in pgids) and (pgids[username] is not None):
-                add_posix_attrs(samdb=result.samdb, 
sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), 
xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], 
pgid=pgids[username], logger=logger)
+    logger.info("Adding groups")
+    try:
+        # Export groups to samba4 backend
+        logger.info("Importing groups")
+        for g in grouplist:
+            # Ignore uninitialized groups (gid = -1)
+            if g.gid != -1:
+                add_group_from_mapping_entry(result.samdb, g, logger)
+                add_ad_posix_idmap_entry(result.samdb, g.sid, g.gid, 
"ID_TYPE_GID", logger)
+                add_posix_attrs(samdb=result.samdb, sid=g.sid, name=g.nt_name, 
nisdomain=domainname.lower(), xid_type="ID_TYPE_GID", logger=logger)
+
+    except:
+        # We need this, so that we do not give even more errors due to not 
cancelling the transaction
+        result.samdb.transaction_cancel()
+        raise
+
+    logger.info("Commiting 'add groups' transaction to disk")
+    result.samdb.transaction_commit()
+
+    logger.info("Adding users")
+    # Start a new transaction (should speed this up a little, due to index 
churn)
+    result.samdb.transaction_start()
+
+    try:
+        # Export users to samba4 backend
+        logger.info("Importing users")
+        for username in userdata:
+            if username.lower() == 'administrator':
+                if userdata[username].user_sid != dom_sid(str(domainsid) + 
"-500"):
+                    logger.error("User 'Administrator' in your existing 
directory has SID %s, expected it to be %s" % (userdata[username].user_sid, 
dom_sid(str(domainsid) + "-500")))
+                    raise ProvisioningError("User 'Administrator' in your 
existing directory does not have SID ending in -500")
+            if username.lower() == 'root':
+                if userdata[username].user_sid == dom_sid(str(domainsid) + 
"-500"):
+                    logger.warn('User root has been replaced by Administrator')
+                else:
+                    logger.warn('User root has been kept in the directory, it 
should be removed in favour of the Administrator user')
+
+            s4_passdb.add_sam_account(userdata[username])
+            if username in uids:
+                add_ad_posix_idmap_entry(result.samdb, 
userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
+                if (username in homes) and (homes[username] is not None) and \
+                   (username in shells) and (shells[username] is not None) and 
\
+                   (username in pgids) and (pgids[username] is not None):
+                    add_posix_attrs(samdb=result.samdb, 
sid=userdata[username].user_sid, name=username, nisdomain=domainname.lower(), 
xid_type="ID_TYPE_UID", home=homes[username], shell=shells[username], 
pgid=pgids[username], logger=logger)
+
+    except:
+        # We need this, so that we do not give even more errors due to not 
cancelling the transaction
+        result.samdb.transaction_cancel()
+        raise
+
+    logger.info("Commiting 'add users' transaction to disk")
+    result.samdb.transaction_commit()
 
     logger.info("Adding users to groups")
-    for g in grouplist:
-        if str(g.sid) in groupmembers:
-            add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], 
logger)
+    # Start a new transaction (should speed this up a little, due to index 
churn)
+    result.samdb.transaction_start()
+
+    try:
+        for g in grouplist:
+            if str(g.sid) in groupmembers:
+                add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], 
logger)
+
+    except:
+        # We need this, so that we do not give even more errors due to not 
cancelling the transaction
+        result.samdb.transaction_cancel()
+        raise
+
+    logger.info("Commiting 'add users to groups' transaction to disk")
+    result.samdb.transaction_commit()
 
     # Set password for administrator
     if admin_user:
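Review bot: the three transactions are taken on `result.samdb`, but the user objects are written via `s4_passdb.add_sam_account(...)`, where `s4_passdb` was opened separately as `passdb.PDB(new_lp_ctx.get("passdb backend"))`; please confirm both handles share one ldb connection, otherwise the add_sam_account writes are not covered by the transaction that `transaction_cancel()` rolls back. Two smaller points: the bare `except:` blocks re-raise, so they are safe, but `except Exception:` would make the intent clearer; and "Commiting" in the three log messages should be "Committing".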
diff --git a/script/autobuild.py b/script/autobuild.py
index 1182d7f..8c88dc9 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -94,6 +94,10 @@ tasks = {
                       ("tdb-make", "cd lib/tdb && make", "text/plain"),
                       ("tdb-install", "cd lib/tdb && make install", 
"text/plain"),
 
+                      ("ntdb-configure", "cd lib/ntdb && 
PYTHONPATH=${PYTHON_PREFIX}/site-packages:$PYTHONPATH 
PKG_CONFIG_PATH=$PKG_CONFIG_PATH:${PREFIX_DIR}/lib/pkgconfig ./configure 
--bundled-libraries=NONE --abi-check --enable-debug -C ${PREFIX}", 
"text/plain"),
+                      ("ntdb-make", "cd lib/ntdb && make", "text/plain"),
+                      ("ntdb-install", "cd lib/ntdb && make install", 
"text/plain"),
+
                       ("tevent-configure", "cd lib/tevent && 
PYTHONPATH=${PYTHON_PREFIX}/site-packages:$PYTHONPATH 
PKG_CONFIG_PATH=$PKG_CONFIG_PATH:${PREFIX_DIR}/lib/pkgconfig ./configure 
--bundled-libraries=NONE --abi-check --enable-debug -C ${PREFIX}", 
"text/plain"),
                       ("tevent-make", "cd lib/tevent && make", "text/plain"),
                       ("tevent-install", "cd lib/tevent && make install", 
"text/plain"),
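Review bot: the new `ntdb-configure` entry copies the long `PYTHONPATH=... PKG_CONFIG_PATH=... ./configure --bundled-libraries=NONE --abi-check --enable-debug -C ${PREFIX}` command verbatim from the `tdb-configure` and `tevent-configure` entries; factoring that common string into one variable would keep the per-library tasks from drifting apart the next time a configure flag changes.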
@@ -102,7 +106,7 @@ tasks = {
                       ("ldb-make", "cd lib/ldb && make", "text/plain"),
                       ("ldb-install", "cd lib/ldb && make install", 
"text/plain"),
 
-                      ("configure", 
"PYTHONPATH=${PYTHON_PREFIX}/site-packages:$PYTHONPATH 
PKG_CONFIG_PATH=$PKG_CONFIG_PATH:${PREFIX_DIR}/lib/pkgconfig ./configure 
--bundled-libraries=!talloc,!tdb,!pytdb,!ldb,!pyldb,!tevent,!pytevent 
--abi-check --enable-debug -C ${PREFIX}", "text/plain"),
+                      ("configure", 
"PYTHONPATH=${PYTHON_PREFIX}/site-packages:$PYTHONPATH 
PKG_CONFIG_PATH=$PKG_CONFIG_PATH:${PREFIX_DIR}/lib/pkgconfig ./configure 
--bundled-libraries=!talloc,!tdb,!pytdb,!ntdb,!pyntdb,!ldb,!pyldb,!tevent,!pytevent
 --abi-check --enable-debug -C ${PREFIX}", "text/plain"),
                       ("make", "make", "text/plain"),
                       ("install", "make install", "text/plain")],
 
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 7faa8de..a34f9a5 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -108,6 +108,13 @@ static NTSTATUS auth_init_sam(struct auth_context 
*auth_context, const char *par
 {
        struct auth_methods *result;
 
+       if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
+           && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
+               DEBUG(0, ("server role = 'active directory domain controller' 
not compatible with running the auth_sam module. \n"));
+               DEBUGADD(0, ("You should not set 'auth methods' when running 
the AD DC.\n"));
+               exit(1);
+       }
+
        result = talloc_zero(auth_context, struct auth_methods);
        if (result == NULL) {
                return NT_STATUS_NO_MEMORY;
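Review bot: `exit(1)` from inside `auth_init_sam()` terminates the process without giving the caller a chance to log or clean up; returning an error `NTSTATUS` (the function already returns `NT_STATUS_NO_MEMORY` on the next lines) would keep the fail-closed behaviour while letting the auth_context code report the configuration error through the normal path. If a hard exit is deliberate, a one-line comment saying why would help. Minor: there is a stray space before `\n` in the first `DEBUG(0, ...)` message.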
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index dc6a9c3..0905ab4 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -4452,11 +4452,11 @@ static bool ldapuser2displayentry(struct 
ldap_search_state *state,
 
        vals = ldap_get_values(ld, entry, "sambaAcctFlags");
        if ((vals == NULL) || (vals[0] == NULL)) {
-               DEBUG(5, ("\"sambaAcctFlags\" not found\n"));
-               return False;
+               acct_flags = ACB_NORMAL;
+       } else {
+               acct_flags = pdb_decode_acct_ctrl(vals[0]);
+               ldap_value_free(vals);
        }
-       acct_flags = pdb_decode_acct_ctrl(vals[0]);
-       ldap_value_free(vals);
 
        if ((state->acct_flags != 0) &&
            ((state->acct_flags & acct_flags) == 0))
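Review bot: the default chosen here is `acct_flags = ACB_NORMAL;`, while the commit message says other parts of the code treat a missing sambaAcctFlags as zero; the two should agree, and a comment at the assignment stating which interpretation is authoritative would help the next reader. Dropping the `DEBUG(5, ("\"sambaAcctFlags\" not found\n"))` line also removes the only trace that a default was applied; keeping a debug message in the `vals == NULL` branch would make it visible during classicupgrade why an account was listed with default flags.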
diff --git a/source3/rpc_server/dcesrv_auth_generic.c 
b/source3/rpc_server/dcesrv_auth_generic.c
index c4c08b2..77d76fc 100644
--- a/source3/rpc_server/dcesrv_auth_generic.c
+++ b/source3/rpc_server/dcesrv_auth_generic.c
@@ -24,12 +24,12 @@
 #include "auth.h"
 #include "auth/gensec/gensec.h"
 
-NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
-                                           uint8_t auth_type, uint8_t 
auth_level,
-                                           DATA_BLOB *token_in,
-                                           DATA_BLOB *token_out,
-                                           const struct tsocket_address 
*remote_address,
-                                           struct gensec_security **ctx)
+static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
+                                                          uint8_t auth_type, 
uint8_t auth_level,
+                                                          DATA_BLOB *token_in,
+                                                          DATA_BLOB *token_out,
+                                                          const struct 
tsocket_address *remote_address,
+                                                          struct 
gensec_security **ctx)
 {
        struct gensec_security *gensec_security = NULL;
        NTSTATUS status;
@@ -62,6 +62,27 @@ NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX 
*mem_ctx,
        return NT_STATUS_OK;
 }
 
+NTSTATUS auth_generic_server_authtype_start(TALLOC_CTX *mem_ctx,
+                                           uint8_t auth_type, uint8_t 
auth_level,
+                                           DATA_BLOB *token_in,
+                                           DATA_BLOB *token_out,
+                                           const struct tsocket_address 
*remote_address,
+                                           struct gensec_security **ctx)
+{
+       NTSTATUS status;
+       become_root();
+
+       /* this has to be done as root in order to create the messaging socket 
*/
+       status = auth_generic_server_authtype_start_as_root(mem_ctx,
+                                                           auth_type, 
auth_level,
+                                                           token_in,
+                                                           token_out,
+                                                           remote_address,
+                                                           ctx);
+       unbecome_root();
+       return status;
+}
+
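Review bot: the `become_root()` / `unbecome_root()` pair now brackets the whole of `auth_generic_server_authtype_start_as_root(...)`, including processing of the client-supplied `token_in`, while the comment says root is only needed "to create the messaging socket"; narrowing the elevated window to the socket creation inside the `_as_root` function would keep untrusted token parsing out of the privileged section. If that is not practical, please note the reason in the comment so the wider window is understood as deliberate.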
 NTSTATUS auth_generic_server_step(struct gensec_security *gensec_security,
                             TALLOC_CTX *mem_ctx,
                             DATA_BLOB *token_in,
@@ -101,7 +122,12 @@ NTSTATUS auth_generic_server_get_user_info(struct 
gensec_security *gensec_securi
 {
        NTSTATUS status;
 
+       /* this has to be done as root in order to get to the
+        * messaging sockets for IDMAP and privilege.ldb in the AD
+        * DC */
+       become_root();
        status = gensec_session_info(gensec_security, mem_ctx, session_info);
+       unbecome_root();
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, (__location__ ": Failed to get authenticated user "
                          "info: %s\n", nt_errstr(status)));
diff --git a/source4/auth/gensec/gensec_gssapi.c 
b/source4/auth/gensec/gensec_gssapi.c
index e3bafe2..3e35cae 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -336,7 +336,7 @@ static NTSTATUS gensec_gssapi_client_start(struct 
gensec_security *gensec_securi
        const char *hostname = gensec_get_target_hostname(gensec_security);
 
        if (!hostname) {
-               DEBUG(1, ("Could not determine hostname for target computer, 
cannot use kerberos\n"));
+               DEBUG(3, ("No hostname for target computer passed in, cannot 
use kerberos for this connection\n"));
                return NT_STATUS_INVALID_PARAMETER;
        }
        if (is_ipaddress(hostname)) {
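Review bot: lowering this to `DEBUG(3, ...)` means a default-level log no longer records that Kerberos was not attempted for a connection, which is worth a sentence in the commit message for people who rely on that line when diagnosing fall-back to NTLM. The same message and level change appear in gensec_krb5.c in this push; a shared constant for the text would keep the two from diverging again.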
diff --git a/source4/auth/gensec/gensec_krb5.c 
b/source4/auth/gensec/gensec_krb5.c
index 140a165..fbec64c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -240,7 +240,7 @@ static NTSTATUS gensec_krb5_common_client_start(struct 
gensec_security *gensec_s
        NTSTATUS nt_status;
        hostname = gensec_get_target_hostname(gensec_security);
        if (!hostname) {
-               DEBUG(1, ("Could not determine hostname for target computer, 
cannot use kerberos\n"));
+               DEBUG(3, ("No hostname for target computer passed in, cannot 
use kerberos for this connection\n"));
                return NT_STATUS_INVALID_PARAMETER;
        }
        if (is_ipaddress(hostname)) {
diff --git a/source4/dsdb/repl/replicated_objects.c 
b/source4/dsdb/repl/replicated_objects.c
index 44c5de8..29b494b 100644
--- a/source4/dsdb/repl/replicated_objects.c
+++ b/source4/dsdb/repl/replicated_objects.c
@@ -209,10 +209,6 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
        NTTIME whenChanged = 0;
        time_t whenChanged_t;
        const char *whenChanged_s;
-       const char *rdn_name = NULL;
-       const struct ldb_val *rdn_value = NULL;
-       const struct dsdb_attribute *rdn_attr = NULL;
-       uint32_t rdn_attid;
        struct drsuapi_DsReplicaAttribute *name_a = NULL;
        struct drsuapi_DsReplicaMetaData *name_d = NULL;
        struct replPropertyMetaData1 *rdn_m = NULL;
@@ -248,14 +244,6 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
        msg->dn                 = ldb_dn_new(msg, ldb, 
in->object.identifier->dn);
        W_ERROR_HAVE_NO_MEMORY(msg->dn);
 
-       rdn_name        = ldb_dn_get_rdn_name(msg->dn);
-       rdn_attr        = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
-       if (!rdn_attr) {
-               return WERR_FOOBAR;
-       }
-       rdn_attid       = rdn_attr->attributeID_id;
-       rdn_value       = ldb_dn_get_rdn_val(msg->dn);
-
        msg->num_elements       = in->object.attribute_ctr.num_attributes;
        msg->elements           = talloc_array(msg, struct ldb_message_element,
                                               msg->num_elements + 1); /* +1 
because of the RDN attribute */
@@ -331,6 +319,25 @@ WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
 
        if (rdn_m) {
                struct ldb_message_element *el;
+               const char *rdn_name = NULL;
+               const struct ldb_val *rdn_value = NULL;
+               const struct dsdb_attribute *rdn_attr = NULL;
+               uint32_t rdn_attid;
+
+               /*
+                * We only need the schema calls for the RDN in this
+                * codepath, and by doing this we avoid needing to
+                * have the dsdb_attribute_by_lDAPDisplayName accessor
+                * working during the schema load.
+                */
+               rdn_name        = ldb_dn_get_rdn_name(msg->dn);
+               rdn_attr        = dsdb_attribute_by_lDAPDisplayName(schema, 
rdn_name);
+               if (!rdn_attr) {
+                       return WERR_FOOBAR;
+               }
+               rdn_attid       = rdn_attr->attributeID_id;
+               rdn_value       = ldb_dn_get_rdn_val(msg->dn);
+
                el = ldb_msg_find_element(msg, rdn_attr->lDAPDisplayName);
                if (!el) {
                        ret = ldb_msg_add_value(msg, rdn_attr->lDAPDisplayName, 
rdn_value, NULL);
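Review bot: the moved `if (!rdn_attr) { return WERR_FOOBAR; }` still fails without any message, whereas the other commits in this push add context to exactly this kind of conversion failure; a `DEBUG(0, ...)` naming `rdn_name` and the object DN before the return would make the schema-load case this change targets diagnosable. The explanatory comment above the lookup is helpful.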
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c 
b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 07b1bc4..f15633f 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -92,9 +92,15 @@ static int aclread_callback(struct ldb_request *req, struct 
ldb_reply *ares)
        case LDB_REPLY_ENTRY:
                msg = ares->message;
                ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
-               if (ret != LDB_SUCCESS || sd == NULL ) {
+               if (ret != LDB_SUCCESS) {
+                       ldb_debug_set(ldb, LDB_DEBUG_FATAL,
+                                     "acl_read: cannot get descriptor of %s: 
%s\n",
+                                     ldb_dn_get_linearized(msg->dn), 
ldb_strerror(ret));
+                       ret = LDB_ERR_OPERATIONS_ERROR;
+                       goto fail;
+               } else if (sd == NULL) {
                        ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-                                     "acl_read: cannot get descriptor of %s\n",
+                                     "acl_read: cannot get descriptor of %s 
(attribute not found)\n",
                                      ldb_dn_get_linearized(msg->dn));
                        ret = LDB_ERR_OPERATIONS_ERROR;
                        goto fail;
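Review bot: in the new `ret != LDB_SUCCESS` branch the original error is logged via `ldb_strerror(ret)` and then overwritten with `LDB_ERR_OPERATIONS_ERROR`, so the caller sees a generic failure while only the log carries the specific one; if that mapping is intentional (to avoid leaking detail to the LDAP client), a short comment would make it clear. Splitting the `ret != LDB_SUCCESS` and `sd == NULL` cases so each has its own message is a clear improvement.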
diff --git a/source4/dsdb/schema/schema_prefixmap.c 
b/source4/dsdb/schema/schema_prefixmap.c
index 4a895d9..270e6be 100644
--- a/source4/dsdb/schema/schema_prefixmap.c
+++ b/source4/dsdb/schema/schema_prefixmap.c
@@ -311,6 +311,7 @@ static WERROR dsdb_schema_pfm_make_attid_impl(struct 
dsdb_schema_prefixmap *pfm,
        } else {
                /* return error in read-only mode */
                if (!can_change_pfm) {
+                       DEBUG(0, ("Unable to convert %s to an attid, and 
can_change_pfm=false!\n", oid));
                        return werr;
                }
 
diff --git a/source4/rpc_server/drsuapi/getncchanges.c 
b/source4/rpc_server/drsuapi/getncchanges.c
index 575d037..219ddbc 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -353,8 +353,9 @@ static WERROR get_nc_changes_build_object(struct 
drsuapi_DsReplicaObjectListItem
                        werr = sa->syntax->ldb_to_drsuapi(&syntax_ctx, sa, el, 
obj,
                                                          
&obj->object.attribute_ctr.attributes[i]);
                        if (!W_ERROR_IS_OK(werr)) {
-                               DEBUG(0,("Unable to convert %s to DRS object - 
%s\n", 
-                                        sa->lDAPDisplayName, 
win_errstr(werr)));
+                               DEBUG(0,("Unable to convert %s on %s to DRS 
object - %s\n",
+                                        sa->lDAPDisplayName, 
ldb_dn_get_linearized(msg->dn),
+                                        win_errstr(werr)));
                                return werr;
                        }
                        /* if DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING is set
@@ -369,8 +370,9 @@ static WERROR get_nc_changes_build_object(struct 
drsuapi_DsReplicaObjectListItem
                        werr = drsuapi_encrypt_attribute(obj, session_key, rid, 
                                                         
&obj->object.attribute_ctr.attributes[i]);
                        if (!W_ERROR_IS_OK(werr)) {
-                               DEBUG(0,("Unable to encrypt %s in DRS object - 
%s\n", 
-                                        sa->lDAPDisplayName, 
win_errstr(werr)));
+                               DEBUG(0,("Unable to encrypt %s on %s in DRS 
object - %s\n",
+                                        sa->lDAPDisplayName, 
ldb_dn_get_linearized(msg->dn),
+                                        win_errstr(werr)));
                                return werr;
                        }
                }
diff --git a/wscript b/wscript
index dad54d1..a743228 100644
--- a/wscript
+++ b/wscript
@@ -12,7 +12,7 @@ import wafsamba, Options, samba_dist, Scripting, Utils, 
samba_version
 
 
 samba_dist.DIST_DIRS('.')
-samba_dist.DIST_BLACKLIST('.gitignore .bzrignore 
source4/selftest/provisions/alpha13')
+samba_dist.DIST_BLACKLIST('.gitignore .bzrignore 
source4/selftest/provisions/alpha13 source4/selftest/provisions/release-4-0-0/')
 
 # install in /usr/local/samba by default
 Options.default_prefix = '/usr/local/samba'
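Review bot: the new blacklist entry `source4/selftest/provisions/release-4-0-0/` has a trailing slash while the existing `source4/selftest/provisions/alpha13` does not; please confirm `DIST_BLACKLIST` matches both forms, or use the same form for both entries so the release-4-0-0 provision is actually excluded from the tarball.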


-- 
Samba Shared Repository
