The branch, v4-0-test has been updated
       via  f9c157c Optimization. Don't do the retry logic if sitename_fetch() returned NULL, we already did a NULL query.
       via  70be15b Move the retry logic when site_name is passed in a NULL or "" to the wrapper function.
       via  9930f28 Move the manipulation of site_name into the caller function dsgetdcname().
       via  6ddc9a5 Refactor dsgetdcname to be called via a wrapper function.
       via  8943d97 dsgetdcname_cache_fetch() doesn't use the site_name parameter so don't pass it.
       via  e0beb5a smbd: Correctly return INFO_LENGTH_MISMATCH for smb1
       via  df9fd7f smbd: Fix error return for STREAM_INFO
       via  d594876 smbd: Revert a93f9c3
       via  aadd02d smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo
       via  cedcde9 smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo
       via  ef717ef smbd: qfsinfo has fixed/variable buffers
       via  4220369 smbd: qfilepathinfo has fixed/variable buffers
       via  12c77c7 smbd: Use #defines in smb2_getinfo_send
       via  6dc2f7f s3:smbd: allow info class SMB_QUERY_FS_ATTRIBUTE_INFO to return partial data
       via  cc100f0 s3:smbd: allow info class SMB_QUERY_FS_VOLUME_INFO to return partial data
       via  235342b s3:smbd: allow status code in smbd_do_qfsinfo() to be set by information class handler
       via  2c608aa s3:smbd: allow GetInfo responses with STATUS_BUFFER_OVERFLOW to return partial, but valid data
       via  71c00f1 s3:smbd: return NT_STATUS_INFO_LENGTH_MISMATCH for GetInfo in case output_buffer_length is too small
       via  067ce71 torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9
       via  cf1ae22 selftest: Add a basic test of samba_upgradedns
       via  8424ea2 selftest: Start internal DNS server on domain provisioned for BIND9_DLZ
       via  e94d37c selftest: Test creation of the dns-SERVER account during selftest
       via  8e618de scripting/samba_upgradedns: Tighten up exception and attribute list handling
       via  d17713f scripting/join.py: Handle creating the dns-NAME account during a DC join
       via  6bed1b2 selftest: Fix specification of --machinepass to actually set a unique password
      from  8749a30 s3:lib/gencache: place gencache.tdb into /var/cache/samba
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit f9c157cf6892e02e765a64601c4a286d8dadece4
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 3 14:07:43 2013 -0700

    Optimization. Don't do the retry logic if sitename_fetch() returned NULL, we already did a NULL query.

    Bug 5917 - Samba does not work on site with Read Only Domain Controller

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Sep 4 01:19:05 CEST 2013 on sn-devel-104
    (cherry picked from commit bdab6f9431715fbfd28f8cc0dfb4dde2966f22f3)

    Autobuild-User(v4-0-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-0-test): Fri Sep 6 12:51:06 CEST 2013 on sn-devel-104

commit 70be15bdb448b9c6c8ec047ce6f6df4a696ce61e
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 3 12:20:52 2013 -0700

    Move the retry logic when site_name is passed in a NULL or "" to the wrapper function.

    Bug 5917 - Samba does not work on site with Read Only Domain Controller

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Richard Sharpe <rsha...@samba.org>
    (cherry picked from commit 68e7b1c9446c7d1274b0fb85b59b90ac1a7f6041)

commit 9930f28a3cf94bdbeb11f551926c105f27c1c12e
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 3 12:08:46 2013 -0700

    Move the manipulation of site_name into the caller function dsgetdcname().

    Leave dsgetdcname_internal() only using const char *site_name.

    Bug 5917 - Samba does not work on site with Read Only Domain Controller

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Richard Sharpe <rsha...@samba.org>
    (cherry picked from commit 181c11066bd53b07015a199f56eb71182e89ff71)

commit 6ddc9a57d025fe196b2f820cfa27429a3acf5643
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 3 12:04:37 2013 -0700

    Refactor dsgetdcname to be called via a wrapper function.

    Bug 5917 - Samba does not work on site with Read Only Domain Controller

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Richard Sharpe <rsha...@samba.org>
    (cherry picked from commit 66006be7ef703b2935334633d27641050cee5f58)

commit 8943d971ee729e7f00e17125b9011d9456f220f3
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Sep 3 12:13:45 2013 -0700

    dsgetdcname_cache_fetch() doesn't use the site_name parameter so don't pass it.

    Bug 5917 - Samba does not work on site with Read Only Domain Controller

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Richard Sharpe <rsha...@samba.org>
    (cherry picked from commit dd12bfbcbf359c1642cc2e968aec62ae904aad5d)

commit e0beb5a2f258757f64ef3c4d0f6928e67a1e5d5b
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:40:19 2013 +0000

    smbd: Correctly return INFO_LENGTH_MISMATCH for smb1

    This is required if the client offered less buffer than the fixed
    portion of the info level data requires

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 1b1935b876a14154ef74e447bf53eb7cd0a5dde9)

commit df9fd7fae1adf496f8a9337755684c2a010760ec
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:39:17 2013 +0000

    smbd: Fix error return for STREAM_INFO

    The stream_info marshalling follows its own rules. This needs
    unifying eventually...

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 5634f240fd4273cb7327111140ccbea0fd41e3fc)

commit d594876817e5667af56257236fb0bd4af98e80d1
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:38:29 2013 +0000

    smbd: Revert a93f9c3

    This was too broad and has been replaced by finer-grained error checks

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit b37edda32930fec372d6467d442f67532c3fbd33)

commit aadd02d8c4f6a378a4aabb882287e4b0897cfe65
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:37:34 2013 +0000

    smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo

    Also, don't overflow the client buffer

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 40f60024ca19e33cbbe9825b42692f386a8f1dd9)

commit cedcde95dd2e391fbdc720f5634f7aa7136aa8c0
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:36:03 2013 +0000

    smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo

    We have to return this error if the client offered less than the
    fixed portion of the infolevel data requires

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 91939614760837b2ac2c6bb8b5daac108a4f4670)

commit ef717efda15ad4d8c8100babf9f9ca63f92d7ee3
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:06:27 2013 +0000

    smbd: qfsinfo has fixed/variable buffers

    The error message will have to change depending whether the buffer
    is too small for the fixed or variable buffers

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit ac41df91a5a425633fc716ca02187e753879d795)

commit 4220369fe28e54c630392ee99e9eb7ec0dceafaf
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Aug 27 09:06:27 2013 +0000

    smbd: qfilepathinfo has fixed/variable buffers

    The error message will have to change depending whether the buffer
    is too small for the fixed or variable buffers

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 53123996033594f68a3fc9037474aada3aef0750)

commit 12c77c7c24e1c619018e794149367c867f3c85a7
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Aug 26 08:36:14 2013 +0000

    smbd: Use #defines in smb2_getinfo_send

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: David Disseldorp <dd...@samba.org>

    Autobuild-User(master): David Disseldorp <dd...@samba.org>
    Autobuild-Date(master): Tue Aug 27 15:08:08 CEST 2013 on sn-devel-104
    (cherry picked from commit 323cccd35d06c7327c19dc5cb891043507624d7d)

commit 6dc2f7f0beda5e47713a360b528449d33495b09d
Author: Ralph Wuerthner <ralph.wuerth...@de.ibm.com>
Date:   Wed Jul 10 16:43:39 2013 +0200

    s3:smbd: allow info class SMB_QUERY_FS_ATTRIBUTE_INFO to return partial data

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <volker.lende...@sernet.de>
    (cherry picked from commit 270d29a743a030653037cb176f3764bec3c79b6c)

commit cc100f000421ef8fd147552d9de32676e141e774
Author: Ralph Wuerthner <ralph.wuerth...@de.ibm.com>
Date:   Wed Jul 10 15:52:06 2013 +0200

    s3:smbd: allow info class SMB_QUERY_FS_VOLUME_INFO to return partial data

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <volker.lende...@sernet.de>
    (cherry picked from commit ec46f6b91941e38dd92f8e0fb0f278592e3157b6)

commit 235342b63b14745c102b94333d0699b5ac3e6325
Author: Ralph Wuerthner <ralph.wuerth...@de.ibm.com>
Date:   Fri Jul 5 11:32:27 2013 +0200

    s3:smbd: allow status code in smbd_do_qfsinfo() to be set by information class handler

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <volker.lende...@sernet.de>
    (cherry picked from commit 616777f029e462f53c5118d79de8c6405a5fb7c1)

commit 2c608aa2d2393f8e24b85b98e079b43d8c53d527
Author: Ralph Wuerthner <ralph.wuerth...@de.ibm.com>
Date:   Fri Jul 5 11:03:16 2013 +0200

    s3:smbd: allow GetInfo responses with STATUS_BUFFER_OVERFLOW to return partial, but valid data

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <volker.lende...@sernet.de>
    (cherry picked from commit a91d2b05bab329a8a9772c2c79a3b1e02933182e)

commit 71c00f1138bae008d3fe0bb6df86b8317c228f40
Author: Ralph Wuerthner <ralph.wuerth...@de.ibm.com>
Date:   Wed Jul 10 08:59:58 2013 +0200

    s3:smbd: return NT_STATUS_INFO_LENGTH_MISMATCH for GetInfo in case output_buffer_length is too small

    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <volker.lende...@sernet.de>
    (cherry picked from commit a93f9c3d33e442c84d0c9da7eb5d25ca4b54fc33)

commit 067ce71566b34cd17548c321cc0e2c80c484edf3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Dec 28 21:00:28 2012 +1100

    torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9

    This exercises some more of the dlz_bind9 code outside BIND, by
    sending in a ticket to be access checked, wrapped either in SPNEGO
    or just in GSSAPI.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Wed Sep 4 11:25:10 CEST 2013 on sn-devel-104
    (cherry picked from commit 38e43961c01f6f491b069e7106fe2a2ec80bd840)

    The last 7 patches address bug #9091 - When replicating DNS for
    bind9_dlz we need to create the server-DNS account remotely.

commit cf1ae22648dff54696947c2a70762bab21b993fc
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Dec 28 10:06:39 2012 +1100

    selftest: Add a basic test of samba_upgradedns

    This does not check that the command runs correctly, but does at
    least check that the command runs to completion without errors.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 16b26eafa75280e576333975cff5dd1505c118fa)

commit 8424ea2489b6b1575616f322ca44d28a329e27a1
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Dec 28 09:25:11 2012 +1100

    selftest: Start internal DNS server on domain provisioned for BIND9_DLZ

    This shows that the internal server can use the dns-SERVER account.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 013c4990c6f1412dd25592bf177ceffab4b5d16d)

commit e94d37c6fce80e3e5d1a7678776b7101f552fd41
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Dec 26 10:03:47 2012 +1100

    selftest: Test creation of the dns-SERVER account during selftest

    We do this by having the samba-tool domain dcpromo for
    promoted_vampire_dc also create a dns-SERVER account.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit e281037c9bfa68ca3dc564ec7a36e5c790024902)

commit 8e618de1fdc09b052f5e98b2e5f78210270c04b4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Dec 24 09:12:04 2012 +1100

    scripting/samba_upgradedns: Tighten up exception and attribute list handling

    This avoids asking for attributes that will not be used, and looks
    only for the expected exceptions, rather than all exceptions.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit d19c437a36b26e71c24bc25e672d714e21ba50bd)

commit d17713f7651c333a35ac1069fb3acf17d416b80a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Dec 24 08:56:50 2012 +1100

    scripting/join.py: Handle creating the dns-NAME account during a DC join

    This will ensure that the DLZ plugin works out of the box when
    joining a second Samba DC to the domain.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit b106d9090e8f8f44f02059d2ced3d10066787060)

commit 6bed1b2f6f3ab32b31eedffa05efb438d3e3d299
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Feb 28 22:57:45 2013 +1100

    selftest: Fix specification of --machinepass to actually set a unique password

    Because perl does not assert on dereferencing an invalid hash key,
    we did not notice that the passwords were being set to machine,
    not machineloCalMemberPass.

    Andrew Bartlett

    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 166288b162e7b658b48bc908c71f635928edc5b5)

-----------------------------------------------------------------------

Summary of changes:
 python/samba/join.py                        | 73 ++++++++++++++++++++++-
 python/samba/provision/sambadns.py          | 11 +++-
 selftest/target/Samba4.pm                   | 14 ++--
 source3/libsmb/dsgetdcname.c                | 85 ++++++++++++++++++++------
 source3/smbd/globals.h                      |  2 +
 source3/smbd/smb2_getinfo.c                 | 47 +++++++++++++--
 source3/smbd/trans2.c                       | 55 +++++++++++++++++-
 source4/scripting/bin/samba_upgradedns      | 30 ++++++---
 source4/selftest/tests.py                   |  3 +-
 source4/setup/secrets_dns.ldif              |  2 +-
 source4/torture/dns/dlz_bind9.c             | 78 ++++++++++++++++++++++++
 source4/torture/winbind/winbind.c           |  1 +
 testprogs/blackbox/test_samba_upgradedns.sh | 37 ++++++++++++
 13 files changed, 384 insertions(+), 54 deletions(-)
 create mode 100755 testprogs/blackbox/test_samba_upgradedns.sh


Changeset truncated at 500 lines:

diff --git a/python/samba/join.py b/python/samba/join.py index c55c22c..b2f4da4 100644 --- a/python/samba/join.py +++ b/python/samba/join.py 
@@ -26,9 +26,12 @@ from samba.ndr import ndr_pack from samba.dcerpc import security, drsuapi, misc, nbt, lsa, drsblobs from samba.credentials import Credentials, DONT_USE_KERBEROS from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN +from samba.provision.common import setup_path from samba.schema import Schema from samba.net import Net from samba.provision.sambadns import setup_bind9_dns +from samba import read_and_sub_file +from base64 import b64encode import logging import talloc import random @@ -179,6 +182,19 @@ class dc_join(object): attrs=["msDS-krbTgtLink"]) if res: ctx.del_noerror(res[0].dn, recursive=True) + + res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(), + expression='(&(sAMAccountName=%s)(servicePrincipalName=%s))' % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname)), + attrs=[]) + if res: + ctx.del_noerror(res[0].dn, recursive=True) + + res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(), + expression='(sAMAccountName=%s)' % ldb.binary_encode("dns-%s" % ctx.myname), + attrs=[]) + if res: + raise RuntimeError("Not removing account %s which looks like a Samba DNS service account but does not have servicePrincipalName=%s" % (ldb.binary_encode("dns-%s" % ctx.myname), ldb.binary_encode("dns/%s" % ctx.dnshostname))) + if ctx.connection_dn is not None: ctx.del_noerror(ctx.connection_dn) if ctx.krbtgt_dn is not None: 
@@ -579,6 +595,56 @@ class dc_join(object): "userAccountControl") ctx.samdb.modify(m) + if ctx.dns_backend.startswith("BIND9_"): + ctx.dnspass = samba.generate_random_password(128, 255) + + recs = ctx.samdb.parse_ldif(read_and_sub_file(setup_path("provision_dns_add_samba.ldif"), + {"DNSDOMAIN": ctx.dnsdomain, + "DOMAINDN": ctx.base_dn, + "HOSTNAME" : ctx.myname, + "DNSPASS_B64": b64encode(ctx.dnspass), + "DNSNAME" : ctx.dnshostname})) + for changetype, msg in recs: + assert changetype == ldb.CHANGETYPE_NONE + print "Adding DNS account %s with dns/ SPN" % msg["dn"] + + # Remove dns password (we will set it as a modify, as we can't do clearTextPassword over LDAP) + del msg["clearTextPassword"] + # Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP + del msg["isCriticalSystemObject"] + try: + ctx.samdb.add(msg) + dns_acct_dn = msg["dn"] + except ldb.LdbError, (num, _): + if num != ldb.ERR_ENTRY_ALREADY_EXISTS: + raise + + # The account password set operation should normally be done over + # LDAP. Windows 2000 DCs however allow this only with SSL + # connections which are hard to set up and otherwise refuse with + # ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet + # over SAMR. 
+ print "Setting account password for %s" % ctx.samname + try: + ctx.samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))" + % ldb.binary_encode(ctx.myname), + ctx.dnspass, + force_change_at_next_login=False, + username=ctx.samname) + except ldb.LdbError, (num, _): + if num != ldb.ERR_UNWILLING_TO_PERFORM: + pass + ctx.net.set_password(account_name="dns-" % ctx.myname, + domain_name=ctx.domain_name, + newpassword=ctx.dnspass) + + res = ctx.samdb.search(base=dns_acct_dn, scope=ldb.SCOPE_BASE, + attrs=["msDS-KeyVersionNumber"]) + if "msDS-KeyVersionNumber" in res[0]: + ctx.dns_key_version_number = int(res[0]["msDS-KeyVersionNumber"][0]) + else: + ctx.dns_key_version_number = None + def join_add_objects2(ctx): """add the various objects needed for the join, for subdomains post replication""" @@ -861,13 +927,12 @@ class dc_join(object): key_version_number=ctx.key_version_number) if ctx.dns_backend.startswith("BIND9_"): - dnspass = samba.generate_random_password(128, 255) - setup_bind9_dns(ctx.local_samdb, secrets_ldb, security.dom_sid(ctx.domsid), ctx.names, ctx.paths, ctx.lp, logger, dns_backend=ctx.dns_backend, - dnspass=dnspass, os_level=ctx.behavior_version, - targetdir=ctx.targetdir) + dnspass=ctx.dnspass, os_level=ctx.behavior_version, + targetdir=ctx.targetdir, + key_version_number=ctx.dns_key_version_number) def join_setup_trusts(ctx): """provision the local SAM.""" diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py index a5a45cf..4acc24b 100644 --- a/python/samba/provision/sambadns.py +++ b/python/samba/provision/sambadns.py @@ -620,7 +620,7 @@ def add_dc_msdcs_records(samdb, forestdn, prefix, site, dnsforest, hostname, def secretsdb_setup_dns(secretsdb, names, private_dir, realm, - dnsdomain, dns_keytab_path, dnspass): + dnsdomain, dns_keytab_path, dnspass, key_version_number): """Add DNS specific bits to a secrets database. :param secretsdb: Ldb Handle to the secrets database 
@@ -632,11 +632,15 @@ def secretsdb_setup_dns(secretsdb, names, private_dir, realm, except OSError: pass + if key_version_number is None: + key_version_number = 1 + setup_ldb(secretsdb, setup_path("secrets_dns.ldif"), { "REALM": realm, "DNSDOMAIN": dnsdomain, "DNS_KEYTAB": dns_keytab_path, "DNSPASS_B64": b64encode(dnspass), + "KEY_VERSION_NUMBER": str(key_version_number), "HOSTNAME": names.hostname, "DNSNAME" : '%s.%s' % ( names.netbiosname.lower(), names.dnsdomain.lower()) @@ -1074,7 +1078,7 @@ def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, dns_backend, os_level, site=None, dnspass=None, hostip=None, - hostip6=None, targetdir=None): + hostip6=None, targetdir=None, key_version_number=None): """Provision DNS information (assuming BIND9 backend in DC role) :param samdb: LDB object connected to sam.ldb file @@ -1107,7 +1111,8 @@ def setup_bind9_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, secretsdb_setup_dns(secretsdb, names, paths.private_dir, realm=names.realm, dnsdomain=names.dnsdomain, - dns_keytab_path=paths.dns_keytab, dnspass=dnspass) + dns_keytab_path=paths.dns_keytab, dnspass=dnspass, + key_version_number=key_version_number) create_dns_dir(logger, paths) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index c8e71c8..9fd2d40 100644 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -875,7 +875,7 @@ sub provision_member($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; - $cmd .= " --machinepass=machine$ret->{password}"; + $cmd .= " --machinepass=machine$ret->{PASSWORD}"; unless (system($cmd) == 0) { warn("Join failed\n$cmd"); 
@@ -943,7 +943,7 @@ sub provision_rpc_proxy($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; - $cmd .= " --machinepass=machine$ret->{password}"; + $cmd .= " --machinepass=machine$ret->{PASSWORD}"; unless (system($cmd) == 0) { warn("Join failed\n$cmd"); @@ -1030,7 +1030,7 @@ sub provision_promoted_dc($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} MEMBER --realm=$dcvars->{REALM}"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; - $cmd .= " --machinepass=machine$ret->{password}"; + $cmd .= " --machinepass=machine$ret->{PASSWORD}"; unless (system($cmd) == 0) { warn("Join failed\n$cmd"); @@ -1043,7 +1043,7 @@ sub provision_promoted_dc($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}"; - $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs"; + $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ"; unless (system($cmd) == 0) { warn("Join failed\n$cmd"); @@ -1104,7 +1104,7 @@ sub provision_vampire_dc($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}"; $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only"; - $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs"; + $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs"; unless (system($cmd) == 0) { warn("Join failed\n$cmd"); 
@@ -1169,7 +1169,7 @@ sub provision_subdom_dc($$$) $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{realm} subdomain "; $cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}"; - $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs"; + $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs"; unless (system($cmd) == 0) { warn("Join failed\n$cmd"); @@ -1494,7 +1494,7 @@ sub provision_chgdcpass($$) "chgdcpassword.samba.example.com", "2008", "chgDCpass1", - undef, "server services = -dns", "", + undef, "", "", $extra_provision_options); return undef unless(defined $ret); diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index 028a31b..6818b01 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c @@ -320,7 +320,6 @@ static NTSTATUS dsgetdcname_cache_fetch(TALLOC_CTX *mem_ctx, const char *domain_name, const struct GUID *domain_guid, uint32_t flags, - const char *site_name, struct netr_DsRGetDCNameInfo **info_p) { char *key; @@ -393,7 +392,7 @@ static NTSTATUS dsgetdcname_cached(TALLOC_CTX *mem_ctx, NTSTATUS status; status = dsgetdcname_cache_fetch(mem_ctx, domain_name, domain_guid, - flags, site_name, info); + flags, info); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) { DEBUG(10,("dsgetdcname_cached: cache fetch failed with: %s\n", @@ -1094,12 +1093,10 @@ static bool is_closest_site(struct netr_DsRGetDCNameInfo *info) } /******************************************************************** - dsgetdcname. - - This will be the only public function here. + Internal dsgetdcname. ********************************************************************/ -NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, +static NTSTATUS dsgetdcname_internal(TALLOC_CTX *mem_ctx, struct messaging_context *msg_ctx, const char *domain_name, const struct GUID *domain_guid, 
@@ -1109,15 +1106,14 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, { NTSTATUS status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; struct netr_DsRGetDCNameInfo *myinfo = NULL; - char *query_site = NULL; bool first = true; struct netr_DsRGetDCNameInfo *first_info = NULL; - DEBUG(10,("dsgetdcname: domain_name: %s, " + DEBUG(10,("dsgetdcname_internal: domain_name: %s, " "domain_guid: %s, site_name: %s, flags: 0x%08x\n", domain_name, domain_guid ? GUID_string(mem_ctx, domain_guid) : "(null)", - site_name, flags)); + site_name ? site_name : "(null)", flags)); *info = NULL; @@ -1126,18 +1122,12 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - if ((site_name == NULL) || (site_name[0] == '\0')) { - query_site = sitename_fetch(domain_name); - } else { - query_site = SMB_STRDUP(site_name); - } - if (flags & DS_FORCE_REDISCOVERY) { goto rediscover; } status = dsgetdcname_cached(mem_ctx, msg_ctx, domain_name, domain_guid, - flags, query_site, &myinfo); + flags, site_name, &myinfo); if (NT_STATUS_IS_OK(status)) { goto done; } @@ -1148,12 +1138,10 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, rediscover: status = dsgetdcname_rediscover(mem_ctx, msg_ctx, domain_name, - domain_guid, flags, query_site, + domain_guid, flags, site_name, &myinfo); done: - SAFE_FREE(query_site); - if (!NT_STATUS_IS_OK(status)) { if (!first) { *info = first_info; 
@@ -1168,10 +1156,67 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, first = false; first_info = myinfo; /* TODO: may use the next_closest_site here */ - query_site = SMB_STRDUP(myinfo->client_site_name); + site_name = myinfo->client_site_name; goto rediscover; } *info = myinfo; return NT_STATUS_OK; } + +/******************************************************************** + dsgetdcname. + + This will be the only public function here. +********************************************************************/ + +NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx, + struct messaging_context *msg_ctx, + const char *domain_name, + const struct GUID *domain_guid, + const char *site_name, + uint32_t flags, + struct netr_DsRGetDCNameInfo **info) +{ + NTSTATUS status; + const char *query_site = NULL; + char *ptr_to_free = NULL; + bool retry_query_with_null = false; + + if ((site_name == NULL) || (site_name[0] == '\0')) { + ptr_to_free = sitename_fetch(domain_name); + if (ptr_to_free != NULL) { + retry_query_with_null = true; + } + query_site = ptr_to_free; + } else { + query_site = site_name; + } + + status = dsgetdcname_internal(mem_ctx, + msg_ctx, + domain_name, + domain_guid, + query_site, + flags, + info); + + SAFE_FREE(ptr_to_free); + + if (!NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) { + return status; + } + + /* Should we try again with site_name == NULL ? */ + if (retry_query_with_null) { + status = dsgetdcname_internal(mem_ctx, + msg_ctx, + domain_name, + domain_guid, + NULL, + flags, + info); + } + + return status; +} diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index b1f69c8..c7badbc 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -138,6 +138,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, char *lock_data, uint16_t flags2, unsigned int max_data_bytes, + size_t *fixed_portion, char **ppdata, unsigned int *pdata_size); 
@@ -155,6 +156,7 @@ NTSTATUS smbd_do_qfsinfo(connection_struct *conn, uint16_t info_level, uint16_t flags2, unsigned int max_data_bytes, + size_t *fixed_portion, struct smb_filename *smb_fname, char **ppdata, int *ret_data_len); diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c index 5616c84..449aeb3 100644 --- a/source3/smbd/smb2_getinfo.c +++ b/source3/smbd/smb2_getinfo.c @@ -159,7 +159,10 @@ static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq) return; } - if (!NT_STATUS_IS_OK(call_status)) { + /* some GetInfo responses set STATUS_BUFFER_OVERFLOW and return partial, + but valid data */ + if (!(NT_STATUS_IS_OK(call_status) || + NT_STATUS_EQUAL(call_status, STATUS_BUFFER_OVERFLOW))) { /* Return a specific error with data. */ error = smbd_smb2_request_error_ex(req, call_status, @@ -194,7 +197,7 @@ static void smbd_smb2_request_getinfo_done(struct tevent_req *subreq) outdyn = out_output_buffer; - error = smbd_smb2_request_done(req, outbody, &outdyn); + error = smbd_smb2_request_done_ex(req, call_status, outbody, &outdyn, __location__); if (!NT_STATUS_IS_OK(error)) { smbd_server_connection_terminate(req->sconn, nt_errstr(error)); @@ -279,7 +282,7 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, } switch (in_info_type) { - case 0x01:/* SMB2_GETINFO_FILE */ + case SMB2_GETINFO_FILE: { uint16_t file_info_level; char *data = NULL; @@ -290,6 +293,7 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, struct ea_list *ea_list = NULL; int lock_data_count = 0; char *lock_data = NULL; + size_t fixed_portion; ZERO_STRUCT(write_time_ts); @@ -377,6 +381,7 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, lock_data, STR_UNICODE, in_output_buffer_length, + &fixed_portion, &data, &data_size); if (!NT_STATUS_IS_OK(status)) { 
@@ -387,6 +392,12 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, tevent_req_nterror(req, status); return tevent_req_post(req, ev); } + if (in_output_buffer_length < fixed_portion) { + SAFE_FREE(data); + tevent_req_nterror( + req, NT_STATUS_INFO_LENGTH_MISMATCH); + return tevent_req_post(req, ev); + } if (data_size > 0) { state->out_output_buffer = data_blob_talloc(state, data, @@ -395,16 +406,22 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, if (tevent_req_nomem(state->out_output_buffer.data, req)) { return tevent_req_post(req, ev); } + if (data_size > in_output_buffer_length) { + state->out_output_buffer.length = + in_output_buffer_length; + status = STATUS_BUFFER_OVERFLOW; + } } SAFE_FREE(data); break; } - case 0x02:/* SMB2_GETINFO_FS */ + case SMB2_GETINFO_FS: { uint16_t file_info_level; char *data = NULL; int data_size = 0; + size_t fixed_portion; /* the levels directly map to the passthru levels */ file_info_level = in_file_info_class + 1000; @@ -413,10 +430,14 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, file_info_level, STR_UNICODE, in_output_buffer_length, + &fixed_portion, fsp->fsp_name, &data, &data_size); - if (!NT_STATUS_IS_OK(status)) { + /* some responses set STATUS_BUFFER_OVERFLOW and return -- Samba Shared Repository
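Review bot: in python/samba/join.py hunk @@ -179,6 +182,19 the RuntimeError text interpolates `ldb.binary_encode("dns-%s" % ctx.myname)` and `ldb.binary_encode("dns/%s" % ctx.dnshostname)`; binary_encode() yields the filter-escaped form intended for the `expression=` argument, so a host name with non-ASCII or filter-special characters is printed escaped in the human-readable message. Use the plain `"dns-%s" % ctx.myname` and `"dns/%s" % ctx.dnshostname` in the message and keep binary_encode() for the two search filters only.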
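Review bot: in python/samba/join.py hunk @@ -579,6 +595,56 the SAMR fall-back is not gated the way its comment describes and cannot run: `except ldb.LdbError, (num, _): if num != ldb.ERR_UNWILLING_TO_PERFORM: pass` swallows every other setpassword() error where it should `raise`, and the call that follows, `ctx.net.set_password(account_name="dns-" % ctx.myname, ...)`, is missing the `%s`, so it raises TypeError the moment it executes. `dns_acct_dn = msg["dn"]` is also assigned only when `ctx.samdb.add(msg)` succeeds; on the ERR_ENTRY_ALREADY_EXISTS path that the first except deliberately ignores, the later `ctx.samdb.search(base=dns_acct_dn, ...)` hits an unbound name. Suggest moving `dns_acct_dn = msg["dn"]` before the try, replacing `pass` with `raise`, and writing `"dns-%s" % ctx.myname`. The attributes set here, `ctx.dnspass` and `ctx.dns_key_version_number`, are read in hunk @@ -861,13 +927,12; any join path that reaches that call without having run this block fails with AttributeError, so initialising both to None where ctx is constructed would be safer.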
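Review bot: the `$ret->{password}` to `$ret->{PASSWORD}` change in selftest/target/Samba4.pm (hunks @@ -875,7 through @@ -1169,7) fixes a class of typo that `use strict` cannot catch, as the commit message for 6bed1b2 notes; the consequence was that every joined member and DC got the constant password "machine" rather than a per-environment one. Locking the hash with `Hash::Util::lock_keys(%$ret)` once it is populated, or interpolating `--machinepass` through a helper that dies on an undefined value, would turn the next such slip into a selftest failure instead of a silently constant credential.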
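Review bot: the new dsgetdcname() wrapper in source3/libsmb/dsgetdcname.c (hunk @@ -1168,10 +1156,67) retries without leaving a trace: when the site-scoped query returns NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND and `retry_query_with_null` is set, the second dsgetdcname_internal() call can only be told apart from the first by the `site_name: (null)` text of its own DEBUG(10). A `DEBUG(10, ("dsgetdcname: %s not found in site, retrying without site\n", domain_name));` placed after `SAFE_FREE(ptr_to_free);` and before the retry would make the fall-back visible when chasing bug 5917 lookups from a read-only DC site. The gating itself looks right: `query_site = ptr_to_free;` is also reached when sitename_fetch() returns NULL, which yields a single NULL-site query with no retry, matching the intent of f9c157c.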
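Review bot: in source3/smbd/smb2_getinfo.c hunks @@ -290,6 +293,7 and @@ -395,16 +406,22 `size_t fixed_portion;` is declared without an initialiser in both the SMB2_GETINFO_FILE and SMB2_GETINFO_FS cases and is then used in `if (in_output_buffer_length < fixed_portion)`. That is only safe if every info level handled by smbd_do_qfilepathinfo() and smbd_do_qfsinfo() stores to `*fixed_portion` on the success path, which the truncated diff does not let a reviewer confirm; initialising it to 0 at the declaration makes the check degrade to "no fixed-size minimum" instead of comparing against an indeterminate value. The truncation that follows, `state->out_output_buffer.length = in_output_buffer_length; status = STATUS_BUFFER_OVERFLOW;`, is what actually stops the server from returning more bytes than the client's output buffer length allows, so a one-line comment there saying so would help the next reader see why the partial response is deliberate.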