Attachment 11146 Details for Bug 10991 – Have winbindd sync secrets.tdb with secrets.ldb at startup (4.2 version)

[patch] Have winbindd sync secrets.tdb with secrets.ldb at startup (4.2 version)

bug-10991.patch (text/plain), 7.74 KB, created by Andrew Bartlett on 2015-06-12 02:19:39 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2015-06-12 02:19:39 UTC

Size: 7.74 KB

patch

obsolete

>From e76314aa056c961fa0bf71539d1c0feb1f7e851b Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 12 Jun 2015 11:54:21 +1200
>Subject: [PATCH 1/3] winbindd: Use pdb_get_domain_info() to get exactly the
> local domain info when we are an AD DC
>
>This also triggers pdb_samba_dsdb_init_secrets(), to force the
>correct SID into secrets.tdb.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
>---
> source3/winbindd/winbindd_util.c | 11 +++++++++--
> source4/selftest/tests.py        |  2 +-
> 2 files changed, 10 insertions(+), 3 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
>index 0b7e234..424dccee 100644
>--- a/source3/winbindd/winbindd_util.c
>+++ b/source3/winbindd/winbindd_util.c
>@@ -623,10 +623,17 @@ bool init_domain_list(void)
> 		enum netr_SchannelType sec_chan_type;
> 		const char *account_name;
> 		struct samr_Password current_nt_hash;
>+		struct pdb_domain_info *pdb_domain_info;
> 		bool ok;
> 
>-		domain = add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
>-					    &cache_methods, get_global_sam_sid());
>+		pdb_domain_info = pdb_get_domain_info(talloc_tos());
>+		if (pdb_domain_info == NULL) {
>+			DEBUG(0, ("Failed to fetch our own, local AD domain info from sam.ldb\n"));
>+			return false;
>+		}
>+		domain = add_trusted_domain(pdb_domain_info->name, pdb_domain_info->dns_domain,
>+					    &cache_methods, &pdb_domain_info->sid);
>+		TALLOC_FREE(pdb_domain_info);
> 		if (domain == NULL) {
> 			DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
> 			return false;
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 7c4f888..b223e6e 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -380,7 +380,7 @@ for env in ["s3dc", "fl2003dc"]:
>     for t in winbind_wbclient_tests:
>         plansmbtorture4testsuite(t, "%s:local" % env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
> 
>-for env in ["s3dc", "member", "plugin_s4_dc", "dc", "s3member", "s4member"]:
>+for env in ["s3dc", "member", "plugin_s4_dc", "dc", "s3member", "s4member", "chgdcpass"]:
>     tests = ["--ping", "--separator",
>              "--own-domain",
>              "--all-domains",
>-- 
>2.1.4
>
>
>From 67a2264017bc9eaf638d5da17d306f53acd8e46e Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 12 Jun 2015 11:57:07 +1200
>Subject: [PATCH 2/3] winbindd: Sync secrets.ldb into secrets.tdb on startup
>
>This ensures that the domain SID and machine account password are written into
>secrets.tdb if the secrets.tdb file was either never written or was deleted.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> source3/winbindd/winbindd_util.c | 41 +++++++++++++++++++++++++++++++++++++---
> 1 file changed, 38 insertions(+), 3 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
>index 424dccee..82381d6 100644
>--- a/source3/winbindd/winbindd_util.c
>+++ b/source3/winbindd/winbindd_util.c
>@@ -27,6 +27,7 @@
> #include "../libcli/auth/pam_errors.h"
> #include "passdb/machine_sid.h"
> #include "passdb.h"
>+#include "auth/credentials/credentials.h"
> 
> #undef DBGC_CLASS
> #define DBGC_CLASS DBGC_WINBIND
>@@ -647,13 +648,47 @@ bool init_domain_list(void)
> 				       &account_name,
> 				       &sec_chan_type);
> 		if (!ok) {
>-			DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
>-			return false;
>+			/* If get_trust_pw_hash() fails, then try and fetch the password from the more recent of secrets.{ldb,tdb} using the pdb_get_trust_credentials() */
>+			struct cli_credentials *creds;
>+			NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name, NULL, domain, &creds);
>+			if (!NT_STATUS_IS_OK(can_migrate)) {
>+				DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use, both from secrets.tdb and secrets.ldb: %s\n", nt_errstr(can_migrate)));
>+				return false;
>+			}
>+
>+			/* NOTE: It is very unlikely we end up
>+			 * here if there is an oldpass,
>+			 * because a new password is created
>+			 * at classicupgrade, so this is not a
>+			 * concern. */
>+			ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
>+							    NULL /* oldpass */,
>+							    cli_credentials_get_domain(creds),
>+							    cli_credentials_get_realm(creds),
>+							    cli_credentials_get_salt_principal(creds),
>+							    0, /* Supported enc types, unused */
>+							    &domain->sid,
>+							    cli_credentials_get_password_last_changed_time(creds),
>+							    cli_credentials_get_secure_channel_type(creds),
>+							    false /* do_delete: Do not delete */);
>+			TALLOC_FREE(creds);
>+			if (ok == false) {
>+				DEBUG(0, ("Failed to write our our own, local AD domain join password for winbindd's internal use into secrets.tdb\n"));
>+				return false;
>+			}
>+			ok = get_trust_pw_hash(domain->name,
>+					       current_nt_hash.hash,
>+					       &account_name,
>+					       &sec_chan_type);
>+			if (ok == false) {
>+				DEBUG(0, ("Failed to re-fetch our own, local AD domain join password for winbindd's internal use from secrets.tdb: %s\n", nt_errstr(can_migrate)));
>+				return false;
>+			}
> 		}
> 		if (sec_chan_type == SEC_CHAN_RODC) {
> 			domain->rodc = true;
> 		}
>-
>+		
> 	} else {
> 		(void)add_trusted_domain(get_global_sam_name(), NULL,
> 					 &cache_methods, get_global_sam_sid());
>-- 
>2.1.4
>
>
>From 7911513dbb357c11a6a7ebea2d6bb5b7eacf893f Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Thu, 11 Jun 2015 17:19:38 +1200
>Subject: [PATCH 3/3] selftest: Change chgdcpass environment to use winbindd
>
>This allows us to test that winbindd starts up without secrets.tdb, as happens after
>a classicupgrade.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
>---
> selftest/knownfail        | 2 ++
> selftest/target/Samba4.pm | 7 ++-----
> 2 files changed, 4 insertions(+), 5 deletions(-)
>
>diff --git a/selftest/knownfail b/selftest/knownfail
>index febbd2e..7a89fde 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
>@@ -261,6 +261,8 @@
> ^samba.wbinfo_simple.$s4member:local$.--allocate-gid
> ^samba.wbinfo_simple.$plugin_s4_dc:local$.--allocate-uid
> ^samba.wbinfo_simple.$plugin_s4_dc:local$.--allocate-gid
>+^samba.wbinfo_simple.$chgdcpass:local$.--allocate-uid
>+^samba.wbinfo_simple.$chgdcpass:local$.--allocate-gid
> #
> # These do not work against winbindd in member mode for unknown reasons
> #
>diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
>index 342de58..f7e2447 100755
>--- a/selftest/target/Samba4.pm
>+++ b/selftest/target/Samba4.pm
>@@ -1639,7 +1639,6 @@ sub provision_chgdcpass($$)
> 	print "PROVISIONING CHGDCPASS...";
> 	my $extra_provision_options = undef;
> 	push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
>-	my $extra_conf_options = "server services = +winbind -winbindd";
> 	my $ret = $self->provision($prefix,
> 				   "domain controller",
> 				   "chgdcpass",
>@@ -1647,8 +1646,7 @@ sub provision_chgdcpass($$)
> 				   "chgdcpassword.samba.example.com",
> 				   "2008",
> 				   "chgDCpass1",
>-				   undef, $extra_conf_options, "",
>-				   $extra_provision_options);
>+				   undef, "", "", $extra_provision_options);
> 
> 	return undef unless(defined $ret);
> 	unless($self->add_wins_config("$prefix/private")) {
>@@ -1658,8 +1656,7 @@ sub provision_chgdcpass($$)
> 	
> 	# Remove secrets.tdb from this environment to test that we
> 	# still start up on systems without the new matching
>-	# secrets.tdb records.  For this reason we don't run winbindd
>-	# in this environment
>+	# secrets.tdb records.  
> 	unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
> 		warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
> 		return undef;
>-- 
>2.1.4
>

Actions: View

Attachments on bug 10991: 11146 | 11147 | 11182