The Samba-Bugzilla – Attachment 11146 Details for
Bug 10991
after classicupgrade: winbindd crash with "Failed to fetch our own, local AD domain join password for winbindd's internal use"
[patch]
Have winbindd sync secrets.tdb with secrets.ldb at startup (4.2 version)
bug-10991.patch (text/plain), 7.74 KB, created by
Andrew Bartlett
on 2015-06-12 02:19:39 UTC
Description:
Have winbindd sync secrets.tdb with secrets.ldb at startup (4.2 version)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2015-06-12 02:19:39 UTC
Size:
7.74 KB
patch
obsolete
>From e76314aa056c961fa0bf71539d1c0feb1f7e851b Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 12 Jun 2015 11:54:21 +1200
>Subject: [PATCH 1/3] winbindd: Use pdb_get_domain_info() to get exactly the
> local domain info when we are an AD DC
>
>This also triggers pdb_samba_dsdb_init_secrets(), to force the
>correct SID into secrets.tdb.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
>---
> source3/winbindd/winbindd_util.c | 11 +++++++++--
> source4/selftest/tests.py | 2 +-
> 2 files changed, 10 insertions(+), 3 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
>index 0b7e234..424dccee 100644
>--- a/source3/winbindd/winbindd_util.c
>+++ b/source3/winbindd/winbindd_util.c
>@@ -623,10 +623,17 @@ bool init_domain_list(void)
> enum netr_SchannelType sec_chan_type;
> const char *account_name;
> struct samr_Password current_nt_hash;
>+ struct pdb_domain_info *pdb_domain_info;
> bool ok;
>
>- domain = add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
>- &cache_methods, get_global_sam_sid());
>+ pdb_domain_info = pdb_get_domain_info(talloc_tos());
>+ if (pdb_domain_info == NULL) {
>+ DEBUG(0, ("Failed to fetch our own, local AD domain info from sam.ldb\n"));
>+ return false;
>+ }
>+ domain = add_trusted_domain(pdb_domain_info->name, pdb_domain_info->dns_domain,
>+ &cache_methods, &pdb_domain_info->sid);
>+ TALLOC_FREE(pdb_domain_info);
> if (domain == NULL) {
> DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
> return false;
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 7c4f888..b223e6e 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
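Review bot: `&pdb_domain_info->sid` and the two name strings are handed to add_trusted_domain() and `pdb_domain_info` is then released with TALLOC_FREE on the very next line, so the new code is only correct if add_trusted_domain() copies those values into the domain entry instead of retaining the pointers; the hunk does not show that, and the call it replaces passed the long-lived get_global_sam_sid() pointer, so the lifetime assumption is new here. A one-line comment above the TALLOC_FREE would make that explicit, e.g. `/* add_trusted_domain() copies name, dns_domain and sid, so the info struct can go now */`, once the copy is confirmed. init_domain_list() starts before this hunk and continues after it.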
>@@ -380,7 +380,7 @@ for env in ["s3dc", "fl2003dc"]:
> for t in winbind_wbclient_tests:
> plansmbtorture4testsuite(t, "%s:local" % env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
>
>-for env in ["s3dc", "member", "plugin_s4_dc", "dc", "s3member", "s4member"]:
>+for env in ["s3dc", "member", "plugin_s4_dc", "dc", "s3member", "s4member", "chgdcpass"]:
> tests = ["--ping", "--separator",
> "--own-domain",
> "--all-domains",
>--
>2.1.4
>
>
>From 67a2264017bc9eaf638d5da17d306f53acd8e46e Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 12 Jun 2015 11:57:07 +1200
>Subject: [PATCH 2/3] winbindd: Sync secrets.ldb into secrets.tdb on startup
>
>This ensures that the domain SID and machine account password are written into
>secrets.tdb if the secrets.tdb file was either never written or was deleted.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> source3/winbindd/winbindd_util.c | 41 +++++++++++++++++++++++++++++++++++++---
> 1 file changed, 38 insertions(+), 3 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
>index 424dccee..82381d6 100644
>--- a/source3/winbindd/winbindd_util.c
>+++ b/source3/winbindd/winbindd_util.c
>@@ -27,6 +27,7 @@
> #include "../libcli/auth/pam_errors.h"
> #include "passdb/machine_sid.h"
> #include "passdb.h"
>+#include "auth/credentials/credentials.h"
>
> #undef DBGC_CLASS
> #define DBGC_CLASS DBGC_WINBIND
>@@ -647,13 +648,47 @@ bool init_domain_list(void)
> &account_name,
> &sec_chan_type);
> if (!ok) {
>- DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
>- return false;
>+ /* If get_trust_pw_hash() fails, then try and fetch the password from the more recent of secrets.{ldb,tdb} using the pdb_get_trust_credentials() */
>+ struct cli_credentials *creds;
>+ NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name, NULL, domain, &creds);
>+ if (!NT_STATUS_IS_OK(can_migrate)) {
>+ DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use, both from secrets.tdb and secrets.ldb: %s\n", nt_errstr(can_migrate)));
>+ return false;
>+ }
>+
>+ /* NOTE: It is very unlikely we end up
>+ * here if there is an oldpass,
>+ * because a new password is created
>+ * at classicupgrade, so this is not a
>+ * concern. */
>+ ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
>+ NULL /* oldpass */,
>+ cli_credentials_get_domain(creds),
>+ cli_credentials_get_realm(creds),
>+ cli_credentials_get_salt_principal(creds),
>+ 0, /* Supported enc types, unused */
>+ &domain->sid,
>+ cli_credentials_get_password_last_changed_time(creds),
>+ cli_credentials_get_secure_channel_type(creds),
>+ false /* do_delete: Do not delete */);
>+ TALLOC_FREE(creds);
>+ if (ok == false) {
>+ DEBUG(0, ("Failed to write our our own, local AD domain join password for winbindd's internal use into secrets.tdb\n"));
>+ return false;
>+ }
>+ ok = get_trust_pw_hash(domain->name,
>+ current_nt_hash.hash,
>+ &account_name,
>+ &sec_chan_type);
>+ if (ok == false) {
>+ DEBUG(0, ("Failed to re-fetch our own, local AD domain join password for winbindd's internal use from secrets.tdb: %s\n", nt_errstr(can_migrate)));
>+ return false;
>+ }
> }
> if (sec_chan_type == SEC_CHAN_RODC) {
> domain->rodc = true;
> }
>-
>+
> } else {
> (void)add_trusted_domain(get_global_sam_name(), NULL,
> &cache_methods,
get_global_sam_sid());
>--
>2.1.4
>
>
>From 7911513dbb357c11a6a7ebea2d6bb5b7eacf893f Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Thu, 11 Jun 2015 17:19:38 +1200
>Subject: [PATCH 3/3] selftest: Change chgdcpass environment to use winbindd
>
>This allows us to test that winbindd starts up without secrets.tdb, as happens after
>a classicupgrade.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
>---
> selftest/knownfail | 2 ++
> selftest/target/Samba4.pm | 7 ++-----
> 2 files changed, 4 insertions(+), 5 deletions(-)
>
>diff --git a/selftest/knownfail b/selftest/knownfail
>index febbd2e..7a89fde 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
>@@ -261,6 +261,8 @@
> ^samba.wbinfo_simple.\(s4member:local\).--allocate-gid
> ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-uid
> ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-gid
>+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
>+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
> #
> # These do not work against winbindd in member mode for unknown reasons
> #
>diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
>index 342de58..f7e2447 100755
>--- a/selftest/target/Samba4.pm
>+++ b/selftest/target/Samba4.pm
>@@ -1639,7 +1639,6 @@ sub provision_chgdcpass($$)
> print "PROVISIONING CHGDCPASS...";
> my $extra_provision_options = undef;
> push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
>- my $extra_conf_options = "server services = +winbind -winbindd";
> my $ret = $self->provision($prefix,
> "domain controller",
> "chgdcpass",
>@@ -1647,8 +1646,7 @@ sub provision_chgdcpass($$)
> "chgdcpassword.samba.example.com",
> "2008",
> "chgDCpass1",
>- undef, $extra_conf_options, "",
>- $extra_provision_options);
>+ undef, "", "", $extra_provision_options);
>
> return undef unless(defined $ret);
> unless($self->add_wins_config("$prefix/private")) {
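Review bot: The re-fetch failure message at the end of the added block in the `@@ -647,13 +648,47 @@` hunk prints `nt_errstr(can_migrate)`, but `can_migrate` is necessarily NT_STATUS_OK at that point (the earlier check returned otherwise), so the log would report the retry as failing with "NT_STATUS_OK"; drop the status from that message: `DEBUG(0, ("Failed to re-fetch our own, local AD domain join password for winbindd's internal use from secrets.tdb\n"));`. The preceding write-failure message also doubles a word (`"our our own"`). Separately, `cli_credentials_get_password(creds)` is passed straight into secrets_store_machine_pw_sync() with no NULL check; whether the credentials returned by pdb_get_trust_credentials() always carry a password is not visible here, so that is worth confirming or guarding before the sync, since a missing password would otherwise be reported only as a generic write failure. The `-`/`+` pair of blank lines before `} else {` is a whitespace-only change that adds noise to the hunk. init_domain_list() starts before this hunk and continues after it.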
>@@ -1658,8 +1656,7 @@ sub provision_chgdcpass($$)
>
> # Remove secrets.tdb from this environment to test that we
> # still start up on systems without the new matching
>- # secrets.tdb records. For this reason we don't run winbindd
>- # in this environment
>+ # secrets.tdb records.
> unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
> warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
> return undef;
>--
>2.1.4
>