From e98f308e1bb1e89bf3fa7cc61b548c9335ffa469 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 17 Jun 2015 11:10:15 +1200
Subject: [PATCH 1/4] selftest: Run winbind tests in chgdcpass environment

This ensures that winbind both starts and operates without a secrets.tdb (chgdcpass deliberatly removes the secrets.tdb file after provision, like has happend with classicupgrade).

Andrew Bartlett
Signed-off-by: Andrew Bartlett
(backport of master commit 5bb647b78806413a94f959d0b2b417a97b7a2173)
---
 selftest/knownfail | 14 ++++++++++++++
 source4/selftest/tests.py | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index febbd2e..d42830f 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -257,6 +257,8 @@
 ^samba4.winbind.struct.show_sequence\(dc\)
 ^samba.wbinfo_simple.\(dc:local\).--allocate-uid
 ^samba.wbinfo_simple.\(dc:local\).--allocate-gid
+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-uid
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-gid
 ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-uid
@@ -287,6 +289,16 @@
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo -I against dc\(dc:local\)
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo --trusted-domains against dc\(dc:local\)
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo --all-domains against dc\(dc:local\)
+^samba.wbinfo_simple.\(chgdcpass:local\).--all-domains.wbinfo\(chgdcpass:local\)
+^samba.wbinfo_simple.\(chgdcpass:local\).--trusted-domains.wbinfo\(chgdcpass:local\)
+^samba.wbinfo_simple.\(chgdcpass:local\).--online-status.wbinfo\(chgdcpass:local\)
+^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=BUILTIN.wbinfo\(chgdcpass:local\)
+^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
+^samba.wbinfo_simple.\(chgdcpass:local\).--change-secret --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
+^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
+^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo -I against chgdcpass\(chgdcpass:local\)
+^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo --trusted-domains against chgdcpass\(chgdcpass:local\)
+^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo --all-domains against chgdcpass\(chgdcpass:local\)
 #
 # These do not work against winbindd in member mode for unknown reasons
 #
@@ -296,3 +308,5 @@
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G check for sane mapping\(s3member:local\)
 ^samba.ntlm_auth.\(dc:local\).ntlm_auth against winbindd with failed require-membership-of
 ^samba.ntlm_auth.\(dc:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
+^samba.ntlm_auth.\(chgdcpass:local\).ntlm_auth against winbindd with failed require-membership-of
+^samba.ntlm_auth.\(chgdcpass:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 7c4f888..b223e6e 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -380,7 +380,7 @@ for env in ["s3dc", "fl2003dc"]:
 for t in winbind_wbclient_tests:
 plansmbtorture4testsuite(t, "%s:local" % env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
-for env in ["s3dc", "member", "plugin_s4_dc", "dc", "s3member", "s4member"]:
+for env in ["s3dc", "member", "plugin_s4_dc", "dc", "s3member", "s4member", "chgdcpass"]:
 tests = ["--ping", "--separator", "--own-domain", "--all-domains",
--
2.1.4

From 02825087b7f3970ac2c84107d3c508f4806b2c41 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 12 Jun 2015 11:54:21 +1200
Subject: [PATCH 2/4] winbindd: Use pdb_get_domain_info() to get exactly the local domain info when we are an AD DC

This also triggers pdb_samba_dsdb_init_secrets(), to force the correct SID into secrets.tdb.

Signed-off-by: Andrew Bartlett
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
(backport of master commit b209cd1677b306d72e56a98ecb02db421a5ca35a)
---
 source3/winbindd/winbindd_util.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 0b7e234..424dccee 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -623,10 +623,17 @@ bool init_domain_list(void)
 enum netr_SchannelType sec_chan_type;
 const char *account_name;
 struct samr_Password current_nt_hash;
+ struct pdb_domain_info *pdb_domain_info;
 bool ok;
- domain = add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
- &cache_methods, get_global_sam_sid());
+ pdb_domain_info = pdb_get_domain_info(talloc_tos());
+ if (pdb_domain_info == NULL) {
+ DEBUG(0, ("Failed to fetch our own, local AD domain info from sam.ldb\n"));
+ return false;
+ }
+ domain = add_trusted_domain(pdb_domain_info->name, pdb_domain_info->dns_domain,
+ &cache_methods, &pdb_domain_info->sid);
+ TALLOC_FREE(pdb_domain_info);
 if (domain == NULL) {
 DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
 return false;
--
2.1.4

From d62c0ff3b360458d95eb38ab24e4f87548a79228 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 12 Jun 2015 11:57:07 +1200
Subject: [PATCH 3/4] winbindd: Sync secrets.ldb into secrets.tdb on startup

This ensures that the domain SID and machine account password are written into secrets.tdb if the secrets.tdb file was either never written or was deleted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
Signed-off-by: Andrew Bartlett
(backport of master commit 5de7621cbfba1e1fb52cddf41a5a13d027d45b46)
---
 source3/winbindd/winbindd_util.c | 74 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 71 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 424dccee..c0883eb 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -27,6 +27,7 @@
 #include "../libcli/auth/pam_errors.h"
 #include "passdb/machine_sid.h"
 #include "passdb.h"
+#include "auth/credentials/credentials.h"
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
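Review bot: `TALLOC_FREE(pdb_domain_info)` runs immediately after `add_trusted_domain()` has been handed `pdb_domain_info->name`, `pdb_domain_info->dns_domain` and `&pdb_domain_info->sid`, so the new code is only correct if add_trusted_domain() duplicates those into the new winbindd_domain rather than retaining the pointers; that matches my reading of the existing helper, but it lives outside the hunk, so a short comment on the free would save the next reader the check: `/* add_trusted_domain() copies name, alt_name and the SID; the passdb info is not needed past this point */`. The replacement also changes startup behaviour: the old code could not fail here, while a NULL from `pdb_get_domain_info()` now makes `init_domain_list()` return false, which is the fail-closed choice one would want for a DC whose own SAM cannot be read, and worth a sentence in the commit message. init_domain_list() starts and ends outside the hunk.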
@@ -603,6 +604,49 @@ enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domai
 return WINBINDD_OK;
 }
+/*
+ * We did not get the secret when we queried secrets.tdb, so read it
+ * from secrets.tdb and re-sync the databases
+ */
+static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
+{
+ bool ok;
+ struct cli_credentials *creds;
+ NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
+ NULL, domain, &creds);
+ if (!NT_STATUS_IS_OK(can_migrate)) {
+ DEBUG(0, ("Failed to fetch our own, local AD domain join password "
+ "for winbindd's internal use, both from secrets.tdb "
+ "and secrets.ldb: %s\n",
+ nt_errstr(can_migrate)));
+ return false;
+ }
+
+ /*
+ * NOTE: It is very unlikely we end up here if there is an
+ * oldpass, because a new password is created at
+ * classicupgrade, so this is not a concern.
+ */
+ ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
+ NULL /* oldpass */,
+ cli_credentials_get_domain(creds),
+ cli_credentials_get_realm(creds),
+ cli_credentials_get_salt_principal(creds),
+ 0, /* Supported enc types, unused */
+ &domain->sid,
+ cli_credentials_get_password_last_changed_time(creds),
+ cli_credentials_get_secure_channel_type(creds),
+ false /* do_delete: Do not delete */);
+ TALLOC_FREE(creds);
+ if (ok == false) {
+ DEBUG(0, ("Failed to write our our own, "
+ "local AD domain join password for "
+ "winbindd's internal use into secrets.tdb\n"));
+ return false;
+ }
+ return true;
+}
+
 /* Look up global info for the winbind daemon */
 bool init_domain_list(void)
 {
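Review bot: The header comment and the function name describe the opposite direction from what the body does: the comment says the secret is read "from secrets.tdb", yet the code obtains it through `pdb_get_trust_credentials()` (whose own failure text names both secrets.tdb and secrets.ldb) and then writes it into secrets.tdb with `secrets_store_machine_pw_sync()`. I would replace the header with `/* get_trust_pw_hash() found nothing in secrets.tdb: fetch the machine account credentials via passdb (secrets.ldb on an AD DC) and write them back into secrets.tdb so both stores agree. */` and consider a name such as `migrate_secrets_ldb_to_tdb()`, since a helper that copies the machine-account secret between stores is exactly the place where a misleading name causes a later mistake. The failure message also has a doubled word, `"Failed to write our our own, "` should read `"Failed to write our own, "`; the same `our our` appears in the retry hunk that follows in init_domain_list(). It is not visible from the hunk whether `cli_credentials_get_password(creds)` can return NULL when the credentials carry only a hash, so a guard before the store may be warranted — worth confirming against the credentials API.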
@@ -647,13 +691,37 @@ bool init_domain_list(void)
 &account_name,
 &sec_chan_type);
 if (!ok) {
- DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
- return false;
+ /*
+ * If get_trust_pw_hash() fails, then try and
+ * fetch the password from the more recent of
+ * secrets.{ldb,tdb} using the
+ * pdb_get_trust_credentials()
+ */
+ ok = migrate_secrets_tdb_to_ldb(domain);
+
+ if (ok == false) {
+ DEBUG(0, ("Failed to migrate our own, "
+ "local AD domain join password for "
+ "winbindd's internal use into "
+ "secrets.tdb\n"));
+ return false;
+ }
+ ok = get_trust_pw_hash(domain->name,
+ current_nt_hash.hash,
+ &account_name,
+ &sec_chan_type);
+ if (ok == false) {
+ DEBUG(0, ("Failed to find our our own, just "
+ "written local AD domain join "
+ "password for winbindd's internal "
+ "use in secrets.tdb\n"));
+ return false;
+ }
 }
 if (sec_chan_type == SEC_CHAN_RODC) {
 domain->rodc = true;
 }
-
+
 } else {
 (void)add_trusted_domain(get_global_sam_name(), NULL,
 &cache_methods, get_global_sam_sid());
--
2.1.4

From cb5b36d8eda1cf290ce7640c08d10a077b542a1d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 17 Jun 2015 12:05:58 +1200
Subject: [PATCH 4/4] selftest: Change chgdcpass environment to use winbindd

This allows us to test that winbindd starts up without secrets.tdb, as happens after a classicupgrade.

Signed-off-by: Andrew Bartlett
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
(backport of master commit db59f9ec731e3abbeba3070925a6dedaac26e6e5)
---
 selftest/knownfail | 16 ++--------------
 selftest/target/Samba4.pm | 7 ++-----
 2 files changed, 4 insertions(+), 19 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index d42830f..7a89fde 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
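Review bot: The retry path tests the same flag in two styles within a few lines — the pre-existing `if (!ok) {` and the two new `if (ok == false) {` — and the surrounding function already uses the `!ok` form; writing both new checks as `if (!ok) {` keeps the block consistent. The `-`/`+` pair just before `} else {` looks like a whitespace-only change to an otherwise untouched line, which is fine but could be noted in the commit message so it is not mistaken for a logic change. init_domain_list() starts and ends outside the hunk.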
@@ -257,12 +257,12 @@
 ^samba4.winbind.struct.show_sequence\(dc\)
 ^samba.wbinfo_simple.\(dc:local\).--allocate-uid
 ^samba.wbinfo_simple.\(dc:local\).--allocate-gid
-^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
-^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-uid
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-gid
 ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-uid
 ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-gid
+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
 #
 # These do not work against winbindd in member mode for unknown reasons
 #
@@ -289,16 +289,6 @@
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo -I against dc\(dc:local\)
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo --trusted-domains against dc\(dc:local\)
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo --all-domains against dc\(dc:local\)
-^samba.wbinfo_simple.\(chgdcpass:local\).--all-domains.wbinfo\(chgdcpass:local\)
-^samba.wbinfo_simple.\(chgdcpass:local\).--trusted-domains.wbinfo\(chgdcpass:local\)
-^samba.wbinfo_simple.\(chgdcpass:local\).--online-status.wbinfo\(chgdcpass:local\)
-^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=BUILTIN.wbinfo\(chgdcpass:local\)
-^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
-^samba.wbinfo_simple.\(chgdcpass:local\).--change-secret --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
-^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
-^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo -I against chgdcpass\(chgdcpass:local\)
-^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo --trusted-domains against chgdcpass\(chgdcpass:local\)
-^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo --all-domains against chgdcpass\(chgdcpass:local\)
 #
 # These do not work against winbindd in member mode for unknown reasons
 #
@@ -308,5 +298,3 @@
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G check for sane mapping\(s3member:local\)
 ^samba.ntlm_auth.\(dc:local\).ntlm_auth against winbindd with failed require-membership-of
 ^samba.ntlm_auth.\(dc:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
-^samba.ntlm_auth.\(chgdcpass:local\).ntlm_auth against winbindd with failed require-membership-of
-^samba.ntlm_auth.\(chgdcpass:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 342de58..f7e2447 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1639,7 +1639,6 @@ sub provision_chgdcpass($$)
 print "PROVISIONING CHGDCPASS...";
 my $extra_provision_options = undef;
 push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
- my $extra_conf_options = "server services = +winbind -winbindd";
 my $ret = $self->provision($prefix,
 "domain controller",
 "chgdcpass",
@@ -1647,8 +1646,7 @@ sub provision_chgdcpass($$)
 "chgdcpassword.samba.example.com",
 "2008",
 "chgDCpass1",
- undef, $extra_conf_options, "",
- $extra_provision_options);
+ undef, "", "", $extra_provision_options);
 return undef unless(defined $ret);
 unless($self->add_wins_config("$prefix/private")) {
@@ -1658,8 +1656,7 @@ sub provision_chgdcpass($$)
 # Remove secrets.tdb from this environment to test that we
 # still start up on systems without the new matching
- # secrets.tdb records. For this reason we don't run winbindd
- # in this environment
+ # secrets.tdb records.
 unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") ||
 unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
 warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
 return undef;
--
2.1.4