The Samba-Bugzilla – Attachment 11182 Details for
Bug 10991
after classicupgrade: winbindd crash with "Failed to fetch our own, local AD domain join password for winbindd's internal use"
Have winbindd sync secrets.tdb with secrets.ldb at startup (4.2 version)
bug-10991-4.2.patch (text/plain), 13.87 KB, created by
Andrew Bartlett
on 2015-06-22 04:26:20 UTC
Description:
Have winbindd sync secrets.tdb with secrets.ldb at startup (4.2 version)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2015-06-22 04:26:20 UTC
Size:
13.87 KB
patch
obsolete
>From e98f308e1bb1e89bf3fa7cc61b548c9335ffa469 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Wed, 17 Jun 2015 11:10:15 +1200
>Subject: [PATCH 1/4] selftest: Run winbind tests in chgdcpass environment
>
>This ensures that winbind both starts and operates without a secrets.tdb
>
>(chgdcpass deliberatly removes the secrets.tdb file after provision, like has happend with classicupgrade).
>
>Andrew Bartlett
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>(backport of master commit 5bb647b78806413a94f959d0b2b417a97b7a2173)
>---
> selftest/knownfail | 14 ++++++++++++++
> source4/selftest/tests.py | 2 +-
> 2 files changed, 15 insertions(+), 1 deletion(-)
>
>diff --git a/selftest/knownfail b/selftest/knownfail
>index febbd2e..d42830f 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
>@@ -257,6 +257,8 @@
> ^samba4.winbind.struct.show_sequence\(dc\)
> ^samba.wbinfo_simple.\(dc:local\).--allocate-uid
> ^samba.wbinfo_simple.\(dc:local\).--allocate-gid
>+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
>+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
> ^samba.wbinfo_simple.\(s4member:local\).--allocate-uid
> ^samba.wbinfo_simple.\(s4member:local\).--allocate-gid
> ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-uid
>@@ -287,6 +289,16 @@
> ^samba.blackbox.wbinfo\(dc:local\).wbinfo -I against dc\(dc:local\)
> ^samba.blackbox.wbinfo\(dc:local\).wbinfo --trusted-domains against dc\(dc:local\)
> ^samba.blackbox.wbinfo\(dc:local\).wbinfo --all-domains against dc\(dc:local\)
>+^samba.wbinfo_simple.\(chgdcpass:local\).--all-domains.wbinfo\(chgdcpass:local\)
>+^samba.wbinfo_simple.\(chgdcpass:local\).--trusted-domains.wbinfo\(chgdcpass:local\)
>+^samba.wbinfo_simple.\(chgdcpass:local\).--online-status.wbinfo\(chgdcpass:local\)
>+^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=BUILTIN.wbinfo\(chgdcpass:local\)
>+^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
>+^samba.wbinfo_simple.\(chgdcpass:local\).--change-secret --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
>+^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
>+^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo -I against chgdcpass\(chgdcpass:local\)
>+^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo --trusted-domains against chgdcpass\(chgdcpass:local\)
>+^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo --all-domains against chgdcpass\(chgdcpass:local\)
> #
> # These do not work against winbindd in member mode for unknown reasons
> #
>@@ -296,3 +308,5 @@
> ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G check for sane mapping\(s3member:local\)
> ^samba.ntlm_auth.\(dc:local\).ntlm_auth against winbindd with failed require-membership-of
> ^samba.ntlm_auth.\(dc:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
>+^samba.ntlm_auth.\(chgdcpass:local\).ntlm_auth against winbindd with failed require-membership-of
>+^samba.ntlm_auth.\(chgdcpass:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 7c4f888..b223e6e 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -380,7 +380,7 @@ for env in ["s3dc", "fl2003dc"]:
> for t in winbind_wbclient_tests:
> plansmbtorture4testsuite(t, "%s:local" % env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
>
>-for env in ["s3dc", "member", "plugin_s4_dc", "dc", "s3member", "s4member"]:
>+for env in ["s3dc", "member", "plugin_s4_dc", "dc", "s3member", "s4member", "chgdcpass"]:
> tests = ["--ping", "--separator",
> "--own-domain",
> "--all-domains",
>--
>2.1.4
>
>
>From 02825087b7f3970ac2c84107d3c508f4806b2c41 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 12 Jun 2015 11:54:21 +1200
>Subject: [PATCH 2/4] winbindd: Use pdb_get_domain_info() to get exactly the
> local domain info when we are an AD DC
>
>This also triggers pdb_samba_dsdb_init_secrets(), to force the
>correct SID into secrets.tdb.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
>(backport of master commit b209cd1677b306d72e56a98ecb02db421a5ca35a)
>---
> source3/winbindd/winbindd_util.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
>index 0b7e234..424dccee 100644
>--- a/source3/winbindd/winbindd_util.c
>+++ b/source3/winbindd/winbindd_util.c
>@@ -623,10 +623,17 @@ bool init_domain_list(void)
> enum netr_SchannelType sec_chan_type;
> const char *account_name;
> struct samr_Password current_nt_hash;
>+ struct pdb_domain_info *pdb_domain_info;
> bool ok;
>
>- domain = add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
>- &cache_methods, get_global_sam_sid());
>+ pdb_domain_info = pdb_get_domain_info(talloc_tos());
>+ if (pdb_domain_info == NULL) {
>+ DEBUG(0, ("Failed to fetch our own, local AD domain info from sam.ldb\n"));
>+ return false;
>+ }
>+ domain = add_trusted_domain(pdb_domain_info->name, pdb_domain_info->dns_domain,
>+ &cache_methods, &pdb_domain_info->sid);
>+ TALLOC_FREE(pdb_domain_info);
> if (domain == NULL) {
> DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
> return false;
>--
>2.1.4
>
>
>From d62c0ff3b360458d95eb38ab24e4f87548a79228 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 12 Jun 2015 11:57:07 +1200
>Subject: [PATCH 3/4] winbindd: Sync secrets.ldb into secrets.tdb on startup
>
>This ensures that the domain SID and machine account password are written into
>secrets.tdb if the secrets.tdb file was either never written or was deleted.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>(backport of master commit 5de7621cbfba1e1fb52cddf41a5a13d027d45b46)
>---
> source3/winbindd/winbindd_util.c | 74 ++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 71 insertions(+), 3 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
>index 424dccee..c0883eb 100644
>--- a/source3/winbindd/winbindd_util.c
>+++ b/source3/winbindd/winbindd_util.c
>@@ -27,6 +27,7 @@
> #include "../libcli/auth/pam_errors.h"
> #include "passdb/machine_sid.h"
> #include "passdb.h"
>+#include "auth/credentials/credentials.h"
>
> #undef DBGC_CLASS
> #define DBGC_CLASS DBGC_WINBIND
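Review bot: The new code in the @@ -623 hunk frees `pdb_domain_info` with `TALLOC_FREE(pdb_domain_info);` immediately after handing `pdb_domain_info->name`, `pdb_domain_info->dns_domain` and `&pdb_domain_info->sid` to `add_trusted_domain()`, whereas the removed code passed `get_global_sam_name()`/`get_global_sam_sid()`, which presumably live for the process lifetime. That is only safe if `add_trusted_domain()` copies all three arguments into the `winbindd_domain` it returns rather than retaining the pointers; that function is not in the hunk, so please confirm and record it, e.g. `/* add_trusted_domain() copies name, dns_domain and sid; the pdb info can go now */` above the `TALLOC_FREE`. The allocation is made on `talloc_tos()`, so whether an enclosing talloc stackframe is in place for this function is worth checking too; the body of `init_domain_list()` starts and ends outside the hunk.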
>@@ -603,6 +604,49 @@ enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domai
> return WINBINDD_OK;
> }
>
>+/*
>+ * We did not get the secret when we queried secrets.tdb, so read it
>+ * from secrets.tdb and re-sync the databases
>+ */
>+static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
>+{
>+ bool ok;
>+ struct cli_credentials *creds;
>+ NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
>+ NULL, domain, &creds);
>+ if (!NT_STATUS_IS_OK(can_migrate)) {
>+ DEBUG(0, ("Failed to fetch our own, local AD domain join password "
>+ "for winbindd's internal use, both from secrets.tdb "
>+ "and secrets.ldb: %s\n",
>+ nt_errstr(can_migrate)));
>+ return false;
>+ }
>+
>+ /*
>+ * NOTE: It is very unlikely we end up here if there is an
>+ * oldpass, because a new password is created at
>+ * classicupgrade, so this is not a concern.
>+ */
>+ ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
>+ NULL /* oldpass */,
>+ cli_credentials_get_domain(creds),
>+ cli_credentials_get_realm(creds),
>+ cli_credentials_get_salt_principal(creds),
>+ 0, /* Supported enc types, unused */
>+ &domain->sid,
>+ cli_credentials_get_password_last_changed_time(creds),
>+ cli_credentials_get_secure_channel_type(creds),
>+ false /* do_delete: Do not delete */);
>+ TALLOC_FREE(creds);
>+ if (ok == false) {
>+ DEBUG(0, ("Failed to write our our own, "
>+ "local AD domain join password for "
>+ "winbindd's internal use into secrets.tdb\n"));
>+ return false;
>+ }
>+ return true;
>+}
>+
> /* Look up global info for the winbind daemon */
> bool init_domain_list(void)
> {
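Review bot: The direction in the name and header comment of the new `migrate_secrets_tdb_to_ldb()` is backwards: the function obtains the credentials via `pdb_get_trust_credentials()` (the error text names secrets.ldb as the source) and then writes them with `secrets_store_machine_pw_sync()` into secrets.tdb, so it is an ldb-to-tdb sync; since the function is `static`, renaming it `migrate_secrets_ldb_to_tdb` and fixing the comment to ` * from secrets.ldb and re-sync the databases` costs nothing. Because this path duplicates the DC's machine-account password into a second on-disk store, it is worth confirming that `secrets_store_machine_pw_sync()` creates a missing secrets.tdb with the same restrictive mode as the rest of the private directory, and that `cli_credentials_get_password(creds)` cannot be NULL here (a credentials object holding only an NT hash would otherwise be passed through as a NULL password); a guard such as `if (cli_credentials_get_password(creds) == NULL) { TALLOC_FREE(creds); return false; }` before the store call would make that explicit. The `NULL /* oldpass */` means any previous password known to secrets.ldb is dropped from the copy, which the NOTE acknowledges but a DC mid-rotation would hit; a sentence saying so in the NOTE would help. The failure message also carries a duplicated word, `"Failed to write our our own, "`.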
>@@ -647,13 +691,37 @@ bool init_domain_list(void)
> &account_name,
> &sec_chan_type);
> if (!ok) {
>- DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
>- return false;
>+ /*
>+ * If get_trust_pw_hash() fails, then try and
>+ * fetch the password from the more recent of
>+ * secrets.{ldb,tdb} using the
>+ * pdb_get_trust_credentials()
>+ */
>+ ok = migrate_secrets_tdb_to_ldb(domain);
>+
>+ if (ok == false) {
>+ DEBUG(0, ("Failed to migrate our own, "
>+ "local AD domain join password for "
>+ "winbindd's internal use into "
>+ "secrets.tdb\n"));
>+ return false;
>+ }
>+ ok = get_trust_pw_hash(domain->name,
>+ current_nt_hash.hash,
>+ &account_name,
>+ &sec_chan_type);
>+ if (ok == false) {
>+ DEBUG(0, ("Failed to find our our own, just "
>+ "written local AD domain join "
>+ "password for winbindd's internal "
>+ "use in secrets.tdb\n"));
>+ return false;
>+ }
> }
> if (sec_chan_type == SEC_CHAN_RODC) {
> domain->rodc = true;
> }
>-
>+
> } else {
> (void)add_trusted_domain(get_global_sam_name(), NULL,
> &cache_methods, get_global_sam_sid());
>--
>2.1.4
>
>
>From cb5b36d8eda1cf290ce7640c08d10a077b542a1d Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Wed, 17 Jun 2015 12:05:58 +1200
>Subject: [PATCH 4/4] selftest: Change chgdcpass environment to use winbindd
>
>This allows us to test that winbindd starts up without secrets.tdb, as happens after
>a classicupgrade.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
>(backport of master commit db59f9ec731e3abbeba3070925a6dedaac26e6e5)
>---
> selftest/knownfail | 16 ++--------------
> selftest/target/Samba4.pm | 7 ++-----
> 2 files changed, 4 insertions(+), 19 deletions(-)
>
>diff --git a/selftest/knownfail b/selftest/knownfail
>index d42830f..7a89fde 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
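Review bot: The new comment in the @@ -647 hunk claims the fallback fetches the password "from the more recent of secrets.{ldb,tdb}", but the only call made is `pdb_get_trust_credentials()` inside the helper, and nothing in the hunk shows it consulting secrets.tdb or comparing timestamps; unless that is known to be how the passdb backend behaves, the comment should say less, e.g. ` * fetch the password via pdb_get_trust_credentials() (secrets.ldb on an AD DC) and write it into secrets.tdb`. The two new checks use `if (ok == false)` while the pre-existing line three above uses `if (!ok)`; the file's own form is `if (!ok) {`. The removed/added blank line near `} else {` appears to be a whitespace-only change and can be dropped from the backport, and the second new log message repeats a word: `"Failed to find our our own, just "`. `init_domain_list()` continues outside the hunk on both sides.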
>@@ -257,12 +257,12 @@
> ^samba4.winbind.struct.show_sequence\(dc\)
> ^samba.wbinfo_simple.\(dc:local\).--allocate-uid
> ^samba.wbinfo_simple.\(dc:local\).--allocate-gid
>-^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
>-^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
> ^samba.wbinfo_simple.\(s4member:local\).--allocate-uid
> ^samba.wbinfo_simple.\(s4member:local\).--allocate-gid
> ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-uid
> ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-gid
>+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
>+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
> #
> # These do not work against winbindd in member mode for unknown reasons
> #
>@@ -289,16 +289,6 @@
> ^samba.blackbox.wbinfo\(dc:local\).wbinfo -I against dc\(dc:local\)
> ^samba.blackbox.wbinfo\(dc:local\).wbinfo --trusted-domains against dc\(dc:local\)
> ^samba.blackbox.wbinfo\(dc:local\).wbinfo --all-domains against dc\(dc:local\)
>-^samba.wbinfo_simple.\(chgdcpass:local\).--all-domains.wbinfo\(chgdcpass:local\)
>-^samba.wbinfo_simple.\(chgdcpass:local\).--trusted-domains.wbinfo\(chgdcpass:local\)
>-^samba.wbinfo_simple.\(chgdcpass:local\).--online-status.wbinfo\(chgdcpass:local\)
>-^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=BUILTIN.wbinfo\(chgdcpass:local\)
>-^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
>-^samba.wbinfo_simple.\(chgdcpass:local\).--change-secret --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
>-^samba.wbinfo_simple.\(chgdcpass:local\).--online-status --domain=CHDCDOMAIN.wbinfo\(chgdcpass:local\)
>-^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo -I against chgdcpass\(chgdcpass:local\)
>-^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo --trusted-domains against chgdcpass\(chgdcpass:local\)
>-^samba.blackbox.wbinfo\(chgdcpass:local\).wbinfo --all-domains against chgdcpass\(chgdcpass:local\)
> #
> # These do not work against winbindd in member mode for unknown reasons
> #
>@@ -308,5 +298,3 @@
> ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G check for sane mapping\(s3member:local\)
> ^samba.ntlm_auth.\(dc:local\).ntlm_auth against winbindd with failed require-membership-of
> ^samba.ntlm_auth.\(dc:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
>-^samba.ntlm_auth.\(chgdcpass:local\).ntlm_auth against winbindd with failed require-membership-of
>-^samba.ntlm_auth.\(chgdcpass:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
>diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
>index 342de58..f7e2447 100755
>--- a/selftest/target/Samba4.pm
>+++ b/selftest/target/Samba4.pm
>@@ -1639,7 +1639,6 @@ sub provision_chgdcpass($$)
> print "PROVISIONING CHGDCPASS...";
> my $extra_provision_options = undef;
> push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
>- my $extra_conf_options = "server services = +winbind -winbindd";
> my $ret = $self->provision($prefix,
> "domain controller",
> "chgdcpass",
>@@ -1647,8 +1646,7 @@ sub provision_chgdcpass($$)
> "chgdcpassword.samba.example.com",
> "2008",
> "chgDCpass1",
>- undef, $extra_conf_options, "",
>- $extra_provision_options);
>+ undef, "", "", $extra_provision_options);
>
> return undef unless(defined $ret);
> unless($self->add_wins_config("$prefix/private")) {
>@@ -1658,8 +1656,7 @@ sub provision_chgdcpass($$)
>
> # Remove secrets.tdb from this environment to test that we
> # still start up on systems without the new matching
>- # secrets.tdb records. For this reason we don't run winbindd
>- # in this environment
>+ # secrets.tdb records.
> unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
> warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
> return undef;
>--
>2.1.4
>
Flags:
jra
:
review+