From ed953201291f6550f29290c4287535ef85b4605f Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Fri, 14 Dec 2018 10:37:11 +1300 Subject: [PATCH 01/13] python/gpclass: Convert gpclass to use s3 SMB Python bindings BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit 3b2e86bba1f6b22b144b07db454b842f0c0779ae) --- python/samba/gpclass.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py index fb7c705..0040f23 100644 --- a/python/samba/gpclass.py +++ b/python/samba/gpclass.py @@ -29,7 +29,8 @@ import xml.etree.ElementTree as etree import re from samba.net import Net from samba.dcerpc import nbt -from samba import smb +from samba.samba3 import libsmb_samba_internal as libsmb +from samba.samba3 import param as s3param import samba.gpo as gpo from samba.param import LoadParm from uuid import UUID @@ -386,7 +387,7 @@ def cache_gpo_dir(conn, cache, sub_dir): if e.errno != errno.EEXIST: raise for fdata in conn.list(sub_dir): - if fdata['attrib'] & smb.FILE_ATTRIBUTE_DIRECTORY: + if fdata['attrib'] & libsmb.FILE_ATTRIBUTE_DIRECTORY: cache_gpo_dir(conn, cache, os.path.join(sub_dir, fdata['name'])) else: local_name = fdata['name'].upper() @@ -407,7 +408,10 @@ def check_safe_path(path): def check_refresh_gpo_list(dc_hostname, lp, creds, gpos): - conn = smb.SMB(dc_hostname, 'sysvol', lp=lp, creds=creds, sign=True) + # the SMB bindings rely on having a s3 loadparm + s3_lp = s3param.get_context() + s3_lp.load(lp.configfile) + conn = libsmb.Conn(dc_hostname, 'sysvol', lp=s3_lp, creds=creds, sign=True) cache_path = lp.cache_path('gpo_cache') for gpo in gpos: if not gpo.file_sys_path: -- 2.7.4 From 26ad9cde93d779b5c3cf57dc50edf792484a8934 Mon Sep 17 00:00:00 2001 
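Review bot: In check_refresh_gpo_list (python/samba/gpclass.py), `s3_lp` is filled only from `lp.configfile`, so any value that was changed on `lp` after the file was read would not reach `libsmb.Conn`. Whether callers override signing or protocol options that way is not visible in this hunk and is worth confirming. The hunk also does not show what `lp.configfile` holds when no file was loaded, so that case should be handled explicitly rather than passed straight to `s3_lp.load()`. The same three lines are repeated in smb_connection() in python/samba/netcmd/gpo.py (patch 05); a single helper that builds the s3 loadparm from an existing `lp` would keep the two call sites from drifting apart. The function body continues past the end of the hunk.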
From: Tim Beale Date: Tue, 8 Jan 2019 14:42:05 +1300 Subject: [PATCH 02/13] s3:pylibsmb: Add .set_acl API to SMB py bindings This is pretty similar code to py_smb_getacl(), except it's calling cli_set_security_descriptor() instead of cli_query_security_descriptor() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit b982811b60521624f1f600841ffa05e306eb936a) --- source3/libsmb/pylibsmb.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c index e0ce518..ee1d91b 100644 --- a/source3/libsmb/pylibsmb.c +++ b/source3/libsmb/pylibsmb.c 
@@ -1525,6 +1525,54 @@ static PyObject *py_smb_getacl(struct py_cli_state *self, PyObject *args) sd, sd); } +/* + * Set ACL on file/directory using given security descriptor object + */ +static PyObject *py_smb_setacl(struct py_cli_state *self, PyObject *args) +{ + NTSTATUS status; + char *filename = NULL; + PyObject *py_sd = NULL; + struct security_descriptor *sd = NULL; + unsigned int sinfo = SECINFO_DEFAULT_FLAGS; + uint16_t fnum; + + /* there's no async version of cli_set_security_descriptor() */ + if (self->thread_state != NULL) { + PyErr_SetString(PyExc_RuntimeError, + "set_acl() is not supported on " + "a multi_threaded connection"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "sO|I:set_acl", &filename, &py_sd, + &sinfo)) { + return NULL; + } + + sd = pytalloc_get_type(py_sd, struct security_descriptor); + if (!sd) { + PyErr_Format(PyExc_TypeError, + "Expected dcerpc.security.descriptor as argument, got %s", + talloc_get_name(pytalloc_get_ptr(py_sd))); + return NULL; + } + + status = cli_ntcreate(self->cli, filename, 0, + SEC_FLAG_MAXIMUM_ALLOWED, 0, + FILE_SHARE_READ|FILE_SHARE_WRITE, + FILE_OPEN, 0x0, 0x0, &fnum, NULL); + PyErr_NTSTATUS_IS_ERR_RAISE(status); + + status = cli_set_security_descriptor(self->cli, fnum, sinfo, sd); + PyErr_NTSTATUS_IS_ERR_RAISE(status); + + status = cli_close(self->cli, fnum); + PyErr_NTSTATUS_IS_ERR_RAISE(status); + + Py_RETURN_NONE; +} + static PyMethodDef py_cli_state_methods[] = { { "settimeout", (PyCFunction)py_cli_settimeout, METH_VARARGS, "settimeout(new_timeout_msecs) => return old_timeout_msecs" }, 
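Review bot: In py_smb_setacl, the handle opened by cli_ntcreate() is left open on the server when cli_set_security_descriptor() fails, because `PyErr_NTSTATUS_IS_ERR_RAISE(status)` returns before cli_close() is reached. Adding `if (NT_STATUS_IS_ERR(status)) { cli_close(self->cli, fnum); }` directly before that raise would release it on the error path. The open also asks for `SEC_FLAG_MAXIMUM_ALLOWED`; deriving the access mask from `sinfo` would request only the rights needed to write the selected parts of the descriptor. In the TypeError branch, it is worth checking that `talloc_get_name(pytalloc_get_ptr(py_sd))` is safe when `py_sd` is not a talloc-backed object at all, since the helpers' behaviour for that case is not visible here.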
@@ -1577,6 +1625,9 @@ static PyMethodDef py_cli_state_methods[] = { { "get_acl", (PyCFunction)py_smb_getacl, METH_VARARGS, "get_acl(path[, security_info=0]) -> security_descriptor object\n\n" "\t\tGet security descriptor for file." }, + { "set_acl", (PyCFunction)py_smb_setacl, METH_VARARGS, + "set_acl(path, security_descriptor[, security_info=0]) -> None\n\n" + "\t\tSet security descriptor for file." }, { NULL, NULL, 0, NULL } }; -- 2.7.4 From f72a1a23687e61dc2381322e385ffe3e57dc896d Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Tue, 8 Jan 2019 15:10:46 +1300 Subject: [PATCH 03/13] netcmd: Change SMB flags from s4 Py bindings to s3 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit 345746ea5f4cca2620421ac0c8a649a596f5c19d) --- python/samba/netcmd/gpo.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index a064f44..d443129 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -44,6 +44,7 @@ from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHE from samba.netcmd.common import netcmd_finddc from samba import policy from samba import smb +from samba.samba3 import libsmb_samba_internal as libsmb from samba import NTSTATUSError import uuid from samba.ntacls import dsacl2fsacl @@ -280,7 +281,7 @@ def backup_directory_remote_to_local(conn, remotedir, localdir): r_name = r_dir + '\\' + e['name'] l_name = os.path.join(l_dir, e['name']) - if e['attrib'] & smb.FILE_ATTRIBUTE_DIRECTORY: + if e['attrib'] & libsmb.FILE_ATTRIBUTE_DIRECTORY: r_dirs.append(r_name) l_dirs.append(l_name) os.mkdir(l_name) 
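Review bot: The docstring added for set_acl in source3/libsmb/pylibsmb.c advertises `security_info=0` as the default, but py_smb_setacl initialises `sinfo` to `SECINFO_DEFAULT_FLAGS`, so a caller who omits the argument gets whatever that macro selects (its definition is outside these hunks). Because this value decides which parts of the security descriptor are written, the text should name the real default, for example `"set_acl(path, security_descriptor[, security_info=SECINFO_DEFAULT_FLAGS]) -> None\n\n"`. The get_acl entry just above uses the same `security_info=0` wording and may need the same check.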
@@ -294,10 +295,10 @@ def backup_directory_remote_to_local(conn, remotedir, localdir): parser.write_xml(l_name + '.xml') -attr_flags = smb.FILE_ATTRIBUTE_SYSTEM | \ - smb.FILE_ATTRIBUTE_DIRECTORY | \ - smb.FILE_ATTRIBUTE_ARCHIVE | \ - smb.FILE_ATTRIBUTE_HIDDEN +attr_flags = libsmb.FILE_ATTRIBUTE_SYSTEM | \ + libsmb.FILE_ATTRIBUTE_DIRECTORY | \ + libsmb.FILE_ATTRIBUTE_ARCHIVE | \ + libsmb.FILE_ATTRIBUTE_HIDDEN def copy_directory_remote_to_local(conn, remotedir, localdir): @@ -315,7 +316,7 @@ def copy_directory_remote_to_local(conn, remotedir, localdir): r_name = r_dir + '\\' + e['name'] l_name = os.path.join(l_dir, e['name']) - if e['attrib'] & smb.FILE_ATTRIBUTE_DIRECTORY: + if e['attrib'] & libsmb.FILE_ATTRIBUTE_DIRECTORY: r_dirs.append(r_name) l_dirs.append(l_name) os.mkdir(l_name) -- 2.7.4 From 84196daef8b978984af60b0e500c8248530ce821 Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Fri, 11 Jan 2019 14:25:32 +1300 Subject: [PATCH 04/13] s3:pylibsmb: Add FILE_READ_ATTRIBUTES access to .loadfile() API Add FILE_READ_ATTRIBUTES when opening the file handle, as we need to read the file's size. The .loadfile() API can end up calling cli_qfileinfo_basic() to get the file size. This can end up doing a 'FILE_ALL_INFORMATION' SMBv2 request underneath, which the MS-SMB2 spec (section 3.3.5.20.1 Handling SMB2_0_INFO_FILE) says the file handle must have FILE_READ_ATTRIBUTES access granted. I noticed this problem when running .loadfile() against the NTVFS server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit 0304b08de5ba1b4a6e08568a559c52f7d9e943d3) --- source3/libsmb/pylibsmb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c index ee1d91b..b4903a9 100644 --- a/source3/libsmb/pylibsmb.c +++ b/source3/libsmb/pylibsmb.c 
@@ -928,7 +928,8 @@ static PyObject *py_smb_loadfile(struct py_cli_state *self, PyObject *args, /* get a read file handle */ req = cli_ntcreate_send(NULL, self->ev, self->cli, filename, 0, - FILE_READ_DATA, FILE_ATTRIBUTE_NORMAL, + FILE_READ_DATA | FILE_READ_ATTRIBUTES, + FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, 0, SMB2_IMPERSONATION_IMPERSONATION, 0); if (!py_tevent_req_wait_exc(self, req)) { -- 2.7.4 From b69bd2870850c5fb2ab9dff378a3b5aa6f070e12 Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Fri, 11 Jan 2019 14:53:16 +1300 Subject: [PATCH 05/13] netcmd: Change GPO commands to use s3 SMB Py bindings This means we can now use GPO commands on a DC that has SMBv1 disabled. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit 08f1627cb3fa1c9ff7a0f74e32874d305647dc42) --- python/samba/netcmd/gpo.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index d443129..1b5e927 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -43,7 +43,7 @@ import samba.auth from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES from samba.netcmd.common import netcmd_finddc from samba import policy -from samba import smb +from samba.samba3 import param as s3param from samba.samba3 import libsmb_samba_internal as libsmb from samba import NTSTATUSError import uuid 
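Review bot: The reason for the wider access mask in py_smb_loadfile (source3/libsmb/pylibsmb.c) is recorded only in the commit message, so a reader of the cli_ntcreate_send() call cannot tell why a plain read asks for more than `FILE_READ_DATA`. Extending the existing comment to something like `/* get a read file handle; FILE_READ_ATTRIBUTES is needed for the file-size query over SMB2 */` would keep the mask from being trimmed back later. The function starts and ends outside the hunk.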
@@ -365,7 +365,10 @@ def create_directory_hier(conn, remotedir): def smb_connection(dc_hostname, service, lp, creds, sign=False): # SMB connect to DC try: - conn = smb.SMB(dc_hostname, service, lp=lp, creds=creds, sign=sign) + # the SMB bindings rely on having a s3 loadparm + s3_lp = s3param.get_context() + s3_lp.load(lp.configfile) + conn = libsmb.Conn(dc_hostname, service, lp=s3_lp, creds=creds, sign=sign) except Exception: raise CommandError("Error connecting to '%s' using SMB" % dc_hostname) return conn -- 2.7.4 From c6208e79fc06d5e6a0f79c957791b0729f3c105c Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Fri, 11 Jan 2019 15:57:21 +1300 Subject: [PATCH 06/13] s4:pysmb: Add error log that the s4 bindings are deprecated We plan to delete the s4 SMB Python bindings in the next Samba release after v4.10, but first give external consumers a heads-up, just in case they are currently using the s4 bindings. Note the auth_log tests still use the s4 bindings, but all user-facing tools should now be updated to use the s3 bindings. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit 6a29e63f32c0024587020fc1f92b3d1ecaa0afbc) --- source4/libcli/pysmb.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/source4/libcli/pysmb.c b/source4/libcli/pysmb.c index 45ff9a0..5a02816 100644 --- a/source4/libcli/pysmb.c +++ b/source4/libcli/pysmb.c 
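Review bot: In smb_connection (python/samba/netcmd/gpo.py), the new `s3param.get_context()` and `s3_lp.load(lp.configfile)` calls sit inside the existing `try`, so a failure to read the configuration is reported as "Error connecting to '...' using SMB". The original exception is then discarded by `except Exception`, which hides the real cause from an administrator diagnosing a failed GPO command. Moving the two loadparm lines above the `try` would leave only the `libsmb.Conn(...)` call covered by the connection-error message.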
@@ -614,6 +614,18 @@ static PyObject *py_smb_new(PyTypeObject *type, PyObject *args, PyObject *kwargs uint8_t use_spnego = 0xFF; PyObject *sign = Py_False; + /* + * These Python bindings are now deprecated because the s4 SMB client + * code doesn't support SMBv2 (and is unlikely to ever support it). + * The s3 libsmb_samba_internal bindings are a better choice for use + * within the Samba codebase, and support much the same API. + * This warning is mostly for external consumers that might be using + * these Python bindings (in which case, note libsmb_samba_internal + * is not a stable API and may change in future). + */ + DBG_ERR("The smb.SMB() Python bindings are now deprecated " + "and will be removed in the next samba release\n"); + if (!PyArg_ParseTupleAndKeywords(args, kwargs, "zz|OObbO", discard_const_p(char *, kwnames), &hostname, &service, &py_creds, &py_lp, -- 2.7.4 From e88612625b94b94b8c428fc741ac27f3aa9d4b21 Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Fri, 11 Jan 2019 15:09:48 +1300 Subject: [PATCH 07/13] tests: Run samba_tool.gpo tests against backup testenvs Run the GPO tests against the backup/restore testenvs. Because the backup/restore preserves the NTACLs of the sysvol files, running the GPO tests against the backup testenvs is a good sanity- check. If fact it highlights that there is currently a problem with restoring the GPO files - this shows up in 'samba-tool gpo aclcheck', but we never noticed it until now. NTACL backup works slightly different for offline backups, and rename backups end up with more sysvol files, so run the tests against both these envs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit 2a7372da7b84921b247cefc23d7003b8056d74a4) --- selftest/knownfail.d/gpo | 3 +++ source4/selftest/tests.py | 8 +++++--- 2 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 selftest/knownfail.d/gpo 
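Review bot: The deprecation notice in py_smb_new (source4/libcli/pysmb.c) is emitted with `DBG_ERR` on every construction of an smb.SMB object, which adds an error-level log line per connection and gives Python callers no way to filter or escalate it. Raising it through the interpreter, e.g. `if (PyErr_WarnEx(PyExc_DeprecationWarning, "The smb.SMB() Python bindings are deprecated", 1) < 0) return NULL;`, would let consumers handle it with the standard warnings machinery. The message also says "the next samba release" while the commit description says the release after v4.10, so naming the version in the string would be clearer. py_smb_new begins before and continues after this hunk.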
diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo new file mode 100644 index 0000000..fabe2ba --- /dev/null +++ b/selftest/knownfail.d/gpo @@ -0,0 +1,3 @@ +# 'samba-tool gpo aclcheck' currently fails against restored testenvs (due to a bug) +samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_aclcheck\(renamedc:local\) +samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_aclcheck\(offlinebackupdc:local\) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index a1f3842..9d56e0b 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -656,11 +656,13 @@ for env in ["ad_dc_ntvfs", "fl2000dc", "fl2003dc", "fl2008r2dc"]: for env in ["ad_dc:local", "ad_dc_ntvfs:local", "fl2000dc:local", "fl2003dc:local", "fl2008r2dc:local"]: plantestsuite("samba.tests.samba_tool.edit", env, [os.path.join(srcdir(), "python/samba/tests/samba_tool/edit.sh"), '$SERVER', '$USERNAME', '$PASSWORD']) -# We run this test against both AD DC implemetnations because it is +# We run this test against both AD DC implementations because it is # the only test we have of GPO get/set behaviour, and this involves # the file server as well as the LDAP server. -planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.gpo", py3_compatible=True) -planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.gpo", py3_compatible=True) +# It's also a good sanity-check that sysvol backup worked correctly. +for env in ["ad_dc_ntvfs", "ad_dc", "offlinebackupdc", "renamedc"]: + planpythontestsuite(env + ":local", "samba.tests.samba_tool.gpo", + py3_compatible=True) planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.processes", py3_compatible=True) planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.samba_tool.user", py3_compatible=True) -- 2.7.4 From a184cbd086cf4aa385fab80b043f97555723802e Mon Sep 17 00:00:00 2001 
From: Tim Beale Date: Tue, 15 Jan 2019 14:09:15 +1300 Subject: [PATCH 08/13] ntacls: Pass correct use_ntvfs through to setntacl() We were already checking the smb.conf to see if it uses the NTVFS file server or the default smbd server. However, we weren't passing this through to the setntacl() call. This fixes the problem we noticed with 'samba-tool gpo aclcheck' failing after a restore. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit f3fe96fc2e2d942b4a2e241777b5ee12b2295b97) --- python/samba/ntacls.py | 3 ++- selftest/knownfail.d/gpo | 3 --- 2 files changed, 2 insertions(+), 4 deletions(-) delete mode 100644 selftest/knownfail.d/gpo diff --git a/python/samba/ntacls.py b/python/samba/ntacls.py index 9924573..5bf646c 100644 --- a/python/samba/ntacls.py +++ b/python/samba/ntacls.py @@ -454,7 +454,8 @@ class NtaclsHelper: def setntacl(self, path, ntacl_sd): # ntacl_sd can be obj or str - return setntacl(self.lp, path, ntacl_sd, self.dom_sid) + return setntacl(self.lp, path, ntacl_sd, self.dom_sid, + use_ntvfs=self.use_ntvfs) def _create_ntacl_file(dst, ntacl_sddl_str): diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo deleted file mode 100644 index fabe2ba..0000000 --- a/selftest/knownfail.d/gpo +++ /dev/null @@ -1,3 +0,0 @@ -# 'samba-tool gpo aclcheck' currently fails against restored testenvs (due to a bug) -samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_aclcheck\(renamedc:local\) -samba.tests.samba_tool.gpo.samba.tests.samba_tool.gpo.GpoCmdTestCase.test_aclcheck\(offlinebackupdc:local\) -- 2.7.4 From 74b6ea7f89ebc7c886c4e10844cb21a8ae039231 Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Tue, 15 Jan 2019 17:12:20 +1300 Subject: [PATCH 09/13] tests: Run GPO commands against testenv with SMBv1 disabled Just to prove that they work across SMBv2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 
Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit da33c2c4e4849f0985b08fbdc58cbd59b8426ec6) --- source4/selftest/tests.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 9d56e0b..7073755 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -660,7 +660,8 @@ for env in ["ad_dc:local", "ad_dc_ntvfs:local", "fl2000dc:local", "fl2003dc:loca # the only test we have of GPO get/set behaviour, and this involves # the file server as well as the LDAP server. # It's also a good sanity-check that sysvol backup worked correctly. -for env in ["ad_dc_ntvfs", "ad_dc", "offlinebackupdc", "renamedc"]: +for env in ["ad_dc_ntvfs", "ad_dc", "offlinebackupdc", "renamedc", + smbv1_disabled_testenv]: planpythontestsuite(env + ":local", "samba.tests.samba_tool.gpo", py3_compatible=True) -- 2.7.4 From 55f32918c944333d71116cdbcd3d1de78a180042 Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Thu, 13 Dec 2018 16:29:33 +1300 Subject: [PATCH 10/13] selftest: Give the backup testenvs a 'test1' share The ntacls_backup tests use the test1 share, and we want to run them against the restoredc (which has SMBv1 disabled). The xattr.tdb file is needed for the backend_obj.wrap_getxattr() call (in ntacls.py) to work. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit a310de2db13c02a602e74139cb47ea9a25628e01) --- selftest/target/Samba4.pm | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 5346cb1..f2635e5 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm 
@@ -3007,12 +3007,14 @@ sub prepare_dc_testenv # add support for sysvol/netlogon/tmp shares $ctx->{share} = "$ctx->{prefix_abs}/share"; push(@{$ctx->{directories}}, "$ctx->{share}"); + push(@{$ctx->{directories}}, "$ctx->{share}/test1"); $ctx->{smb_conf_extra_options} = " $conf_options max xmit = 32K server max protocol = SMB2 samba kcc command = /bin/true + xattr_tdb:file = $ctx->{statedir}/xattr.tdb [sysvol] path = $ctx->{statedir}/sysvol @@ -3029,6 +3031,12 @@ sub prepare_dc_testenv posix:oplocktimeout = 3 posix:writetimeupdatedelay = 50000 +[test1] + path = $ctx->{share}/test1 + read only = no + posix:sharedelay = 100000 + posix:oplocktimeout = 3 + posix:writetimeupdatedelay = 500000 "; my $env = $self->provision_raw_step1($ctx); -- 2.7.4 From 3ee0ae08e871fc12419fdbfe22cc53218b409acb Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Wed, 16 Jan 2019 10:02:07 +1300 Subject: [PATCH 11/13] tests: Run ntacls_backup tests against testenv with SMBv1 disabled Just to prove that the NTACL backup works over SMBv2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison (cherry picked from commit 7fb93eaca74ffe17bbe7255210dd3090afe8d5dc) --- source4/selftest/tests.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 7073755..b813208 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py 
@@ -695,15 +695,13 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$U for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) + planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup", + extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) planoldpythontestsuite( "ad_dc_ntvfs:local", "samba.tests.dcerpc.registry", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) -planoldpythontestsuite( - "ad_dc:local", "samba.tests.ntacls_backup", - extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) - planoldpythontestsuite("ad_dc_ntvfs", "samba.tests.dcerpc.dnsserver", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.dnsserver", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) planoldpythontestsuite("chgdcpass", "samba.tests.dcerpc.raw_protocol", py3_compatible=True, -- 2.7.4 From 23585c24c23d4d7760034100ab6f5b3eff9bc5e2 Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Thu, 17 Jan 2019 09:41:21 +1300 Subject: [PATCH 12/13] netcmd: Try to improve domain backup error message I ran this command as non-root by mistake and didn't find the error message particularly helpful. Tweak the error message so it reminds the user that they should be root. Also display the path we're looking for the sam.ldb file in, to give them more clues. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Noel Power Autobuild-User(master): Noel Power Autobuild-Date(master): Mon Jan 21 16:34:06 CET 2019 on sn-devel-144 (cherry picked from commit 10e54a095f005c0988a7e5e8a35cea6200197854) --- python/samba/netcmd/domain_backup.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py index 4cacf57..4e32b4b 100644 
--- a/python/samba/netcmd/domain_backup.py +++ b/python/samba/netcmd/domain_backup.py @@ -1009,8 +1009,9 @@ class cmd_domain_backup_offline(samba.netcmd.Command): paths = samba.provision.provision_paths_from_lp(lp, lp.get('realm')) if not (paths.samdb and os.path.exists(paths.samdb)): - raise CommandError('No sam.db found. This backup ' + - 'tool is only for AD DCs') + logger.error("No database found at {0}".format(paths.samdb)) + raise CommandError('Please check you are root, and ' + + 'are running this command on an AD DC') check_targetdir(logger, targetdir) -- 2.7.4 From b1a68605fbe87be8db01364393619b60719be479 Mon Sep 17 00:00:00 2001 From: Tim Beale Date: Tue, 22 Jan 2019 11:08:13 +1300 Subject: [PATCH 13/13] WHATSNEW: Update for Bug 13676 changes in Samba 4.10 Although it's unlikely that users will be using the 'smb' Python bindings, it's probably worth noting in the release notes that these bindings will be deprecated in future releases. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Jeremy Allison --- WHATSNEW.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 267cc54..493d9c2 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -153,7 +153,13 @@ log entries has been removed to make the parsing of the JSON log messages easier. JSON log entries now start with 2 spaces followed by an opening brace i.e. " {" +SMBv2 samba-tool support +------------------------ +On previous releases, some samba-tool commands would not work against a remote +DC that had SMBv1 disabled. SMBv2 support has now been added for samba-tool. +The affected commands are 'samba-tool domain backup|rename' and the +'samba-tool gpo' set of commands. Refer also bug #13676. REMOVED FEATURES 
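Review bot: In cmd_domain_backup_offline (python/samba/netcmd/domain_backup.py), the new `logger.error` line formats `paths.samdb` even when the guard failed because `paths.samdb` itself is empty, which would log "No database found at None" or an empty path. Something like `logger.error("No database found at {0}".format(paths.samdb or "(no sam.ldb path configured)"))` keeps the log line meaningful in that case. The "check you are root" hint is also a guess, since `os.path.exists()` returns False for a missing file as well as an unreadable one. The method continues outside the hunk.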
@@ -176,6 +182,14 @@ samba_backup The samba_backup script has been removed. This has now been replaced by the 'samba-tool domain backup offline' command. +SMB client Python bindings +-------------------------- + +The SMB client python bindings are now deprecated and will be removed in future +Samba releases. This will only affects users that may have used the Samba +Python bindings to write their own utilities, i.e. users with a custom Python +script that includes the line 'from samba import smb'. + smb.conf changes ================ -- 2.7.4