The Samba-Bugzilla – Attachment 8124 Details for
Bug 9340
We should not use the wheel group for 'administrators'
[patch]
patch from master - no longer use wheel group in provision
0001-provision-No-longer-use-the-wheel-group-in-new-AD-Do.patch (text/plain), 12.77 KB, created by
Andrew Bartlett
on 2012-10-30 07:34:41 UTC
Description:
patch from master - no longer use wheel group in provision
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2012-10-30 07:34:41 UTC
Size:
12.77 KB
patch
obsolete
>From f2887653649aaf666ae4a130f579d34502717851 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 16 Oct 2012 13:08:22 +1100
>Subject: [PATCH] provision: No longer use the wheel group in new AD Domains
>
>The issue here is that if we set S-1-5-32-544 (administrators) to a
>GID only, then users cannot force a mandetory profile to be owned by
>administrators (which is a requirement).
>
>There is no particularly useful reason for us to enforce this matching
>a system group.
>
>Andrew Bartlett
>---
> source4/scripting/bin/samba_upgradedns | 2 +-
> source4/scripting/python/samba/netcmd/domain.py | 5 +--
> .../scripting/python/samba/provision/__init__.py | 39 +++++++++++-----------
> source4/scripting/python/samba/tests/posixacl.py | 8 ++---
> source4/scripting/python/samba/upgrade.py | 2 +-
> source4/scripting/python/samba/upgradehelpers.py | 4 +--
> 6 files changed, 29 insertions(+), 31 deletions(-)
>
>diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
>index 8304134..ba597cf 100755
>--- a/source4/scripting/bin/samba_upgradedns
>+++ b/source4/scripting/bin/samba_upgradedns
>@@ -91,7 +91,7 @@ def fix_names(pnames):
> names.domaindn = pnames.domaindn[0]
> names.configdn = pnames.configdn[0]
> names.schemadn = pnames.schemadn[0]
>- names.wheel_gid = pnames.wheel_gid[0]
>+ names.root_gid = pnames.root_gid
> names.serverdn = str(pnames.serverdn)
> return names
>
>diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py
>index 6e3f35a..4ba305c 100644
>--- a/source4/scripting/python/samba/netcmd/domain.py
>+++ b/source4/scripting/python/samba/netcmd/domain.py
>@@ -186,8 +186,6 @@ class cmd_domain_provision(Command):
> help="choose 'root' unix username"),
> Option("--nobody", type="string", metavar="USERNAME",
> help="choose 'nobody' user"),
>- Option("--wheel", type="string", metavar="GROUPNAME",
>- help="choose 'wheel' privileged group"),
> Option("--users", type="string", metavar="GROUPNAME",
> help="choose 'users' group"),
> Option("--quiet", help="Be quiet", action="store_true"),
>@@ -237,7 +235,6 @@ class cmd_domain_provision(Command):
> ldapadminpass=None,
> root=None,
> nobody=None,
>- wheel=None,
> users=None,
> quiet=None,
> blank=None,
>@@ -393,7 +390,7 @@ class cmd_domain_provision(Command):
> krbtgtpass=krbtgtpass, machinepass=machinepass,
> dns_backend=dns_backend, dns_forwarder=dns_forwarder,
> dnspass=dnspass, root=root, nobody=nobody,
>- wheel=wheel, users=users,
>+ users=users,
> serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
> backend_type=ldap_backend_type,
> ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls,
>diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
>index 9966192..03d9bca 100644
>--- a/source4/scripting/python/samba/provision/__init__.py
>+++ b/source4/scripting/python/samba/provision/__init__.py
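Review bot: Deleting `--wheel` outright turns every existing provisioning script that still passes it into an option-parsing failure, even though the value is now irrelevant. Since the group is no longer consulted, a gentler path is to keep it for a release as a deprecated no-op, `Option("--wheel", type="string", metavar="GROUPNAME", help="Deprecated and ignored: the wheel group is no longer used")`, and emit a warning from run() when it is set. The option list and run() of cmd_domain_provision both start outside the hunks shown, so I cannot see whether the command already has a place for such deprecation notices.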
>@@ -241,12 +241,16 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
> names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
> else:
> names.policyid_dc = None
>- res9 = idmapdb.search(expression="(cn=%s)" %
>- (security.SID_BUILTIN_ADMINISTRATORS),
>- attrs=["xidNumber"])
>+
>+ res9 = idmapdb.search(expression="(cn=%s-%s)" %
>+ (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR),
>+ attrs=["xidNumber", "type"])
> if len(res9) != 1:
>- raise ProvisioningError("Unable to find uid/gid for Domain Admins rid")
>- names.wheel_gid = res9[0]["xidNumber"]
>+ raise ProvisioningError("Unable to find uid/gid for Domain Admins rid (%s-%s" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))
>+ if res9[0]["type"][0] == "ID_TYPE_BOTH":
>+ names.root_gid = res9[0]["xidNumber"][0]
>+ else:
>+ names.root_gid = pwd.getpwuid(int(res9[0]["xidNumber"][0])).pw_gid
> return names
>
>
>@@ -692,7 +696,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
>
>
> def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
>- users_gid, wheel_gid):
>+ users_gid, root_gid):
> """setup reasonable name mappings for sam names to unix names.
>
> :param samdb: SamDB object.
>@@ -702,10 +706,9 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
> :param root_uid: uid of the UNIX root user.
> :param nobody_uid: uid of the UNIX nobody user.
> :param users_gid: gid of the UNIX users group.
>- :param wheel_gid: gid of the UNIX wheel group.
>+ :param root_gid: gid of the UNIX root group.
> """
> idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
>- idmap.setup_name_mapping("S-1-5-32-544", idmap.TYPE_GID, wheel_gid)
>
> idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
> idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
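Review bot: The new ProvisioningError message has an unbalanced parenthesis and a misleading label: the lookup is now `<domainsid>-DOMAIN_RID_ADMINISTRATOR` (the Administrator account, RID 500), not the Domain Admins group, so it should read `raise ProvisioningError("Unable to find uid/gid for the Administrator account (%s-%s)" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))`. The two branches also disagree on type: `res9[0]["xidNumber"][0]` is the raw ldb value while `pwd.getpwuid(...).pw_gid` is an int, so wrap the first in `int(...)` so that whatever later chowns sysvol receives a gid of one type. The else branch inherits whatever primary group the passwd entry of the mapped uid happens to have, so if Administrator maps to a uid whose primary group is broad (e.g. users) that group ends up owning sysvol — a logged warning naming the chosen gid would make this visible, and `pwd.getpwuid` raising KeyError for an unknown uid should be converted into a ProvisioningError like the other failures here. find_provision_key_parameters starts outside this hunk.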
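Review bot: The explicit S-1-5-32-544 mapping is removed from setup_name_mappings but nothing in this patch adds a replacement, while the posixacl tests now expect BUILTIN\Administrators to resolve as ID_TYPE_BOTH; presumably that comes from the idmap allocator elsewhere, and a comment saying so would spare the next reader the hunt, e.g. `# S-1-5-32-544 is no longer pinned to a host group; it receives an ID_TYPE_BOTH mapping from the idmap allocator`. In the lines shown `root_gid` is no longer used by any mapping, so the `:param root_gid: gid of the UNIX root group.` text is now misleading — if the parameter is kept only for call-site compatibility, the docstring should say that. The docstring's `:param samdb: SamDB object.` also predates the `idmap` parameter name and could be fixed while here; the function's tail may run past the hunk, so I cannot see whether root_gid is used further down.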
>@@ -1649,7 +1652,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
> policyguid_dc)
> if not skip_sysvolacl:
> setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
>- paths.wheel_gid, domainsid, names.dnsdomain,
>+ paths.root_gid, domainsid, names.dnsdomain,
> names.domaindn, lp, use_ntvfs)
> else:
> logger.info("Setting acl on sysvol skipped")
>@@ -1781,7 +1784,7 @@ def provision(logger, session_info, credentials, smbconf=None,
> krbtgtpass=None, domainguid=None, policyguid=None, policyguid_dc=None,
> dns_backend=None, dns_forwarder=None, dnspass=None,
> invocationid=None, machinepass=None, ntdsguid=None,
>- root=None, nobody=None, users=None, wheel=None, backup=None, aci=None,
>+ root=None, nobody=None, users=None, backup=None, aci=None,
> serverrole=None, dom_for_fun_level=None, backend_type=None,
> sitename=None, ol_mmr_urls=None, ol_olc=None, slapd_path="/bin/false",
> useeadb=False, am_rodc=False, lp=None, use_ntvfs=False,
>@@ -1811,10 +1814,8 @@ def provision(logger, session_info, credentials, smbconf=None,
> root_uid = findnss_uid([root or "root"])
> nobody_uid = findnss_uid([nobody or "nobody"])
> users_gid = findnss_gid([users or "users", 'users', 'other', 'staff'])
>- if wheel is None:
>- wheel_gid = findnss_gid(["wheel", "adm"])
>- else:
>- wheel_gid = findnss_gid([wheel])
>+ root_gid = pwd.getpwuid(root_uid).pw_gid
>+
> try:
> bind_gid = findnss_gid(["bind", "named"])
> except KeyError:
>@@ -1877,7 +1878,7 @@ def provision(logger, session_info, credentials, smbconf=None,
>
> paths.bind_gid = bind_gid
> paths.root_uid = root_uid;
>- paths.wheel_gid = wheel_gid
>+ paths.root_gid = root_gid
>
> if hostip is None:
> logger.info("Looking up IPv4 addresses")
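Review bot: `root_gid = pwd.getpwuid(root_uid).pw_gid` depends on the `pwd` module being imported in provision/__init__.py, and no import hunk is part of this patch; if it is not already imported this is a NameError at provision time, so please confirm (the find_provision_key_parameters hunk above has the same dependency). The semantics also shift quietly: with `--root` pointing at an unprivileged account, as selftest does, the group that later owns sysvol becomes that account's primary group rather than a privileged group the operator chose, so a `logger.info("Using gid %d (primary group of uid %d) for sysvol ownership", root_gid, root_uid)` line right after the assignment would make the outcome auditable. provision() starts and ends outside these hunks.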
>@@ -1928,7 +1929,7 @@ def provision(logger, session_info, credentials, smbconf=None,
> file = tempfile.NamedTemporaryFile(dir=os.path.abspath(paths.sysvol))
> try:
> try:
>- smbd.set_simple_acl(file.name, 0755, wheel_gid)
>+ smbd.set_simple_acl(file.name, 0755, root_gid)
> except Exception:
> if not smbd.have_posix_acls():
> # This clue is only strictly correct for RPM and
>@@ -1938,7 +1939,7 @@ def provision(logger, session_info, credentials, smbconf=None,
>
> raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.")
> try:
>- smbd.chown(file.name, root_uid, wheel_gid)
>+ smbd.chown(file.name, root_uid, root_gid)
> except Exception:
> raise ProvisioningError("Unable to chown a file on your filesystem. You may not be running provision as root.")
> finally:
>@@ -2002,7 +2003,7 @@ def provision(logger, session_info, credentials, smbconf=None,
>
> setup_name_mappings(idmap, sid=str(domainsid),
> root_uid=root_uid, nobody_uid=nobody_uid,
>- users_gid=users_gid, wheel_gid=wheel_gid)
>+ users_gid=users_gid, root_gid=root_gid)
>
> logger.info("Setting up SAM db")
> samdb = setup_samdb(paths.samdb, session_info,
>@@ -2104,7 +2105,7 @@ def provision_become_dc(smbconf=None, targetdir=None,
> serverdn=None, domain=None, hostname=None, domainsid=None,
> adminpass=None, krbtgtpass=None, domainguid=None, policyguid=None,
> policyguid_dc=None, invocationid=None, machinepass=None, dnspass=None,
>- dns_backend=None, root=None, nobody=None, users=None, wheel=None,
>+ dns_backend=None, root=None, nobody=None, users=None,
> backup=None, serverrole=None, ldap_backend=None,
> ldap_backend_type=None, sitename=None, debuglevel=1, use_ntvfs=False):
>
>diff --git a/source4/scripting/python/samba/tests/posixacl.py b/source4/scripting/python/samba/tests/posixacl.py
>index 066cc97..78a07f7 100644
>--- a/source4/scripting/python/samba/tests/posixacl.py
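Review bot: Dropping `wheel=None` from the keyword lists of provision_become_dc (and of provision() above) is an API break for any external caller that still passes it — the call becomes a TypeError although the value was already unused by the new code. Keeping `wheel=None` in both signatures and ignoring it, with a `logger.warning("The 'wheel' argument is deprecated and ignored")` when it is not None, is cheaper than chasing every caller in one release. provision_become_dc's body continues past the hunk, so I cannot see whether it forwards any other wheel-derived value.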
>+++ b/source4/scripting/python/samba/tests/posixacl.py
>@@ -147,7 +147,7 @@ class PosixAclMappingTests(TestCase):
> (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
> self.assertEquals(LA_type, idmap.ID_TYPE_UID)
> (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
>- self.assertEquals(BA_type, idmap.ID_TYPE_GID)
>+ self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
> (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
> self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
> (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
>@@ -194,7 +194,7 @@ class PosixAclMappingTests(TestCase):
> # user::rwx
> # user:root:rwx (selftest user actually)
> # group::rwx
>-# group:wheel:rwx
>+# group:Local Admins:rwx
> # group:3000000:r-x
> # group:3000001:rwx
> # group:3000002:r-x
>@@ -274,7 +274,7 @@ class PosixAclMappingTests(TestCase):
> (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
> self.assertEquals(LA_type, idmap.ID_TYPE_UID)
> (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
>- self.assertEquals(BA_type, idmap.ID_TYPE_GID)
>+ self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
> (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
> self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
> (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
>@@ -327,7 +327,7 @@ class PosixAclMappingTests(TestCase):
> # user::rwx
> # user:root:rwx (selftest user actually)
> # group::rwx
>-# group:wheel:rwx
>+# group:Local Admins:rwx
> # group:3000000:r-x
> # group:3000001:rwx
> # group:3000002:r-x
>diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
>index 194983c..786bb65 100644
>--- a/source4/scripting/python/samba/upgrade.py
>+++ b/source4/scripting/python/samba/upgrade.py
>@@ -908,7 +908,7 @@ Please fix this account before attempting to upgrade again
>
> if result.server_role == "active directory domain controller":
> setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol,
>- result.paths.root_uid, result.paths.wheel_gid,
>+ result.paths.root_uid, result.paths.root_gid,
> security.dom_sid(result.domainsid), result.names.dnsdomain,
> result.names.domaindn, result.lp, use_ntvfs)
>
>diff --git a/source4/scripting/python/samba/upgradehelpers.py b/source4/scripting/python/samba/upgradehelpers.py
>index 55de4be..81fb8dc 100644
>--- a/source4/scripting/python/samba/upgradehelpers.py
>+++ b/source4/scripting/python/samba/upgradehelpers.py
>@@ -251,7 +251,7 @@ def newprovision(names, creds, session, smbconf, provdir, logger):
> hostname=names.netbiosname.lower(), hostip=None, hostip6=None,
> invocationid=names.invocation, adminpass=names.adminpass,
> krbtgtpass=None, machinepass=None, dnspass=None, root=None,
>- nobody=None, wheel=None, users=None,
>+ nobody=None, users=None,
> serverrole="domain controller",
> backend_type=None, ldapadminpass=None, ol_mmr_urls=None,
> slapd_path=None,
>@@ -615,7 +615,7 @@ def update_gpo(paths, samdb, names, lp, message, force=0):
>
> if resetacls:
> try:
>- setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.root_gid,
>+ setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.root_gid,
> names.domainsid, names.dnsdomain, names.domaindn, lp)
> except TypeError, e:
> acl_error(e)
>--
>1.7.11.7
>
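Review bot: The setsysvolacl call in update_gpo passes eight arguments with `names.root_gid` in the fourth slot, while the two other calls in this patch (provision_fill and upgrade.py) pass ten in the order `root_uid, root_gid, domainsid, dnsdomain, domaindn, lp, use_ntvfs`; if setsysvolacl has the signature those callers imply, the gid here lands in the uid position, the domain SID in the gid position, and use_ntvfs is missing, so the call can only end in the `except TypeError` below and a GPO ACL reset is reported as an error instead of happening. This predates the patch, but the line is being edited anyway, and since an ACL reset on sysvol is security-relevant it is worth aligning now: `setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.root_uid, names.root_gid, names.domainsid, names.dnsdomain, names.domaindn, lp, use_ntvfs)` — assuming names carries a root_uid and use_ntvfs is reachable in update_gpo, neither of which the hunk shows. update_gpo starts outside this hunk.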
Flags:
abartlet
:
review?
(
metze
)
obnox
:
review+