Attachment 8124 Details for Bug 9340 – patch from master - no longer use wheel group in provision

[patch] patch from master - no longer use wheel group in provision

0001-provision-No-longer-use-the-wheel-group-in-new-AD-Do.patch (text/plain), 12.77 KB, created by Andrew Bartlett on 2012-10-30 07:34:41 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2012-10-30 07:34:41 UTC

Size: 12.77 KB

patch

obsolete

>From f2887653649aaf666ae4a130f579d34502717851 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 16 Oct 2012 13:08:22 +1100
>Subject: [PATCH] provision: No longer use the wheel group in new AD Domains
>
>The issue here is that if we set S-1-5-32-544 (administrators) to a
>GID only, then users cannot force a mandetory profile to be owned by
>administrators (which is a requirement).
>
>There is no particularly useful reason for us to enforce this matching
>a system group.
>
>Andrew Bartlett
>---
> source4/scripting/bin/samba_upgradedns             |  2 +-
> source4/scripting/python/samba/netcmd/domain.py    |  5 +--
> .../scripting/python/samba/provision/__init__.py   | 39 +++++++++++-----------
> source4/scripting/python/samba/tests/posixacl.py   |  8 ++---
> source4/scripting/python/samba/upgrade.py          |  2 +-
> source4/scripting/python/samba/upgradehelpers.py   |  4 +--
> 6 files changed, 29 insertions(+), 31 deletions(-)
>
>diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
>index 8304134..ba597cf 100755
>--- a/source4/scripting/bin/samba_upgradedns
>+++ b/source4/scripting/bin/samba_upgradedns
>@@ -91,7 +91,7 @@ def fix_names(pnames):
>     names.domaindn = pnames.domaindn[0]
>     names.configdn = pnames.configdn[0]
>     names.schemadn = pnames.schemadn[0]
>-    names.wheel_gid = pnames.wheel_gid[0]
>+    names.root_gid = pnames.root_gid
>     names.serverdn = str(pnames.serverdn)
>     return names
> 
>diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py
>index 6e3f35a..4ba305c 100644
>--- a/source4/scripting/python/samba/netcmd/domain.py
>+++ b/source4/scripting/python/samba/netcmd/domain.py
>@@ -186,8 +186,6 @@ class cmd_domain_provision(Command):
>                 help="choose 'root' unix username"),
>          Option("--nobody", type="string", metavar="USERNAME",
>                 help="choose 'nobody' user"),
>-         Option("--wheel", type="string", metavar="GROUPNAME",
>-                help="choose 'wheel' privileged group"),
>          Option("--users", type="string", metavar="GROUPNAME",
>                 help="choose 'users' group"),
>          Option("--quiet", help="Be quiet", action="store_true"),
>@@ -237,7 +235,6 @@ class cmd_domain_provision(Command):
>             ldapadminpass=None,
>             root=None,
>             nobody=None,
>-            wheel=None,
>             users=None,
>             quiet=None,
>             blank=None,
>@@ -393,7 +390,7 @@ class cmd_domain_provision(Command):
>                   krbtgtpass=krbtgtpass, machinepass=machinepass,
>                   dns_backend=dns_backend, dns_forwarder=dns_forwarder,
>                   dnspass=dnspass, root=root, nobody=nobody,
>-                  wheel=wheel, users=users,
>+                  users=users,
>                   serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
>                   backend_type=ldap_backend_type,
>                   ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls,
>diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
>index 9966192..03d9bca 100644
>--- a/source4/scripting/python/samba/provision/__init__.py
>+++ b/source4/scripting/python/samba/provision/__init__.py
>@@ -241,12 +241,16 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
>         names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
>     else:
>         names.policyid_dc = None
>-    res9 = idmapdb.search(expression="(cn=%s)" %
>-                            (security.SID_BUILTIN_ADMINISTRATORS),
>-                            attrs=["xidNumber"])
>+
>+    res9 = idmapdb.search(expression="(cn=%s-%s)" %
>+                          (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR),
>+                          attrs=["xidNumber", "type"])
>     if len(res9) != 1:
>-        raise ProvisioningError("Unable to find uid/gid for Domain Admins rid")
>-    names.wheel_gid = res9[0]["xidNumber"]
>+        raise ProvisioningError("Unable to find uid/gid for Domain Admins rid (%s-%s" % (str(names.domainsid), security.DOMAIN_RID_ADMINISTRATOR))
>+    if res9[0]["type"][0] == "ID_TYPE_BOTH":
>+        names.root_gid = res9[0]["xidNumber"][0]
>+    else:
>+        names.root_gid = pwd.getpwuid(int(res9[0]["xidNumber"][0])).pw_gid
>     return names
> 
> 
>@@ -692,7 +696,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
> 
> 
> def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
>-                        users_gid, wheel_gid):
>+                        users_gid, root_gid):
>     """setup reasonable name mappings for sam names to unix names.
> 
>     :param samdb: SamDB object.
>@@ -702,10 +706,9 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
>     :param root_uid: uid of the UNIX root user.
>     :param nobody_uid: uid of the UNIX nobody user.
>     :param users_gid: gid of the UNIX users group.
>-    :param wheel_gid: gid of the UNIX wheel group.
>+    :param root_gid: gid of the UNIX root group.
>     """
>     idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
>-    idmap.setup_name_mapping("S-1-5-32-544", idmap.TYPE_GID, wheel_gid)
> 
>     idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
>     idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
>@@ -1649,7 +1652,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
>                            policyguid_dc)
>         if not skip_sysvolacl:
>             setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
>-                         paths.wheel_gid, domainsid, names.dnsdomain,
>+                         paths.root_gid, domainsid, names.dnsdomain,
>                          names.domaindn, lp, use_ntvfs)
>         else:
>             logger.info("Setting acl on sysvol skipped")
>@@ -1781,7 +1784,7 @@ def provision(logger, session_info, credentials, smbconf=None,
>         krbtgtpass=None, domainguid=None, policyguid=None, policyguid_dc=None,
>         dns_backend=None, dns_forwarder=None, dnspass=None,
>         invocationid=None, machinepass=None, ntdsguid=None,
>-        root=None, nobody=None, users=None, wheel=None, backup=None, aci=None,
>+        root=None, nobody=None, users=None, backup=None, aci=None,
>         serverrole=None, dom_for_fun_level=None, backend_type=None,
>         sitename=None, ol_mmr_urls=None, ol_olc=None, slapd_path="/bin/false",
>         useeadb=False, am_rodc=False, lp=None, use_ntvfs=False,
>@@ -1811,10 +1814,8 @@ def provision(logger, session_info, credentials, smbconf=None,
>     root_uid = findnss_uid([root or "root"])
>     nobody_uid = findnss_uid([nobody or "nobody"])
>     users_gid = findnss_gid([users or "users", 'users', 'other', 'staff'])
>-    if wheel is None:
>-        wheel_gid = findnss_gid(["wheel", "adm"])
>-    else:
>-        wheel_gid = findnss_gid([wheel])
>+    root_gid = pwd.getpwuid(root_uid).pw_gid
>+
>     try:
>         bind_gid = findnss_gid(["bind", "named"])
>     except KeyError:
>@@ -1877,7 +1878,7 @@ def provision(logger, session_info, credentials, smbconf=None,
> 
>     paths.bind_gid = bind_gid
>     paths.root_uid = root_uid;
>-    paths.wheel_gid = wheel_gid
>+    paths.root_gid = root_gid
> 
>     if hostip is None:
>         logger.info("Looking up IPv4 addresses")
>@@ -1928,7 +1929,7 @@ def provision(logger, session_info, credentials, smbconf=None,
>         file = tempfile.NamedTemporaryFile(dir=os.path.abspath(paths.sysvol))
>         try:
>             try:
>-                smbd.set_simple_acl(file.name, 0755, wheel_gid)
>+                smbd.set_simple_acl(file.name, 0755, root_gid)
>             except Exception:
>                 if not smbd.have_posix_acls():
>                     # This clue is only strictly correct for RPM and
>@@ -1938,7 +1939,7 @@ def provision(logger, session_info, credentials, smbconf=None,
> 
>                 raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")
>             try:
>-                smbd.chown(file.name, root_uid, wheel_gid)
>+                smbd.chown(file.name, root_uid, root_gid)
>             except Exception:
>                 raise ProvisioningError("Unable to chown a file on your filesystem.  You may not be running provision as root.")
>         finally:
>@@ -2002,7 +2003,7 @@ def provision(logger, session_info, credentials, smbconf=None,
> 
>         setup_name_mappings(idmap, sid=str(domainsid),
>                             root_uid=root_uid, nobody_uid=nobody_uid,
>-                            users_gid=users_gid, wheel_gid=wheel_gid)
>+                            users_gid=users_gid, root_gid=root_gid)
> 
>         logger.info("Setting up SAM db")
>         samdb = setup_samdb(paths.samdb, session_info,
>@@ -2104,7 +2105,7 @@ def provision_become_dc(smbconf=None, targetdir=None,
>         serverdn=None, domain=None, hostname=None, domainsid=None,
>         adminpass=None, krbtgtpass=None, domainguid=None, policyguid=None,
>         policyguid_dc=None, invocationid=None, machinepass=None, dnspass=None,
>-        dns_backend=None, root=None, nobody=None, users=None, wheel=None,
>+        dns_backend=None, root=None, nobody=None, users=None,
>         backup=None, serverrole=None, ldap_backend=None,
>         ldap_backend_type=None, sitename=None, debuglevel=1, use_ntvfs=False):
> 
>diff --git a/source4/scripting/python/samba/tests/posixacl.py b/source4/scripting/python/samba/tests/posixacl.py
>index 066cc97..78a07f7 100644
>--- a/source4/scripting/python/samba/tests/posixacl.py
>+++ b/source4/scripting/python/samba/tests/posixacl.py
>@@ -147,7 +147,7 @@ class PosixAclMappingTests(TestCase):
>         (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
>         self.assertEquals(LA_type, idmap.ID_TYPE_UID)
>         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
>-        self.assertEquals(BA_type, idmap.ID_TYPE_GID)
>+        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
>         (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
>         self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
>         (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
>@@ -194,7 +194,7 @@ class PosixAclMappingTests(TestCase):
> # user::rwx
> # user:root:rwx (selftest user actually)
> # group::rwx
>-# group:wheel:rwx
>+# group:Local Admins:rwx
> # group:3000000:r-x
> # group:3000001:rwx
> # group:3000002:r-x
>@@ -274,7 +274,7 @@ class PosixAclMappingTests(TestCase):
>         (LA_uid,LA_type) = s4_passdb.sid_to_id(LA_sid)
>         self.assertEquals(LA_type, idmap.ID_TYPE_UID)
>         (BA_gid,BA_type) = s4_passdb.sid_to_id(BA_sid)
>-        self.assertEquals(BA_type, idmap.ID_TYPE_GID)
>+        self.assertEquals(BA_type, idmap.ID_TYPE_BOTH)
>         (SO_gid,SO_type) = s4_passdb.sid_to_id(SO_sid)
>         self.assertEquals(SO_type, idmap.ID_TYPE_BOTH)
>         (SY_gid,SY_type) = s4_passdb.sid_to_id(SY_sid)
>@@ -327,7 +327,7 @@ class PosixAclMappingTests(TestCase):
> # user::rwx
> # user:root:rwx (selftest user actually)
> # group::rwx
>-# group:wheel:rwx
>+# group:Local Admins:rwx
> # group:3000000:r-x
> # group:3000001:rwx
> # group:3000002:r-x
>diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
>index 194983c..786bb65 100644
>--- a/source4/scripting/python/samba/upgrade.py
>+++ b/source4/scripting/python/samba/upgrade.py
>@@ -908,7 +908,7 @@ Please fix this account before attempting to upgrade again
> 
>     if result.server_role == "active directory domain controller":
>         setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol,
>-                result.paths.root_uid, result.paths.wheel_gid,
>+                result.paths.root_uid, result.paths.root_gid,
>                 security.dom_sid(result.domainsid), result.names.dnsdomain,
>                 result.names.domaindn, result.lp, use_ntvfs)
> 
>diff --git a/source4/scripting/python/samba/upgradehelpers.py b/source4/scripting/python/samba/upgradehelpers.py
>index 55de4be..81fb8dc 100644
>--- a/source4/scripting/python/samba/upgradehelpers.py
>+++ b/source4/scripting/python/samba/upgradehelpers.py
>@@ -251,7 +251,7 @@ def newprovision(names, creds, session, smbconf, provdir, logger):
>             hostname=names.netbiosname.lower(), hostip=None, hostip6=None,
>             invocationid=names.invocation, adminpass=names.adminpass,
>             krbtgtpass=None, machinepass=None, dnspass=None, root=None,
>-            nobody=None, wheel=None, users=None,
>+            nobody=None, users=None,
>             serverrole="domain controller",
>             backend_type=None, ldapadminpass=None, ol_mmr_urls=None,
>             slapd_path=None,
>@@ -615,7 +615,7 @@ def update_gpo(paths, samdb, names, lp, message, force=0):
> 
>     if resetacls:
>        try:
>-            setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.wheel_gid,
>+            setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.root_gid,
>                         names.domainsid, names.dnsdomain, names.domaindn, lp)
>        except TypeError, e:
>            acl_error(e)
>-- 
>1.7.11.7
>

Flags:

abartlet: review? (metze)
obnox: review+

Actions: View

Attachments on bug 9340: 8124