From e76314aa056c961fa0bf71539d1c0feb1f7e851b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 12 Jun 2015 11:54:21 +1200
Subject: [PATCH 1/3] winbindd: Use pdb_get_domain_info() to get exactly the local domain info when we are an AD DC

This also triggers pdb_samba_dsdb_init_secrets(), to force the correct SID into secrets.tdb.

Signed-off-by: Andrew Bartlett
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
---
 source3/winbindd/winbindd_util.c | 11 +++++++++--
 source4/selftest/tests.py | 2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 0b7e234..424dccee 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -623,10 +623,17 @@ bool init_domain_list(void)
 enum netr_SchannelType sec_chan_type;
 const char *account_name;
 struct samr_Password current_nt_hash;
+ struct pdb_domain_info *pdb_domain_info;
 bool ok;
 
- domain = add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
- &cache_methods, get_global_sam_sid());
+ pdb_domain_info = pdb_get_domain_info(talloc_tos());
+ if (pdb_domain_info == NULL) {
+ DEBUG(0, ("Failed to fetch our own, local AD domain info from sam.ldb\n"));
+ return false;
+ }
+ domain = add_trusted_domain(pdb_domain_info->name, pdb_domain_info->dns_domain,
+ &cache_methods, &pdb_domain_info->sid);
+ TALLOC_FREE(pdb_domain_info);
 if (domain == NULL) {
 DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
 return false;
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 7c4f888..b223e6e 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
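Review bot: `TALLOC_FREE(pdb_domain_info)` runs right after `add_trusted_domain()` has been handed `pdb_domain_info->name`, `pdb_domain_info->dns_domain` and `&pdb_domain_info->sid`, which is only safe if add_trusted_domain() duplicates those into the new domain entry rather than keeping the pointers; that function is outside the hunk, so this is worth confirming before leaving the free this early. If it does copy them, a one-line comment would spare the next reader the same check: `/* add_trusted_domain() copies name, dns_domain and sid, so the info is not needed past here */`. The new NULL check with its DEBUG(0) and `return false` matches the existing handling of a NULL `domain` below it. init_domain_list() begins before this hunk and continues past it.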
@@ -380,7 +380,7 @@ for env in ["s3dc", "fl2003dc"]:
 for t in winbind_wbclient_tests:
 plansmbtorture4testsuite(t, "%s:local" % env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
 
-for env in ["s3dc", "member", "plugin_s4_dc", "dc", "s3member", "s4member"]:
+for env in ["s3dc", "member", "plugin_s4_dc", "dc", "s3member", "s4member", "chgdcpass"]:
 tests = ["--ping", "--separator", "--own-domain", "--all-domains",
-- 
2.1.4

From 67a2264017bc9eaf638d5da17d306f53acd8e46e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 12 Jun 2015 11:57:07 +1200
Subject: [PATCH 2/3] winbindd: Sync secrets.ldb into secrets.tdb on startup

This ensures that the domain SID and machine account password are written into secrets.tdb if the secrets.tdb file was either never written or was deleted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
Signed-off-by: Andrew Bartlett
---
 source3/winbindd/winbindd_util.c | 41 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 424dccee..82381d6 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -27,6 +27,7 @@
 #include "../libcli/auth/pam_errors.h"
 #include "passdb/machine_sid.h"
 #include "passdb.h"
+#include "auth/credentials/credentials.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
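Review bot: Adding `"chgdcpass"` to the wbinfo_simple environment list in patch 1/3 makes that commit depend on patch 3/3, where the Samba4.pm change first lets winbindd run in the chgdcpass environment and where the matching knownfail entries for `--allocate-uid`/`--allocate-gid` are added; with only 1/3 applied these tests run against an environment that has no winbindd. Moving this one-line tests.py change into patch 3/3 next to the Samba4.pm and knownfail changes keeps every commit of the series passing on its own. The hunk's trailing context looks cut off after the `tests = [...` line in this copy of the patch, so the remainder of that statement was not reviewed.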
@@ -647,13 +648,47 @@ bool init_domain_list(void)
 &account_name,
 &sec_chan_type);
 if (!ok) {
- DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
- return false;
+ /* If get_trust_pw_hash() fails, then try and fetch the password from the more recent of secrets.{ldb,tdb} using the pdb_get_trust_credentials() */
+ struct cli_credentials *creds;
+ NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name, NULL, domain, &creds);
+ if (!NT_STATUS_IS_OK(can_migrate)) {
+ DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use, both from secrets.tdb and secrets.ldb: %s\n", nt_errstr(can_migrate)));
+ return false;
+ }
+
+ /* NOTE: It is very unlikely we end up
+ * here if there is an oldpass,
+ * because a new password is created
+ * at classicupgrade, so this is not a
+ * concern. */
+ ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
+ NULL /* oldpass */,
+ cli_credentials_get_domain(creds),
+ cli_credentials_get_realm(creds),
+ cli_credentials_get_salt_principal(creds),
+ 0, /* Supported enc types, unused */
+ &domain->sid,
+ cli_credentials_get_password_last_changed_time(creds),
+ cli_credentials_get_secure_channel_type(creds),
+ false /* do_delete: Do not delete */);
+ TALLOC_FREE(creds);
+ if (ok == false) {
+ DEBUG(0, ("Failed to write our our own, local AD domain join password for winbindd's internal use into secrets.tdb\n"));
+ return false;
+ }
+ ok = get_trust_pw_hash(domain->name,
+ current_nt_hash.hash,
+ &account_name,
+ &sec_chan_type);
+ if (ok == false) {
+ DEBUG(0, ("Failed to re-fetch our own, local AD domain join password for winbindd's internal use from secrets.tdb: %s\n", nt_errstr(can_migrate)));
+ return false;
+ }
 }
 if (sec_chan_type == SEC_CHAN_RODC) {
 domain->rodc = true;
 }
-
+
 } else {
 (void)add_trusted_domain(get_global_sam_name(), NULL,
 &cache_methods, get_global_sam_sid());
-- 
2.1.4
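Review bot: The last new error path prints `nt_errstr(can_migrate)` after the second `get_trust_pw_hash()` call, but `can_migrate` has already passed the `NT_STATUS_IS_OK` check above, so that log line will always report NT_STATUS_OK and never explain why the re-fetch from secrets.tdb failed; drop the format argument: `DEBUG(0, ("Failed to re-fetch our own, local AD domain join password for winbindd's internal use from secrets.tdb\n"));`. The write-failure message just before it has a doubled word, `"Failed to write our our own, ..."`, which should read `"Failed to write our own, ..."`. The two new checks are spelled `if (ok == false)` while the enclosing check on the same variable is `if (!ok)`; using `if (!ok) {` for both keeps the block consistent. `creds` carries the machine password in the clear between `pdb_get_trust_credentials()` and `TALLOC_FREE(creds)`; whether that free scrubs the password buffer depends on cli_credentials' destructor, which is not visible here and is worth confirming. init_domain_list() starts before this hunk and its `else` branch continues past the end of it.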
From 7911513dbb357c11a6a7ebea2d6bb5b7eacf893f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 11 Jun 2015 17:19:38 +1200
Subject: [PATCH 3/3] selftest: Change chgdcpass environment to use winbindd

This allows us to test that winbindd starts up without secrets.tdb, as happens after a classicupgrade.

Signed-off-by: Andrew Bartlett
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
---
 selftest/knownfail | 2 ++
 selftest/target/Samba4.pm | 7 ++-----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index febbd2e..7a89fde 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -261,6 +261,8 @@
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-gid
 ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-uid
 ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-gid
+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
 #
 # These do not work against winbindd in member mode for unknown reasons
 #
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 342de58..f7e2447 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1639,7 +1639,6 @@ sub provision_chgdcpass($$)
 print "PROVISIONING CHGDCPASS...";
 my $extra_provision_options = undef;
 push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
- my $extra_conf_options = "server services = +winbind -winbindd";
 my $ret = $self->provision($prefix,
 "domain controller",
 "chgdcpass",
@@ -1647,8 +1646,7 @@ sub provision_chgdcpass($$)
 "chgdcpassword.samba.example.com",
 "2008",
 "chgDCpass1",
- undef, $extra_conf_options, "",
- $extra_provision_options);
+ undef, "", "", $extra_provision_options);
 return undef unless(defined $ret);
 
 unless($self->add_wins_config("$prefix/private")) {
@@ -1658,8 +1656,7 @@ sub provision_chgdcpass($$)
 
 # Remove secrets.tdb from this environment to test that we
 # still start up on systems without the new matching
- # secrets.tdb records. For this reason we don't run winbindd
- # in this environment
+ # secrets.tdb records.
 unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
 warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
 return undef;
-- 
2.1.4