From 2f4b21bb57c4f96c5f5b57a69d022c142d8088d5 Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Wed, 20 Feb 2013 14:59:42 +1030
Subject: [PATCH] ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'

Since we open with dbwrap, it auto-converts old tdbs (which it will rename to secrets.tdb.bak once it's done).

Signed-off-by: Rusty Russell
Reviewed-by: Andrew Bartlett

Autobuild-User(master): Rusty Russell
Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
---
 auth/credentials/credentials_secrets.c | 4 +++-
 docs-xml/manpages/net.8.xml | 2 +-
 docs-xml/manpages/smbpasswd.8.xml | 4 ++--
 docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml | 2 +-
 docs-xml/smbdotconf/domain/machinepasswordtimeout.xml | 2 +-
 docs-xml/smbdotconf/ldap/ldapadmindn.xml | 2 +-
 docs-xml/smbdotconf/security/kerberosmethod.xml | 4 ++--
 docs-xml/smbdotconf/security/privatedir.xml | 2 +-
 examples/misc/adssearch.pl | 18 ++++++++++++++----
 lib/tdb/man/tdbbackup.8.xml | 5 +++++
 selftest/target/Samba3.pm | 3 +++
 selftest/target/Samba4.pm | 2 +-
 source3/include/secrets.h | 2 +-
 source3/passdb/py_passdb.c | 2 +-
 source3/passdb/secrets.c | 8 ++++----
 source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c | 13 ++++++++++---
 source4/scripting/python/samba/tests/provision.py | 9 ++++++---
 .../scripting/python/samba/tests/upgradeprovision.py | 2 +-
 .../python/samba/tests/upgradeprovisionneeddc.py | 2 +-
 19 files changed, 59 insertions(+), 29 deletions(-)

diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index a44fe1c8b87..730f047672e 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -245,7 +245,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 if (!tmp_ctx) {
 return NT_STATUS_NO_MEMORY;
 }
- secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb");
+ secrets_tdb = lpcfg_private_path(cred, lp_ctx,
+ lpcfg_use_ntdb(lp_ctx) ?
+ "secrets.ntdb" : "secrets.tdb");
 if (!secrets_tdb) {
 TALLOC_FREE(tmp_ctx);
 return NT_STATUS_NO_MEMORY;
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 3765af9be97..01044e10456 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1001,7 +1001,7 @@ local server. You need to run this against the PDC, from a Samba machine joined RPC GETSID
-Fetch domain SID and store it in the local secrets.tdb.
+Fetch domain SID and store it in the local secrets.tdb (or secrets.ntdb).
diff --git a/docs-xml/manpages/smbpasswd.8.xml b/docs-xml/manpages/smbpasswd.8.xml
index 376044ccafa..88e7e864609 100644
--- a/docs-xml/manpages/smbpasswd.8.xml
+++ b/docs-xml/manpages/smbpasswd.8.xml
@@ -326,7 +326,7 @@ has been compiled with LDAP support. The -w switch is used to specify the password to be used with the . Note that the password is stored in
- the secrets.tdb and is keyed off
+ the secrets.tdb (or secrets.ntdb) and is keyed off
 of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.
@@ -343,7 +343,7 @@ has been compiled with LDAP support. The -W switch is used to specify the password to be used with the . Note that the password is stored in
- the secrets.tdb and is keyed off
+ the secrets.tdb (or secrets.ntdb) and is keyed off
 of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.
diff --git a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
index 0d682c2b5be..842856bf838 100644
--- a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
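Review bot: The backend is chosen here by the `lpcfg_use_ntdb(lp_ctx)` configuration flag, while the secrets_tdb_sync.c hunk later in this patch chooses it by whether a secrets.ntdb file already exists in private_dir, so on a host whose smb.conf and on-disk state disagree the credentials loaded by cli_credentials_set_machine_account and the database secrets_tdb_sync writes to can be two different files. Either both sites should consult the flag (as secrets.c and py_passdb.c do in this patch) or both should probe the file, and the rule chosen deserves a one-line comment at this call, e.g. `/* backend follows 'use ntdb'; dbwrap converts an old secrets.tdb on open */`. The variable is also still named `secrets_tdb` although it may now hold the ntdb path; `secrets_path` would not mislead. cli_credentials_set_machine_account continues outside the hunk.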
+++ b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
@@ -129,7 +129,7 @@
- The data from the module may be send encrypted, with a key stored in secrets.tdb. The
+ The data from the module may be send encrypted, with a key stored in secrets.tdb (or secrets.ntdb). The
 Receiver then has to use the same key. The module does AES block encryption over the data to send.
diff --git a/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml b/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml
index a8e312ba363..4f55e81f004 100644
--- a/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml
+++ b/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml
@@ -9,7 +9,7 @@ If a Samba server is a member of a Windows NT Domain (see the domain parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb
- . This parameter specifies how often this password will be changed, in seconds. The default is one
+ (or private/secrets.ntdb). This parameter specifies how often this password will be changed, in seconds. The default is one
 week (expressed in seconds), the same as a Windows NT Domain member server.
diff --git a/docs-xml/smbdotconf/ldap/ldapadmindn.xml b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
index 442d242679d..b5fe0fbca07 100644
--- a/docs-xml/smbdotconf/ldap/ldapadmindn.xml
+++ b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
@@ -8,7 +8,7 @@ The defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retreiving user account information. The is used
- in conjunction with the admin dn password stored in the private/secrets.tdb
+ in conjunction with the admin dn password stored in the private/secrets.tdb (or private/secrets.ntdb)
 file. See the smbpasswd 8 man page for more information on how to accomplish this.
diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml
index 3a11e06be96..cc8a69bc708 100644
--- a/docs-xml/smbdotconf/security/kerberosmethod.xml
+++ b/docs-xml/smbdotconf/security/kerberosmethod.xml
@@ -8,7 +8,7 @@ Valid options are:
- secrets only - use only the secrets.tdb for
+ secrets only - use only the secrets.(n)tdb for
 ticket verification (default) system keytab - use only the system keytab
@@ -17,7 +17,7 @@ dedicated keytab - use a dedicated keytab for ticket verification
- secrets and keytab - use the secrets.tdb
+ secrets and keytab - use the secrets.(n)tdb
 first, then the system keytab
diff --git a/docs-xml/smbdotconf/security/privatedir.xml b/docs-xml/smbdotconf/security/privatedir.xml
index 46d4a8297cd..2f4b5766de2 100644
--- a/docs-xml/smbdotconf/security/privatedir.xml
+++ b/docs-xml/smbdotconf/security/privatedir.xml
@@ -7,7 +7,7 @@ This parameters defines the directory smbd will use for storing such files as smbpasswd
- and secrets.tdb.
+ and secrets.tdb (or secrets.ntdb).
diff --git a/examples/misc/adssearch.pl b/examples/misc/adssearch.pl
index 13a85bede98..02c4464abba 100755
--- a/examples/misc/adssearch.pl
+++ b/examples/misc/adssearch.pl
@@ -42,11 +42,13 @@ my $rebind_url;
 my $tdbdump = "/usr/bin/tdbdump";
+my $ntdbdump = "/usr/bin/ntdbdump";
 my $testparm = "/usr/bin/testparm";
 my $net = "/usr/bin/net";
 my $dig = "/usr/bin/dig";
 my $nmblookup = "/usr/bin/nmblookup";
 my $secrets_tdb = "/etc/samba/secrets.tdb";
+my $secrets_ntdb = "/etc/samba/secrets.ntdb";
 my $klist = "/usr/bin/klist";
 my $kinit = "/usr/bin/kinit";
 my $workgroup = "";
@@ -723,13 +725,21 @@ sub get_machine_password {
 my $workgroup = shift || "";
 $workgroup = uc($workgroup);
- my ($found, $tmp);
- -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
- -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+ my ($found, $tmp, $dbdump, $db);
+ if (-r $secrets_ntdb) {
+ -x $ntdbdump || die "ntdbdump is not installed. cannot proceed autodetection\n";
+ $dbdump = $ntdbdump;
+ $db = $secrets_ntdb;
+ } else {
+ -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
+ -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+ $dbdump = $tdbdump;
+ $db = $secrets_tdb;
+ }
 # get machine-password
 my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
- open(SECRETS,"$tdbdump $secrets_tdb |");
+ open(SECRETS,"$dbdump $db |");
 while(my $line = ) {
 chomp($line);
 if ($found) {
diff --git a/lib/tdb/man/tdbbackup.8.xml b/lib/tdb/man/tdbbackup.8.xml
index 02936cf0d6b..c15cc14e2d1 100644
--- a/lib/tdb/man/tdbbackup.8.xml
+++ b/lib/tdb/man/tdbbackup.8.xml
@@ -92,6 +92,11 @@ tdbbackup -v [-s suffix] *.tdb
+ Note that Samba 4 can use .ntdb files instead, so you should
+ use ntdbbackup on those files.
+
+
+
 Samba .tdb files are stored in various locations, be sure to run backup all .tdb file on the system. Important files includes:
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 8546bd28951..c71419d4ba6 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
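Review bot: `if (-r $secrets_ntdb)` in get_machine_password falls through to the tdb branch when secrets.ntdb exists but is not readable by the invoking user, and that branch then dies with "cannot read /etc/samba/secrets.tdb", pointing at the wrong file; per the commit message a converted host has only secrets.ntdb plus a secrets.tdb.bak, so this is exactly the state where the message misleads. Test for existence and report the file actually at fault: `if (-e $secrets_ntdb) {` followed by `-r $secrets_ntdb || die "cannot read $secrets_ntdb. cannot proceed autodetection\n";`. The rewritten `open(SECRETS,"$dbdump $db |")` still hands the command line to a shell; the list form `open(SECRETS, "-|", $dbdump, $db)` passes the path as one argument with no shell interpretation, and its return value is worth checking while the line is being touched. get_machine_password continues past the hunk.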
@@ -418,6 +418,9 @@ $ret->{USERNAME} = KTEST\\Administrator
 system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
 chmod 0600, "$prefix/private/secrets.tdb";
+#Make sure there's no old ntdb file.
+ system("rm -f $prefix/private/secrets.ntdb");
+
 #This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
 # "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
 #
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 8ad62326cda..e9e003704ea 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1512,7 +1512,7 @@ sub provision_chgdcpass($$)
 # Remove secrets.tdb from this environment to test that we still start up
 # on systems without the new matching secrets.tdb records
- unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb")) {
+ unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
 warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
 return undef;
 }
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 57a1be0c3eb..1eeb24c1c9b 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -82,7 +82,7 @@ struct afs_keyfile {
 /* The following definitions come from passdb/secrets.c */
-bool secrets_init_path(const char *private_dir);
+bool secrets_init_path(const char *private_dir, bool use_ntdb);
 bool secrets_init(void);
 struct db_context *secrets_db_ctx(void);
 void secrets_shutdown(void);
diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c
index 69840617147..3fd14cdc411 100644
--- a/source3/passdb/py_passdb.c
+++ b/source3/passdb/py_passdb.c
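Review bot: `system("rm -f $prefix/private/secrets.ntdb")` spawns a shell to remove one file; the builtin `unlink("$prefix/private/secrets.ntdb");` does the same without a subprocess or path interpolation into a command line, and matches the `chmod` builtin used two lines above. The new comment `#Make sure there's no old ntdb file.` would be more useful if it said why a leftover matters, e.g. `# A stale secrets.ntdb would be opened in preference to the freshly copied ktest-secrets.tdb` — that precedence is what I infer from the secrets_tdb_sync.c hunk in this patch, not from this file, so confirm it before writing it down.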
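Review bot: `unlink(...secrets.tdb) || unlink(...secrets.ntdb)` short-circuits, so when both files are present only secrets.tdb is removed and the secrets.ntdb that provision_chgdcpass is meant to start without stays behind; the `warn` on the following line also still names only secrets.tdb. unlink accepts a list and returns how many it removed, so `unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb", "$ret->{PRIVATEDIR}/secrets.ntdb")) {` deletes whichever exist with the same truthiness as before, and the message can read `secrets.tdb/secrets.ntdb`. provision_chgdcpass continues outside the hunk.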
@@ -3638,7 +3638,7 @@ static PyObject *py_set_secrets_dir(PyObject *self, PyObject *args)
 }
 /* Initialize secrets database */
- if (!secrets_init_path(private_dir)) {
+ if (!secrets_init_path(private_dir, lp_use_ntdb())) {
 PyErr_Format(py_pdb_error, "Cannot open secrets file database in '%s'", private_dir);
 talloc_free(frame);
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 8f314a76cf5..f97510db211 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -55,7 +55,7 @@ static void get_rand_seed(void *userdata, int *new_seed)
 }
 /* open up the secrets database with specified private_dir path */
-bool secrets_init_path(const char *private_dir)
+bool secrets_init_path(const char *private_dir, bool use_ntdb)
 {
 char *fname = NULL;
 unsigned char dummy;
@@ -70,8 +70,8 @@ bool secrets_init_path(const char *private_dir)
 }
 frame = talloc_stackframe();
- fname = talloc_asprintf(frame, "%s/secrets.tdb",
- private_dir);
+ fname = talloc_asprintf(frame, "%s/secrets.%s",
+ private_dir, use_ntdb ? "ntdb" : "tdb");
 if (fname == NULL) {
 TALLOC_FREE(frame);
 return False;
@@ -105,7 +105,7 @@ bool secrets_init_path(const char *private_dir)
 /* open up the secrets database */
 bool secrets_init(void)
 {
- return secrets_init_path(lp_private_dir());
+ return secrets_init_path(lp_private_dir(), lp_use_ntdb());
 }
 struct db_context *secrets_db_ctx(void)
diff --git a/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c b/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c
index e90fc77068f..e3d8485c611 100644
--- a/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c
+++ b/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c
@@ -474,7 +474,8 @@ static int secrets_tdb_sync_init(struct ldb_module *module)
 struct ldb_context *ldb;
 struct secrets_tdb_sync_private *data;
 char *private_dir, *p;
- const char *secrets_ldb;
+ const char *secrets_ldb, *secrets_ntdb;
+ bool use_ntdb;
 ldb = ldb_module_get_ctx(module);
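Review bot: The header comment above the changed signature in the secrets.c hunk, `/* open up the secrets database with specified private_dir path */`, says nothing about the new parameter; suggest `/* open the secrets database under private_dir; use_ntdb selects secrets.ntdb instead of secrets.tdb */`. The prototype added to secrets.h earlier in this patch carries no comment at all, so the same sentence there would let callers such as py_set_secrets_dir see the contract without reading secrets.c. secrets_init_path's body continues outside the hunk.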
@@ -498,11 +499,17 @@ static int secrets_tdb_sync_init(struct ldb_module *module)
 p = strrchr(private_dir, '/');
 if (p) {
 *p = '\0';
- secrets_init_path(private_dir);
 } else {
- secrets_init_path(".");
+ private_dir = talloc_strdup(data, ".");
 }
+ /* If there's an ntdb file, force code to load that. */
+ secrets_ntdb = talloc_asprintf(private_dir, "%s/secrets.ntdb",
+ private_dir);
+ use_ntdb = file_exist(secrets_ntdb);
+
+ secrets_init_path(private_dir, use_ntdb);
+
 TALLOC_FREE(private_dir);
 data->secrets_tdb = secrets_db_ctx();
diff --git a/source4/scripting/python/samba/tests/provision.py b/source4/scripting/python/samba/tests/provision.py
index 992179124b2..929e7074f75 100644
--- a/source4/scripting/python/samba/tests/provision.py
+++ b/source4/scripting/python/samba/tests/provision.py
@@ -55,8 +55,9 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
 def test_setup_secretsdb(self):
 path = os.path.join(self.tempdir, "secrets.ldb")
- secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
 paths = ProvisionPaths()
+ secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
+ secrets_ntdb_path = os.path.join(self.tempdir, "secrets.ntdb")
 paths.secrets = path
 paths.private_dir = os.path.dirname(path)
 paths.keytab = "no.keytab"
@@ -68,8 +69,10 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
 finally:
 del ldb
 os.unlink(path)
- os.unlink(secrets_tdb_path)
-
+ if os.path.exists(secrets_tdb_path):
+ os.unlink(secrets_tdb_path)
+ if os.path.exists(secrets_ntdb_path):
+ os.unlink(secrets_ntdb_path)
 class FindNssTests(TestCase):
 """Test findnss() function."""
diff --git a/source4/scripting/python/samba/tests/upgradeprovision.py b/source4/scripting/python/samba/tests/upgradeprovision.py
index c1c70c4a888..93a6731c830 100644
--- a/source4/scripting/python/samba/tests/upgradeprovision.py
+++ b/source4/scripting/python/samba/tests/upgradeprovision.py
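Review bot: Neither `private_dir = talloc_strdup(data, ".")` nor `secrets_ntdb = talloc_asprintf(private_dir, "%s/secrets.ntdb", private_dir)` is checked for NULL, so an allocation failure reaches `file_exist(secrets_ntdb)` and `secrets_init_path(private_dir, use_ntdb)` with a NULL string; a check such as `if (secrets_ntdb == NULL) { return ldb_oom(ldb); }` after each allocation would match the usual ldb module convention, if that is what the rest of this function does (its error handling is outside the hunk). In the else branch the pointer previously held in `private_dir` is overwritten by the new strdup, so the buffer it referred to is no longer released by the `TALLOC_FREE(private_dir)` below; whether that is a leak depends on how private_dir was allocated earlier in secrets_tdb_sync_init, which I cannot see. The bool returned by `secrets_init_path` is still discarded, as it was before the change, so a failed open is only noticed when `secrets_db_ctx()` is used. secrets_tdb_sync_init continues outside the hunk.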
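Review bot: test_setup_secretsdb now removes secrets.tdb and secrets.ntdb when present but not secrets.tdb.bak, which the commit message says dbwrap leaves behind after converting a tdb; the upgradeprovision.py and upgradeprovisionneeddc.py tearDowns in this same patch do list it, so if setup_secretsdb triggers a conversion here the temp directory is left non-empty. A loop, `for name in ("secrets.tdb", "secrets.tdb.bak", "secrets.ntdb"):` with the exists/unlink pair inside, covers all three and replaces the duplicated pair. By the hunk's line counts the removed blank line leaves a single blank line between the end of the method and `class FindNssTests`, where PEP 8 asks for two. test_setup_secretsdb begins outside this hunk.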
@@ -126,7 +126,7 @@ class UpdateSecretsTests(samba.tests.TestCaseInTempDir):
 self.assertEquals(newmodules.msgs, refmodules.msgs)
 def tearDown(self):
- for name in ["ref.ldb", "secrets.ldb", "secrets.tdb"]:
+ for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb"]:
 path = os.path.join(self.tempdir, name)
 if os.path.exists(path):
 os.unlink(path)
diff --git a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
index 1de123c71d1..a7cb298ed7f 100644
--- a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
+++ b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
@@ -172,7 +172,7 @@ class UpgradeProvisionWithLdbTestCase(TestCaseInTempDir):
 self.assertTrue(re.match(".*upgrade to.*", str(oem2)))
 def tearDown(self):
- for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "sam.ldb"]:
+ for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb", "sam.ldb"]:
 path = os.path.join(self.tempdir, name)
 if os.path.exists(path):
 os.unlink(path)
--
2.11.4.GIT