Endi Sukma Dewata | 1 Sep 2009 01:00

Re: Fedora DS Support

Andrew,

----- "Andrew Bartlett" <abartlet <at> samba.org> wrote:

> >    In #3 I will add the SASL authentication. I might send another
> >    patch here.
> 
> Good.  One particular task will be to figure out how to add a SASL user
> into Fedora DS. (We add them to OpenLDAP using its LDIF backend and
> manually constructed LDIF).

I've been looking at the code and thinking to do this:

1. Create cn=samba partition in FDS.
2. As FDS directory manager, add user cn=samba-admin,cn=samba to the
   directory and set the password in clear text.
3. Set up SASL mapping for samba-admin to the above user.
4. Change the auth for Samba-to-FDS from anonymous to SASL as
   samba-admin as in Samba-to-OpenLDAP.

Is this the correct approach? I've figured out how to do #1 and #3.

I was trying to do #2 by adding another partition in samdb, but
it seems that an LDB can only have one rootDomainNamingContext,
so I can't add cn=samba because the root context is dc=samba,dc=example,
dc=com. Another alternative is to do this by invoking ldapi directly,
but I'm not sure how to do that from Python. Do you have an example?

About #4, where in the code does it set the anonymous connection for
FDS and SASL for OpenLDAP?
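Step 3 of the plan above, as an added example that is not Samba or Fedora DS code: the LDIF for a mapping entry under cn=mapping,cn=sasl,cn=config, plus a simplified re-creation of how the server resolves a SASL identity through such a mapping, so a mapping can be checked before it is loaded. The nsSaslMapping attribute names are the server's; the regexes, templates and the use of cn=samba as the search base are assumptions made for this thread.

```python
"""Added example, not Samba or Fedora DS code: build the LDIF for the SASL
mapping in step 3 and re-create (simplified) how the server turns a SASL
identity into a search through that mapping.  Attribute names are the
server's; the regexes and templates below are constructed for this thread."""
import re


def sasl_mapping_ldif(name, regex, base_tmpl, filter_tmpl):
    """LDIF adding one mapping entry under cn=mapping,cn=sasl,cn=config."""
    return "\n".join([
        f"dn: cn={name},cn=mapping,cn=sasl,cn=config",
        "objectClass: top",
        "objectClass: nsSaslMapping",
        f"cn: {name}",
        f"nsSaslMapRegexString: {regex}",
        f"nsSaslMapBaseDNTemplate: {base_tmpl}",
        f"nsSaslMapFilterTemplate: {filter_tmpl}",
        "",
    ])


def resolve_sasl_identity(authid, mappings):
    """Return (base_dn, filter) from the first mapping whose regex matches
    authid, expanding \\1..\\N in both templates as the server does; None
    when no mapping matches.  Mapping priority is not modelled."""
    for regex, base_tmpl, filter_tmpl in mappings:
        m = re.match(regex, authid)
        if m:
            return m.expand(base_tmpl), m.expand(filter_tmpl)
    return None


# Constructed mappings for the cn=samba partition in the thread.  The
# loose regex accepts any character, so an identity of "*" becomes the
# filter (cn=*); the strict one only admits the characters an account
# name needs and leaves everything else unmapped.
LOOSE_MAPPINGS = [(r"^([^@/]+)$", "cn=samba", r"(cn=\1)")]
STRICT_MAPPINGS = [(r"^([A-Za-z0-9_-]+)$", "cn=samba", r"(cn=\1)")]

if __name__ == "__main__":
    print(sasl_mapping_ldif("samba-admin", *STRICT_MAPPINGS[0]))
    print(resolve_sasl_identity("samba-admin", STRICT_MAPPINGS))
    print(resolve_sasl_identity("*", LOOSE_MAPPINGS),
          resolve_sasl_identity("*", STRICT_MAPPINGS))
```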

Andrew Bartlett | 1 Sep 2009 01:20

Re: Fedora DS Support

On Mon, 2009-08-31 at 19:00 -0400, Endi Sukma Dewata wrote:
> Andrew,
> 
> ----- "Andrew Bartlett" <abartlet <at> samba.org> wrote:
> 
> > >    In #3 I will add the SASL authentication. I might send another
> > >    patch here.
> > 
> > Good.  One particular task will be to figure out how to add a SASL user
> > into Fedora DS. (We add them to OpenLDAP using its LDIF backend and
> > manually constructed LDIF).
> 
> I've been looking at the code and thinking to do this:
> 
> 1. Create cn=samba partition in FDS.
> 2. As FDS directory manager, add user cn=samba-admin,cn=samba to the
>    directory and set the password in clear text.
> 3. Set up SASL mapping for samba-admin to the above user.
> 4. Change the auth for Samba-to-FDS from anonymous to SASL as
>    samba-admin as in Samba-to-OpenLDAP.
> 
> Is this the correct approach? I've figured out how to do #1 and #3.

Yes, I think this is exactly the right approach.  The only other thing
you might consider is if you can create the cn=samba-admin,cn=samba user
via an 'initial LDIF' fragment into FDS. 

> I was trying to do #2 by adding another partition in samdb, but
> it seems that an LDB can only have one rootDomainNamingContext,
> so I can't add cn=samba because the root context is dc=samba,dc=example,

Endi Sukma Dewata | 1 Sep 2009 07:02

Re: Fedora DS Support

Andrew,

----- "Andrew Bartlett" <abartlet <at> samba.org> wrote:

> > I've been looking at the code and thinking to do this:
> > 
> > 1. Create cn=samba partition in FDS.
> > 2. As FDS directory manager, add user cn=samba-admin,cn=samba to the
> >    directory and set the password in clear text.
> > 3. Set up SASL mapping for samba-admin to the above user.
> > 4. Change the auth for Samba-to-FDS from anonymous to SASL as
> >    samba-admin as in Samba-to-OpenLDAP.
> > 
> > Is this the correct approach? I've figured out how to do #1 and #3.
> 
> Yes, I think this is exactly the right approach.  The only other thing
> you might consider is if you can create the cn=samba-admin,cn=samba user
> via an 'initial LDIF' fragment into FDS. 

> > I was trying to do #2 by adding another partition in samdb, but
> > it seems that an LDB can only have one rootDomainNamingContext,
> > so I can't add cn=samba because the root context is dc=samba,dc=example,
> > dc=com. Another alternative is to do this by invoking ldapi
> directly,
> 
> Yes, you should do this against ldapi directly. 

Ok, I got it working now. I've verified in the FDS access log that Samba is
authenticated using SASL. Thanks for the instructions. Attached is the
result.

Andrew Bartlett | 1 Sep 2009 08:10

Re: Fedora DS Support

On Tue, 2009-09-01 at 01:02 -0400, Endi Sukma Dewata wrote:
> Andrew,
> 
> ----- "Andrew Bartlett" <abartlet <at> samba.org> wrote:
> 
> > > I've been looking at the code and thinking to do this:
> > > 
> > > 1. Create cn=samba partition in FDS.
> > > 2. As FDS directory manager, add user cn=samba-admin,cn=samba to the
> > >    directory and set the password in clear text.
> > > 3. Set up SASL mapping for samba-admin to the above user.
> > > 4. Change the auth for Samba-to-FDS from anonymous to SASL as
> > >    samba-admin as in Samba-to-OpenLDAP.
> > > 
> > > Is this the correct approach? I've figured out how to do #1 and #3.
> > 
> > Yes, I think this is exactly the right approach.  The only other thing
> > you might consider is if you can create the cn=samba-admin,cn=samba user
> > via an 'initial LDIF' fragment into FDS. 
> 
> > > I was trying to do #2 by adding another partition in samdb, but
> > > it seems that an LDB can only have one rootDomainNamingContext,
> > > so I can't add cn=samba because the root context is dc=samba,dc=example,
> > > dc=com. Another alternative is to do this by invoking ldapi
> > directly,
> > 
> > Yes, you should do this against ldapi directly. 
> 
> Ok, I got it working now. I've verified in the FDS access log that Samba is
> authenticated using SASL. Thanks for the instructions. Attached is the

Andrew Bartlett | 1 Sep 2009 13:59

Re: [LDB] Store index DNs as canonical case

On Tue, 2009-09-01 at 08:22 +1000, Andrew Bartlett wrote:
> On Mon, 2009-08-31 at 13:10 -0400, simo wrote:
> > On Mon, 2009-08-31 at 23:27 +1000, Andrew Bartlett wrote:
> > > The attached patch reworks our index code to always store the canonical
> > > casefolded form of the DN in an index.  It does not work yet, and needs
> > > to add a 'index version' to the ldb to trigger a reindex.  The
> > > casefolded index entries should be backward compatible, because the
> > > previous code accepted any case variation, so we are simply being more
> > > strict in what we now write.  
> > > 
> > > This was inspired by a bug where we would not delete index entries
> > > because the DN was not in a canonical form, and the existing
> > > strcasecmp() didn't match.  
> > > 
> > > (strcasecmp isn't the right option any more anyway)
> > > 
> > > This stems from the fact that LDB DNs were just case-insensitive strings
> > > originally, but have become far more complex since then. 
> > > 
> > > Any comments would be most welcome while I chase down the remaining
> > > issues. 
> > 
> > Comment:
> > this means that the index string format depends on the case sensitivity
> > of an attribute, this is a change in behavior, although I see you
> > recognize the need to re-index the db on upgrade.
> 
> Given that the on-disk TDB_KEY DN=<casefold_dn> already varies like
> this, we simply get closer to what I think should have been done in the
> first place, and stored the TDB key in the index!

simo | 1 Sep 2009 14:31

Re: [LDB] Store index DNs as canonical case

On Tue, 2009-09-01 at 21:59 +1000, Andrew Bartlett wrote:
> --- a/source4/lib/ldb/ldb_tdb/ldb_tdb.h
> +++ b/source4/lib/ldb/ldb_tdb/ldb_tdb.h
>  <at>  <at>  -29,6 +29,8  <at>  <at>  struct ltdb_private {
>         bool check_base;
>         struct ltdb_idxptr *idxptr;
>         bool prepared_commit;
> +
> +       int casefold_index;
>  };

Why casefold_index ?
I'd rather call it index version, and have an index_v00_to_v01 upgrade
function. If later on we need to change something else we will be able
to bump index_version to 02 and chain an index_v01_to_v02 upgrade
function.

Simo.


-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo <at> samba.org>
Principal Software Engineer at Red Hat, Inc. <simo <at> redhat.com>
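Simo's index-version chain and Andrew's casefolded index entries, put together as an added example that is not ldb code: a toy in-memory index whose v00-to-v01 step folds every stored DN to canonical case, so that a later delete matches exactly instead of relying on strcasecmp(). The dict layout, the casefold rule and CASE_SENSITIVE_ATTRS are constructed for this illustration.

```python
"""Added example (not ldb code): an index-version chain in the shape Simo
proposes, applied to a toy index whose v01 format stores DNs casefolded as
Andrew's patch does.  Dict layout and casefold rule are constructed."""

# ldb takes case sensitivity from the schema; here it is a fixed set.
CASE_SENSITIVE_ATTRS = {"objectguid"}

def canonical_dn(dn):
    """Fold a DN the way a canonical index key is stored: attribute types
    lower-cased, values lower-cased unless the type is case sensitive,
    spaces around separators dropped.  Escaped commas are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if attr not in CASE_SENSITIVE_ATTRS:
            value = value.lower()
        parts.append(f"{attr}={value}")
    return ",".join(parts)

def index_v00_to_v01(index):
    """v00 kept DNs in caller-supplied case, so one object could appear
    twice and a delete could miss; v01 folds and de-duplicates."""
    entries = {}
    for key, dns in index["entries"].items():
        folded = []
        for dn in dns:
            c = canonical_dn(dn)
            if c not in folded:
                folded.append(c)
        entries[key] = folded
    return {"version": 1, "entries": entries}

# One step per version; a future v01->v02 step just adds a key here.
UPGRADES = {0: index_v00_to_v01}

def upgrade_index(index):
    """Run every pending step in order until the version is current."""
    while index["version"] in UPGRADES:
        index = UPGRADES[index["version"]](index)
    return index

def delete_from_index(index, key, dn):
    """Exact match after casefolding (no strcasecmp); True if removed."""
    dns = index["entries"].get(key, [])
    c = canonical_dn(dn)
    if c in dns:
        dns.remove(c)
        return True
    return False
```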

Crístian Viana | 1 Sep 2009 15:36

cloning a virtual Win2K3 PDC

hi,
I have a Windows 2003 as a PDC running inside a virtual machine, and I need
another PDC to join the same AD. As I'm using a virtual machine, I don't
need to do another Windows installation; I can copy the image files to
"create" a distinct virtual machine.

my question is what should I do after copying the image files, from the
original Windows to the "cloned" Windows, to be able to put them on the same
AD? I can only remember changing its name and IP address, but I don't
know if there's something else I should be careful about in this context.

thanks!


-- 
Crístian Deives dos Santos Viana [aka CD1]
Sent from Campinas, SP, Brazil

Michael Ströder | 1 Sep 2009 18:29

Exceptions in source4/scripting/python/samba/provision.py

Hi!

I tried to generate a proper patch for raising exceptions in
source4/scripting/python/samba/provision.py. I couldn't figure out where to
catch and handle them though.

Ciao, Michael.

diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index bb95f38..4cbb4ab 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
 <at>  <at>  -54,6 +54,10  <at>  <at>  from signal import SIGTERM
 __docformat__ = "restructuredText"

 
+class ProvisioningError(ValueError):
+  pass
+
+
 def find_setup_dir():
     """Find the setup directory used by provision."""
     dirname = os.path.dirname(__file__)
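Review bot: the new class body `+  pass` is indented with two spaces while the surrounding file uses four (see the `find_setup_dir` body in the context lines); match the file's indentation, and give `ProvisioningError` a one-line docstring stating what it signals, since it is the only exception type this module defines.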
 <at>  <at>  -1367,17 +1371,17  <at>  <at>  class ProvisionBackend(object):
             except:
                 pass

-            raise("Warning: Another slapd Instance seems already running on this host, listening to " +
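Review bot: the removed line `raise("Warning: Another slapd Instance seems already running on this host, listening to " +` raised a plain string, which Python 2.6 deprecates and later versions reject, so switching to `ProvisioningError` is the right fix; note that the `except:` / `pass` in the context two lines above swallows every error from whatever the preceding try block attempted, so the slapd-already-running message can also fire when that check failed for an unrelated reason. Consider narrowing that except clause in the same change.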

Michael Ströder | 1 Sep 2009 18:38

Re: Exceptions in source4/scripting/python/samba/provision.py

Michael Ströder wrote:
> 
> I tried to generate a proper patch for raising exceptions in
> source4/scripting/python/samba/provision.py. I couldn't figure out where to
> catch and handle them though.

Sorry, I had forgotten two places. New patch attached.
Not sure whether that new class ProvisioningError fits in your style.

Ciao, Michael.
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index bb95f38..0a09321 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
 <at>  <at>  -54,6 +54,10  <at>  <at>  from signal import SIGTERM
 __docformat__ = "restructuredText"

 
+class ProvisioningError(ValueError):
+  pass
+
+
 def find_setup_dir():
     """Find the setup directory used by provision."""
     dirname = os.path.dirname(__file__)
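Review bot: `ProvisioningError` derives from `ValueError`, so any caller that already wraps provisioning in `except ValueError:` will absorb these new failures without noticing; given the cover note says the handling sites have not been identified yet, deriving from `Exception` (or documenting why `ValueError` is the intended base) keeps provisioning failures distinct until they are.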
 <at>  <at>  -206,7 +210,7  <at>  <at>  def check_install(lp, session_info, credentials):
     ldb = Ldb(lp.get("sam database"), session_info=session_info, 
             credentials=credentials, lp=lp)

Matthieu Patou | 1 Sep 2009 20:09

Re: attribute modification: problem coming soon

On 08/18/2009 12:42 PM, Andrew Bartlett wrote:
> On Tue, 2009-08-18 at 12:38 +0400, Matthieu Patou wrote:
>    
>> Hi Andrew and Nadezhda,
>>
>> A couple of weeks ago I tweaked my S4 in tests to get rid of the
>> verification in kludge_acl.
>>
>> I found that Windows 2008 is willing to modify some of its attributes,
>> and for at least one of them, servicePrincipalName, it keeps modifying it,
>> willing to put again and again the same values, i.e.
>>
>> servicePrincipalName: TERMSRV/smbtstvz01.smb4.tst
>> servicePrincipalName: TERMSRV/SMBTSTVZ01
>>
>> Currently Samba4 does not appreciate this and returns an error; maybe the
>> behavior should be modified to manage this behavior?
>>      
> What does Windows do?  What controls are present on the request
> (permissive modify in particular).
>    
Well, today I've been able to trace this problem a bit more. In order
to trigger the bug you have to make a w2k8 server (maybe earlier versions
too would trigger it) join an s4 domain (so that TERMSRV entries are
created as SPNs), then make it leave the domain (I tend to make servers
leave a domain even when the domain being left has no active DC, so that if
there is any unregistration step like removing those SPNs, it isn't
done ...), then make it rejoin the domain.

It appears that Windows modifies these values through DRSUAPI calls

