ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use n…

…tdb' Since we open with dbwrap, it auto-converts old tdbs (which it will rename to secrets.tdb.bak once it's done). Signed-off-by: Rusty Russell <[email protected]> Reviewed-by: Andrew Bartlett <[email protected]> Autobuild-User(master): Rusty Russell <[email protected]> Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
heftig · Feb 20, 2013 · 2f4b21b · 2f4b21b
1 parent 3c9c302
commit 2f4b21b
Show file tree

Hide file tree

Showing 19 changed files with 59 additions and 29 deletions.
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
@@ -245,7 +245,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 	if (!tmp_ctx) {
 		return NT_STATUS_NO_MEMORY;
 	}
-	secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb");
+	secrets_tdb = lpcfg_private_path(cred, lp_ctx,
+					 lpcfg_use_ntdb(lp_ctx) ?
+					 "secrets.ntdb" : "secrets.tdb");
 	if (!secrets_tdb) {
 		TALLOC_FREE(tmp_ctx);
 		return NT_STATUS_NO_MEMORY;

diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
@@ -1001,7 +1001,7 @@ local server.  You need to run this against the PDC, from a Samba machine joined
 <refsect2>
 <title>RPC GETSID</title>
 
-<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename>. </para>
+<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>). </para>
 
 </refsect2>
 

diff --git a/docs-xml/manpages/smbpasswd.8.xml b/docs-xml/manpages/smbpasswd.8.xml
@@ -326,7 +326,7 @@
 		has been compiled with LDAP support. The <parameter>-w</parameter> 
 		switch is used to specify the password to be used with the 
 		<smbconfoption name="ldap admin dn"/>.  Note that the password is stored in
-		the <filename>secrets.tdb</filename> and is keyed off 
+		the <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>) and is keyed off
 		of the admin's DN.  This means that if the value of <parameter>ldap
 		admin dn</parameter> ever changes, the password will need to be 
 		manually updated as well.
@@ -343,7 +343,7 @@
 		has been compiled with LDAP support. The <parameter>-W</parameter>
 		switch is used to specify the password to be used with the
 		<smbconfoption name="ldap admin dn"/>.  Note that the password is stored in
-		the <filename>secrets.tdb</filename> and is keyed off
+		the <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>) and is keyed off
 		of the admin's DN.  This means that if the value of <parameter>ldap
 		admin dn</parameter> ever changes, the password will need to be
 		manually updated as well.

diff --git a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
@@ -129,7 +129,7 @@
 	<itemizedlist>
 		<listitem>
 		<para>
-		The data from the module may be send encrypted, with a key stored in secrets.tdb. The
+		The data from the module may be send encrypted, with a key stored in secrets.tdb (or secrets.ntdb). The
 		Receiver then has to use the same key. The module does AES block encryption over the
 		data to send.
 		</para>

diff --git a/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml b/docs-xml/smbdotconf/domain/machinepasswordtimeout.xml
@@ -9,7 +9,7 @@
 	If a Samba server is a member of a Windows NT Domain (see the <smbconfoption
 	name="security">domain</smbconfoption> parameter) then periodically a running smbd process will try and change
 	the MACHINE ACCOUNT PASSWORD stored in the TDB called <filename moreinfo="none">private/secrets.tdb
-	</filename>.  This parameter specifies how often this password will be changed, in seconds. The default is one
+	</filename> (or <filename moreinfo="none">private/secrets.ntdb</filename>).  This parameter specifies how often this password will be changed, in seconds. The default is one
 	week (expressed in seconds), the same as a Windows NT Domain member server.
 	</para>
 

diff --git a/docs-xml/smbdotconf/ldap/ldapadmindn.xml b/docs-xml/smbdotconf/ldap/ldapadmindn.xml
@@ -8,7 +8,7 @@
 	 <para>
 	The <smbconfoption name="ldap admin dn"/> defines the Distinguished  Name (DN) name used by Samba to contact
 	the ldap server when retreiving  user account information. The <smbconfoption name="ldap admin dn"/> is used
-	in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename>
+	in conjunction with the admin dn password stored in the <filename moreinfo="none">private/secrets.tdb</filename> (or <filename moreinfo="none">private/secrets.ntdb</filename>)
 	file.  See the <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
 	man page for more information on how  to accomplish this.
 	</para>

diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml
@@ -8,7 +8,7 @@
 
 	<para>Valid options are:</para>
 	<itemizedlist>
-	  <listitem><para>secrets only - use only the secrets.tdb for
+	  <listitem><para>secrets only - use only the secrets.(n)tdb for
 	  ticket verification (default)</para></listitem>
 
 	  <listitem><para>system keytab - use only the system keytab
@@ -17,7 +17,7 @@
 	  <listitem><para>dedicated keytab - use a dedicated keytab
 	  for ticket verification</para></listitem>
 
-	  <listitem><para>secrets and keytab - use the secrets.tdb
+	  <listitem><para>secrets and keytab - use the secrets.(n)tdb
 	  first, then the system keytab</para></listitem>
 	</itemizedlist>
 

diff --git a/docs-xml/smbdotconf/security/privatedir.xml b/docs-xml/smbdotconf/security/privatedir.xml
@@ -7,7 +7,7 @@
 <description>
     <para>This parameters defines the directory
     smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename>
-    and <filename moreinfo="none">secrets.tdb</filename>.
+    and <filename moreinfo="none">secrets.tdb</filename> (or <filename moreinfo="none">secrets.ntdb</filename>).
 </para>
 </description>
 

diff --git a/examples/misc/adssearch.pl b/examples/misc/adssearch.pl
@@ -42,11 +42,13 @@ BEGIN
 
 
 my $tdbdump	= "/usr/bin/tdbdump";
+my $ntdbdump	= "/usr/bin/ntdbdump";
 my $testparm	= "/usr/bin/testparm";
 my $net		= "/usr/bin/net";
 my $dig		= "/usr/bin/dig";
 my $nmblookup	= "/usr/bin/nmblookup";
 my $secrets_tdb = "/etc/samba/secrets.tdb";
+my $secrets_ntdb = "/etc/samba/secrets.ntdb";
 my $klist	= "/usr/bin/klist";
 my $kinit	= "/usr/bin/kinit";
 my $workgroup	= "";
@@ -723,13 +725,21 @@ sub get_machine_password {
 	my $workgroup = shift || "";
 	$workgroup = uc($workgroup);
 
-	my ($found, $tmp);
-	-x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
-	-r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+	my ($found, $tmp, $dbdump, $db);
+	if (-r $secrets_ntdb) {
+	    -x $ntdbdump || die "ntdbdump is not installed. cannot proceed autodetection\n";
+	    $dbdump = $ntdbdump;
+	    $db = $secrets_ntdb;
+	} else {
+	    -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
+	    -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+	    $dbdump = $tdbdump;
+	    $db = $secrets_tdb;
+	}
 
 	# get machine-password
 	my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
-	open(SECRETS,"$tdbdump $secrets_tdb |");
+	open(SECRETS,"$dbdump $db |");
 	while(my $line = <SECRETS>) {
 		chomp($line);
 		if ($found) {

diff --git a/lib/tdb/man/tdbbackup.8.xml b/lib/tdb/man/tdbbackup.8.xml
@@ -91,6 +91,11 @@
 
 	<para>tdbbackup -v [-s suffix] *.tdb</para>
 
+	<para>
+	Note that Samba 4 can use .ntdb files instead, so you should
+	use <command>ntdbbackup</command> on those files.
+	</para>
+
 	<para>
 	Samba .tdb files are stored in various locations, be sure to run backup all
 	.tdb file on the system. Important files includes:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
@@ -418,6 +418,9 @@ $ret->{USERNAME} = KTEST\\Administrator
 	system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
 	chmod 0600, "$prefix/private/secrets.tdb";
 
+#Make sure there's no old ntdb file.
+	system("rm -f $prefix/private/secrets.ntdb");
+
 #This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
 # "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
 #

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
@@ -1512,7 +1512,7 @@ sub provision_chgdcpass($$)
 
 	# Remove secrets.tdb from this environment to test that we still start up
 	# on systems without the new matching secrets.tdb records
-	unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb")) {
+	unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
 		warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
 		return undef;
 	}

diff --git a/source3/include/secrets.h b/source3/include/secrets.h
@@ -82,7 +82,7 @@ struct afs_keyfile {
 
 /* The following definitions come from passdb/secrets.c  */
 
-bool secrets_init_path(const char *private_dir);
+bool secrets_init_path(const char *private_dir, bool use_ntdb);
 bool secrets_init(void);
 struct db_context *secrets_db_ctx(void);
 void secrets_shutdown(void);

diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c
@@ -3638,7 +3638,7 @@ static PyObject *py_set_secrets_dir(PyObject *self, PyObject *args)
 	}
 
 	/* Initialize secrets database */
-	if (!secrets_init_path(private_dir)) {
+	if (!secrets_init_path(private_dir, lp_use_ntdb())) {
 		PyErr_Format(py_pdb_error, "Cannot open secrets file database in '%s'",
 				private_dir);
 		talloc_free(frame);

diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
@@ -55,7 +55,7 @@ static void get_rand_seed(void *userdata, int *new_seed)
 }
 
 /* open up the secrets database with specified private_dir path */
-bool secrets_init_path(const char *private_dir)
+bool secrets_init_path(const char *private_dir, bool use_ntdb)
 {
 	char *fname = NULL;
 	unsigned char dummy;
@@ -70,8 +70,8 @@ bool secrets_init_path(const char *private_dir)
 	}
 
 	frame = talloc_stackframe();
-	fname = talloc_asprintf(frame, "%s/secrets.tdb",
-				private_dir);
+	fname = talloc_asprintf(frame, "%s/secrets.%s",
+				private_dir, use_ntdb ? "ntdb" : "tdb");
 	if (fname == NULL) {
 		TALLOC_FREE(frame);
 		return False;
@@ -105,7 +105,7 @@ bool secrets_init_path(const char *private_dir)
 /* open up the secrets database */
 bool secrets_init(void)
 {
-	return secrets_init_path(lp_private_dir());
+	return secrets_init_path(lp_private_dir(), lp_use_ntdb());
 }
 
 struct db_context *secrets_db_ctx(void)

diff --git a/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c b/source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c
@@ -474,7 +474,8 @@ static int secrets_tdb_sync_init(struct ldb_module *module)
 	struct ldb_context *ldb;
 	struct secrets_tdb_sync_private *data;
 	char *private_dir, *p;
-	const char *secrets_ldb;
+	const char *secrets_ldb, *secrets_ntdb;
+	bool use_ntdb;
 
 	ldb = ldb_module_get_ctx(module);
 
@@ -498,11 +499,17 @@ static int secrets_tdb_sync_init(struct ldb_module *module)
 	p = strrchr(private_dir, '/');
 	if (p) {
 		*p = '\0';
-		secrets_init_path(private_dir);
 	} else {
-		secrets_init_path(".");
+		private_dir = talloc_strdup(data, ".");
 	}
 
+	/* If there's an ntdb file, force code to load that. */
+	secrets_ntdb = talloc_asprintf(private_dir, "%s/secrets.ntdb",
+				       private_dir);
+	use_ntdb = file_exist(secrets_ntdb);
+
+	secrets_init_path(private_dir, use_ntdb);
+
 	TALLOC_FREE(private_dir);
 
 	data->secrets_tdb = secrets_db_ctx();

diff --git a/source4/scripting/python/samba/tests/provision.py b/source4/scripting/python/samba/tests/provision.py
@@ -55,8 +55,9 @@ class ProvisionTestCase(samba.tests.TestCaseInTempDir):
 
     def test_setup_secretsdb(self):
         path = os.path.join(self.tempdir, "secrets.ldb")
-        secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
         paths = ProvisionPaths()
+        secrets_tdb_path = os.path.join(self.tempdir, "secrets.tdb")
+        secrets_ntdb_path = os.path.join(self.tempdir, "secrets.ntdb")
         paths.secrets = path
         paths.private_dir = os.path.dirname(path)
         paths.keytab = "no.keytab"
@@ -68,8 +69,10 @@ def test_setup_secretsdb(self):
         finally:
             del ldb
             os.unlink(path)
-            os.unlink(secrets_tdb_path)
-
+            if os.path.exists(secrets_tdb_path):
+                os.unlink(secrets_tdb_path)
+            if os.path.exists(secrets_ntdb_path):
+                os.unlink(secrets_ntdb_path)
 
 class FindNssTests(TestCase):
     """Test findnss() function."""

diff --git a/source4/scripting/python/samba/tests/upgradeprovision.py b/source4/scripting/python/samba/tests/upgradeprovision.py
@@ -126,7 +126,7 @@ def test_update_modules(self):
         self.assertEquals(newmodules.msgs, refmodules.msgs)
 
     def tearDown(self):
-        for name in ["ref.ldb", "secrets.ldb", "secrets.tdb"]:
+        for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb"]:
             path = os.path.join(self.tempdir, name)
             if os.path.exists(path):
                 os.unlink(path)

diff --git a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
@@ -172,7 +172,7 @@ def test_updateOEMInfo(self):
         self.assertTrue(re.match(".*upgrade to.*", str(oem2)))
 
     def tearDown(self):
-        for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "sam.ldb"]:
+        for name in ["ref.ldb", "secrets.ldb", "secrets.tdb", "secrets.tdb.bak", "secrets.ntdb", "sam.ldb"]:
             path = os.path.join(self.tempdir, name)
             if os.path.exists(path):
                 os.unlink(path)