s4:ldap_server: add support for tls channel bindings
[samba.git] / python / samba / netcmd / testparm.py
index 9af141d3907d29fab9cf2f0259268948ae118fc5..a419ddf126064de8bb6da2660f8dc08781aabee6 100644 (file)
@@ -37,6 +37,7 @@ import samba
 import samba.getopt as options
 from samba.netcmd import Command, CommandError, Option
 
+
 class cmd_testparm(Command):
     """Syntax check the configuration file."""
 
@@ -66,7 +67,7 @@ class cmd_testparm(Command):
         # These are harder to do with the new code structure
         Option("--show-all-parameters", action="store_true", default=False,
                help="Show the parameters, type, possible values")
-        ]
+    ]
 
     takes_args = []
 
@@ -84,7 +85,7 @@ class cmd_testparm(Command):
 
         try:
             lp = sambaopts.get_loadparm()
-        except RuntimeError, err:
+        except RuntimeError as err:
             raise CommandError(err)
 
         # We need this to force the output
@@ -102,15 +103,25 @@ class cmd_testparm(Command):
         else:
             if section_name is not None or parameter_name is not None:
                 if parameter_name is None:
-                    lp[section_name].dump(sys.stdout, lp.default_service,
-                            verbose)
+                    try:
+                        section = lp[section_name]
+                    except KeyError:
+                        if section_name in ['global', 'globals']:
+                            lp.dump_globals()
+                        else:
+                            raise CommandError(f"Unknown section {section_name}")
+                    else:
+                        section.dump(lp.default_service, verbose)
                 else:
-                    lp.dump_a_parameter(sys.stdout, parameter_name, section_name)
+                    try:
+                        lp.dump_a_parameter(parameter_name, section_name)
+                    except RuntimeError as e:
+                        raise CommandError(e)
             else:
                 if not suppress_prompt:
                     self.outf.write("Press enter to see a dump of your service definitions\n")
                     sys.stdin.readline()
-                lp.dump(sys.stdout, verbose)
+                lp.dump(verbose)
         if valid:
             return
         else:
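Review bot: The `raise CommandError(f"Unknown section {section_name}")` inside the new `except KeyError:` block will print the swallowed KeyError as well, since Python reports "During handling of the above exception, another exception occurred" for an implicit chain; the KeyError is not useful to the user here, so it should be `raise CommandError(f"Unknown section {section_name}") from None`. The opposite applies to the second new handler, where the RuntimeError is the real cause and is worth keeping: `raise CommandError(e) from e`. The existing handler further up in this method (`raise CommandError(err)`, same pattern) could be aligned the same way, though that is outside this hunk's new lines. The enclosing method starts before this hunk and its `if valid:`/`else:` tail continues past it.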
@@ -157,12 +168,30 @@ class cmd_testparm(Command):
             valid = False
 
         role = lp.get("server role")
-        charset = lp.get("unix charset").upper()
 
-        if role in ["active directory domain controller", "domain controller", "dc"] and charset not in ["UTF-8", "UTF8"]:
+        if role in ["active directory domain controller", "domain controller", "dc"]:
+            charset = lp.get("unix charset").upper()
+            if charset not in ["UTF-8", "UTF8"]:
+                logger.warning(
+                    "When acting as Active Directory domain controller, "
+                    "unix charset is expected to be UTF-8.")
+            vfsobjects = lp.get("vfs objects")
+            if vfsobjects:
+                for entry in ['dfs_samba4', 'acl_xattr']:
+                    if entry not in vfsobjects:
+                        logger.warning(
+                            "When acting as Active Directory domain controller, " +
+                            entry + " should be in vfs objects.")
+
+        strong_auth = lp.get("ldap server require strong auth")
+        if strong_auth == "allow_sasl_over_tls":
             logger.warning(
-                "When acting as Active Directory domain controller, "
-                "unix charset is expected to be UTF-8.")
+                "WARNING: You have not configured "
+                "'ldap server require strong auth = "
+                "allow_sasl_over_tls'.\n"
+                "Please change to 'yes' (preferred) or "
+                "'allow_sasl_without_tls_channel_bindings' "
+                "(if really needed).")
 
         return valid
 
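Review bot: The new warning text contradicts its own guard: the branch runs only when `ldap server require strong auth` is equal to `allow_sasl_over_tls`, yet the message says the value has "not" been configured, which will send the administrator looking for a missing setting rather than the weak one they actually have. The first fragment should read `"You have configured "` so the message states the detected value before suggesting `yes` or `allow_sasl_without_tls_channel_bindings`. The leading `WARNING:` prefix is also redundant with `logger.warning` and inconsistent with the two other warnings added in this hunk, which rely on the log level alone. The enclosing method starts before this hunk; the `valid = False` at the top belongs to an earlier check and is not affected by these additions.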
@@ -202,9 +231,9 @@ class cmd_testparm(Command):
         # this is totally ugly, a real `quick' hack
         for s in lp.services():
             if (self.allow_access(lp.get("hosts deny"), lp.get("hosts allow"), cname,
-                             caddr) and
+                                  caddr) and
                 self.allow_access(lp.get("hosts deny", s), lp.get("hosts allow", s),
-                             cname, caddr)):
+                                  cname, caddr)):
                 logger.info("Allow connection from %s (%s) to %s", cname, caddr, s)
             else:
                 logger.info("Deny connection from %s (%s) to %s", cname, caddr, s)