/* In the future this needs to be fetched from the ldb */
uint32_t found_domain = 2;
- if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
DEBUG(10 ,("Received a domain referral request on a non DC\n"));
return NT_STATUS_INVALID_PARAMETER;
}
struct dfs_referral_type *referrals;
const char *referral_str;
- if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
return NT_STATUS_INVALID_PARAMETER;
}
NTSTATUS status;
struct dfs_referral_type *referrals;
- if (lpcfg_server_role(lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
return NT_STATUS_INVALID_PARAMETER;
}
{ ROLE_DOMAIN_MEMBER, "ROLE_DOMAIN_MEMBER" },
{ ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
{ ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
+ { ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
{ 0, NULL }
};
break;
case SEC_ADS:
if (domain_logons) {
- role = ROLE_DOMAIN_CONTROLLER;
+ role = ROLE_DOMAIN_BDC;
break;
}
role = ROLE_DOMAIN_MEMBER;
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
if (security == SEC_USER || security == SEC_ADS || security == SEC_DOMAIN) {
valid = true;
}
{ROLE_STANDALONE, "standalone"},
{ROLE_DOMAIN_MEMBER, "member server"},
{ROLE_DOMAIN_MEMBER, "member"},
- /* note that currently
- ROLE_DOMAIN_CONTROLLER == ROLE_DOMAIN_BDC */
- {ROLE_DOMAIN_CONTROLLER, "domain controller"},
- {ROLE_DOMAIN_CONTROLLER, "dc"},
+ {ROLE_DOMAIN_PDC, "classic primary domain controller"},
+ {ROLE_DOMAIN_BDC, "classic backup domain controller"},
+ {ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
+ {ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
+ {ROLE_ACTIVE_DIRECTORY_DC, "dc"},
{-1, NULL}
};
switch (lpcfg_server_role(lp_ctx)) {
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
return lpcfg_workgroup(lp_ctx);
default:
return lpcfg_netbios_name(lp_ctx);
ROLE_DOMAIN_MEMBER = 1,
ROLE_DOMAIN_BDC = 2,
ROLE_DOMAIN_PDC = 3,
+
+ /* not in samr.idl */
+ ROLE_ACTIVE_DIRECTORY_DC = 4,
/* To determine the role automatically, this is not a valid role */
ROLE_AUTO = 100
};
-/* keep compatibility with the s4 'ROLE_DOMAIN_CONTROLLER' by mapping
- * it to ROLE_DOMAIN_BDC. The PDC/BDC split is really historical from
- * NT4 domains which were not multi-master, but even in AD there is
- * only one machine that has the PDC FSMO role in a domain.
-*/
-#define ROLE_DOMAIN_CONTROLLER ROLE_DOMAIN_BDC
-
/* security levels for 'security =' option
--------------
Check to see if we are a DC for this domain
*****************************************************************************/
-#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC)
+#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
/*
* If you add any entries to KERBEROS_VERIFY defines, please modify the below expressions
break;
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind", NULL);
break;
}
}
return NT_STATUS_OK;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
if (!is_local_name && !is_my_domain) {
DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
user_info->mapped.domain_name));
task_server_terminate(task, "cldap_server: no CLDAP server required in member server configuration",
false);
return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
/* Yes, we want an CLDAP server */
break;
}
case ROLE_DOMAIN_MEMBER:
task_server_terminate(task, "dns: no DNS required in member server configuration", false);
return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
/* Yes, we want a DNS */
break;
}
NTSTATUS status;
struct dnsupdate_service *service;
- if (lpcfg_server_role(task->lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
/* not useful for non-DC */
return;
}
case ROLE_DOMAIN_MEMBER:
task_server_terminate(task, "kccsrv: no KCC required in domain member configuration", false);
return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
/* Yes, we want a KCC */
break;
}
task_server_terminate(task, "dreplsrv: no DSDB replication required in domain member configuration",
false);
return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
/* Yes, we want DSDB replication */
break;
}
task_server_terminate(task, "echo: Not starting echo server " \
"for domain members", false);
return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
/* Yes, we want to run the echo server */
break;
}
case ROLE_DOMAIN_MEMBER:
task_server_terminate(task, "kdc: no KDC required in member server configuration", false);
return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ task_server_terminate(task, "Cannot start KDC as a 'classic Samba' DC", true);
+ return;
+ case ROLE_ACTIVE_DIRECTORY_DC:
/* Yes, we want a KDC */
break;
}
task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration",
false);
return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
/* Yes, we want an LDAP server */
break;
}
samctx = iface->nbtsrv->sam_ctx;
- if (lpcfg_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_DOMAIN_CONTROLLER
+ if (lpcfg_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC
|| !samdb_is_pdc(samctx)) {
DEBUG(2, ("Not a PDC, so not processing LOGON_PRIMARY_QUERY\n"));
return;
aliases++;
}
- if (lpcfg_server_role(nbtsrv->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(nbtsrv->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
bool is_pdc = samdb_is_pdc(nbtsrv->sam_ctx);
if (is_pdc) {
nbtd_register_name(nbtsrv, lpcfg_workgroup(nbtsrv->task->lp_ctx),
{
struct loadparm_context *lp_ctx = loadparm_init(tctx);
torture_assert(tctx, lpcfg_set_option(lp_ctx, "server role=domain controller"), "lpcfg_set_option failed");
- torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_DOMAIN_CONTROLLER, "ROLE should be DC");
+ torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_ACTIVE_DIRECTORY_DC, "ROLE should be DC");
torture_assert_int_equal(tctx, lpcfg_security(lp_ctx), SEC_USER, "security should be USER");
return true;
}
}
}
- if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
return WERR_NOT_SUPPORTED;
}
case ROLE_DOMAIN_MEMBER:
default_server_announce |= SV_TYPE_DOMAIN_MEMBER;
break;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
{
struct ldb_context *samctx;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
case ROLE_DOMAIN_MEMBER:
role = DS_ROLE_MEMBER_SERVER;
break;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
if (samdb_is_pdc(state->sam_ldb)) {
role = DS_ROLE_PRIMARY_DC;
} else {
W_ERROR_HAVE_NO_MEMORY(domain);
/* TODO: what is with dns_domain and forest and guid? */
break;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
flags = DS_ROLE_PRIMARY_DS_RUNNING;
if (state->mixed_domain == 1) {
info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount",
0);
switch (state->role) {
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
/* This pulls the NetBIOS name from the
cn=NTDS Settings,cn=<NETBIOS name of PDC>,....
string */
}
break;
case ROLE_DOMAIN_PDC:
- info->role = SAMR_ROLE_DOMAIN_PDC;
- break;
+ case ROLE_DOMAIN_BDC:
+ return NT_STATUS_INTERNAL_ERROR;
case ROLE_DOMAIN_MEMBER:
info->role = SAMR_ROLE_DOMAIN_MEMBER;
break;
{
switch (state->role) {
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
/* This pulls the NetBIOS name from the
cn=NTDS Settings,cn=<NETBIOS name of PDC>,....
string */
if lp.get("server role").lower() != serverrole:
raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole))
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
if domain is None:
# This will, for better or worse, default to 'WORKGROUP'
domain = lp.get("workgroup")
lp.set("xattr_tdb:file", os.path.abspath(os.path.join(statedir, "xattr.tdb")))
shares = {}
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
shares["sysvol"] = os.path.join(lp.get("state directory"), "sysvol")
shares["netlogon"] = os.path.join(shares["sysvol"], realm.lower(),
"scripts")
dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
next_rid=next_rid, dc_rid=dc_rid)
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
# Set up group policies (domain policy and domain controller
# policy)
create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
_ROLES_MAP = {
"ROLE_STANDALONE": "standalone",
"ROLE_DOMAIN_MEMBER": "member server",
- "ROLE_DOMAIN_BDC": "domain controller",
- "ROLE_DOMAIN_PDC": "domain controller",
- "dc": "domain controller",
+ "ROLE_DOMAIN_BDC": "active directory domain controller",
+ "ROLE_DOMAIN_PDC": "active directory domain controller",
+ "dc": "active directory domain controller",
"member": "member server",
- "domain controller": "domain controller",
+ "domain controller": "active directory domain controller",
+ "active directory domain controller": "active directory domain controller",
"member server": "member server",
"standalone": "standalone",
}
:param role: Server role
:raise ValueError: If the role can not be interpreted
:return: Sanitized server role (one of "member server",
- "domain controller", "standalone")
+ "active directory domain controller", "standalone")
"""
try:
return _ROLES_MAP[role]
try:
serverrole = sanitize_server_role(serverrole)
except ValueError:
- raise ProvisioningError('server role (%s) should be one of "domain controller", "member server", "standalone"' % serverrole)
+ raise ProvisioningError('server role (%s) should be one of "active directory domain controller", "member server", "standalone"' % serverrole)
if ldapadminpass is None:
# Make a new, random password between Samba and it's LDAP server
if paths.sysvol and not os.path.exists(paths.sysvol):
os.makedirs(paths.sysvol, 0775)
- if not use_ntvfs and serverrole == "domain controller":
+ if not use_ntvfs and serverrole == "active directory domain controller":
if paths.sysvol is None:
raise MissingShareError("sysvol", paths.smbconf)
serverrole=serverrole,
schema=schema, fill=samdb_fill, am_rodc=am_rodc)
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
if paths.netlogon is None:
raise MissingShareError("netlogon", paths.smbconf)
logger.info("A Kerberos configuration suitable for Samba 4 has been "
"generated at %s", paths.krb5conf)
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
create_dns_update_list(lp, logger, paths)
backend_result = provision_backend.post_setup()
realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn,
configdn=configdn, serverdn=serverdn, domain=domain,
hostname=hostname, hostip=None, domainsid=domainsid,
- machinepass=machinepass, serverrole="domain controller",
+ machinepass=machinepass, serverrole="active directory domain controller",
sitename=sitename, dns_backend=dns_backend, dnspass=dnspass)
res.lp.set("debuglevel", str(debuglevel))
return res
* on non-DCs
*/
- if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
signing_setting = SMB_SIGNING_REQUIRED;
} else {
signing_setting = SMB_SIGNING_OFF;
* on non-DCs
*/
- if (lpcfg_server_role(lp_ctx) >= ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
signing_setting = SMB_SIGNING_REQUIRED;
} else {
signing_setting = SMB_SIGNING_OFF;
return 1;
}
- if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) {
DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
exit(1);
if ((!cli_credentials_is_anonymous(state->domain->libnet_ctx->cred)) &&
((lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_MEMBER) ||
- (lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER)) &&
+ (lpcfg_server_role(service->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC)) &&
(dom_sid_equal(state->domain->info->sid,
state->service->primary_sid))) {
state->domain->netlogon_binding->flags |= DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO;
return;
}
break;
- case ROLE_DOMAIN_CONTROLLER:
- case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
primary_sid = secrets_get_domain_sid(service,
service->task->lp_ctx,
lpcfg_workgroup(service->task->lp_ctx),
return;
}
break;
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ task_server_terminate(task, "Cannot start 'samba' winbindd as a 'classic samba' DC: use winbindd instead", true);
+ return;
}
service->primary_sid = primary_sid;