Hello Matthias,

On 11/01/2010 00:48, Matthias Dieter Wallnöfer wrote:
The branch, master has been updated
        via  2cedefa... s4:upgradeprovision - fix up the script regarding linked attributes
        via  e0d6b097.. s4:upgradeprovision - Reformat comments
        via  601ea3a... s4:repl_meta_data - Transform a "1" into a "true" on a boolean variable
        via  91e2100... s4:provision_users.ldif - Add objects for IIS
        via  e72787f... s4:provision_self_join_modify.ldif - Point out that account "dns" is s4 specific
        via  9ee895f... s4:provision_users.ldif - Fix memberships regarding the denied password RODC replication group
       from  81a848b... s3: Remove some unused variables

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2cedefabc93c8a1fcb49d65a3f78a344e814f826
Author: Matthias Dieter Wallnöfer<[email protected]>
Date:   Sun Jan 10 21:34:05 2010 +0100

     s4:upgradeprovision - fix up the script regarding linked attributes

     We have to try to add new objects until between two iterations we didn't make
     any progress. Either we are then done (no objects remaining) or we are
     incapable to do this fully automatically.

     The latter can happen if important system objects (builtin groups, users...)
     moved (e.g. consider one of my recent comments). Then the new object can't be
     added if it contains the same "sAMAccountName" attribute as the old one. We
     have to let the user delete the old one (also to give him a chance to backup
     personal changes - if needed) and only then the script is capable to add the
     new one onto the right place. Make this clear with an exhaustive error output.

     I personally don't see a good way how to do this better for now so I would leave
     this as a manual step.


diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c 
b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 394ce3e..b4caac4 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -523,40 +534,78 @@ def 
check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
                else:
                        listPresent.append(hash_new[k])

-       # Sort the missing object in order to have object of the lowest level 
first (which can be
-       # containers for higher level objects)
+       # Sort the missing object in order to have object of the lowest level
+       # first (which can be containers for higher level objects)
        listMissing.sort(dn_sort)
        listPresent.sort(dn_sort)

        if ischema:
-               # The following lines (up to the for loop) is to load the up to 
date schema into our current LDB
-               # a complete schema is needed as the insertion of attributes 
and class is done against it
+               # The following lines (up to the for loop) is to load the up to
+               # date schema into our current LDB
+               # a complete schema is needed as the insertion of attributes
+               # and class is done against it
                # and the schema is self validated
-               # The double ldb open and schema validation is taken from the 
initial provision script
+               # The double ldb open and schema validation is taken from the
+               # initial provision script
                # it's not certain that it is really needed ....
                sam_ldb = Ldb(session_info=session, credentials=creds, lp=lp)
                schema = Schema(setup_path, names.domainsid, schemadn=basedn, 
serverdn=str(names.serverdn))
                # Load the schema from the one we computed earlier
                sam_ldb.set_schema_from_ldb(schema.ldb)
-               # And now we can connect to the DB - the schema won't be loaded 
from the DB
+               # And now we can connect to the DB - the schema won't be loaded
+               # from the DB
                sam_ldb.connect(paths.samdb)
        else:
                sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, 
options=["modules:samba_dsdb"])

        sam_ldb.transaction_start()

-       empty = ldb.Message()
-       message(SIMPLE,"There are %d missing objects"%(len(listMissing)))
-       for dn in listMissing:
-               reference = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, 
scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
-               delta = sam_ldb.msg_diff(empty,reference[0])
-               for att in hashAttrNotCopied.keys():
-                       delta.remove(att)
-               for att in backlinked:
-                       delta.remove(att)
-               delta.dn = dn
+       err_num = 0
+       err_msg = ""
+       while len(listMissing)>  0:
+               listMissing2 = []
+
+               empty = ldb.Message()
+               message(SIMPLE,"There are still %d objects 
missing"%(len(listMissing)))

-               sam_ldb.add(delta,["relax:0"])
+               for dn in listMissing:
+                       reference = newsam_ldb.search(expression="dn=%s" % 
(str(dn)),
+                                                     base=basedn, 
scope=SCOPE_SUBTREE,
+                                                     
controls=["search_options:1:2"])
+                       delta = sam_ldb.msg_diff(empty,reference[0])
+                       for att in hashAttrNotCopied.keys():
+                               delta.remove(att)
+                       for att in backlinked:
+                               delta.remove(att)
+                       delta.dn = dn
+
+                       try:
+                               sam_ldb.add(delta,["relax:0"])
+                               # This is needed here since otherwise the
+                               # "replmd_meta_data" module doesn't see the
+                               # updated data
+                               sam_ldb.transaction_commit()
+                               sam_ldb.transaction_start()
+                       except LdbError, (num, msg):
+                               # An exception can happen if a linked object
+                               # doesn't exist which can happen if it is also
+                               # to be added
+                               err_num = num
+                               err_msg = msg
+                               listMissing2.append(dn)
+
+               if len(listMissing2) == len(listMissing):
+                       # We couldn't add any object in this iteration ->
+                       # we have to resign and hope that the user manually
+                       # fixes the damage
+
+                       message(ERROR, "The script isn't capable to do the upgrade 
fully automatically!")
+                       message(ERROR, "Often this happens when important system 
objects moved their location. Please look for them (for example doable using the 
displayed 'sAMAccountName' attribute), backup if personally changed and remove 
them.")
+                       message(ERROR, "Reinvoke this script and reapply eventual 
modifications done before. It is possible to get this error more than once (for each 
problematic object).")
+
+                       raise LdbError(err_num, err_msg)
+
+               listMissing = listMissing2
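
Review bot: The sam_ldb.transaction_commit() / sam_ldb.transaction_start() pair inside the try block makes every successful add permanent, so when the no-progress branch reaches "raise LdbError(err_num, err_msg)" the database keeps whatever earlier passes added and is left partially upgraded, with the most recently started transaction still open and no transaction_cancel() visible in this hunk. If the intermediate commit is really required for the "replmd_meta_data" module to see the new objects, state in the error output that earlier additions are already committed, and cancel the open transaction before raising. The message(ERROR, ...) lines also refer to a displayed 'sAMAccountName', but only the last err_num/err_msg pair is kept; reporting each DN left in listMissing2 together with its own error would tell the administrator which objects to look for.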

I'm not too pleased with this change, as it tends to commit stuff partially instead of all at once, once we are sure that everything was (correctly) added. At least with this way of doing it, we are sure that once the commit is done, all the schema or all the partitions have been updated and that the whole thing is relatively coherent.


Also, apart from the groupType that we talked about last Sunday on IRC, you told me that some objects were misplaced, but when I do an upgradeprovision against an alpha10 provision I only found those 2 changes:


* CN=dns,CN=Users,DC=home,DC=matws,DC=net exists but with the wrong objectSID
* CN=RID Set,CN=ARES,OU=Domain Controllers,DC=home,DC=matws,DC=net

Where are the other problems that you faced?

Mattieu.
