The branch, master has been updated
via 38a26f7... s4 upgradeprovision: Make grouped commit / rollback more
resistant to unexpected problems
via c4f7b0e... s4 upgradeprovision: Check that the policy for DC is
present; if not, warn the user
via aea0003... s4 upgradeprovision: Emit message instead of crashing
when not able to set acl
via 17af115... s4 upgradeprovision: add an option to force the
rebuilding of FS ACLs on sysvols share
via 59f17f9... s4 unittests: add unit tests for upgradehelpers
via 75389ce... s4 upgradeprovision: Add function for searching stored
constructed attributes
via f3e7d0a... s4: Using control bypassoperational allows the logic of
this module to be bypassed for some given attributes
via 3ebe560... ldb: add a new control bypassoperational
via 9c5f0ed... s4 upgradeprovision: additional restyling
via 423f991... s4 upgradeprovision: Restyle imports
via fbeacc1... s4 upgradeprovision: Move functions to helpers and
improve code
via 8ff65b0... s4 python: Update unit tests related to create secrets
via 9c808c4... s4: Add comments about setup_secrets
via 84342b1... s4 upgradeprovision: Add documentation on the update
process
via a466e0d... s4 python: Add unit tests for upgradeprovision related
stuff
via ad55248... s4 upgradeprovision: move some functions to
upgradehelpers for unit tests
via 0537de1... s4 upgradeprovision: Fix style
via b624440... s4 upgradeprovision: Use replPropertyMetaData for better
guess
via dd963dd... s4 upgradeprovision: Reformat attributes lists and
reformat parser
via 60400a7... s4 upgradeprovision: Inform about new dns dynamic update
if the provision didn't have it
via 26ccc3f... s4 upgradeprovision: fix style
via 0ff46ec... s4 upgrade provision: Refactor code to do all the
modification within 1 transaction
via ec90b1b... s4 upgrade provision: Fix style in gen_dn_index
via 50072e2... s4 Add functions related to ldb manipulation when doing
upgrade
via e2df3c2... s4 provision: Add information about provisioned usn
range in sam.ldb
from c92db7b... python: Use samba.tests.TestCase, make sure base class
tearDown and setUp methods are called, fix formatting.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 38a26f79eaded8364a178ba2aac71e64f5d60be5
Author: Matthieu Patou <[email protected]>
Date: Wed Jun 16 11:25:19 2010 +0400
s4 upgradeprovision: Make grouped commit / rollback more resistant to
unexpected problems
Signed-off-by: Jelmer Vernooij <[email protected]>
commit c4f7b0e5f673943dfdda88f3e289912778a07a33
Author: Matthieu Patou <[email protected]>
Date: Mon Jun 14 12:28:58 2010 +0400
s4 upgradeprovision: Check that the policy for DC is present; if not, warn
the user
Signed-off-by: Jelmer Vernooij <[email protected]>
commit aea0003d088f5e5f7d1393d4d75f570418dda043
Author: Matthieu Patou <[email protected]>
Date: Mon Jun 14 02:14:48 2010 +0400
s4 upgradeprovision: Emit message instead of crashing when not able to set
acl
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 17af115de59fc3b52134a44ae1b0c5170b8f67e3
Author: Matthieu Patou <[email protected]>
Date: Mon Jun 14 01:50:47 2010 +0400
s4 upgradeprovision: add an option to force the rebuilding of FS ACLs on
sysvols share
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 59f17f9e64f4fdf4a63440e20d6b30008072b4df
Author: Matthieu Patou <[email protected]>
Date: Tue Jun 15 12:53:18 2010 +0400
s4 unittests: add unit tests for upgradehelpers
The functions tested are:
* construct_existor_expr
* search_constructed_attrs_stored
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 75389cecdde884356e222e3f846e7358f82c20c0
Author: Matthieu Patou <[email protected]>
Date: Tue Jun 15 12:50:29 2010 +0400
s4 upgradeprovision: Add function for searching stored constructed
attributes
Signed-off-by: Jelmer Vernooij <[email protected]>
commit f3e7d0ae8f63c57fc0ec7680b2863c6f50e167fe
Author: Matthieu Patou <[email protected]>
Date: Tue Jun 15 02:41:18 2010 +0400
s4: Using control bypassoperational allows the logic of this module to be
bypassed for some given attributes
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 3ebe56062297e52cf31499c6eb63c7ce70073bcc
Author: Matthieu Patou <[email protected]>
Date: Tue Jun 15 02:23:11 2010 +0400
ldb: add a new control bypassoperational
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 9c5f0ed7298e666fcfa05257fc7abfb6d3208433
Author: Matthieu Patou <[email protected]>
Date: Tue Jun 15 23:41:39 2010 +0400
s4 upgradeprovision: additional restyling
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 423f99172efcb57a654af5a6fcbad1045f210027
Author: Matthieu Patou <[email protected]>
Date: Thu Jun 10 01:00:43 2010 +0400
s4 upgradeprovision: Restyle imports
Signed-off-by: Jelmer Vernooij <[email protected]>
commit fbeacc1013bc3a95f19d7932a2bbf3d28176a977
Author: Matthieu Patou <[email protected]>
Date: Tue Jun 8 00:01:16 2010 +0400
s4 upgradeprovision: Move functions to helpers and improve code
Among the code improvements, the most significant part is that we now
compare DN objects instead of their string representations. It allows
a better reaction to case and white space differences.
Some new object moves have been added (i.e. System into Well Known
Security Principals).
This will allow more unit testing.
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 8ff65b0136f442204f4d059fb1a13ad4a6419ab4
Author: Matthieu Patou <[email protected]>
Date: Fri May 7 04:22:36 2010 +0400
s4 python: Update unit tests related to create secrets
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 9c808c47fc2fddac396d12452428443f3ab26073
Author: Matthieu Patou <[email protected]>
Date: Mon May 24 09:41:44 2010 +0400
s4: Add comments about setup_secrets
The comments are to inform people that this function should not handle
transactions within the function, as it is mainly used in provision and
we want to commit secrets only if all the actions on secrets have
worked.
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 84342b1c7f289e5288470d4d4e3899aac6f042c5
Author: Matthieu Patou <[email protected]>
Date: Fri May 7 16:26:26 2010 +0400
s4 upgradeprovision: Add documentation on the update process
Signed-off-by: Jelmer Vernooij <[email protected]>
commit a466e0d61a97da648970eea02c246c08c503c421
Author: Matthieu Patou <[email protected]>
Date: Tue May 4 00:01:00 2010 +0400
s4 python: Add unit tests for upgradeprovision related stuff
Signed-off-by: Jelmer Vernooij <[email protected]>
commit ad55248958fe9aaeb6ebdc6f2d4c66a85ead6786
Author: Matthieu Patou <[email protected]>
Date: Tue Jun 8 00:52:25 2010 +0400
s4 upgradeprovision: move some functions to upgradehelpers for unit tests
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 0537de17c124b8ceccbeb9a57e9636a461239774
Author: Matthieu Patou <[email protected]>
Date: Tue Jun 8 01:13:45 2010 +0400
s4 upgradeprovision: Fix style
reformat *_update_samdb functions
fix_partition_sd
rebuild_sd
update_samdb
update_privilege
update_machine_account_password
update_gpo
Signed-off-by: Jelmer Vernooij <[email protected]>
commit b624440a0fc99c43e97c73ffe7e17621a17b59ae
Author: Matthieu Patou <[email protected]>
Date: Mon Jun 7 16:27:48 2010 +0400
s4 upgradeprovision: Use replPropertyMetaData for better guess
Rework upgradeprovision in order to get more precise updates when doing
upgrade provision.
This is done through the use of replPropertyMetaData information and raw
information revealed by the
"reveal" control.
The code has also been changed to avoid a double free error when changing the
schema (for old provisions).
Checking of SDs is done a bit more cleverly, as we compare the different
parts of an ACL separately.
Fix logic when upgrading a provision without replPropertyMetaData info.
Also, for old provisions (pre alpha9), do not copy the usn range because the
data here will be wrong.
Signed-off-by: Jelmer Vernooij <[email protected]>
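The part-wise security descriptor comparison that the commit message above describes, as an added Python example for this notification; it is not Samba's code and does not reproduce the get_diff_sddls helper that upgradeprovision imports. It splits an SDDL string into owner, group, DACL and SACL, then diffs the ACE lists as sets, so a reordered DACL is not reported as a change but an added or removed ACE is named. The SDDL strings are constructed for the example, and the ACE regex deliberately does not handle conditional ACEs with nested parentheses.

```python
"""Part-wise comparison of two security descriptors given as SDDL.

Added example for this notification, not Samba code. The sample SDDL
strings below are constructed for the example.
"""
import re

# The four top-level SDDL parts are each introduced by a letter and a
# colon, and colons occur nowhere else in classic SDDL.
_PART_RE = re.compile(r"(O|G|D|S):")
# One parenthesised ACE. Conditional ACEs with nested parentheses are
# out of scope for this example and simply do not match.
_ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into its O, G, D and S parts.

    O and G map to their SID/alias string (None when absent). D and S map
    to (flags, frozenset_of_aces): flags is the text before the first ACE
    (e.g. "PAI"), each ACE is the text between its parentheses.
    """
    parts = {"O": None, "G": None, "D": None, "S": None}
    marks = list(_PART_RE.finditer(sddl))
    for idx, mark in enumerate(marks):
        end = marks[idx + 1].start() if idx + 1 < len(marks) else len(sddl)
        body = sddl[mark.end():end]
        key = mark.group(1)
        if key in ("O", "G"):
            parts[key] = body
        else:
            flags, _, rest = body.partition("(")
            aces = _ACE_RE.findall("(" + rest) if rest else []
            parts[key] = (flags, frozenset(aces))
    return parts


def diff_sddl(reference, current):
    """Return what differs between two descriptors, keyed by part.

    An empty dict means they are equivalent even if the text differs
    (ACE order is not significant). For D and S the value holds any of
    "flags" (reference, current), "missing" (ACEs only in the reference)
    and "extra" (ACEs only in current), so an upgrade tool can report
    which ACEs an administrator added or removed instead of a bare
    string mismatch.
    """
    ref, cur = parse_sddl(reference), parse_sddl(current)
    out = {}
    for key in ("O", "G"):
        if ref[key] != cur[key]:
            out[key] = (ref[key], cur[key])
    for key in ("D", "S"):
        r, c = ref[key], cur[key]
        if r == c:
            continue
        if r is None or c is None:
            out[key] = {"absent_in": "reference" if r is None else "current"}
            continue
        delta = {}
        if r[0] != c[0]:
            delta["flags"] = (r[0], c[0])
        if r[1] - c[1]:
            delta["missing"] = sorted(r[1] - c[1])
        if c[1] - r[1]:
            delta["extra"] = sorted(c[1] - r[1])
        out[key] = delta
    return out


# Constructed sample: the descriptor a fresh provision would write, and the
# one found in the database, where an administrator added a full-control
# ACE for Everyone (WD) and the first two ACEs are stored in another order.
REFERENCE_SDDL = ("O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                  "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)")
CURRENT_SDDL = ("O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
                "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
                "(A;;GA;;;WD)")

if __name__ == "__main__":
    # Reports only the DACL, with the one extra ACE; the reorder is silent.
    for part, delta in sorted(diff_sddl(REFERENCE_SDDL, CURRENT_SDDL).items()):
        print("%s: %r" % (part, delta))
```

Comparing sets rather than strings is what makes the upgrade decision useful: "same ACEs, different order" needs no action, while "extra" is exactly the list an operator must look at before the tool rewrites the descriptor.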
commit dd963ddb4e84bb1b7bea6ecb3a1e045d170338dc
Author: Matthieu Patou <[email protected]>
Date: Mon Jun 7 23:47:43 2010 +0400
s4 upgradeprovision: Reformat attributes lists and reformat parser
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 60400a7803d765fd53100fe088f1237e67887fe3
Author: Matthieu Patou <[email protected]>
Date: Fri Apr 9 02:55:38 2010 +0400
s4 upgradeprovision: Inform about new dns dynamic update if the provision
didn't have it
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 26ccc3f4400165448f9a53efdec224d11f290783
Author: Matthieu Patou <[email protected]>
Date: Tue Jun 8 00:21:48 2010 +0400
s4 upgradeprovision: fix style
add_deletedobj_containers
add missing objects
clean add-mising
handle special add + dump denied
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 0ff46ec557009ec2dff0650dd39d6314e9df3a4e
Author: Matthieu Patou <[email protected]>
Date: Sun May 2 19:56:03 2010 +0400
s4 upgrade provision: Refactor code to do all the modification within 1
transaction
Signed-off-by: Jelmer Vernooij <[email protected]>
commit ec90b1b40e1f610dfc1e2aa3ba91c0b27dde4f60
Author: Matthieu Patou <[email protected]>
Date: Tue Jun 8 00:21:00 2010 +0400
s4 upgrade provision: Fix style in gen_dn_index
Signed-off-by: Jelmer Vernooij <[email protected]>
commit 50072e27fec0d3528e111ec566204f4e39e24ea5
Author: Matthieu Patou <[email protected]>
Date: Sun May 2 19:56:31 2010 +0400
s4 Add functions related to ldb manipulation when doing upgrade
Signed-off-by: Jelmer Vernooij <[email protected]>
commit e2df3c251060d634c8538dd7e771819ccf196130
Author: Matthieu Patou <[email protected]>
Date: Thu Apr 22 12:53:12 2010 +0400
s4 provision: Add information about provisioned usn range in sam.ldb
Signed-off-by: Jelmer Vernooij <[email protected]>
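The provision USN-range bookkeeping that these messages refer to (e2df3c2 records the range written by provision, b624440 declines to copy it for pre-alpha9 provisions), as an added Python example that is not Samba's code. The "min-max" string format, the place it would be stored in sam.ldb, and the sample DNs with their uSNChanged values are all constructed for the example; the point is the decision an upgrade tool makes from them: an object whose uSNChanged falls inside a recorded range was last written by provision or upgradeprovision and may be updated automatically, anything else was touched by an administrator and is only reported.

```python
"""Deciding which objects an upgrade may rewrite from recorded USN ranges.

Added example for this notification, not Samba code. The range format and
the sample objects are assumptions made for the example.
"""


def parse_usn_ranges(values):
    """Turn ["1-1200", "1501-1650"] into a sorted list of (low, high).

    Malformed or inverted entries raise ValueError instead of being
    skipped: a bad range could make an admin-edited object look tool-owned
    and get overwritten.
    """
    ranges = []
    for value in values:
        low, sep, high = value.partition("-")
        if not sep:
            raise ValueError("bad USN range %r" % value)
        low, high = int(low), int(high)
        if low < 0 or high < low:
            raise ValueError("inverted USN range %r" % value)
        ranges.append((low, high))
    return sorted(ranges)


def usn_in_ranges(usn, ranges):
    """True when usn lies inside one of the recorded (low, high) intervals."""
    return any(low <= usn <= high for low, high in ranges)


def classify_objects(objects, ranges):
    """Split (dn, uSNChanged) pairs into auto-updatable and admin-modified.

    Returns (auto_update, admin_modified) lists of DNs, in input order.
    """
    auto, manual = [], []
    for dn, usn in objects:
        (auto if usn_in_ranges(usn, ranges) else manual).append(dn)
    return auto, manual


def add_provision_range(existing, low, high):
    """Record the interval written by the run that just committed.

    Coalesces with an adjacent or overlapping interval so the stored list
    does not grow by one entry per upgrade.
    """
    merged = []
    for rng in sorted(existing + [(low, high)]):
        if merged and rng[0] <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], rng[1]))
        else:
            merged.append(rng)
    return merged


# Constructed sample: two recorded runs and three objects. Domain Admins
# has a uSNChanged between the runs, so an administrator edited it.
SAMPLE_RANGES = ["1-1200", "1501-1650"]
SAMPLE_OBJECTS = [
    ("CN=Administrator,CN=Users,DC=example,DC=com", 1640),
    ("CN=Domain Admins,CN=Users,DC=example,DC=com", 1300),
    ("CN=Schema,CN=Configuration,DC=example,DC=com", 40),
]

if __name__ == "__main__":
    ranges = parse_usn_ranges(SAMPLE_RANGES)
    auto, manual = classify_objects(SAMPLE_OBJECTS, ranges)
    print("may update: %r" % auto)
    print("report only: %r" % manual)
```

The same check is what makes "do not copy the usn range" for old provisions the safe choice: without a trustworthy range, every object must be treated as admin-modified and only reported.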
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/operational.c | 49 +-
source4/lib/ldb/common/ldb_controls.c | 27 +
source4/lib/ldb/include/ldb.h | 9 +
source4/lib/ldb/tests/test-controls.sh | 1 +
source4/scripting/bin/upgradeprovision | 1714 +++++++++++++-------
source4/scripting/python/samba/provision.py | 98 ++
source4/scripting/python/samba/tests/provision.py | 13 +
.../python/samba/tests/upgradeprovision.py | 137 ++
.../python/samba/tests/upgradeprovisionneeddc.py | 144 ++
source4/scripting/python/samba/upgradehelpers.py | 653 +++++++-
source4/selftest/tests.sh | 2 +
source4/setup/schema_samba4.ldif | 1 +
12 files changed, 2211 insertions(+), 637 deletions(-)
create mode 100644 source4/scripting/python/samba/tests/upgradeprovision.py
create mode 100644 source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c
b/source4/dsdb/samdb/ldb_modules/operational.c
index e967f8a..e5aa516 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -478,6 +478,18 @@ static int construct_msds_keyversionnumber(struct
ldb_module *module,
}
+struct op_controls_flags {
+ bool sd;
+ bool bypassoperational;
+};
+
+static bool check_keep_control_for_attribute(struct op_controls_flags*
controls_flags, const char* attr) {
+ if (ldb_attr_cmp(attr, "msDS-KeyVersionNumber") == 0 &&
controls_flags->bypassoperational) {
+ return true;
+ }
+ return false;
+}
+
/*
a list of attribute names that should be substituted in the parse
tree before the search is done
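Review bot: check_keep_control_for_attribute hard-codes msDS-KeyVersionNumber, so the attribute's OPERATIONAL_REMOVE_UNLESS_CONTROL entry in the operational_remove table below has no visible link to the control that unlocks it; either say in a comment above the struct which attributes the control bypasses, or add a flag column to the table so a future entry cannot get the enum value without the matching keep logic. Style: Samba puts the star next to the name (`struct op_controls_flags *controls_flags`) and a function's opening brace on its own line.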
@@ -517,7 +529,8 @@ static const struct {
enum op_remove {
OPERATIONAL_REMOVE_ALWAYS, /* remove always */
OPERATIONAL_REMOVE_UNASKED,/* remove if not requested */
- OPERATIONAL_SD_FLAGS /* show if SD_FLAGS_OID set, or asked for */
+ OPERATIONAL_SD_FLAGS, /* show if SD_FLAGS_OID set, or asked for */
+ OPERATIONAL_REMOVE_UNLESS_CONTROL /* remove always unless an
adhoc control has been specified */
};
/*
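Review bot: the enum comment is the only explanation of OPERATIONAL_REMOVE_UNLESS_CONTROL and "an adhoc control" does not say which one; name LDB_CONTROL_BYPASSOPERATIONAL_OID here so a reader of the table knows what makes the attribute visible.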
@@ -531,7 +544,7 @@ static const struct {
enum op_remove op;
} operational_remove[] = {
{ "nTSecurityDescriptor", OPERATIONAL_SD_FLAGS },
- { "msDS-KeyVersionNumber", OPERATIONAL_REMOVE_ALWAYS },
+ { "msDS-KeyVersionNumber", OPERATIONAL_REMOVE_UNLESS_CONTROL },
{ "parentGUID", OPERATIONAL_REMOVE_ALWAYS },
{ "replPropertyMetaData", OPERATIONAL_REMOVE_UNASKED },
{ "unicodePwd", OPERATIONAL_REMOVE_UNASKED },
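Review bot: moving msDS-KeyVersionNumber from REMOVE_ALWAYS to REMOVE_UNLESS_CONTROL means the raw stored value, which the module otherwise replaces with a computed one, is returned to any caller that can attach the control; please state in the commit message or a comment whether the control is honoured for remote LDAP clients or only through the local ldb API that upgradeprovision uses, since the answer decides whether this needs an access check.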
@@ -553,7 +566,7 @@ static int operational_search_post_process(struct
ldb_module *module,
enum ldb_scope scope,
const char * const *attrs_from_user,
const char * const
*attrs_searched_for,
- bool sd_flags_set)
+ struct op_controls_flags*
controls_flags)
{
struct ldb_context *ldb;
unsigned int i, a = 0;
@@ -574,8 +587,15 @@ static int operational_search_post_process(struct
ldb_module *module,
case OPERATIONAL_REMOVE_ALWAYS:
ldb_msg_remove_attr(msg, operational_remove[i].attr);
break;
+ case OPERATIONAL_REMOVE_UNLESS_CONTROL:
+ if (!check_keep_control_for_attribute(controls_flags,
operational_remove[i].attr)) {
+ ldb_msg_remove_attr(msg,
operational_remove[i].attr);
+ break;
+ } else {
+ continue;
+ }
case OPERATIONAL_SD_FLAGS:
- if (sd_flags_set ||
+ if (controls_flags->sd ||
ldb_attr_in_list(attrs_from_user,
operational_remove[i].attr)) {
continue;
}
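Review bot: the OPERATIONAL_REMOVE_UNLESS_CONTROL case depends on the `continue` in its else branch to avoid falling through into OPERATIONAL_SD_FLAGS, which the next edit can easily break; if nothing follows the switch in this loop (as the bare `break` in the REMOVE_ALWAYS case suggests), the same behaviour reads more plainly as `if (!check_keep_control_for_attribute(controls_flags, operational_remove[i].attr)) { ldb_msg_remove_attr(msg, operational_remove[i].attr); }` followed by an unconditional `break;`, with no else.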
@@ -585,6 +605,9 @@ static int operational_search_post_process(struct
ldb_module *module,
}
for (a=0;attrs_from_user && attrs_from_user[a];a++) {
+ if (check_keep_control_for_attribute(controls_flags,
attrs_from_user[a])) {
+ continue;
+ }
for (i=0;i<ARRAY_SIZE(search_sub);i++) {
if (ldb_attr_cmp(attrs_from_user[a],
search_sub[i].attr) != 0) {
continue;
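Review bot: this skip mirrors the one added to the ac->attrs loop in operational_search, and both loops exist to map hidden attribute names through search_sub; a one-line comment saying why a bypassed attribute must not be aliased (it is to be fetched from the backend under its own name rather than replaced by its search_sub substitute) would save the next reader from working that out twice.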
@@ -633,7 +656,6 @@ failed:
return -1;
}
-
/*
hook search operations
*/
@@ -643,7 +665,7 @@ struct operational_context {
struct ldb_request *req;
enum ldb_scope scope;
const char * const *attrs;
- bool sd_flags_set;
+ struct op_controls_flags* controls_flags;
};
static int operational_callback(struct ldb_request *req, struct ldb_reply
*ares)
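Review bot: controls_flags could be a member held by value in operational_context (`struct op_controls_flags controls_flags;`) rather than a separately talloc'ed pointer; the context is already freed as a unit, and it removes the allocation, and the NULL check it needs, from operational_search.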
@@ -671,7 +693,7 @@ static int operational_callback(struct ldb_request *req,
struct ldb_reply *ares)
ac->scope,
ac->attrs,
req->op.search.attrs,
- ac->sd_flags_set);
+ ac->controls_flags);
if (ret != 0) {
return ldb_module_done(ac->req, NULL, NULL,
LDB_ERR_OPERATIONS_ERROR);
@@ -728,10 +750,20 @@ static int operational_search(struct ldb_module *module,
struct ldb_request *req
parse_tree_sub[i].replace);
}
+ ac->controls_flags = talloc(ac, struct op_controls_flags);
+ /* remember if the SD_FLAGS_OID was set */
+ ac->controls_flags->sd = (ldb_request_get_control(req,
LDB_CONTROL_SD_FLAGS_OID) != NULL);
+ /* remember if the LDB_CONTROL_BYPASSOPERATIONAL_OID */
+ ac->controls_flags->bypassoperational = (ldb_request_get_control(req,
+
LDB_CONTROL_BYPASSOPERATIONAL_OID) != NULL);
+
/* in the list of attributes we are looking for, rename any
attributes to the alias for any hidden attributes that can
be fetched directly using non-hidden names */
for (a=0;ac->attrs && ac->attrs[a];a++) {
+ if (check_keep_control_for_attribute(ac->controls_flags,
ac->attrs[a])) {
+ continue;
+ }
for (i=0;i<ARRAY_SIZE(search_sub);i++) {
if (ldb_attr_cmp(ac->attrs[a], search_sub[i].attr) == 0
&&
search_sub[i].replace) {
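Review bot: the talloc() result is dereferenced on the next line without a NULL check, and this module sits on the path of every search, so an allocation failure here becomes a NULL dereference; add `if (ac->controls_flags == NULL) { return ldb_oom(ldb); }` (ldb is in scope in operational_search), or embed the struct in operational_context. The comment `/* remember if the LDB_CONTROL_BYPASSOPERATIONAL_OID */` is missing its verb ("was set").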
@@ -763,9 +795,6 @@ static int operational_search(struct ldb_module *module,
struct ldb_request *req
}
}
- /* remember if the SD_FLAGS_OID was set */
- ac->sd_flags_set = (ldb_request_get_control(req,
LDB_CONTROL_SD_FLAGS_OID) != NULL);
-
ret = ldb_build_search_req_ex(&down_req, ldb, ac,
req->op.search.base,
req->op.search.scope,
diff --git a/source4/lib/ldb/common/ldb_controls.c
b/source4/lib/ldb/common/ldb_controls.c
index 010ed2d..aff03a0 100644
--- a/source4/lib/ldb/common/ldb_controls.c
+++ b/source4/lib/ldb/common/ldb_controls.c
@@ -486,6 +486,33 @@ struct ldb_control **ldb_parse_control_strings(struct
ldb_context *ldb, void *me
continue;
}
+ if (strncmp(control_strings[i], "bypassoperational:", 18) == 0)
{
+ const char *p;
+ int crit, ret;
+
+ p = &(control_strings[i][18]);
+ ret = sscanf(p, "%d", &crit);
+ if ((ret != 1) || (crit < 0) || (crit > 1)) {
+ error_string = talloc_asprintf(mem_ctx,
"invalid bypassopreational control syntax\n");
+ error_string =
talloc_asprintf_append(error_string, " syntax: crit(b)\n");
+ error_string =
talloc_asprintf_append(error_string, " note: b = boolean");
+ ldb_set_errstring(ldb, error_string);
+ talloc_free(error_string);
+ return NULL;
+ }
+
+ ctrl[i] = talloc(ctrl, struct ldb_control);
+ if (!ctrl[i]) {
+ ldb_oom(ldb);
+ return NULL;
+ }
+ ctrl[i]->oid = LDB_CONTROL_BYPASSOPERATIONAL_OID;
+ ctrl[i]->critical = crit;
+ ctrl[i]->data = NULL;
+
+ continue;
+ }
+
if (strncmp(control_strings[i], "relax:", 6) == 0) {
const char *p;
int crit, ret;
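Review bot: the error message spells the control "bypassopreational", so a user who mistypes the syntax is told to use a name that does not exist; fix it to "bypassoperational". The `sscanf("%d")` check accepts trailing characters (`bypassoperational:1zz` parses as crit=1), which matches the relax: block that follows so it is at least consistent, but the talloc_asprintf_append results are unchecked and a NULL from the second call would reach ldb_set_errstring.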
diff --git a/source4/lib/ldb/include/ldb.h b/source4/lib/ldb/include/ldb.h
index 2eb395c..9958325 100644
--- a/source4/lib/ldb/include/ldb.h
+++ b/source4/lib/ldb/include/ldb.h
@@ -463,6 +463,15 @@ typedef int (*ldb_qsort_cmp_fn_t) (void *v1, void *v2,
void *opaque);
\sa <a
href="http://opends.dev.java.net/public/standards/draft-zeilenga-ldap-managedit.txt">draft
managedit</a>.
*/
#define LDB_CONTROL_RELAX_OID "1.3.6.1.4.1.4203.666.5.12"
+
+/**
+ OID for getting and manipulating attributes from the ldb
+ without interception in the operational module.
+ It can be used to access attribute that used to be stored in the sam
+ and that are now calculated.
+*/
+#define LDB_CONTROL_BYPASSOPERATIONAL_OID "1.3.6.1.4.1.7165.4.3.13"
+
/**
OID for recalculate SD control. This control force the
dsdb code to recalculate the SD of the object as if the
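Review bot: the comment does not say which attribute the control affects or who it is for; say that it makes the operational module return the stored msDS-KeyVersionNumber instead of the computed one and that it exists for upgradeprovision, so nobody reaches for it in an ordinary client. "access attribute that used to be stored" should read "access attributes that used to be stored". Also confirm that 1.3.6.1.4.1.7165.4.3.13 is the next unused value in the Samba private control arc and is not already assigned in the dsdb headers.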
diff --git a/source4/lib/ldb/tests/test-controls.sh
b/source4/lib/ldb/tests/test-controls.sh
index db139bb..c78acbf 100755
--- a/source4/lib/ldb/tests/test-controls.sh
+++ b/source4/lib/ldb/tests/test-controls.sh
@@ -42,5 +42,6 @@ replace someThing
someThing: someThingElseBetter
EOF
+$VALGRIND ldbsearch --controls "bypassoperational:0" >/dev/null 2>&1 || exit 1
set
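Review bot: the test only proves that `bypassoperational:0` parses; add the rejection cases the parser in ldb_controls.c claims to enforce, e.g. `$VALGRIND ldbsearch --controls "bypassoperational:2" >/dev/null 2>&1 && exit 1` and a bare `bypassoperational:` with no boolean, so a regression in the crit check is caught here rather than in the field.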
diff --git a/source4/scripting/bin/upgradeprovision
b/source4/scripting/bin/upgradeprovision
index b7582d0..a478856 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -1,7 +1,7 @@
#!/usr/bin/env python
# vim: expandtab
#
-# Copyright (C) Matthieu Patou <[email protected]> 2009
+# Copyright (C) Matthieu Patou <[email protected]> 2009 - 2010
#
# Based on provision a Samba4 server by
# Copyright (C) Jelmer Vernooij <[email protected]> 2007-2008
@@ -28,6 +28,8 @@ import os
import shutil
import sys
import tempfile
+import re
+import traceback
# Allow to run from s4 source directory (without installing samba)
sys.path.insert(0, "bin/python")
@@ -35,33 +37,37 @@ import samba
import samba.getopt as options
from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session, admin_session
-from samba import Ldb, version
-from ldb import (SCOPE_SUBTREE, SCOPE_BASE, FLAG_MOD_REPLACE,
- FLAG_MOD_ADD, FLAG_MOD_DELETE, MessageElement, Message, Dn)
+from ldb import (SCOPE_SUBTREE, SCOPE_BASE,
+ FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE,
+ MessageElement, Message, Dn)
from samba import param
from samba.misc import messageEltFlagToString
from samba.provision import (find_setup_dir, get_domain_descriptor,
- get_config_descriptor, secretsdb_self_join, set_gpo_acl,
- getpolicypath, create_gpo_struct, ProvisioningError)
+ get_config_descriptor, secretsdb_self_join,
+ ProvisioningError, getLastProvisionUSN,
+ get_max_usn, updateProvisionUSN)
from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
-from samba.dcerpc import security
+from samba.dcerpc import security, drsblobs
from samba.ndr import ndr_unpack
from samba.dcerpc.misc import SEC_CHAN_BDC
-from samba.upgradehelpers import dn_sort, get_paths, newprovision,
find_provision_key_parameters
-
+from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
+ find_provision_key_parameters, get_ldbs,
+ usn_in_range, identic_rename, get_diff_sddls,
+ update_secrets, CHANGE, ERROR, SIMPLE,
+ CHANGEALL, GUESS, CHANGESD, PROVISION,
+ updateOEMInfo, getOEMInfo, update_gpo,
+ delta_update_basesamdb, update_policyids)
+
+replace=2**FLAG_MOD_REPLACE
+add=2**FLAG_MOD_ADD
+delete=2**FLAG_MOD_DELETE
never=0
-replace=2^FLAG_MOD_REPLACE
-add=2^FLAG_MOD_ADD
-delete=2^FLAG_MOD_DELETE
+
+
+# Will be modified during provision to tell if default sd has been modified
+# somehow ...
#Errors are always logged
-ERROR = -1
-SIMPLE = 0x00
-CHANGE = 0x01
-CHANGESD = 0x02
-GUESS = 0x04
-PROVISION = 0x08
-CHANGEALL = 0xff
__docformat__ = "restructuredText"
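Review bot: good catch on `2^FLAG_MOD_*`: in Python `^` is XOR, so the old replace/add/delete values were not distinct bits (2^2 is 0, which collides with `never`), and the `replace+add` sums used in hashOverwrittenAtt would have been meaningless; `2**FLAG_MOD_*` gives distinct bits. Two comments are left orphaned by the move of the log-level constants to upgradehelpers: `# Will be modified during provision to tell if default sd has been modified somehow ...` no longer describes any variable, and `#Errors are always logged` belonged to the removed ERROR constant; delete both or move them with the constants.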
@@ -70,24 +76,38 @@ __docformat__ = "restructuredText"
# This is most probably because they are populated automatcally when object is
# created
# This also apply to imported object from reference provision
-hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1,
"objectGUID": 1, "replPropertyMetaData": 1, "uSNChanged": 1,
- "uSNCreated": 1, "parentGUID": 1, "objectCategory": 1,
"distinguishedName": 1,
- "showInAdvancedViewOnly": 1, "instanceType": 1, "cn":
1, "msDS-Behavior-Version":1, "nextRid":1,
- "nTMixedDomain": 1, "versionNumber":1,
"lmPwdHistory":1, "pwdLastSet": 1, "ntPwdHistory":1, "unicodePwd":1,
- "dBCSPwd":1, "supplementalCredentials":1,
"gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,
- "maxPwdAge":1, "mail":1, "secret":1,
"possibleInferiors":1, "sAMAccountType":1}
+hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1,
+ "objectGUID": 1, "uSNCreated": 1,
+ "replPropertyMetaData": 1, "uSNChanged": 1,
+ "parentGUID": 1, "objectCategory": 1,
+ "distinguishedName": 1, "nTMixedDomain": 1,
+ "showInAdvancedViewOnly": 1, "instanceType": 1,
+ "msDS-Behavior-Version":1, "nextRid":1, "cn": 1,
+ "versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1,
+ "ntPwdHistory":1, "unicodePwd":1,"dBCSPwd":1,
+ "supplementalCredentials":1, "gPCUserExtensionNames":1,
+ "gPCMachineExtensionNames":1,"maxPwdAge":1, "secret":1,
+ "possibleInferiors":1, "privilege":1,
+ "sAMAccountType":1 }
# Usually for an object that already exists we do not overwrite attributes as
# they might have been changed for good reasons. Anyway for a few of them it's
# mandatory to replace them otherwise the provision will be broken somehow.
-hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace,
"systemOnly":replace, "searchFlags":replace,
- "mayContain":replace, "systemFlags":replace,
"description":replace,
- "oEMInformation":never,
"operatingSystemVersion":replace, "adminPropertyPages":replace,
- "defaultSecurityDescriptor": replace,
"wellKnownObjects":replace, "privilege":delete, "groupType":replace,
- "rIDAvailablePool": never}
+# But for attribute that are just missing we do not have to specify them as
the default
+# behavior is to add missing attribute
+hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace,
+ "systemOnly":replace, "searchFlags":replace,
+ "mayContain":replace, "systemFlags":replace+add,
+ "description":replace,
"operatingSystemVersion":replace,
+ "adminPropertyPages":replace, "groupType":replace,
+ "wellKnownObjects":replace, "privilege":never,
+ "defaultSecurityDescriptor": replace,
+ "rIDAvailablePool": never,
+ "defaultSecurityDescriptor": replace + add }
backlinked = []
+forwardlinked = {}
dn_syntax_att = []
def define_what_to_log(opts):
what = 0
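Review bot: hashOverwrittenAtt lists "defaultSecurityDescriptor" twice, first as `replace` and at the end as `replace + add`; Python keeps the last value silently, so the first entry is dead and the intent is only visible to someone who reads to the end. Drop the first. The new comment says missing attributes are added by default, which makes the `+ add` on systemFlags and defaultSecurityDescriptor look redundant; if those two genuinely need it, say why. Also "mail" was dropped from hashAttrNotCopied, so mail values from the reference provision can now be copied onto existing objects; confirm that is intended.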
@@ -111,13 +131,20 @@ parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("--setupdir", type="string", metavar="DIR",
- help="directory with setup files")
+ help="directory with setup files")
parser.add_option("--debugprovision", help="Debug provision",
action="store_true")
-parser.add_option("--debugguess", help="Print information on what is different
but won't be changed", action="store_true")
-parser.add_option("--debugchange", help="Print information on what is
different but won't be changed", action="store_true")
-parser.add_option("--debugchangesd", help="Print information security
descriptors differences", action="store_true")
-parser.add_option("--debugall", help="Print all available information (very
verbose)", action="store_true")
-parser.add_option("--full", help="Perform full upgrade of the samdb (schema,
configuration, new objects, ...", action="store_true")
+parser.add_option("--debugguess", action="store_true",
+ help="Print information on what is different but won't be
changed")
+parser.add_option("--debugchange", action="store_true",
+ help="Print information on what is different but won't be
changed")
+parser.add_option("--debugchangesd", action="store_true",
+ help="Print information security descriptors differences")
+parser.add_option("--debugall", action="store_true",
+ help="Print all available information (very verbose)")
+parser.add_option("--resetfileacl", action="store_true",
+ help="Force a reset on filesystem acls in sysvol / netlogon
share")
+parser.add_option("--full", action="store_true",
+ help="Perform full upgrade of the samdb (schema,
configuration, new objects, ...")
opts = parser.parse_args()[0]
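Review bot: --debugguess and --debugchange carry the same help text ("Print information on what is different but won't be changed"), so a user cannot tell them apart; going by the GUESS and CHANGE levels they select, --debugchange should describe what will be changed. For --resetfileacl, since it resets the ACLs on the sysvol and netlogon shares, the help should say that existing ACLs there are replaced, so nobody runs it by accident on a share with hand-tuned permissions.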
@@ -149,65 +176,84 @@ setup_dir = opts.setupdir
if setup_dir is None:
setup_dir = find_setup_dir()
-session = system_session()
-def identic_rename(ldbobj,dn):
- """Perform a back and forth rename to trigger renaming on attribute that
can't be directly modified.
- :param lbdobj: An Ldb Object
- :param dn: DN of the object to manipulate """
- (before,sep,after)=str(dn).partition('=')
- ldbobj.rename(dn,Dn(ldbobj,"%s=foo%s"%(before,after)))
- ldbobj.rename(Dn(ldbobj,"%s=foo%s"%(before,after)),dn)
+def check_for_DNS(refprivate, private):
+ """Check if the provision has already the requirement for dynamic dns
+
+ :param refprivate: The path to the private directory of the reference
+ provision
+ :param private: The path to the private directory of the upgraded
+ provision"""
+
+ spnfile = "%s/spn_update_list" % private
+ namedfile = lp.get("dnsupdate:path")
+
+ if not namedfile:
+ namedfile = "%s/named.conf.update" % private
+
+ if not os.path.exists(spnfile):
+ shutil.copy("%s/spn_update_list" % refprivate, "%s" % spnfile)
+ destdir = "%s/new_dns" % private
+ dnsdir = "%s/dns" % private
-def populate_backlink(newpaths,creds,session,schemadn):
+ if not os.path.exists(namedfile):
+ if not os.path.exists(destdir):
+ os.mkdir(destdir)
+ if not os.path.exists(dnsdir):
+ os.mkdir(dnsdir)
+ shutil.copy("%s/named.conf" % refprivate, "%s/named.conf" % destdir)
+ shutil.copy("%s/named.txt" % refprivate, "%s/named.txt" % destdir)
+ message(SIMPLE, "It seems that you provision didn't integrate new
rules "
+ "for dynamic dns update of domain related entries")
+ message(SIMPLE, "A copy of the new bind configuration files and "
+ "template as been put in %s, you should read them and
configure dynamic "
+ " dns update" % destdir)
+
+
+def populate_links(samdb, schemadn):
"""Populate an array with all the back linked attributes
This attributes that are modified automaticaly when
front attibutes are changed
- :param newpaths: a list of paths for different provision objects
- :param creds: credential for the authentification
- :param session: session for connexion
+ :param samdb: A LDB object for sam.ldb file
:param schemadn: DN of the schema for the partition"""
- newsam_ldb = Ldb(newpaths.samdb, session_info=session,
credentials=creds,lp=lp)
- linkedAttHash =
get_linked_attributes(Dn(newsam_ldb,str(schemadn)),newsam_ldb)
+ linkedAttHash = get_linked_attributes(Dn(samdb, str(schemadn)), samdb)
backlinked.extend(linkedAttHash.values())
+ for t in linkedAttHash.keys():
+ forwardlinked[t] = 1
-def populate_dnsyntax(newpaths,creds,session,schemadn):
- """Populate an array with all the attributes that have DN synthax (oid
2.5.5.1)
+def populate_dnsyntax(samdb, schemadn):
+ """Populate an array with all the attributes that have DN synthax
+ (oid 2.5.5.1)
- :param newpaths: a list of paths for different provision objects
- :param creds: credential for the authentification
- :param session: session for connexion
+ :param samdb: A LDB object for sam.ldb file
:param schemadn: DN of the schema for the partition"""
- newsam_ldb = Ldb(newpaths.samdb, session_info=session,
credentials=creds,lp=lp)
- res =
newsam_ldb.search(expression="(attributeSyntax=2.5.5.1)",base=Dn(newsam_ldb,str(schemadn)),
- scope=SCOPE_SUBTREE, attrs=["lDAPDisplayName"])
+ res = samdb.search(expression="(attributeSyntax=2.5.5.1)", base=Dn(samdb,
+ str(schemadn)), scope=SCOPE_SUBTREE,
+ attrs=["lDAPDisplayName"])
for elem in res:
dn_syntax_att.append(elem["lDAPDisplayName"])
-def sanitychecks(credentials,session_info,names,paths):
- """Populate an array with all the attributes that have DN synthax (oid
2.5.5.1)
+def sanitychecks(samdb, names):
+ """Make some checks before trying to update
- :param creds: credential for the authentification
- :param session_info: session for connexion
+ :param samdb: An LDB object opened on sam.ldb
:param names: list of key provision parameters
- :param paths: list of path to provision object
:return: Status of check (1 for Ok, 0 for not Ok) """
- sam_ldb = Ldb(paths.samdb, session_info=session,
credentials=creds,lp=lp,options=["modules:samba_dsdb"])
-
- sam_ldb.set_session_info(session)
- res = sam_ldb.search(expression="objectClass=ntdsdsa",
base=str(names.configdn),
- scope=SCOPE_SUBTREE, attrs=["dn"],
controls=["search_options:1:2"])
+ res = samdb.search(expression="objectClass=ntdsdsa",
base=str(names.configdn),
+ scope=SCOPE_SUBTREE, attrs=["dn"],
+ controls=["search_options:1:2"])
if len(res) == 0:
print "No DC found, your provision is most probably hardly broken !"
return False
elif len(res) != 1:
- print "Found %d domain controllers, for the moment upgradeprovision is
not able to handle upgrade on \
-domain with more than one DC, please demote the other(s) DC(s) before
upgrading"%len(res)
+ print "Found %d domain controllers, for the moment upgradeprovision" \
+ "is not able to handle upgrade on domain with more than one DC,
please demote" \
+ " the other(s) DC(s) before upgrading" % len(res)
return False
else:
return True
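Review bot: in sanitychecks the continued string literal loses a space: `"... for the moment upgradeprovision" \` followed by `"is not able to handle ..."` prints "upgradeprovisionis not able"; put the space at the end of the first fragment. In check_for_DNS, `lp` and `message` are module globals used without being passed in, which blocks moving this helper to upgradehelpers for unit tests like the others; the user-facing text has typos ("you provision" should be "your provision", "as been put" should be "has been put"); and `"%s" % spnfile` is just `spnfile`. The populate_dnsyntax docstring still reads "synthax".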
@@ -217,85 +263,95 @@ def print_provision_key_parameters(names):
"""Do a a pretty print of provision parameters
:param names: list of key provision parameters """
- message(GUESS, "rootdn :"+str(names.rootdn))
- message(GUESS, "configdn :"+str(names.configdn))
- message(GUESS, "schemadn :"+str(names.schemadn))
- message(GUESS, "serverdn :"+str(names.serverdn))
- message(GUESS, "netbiosname :"+names.netbiosname)
- message(GUESS, "defaultsite :"+names.sitename)
- message(GUESS, "dnsdomain :"+names.dnsdomain)
- message(GUESS, "hostname :"+names.hostname)
- message(GUESS, "domain :"+names.domain)
- message(GUESS, "realm :"+names.realm)
- message(GUESS, "invocationid:"+names.invocation)
- message(GUESS, "policyguid :"+names.policyid)
- message(GUESS, "policyguiddc:"+str(names.policyid_dc))
- message(GUESS, "domainsid :"+str(names.domainsid))
- message(GUESS, "domainguid :"+names.domainguid)
- message(GUESS, "ntdsguid :"+names.ntdsguid)
- message(GUESS, "domainlevel :"+str(names.domainlevel))
-
--
Samba Shared Repository