The branch, master has been updated via a353b49 s4-dsdb: bypass validation when relax set via 6d1fe05 samba-tool: allow for running dbcheck against a remove ldap server via ff8cdee samba-tool: expanded dbcheck DN checking via c42aeb7 s4-dsdb: prioritise GUID in extended_dn_in via d9ee7ae s4-dsdb: catch duplicate matches in extended_dn_in from 21af0af s3: Added missing includes to .clang_complete.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit a353b49047a54461a1b4fd3c5f232adcea5fbeaf Author: Andrew Tridgell <tri...@samba.org> Date: Wed Jun 22 18:14:14 2011 +1000 s4-dsdb: bypass validation when relax set this allows dbcheck to fix bad attributes Autobuild-User: Andrew Tridgell <tri...@samba.org> Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104 commit 6d1fe054dd93b8d282fcf515fc62f5d5ab72e6a8 Author: Andrew Tridgell <tri...@samba.org> Date: Wed Jun 22 17:38:19 2011 +1000 samba-tool: allow for running dbcheck against a remove ldap server this is useful for running it against a Windows server commit ff8cdeecfc28be396dcbdc4af6b7e60ab9de45f1 Author: Andrew Tridgell <tri...@samba.org> Date: Wed Jun 22 17:08:28 2011 +1000 samba-tool: expanded dbcheck DN checking this now checks for bad GUID elements in DN links, and offers to fix them when possible Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> commit c42aeb7872c89983ea274d72b7ef8d9c7a59bc08 Author: Andrew Tridgell <tri...@samba.org> Date: Wed Jun 22 17:07:39 2011 +1000 s4-dsdb: prioritise GUID in extended_dn_in if we search with a base DN that has both a GUID and a SID, then use the GUID first. This matters for the S-1-5-17 SID. Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> commit d9ee7aebcb26c6115e0caeacb90f3f916a5af600 Author: Andrew Tridgell <tri...@samba.org> Date: Wed Jun 22 17:05:08 2011 +1000 s4-dsdb: catch duplicate matches in extended_dn_in When searching using extended DNs, if there are multiple matches then return an object not found error. This is needed for the case of a duplicate objectSid, which happens for S-1-5-17 Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 31 +++- source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 3 +- source4/scripting/python/samba/netcmd/dbcheck.py | 144 ++++++++++++++++---- 3 files changed, 143 insertions(+), 35 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c index 3e2004d..9a70d9a 100644 --- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c @@ -103,6 +103,18 @@ static int extended_base_callback(struct ldb_request *req, struct ldb_reply *are switch (ares->type) { case LDB_REPLY_ENTRY: + if (ac->basedn) { + /* we have more than one match! This can + happen as S-1-5-17 appears twice in a + normal provision. We need to return + NO_SUCH_OBJECT */ + const char *str = talloc_asprintf(req, "Duplicate base-DN matches found for '%s'", + ldb_dn_get_extended_linearized(req, ac->req->op.search.base, 1)); + ldb_set_errstring(ldb_module_get_ctx(ac->module), str); + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_NO_SUCH_OBJECT); + } + if (!ac->wellknown_object) { ac->basedn = talloc_steal(ac, ares->message->dn); break; @@ -303,30 +315,33 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req guid_val = ldb_dn_get_extended_component(dn, "GUID"); wkguid_val = ldb_dn_get_extended_component(dn, "WKGUID"); - if (sid_val) { + /* + prioritise the GUID - we have had instances of + duplicate SIDs in the database in the + ForeignSecurityPrinciples due to provision errors + */ + if (guid_val) { all_partitions = true; base_dn = ldb_get_default_basedn(ldb_module_get_ctx(module)); - base_dn_filter = talloc_asprintf(req, "(objectSid=%s)", - ldb_binary_encode(req, *sid_val)); + base_dn_filter = talloc_asprintf(req, "(objectGUID=%s)", + ldb_binary_encode(req, *guid_val)); if (!base_dn_filter) { return ldb_oom(ldb_module_get_ctx(module)); } base_dn_scope = LDB_SCOPE_SUBTREE; base_dn_attrs = no_attr; - } else if (guid_val) { - + } else if (sid_val) { all_partitions = true; base_dn = ldb_get_default_basedn(ldb_module_get_ctx(module)); - base_dn_filter = talloc_asprintf(req, "(objectGUID=%s)", - ldb_binary_encode(req, *guid_val)); + base_dn_filter = talloc_asprintf(req, "(objectSid=%s)", + ldb_binary_encode(req, *sid_val)); if (!base_dn_filter) { return ldb_oom(ldb_module_get_ctx(module)); } base_dn_scope = LDB_SCOPE_SUBTREE; base_dn_attrs = no_attr; - } else if (wkguid_val) { char *wkguid_dup; char *tail_str; diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c index 9df1210..5639a7a 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c @@ -140,7 +140,8 @@ static int attr_handler(struct oc_context *ac) if (!(msg->elements[i].flags & LDB_FLAG_INTERNAL_DISABLE_VALIDATION)) { werr = attr->syntax->validate_ldb(&syntax_ctx, attr, &msg->elements[i]); - if (!W_ERROR_IS_OK(werr)) { + if (!W_ERROR_IS_OK(werr) && + !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) { ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' contains at least one invalid value!", msg->elements[i].name, ldb_dn_get_linearized(msg->dn)); diff --git a/source4/scripting/python/samba/netcmd/dbcheck.py b/source4/scripting/python/samba/netcmd/dbcheck.py index 4c9e0a1..93fe3f6 100644 --- a/source4/scripting/python/samba/netcmd/dbcheck.py +++ b/source4/scripting/python/samba/netcmd/dbcheck.py @@ -21,7 +21,7 @@ import ldb, sys import samba.getopt as options from samba import dsdb -from samba.common import confirm +from samba import common from samba.auth import system_session from samba.samdb import SamDB from samba.dcerpc import misc @@ -74,20 +74,27 @@ class cmd_dbcheck(Command): Option("--fix", dest="fix", default=False, action='store_true', help='Fix any errors found'), Option("--yes", dest="yes", default=False, action='store_true', - help="don't confirm changes, just do them all"), + help="don't confirm changes, just do them all as a single transaction"), Option("--cross-ncs", dest="cross_ncs", default=False, action='store_true', help="cross naming context boundaries"), Option("-v", "--verbose", dest="verbose", action="store_true", default=False, help="Print more details of checking"), + Option("-H", help="LDB URL for database or target server (defaults to local SAM database)", type=str), ] - def run(self, DN=None, verbose=False, fix=False, yes=False, cross_ncs=False, + def run(self, H=None, DN=None, verbose=False, fix=False, yes=False, cross_ncs=False, scope="SUB", credopts=None, sambaopts=None, versionopts=None): self.lp = sambaopts.get_loadparm() self.creds = credopts.get_credentials(self.lp, fallback_machine=True) - self.samdb = SamDB(session_info=system_session(), url=None, + self.samdb = SamDB(session_info=system_session(), url=H, credentials=self.creds, lp=self.lp) + if H is None: + self.local_samdb = self.samdb + else: + self.local_samdb = SamDB(session_info=system_session(), url=None, + credentials=self.creds, lp=self.lp) + self.verbose = verbose self.fix = fix self.yes = yes @@ -99,9 +106,14 @@ class cmd_dbcheck(Command): self.search_scope = scope_map[scope] controls = [] + if H is not None: + controls.append('paged_results:1:1000') if cross_ncs: controls.append("search_options:1:2") + if self.yes and self.fix: + self.samdb.transaction_start() + res = self.samdb.search(base=DN, scope=self.search_scope, attrs=['dn'], controls=controls) print('Checking %u objects' % len(res)) error_count = 0 @@ -110,18 +122,30 @@ class cmd_dbcheck(Command): if error_count != 0 and not self.fix: print("Please use --fix to fix these errors") print('Checked %u objects (%u errors)' % (len(res), error_count)) + + if self.yes and self.fix: + self.samdb.transaction_commit() + if error_count != 0: sys.exit(1) + + ################################################################ + # a local confirm function that obeys the --fix and --yes options + def confirm(self, msg): + '''confirm a change''' + if not self.fix: + return False + return common.confirm(msg, forced=self.yes) + + ################################################################ # handle empty attributes def err_empty_attribute(self, dn, attrname): '''fix empty attributes''' print("ERROR: Empty attribute %s in %s" % (attrname, dn)) - if not self.fix: - return - if not confirm('Remove empty attribute %s from %s?' % (attrname, dn), self.yes): + if not self.confirm('Remove empty attribute %s from %s?' % (attrname, dn)): print("Not fixing empty attribute %s" % attrname) return @@ -145,16 +169,14 @@ class cmd_dbcheck(Command): print("ERROR: Normalisation error for attribute %s in %s" % (attrname, dn)) mod_list = [] for val in values: - normalised = self.samdb.dsdb_normalise_attributes(self.samdb, attrname, [val]) + normalised = self.samdb.dsdb_normalise_attributes(self.local_samdb, attrname, [val]) if len(normalised) != 1: print("Unable to normalise value '%s'" % val) mod_list.append((val, '')) elif (normalised[0] != val): print("value '%s' should be '%s'" % (val, normalised[0])) mod_list.append((val, normalised[0])) - if not self.fix: - return - if not confirm('Fix normalisation for %s from %s?' % (attrname, dn), self.yes): + if not self.confirm('Fix normalisation for %s from %s?' % (attrname, dn)): print("Not fixing attribute %s" % attrname) return @@ -178,19 +200,18 @@ class cmd_dbcheck(Command): ################################################################ # handle a missing GUID extended DN component - def err_missing_dn_GUID(self, dn, attrname, val, dsdb_dn): - print("ERROR: missing GUID component for %s in object %s - %s" % (attrname, dn, val)) + def err_incorrect_dn_GUID(self, dn, attrname, val, dsdb_dn, errstr): + print("ERROR: %s component for %s in object %s - %s" % (errstr, attrname, dn, val)) try: - res = self.samdb.search(base=dsdb_dn.dn, scope=ldb.SCOPE_BASE, attrs=['objectGUID']) - except LdbError, (enum, estr): + res = self.samdb.search(base=dsdb_dn.dn, scope=ldb.SCOPE_BASE, + attrs=[], controls=["extended_dn:1:1"]) + except ldb.LdbError, (enum, estr): print("unable to find object for DN %s - cannot fix (%s)" % (dsdb_dn.dn, estr)) return - guid = res[0]['objectGUID'][0] - guidstr = str(misc.GUID(guid)) - dsdb_dn.dn.set_extended_component("GUID", guid) + dsdb_dn.dn = res[0].dn - if not confirm('Add GUID %s giving DN %s?' % (guidstr, str(dsdb_dn))): - print("Not fixing missing GUID") + if not self.confirm('Change DN to %s?' % str(dsdb_dn)): + print("Not fixing %s" % errstr) return m = ldb.Message() m.dn = dn @@ -201,11 +222,54 @@ class cmd_dbcheck(Command): try: self.samdb.modify(m) except Exception, msg: - print("Failed to fix missing GUID on attribute %s : %s" % (attrname, msg)) + print("Failed to fix %s on attribute %s : %s" % (errstr, attrname, msg)) return - print("Fixed missing GUID on attribute %s" % attrname) + print("Fixed %s on attribute %s" % (errstr, attrname)) + ################################################################ + # handle a DN pointing to a deleted object + def err_deleted_dn(self, dn, attrname, val, dsdb_dn, correct_dn): + print("ERROR: target DN is deleted for %s in object %s - %s" % (attrname, dn, val)) + print("Target GUID points at deleted DN %s" % correct_dn) + if not self.confirm('Remove DN?'): + print("Not removing") + return + m = ldb.Message() + m.dn = dn + m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname) + if self.verbose: + print(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY)) + try: + self.samdb.modify(m) + except Exception, msg: + print("Failed to remove deleted DN attribute %s : %s" % (attrname, msg)) + return + print("Removed deleted DN on attribute %s" % attrname) + + + ################################################################ + # handle a DN string being incorrect + def err_dn_target_mismatch(self, dn, attrname, val, dsdb_dn, correct_dn): + print("ERROR: incorrect DN string component for %s in object %s - %s" % (attrname, dn, val)) + dsdb_dn.dn = correct_dn + + if not self.confirm('Change DN to %s?' % str(dsdb_dn)): + print("Not fixing %s" % errstr) + return + m = ldb.Message() + m.dn = dn + m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname) + m['new_value'] = ldb.MessageElement(str(dsdb_dn), ldb.FLAG_MOD_ADD, attrname) + if self.verbose: + print(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY)) + try: + self.samdb.modify(m) + except Exception, msg: + print("Failed to fix incorrect DN string on attribute %s : %s" % (attrname, msg)) + return + print("Fixed incorrect DN string on attribute %s" % (attrname)) + ################################################################ # specialised checking for a dn attribute @@ -219,9 +283,37 @@ class cmd_dbcheck(Command): guid = dsdb_dn.dn.get_extended_component("GUID") if guid is None: error_count += 1 - self.err_missing_dn_GUID(obj.dn, attrname, val, dsdb_dn) + self.err_incorrect_dn_GUID(obj.dn, attrname, val, dsdb_dn, "missing GUID") + continue - return 0 + guidstr = str(misc.GUID(guid)) + + # check its the right GUID + try: + res = self.samdb.search(base="<GUID=%s>" % guidstr, scope=ldb.SCOPE_BASE, + attrs=['isDeleted'], controls=["extended_dn:1:1", "show_deleted:1"]) + except ldb.LdbError, (enum, estr): + error_count += 1 + self.err_incorrect_dn_GUID(obj.dn, attrname, val, dsdb_dn, "incorrect GUID") + continue + + # the target DN might be deleted + if (dsdb_dn.prefix != "B:32:18E2EA80684F11D2B9AA00C04F79F805:" and + 'isDeleted' in res[0] and + res[0]['isDeleted'][0].upper() == "TRUE"): + # note that we don't check this for the special wellKnownObjects prefix + # for Deleted Objects, as we expect that to be deleted + error_count += 1 + self.err_deleted_dn(obj.dn, attrname, val, dsdb_dn, res[0].dn) + continue + + # check the DN matches in string form + if res[0].dn.extended_str() != dsdb_dn.dn.extended_str(): + error_count += 1 + self.err_dn_target_mismatch(obj.dn, attrname, val, dsdb_dn, res[0].dn) + continue + + return error_count @@ -250,7 +342,7 @@ class cmd_dbcheck(Command): # get the syntax oid for the attribute, so we can can have # special handling for some specific attribute types - syntax_oid = self.samdb.get_syntax_oid_from_lDAPDisplayName(attrname) + syntax_oid = self.local_samdb.get_syntax_oid_from_lDAPDisplayName(attrname) if syntax_oid in [ dsdb.DSDB_SYNTAX_BINARY_DN, dsdb.DSDB_SYNTAX_OR_NAME, dsdb.DSDB_SYNTAX_STRING_DN, ldb.LDB_SYNTAX_DN ]: @@ -259,7 +351,7 @@ class cmd_dbcheck(Command): # check for incorrectly normalised attributes for val in obj[attrname]: - normalised = self.samdb.dsdb_normalise_attributes(self.samdb, attrname, [val]) + normalised = self.samdb.dsdb_normalise_attributes(self.local_samdb, attrname, [val]) if len(normalised) != 1 or normalised[0] != val: self.err_normalise_mismatch(dn, attrname, obj[attrname]) error_count += 1 -- Samba Shared Repository