The branch, master has been updated via 7ca706d dbcheck: Add a check that every FSMO role has a valid owner via 6b2753d s4-samba-tool: Fix samba-tool fsmo seize via a2b7a9e s4-s3upgrade: Do not ever set a domain-wide maxPwdAge of 0 via a5905bf s4-s3upgrade: Ignore (with warning) groups that are listed but we cannot list members for from 916297e Fix samba3.raw.samba3hide test - ensure we set up POSIX capabilities before doing POSIX calls like chmod.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 7ca706de8c9f52ee530dfa4ff9188d2a7403e87d Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 19 14:14:35 2012 +1000 dbcheck: Add a check that every FSMO role has a valid owner Autobuild-User: Andrew Bartlett <abart...@samba.org> Autobuild-Date: Thu Apr 19 07:49:54 CEST 2012 on sn-devel-104 commit 6b2753d71ea9e9a64fa749cfeeaef4f451c6cae4 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 19 13:57:29 2012 +1000 s4-samba-tool: Fix samba-tool fsmo seize This is currently untested, and a restructure broke it. Andrew Bartlett commit a2b7a9e2a23e395a06700dd0968f4916bde56cdf Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 19 10:42:05 2012 +1000 s4-s3upgrade: Do not ever set a domain-wide maxPwdAge of 0 This means no-expiry in s3, and so we must treat it like -1. Andrew Bartlett commit a5905bfb39e297ed6ac453faa5518ba5ff47640a Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 19 09:59:40 2012 +1000 s4-s3upgrade: Ignore (with warning) groups that are listed but we cannot list members for ----------------------------------------------------------------------- Summary of changes: source4/scripting/python/samba/dbchecker.py | 41 +++++++++++ source4/scripting/python/samba/netcmd/fsmo.py | 95 +++++++++++++------------ source4/scripting/python/samba/upgrade.py | 18 ++++- 3 files changed, 106 insertions(+), 48 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/scripting/python/samba/dbchecker.py b/source4/scripting/python/samba/dbchecker.py index 7993b54..587d63c 100644 --- a/source4/scripting/python/samba/dbchecker.py +++ b/source4/scripting/python/samba/dbchecker.py @@ -49,7 +49,12 @@ class dbcheck(object): self.fix_all_missing_backlinks = False self.fix_all_orphaned_backlinks = False self.fix_rmd_flags = False + self.seize_fsmo_role = False self.in_transaction = in_transaction + self.infrastructure_dn = ldb.Dn(samdb, "CN=Infrastructure," + samdb.domain_dn()) + self.naming_dn = ldb.Dn(samdb, "CN=Partitions,%s" % samdb.get_config_basedn()) + self.schema_dn = samdb.get_schema_basedn() + self.rid_dn = ldb.Dn(samdb, "CN=RID Manager$,CN=System," + samdb.domain_dn()) def check_database(self, DN=None, scope=ldb.SCOPE_SUBTREE, controls=[], attrs=['*']): '''perform a database check, returning the number of errors found''' @@ -310,6 +315,23 @@ class dbcheck(object): "Failed to fix orphaned backlink %s" % link_name): self.report("Fixed orphaned backlink %s" % (link_name)) + def err_no_fsmoRoleOwner(self, obj): + '''handle a missing fSMORoleOwner''' + self.report("ERROR: fSMORoleOwner not found for role %s" % (obj.dn)) + res = self.samdb.search("", + scope=ldb.SCOPE_BASE, attrs=["dsServiceName"]) + assert len(res) == 1 + serviceName = res[0]["dsServiceName"][0] + if not self.confirm_all('Sieze role %s onto current DC by adding fSMORoleOwner=%s' % (obj.dn, serviceName), 'seize_fsmo_role'): + self.report("Not Siezing role %s onto current DC by adding fSMORoleOwner=%s" % (obj.dn, serviceName)) + return + m = ldb.Message() + m.dn = obj.dn + m['value'] = ldb.MessageElement(serviceName, ldb.FLAG_MOD_ADD, 'fSMORoleOwner') + if self.do_modify(m, [], + "Failed to sieze role %s onto current DC by adding fSMORoleOwner=%s" % (obj.dn, serviceName)): + self.report("Siezed role %s onto current DC by adding fSMORoleOwner=%s" % (obj.dn, serviceName)) + def find_revealed_link(self, dn, attrname, guid): '''return a revealed link in an object''' res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=[attrname], @@ -441,6 +463,20 @@ class dbcheck(object): "Failed to fix metadata for attribute %s" % attr): self.report("Fixed metadata for attribute %s" % attr) + def is_fsmo_role(self, dn): + if dn == self.samdb.domain_dn: + return True + if dn == self.infrastructure_dn: + return True + if dn == self.naming_dn: + return True + if dn == self.schema_dn: + return True + if dn == self.rid_dn: + return True + + return False + def check_object(self, dn, attrs=['*']): '''check one object''' if self.verbose: @@ -550,6 +586,11 @@ class dbcheck(object): continue self.fix_metadata(dn, att) + if self.is_fsmo_role(dn): + if "fSMORoleOwner" not in obj: + self.err_no_fsmoRoleOwner(obj) + error_count += 1 + return error_count ################################################################ diff --git a/source4/scripting/python/samba/netcmd/fsmo.py b/source4/scripting/python/samba/netcmd/fsmo.py index 84e50e0..86c6949 100644 --- a/source4/scripting/python/samba/netcmd/fsmo.py +++ b/source4/scripting/python/samba/netcmd/fsmo.py @@ -30,6 +30,43 @@ from samba.netcmd import ( ) from samba.samdb import SamDB +def transfer_role(outf, role, samdb): + m = ldb.Message() + m.dn = ldb.Dn(samdb, "") + if role == "rid": + m["becomeRidMaster"]= ldb.MessageElement( + "1", ldb.FLAG_MOD_REPLACE, + "becomeRidMaster") + elif role == "pdc": + domain_dn = samdb.domain_dn() + res = samdb.search(domain_dn, + scope=ldb.SCOPE_BASE, attrs=["objectSid"]) + assert len(res) == 1 + sid = res[0]["objectSid"][0] + m["becomePdc"]= ldb.MessageElement( + sid, ldb.FLAG_MOD_REPLACE, + "becomePdc") + elif role == "naming": + m["becomeDomainMaster"]= ldb.MessageElement( + "1", ldb.FLAG_MOD_REPLACE, + "becomeDomainMaster") + samdb.modify(m) + elif role == "infrastructure": + m["becomeInfrastructureMaster"]= ldb.MessageElement( + "1", ldb.FLAG_MOD_REPLACE, + "becomeInfrastructureMaster") + elif role == "schema": + m["becomeSchemaMaster"]= ldb.MessageElement( + "1", ldb.FLAG_MOD_REPLACE, + "becomeSchemaMaster") + else: + raise CommandError("Invalid FSMO role.") + try: + samdb.modify(m) + except LdbError, (num, msg): + raise CommandError("Failed to initiate transfer of '%s' role: %s" % (role, msg)) + outf.write("FSMO transfer of '%s' role successful\n" % role) + class cmd_fsmo_seize(Command): """Seize the role""" @@ -64,6 +101,11 @@ all=all of the above"""), assert len(res) == 1 serviceName = res[0]["dsServiceName"][0] domain_dn = samdb.domain_dn() + self.infrastructure_dn = "CN=Infrastructure," + domain_dn + self.naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn() + self.schema_dn = samdb.get_schema_basedn() + self.rid_dn = "CN=RID Manager$,CN=System," + domain_dn + m = ldb.Message() if role == "rid": m.dn = ldb.Dn(samdb, self.rid_dn) @@ -81,8 +123,8 @@ all=all of the above"""), if force is None: self.message("Attempting transfer...") try: - self.transfer_role(role, samdb) - except LdbError, (num, _): + transfer_role(self.outf, role, samdb) + except CommandError: #transfer failed, use the big axe... self.message("Transfer unsuccessful, seizing...") m["fSMORoleOwner"]= ldb.MessageElement( @@ -207,43 +249,6 @@ all=all of the above"""), takes_args = [] - def transfer_role(self, role, samdb): - m = ldb.Message() - m.dn = ldb.Dn(samdb, "") - if role == "rid": - m["becomeRidMaster"]= ldb.MessageElement( - "1", ldb.FLAG_MOD_REPLACE, - "becomeRidMaster") - elif role == "pdc": - domain_dn = samdb.domain_dn() - res = samdb.search(domain_dn, - scope=ldb.SCOPE_BASE, attrs=["objectSid"]) - assert len(res) == 1 - sid = res[0]["objectSid"][0] - m["becomePdc"]= ldb.MessageElement( - sid, ldb.FLAG_MOD_REPLACE, - "becomePdc") - elif role == "naming": - m["becomeDomainMaster"]= ldb.MessageElement( - "1", ldb.FLAG_MOD_REPLACE, - "becomeDomainMaster") - samdb.modify(m) - elif role == "infrastructure": - m["becomeInfrastructureMaster"]= ldb.MessageElement( - "1", ldb.FLAG_MOD_REPLACE, - "becomeInfrastructureMaster") - elif role == "schema": - m["becomeSchemaMaster"]= ldb.MessageElement( - "1", ldb.FLAG_MOD_REPLACE, - "becomeSchemaMaster") - else: - raise CommandError("Invalid FSMO role.") - try: - samdb.modify(m) - except LdbError, (num, msg): - raise CommandError("Failed to initiate transfer of '%s' role: %s" % (role, msg)) - self.outf.write("FSMO transfer of '%s' role successful\n" % role) - def run(self, force=None, H=None, role=None, credopts=None, sambaopts=None, versionopts=None): @@ -254,13 +259,13 @@ all=all of the above"""), credentials=creds, lp=lp) if role == "all": - self.transfer_role("rid", samdb) - self.transfer_role("pdc", samdb) - self.transfer_role("naming", samdb) - self.transfer_role("infrastructure", samdb) - self.transfer_role("schema", samdb) + transfer_role(self.outf, "rid", samdb) + transfer_role(self.outf, "pdc", samdb) + transfer_role(self.outf, "naming", samdb) + transfer_role(self.outf, "infrastructure", samdb) + transfer_role(self.outf, "schema", samdb) else: - self.transfer_role(role, samdb) + transfer_role(self.outf, role, samdb) class cmd_fsmo(SuperCommand): diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py index b2fb51e..8b8d05d 100644 --- a/source4/scripting/python/samba/upgrade.py +++ b/source4/scripting/python/samba/upgrade.py @@ -65,7 +65,7 @@ def import_sam_policy(samdb, policy, logger): 'minPwdAge') max_pw_age_unix = policy['maximum password age'] - if max_pw_age_unix == -1: + if max_pw_age_unix == -1 or max_pw_age_unix == 0: max_pw_age_nt = -0x8000000000000000 else: max_pw_age_nt = int(-max_pw_age_unix * (1e7 * 60 * 60 * 24)) @@ -534,11 +534,18 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=Fa # Get members for each group/alias if group.sid_name_use == lsa.SID_NAME_ALIAS: - members = s3db.enum_aliasmem(group.sid) + try: + members = s3db.enum_aliasmem(group.sid) + except passdb.error: + logger.warn("Ignoring group '%s' %s listed but then not found: %s", + group.nt_name, group.sid, passdb.error) + continue elif group.sid_name_use == lsa.SID_NAME_DOM_GRP: try: members = s3db.enum_group_members(group.sid) except passdb.error: + logger.warn("Ignoring group '%s' %s listed but then not found: %s", + group.nt_name, group.sid, passdb.error) continue groupmembers[group.nt_name] = members elif group.sid_name_use == lsa.SID_NAME_WKN_GRP: @@ -548,7 +555,12 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=Fa group.nt_name) continue # A number of buggy databases mix up well known groups and aliases. - members = s3db.enum_aliasmem(group.sid) + try: + members = s3db.enum_aliasmem(group.sid) + except passdb.error: + logger.warn("Ignoring group '%s' %s listed but then not found: %s", + group.nt_name, group.sid, passdb.error) + continue else: logger.warn("Ignoring group '%s' with sid_name_use=%d", group.nt_name, group.sid_name_use) -- Samba Shared Repository