[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Mon Nov 30 18:18:42 MST 2009
The branch, master has been updated
via a88f086... s4:setup Adjust upgradeprovision blackbox test now we don't have --targetdir
via 1d0d78a... s4: Remove targetdir as it can cause some trouble and can be replaced by an adapted -s smb.conf
via fe12912... s4: Handle the case in secrets.ldb without name attribute
via 4861ad5... s4: don't forget to update defaultSecurityDescriptor
via bf2c1e9... s4: load the domain level of the current provision and create a provision with the same domain level
via f653608... s4:ldap.py Add test of namingContext behaviour after tridge found a bug
via ce86fdf... s4:WHATSNEW Nadezhda's acl module handles modifies
from 48f4079... Fix DEBUG 0 -> DEBUG 10 (left over code). Fix opendir status return if access denied. Jeremy.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a88f086d96df01f974696f7fd76f68042e75a7d1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 1 09:04:21 2009 +1100
s4:setup Adjust upgradeprovision blackbox test now we don't have --targetdir
commit 1d0d78ab3d1f4210984a5a012cdb6d17862cec51
Author: Matthieu Patou <mat at matws.net>
Date: Sun Nov 29 19:44:08 2009 +0300
s4: Remove targetdir as it can cause some trouble and can be replaced by an adapted -s smb.conf
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit fe1291227f0a3137938dc369afc2f63626c30359
Author: Matthieu Patou <mat at matws.net>
Date: Sun Nov 29 16:26:31 2009 +0300
s4: Handle the case in secrets.ldb without name attribute
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 4861ad57fb533dbb060faa0a0630f8d8afe87421
Author: Matthieu Patou <mat at matws.net>
Date: Sun Nov 29 02:28:26 2009 +0300
s4: don't forget to update defaultSecurityDescriptor
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit bf2c1e9c4f6fa7d1ea778f54593c308b56efacd2
Author: Matthieu Patou <mat at matws.net>
Date: Fri Nov 27 20:50:04 2009 +0300
s4: load the domain level of the current provision and create a provision with the same domain level
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit f65360840a43616d870b0f26925067f248aa6376
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Nov 30 18:39:58 2009 +1100
s4:ldap.py Add test of namingContext behaviour after tridge found a bug
Tridge found that the partitions.c module was being initialised twice,
and setting the partitions into the rootDSE twice.
Andrew Bartlett
commit ce86fdfed9f7b9b5012f02210aaa1c5bf6ffcdf1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Nov 30 14:46:03 2009 +1100
s4:WHATSNEW Nadezhda's acl module handles modifies
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW4.txt | 4 +-
source4/lib/ldb/tests/python/ldap.py | 15 +++++++
source4/scripting/bin/upgradeprovision | 49 ++++++++++++++++-----
source4/scripting/python/samba/provision.py | 2 +-
source4/setup/tests/blackbox_upgradeprovision.sh | 4 +-
5 files changed, 57 insertions(+), 17 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW4.txt b/WHATSNEW4.txt
index 1c9d1e4..4513f22 100644
--- a/WHATSNEW4.txt
+++ b/WHATSNEW4.txt
@@ -80,8 +80,8 @@ continued to evolve, but you may particularly notice these areas
Access Control Lists (in nTSecurityDescriptor) are now set correctly
on objects in the directory, based on the same rules as Windows 2008.
- (Searches and modifications still use a simplistic administrator/not
- administrator criteria)
+ (Searches and still use a simplistic administrator/not administrator
+ criteria)
These are just some of the user-visible highlights of the work done in
the past few months. More details of the work done 'under the hood'
diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py
index 0292422..384e69e 100755
--- a/source4/lib/ldb/tests/python/ldap.py
+++ b/source4/lib/ldb/tests/python/ldap.py
@@ -1923,6 +1923,21 @@ class BaseDnTests(unittest.TestCase):
attrs=["netlogon", "highestCommittedUSN"])
self.assertEquals(len(res), 0)
+ def test_namingContexts(self):
+ """Testing for namingContexts in rootDSE"""
+ res = self.ldb.search("", scope=SCOPE_BASE,
+ attrs=["namingContexts", "defaultNamingContext", "schemaNamingContext", "configurationNamingContext"])
+ self.assertEquals(len(res), 1)
+
+ ncs = set([])
+ for nc in res[0]["namingContexts"]:
+ self.assertTrue(nc not in ncs)
+ ncs.add(nc)
+
+ self.assertTrue(res[0]["defaultNamingContext"][0] in ncs)
+ self.assertTrue(res[0]["configurationNamingContext"][0] in ncs)
+ self.assertTrue(res[0]["schemaNamingContext"][0] in ncs)
+
class SchemaTests(unittest.TestCase):
def delete_force(self, ldb, dn):
try:
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index 2f0ce84..48f6747 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -39,7 +39,7 @@ from base64 import b64encode
import samba
from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session, admin_session
-from samba import Ldb
+from samba import Ldb, DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTION_2008_R2
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
import ldb
import samba.getopt as options
@@ -73,13 +73,14 @@ hashAttrNotCopied = { "dn": 1,"whenCreated": 1,"whenChanged": 1,"objectGUID": 1
"showInAdvancedViewOnly": 1,"instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1,\
"nTMixedDomain": 1,"versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1, "ntPwdHistory":1, "unicodePwd":1,\
"dBCSPwd":1,"supplementalCredentials":1,"gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,\
- "maxPwdAge":1, "mail":1, "secret":1,"possibleInferiors":1}
+ "maxPwdAge":1, "mail":1, "secret":1,"possibleInferiors":1, "sAMAccountType":1}
# Usually for an object that already exists we do not overwrite attributes as they might have been changed for good
# reasons. Anyway for a few of thems it's mandatory to replace them otherwise the provision will be broken somehow.
hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace,"systemOnly":replace, "searchFlags":replace,\
"mayContain":replace, "systemFlags":replace,
- "oEMInformation":replace, "operatingSystemVersion":replace, "adminPropertyPages":1,"possibleInferiors":replace+delete}
+ "oEMInformation":replace, "operatingSystemVersion":replace, "adminPropertyPages":replace,
+ "defaultSecurityDescriptor": replace}
backlinked = []
def define_what_to_log(opts):
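Review bot: The new `"defaultSecurityDescriptor": replace` entry in hashOverwrittenAtt has no comment saying why it is safe to overwrite, although the comment above the table says existing attributes are normally left alone because they may have been changed for good reasons. With this entry, a default security descriptor that an administrator adjusted on a schema class is replaced by the reference provision's value. I would document that next to the entry, for example `# defaultSecurityDescriptor: always taken from the reference provision, local edits to a class's default SD are lost`. The old and new values should also be reported under the existing `--debugchangesd` output so the replacement can be audited afterwards.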
@@ -111,8 +112,6 @@ parser.add_option("--debugchange", help="Print information on what is different
parser.add_option("--debugchangesd", help="Print information security descriptors differences", action="store_true")
parser.add_option("--debugall", help="Print all available information (very verbose)", action="store_true")
parser.add_option("--full", help="Perform full upgrade of the samdb (schema, configuration, new objects, ...", action="store_true")
-parser.add_option("--targetdir", type="string", metavar="DIR",
- help="Set target directory")
opts = parser.parse_args()[0]
@@ -222,10 +221,14 @@ def guess_names_from_current_provision(credentials,session_info,paths):
names.ntdsguid = str(ndr_unpack( misc.GUID,res5[0]["objectGUID"][0]))
# domain guid/sid
- attrs6 = ["objectGUID", "objectSid", ]
+ attrs6 = ["objectGUID", "objectSid","msDS-Behavior-Version" ]
res6 = samdb.search(expression="(objectClass=*)",base=basedn, scope=SCOPE_BASE, attrs=attrs6)
names.domainguid = str(ndr_unpack( misc.GUID,res6[0]["objectGUID"][0]))
names.domainsid = ndr_unpack( security.dom_sid,res6[0]["objectSid"][0])
+ if res6[0].get("msDS-Behavior-Version") == None or int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
+ names.domainlevel = DS_DOMAIN_FUNCTION_2000
+ else:
+ names.domainlevel = int(res6[0]["msDS-Behavior-Version"][0])
# policy guid
attrs7 = ["cn","displayName"]
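Review bot: The added domain-level read clamps only the lower bound, so a stored msDS-Behavior-Version above what this build supports is passed on unchanged. The provision.py hunk in this changeset shows setup_samdb still raising ProvisioningError when the level exceeds domainControllerFunctionality, so that failure would only surface after the reference provision has started. The condition also compares with `== None` and parses the attribute twice. Reading it once is clearer: `level = res6[0].get("msDS-Behavior-Version")` followed by `names.domainlevel = DS_DOMAIN_FUNCTION_2000 if level is None else max(int(level[0]), DS_DOMAIN_FUNCTION_2000)`, with an explicit early error for a level that is too high. guess_names_from_current_provision starts and ends outside this hunk.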
@@ -262,6 +265,7 @@ def print_names(names):
message(GUESS, "domainsid :"+str(names.domainsid))
message(GUESS, "domainguid :"+names.domainguid)
message(GUESS, "ntdsguid :"+names.ntdsguid)
+ message(GUESS, "domainlevel :"+str(names.domainlevel))
# Create a fresh new reference provision
# This provision will be the reference for knowing what has changed in the
@@ -297,6 +301,7 @@ def newprovision(names,setup_dir,creds,session,smbconf):
slapd_path=None,
setup_ds_path=None,
nosync=None,
+ dom_for_fun_level=names.domainlevel,
ldap_dryrun_mode=None)
return provdir
@@ -340,7 +345,7 @@ def handle_security_desc(ischema,att,msgElt,hashallSD,old,new):
hashSD["oldSD"] = old[0][att]
hashSD["newSD"] = new[0][att]
hashallSD[str(old[0].dn)] = hashSD
- return 1
+ return 0
if att == "nTSecurityDescriptor" and msgElt.flags() == ldb.FLAG_MOD_REPLACE:
if ischema == 0:
hashSD = {}
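Review bot: The flipped return value in the first branch of handle_security_desc (`return 0`, previously `return 1`) carries no comment on what the caller does with it. Only the start of the following nTSecurityDescriptor branch is visible, so it cannot be checked from this hunk whether the two branches now return consistent values. Since this decides how security descriptor changes are applied, I would add a one-line comment above the return, for example `# 0: the SD pair is only recorded in hashallSD, the caller still applies the change`, if that is the intent. The function begins and continues outside the hunk.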
@@ -450,12 +455,31 @@ def update_secrets(newpaths,paths,creds,session):
delta.remove(att)
for att in delta:
i = i + 1
+
+ if att == "name":
+ message(CHANGE,"Found attribute name on %s, must rename the DN "%(res2[0].dn))
+ secrets_ldb.rename(res2[0].dn,ldb.Dn(secrets_ldb,"%sfoo"%str(res2[0].dn)))
+ secrets_ldb.rename(ldb.Dn(secrets_ldb,"%sfoo"%str(res2[0].dn)),res2[0].dn)
+ else:
+ delta.remove(att)
+
+
+ for entry in listPresent:
+ res = newsecrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
+ res2 = secrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
+ delta = secrets_ldb.msg_diff(res2[0],res[0])
+ i=0
+ for att in hashAttrNotCopied.keys():
+ delta.remove(att)
+ for att in delta:
+ i = i + 1
if att != "dn":
message(CHANGE," Adding/Changing attribute %s to %s"%(att,res2[0].dn))
delta.dn = res2[0].dn
secrets_ldb.modify(delta)
+
# Check difference between the current provision and the reference provision.
# It looks for all object which base DN is name if ischema is false then scan is done in
# cross partition mode.
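Review bot: The two `secrets_ldb.rename(...)` calls in the new `if att == "name":` branch are not inside any transaction visible in this hunk. A failure between them would leave the secrets.ldb entry stored under the temporary `...foo` DN, where lookups by the original DN no longer find it. I would run the pair in one transaction and cancel it on LdbError, as sketched below. Separately, the `else: delta.remove(att)` arm removes elements from `delta` while `for att in delta` is iterating over it, which may skip attributes depending on how the ldb message iterator behaves; iterating over a copy of the attribute names avoids that. update_secrets starts above the hunk, so an enclosing transaction cannot be ruled out from here.

```python
        if att == "name":
            message(CHANGE,"Found attribute name on %s, must rename the DN "%(res2[0].dn))
            tmp_dn = ldb.Dn(secrets_ldb, "%sfoo" % str(res2[0].dn))
            secrets_ldb.transaction_start()
            try:
                secrets_ldb.rename(res2[0].dn, tmp_dn)
                secrets_ldb.rename(tmp_dn, res2[0].dn)
            except LdbError:
                # leave the entry under its original DN if either rename fails
                secrets_ldb.transaction_cancel()
                raise
            secrets_ldb.transaction_commit()
        # … unchanged: else branch and the second listPresent loop …
```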
@@ -587,8 +611,8 @@ def check_updated_sd(newpaths,paths,creds,session,names):
# Simple update method for updating the SD that rely on the fact that nobody should have modified the SD
# This assumption is safe right now (alpha9) but should be removed asap
-def update_sd(newpaths,paths,creds,session,names):
- sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
+def update_sd(paths,creds,session,names):
+ sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"])
sam_ldb.transaction_start()
# First update the SD for the rootdn
sam_ldb.set_session_info(session)
@@ -722,7 +746,7 @@ def update_machine_account_password(paths,creds,session,names):
# From here start the big steps of the program
# First get files paths
-paths=get_paths(targetdir=opts.targetdir,smbconf=smbconf)
+paths=get_paths(smbconf=smbconf)
paths.setup = setup_dir
def setup_path(file):
return os.path.join(setup_dir, file)
@@ -747,8 +771,9 @@ if opts.full:
# SD should be created with admin but as some previous acl were so wrong that admin can't modify them we have first
# to recreate them with the good form but with system account and then give the ownership to admin ...
admin_session_info = admin_session(lp, str(names.domainsid))
-update_sd(newpaths,paths,creds,session,names)
-update_sd(newpaths,paths,creds,admin_session_info,names)
+message(SIMPLE,"Updating SD")
+update_sd(paths,creds,session,names)
+update_sd(paths,creds,admin_session_info,names)
check_updated_sd(newpaths,paths,creds,session,names)
message(SIMPLE,"Upgrade finished !")
# remove reference provision now that everything is done !
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index f9f7ec9..44ccaa8 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -839,7 +839,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
if dom_for_fun_level is None:
dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
if dom_for_fun_level < DS_DOMAIN_FUNCTION_2003:
- raise ProvisioningError("You want to run SAMBA 4 on a domain and forest function level lower than Windows 2003 (Native). This isn't supported!")
+ message("You want to run SAMBA 4 on a domain and forest function level lower than Windows 2003 (Native). This is not recommended")
if dom_for_fun_level > domainControllerFunctionality:
raise ProvisioningError("You want to run SAMBA 4 on a domain and forest function level which itself is higher than its actual DC function level (2008). This won't work!")
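Review bot: Replacing `raise ProvisioningError(...)` with `message(...)` relaxes the below-2003 function level check for every caller of setup_samdb, not only for the reference provision that upgradeprovision creates. The new text is also not marked as a warning. If the intent is only to let upgradeprovision mirror an existing domain level, I would keep the error for ordinary provisioning and document the exception, e.g. `# upgradeprovision passes the existing domain level, which may be below 2003; warn instead of failing`. The message should also start with `WARNING: `. setup_samdb begins and ends outside this hunk, so where `message` output ends up is not visible here.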
diff --git a/source4/setup/tests/blackbox_upgradeprovision.sh b/source4/setup/tests/blackbox_upgradeprovision.sh
index 8e3984a..c1d3e46 100755
--- a/source4/setup/tests/blackbox_upgradeprovision.sh
+++ b/source4/setup/tests/blackbox_upgradeprovision.sh
@@ -14,12 +14,12 @@ shift 1
upgradeprovision() {
$PYTHON ./setup/provision --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/upgradeprovision" --server-role="dc"
- $PYTHON ./scripting/bin/upgradeprovision --targetdir="$PREFIX/upgradeprovision"
+ $PYTHON ./scripting/bin/upgradeprovision -s "$PREFIX/upgradeprovision/etc/smb.conf"
}
upgradeprovision_full() {
$PYTHON ./setup/provision --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/upgradeprovision_full" --server-role="dc"
- $PYTHON ./scripting/bin/upgradeprovision --targetdir="$PREFIX/upgradeprovision_full" --full
+ $PYTHON ./scripting/bin/upgradeprovision -s "$PREFIX/upgradeprovision_full/etc/smb.conf" --full
}
testit "upgradeprovision" upgradeprovision
--
Samba Shared Repository