[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-434-g752904f
Matthias Dieter Wallnöfer
mdw at samba.org
Fri Sep 18 09:51:34 MDT 2009
The branch, master has been updated
via 752904f12c7dcd76712ca27a10a8fe2062945bbf (commit)
via b15ef6d854f8c39f8424c2ee524f1aca6bf2906c (commit)
via 11a7842854c0be8c427a2dbf0a8fc3761cda6298 (commit)
via 89f5df6fa7cca1aaec81e29b8777bab5b4068003 (commit)
from fa4023d6f73920765aa5fdbcdd6fd934782258cf (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 752904f12c7dcd76712ca27a10a8fe2062945bbf
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date: Fri Sep 18 17:34:02 2009 +0200
s4:domainlevel - Add a script which allows raising the domain/forest level
This simple script allows raising the domain and/or forest level for s4.
I integrated also the basic checks (since we don't perform them in LDB yet):
e.g. the forest level can't be higher than the domain level(s).
commit b15ef6d854f8c39f8424c2ee524f1aca6bf2906c
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date: Fri Sep 18 17:33:24 2009 +0200
s4:pwsettings - Simplify the error handling a bit
commit 11a7842854c0be8c427a2dbf0a8fc3761cda6298
Author: Matthieu Patou <mat at matws.net>
Date: Fri Sep 18 15:55:57 2009 +0400
python: create a script for reorgnizing an LDB file.
This script helps to reclaim wasted space.
commit 89f5df6fa7cca1aaec81e29b8777bab5b4068003
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date: Fri Sep 18 16:21:29 2009 +0200
s4:provision - Bump down the domain and forest level to Windows 2000
- The DC level we keep on Windows Server 2008 R2 (we should call ourself
always the newest server type)
- The domain/forest level we set to the minimum (Windows 2000 native) to
allow all AD DC types (from Windows 2000 on) in our domain - the NT4 "mixed"
mode isn't supported by us (discussed on mailing list) -> "nTMixedDomain" is
set always to 0
- I'll add a script which allows bumping the DC level (basically sets the
"msDS-Behavior-Version" attributes on the "Partitions/Configuration/DC" and
on the "DC" object)
-----------------------------------------------------------------------
Summary of changes:
source4/scripting/bin/reorgldb.py | 60 +++++++++
source4/scripting/python/samba/provision.py | 6 +-
source4/setup/domainlevel | 181 +++++++++++++++++++++++++++
source4/setup/provision_configuration.ldif | 13 +-
source4/setup/pwsettings | 7 +-
5 files changed, 253 insertions(+), 14 deletions(-)
create mode 100755 source4/scripting/bin/reorgldb.py
create mode 100755 source4/setup/domainlevel
Changeset truncated at 500 lines:
diff --git a/source4/scripting/bin/reorgldb.py b/source4/scripting/bin/reorgldb.py
new file mode 100755
index 0000000..571363f
--- /dev/null
+++ b/source4/scripting/bin/reorgldb.py
@@ -0,0 +1,60 @@
+#!/usr/bin/python
+#
+# Copyright (C) Matthieu Patou <mat at matws.net> 2009
+# This script realize an offline reorganisation of an LDB
+# file it helps to reduce (sometime drastically) the
+# size of LDB files.
+import sys
+import optparse
+import os
+sys.path.insert(0, "bin/python")
+
+import samba
+from samba.credentials import DONT_USE_KERBEROS
+from samba.auth import system_session
+from samba import Ldb, substitute_var, valid_netbios_name, check_all_substituted
+from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
+import ldb
+import samba.getopt as options
+from samba.samdb import SamDB
+from samba import param
+from samba.provision import ProvisionPaths, ProvisionNames,provision_paths_from_lp, Schema
+
+parser = optparse.OptionParser("provision [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+parser.add_option("--database", type="string", metavar="FILE",
+ help="LDB to reorganize")
+opts = parser.parse_args()[0]
+lp = sambaopts.get_loadparm()
+smbconf = lp.configfile
+
+if not opts.database:
+ print "Parameter database is mandatory"
+ sys.exit(1)
+creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+session = system_session()
+empty = ldb.Message()
+newname="%s.new"%(opts.database)
+if os.path.exists(newname):
+ os.remove(newname)
+old_ldb = Ldb(opts.database, session_info=session, credentials=creds,lp=lp)
+new_ldb = Ldb(newname,session_info=session, credentials=creds,lp=lp)
+
+new_ldb.transaction_start()
+res = old_ldb.search(expression="(dn=*)",base="", scope=SCOPE_SUBTREE)
+for i in range(0,len(res)):
+ if str(res[i].dn) == "@BASEINFO":
+ continue
+ if str(res[i].dn).startswith("@INDEX:"):
+ continue
+ delta = new_ldb.msg_diff(empty,res[i])
+ delta.dn = res[i].dn
+ delta.remove("distinguishedName")
+ new_ldb.add(delta)
+
+new_ldb.transaction_commit()
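Review bot: The copy is written to `opts.database + ".new"` with no control over its permissions, and nothing in the script carries the original file's mode or ownership over. For an LDB that holds credentials, the reorganized copy could end up more widely readable than the source, depending on the process umask and on how `Ldb()` creates files (not visible here). Setting `os.umask(0077)` before the `new_ldb = Ldb(newname, ...)` line, and noting in the header comment that the operator must restore ownership when swapping the files, would close that gap. The loop between `transaction_start()` and `transaction_commit()` also has no failure path, so a failed `new_ldb.add(delta)` leaves a stray `.new` file behind; a `try`/`except` that calls `new_ldb.transaction_cancel()` and removes the file would be cleaner.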
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index ca98503..065677f 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -44,7 +44,7 @@ from credentials import Credentials, DONT_USE_KERBEROS
from auth import system_session, admin_session
from samba import version, Ldb, substitute_var, valid_netbios_name
from samba import check_all_substituted
-from samba import DS_DOMAIN_FUNCTION_2008_R2, DS_DC_FUNCTION_2008_R2
+from samba import DS_DOMAIN_FUNCTION_2000, DS_DC_FUNCTION_2008_R2
from samba.samdb import SamDB
from samba.idmap import IDmapDB
from samba.dcerpc import security
@@ -835,8 +835,8 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
:note: This will wipe the main SAM database file!
"""
- domainFunctionality = DS_DOMAIN_FUNCTION_2008_R2
- forestFunctionality = DS_DOMAIN_FUNCTION_2008_R2
+ domainFunctionality = DS_DOMAIN_FUNCTION_2000
+ forestFunctionality = DS_DOMAIN_FUNCTION_2000
domainControllerFunctionality = DS_DC_FUNCTION_2008_R2
# Also wipes the database
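Review bot: The new `domainFunctionality` and `forestFunctionality` defaults carry no comment explaining why a fresh domain starts at the lowest native level while the DC level stays at 2008 R2; the reasoning lives only in the commit message. A short comment such as `# Start at Windows 2000 native so any AD DC version can join; raise later with setup/domainlevel` above the two assignments would keep it visible to the next maintainer. setup_samdb begins and continues outside this hunk.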
diff --git a/source4/setup/domainlevel b/source4/setup/domainlevel
new file mode 100755
index 0000000..3551cd5
--- /dev/null
+++ b/source4/setup/domainlevel
@@ -0,0 +1,181 @@
+#!/usr/bin/python
+#
+# Raises domain and forest function levels
+#
+# Copyright Matthias Dieter Wallnoefer 2009
+# Released under the GNU GPL version 3 or later
+#
+import os, sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python"))
+
+import samba.getopt as options
+import optparse
+import pwd
+import ldb
+
+from samba.auth import system_session
+from samba.samdb import SamDB
+from samba import DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2003
+from samba import DS_DOMAIN_FUNCTION_2008, DS_DOMAIN_FUNCTION_2008_R2
+
+parser = optparse.OptionParser("domainlevel (show | raise <options>)")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+parser.add_option("--quiet", help="Be quiet", action="store_true")
+parser.add_option("-H", help="LDB URL for database or target server", type=str)
+parser.add_option("--forest",
+ help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str)
+parser.add_option("--domain",
+ help="The domain function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str)
+opts, args = parser.parse_args()
+
+#
+# print a message if quiet is not set
+#
+def message(text):
+ if not opts.quiet:
+ print text
+
+if len(args) == 0:
+ parser.print_usage()
+ sys.exit(1)
+
+lp = sambaopts.get_loadparm()
+
+creds = credopts.get_credentials(lp)
+
+if opts.H is not None:
+ url = opts.H
+else:
+ url = lp.get("sam database")
+
+samdb = SamDB(url=url, session_info=system_session(),
+ credentials=creds, lp=lp)
+
+domain_dn = SamDB.domain_dn(samdb)
+
+res_forest = samdb.search("CN=Partitions,CN=Configuration," + domain_dn,
+ scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"])
+assert(len(res_forest) == 1)
+
+res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
+ attrs=["msDS-Behavior-Version"])
+assert(len(res_domain) == 1)
+
+try:
+ level_forest = int(res_forest[0]["msDS-Behavior-Version"][0])
+ level_domain = int(res_domain[0]["msDS-Behavior-Version"][0])
+
+ if level_forest < 0 or level_forest == 1 or level_forest > 4 or level_domain < 0 or level_domain == 1 or level_domain > 4:
+ print "ERROR: Domain and/or forest functional level(s) is/are invalid. Correct them or reprovision!"
+ sys.exit(1)
+ if level_forest > level_domain:
+ print "ERROR: Forest function level is higher than the domain level(s). That can't be. Correct this or reprovision!"
+ sys.exit(1)
+except:
+ print "ERROR: Could not retrieve the actual domain and forest level!"
+ if args[0] == "show":
+ print "So the levels can't be displayed!"
+ sys.exit(1)
+
+if args[0] == "show":
+ message("Domain and forest function level for domain '" + domain_dn + "'")
+ message("")
+
+ if level_forest == DS_DOMAIN_FUNCTION_2000:
+ outstr = "2000"
+ elif level_forest == DS_DOMAIN_FUNCTION_2003:
+ outstr = "2003"
+ elif level_forest == DS_DOMAIN_FUNCTION_2008:
+ outstr = "2008"
+ elif level_forest == DS_DOMAIN_FUNCTION_2008_R2:
+ outstr = "2008 R2"
+ message("Forest function level: (Windows) " + outstr)
+
+ if level_domain == DS_DOMAIN_FUNCTION_2000:
+ outstr = "2000"
+ elif level_domain == DS_DOMAIN_FUNCTION_2003:
+ outstr = "2003"
+ elif level_domain == DS_DOMAIN_FUNCTION_2008:
+ outstr = "2008"
+ elif level_domain == DS_DOMAIN_FUNCTION_2008_R2:
+ outstr = "2008 R2"
+ message("Domain function level: (Windows) " + outstr)
+
+elif args[0] == "raise":
+ msgs = []
+
+ if opts.domain is not None:
+ arg = opts.domain
+
+ if arg == "2000":
+ new_level_domain = DS_DOMAIN_FUNCTION_2000
+ elif arg == "2003":
+ new_level_domain = DS_DOMAIN_FUNCTION_2003
+ elif arg == "2008":
+ new_level_domain = DS_DOMAIN_FUNCTION_2008
+ elif arg == "2008_R2":
+ new_level_domain = DS_DOMAIN_FUNCTION_2008_R2
+ else:
+ print "ERROR: Wrong argument '" + arg + "'!"
+ sys.exit(1)
+
+ if new_level_domain <= level_domain:
+ print "ERROR: Domain function level can't be smaller equal to the actual one!"
+ sys.exit(1)
+
+ m = ldb.Message()
+ m.dn = ldb.Dn(samdb, domain_dn)
+ m["msDS-Behavior-Version"]= ldb.MessageElement(
+ str(new_level_domain), ldb.FLAG_MOD_REPLACE,
+ "msDS-Behavior-Version")
+ samdb.modify(m)
+
+ level_domain = new_level_domain
+
+ msgs.append("Domain function level changed!")
+
+ if opts.forest is not None:
+ arg = opts.forest
+
+ if arg == "2000":
+ new_level_forest = DS_DOMAIN_FUNCTION_2000
+ elif arg == "2003":
+ new_level_forest = DS_DOMAIN_FUNCTION_2003
+ elif arg == "2008":
+ new_level_forest = DS_DOMAIN_FUNCTION_2008
+ elif arg == "2008_R2":
+ new_level_forest = DS_DOMAIN_FUNCTION_2008_R2
+ else:
+ print "ERROR: Wrong argument '" + arg + "'!"
+ sys.exit(1)
+
+ if new_level_forest <= level_forest:
+ print "ERROR: Forest function level can't be smaller equal to the actual one!"
+ sys.exit(1)
+
+ if new_level_forest > level_domain:
+ print "ERROR: Forest function level can't be higher than the domain function level(s). Please raise it/them first!"
+ sys.exit(1)
+
+ m = ldb.Message()
+
+ m.dn = ldb.Dn(samdb, "CN=Partitions,CN=Configuration,"
+ + domain_dn)
+ m["msDS-Behavior-Version"]= ldb.MessageElement(
+ str(new_level_forest), ldb.FLAG_MOD_REPLACE,
+ "msDS-Behavior-Version")
+ samdb.modify(m)
+
+ msgs.append("Forest function level changed!")
+
+ msgs.append("All changes applied successfully!")
+
+ message("\n".join(msgs))
+else:
+ print "ERROR: Wrong argument '" + args[0] + "'!"
+ sys.exit(1)
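Review bot: The bare `except:` after the level checks also catches the `SystemExit` raised by the two `sys.exit(1)` calls inside the `try`, so an invalid or inconsistent level prints its specific error and then the unrelated "Could not retrieve" message. Narrow the handler to the exceptions the lookups and `int()` can raise (likely `except (KeyError, IndexError, ValueError):`), or move the range and forest-versus-domain checks below the `try`. Separately, in the `raise` branch the domain modify is applied before the `--forest` argument is validated, so a rejected forest value exits with the domain level already changed and no message saying so; validating both options before the first `samdb.modify(m)` avoids that. The two `assert(len(...) == 1)` checks on the search results disappear under `python -O` and should be explicit `if` tests with an error exit. The pwsettings hunk keeps the same bare `except:`; its `try` body starts outside the visible lines.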
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index a740996..098cb91 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
@@ -828,24 +828,25 @@ showInAdvancedViewOnly: TRUE
dn: CN=Enterprise Configuration,CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRef
-systemFlags: 1
-nCName: ${CONFIGDN}
dnsRoot: ${DNSDOMAIN}
+nCName: ${CONFIGDN}
+systemFlags: 1
dn: CN=Enterprise Schema,CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRef
-systemFlags: 1
-nCName: ${SCHEMADN}
dnsRoot: ${DNSDOMAIN}
+nCName: ${SCHEMADN}
+systemFlags: 1
dn: CN=${DOMAIN},CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRef
-systemFlags: 3
+dnsRoot: ${DNSDOMAIN}
nCName: ${DOMAINDN}
nETBIOSName: ${DOMAIN}
-dnsRoot: ${DNSDOMAIN}
+nTMixedDomain: 0
+systemFlags: 3
dn: CN=Physical Locations,${CONFIGDN}
objectClass: top
diff --git a/source4/setup/pwsettings b/source4/setup/pwsettings
index cd9c07d..fccd73f 100755
--- a/source4/setup/pwsettings
+++ b/source4/setup/pwsettings
@@ -79,13 +79,10 @@ try:
min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
except:
+ print "ERROR: Could not retrieve password properties!"
if args[0] == "show":
- print "ERROR: Password informations missing in your AD domain object!"
print "So no settings can be displayed!"
- sys.exit(1)
- else:
- print "ERROR: Could not retrieve password properties (used for password complexity setting)"
- sys.exit(1)
+ sys.exit(1)
if args[0] == "show":
message("Password informations for domain '" + domain_dn + "'")
--
Samba Shared Repository