[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Sun Jan 10 14:48:55 MST 2010


The branch, master has been updated
       via  2cedefa... s4:upgradeprovision - fix up the script regarding linked attributes
       via  e0d6b097.. s4:upgradeprovision - Reformat comments
       via  601ea3a... s4:repl_meta_data - Transform a "1" into a "true" on a boolean variable
       via  91e2100... s4:provision_users.ldif - Add objects for IIS
       via  e72787f... s4:provision_self_join_modify.ldif - Point out that account "dns" is s4 specific
       via  9ee895f... s4:provision_users.ldif - Fix memberships regarding the denied password RODC replication group
      from  81a848b... s3: Remove some unused variables

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2cedefabc93c8a1fcb49d65a3f78a344e814f826
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 10 21:34:05 2010 +0100

    s4:upgradeprovision - fix up the script regarding linked attributes
    
    We have to try to add new objects until, between two iterations, we don't
    make any progress. Either we are then done (no objects remaining) or we are
    incapable of doing this fully automatically.
    
    The latter can happen if important system objects (builtin groups, users...)
    have moved (e.g. consider one of my recent comments). Then the new object
    can't be added if it contains the same "sAMAccountName" attribute as the old
    one. We have to let the user delete the old one (also to give him a chance
    to back up personal changes, if needed) and only then is the script capable
    of adding the new one in the right place. Make this clear with an exhaustive
    error output.
    
    I personally don't see a good way to do this better for now, so I would
    leave this as a manual step.
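
    The "add until no progress" loop described above, as an added example that is
    not Samba code: it models the two failure modes the message mentions (a linked
    attribute whose target has not been added yet, and a stale object that still
    holds the sAMAccountName the reference object needs) against a constructed
    in-memory directory. `ToyDirectory`, `AddError`, `add_missing_objects` and the
    sample DNs under `DC=example,DC=com` are all assumptions of this example; the
    one deliberate difference from the script is that every stuck object's error is
    reported at once instead of only the last one.

```python
# Added example (not Samba code): a minimal model of the retry loop that adds
# missing objects until a full pass makes no progress. Written for Python 3.


class AddError(Exception):
    """Stand-in for LdbError: the toy directory refuses an add."""


class ToyDirectory:
    """Constructed in-memory directory enforcing two of ldb's add-time rules."""

    def __init__(self):
        self.objects = {}    # lower-cased DN -> attribute dict
        self.sam_names = {}  # lower-cased sAMAccountName -> DN that owns it

    def add(self, dn, attrs):
        key = dn.lower()
        if key in self.objects:
            raise AddError("entry already exists: %s" % dn)
        name = attrs.get("sAMAccountName")
        if name is not None and name.lower() in self.sam_names:
            raise AddError("sAMAccountName '%s' already used by %s"
                           % (name, self.sam_names[name.lower()]))
        # "member" is a linked attribute: every target must already exist.
        for target in attrs.get("member", []):
            if target.lower() not in self.objects:
                raise AddError("link target does not exist: %s" % target)
        self.objects[key] = dict(attrs)
        if name is not None:
            self.sam_names[name.lower()] = dn


def add_missing_objects(directory, missing):
    """Add (dn, attrs) pairs, retrying until a pass adds nothing new.

    Returns the DNs added, in the order they were added. If a whole pass makes
    no progress, raises RuntimeError listing every remaining DN with the error
    it hit, so the operator sees all problematic objects in one run.
    """
    added = []
    remaining = list(missing)
    while remaining:
        still_missing = []
        errors = {}
        for dn, attrs in remaining:
            try:
                directory.add(dn, attrs)
                added.append(dn)
            except AddError as e:
                errors[dn] = str(e)
                still_missing.append((dn, attrs))
        if len(still_missing) == len(remaining):
            detail = "\n".join("%s: %s" % (dn, errors[dn]) for dn, _ in still_missing)
            raise RuntimeError("no progress possible; remaining objects:\n" + detail)
        remaining = still_missing
    return added


DOMAINDN = "DC=example,DC=com"  # constructed placeholder domain


def reference_objects():
    """Constructed reference data, listed so the group precedes its members."""
    return [
        ("CN=Denied RODC Password Replication Group,CN=Users," + DOMAINDN,
         {"sAMAccountName": "Denied RODC Password Replication Group",
          "member": ["CN=krbtgt,CN=Users," + DOMAINDN,
                     "CN=Domain Admins,CN=Users," + DOMAINDN]}),
        ("CN=krbtgt,CN=Users," + DOMAINDN, {"sAMAccountName": "krbtgt"}),
        ("CN=Domain Admins,CN=Users," + DOMAINDN, {"sAMAccountName": "Domain Admins"}),
    ]


def run_clean_upgrade():
    """Empty target: the group fails once, then succeeds on the second pass."""
    return add_missing_objects(ToyDirectory(), reference_objects())


def run_conflicting_upgrade():
    """A moved system object still owns 'Domain Admins': returns the error text."""
    d = ToyDirectory()
    d.add("CN=Admins (old),CN=Users," + DOMAINDN, {"sAMAccountName": "Domain Admins"})
    try:
        add_missing_objects(d, reference_objects())
    except RuntimeError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print("clean run added:", run_clean_upgrade())
    print("conflicting run:\n" + run_conflicting_upgrade())
```

    In the conflicting run the group is stuck only because "Domain Admins" is,
    which is why reporting every remaining object (with its own error) matters:
    the operator removes the stale object once instead of rerunning the script
    per failure.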

commit e0d6b0977eb5c5a2c95ee2de10c7b18550371b50
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 10 20:08:50 2010 +0100

    s4:upgradeprovision - Reformat comments
    
    Make them break at line 80 (better readability).

commit 601ea3a442ba20fe16797953e946d7a113c9b635
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 10 19:49:40 2010 +0100

    s4:repl_meta_data - Transform a "1" into a "true" on a boolean variable

commit 91e210028790397996659116446e6add452707f6
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 10 14:20:09 2010 +0100

    s4:provision_users.ldif - Add objects for IIS
    
    Some WSPP locations point out that they're de-facto standards for Windows
    Server deployments starting with 2008. So we should add them to s4 too.

commit e72787f0af71c616f44d812ccd90e050d74b2630
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 10 15:43:07 2010 +0100

    s4:provision_self_join_modify.ldif - Point out that account "dns" is s4 specific

commit 9ee895fcf6327b1c2f5ee09fa565bd62974e9c58
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 10 15:38:55 2010 +0100

    s4:provision_users.ldif - Fix memberships regarding the denied password RODC replication group

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |    2 +-
 source4/scripting/bin/upgradeprovision          |  128 ++++++++++++++++-------
 source4/setup/provision_self_join_modify.ldif   |    1 +
 source4/setup/provision_users.ldif              |   29 +++++
 4 files changed, 120 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 394ce3e..b4caac4 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -672,7 +672,7 @@ static int replmd_add(struct ldb_module *module, struct ldb_request *req)
         /* check if there's a show relax control (used by provision to say 'I know what I'm doing') */
         control = ldb_request_get_control(req, LDB_CONTROL_RELAX_OID);
 	if (control) {
-		allow_add_guid = 1;
+		allow_add_guid = true;
 	}
 
 	/* do not manipulate our control entries */
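Review bot: the switch to `allow_add_guid = true;` is only a real cleanup if `allow_add_guid` is declared `bool` rather than `int`; the declaration is outside this hunk, so check it and change the type in the same commit if needed. While touching the comment above it, it would help to state the effect of the flag: the relax control is what allows the caller to supply its own objectGUID on add, which is the security-relevant part and is only implied by the 'I know what I'm doing' wording.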
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index da827ac..23980cd 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -66,8 +66,10 @@ GUESS = 	0x04
 PROVISION =	0x08
 CHANGEALL =	0xff
 
-# Attributes that not copied from the reference provision even if they do not exists in the destination object
-# This is most probably because they are populated automatcally when object is created
+# Attributes that are never copied from the reference provision (even if they
+# do not exist in the destination object).
+# This is most probably because they are populated automatcally when object is
+# created
 hashAttrNotCopied = { 	"dn": 1,"whenCreated": 1,"whenChanged": 1,"objectGUID": 1,"replPropertyMetaData": 1,"uSNChanged": 1,\
 						"uSNCreated": 1,"parentGUID": 1,"objectCategory": 1,"distinguishedName": 1,\
 						"showInAdvancedViewOnly": 1,"instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1,\
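Review bot: the reflowed comment keeps the typo `automatcally` (should be `automatically`); since this hunk exists to tidy comments, fix the spelling in the same pass. It would also help to say why entries such as `nextRid`, `dBCSPwd` and `supplementalCredentials` are in the never-copy set (they are per-provision counters and password material, not reference data), since 'populated automatically when object is created' does not describe them.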
@@ -75,8 +77,9 @@ hashAttrNotCopied = { 	"dn": 1,"whenCreated": 1,"whenChanged": 1,"objectGUID": 1
 						"dBCSPwd":1,"supplementalCredentials":1,"gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,\
 						"maxPwdAge":1, "mail":1, "secret":1,"possibleInferiors":1, "sAMAccountType":1}
 
-# Usually for an object that already exists we do not overwrite attributes as they might have been changed for good
-# reasons. Anyway for a few of thems it's mandatory to replace them otherwise the provision will be broken somehow.
+# Usually for an object that already exists we do not overwrite attributes as
+# they might have been changed for good reasons. Anyway for a few of them it's
+# mandatory to replace them otherwise the provision will be broken somehow.
 hashOverwrittenAtt = {	"prefixMap": replace, "systemMayContain": replace,"systemOnly":replace, "searchFlags":replace,\
 			"mayContain":replace,  "systemFlags":replace,"description":replace,
 			"oEMInformation":replace, "operatingSystemVersion":replace, "adminPropertyPages":replace,
@@ -167,11 +170,13 @@ def get_paths(targetdir=None,smbconf=None):
 
 	lp = param.LoadParm()
 	lp.load(smbconf)
-# Normaly we need the domain name for this function but for our needs it's pointless
+# Normally we need the domain name for this function but for our needs it's
+# pointless
 	paths = provision_paths_from_lp(lp,"foo")
 	return paths
 
-# This function guess(fetch) informations needed to make a fresh provision from the current provision
+# This function guesses (fetches) informations needed to make a fresh provision
+# from the current provision
 # It includes: realm, workgroup, partitions, netbiosname, domain guid, ...
 def guess_names_from_current_provision(credentials,session_info,paths):
 	lp = param.LoadParm()
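Review bot: 'informations' in the reflowed comment should be 'information' (uncountable). The comment above `provision_paths_from_lp(lp,"foo")` should also say outright that `"foo"` is a deliberate placeholder for the unused domain name, otherwise the next reader will take it for a bug.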
@@ -191,11 +196,13 @@ def guess_names_from_current_provision(credentials,session_info,paths):
 	names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
 
 	names.smbconf = smbconf
-	#It's important here to let ldb load with the old module or it's quite certain that the LDB won't load ...
+	# It's important here to let ldb load with the old module or it's quite
+	# certain that the LDB won't load ...
 	samdb = Ldb(paths.samdb, session_info=session_info,
 		    credentials=credentials, lp=lp, options=["modules:samba_dsdb"])
 
-	# That's a bit simplistic but it's ok as long as we have only 3 partitions
+	# That's a bit simplistic but it's ok as long as we have only 3
+	# partitions
 	attrs2 = ["defaultNamingContext", "schemaNamingContext","configurationNamingContext","rootDomainNamingContext"]
 	current = samdb.search(expression="(objectClass=*)",base="", scope=SCOPE_BASE, attrs=attrs2)
 
@@ -311,9 +318,10 @@ def newprovision(names,setup_dir,creds,session,smbconf):
 		ldap_dryrun_mode=None)
 	return provdir
 
-# This function sorts two dn in the lexicographical order and put higher level DN before
-# So given the dns cn=bar,cn=foo and cn=foo the later will be return as smaller (-1) as it has less
-# level
+# This function sorts two DNs in the lexicographical order and put higher level
+# DN before.
+# So given the dns cn=bar,cn=foo and cn=foo the later will be return as smaller
+# (-1) as it has less level
 def dn_sort(x,y):
 	p = re.compile(r'(?<!\\),')
 	tab1 = p.split(str(x))
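Review bot: the reflowed `dn_sort` comment is still ungrammatical ('the later will be return as smaller (-1) as it has less level'); suggest 'the latter will be returned as smaller (-1) since it has fewer levels'. Worth adding one line noting that the regexp `(?<!\\),` splits only on unescaped commas, which is what makes the comparator safe for DNs containing `\,` in an RDN value.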
@@ -343,7 +351,7 @@ def dn_sort(x,y):
 					return -1
 	return ret
 
-# check from security descriptors modifications return 1 if it is 0 otherwise
+# Check for security descriptors modifications return 1 if it is and 0 otherwise
 # it also populate hash structure for later use in the upgrade process
 def handle_security_desc(ischema,att,msgElt,hashallSD,old,new):
 	if ischema == 1 and att == "defaultSecurityDescriptor"  and msgElt.flags() == ldb.FLAG_MOD_REPLACE:
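Review bot: 'Check for security descriptors modifications return 1 if it is and 0 otherwise' still does not parse; suggest 'Check for security descriptor modifications; return 1 if there are any, 0 otherwise. Also populates hashallSD for later use in the upgrade.' The function returns `1`/`0` where `True`/`False` would read better, the same cleanup this push applies to `allow_add_guid` in repl_meta_data.c.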
@@ -361,8 +369,8 @@ def handle_security_desc(ischema,att,msgElt,hashallSD,old,new):
 		return 1
 	return 0
 
-# Hangle special cases ... That's when we want to update an attribute only
-# if it has a certain value or if it's for a certain object or
+# Handle special cases ... That's when we want to update a particular attribute
+# only, e.g. if it has a certain value or if it's for a certain object or
 # a class of object.
 # It can be also if we want to do a merge of value instead of a simple replace
 def handle_special_case(att,delta,new,old,ischema):
@@ -431,7 +439,8 @@ def update_secrets(newpaths,paths,creds,session):
 	for i in range(0,len(reference)):
 		hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
 
-	# Create a hash for speeding the search of existing object in the current provision
+	# Create a hash for speeding the search of existing object in the
+	# current provision
 	for i in range(0,len(current)):
 		hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
 
@@ -486,9 +495,9 @@ def update_secrets(newpaths,paths,creds,session):
 
 
 # Check difference between the current provision and the reference provision.
-# It looks for all object which base DN is name if ischema is false then scan is done in
-# cross partition mode.
-# If ischema is true, then special handling is done for dealing with schema
+# It looks for all objects which base DN is name. If ischema is "false" then
+# the scan is done in cross partition mode.
+# If "ischema" is true, then special handling is done for dealing with schema
 def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
 	hash_new = {}
 	hash = {}
@@ -497,7 +506,8 @@ def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
 	listPresent = []
 	reference = []
 	current = []
-	# Connect to the reference provision and get all the attribute in the partition referred by name
+	# Connect to the reference provision and get all the attribute in the
+	# partition referred by name
 	newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
 	sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
 	sam_ldb.transaction_start()
@@ -513,7 +523,8 @@ def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
 	for i in range(0,len(reference)):
 		hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
 
-	# Create a hash for speeding the search of existing object in the current provision
+	# Create a hash for speeding the search of existing object in the
+	# current provision
 	for i in range(0,len(current)):
 		hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
 
@@ -523,40 +534,78 @@ def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
 		else:
 			listPresent.append(hash_new[k])
 
-	# Sort the missing object in order to have object of the lowest level first (which can be
-	# containers for higher level objects)
+	# Sort the missing object in order to have object of the lowest level
+	# first (which can be containers for higher level objects)
 	listMissing.sort(dn_sort)
 	listPresent.sort(dn_sort)
 
 	if ischema:
-		# The following lines (up to the for loop) is to load the up to date schema into our current LDB
-		# a complete schema is needed as the insertion of attributes and class is done against it
+		# The following lines (up to the for loop) is to load the up to
+		# date schema into our current LDB
+		# a complete schema is needed as the insertion of attributes
+		# and class is done against it
 		# and the schema is self validated
-		# The double ldb open and schema validation is taken from the initial provision script
+		# The double ldb open and schema validation is taken from the
+		# initial provision script
 		# it's not certain that it is really needed ....
 		sam_ldb = Ldb(session_info=session, credentials=creds, lp=lp)
 		schema = Schema(setup_path, names.domainsid, schemadn=basedn, serverdn=str(names.serverdn))
 		# Load the schema from the one we computed earlier
 		sam_ldb.set_schema_from_ldb(schema.ldb)
-		# And now we can connect to the DB - the schema won't be loaded from the DB
+		# And now we can connect to the DB - the schema won't be loaded
+		# from the DB
 		sam_ldb.connect(paths.samdb)
 	else:
 		sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
 
 	sam_ldb.transaction_start()
 
-	empty = ldb.Message()
-	message(SIMPLE,"There are %d missing objects"%(len(listMissing)))
-	for dn in listMissing:
-		reference = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
-		delta = sam_ldb.msg_diff(empty,reference[0])
-		for att in hashAttrNotCopied.keys():
-			delta.remove(att)
-		for att in backlinked:
-			delta.remove(att)
-		delta.dn = dn
+	err_num = 0
+	err_msg = ""
+	while len(listMissing) > 0:
+		listMissing2 = []
+
+		empty = ldb.Message()
+		message(SIMPLE,"There are still %d objects missing"%(len(listMissing)))
 
-		sam_ldb.add(delta,["relax:0"])
+		for dn in listMissing:
+			reference = newsam_ldb.search(expression="dn=%s" % (str(dn)),
+						      base=basedn, scope=SCOPE_SUBTREE,
+						      controls=["search_options:1:2"])
+			delta = sam_ldb.msg_diff(empty,reference[0])
+			for att in hashAttrNotCopied.keys():
+				delta.remove(att)
+			for att in backlinked:
+				delta.remove(att)
+			delta.dn = dn
+
+			try:
+				sam_ldb.add(delta,["relax:0"])
+				# This is needed here since otherwise the
+				# "replmd_meta_data" module doesn't see the
+				# updated data
+				sam_ldb.transaction_commit()
+				sam_ldb.transaction_start()
+			except LdbError, (num, msg):
+				# An exception can happen if a linked object
+				# doesn't exist which can happen if it is also
+				# to be added
+				err_num = num
+				err_msg = msg
+				listMissing2.append(dn)
+
+		if len(listMissing2) == len(listMissing):
+			# We couldn't add any object in this iteration ->
+			# we have to resign and hope that the user manually
+			# fixes the damage
+
+			message(ERROR, "The script isn't capable to do the upgrade fully automatically!")
+			message(ERROR, "Often this happens when important system objects moved their location. Please look for them (for example doable using the displayed 'sAMAccountName' attribute), backup if personally changed and remove them.")
+			message(ERROR, "Reinvoke this script and reapply eventual modifications done before. It is possible to get this error more than once (for each problematic object).")
+
+			raise LdbError(err_num, err_msg)
+
+		listMissing = listMissing2
 
 	changed = 0
 	for dn in listPresent:
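Review bot: the error path of the retry loop leaves the transaction in an inconsistent state. If `sam_ldb.add()` succeeds but `sam_ldb.transaction_commit()` raises, the `except` branch records the error and continues without calling `transaction_start()` again, so the next `add` runs outside a transaction and the next `transaction_commit()` fails for the wrong reason; and when the no-progress branch reaches `raise LdbError(err_num, err_msg)` the transaction started before the loop is never cancelled. Suggest restarting the transaction in the except path and calling `sam_ldb.transaction_cancel()` before the raise. Only the last `(err_num, err_msg)` of a pass survives, so when several objects are stuck (a group whose `member` points at an object that itself cannot be added, for instance) the user sees one error and is told 'It is possible to get this error more than once'; collecting `(dn, num, msg)` per failed object and printing all of them in the ERROR block lets the user fix everything in a single run. Finally, committing after every successful add means a run that ends in the raise has already persisted the objects that did succeed; the message should say so, since 'reapply eventual modifications done before' assumes the user knows the provision is now partially upgraded.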
@@ -626,7 +675,8 @@ def check_updated_sd(newpaths,paths,creds,session,names):
 				print "%s new sddl/sddl in ref"%key
 				print "%s\n%s"%(sddl,hash_new[key])
 
-# Simple update method for updating the SD that rely on the fact that nobody should have modified the SD
+# Simple update method for updating the SD that rely on the fact that nobody
+# should have modified the SD
 # This assumption is safe right now (alpha9) but should be removed asap
 def update_sd(paths,creds,session,names):
 	sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"])
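Review bot: 'safe right now (alpha9)' will rot as soon as the next alpha ships; tie the caveat to a tracking bug or a TODO rather than a release name. Since `update_sd` rests on the assumption that nobody changed an SD, and silently reverting an administrator's hardened SD is exactly the case that assumption misses, it should at least log each SD it replaces (`check_updated_sd` above already prints the old/new SDDL pairs, so the same output could be emitted here) so a deliberate change is not lost without trace.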
@@ -748,7 +798,7 @@ def update_machine_account_password(paths,creds,session,names):
 
 		secretsdb_self_join(secrets_ldb, domain=names.domain,
 				    realm=names.realm,
-					domainsid=names.domainsid,
+				    domainsid=names.domainsid,
 				    dnsdomain=names.dnsdomain,
 				    netbiosname=names.netbiosname,
 				    machinepass=machinepass,
diff --git a/source4/setup/provision_self_join_modify.ldif b/source4/setup/provision_self_join_modify.ldif
index 394398a..f81a2b6 100644
--- a/source4/setup/provision_self_join_modify.ldif
+++ b/source4/setup/provision_self_join_modify.ldif
@@ -34,6 +34,7 @@ add: servicePrincipalName
 servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
 servicePrincipalName: ldap/${NTDSGUID}._msdcs.${DNSDOMAIN}
 
+# NOTE: This account is SAMBA4 specific!
 dn: CN=dns,CN=Users,${DOMAINDN}
 changetype: add
 objectClass: top
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 1fc0936..2247094 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -165,6 +165,14 @@ dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
 description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.
+member: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
+member: CN=Domain Admins,CN=Users,${DOMAINDN}
+member: CN=Cert Publishers,CN=Users,${DOMAINDN}
+member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
+member: CN=Schema Admins,CN=Users,${DOMAINDN}
+member: CN=Domain Controllers,CN=Users,${DOMAINDN}
+member: CN=krbtgt,CN=Users,${DOMAINDN}
 objectSid: ${DOMAINSID}-572
 sAMAccountName: Denied RODC Password Replication Group
 groupType: -2147483644
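Review bot: the eight `member` values match the default membership of Denied RODC Password Replication Group on Windows, which is what keeps the Domain Admins, Enterprise Admins, Schema Admins, Domain Controllers and krbtgt secrets from ever being cached on an RODC, so the fix is right. Two checks: `member` is a linked attribute, so every target DN listed here (Read-Only Domain Controllers, Cert Publishers, krbtgt, ...) must already exist when this entry is added, i.e. appear earlier in the LDIF or be covered by the retry loop added to upgradeprovision in this same push; and `CN=krbtgt` is a user object, so confirm it is defined before this entry rather than later in the file.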
@@ -187,6 +195,11 @@ objectClass: top
 objectClass: foreignSecurityPrincipal
 objectSid: S-1-5-11
 
+dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-17
+
 dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
 objectClass: top
 objectClass: foreignSecurityPrincipal
@@ -381,6 +394,17 @@ systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
+dn: CN=IIS_IUSRS,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Integrated group used by the IIS
+member: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectSid: S-1-5-32-568
+sAMAccountName: IIS_IUSRS
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
+
 dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
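Review bot: RID 568 (`S-1-5-32-568`) is the well-known RID of IIS_IUSRS and `S-1-5-17` (IUSR) as its default member is correct, but the description 'Integrated group used by the IIS' is not the text Windows ships; Windows uses 'Built-in group used by Internet Information Services.' Matching it matters here because `description` is in `hashOverwrittenAtt` in upgradeprovision, so a differing string shows up as a spurious change every time a provision is diffed against the reference.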
@@ -468,6 +492,11 @@ objectClass: top
 objectClass: foreignSecurityPrincipal
 objectSid: S-1-5-4
 
+dn: CN=IUSR,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-17
+
 dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
 objectClass: top
 objectClass: foreignSecurityPrincipal


-- 
Samba Shared Repository

