[SCM] Samba Shared Repository - branch master updated
Jelmer Vernooij
jelmer at samba.org
Sat Jun 19 16:43:51 MDT 2010
The branch, master has been updated
via 38a26f7... s4 upgradeprovision: Make grouped commit / rollback more resistant to unexpected problems
via c4f7b0e... s4 upgradeprovision: Check that the policy for DC is present if not warn the user
via aea0003... s4 upgradeprovision: Emit message instead of crashing when not able to set acl
via 17af115... s4 upgradeprovision: add an option to force the rebuilding of FS ACLs on sysvols share
via 59f17f9... s4 unittests: add unit tests for upgradehelpers
via 75389ce... s4 upgradeprovision: Add function for searching stored constructed attributes
via f3e7d0a... s4: Using control bypassoperational allow the logic of this module to be bypassed for some given attributes
via 3ebe560... ldb: add a new control bypassioperationnal
via 9c5f0ed... s4 upgradeprovision: additional restyling
via 423f991... s4 upgradeprovision: Restyle imports
via fbeacc1... s4 upgradeprovision: Move functions to helpers and improve code
via 8ff65b0... s4 python: Update unit tests related to create secrets
via 9c808c4... s4: Add comments about setup_secrets
via 84342b1... s4 upgradeprovision: Add documentation on the update process
via a466e0d... s4 python: Add unit tests for upgradeprovision related stuff
via ad55248... s4 upgradeprovision: move some functions to upgradehelpers for unit tests
via 0537de1... s4 upgradeprovision: Fix style
via b624440... s4 upgradeprovision: Use replPropertyMetaData for better guess
via dd963dd... s4 upgradeprovision: Reformat attributes lists and reformat parser
via 60400a7... s4 upgradeprovision: Inform about new dns dynamic update if the provision didn't have it
via 26ccc3f... s4 upgradeprovision: fix style
via 0ff46ec... s4 upgrade provision: Refactor code to do all the modification within 1 transaction
via ec90b1b... s4 upgrade provision: Fix style in gen_dn_index
via 50072e2... s4 Add functions related to ldb manipulation when doing upgrade
via e2df3c2... s4 provision: Add information about provisioned usn range in sam.ldb
from c92db7b... python: Use samba.tests.TestCase, make sure base class tearDown and setUp methods are called, fix formatting.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 38a26f79eaded8364a178ba2aac71e64f5d60be5
Author: Matthieu Patou <mat at matws.net>
Date: Wed Jun 16 11:25:19 2010 +0400
s4 upgradeprovision: Make grouped commit / rollback more resistant to unexpected problems
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit c4f7b0e5f673943dfdda88f3e289912778a07a33
Author: Matthieu Patou <mat at matws.net>
Date: Mon Jun 14 12:28:58 2010 +0400
s4 upgradeprovision: Check that the policy for DC is present if not warn the user
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit aea0003d088f5e5f7d1393d4d75f570418dda043
Author: Matthieu Patou <mat at matws.net>
Date: Mon Jun 14 02:14:48 2010 +0400
s4 upgradeprovision: Emit message instead of crashing when not able to set acl
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 17af115de59fc3b52134a44ae1b0c5170b8f67e3
Author: Matthieu Patou <mat at matws.net>
Date: Mon Jun 14 01:50:47 2010 +0400
s4 upgradeprovision: add an option to force the rebuilding of FS ACLs on sysvols share
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 59f17f9e64f4fdf4a63440e20d6b30008072b4df
Author: Matthieu Patou <mat at matws.net>
Date: Tue Jun 15 12:53:18 2010 +0400
s4 unittests: add unit tests for upgradehelpers
The functions tested are:
* construct_existor_expr
* search_constructed_attrs_stored
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 75389cecdde884356e222e3f846e7358f82c20c0
Author: Matthieu Patou <mat at matws.net>
Date: Tue Jun 15 12:50:29 2010 +0400
s4 upgradeprovision: Add function for searching stored constructed attributes
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit f3e7d0ae8f63c57fc0ec7680b2863c6f50e167fe
Author: Matthieu Patou <mat at matws.net>
Date: Tue Jun 15 02:41:18 2010 +0400
s4: Using control bypassoperational allow the logic of this module to be bypassed for some given attributes
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 3ebe56062297e52cf31499c6eb63c7ce70073bcc
Author: Matthieu Patou <mat at matws.net>
Date: Tue Jun 15 02:23:11 2010 +0400
ldb: add a new control bypassioperationnal
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 9c5f0ed7298e666fcfa05257fc7abfb6d3208433
Author: Matthieu Patou <mat at matws.net>
Date: Tue Jun 15 23:41:39 2010 +0400
s4 upgradeprovision: additional restyling
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 423f99172efcb57a654af5a6fcbad1045f210027
Author: Matthieu Patou <mat at matws.net>
Date: Thu Jun 10 01:00:43 2010 +0400
s4 upgradeprovision: Restyle imports
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit fbeacc1013bc3a95f19d7932a2bbf3d28176a977
Author: Matthieu Patou <mat at matws.net>
Date: Tue Jun 8 00:01:16 2010 +0400
s4 upgradeprovision: Move functions to helpers and improve code
Among the code improvements, the most significant part is that we now
compare DN objects instead of their string representation. It allows
us to better react to case and white space differences.
Some new move objects have been added (ie. System into well known
security principals).
This will allow more unittesting
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 8ff65b0136f442204f4d059fb1a13ad4a6419ab4
Author: Matthieu Patou <mat at matws.net>
Date: Fri May 7 04:22:36 2010 +0400
s4 python: Update unit tests related to create secrets
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 9c808c47fc2fddac396d12452428443f3ab26073
Author: Matthieu Patou <mat at matws.net>
Date: Mon May 24 09:41:44 2010 +0400
s4: Add comments about setup_secrets
Comments are to inform people that this function should not handle
transactions within the function as it is mainly used in provision and
that we want to commit secrets only if all the actions on secrets have
worked.
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 84342b1c7f289e5288470d4d4e3899aac6f042c5
Author: Matthieu Patou <mat at matws.net>
Date: Fri May 7 16:26:26 2010 +0400
s4 upgradeprovision: Add documentation on the update process
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit a466e0d61a97da648970eea02c246c08c503c421
Author: Matthieu Patou <mat at matws.net>
Date: Tue May 4 00:01:00 2010 +0400
s4 python: Add unit tests for upgradeprovision related stuff
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit ad55248958fe9aaeb6ebdc6f2d4c66a85ead6786
Author: Matthieu Patou <mat at matws.net>
Date: Tue Jun 8 00:52:25 2010 +0400
s4 upgradeprovision: move some functions to upgradehelpers for unit tests
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 0537de17c124b8ceccbeb9a57e9636a461239774
Author: Matthieu Patou <mat at matws.net>
Date: Tue Jun 8 01:13:45 2010 +0400
s4 upgradeprovision: Fix style
reformat *_update_samdb functions
fix_partition_sd
rebuild_sd
update_samdb
update_privilege
update_machine_account_password
update_gpo
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit b624440a0fc99c43e97c73ffe7e17621a17b59ae
Author: Matthieu Patou <mat at matws.net>
Date: Mon Jun 7 16:27:48 2010 +0400
s4 upgradeprovision: Use replPropertyMetaData for better guess
Rework upgradeprovision in order to get more precise updates when doing upgrade provision.
This is done through the use of replPropertyMetaData information and raw information revealed by the
"reveal" control.
The code has been changed also to avoid double free error when changing the schema (for old provision).
Checking of SD is done a bit more cleverly as we compare the different parts for an ACL separately.
Fix logic when upgrading provision without replPropertyMetaData infos
Also for old provision (pre alpha9) do not copy the usn range because data here will be wrong
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit dd963ddb4e84bb1b7bea6ecb3a1e045d170338dc
Author: Matthieu Patou <mat at matws.net>
Date: Mon Jun 7 23:47:43 2010 +0400
s4 upgradeprovision: Reformat attributes lists and reformat parser
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 60400a7803d765fd53100fe088f1237e67887fe3
Author: Matthieu Patou <mat at matws.net>
Date: Fri Apr 9 02:55:38 2010 +0400
s4 upgradeprovision: Inform about new dns dynamic update if the provision didn't have it
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 26ccc3f4400165448f9a53efdec224d11f290783
Author: Matthieu Patou <mat at matws.net>
Date: Tue Jun 8 00:21:48 2010 +0400
s4 upgradeprovision: fix style
add_deletedobj_containers
add missing objects
clean add-mising
handle special add + dump denied
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 0ff46ec557009ec2dff0650dd39d6314e9df3a4e
Author: Matthieu Patou <mat at matws.net>
Date: Sun May 2 19:56:03 2010 +0400
s4 upgrade provision: Refactor code to do all the modification within 1 transaction
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit ec90b1b40e1f610dfc1e2aa3ba91c0b27dde4f60
Author: Matthieu Patou <mat at matws.net>
Date: Tue Jun 8 00:21:00 2010 +0400
s4 upgrade provision: Fix style in gen_dn_index
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit 50072e27fec0d3528e111ec566204f4e39e24ea5
Author: Matthieu Patou <mat at matws.net>
Date: Sun May 2 19:56:31 2010 +0400
s4 Add functions related to ldb manipulation when doing upgrade
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
commit e2df3c251060d634c8538dd7e771819ccf196130
Author: Matthieu Patou <mat at matws.net>
Date: Thu Apr 22 12:53:12 2010 +0400
s4 provision: Add information about provisioned usn range in sam.ldb
Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/operational.c | 49 +-
source4/lib/ldb/common/ldb_controls.c | 27 +
source4/lib/ldb/include/ldb.h | 9 +
source4/lib/ldb/tests/test-controls.sh | 1 +
source4/scripting/bin/upgradeprovision | 1714 +++++++++++++-------
source4/scripting/python/samba/provision.py | 98 ++
source4/scripting/python/samba/tests/provision.py | 13 +
.../python/samba/tests/upgradeprovision.py | 137 ++
.../python/samba/tests/upgradeprovisionneeddc.py | 144 ++
source4/scripting/python/samba/upgradehelpers.py | 653 +++++++-
source4/selftest/tests.sh | 2 +
source4/setup/schema_samba4.ldif | 1 +
12 files changed, 2211 insertions(+), 637 deletions(-)
create mode 100644 source4/scripting/python/samba/tests/upgradeprovision.py
create mode 100644 source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index e967f8a..e5aa516 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -478,6 +478,18 @@ static int construct_msds_keyversionnumber(struct ldb_module *module,
}
+struct op_controls_flags {
+ bool sd;
+ bool bypassoperational;
+};
+
+static bool check_keep_control_for_attribute(struct op_controls_flags* controls_flags, const char* attr) {
+ if (ldb_attr_cmp(attr, "msDS-KeyVersionNumber") == 0 && controls_flags->bypassoperational) {
+ return true;
+ }
+ return false;
+}
+
/*
a list of attribute names that should be substituted in the parse
tree before the search is done
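Review bot: check_keep_control_for_attribute() hard-codes 'msDS-KeyVersionNumber', so the generically named OPERATIONAL_REMOVE_UNLESS_CONTROL only ever works for that one attribute, and adding a second entry to operational_remove[] with this op would silently strip it even when the control is present. Either name the enum value after the bypassoperational control or drive the helper from a table of (attribute, control flag) pairs. The helper modifies nothing, so controls_flags can be a pointer to const, and the new function has no comment saying what 'keep' means for the caller.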
@@ -517,7 +529,8 @@ static const struct {
enum op_remove {
OPERATIONAL_REMOVE_ALWAYS, /* remove always */
OPERATIONAL_REMOVE_UNASKED,/* remove if not requested */
- OPERATIONAL_SD_FLAGS /* show if SD_FLAGS_OID set, or asked for */
+ OPERATIONAL_SD_FLAGS, /* show if SD_FLAGS_OID set, or asked for */
+ OPERATIONAL_REMOVE_UNLESS_CONTROL /* remove always unless an adhoc control has been specified */
};
/*
@@ -531,7 +544,7 @@ static const struct {
enum op_remove op;
} operational_remove[] = {
{ "nTSecurityDescriptor", OPERATIONAL_SD_FLAGS },
- { "msDS-KeyVersionNumber", OPERATIONAL_REMOVE_ALWAYS },
+ { "msDS-KeyVersionNumber", OPERATIONAL_REMOVE_UNLESS_CONTROL },
{ "parentGUID", OPERATIONAL_REMOVE_ALWAYS },
{ "replPropertyMetaData", OPERATIONAL_REMOVE_UNASKED },
{ "unicodePwd", OPERATIONAL_REMOVE_UNASKED },
@@ -553,7 +566,7 @@ static int operational_search_post_process(struct ldb_module *module,
enum ldb_scope scope,
const char * const *attrs_from_user,
const char * const *attrs_searched_for,
- bool sd_flags_set)
+ struct op_controls_flags* controls_flags)
{
struct ldb_context *ldb;
unsigned int i, a = 0;
@@ -574,8 +587,15 @@ static int operational_search_post_process(struct ldb_module *module,
case OPERATIONAL_REMOVE_ALWAYS:
ldb_msg_remove_attr(msg, operational_remove[i].attr);
break;
+ case OPERATIONAL_REMOVE_UNLESS_CONTROL:
+ if (!check_keep_control_for_attribute(controls_flags, operational_remove[i].attr)) {
+ ldb_msg_remove_attr(msg, operational_remove[i].attr);
+ break;
+ } else {
+ continue;
+ }
case OPERATIONAL_SD_FLAGS:
- if (sd_flags_set ||
+ if (controls_flags->sd ||
ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
continue;
}
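Review bot: the new OPERATIONAL_REMOVE_UNLESS_CONTROL case has no statement after its if/else, so it avoids running into case OPERATIONAL_SD_FLAGS only because both branches leave the switch (break in one, continue in the other). That is easy to break in a later edit. Test the keep condition first and continue, then do the ldb_msg_remove_attr() call followed by an unconditional break at the end of the case, the same shape as OPERATIONAL_REMOVE_ALWAYS above it.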
@@ -585,6 +605,9 @@ static int operational_search_post_process(struct ldb_module *module,
}
for (a=0;attrs_from_user && attrs_from_user[a];a++) {
+ if (check_keep_control_for_attribute(controls_flags, attrs_from_user[a])) {
+ continue;
+ }
for (i=0;i<ARRAY_SIZE(search_sub);i++) {
if (ldb_attr_cmp(attrs_from_user[a], search_sub[i].attr) != 0) {
continue;
@@ -633,7 +656,6 @@ failed:
return -1;
}
-
/*
hook search operations
*/
@@ -643,7 +665,7 @@ struct operational_context {
struct ldb_request *req;
enum ldb_scope scope;
const char * const *attrs;
- bool sd_flags_set;
+ struct op_controls_flags* controls_flags;
};
static int operational_callback(struct ldb_request *req, struct ldb_reply *ares)
@@ -671,7 +693,7 @@ static int operational_callback(struct ldb_request *req, struct ldb_reply *ares)
ac->scope,
ac->attrs,
req->op.search.attrs,
- ac->sd_flags_set);
+ ac->controls_flags);
if (ret != 0) {
return ldb_module_done(ac->req, NULL, NULL,
LDB_ERR_OPERATIONS_ERROR);
@@ -728,10 +750,20 @@ static int operational_search(struct ldb_module *module, struct ldb_request *req
parse_tree_sub[i].replace);
}
+ ac->controls_flags = talloc(ac, struct op_controls_flags);
+ /* remember if the SD_FLAGS_OID was set */
+ ac->controls_flags->sd = (ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID) != NULL);
+ /* remember if the LDB_CONTROL_BYPASSOPERATIONAL_OID */
+ ac->controls_flags->bypassoperational = (ldb_request_get_control(req,
+ LDB_CONTROL_BYPASSOPERATIONAL_OID) != NULL);
+
/* in the list of attributes we are looking for, rename any
attributes to the alias for any hidden attributes that can
be fetched directly using non-hidden names */
for (a=0;ac->attrs && ac->attrs[a];a++) {
+ if (check_keep_control_for_attribute(ac->controls_flags, ac->attrs[a])) {
+ continue;
+ }
for (i=0;i<ARRAY_SIZE(search_sub);i++) {
if (ldb_attr_cmp(ac->attrs[a], search_sub[i].attr) == 0 &&
search_sub[i].replace) {
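Review bot: the result of talloc(ac, struct op_controls_flags) is dereferenced on the next statement without a NULL check, so an allocation failure in operational_search() becomes a NULL pointer write instead of an error return. Check ac->controls_flags and return an out-of-memory error before assigning ->sd and ->bypassoperational. Since the struct is two bools, embedding it by value in struct operational_context would remove the allocation altogether. The comment 'remember if the LDB_CONTROL_BYPASSOPERATIONAL_OID' is also missing its ending ('was set').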
@@ -763,9 +795,6 @@ static int operational_search(struct ldb_module *module, struct ldb_request *req
}
}
- /* remember if the SD_FLAGS_OID was set */
- ac->sd_flags_set = (ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID) != NULL);
-
ret = ldb_build_search_req_ex(&down_req, ldb, ac,
req->op.search.base,
req->op.search.scope,
diff --git a/source4/lib/ldb/common/ldb_controls.c b/source4/lib/ldb/common/ldb_controls.c
index 010ed2d..aff03a0 100644
--- a/source4/lib/ldb/common/ldb_controls.c
+++ b/source4/lib/ldb/common/ldb_controls.c
@@ -486,6 +486,33 @@ struct ldb_control **ldb_parse_control_strings(struct ldb_context *ldb, void *me
continue;
}
+ if (strncmp(control_strings[i], "bypassoperational:", 18) == 0) {
+ const char *p;
+ int crit, ret;
+
+ p = &(control_strings[i][18]);
+ ret = sscanf(p, "%d", &crit);
+ if ((ret != 1) || (crit < 0) || (crit > 1)) {
+ error_string = talloc_asprintf(mem_ctx, "invalid bypassopreational control syntax\n");
+ error_string = talloc_asprintf_append(error_string, " syntax: crit(b)\n");
+ error_string = talloc_asprintf_append(error_string, " note: b = boolean");
+ ldb_set_errstring(ldb, error_string);
+ talloc_free(error_string);
+ return NULL;
+ }
+
+ ctrl[i] = talloc(ctrl, struct ldb_control);
+ if (!ctrl[i]) {
+ ldb_oom(ldb);
+ return NULL;
+ }
+ ctrl[i]->oid = LDB_CONTROL_BYPASSOPERATIONAL_OID;
+ ctrl[i]->critical = crit;
+ ctrl[i]->data = NULL;
+
+ continue;
+ }
+
if (strncmp(control_strings[i], "relax:", 6) == 0) {
const char *p;
int crit, ret;
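Review bot: sscanf(p, "%d", &crit) in the new bypassoperational branch stops at the first non-digit and still returns 1, so a control string such as 'bypassoperational:1junk' is accepted as valid. If strict syntax is wanted, verify that nothing follows the digit. The error text also misspells the control name ('bypassopreational'), which makes the message hard to find by searching for the control, and the first talloc_asprintf() result is passed to talloc_asprintf_append() without a NULL check. The literal 18 would be clearer derived from the prefix string.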
diff --git a/source4/lib/ldb/include/ldb.h b/source4/lib/ldb/include/ldb.h
index 2eb395c..9958325 100644
--- a/source4/lib/ldb/include/ldb.h
+++ b/source4/lib/ldb/include/ldb.h
@@ -463,6 +463,15 @@ typedef int (*ldb_qsort_cmp_fn_t) (void *v1, void *v2, void *opaque);
\sa <a href="http://opends.dev.java.net/public/standards/draft-zeilenga-ldap-managedit.txt">draft managedit</a>.
*/
#define LDB_CONTROL_RELAX_OID "1.3.6.1.4.1.4203.666.5.12"
+
+/**
+ OID for getting and manipulating attributes from the ldb
+ without interception in the operational module.
+ It can be used to access attribute that used to be stored in the sam
+ and that are now calculated.
+*/
+#define LDB_CONTROL_BYPASSOPERATIONAL_OID "1.3.6.1.4.1.7165.4.3.13"
+
/**
OID for recalculate SD control. This control force the
dsdb code to recalculate the SD of the object as if the
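Review bot: the doc comment for LDB_CONTROL_BYPASSOPERATIONAL_OID says 'getting and manipulating attributes', but the operational.c hunks in this changeset only touch the search path and only honour the control for msDS-KeyVersionNumber. The comment should state that scope, and should say who is expected to send the control: the operational.c code shown tests only whether the control is present on the request, so a reader cannot tell from here whether any caller may use it to see the stored value. Also 'access attribute' should read 'access attributes'.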
diff --git a/source4/lib/ldb/tests/test-controls.sh b/source4/lib/ldb/tests/test-controls.sh
index db139bb..c78acbf 100755
--- a/source4/lib/ldb/tests/test-controls.sh
+++ b/source4/lib/ldb/tests/test-controls.sh
@@ -42,5 +42,6 @@ replace someThing
someThing: someThingElseBetter
EOF
+$VALGRIND ldbsearch --controls "bypassoperational:0" >/dev/null 2>&1 || exit 1
set
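Review bot: the added ldbsearch line only proves that 'bypassoperational:0' parses, since its output goes to /dev/null and only the exit status is checked. It does not show that the control changes what a search returns, and it never exercises the error branch added in ldb_parse_control_strings(). Add a case with an invalid value (for example 'bypassoperational:2') that is expected to fail, and, where the test database allows it, a search whose result is compared with and without the control.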
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index b7582d0..a478856 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -1,7 +1,7 @@
#!/usr/bin/env python
# vim: expandtab
#
-# Copyright (C) Matthieu Patou <mat at matws.net> 2009
+# Copyright (C) Matthieu Patou <mat at matws.net> 2009 - 2010
#
# Based on provision a Samba4 server by
# Copyright (C) Jelmer Vernooij <jelmer at samba.org> 2007-2008
@@ -28,6 +28,8 @@ import os
import shutil
import sys
import tempfile
+import re
+import traceback
# Allow to run from s4 source directory (without installing samba)
sys.path.insert(0, "bin/python")
@@ -35,33 +37,37 @@ import samba
import samba.getopt as options
from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session, admin_session
-from samba import Ldb, version
-from ldb import (SCOPE_SUBTREE, SCOPE_BASE, FLAG_MOD_REPLACE,
- FLAG_MOD_ADD, FLAG_MOD_DELETE, MessageElement, Message, Dn)
+from ldb import (SCOPE_SUBTREE, SCOPE_BASE,
+ FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE,
+ MessageElement, Message, Dn)
from samba import param
from samba.misc import messageEltFlagToString
from samba.provision import (find_setup_dir, get_domain_descriptor,
- get_config_descriptor, secretsdb_self_join, set_gpo_acl,
- getpolicypath, create_gpo_struct, ProvisioningError)
+ get_config_descriptor, secretsdb_self_join,
+ ProvisioningError, getLastProvisionUSN,
+ get_max_usn, updateProvisionUSN)
from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
-from samba.dcerpc import security
+from samba.dcerpc import security, drsblobs
from samba.ndr import ndr_unpack
from samba.dcerpc.misc import SEC_CHAN_BDC
-from samba.upgradehelpers import dn_sort, get_paths, newprovision, find_provision_key_parameters
-
+from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
+ find_provision_key_parameters, get_ldbs,
+ usn_in_range, identic_rename, get_diff_sddls,
+ update_secrets, CHANGE, ERROR, SIMPLE,
+ CHANGEALL, GUESS, CHANGESD, PROVISION,
+ updateOEMInfo, getOEMInfo, update_gpo,
+ delta_update_basesamdb, update_policyids)
+
+replace=2**FLAG_MOD_REPLACE
+add=2**FLAG_MOD_ADD
+delete=2**FLAG_MOD_DELETE
never=0
-replace=2^FLAG_MOD_REPLACE
-add=2^FLAG_MOD_ADD
-delete=2^FLAG_MOD_DELETE
+
+
+# Will be modified during provision to tell if default sd has been modified
+# somehow ...
#Errors are always logged
-ERROR = -1
-SIMPLE = 0x00
-CHANGE = 0x01
-CHANGESD = 0x02
-GUESS = 0x04
-PROVISION = 0x08
-CHANGEALL = 0xff
__docformat__ = "restructuredText"
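Review bot: changing replace, add and delete from 2^FLAG_MOD_* to 2**FLAG_MOD_* is a behaviour fix rather than a restyle, because ^ is XOR in Python and the old values were therefore not the bit masks the names suggest. That deserves its own line in the commit message and a unit test on the resulting values, since expressions like replace+add further down depend on them being distinct bits. Separately, the new comment 'Will be modified during provision to tell if default sd has been modified somehow ...' is not followed by any variable in this hunk; attach it to the variable it describes or drop it.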
@@ -70,24 +76,38 @@ __docformat__ = "restructuredText"
# This is most probably because they are populated automatcally when object is
# created
# This also apply to imported object from reference provision
-hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1, "objectGUID": 1, "replPropertyMetaData": 1, "uSNChanged": 1,
- "uSNCreated": 1, "parentGUID": 1, "objectCategory": 1, "distinguishedName": 1,
- "showInAdvancedViewOnly": 1, "instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1,
- "nTMixedDomain": 1, "versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1, "ntPwdHistory":1, "unicodePwd":1,
- "dBCSPwd":1, "supplementalCredentials":1, "gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,
- "maxPwdAge":1, "mail":1, "secret":1, "possibleInferiors":1, "sAMAccountType":1}
+hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1,
+ "objectGUID": 1, "uSNCreated": 1,
+ "replPropertyMetaData": 1, "uSNChanged": 1,
+ "parentGUID": 1, "objectCategory": 1,
+ "distinguishedName": 1, "nTMixedDomain": 1,
+ "showInAdvancedViewOnly": 1, "instanceType": 1,
+ "msDS-Behavior-Version":1, "nextRid":1, "cn": 1,
+ "versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1,
+ "ntPwdHistory":1, "unicodePwd":1,"dBCSPwd":1,
+ "supplementalCredentials":1, "gPCUserExtensionNames":1,
+ "gPCMachineExtensionNames":1,"maxPwdAge":1, "secret":1,
+ "possibleInferiors":1, "privilege":1,
+ "sAMAccountType":1 }
# Usually for an object that already exists we do not overwrite attributes as
# they might have been changed for good reasons. Anyway for a few of them it's
# mandatory to replace them otherwise the provision will be broken somehow.
-hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace, "systemOnly":replace, "searchFlags":replace,
- "mayContain":replace, "systemFlags":replace, "description":replace,
- "oEMInformation":never, "operatingSystemVersion":replace, "adminPropertyPages":replace,
- "defaultSecurityDescriptor": replace, "wellKnownObjects":replace, "privilege":delete, "groupType":replace,
- "rIDAvailablePool": never}
+# But for attribute that are just missing we do not have to specify them as the default
+# behavior is to add missing attribute
+hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace,
+ "systemOnly":replace, "searchFlags":replace,
+ "mayContain":replace, "systemFlags":replace+add,
+ "description":replace, "operatingSystemVersion":replace,
+ "adminPropertyPages":replace, "groupType":replace,
+ "wellKnownObjects":replace, "privilege":never,
+ "defaultSecurityDescriptor": replace,
+ "rIDAvailablePool": never,
+ "defaultSecurityDescriptor": replace + add }
backlinked = []
+forwardlinked = {}
dn_syntax_att = []
def define_what_to_log(opts):
what = 0
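Review bot: the new hashOverwrittenAtt literal lists 'defaultSecurityDescriptor' twice, first with replace and then with replace + add. Python keeps the last value silently, so the first entry is dead and a reader cannot tell which one was intended. Keep a single entry. The same hunk drops 'mail' from hashAttrNotCopied, drops the 'oEMInformation': never entry and changes 'privilege' from delete to never; each of these changes which attributes an upgrade will touch and none is explained in a comment here.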
@@ -111,13 +131,20 @@ parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("--setupdir", type="string", metavar="DIR",
- help="directory with setup files")
+ help="directory with setup files")
parser.add_option("--debugprovision", help="Debug provision", action="store_true")
-parser.add_option("--debugguess", help="Print information on what is different but won't be changed", action="store_true")
-parser.add_option("--debugchange", help="Print information on what is different but won't be changed", action="store_true")
-parser.add_option("--debugchangesd", help="Print information security descriptors differences", action="store_true")
-parser.add_option("--debugall", help="Print all available information (very verbose)", action="store_true")
-parser.add_option("--full", help="Perform full upgrade of the samdb (schema, configuration, new objects, ...", action="store_true")
+parser.add_option("--debugguess", action="store_true",
+ help="Print information on what is different but won't be changed")
+parser.add_option("--debugchange", action="store_true",
+ help="Print information on what is different but won't be changed")
+parser.add_option("--debugchangesd", action="store_true",
+ help="Print information security descriptors differences")
+parser.add_option("--debugall", action="store_true",
+ help="Print all available information (very verbose)")
+parser.add_option("--resetfileacl", action="store_true",
+ help="Force a reset on filesystem acls in sysvol / netlogon share")
+parser.add_option("--full", action="store_true",
+ help="Perform full upgrade of the samdb (schema, configuration, new objects, ...")
opts = parser.parse_args()[0]
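Review bot: --debugguess and --debugchange are re-wrapped here but still carry the identical help string 'Print information on what is different but won't be changed', so the usage output cannot tell the two apart; since the lines are being touched anyway, give --debugchange a help text that describes what it prints. The --full help string opens a parenthesis that is never closed. The new --resetfileacl option would benefit from saying in its help that it rewrites ACLs on sysvol and netlogon regardless of their current state, as that is a change an administrator will want to know about before using it.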
@@ -149,65 +176,84 @@ setup_dir = opts.setupdir
if setup_dir is None:
setup_dir = find_setup_dir()
-session = system_session()
-def identic_rename(ldbobj,dn):
- """Perform a back and forth rename to trigger renaming on attribute that can't be directly modified.
- :param lbdobj: An Ldb Object
- :param dn: DN of the object to manipulate """
- (before,sep,after)=str(dn).partition('=')
- ldbobj.rename(dn,Dn(ldbobj,"%s=foo%s"%(before,after)))
- ldbobj.rename(Dn(ldbobj,"%s=foo%s"%(before,after)),dn)
+def check_for_DNS(refprivate, private):
+ """Check if the provision has already the requirement for dynamic dns
+
+ :param refprivate: The path to the private directory of the reference
+ provision
+ :param private: The path to the private directory of the upgraded
+ provision"""
+
+ spnfile = "%s/spn_update_list" % private
+ namedfile = lp.get("dnsupdate:path")
+
+ if not namedfile:
+ namedfile = "%s/named.conf.update" % private
+
+ if not os.path.exists(spnfile):
+ shutil.copy("%s/spn_update_list" % refprivate, "%s" % spnfile)
+ destdir = "%s/new_dns" % private
+ dnsdir = "%s/dns" % private
-def populate_backlink(newpaths,creds,session,schemadn):
+ if not os.path.exists(namedfile):
+ if not os.path.exists(destdir):
+ os.mkdir(destdir)
+ if not os.path.exists(dnsdir):
+ os.mkdir(dnsdir)
+ shutil.copy("%s/named.conf" % refprivate, "%s/named.conf" % destdir)
+ shutil.copy("%s/named.txt" % refprivate, "%s/named.txt" % destdir)
+ message(SIMPLE, "It seems that you provision didn't integrate new rules "
+ "for dynamic dns update of domain related entries")
+ message(SIMPLE, "A copy of the new bind configuration files and "
+ "template as been put in %s, you should read them and configure dynamic "
+ " dns update" % destdir)
+
+
+def populate_links(samdb, schemadn):
"""Populate an array with all the back linked attributes
This attributes that are modified automaticaly when
front attibutes are changed
- :param newpaths: a list of paths for different provision objects
- :param creds: credential for the authentification
- :param session: session for connexion
+ :param samdb: A LDB object for sam.ldb file
:param schemadn: DN of the schema for the partition"""
- newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
- linkedAttHash = get_linked_attributes(Dn(newsam_ldb,str(schemadn)),newsam_ldb)
+ linkedAttHash = get_linked_attributes(Dn(samdb, str(schemadn)), samdb)
backlinked.extend(linkedAttHash.values())
+ for t in linkedAttHash.keys():
+ forwardlinked[t] = 1
-def populate_dnsyntax(newpaths,creds,session,schemadn):
- """Populate an array with all the attributes that have DN synthax (oid 2.5.5.1)
+def populate_dnsyntax(samdb, schemadn):
+ """Populate an array with all the attributes that have DN synthax
+ (oid 2.5.5.1)
- :param newpaths: a list of paths for different provision objects
- :param creds: credential for the authentification
- :param session: session for connexion
+ :param samdb: A LDB object for sam.ldb file
:param schemadn: DN of the schema for the partition"""
- newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
- res = newsam_ldb.search(expression="(attributeSyntax=2.5.5.1)",base=Dn(newsam_ldb,str(schemadn)),
- scope=SCOPE_SUBTREE, attrs=["lDAPDisplayName"])
+ res = samdb.search(expression="(attributeSyntax=2.5.5.1)", base=Dn(samdb,
+ str(schemadn)), scope=SCOPE_SUBTREE,
+ attrs=["lDAPDisplayName"])
for elem in res:
dn_syntax_att.append(elem["lDAPDisplayName"])
-def sanitychecks(credentials,session_info,names,paths):
- """Populate an array with all the attributes that have DN synthax (oid 2.5.5.1)
+def sanitychecks(samdb, names):
+ """Make some checks before trying to update
- :param creds: credential for the authentification
- :param session_info: session for connexion
+ :param samdb: An LDB object opened on sam.ldb
:param names: list of key provision parameters
- :param paths: list of path to provision object
:return: Status of check (1 for Ok, 0 for not Ok) """
- sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"])
-
- sam_ldb.set_session_info(session)
- res = sam_ldb.search(expression="objectClass=ntdsdsa", base=str(names.configdn),
- scope=SCOPE_SUBTREE, attrs=["dn"], controls=["search_options:1:2"])
+ res = samdb.search(expression="objectClass=ntdsdsa", base=str(names.configdn),
+ scope=SCOPE_SUBTREE, attrs=["dn"],
+ controls=["search_options:1:2"])
if len(res) == 0:
print "No DC found, your provision is most probably hardly broken !"
return False
elif len(res) != 1:
- print "Found %d domain controllers, for the moment upgradeprovision is not able to handle upgrade on \
-domain with more than one DC, please demote the other(s) DC(s) before upgrading"%len(res)
+ print "Found %d domain controllers, for the moment upgradeprovision" \
+ "is not able to handle upgrade on domain with more than one DC, please demote" \
+ " the other(s) DC(s) before upgrading" % len(res)
return False
else:
return True
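Review bot: in sanitychecks() the rewritten message joins the literals '... for the moment upgradeprovision' and 'is not able to handle ...' with no space between them, so it prints 'upgradeprovisionis'. Add a trailing space to the first literal. The docstring still says the function returns 1 or 0 while the code returns True or False. In check_for_DNS(), lp and message are used but are not parameters, which makes the function hard to unit test, and the user-facing text has typos ('you provision', 'as been put') and a doubled space before 'dns update'. The os.path.exists() then os.mkdir() pairs on destdir and dnsdir will raise if the directory appears between the two calls; catching the already-exists error from os.mkdir() is more robust for a directory under private.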
@@ -217,85 +263,95 @@ def print_provision_key_parameters(names):
"""Do a a pretty print of provision parameters
:param names: list of key provision parameters """
- message(GUESS, "rootdn :"+str(names.rootdn))
- message(GUESS, "configdn :"+str(names.configdn))
- message(GUESS, "schemadn :"+str(names.schemadn))
- message(GUESS, "serverdn :"+str(names.serverdn))
- message(GUESS, "netbiosname :"+names.netbiosname)
- message(GUESS, "defaultsite :"+names.sitename)
- message(GUESS, "dnsdomain :"+names.dnsdomain)
- message(GUESS, "hostname :"+names.hostname)
- message(GUESS, "domain :"+names.domain)
- message(GUESS, "realm :"+names.realm)
- message(GUESS, "invocationid:"+names.invocation)
- message(GUESS, "policyguid :"+names.policyid)
- message(GUESS, "policyguiddc:"+str(names.policyid_dc))
- message(GUESS, "domainsid :"+str(names.domainsid))
- message(GUESS, "domainguid :"+names.domainguid)
- message(GUESS, "ntdsguid :"+names.ntdsguid)
- message(GUESS, "domainlevel :"+str(names.domainlevel))
-
--
Samba Shared Repository