[SCM] Samba Shared Repository - branch master updated
Andrew Tridgell
tridge at samba.org
Wed Jun 22 04:28:02 MDT 2011
The branch, master has been updated
via a353b49 s4-dsdb: bypass validation when relax set
via 6d1fe05 samba-tool: allow for running dbcheck against a remove ldap server
via ff8cdee samba-tool: expanded dbcheck DN checking
via c42aeb7 s4-dsdb: prioritise GUID in extended_dn_in
via d9ee7ae s4-dsdb: catch duplicate matches in extended_dn_in
from 21af0af s3: Added missing includes to .clang_complete.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a353b49047a54461a1b4fd3c5f232adcea5fbeaf
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Jun 22 18:14:14 2011 +1000
s4-dsdb: bypass validation when relax set
this allows dbcheck to fix bad attributes
Autobuild-User: Andrew Tridgell <tridge at samba.org>
Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104
commit 6d1fe054dd93b8d282fcf515fc62f5d5ab72e6a8
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Jun 22 17:38:19 2011 +1000
samba-tool: allow for running dbcheck against a remove ldap server
this is useful for running it against a Windows server
commit ff8cdeecfc28be396dcbdc4af6b7e60ab9de45f1
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Jun 22 17:08:28 2011 +1000
samba-tool: expanded dbcheck DN checking
this now checks for bad GUID elements in DN links, and offers to fix
them when possible
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit c42aeb7872c89983ea274d72b7ef8d9c7a59bc08
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Jun 22 17:07:39 2011 +1000
s4-dsdb: prioritise GUID in extended_dn_in
if we search with a base DN that has both a GUID and a SID, then use
the GUID first. This matters for the S-1-5-17 SID.
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit d9ee7aebcb26c6115e0caeacb90f3f916a5af600
Author: Andrew Tridgell <tridge at samba.org>
Date: Wed Jun 22 17:05:08 2011 +1000
s4-dsdb: catch duplicate matches in extended_dn_in
When searching using extended DNs, if there are multiple matches then
return an object not found error. This is needed for the case of a
duplicate objectSid, which happens for S-1-5-17
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 31 +++-
source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 3 +-
source4/scripting/python/samba/netcmd/dbcheck.py | 144 ++++++++++++++++----
3 files changed, 143 insertions(+), 35 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
index 3e2004d..9a70d9a 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
@@ -103,6 +103,18 @@ static int extended_base_callback(struct ldb_request *req, struct ldb_reply *are
switch (ares->type) {
case LDB_REPLY_ENTRY:
+ if (ac->basedn) {
+ /* we have more than one match! This can
+ happen as S-1-5-17 appears twice in a
+ normal provision. We need to return
+ NO_SUCH_OBJECT */
+ const char *str = talloc_asprintf(req, "Duplicate base-DN matches found for '%s'",
+ ldb_dn_get_extended_linearized(req, ac->req->op.search.base, 1));
+ ldb_set_errstring(ldb_module_get_ctx(ac->module), str);
+ return ldb_module_done(ac->req, NULL, NULL,
+ LDB_ERR_NO_SUCH_OBJECT);
+ }
+
if (!ac->wellknown_object) {
ac->basedn = talloc_steal(ac, ares->message->dn);
break;
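Review bot: The `str` returned by talloc_asprintf on the new duplicate-match path is handed to ldb_set_errstring without a NULL check, so on allocation failure the diagnostic is silently dropped (or worse, depending on how ldb_set_errstring treats NULL, which this hunk does not show). A guard such as `if (str == NULL) { return ldb_module_done(ac->req, NULL, NULL, ldb_oom(ldb_module_get_ctx(ac->module))); }` keeps the OOM visible and matches the ldb_oom handling used elsewhere in this file. The detection also relies on ac->basedn having been set by the first entry; the wellknown_object branch that follows is cut off here, so whether duplicates on that path are caught as well cannot be confirmed from the hunk. extended_base_callback continues outside the hunk.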
@@ -303,30 +315,33 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req
guid_val = ldb_dn_get_extended_component(dn, "GUID");
wkguid_val = ldb_dn_get_extended_component(dn, "WKGUID");
- if (sid_val) {
+ /*
+ prioritise the GUID - we have had instances of
+ duplicate SIDs in the database in the
+ ForeignSecurityPrinciples due to provision errors
+ */
+ if (guid_val) {
all_partitions = true;
base_dn = ldb_get_default_basedn(ldb_module_get_ctx(module));
- base_dn_filter = talloc_asprintf(req, "(objectSid=%s)",
- ldb_binary_encode(req, *sid_val));
+ base_dn_filter = talloc_asprintf(req, "(objectGUID=%s)",
+ ldb_binary_encode(req, *guid_val));
if (!base_dn_filter) {
return ldb_oom(ldb_module_get_ctx(module));
}
base_dn_scope = LDB_SCOPE_SUBTREE;
base_dn_attrs = no_attr;
- } else if (guid_val) {
-
+ } else if (sid_val) {
all_partitions = true;
base_dn = ldb_get_default_basedn(ldb_module_get_ctx(module));
- base_dn_filter = talloc_asprintf(req, "(objectGUID=%s)",
- ldb_binary_encode(req, *guid_val));
+ base_dn_filter = talloc_asprintf(req, "(objectSid=%s)",
+ ldb_binary_encode(req, *sid_val));
if (!base_dn_filter) {
return ldb_oom(ldb_module_get_ctx(module));
}
base_dn_scope = LDB_SCOPE_SUBTREE;
base_dn_attrs = no_attr;
-
} else if (wkguid_val) {
char *wkguid_dup;
char *tail_str;
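Review bot: Now that a base DN carrying both a GUID and a SID is resolved by GUID alone, the SID component is never consulted, so a caller supplying a GUID together with a SID that does not belong to that object is still answered with the GUID's object; nothing in this hunk cross-checks the two. If that is intended (the commit message cites duplicate SIDs for S-1-5-17), the new comment should say so explicitly, e.g. append `when both are present the SID is ignored, not verified against the object found by GUID` to the comment block above `if (guid_val)`. The GUID and SID branches are otherwise identical apart from the attribute name and value; picking the attribute/value pair first and building the filter once would remove the duplication. extended_dn_in_fix starts and ends outside the hunk.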
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index 9df1210..5639a7a 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -140,7 +140,8 @@ static int attr_handler(struct oc_context *ac)
if (!(msg->elements[i].flags & LDB_FLAG_INTERNAL_DISABLE_VALIDATION)) {
werr = attr->syntax->validate_ldb(&syntax_ctx, attr,
&msg->elements[i]);
- if (!W_ERROR_IS_OK(werr)) {
+ if (!W_ERROR_IS_OK(werr) &&
+ !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' contains at least one invalid value!",
msg->elements[i].name,
ldb_dn_get_linearized(msg->dn));
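Review bot: With the relax control present, a value that fails validate_ldb is now accepted silently: the failing `werr` is discarded and nothing is logged, so an invalid value written under relax leaves no trace for later investigation. Consider keeping the failure visible at debug level, e.g. an `else if (!W_ERROR_IS_OK(werr))` branch that emits `ldb_debug(ldb, LDB_DEBUG_WARNING, "objectclass_attrs: accepting invalid value for '%s' on '%s' because RELAX is set", ...)`, plus a one-line comment stating that the bypass exists for dbcheck repairs. The bypass applies to every requester able to attach LDB_CONTROL_RELAX_OID; whether that control is restricted to local or system callers is decided elsewhere and cannot be seen from this hunk. attr_handler starts and ends outside the hunk.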
diff --git a/source4/scripting/python/samba/netcmd/dbcheck.py b/source4/scripting/python/samba/netcmd/dbcheck.py
index 4c9e0a1..93fe3f6 100644
--- a/source4/scripting/python/samba/netcmd/dbcheck.py
+++ b/source4/scripting/python/samba/netcmd/dbcheck.py
@@ -21,7 +21,7 @@
import ldb, sys
import samba.getopt as options
from samba import dsdb
-from samba.common import confirm
+from samba import common
from samba.auth import system_session
from samba.samdb import SamDB
from samba.dcerpc import misc
@@ -74,20 +74,27 @@ class cmd_dbcheck(Command):
Option("--fix", dest="fix", default=False, action='store_true',
help='Fix any errors found'),
Option("--yes", dest="yes", default=False, action='store_true',
- help="don't confirm changes, just do them all"),
+ help="don't confirm changes, just do them all as a single transaction"),
Option("--cross-ncs", dest="cross_ncs", default=False, action='store_true',
help="cross naming context boundaries"),
Option("-v", "--verbose", dest="verbose", action="store_true", default=False,
help="Print more details of checking"),
+ Option("-H", help="LDB URL for database or target server (defaults to local SAM database)", type=str),
]
- def run(self, DN=None, verbose=False, fix=False, yes=False, cross_ncs=False,
+ def run(self, H=None, DN=None, verbose=False, fix=False, yes=False, cross_ncs=False,
scope="SUB", credopts=None, sambaopts=None, versionopts=None):
self.lp = sambaopts.get_loadparm()
self.creds = credopts.get_credentials(self.lp, fallback_machine=True)
- self.samdb = SamDB(session_info=system_session(), url=None,
+ self.samdb = SamDB(session_info=system_session(), url=H,
credentials=self.creds, lp=self.lp)
+ if H is None:
+ self.local_samdb = self.samdb
+ else:
+ self.local_samdb = SamDB(session_info=system_session(), url=None,
+ credentials=self.creds, lp=self.lp)
+
self.verbose = verbose
self.fix = fix
self.yes = yes
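Review bot: The reason for keeping a second, local SamDB when -H points elsewhere is not stated, so readers cannot tell which operations must go to local_samdb. A comment above `if H is None:` such as `# schema lookups and normalisation use the local database; the -H target may be a remote (possibly non-Samba) server` would make the split deliberate rather than incidental. It is also worth saying in the -H help text that fixes are applied to the -H target, not to the local database. run continues outside the hunk.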
@@ -99,9 +106,14 @@ class cmd_dbcheck(Command):
self.search_scope = scope_map[scope]
controls = []
+ if H is not None:
+ controls.append('paged_results:1:1000')
if cross_ncs:
controls.append("search_options:1:2")
+ if self.yes and self.fix:
+ self.samdb.transaction_start()
+
res = self.samdb.search(base=DN, scope=self.search_scope, attrs=['dn'], controls=controls)
print('Checking %u objects' % len(res))
error_count = 0
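Review bot: The transaction opened at `self.samdb.transaction_start()` is only ever committed (in the following hunk, after the summary is printed); any exception raised during the search or one of the fixes propagates out of run with the transaction neither committed nor cancelled, and the sys.exit(1) path relies on the commit having already happened. Wrapping the checking loop so that a failure cancels the transaction keeps a partially-applied --yes --fix run from being left half-done. Whether transaction_start has any effect when -H names a remote LDAP server cannot be told from this hunk; if it is a no-op there, the new --yes help text ("as a single transaction") over-promises for that case. run's body continues outside the hunk.
```python
        if self.yes and self.fix:
            self.samdb.transaction_start()
        try:
            res = self.samdb.search(base=DN, scope=self.search_scope, attrs=['dn'], controls=controls)
            # … unchanged: per-object checking loop and summary output …
        except Exception:
            if self.yes and self.fix:
                self.samdb.transaction_cancel()
            raise
        if self.yes and self.fix:
            self.samdb.transaction_commit()
```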
@@ -110,18 +122,30 @@ class cmd_dbcheck(Command):
if error_count != 0 and not self.fix:
print("Please use --fix to fix these errors")
print('Checked %u objects (%u errors)' % (len(res), error_count))
+
+ if self.yes and self.fix:
+ self.samdb.transaction_commit()
+
if error_count != 0:
sys.exit(1)
+
+ ################################################################
+ # a local confirm function that obeys the --fix and --yes options
+ def confirm(self, msg):
+ '''confirm a change'''
+ if not self.fix:
+ return False
+ return common.confirm(msg, forced=self.yes)
+
+
################################################################
# handle empty attributes
def err_empty_attribute(self, dn, attrname):
'''fix empty attributes'''
print("ERROR: Empty attribute %s in %s" % (attrname, dn))
- if not self.fix:
- return
- if not confirm('Remove empty attribute %s from %s?' % (attrname, dn), self.yes):
+ if not self.confirm('Remove empty attribute %s from %s?' % (attrname, dn)):
print("Not fixing empty attribute %s" % attrname)
return
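Review bot: The new `confirm` helper's docstring `'''confirm a change'''` does not say what callers can rely on: that it answers False whenever --fix is off, and that under --yes it defers to common.confirm with forced=True (presumably answering yes without prompting, which this hunk does not show). Suggest `'''Ask whether to apply a fix: always False without --fix, never prompts under --yes.'''`. The removed `if not self.fix: return` guard in err_empty_attribute now depends on exactly that behaviour, so the docstring is the contract it relies on.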
@@ -145,16 +169,14 @@ class cmd_dbcheck(Command):
print("ERROR: Normalisation error for attribute %s in %s" % (attrname, dn))
mod_list = []
for val in values:
- normalised = self.samdb.dsdb_normalise_attributes(self.samdb, attrname, [val])
+ normalised = self.samdb.dsdb_normalise_attributes(self.local_samdb, attrname, [val])
if len(normalised) != 1:
print("Unable to normalise value '%s'" % val)
mod_list.append((val, ''))
elif (normalised[0] != val):
print("value '%s' should be '%s'" % (val, normalised[0]))
mod_list.append((val, normalised[0]))
- if not self.fix:
- return
- if not confirm('Fix normalisation for %s from %s?' % (attrname, dn), self.yes):
+ if not self.confirm('Fix normalisation for %s from %s?' % (attrname, dn)):
print("Not fixing attribute %s" % attrname)
return
@@ -178,19 +200,18 @@ class cmd_dbcheck(Command):
################################################################
# handle a missing GUID extended DN component
- def err_missing_dn_GUID(self, dn, attrname, val, dsdb_dn):
- print("ERROR: missing GUID component for %s in object %s - %s" % (attrname, dn, val))
+ def err_incorrect_dn_GUID(self, dn, attrname, val, dsdb_dn, errstr):
+ print("ERROR: %s component for %s in object %s - %s" % (errstr, attrname, dn, val))
try:
- res = self.samdb.search(base=dsdb_dn.dn, scope=ldb.SCOPE_BASE, attrs=['objectGUID'])
- except LdbError, (enum, estr):
+ res = self.samdb.search(base=dsdb_dn.dn, scope=ldb.SCOPE_BASE,
+ attrs=[], controls=["extended_dn:1:1"])
+ except ldb.LdbError, (enum, estr):
print("unable to find object for DN %s - cannot fix (%s)" % (dsdb_dn.dn, estr))
return
- guid = res[0]['objectGUID'][0]
- guidstr = str(misc.GUID(guid))
- dsdb_dn.dn.set_extended_component("GUID", guid)
+ dsdb_dn.dn = res[0].dn
- if not confirm('Add GUID %s giving DN %s?' % (guidstr, str(dsdb_dn))):
- print("Not fixing missing GUID")
+ if not self.confirm('Change DN to %s?' % str(dsdb_dn)):
+ print("Not fixing %s" % errstr)
return
m = ldb.Message()
m.dn = dn
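Review bot: For the "incorrect GUID" case the lookup at `base=dsdb_dn.dn` still carries the bad GUID component, and with the extended_dn_in change in this same push a base DN holding a GUID is resolved by GUID first, so this search can be expected to fail just as the caller's did and the method prints "cannot fix". Stripping the extended components before the lookup (e.g. `dsdb_dn.dn.remove_extended_components()`, if that pyldb method is available here) or searching on the plain string DN would let the string form recover the correct GUID. Also `dsdb_dn.dn = res[0].dn` mutates the caller's dsdb_dn before the user has confirmed; harmless while callers `continue` afterwards, but worth a one-line comment. err_incorrect_dn_GUID continues outside the hunk.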
@@ -201,11 +222,54 @@ class cmd_dbcheck(Command):
try:
self.samdb.modify(m)
except Exception, msg:
- print("Failed to fix missing GUID on attribute %s : %s" % (attrname, msg))
+ print("Failed to fix %s on attribute %s : %s" % (errstr, attrname, msg))
return
- print("Fixed missing GUID on attribute %s" % attrname)
+ print("Fixed %s on attribute %s" % (errstr, attrname))
+ ################################################################
+ # handle a DN pointing to a deleted object
+ def err_deleted_dn(self, dn, attrname, val, dsdb_dn, correct_dn):
+ print("ERROR: target DN is deleted for %s in object %s - %s" % (attrname, dn, val))
+ print("Target GUID points at deleted DN %s" % correct_dn)
+ if not self.confirm('Remove DN?'):
+ print("Not removing")
+ return
+ m = ldb.Message()
+ m.dn = dn
+ m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname)
+ if self.verbose:
+ print(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY))
+ try:
+ self.samdb.modify(m)
+ except Exception, msg:
+ print("Failed to remove deleted DN attribute %s : %s" % (attrname, msg))
+ return
+ print("Removed deleted DN on attribute %s" % attrname)
+
+
+ ################################################################
+ # handle a DN string being incorrect
+ def err_dn_target_mismatch(self, dn, attrname, val, dsdb_dn, correct_dn):
+ print("ERROR: incorrect DN string component for %s in object %s - %s" % (attrname, dn, val))
+ dsdb_dn.dn = correct_dn
+
+ if not self.confirm('Change DN to %s?' % str(dsdb_dn)):
+ print("Not fixing %s" % errstr)
+ return
+ m = ldb.Message()
+ m.dn = dn
+ m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname)
+ m['new_value'] = ldb.MessageElement(str(dsdb_dn), ldb.FLAG_MOD_ADD, attrname)
+ if self.verbose:
+ print(self.samdb.write_ldif(m, ldb.CHANGETYPE_MODIFY))
+ try:
+ self.samdb.modify(m)
+ except Exception, msg:
+ print("Failed to fix incorrect DN string on attribute %s : %s" % (attrname, msg))
+ return
+ print("Fixed incorrect DN string on attribute %s" % (attrname))
+
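Review bot: In err_dn_target_mismatch the decline path `print("Not fixing %s" % errstr)` references `errstr`, which is not a parameter of that method (it belongs to err_incorrect_dn_GUID), so answering no at the prompt raises NameError instead of skipping the fix; under --yes the branch is never reached, which is why this passes a --yes --fix run. Change it to `print("Not fixing incorrect DN string")`. err_deleted_dn also names its last parameter `correct_dn` although it only prints it as the deleted target; `deleted_dn` would read more accurately. Both methods are complete within the hunk.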
################################################################
# specialised checking for a dn attribute
@@ -219,9 +283,37 @@ class cmd_dbcheck(Command):
guid = dsdb_dn.dn.get_extended_component("GUID")
if guid is None:
error_count += 1
- self.err_missing_dn_GUID(obj.dn, attrname, val, dsdb_dn)
+ self.err_incorrect_dn_GUID(obj.dn, attrname, val, dsdb_dn, "missing GUID")
+ continue
- return 0
+ guidstr = str(misc.GUID(guid))
+
+ # check its the right GUID
+ try:
+ res = self.samdb.search(base="<GUID=%s>" % guidstr, scope=ldb.SCOPE_BASE,
+ attrs=['isDeleted'], controls=["extended_dn:1:1", "show_deleted:1"])
+ except ldb.LdbError, (enum, estr):
+ error_count += 1
+ self.err_incorrect_dn_GUID(obj.dn, attrname, val, dsdb_dn, "incorrect GUID")
+ continue
+
+ # the target DN might be deleted
+ if (dsdb_dn.prefix != "B:32:18E2EA80684F11D2B9AA00C04F79F805:" and
+ 'isDeleted' in res[0] and
+ res[0]['isDeleted'][0].upper() == "TRUE"):
+ # note that we don't check this for the special wellKnownObjects prefix
+ # for Deleted Objects, as we expect that to be deleted
+ error_count += 1
+ self.err_deleted_dn(obj.dn, attrname, val, dsdb_dn, res[0].dn)
+ continue
+
+ # check the DN matches in string form
+ if res[0].dn.extended_str() != dsdb_dn.dn.extended_str():
+ error_count += 1
+ self.err_dn_target_mismatch(obj.dn, attrname, val, dsdb_dn, res[0].dn)
+ continue
+
+ return error_count
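Review bot: The `except ldb.LdbError` around the `<GUID=%s>` lookup treats every error as "incorrect GUID": a transient failure (connection drop, timeout, or a server-side limit when -H names a remote server) is reported as a bad link and, under --yes --fix, handed to err_incorrect_dn_GUID for rewriting. Only a missing object should take that path: keep `except ldb.LdbError, (enum, estr):` and add `if enum != ldb.ERR_NO_SUCH_OBJECT: raise` before counting the error. The literal `"B:32:18E2EA80684F11D2B9AA00C04F79F805:"` deserves a named constant, since the comment identifies it as the Deleted Objects wellKnownObjects prefix and the exemption should be greppable. The enclosing method starts outside the hunk.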
@@ -250,7 +342,7 @@ class cmd_dbcheck(Command):
# get the syntax oid for the attribute, so we can can have
# special handling for some specific attribute types
- syntax_oid = self.samdb.get_syntax_oid_from_lDAPDisplayName(attrname)
+ syntax_oid = self.local_samdb.get_syntax_oid_from_lDAPDisplayName(attrname)
if syntax_oid in [ dsdb.DSDB_SYNTAX_BINARY_DN, dsdb.DSDB_SYNTAX_OR_NAME,
dsdb.DSDB_SYNTAX_STRING_DN, ldb.LDB_SYNTAX_DN ]:
@@ -259,7 +351,7 @@ class cmd_dbcheck(Command):
# check for incorrectly normalised attributes
for val in obj[attrname]:
- normalised = self.samdb.dsdb_normalise_attributes(self.samdb, attrname, [val])
+ normalised = self.samdb.dsdb_normalise_attributes(self.local_samdb, attrname, [val])
if len(normalised) != 1 or normalised[0] != val:
self.err_normalise_mismatch(dn, attrname, obj[attrname])
error_count += 1