[SCM] Samba Shared Repository - branch master updated
Matthieu Patou
mat at samba.org
Sat May 21 01:51:02 MDT 2011
The branch, master has been updated
via 49c99d0 s4: add blackbox test for rename
via f187338 upgradeprovision: add hostname in the blackbox tests
via 535a9b3 Make the purge first so that the provision can reused during tests
via a0db60d Add a script for renaming a DC
via 22a638b s4-python: Remove not used imports
via 6071ed6 s4-python: move function find_provision_key_parameters to provision namespace as it can be used not only for upgradeprovision
from 4360c5b Patch for bug #8156 - net ads join fails to use the user's kerberos ticket.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 49c99d05159fb601ea076824e0f6a64326fdf8d9
Author: Matthieu Patou <mat at matws.net>
Date: Fri May 20 23:50:55 2011 +0400
s4: add blackbox test for rename
Autobuild-User: Matthieu Patou <mat at samba.org>
Autobuild-Date: Sat May 21 09:50:34 CEST 2011 on sn-devel-104
commit f1873382da63d2344909395d6fa0c1ed9ffa961d
Author: Matthieu Patou <mat at matws.net>
Date: Fri May 20 23:50:11 2011 +0400
upgradeprovision: add hostname in the blackbox tests
commit 535a9b31331c8f0741c786616f9be034abba8e08
Author: Matthieu Patou <mat at matws.net>
Date: Fri May 20 20:45:43 2011 +0400
Make the purge first so that the provision can reused during tests
commit a0db60d3eabc309c3e65915b00e023acd9a13897
Author: Matthieu Patou <mat at matws.net>
Date: Tue Apr 26 00:04:32 2011 +0400
Add a script for renaming a DC
commit 22a638b6165518eb9e640b1437b4552d685925dc
Author: Matthieu Patou <mat at matws.net>
Date: Sat Apr 23 13:47:27 2011 +0400
s4-python: Remove not used imports
commit 6071ed67bf413b0f9245be9038e2e600d8ebb5aa
Author: Matthieu Patou <mat at matws.net>
Date: Fri May 20 19:43:19 2011 +0400
s4-python: move function find_provision_key_parameters to provision namespace as it can be used not only for upgradeprovision
-----------------------------------------------------------------------
Summary of changes:
source4/scripting/bin/renamedc | 200 ++++++++++++++++++++
source4/scripting/bin/upgradeprovision | 4 +-
source4/scripting/devel/chgtdcpass | 3 +-
.../scripting/python/samba/provision/__init__.py | 110 +++++++++++-
.../python/samba/tests/upgradeprovisionneeddc.py | 4 +-
source4/scripting/python/samba/upgradehelpers.py | 113 +-----------
source4/selftest/tests.py | 3 +
source4/setup/tests/blackbox_upgradeprovision.sh | 8 +-
testprogs/blackbox/renamedc.sh | 42 ++++
9 files changed, 364 insertions(+), 123 deletions(-)
create mode 100755 source4/scripting/bin/renamedc
create mode 100755 testprogs/blackbox/renamedc.sh
Changeset truncated at 500 lines:
diff --git a/source4/scripting/bin/renamedc b/source4/scripting/bin/renamedc
new file mode 100755
index 0000000..0915b15
--- /dev/null
+++ b/source4/scripting/bin/renamedc
@@ -0,0 +1,200 @@
+#!/usr/bin/env python
+# vim: expandtab
+#
+# Copyright (C) Matthieu Patou <mat at matws.net> 2011
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+import optparse
+import sys
+# Allow to run from s4 source directory (without installing samba)
+sys.path.insert(0, "bin/python")
+
+import ldb
+import samba
+import samba.getopt as options
+import os
+
+from samba.credentials import DONT_USE_KERBEROS
+from samba.auth import system_session
+from samba import param
+from samba.provision import find_provision_key_parameters, secretsdb_self_join
+from samba.upgradehelpers import get_ldbs, get_paths
+
+
+__docformat__ = "restructuredText"
+
+parser = optparse.OptionParser("provision [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+parser.add_option("--oldname",
+ help="Old DC name")
+parser.add_option("--newname",
+ help="New DC name")
+
+opts = parser.parse_args()[0]
+
+if len(sys.argv) == 1:
+ opts.interactive = True
+lp = sambaopts.get_loadparm()
+smbconf = lp.configfile
+
+creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
+
+if __name__ == '__main__':
+ global defSDmodified
+ defSDmodified = False
+ # 1) First get files paths
+ paths = get_paths(param, smbconf=smbconf)
+ # Get ldbs with the system session, it is needed for searching
+ # provision parameters
+ session = system_session()
+
+ ldbs = get_ldbs(paths, creds, session, lp)
+ ldbs.sam.transaction_start()
+ ldbs.secrets.transaction_start()
+
+ if opts.oldname is None or opts.newname is None:
+ raise Exception("Option oldname or newname is missing")
+ res = ldbs.sam.search(expression="(&(name=%s)(serverReferenceBL=*))" % opts.oldname)
+ if res is None or len(res) != 1:
+ raise Exception("Wrong number of result returned, are you sure of the old name %s" %
+ opts.oldname)
+
+ # Ok got it then check that the new name is not used as well
+ res2 = ldbs.sam.search(expression="(&(name=%s)(objectclass=computer))" % opts.newname)
+ if len(res2) != 0:
+ raise Exception("Seems that %s is a name that already exists, pick another one" %
+ opts.newname)
+
+ names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
+ paths, smbconf, lp)
+
+ #First rename the entry
+ # provision put the name in upper case so let's do it too !
+ newdn = str(res[0].dn).replace("CN=%s" % opts.oldname, "CN=%s" % opts.newname.upper())
+ dnobj = ldb.Dn(ldbs.sam, newdn)
+ ldbs.sam.rename(res[0].dn, dnobj)
+
+ # Then change password and samaccountname and dnshostname
+ msg = ldb.Message(dnobj)
+ machinepass = samba.generate_random_password(128, 255)
+ mputf16 = machinepass.encode('utf-16-le')
+
+ account = "%s$" % opts.newname.upper()
+ msg["clearTextPassword"] = ldb.MessageElement(mputf16,
+ ldb.FLAG_MOD_REPLACE,
+ "clearTextPassword")
+
+ msg["sAMAccountName"] = ldb.MessageElement(account,
+ ldb.FLAG_MOD_REPLACE,
+ "sAMAccountName")
+
+ msg["dNSHostName"] = ldb.MessageElement("%s.%s" % (opts.newname,
+ names.dnsdomain),
+ ldb.FLAG_MOD_REPLACE,
+ "dNSHostName")
+ ldbs.sam.modify(msg)
+
+ # Do a self join one more time to resync the secrets file
+ res = ldbs.sam.search(expression=("dn=%s" % newdn),
+ attrs=["msDs-keyVersionNumber", "serverReferenceBL"])
+ assert(len(res) == 1)
+ kvno = int(str(res[0]["msDs-keyVersionNumber"]))
+ serverbldn = ldb.Dn(ldbs.sam, str(res[0]["serverReferenceBL"]))
+
+ secrets_msg = ldbs.secrets.search(expression="sAMAccountName=%s$" %
+ opts.oldname.upper(),
+ attrs=["secureChannelType"])
+
+ secChanType = int(secrets_msg[0]["secureChannelType"][0])
+
+ secretsdb_self_join(ldbs.secrets, domain=names.domain,
+ realm=names.realm,
+ domainsid=names.domainsid,
+ dnsdomain=names.dnsdomain,
+ netbiosname=opts.newname.upper(),
+ machinepass=machinepass,
+ key_version_number=kvno,
+ secure_channel_type=secChanType)
+
+ # Update RID set reference as there is no back link for the moment.
+
+ res = ldbs.sam.search(expression="(objectClass=rIDSet)", base=newdn, attrs=[])
+ assert(len(res) == 1)
+ newridset = str(res[0].dn)
+ msg = ldb.Message(dnobj)
+
+ msg["rIDSetReferences"] = ldb.MessageElement(newridset,
+ ldb.FLAG_MOD_REPLACE,
+ "rIDSetReferences")
+ ldbs.sam.modify(msg)
+
+ # Update the server's sites configuration
+ if False:
+ # Desactivated for the moment we have a couple of issues with site
+ # renaming first one is that it's currently forbidden
+ # second one is that a lot of links are not backlinked
+ # and so won't be updated when the DN change (ie. fmsowner ...)
+ serverbl = str(serverbldn)
+ dnparts = serverbl.split(",")
+ dnparts[0] = "CN=%s" % opts.newname.upper()
+ newserverref = ",".join(dnparts)
+
+ newserverrefdn = ldb.Dn(ldbs.sam, newserverref)
+
+ ldbs.sam.rename(serverbldn, newserverrefdn)
+
+ msg = ldb.Message(newserverrefdn)
+ msg["dNSHostName"] = ldb.MessageElement("%s.%s" % (opts.newname,
+ names.dnsdomain),
+ ldb.FLAG_MOD_REPLACE,
+ "dNSHostName")
+ ldbs.sam.modify(msg)
+
+ try:
+ ldbs.sam.transaction_prepare_commit()
+ ldbs.secrets.transaction_prepare_commit()
+ except Exception:
+ ldbs.sam.rollback()
+ ldbs.secrets.rollback()
+ sys.exit(1)
+
+ try:
+ ldbs.sam.transaction_commit()
+ ldbs.secrets.transaction_commit()
+ except Exception:
+ ldbs.sam.rollback()
+ ldbs.secrets.rollback()
+
+ # All good so far
+ #print lp.get("private dir")
+ cf = open(lp.configfile)
+ ncfname = "%s.new" % lp.configfile
+ newconf = open(ncfname, 'w')
+ for l in cf.readlines():
+ if l.find("netbios name") > 0:
+ newconf.write("\tnetbios name = %s\n" % opts.newname.upper())
+ else:
+ newconf.write(l)
+ newconf.close()
+ cf.close()
+ os.rename(ncfname, lp.configfile)
+
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index 4e48a48..e58a264 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -44,7 +44,7 @@ from ldb import (SCOPE_SUBTREE, SCOPE_BASE,
FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE,
MessageElement, Message, Dn)
from samba import param, dsdb, Ldb
-from samba.provision import (get_domain_descriptor,
+from samba.provision import (get_domain_descriptor, find_provision_key_parameters,
get_config_descriptor,
ProvisioningError, get_last_provision_usn,
get_max_usn, update_provision_usn, setup_path)
@@ -52,7 +52,7 @@ from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
from samba.dcerpc import security, drsblobs, xattr
from samba.ndr import ndr_unpack
from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
- find_provision_key_parameters, get_ldbs,
+ get_ldbs,
usn_in_range, identic_rename, get_diff_sddls,
update_secrets, CHANGE, ERROR, SIMPLE,
CHANGEALL, GUESS, CHANGESD, PROVISION,
diff --git a/source4/scripting/devel/chgtdcpass b/source4/scripting/devel/chgtdcpass
index dc24983..4f5ea15 100755
--- a/source4/scripting/devel/chgtdcpass
+++ b/source4/scripting/devel/chgtdcpass
@@ -29,8 +29,9 @@ import samba.getopt as options
from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session
from samba import param
+from samba.provision import find_provision_key_parameters
from samba.upgradehelpers import (get_paths,
- find_provision_key_parameters, get_ldbs,
+ get_ldbs,
update_machine_account_password)
parser = optparse.OptionParser("chgtdcpass [options]")
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index bdca992..8433f23 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -38,23 +38,23 @@ import uuid
import socket
import urllib
import shutil
+import string
import ldb
from samba.auth import system_session, admin_session
import samba
+from samba.dsdb import DS_DOMAIN_FUNCTION_2000
from samba import (
Ldb,
check_all_substituted,
- in_source_tree,
- source_tree_topdir,
read_and_sub_file,
setup_file,
substitute_var,
valid_netbios_name,
version,
)
-from samba.dcerpc import security
+from samba.dcerpc import security, misc
from samba.dcerpc.misc import (
SEC_CHAN_BDC,
SEC_CHAN_WKSTA,
@@ -217,6 +217,110 @@ class ProvisionNames(object):
self.sitename = None
self.smbconf = None
+def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, lp):
+ """Get key provision parameters (realm, domain, ...) from a given provision
+
+ :param samdb: An LDB object connected to the sam.ldb file
+ :param secretsdb: An LDB object connected to the secrets.ldb file
+ :param idmapdb: An LDB object connected to the idmap.ldb file
+ :param paths: A list of path to provision object
+ :param smbconf: Path to the smb.conf file
+ :param lp: A LoadParm object
+ :return: A list of key provision parameters
+ """
+ names = ProvisionNames()
+ names.adminpass = None
+
+ # NT domain, kerberos realm, root dn, domain dn, domain dns name
+ names.domain = string.upper(lp.get("workgroup"))
+ names.realm = lp.get("realm")
+ basedn = "DC=" + names.realm.replace(".",",DC=")
+ names.dnsdomain = names.realm.lower()
+ names.realm = string.upper(names.realm)
+ # netbiosname
+ # Get the netbiosname first (could be obtained from smb.conf in theory)
+ res = secretsdb.search(expression="(flatname=%s)" %
+ names.domain,base="CN=Primary Domains",
+ scope=ldb.SCOPE_SUBTREE, attrs=["sAMAccountName"])
+ names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
+
+ names.smbconf = smbconf
+
+ # That's a bit simplistic but it's ok as long as we have only 3
+ # partitions
+ current = samdb.search(expression="(objectClass=*)",
+ base="", scope=ldb.SCOPE_BASE,
+ attrs=["defaultNamingContext", "schemaNamingContext",
+ "configurationNamingContext","rootDomainNamingContext"])
+
+ names.configdn = current[0]["configurationNamingContext"]
+ configdn = str(names.configdn)
+ names.schemadn = current[0]["schemaNamingContext"]
+ if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb,
+ current[0]["defaultNamingContext"][0]))):
+ raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
+ "is not the same ..." % (paths.samdb,
+ str(current[0]["defaultNamingContext"][0]),
+ paths.smbconf, basedn)))
+
+ names.domaindn=current[0]["defaultNamingContext"]
+ names.rootdn=current[0]["rootDomainNamingContext"]
+ # default site name
+ res3 = samdb.search(expression="(objectClass=*)",
+ base="CN=Sites," + configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"])
+ names.sitename = str(res3[0]["cn"])
+
+ # dns hostname and server dn
+ res4 = samdb.search(expression="(CN=%s)" % names.netbiosname,
+ base="OU=Domain Controllers,%s" % basedn,
+ scope=ldb.SCOPE_ONELEVEL, attrs=["dNSHostName"])
+ names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain,"")
+
+ server_res = samdb.search(expression="serverReference=%s" % res4[0].dn,
+ attrs=[], base=configdn)
+ names.serverdn = server_res[0].dn
+
+ # invocation id/objectguid
+ res5 = samdb.search(expression="(objectClass=*)",
+ base="CN=NTDS Settings,%s" % str(names.serverdn), scope=ldb.SCOPE_BASE,
+ attrs=["invocationID", "objectGUID"])
+ names.invocation = str(ndr_unpack(misc.GUID, res5[0]["invocationId"][0]))
+ names.ntdsguid = str(ndr_unpack(misc.GUID, res5[0]["objectGUID"][0]))
+
+ # domain guid/sid
+ res6 = samdb.search(expression="(objectClass=*)", base=basedn,
+ scope=ldb.SCOPE_BASE, attrs=["objectGUID",
+ "objectSid","msDS-Behavior-Version" ])
+ names.domainguid = str(ndr_unpack(misc.GUID, res6[0]["objectGUID"][0]))
+ names.domainsid = ndr_unpack( security.dom_sid, res6[0]["objectSid"][0])
+ if res6[0].get("msDS-Behavior-Version") is None or \
+ int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
+ names.domainlevel = DS_DOMAIN_FUNCTION_2000
+ else:
+ names.domainlevel = int(res6[0]["msDS-Behavior-Version"][0])
+
+ # policy guid
+ res7 = samdb.search(expression="(displayName=Default Domain Policy)",
+ base="CN=Policies,CN=System," + basedn,
+ scope=ldb.SCOPE_ONELEVEL, attrs=["cn","displayName"])
+ names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
+ # dc policy guid
+ res8 = samdb.search(expression="(displayName=Default Domain Controllers"
+ " Policy)",
+ base="CN=Policies,CN=System," + basedn,
+ scope=ldb.SCOPE_ONELEVEL, attrs=["cn","displayName"])
+ if len(res8) == 1:
+ names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
+ else:
+ names.policyid_dc = None
+ res9 = idmapdb.search(expression="(cn=%s)" %
+ (security.SID_BUILTIN_ADMINISTRATORS),
+ attrs=["xidNumber"])
+ if len(res9) == 1:
+ names.wheel_gid = res9[0]["xidNumber"]
+ else:
+ raise ProvisioningError("Unable to find uid/gid for Domain Admins rid")
+ return names
def update_provision_usn(samdb, low, high, replace=False):
"""Update the field provisionUSN in sam.ldb
diff --git a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
index 3a9c78e..596cff6 100644
--- a/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
+++ b/source4/scripting/python/samba/tests/upgradeprovisionneeddc.py
@@ -26,9 +26,9 @@ import shutil
from samba import param
from samba.credentials import Credentials
from samba.auth import system_session
-from samba.provision import getpolicypath
+from samba.provision import getpolicypath,find_provision_key_parameters
from samba.upgradehelpers import (get_paths, get_ldbs,
- find_provision_key_parameters, identic_rename,
+ identic_rename,
updateOEMInfo, getOEMInfo, update_gpo,
delta_update_basesamdb,
update_dns_account_password,
diff --git a/source4/scripting/python/samba/upgradehelpers.py b/source4/scripting/python/samba/upgradehelpers.py
index 729231e..16e4ea0 100755
--- a/source4/scripting/python/samba/upgradehelpers.py
+++ b/source4/scripting/python/samba/upgradehelpers.py
@@ -24,22 +24,19 @@
"""Helpers used for upgrading between different database formats."""
import os
-import string
import re
import shutil
import samba
from samba import Ldb, version, ntacls
-from samba.dsdb import DS_DOMAIN_FUNCTION_2000
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE
import ldb
-from samba.provision import (ProvisionNames, provision_paths_from_lp,
+from samba.provision import (provision_paths_from_lp,
getpolicypath, set_gpos_acl, create_gpo_struct,
FILL_FULL, provision, ProvisioningError,
setsysvolacl, secretsdb_self_join)
-from samba.dcerpc import misc, security, xattr
+from samba.dcerpc import xattr
from samba.dcerpc.misc import SEC_CHAN_BDC
-from samba.ndr import ndr_unpack
from samba.samdb import SamDB
# All the ldb related to registry are commented because the path for them is
@@ -242,112 +239,6 @@ def update_policyids(names, samdb):
names.policyid_dc = None
-def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, lp):
- """Get key provision parameters (realm, domain, ...) from a given provision
-
- :param samdb: An LDB object connected to the sam.ldb file
- :param secretsdb: An LDB object connected to the secrets.ldb file
- :param idmapdb: An LDB object connected to the idmap.ldb file
- :param paths: A list of path to provision object
- :param smbconf: Path to the smb.conf file
- :param lp: A LoadParm object
- :return: A list of key provision parameters
- """
- names = ProvisionNames()
- names.adminpass = None
-
- # NT domain, kerberos realm, root dn, domain dn, domain dns name
- names.domain = string.upper(lp.get("workgroup"))
- names.realm = lp.get("realm")
- basedn = "DC=" + names.realm.replace(".",",DC=")
- names.dnsdomain = names.realm.lower()
- names.realm = string.upper(names.realm)
- # netbiosname
- # Get the netbiosname first (could be obtained from smb.conf in theory)
- res = secretsdb.search(expression="(flatname=%s)" %
- names.domain,base="CN=Primary Domains",
- scope=SCOPE_SUBTREE, attrs=["sAMAccountName"])
- names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
-
- names.smbconf = smbconf
-
- # That's a bit simplistic but it's ok as long as we have only 3
- # partitions
- current = samdb.search(expression="(objectClass=*)",
- base="", scope=SCOPE_BASE,
- attrs=["defaultNamingContext", "schemaNamingContext",
- "configurationNamingContext","rootDomainNamingContext"])
-
- names.configdn = current[0]["configurationNamingContext"]
- configdn = str(names.configdn)
- names.schemadn = current[0]["schemaNamingContext"]
- if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb,
- current[0]["defaultNamingContext"][0]))):
- raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
- "is not the same ..." % (paths.samdb,
- str(current[0]["defaultNamingContext"][0]),
- paths.smbconf, basedn)))
-
- names.domaindn=current[0]["defaultNamingContext"]
- names.rootdn=current[0]["rootDomainNamingContext"]
- # default site name
- res3 = samdb.search(expression="(objectClass=*)",
- base="CN=Sites," + configdn, scope=SCOPE_ONELEVEL, attrs=["cn"])
- names.sitename = str(res3[0]["cn"])
-
- # dns hostname and server dn
- res4 = samdb.search(expression="(CN=%s)" % names.netbiosname,
- base="OU=Domain Controllers,%s" % basedn,
- scope=SCOPE_ONELEVEL, attrs=["dNSHostName"])
- names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain,"")
-
- server_res = samdb.search(expression="serverReference=%s" % res4[0].dn,
- attrs=[], base=configdn)
- names.serverdn = server_res[0].dn
-
- # invocation id/objectguid
- res5 = samdb.search(expression="(objectClass=*)",
- base="CN=NTDS Settings,%s" % str(names.serverdn), scope=SCOPE_BASE,
--
Samba Shared Repository
More information about the samba-cvs
mailing list