[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Sun Sep 4 20:59:03 MDT 2011
The branch, master has been updated
via 1316bc4 s4-provision handle a number of invalid but real-world upgrade cases
via 4a9f5d7 s4-provision Fix type error on existing idmap entries in s3 upgrade
via fe754cc s4-dsdb Print clearer error messages when invalid account flags are specified on add
via 3d05a08 s4-provision Use ProvisioningError and the eadb
via 5c8bf14 s4-provision Add realm to DC configuration in upgrade_from_s3 test
from 389cb93 s4-provision Allow a missing idmap DB in upgrade.py
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1316bc4b081c1b3b8499ac2b699be29dca247331
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 5 11:10:36 2011 +1000
s4-provision handle a number of invalid but real-world upgrade cases
Real world databases have the wrong account flags (U and W at the same time) and have the wrong
group type in group mapping databases. Cope with these.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet at samba.org>
Autobuild-Date: Mon Sep 5 04:58:09 CEST 2011 on sn-devel-104
commit 4a9f5d759f0b244fb27ea8a01455b5fd0a43c334
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 5 11:09:14 2011 +1000
s4-provision Fix type error on existing idmap entries in s3 upgrade
This is already a DN object.
Andrew Bartlett
commit fe754cc7ac9587da8fe6c103052e290361b03eee
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 5 11:08:20 2011 +1000
s4-dsdb Print clearer error messages when invalid account flags are specified on add
commit 3d05a0856fd44bbd6c7bd88ce407eb0098f6f94c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 5 11:07:39 2011 +1000
s4-provision Use ProvisioningError and the eadb
The eadb flag tells us to avoid using system extended attributes, typically if we
are not running as root (ie, in a test environment).
The ProvisioningError class allows us to return failures to the upgrade_from_s3 script
which can then be detected correctly by the selftest framework.
Andrew Bartlett
commit 5c8bf1434dd2b68a635b9a273ecf2efba0127cea
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 5 11:04:42 2011 +1000
s4-provision Add realm to DC configuration in upgrade_from_s3 test
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/common/util_samr.c | 9 +++++
source4/scripting/python/samba/upgrade.py | 57 +++++++++++++++++++++--------
source4/setup/tests/blackbox_s3upgrade.sh | 1 +
source4/setup/upgrade_from_s3 | 23 +++++++++++-
4 files changed, 74 insertions(+), 16 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/common/util_samr.c b/source4/dsdb/common/util_samr.c
index b9663ef..184dfd5 100644
--- a/source4/dsdb/common/util_samr.c
+++ b/source4/dsdb/common/util_samr.c
@@ -127,7 +127,16 @@ NTSTATUS dsdb_add_user(struct ldb_context *ldb,
cn_name[cn_name_len - 1] = '\0';
container = "OU=Domain Controllers";
obj_class = "computer";
+ } else if (acct_flags == ACB_DOMTRUST) {
+ DEBUG(3, ("Invalid account flags specified: cannot create domain trusts via this interface (must use LSA CreateTrustedDomain calls\n"));
+ ldb_transaction_cancel(ldb);
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INVALID_PARAMETER;
} else {
+ DEBUG(3, ("Invalid account flags specified 0x%08X, must be exactly one of \n"
+ "ACB_NORMAL (0x%08X) ACB_WSTRUST (0x%08X) or ACB_SVRTRUST (0x%08X)\n",
+ acct_flags,
+ ACB_NORMAL, ACB_WSTRUST, ACB_SVRTRUST));
ldb_transaction_cancel(ldb);
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_PARAMETER;
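Review bot: The ACB_DOMTRUST message on the first added DEBUG line never closes its parenthesis, so the log reads "(must use LSA CreateTrustedDomain calls" with nothing matching it; `DEBUG(3, ("Invalid account flags specified: cannot create domain trusts via this interface (must use LSA CreateTrustedDomain calls)\n"));`. The new branch and the existing else branch now both repeat the same ldb_transaction_cancel / talloc_free / return sequence; keeping the DOMTRUST case as a message-only difference inside a single failure path (or a shared cleanup label) means a later change to the cleanup cannot miss one branch. Logging the rejected flag value at level 3 is a good aid for diagnosing failed upgrades, since the caller only gets NT_STATUS_INVALID_PARAMETER back. dsdb_add_user begins and ends outside the hunk.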
diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index 09a66db..58be991 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -26,10 +26,10 @@ import pwd
from samba import Ldb, registry
from samba.param import LoadParm
-from samba.provision import provision, FILL_FULL
+from samba.provision import provision, FILL_FULL, ProvisioningError
from samba.samba3 import passdb
from samba.samba3 import param as s3param
-from samba.dcerpc import lsa
+from samba.dcerpc import lsa, samr, security
from samba.dcerpc.security import dom_sid
from samba import dsdb
from samba.ndr import ndr_pack
@@ -89,7 +89,7 @@ def add_idmap_entry(idmapdb, sid, xid, xid_type, logger):
if found:
try:
m = ldb.Message()
- m.dn = ldb.Dn(idmapdb, msg[0]['dn'])
+ m.dn = msg[0]['dn']
m['xidNumber'] = ldb.MessageElement(str(xid), ldb.FLAG_MOD_REPLACE, 'xidNumber')
m['type'] = ldb.MessageElement(xid_type, ldb.FLAG_MOD_REPLACE, 'type')
idmapdb.modify(m)
@@ -169,7 +169,10 @@ def add_group_from_mapping_entry(samdb, groupmap, logger):
str(groupmap.sid), groupmap.nt_name, msg[0]['sAMAccountName'][0])
else:
if groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
- return
+ # In a lot of Samba3 databases, aliases are marked as well known groups
+ (group_dom_sid, rid) = group.sid.split()
+ if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
+ return
m = ldb.Message()
m.dn = ldb.Dn(samdb, "CN=%s,CN=Users,%s" % (groupmap.nt_name, samdb.get_default_basedn()))
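Review bot: The added line `(group_dom_sid, rid) = group.sid.split()` refers to `group`, but this function's parameter (per the hunk header) is `groupmap`, so the first well-known group mapping encountered raises NameError instead of being filtered; it should read `(group_dom_sid, rid) = groupmap.sid.split()`. The same logic appears in the later group-membership hunk of this file, which does use a local named `group`, so this looks like a copy of that code without renaming. The comparison `group_dom_sid != security.dom_sid(security.SID_BUILTIN)` presumably relies on dom_sid defining value inequality — worth confirming, because an identity-based default would make the early return never fire and every well-known group would then be created as a domain-local group. add_group_from_mapping_entry continues past the hunk.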
@@ -179,7 +182,8 @@ def add_group_from_mapping_entry(samdb, groupmap, logger):
m['a04'] = ldb.MessageElement(groupmap.comment, ldb.FLAG_MOD_ADD, 'description')
m['a05'] = ldb.MessageElement(groupmap.nt_name, ldb.FLAG_MOD_ADD, 'sAMAccountName')
- if groupmap.sid_name_use == lsa.SID_NAME_ALIAS:
+ # Fix up incorrect 'well known' groups that are actually builtin (per test above) to be aliases
+ if groupmap.sid_name_use == lsa.SID_NAME_ALIAS or groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
m['a06'] = ldb.MessageElement(str(dsdb.GTYPE_SECURITY_DOMAIN_LOCAL_GROUP), ldb.FLAG_MOD_ADD, 'groupType')
try:
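Review bot: The widened condition reads more clearly as a membership test, `if groupmap.sid_name_use in (lsa.SID_NAME_ALIAS, lsa.SID_NAME_WKN_GRP):`. The new comment says "per test above" but that earlier check only returns early for well-known groups outside the BUILTIN domain, so the comment would be more precise as `# Well-known groups that reach this point are BUILTIN aliases mislabelled by Samba3; treat them as aliases`. add_group_from_mapping_entry continues on both sides of the hunk.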
@@ -414,7 +418,7 @@ def import_registry(samba4_registry, samba3_regdb):
key_handle.set_value(value_name, value_type, value_data)
-def upgrade_from_samba3(samba3, logger, targetdir, session_info=None):
+def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=False):
"""Upgrade from samba3 database to samba4 AD database
:param samba3: samba3 object
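Review bot: The signature gains `useeadb=False` but the docstring, which continues below the hunk, does not document it; add `:param useeadb: if True, store extended attributes (such as NT ACLs) in a tdb instead of the filesystem's xattrs` alongside the other params. Stating the default and that it is passed straight through to provision() would tell callers which side of the choice they get when they omit it.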
@@ -445,8 +449,7 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None):
if not realm:
if serverrole == "domain controller":
- logger.warning("No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (generally it's the upcased DNS domainname).")
- return
+ raise ProvisioningError("No realm specified in smb.conf file and being a DC. That upgrade path doesn't work! Please add a 'realm' directive to your old smb.conf to let us know which one you want to use (it is the DNS name of the AD domain you wish to create.")
else:
realm = domainname.upper()
logger.warning("No realm specified in smb.conf file, assuming '%s'",
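Review bot: The new ProvisioningError message opens a parenthesis at "(it is the DNS name" and never closes it; end it with `... the AD domain you wish to create).")`. Raising here instead of warning and returning is the right call, since the missing realm previously produced a silent no-op that the caller could not distinguish from success. upgrade_from_samba3 continues outside the hunk.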
@@ -505,15 +508,19 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None):
members = s3db.enum_group_members(group.sid)
except:
continue
+ groupmembers[group.nt_name] = members
elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
- logger.warn("Ignoring 'well known' group '%s' (should already be in AD, and have no members)",
- group.nt_name, group.sid_name_use)
- continue
+ (group_dom_sid, rid) = group.sid.split()
+ if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
+ logger.warn("Ignoring 'well known' group '%s' (should already be in AD, and have no members)",
+ group.nt_name)
+ continue
+ # A number of buggy databases mix up well known groups and aliases.
+ members = s3db.enum_aliasmem(group.sid)
else:
logger.warn("Ignoring group '%s' with sid_name_use=%d",
group.nt_name, group.sid_name_use)
continue
- groupmembers[group.nt_name] = members
# Export users from old passdb backend
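Review bot: The new BUILTIN well-known-group branch computes `members = s3db.enum_aliasmem(group.sid)` but never stores it, because the trailing `groupmembers[group.nt_name] = members` was removed and only re-added inside the first branch; add `groupmembers[group.nt_name] = members` directly after the enum_aliasmem line. Any other branch above the hunk that also set `members` and relied on the removed common assignment loses its entry the same way — the loop body starts outside the hunk, so please check. The fall-through also means the next iteration could carry a stale `members` if a later edit reintroduces a shared assignment, which is another reason to store it per branch.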
@@ -531,10 +538,29 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None):
continue
if entry['rid'] >= next_rid:
next_rid = entry['rid'] + 1
+
+ user = s3db.getsampwnam(username)
+ acct_type = (user.acct_ctrl & (samr.ACB_NORMAL|samr.ACB_WSTRUST|samr.ACB_SVRTRUST|samr.ACB_DOMTRUST))
+ if (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST or acct_type == samr.ACB_SVRTRUST):
+ pass
+ elif acct_type == samr.ACB_DOMTRUST:
+ logger.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username[:-1])
+ continue
+ elif acct_type == (samr.ACB_NORMAL|samr.ACB_WSTRUST) and username[-1] == '$':
+ logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username)
+ user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL)
+ else:
+ raise ProvisioningError("""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of
+ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X).
+
+Please fix this account before attempting to upgrade again
+"""
+ % (user.acct_flags, username,
+ samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST))
- userdata[username] = s3db.getsampwnam(username)
+ userdata[username] = user
try:
- uids[username] = s3db.sid_to_id(userdata[username].user_sid)[0]
+ uids[username] = s3db.sid_to_id(user.user_sid)[0]
except:
try:
uids[username] = pwd.getpwnam(username).pw_uid
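Review bot: The ProvisioningError format string expects (account name, flags, ...) but the argument tuple starts with `user.acct_flags, username`, and `acct_flags` is not the attribute read on the lines above (`user.acct_ctrl`); the tuple should be `% (username, user.acct_ctrl, samr.ACB_NORMAL, samr.ACB_WSTRUST, samr.ACB_SVRTRUST, samr.ACB_DOMTRUST))`. As written, an invalid account produces an AttributeError or a TypeError from the `%` operator rather than the intended message telling the operator which account to fix. The U|W fix-up only applies when the name ends in `$`, so a U|W user account without that suffix falls through to the raise, which reads as intentional but deserves a one-line comment. The `if ...: pass` head of the chain could be inverted to `if acct_type not in (...)` to drop the empty branch; upgrade_from_samba3 continues on both sides of the hunk.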
@@ -554,7 +580,8 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None):
domainsid=str(domainsid), next_rid=next_rid,
dc_rid=machinerid,
hostname=netbiosname, machinepass=machinepass,
- serverrole=serverrole, samdb_fill=FILL_FULL)
+ serverrole=serverrole, samdb_fill=FILL_FULL,
+ useeadb=useeadb)
# Import WINS database
logger.info("Importing WINS database")
diff --git a/source4/setup/tests/blackbox_s3upgrade.sh b/source4/setup/tests/blackbox_s3upgrade.sh
index 08ac790..59bd70e 100755
--- a/source4/setup/tests/blackbox_s3upgrade.sh
+++ b/source4/setup/tests/blackbox_s3upgrade.sh
@@ -43,6 +43,7 @@ cat - > $PREFIX/samba3-upgrade/samba3/smb2.conf <<EOF
workgroup = SAMBA
netbiosname = S3UPGRADE
security = user
+ realm = s3.samba.example.com
passdb backend = tdbsam:$PREFIX/samba3-upgrade/samba3/passdb.tdb
private dir = $PREFIX/samba3-upgrade/samba3
lock directory = $PREFIX/samba3-upgrade/samba3
diff --git a/source4/setup/upgrade_from_s3 b/source4/setup/upgrade_from_s3
index 81609e0..6aaf99d 100755
--- a/source4/setup/upgrade_from_s3
+++ b/source4/setup/upgrade_from_s3
@@ -19,6 +19,7 @@
import logging
import optparse
import os, sys
+import tempfile
# Find right directory when running from source tree
sys.path.insert(0, "bin/python")
@@ -29,6 +30,7 @@ from samba.auth import system_session
from samba.upgrade import upgrade_from_samba3
from samba.samba3 import Samba3
from samba.samba3 import param as s3param
+from samba.provision import ProvisioningError
def get_testparm_var(testparm, varname):
cmd = "%s -s -l --parameter-name='%s' 2>/dev/null" % (testparm, varname)
@@ -51,6 +53,7 @@ parser.add_option("--libdir", type="string", metavar="DIR",
help="samba3 database directory")
parser.add_option("--testparm", type="string", metavar="PATH",
help="samba3 testparm utility")
+parser.add_option("--use-xattrs", type="choice", choices=["yes","no","auto"], help="Define if we should use the native fs capabilities or a tdb file for storing attributes likes ntacl, auto tries to make an inteligent guess based on the user rights and system capabilities", default="auto")
opts, args = parser.parse_args()
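Review bot: The help text for `--use-xattrs` is operator-facing and has two typos ("attributes likes ntacl", "inteligent"); `help="Define if we should use the native fs capabilities or a tdb file for storing attributes like ntacl; auto tries to make an intelligent guess based on the user rights and system capabilities"`.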
@@ -88,6 +91,20 @@ else:
s3conf = s3param.get_context()
+eadb = True
+if opts.use_xattrs == "yes":
+ eadb = False
+elif opts.use_xattrs == "auto" and not s3conf.get("posix:eadb"):
+ file = tempfile.NamedTemporaryFile()
+ try:
+ samba.ntacls.setntacl(lp, file.name,
+ "O:S-1-5-32G:S-1-5-32", "S-1-5-32", "native")
+ eadb = False
+ except:
+ logger.info("You are not root or your system do not support xattr, using tdb backend for attributes. "
+ "If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.")
+ file.close()
+
# Set correct default values from libdir or testparm
paths = {}
if libdir:
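Review bot: The bare `except:` around the setntacl probe masks every failure, including `samba.ntacls` not being imported or `lp` not being defined (neither is visible in this file's import hunks), so "auto" would silently pick the tdb backend for the wrong reason; narrow it to `except Exception, e:` (the file already uses that Python 2 form) and include the error in the message, e.g. `logger.info("...xattr, using tdb backend for attributes (%s). ...", e)`. `file` shadows the builtin; a name like `probe` avoids that. If the intent is to test whether the provision target's filesystem supports xattrs, probing a NamedTemporaryFile in the default temp directory may answer for a different filesystem than targetdir — consider `dir=targetdir` once that directory exists. The probe also sets an ACL on a file the script created itself, so the check has no effect on existing data.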
@@ -108,4 +125,8 @@ s3conf.load(smbconf)
samba3 = Samba3(smbconf, s3conf)
logger.info("Provisioning")
-upgrade_from_samba3(samba3, logger, targetdir, session_info=system_session())
+try:
+ upgrade_from_samba3(samba3, logger, targetdir, session_info=system_session(), useeadb=eadb)
+except ProvisioningError, e:
+ print str(e)
+ exit(1)
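Review bot: `exit(1)` is the interactive helper injected by the site module rather than a language builtin; `sys` is imported at the top of this script, so `sys.exit(1)` is the reliable form. The error text should also go to stderr so scripts capturing stdout still see it, `print >>sys.stderr, str(e)`.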