[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Apr 18 23:50:04 MDT 2012


The branch, master has been updated
       via  7ca706d dbcheck: Add a check that every FSMO role has a valid owner
       via  6b2753d s4-samba-tool: Fix samba-tool fsmo seize
       via  a2b7a9e s4-s3upgrade: Do not ever set a domain-wide maxPwdAge of 0
       via  a5905bf s4-s3upgrade: Ignore (with warning) groups that are listed but we cannot list members for
      from  916297e Fix samba3.raw.samba3hide test - ensure we set up POSIX capabilities before doing POSIX calls like chmod.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7ca706de8c9f52ee530dfa4ff9188d2a7403e87d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Apr 19 14:14:35 2012 +1000

    dbcheck: Add a check that every FSMO role has a valid owner
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Thu Apr 19 07:49:54 CEST 2012 on sn-devel-104

commit 6b2753d71ea9e9a64fa749cfeeaef4f451c6cae4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Apr 19 13:57:29 2012 +1000

    s4-samba-tool: Fix samba-tool fsmo seize
    
    This is currently untested, and a restructure broke it.
    
    Andrew Bartlett

commit a2b7a9e2a23e395a06700dd0968f4916bde56cdf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Apr 19 10:42:05 2012 +1000

    s4-s3upgrade: Do not ever set a domain-wide maxPwdAge of 0
    
    This means no-expiry in s3, and so we must treat it like -1.
    
    Andrew Bartlett

commit a5905bfb39e297ed6ac453faa5518ba5ff47640a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Apr 19 09:59:40 2012 +1000

    s4-s3upgrade: Ignore (with warning) groups that are listed but we cannot list members for

-----------------------------------------------------------------------

Summary of changes:
 source4/scripting/python/samba/dbchecker.py   |   41 +++++++++++
 source4/scripting/python/samba/netcmd/fsmo.py |   95 +++++++++++++------------
 source4/scripting/python/samba/upgrade.py     |   18 ++++-
 3 files changed, 106 insertions(+), 48 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/scripting/python/samba/dbchecker.py b/source4/scripting/python/samba/dbchecker.py
index 7993b54..587d63c 100644
--- a/source4/scripting/python/samba/dbchecker.py
+++ b/source4/scripting/python/samba/dbchecker.py
@@ -49,7 +49,12 @@ class dbcheck(object):
         self.fix_all_missing_backlinks = False
         self.fix_all_orphaned_backlinks = False
         self.fix_rmd_flags = False
+        self.seize_fsmo_role = False
         self.in_transaction = in_transaction
+        self.infrastructure_dn = ldb.Dn(samdb, "CN=Infrastructure," + samdb.domain_dn())
+        self.naming_dn = ldb.Dn(samdb, "CN=Partitions,%s" % samdb.get_config_basedn())
+        self.schema_dn = samdb.get_schema_basedn()
+        self.rid_dn = ldb.Dn(samdb, "CN=RID Manager$,CN=System," + samdb.domain_dn())
 
     def check_database(self, DN=None, scope=ldb.SCOPE_SUBTREE, controls=[], attrs=['*']):
         '''perform a database check, returning the number of errors found'''
@@ -310,6 +315,23 @@ class dbcheck(object):
                           "Failed to fix orphaned backlink %s" % link_name):
             self.report("Fixed orphaned backlink %s" % (link_name))
 
+    def err_no_fsmoRoleOwner(self, obj):
+        '''handle a missing fSMORoleOwner'''
+        self.report("ERROR: fSMORoleOwner not found for role %s" % (obj.dn))
+        res = self.samdb.search("",
+                                scope=ldb.SCOPE_BASE, attrs=["dsServiceName"])
+        assert len(res) == 1
+        serviceName = res[0]["dsServiceName"][0]
+        if not self.confirm_all('Sieze role %s onto current DC by adding fSMORoleOwner=%s' % (obj.dn, serviceName), 'seize_fsmo_role'):
+            self.report("Not Siezing role %s onto current DC by adding fSMORoleOwner=%s" % (obj.dn, serviceName))
+            return
+        m = ldb.Message()
+        m.dn = obj.dn
+        m['value'] = ldb.MessageElement(serviceName, ldb.FLAG_MOD_ADD, 'fSMORoleOwner')
+        if self.do_modify(m, [],
+                          "Failed to sieze role %s onto current DC by adding fSMORoleOwner=%s" % (obj.dn, serviceName)):
+            self.report("Siezed role %s onto current DC by adding fSMORoleOwner=%s" % (obj.dn, serviceName))
+
     def find_revealed_link(self, dn, attrname, guid):
         '''return a revealed link in an object'''
         res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=[attrname],
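Review bot: In `err_no_fsmoRoleOwner` the rootDSE lookup is guarded only by `assert len(res) == 1`, which is stripped under `python -O`, so an unexpected result would surface as an IndexError or KeyError in the middle of a repair prompt. An explicit check is safer: `if len(res) != 1:` followed by `self.report("ERROR: could not read dsServiceName from rootDSE")` and `return`. The four operator-facing strings also misspell the action as `Sieze`, `Siezing`, `sieze` and `Siezed`. Since this prompt asks an administrator to approve rewriting a FSMO role owner, `Seize` would read more clearly.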
@@ -441,6 +463,20 @@ class dbcheck(object):
                           "Failed to fix metadata for attribute %s" % attr):
             self.report("Fixed metadata for attribute %s" % attr)
 
+    def is_fsmo_role(self, dn):
+        if dn == self.samdb.domain_dn:
+            return True
+        if dn == self.infrastructure_dn:
+            return True
+        if dn == self.naming_dn:
+            return True
+        if dn == self.schema_dn:
+            return True
+        if dn == self.rid_dn:
+            return True
+        
+        return False
+
     def check_object(self, dn, attrs=['*']):
         '''check one object'''
         if self.verbose:
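Review bot: The first test in `is_fsmo_role`, `dn == self.samdb.domain_dn`, compares against the bound method rather than its result (the constructor hunk above calls it as `samdb.domain_dn()`). It is presumably never true, so the domain head object would never be checked for a missing fSMORoleOwner. Since `domain_dn()` is concatenated as a string elsewhere in this commit, the comparison likely needs `if dn == ldb.Dn(self.samdb, self.samdb.domain_dn()):`, or a `self.domain_dn` built once in `__init__` next to the other four. The method also has no docstring, unlike its neighbours; `'''return True if dn is one of the objects that carries an fSMORoleOwner'''` would match the file's style.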
@@ -550,6 +586,11 @@ class dbcheck(object):
                         continue
                     self.fix_metadata(dn, att)
 
+        if self.is_fsmo_role(dn):
+            if "fSMORoleOwner" not in obj:
+                self.err_no_fsmoRoleOwner(obj)
+                error_count += 1
+
         return error_count
 
     ################################################################
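Review bot: The added block in `check_object` treats the absence of an `fSMORoleOwner` key in `obj` as a missing owner, but `check_object` takes a caller-supplied `attrs` list. If the search that builds `obj` (outside this hunk) is limited to that list, a run restricted to other attributes would flag every role object and offer to seize it. Guarding with `if self.is_fsmo_role(dn) and ('*' in attrs or 'fSMORoleOwner' in attrs):` avoids that. The test also only checks presence, so an owner value that points at a removed DC still passes despite the commit title's "valid owner".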
diff --git a/source4/scripting/python/samba/netcmd/fsmo.py b/source4/scripting/python/samba/netcmd/fsmo.py
index 84e50e0..86c6949 100644
--- a/source4/scripting/python/samba/netcmd/fsmo.py
+++ b/source4/scripting/python/samba/netcmd/fsmo.py
@@ -30,6 +30,43 @@ from samba.netcmd import (
     )
 from samba.samdb import SamDB
 
+def transfer_role(outf, role, samdb):
+    m = ldb.Message()
+    m.dn = ldb.Dn(samdb, "")
+    if role == "rid":
+        m["becomeRidMaster"]= ldb.MessageElement(
+            "1", ldb.FLAG_MOD_REPLACE,
+            "becomeRidMaster")
+    elif role == "pdc":
+        domain_dn = samdb.domain_dn()
+        res = samdb.search(domain_dn,
+                           scope=ldb.SCOPE_BASE, attrs=["objectSid"])
+        assert len(res) == 1
+        sid = res[0]["objectSid"][0]
+        m["becomePdc"]= ldb.MessageElement(
+            sid, ldb.FLAG_MOD_REPLACE,
+            "becomePdc")
+    elif role == "naming":
+        m["becomeDomainMaster"]= ldb.MessageElement(
+            "1", ldb.FLAG_MOD_REPLACE,
+            "becomeDomainMaster")
+        samdb.modify(m)
+    elif role == "infrastructure":
+        m["becomeInfrastructureMaster"]= ldb.MessageElement(
+            "1", ldb.FLAG_MOD_REPLACE,
+            "becomeInfrastructureMaster")
+    elif role == "schema":
+        m["becomeSchemaMaster"]= ldb.MessageElement(
+            "1", ldb.FLAG_MOD_REPLACE,
+            "becomeSchemaMaster")
+    else:
+        raise CommandError("Invalid FSMO role.")
+    try:
+        samdb.modify(m)
+    except LdbError, (num, msg):
+        raise CommandError("Failed to initiate transfer of '%s' role: %s" % (role, msg))
+    outf.write("FSMO transfer of '%s' role successful\n" % role)
+
 
 class cmd_fsmo_seize(Command):
     """Seize the role"""
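Review bot: In the new module-level `transfer_role`, the `naming` branch calls `samdb.modify(m)` itself and then falls through to the `samdb.modify(m)` inside the `try` at the end. The becomeDomainMaster request is therefore sent twice, and a failure of the first call escapes as a raw LdbError instead of the CommandError the callers now catch. The line was carried over unchanged from the removed method; dropping the `samdb.modify(m)` inside `elif role == "naming":` makes that branch behave like the other roles. The function also has no docstring; `"""Request transfer of one FSMO role via a rootDSE modify; raises CommandError on failure."""` would describe what the visible code does.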
@@ -64,6 +101,11 @@ all=all of the above"""),
         assert len(res) == 1
         serviceName = res[0]["dsServiceName"][0]
         domain_dn = samdb.domain_dn()
+        self.infrastructure_dn = "CN=Infrastructure," + domain_dn
+        self.naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn()
+        self.schema_dn = samdb.get_schema_basedn()
+        self.rid_dn = "CN=RID Manager$,CN=System," + domain_dn
+
         m = ldb.Message()
         if role == "rid":
             m.dn = ldb.Dn(samdb, self.rid_dn)
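Review bot: `self.schema_dn = samdb.get_schema_basedn()` stores whatever object that call returns, while the other three values added here are plain strings and the visible `rid` branch feeds them to `ldb.Dn(samdb, ...)`. If the schema branch (outside this hunk) does the same, it may pass a Dn object where a string is expected; `self.schema_dn = str(samdb.get_schema_basedn())` keeps the four consistent. These are also per-invocation values, so locals would be enough unless other methods read them from `self`.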
@@ -81,8 +123,8 @@ all=all of the above"""),
         if force is None:
             self.message("Attempting transfer...")
             try:
-                self.transfer_role(role, samdb)
-            except LdbError, (num, _):
+                transfer_role(self.outf, role, samdb)
+            except CommandError:
             #transfer failed, use the big axe...
                 self.message("Transfer unsuccessful, seizing...")
                 m["fSMORoleOwner"]= ldb.MessageElement(
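Review bot: The fallback at `except CommandError:` discards the reason the transfer failed and goes straight to seizing, so an operator cannot tell an unreachable role owner from a transient or permission error before the owner attribute is forcibly rewritten. Binding the exception and printing it keeps that evidence in the output: `except CommandError as e:` with `self.message("Transfer unsuccessful (%s), seizing..." % e)`. Note that `transfer_role` can still raise LdbError from its `pdc` search and from the extra modify in its `naming` branch, which this handler no longer catches. The `try` statement continues past the end of the hunk.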
@@ -207,43 +249,6 @@ all=all of the above"""),
 
     takes_args = []
 
-    def transfer_role(self, role, samdb):
-        m = ldb.Message()
-        m.dn = ldb.Dn(samdb, "")
-        if role == "rid":
-            m["becomeRidMaster"]= ldb.MessageElement(
-                "1", ldb.FLAG_MOD_REPLACE,
-                "becomeRidMaster")
-        elif role == "pdc":
-            domain_dn = samdb.domain_dn()
-            res = samdb.search(domain_dn,
-                               scope=ldb.SCOPE_BASE, attrs=["objectSid"])
-            assert len(res) == 1
-            sid = res[0]["objectSid"][0]
-            m["becomePdc"]= ldb.MessageElement(
-                sid, ldb.FLAG_MOD_REPLACE,
-                "becomePdc")
-        elif role == "naming":
-            m["becomeDomainMaster"]= ldb.MessageElement(
-                "1", ldb.FLAG_MOD_REPLACE,
-                "becomeDomainMaster")
-            samdb.modify(m)
-        elif role == "infrastructure":
-            m["becomeInfrastructureMaster"]= ldb.MessageElement(
-                "1", ldb.FLAG_MOD_REPLACE,
-                "becomeInfrastructureMaster")
-        elif role == "schema":
-            m["becomeSchemaMaster"]= ldb.MessageElement(
-                "1", ldb.FLAG_MOD_REPLACE,
-                "becomeSchemaMaster")
-        else:
-            raise CommandError("Invalid FSMO role.")
-        try:
-            samdb.modify(m)
-        except LdbError, (num, msg):
-            raise CommandError("Failed to initiate transfer of '%s' role: %s" % (role, msg))
-        self.outf.write("FSMO transfer of '%s' role successful\n" % role)
-
     def run(self, force=None, H=None, role=None,
             credopts=None, sambaopts=None, versionopts=None):
 
@@ -254,13 +259,13 @@ all=all of the above"""),
                       credentials=creds, lp=lp)   
 
         if role == "all":
-            self.transfer_role("rid", samdb)
-            self.transfer_role("pdc", samdb)
-            self.transfer_role("naming", samdb)
-            self.transfer_role("infrastructure", samdb)
-            self.transfer_role("schema", samdb)
+            transfer_role(self.outf, "rid", samdb)
+            transfer_role(self.outf, "pdc", samdb)
+            transfer_role(self.outf, "naming", samdb)
+            transfer_role(self.outf, "infrastructure", samdb)
+            transfer_role(self.outf, "schema", samdb)
         else:
-            self.transfer_role(role, samdb)
+            transfer_role(self.outf, role, samdb)
 
 
 class cmd_fsmo(SuperCommand):
diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index b2fb51e..8b8d05d 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -65,7 +65,7 @@ def import_sam_policy(samdb, policy, logger):
         'minPwdAge')
 
     max_pw_age_unix = policy['maximum password age']
-    if max_pw_age_unix == -1:
+    if max_pw_age_unix == -1 or max_pw_age_unix == 0:
         max_pw_age_nt = -0x8000000000000000
     else:
         max_pw_age_nt = int(-max_pw_age_unix * (1e7 * 60 * 60 * 24))
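Review bot: The widened condition `max_pw_age_unix == -1 or max_pw_age_unix == 0` has no comment saying why 0 is special; the reason is only in the commit message. A line above it such as `# Samba 3 uses both -1 and 0 for "passwords never expire"; never write a maxPwdAge of 0` would keep a later reader from simplifying it away. `if max_pw_age_unix in (-1, 0):` is also slightly tighter. `import_sam_policy` starts and ends outside this hunk.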
@@ -534,11 +534,18 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=Fa
 
         # Get members for each group/alias
         if group.sid_name_use == lsa.SID_NAME_ALIAS:
-            members = s3db.enum_aliasmem(group.sid)
+            try:
+                members = s3db.enum_aliasmem(group.sid)
+            except passdb.error:
+                logger.warn("Ignoring group '%s' %s listed but then not found: %s",
+                            group.nt_name, group.sid, passdb.error)
+                continue
         elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
             try:
                 members = s3db.enum_group_members(group.sid)
             except passdb.error:
+                logger.warn("Ignoring group '%s' %s listed but then not found: %s",
+                            group.nt_name, group.sid, passdb.error)
                 continue
             groupmembers[group.nt_name] = members
         elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
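Review bot: The new warnings pass `passdb.error`, the exception class, as the last format argument, so the log shows the class rather than the error that was actually raised. Binding the instance fixes it: `except passdb.error as e:` and `group.nt_name, group.sid, e)`. This applies to both handlers in this hunk and to the `enum_aliasmem` handler in the following hunk. `upgrade_from_samba3` starts and ends outside the hunk.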
@@ -548,7 +555,12 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=Fa
                             group.nt_name)
                 continue
             # A number of buggy databases mix up well known groups and aliases.
-            members = s3db.enum_aliasmem(group.sid)
+            try:
+                members = s3db.enum_aliasmem(group.sid)
+            except passdb.error:
+                logger.warn("Ignoring group '%s' %s listed but then not found: %s",
+                            group.nt_name, group.sid, passdb.error)
+                continue
         else:
             logger.warn("Ignoring group '%s' with sid_name_use=%d",
                         group.nt_name, group.sid_name_use)


-- 
Samba Shared Repository

