[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Mon Jan 21 16:13:03 MST 2013
The branch, master has been updated
via 0a4a4ba devel-script: add options for RODC and partial replica for replicate flags
via fa591a6 devel-scripts: ask with WRIT_REP by default
via 0755b83 devel-getncchange: try to find the dest_dsa automatically
via 7822952 security: Add documentation
via c0638da libcli-security: Add documentation for object_tree_modify_access
via 3b79774 dbcheck: look in hasMasterNCs as well for determining the instance type of a NC
from abc0030 dsdb: Fix warning about unused var
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 0a4a4ba3f6b9748e3fccb546b284de565de2c8b5
Author: Matthieu Patou <mat at matws.net>
Date: Mon Oct 29 22:12:33 2012 -0700
devel-script: add options for RODC and partial replica for replicate flags
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Jan 22 00:12:17 CET 2013 on sn-devel-104
commit fa591a6d3cf9182b6d49621c83a6c3fbfeab1ee7
Author: Matthieu Patou <mat at matws.net>
Date: Mon Oct 29 21:43:14 2012 -0700
devel-scripts: ask with WRIT_REP by default
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0755b835cc4e474f752de1b8cc56a9a6da14a3cd
Author: Matthieu Patou <mat at matws.net>
Date: Tue Oct 23 22:12:08 2012 -0700
devel-getncchange: try to find the dest_dsa automatically
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7822952a11707ff8aaa415adef62082c158c2398
Author: Matthieu Patou <mat at matws.net>
Date: Sat Oct 13 15:02:57 2012 -0700
security: Add documentation
Names seem to be a bit cryptic and misleading (at least for me).
So documenting them should remove at least partially this problem.
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c0638dae6cbf8915e6a436d575562fc131ba772a
Author: Matthieu Patou <mat at matws.net>
Date: Sat Oct 13 15:28:08 2012 -0700
libcli-security: Add documentation for object_tree_modify_access
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3b7977419726a8630de828b634d669625ee358dd
Author: Matthieu Patou <mat at matws.net>
Date: Tue Oct 23 22:09:20 2012 -0700
dbcheck: look in hasMasterNCs as well for determining the instance type of a NC
Forests of level 2000 don't have the msDS-hasMasterNCs parameter
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/security/object_tree.c | 14 +++++++-
libcli/security/security.h | 9 +++++
source4/scripting/devel/getncchanges | 45 ++++++++++++++++++++++++--
source4/scripting/python/samba/dbchecker.py | 12 ++++++-
4 files changed, 72 insertions(+), 8 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/object_tree.c b/libcli/security/object_tree.c
index 3e5ee10..fd00068 100644
--- a/libcli/security/object_tree.c
+++ b/libcli/security/object_tree.c
@@ -104,8 +104,18 @@ struct object_tree *get_object_tree_by_GUID(struct object_tree *root,
return result;
}
-/* Change the granted access per each ACE */
-
+/**
+ * @brief Modify the tree to mark specified access rights as granted
+ *
+ * This function will modify the root and the child of the tree pointed by
+ * root, so that for each tree element the bits set in access_mask are
+ * marked as granted.
+ *
+ * @param[in] root An object_tree structure that we want to modify
+ *
+ * @param[in] access_mask A bitfield of access right that we want to mark as
+ * granted in the whole tree.
+ */
void object_tree_modify_access(struct object_tree *root,
uint32_t access_mask)
{
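Review bot: the new doc comment tags `root` as `@param[in]`, but its own description says the function modifies the root and its children, so `@param[in,out] root` would describe it accurately. "the child of the tree" should read "the children of the tree", and "access right" in the `access_mask` description should be plural.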
diff --git a/libcli/security/security.h b/libcli/security/security.h
index 659d341..6e4b172 100644
--- a/libcli/security/security.h
+++ b/libcli/security/security.h
@@ -89,6 +89,15 @@
#define SHARE_ALL_ACCESS FILE_GENERIC_ALL
#define SHARE_READ_ONLY (FILE_GENERIC_READ|FILE_EXECUTE)
+/**
+ * Remaining access is a bit mask of remaining access rights (bits) that have
+ * to be granted in order to fulfill the requested access.
+ *
+ * The GUID is optional, if specified it restricts this object tree and its
+ * childs to object/attributes that inherits from this GUID.
+ * For DS access an object inherits from a GUID if one of its class has this GUID
+ * in the schemaIDGUID attribute.
+ */
struct object_tree {
uint32_t remaining_access;
struct GUID guid;
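Review bot: the comment above `struct object_tree` opens with "Remaining access is a bit mask ..." and continues with "The GUID is optional", so it documents two members without naming them and gives the struct itself no summary line. A short `@brief` for the struct, with the two paragraphs moved next to `remaining_access` and `guid` as member comments, would read better in generated documentation. Wording: "childs" should be "children", "that inherits" should be "that inherit", and "one of its class has" should be "one of its classes has".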
diff --git a/source4/scripting/devel/getncchanges b/source4/scripting/devel/getncchanges
index d401c82..37ec18b 100755
--- a/source4/scripting/devel/getncchanges
+++ b/source4/scripting/devel/getncchanges
@@ -13,6 +13,7 @@ import samba.getopt as options
from samba.dcerpc import drsuapi, misc
from samba.samdb import SamDB
from samba.auth import system_session
+from samba.ndr import ndr_unpack
def do_DsBind(drs):
'''make a DsBind call, returning the binding handle'''
@@ -100,18 +101,35 @@ if __name__ == "__main__":
parser.add_option("", "--dn", dest="dn", help="DN to replicate",)
parser.add_option("", "--exop", dest="exop", help="extended operation",)
parser.add_option("", "--pas", dest="use_pas", action='store_true', default=False,
- help="send partial attribute set",)
+ help="send partial attribute set (for RODC)")
parser.add_option("", "--nb-iter", type='int', help="Number of getncchange iterations")
- parser.add_option("", "--dest-dsa", type='str',
- default='"9c637462-5b8c-4467-aef2-bdb1f57bc4ef"', help="destination DSA GUID")
+ parser.add_option("", "--dest-dsa", type='str', help="destination DSA GUID")
+ parser.add_option("", "--rodc", action='store_true', default=False,
+ help='use RODC replica flags')
+ parser.add_option("", "--partial-rw", action='store_true', default=False,
+ help='use RW partial replica flags, not be confused with --pas')
parser.add_option("", "--replica-flags", type='int',
default=drsuapi.DRSUAPI_DRS_INIT_SYNC |
drsuapi.DRSUAPI_DRS_PER_SYNC |
+ drsuapi.DRSUAPI_DRS_WRIT_REP |
drsuapi.DRSUAPI_DRS_GET_ANC |
drsuapi.DRSUAPI_DRS_NEVER_SYNCED,
help='replica flags')
(opts, args) = parser.parse_args()
+ if opts.rodc:
+ opts.replica_flags = drsuapi.DRSUAPI_DRS_INIT_SYNC |\
+ drsuapi.DRSUAPI_DRS_PER_SYNC |\
+ drsuapi.DRSUAPI_DRS_GET_ANC |\
+ drsuapi.DRSUAPI_DRS_NEVER_SYNCED |\
+ drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |\
+ drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP
+
+ if opts.partial_rw:
+ opts.replica_flags = drsuapi.DRSUAPI_DRS_INIT_SYNC |\
+ drsuapi.DRSUAPI_DRS_PER_SYNC |\
+ drsuapi.DRSUAPI_DRS_GET_ANC |\
+ drsuapi.DRSUAPI_DRS_NEVER_SYNCED
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
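Review bot: in the block after `parser.parse_args()`, `--rodc` and `--partial-rw` assign `opts.replica_flags` unconditionally, so a value the user passed with `--replica-flags` is silently discarded. Either reject that combination with `parser.error`, or apply the presets only when `--replica-flags` was not given (for example by defaulting it to None and filling in the default afterwards). The four flags shared by the default and both presets (`INIT_SYNC`, `PER_SYNC`, `GET_ANC`, `NEVER_SYNCED`) are now spelled out three times; a single base value would keep them in step. The `--partial-rw` help text should read "not to be confused with --pas".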
@@ -122,6 +140,9 @@ if __name__ == "__main__":
if creds.is_anonymous():
parser.error("You must supply credentials")
+ if opts.partial_rw and opts.rodc:
+ parser.error("Can't specify --partial-rw and --rodc")
+
server = args[0]
binding_str = "ncacn_ip_tcp:%s[seal,print]" % server
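Review bot: this `--partial-rw`/`--rodc` exclusion check sits after the credentials check, while the code that acts on both options runs right after `parser.parse_args()`, so by the time it fires `opts.replica_flags` has already been overwritten. It is harmless because `parser.error` exits, but moving the check directly after `parse_args()`, ahead of the flag assignments, keeps option validation in one place.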
@@ -148,8 +169,24 @@ if __name__ == "__main__":
else:
exop = int(opts.exop)
+ dest_dsa = opts.dest_dsa
+ if not dest_dsa:
+ print "no dest_dsa specified trying to figure out from ldap"
+ msgs = samdb.search(controls=["search_options:1:2"],
+ expression='(objectclass=ntdsdsa)')
+ if len(msgs) == 1:
+ dest_dsa = str(ndr_unpack(misc.GUID, msgs[0]["invocationId"][0]))
+ print "Found this dsa: %s" % dest_dsa
+ else:
+ # TODO fixme
+ pass
+ if not dest_dsa:
+ print "Unable to find the dest_dsa automatically please specify it"
+ import sys
+ sys.exit(1)
+
null_guid = misc.GUID()
- req8.destination_dsa_guid = misc.GUID(opts.dest_dsa)
+ req8.destination_dsa_guid = misc.GUID(dest_dsa)
req8.source_dsa_invocation_id = misc.GUID(samdb.get_invocation_id())
req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
req8.naming_context.dn = opts.dn.decode("utf-8")
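Review bot: the automatic lookup only succeeds when the `(objectclass=ntdsdsa)` search returns exactly one entry; the `else` branch is a `# TODO fixme` with `pass`, so any other result count falls through to "Unable to find the dest_dsa automatically" and exits without saying why. The message should state how many DSA objects were found (and ideally list them) so the user knows what to pass to `--dest-dsa`. The value is read from `invocationId` but assigned to `req8.destination_dsa_guid`, while the next line fills `source_dsa_invocation_id` separately; please confirm that the invocation ID, and not the DSA object's GUID, is the intended value here, and say so in a comment. `import sys` belongs with the imports at the top of the file, and the failure message would be better written to stderr.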
diff --git a/source4/scripting/python/samba/dbchecker.py b/source4/scripting/python/samba/dbchecker.py
index 91ae0b6..bc68457 100644
--- a/source4/scripting/python/samba/dbchecker.py
+++ b/source4/scripting/python/samba/dbchecker.py
@@ -59,11 +59,19 @@ class dbcheck(object):
self.rid_dn = ldb.Dn(samdb, "CN=RID Manager$,CN=System," + samdb.domain_dn())
self.ntds_dsa = samdb.get_dsServiceName()
- res = self.samdb.search(base=self.ntds_dsa, scope=ldb.SCOPE_BASE, attrs=['msDS-hasMasterNCs'])
+ res = self.samdb.search(base=self.ntds_dsa, scope=ldb.SCOPE_BASE, attrs=['msDS-hasMasterNCs', 'hasMasterNCs'])
if "msDS-hasMasterNCs" in res[0]:
self.write_ncs = res[0]["msDS-hasMasterNCs"]
else:
- self.write_ncs = None
+ # If the Forest Level is less than 2003 then there is no
+ # msDS-hasMasterNCs, so we fall back to hasMasterNCs
+ # no need to merge as all the NCs that are in hasMasterNCs must
+ # also be in msDS-hasMasterNCs (but not the opposite)
+ if "hasMasterNCs" in res[0]:
+ self.write_ncs = res[0]["hasMasterNCs"]
+ else:
+ self.write_ncs = None
+
def check_database(self, DN=None, scope=ldb.SCOPE_SUBTREE, controls=[], attrs=['*']):
'''perform a database check, returning the number of errors found'''
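Review bot: the new fallback nests an `if`/`else` inside the existing `else`, which can be flattened to `elif "hasMasterNCs" in res[0]:` followed by a single `else: self.write_ncs = None`, with the explanatory comment placed above the `elif`. The comment says "less than 2003" while the commit message speaks of level 2000; using the same wording in both would avoid confusion. `self.write_ncs` can still end up as `None` when neither attribute is present, so that case remains for the code that reads it to handle.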
--
Samba Shared Repository