[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Mar 22 23:06:01 UTC 2023


The branch, master has been updated
       via  86b6353644d python:join: run domain adprep as part of join_provision_own_domain()
       via  4bba26579d1 python:provision: run adprep as part of provision
       via  f6d9f3760f7 samba-tool: let 'domain provision' to use the 2019 schema by default
       via  90faa58e7fb samba-tool: let 'domain schemaupgrade' to use the 2019 schema by default
       via  245a8aaf41f samba-tool: let 'domain functionalprep' to use functional level 2016 by default
       via  da74c3fde10 samba-tool: allow 'domain level raise' to support level 2016
       via  e855fe20681 python/samba: let get_domain_descriptor() include adprep 2016 ACEs
       via  1e024f6568e domain_update: implement updates 82-89 in order to reach the latest w2016 level
       via  c8f8efb31e9 forest_update: behave more like a Windows 2022 server
       via  c405f211760 setup/adprep: import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md
       via  c4b87dd50de setup/ad-schema: add the latest v1803 and v1903 schema files from Microsoft
       via  dcce25ae8a7 python/samba: adapt ms_schema[_markdown].py to the latest schema definitions
       via  b2fbfa0ff1c python/samba: adapt ms_forest_updates_markdown.py to the latest Forest-Wide-Updates.md
       via  17ce8beac3f python/samba: add support for LDB_CHANGETYPE_MODRDN to modify_ldif()
       via  167f0235865 lib/ldb: add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject()
       via  5011221996f python/samba: add support for LDB_CHANGETYPE_DELETE to modify_ldif()
       via  7055ec0a0b9 lib/ldb: add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject()
       via  3ad3c1a69d0 python/samba: let modify_ldif() verify the changetype value
       via  e24e7b96338 lib/ldb: re-order code in ldb_ldif_to_pyobject()
       via  cc5df80152d lib/ldb: let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix
       via  f860e19c846 domain_update: make use of self.sd_utils.update_aces_in_dacl()
       via  a3dac8efe4b domain_update: remove useless searches to '(objectClass=samDomain)'
       via  c87f2606ae3 domain_update: make use of '"CN"' in sddl instead of using an explicit SID
       via  a10f4f7cd25 domain_update: be more verbose about updates
       via  a8c0e82f928 forest_update: be more verbose about updates
       via  65275acf058 forest_update: make use of self.sd_utils.update_aces_in_dacl()
       via  a89b158d3f1 forest_update: we don't need any controls to update sddl attributes
       via  f1f79a2e4b1 forest_update: only update SDDL for schema objects
       via  838a36c743c forest_update: ignore ldb.ERR_ATTRIBUTE_OR_VALUE_EXISTS in operation_ldif()
       via  7fe87d3c8de functional_prep: fix error handling in order to stop on the first error
       via  65653bb02c2 schema_upgrade: add support for ntdsschemamodrdn and ntdsschemadelete
       via  65294d56bdf python/tests: use changetype: modify in order to delete a single attribute
       via  c35ae5a77d5 s4:dsdb/tests: use changetype: modify in order to delete a single attribute
       via  01400b59803 blackbox/dbcheck: also run currently unused dbcheck_reset_well_known_acls
       via  bb09c06d6d5 libcli/security: rewrite calculate_inherited_from_parent()
       via  a0217c50e92 s4:dsdb/tests: add more detailed tests to sec_descriptor.py
       via  731c85add11 s4:dsdb/tests: allow sec_descriptor.py to run against Windows 2022
       via  6de4849f9ca s4:dsdb/tests: convert sec_descriptor.py to use assert[Not]In()
       via  2436d621d19 s4:dsdb/tests: let AclUndeleteTests.test_undelete() remove the temporary ACE again
       via  e0a8e043d33 s4:dsdb/tests: let OwnerGroupDescriptorTests() remove temporary ACEs on cleanup
       via  7b0d5285361 s4:dsdb/tests: let OwnerGroupDescriptorTests.test_141() set the required ACE explicitly
      from  7e3cbc2c641 s4:kdc: Fix typo

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 86b6353644dc9e32d250efffab13ebde7009477d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 16:48:26 2023 +0100

    python:join: run domain adprep as part of join_provision_own_domain()
    
    This is currently unused as we don't support more than one
    domain per forest, but it will help in future.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Mar 22 23:05:39 UTC 2023 on atb-devel-224

commit 4bba26579d124af6c0767bb98bee67357001e1e7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 16:48:26 2023 +0100

    python:provision: run adprep as part of provision
    
    With the default of base_schema=2019 we'll adprep to 2016.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f6d9f3760f7df8595a3882b3ad526326abbba1ca
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:05:01 2023 +0100

    samba-tool: let 'domain provision' to use the 2019 schema by default
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 90faa58e7fb7cc7979f0e85bfcf9fc925879e8ce
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:05:01 2023 +0100

    samba-tool: let 'domain schemaupgrade' to use the 2019 schema by default
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 245a8aaf41f652e2112dfa4b2c32613968656380
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:05:01 2023 +0100

    samba-tool: let 'domain functionalprep' to use functional level 2016 by default
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit da74c3fde105789919f45088fba6a2731a98c35c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:05:01 2023 +0100

    samba-tool: allow 'domain level raise' to support level 2016
    
    We don't support anything higher than 2008_R2 in Samba, but
    it's possible to run this against a remote server too.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e855fe206810e48181cb3431a80840bf618d5f16
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 18 16:00:14 2023 +0100

    python/samba: let get_domain_descriptor() include adprep 2016 ACEs
    
    We need to make sure a new provision as well as dbcheck
    --reset-well-known-acls include acls used by adprep 2016,
    otherwise we would undo the adprep result.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1e024f6568ec03f7361a941ba7f3d7fb5801a30e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:15:55 2023 +0100

    domain_update: implement updates 82-89 in order to reach the latest w2016 level
    
    I implemented them by looking at
    source4/setup/adprep/WindowsServerDocs/Domain-Wide-Updates.md.unused
    and looking at a network capture where a Windows 2022 joins a
    Windows 2008R2 domain.
    
    The strange thing is that Windows (tested with server 2022) uses
    c81fc9cc-0130-f4d1-b272-634d74818133 for update 83, while
    Domain-Wide-Updates.md and a fresh installation use
    c81fc9cc-0130-4fd1-b272-634d74818133. In order to match a fresh
    installation we use c81fc9cc-0130-4fd1-b272-634d74818133.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c8f8efb31e9fc7e9e66869811a78ae14ca127e00
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:13:09 2023 +0100

    forest_update: behave more like a Windows 2022 server
    
    It means we apply updates from 11-142 and list
    all known updates. It turns out that update 53 is actually
    update 54...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c405f2117608a6249494e1239faea711a9c756ca
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Feb 23 08:44:05 2019 +0100

    setup/adprep: import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md
    
    We have Domain-Wide-Updates.md and Read-Only-Domain-Controller-Updates.md only
    for completeness, they are not parsed/used yet, so we added .unused in
    order to avoid confusion in future.
    
    Initially I tried to go with an ms_domain_updates_markdown.py,
    but it is easier to add the current updates by hand to
    domain_update.py, which will follow in the next commits.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c4b87dd50deacca00dfe70df6ab5872e0cae34e8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Feb 23 08:44:05 2019 +0100

    setup/ad-schema: add the latest v1803 and v1903 schema files from Microsoft
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dcce25ae8a769fe5ea5df7ad0eaa27283b1b34cd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:02:29 2023 +0100

    python/samba: adapt ms_schema[_markdown].py to the latest schema definitions
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b2fbfa0ff1cdecc272d0e71d5ab73febc6af455e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:02:04 2023 +0100

    python/samba: adapt ms_forest_updates_markdown.py to the latest Forest-Wide-Updates.md
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 17ce8beac3fc05cd92a9cf6d3d9f179bb03a738b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 15:03:39 2023 +0100

    python/samba: add support for LDB_CHANGETYPE_MODRDN to modify_ldif()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 167f0235865e4bffcb140c3e636533aa230c4db7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 14:58:29 2023 +0100

    lib/ldb: add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5011221996f34c0df0660b55537dfc1a5c7a951b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 14:56:55 2023 +0100

    python/samba: add support for LDB_CHANGETYPE_DELETE to modify_ldif()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7055ec0a0b9ac1bd443360b8b358894e0a79dc69
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 14:55:12 2023 +0100

    lib/ldb: add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3ad3c1a69d01c4de87476824d84539b186b6b587
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 14:42:29 2023 +0100

    python/samba: let modify_ldif() verify the changetype value
    
    DELETE and MODRDN are not really supported yet.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e24e7b96338e1d7bd157f89456a917465b658db7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 14:35:20 2023 +0100

    lib/ldb: re-order code in ldb_ldif_to_pyobject()
    
    We don't allow MODRDN and DELETE for now as they
    don't work as is anyway. We'll add these in the next steps.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cc5df80152d713dfa6652efc3c4fa3fa46b8faf8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 14:56:39 2023 +0100

    lib/ldb: let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix
    
    This is needed in order to process schema updates.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f860e19c8465608266161c2909fea8ad74aec874
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 12:32:10 2023 +0100

    domain_update: make use of self.sd_utils.update_aces_in_dacl()
    
    There's only a single domainDNS object in a domain and it's
    the partition base object...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a3dac8efe4b6c5b55c3dfde7ee40e45706455058
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 12:05:24 2023 +0100

    domain_update: remove useless searches to '(objectClass=samDomain)'
    
    samDomain is an auxiliary class of domainDNS, so we'll handle them
    in the search for domainDNS anyway. In addition searches for auxiliary
    classes will never be found in searches.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c87f2606ae3a2dbca369b8b94d2255371a963226
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 11:57:14 2023 +0100

    domain_update: make use of '"CN"' in sddl instead of using an explicit SID
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a10f4f7cd25c06b7d8573195150b3c4557743370
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:10:56 2023 +0100

    domain_update: be more verbose about updates
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a8c0e82f9287d3dc4997cb9336dea4742687d8e7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:10:33 2023 +0100

    forest_update: be more verbose about updates
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 65275acf0588a366797f80b8668cdcacaa18e495
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 13:49:09 2023 +0100

    forest_update: make use of self.sd_utils.update_aces_in_dacl()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a89b158d3f1cb65f979a762f25624850fd75e311
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 13 13:53:53 2023 +0100

    forest_update: we don't need any controls to update sddl attributes
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f1f79a2e4b18e4e5a927557889572a9004f7ed32
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 11 03:35:57 2023 +0100

    forest_update: only update SDDL for schema objects
    
    Updates to domainDNS objects are done by the domain updates.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 838a36c743c7d0dff98e7ab7c9de6154221c7c9e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:11:55 2023 +0100

    forest_update: ignore ldb.ERR_ATTRIBUTE_OR_VALUE_EXISTS in operation_ldif()
    
    This matches what Windows is doing...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7fe87d3c8decea40aa4b76fb4446b47f2aebeac9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:05:59 2023 +0100

    functional_prep: fix error handling in order to stop on the first error
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 65653bb02c269e132097452a5a82bf991b4b1ea8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 15:03:14 2023 +0100

    schema_upgrade: add support for ntdsschemamodrdn and ntdsschemadelete
    
    They are used in newer schema upgrades from Microsoft.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 65294d56bdf82aa68ff9087810e593e245b3cb4d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 17:07:20 2023 +0100

    python/tests: use changetype: modify in order to delete a single attribute
    
    'changetype: delete' is used to delete a whole object!
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c35ae5a77d5883383b5e26358222948dcb79b4d2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 17:01:55 2023 +0100

    s4:dsdb/tests: use changetype: modify in order to delete a single attribute
    
    'changetype: delete' is used to delete a whole object!
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 01400b59803b4ff70178dfe9da17cfa0a006821b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 18 13:54:40 2023 +0100

    blackbox/dbcheck: also run currently unused dbcheck_reset_well_known_acls
    
    This makes sure that we detect if dbcheck --reset-well-known-acls
    tries to reset to unexpected values, which we expect to correct in
    recent provisions.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bb09c06d6d58a04e1d270a9f99d1179cfa9acbda
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 18 01:17:04 2023 +0100

    libcli/security: rewrite calculate_inherited_from_parent()
    
    This allows us to pass the new tests we just added.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a0217c50e920557046628bb171f2addea2ad7416
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 22 14:48:00 2023 +0100

    s4:dsdb/tests: add more detailed tests to sec_descriptor.py
    
    These demonstrate how inherited aces are constructed and applied
    per objectclass, with and without the NO_PROPAGATE_INHERIT flag.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 731c85add116b8ab192d9a2d3bc56296635a226d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 22 14:48:00 2023 +0100

    s4:dsdb/tests: allow sec_descriptor.py to run against Windows 2022
    
    We need SEC_STD_DELETE in order to run the test twice against the same server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6de4849f9cacbe7e08834fa340a70f7aebe9e6f9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 22 14:48:00 2023 +0100

    s4:dsdb/tests: convert sec_descriptor.py to use assert[Not]In()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2436d621d1940f127f164ca227a14b1d9b573eb5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 20 13:02:47 2023 +0100

    s4:dsdb/tests: let AclUndeleteTests.test_undelete() remove the temporary ACE again
    
    Otherwise we impact other unrelated tests, e.g. 'blackbox.dbcheck'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e0a8e043d339cf5e1c9b2643e6d151ab2ae81c05
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 20 12:04:37 2023 +0100

    s4:dsdb/tests: let OwnerGroupDescriptorTests() remove temporary ACEs on cleanup
    
    Otherwise we impact other unrelated tests, e.g. 'blackbox.dbcheck'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7b0d5285361e6dc40e09bc0d36bb2aae5d5a86a7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 20 12:04:37 2023 +0100

    s4:dsdb/tests: let OwnerGroupDescriptorTests.test_141() set the required ACE explicitly
    
    All other tests use the same logic and run before, which means the ACE
    is already there and is implicitly required.
    
    As we want to cleanup the ACE after each test in the next step,
    as the tests should not have side effects for other tests, e.g.
    'blackbox.dbcheck'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_ldif.c                          |    20 +
 lib/ldb/pyldb.c                                    |   104 +-
 libcli/security/create_descriptor.c                |   247 +-
 python/samba/__init__.py                           |    17 +-
 python/samba/descriptor.py                         |     7 +
 python/samba/domain_update.py                      |   382 +-
 python/samba/forest_update.py                      |   251 +-
 python/samba/join.py                               |    29 +-
 python/samba/ms_forest_updates_markdown.py         |    41 +-
 python/samba/ms_schema.py                          |    11 +-
 python/samba/ms_schema_markdown.py                 |     4 +
 python/samba/netcmd/domain.py                      |    81 +-
 python/samba/provision/__init__.py                 |    71 +-
 python/samba/schema.py                             |    10 +-
 python/samba/tests/audit_log_dsdb.py               |     4 +-
 python/samba/upgradehelpers.py                     |     5 +-
 source4/dsdb/tests/python/acl.py                   |     1 +
 source4/dsdb/tests/python/notification.py          |     2 +-
 source4/dsdb/tests/python/sec_descriptor.py        |   812 +-
 source4/scripting/bin/samba_upgradeprovision       |     2 +-
 ...f => AD_DS_Attributes_Windows_Server_v1903.ldf} | 26350 ++++-----
 ... => AD_DS_Attributes__Windows_Server_v1803.ldf} | 26350 ++++-----
 ....ldf => AD_DS_Classes_Windows_Server_v1903.ldf} |  1254 +-
 ...ldf => AD_DS_Classes__Windows_Server_v1803.ldf} |   185 +-
 .../Domain-Wide-Updates.md.unused                  |    58 +
 .../WindowsServerDocs/Forest-Wide-Updates.md       |    95 +-
 .../Read-Only-Domain-Controller-Updates.md.unused  |    16 +
 .../setup/adprep/WindowsServerDocs/Sch49.ldf.diff  |    13 +-
 .../setup/adprep/WindowsServerDocs/Sch50.ldf.diff  |    16 +-
 .../setup/adprep/WindowsServerDocs/Sch51.ldf.diff  |    30 +-
 .../setup/adprep/WindowsServerDocs/Sch57.ldf.diff  |    16 +-
 .../setup/adprep/WindowsServerDocs/Sch59.ldf.diff  |    12 +-
 .../adprep/WindowsServerDocs/Schema-Updates.md     | 53142 +++++++++++++++++--
 source4/setup/tests/blackbox_provision.sh          |    30 +-
 testprogs/blackbox/dbcheck-oldrelease.sh           |     8 +-
 testprogs/blackbox/dbcheck.sh                      |     9 +-
 testprogs/blackbox/functionalprep.sh               |    23 +-
 testprogs/blackbox/schemaupgrade.sh                |     2 +-
 38 files changed, 77201 insertions(+), 32509 deletions(-)
 copy source4/setup/ad-schema/{AD_DS_Attributes__Windows_Server_2016.ldf => AD_DS_Attributes_Windows_Server_v1903.ldf} (96%)
 copy source4/setup/ad-schema/{AD_DS_Attributes__Windows_Server_2016.ldf => AD_DS_Attributes__Windows_Server_v1803.ldf} (96%)
 copy source4/setup/ad-schema/{AD_DS_Classes__Windows_Server_2016.ldf => AD_DS_Classes_Windows_Server_v1903.ldf} (81%)
 copy source4/setup/ad-schema/{AD_DS_Classes__Windows_Server_2016.ldf => AD_DS_Classes__Windows_Server_v1803.ldf} (94%)
 create mode 100644 source4/setup/adprep/WindowsServerDocs/Domain-Wide-Updates.md.unused
 create mode 100644 source4/setup/adprep/WindowsServerDocs/Read-Only-Domain-Controller-Updates.md.unused


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_ldif.c b/lib/ldb/common/ldb_ldif.c
index 6f7589fef68..fc9a4fd0939 100644
--- a/lib/ldb/common/ldb_ldif.c
+++ b/lib/ldb/common/ldb_ldif.c
@@ -584,6 +584,7 @@ int ldb_ldif_parse_modrdn(struct ldb_context *ldb,
 			  struct ldb_dn **_newdn)
 {
 	struct ldb_message *msg = ldif->msg;
+	struct ldb_val _newrdn_val = {};
 	struct ldb_val *newrdn_val = NULL;
 	struct ldb_val *deleteoldrdn_val = NULL;
 	struct ldb_val *newsuperior_val = NULL;
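Review bot: `struct ldb_val _newrdn_val = {};` uses an empty initializer list, which is a GNU extension before C23; a designated initializer such as `{ .data = NULL, }` is portable across the compilers ldb is built with and makes the zeroed state explicit.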
@@ -667,6 +668,25 @@ int ldb_ldif_parse_modrdn(struct ldb_context *ldb,
 		goto err_op;
 	}
 
+	if (newrdn_val->length != 0 && strchr((const char *)newrdn_val->data, '=') == NULL) {
+		const char *rdn_name = ldb_dn_get_rdn_name(olddn);
+		char *new_rdn = NULL;
+
+		new_rdn = talloc_asprintf(tmp_ctx,
+					  "%s=%s",
+					  rdn_name,
+					  (const char *)newrdn_val->data);
+		if (new_rdn == NULL) {
+			ldb_debug(ldb, LDB_DEBUG_ERROR,
+				  "Error: failed to allocate '%s=%s'",
+				  rdn_name, (char *)newrdn_val->data);
+			goto err_op;
+		}
+		_newrdn_val.data = (uint8_t *)new_rdn;
+		_newrdn_val.length = strlen(new_rdn);
+		newrdn_val = &_newrdn_val;
+	}
+
 	newrdn = ldb_dn_from_ldb_val(tmp_ctx, ldb, newrdn_val);
 	if (!ldb_dn_validate(newrdn)) {
 		ldb_debug(ldb, LDB_DEBUG_ERROR,
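Review bot: in the new prefix fallback, the result of `ldb_dn_get_rdn_name(olddn)` is passed straight to the `%s` of `talloc_asprintf()` without a NULL check; if `olddn` has no RDN component, `rdn_name` is NULL there and again in the allocation-failure debug message, so check it and `goto err_op` first. The `strchr()` on `newrdn_val->data` also relies on the value being NUL-terminated instead of using `newrdn_val->length`; `memchr(newrdn_val->data, '=', newrdn_val->length)` stays inside the buffer. It is also worth a comment that a bare new RDN value which itself contains '=' is treated as already prefixed and skips this path.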
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index da60572ff0f..b7bc3bf0e62 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -1709,20 +1709,97 @@ static PyObject *py_ldb_schema_attribute_add(PyLdbObject *self, PyObject *args)
 	Py_RETURN_NONE;
 }
 
-static PyObject *ldb_ldif_to_pyobject(struct ldb_ldif *ldif)
+static PyObject *ldb_ldif_to_pyobject(struct ldb_context *ldb, struct ldb_ldif *ldif)
 {
+	PyObject *obj = NULL;
+	PyObject *result = NULL;
+
 	if (ldif == NULL) {
 		Py_RETURN_NONE;
-	} else {
-	/* We don't want this attached to the 'ldb' any more */
-		PyObject *obj = PyLdbMessage_FromMessage(ldif->msg);
-		PyObject *result =
-			Py_BuildValue(discard_const_p(char, "(iO)"),
-				      ldif->changetype,
-				      obj);
-		Py_CLEAR(obj);
-		return result;
 	}
+
+	switch (ldif->changetype) {
+	case LDB_CHANGETYPE_NONE:
+	case LDB_CHANGETYPE_ADD:
+		obj = PyLdbMessage_FromMessage(ldif->msg);
+		break;
+	case LDB_CHANGETYPE_MODIFY:
+		obj = PyLdbMessage_FromMessage(ldif->msg);
+		break;
+	case LDB_CHANGETYPE_DELETE:
+		if (ldif->msg->num_elements != 0) {
+			PyErr_Format(PyExc_ValueError,
+				     "CHANGETYPE(DELETE) with num_elements=%u",
+				     ldif->msg->num_elements);
+			return NULL;
+		}
+		obj = pyldb_Dn_FromDn(ldif->msg->dn);
+		break;
+	case LDB_CHANGETYPE_MODRDN: {
+		struct ldb_dn *olddn = NULL;
+		PyObject *olddn_obj = NULL;
+		bool deleteoldrdn = false;
+		PyObject *deleteoldrdn_obj = NULL;
+		struct ldb_dn *newdn = NULL;
+		PyObject *newdn_obj = NULL;
+		int ret;
+
+		ret = ldb_ldif_parse_modrdn(ldb,
+					    ldif,
+					    ldif,
+					    &olddn,
+					    NULL,
+					    &deleteoldrdn,
+					    NULL,
+					    &newdn);
+		if (ret != LDB_SUCCESS) {
+			PyErr_Format(PyExc_ValueError,
+				     "ldb_ldif_parse_modrdn() failed");
+			return NULL;
+		}
+
+		olddn_obj = pyldb_Dn_FromDn(olddn);
+		if (olddn_obj == NULL) {
+			return NULL;
+		}
+		if (deleteoldrdn) {
+			deleteoldrdn_obj = Py_True;
+		} else {
+			deleteoldrdn_obj = Py_False;
+		}
+		newdn_obj = pyldb_Dn_FromDn(newdn);
+		if (olddn_obj == NULL) {
+			deleteoldrdn_obj = NULL;
+			Py_CLEAR(olddn_obj);
+			return NULL;
+		}
+
+		obj = Py_BuildValue(discard_const_p(char, "{s:O,s:O,s:O}"),
+				    "olddn", olddn_obj,
+				    "deleteoldrdn", deleteoldrdn_obj,
+				    "newdn", newdn_obj);
+		Py_CLEAR(olddn_obj);
+		deleteoldrdn_obj = NULL;
+		Py_CLEAR(newdn_obj);
+		}
+		break;
+	default:
+		PyErr_Format(PyExc_NotImplementedError,
+			     "Unsupported LDB_CHANGETYPE(%u)",
+			     ldif->changetype);
+		return NULL;
+	}
+
+	if (obj == NULL) {
+		return NULL;
+	}
+
+	/* We don't want this being attached * to the 'ldb' any more */
+	result = Py_BuildValue(discard_const_p(char, "(iO)"),
+			       ldif->changetype,
+			       obj);
+	Py_CLEAR(obj);
+	return result;
 }
 
 
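Review bot: in the `LDB_CHANGETYPE_MODRDN` case, the check that follows `newdn_obj = pyldb_Dn_FromDn(newdn);` tests `olddn_obj == NULL` a second time, so a failed `newdn_obj` is never caught and is handed to `Py_BuildValue()` as NULL; the condition should be `newdn_obj == NULL`, keeping the `Py_CLEAR(olddn_obj)` on that path. Smaller points: `ldb_ldif_parse_modrdn()` failures are all reported as the same "ldb_ldif_parse_modrdn() failed" ValueError without the return code, and the comment before the final `Py_BuildValue()` has a stray `*` in "being attached * to".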
@@ -1784,10 +1861,12 @@ static PyObject *py_ldb_parse_ldif(PyLdbObject *self, PyObject *args)
 		talloc_steal(mem_ctx, ldif);
 		if (ldif) {
 			int res = 0;
-			PyObject *py_ldif = ldb_ldif_to_pyobject(ldif);
+			PyObject *py_ldif = ldb_ldif_to_pyobject(self->ldb_ctx, ldif);
 			if (py_ldif == NULL) {
 				Py_CLEAR(list);
-				PyErr_BadArgument();
+				if (PyErr_Occurred() == NULL) {
+					PyErr_BadArgument();
+				}
 				talloc_free(mem_ctx);
 				return NULL;
 			}
@@ -4427,6 +4506,7 @@ static PyObject* module_init(void)
 	ADD_LDB_INT(CHANGETYPE_ADD);
 	ADD_LDB_INT(CHANGETYPE_DELETE);
 	ADD_LDB_INT(CHANGETYPE_MODIFY);
+	ADD_LDB_INT(CHANGETYPE_MODRDN);
 
 	ADD_LDB_INT(FLAG_MOD_ADD);
 	ADD_LDB_INT(FLAG_MOD_REPLACE);
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 5a2351511ce..ccb32593ecb 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -79,7 +79,7 @@ uint32_t map_generic_rights_ds(uint32_t access_mask)
 
 /* Not sure what this has to be,
 * and it does not seem to have any influence */
-static bool object_in_list(struct GUID *object_list, struct GUID *object)
+static bool object_in_list(const struct GUID *object_list, const struct GUID *object)
 {
 	size_t i;
 
@@ -108,7 +108,7 @@ static bool object_in_list(struct GUID *object_list, struct GUID *object)
 /* returns true if the ACE gontains generic information
  * that needs to be processed additionally */
  
-static bool desc_ace_has_generic(struct security_ace *ace)
+static bool desc_ace_has_generic(const struct security_ace *ace)
 {
 	if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & SEC_GENERIC_READ ||
 	    ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & SEC_GENERIC_EXECUTE) {
@@ -156,12 +156,114 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 	}
 
 	for (i=0; i < acl->num_aces; i++) {
-		struct security_ace *ace = &acl->aces[i];
-		if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
-		    (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
-			struct GUID inherited_object = GUID_zero();
+		const struct security_ace *ace = &acl->aces[i];
+		const struct GUID *inherited_object = NULL;
+		const struct GUID *inherited_property = NULL;
+		struct security_ace *tmp_ace = NULL;
+		bool applies = false;
+		bool inherited_only = false;
+		bool expand_ace = false;
+		bool expand_only = false;
+
+		if (is_container && (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
+			applies = true;
+		} else if (!is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
+			applies = true;
+		}
+
+		if (!applies) {
+			/*
+			 * If the ace doesn't apply to the
+			 * current node, we should only keep
+			 * it as SEC_ACE_FLAG_OBJECT_INHERIT
+			 * on a container. We'll add
+			 * SEC_ACE_FLAG_INHERITED_ACE
+			 * and SEC_ACE_FLAG_INHERIT_ONLY below.
+			 *
+			 * Otherwise we should completely ignore it.
+			 */
+			if (!(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
+				continue;
+			}
+		}
+
+		switch (ace->type) {
+		case SEC_ACE_TYPE_ACCESS_ALLOWED:
+		case SEC_ACE_TYPE_ACCESS_DENIED:
+		case SEC_ACE_TYPE_SYSTEM_AUDIT:
+		case SEC_ACE_TYPE_SYSTEM_ALARM:
+		case SEC_ACE_TYPE_ALLOWED_COMPOUND:
+			break;
+
+		case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+		case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+		case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+			if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
+				inherited_property = &ace->object.object.type.type;
+			}
+			if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
+				inherited_object = &ace->object.object.inherited_type.inherited_type;
+			}
+
+			if (inherited_object != NULL && !object_in_list(object_list, inherited_object)) {
+				/*
+				 * An explicit object class schemaId is given,
+				 * but doesn't belong to the current object.
+				 */
+				applies = false;
+			}
 
-			tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces,
+			break;
+		}
+
+		if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
+			if (!applies) {
+				/*
+				 * If the ACE doesn't apply to
+				 * the current object, we should
+				 * ignore it as it should not be
+				 * inherited any further
+				 */
+				continue;
+			}
+			/*
+			 * We should only keep the expanded version
+			 * of the ACE on the current object.
+			 */
+			expand_ace = true;
+			expand_only = true;
+		} else if (applies) {
+			/*
+			 * We check if should also add
+			 * the expanded version of the ACE
+			 * in addition, in case we should
+			 * expand generic access bits or
+			 * special sids.
+			 *
+			 * In that case we need to
+			 * keep the original ACE with
+			 * SEC_ACE_FLAG_INHERIT_ONLY.
+			 */
+			expand_ace = desc_ace_has_generic(ace);
+			if (expand_ace) {
+				inherited_only = true;
+			}
+		} else {
+			/*
+			 * If the ACE doesn't apply
+			 * to the current object,
+			 * we need to keep it with
+			 * SEC_ACE_FLAG_INHERIT_ONLY
+			 * in order to apply them to
+			 * grandchildren
+			 */
+			inherited_only = true;
+		}
+
+		if (expand_ace) {
+			tmp_acl->aces = talloc_realloc(tmp_acl,
+						       tmp_acl->aces,
 						       struct security_ace,
 						       tmp_acl->num_aces+1);
 			if (tmp_acl->aces == NULL) {
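Review bot: The comment in the if (!applies) block says a non-applying ACE is kept only as SEC_ACE_FLAG_OBJECT_INHERIT on a container, but the test below it checks only the OBJECT_INHERIT flag and never is_container. That is correct only because on a non-container OBJECT_INHERIT already sets applies = true a few lines earlier; state that in the comment or test is_container explicitly, so a later change to how applies is computed cannot silently alter which ACEs are kept. Also, switch (ace->type) has no default case, so any ACE type outside the nine listed is inherited with applies unchanged; an explicit default would make that decision visible.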
@@ -169,61 +271,96 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 				return NULL;
 			}
 
-			tmp_acl->aces[tmp_acl->num_aces] = *ace;
-			tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
-			/* remove IO flag from the child's ace */
-			if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
-			    !desc_ace_has_generic(ace)) {
-				tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
-			}
+			tmp_ace = &tmp_acl->aces[tmp_acl->num_aces];
+			tmp_acl->num_aces++;
 
-			if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
-			    tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
-
-			switch (ace->type) {
-			case SEC_ACE_TYPE_ACCESS_ALLOWED:
-			case SEC_ACE_TYPE_ACCESS_DENIED:
-			case SEC_ACE_TYPE_SYSTEM_AUDIT:
-			case SEC_ACE_TYPE_SYSTEM_ALARM:
-			case SEC_ACE_TYPE_ALLOWED_COMPOUND:
-				break;
-
-			case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
-			case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
-			case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
-			case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
-				if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
-					inherited_object = ace->object.object.inherited_type.inherited_type;
-				}
+			*tmp_ace = *ace;
+
+			/*
+			 * Expand generic access bits as well as special
+			 * sids.
+			 */
+			desc_expand_generic(tmp_ace, owner, group);
+
+			/*
+			 * Expanded ACEs are marked as inherited,
+			 * but never inherited any further to
+			 * grandchildren.
+			 */
+			tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE;
+			tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
+			tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
+			tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
+
+			/*
+			 * Expanded ACEs never have an explicit
+			 * object class schemaId, so clear it
+			 * if present.
+			 */
+			if (inherited_object != NULL) {
+				tmp_ace->object.object.flags &= ~SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT;
+			}
 
-				if (!object_in_list(object_list, &inherited_object)) {
-					tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+			/*
+			 * If the ACE had an explicit object class
+			 * schemaId, but no attribute/propertySet
+			 * we need to downgrate the _OBJECT variants
+			 * to the normal ones.
+			 */
+			if (inherited_property == NULL) {
+				switch (tmp_ace->type) {
+				case SEC_ACE_TYPE_ACCESS_ALLOWED:
+				case SEC_ACE_TYPE_ACCESS_DENIED:
+				case SEC_ACE_TYPE_SYSTEM_AUDIT:
+				case SEC_ACE_TYPE_SYSTEM_ALARM:
+				case SEC_ACE_TYPE_ALLOWED_COMPOUND:
+					break;
+				case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+					tmp_ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+					break;
+				case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+					tmp_ace->type = SEC_ACE_TYPE_ACCESS_DENIED;
+					break;
+				case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+					tmp_ace->type = SEC_ACE_TYPE_SYSTEM_ALARM;
+					break;
+				case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+					tmp_ace->type = SEC_ACE_TYPE_SYSTEM_AUDIT;
+					break;
 				}
-
-				break;
 			}
 
-			tmp_acl->num_aces++;
-			if (is_container) {
-				if (!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) &&
-				    (desc_ace_has_generic(ace))) {
-					    tmp_acl->aces = talloc_realloc(tmp_acl,
-									   tmp_acl->aces,
-									   struct security_ace,
-									   tmp_acl->num_aces+1);
-					    if (tmp_acl->aces == NULL) {
-						    talloc_free(tmp_ctx);
-						    return NULL;
-					    }
-					    tmp_acl->aces[tmp_acl->num_aces] = *ace;
-					    desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces],
-								owner,
-								group);
-					    tmp_acl->aces[tmp_acl->num_aces].flags = SEC_ACE_FLAG_INHERITED_ACE;
-					    tmp_acl->num_aces++;
-				}
+			if (expand_only) {
+				continue;
 			}
 		}
+
+		tmp_acl->aces = talloc_realloc(tmp_acl,
+					       tmp_acl->aces,
+					       struct security_ace,
+					       tmp_acl->num_aces+1);
+		if (tmp_acl->aces == NULL) {
+			talloc_free(tmp_ctx);
+			return NULL;
+		}
+
+		tmp_ace = &tmp_acl->aces[tmp_acl->num_aces];
+		tmp_acl->num_aces++;
+
+		*tmp_ace = *ace;
+		tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE;
+
+		if (inherited_only) {
+			tmp_ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+		} else {
+			tmp_ace->flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
+		}
+
+		if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
+			tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
+			tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
+			tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
+		}
 	}
 	if (tmp_acl->num_aces == 0) {
 		return NULL;
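Review bot: The downgrade of the _OBJECT ACE types in the expand path is guarded only by inherited_property == NULL, while its comment describes the case where an explicit object class schemaId was present. Either also test inherited_object != NULL or reword the comment to say that any expanded object ACE without a property GUID is downgraded (the comment also has the typo "downgrate"). The talloc_realloc-and-append sequence now appears twice in the loop, once for the expanded copy and once for the plain copy; a small helper returning the new tmp_ace would keep the two error paths from diverging.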
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index 54c67fed233..c4ddf18da60 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -235,10 +235,25 @@ class Ldb(_Ldb):
         :param ldif: LDIF text.
         """
         for changetype, msg in self.parse_ldif(ldif):
+            if changetype == ldb.CHANGETYPE_NONE:
+                changetype = ldb.CHANGETYPE_MODIFY
+
             if changetype == ldb.CHANGETYPE_ADD:
                 self.add(msg, controls)
-            else:
+            elif changetype == ldb.CHANGETYPE_MODIFY:
                 self.modify(msg, controls)
+            elif changetype == ldb.CHANGETYPE_DELETE:
+                deldn = msg
+                self.delete(deldn, controls)
+            elif changetype == ldb.CHANGETYPE_MODRDN:
+                olddn = msg["olddn"]
+                deleteoldrdn = msg["deleteoldrdn"]
+                newdn = msg["newdn"]
+                if deleteoldrdn is False:
+                    raise ValueError("Invalid ldb.CHANGETYPE_MODRDN with deleteoldrdn=False")
+                self.rename(olddn, newdn, controls)
+            else:
+                raise ValueError("Invalid ldb.CHANGETYPE_%u: %s" % (changetype, msg))
 
 
 def substitute_var(text, values):
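Review bot: In the CHANGETYPE_MODRDN branch, "deleteoldrdn is False" is an identity test, so it rejects only the bool False; a 0 or other falsy value from parse_ldif() would pass and the rename would proceed. Use "if not deleteoldrdn" unless the parser is guaranteed to return a bool. The new ValueError paths also fire mid-loop, after earlier records of the same LDIF have already been applied, and the docstring still documents only the ldif parameter; both are worth stating there.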
diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
index e2d1e38ccf9..5b911685db8 100644
--- a/python/samba/descriptor.py
+++ b/python/samba/descriptor.py
@@ -201,6 +201,13 @@ def get_domain_descriptor(domain_sid, name_map=None):
         "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
         "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \
         "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \
+        "(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)" \
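Review bot: The added ACE carries two bare GUIDs (object type ea1b7b93-5e48-46d5-bc6c-4df4fda78a35 and inherited object type bf967a86-0de6-11d0-a285-00aa003049e2) with nothing naming the attribute or class they refer to, and it is the only visible entry in this list that fills the inherited object type field. A comment naming both, and the adprep update the ACE comes from, would let a reader check the WP grant to PS without looking the GUIDs up.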


-- 
Samba Shared Repository


