[PATCH 09/10] s4: Run twice update_sd, one with the system, one with the domain admin

Matthieu Patou mat at matws.net
Fri Nov 27 06:53:58 MST 2009


---
 source4/scripting/bin/upgradeprovision |   38 ++++++++++++++-----------------
 1 files changed, 17 insertions(+), 21 deletions(-)

diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index 56ff91c..a463b8b 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -582,18 +582,16 @@ def check_updated_sd(newpaths,paths,creds,session,names):
 		if hash_new.has_key(key):
 			sddl = ndr_unpack(security.descriptor,str(res2[i]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
 			if sddl != hash_new[key]:
-				print key
+				print "%s new sddl/sddl in ref"%key
 				print "%s\n%s"%(sddl,hash_new[key])
 
 # Simple update method for updating the SD that rely on the fact that nobody should have modified the SD 
 # This assumption is safe right now (alpha9) but should be removed asap
 def update_sd(newpaths,paths,creds,session,names):
-	domSID = security.dom_sid(names.domainsid)
-	admin_session_info = admin_session(lp, names.domainsid)
-	sam_ldb = Ldb(paths.samdb, session_info=admin_session, credentials=creds,lp=lp)
+	sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
 	sam_ldb.transaction_start()
 	# First update the SD for the rootdn
-	sam_ldb.set_session_info(admin_session_info)
+	sam_ldb.set_session_info(session)
 	res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
 	delta = ldb.Message()
 	delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"]))
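Review bot: Now that `Ldb(...)` on the first new line is constructed with `session_info=session`, the `sam_ldb.set_session_info(session)` two lines below re-sets the same session and can be dropped, and the comment above `update_sd` no longer says which identity the work runs as. I would extend that comment with `# Runs as the caller-supplied session; the caller invokes this twice (once as system, once as the domain admin), see the call sites at the end of the script`. The `# First update the SD for the rootdn` comment previously marked a session switch and should now just describe the rootdn search. update_sd continues past this hunk, and check_updated_sd begins before it.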
@@ -627,23 +625,17 @@ def update_sd(newpaths,paths,creds,session,names):
 	listkeys = hash.keys()
 	listkeys.sort(dn_sort)
 
-	# SD should be created with admin but as some previous acl were so wrong that admin can't modify them we have first
-	# to recreate them with the good form and then give the ownership to admin ...
-	system_session_info = system_session()
-	sam_ldb.set_session_info(system_session_info)
-	for key in listkeys:
-		delta = ldb.Message()
-		delta.dn = ldb.Dn(sam_ldb,key)
-		delta["whenCreated"] = ldb.MessageElement( hash[key],ldb.FLAG_MOD_REPLACE,"whenCreated" )
-		sam_ldb.modify(delta,["recalculate_sd:0"])
-
-	
-	sam_ldb.set_session_info(admin_session_info)
 	for key in listkeys:
-		delta = ldb.Message()
-		delta.dn = ldb.Dn(sam_ldb,key)
-		delta["whenCreated"] = ldb.MessageElement( hash[key],ldb.FLAG_MOD_REPLACE,"whenCreated" )
-		sam_ldb.modify(delta,["recalculate_sd:0"])
+		try:
+			delta = ldb.Message()
+			delta.dn = ldb.Dn(sam_ldb,key)
+			delta["whenCreated"] = ldb.MessageElement( hash[key],ldb.FLAG_MOD_REPLACE,"whenCreated" )
+			sam_ldb.modify(delta,["recalculate_sd:0"])
+		except:
+			sam_ldb.transaction_cancel()
+			res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"])
+			print "bad stuff" +ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
+			return
 	sam_ldb.transaction_commit()
 
 def rmall(topdir):
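Review bot: The new bare `except:` swallows the failure: it cancels the transaction, prints a descriptor and `return`s None, so the caller (the two `update_sd` calls later in this patch) cannot tell the first pass aborted and the script still reports "Upgrade finished !"; a bare `except:` also catches KeyboardInterrupt. Narrow it and re-raise after the cleanup, e.g. `except Exception, e:` … `print "update_sd failed on %s: %s"%(key,e)` … `raise` in place of `return`. The diagnostic search is also misdirected: with `base=str(names.rootdn)` and `SCOPE_SUBTREE`, `res[0]` is the root object's descriptor rather than that of the `key` that failed — `base=key, scope=SCOPE_BASE` would print the relevant one. update_sd's header and the start of its body lie outside this hunk.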
@@ -751,7 +743,11 @@ update_machine_account_password(newpaths,paths,creds,session,names)
 
 if opts.full:
 	update_samdb(newpaths,paths,creds,session,names)
+# SD should be created with admin but as some previous acl were so wrong that admin can't modify them we have first
+# to recreate them with the good form but with system account and then give the ownership to admin ...
+admin_session_info = admin_session(lp, str(names.domainsid))
 update_sd(newpaths,paths,creds,session,names)
+update_sd(newpaths,paths,creds,admin_session_info,names)
 check_updated_sd(newpaths,paths,creds,session,names)
 message(SIMPLE,"Upgrade finished !")
 # remove reference provision now that everything is done !
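Review bot: The added comment says the first `update_sd` pass must run as the system account, but the call passes `session`, whose identity is set earlier in the script and not visible here; if it is not the system session the "recreate first, then hand over to admin" ordering described in the comment does not hold. Making the pairing explicit costs two lines, `system_session_info = system_session()` and `update_sd(newpaths,paths,creds,system_session_info,names)`, and is a no-op if `session` already is that session (system_session is the helper the old body used). Note also that `admin_session` is now called with `str(names.domainsid)` while the removed line in update_sd passed `names.domainsid` unwrapped; whichever form the helper expects, the comment should say why the conversion is there.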
-- 
1.6.3.3




