upgrade script TP 2

Matthieu Patou mat+Informatique.Samba at matws.net
Sun Sep 13 15:18:16 MDT 2009


Andrew,

Please find attached a second "release" of my updateprovision script. I 
tried to take into account your remarks:

* do not spawn a separate process for provision
* use search_options, ldb_msg_diff, ldb python bindings instead of LDIF

I identified 5 steps for the script to be complete to my mind:

Step 1
Update different partitions
Step 2
Directly call the provision function without spawning a separate process
Step 3
Update sensitive fields in a sensible way (i.e. 
member, SPN, defaultObjectCategory)
For this my plan is to closely inspect fields where we usually have a 
value that has changed from the default one because the object has lived 
a little bit (adding of services, adding of a user to the group ...) and 
where we have something else different in the provision as well. In this 
case the idea is to add new bits from the fresh provision to the current 
provision (well, we can miss some needed removals but let's hope that we 
won't face this problem).
Step 4
Update nTSecurityDescriptors
This is not a very simple update as there are various reasons why an SD 
can be different in the current provision and in the reference provision:
1 a change has been voluntarily made to the SD
2 the SD calculation algorithm has changed since the last provision
3 a change in the default security descriptor

At first I plan to be able to automatically update in cases 2 and 3 
and print an information message in case 1. We can hope that case 1 
will be pretty rare; in any case a more complicated update method 
could manage to solve simple differences (i.e. one right has been 
added/removed, one user/group has been granted/ungranted).

In order to be able to handle cases 2 and 3 we must be able to calculate 
with the previous defaultSecurityDescriptor and the previous calculation 
algorithm so that we can realize that if two SDs are different they are 
in fact the same (same value with a constant defaultSecurityDescriptor, 
same value with a constant method of calculation of nTSecurityDescriptor 
when given a certain defaultSecurityDescriptor).

Step 5
Update non-provisioned objects (i.e. created computers, users, groups).
The plan here is to list the different types of objects that need to be 
tested (computers, sitelink, subnet, ...), then create one instance for 
each of them, then check this instance against existing objects and update 
some fields. This part is the most blurry right now because I do not have 
any idea of whether it can work or not ... and which fields will need 
an update and if it will be easy to define a global behavior for the update 
(add, replace, remove ...). I guess some tests have to be done for this.


I am currently at step 2.
Any comments welcome!

Matthieu.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: upgradeschema.py
Type: text/x-python
Size: 19000 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090914/a978487f/attachment.py>
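
Added example (not part of the original message or of the attached upgradeschema.py): a sketch of the Step 4 decision, telling an SD that is untouched since provision (cases 2 and 3, safe to update automatically) from one that was edited by hand (case 1, kept and reported with its ACE delta). The functions old_algo and new_algo, the SDDL strings and the SID are constructed stand-ins, not Samba's real SD computation.

```python
import re

# Hypothetical stand-ins for the old and new SD calculation algorithms
# (assumptions; Samba's real computation is far more involved).
def old_algo(default_aces):
    return "O:DAG:DAD:" + default_aces

def new_algo(default_aces):
    return "O:DAG:DAD:AI" + default_aces

def dacl_aces(sddl):
    """Set of ACE strings found in the D: (DACL) part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    return set(re.findall(r"\([^()]*\)", m.group(1))) if m else set()

def classify(current, old_default, new_default):
    """Return (action, new_sd, aces_added_by_admin, aces_removed_by_admin)."""
    target = new_algo(new_default)
    expected_old = old_algo(old_default)
    if current == target:
        return ("up-to-date", current, set(), set())
    if current == expected_old:
        # Untouched since provision: the difference comes only from a new
        # algorithm (case 2) and/or a new default SD (case 3).
        return ("auto-update", target, set(), set())
    # Case 1: somebody edited the SD. Keep it and report the ACE-level delta.
    base, cur = dacl_aces(expected_old), dacl_aces(current)
    return ("manual", current, cur - base, base - cur)

# Constructed sample data (not taken from a real provision).
OLD_DEFAULT = "(A;;GA;;;DA)(A;;GR;;;AU)"
NEW_DEFAULT = "(A;;GA;;;DA)(A;;GR;;;AU)(A;;GA;;;SY)"
UNTOUCHED = old_algo(OLD_DEFAULT)
EDITED = "O:DAG:DAD:(A;;GA;;;DA)(A;;GR;;;AU)(A;;GW;;;S-1-5-21-1-2-3-1105)"

if __name__ == "__main__":
    for name, sd in (("untouched", UNTOUCHED), ("edited", EDITED)):
        action, new_sd, added, removed = classify(sd, OLD_DEFAULT, NEW_DEFAULT)
        print(name, action, new_sd, sorted(added), sorted(removed))
```

An SD classified as "manual" is never overwritten here; the two returned sets are what the information message for case 1 would list.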

