Upgrade provision script

Matthieu Patou mat at matws.net
Fri Sep 18 09:07:15 MDT 2009

Hello, all,

Find attached, as a git patch, a script that allows upgrading an already
provisioned samba.
It does up to the step 4 stated below.

On 09/14/2009 01:18 AM, Matthieu Patou wrote:
> Andrew,
> Please find attached a second "release" of my updateprovision script, I
> tried to take into account your remarks:
> * do not spawn a separate process for provision
> * use search_options, ldb_msg_diff, ldb python bindings instead of LDIF
> I identified 5 steps for the script to be complete to my mind:
> Step 1
> Update different partitions
> Step 2
> Directly call provision function without spawning a separate process
> Step 3
> Update sensitive fields in a sensible way (ie
> member,SPN,defaultObjectCategory)
> For this my plan is to closely inspect fields we have usually a value
> that has changed from the default one because the object has lived a
> little bit (add of services, add of user in the group ...) and we have
> in the provision something else different as well. In this case the idea
> is to add new bits from the fresh provision in the current provision
> (well we can miss some needed removal but let's hope that we won't face
> this problem).
> Step 4
> Update nTSecurityDescriptors
> This is a not very simple update as there are various reasons why a SD can
> be different in the current provision and in the reference provision:
> 1 change has been voluntarily made on the SD
> 2 SD calculation algorithm has changed since last provision
> 3 change in the default security descriptor
> At first I plan to be able to automatically update in case 2
> and 3 and print an information message in case 1. We can hope that the 1
> case will be pretty rare, in any case a more complicated update method
> could manage to solve simple differences (ie. one right has been
> added/removed, one user/group has been granted/ungranted).
> In order to be able to handle case 2 and 3 we must be able to calculate
> with the previous defaultSecurityDescriptor and the previous calculation
> algorithm so that we can realize that if two SD are different they are
> in fact the same (same value with a constant defaultSecurityDescriptor,
> same value with a constant method of calculation of nTSecurityDescriptor
> when given a certain defaultSecurityDescriptor).
> Step 5
> Update non provisioned objects (ie. created computers,users,group).
> The plan here is to list the different types of object that need to be
> tested (computers,sitelink,subnet,...), then create one instance for
> each of them, then check this instance with existing object and update
> some fields. This part is the most blurry right now because I do not have
> any idea of whether it can work or not ... and which fields will need
> update and if it will be easy to define a global behavior for the update
> (add,replace,remove ...). I guess some tests have to be done for this.
> I am currently at step 2.
> Any comments welcomed !
> Matthieu.
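
The decision described in Step 4 of the quoted message, sketched as an added example; it is not part of the original post or of the attached patch. The two calculation functions, the SDDL strings and the DNs are constructed stand-ins, not Samba's descriptor code.

```python
# Added example. The SDDL strings and both calc functions are constructed
# stand-ins, not Samba's real descriptor code.

def old_calc(default_sd):
    """Hypothetical previous algorithm: owner/group prefix plus the default DACL."""
    return "O:DAG:DA" + default_sd

def new_calc(default_sd):
    """Hypothetical current algorithm: same, plus one extra inherited ACE."""
    return "O:DAG:DA" + default_sd + "(A;CIID;RP;;;AU)"

def classify_sd(current_sd, old_default, new_default, old_calc, new_calc):
    """Decide what to do with one object's nTSecurityDescriptor.

    Returns (action, reasons) where action is "keep", "update" or "report".
    """
    target = new_calc(new_default)
    if current_sd == target:
        return "keep", []
    if current_sd == old_calc(old_default):
        # Untouched since the last provision: the difference is explained by
        # the tooling, so replacing the SD loses no administrator change.
        reasons = []
        if old_calc(old_default) != new_calc(old_default):
            reasons.append("case 2: calculation algorithm changed")
        if old_default != new_default:
            reasons.append("case 3: default security descriptor changed")
        return "update", reasons
    # Matches neither reference: someone edited it. Only report it.
    return "report", ["case 1: SD was changed on purpose"]

OLD_DEFAULT = "D:(A;;RPWP;;;DA)"      # constructed
NEW_DEFAULT = "D:(A;;RPWPCC;;;DA)"    # constructed

SAMPLE_OBJECTS = {  # constructed DNs and values
    "CN=Untouched,DC=example,DC=com": old_calc(OLD_DEFAULT),
    "CN=Current,DC=example,DC=com": new_calc(NEW_DEFAULT),
    "CN=Edited,DC=example,DC=com": old_calc(OLD_DEFAULT) + "(A;;RP;;;BA)",
}

def plan_upgrade(objects=SAMPLE_OBJECTS):
    return {dn: classify_sd(sd, OLD_DEFAULT, NEW_DEFAULT, old_calc, new_calc)
            for dn, sd in objects.items()}

if __name__ == "__main__":
    for dn, (action, reasons) in plan_upgrade().items():
        print(f"{action:7} {dn} {'; '.join(reasons)}")
```

An SD that matches neither the old nor the new reference is never overwritten, so a deliberately tightened or loosened ACL survives the upgrade and is only reported.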

More information about the samba-technical mailing list