Upgrade provision script

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Fri Sep 18 11:26:25 MDT 2009


Hi Matthieu,
About comparing the default security descriptor to the current one: a simple comparison may not do the trick in some cases, as there is some preprocessing involved. For example, if an ACE contains the CO or CG SID, it's doubled, and in the first instance the SID is replaced with the creator's user or group SID. However, you can leave it like that for the time being and I will finish it for you, or we can chat on IRC about how you can do it.

Regards,
Nadya
----- Original Message -----
> From: samba-technical-bounces at lists.samba.org <samba-technical-bounces at lists.samba.org>
> To: samba-technical <samba-technical at lists.samba.org>, Andrew Bartlett <abartlet at samba.org>, Matthieu Patou <mat at matws.net>
> Sent: Friday, September 18, 2009 8:04:34 AM GMT-0800 America/Los_Angeles
> Subject: Upgrade provision script

> Hello, all,
> 
> Find attached as a git patch a script that allows upgrading an already
> provisioned Samba.
> It does up to step 4 stated below.
> 
> Matthieu.
> On 09/14/2009 01:18 AM, Matthieu Patou wrote:
> > Andrew,
> >
> > Please find attached a second "release" of my updateprovision script; I
> > tried to take into account your remarks:
> >
> > * do not spawn a separate process for provision
> > * use search_options, ldb_msg_diff, ldb python bindings instead of LDIF
> >
> > I identified 5 steps for the script to be complete to my mind:
> >
> > Step 1
> > Update the different partitions
> > Step 2
> > Directly call the provision function without spawning a separate process
> > Step 3
> > Update sensitive fields in a sensible way (i.e.
> > member, SPN, defaultObjectCategory)
> > For this my plan is to closely inspect fields where we usually have a value
> > that has changed from the default one because the object has lived a
> > little bit (adding of services, adding of users to the group ...) and we have
> > in the provision something else different as well. In this case the idea
> > is to add new bits from the fresh provision into the current provision
> > (well, we can miss some needed removals, but let's hope that we won't face
> > this problem).
> > Step 4
> > Update nTSecurityDescriptors
> > This is not a very simple update, as there are various reasons why an SD can
> > be different in the current provision and in the reference provision:
> > 1 a change has been voluntarily made on the SD
> > 2 the SD calculation algorithm has changed since the last provision
> > 3 a change in the default security descriptor
> >
> > At first I plan to be able to automatically update in cases 2
> > and 3 and print an information message in case 1. We can hope that case 1
> > will be pretty rare; in any case a more complicated update method
> > could manage to solve simple differences (i.e. one right has been
> > added/removed, one user/group has been granted/ungranted).
> >
> > In order to be able to handle cases 2 and 3 we must be able to calculate
> > with the previous defaultSecurityDescriptor and the previous calculation
> > algorithm, so that we can realize that if two SDs are different they are
> > in fact the same (same value with a constant defaultSecurityDescriptor,
> > same value with a constant method of calculation of nTSecurityDescriptor
> > when given a certain defaultSecurityDescriptor).
> >
> > Step 5
> > Update non-provisioned objects (i.e. created computers, users, groups).
> > The plan here is to list the different types of objects that need to be
> > tested (computers, sitelink, subnet, ...), then create one instance of
> > each of them, then check this instance against existing objects and update
> > some fields. This part is the most blurry right now because I do not have
> > any idea of whether it can work or not ... and which fields will need
> > updating, and if it will be easy to define a global behavior for the update
> > (add, replace, remove ...). I guess some tests have to be done for this.
> >
> >
> > I am currently at step 2.
> > Any comments welcome!
> >
> > Matthieu.
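The CO/CG preprocessing Nadya refers to is why a byte-for-byte comparison of the schema's defaultSecurityDescriptor against a stored nTSecurityDescriptor is not enough. The following is an added toy example, not Samba's code and not the script from the patch: it hand-rolls a small SDDL DACL parser, applies a simplified version of the doubling rule (first copy carries the creator's user or group SID, second copy keeps CO/CG and becomes inherit-only), and then compares a stored DACL with what the default would have produced for that object. The SDDL subset, the ACE tuple layout, the exact expansion rule, the order-insensitive comparison and all SIDs and rights strings are assumptions made for the demonstration.

```python
"""Toy model of the CREATOR OWNER / CREATOR GROUP preprocessing that makes a
plain string comparison of defaultSecurityDescriptor against the stored
nTSecurityDescriptor unreliable.  Added example, not Samba code: the SDDL
subset, the ACE representation and the exact expansion rule are
simplifications (assumptions) chosen only to show the comparison problem."""
import re
from collections import Counter

CO, CG = "CO", "CG"  # SDDL aliases for CREATOR OWNER (S-1-3-0) / CREATOR GROUP (S-1-3-1)
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a list of
    (ace_type, frozenset(flags), rights, sid) tuples.
    Assumption: object-GUID fields are ignored; SACL, owner and group are not parsed."""
    m = DACL_RE.search(sddl)
    if m is None:
        raise ValueError("no DACL in %r" % sddl)
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")
        # SDDL ACE flags are two-letter codes run together, e.g. "CIIO"
        flag_set = frozenset(flags[i:i + 2] for i in range(0, len(flags), 2))
        aces.append((ace_type, flag_set, rights, sid))
    return aces


def expand_creator_aces(default_aces, owner_sid, group_sid):
    """Apply the preprocessing described in the mail: an inheritable ACE whose
    trustee is CO or CG is doubled.  The first copy carries the creator's user
    (for CO) or group (for CG) SID and is effective on the object itself; the
    second keeps the CO/CG SID and becomes inherit-only so it still propagates
    to children.  Assumption: this simplified rule is the one used for the demo."""
    out = []
    for ace_type, flags, rights, sid in default_aces:
        if sid in (CO, CG) and flags & {"CI", "OI"}:
            real_sid = owner_sid if sid == CO else group_sid
            out.append((ace_type, frozenset(), rights, real_sid))
            out.append((ace_type, flags | {"IO"}, rights, sid))
        else:
            out.append((ace_type, flags, rights, sid))
    return out


def dacl_diff(current_sddl, default_sddl, owner_sid, group_sid):
    """Compare a stored DACL with what the default SD would produce for this
    object.  Returns (added, removed): ACEs present only in the stored DACL and
    ACEs expected from the default but missing.  Order-insensitive multiset
    comparison (assumption: ACE ordering is not what the upgrade cares about)."""
    expected = Counter(expand_creator_aces(parse_dacl(default_sddl), owner_sid, group_sid))
    current = Counter(parse_dacl(current_sddl))
    added = sorted((current - expected).elements(), key=repr)
    removed = sorted((expected - current).elements(), key=repr)
    return added, removed


def matches_default(current_sddl, default_sddl, owner_sid, group_sid):
    """True when the stored DACL is exactly what the default would have produced."""
    added, removed = dacl_diff(current_sddl, default_sddl, owner_sid, group_sid)
    return not added and not removed


# --- constructed sample data (not real Samba schema values) -----------------
OWNER = "S-1-5-21-1-2-3-512"
GROUP = "S-1-5-21-1-2-3-513"
DEFAULT_SD = "D:(A;CI;GA;;;CO)(A;CI;GR;;;CG)(A;;RPLCLORC;;;AU)"
# what the object carries right after provision, once CO/CG were expanded
STORED_UNTOUCHED = ("D:(A;;GA;;;" + OWNER + ")(A;CIIO;GA;;;CO)"
                    "(A;;GR;;;" + GROUP + ")(A;CIIO;GR;;;CG)(A;;RPLCLORC;;;AU)")
# same object after an admin added a deny ACE by hand (case 1 in the thread)
STORED_MODIFIED = STORED_UNTOUCHED + "(D;;WD;;;S-1-5-21-1-2-3-1105)"

if __name__ == "__main__":
    print("naive string compare :", STORED_UNTOUCHED == DEFAULT_SD)  # False
    print("normalised compare   :", matches_default(STORED_UNTOUCHED, DEFAULT_SD, OWNER, GROUP))  # True
    print("hand-edited SD       :", dacl_diff(STORED_MODIFIED, DEFAULT_SD, OWNER, GROUP))
```

The untouched object fails the naive string comparison but passes the normalised one, which is the distinction the script needs for cases 2 and 3; the hand-edited object shows up as one added deny ACE, the kind of difference the mail proposes to report as case 1. In a real script the parsing and the expansion rule would come from Samba's own security descriptor code rather than this regex model.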


More information about the samba-technical mailing list