Upgrade provision script

Matthieu Patou mat+Informatique.Samba at matws.net
Fri Sep 18 14:36:19 MDT 2009


Hello,

I just updated my script to keep up with the changes introduced by tridge!
I also took the opportunity to add two preliminary patches that are 
needed (I already sent them separately to the list).

If someone can also test it or can give me feedback.
Note: I didn't test this with openldap, so feedback is even more wanted 
from those who use it!

Matthieu.
On 09/18/2009 07:07 PM, Matthieu Patou wrote:
> Hello, all,
>
> Find attached as a git patch a script that allows upgrading an already
> provisioned samba.
> It does up to step 4 stated below.
>
> Matthieu.
> On 09/14/2009 01:18 AM, Matthieu Patou wrote:
>> Andrew,
>>
>> Please find attached a second "release" of my updateprovision script. I
>> tried to take your remarks into account:
>>
>> * do not spawn a separate process for provision
>> * use search_options, ldb_msg_diff, ldb python bindings instead of LDIF
>>
>> I identified 5 steps for the script to be complete to my mind:
>>
>> Step 1
>> Update different partitions
>> Step 2
>> Directly call the provision function without spawning a separate process
>> Step 3
>> Update sensitive fields in a sensible way (i.e.
>> member, SPN, defaultObjectCategory)
>> For this my plan is to closely inspect fields where we usually have a value
>> that has changed from the default one because the object has lived a
>> little bit (addition of services, addition of users to the group ...) and we
>> have in the provision something else different as well. In this case the idea
>> is to add new bits from the fresh provision to the current provision
>> (well, we can miss some needed removals but let's hope that we won't face
>> this problem).
>> Step 4
>> Update nTSecurityDescriptors
>> This is not a very simple update as there are various reasons why an SD can
>> be different in the current provision and in the reference provision:
>> 1 a change has been voluntarily made on the SD
>> 2 SD calculation algorithm has changed since last provision
>> 3 change in the default security descriptor
>>
>> At first I plan to be able to automatically update in cases 2
>> and 3 and print an information message in case 1. We can hope that
>> case 1 will be pretty rare; in any case a more complicated update method
>> could manage to solve simple differences (i.e. one right has been
>> added/removed, one user/group has been granted/ungranted).
>>
>> In order to be able to handle cases 2 and 3 we must be able to calculate
>> with the previous defaultSecurityDescriptor and the previous calculation
>> algorithm so that we can realize that if two SDs are different they are
>> in fact the same (same value with a constant defaultSecurityDescriptor,
>> same value with a constant method of calculation of nTSecurityDescriptor
>> when given a certain defaultSecurityDescriptor).
>>
>> Step 5
>> Update non-provisioned objects (i.e. created computers, users, groups).
>> The plan here is to list the different types of objects that need to be
>> tested (computers, sitelink, subnet, ...), then create one instance for
>> each of them, then check this instance with existing objects and update
>> some fields. This part is the most blurry right now because I do not have
>> any idea of whether it can work or not ... and which fields will need
>> updating and if it will be easy to define a global behavior for the update
>> (add, replace, remove ...). I guess some tests have to be done for this.
>>
>>
>> I am currently at step 2.
>> Any comments welcome!
>>
>> Matthieu.
>
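
The three cases listed under Step 4 of the quoted plan, as an added example that is not part of the original message or of the Samba script: it compares an object's current security descriptor with the previous and the new reference provision, updates automatically only when the object still carries the old reference value, and reports the changed ACEs otherwise. The function names and SDDL strings are constructed for illustration, and the comparison is simplified to the set of DACL ACEs (ACE order, DACL flags, owner, group and SACL are ignored).

```python
import re

# DACL part of an SDDL string: "D:", optional flags, then parenthesised ACEs.
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))*)")
ACE_RE = re.compile(r"\(([^()]*)\)")

def dacl_aces(sddl):
    """Return the set of ACE strings found in the DACL of an SDDL string."""
    m = DACL_RE.search(sddl)
    return set(ACE_RE.findall(m.group(2))) if m else set()

def classify_sd(current, old_ref, new_ref):
    """Return (action, added_aces, removed_aces) for one object.

    old_ref is assumed to be the SD that the previous provision (previous
    defaultSecurityDescriptor and previous algorithm) gave this object.
    """
    cur, old, new = (dacl_aces(s) for s in (current, old_ref, new_ref))
    if cur == new:
        return ("unchanged", set(), set())
    if cur == old:
        # Cases 2 and 3: nobody touched the SD, only the reference moved.
        return ("auto-update", new - cur, cur - new)
    # Case 1: a deliberate local change; report the delta, do not overwrite.
    return ("manual-review", cur - old, old - cur)

# Constructed sample descriptors (not taken from a real provision).
OLD_REF = "O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
NEW_REF = OLD_REF + "(A;;RPLCLORC;;;ED)"
EDITED = OLD_REF + "(A;;RPWP;;;S-1-5-21-1-2-3-1104)"

if __name__ == "__main__":
    for name, sd in (("untouched", OLD_REF), ("edited", EDITED)):
        action, added, removed = classify_sd(sd, OLD_REF, NEW_REF)
        print(name, action, "added:", sorted(added), "removed:", sorted(removed))
```

For the "manual-review" result the two sets are the ACEs an administrator added to or removed from the old reference, which is the information the message proposes printing for case 1.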
