Upgrade provision script

Matthieu Patou mat at matws.net
Tue Sep 22 05:52:02 MDT 2009


Hi Nadya,
 > About comparing the default security descriptor to the current one - 
 > simple comparison may not do the trick in some cases, as there is
 > some preprocessing involved, for example, if an ACE contains the CO
 > or CG SID, it's doubled and in the first instance the SID is replaced 
 > with the creator's user or group SID. However, you can leave it like 
 > that for the time being and I will finish it for you, or we can chat 
 > on IRC how you can do it.
Well, even if it looks like a simple comparison to the default SD, it is 
not! I was doing the same operation as is done in the objectclass 
module (function get_sd).

Now of course when I look at the function get_new_descriptor I see a 
difference... but is the general idea of comparing two SDDL 
representations of an SD OK?

In fact it seems to be a better idea to embed into the Python wrapper a 
call to get_new_descriptor in order to get the SD of an object depending 
on its parent, its class and its DN.

Matthieu.
On 09/18/2009 09:26 PM, Nadezhda Ivanova wrote:
> Hi Matthieu,
> About comparing the default security descriptor to the current one - simple comparison may not do the trick in some cases, as there is some preprocessing involved, for example, if an ACE contains the CO or CG SID, it's doubled and in the first instance the SID is replaced with the creator's user or group SID. However, you can leave it like that for the time being and I will finish it for you, or we can chat on IRC how you can do it.
>
> Regards,
> Nadya
> ----- Original Message -----
>> From: samba-technical-bounces at lists.samba.org<samba-technical-bounces at lists.samba.org>
>> To: samba-technical<samba-technical at lists.samba.org>, Andrew Bartlett<abartlet at samba.org>, Matthieu Patou<mat at matws.net>
>> Sent: Friday, September 18, 2009 8:04:34 AM GMT-0800 America/Los_Angeles
>> Subject: Upgrade provision script
>
>>> Hello, all,
>>
>> Find attached, as a git patch, a script that allows upgrading an already
>> provisioned Samba.
>> It does up to step 4 stated below.
>>
>> Matthieu.
>> On 09/14/2009 01:18 AM, Matthieu Patou wrote:
>>> Andrew,
>>>
>>> Please find attached a second "release" of my updateprovision script.
>>> I tried to take into account your remarks:
>>>
>>> * do not spawn a separate process for provision
>>> * use search_options, ldb_msg_diff, ldb Python bindings instead of
>>> LDIF
>>>
>>> I identified 5 steps for the script to be complete, to my mind:
>>>
>>> Step 1
>>> Update the different partitions
>>> Step 2
>>> Directly call the provision function without spawning a separate process
>>> Step 3
>>> Update sensitive fields in a sensible way (i.e.
>>> member, SPN, defaultObjectCategory)
>>> For this my plan is to closely inspect fields where we usually have a
>>> value that has changed from the default one because the object has lived a
>>> little bit (addition of services, addition of users to the group ...) and we
>>> have in the provision something else different as well. In this case the
>>> idea is to add new bits from the fresh provision into the current
>>> provision (well, we can miss some needed removals but let's hope that we
>>> won't face this problem).
>>> Step 4
>>> Update nTSecurityDescriptors
>>> This is not a very simple update as there are various reasons why an SD
>>> can be different in the current provision and in the reference
>>> provision:
>>> 1 a change has been voluntarily made on the SD
>>> 2 the SD calculation algorithm has changed since the last provision
>>> 3 a change in the default security descriptor
>>>
>>> At first I plan to be able to automatically update in cases 2
>>> and 3 and print an information message in case 1. We can hope that
>>> case 1 will be pretty rare; in any case a more complicated update
>>> method could manage to solve simple differences (i.e. one right has been
>>> added/removed, one user/group has been granted/ungranted).
>>>
>>> In order to be able to handle cases 2 and 3 we must be able to
>>> calculate with the previous defaultSecurityDescriptor and the previous
>>> calculation algorithm so that we can realize that if two SDs are
>>> different they are in fact the same (same value with a constant
>>> defaultSecurityDescriptor, same value with a constant method of
>>> calculation of nTSecurityDescriptor when given a certain
>>> defaultSecurityDescriptor).
>>>
>>> Step 5
>>> Update non-provisioned objects (i.e. created computers, users, groups).
>>> The plan here is to list the different types of objects that need to
>>> be tested (computers, sitelink, subnet, ...), then create one instance of
>>> each of them, then check this instance against existing objects and
>>> update some fields. This part is the most blurry right now because I do
>>> not have any idea of whether it can work or not ... and which fields
>>> will need updating and if it will be easy to define a global behavior
>>> for the update (add, replace, remove ...). I guess some tests have to be
>>> done for this.
>>>
>>>
>>> I am currently at step 2.
>>> Any comments welcome!
>>>
>>> Matthieu.
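The point Nadya raises, and that Matthieu's get_sd-style string comparison misses, is that a security descriptor stored on an object is not byte-for-byte the defaultSecurityDescriptor it was derived from: a CREATOR OWNER (CO) or CREATOR GROUP (CG) ACE is doubled, with the first copy carrying the creator's real SID. The Python below is an added illustration, not code from this thread, from Samba's objectclass module or from get_new_descriptor. It parses the DACL part of an SDDL string, models that CO/CG doubling with a simplified rule (the effective copy drops inheritance flags, the retained copy becomes inherit-only; this rule is an assumption, not Samba's exact algorithm), and compares the expanded default against what an object carries. All SIDs and SDDL strings are constructed for the example.

```python
"""Added example: compare two SDDL DACLs after modelling the CREATOR OWNER /
CREATOR GROUP preprocessing described in the thread. Illustrative code only,
not Samba's get_sd() or get_new_descriptor(); the expansion rule is a
simplified model (an assumption) and every SID below is constructed."""
import re
from dataclasses import dataclass

CREATOR_OWNER = "CO"  # SDDL shorthand for S-1-3-0
CREATOR_GROUP = "CG"  # SDDL shorthand for S-1-3-1
INHERITANCE_FLAGS = ("CI", "OI", "NP", "IO")
ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")


@dataclass(frozen=True)
class Ace:
    """One ACE in SDDL form: (type;flags;rights;object_guid;inherit_guid;sid)."""
    ace_type: str
    flags: str
    rights: str
    object_guid: str
    inherit_guid: str
    sid: str

    def to_sddl(self):
        return "(%s)" % ";".join((self.ace_type, self.flags, self.rights,
                                  self.object_guid, self.inherit_guid, self.sid))


def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) part of an SDDL string, in stored order."""
    m = DACL_RE.search(sddl)
    if m is None:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: %r" % body)
        aces.append(Ace(*parts))
    return aces


def split_flags(flags):
    """ACE flags are two-letter tokens run together: 'CIIO' -> ['CI', 'IO']."""
    return [flags[i:i + 2] for i in range(0, len(flags), 2)]


def expand_creator_aces(aces, owner_sid, group_sid):
    """An ACE whose trustee is CO or CG is doubled: the first copy is the
    effective ACE with the creator's SID and no inheritance flags, the second
    keeps the placeholder SID and is inherit-only, so it reaches children only.
    Simplified model of the real rule (assumption), not Samba's implementation."""
    substitutions = {CREATOR_OWNER: owner_sid, CREATOR_GROUP: group_sid}
    out = []
    for ace in aces:
        real_sid = substitutions.get(ace.sid)
        if real_sid is None:
            out.append(ace)
            continue
        flags = split_flags(ace.flags)
        effective = "".join(f for f in flags if f not in INHERITANCE_FLAGS)
        inherit_only = "".join(flags if "IO" in flags else flags + ["IO"])
        out.append(Ace(ace.ace_type, effective, ace.rights,
                       ace.object_guid, ace.inherit_guid, real_sid))
        out.append(Ace(ace.ace_type, inherit_only, ace.rights,
                       ace.object_guid, ace.inherit_guid, ace.sid))
    return out


def dacl_matches_default(default_sddl, current_sddl, owner_sid, group_sid):
    """True when the stored DACL equals the default DACL after CO/CG expansion.
    Order is compared as well, since ACE order matters for access checks."""
    expected = expand_creator_aces(parse_dacl(default_sddl), owner_sid, group_sid)
    return expected == parse_dacl(current_sddl)


def dacl_diff(default_sddl, current_sddl, owner_sid, group_sid):
    """(added, removed): ACEs only in the stored DACL and only in the expected
    one, which is what an upgrade script would report for a voluntary change."""
    expected = set(expand_creator_aces(parse_dacl(default_sddl), owner_sid, group_sid))
    current = set(parse_dacl(current_sddl))
    return (sorted(a.to_sddl() for a in current - expected),
            sorted(a.to_sddl() for a in expected - current))


# Constructed sample data, not taken from any real provision.
OWNER = "S-1-5-21-1111111111-2222222222-3333333333-1104"
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-513"
DEFAULT_SDDL = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                "(A;CIIO;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPLCLORC;;;AU)")
# What the object carries once created: the CO ACE has been doubled.
STORED_SDDL = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
               "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;" + OWNER + ")"
               "(A;CIIO;RPWPCRCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPLCLORC;;;AU)")
# The same object after someone granted one more right by hand (case 1).
EXTRA_ACE = "(A;;RPLCLORC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
MODIFIED_SDDL = STORED_SDDL + EXTRA_ACE
```

Calling `dacl_matches_default(DEFAULT_SDDL, STORED_SDDL, OWNER, GROUP)` returns True even though `DEFAULT_SDDL == STORED_SDDL` is False, which is the gap a raw SDDL comparison leaves; `dacl_diff(DEFAULT_SDDL, MODIFIED_SDDL, OWNER, GROUP)` returns the hand-added ACE as the only difference, the kind of message the script would print for a voluntary change rather than rewriting the SD. The comparison works against the expanded default, so the descriptor an object is expected to have must be computed from its parent, class and DN, which is why calling into the real descriptor computation, as Matthieu proposes, is the safer route than re-implementing the rule in the upgrade script.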