[SCM] Samba Shared Repository - branch master updated

Matthieu Patou mat at matws.net
Tue Jan 12 02:20:06 MST 2010


Hello Matthias,

On 11/01/2010 00:48, Matthias Dieter Wallnöfer wrote:
> The branch, master has been updated
>         via  2cedefa... s4:upgradeprovision - fix up the script regarding linked attributes
>         via  e0d6b097.. s4:upgradeprovision - Reformat comments
>         via  601ea3a... s4:repl_meta_data - Transform a "1" into a "true" on a boolean variable
>         via  91e2100... s4:provision_users.ldif - Add objects for IIS
>         via  e72787f... s4:provision_self_join_modify.ldif - Point out that account "dns" is s4 specific
>         via  9ee895f... s4:provision_users.ldif - Fix memberships regarding the denied password RODC replication group
>        from  81a848b... s3: Remove some unused variables
>
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>
>
> - Log -----------------------------------------------------------------
> commit 2cedefabc93c8a1fcb49d65a3f78a344e814f826
> Author: Matthias Dieter Wallnöfer<mwallnoefer at yahoo.de>
> Date:   Sun Jan 10 21:34:05 2010 +0100
>
>      s4:upgradeprovision - fix up the script regarding linked attributes
>
>      We have to try to add new objects until between two iterations we didn't make
>      any progress. Either we are then done (no objects remaining) or we are
>      incapable to do this fully automatically.
>
>      The latter can happen if important system objects (builtin groups, users...)
>      moved (e.g. consider one of my recent comments). Then the new object can't be
>      added if it contains the same "sAMAccountName" attribute as the old one. We
>      have to let the user delete the old one (also to give him a chance to backup
>      personal changes - if needed) and only then the script is capable to add the
>      new one onto the right place. Make this clear with an exhaustive error output.
>
>      I personally don't see a good way how to do this better for now so I would leave
>      this as a manual step.
>
>
> diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
> index 394ce3e..b4caac4 100644
> --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
> +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
> @@ -523,40 +534,78 @@ def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
>   		else:
>   			listPresent.append(hash_new[k])
>
> -	# Sort the missing object in order to have object of the lowest level first (which can be
> -	# containers for higher level objects)
> +	# Sort the missing object in order to have object of the lowest level
> +	# first (which can be containers for higher level objects)
>   	listMissing.sort(dn_sort)
>   	listPresent.sort(dn_sort)
>
>   	if ischema:
> -		# The following lines (up to the for loop) is to load the up to date schema into our current LDB
> -		# a complete schema is needed as the insertion of attributes and class is done against it
> +		# The following lines (up to the for loop) is to load the up to
> +		# date schema into our current LDB
> +		# a complete schema is needed as the insertion of attributes
> +		# and class is done against it
>   		# and the schema is self validated
> -		# The double ldb open and schema validation is taken from the initial provision script
> +		# The double ldb open and schema validation is taken from the
> +		# initial provision script
>   		# it's not certain that it is really needed ....
>   		sam_ldb = Ldb(session_info=session, credentials=creds, lp=lp)
>   		schema = Schema(setup_path, names.domainsid, schemadn=basedn, serverdn=str(names.serverdn))
>   		# Load the schema from the one we computed earlier
>   		sam_ldb.set_schema_from_ldb(schema.ldb)
> -		# And now we can connect to the DB - the schema won't be loaded from the DB
> +		# And now we can connect to the DB - the schema won't be loaded
> +		# from the DB
>   		sam_ldb.connect(paths.samdb)
>   	else:
>   		sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
>
>   	sam_ldb.transaction_start()
>
> -	empty = ldb.Message()
> -	message(SIMPLE,"There are %d missing objects"%(len(listMissing)))
> -	for dn in listMissing:
> -		reference = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
> -		delta = sam_ldb.msg_diff(empty,reference[0])
> -		for att in hashAttrNotCopied.keys():
> -			delta.remove(att)
> -		for att in backlinked:
> -			delta.remove(att)
> -		delta.dn = dn
> +	err_num = 0
> +	err_msg = ""
> +	while len(listMissing)>  0:
> +		listMissing2 = []
> +
> +		empty = ldb.Message()
> +		message(SIMPLE,"There are still %d objects missing"%(len(listMissing)))
>
> -		sam_ldb.add(delta,["relax:0"])
> +		for dn in listMissing:
> +			reference = newsam_ldb.search(expression="dn=%s" % (str(dn)),
> +						      base=basedn, scope=SCOPE_SUBTREE,
> +						      controls=["search_options:1:2"])
> +			delta = sam_ldb.msg_diff(empty,reference[0])
> +			for att in hashAttrNotCopied.keys():
> +				delta.remove(att)
> +			for att in backlinked:
> +				delta.remove(att)
> +			delta.dn = dn
> +
> +			try:
> +				sam_ldb.add(delta,["relax:0"])
> +				# This is needed here since otherwise the
> +				# "replmd_meta_data" module doesn't see the
> +				# updated data
> +				sam_ldb.transaction_commit()
> +				sam_ldb.transaction_start()
> +			except LdbError, (num, msg):
> +				# An exception can happen if a linked object
> +				# doesn't exist which can happen if it is also
> +				# to be added
> +				err_num = num
> +				err_msg = msg
> +				listMissing2.append(dn)
> +
> +		if len(listMissing2) == len(listMissing):
> +			# We couldn't add any object in this iteration ->
> +			# we have to resign and hope that the user manually
> +			# fixes the damage
> +
> +			message(ERROR, "The script isn't capable to do the upgrade fully automatically!")
> +			message(ERROR, "Often this happens when important system objects moved their location. Please look for them (for example doable using the displayed 'sAMAccountName' attribute), backup if personally changed and remove them.")
> +			message(ERROR, "Reinvoke this script and reapply eventual modifications done before. It is possible to get this error more than once (for each problematic object).")
> +
> +			raise LdbError(err_num, err_msg)
> +
> +		listMissing = listMissing2
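
Review bot: The `sam_ldb.transaction_commit()` / `sam_ldb.transaction_start()` pair inside the `try:` makes every successful add durable on its own, so when the loop later gives up with `raise LdbError(err_num, err_msg)` the database keeps a partial upgrade that cannot be rolled back. At that point the transaction opened by the last `transaction_start()` is also still open, and nothing visible in this hunk cancels it; a `sam_ldb.transaction_cancel()` before the raise would at least leave a clean state. The `except LdbError, (num, msg):` clause also wraps the commit and the restart, so a failure in either is treated like a missing linked object and the next `sam_ldb.add()` may run without an active transaction; keeping only the `add()` call in the `try:` would separate the two cases. Finally, `err_num` and `err_msg` hold only the last failure of the pass, while the error text tells the user to look for each problematic object: collecting one (dn, msg) pair per failed DN and printing them all would spare the user one re-run per object.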

I'm not too pleased with this change, as it tends to commit stuff
partially instead of all together once we are sure that everything was
(correctly) added. At least with this way of doing it, we are sure that
once the commit is done, all the schema or all the partitions have been
updated and that the whole thing is relatively coherent.


Also, apart from the groupType that we talked about last Sunday on IRC, you
told me that some objects were misplaced, but when I do an upgradeprovision
against an alpha10 provision I only found those 2 changes:


* CN=dns,CN=Users,DC=home,DC=matws,DC=net exists but with the wrong objectSID
* CN=RID Set,CN=ARES,OU=Domain Controllers,DC=home,DC=matws,DC=net

Where are the other problems that you faced?

Matthieu.

