[PATCH] samba-tool drs: new subcommand "conflicts"

Andrew Bartlett abartlet at samba.org
Thu Feb 27 20:19:00 MST 2014 

On Thu, 2014-02-27 at 14:54 +1300, Andrew Bartlett wrote:
> On Mon, 2014-02-24 at 14:06 +0100, Felix Botner wrote:
> > http://technet.microsoft.com/en-us/library/bb727059.aspx explains how
> > to deal with object name conflicts in a multimaster environment. One step is
> > to delete conflicting objects.
> > 
> > Since we have encountered conflicting objects in many s4 multimaster
> > environments an easy way to list (and delete) them would be very helpful.
> > 
> > Here a patch to add a new subcommand "conflicts" to samba-tool drs to list all
> > conflicts with the option to delete them (or to delete a specific conflict).
> 
> Thanks for the patch!  With real-world deployment of Samba as an AD DC,
> these kind of tools are becoming really important.  See below for my
> further comments.
> 
> > Signed-off-by: Felix Botner <botner at univention.de>
> > ---
> >  python/samba/netcmd/drs.py |   48 ++++++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 48 insertions(+)
> > 
> > diff --git a/python/samba/netcmd/drs.py b/python/samba/netcmd/drs.py
> > index 36dc48e..b783e54 100644
> > --- a/python/samba/netcmd/drs.py
> > +++ b/python/samba/netcmd/drs.py
> > @@ -32,6 +32,7 @@ from samba.samdb import SamDB
> >  from samba import drs_utils, nttime2string, dsdb
> >  from samba.dcerpc import drsuapi, misc
> >  import common
> > +import samba.common
> >  
> >  def drsuapi_connect(ctx):
> >      '''make a DRSUAPI connection to the server'''
> > @@ -234,7 +235,53 @@ class cmd_drs_kcc(Command):
> >              raise CommandError("DsExecuteKCC failed", e)
> >          self.message("Consistency check on %s successful." % DC)
> >  
> > +class cmd_drs_conflicts(Command):
> > +    '''list/remove conflicts in local db'''
> >  
> > +    synopsis = "%prog [options]"
> > +
> > +    takes_optiongroups = {
> > +        "sambaopts": options.SambaOptions,
> > +        "versionopts": options.VersionOptions,
> > +        "credopts": options.CredentialsOptions,
> > +    }
> > +
> > +    takes_options = [
> > +        Option("--verbose", help="print ldif of conflict objects", action="store_true", default=False),
> > +        Option("--delete", help="delete all conflict objects", action="store_true", default=False),
> > +        Option("--dn", help="delete only given dn/conflict (if found)", type=str),
> > +        Option("--non-interactive", help="do not ask for deletion", action="store_true", default=False)
> > +        ]
> > +
> > +    def run(self, delete, verbose, dn, non_interactive,
> > +            credopts=None, sambaopts=None, versionopts=None):
> > +        lp = sambaopts.get_loadparm()
> > +        creds = credopts.get_credentials(lp, fallback_machine=True)
> > +        samdb = SamDB(session_info=system_session(), url=None,
> > +                      credentials=creds, lp=lp)
> > +
> > +        domain_dn = samdb.domain_dn()
> > +        scope = ldb.SCOPE_SUBTREE
> > +        if dn:
> > +            domain_dn = dn
> > +            scope = ldb.SCOPE_BASE
> > +        controls = []
> > +        for msg in samdb.search(base=domain_dn, scope=scope, controls=controls):
> > +            if "\\0ACNF" in str(msg.dn):
> > +                print "Conflict: " + str(msg.dn)
> > +                if verbose:
> > +                    print samdb.write_ldif(msg, ldb.CHANGETYPE_NONE)
> > +                if delete:
> > +                    if not non_interactive == True:
> > +                        answer = samba.common.confirm("Delete object with dn %s?" % msg.dn, allow_all=True)
> > +                    if answer == "ALL":
> > +                        non_interactive = True
> > +                    elif answer == "NONE":
> > +                        return
> > +                    elif answer == False:
> > +                        continue
> > +                    samdb.delete(msg.dn)
> > +                    print "%s deleted" % str(msg.dn)
> >  
> >  def drs_local_replicate(self, SOURCE_DC, NC):
> >      '''replicate from a source DC to the local SAM'''
> > @@ -519,3 +566,4 @@ class cmd_drs(SuperCommand):
> >      subcommands["replicate"] = cmd_drs_replicate()
> >      subcommands["showrepl"] = cmd_drs_showrepl()
> >      subcommands["options"] = cmd_drs_options()
> > +    subcommands["conflicts"] = cmd_drs_conflicts()
> 
> This looks reasonable, but wouldn't be a better that this be put in
> dbcheck, a bit like the reset-well-known-acls?  That would avoid
> reimplemting the all/none checks.  
> 
> My feeling is while triggered by DRS, these are not really DRS
> operations.

We also should have a test for this, running on and fixing real
conflicts generated by source4/torture/drs/python/replica_sync.py

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list