[PATCH] make samba-tool aware of all 7 fsmo roles

Rowland Penny repenny241155 at gmail.com
Thu Jun 4 04:36:29 MDT 2015


On 03/06/15 00:53, Jelmer Vernooij wrote:
> Hi Rowland,
>
> Thanks for working on improving samba-tool. Here are some quick
> comments - most are around style but there are also some regressions:
>
> On Sat, May 30, 2015 at 04:34:52PM +0100, Rowland Penny wrote:
>>  From a12c46a8b64e025c30b3d8a717c67cb3b164a5d0 Mon Sep 17 00:00:00 2001
>> From: Rowland Penny <repenny241155 at gmail.com>
>> Date: Sat, 30 May 2015 16:23:11 +0100
>> Subject: [PATCH] samba-tool: make 'samba-tool fsmo *' aware of all 7 fsmo
>>   roles
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10734
>>
>> Signed-off-by: Rowland Penny <repenny241155 at gmail.com>
>> ---
>>   python/samba/netcmd/fsmo.py |  282 ++++++++++++++++++++++++++++++++++++-------
>>   1 file changed, 236 insertions(+), 46 deletions(-)
>>
>> diff --git a/python/samba/netcmd/fsmo.py b/python/samba/netcmd/fsmo.py
>> index 1bc4a96..031b927 100644
>> --- a/python/samba/netcmd/fsmo.py
>> +++ b/python/samba/netcmd/fsmo.py
>> +
>> +    try:
>> +        res = samdb.search(role_object, attrs=["fSMORoleOwner"],
>> +                           scope=ldb.SCOPE_BASE, controls=["extended_dn:1:1"])
>> +
>> +        if 'fSMORoleOwner' in res[0]:
>> +            try:
>> +                master_guid = str(misc.GUID(ldb.Dn(samdb, res[0]['fSMORoleOwner'][0]).get_extended_component('GUID')))
> ^^ Please keep lines under 80 characters (see PEP8 -
> https://www.python.org/dev/peps/pep-0008/)
>
>> +                master_owner = str(ldb.Dn(samdb, res[0]['fSMORoleOwner'][0]))
>> +            except:
>> +                print "Can't find GUID in naming master on partition DN %s" % res[0]['fSMORoleOwner'][0]
> ^^ Please write to self.outf rather than stdout *or* raise an
> exception (e.g. CommandError)
>
>> +                return
>> +    except LdbError, (num, msg):
>> +        raise CommandError("DNS partion %s not found : %s" % (role, msg))
>> +        return
> ^^ There is no need to return after "raise"; it doesn't have any effect.
>
>> +
>> +    if role == "domaindns":
>> +        master_dns_name = '%s._msdcs.%s' % (master_guid, samdb.domain_dns_name())
>> +        new_dns_name = '%s._msdcs.%s' % (samdb.get_ntds_GUID(), samdb.domain_dns_name())
>> +    elif role == "forestdns":
>> +        master_dns_name = '%s._msdcs.%s' % (master_guid, samdb.forest_dns_name())
>> +        new_dns_name = '%s._msdcs.%s' % (samdb.get_ntds_GUID(), samdb.forest_dns_name())
>> +
>> +    new_owner = samdb.get_dsServiceName()
>> +
>> +    if master_dns_name != new_dns_name:
>> +        lp = sambaopts.get_loadparm()
>> +        creds = credopts.get_credentials(lp, fallback_machine=True)
>> +        samdb = SamDB(url="ldap://%s" % (master_dns_name), session_info=system_session(),
>> +                      credentials=creds, lp=lp)
>> +
>> +        m = ldb.Message()
>> +        m.dn = ldb.Dn(samdb, role_object)
>> +        m["fSMORoleOwner"]= ldb.MessageElement(
>> +            "%s" % master_owner, ldb.FLAG_MOD_DELETE,
> ^^ master_owner is already a string, there's no need to use a format
> string here. It looks like this could also be all on one line.
>
>> +            "fSMORoleOwner")
>> +
>> +        try:
>> +            samdb.modify(m)
>> +        except LdbError, (num, msg):
>> +            raise CommandError("Failed to delete role '%s': %s" % (role, msg))
>> +        else:
> ^^ If you raise an exception, there's no need for an else
> statement. Not having an else statement prevents lots of indentation,
> making the code easier to read.
>
>> +             m = ldb.Message()
>> +             m.dn = ldb.Dn(samdb, role_object)
>> +             m["fSMORoleOwner"]= ldb.MessageElement(
>> +                 "%s" % new_owner, ldb.FLAG_MOD_ADD,
> ^^ IIUC new_owner is already a string
>
>> +                 "fSMORoleOwner")
>> +             try:
>> +                 samdb.modify(m)
>> +             except LdbError, (num, msg):
>> +                 raise CommandError("Failed to add role '%s': %s" % (role, msg))
>> +             else:
> ^^ Same comment as above wrt else
>
>> +                  try:
>> +                      connection = (samba.drs_utils.drsuapi_connect(samdb.host_dns_name(), lp, creds))
> ^^ There is no need for parentheses around this function call
>
>> +                  except samba.drs_utils.drsException, estr:
>> +                      raise CommandError("Drsuapi Connect failed", estr)
> ^^ estr will actually be an exception object (not a string) so calling
> "estr" is somewhat misleading. Perhaps just "e" ?
>
>> +                  else:
> ^^ Same comment as above wrt else
>
>> +                       try:
>> +                           drsuapi_connection = connection[0]
>> +                           drsuapi_handle = connection[1]
>> +                           req_options = drsuapi.DRSUAPI_DRS_WRIT_REP
>> +                           NC = role_object[18:]
>> +                           samba.drs_utils.sendDsReplicaSync(drsuapi_connection, drsuapi_handle, master_guid, NC, req_options)
>> +                       except samba.drs_utils.drsException, estr:
>> +                           raise CommandError("Replication failed", estr)
>> +
>> +        outf.write("FSMO transfer of '%s' role successful\n" % role)
>> +    else:
>> +        print "This DC already has the '%s' FSMO role" % role
> ^^ Please write to outf and not to standard out.
>
>> +
>> +
>>   def transfer_role(outf, role, samdb):
> ^^ Please add a docstring to this function
>
>> +    domain_dn = samdb.domain_dn()
>> +    new_owner = samdb.get_dsServiceName()
>>       m = ldb.Message()
>>       m.dn = ldb.Dn(samdb, "")
>>       if role == "rid":
>> +        rid_dn = "CN=RID Manager$,CN=System," + domain_dn
>> +        res = samdb.search(rid_dn,
>> +                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>> +        assert len(res) == 1
> ^^ It seems that there is fair bit of duplication between all of these
> if statements. Perhaps some of the code can be factored out?
>
>> +        master_owner = res[0]["fSMORoleOwner"][0]
>>           m["becomeRidMaster"]= ldb.MessageElement(
>>               "1", ldb.FLAG_MOD_REPLACE,
>>               "becomeRidMaster")
>>       elif role == "pdc":
>> -        domain_dn = samdb.domain_dn()
>> +        res = samdb.search(domain_dn,
>> +                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>> +        assert len(res) == 1
>> +        master_owner = res[0]["fSMORoleOwner"][0]
>>           res = samdb.search(domain_dn,
>>                              scope=ldb.SCOPE_BASE, attrs=["objectSid"])
>>           assert len(res) == 1
>> @@ -47,24 +136,44 @@ def transfer_role(outf, role, samdb):
>>               sid, ldb.FLAG_MOD_REPLACE,
>>               "becomePdc")
>>       elif role == "naming":
>> +        naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn()
>> +        res = samdb.search(naming_dn,
>> +                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>> +        assert len(res) == 1
>> +        master_owner = res[0]["fSMORoleOwner"][0]
>>           m["becomeDomainMaster"]= ldb.MessageElement(
>>               "1", ldb.FLAG_MOD_REPLACE,
>>               "becomeDomainMaster")
>>       elif role == "infrastructure":
>> +        infrastructure_dn = "CN=Infrastructure," + domain_dn
>> +        res = samdb.search(infrastructure_dn,
>> +                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>> +        assert len(res) == 1
>> +        master_owner = res[0]["fSMORoleOwner"][0]
>>           m["becomeInfrastructureMaster"]= ldb.MessageElement(
>>               "1", ldb.FLAG_MOD_REPLACE,
>>               "becomeInfrastructureMaster")
>>       elif role == "schema":
>> +        schema_dn = str(samdb.get_schema_basedn())
>> +        res = samdb.search(schema_dn,
>> +                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>> +        assert len(res) == 1
>> +        master_owner = res[0]["fSMORoleOwner"][0]
>>           m["becomeSchemaMaster"]= ldb.MessageElement(
>>               "1", ldb.FLAG_MOD_REPLACE,
>>               "becomeSchemaMaster")
>>       else:
>>           raise CommandError("Invalid FSMO role.")
>> -    try:
>> -        samdb.modify(m)
>> -    except LdbError, (num, msg):
>> -        raise CommandError("Failed to initiate transfer of '%s' role: %s" % (role, msg))
>> -    outf.write("FSMO transfer of '%s' role successful\n" % role)
>> +
>> +    if master_owner != new_owner:
>> +        try:
>> +            samdb.modify(m)
>> +        except LdbError, (num, msg):
>> +            raise CommandError("Failed to initiate transfer of '%s' role: %s" % (role, msg))
>> +        else:
>> +            outf.write("FSMO transfer of '%s' role successful\n" % role)
>> +    else:
>> +        print "This DC already has the '%s' FSMO role" % role
> ^^ Please use outf.write rather than print.
>
>>   
>>   
>>   class cmd_fsmo_seize(Command):
>> @@ -82,23 +191,23 @@ class cmd_fsmo_seize(Command):
>>           Option("-H", "--URL", help="LDB URL for database or target server", type=str,
>>                  metavar="URL", dest="H"),
>>           Option("--force", help="Force seizing of the role without attempting to transfer first.", action="store_true"),
>> -        Option("--role", type="choice", choices=["rid", "pdc", "infrastructure","schema","naming","all"],
>> +        Option("--role", type="choice", choices=["rid", "pdc", "infrastructure","schema","naming","domaindns","forestdns","all"],
> ^^ Please add a space after commas (see PEP8) and keep lines under 80
> characters. This line actually already seems to be violating that, but
> we should fix it if this line is being changed anyway.
>
>>                  help="""The FSMO role to seize or transfer.\n
>> -rid=RidAllocationMasterRole\n
>> -schema=SchemaMasterRole\n
>> -pdc=PdcEmulationMasterRole\n
>> -naming=DomainNamingMasterRole\n
>> -infrastructure=InfrastructureMasterRole\n
>> -all=all of the above"""),
>> +rid=RidAllocationMasterRole                         \n
> ^^ Why line up the newlines?
>
>> +schema=SchemaMasterRole                             \n
>> +pdc=PdcEmulationMasterRole                          \n
>> +naming=DomainNamingMasterRole                       \n
>> +infrastructure=InfrastructureMasterRole             \n
>> +domaindns=DomainDnsZonesMasterRole                  \n
>> +forestdns=ForestDnsZonesMasterRole                  \n
>> +all=all of the above                                \n
>> +You must provide an Admin user and password."""),
>>           ]
>> @@ -119,26 +228,78 @@ all=all of the above"""),
>>           else:
>>               raise CommandError("Invalid FSMO role.")
>>           #first try to transfer to avoid problem if the owner is still active
>> -        if force is None:
>> -            self.message("Attempting transfer...")
>> +        res = samdb.search(m.dn,
>> +                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>> +        assert len(res) == 1
>> +        master_owner = res[0]["fSMORoleOwner"][0]
>> +        if master_owner != serviceName:
>> +            if force is None:
>> +                self.message("Attempting transfer...")
>> +                try:
>> +                    transfer_role(self.outf, role, samdb)
>> +                    self.outf.write("FSMO seize was not required, as transfer of '%s' role was successful\n" % role)
>> +                    return
>> +                except CommandError:
>> +                    #transfer failed, use the big axe...
>> +                    self.message("Transfer unsuccessful, seizing...")
> ^^ Why does this catch CommandError? samba-tool will display it
> properly if you just let it propagate to the caller.
>
> Also, self.message() doesn't raise an exception, so your program flow
> continues here despite the error message saying it is seizing.
>
>> +            else:
>> +                self.message("Will not attempt transfer, seizing...")
> ^^ This should print why it will not transfer. Like above, this
> doesn't actually seize the flow.
>
>> +
>> +            m["fSMORoleOwner"]= ldb.MessageElement(
>> +                serviceName, ldb.FLAG_MOD_REPLACE,
>> +                "fSMORoleOwner")
>>               try:
>> -                transfer_role(self.outf, role, samdb)
>> -                self.outf.write("FSMO seize was not required, as transfer of '%s' role was successful\n" % role)
>> -                return
>> -            except CommandError:
>> -            #transfer failed, use the big axe...
>> -                self.message("Transfer unsuccessful, seizing...")
>> +                samdb.modify(m)
>> +            except LdbError, (num, msg):
>> +                raise CommandError("Failed to initiate role seize of '%s' role: %s" % (role, msg))
>> +            else:
>> +                self.outf.write("FSMO seize of '%s' role successful\n" % role)
>>           else:
>> -            self.message("Will not attempt transfer, seizing...")
>> +            print "This DC already has the '%s' FSMO role" % role
> ^ Please use self.outf or self.message.
>>   
>> -        m["fSMORoleOwner"]= ldb.MessageElement(
>> -            serviceName, ldb.FLAG_MOD_REPLACE,
>> -            "fSMORoleOwner")
>> -        try:
>> -            samdb.modify(m)
>> -        except LdbError, (num, msg):
>> -            raise CommandError("Failed to initiate role seize of '%s' role: %s" % (role, msg))
>> -        self.outf.write("FSMO seize of '%s' role successful\n" % role)
>> +    def seize_dns_role(self, role, samdb, credopts, sambaopts, versionopts, force):
>> +        serviceName = samdb.get_dsServiceName()
>> +        domain_dn = samdb.domain_dn()
>> +        forest_dn = "DC=" + samdb.forest_dns_name().replace(".", ",DC=")
>> +        self.domaindns_dn = "CN=Infrastructure,DC=DomainDnsZones," + domain_dn
>> +        self.forestdns_dn = "CN=Infrastructure,DC=ForestDnsZones," + forest_dn
>> +
>> +        m = ldb.Message()
>> +        if role == "domaindns":
>> +            m.dn = ldb.Dn(samdb, self.domaindns_dn)
>> +        elif role == "forestdns":
>> +            m.dn = ldb.Dn(samdb, self.forestdns_dn)
>> +        else:
>> +            raise CommandError("Invalid FSMO role.")
>> +        #first try to transfer to avoid problem if the owner is still active
>> +        res = samdb.search(m.dn,
>> +                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
>> +        assert len(res) == 1
>> +        master_owner = res[0]["fSMORoleOwner"][0]
>> +        if master_owner != serviceName:
>> +            if force is None:
>> +                self.message("Attempting transfer...")
>> +                try:
>> +                    transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
>> +                    self.outf.write("FSMO seize was not required, as transfer of '%s' role was successful\n" % role)
> ^ This line looks like it is too long
>> +                    return
>> +                except CommandError:
>> +                #transfer failed, use the big axe...
>> +                    self.message("Transfer unsuccessful, seizing...")
>> +            else:
>> +                self.message("Will not attempt transfer, seizing...")
>> +
>> +            m["fSMORoleOwner"]= ldb.MessageElement(
>> +                serviceName, ldb.FLAG_MOD_REPLACE,
>> +                "fSMORoleOwner")
>> +            try:
>> +                samdb.modify(m)
>> +            except LdbError, (num, msg):
>> +                raise CommandError("Failed to initiate role seize of '%s' role: %s" % (role, msg))
>> +            else:
>> +                self.outf.write("FSMO seize of '%s' role successful\n" % role)
>> +        else:
>> +            print "This DC already has the '%s' FSMO role" % role
>>   
>>       def run(self, force=None, H=None, role=None,
>>               credopts=None, sambaopts=None, versionopts=None):
> Cheers,
>
> Jelmer

OK, hopefully the attached patch addresses all the problems pointed out 
by Jelmer (but I'm not holding my breath ;-) ), apart from the 
lining up of the newlines; I have left those in because, on my 
terminal, it makes the help text easier to read.

Rowland
-------------- next part --------------
>From ad77410f97f246a685ce52fd0f1730c0d571f760 Mon Sep 17 00:00:00 2001
From: Rowland Penny <repenny241155 at gmail.com>
Date: Thu, 4 Jun 2015 11:24:13 +0100
Subject: [PATCH] samba-tool: make 'samba-tool fsmo *' aware of all 7 fsmo
 roles

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10734

Signed-off-by: Rowland Penny <repenny241155 at gmail.com>
---
 python/samba/netcmd/fsmo.py |  360 ++++++++++++++++++++++++++++++++-----------
 1 file changed, 274 insertions(+), 86 deletions(-)

diff --git a/python/samba/netcmd/fsmo.py b/python/samba/netcmd/fsmo.py
index 1bc4a96..d5f2d09 100644
--- a/python/samba/netcmd/fsmo.py
+++ b/python/samba/netcmd/fsmo.py
@@ -17,10 +17,11 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+import samba
 import samba.getopt as options
 import ldb
 from ldb import LdbError
-
+from samba.dcerpc import drsuapi, misc
 from samba.auth import system_session
 from samba.netcmd import (
     Command,
@@ -30,15 +31,131 @@ from samba.netcmd import (
     )
 from samba.samdb import SamDB
 
+def get_fsmo_roleowner(samdb, roledn):
+    """Gets the owner of an FSMO role
+
+    :param roledn: The DN of the FSMO role
+    """
+    res = samdb.search(roledn,
+                       scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
+    assert len(res) == 1
+    master_owner = res[0]["fSMORoleOwner"][0]
+    return master_owner
+
+
+def transfer_dns_role(outf, sambaopts, credopts, role, samdb):
+    """Transfer dns FSMO role. """
+
+    if role == "domaindns":
+        domain_dn = samdb.domain_dn()
+        role_object = "CN=Infrastructure,DC=DomainDnsZones," + domain_dn
+    elif role == "forestdns":
+        forest_dn = "DC=" + samdb.forest_dns_name().replace(".", ",DC=")
+        role_object = "CN=Infrastructure,DC=ForestDnsZones," + forest_dn
+
+    try:
+        res = samdb.search(role_object, 
+                           attrs=["fSMORoleOwner"],
+                           scope=ldb.SCOPE_BASE, 
+                           controls=["extended_dn:1:1"])
+
+        if 'fSMORoleOwner' in res[0]:
+            try:
+                master_guid = str(misc.GUID(ldb.Dn(samdb, 
+                                  res[0]['fSMORoleOwner'][0])
+                                  .get_extended_component('GUID')))
+                master_owner = str(ldb.Dn(samdb, res[0]['fSMORoleOwner'][0]))
+            except:
+                outf.write("Can't find GUID in naming master on partition DN %s\n"
+                           % res[0]['fSMORoleOwner'][0])
+                return
+    except LdbError, (num, msg):
+        raise CommandError("DNS partion %s not found : %s" % (role, msg))
+
+    if role == "domaindns":
+        master_dns_name = '%s._msdcs.%s' % (master_guid, 
+                                            samdb.domain_dns_name())
+        new_dns_name = '%s._msdcs.%s' % (samdb.get_ntds_GUID(), 
+                                         samdb.domain_dns_name())
+    elif role == "forestdns":
+        master_dns_name = '%s._msdcs.%s' % (master_guid, 
+                                            samdb.forest_dns_name())
+        new_dns_name = '%s._msdcs.%s' % (samdb.get_ntds_GUID(), 
+                                         samdb.forest_dns_name())
+
+    new_owner = samdb.get_dsServiceName()
+
+    if master_dns_name != new_dns_name:
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp, fallback_machine=True)
+        samdb = SamDB(url="ldap://%s" % (master_dns_name), 
+                      session_info=system_session(),
+                      credentials=creds, lp=lp)
+
+        m = ldb.Message()
+        m.dn = ldb.Dn(samdb, role_object)
+        m["fSMORoleOwner"] = ldb.MessageElement(master_owner, 
+                                                ldb.FLAG_MOD_DELETE, 
+                                                "fSMORoleOwner")
+
+        try:
+            samdb.modify(m)
+        except LdbError, (num, msg):
+            raise CommandError("Failed to delete role '%s': %s" % 
+                               (role, msg))
+
+        m = ldb.Message()
+        m.dn = ldb.Dn(samdb, role_object)
+        m["fSMORoleOwner"]= ldb.MessageElement(new_owner, 
+                                               ldb.FLAG_MOD_ADD, 
+                                               "fSMORoleOwner")
+        try:
+            samdb.modify(m)
+        except LdbError, (num, msg):
+            raise CommandError("Failed to add role '%s': %s" % (role, msg))
+
+        try:
+            connection = samba.drs_utils.drsuapi_connect(samdb.host_dns_name(), 
+                                                         lp, creds)
+        except samba.drs_utils.drsException, e:
+            raise CommandError("Drsuapi Connect failed", e)
+
+        try:
+            drsuapi_connection = connection[0]
+            drsuapi_handle = connection[1]
+            req_options = drsuapi.DRSUAPI_DRS_WRIT_REP
+            NC = role_object[18:]
+            samba.drs_utils.sendDsReplicaSync(drsuapi_connection, 
+                                              drsuapi_handle, 
+                                              master_guid,
+                                              NC, req_options)
+        except samba.drs_utils.drsException, estr:
+            raise CommandError("Replication failed", estr)
+
+        outf.write("FSMO transfer of '%s' role successful\n" % role)
+    else:
+        outf.write("This DC already has the '%s' FSMO role\n" % role)
+
+
 def transfer_role(outf, role, samdb):
+    """Transfer standard FSMO role. """
+
+    domain_dn = samdb.domain_dn()
+    rid_dn = "CN=RID Manager$,CN=System," + domain_dn
+    naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn()
+    infrastructure_dn = "CN=Infrastructure," + domain_dn
+    schema_dn = str(samdb.get_schema_basedn())
+    new_owner = samdb.get_dsServiceName()
     m = ldb.Message()
     m.dn = ldb.Dn(samdb, "")
     if role == "rid":
+        master_owner = get_fsmo_roleowner(samdb, rid_dn)
         m["becomeRidMaster"]= ldb.MessageElement(
             "1", ldb.FLAG_MOD_REPLACE,
             "becomeRidMaster")
     elif role == "pdc":
-        domain_dn = samdb.domain_dn()
+        master_owner = get_fsmo_roleowner(samdb, domain_dn)
+
         res = samdb.search(domain_dn,
                            scope=ldb.SCOPE_BASE, attrs=["objectSid"])
         assert len(res) == 1
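Review bot: In transfer_dns_role the error paths at L419-L428 do not stop the caller: when `fSMORoleOwner` is absent from the result the code falls through to L433 with `master_guid` unbound, and when the GUID lookup fails the bare `except:` writes a message and returns normally, so seize_dns_role (later in this patch) takes its `return` after a supposedly successful transfer and never seizes. Both cases should raise CommandError, and the role dispatch at L406-L411 needs an `else: raise CommandError("Invalid FSMO role.")` so `role_object` is always bound, matching transfer_role. The message at L430 also misspells "partition". The rewritten lookup is below; transfer_role, which starts at the end of this hunk, continues past it.
```python
    try:
        res = samdb.search(role_object,
                           attrs=["fSMORoleOwner"],
                           scope=ldb.SCOPE_BASE,
                           controls=["extended_dn:1:1"])
    except LdbError, (num, msg):
        raise CommandError("DNS partition %s not found : %s" % (role, msg))

    if 'fSMORoleOwner' not in res[0]:
        raise CommandError("No fSMORoleOwner found on %s" % role_object)

    owner_dn = ldb.Dn(samdb, res[0]['fSMORoleOwner'][0])
    try:
        master_guid = str(misc.GUID(owner_dn.get_extended_component('GUID')))
    except Exception, e:
        raise CommandError("Can't find GUID in naming master on partition "
                           "DN %s: %s" % (res[0]['fSMORoleOwner'][0], e))
    master_owner = str(owner_dn)
    # ... unchanged: DNS name construction, remote modify, replica sync ...
```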
@@ -47,24 +164,33 @@ def transfer_role(outf, role, samdb):
             sid, ldb.FLAG_MOD_REPLACE,
             "becomePdc")
     elif role == "naming":
+        master_owner = get_fsmo_roleowner(samdb, naming_dn)
         m["becomeDomainMaster"]= ldb.MessageElement(
             "1", ldb.FLAG_MOD_REPLACE,
             "becomeDomainMaster")
     elif role == "infrastructure":
+        master_owner = get_fsmo_roleowner(samdb, infrastructure_dn)
         m["becomeInfrastructureMaster"]= ldb.MessageElement(
             "1", ldb.FLAG_MOD_REPLACE,
             "becomeInfrastructureMaster")
     elif role == "schema":
+        master_owner = get_fsmo_roleowner(samdb, schema_dn)
         m["becomeSchemaMaster"]= ldb.MessageElement(
             "1", ldb.FLAG_MOD_REPLACE,
             "becomeSchemaMaster")
     else:
         raise CommandError("Invalid FSMO role.")
-    try:
-        samdb.modify(m)
-    except LdbError, (num, msg):
-        raise CommandError("Failed to initiate transfer of '%s' role: %s" % (role, msg))
-    outf.write("FSMO transfer of '%s' role successful\n" % role)
+
+    if master_owner != new_owner:
+        try:
+            samdb.modify(m)
+        except LdbError, (num, msg):
+            raise CommandError("Transfer of '%s' role failed: %s" %
+                               (role, msg))
+
+        outf.write("FSMO transfer of '%s' role successful\n" % role)
+    else:
+        outf.write("This DC already has the '%s' FSMO role\n" % role)
 
 
 class cmd_fsmo_seize(Command):
@@ -79,26 +205,31 @@ class cmd_fsmo_seize(Command):
         }
 
     takes_options = [
-        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
-               metavar="URL", dest="H"),
-        Option("--force", help="Force seizing of the role without attempting to transfer first.", action="store_true"),
-        Option("--role", type="choice", choices=["rid", "pdc", "infrastructure","schema","naming","all"],
+        Option("-H", "--URL", help="LDB URL for database or target server", 
+               type=str, metavar="URL", dest="H"),
+        Option("--force", 
+               help="Force seizing of the role without attempting to transfer first.", 
+               action="store_true"),
+        Option("--role", type="choice", choices=["rid", "pdc", "infrastructure",
+               "schema", "naming", "domaindns", "forestdns", "all"],
                help="""The FSMO role to seize or transfer.\n
-rid=RidAllocationMasterRole\n
-schema=SchemaMasterRole\n
-pdc=PdcEmulationMasterRole\n
-naming=DomainNamingMasterRole\n
-infrastructure=InfrastructureMasterRole\n
-all=all of the above"""),
+rid=RidAllocationMasterRole                         \n
+schema=SchemaMasterRole                             \n
+pdc=PdcEmulationMasterRole                          \n
+naming=DomainNamingMasterRole                       \n
+infrastructure=InfrastructureMasterRole             \n
+domaindns=DomainDnsZonesMasterRole                  \n
+forestdns=ForestDnsZonesMasterRole                  \n
+all=all of the above                                \n
+You must provide an Admin user and password."""),
         ]
 
     takes_args = []
 
     def seize_role(self, role, samdb, force):
-        res = samdb.search("",
-                           scope=ldb.SCOPE_BASE, attrs=["dsServiceName"])
-        assert len(res) == 1
-        serviceName = res[0]["dsServiceName"][0]
+        """Seize standard fsmo role. """
+
+        serviceName = samdb.get_dsServiceName()
         domain_dn = samdb.domain_dn()
         self.infrastructure_dn = "CN=Infrastructure," + domain_dn
         self.naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn()
@@ -119,26 +250,78 @@ all=all of the above"""),
         else:
             raise CommandError("Invalid FSMO role.")
         #first try to transfer to avoid problem if the owner is still active
-        if force is None:
-            self.message("Attempting transfer...")
-            try:
-                transfer_role(self.outf, role, samdb)
-                self.outf.write("FSMO seize was not required, as transfer of '%s' role was successful\n" % role)
-                return
-            except CommandError:
-            #transfer failed, use the big axe...
+        if master_owner != serviceName:
+            if force is None:
+                self.message("Attempting transfer...")
+                try:
+                    transfer_role(self.outf, role, samdb)
+                    return
+                except:
+                #transfer failed, use the big axe...
                 self.message("Transfer unsuccessful, seizing...")
+            else:
+                self.message("Seizing %s FSMO role..." % role)
+
+            m["fSMORoleOwner"]= ldb.MessageElement(
+                serviceName, ldb.FLAG_MOD_REPLACE,
+                "fSMORoleOwner")
+            try:
+                samdb.modify(m)
+            except LdbError, (num, msg):
+                raise CommandError("Failed to seize '%s' role: %s" % 
+                                   (role, msg))
+
+            self.outf.write("Successful seize of the '%s' FSMO role\n" % role)
         else:
-            self.message("Will not attempt transfer, seizing...")
+            self.outf.write("This DC already has the '%s' FSMO role\n" % role)
 
-        m["fSMORoleOwner"]= ldb.MessageElement(
-            serviceName, ldb.FLAG_MOD_REPLACE,
-            "fSMORoleOwner")
-        try:
-            samdb.modify(m)
-        except LdbError, (num, msg):
-            raise CommandError("Failed to initiate role seize of '%s' role: %s" % (role, msg))
-        self.outf.write("FSMO seize of '%s' role successful\n" % role)
+
+    def seize_dns_role(self, role, samdb, credopts, sambaopts, 
+                       versionopts, force):
+        """Seize DNS FSMO role. """
+
+        serviceName = samdb.get_dsServiceName()
+        domain_dn = samdb.domain_dn()
+        forest_dn = "DC=" + samdb.forest_dns_name().replace(".", ",DC=")
+        self.domaindns_dn = "CN=Infrastructure,DC=DomainDnsZones," + domain_dn
+        self.forestdns_dn = "CN=Infrastructure,DC=ForestDnsZones," + forest_dn
+
+        m = ldb.Message()
+        if role == "domaindns":
+            m.dn = ldb.Dn(samdb, self.domaindns_dn)
+        elif role == "forestdns":
+            m.dn = ldb.Dn(samdb, self.forestdns_dn)
+        else:
+            raise CommandError("Invalid FSMO role.")
+        #first try to transfer to avoid problem if the owner is still active
+        master_owner = get_fsmo_roleowner(samdb, m.dn)
+        if master_owner != serviceName:
+            if force is None:
+                self.message("Attempting transfer...")
+                try:
+                    transfer_dns_role(self.outf, sambaopts, credopts, role, 
+                                      samdb)
+                    #self.outf.write("Transfer of '%s' role was successful\n" % 
+                    #                role)
+                    return
+                except:
+                    #transfer failed, use the big axe...
+                    self.message("Transfer unsuccessful, seizing...")
+            else:
+                self.message("Seizing %s FSMO role..." % role)
+
+            m["fSMORoleOwner"]= ldb.MessageElement(
+                serviceName, ldb.FLAG_MOD_REPLACE,
+                "fSMORoleOwner")
+            try:
+                samdb.modify(m)
+            except LdbError, (num, msg):
+                raise CommandError("Failed to seize '%s' role: %s" % 
+                                   (role, msg))
+            else:
+                self.outf.write("Successful seize of '%s' FSMO role\n" % role)
+        else:
+            self.outf.write("This DC already has the '%s' FSMO role\n" % role)
 
     def run(self, force=None, H=None, role=None,
             credopts=None, sambaopts=None, versionopts=None):
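Review bot: In seize_role the new `except:` at L623 has no body: L625 `self.message("Transfer unsuccessful, seizing...")` is an unchanged context line still indented at the level of `except:`, so the file fails to compile with an IndentationError. On the same path, `master_owner` compared at L617 is not assigned anywhere in seize_role that this patch shows (the lines between this hunk and the previous one are unchanged by the patch), whereas seize_dns_role obtains it via `get_fsmo_roleowner(samdb, m.dn)` at L670; seize_role needs the same call before the comparison. The bare `except:` here and at L680 is also broader than the `except CommandError:` it replaces, so an interrupted or unexpected failure is answered by seizing the role and the reason is lost; catch CommandError and report it. The commented-out write at L677-L678 should be dropped. seize_role starts outside this hunk.
```python
        # ... unchanged: role dispatch into m.dn ...
        master_owner = get_fsmo_roleowner(samdb, m.dn)
        if master_owner != serviceName:
            if force is None:
                self.message("Attempting transfer...")
                try:
                    transfer_role(self.outf, role, samdb)
                    return
                except CommandError, e:
                    # transfer failed, use the big axe...
                    self.message("Transfer unsuccessful (%s), seizing..." % e)
        # ... unchanged: seize via fSMORoleOwner replace ...
```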
@@ -155,8 +338,16 @@ all=all of the above"""),
             self.seize_role("naming", samdb, force)
             self.seize_role("infrastructure", samdb, force)
             self.seize_role("schema", samdb, force)
+            self.seize_dns_role("domaindns", samdb, credopts, sambaopts, 
+                                versionopts, force)
+            self.seize_dns_role("forestdns", samdb, credopts, sambaopts, 
+                                versionopts, force)
         else:
-            self.seize_role(role, samdb, force)
+            if role == "domaindns" or role == "forestdns":
+                self.seize_dns_role(role, samdb, credopts, sambaopts, 
+                                    versionopts, force)
+            else:
+                self.seize_role(role, samdb, force)
 
 
 class cmd_fsmo_show(Command):
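Review bot: The dispatch at L711 is clearer as a membership test, `if role in ("domaindns", "forestdns"):`, and the nested `if` under `else:` at L709-L715 could be an `elif` at the same level. `versionopts` is threaded through both seize_dns_role calls at L705-L708 and L712-L713, but seize_dns_role never reads it in the code shown earlier in this patch; either use it or drop the parameter so the signature matches seize_role. run() starts and ends outside this hunk.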
@@ -171,8 +362,8 @@ class cmd_fsmo_show(Command):
         }
 
     takes_options = [
-        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
-               metavar="URL", dest="H"),
+        Option("-H", "--URL", help="LDB URL for database or target server", 
+               type=str, metavar="URL", dest="H"),
         ]
 
     takes_args = []
@@ -185,41 +376,29 @@ class cmd_fsmo_show(Command):
             credentials=creds, lp=lp)
 
         domain_dn = samdb.domain_dn()
-        self.infrastructure_dn = "CN=Infrastructure," + domain_dn
-        self.naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn()
-        self.schema_dn = samdb.get_schema_basedn()
-        self.rid_dn = "CN=RID Manager$,CN=System," + domain_dn
-
-        res = samdb.search(self.infrastructure_dn,
-                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
-        assert len(res) == 1
-        self.infrastructureMaster = res[0]["fSMORoleOwner"][0]
-
-        res = samdb.search(domain_dn,
-                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
-        assert len(res) == 1
-        self.pdcEmulator = res[0]["fSMORoleOwner"][0]
-
-        res = samdb.search(self.naming_dn,
-                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
-        assert len(res) == 1
-        self.namingMaster = res[0]["fSMORoleOwner"][0]
-
-        res = samdb.search(self.schema_dn,
-                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
-        assert len(res) == 1
-        self.schemaMaster = res[0]["fSMORoleOwner"][0]
-
-        res = samdb.search(self.rid_dn,
-                           scope=ldb.SCOPE_BASE, attrs=["fSMORoleOwner"])
-        assert len(res) == 1
-        self.ridMaster = res[0]["fSMORoleOwner"][0]
-
-        self.message("InfrastructureMasterRole owner: " + self.infrastructureMaster)
-        self.message("RidAllocationMasterRole owner: " + self.ridMaster)
-        self.message("PdcEmulationMasterRole owner: " + self.pdcEmulator)
-        self.message("DomainNamingMasterRole owner: " + self.namingMaster)
-        self.message("SchemaMasterRole owner: " + self.schemaMaster)
+        forest_dn = "DC=" + samdb.forest_dns_name().replace(".", ",DC=")
+        infrastructure_dn = "CN=Infrastructure," + domain_dn
+        naming_dn = "CN=Partitions,%s" % samdb.get_config_basedn()
+        schema_dn = samdb.get_schema_basedn()
+        rid_dn = "CN=RID Manager$,CN=System," + domain_dn
+        domaindns_dn = "CN=Infrastructure,DC=DomainDnsZones," + domain_dn
+        forestdns_dn = "CN=Infrastructure,DC=ForestDnsZones," + forest_dn
+
+        infrastructureMaster = get_fsmo_roleowner(samdb, infrastructure_dn)
+        pdcEmulator = get_fsmo_roleowner(samdb, domain_dn)
+        namingMaster = get_fsmo_roleowner(samdb, naming_dn)
+        schemaMaster = get_fsmo_roleowner(samdb, schema_dn)
+        ridMaster = get_fsmo_roleowner(samdb, rid_dn)
+        domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
+        forestdnszonesMaster = get_fsmo_roleowner(samdb, forestdns_dn)
+
+        self.message("SchemaMasterRole owner: " + schemaMaster)
+        self.message("InfrastructureMasterRole owner: " + infrastructureMaster)
+        self.message("RidAllocationMasterRole owner: " + ridMaster)
+        self.message("PdcEmulationMasterRole owner: " + pdcEmulator)
+        self.message("DomainNamingMasterRole owner: " + namingMaster)
+        self.message("DomainDnsZonesMasterRole owner: " + domaindnszonesMaster)
+        self.message("ForestDnsZonesMasterRole owner: " + forestdnszonesMaster)
 
 
 class cmd_fsmo_transfer(Command):
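Review bot: Building the forest DN by text substitution, `forest_dn = "DC=" + samdb.forest_dns_name().replace(".", ",DC=")`, duplicates what the database already knows; `forest_dn = str(samdb.get_root_basedn())` gives the forest root DN without the string surgery and is the same source the other `*_basedn()` calls on lines 771-772 use. Since all seven lookups now run before any line is printed, a domain whose DomainDnsZones or ForestDnsZones partition cannot be read will (if `get_fsmo_roleowner` raises on a missing partition, as its error handling suggests) abort `show` without reporting the five roles that were found; looking the DNS roles up after the five standard ones are printed, or reporting them as absent, would keep the command useful there. The `run` method of `cmd_fsmo_show` starts outside this hunk.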
@@ -234,16 +413,20 @@ class cmd_fsmo_transfer(Command):
         }
 
     takes_options = [
-        Option("-H", "--URL", help="LDB URL for database or target server", type=str,
-               metavar="URL", dest="H"),
-        Option("--role", type="choice", choices=["rid", "pdc", "infrastructure","schema","naming","all"],
+        Option("-H", "--URL", help="LDB URL for database or target server", 
+               type=str, metavar="URL", dest="H"),
+        Option("--role", type="choice", choices=["rid", "pdc", "infrastructure",
+               "schema", "naming", "domaindns", "forestdns", "all"],
                help="""The FSMO role to seize or transfer.\n
-rid=RidAllocationMasterRole\n
-schema=SchemaMasterRole\n
-pdc=PdcEmulationMasterRole\n
-naming=DomainNamingMasterRole\n
-infrastructure=InfrastructureMasterRole\n
-all=all of the above"""),
+rid=RidAllocationMasterRole                         \n
+schema=SchemaMasterRole                             \n
+pdc=PdcEmulationMasterRole                          \n
+naming=DomainNamingMasterRole                       \n
+infrastructure=InfrastructureMasterRole             \n
+domaindns=DomainDnsZonesMasterRole                  \n
+forestdns=ForestDnsZonesMasterRole                  \n
+all=all of the above                                \n
+You must provide an Admin user and password."""),
         ]
 
     takes_args = []
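Review bot: The help text on lines 813-820 pads each role line with a run of spaces before `\n`; inside a triple-quoted string those spaces become part of the `--help` output, and if the padding is a deliberate workaround for the option parser's line wrapping a short comment above `takes_options` saying so would stop the next reader from stripping it. Line 802 also has trailing whitespace after the comma. If the padding is not needed, the plain form of the removed lines, e.g. `rid=RidAllocationMasterRole\n`, is clearer.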
@@ -263,8 +446,13 @@ all=all of the above"""),
             transfer_role(self.outf, "naming", samdb)
             transfer_role(self.outf, "infrastructure", samdb)
             transfer_role(self.outf, "schema", samdb)
+            transfer_dns_role(self.outf, sambaopts, credopts, "domaindns", samdb)
+            transfer_dns_role(self.outf, sambaopts, credopts, "forestdns", samdb)
         else:
-            transfer_role(self.outf, role, samdb)
+            if role == "domaindns" or role == "forestdns":
+                transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
+            else:
+                transfer_role(self.outf, role, samdb)
 
 
 class cmd_fsmo(SuperCommand):
-- 
1.7.10.4


