[PATCH 09/10] s4: Run twice update_sd, one with the system, one with the domain admin
Matthieu Patou
mat at matws.net
Fri Nov 27 06:53:58 MST 2009
---
source4/scripting/bin/upgradeprovision | 38 ++++++++++++++-----------------
1 files changed, 17 insertions(+), 21 deletions(-)
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index 56ff91c..a463b8b 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -582,18 +582,16 @@ def check_updated_sd(newpaths,paths,creds,session,names):
if hash_new.has_key(key):
sddl = ndr_unpack(security.descriptor,str(res2[i]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
if sddl != hash_new[key]:
- print key
+ print "%s new sddl/sddl in ref"%key
print "%s\n%s"%(sddl,hash_new[key])
# Simple update method for updating the SD that rely on the fact that nobody should have modified the SD
# This assumption is safe right now (alpha9) but should be removed asap
def update_sd(newpaths,paths,creds,session,names):
- domSID = security.dom_sid(names.domainsid)
- admin_session_info = admin_session(lp, names.domainsid)
- sam_ldb = Ldb(paths.samdb, session_info=admin_session, credentials=creds,lp=lp)
+ sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
sam_ldb.transaction_start()
# First update the SD for the rootdn
- sam_ldb.set_session_info(admin_session_info)
+ sam_ldb.set_session_info(session)
res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
delta = ldb.Message()
delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"]))
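Review bot: `sam_ldb.set_session_info(session)` directly below the new `Ldb(paths.samdb, session_info=session, ...)` line is redundant, since the handle was just opened with that same session, and the "First update the SD for the rootdn" comment above it no longer marks a session switch; dropping the call makes the new flow clearer. Now that the identity is supplied by the caller, `update_sd` should say so in a docstring, e.g. `"""Rewrite the SD of rootdn and of every object listed in hash using the identity in session (the caller runs this once as system and once as domain admin)."""`. `lp` is used here but is not a parameter, so presumably it is a module-level global — worth stating in that docstring if so. The body of update_sd continues past the end of this hunk.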
@@ -627,23 +625,17 @@ def update_sd(newpaths,paths,creds,session,names):
listkeys = hash.keys()
listkeys.sort(dn_sort)
- # SD should be created with admin but as some previous acl were so wrong that admin can't modify them we have first
- # to recreate them with the good form and then give the ownership to admin ...
- system_session_info = system_session()
- sam_ldb.set_session_info(system_session_info)
- for key in listkeys:
- delta = ldb.Message()
- delta.dn = ldb.Dn(sam_ldb,key)
- delta["whenCreated"] = ldb.MessageElement( hash[key],ldb.FLAG_MOD_REPLACE,"whenCreated" )
- sam_ldb.modify(delta,["recalculate_sd:0"])
-
-
- sam_ldb.set_session_info(admin_session_info)
for key in listkeys:
- delta = ldb.Message()
- delta.dn = ldb.Dn(sam_ldb,key)
- delta["whenCreated"] = ldb.MessageElement( hash[key],ldb.FLAG_MOD_REPLACE,"whenCreated" )
- sam_ldb.modify(delta,["recalculate_sd:0"])
+ try:
+ delta = ldb.Message()
+ delta.dn = ldb.Dn(sam_ldb,key)
+ delta["whenCreated"] = ldb.MessageElement( hash[key],ldb.FLAG_MOD_REPLACE,"whenCreated" )
+ sam_ldb.modify(delta,["recalculate_sd:0"])
+ except:
+ sam_ldb.transaction_cancel()
+ res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"])
+ print "bad stuff" +ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
+ return
sam_ldb.transaction_commit()
def rmall(topdir):
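Review bot: The new bare `except:` in the per-key loop catches everything (including KeyboardInterrupt), drops the exception, and then prints the SD of `res[0]` of a subtree search rooted at `names.rootdn` — that is the root object, not the object `key` whose `modify` failed, so the "bad stuff" line will rarely show the offending descriptor. After `transaction_cancel()` the function returns `None`, and the call sites in the last hunk (the second `update_sd` pass and `check_updated_sd`) carry on as if the pass had succeeded. I would narrow the handler to `ldb.LdbError`, search `base=key` with `SCOPE_BASE`, name `key` and the exception in the message, and re-raise so the upgrade stops at the first SD that cannot be recalculated.

```python
    for key in listkeys:
        try:
            # … unchanged: build delta for key and sam_ldb.modify(delta, ["recalculate_sd:0"]) …
        except ldb.LdbError, e:
            sam_ldb.transaction_cancel()
            res = sam_ldb.search(expression="objectClass=*", base=key, scope=SCOPE_BASE, attrs=["dn","nTSecurityDescriptor"], controls=["search_options:1:2"])
            print "unable to recalculate the SD of %s: %s" % (key, e)
            print ndr_unpack(security.descriptor, str(res[0]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
            raise
    sam_ldb.transaction_commit()
```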
@@ -751,7 +743,11 @@ update_machine_account_password(newpaths,paths,creds,session,names)
if opts.full:
update_samdb(newpaths,paths,creds,session,names)
+# SD should be created with admin but as some previous acl were so wrong that admin can't modify them we have first
+# to recreate them with the good form but with system account and then give the ownership to admin ...
+admin_session_info = admin_session(lp, str(names.domainsid))
update_sd(newpaths,paths,creds,session,names)
+update_sd(newpaths,paths,creds,admin_session_info,names)
check_updated_sd(newpaths,paths,creds,session,names)
message(SIMPLE,"Upgrade finished !")
# remove reference provision now that everything is done !
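Review bot: The added comment says the first pass runs "with system account", but the first `update_sd` call passes `session`, whose definition is outside this hunk, so the comment should tie the intent to the actual variables: `# first pass with 'session' (expected to be the system session) so that SDs too broken for admin to touch can be rewritten at all; second pass with admin_session_info so ownership ends up with the domain admin`. Nothing here checks the outcome of the first pass before the second one and `check_updated_sd` run, so the two calls are only safe if `update_sd` itself stops the script on failure. `admin_session(lp, str(names.domainsid))` also wraps the SID in `str()` where the removed code in `update_sd` passed `names.domainsid` as is — if `admin_session` needs a string, a short comment saying so would prevent the next person from "simplifying" it back.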
--
1.6.3.3