The branch, master has been updated
       via  f6ecb4e... s4-torture: fixed expected error codes for s4 in SMB2-LOCK
       via  0920e0b... s4-drstest: don't use getenv("LDB_URL") in test suites
       via  d78921d... s4-pvfs: fixed access check failure in SFILEINFO test
       via  d5387ed... s4-ldb: improve detection of whether the server has a GC port
       via  7ea485a... s4-ldb: better to test for valid arguments in ldb library than commandline
       via  d3d7ca8... s4-smb2: SMB2 uses NT_STATUS_CANCELLED for cancelled locks
       via  7c158bd... s4-smb2: sequence numbers are not checked in SMB2_OP_CANCEL
       via  056473d... torture: fixed SMB2-LOCK valgrind error
       via  04f235a... s4-smb2: check for invalid SMB2 lock ranges
       via  aa4c516... s4-smb2: check for an invalid lock flags combination
       via  61a278f... s4-install: fixed install path for python scripts
       via  8455a76... s4:upgradeprovision Rework update_machine_account_password() transactions
       via  e6c1608... s4:dsdb Don't segfault with ldb_transaction_prepare_commit() without begin()
       via  731f560... s4:upgradeprovision add 'exit $failed' to blackbox test
       via  d1faf7c... s4:upgradeprovision Use mkdtemp to create unique temporary directory names
       via  6f0f82f... s4:selftest Add tests for upgradeprovision
       via  b9f9588... s4:upgradeprovision Rework script, and reset machine account pw
       via  2fd8314... s4:ldb Provide bindings for ldb_transaction_prepare_commit()
       via  09338e6... s4:provision Make setting the domain SID in the self join optional
       via  4a52ee3... Fix path to upgradeprovision
       via  44bc8ac... s4: Improve updateprovision
       via  81a21cb... s4: update What's new and explain how to upgrade a samba4 provision
       via  b25a42d... s4: Rename the script
      from  1a8f838... s3-kerberos: Fix Bug #6929: build with recent heimdal.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit f6ecb4efb063617771dfa519911ae8af069c0f9a
Author: Andrew Tridgell <tri...@samba.org>
Date: Fri Nov 27 14:54:22 2009 +1100

    s4-torture: fixed expected error codes for s4 in SMB2-LOCK

    I think the error/success codes returned by windows for these tests
    are quite bogus. The ones s4 gives are much more reasonable. The
    locking ones returning NT_STATUS_SUCCESS could lead to data loss, as
    an application thinks it has a file locked correctly when in fact it
    doesn't, so it could do an unsafe modify.

commit 0920e0b63b806c8ed4839271048dd4924ed02b2b
Author: Andrew Tridgell <tri...@samba.org>
Date: Fri Nov 27 14:42:05 2009 +1100

    s4-drstest: don't use getenv("LDB_URL") in test suites

    I was stumped for a while as to why the drs test suite was failing
    for me. It turned out that it looked for LDB_URL in the environment,
    and used it if set. I had it set in my terminal, and it was happily
    munching on my sam.ldb while testing. Quite a cute bug really :-)

commit d78921d78ca0a9211f044092b9a7f29bcfdd5397
Author: Andrew Tridgell <tri...@samba.org>
Date: Fri Nov 27 14:22:29 2009 +1100

    s4-pvfs: fixed access check failure in SFILEINFO test

    matching windows behaviour is not always the right thing to do!

commit d5387edb88ce29ad1a6f864415c19486a20269af
Author: Andrew Tridgell <tri...@samba.org>
Date: Fri Nov 27 14:20:47 2009 +1100

    s4-ldb: improve detection of whether the server has a GC port

    We were trying to open $SERVER:3268 regardless, which could result
    in creating a file called "localdc1:3268", which led to subsequent
    test failures

commit 7ea485a1d20c1bf41926ebb4b0ae8f37a2d909f7
Author: Andrew Tridgell <tri...@samba.org>
Date: Fri Nov 27 14:18:39 2009 +1100

    s4-ldb: better to test for valid arguments in ldb library than commandline

    We were testing for valid DNs in ldbrename in the command line tool.
    This hid a bug in the ldb library where we caught a bad DN in the
    objectclass module rather than in the main ldb code. It is better to
    do validation of the DNs passed on the command line in the library
    code, as this gives us more consistent error handling between the
    programming APIs for ldb and the command line.

commit d3d7ca8eeab13c00705188102855525a21dd5345
Author: Andrew Tridgell <tri...@samba.org>
Date: Thu Nov 26 17:38:50 2009 +1100

    s4-smb2: SMB2 uses NT_STATUS_CANCELLED for cancelled locks

commit 7c158bdb1d0e217e06f54d2e2cef12a5433d3578
Author: Andrew Tridgell <tri...@samba.org>
Date: Thu Nov 26 17:38:11 2009 +1100

    s4-smb2: sequence numbers are not checked in SMB2_OP_CANCEL

commit 056473d58836ef3818e816f2d649ea35e7550264
Author: Andrew Tridgell <tri...@samba.org>
Date: Thu Nov 26 17:03:20 2009 +1100

    torture: fixed SMB2-LOCK valgrind error

commit 04f235a9ebf45422c6ec2a971268c2c38dc081ad
Author: Andrew Tridgell <tri...@samba.org>
Date: Thu Nov 26 16:53:51 2009 +1100

    s4-smb2: check for invalid SMB2 lock ranges

commit aa4c51602383d50b0801d854e752b575c70f7657
Author: Andrew Tridgell <tri...@samba.org>
Date: Thu Nov 26 16:35:03 2009 +1100

    s4-smb2: check for an invalid lock flags combination

    UNLOCK with FAIL_IMMEDIATELY is not allowed

commit 61a278fd8ab3feb26e6bc095d4f170fd97aa5c89
Author: Andrew Tridgell <tri...@samba.org>
Date: Thu Nov 26 13:06:01 2009 +1100

    s4-install: fixed install path for python scripts

    when we install python scripts we need to fix the internal path used
    to find modules. We also need to install the scripts in the right
    place. Most of them should go in $SBINDIR not share/setup/

commit 8455a765164abf43794e10390978b22156e5c50a
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Nov 27 08:10:54 2009 +1100

    s4:upgradeprovision Rework update_machine_account_password() transactions

    This balances the transaction_begin() and
    transaction_prepare_commit() calls

    Andrew Bartlett

commit e6c1608e909b9bbc1bdceeb24d57b9333c453a3d
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Nov 27 08:05:59 2009 +1100

    s4:dsdb Don't segfault with ldb_transaction_prepare_commit() without begin()

    It is up to other modules to complain if
    ldb_transaction_prepare_commit() is called before
    ldb_transaction_begin_transaction()

    Andrew Bartlett

commit 731f560ecb0d2c075a04eb4431275f9127b061b7
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Nov 26 22:01:54 2009 +1100

    s4:upgradeprovision add 'exit $failed' to blackbox test

commit d1faf7c90c8a23a2d09576ec45558ce457aa9d03
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Nov 26 21:52:40 2009 +1100

    s4:upgradeprovision Use mkdtemp to create unique temporary directory names

commit 6f0f82f7ed9cd351b325d4ae275184b67c4b751b
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Nov 26 15:34:53 2009 +1100

    s4:selftest Add tests for upgradeprovision

commit b9f95882f0fd9f453c6b90d1ca023111195d757b
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Nov 26 15:32:49 2009 +1100

    s4:upgradeprovision Rework script, and reset machine account pw

    The rework corrects some duplication and errors in the original
    script, found when preparing an automated test of the script.

    The code to reset the machine account password avoids issues with
    AES keys and salting, which may not otherwise be solved by the
    upgrade.

    Andrew Bartlett

commit 2fd831407d81a53f79fd4d207d086ee9882e7606
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Nov 26 15:32:06 2009 +1100

    s4:ldb Provide bindings for ldb_transaction_prepare_commit()

commit 09338e60bc0003abefd31902de721ecf8fee1552
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Nov 26 14:57:39 2009 +1100

    s4:provision Make setting the domain SID in the self join optional

commit 4a52ee3cd591051f05c086d61769ad16b9c8df58
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Nov 26 12:15:22 2009 +1100

    Fix path to upgradeprovision

commit 44bc8ac22c402e3d320e080f935636bf26e17500
Author: Matthieu Patou <m...@matws.net>
Date: Wed Nov 25 16:26:35 2009 +0300

    s4: Improve updateprovision

    * Define a simple upgrade process mode (module storage change, file
      name change, copy of new file)
    * Move the schema, configuration and current object upgrade into
      full upgrade mode
    * Added the --full switch to select the full upgrade mode, and made
      simple upgrade mode the default
    * Make updateprovision work without any switch (update the provision
      in the default location)
    * Cleanup the messages
    * Create the reference provision in a subdirectory of the updated
      provision

commit 81a21cbc40821246f5e806fbb44826cef629bed2
Author: Matthieu Patou <m...@matws.net>
Date: Wed Nov 25 17:10:52 2009 +0300

    s4: update What's new and explain how to upgrade a samba4 provision

commit b25a42d9073283f8e0bbd3b3e35862349b2f6243
Author: Matthieu Patou <m...@matws.net>
Date: Wed Nov 25 11:42:16 2009 +0300

    s4: Rename the script

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW4.txt | 5 +-
 source4/Makefile | 10 +-
 source4/dsdb/samdb/ldb_modules/linked_attributes.c | 4 +
 source4/lib/ldb/common/ldb.c | 10 +
 source4/lib/ldb/pyldb.c | 9 +
 source4/lib/ldb/tests/python/ldap.py | 14 +-
 source4/lib/ldb/tools/ldbrename.c | 9 -
 source4/ntvfs/ntvfs_generic.c | 9 +
 source4/ntvfs/posix/pvfs_lock.c | 6 +-
 source4/ntvfs/posix/pvfs_open.c | 13 +-
source4/script/installmisc.sh | 35 +- source4/scripting/bin/upgradeprovision | 747 ++++++++++++++++++++ source4/scripting/bin/upgradeschema.py | 694 ------------------ source4/scripting/python/samba/provision.py | 7 +- source4/selftest/knownfail | 2 + source4/selftest/tests.sh | 1 + source4/setup/tests/blackbox_upgradeprovision.sh | 28 + source4/smb_server/smb2/receive.c | 3 +- source4/torture/drs/unit/prefixmap_tests.c | 25 +- source4/torture/smb2/lock.c | 28 +- upgrading-samba4.txt | 24 + 21 files changed, 928 insertions(+), 755 deletions(-) create mode 100755 source4/scripting/bin/upgradeprovision delete mode 100755 source4/scripting/bin/upgradeschema.py create mode 100755 source4/setup/tests/blackbox_upgradeprovision.sh create mode 100644 upgrading-samba4.txt Changeset truncated at 500 lines: diff --git a/WHATSNEW4.txt b/WHATSNEW4.txt index 1cd66d5..e0ec6f1 100644 --- a/WHATSNEW4.txt +++ b/WHATSNEW4.txt @@ -65,7 +65,7 @@ directories. CHANGES SINCE alpha8 ===================== -In the time since Samba4 alpha7 was released in Feburary 2009, Samba has +In the time since Samba4 alpha8 was released in June 2009, Samba has continued to evolve, but you may particularly notice these areas (in no particular order): @@ -117,6 +117,9 @@ KNOWN ISSUES consult upgrading-samba4.txt. We have made a number of changes in this release that should make it easier to upgrade in future. +- ACL are not set by default on shares created by the provision. + Work is underway on this subject and it should be fixed in Alpha10. + RUNNING Samba4 ============== diff --git a/source4/Makefile b/source4/Makefile index 03b4e73..8f23da5 100644 --- a/source4/Makefile +++ b/source4/Makefile 
@@ -114,14 +114,6 @@ libgpodir := libgpo include data.mk -INSTALL_SCRIPTS = $(addprefix scripting/bin/, \ - autoidl \ - samba3dump \ - rpcclient \ - smbstatus) - -$(foreach SCRIPT,$(INSTALL_SCRIPTS),$(eval $(call binary_install_template,$(SCRIPT)))) - $(DESTDIR)$(bindir)/%: scripting/bin/% installdirs @mkdir -p $(@D) @echo Installing $(@F) as $@ @@ -253,7 +245,7 @@ installman:: manpages installdirs @$(SHELL) $(srcdir)/script/installman.sh $(DESTDIR)$(mandir) $(MANPAGES) installmisc:: installdirs - @$(SHELL) $(srcdir)/script/installmisc.sh $(srcdir) $(DESTDIR)$(setupdir) + @$(SHELL) $(srcdir)/script/installmisc.sh $(srcdir) $(DESTDIR)$(setupdir) $(DESTDIR)$(bindir) $(DESTDIR)$(sbindir) $(pythondir) installpc:: installdirs @$(SHELL) $(srcdir)/script/installpc.sh $(builddir) $(DESTDIR)$(pkgconfigdir) $(PC_FILES) diff --git a/source4/dsdb/samdb/ldb_modules/linked_attributes.c b/source4/dsdb/samdb/ldb_modules/linked_attributes.c index 32f9cba..bd9af55 100644 --- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c +++ b/source4/dsdb/samdb/ldb_modules/linked_attributes.c @@ -1212,6 +1212,10 @@ static int linked_attributes_prepare_commit(struct ldb_module *module) talloc_get_type(ldb_module_get_private(module), struct la_private); struct la_context *ac; + if (!la_private) { + /* prepare commit without begin_transaction - let someone else return the error, just don't segfault */ + return ldb_next_prepare_commit(module); + } /* walk the list backwards, to do the first entry first, as we * added the entries with DLIST_ADD() which puts them at the * start of the list */ diff --git a/source4/lib/ldb/common/ldb.c b/source4/lib/ldb/common/ldb.c index 3a8023a..94a5fb2 100644 --- a/source4/lib/ldb/common/ldb.c +++ b/source4/lib/ldb/common/ldb.c 
@@ -791,6 +791,16 @@ int ldb_request(struct ldb_context *ldb, struct ldb_request *req) ret = module->ops->del(module, req); break; case LDB_RENAME: + if (!ldb_dn_validate(req->op.rename.olddn)) { + ldb_asprintf_errstring(ldb, "ldb_rename: invalid olddn '%s'", + ldb_dn_get_linearized(req->op.rename.olddn)); + return LDB_ERR_INVALID_DN_SYNTAX; + } + if (!ldb_dn_validate(req->op.rename.newdn)) { + ldb_asprintf_errstring(ldb, "ldb_rename: invalid newdn '%s'", + ldb_dn_get_linearized(req->op.rename.newdn)); + return LDB_ERR_INVALID_DN_SYNTAX; + } FIRST_OP(ldb, rename); ret = module->ops->rename(module, req); break; diff --git a/source4/lib/ldb/pyldb.c b/source4/lib/ldb/pyldb.c index 0d1d2fa..0ba69e1 100644 --- a/source4/lib/ldb/pyldb.c +++ b/source4/lib/ldb/pyldb.c @@ -477,6 +477,12 @@ static PyObject *py_ldb_transaction_commit(PyLdbObject *self) Py_RETURN_NONE; } +static PyObject *py_ldb_transaction_prepare_commit(PyLdbObject *self) +{ + PyErr_LDB_ERROR_IS_ERR_RAISE(PyExc_LdbError, ldb_transaction_prepare_commit(PyLdb_AsLdbContext(self)), PyLdb_AsLdbContext(self)); + Py_RETURN_NONE; +} + static PyObject *py_ldb_transaction_cancel(PyLdbObject *self) { PyErr_LDB_ERROR_IS_ERR_RAISE(PyExc_LdbError, ldb_transaction_cancel(PyLdb_AsLdbContext(self)), PyLdb_AsLdbContext(self)); @@ -1224,6 +1230,9 @@ static PyMethodDef py_ldb_methods[] = { { "transaction_start", (PyCFunction)py_ldb_transaction_start, METH_NOARGS, "S.transaction_start() -> None\n" "Start a new transaction." }, + { "transaction_prepare_commit", (PyCFunction)py_ldb_transaction_prepare_commit, METH_NOARGS, + "S.transaction_prepare_commit() -> None\n" + "prepare to commit a new transaction (2-stage commit)." }, { "transaction_commit", (PyCFunction)py_ldb_transaction_commit, METH_NOARGS, "S.transaction_commit() -> None\n" "commit a new transaction." }, diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py index a5a9d7c..408246b 100755 --- a/source4/lib/ldb/tests/python/ldap.py 
+++ b/source4/lib/ldb/tests/python/ldap.py @@ -1366,10 +1366,11 @@ member: cn=ldaptestuser2,cn=users,""" + self.base_dn + """ print "Testing ldb.search for (&(cn=ldaptestuser)(objectCategory=PerSon)) in with 'phantom root' control" - res3control = gc_ldb.search(self.base_dn, expression="(&(cn=ldaptestuser)(objectCategory=PerSon))", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"]) - self.assertEquals(len(res3control), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog") + if gc_ldb is not None: + res3control = gc_ldb.search(self.base_dn, expression="(&(cn=ldaptestuser)(objectCategory=PerSon))", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["search_options:1:2"]) + self.assertEquals(len(res3control), 1, "Could not find (&(cn=ldaptestuser)(objectCategory=PerSon)) in Global Catalog") - self.assertEquals(res[0].dn, res3control[0].dn) + self.assertEquals(res[0].dn, res3control[0].dn) ldb.delete(res[0].dn) @@ -2038,8 +2039,11 @@ if not "://" in host: host = "ldap://%s" % host ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp) -gc_ldb = Ldb("%s:3268" % host, credentials=creds, - session_info=system_session(), lp=lp) +if not "tdb://" in host: + gc_ldb = Ldb("%s:3268" % host, credentials=creds, + session_info=system_session(), lp=lp) +else: + gc_ldb = None runner = SubunitTestRunner() rc = 0 diff --git a/source4/lib/ldb/tools/ldbrename.c b/source4/lib/ldb/tools/ldbrename.c index fcae766..bfccacc 100644 --- a/source4/lib/ldb/tools/ldbrename.c +++ b/source4/lib/ldb/tools/ldbrename.c @@ -63,15 +63,6 @@ int main(int argc, const char **argv) dn1 = ldb_dn_new(ldb, ldb, options->argv[0]); dn2 = ldb_dn_new(ldb, ldb, options->argv[1]); - if ( ! ldb_dn_validate(dn1)) { - printf("Invalid DN1: %s\n", options->argv[0]); - return -1; - } - if ( ! ldb_dn_validate(dn2)) { - printf("Invalid DN2: %s\n", options->argv[1]); - return -1; - } - ret = ldb_rename(ldb, dn1, dn2); if (ret == 0) { printf("Renamed 1 record\n"); 
diff --git a/source4/ntvfs/ntvfs_generic.c b/source4/ntvfs/ntvfs_generic.c index 1d81acf..d564db7 100644 --- a/source4/ntvfs/ntvfs_generic.c +++ b/source4/ntvfs/ntvfs_generic.c @@ -1106,6 +1106,9 @@ NTSTATUS ntvfs_map_lock(struct ntvfs_module_context *ntvfs, /* only the first lock gives the UNLOCK bit - see MS-SMB2 3.3.5.14 */ if (lck->smb2.in.locks[0].flags & SMB2_LOCK_FLAG_UNLOCK) { + if (lck->smb2.in.locks[0].flags & SMB2_LOCK_FLAG_FAIL_IMMEDIATELY) { + return NT_STATUS_INVALID_PARAMETER; + } lck2->generic.in.ulock_cnt = lck->smb2.in.lock_count; isunlock = true; } else { @@ -1113,6 +1116,12 @@ NTSTATUS ntvfs_map_lock(struct ntvfs_module_context *ntvfs, isunlock = false; } for (i=0;i<lck->smb2.in.lock_count;i++) { + if (lck->smb2.in.locks[i].length > 1 && + lck->smb2.in.locks[i].offset + + lck->smb2.in.locks[i].length < + lck->smb2.in.locks[i].offset) { + return NT_STATUS_INVALID_LOCK_RANGE; + } if (lck->smb2.in.locks[i].flags == SMB2_LOCK_FLAG_NONE) { return NT_STATUS_INVALID_PARAMETER; } diff --git a/source4/ntvfs/posix/pvfs_lock.c b/source4/ntvfs/posix/pvfs_lock.c index 711c924..11757de 100644 --- a/source4/ntvfs/posix/pvfs_lock.c +++ b/source4/ntvfs/posix/pvfs_lock.c @@ -116,7 +116,11 @@ static void pvfs_pending_lock_continue(void *private_data, enum pvfs_wait_notice /* we don't retry on a cancel */ if (reason == PVFS_WAIT_CANCEL) { - status = NT_STATUS_FILE_LOCK_CONFLICT; + if (pvfs->ntvfs->ctx->protocol != PROTOCOL_SMB2) { + status = NT_STATUS_FILE_LOCK_CONFLICT; + } else { + status = NT_STATUS_CANCELLED; + } } else { /* * here it's important to pass the pending pointer diff --git a/source4/ntvfs/posix/pvfs_open.c b/source4/ntvfs/posix/pvfs_open.c index b100c85..621db3c 100644 --- a/source4/ntvfs/posix/pvfs_open.c +++ b/source4/ntvfs/posix/pvfs_open.c 
@@ -1941,15 +1941,12 @@ NTSTATUS pvfs_can_update_file_size(struct pvfs_state *pvfs, NTCREATEX_SHARE_ACCESS_WRITE | NTCREATEX_SHARE_ACCESS_DELETE; /* - * I would have thought that we would need to pass - * SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA here too - * - * But you only need SEC_FILE_WRITE_ATTRIBUTE permissions - * to set the filesize. - * - * --metze + * this code previous set only SEC_FILE_WRITE_ATTRIBUTE, with + * a comment that this seemed to be wrong, but matched windows + * behaviour. It now appears that this windows behaviour is + * just a bug. */ - access_mask = SEC_FILE_WRITE_ATTRIBUTE; + access_mask = SEC_FILE_WRITE_ATTRIBUTE | SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA; delete_on_close = false; break_to_none = true; diff --git a/source4/script/installmisc.sh b/source4/script/installmisc.sh index d0376b3..7851d1f 100755 --- a/source4/script/installmisc.sh +++ b/source4/script/installmisc.sh 
@@ -1,22 +1,53 @@ #!/bin/sh # install miscellaneous files +[ $# -eq 5 ] || { + echo "Usage: installmisc.sh SRCDIR SETUPDIR BINDDIR SBINDDIR PYTHONDIR" + exit 1 +} + SRCDIR="$1" SETUPDIR="$2" +BINDIR="$3" +SBINDIR="$4" +PYTHONDIR="$5" cd $SRCDIR || exit 1 +# fixup a python script to use the right path +fix_python_path() { + f="$1" + egrep 'sys.path.insert.*bin/python' $f > /dev/null && { + sed -i "s|\(sys.path.insert.*\)bin/python\(.*\)$|\1$PYTHONDIR\2|g" $f || exit 1 + } +} + echo "Installing setup templates" mkdir -p $SETUPDIR || exit 1 +mkdir -p $SBINDIR || exit 1 +mkdir -p $BINDIR || exit 1 mkdir -p $SETUPDIR/ad-schema || exit 1 mkdir -p $SETUPDIR/display-specifiers || exit1 cp setup/ad-schema/*.txt $SETUPDIR/ad-schema || exit 1 cp setup/display-specifiers/*.txt $SETUPDIR/display-specifiers || exit 1 + +echo "Installing sbin scripts from setup/*" for p in domainlevel enableaccount newuser provision setexpiry setpassword pwsettings do - chmod a+x setup/$p - cp setup/$p $SETUPDIR || exit 1 + cp setup/$p $SBINDIR || exit 1 + chmod a+x $SBINDIR/$p + fix_python_path $SBINDIR/$p || exit 1 done + +echo "Installing sbin scripts from scripting/bin/*" +for p in upgradeprovision +do + cp scripting/bin/$p $SBINDIR || exit 1 + chmod a+x $SBINDIR/$p + fix_python_path $SBINDIR/$p || exit 1 +done + +echo "Installing remaining files in $SETUPDIR" cp setup/schema-map-* $SETUPDIR || exit 1 cp setup/DB_CONFIG $SETUPDIR || exit 1 cp setup/*.inf $SETUPDIR || exit 1 diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision new file mode 100755 index 0000000..9298c02 --- /dev/null +++ b/source4/scripting/bin/upgradeprovision 
@@ -0,0 +1,747 @@ +#!/usr/bin/python +# +# Copyright (C) Matthieu Patou <m...@matws.net> 2009 +# +# Based on provision a Samba4 server by +# Copyright (C) Jelmer Vernooij <jel...@samba.org> 2007-2008 +# Copyright (C) Andrew Bartlett <abart...@samba.org> 2008 +# +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +import getopt +import shutil +import optparse +import os +import sys +import random +import string +import re +import base64 +import tempfile +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + +from base64 import b64encode + +import samba +from samba.credentials import DONT_USE_KERBEROS +from samba.auth import system_session, admin_session +from samba import Ldb +from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError +import ldb +import samba.getopt as options +from samba.samdb import SamDB +from samba import param +from samba.provision import ProvisionNames,provision_paths_from_lp,find_setup_dir,FILL_FULL,provision +from samba.provisionexceptions import ProvisioningError +from samba.schema import get_dnsyntax_attributes, get_linked_attributes, Schema +from samba.dcerpc import misc, security +from samba.ndr import ndr_pack, ndr_unpack +from samba.dcerpc.misc import SEC_CHAN_BDC + +replace=2^ldb.FLAG_MOD_REPLACE +add=2^ldb.FLAG_MOD_ADD +delete=2^ldb.FLAG_MOD_DELETE + +#Errors are always logged +ERROR = -1 +SIMPLE = 
0x00 +CHANGE = 0x01 +CHANGESD = 0x02 +GUESS = 0x04 +PROVISION = 0x08 +CHANGEALL = 0xff + +# Attributes that not copied from the reference provision even if they do not exists in the destination object +# This is most probably because they are populated automatcally when object is created +hashAttrNotCopied = { "dn": 1,"whenCreated": 1,"whenChanged": 1,"objectGUID": 1,"replPropertyMetaData": 1,"uSNChanged": 1,\ + "uSNCreated": 1,"parentGUID": 1,"objectCategory": 1,"distinguishedName": 1,\ + "showInAdvancedViewOnly": 1,"instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1,\ + "nTMixedDomain": 1,"versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1, "ntPwdHistory":1, "unicodePwd":1,\ + "dBCSPwd":1,"supplementalCredentials":1,"gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,\ + "maxPwdAge":1, "mail":1, "secret":1} + +# Usually for an object that already exists we do not overwrite attributes as they might have been changed for good +# reasons. Anyway for a few of thems it's mandatory to replace them otherwise the provision will be broken somehow. 
+hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace,"systemOnly":replace, "searchFlags":replace,\ + "mayContain":replace, "systemFlags":replace, + "oEMInformation":replace, "operatingSystemVersion":replace, "adminPropertyPages":1,"possibleInferiors":replace+delete} +backlinked = [] + +def define_what_to_log(opts): + what = 0 + if opts.debugchange: + what = what | CHANGE + if opts.debugchangesd: + what = what | CHANGESD + if opts.debugguess: + what = what | GUESS + if opts.debugprovision: + what = what | PROVISION + if opts.debugall: + what = what | CHANGEALL + return what + + +parser = optparse.OptionParser("provision [options]") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +parser.add_option("--setupdir", type="string", metavar="DIR", + help="directory with setup files") +parser.add_option("--debugprovision", help="Debug provision", action="store_true") +parser.add_option("--debugguess", help="Print information on what is different but won't be changed", action="store_true") +parser.add_option("--debugchange", help="Print information on what is different but won't be changed", action="store_true") +parser.add_option("--debugchangesd", help="Print information security descriptors differences", action="store_true") +parser.add_option("--debugall", help="Print all available information (very verbose)", action="store_true") +parser.add_option("--full", help="Perform full upgrade of the samdb (schema, configuration, new objects, ...", action="store_true") +parser.add_option("--targetdir", type="string", metavar="DIR", + help="Set target directory") + +opts = parser.parse_args()[0] + +whatToLog = define_what_to_log(opts) + +def messageprovision(text): + """print a message if quiet is not set.""" + if opts.debugprovision or opts.debugall: + print text + +def message(what,text): + 
"""print a message if quiet is not set.""" + if (whatToLog & what) or (what <= 0 ): + print text + +if len(sys.argv) == 1: + opts.interactive = True +lp = sambaopts.get_loadparm() +smbconf = lp.configfile + +creds = credopts.get_credentials(lp) +creds.set_kerberos_state(DONT_USE_KERBEROS) +setup_dir = opts.setupdir +if setup_dir is None: + setup_dir = find_setup_dir() + +session = system_session() + +# Create an array of backlinked attributes +def populate_backlink(newpaths,creds,session,schemadn): + newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp) + backlinked.extend(get_linked_attributes(ldb.Dn(newsam_ldb,str(schemadn)),newsam_ldb).values()) + +# Get Paths for important objects (ldb, keytabs ...) +def get_paths(targetdir=None,smbconf=None): + if targetdir is not None: + if (not os.path.exists(os.path.join(targetdir, "etc"))): + os.makedirs(os.path.join(targetdir, "etc")) + smbconf = os.path.join(targetdir, "etc", "smb.conf") + if smbconf is None: + smbconf = param.default_path() + + if not os.path.exists(smbconf): + message(ERROR,"Unable to find smb.conf ..") + parser.print_usage() + sys.exit(1) + + lp = param.LoadParm() + lp.load(smbconf) +# Normaly we need the domain name for this function but for our needs it's pointless + paths = provision_paths_from_lp(lp,"foo") + return paths + +# This function guess(fetch) informations needed to make a fresh provision from the current provision +# It includes: realm, workgroup, partitions, netbiosname, domain guid, ... 
+def guess_names_from_current_provision(credentials,session_info,paths): + lp = param.LoadParm() + lp.load(paths.smbconf) + names = ProvisionNames() + # NT domain, kerberos realm, root dn, domain dn, domain dns name + names.domain = string.upper(lp.get("workgroup")) + names.realm = lp.get("realm") + basedn = "DC=" + names.realm.replace(".",",DC=") + names.dnsdomain = names.realm + names.realm = string.upper(names.realm) + # netbiosname + secrets_ldb = Ldb(paths.secrets, session_info=session_info, credentials=credentials,lp=lp, options=["modules:samba_secrets"]) + # Get the netbiosname first (could be obtained from smb.conf in theory) + attrs = ["sAMAccountName"] + res = secrets_ldb.search(expression="(flatname=%s)"%names.domain,base="CN=Primary Domains", scope=SCOPE_SUBTREE, attrs=attrs) + names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","") + + names.smbconf = smbconf + #It's important here to let ldb load with the old module or it's quite certain that the LDB won't load ... + samdb = Ldb(paths.samdb, session_info=session_info, + credentials=credentials, lp=lp, options=["modules:samba_dsdb"]) + + # That's a bit simplistic but it's ok as long as we have only 3 partitions + attrs2 = ["defaultNamingContext", "schemaNamingContext","configurationNamingContext","rootDomainNamingContext"] + res2 = samdb.search(expression="(objectClass=*)",base="", scope=SCOPE_BASE, attrs=attrs2) + + names.configdn = res2[0]["configurationNamingContext"] + configdn = str(names.configdn) + names.schemadn = res2[0]["schemaNamingContext"] -- Samba Shared Repository
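
Review bot: In the first source4/Makefile hunk, INSTALL_SCRIPTS (autoidl, samba3dump, rpcclient, smbstatus) and its binary_install_template expansion are removed, but nothing in the installmisc.sh hunk of this mail copies those four scripts into $BINDIR; that script only runs mkdir -p $BINDIR. If they are still meant to be installed, add a loop for them in installmisc.sh next to the two sbin loops, or state in the commit message that they are no longer installed.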
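
Review bot: In the LDB_RENAME case added to ldb_request() in source4/lib/ldb/common/ldb.c, both validation failures use return LDB_ERR_INVALID_DN_SYNTAX directly, while the neighbouring cases set ret and break, so this path skips whatever ldb_request() does after the switch. Set ret and break instead, or confirm that nothing after the switch is needed here. The error string also hands ldb_dn_get_linearized() of a DN that has just failed ldb_dn_validate() to %s; if that call can return NULL for an invalid DN, the message needs a fallback string.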
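
Review bot: In the second source4/lib/ldb/tests/python/ldap.py hunk, the test not "tdb://" in host is a substring match on a single scheme, so any other non-network URL still gets ":3268" appended and opened as a Global Catalog connection, which is the case the commit message describes. Prefer host.startswith("tdb://"), or enable gc_ldb only when the host is an ldap:// URL. With gc_ldb set to None, the phantom-root assertions guarded in the first hunk are skipped without any output; printing a skip message there would keep the reduced coverage visible in the test log.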
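
Review bot: In the first source4/ntvfs/ntvfs_generic.c hunk, the UNLOCK with FAIL_IMMEDIATELY rejection looks only at locks[0].flags, and the per-element loop that follows rejects only SMB2_LOCK_FLAG_NONE, so the same combination on locks[1] onward is not refused by anything in the visible lines. If later elements can carry these flags, move the combination check into the loop; if only the first element's flags matter, extend the existing MS-SMB2 3.3.5.14 comment to say so.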
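
Review bot: In the loop of ntvfs_map_lock() (second source4/ntvfs/ntvfs_generic.c hunk), the new range check is skipped when length is 0 or 1 (length > 1 && offset + length < offset) and no comment explains why; a lock of length 1 at the maximum offset also wraps and is accepted. Add a comment stating the intended boundary, with the protocol reference if there is one, and note that the test relies on offset and length being unsigned so that the wraparound in offset + length is well defined.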
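
Review bot: In pvfs_can_update_file_size() (source4/ntvfs/posix/pvfs_open.c), access_mask now ORs SEC_FILE_WRITE_ATTRIBUTE, SEC_FILE_WRITE_DATA and SEC_FILE_APPEND_DATA, and the hunk does not show whether the later check requires all three bits or any one of them. If all are required, a handle opened with only SEC_FILE_WRITE_DATA can no longer change the file size; say which is intended in the new comment, and name the test that shows the Windows behaviour to be a bug (SFILEINFO, per the commit message), since the replaced comment recorded the opposite conclusion. In the new comment, "previous set" should read "previously set".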
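
Review bot: fix_python_path() in source4/script/installmisc.sh returns the exit status of egrep when the pattern is absent, because the function body is a single egrep ... && { sed ... } list, and every caller is written as fix_python_path $SBINDIR/$p || exit 1, so a script without a sys.path.insert line aborts the whole install. End the function with return 0, or use if egrep -q ...; then ...; fi. In the same hunk, the usage text says BINDDIR and SBINDDIR where the variables are BINDIR and SBINDIR, the context line mkdir -p $SETUPDIR/display-specifiers || exit1 names a command exit1 rather than exit 1, and $f, $SBINDIR and $PYTHONDIR are expanded unquoted, so a path containing spaces (or a | in $PYTHONDIR, which is the sed delimiter) breaks the copy or the substitution.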
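
Review bot: Near the top of source4/scripting/bin/upgradeprovision, replace=2^ldb.FLAG_MOD_REPLACE, add=2^ldb.FLAG_MOD_ADD and delete=2^ldb.FLAG_MOD_DELETE use ^, which is bitwise XOR in Python and not exponentiation, so these are not the powers of two that the later "possibleInferiors":replace+delete combination assumes (and "adminPropertyPages":1 sits next to them as a bare literal). Use 1 << flag, or store the ldb flag constants themselves and keep combinations as a list. Two smaller points in the visible part of the file: --debugguess and --debugchange carry the same help string, and guess_names_from_current_provision() indexes res[0] from the secrets search without checking that a record came back.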