The branch, master has been updated
       via  38a26f7... s4 upgradeprovision: Make grouped commit / rollback more resistant to unexpected problems
       via  c4f7b0e... s4 upgradeprovision: Check that the policy for DC is present if not warn the user
       via  aea0003... s4 upgradeprovision: Emit message instead of crashing when not able to set acl
       via  17af115... s4 upgradeprovision: add an option to force the rebuilding of FS ACLs on sysvols share
       via  59f17f9... s4 unittests: add unit tests for upgradehelpers
       via  75389ce... s4 upgradeprovision: Add function for searching stored constructed attributes
       via  f3e7d0a... s4: Using control bypassoperational allow the logic of this module to be bypassed for some given attributes
       via  3ebe560... ldb: add a new control bypassioperationnal
       via  9c5f0ed... s4 upgradeprovision: additional restyling
       via  423f991... s4 upgradeprovision: Restyle imports
       via  fbeacc1... s4 upgradeprovision: Move functions to helpers and improve code
       via  8ff65b0... s4 python: Update unit tests related to create secrets
       via  9c808c4... s4: Add comments about setup_secrets
       via  84342b1... s4 upgradeprovision: Add documentation on the update process
       via  a466e0d... s4 python: Add unit tests for upgradeprovision related stuff
       via  ad55248... s4 upgradeprovision: move some functions to upgradehelpers for unit tests
       via  0537de1... s4 upgradeprovision: Fix style
       via  b624440... s4 upgradeprovision: Use replPropertyMetaData for better guess
       via  dd963dd... s4 upgradeprovision: Reformat attributes lists and reformat parser
       via  60400a7... s4 upgradeprovision: Inform about new dns dynamic update if the provision didn't have it
       via  26ccc3f... s4 upgradeprovision: fix style
       via  0ff46ec... s4 upgrade provision: Refactor code to do all the modification within 1 transaction
       via  ec90b1b... s4 upgrade provision: Fix style in gen_dn_index
       via  50072e2... s4 Add functions related to ldb manipulation when doing upgrade
       via  e2df3c2... s4 provision: Add information about provisioned usn range in sam.ldb
      from  c92db7b... python: Use samba.tests.TestCase, make sure base class tearDown and setUp methods are called, fix formatting.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 38a26f79eaded8364a178ba2aac71e64f5d60be5
Author: Matthieu Patou <m...@matws.net>
Date:   Wed Jun 16 11:25:19 2010 +0400

    s4 upgradeprovision: Make grouped commit / rollback more resistant to unexpected problems

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit c4f7b0e5f673943dfdda88f3e289912778a07a33
Author: Matthieu Patou <m...@matws.net>
Date:   Mon Jun 14 12:28:58 2010 +0400

    s4 upgradeprovision: Check that the policy for DC is present if not warn the user

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit aea0003d088f5e5f7d1393d4d75f570418dda043
Author: Matthieu Patou <m...@matws.net>
Date:   Mon Jun 14 02:14:48 2010 +0400

    s4 upgradeprovision: Emit message instead of crashing when not able to set acl

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 17af115de59fc3b52134a44ae1b0c5170b8f67e3
Author: Matthieu Patou <m...@matws.net>
Date:   Mon Jun 14 01:50:47 2010 +0400

    s4 upgradeprovision: add an option to force the rebuilding of FS ACLs on sysvols share

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 59f17f9e64f4fdf4a63440e20d6b30008072b4df
Author: Matthieu Patou <m...@matws.net>
Date:   Tue Jun 15 12:53:18 2010 +0400

    s4 unittests: add unit tests for upgradehelpers

    The functions tested are:
    * construct_existor_expr
    * search_constructed_attrs_stored

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 75389cecdde884356e222e3f846e7358f82c20c0
Author: Matthieu Patou <m...@matws.net>
Date:   Tue Jun 15 12:50:29 2010 +0400

    s4 upgradeprovision: Add function for searching stored constructed attributes

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit f3e7d0ae8f63c57fc0ec7680b2863c6f50e167fe
Author: Matthieu Patou <m...@matws.net>
Date:   Tue Jun 15 02:41:18 2010 +0400

    s4: Using control bypassoperational allow the logic of this module to be bypassed for some given attributes

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 3ebe56062297e52cf31499c6eb63c7ce70073bcc
Author: Matthieu Patou <m...@matws.net>
Date:   Tue Jun 15 02:23:11 2010 +0400

    ldb: add a new control bypassioperationnal

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 9c5f0ed7298e666fcfa05257fc7abfb6d3208433
Author: Matthieu Patou <m...@matws.net>
Date:   Tue Jun 15 23:41:39 2010 +0400

    s4 upgradeprovision: additional restyling

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 423f99172efcb57a654af5a6fcbad1045f210027
Author: Matthieu Patou <m...@matws.net>
Date:   Thu Jun 10 01:00:43 2010 +0400

    s4 upgradeprovision: Restyle imports

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit fbeacc1013bc3a95f19d7932a2bbf3d28176a977
Author: Matthieu Patou <m...@matws.net>
Date:   Tue Jun 8 00:01:16 2010 +0400

    s4 upgradeprovision: Move functions to helpers and improve code

    Among the code improvements the most significant part is that we now
    compare DN objects instead of their string representation. It allows
    to better react to case and white space differences.
    Some new move objects have been added (i.e. System into well known
    security principals).
    This will allow more unit testing.

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 8ff65b0136f442204f4d059fb1a13ad4a6419ab4
Author: Matthieu Patou <m...@matws.net>
Date:   Fri May 7 04:22:36 2010 +0400

    s4 python: Update unit tests related to create secrets

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 9c808c47fc2fddac396d12452428443f3ab26073
Author: Matthieu Patou <m...@matws.net>
Date:   Mon May 24 09:41:44 2010 +0400

    s4: Add comments about setup_secrets

    Comments are to inform people that this function should not handle
    transactions within the function, as it is mainly used in provision and
    we want to commit secrets only if all the actions on secrets have worked.

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 84342b1c7f289e5288470d4d4e3899aac6f042c5
Author: Matthieu Patou <m...@matws.net>
Date:   Fri May 7 16:26:26 2010 +0400

    s4 upgradeprovision: Add documentation on the update process

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit a466e0d61a97da648970eea02c246c08c503c421
Author: Matthieu Patou <m...@matws.net>
Date:   Tue May 4 00:01:00 2010 +0400

    s4 python: Add unit tests for upgradeprovision related stuff

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit ad55248958fe9aaeb6ebdc6f2d4c66a85ead6786
Author: Matthieu Patou <m...@matws.net>
Date:   Tue Jun 8 00:52:25 2010 +0400

    s4 upgradeprovision: move some functions to upgradehelpers for unit tests

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 0537de17c124b8ceccbeb9a57e9636a461239774
Author: Matthieu Patou <m...@matws.net>
Date:   Tue Jun 8 01:13:45 2010 +0400

    s4 upgradeprovision: Fix style

    reformat *_update_samdb functions
    fix_partition_sd
    rebuild_sd
    update_samdb
    update_privilege
    update_machine_account_password
    update_gpo

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit b624440a0fc99c43e97c73ffe7e17621a17b59ae
Author: Matthieu Patou <m...@matws.net>
Date:   Mon Jun 7 16:27:48 2010 +0400

    s4 upgradeprovision: Use replPropertyMetaData for better guess

    Rework upgradeprovision in order to get more precise updates when doing
    upgrade provision. This is done through the use of replPropertyMetaData
    information and raw information revealed by the "reveal" control.

    The code has also been changed to avoid a double free error when
    changing the schema (for old provisions).

    Checking of SDs is done a bit more cleverly as we compare the different
    parts of an ACL separately.

    Fix logic when upgrading a provision without replPropertyMetaData infos.

    Also for old provisions (pre alpha9) do not copy the usn range because
    data here will be wrong.

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit dd963ddb4e84bb1b7bea6ecb3a1e045d170338dc
Author: Matthieu Patou <m...@matws.net>
Date:   Mon Jun 7 23:47:43 2010 +0400

    s4 upgradeprovision: Reformat attributes lists and reformat parser

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 60400a7803d765fd53100fe088f1237e67887fe3
Author: Matthieu Patou <m...@matws.net>
Date:   Fri Apr 9 02:55:38 2010 +0400

    s4 upgradeprovision: Inform about new dns dynamic update if the provision didn't have it

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 26ccc3f4400165448f9a53efdec224d11f290783
Author: Matthieu Patou <m...@matws.net>
Date:   Tue Jun 8 00:21:48 2010 +0400

    s4 upgradeprovision: fix style

    add_deletedobj_containers
    add missing objects
    clean add-mising
    handle special add + dump denied

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 0ff46ec557009ec2dff0650dd39d6314e9df3a4e
Author: Matthieu Patou <m...@matws.net>
Date:   Sun May 2 19:56:03 2010 +0400

    s4 upgrade provision: Refactor code to do all the modification within 1 transaction

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit ec90b1b40e1f610dfc1e2aa3ba91c0b27dde4f60
Author: Matthieu Patou <m...@matws.net>
Date:   Tue Jun 8 00:21:00 2010 +0400

    s4 upgrade provision: Fix style in gen_dn_index

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit 50072e27fec0d3528e111ec566204f4e39e24ea5
Author: Matthieu Patou <m...@matws.net>
Date:   Sun May 2 19:56:31 2010 +0400

    s4 Add functions related to ldb manipulation when doing upgrade

    Signed-off-by: Jelmer Vernooij <jel...@samba.org>

commit e2df3c251060d634c8538dd7e771819ccf196130
Author: Matthieu Patou <m...@matws.net>
Date:   Thu Apr 22 12:53:12 2010 +0400

    s4 provision: Add information about provisioned usn range in sam.ldb
Signed-off-by: Jelmer Vernooij <jel...@samba.org> ----------------------------------------------------------------------- Summary of changes: source4/dsdb/samdb/ldb_modules/operational.c | 49 +- source4/lib/ldb/common/ldb_controls.c | 27 + source4/lib/ldb/include/ldb.h | 9 + source4/lib/ldb/tests/test-controls.sh | 1 + source4/scripting/bin/upgradeprovision | 1714 +++++++++++++------- source4/scripting/python/samba/provision.py | 98 ++ source4/scripting/python/samba/tests/provision.py | 13 + .../python/samba/tests/upgradeprovision.py | 137 ++ .../python/samba/tests/upgradeprovisionneeddc.py | 144 ++ source4/scripting/python/samba/upgradehelpers.py | 653 +++++++- source4/selftest/tests.sh | 2 + source4/setup/schema_samba4.ldif | 1 + 12 files changed, 2211 insertions(+), 637 deletions(-) create mode 100644 source4/scripting/python/samba/tests/upgradeprovision.py create mode 100644 source4/scripting/python/samba/tests/upgradeprovisionneeddc.py Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index e967f8a..e5aa516 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -478,6 +478,18 @@ static int construct_msds_keyversionnumber(struct ldb_module *module, } +struct op_controls_flags { + bool sd; + bool bypassoperational; +}; + +static bool check_keep_control_for_attribute(struct op_controls_flags* controls_flags, const char* attr) { + if (ldb_attr_cmp(attr, "msDS-KeyVersionNumber") == 0 && controls_flags->bypassoperational) { + return true; + } + return false; +} + /* a list of attribute names that should be substituted in the parse tree before the search is done 
@@ -517,7 +529,8 @@ static const struct { enum op_remove { OPERATIONAL_REMOVE_ALWAYS, /* remove always */ OPERATIONAL_REMOVE_UNASKED,/* remove if not requested */ - OPERATIONAL_SD_FLAGS /* show if SD_FLAGS_OID set, or asked for */ + OPERATIONAL_SD_FLAGS, /* show if SD_FLAGS_OID set, or asked for */ + OPERATIONAL_REMOVE_UNLESS_CONTROL /* remove always unless an adhoc control has been specified */ }; /* @@ -531,7 +544,7 @@ static const struct { enum op_remove op; } operational_remove[] = { { "nTSecurityDescriptor", OPERATIONAL_SD_FLAGS }, - { "msDS-KeyVersionNumber", OPERATIONAL_REMOVE_ALWAYS }, + { "msDS-KeyVersionNumber", OPERATIONAL_REMOVE_UNLESS_CONTROL }, { "parentGUID", OPERATIONAL_REMOVE_ALWAYS }, { "replPropertyMetaData", OPERATIONAL_REMOVE_UNASKED }, { "unicodePwd", OPERATIONAL_REMOVE_UNASKED }, @@ -553,7 +566,7 @@ static int operational_search_post_process(struct ldb_module *module, enum ldb_scope scope, const char * const *attrs_from_user, const char * const *attrs_searched_for, - bool sd_flags_set) + struct op_controls_flags* controls_flags) { struct ldb_context *ldb; unsigned int i, a = 0; @@ -574,8 +587,15 @@ static int operational_search_post_process(struct ldb_module *module, case OPERATIONAL_REMOVE_ALWAYS: ldb_msg_remove_attr(msg, operational_remove[i].attr); break; + case OPERATIONAL_REMOVE_UNLESS_CONTROL: + if (!check_keep_control_for_attribute(controls_flags, operational_remove[i].attr)) { + ldb_msg_remove_attr(msg, operational_remove[i].attr); + break; + } else { + continue; + } case OPERATIONAL_SD_FLAGS: - if (sd_flags_set || + if (controls_flags->sd || ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) { continue; } 
@@ -585,6 +605,9 @@ static int operational_search_post_process(struct ldb_module *module, } for (a=0;attrs_from_user && attrs_from_user[a];a++) { + if (check_keep_control_for_attribute(controls_flags, attrs_from_user[a])) { + continue; + } for (i=0;i<ARRAY_SIZE(search_sub);i++) { if (ldb_attr_cmp(attrs_from_user[a], search_sub[i].attr) != 0) { continue; @@ -633,7 +656,6 @@ failed: return -1; } - /* hook search operations */ @@ -643,7 +665,7 @@ struct operational_context { struct ldb_request *req; enum ldb_scope scope; const char * const *attrs; - bool sd_flags_set; + struct op_controls_flags* controls_flags; }; static int operational_callback(struct ldb_request *req, struct ldb_reply *ares) @@ -671,7 +693,7 @@ static int operational_callback(struct ldb_request *req, struct ldb_reply *ares) ac->scope, ac->attrs, req->op.search.attrs, - ac->sd_flags_set); + ac->controls_flags); if (ret != 0) { return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); @@ -728,10 +750,20 @@ static int operational_search(struct ldb_module *module, struct ldb_request *req parse_tree_sub[i].replace); } + ac->controls_flags = talloc(ac, struct op_controls_flags); + /* remember if the SD_FLAGS_OID was set */ + ac->controls_flags->sd = (ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID) != NULL); + /* remember if the LDB_CONTROL_BYPASSOPERATIONAL_OID */ + ac->controls_flags->bypassoperational = (ldb_request_get_control(req, + LDB_CONTROL_BYPASSOPERATIONAL_OID) != NULL); + /* in the list of attributes we are looking for, rename any attributes to the alias for any hidden attributes that can be fetched directly using non-hidden names */ for (a=0;ac->attrs && ac->attrs[a];a++) { + if (check_keep_control_for_attribute(ac->controls_flags, ac->attrs[a])) { + continue; + } for (i=0;i<ARRAY_SIZE(search_sub);i++) { if (ldb_attr_cmp(ac->attrs[a], search_sub[i].attr) == 0 && search_sub[i].replace) { 
@@ -763,9 +795,6 @@ static int operational_search(struct ldb_module *module, struct ldb_request *req } } - /* remember if the SD_FLAGS_OID was set */ - ac->sd_flags_set = (ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID) != NULL); - ret = ldb_build_search_req_ex(&down_req, ldb, ac, req->op.search.base, req->op.search.scope, diff --git a/source4/lib/ldb/common/ldb_controls.c b/source4/lib/ldb/common/ldb_controls.c index 010ed2d..aff03a0 100644 --- a/source4/lib/ldb/common/ldb_controls.c +++ b/source4/lib/ldb/common/ldb_controls.c @@ -486,6 +486,33 @@ struct ldb_control **ldb_parse_control_strings(struct ldb_context *ldb, void *me continue; } + if (strncmp(control_strings[i], "bypassoperational:", 18) == 0) { + const char *p; + int crit, ret; + + p = &(control_strings[i][18]); + ret = sscanf(p, "%d", &crit); + if ((ret != 1) || (crit < 0) || (crit > 1)) { + error_string = talloc_asprintf(mem_ctx, "invalid bypassopreational control syntax\n"); + error_string = talloc_asprintf_append(error_string, " syntax: crit(b)\n"); + error_string = talloc_asprintf_append(error_string, " note: b = boolean"); + ldb_set_errstring(ldb, error_string); + talloc_free(error_string); + return NULL; + } + + ctrl[i] = talloc(ctrl, struct ldb_control); + if (!ctrl[i]) { + ldb_oom(ldb); + return NULL; + } + ctrl[i]->oid = LDB_CONTROL_BYPASSOPERATIONAL_OID; + ctrl[i]->critical = crit; + ctrl[i]->data = NULL; + + continue; + } + if (strncmp(control_strings[i], "relax:", 6) == 0) { const char *p; int crit, ret; diff --git a/source4/lib/ldb/include/ldb.h b/source4/lib/ldb/include/ldb.h index 2eb395c..9958325 100644 --- a/source4/lib/ldb/include/ldb.h +++ b/source4/lib/ldb/include/ldb.h 
@@ -463,6 +463,15 @@ typedef int (*ldb_qsort_cmp_fn_t) (void *v1, void *v2, void *opaque); \sa <a href="http://opends.dev.java.net/public/standards/draft-zeilenga-ldap-managedit.txt">draft managedit</a>. */ #define LDB_CONTROL_RELAX_OID "1.3.6.1.4.1.4203.666.5.12" + +/** + OID for getting and manipulating attributes from the ldb + without interception in the operational module. + It can be used to access attribute that used to be stored in the sam + and that are now calculated. +*/ +#define LDB_CONTROL_BYPASSOPERATIONAL_OID "1.3.6.1.4.1.7165.4.3.13" + /** OID for recalculate SD control. This control force the dsdb code to recalculate the SD of the object as if the diff --git a/source4/lib/ldb/tests/test-controls.sh b/source4/lib/ldb/tests/test-controls.sh index db139bb..c78acbf 100755 --- a/source4/lib/ldb/tests/test-controls.sh +++ b/source4/lib/ldb/tests/test-controls.sh @@ -42,5 +42,6 @@ replace someThing someThing: someThingElseBetter EOF +$VALGRIND ldbsearch --controls "bypassoperational:0" >/dev/null 2>&1 || exit 1 set diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision index b7582d0..a478856 100755 --- a/source4/scripting/bin/upgradeprovision +++ b/source4/scripting/bin/upgradeprovision @@ -1,7 +1,7 @@ #!/usr/bin/env python # vim: expandtab # -# Copyright (C) Matthieu Patou <m...@matws.net> 2009 +# Copyright (C) Matthieu Patou <m...@matws.net> 2009 - 2010 # # Based on provision a Samba4 server by # Copyright (C) Jelmer Vernooij <jel...@samba.org> 2007-2008 @@ -28,6 +28,8 @@ import os import shutil import sys import tempfile +import re +import traceback # Allow to run from s4 source directory (without installing samba) sys.path.insert(0, "bin/python") 
@@ -35,33 +37,37 @@ import samba import samba.getopt as options from samba.credentials import DONT_USE_KERBEROS from samba.auth import system_session, admin_session -from samba import Ldb, version -from ldb import (SCOPE_SUBTREE, SCOPE_BASE, FLAG_MOD_REPLACE, - FLAG_MOD_ADD, FLAG_MOD_DELETE, MessageElement, Message, Dn) +from ldb import (SCOPE_SUBTREE, SCOPE_BASE, + FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE, + MessageElement, Message, Dn) from samba import param from samba.misc import messageEltFlagToString from samba.provision import (find_setup_dir, get_domain_descriptor, - get_config_descriptor, secretsdb_self_join, set_gpo_acl, - getpolicypath, create_gpo_struct, ProvisioningError) + get_config_descriptor, secretsdb_self_join, + ProvisioningError, getLastProvisionUSN, + get_max_usn, updateProvisionUSN) from samba.schema import get_linked_attributes, Schema, get_schema_descriptor -from samba.dcerpc import security +from samba.dcerpc import security, drsblobs from samba.ndr import ndr_unpack from samba.dcerpc.misc import SEC_CHAN_BDC -from samba.upgradehelpers import dn_sort, get_paths, newprovision, find_provision_key_parameters - +from samba.upgradehelpers import (dn_sort, get_paths, newprovision, + find_provision_key_parameters, get_ldbs, + usn_in_range, identic_rename, get_diff_sddls, + update_secrets, CHANGE, ERROR, SIMPLE, + CHANGEALL, GUESS, CHANGESD, PROVISION, + updateOEMInfo, getOEMInfo, update_gpo, + delta_update_basesamdb, update_policyids) + +replace=2**FLAG_MOD_REPLACE +add=2**FLAG_MOD_ADD +delete=2**FLAG_MOD_DELETE never=0 -replace=2^FLAG_MOD_REPLACE -add=2^FLAG_MOD_ADD -delete=2^FLAG_MOD_DELETE + + +# Will be modified during provision to tell if default sd has been modified +# somehow ... #Errors are always logged -ERROR = -1 -SIMPLE = 0x00 -CHANGE = 0x01 -CHANGESD = 0x02 -GUESS = 0x04 -PROVISION = 0x08 -CHANGEALL = 0xff __docformat__ = "restructuredText" 
@@ -70,24 +76,38 @@ __docformat__ = "restructuredText" # This is most probably because they are populated automatcally when object is # created # This also apply to imported object from reference provision -hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1, "objectGUID": 1, "replPropertyMetaData": 1, "uSNChanged": 1, - "uSNCreated": 1, "parentGUID": 1, "objectCategory": 1, "distinguishedName": 1, - "showInAdvancedViewOnly": 1, "instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1, - "nTMixedDomain": 1, "versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1, "ntPwdHistory":1, "unicodePwd":1, - "dBCSPwd":1, "supplementalCredentials":1, "gPCUserExtensionNames":1, "gPCMachineExtensionNames":1, - "maxPwdAge":1, "mail":1, "secret":1, "possibleInferiors":1, "sAMAccountType":1} +hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1, + "objectGUID": 1, "uSNCreated": 1, + "replPropertyMetaData": 1, "uSNChanged": 1, + "parentGUID": 1, "objectCategory": 1, + "distinguishedName": 1, "nTMixedDomain": 1, + "showInAdvancedViewOnly": 1, "instanceType": 1, + "msDS-Behavior-Version":1, "nextRid":1, "cn": 1, + "versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1, + "ntPwdHistory":1, "unicodePwd":1,"dBCSPwd":1, + "supplementalCredentials":1, "gPCUserExtensionNames":1, + "gPCMachineExtensionNames":1,"maxPwdAge":1, "secret":1, + "possibleInferiors":1, "privilege":1, + "sAMAccountType":1 } # Usually for an object that already exists we do not overwrite attributes as # they might have been changed for good reasons. Anyway for a few of them it's # mandatory to replace them otherwise the provision will be broken somehow. 
-hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace, "systemOnly":replace, "searchFlags":replace, - "mayContain":replace, "systemFlags":replace, "description":replace, - "oEMInformation":never, "operatingSystemVersion":replace, "adminPropertyPages":replace, - "defaultSecurityDescriptor": replace, "wellKnownObjects":replace, "privilege":delete, "groupType":replace, - "rIDAvailablePool": never} +# But for attribute that are just missing we do not have to specify them as the default +# behavior is to add missing attribute +hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace, + "systemOnly":replace, "searchFlags":replace, + "mayContain":replace, "systemFlags":replace+add, + "description":replace, "operatingSystemVersion":replace, + "adminPropertyPages":replace, "groupType":replace, + "wellKnownObjects":replace, "privilege":never, + "defaultSecurityDescriptor": replace, + "rIDAvailablePool": never, + "defaultSecurityDescriptor": replace + add } backlinked = [] +forwardlinked = {} dn_syntax_att = [] def define_what_to_log(opts): what = 0 
@@ -111,13 +131,20 @@ parser.add_option_group(options.VersionOptions(parser)) credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) parser.add_option("--setupdir", type="string", metavar="DIR", - help="directory with setup files") + help="directory with setup files") parser.add_option("--debugprovision", help="Debug provision", action="store_true") -parser.add_option("--debugguess", help="Print information on what is different but won't be changed", action="store_true") -parser.add_option("--debugchange", help="Print information on what is different but won't be changed", action="store_true") -parser.add_option("--debugchangesd", help="Print information security descriptors differences", action="store_true") -parser.add_option("--debugall", help="Print all available information (very verbose)", action="store_true") -parser.add_option("--full", help="Perform full upgrade of the samdb (schema, configuration, new objects, ...", action="store_true") +parser.add_option("--debugguess", action="store_true", + help="Print information on what is different but won't be changed") +parser.add_option("--debugchange", action="store_true", + help="Print information on what is different but won't be changed") +parser.add_option("--debugchangesd", action="store_true", + help="Print information security descriptors differences") +parser.add_option("--debugall", action="store_true", + help="Print all available information (very verbose)") +parser.add_option("--resetfileacl", action="store_true", + help="Force a reset on filesystem acls in sysvol / netlogon share") +parser.add_option("--full", action="store_true", + help="Perform full upgrade of the samdb (schema, configuration, new objects, ...") opts = parser.parse_args()[0] 
@@ -149,65 +176,84 @@ setup_dir = opts.setupdir if setup_dir is None: setup_dir = find_setup_dir() -session = system_session() -def identic_rename(ldbobj,dn): - """Perform a back and forth rename to trigger renaming on attribute that can't be directly modified. - :param lbdobj: An Ldb Object - :param dn: DN of the object to manipulate """ - (before,sep,after)=str(dn).partition('=') - ldbobj.rename(dn,Dn(ldbobj,"%s=foo%s"%(before,after))) - ldbobj.rename(Dn(ldbobj,"%s=foo%s"%(before,after)),dn) +def check_for_DNS(refprivate, private): + """Check if the provision has already the requirement for dynamic dns + + :param refprivate: The path to the private directory of the reference + provision + :param private: The path to the private directory of the upgraded + provision""" + + spnfile = "%s/spn_update_list" % private + namedfile = lp.get("dnsupdate:path") + + if not namedfile: + namedfile = "%s/named.conf.update" % private + + if not os.path.exists(spnfile): + shutil.copy("%s/spn_update_list" % refprivate, "%s" % spnfile) + destdir = "%s/new_dns" % private + dnsdir = "%s/dns" % private -def populate_backlink(newpaths,creds,session,schemadn): + if not os.path.exists(namedfile): + if not os.path.exists(destdir): + os.mkdir(destdir) + if not os.path.exists(dnsdir): + os.mkdir(dnsdir) + shutil.copy("%s/named.conf" % refprivate, "%s/named.conf" % destdir) + shutil.copy("%s/named.txt" % refprivate, "%s/named.txt" % destdir) + message(SIMPLE, "It seems that you provision didn't integrate new rules " + "for dynamic dns update of domain related entries") + message(SIMPLE, "A copy of the new bind configuration files and " + "template as been put in %s, you should read them and configure dynamic " + " dns update" % destdir) + + +def populate_links(samdb, schemadn): """Populate an array with all the back linked attributes This attributes that are modified automaticaly when front attibutes are changed - :param newpaths: a list of paths for different provision objects - :param 
creds: credential for the authentification - :param session: session for connexion + :param samdb: A LDB object for sam.ldb file :param schemadn: DN of the schema for the partition""" - newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp) - linkedAttHash = get_linked_attributes(Dn(newsam_ldb,str(schemadn)),newsam_ldb) + linkedAttHash = get_linked_attributes(Dn(samdb, str(schemadn)), samdb) backlinked.extend(linkedAttHash.values()) + for t in linkedAttHash.keys(): + forwardlinked[t] = 1 -def populate_dnsyntax(newpaths,creds,session,schemadn): - """Populate an array with all the attributes that have DN synthax (oid 2.5.5.1) +def populate_dnsyntax(samdb, schemadn): + """Populate an array with all the attributes that have DN synthax + (oid 2.5.5.1) - :param newpaths: a list of paths for different provision objects - :param creds: credential for the authentification - :param session: session for connexion + :param samdb: A LDB object for sam.ldb file :param schemadn: DN of the schema for the partition""" - newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp) - res = newsam_ldb.search(expression="(attributeSyntax=2.5.5.1)",base=Dn(newsam_ldb,str(schemadn)), - scope=SCOPE_SUBTREE, attrs=["lDAPDisplayName"]) + res = samdb.search(expression="(attributeSyntax=2.5.5.1)", base=Dn(samdb, + str(schemadn)), scope=SCOPE_SUBTREE, + attrs=["lDAPDisplayName"]) for elem in res: dn_syntax_att.append(elem["lDAPDisplayName"]) -def sanitychecks(credentials,session_info,names,paths): - """Populate an array with all the attributes that have DN synthax (oid 2.5.5.1) +def sanitychecks(samdb, names): + """Make some checks before trying to update - :param creds: credential for the authentification - :param session_info: session for connexion + :param samdb: An LDB object opened on sam.ldb :param names: list of key provision parameters - :param paths: list of path to provision object :return: Status of check (1 for Ok, 0 for not Ok) """ - 
sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"]) - - sam_ldb.set_session_info(session) - res = sam_ldb.search(expression="objectClass=ntdsdsa", base=str(names.configdn), - scope=SCOPE_SUBTREE, attrs=["dn"], controls=["search_options:1:2"]) + res = samdb.search(expression="objectClass=ntdsdsa", base=str(names.configdn), + scope=SCOPE_SUBTREE, attrs=["dn"], + controls=["search_options:1:2"]) if len(res) == 0: print "No DC found, your provision is most probably hardly broken !" return False elif len(res) != 1: - print "Found %d domain controllers, for the moment upgradeprovision is not able to handle upgrade on \ -domain with more than one DC, please demote the other(s) DC(s) before upgrading"%len(res) + print "Found %d domain controllers, for the moment upgradeprovision" \ + "is not able to handle upgrade on domain with more than one DC, please demote" \ + " the other(s) DC(s) before upgrading" % len(res) return False else: return True 
@@ -217,85 +263,95 @@ def print_provision_key_parameters(names): """Do a a pretty print of provision parameters :param names: list of key provision parameters """ - message(GUESS, "rootdn :"+str(names.rootdn)) - message(GUESS, "configdn :"+str(names.configdn)) - message(GUESS, "schemadn :"+str(names.schemadn)) - message(GUESS, "serverdn :"+str(names.serverdn)) - message(GUESS, "netbiosname :"+names.netbiosname) - message(GUESS, "defaultsite :"+names.sitename) - message(GUESS, "dnsdomain :"+names.dnsdomain) - message(GUESS, "hostname :"+names.hostname) - message(GUESS, "domain :"+names.domain) - message(GUESS, "realm :"+names.realm) - message(GUESS, "invocationid:"+names.invocation) - message(GUESS, "policyguid :"+names.policyid) - message(GUESS, "policyguiddc:"+str(names.policyid_dc)) - message(GUESS, "domainsid :"+str(names.domainsid)) - message(GUESS, "domainguid :"+names.domainguid) - message(GUESS, "ntdsguid :"+names.ntdsguid) - message(GUESS, "domainlevel :"+str(names.domainlevel)) - -- Samba Shared Repository
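Review bot: in the operational.c hunk at @@ -478,6 +478,18, check_keep_control_for_attribute only ever returns true for msDS-KeyVersionNumber, so the generic names (op_controls_flags, OPERATIONAL_REMOVE_UNLESS_CONTROL) and the ldb.h comment about "attributes" promise more than the code delivers; either add a comment above the function stating that the bypass currently covers only msDS-KeyVersionNumber, or key the decision off the operational_remove table so that adding a second attribute does not mean editing this function. Samba style also puts the star on the name, as the surrounding code does (`struct op_controls_flags *controls_flags`, `const char *attr`), and the opening brace of a function definition on its own line.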
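Review bot: the OPERATIONAL_REMOVE_UNLESS_CONTROL case in the hunk at @@ -574,8 +587,15 puts `break` inside the if and `continue` inside the else, which at first glance reads like a fall-through into OPERATIONAL_SD_FLAGS. The behaviour is correct (the `continue` goes to the enclosing for loop, exactly as in the OPERATIONAL_SD_FLAGS case below it), but writing it in the same shape as that case, `if (check_keep_control_for_attribute(controls_flags, operational_remove[i].attr)) { continue; }` followed by `ldb_msg_remove_attr(msg, operational_remove[i].attr); break;`, makes the intent obvious and keeps the two control-driven cases symmetric.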
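Review bot: in the operational_search hunk at @@ -728,10 +750,20, `ac->controls_flags = talloc(ac, struct op_controls_flags);` is dereferenced on the very next line with no NULL check, so an allocation failure becomes a NULL pointer dereference inside the module stack; call ldb_oom(ldb) and return LDB_ERR_OPERATIONS_ERROR on failure, the way the ldb_controls.c hunk handles a failed talloc of ctrl[i]. Since the struct is just two bools, embedding it in struct operational_context by value instead of by pointer would remove both the allocation and the check. The comment `/* remember if the LDB_CONTROL_BYPASSOPERATIONAL_OID */` is also an unfinished sentence ("... was set").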
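Review bot: the error string in the ldb_controls.c hunk at @@ -486,6 +486,33 spells the control "bypassopreational", and the commit subject calls it "bypassioperationnal", while the parser itself matches "bypassoperational:"; use the parser's spelling in both places so the error text and the log can be searched for the control name. The block is otherwise a copy of the relax: parser below it, including a hard-coded `18` for the prefix length; that does equal strlen("bypassoperational:") today, but `strlen("bypassoperational:")` would not silently break if the name is ever changed.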
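Review bot: the comment on LDB_CONTROL_BYPASSOPERATIONAL_OID in the ldb.h hunk at @@ -463,6 +463,15 does not say who is expected to send the control. Because it makes the operational module hand back the stored msDS-KeyVersionNumber instead of the computed value, the comment should state that it is meant for local administration tools such as upgradeprovision and whether the LDAP front end is expected to strip it from remote requests; nothing in this patch restricts it. The sentence "access attribute that used to be stored in the sam and that are now calculated" should read "attributes ... that are now calculated", and naming msDS-KeyVersionNumber as the only attribute currently affected would save the next reader a trip into operational.c.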
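Review bot: the test-controls.sh hunk only checks that `ldbsearch --controls "bypassoperational:0"` is accepted. It does not exercise the rejection branch added in ldb_controls.c (for example `bypassoperational:2`, or `bypassoperational:` with no value, both of which sscanf-based parsing is supposed to refuse), and nothing checks that a search carrying the control actually returns msDS-KeyVersionNumber. Add a negative line next to the positive one, for instance `$VALGRIND ldbsearch --controls "bypassoperational:2" >/dev/null 2>&1 && exit 1`.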
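Review bot: in the upgradeprovision hunk at @@ -35,33 +37,37, turning `2^FLAG_MOD_REPLACE` into `2**FLAG_MOD_REPLACE` is a bug fix, not a restyle: `^` is XOR in Python, so replace, add and delete were previously `2 ^ flag` rather than distinct bits, and this deserves its own sentence in a commit message. The hunk also leaves the comment "# Will be modified during provision to tell if default sd has been modified # somehow ..." and "#Errors are always logged" attached to nothing, since the ERROR/SIMPLE/CHANGE/... constants they sat next to now come from samba.upgradehelpers; delete the orphaned comments or move them with the values they describe.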
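Review bot: hashOverwrittenAtt in the hunk at @@ -70,24 +76,38 lists "defaultSecurityDescriptor" twice, first as `replace` and then as `replace + add`; a Python dict literal keeps only the last value, so the first entry is dead and it is not clear which policy was intended. Keep a single entry. "privilege" is likewise `never` here and `1` in hashAttrNotCopied just above, so one of the two is redundant. And since replace and add are now distinct powers of two, `replace | add` says "bitmask" more clearly than `replace + add`.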
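Review bot: in the option parser hunk at @@ -111,13 +131,20, --debugguess and --debugchange carry the identical help text "Print information on what is different but won't be changed", so a user cannot tell them apart; given the GUESS and CHANGE log levels they select, one of them should say it reports what is going to be changed. The --full help text also has an unclosed parenthesis, "(schema, configuration, new objects, ...".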
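Review bot: in the hunk at @@ -149,65 +176,84, the two adjacent string literals in sanitychecks, "...upgradeprovision" \ "is not able to handle...", are joined without a space, so the message prints "upgradeprovisionis not able"; add the missing space (and "hardly broken" on the line above presumably means "badly broken"). In the same hunk the check_for_DNS messages read "you provision" and "as been put" (should be "your provision", "has been put") and the second has a doubled space before "dns update". check_for_DNS also reads `lp` as a module global in `lp.get("dnsupdate:path")` while populate_links and populate_dnsyntax were just refactored to take samdb explicitly; pass lp in as a parameter so the function can move to upgradehelpers and be unit tested like the others, and note that shutil.copy of named.conf and named.txt from refprivate will raise and abort the upgrade if the reference files are missing. The docstrings still say "synthax", "automaticaly" and "attibutes".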