The branch, master has been updated via 0a4a4ba devel-script: add options for RODC and partial replica for replicate flags via fa591a6 devel-scripts: ask with WRIT_REP by default via 0755b83 devel-getncchange: try to find the dest_dsa automatically via 7822952 security: Add documentation via c0638da libcli-security: Add documentation for object_tree_modify_access via 3b79774 dbcheck: look in hasMasterNCs as well for determining the instance type of a NC from abc0030 dsdb: Fix warning about unused var
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 0a4a4ba3f6b9748e3fccb546b284de565de2c8b5 Author: Matthieu Patou <m...@matws.net> Date: Mon Oct 29 22:12:33 2012 -0700 devel-script: add options for RODC and partial replica for replicate flags Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Tue Jan 22 00:12:17 CET 2013 on sn-devel-104 commit fa591a6d3cf9182b6d49621c83a6c3fbfeab1ee7 Author: Matthieu Patou <m...@matws.net> Date: Mon Oct 29 21:43:14 2012 -0700 devel-scripts: ask with WRIT_REP by default Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0755b835cc4e474f752de1b8cc56a9a6da14a3cd Author: Matthieu Patou <m...@matws.net> Date: Tue Oct 23 22:12:08 2012 -0700 devel-getncchange: try to find the dest_dsa automatically Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7822952a11707ff8aaa415adef62082c158c2398 Author: Matthieu Patou <m...@matws.net> Date: Sat Oct 13 15:02:57 2012 -0700 security: Add documentation Names seems to be a bit cryptic and misleading (at least for me). So documenting them should remove at least partially this problem. 
Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c0638dae6cbf8915e6a436d575562fc131ba772a Author: Matthieu Patou <m...@matws.net> Date: Sat Oct 13 15:28:08 2012 -0700 libcli-security: Add documentation for object_tree_modify_access Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3b7977419726a8630de828b634d669625ee358dd Author: Matthieu Patou <m...@matws.net> Date: Tue Oct 23 22:09:20 2012 -0700 dbcheck: look in hasMasterNCs as well for determining the instance type of a NC Forest of level 2000 don't hve the msDS-hasMasterNCs parameter Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: libcli/security/object_tree.c | 14 +++++++- libcli/security/security.h | 9 +++++ source4/scripting/devel/getncchanges | 45 ++++++++++++++++++++++++-- source4/scripting/python/samba/dbchecker.py | 12 ++++++- 4 files changed, 72 insertions(+), 8 deletions(-) Changeset truncated at 500 lines:
diff --git a/libcli/security/object_tree.c b/libcli/security/object_tree.c
index 3e5ee10..fd00068 100644
--- a/libcli/security/object_tree.c
+++ b/libcli/security/object_tree.c
@@ -104,8 +104,18 @@ struct object_tree *get_object_tree_by_GUID(struct object_tree *root,
 return result;
 }
 
-/* Change the granted access per each ACE */
-
+/**
+ * @brief Modify the tree to mark specified access rights as granted
+ *
+ * This function will modify the root and the child of the tree pointed by
+ * root, so that for each tree element the bits set in access_mask are
+ * marked as granted.
+ *
+ * @param[in] root An object_tree structure that we want to modify
+ *
+ * @param[in] access_mask A bitfield of access right that we want to mark as
+ * granted in the whole tree.
+ */
 void object_tree_modify_access(struct object_tree *root,
 uint32_t access_mask)
 {
diff --git a/libcli/security/security.h b/libcli/security/security.h
index 659d341..6e4b172 100644
--- a/libcli/security/security.h
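Review bot: The new @brief says the bits of access_mask are "marked as granted", but the only tree state visible on this page is the `remaining_access` member documented in security.h, and the function body lies outside the hunk, so the comment never says how "granted" is represented. Presumably the bits are cleared from each node's remaining_access; if that is what the body does, say it, e.g. ` * marked as granted, i.e. cleared from that node's remaining_access.` Two wording fixes in the same comment: "the root and the child of the tree" reads better as "the root and every child of the tree", and "A bitfield of access right" as "A bitfield of access rights".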
+++ b/libcli/security/security.h
@@ -89,6 +89,15 @@
 #define SHARE_ALL_ACCESS FILE_GENERIC_ALL
 #define SHARE_READ_ONLY (FILE_GENERIC_READ|FILE_EXECUTE)
 
+/**
+ * Remaining access is a bit mask of remaining access rights (bits) that have
+ * to be granted in order to fulfill the requested access.
+ *
+ * The GUID is optional, if specified it restricts this object tree and its
+ * childs to object/attributes that inherits from this GUID.
+ * For DS access an object inherits from a GUID if one of its class has this GUID
+ * in the schemaIDGUID attribute.
+ */
 struct object_tree {
 uint32_t remaining_access;
 struct GUID guid;
diff --git a/source4/scripting/devel/getncchanges b/source4/scripting/devel/getncchanges
index d401c82..37ec18b 100755
--- a/source4/scripting/devel/getncchanges
+++ b/source4/scripting/devel/getncchanges
@@ -13,6 +13,7 @@ import samba.getopt as options
 from samba.dcerpc import drsuapi, misc
 from samba.samdb import SamDB
 from samba.auth import system_session
+from samba.ndr import ndr_unpack
 
 def do_DsBind(drs):
 '''make a DsBind call, returning the binding handle'''
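Review bot: The added comment calls the GUID "optional", but `guid` is a `struct GUID` held by value, so a reader cannot tell what "if specified" means; the comment should say how an unset GUID is represented (presumably an all-zero GUID, to be confirmed against the code that builds the tree). Suggested wording: ` * The GUID is optional: a null GUID means no restriction. Otherwise it restricts this object tree and its`. In the same comment, "childs to object/attributes that inherits" should read "children to objects/attributes that inherit", and "one of its class" should read "one of its classes". The `struct object_tree` definition continues past the hunk, so its remaining members are not covered by this comment.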
@@ -100,18 +101,35 @@ if __name__ == "__main__": parser.add_option("", "--dn", dest="dn", help="DN to replicate",) parser.add_option("", "--exop", dest="exop", help="extended operation",) parser.add_option("", "--pas", dest="use_pas", action='store_true', default=False, - help="send partial attribute set",) + help="send partial attribute set (for RODC)") parser.add_option("", "--nb-iter", type='int', help="Number of getncchange iterations") - parser.add_option("", "--dest-dsa", type='str', - default='"9c637462-5b8c-4467-aef2-bdb1f57bc4ef"', help="destination DSA GUID") + parser.add_option("", "--dest-dsa", type='str', help="destination DSA GUID") + parser.add_option("", "--rodc", action='store_true', default=False, + help='use RODC replica flags') + parser.add_option("", "--partial-rw", action='store_true', default=False, + help='use RW partial replica flags, not be confused with --pas') parser.add_option("", "--replica-flags", type='int', default=drsuapi.DRSUAPI_DRS_INIT_SYNC | drsuapi.DRSUAPI_DRS_PER_SYNC | + drsuapi.DRSUAPI_DRS_WRIT_REP | drsuapi.DRSUAPI_DRS_GET_ANC | drsuapi.DRSUAPI_DRS_NEVER_SYNCED, help='replica flags') (opts, args) = parser.parse_args() + if opts.rodc: + opts.replica_flags = drsuapi.DRSUAPI_DRS_INIT_SYNC |\ + drsuapi.DRSUAPI_DRS_PER_SYNC |\ + drsuapi.DRSUAPI_DRS_GET_ANC |\ + drsuapi.DRSUAPI_DRS_NEVER_SYNCED |\ + drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |\ + drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP + + if opts.partial_rw: + opts.replica_flags = drsuapi.DRSUAPI_DRS_INIT_SYNC |\ + drsuapi.DRSUAPI_DRS_PER_SYNC |\ + drsuapi.DRSUAPI_DRS_GET_ANC |\ + drsuapi.DRSUAPI_DRS_NEVER_SYNCED lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) @@ -122,6 +140,9 @@ if __name__ == "__main__": if creds.is_anonymous(): parser.error("You must supply credentials") + if opts.partial_rw and opts.rodc: + parser.error("Can't specify --partial-rw and --rodc") + server = args[0] binding_str = "ncacn_ip_tcp:%s[seal,print]" % server 
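Review bot: The new `if opts.rodc:` and `if opts.partial_rw:` blocks overwrite `opts.replica_flags` unconditionally, so an explicit `--replica-flags` given on the same command line is silently discarded; either reject that combination with `parser.error(...)`, as the following hunk already does for `--rodc` together with `--partial-rw`, or state it in the help strings, e.g. `help='use RODC replica flags (overrides --replica-flags)'`. The `--pas` help is now "(for RODC)" yet `--rodc` does not set `opts.use_pas`, so a user may expect one option to imply the other; if keeping them independent is intended, one sentence in the `--rodc` help avoids the surprise. The `if __name__ == "__main__":` block continues outside the hunk.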
@@ -148,8 +169,24 @@ if __name__ == "__main__":
 else:
 exop = int(opts.exop)
 
+ dest_dsa = opts.dest_dsa
+ if not dest_dsa:
+ print "no dest_dsa specified trying to figure out from ldap"
+ msgs = samdb.search(controls=["search_options:1:2"],
+ expression='(objectclass=ntdsdsa)')
+ if len(msgs) == 1:
+ dest_dsa = str(ndr_unpack(misc.GUID, msgs[0]["invocationId"][0]))
+ print "Found this dsa: %s" % dest_dsa
+ else:
+ # TODO fixme
+ pass
+ if not dest_dsa:
+ print "Unable to find the dest_dsa automatically please specify it"
+ import sys
+ sys.exit(1)
+
 null_guid = misc.GUID()
- req8.destination_dsa_guid = misc.GUID(opts.dest_dsa)
+ req8.destination_dsa_guid = misc.GUID(dest_dsa)
 req8.source_dsa_invocation_id = misc.GUID(samdb.get_invocation_id())
 req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
 req8.naming_context.dn = opts.dn.decode("utf-8")
diff --git a/source4/scripting/python/samba/dbchecker.py b/source4/scripting/python/samba/dbchecker.py
index 91ae0b6..bc68457 100644
--- a/source4/scripting/python/samba/dbchecker.py
+++ b/source4/scripting/python/samba/dbchecker.py
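Review bot: The `else:` branch of the `len(msgs) == 1` test is `# TODO fixme` / `pass`, so on a domain with more than one nTDSDSA object the search succeeds, nothing is reported, and the script exits with the generic "Unable to find the dest_dsa automatically" message; printing the count there, `print "found %d nTDSDSA objects, cannot pick one" % len(msgs)`, tells the user why auto-detection gave up. The auto-detected value is the `invocationId` of the nTDSDSA object, while the line it feeds, `req8.destination_dsa_guid`, names a DSA GUID; as far as I know the two coincide on a freshly promoted DC but diverge after a restore, so `objectGUID` is presumably the attribute wanted here — to be confirmed against the DRS semantics the script targets. The `import sys` inside the branch would read better next to the other imports at the top of the file. The `if __name__ == "__main__":` block continues outside the hunk.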
@@ -59,11 +59,19 @@ class dbcheck(object): self.rid_dn = ldb.Dn(samdb, "CN=RID Manager$,CN=System," + samdb.domain_dn()) self.ntds_dsa = samdb.get_dsServiceName() - res = self.samdb.search(base=self.ntds_dsa, scope=ldb.SCOPE_BASE, attrs=['msDS-hasMasterNCs']) + res = self.samdb.search(base=self.ntds_dsa, scope=ldb.SCOPE_BASE, attrs=['msDS-hasMasterNCs', 'hasMasterNCs']) if "msDS-hasMasterNCs" in res[0]: self.write_ncs = res[0]["msDS-hasMasterNCs"] else: - self.write_ncs = None + # If the Forest Level is less than 2003 then there is no + # msDS-hasMasterNCs, so we fall back to hasMasterNCs + # no need to merge as all the NCs that are in hasMasterNCs must + # also be in msDS-hasMasterNCs (but not the opposite) + if "hasMasterNCs" in res[0]: + self.write_ncs = res[0]["hasMasterNCs"] + else: + self.write_ncs = None + def check_database(self, DN=None, scope=ldb.SCOPE_SUBTREE, controls=[], attrs=['*']): '''perform a database check, returning the number of errors found''' -- Samba Shared Repository
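Review bot: The new fallback repeats both the attribute lookup and the `self.write_ncs = None` default, so the same behaviour reads more directly as a single loop over the two attribute names in preference order, which also keeps the explanatory comment next to the ordering it justifies. The rewrite below preserves the result for all three cases (msDS-hasMasterNCs present, only hasMasterNCs present, neither present). The enclosing `__init__` method starts and ends outside the hunk.
```python
        # If the Forest Level is less than 2003 then there is no
        # msDS-hasMasterNCs, so we fall back to hasMasterNCs
        # no need to merge as all the NCs that are in hasMasterNCs must
        # also be in msDS-hasMasterNCs (but not the opposite)
        self.write_ncs = None
        for attr in ('msDS-hasMasterNCs', 'hasMasterNCs'):
            if attr in res[0]:
                self.write_ncs = res[0][attr]
                break
```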