MessageElement, Message, Dn, LdbError)
from samba import param, dsdb, Ldb
from samba.common import confirm
+from samba.descriptor import get_wellknown_sds, get_empty_descriptor, get_diff_sds
from samba.provision import (find_provision_key_parameters,
- get_empty_descriptor,
- get_config_descriptor,
- get_config_partitions_descriptor,
- get_config_sites_descriptor,
- get_config_ntds_quotas_descriptor,
- get_config_delete_protected1_descriptor,
- get_config_delete_protected1wd_descriptor,
- get_config_delete_protected2_descriptor,
- get_domain_descriptor,
- get_domain_infrastructure_descriptor,
- get_domain_builtin_descriptor,
- get_domain_computers_descriptor,
- get_domain_users_descriptor,
- get_domain_controllers_descriptor,
- get_domain_delete_protected1_descriptor,
- get_domain_delete_protected2_descriptor,
- get_dns_partition_descriptor,
- get_dns_forest_microsoft_dns_descriptor,
- get_dns_domain_microsoft_dns_descriptor,
ProvisioningError, get_last_provision_usn,
get_max_usn, update_provision_usn, setup_path)
from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
from samba.ndr import ndr_unpack
from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
get_ldbs, findprovisionrange,
- usn_in_range, identic_rename, get_diff_sds,
+ usn_in_range, identic_rename,
update_secrets, CHANGE, ERROR, SIMPLE,
CHANGEALL, GUESS, CHANGESD, PROVISION,
updateOEMInfo, getOEMInfo, update_gpo,
"attributeDisplayNames": replace + add,
"versionNumber": add}
-dnNotToRecalculate = []
+dnNotToRecalculateFound = False
dnToRecalculate = []
backlinked = []
forwardlinked = set()
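Review bot: The new module-level flag `dnNotToRecalculateFound` carries no comment saying what it records, whereas the list it replaces was self-describing by name; a reader now has to find the assignment next to the "SD has been changed by someonelse" message and the `check_updated_sd()` gate later in this patch to work out its meaning. Add above the definition: `# True once at least one SD that differs from the reference was found to have been modified out of band; only used to skip the check_updated_sd() debug pass.` Since the per-DN list is gone, the script no longer retains which objects were skipped, so the CHANGESD message emitted at that point is the only record an operator gets; worth stating that in the same comment.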
message(CHANGESD, "But the SD has been changed by someonelse "
"so it's impossible to know if the difference"
" cames from the modification or from a previous bug")
- dnNotToRecalculate.append(str(dn))
+ dnNotToRecalculateFound = True
else:
- dnToRecalculate.append(str(dn))
+ dnToRecalculate.append(dn)
continue
if attrUSN == -1:
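Review bot: The assignment `dnNotToRecalculateFound = True` only updates the module-level flag defined earlier in this patch if the enclosing function declares `global dnNotToRecalculateFound`; that declaration is not visible here (the function starts outside the hunk), and the old `dnNotToRecalculate.append(...)` did not need one because it mutated the list in place. Without it the assignment binds a local, the global stays False, and the `dnNotToRecalculateFound is False` gate later in this patch would run check_updated_sd() even though some SDs were knowingly modified out of band. Confirm the `global` statement exists or add `global dnNotToRecalculateFound` at the top of the function. Separately, `dnToRecalculate.append(dn)` now stores the Dn object instead of `str(dn)`, so the later `dn in dnToRecalculate` membership tests rely on both sides being Dn objects (Dn equality does not match a plain string); the DNs returned by get_wellknown_sds() must be Dn objects for that lookup to hit.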
list_wellknown_dns = []
- # Then subcontainers
- subcontainers = [
- ("%s" % str(names.domaindn), get_domain_descriptor),
- ("CN=LostAndFound,%s" % str(names.domaindn), get_domain_delete_protected2_descriptor),
- ("CN=System,%s" % str(names.domaindn), get_domain_delete_protected1_descriptor),
- ("CN=Infrastructure,%s" % str(names.domaindn), get_domain_infrastructure_descriptor),
- ("CN=Builtin,%s" % str(names.domaindn), get_domain_builtin_descriptor),
- ("CN=Computers,%s" % str(names.domaindn), get_domain_computers_descriptor),
- ("CN=Users,%s" % str(names.domaindn), get_domain_users_descriptor),
- ("OU=Domain Controllers,%s" % str(names.domaindn), get_domain_controllers_descriptor),
- ("CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn), get_dns_domain_microsoft_dns_descriptor),
-
- ("%s" % str(names.configdn), get_config_descriptor),
- ("CN=NTDS Quotas,%s" % str(names.configdn), get_config_ntds_quotas_descriptor),
- ("CN=LostAndFoundConfig,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor),
- ("CN=Services,%s" % str(names.configdn), get_config_delete_protected1_descriptor),
- ("CN=Physical Locations,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor),
- ("CN=WellKnown Security Principals,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor),
- ("CN=ForestUpdates,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor),
- ("CN=DisplaySpecifiers,%s" % str(names.configdn), get_config_delete_protected2_descriptor),
- ("CN=Extended-Rights,%s" % str(names.configdn), get_config_delete_protected2_descriptor),
- ("CN=Partitions,%s" % str(names.configdn), get_config_partitions_descriptor),
- ("CN=Sites,%s" % str(names.configdn), get_config_sites_descriptor),
-
- ("%s" % str(names.schemadn), get_schema_descriptor),
- ]
-
- if names.dnsforestdn is not None:
- c = ("%s" % str(names.dnsforestdn), get_dns_partition_descriptor)
- subcontainers.append(c)
- c = ("CN=Infrastructure,%s" % str(names.dnsforestdn),
- get_domain_delete_protected1_descriptor)
- subcontainers.append(c)
- c = ("CN=LostAndFound,%s" % str(names.dnsforestdn),
- get_domain_delete_protected2_descriptor)
- subcontainers.append(c)
- c = ("CN=MicrosoftDNS,%s" % str(names.dnsforestdn),
- get_dns_forest_microsoft_dns_descriptor)
- subcontainers.append(c)
-
- if names.dnsdomaindn is not None:
- c = ("%s" % str(names.dnsdomaindn), get_dns_partition_descriptor)
- subcontainers.append(c)
- c = ("CN=Infrastructure,%s" % str(names.dnsdomaindn),
- get_domain_delete_protected1_descriptor)
- subcontainers.append(c)
- c = ("CN=LostAndFound,%s" % str(names.dnsdomaindn),
- get_domain_delete_protected2_descriptor)
- subcontainers.append(c)
- c = ("CN=MicrosoftDNS,%s" % str(names.dnsdomaindn),
- get_dns_domain_microsoft_dns_descriptor)
- subcontainers.append(c)
+ subcontainers = get_wellknown_sds(samdb)
for [dn, descriptor_fn] in subcontainers:
list_wellknown_dns.append(dn)
if dn in dnToRecalculate:
delta = Message()
- delta.dn = Dn(samdb, str(dn))
+ delta.dn = dn
descr = descriptor_fn(names.domainsid, name_map=names.name_map)
delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
"nTSecurityDescriptor" )
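Review bot: `subcontainers = get_wellknown_sds(samdb)` drops the explicit `names.dnsforestdn is not None` / `names.dnsdomaindn is not None` guards the removed table had, so whether the DNS-partition entries are produced for a provision without DNS partitions now depends entirely on the helper, which is not in this diff; if it derives the partition set from samdb itself this is fine, otherwise the `descriptor_fn(...)` replace below would target objects that do not exist. A one-line comment stating that contract would help, e.g. `# get_wellknown_sds() decides from samdb which partitions (incl. DNS) exist`. The loop still calls every `descriptor_fn` with `name_map=names.name_map`, so each descriptor function the helper returns, including the schema one, must accept that keyword; worth confirming since the old table mixed functions from samba.provision and samba.schema. fix_wellknown_sd's body continues past the hunk.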
During the different pre release of samba4 security descriptors
(SD) were notarly broken (up to alpha11 included)
- This function allows to get them back in order, this function works
+ This function allows one to get them back in order, this function works
only after the database comparison that --full mode uses and which
populates the dnToRecalculate and dnNotToRecalculate lists.
listWellknown = fix_wellknown_sd(samdb, names)
- hash = {}
- for dn in dnToRecalculate:
- if hash.has_key(dn):
- continue
- # fetch each dn to recalculate and their child within the same partition
- res = samdb.search(expression="objectClass=*", base=dn,
- scope=SCOPE_SUBTREE, attrs=["dn", "whenCreated"])
- for obj in res:
- hash[str(obj["dn"])] = obj["whenCreated"]
-
- listKeys = list(set(hash.keys()))
- listKeys.sort(dn_sort)
-
if len(dnToRecalculate) != 0:
message(CHANGESD, "%d DNs have been marked as needed to be recalculated"
- ", recalculating %d due to inheritance"
- % (len(dnToRecalculate), len(listKeys)))
+ % (len(dnToRecalculate)))
- for key in listKeys:
+ for dn in dnToRecalculate:
# well known SDs have already been reset
- if key in listWellknown:
- continue
- if key in dnNotToRecalculate:
+ if dn in listWellknown:
continue
delta = Message()
- delta.dn = Dn(samdb, key)
+ delta.dn = dn
sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL
try:
descr = get_empty_descriptor(names.domainsid)
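Review bot: The loop `for dn in dnToRecalculate:` now resets only the DNs the comparison flagged, in the order they were appended: the SCOPE_SUBTREE search that pulled in every child (the removed `hash`/`listKeys` block) and the `dnToRecalculate.sort(dn_sort)` call dropped later in this patch are both gone, so a child can be rewritten before its parent and inherited ACEs are no longer explicitly regenerated by this script. If the intent is that the server-side descriptor module propagates inheritance when a parent's nTSecurityDescriptor is replaced, say so at the loop, e.g. `# Children are not walked here: inherited SDs are regenerated by the descriptor module when the parent's SD is replaced`; if that is not the case this is a regression in SD repair. The docstring a few lines above still says the --full comparison "populates the dnToRecalculate and dnNotToRecalculate lists", but dnNotToRecalculate is now the boolean `dnNotToRecalculateFound`, so that sentence should be updated in the same commit. The enclosing function continues past the hunk.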
message(SIMPLE, "Creating a reference provision")
provisiondir = tempfile.mkdtemp(dir=paths.private_dir,
prefix="referenceprovision")
- result = newprovision(names, creds, session, smbconf, provisiondir,
+ result = newprovision(names, session, smbconf, provisiondir,
provision_logger)
result.report_logger(provision_logger)
message(SIMPLE, "Update machine account")
update_machine_account_password(ldbs.sam, ldbs.secrets, names)
- dnToRecalculate.sort(dn_sort)
# 16) SD should be created with admin but as some previous acl were so wrong
# that admin can't modify them we have first to recreate them with the good
# form but with system account and then give the ownership to admin ...
# as we are assured that on this DNs we will have differences !
# Also the check must be done in a clever way as for the moment we just
# compare SDDL
- if len(dnNotToRecalculate) == 0 and (opts.debugchangesd or opts.debugall):
+ if dnNotToRecalculateFound is False and (opts.debugchangesd or opts.debugall):
message(CHANGESD, "Checking recalculated SDs")
check_updated_sd(new_ldbs.sam, ldbs.sam, names)