s4-provision cope with SID_NAME_WKN_GRP mappings in upgrade.py

Some incorrect LDAP backends have entries with this group type, but
due to the pdb_ldap code, we cannot read the group members, and we
already skip them in add_group_from_mapping_entry().

Andrew Bartlett

diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index 7386d0b4b159c9088896bd4658bcd6b3d669fa01..1ac1ef9054b7bbdde3fb9bde396ec6beb98978d9 100644 (file)
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -491,13 +491,17 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None):
                next_rid = rid + 1
 
         # Get members for each group/alias
                next_rid = rid + 1
 
         # Get members for each group/alias

-        if group.sid_name_use == lsa.SID_NAME_ALIAS or group.sid_name_use == lsa.SID_NAME_WKN_GRP:
+        if group.sid_name_use == lsa.SID_NAME_ALIAS:

             members = s3db.enum_aliasmem(group.sid)
         elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
             try:
                 members = s3db.enum_group_members(group.sid)
             except:
                 continue
             members = s3db.enum_aliasmem(group.sid)
         elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
             try:
                 members = s3db.enum_group_members(group.sid)
             except:
                 continue

+        elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
+            logger.warn("Ignoring 'well known' group '%s' (should already be in AD, and have no members)",
+                        group.nt_name, group.sid_name_use)
+            continue

         else:
             logger.warn("Ignoring group '%s' with sid_name_use=%d",
                         group.nt_name, group.sid_name_use)
         else:
             logger.warn("Ignoring group '%s' with sid_name_use=%d",
                         group.nt_name, group.sid_name_use)