provision: Use the official MS 2008R2 schema by default
authorAndrew Bartlett <abartlet@samba.org>
Mon, 20 Nov 2017 04:10:25 +0000 (17:10 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 14 Dec 2017 07:20:17 +0000 (08:20 +0100)
This fixes us to have the official adminDescription etc.  While both schema were provided by
Microsoft this is a better quality one, but still under the same licence.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
python/samba/netcmd/domain.py
python/samba/schema.py
testprogs/blackbox/schemaupgrade.sh
testprogs/blackbox/upgradeprovision-oldrelease.sh

index b45e75a..e4dd470 100644 (file)
@@ -236,7 +236,7 @@ class cmd_domain_provision(Command):
                 help="The domain and forest function level (2000 | 2003 | 2008 | 2008_R2 - always native). Default is (Windows) 2008_R2 Native.",
                 default="2008_R2"),
          Option("--base-schema", type="choice", metavar="BASE-SCHEMA",
-                choices=["2008_R2", "2012", "2012_R2"],
+                choices=["2008_R2", "2008_R2_old", "2012", "2012_R2"],
                 help="The base schema files to use. Default is (Windows) 2008_R2.",
                 default="2008_R2"),
          Option("--next-rid", type="int", metavar="NEXTRID", default=1000,
index bc3ae05..67ec357 100644 (file)
@@ -64,8 +64,11 @@ class Schema(object):
 
     # the schema files (and corresponding object version) that we know about
     base_schemas = {
-       "2008_R2" : ("MS-AD_Schema_2K8_R2_Attributes.txt",
-                    "MS-AD_Schema_2K8_R2_Classes.txt",
+       "2008_R2_old" : ("MS-AD_Schema_2K8_R2_Attributes.txt",
+                        "MS-AD_Schema_2K8_R2_Classes.txt",
+                        47),
+       "2008_R2" : ("Attributes_for_AD_DS__Windows_Server_2008_R2.ldf",
+                    "Classes_for_AD_DS__Windows_Server_2008_R2.ldf",
                     47),
        "2012"    : ("AD_DS_Attributes__Windows_Server_2012.ldf",
                     "AD_DS_Classes__Windows_Server_2012.ldf",
index d79915a..b1d3f8c 100755 (executable)
@@ -33,15 +33,13 @@ provision_2008r2() {
     $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2008r2.samba.corp --targetdir=$PREFIX_ABS/2008R2_schema --base-schema=2008_R2
 }
 
-ldapcmp() {
+provision_2008r2_old() {
+    $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2008r2.samba.corp --targetdir=$PREFIX_ABS/2008R2_old_schema --base-schema=2008_R2_old
+}
 
-    # the original 2008 schema we received from Microsoft was missing
-    # descriptions and display names. This has been fixed up in the current
-    # Microsoft schemas
-    IGNORE_ATTRS="adminDescription,description,adminDisplayName,displayName"
+ldapcmp_ignore() {
 
-    # we didn't get showInAdvancedViewOnly right on Samba
-    IGNORE_ATTRS="$IGNORE_ATTRS,showInAdvancedViewOnly"
+    IGNORE_ATTRS=$1
 
     # there's discrepancies between the SDDL strings in the adprep LDIF files
     # vs the 2012 schema, where one source will have ACE rights repeated, e.g.
@@ -52,29 +50,73 @@ ldapcmp() {
     # objects, but we don't have the 2012 DisplaySpecifiers documentation...
     IGNORE_ATTRS="$IGNORE_ATTRS,adminContextMenu,adminPropertyPages"
 
-    $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/2008R2_schema/private/sam.ldb tdb://$PREFIX_ABS/2012R2_schema/private/sam.ldb --two --filter=$IGNORE_ATTRS
+    $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2_schema/private/sam.ldb tdb://$PREFIX_ABS/$3_schema/private/sam.ldb --two --filter=$IGNORE_ATTRS
+}
+
+ldapcmp_old() {
+    # the original 2008 schema we received from Microsoft was missing
+    # descriptions and display names. This has been fixed up in the current
+    # Microsoft schemas
+    IGNORE_ATTRS="adminDescription,description,adminDisplayName,displayName"
+
+    # we didn't get showInAdvancedViewOnly right on Samba
+    IGNORE_ATTRS="$IGNORE_ATTRS,showInAdvancedViewOnly"
+
+    ldapcmp_ignore "$IGNORE_ATTRS" "2008R2_old" "2012R2"
+}
+
+ldapcmp() {
+    # The adminDescription and adminDisplayName have been editorially
+    # corrected in the 2012R2 schema but not in the adprep files.
+    ldapcmp_ignore "adminDescription,adminDisplayName"  "2008R2"  "2012R2"
+}
+
+ldapcmp_2008R2_2008R2_old() {
+    # the original 2008 schema we received from Microsoft was missing
+    # descriptions and display names. This has been fixed up in the current
+    # Microsoft schemas
+    IGNORE_ATTRS="adminDescription,description,adminDisplayName,displayName"
+
+    # we didn't get showInAdvancedViewOnly right on Samba
+    IGNORE_ATTRS="$IGNORE_ATTRS,showInAdvancedViewOnly"
+
+    ldapcmp_ignore $IGNORE_ATTRS  "2008R2"  "2008R2_old"
 }
 
 schema_upgrade() {
        $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/2008R2_schema/private/sam.ldb --schema=2012_R2
 }
 
+schema_upgrade_old() {
+       $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/2008R2_old_schema/private/sam.ldb --schema=2012_R2
+}
+
 # double-check we cleaned up from the last test run
 cleanup_output_directories
 
 # Provision 2 DCs, one based on the 2008R2 schema and one using 2012R2
 testit "provision_2008R2_schema" provision_2008r2
+testit "provision_2008R2_old_schema" provision_2008r2_old
 testit "provision_2012R2_schema" provision_2012r2
 
 # we expect the 2 schemas to be different
 testit_expect_failure "expect_schema_differences" ldapcmp
 
+# check that the 2 schemas are now the same, ignoring Samba bugs
+testit "check_2008R2_2008R2_schemas_same" ldapcmp_2008R2_2008R2_old
+
 # upgrade the 2008 schema to 2012
 testit "schema_upgrade" schema_upgrade
 
 # check that the 2 schemas are now the same
 testit "check_schemas_same" ldapcmp
 
+# upgrade the 2008 schema to 2012
+testit "schema_upgrade_old" schema_upgrade_old
+
+# check that the 2 schemas are now the same, ignoring Samba bugs
+testit "check_schemas_same_old" ldapcmp_old
+
 cleanup_output_directories
 
 exit $failed
index 4f6b4e9..a4a0746 100755 (executable)
@@ -95,7 +95,7 @@ samba_upgradedns() {
 }
 
 referenceprovision() {
-        $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_upgrade_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 --base-schema=2008_R2
+        $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_upgrade_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 --base-schema=2008_R2_old
 }
 
 ldapcmp() {