3 # Copyright (C) Matthieu Patou <mat@matws.net> 2009
5 # Based on provision a Samba4 server by
6 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
7 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
10 # This program is free software; you can redistribute it and/or modify
11 # it under the terms of the GNU General Public License as published by
12 # the Free Software Foundation; either version 3 of the License, or
13 # (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program. If not, see <http://www.gnu.org/licenses/>.
34 # Find right directory when running from source tree
35 sys.path.insert(0, "bin/python")
37 from base64 import b64encode
40 from samba.credentials import DONT_USE_KERBEROS
41 from samba.auth import system_session, admin_session
43 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
45 import samba.getopt as options
46 from samba.samdb import SamDB
47 from samba import param
48 from samba import glue
49 from samba.provision import ProvisionNames,provision_paths_from_lp,find_setup_dir,FILL_FULL,provision, get_domain_descriptor, get_config_descriptor, secretsdb_self_join
50 from samba.provisionexceptions import ProvisioningError
51 from samba.schema import get_dnsyntax_attributes, get_linked_attributes, Schema, get_schema_descriptor
52 from samba.dcerpc import misc, security
53 from samba.ndr import ndr_pack, ndr_unpack
54 from samba.dcerpc.misc import SEC_CHAN_BDC
56 replace=2^ldb.FLAG_MOD_REPLACE
57 add=2^ldb.FLAG_MOD_ADD
58 delete=2^ldb.FLAG_MOD_DELETE
60 #Errors are always logged
69 # Attributes that not copied from the reference provision even if they do not exists in the destination object
70 # This is most probably because they are populated automatcally when object is created
71 hashAttrNotCopied = { "dn": 1,"whenCreated": 1,"whenChanged": 1,"objectGUID": 1,"replPropertyMetaData": 1,"uSNChanged": 1,\
72 "uSNCreated": 1,"parentGUID": 1,"objectCategory": 1,"distinguishedName": 1,\
73 "showInAdvancedViewOnly": 1,"instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1,\
74 "nTMixedDomain": 1,"versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1, "ntPwdHistory":1, "unicodePwd":1,\
75 "dBCSPwd":1,"supplementalCredentials":1,"gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,\
76 "maxPwdAge":1, "mail":1, "secret":1,"possibleInferiors":1}
78 # Usually for an object that already exists we do not overwrite attributes as they might have been changed for good
79 # reasons. Anyway for a few of thems it's mandatory to replace them otherwise the provision will be broken somehow.
80 hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace,"systemOnly":replace, "searchFlags":replace,\
81 "mayContain":replace, "systemFlags":replace,
82 "oEMInformation":replace, "operatingSystemVersion":replace, "adminPropertyPages":1,"possibleInferiors":replace+delete}
85 def define_what_to_log(opts):
89 if opts.debugchangesd:
90 what = what | CHANGESD
93 if opts.debugprovision:
94 what = what | PROVISION
96 what = what | CHANGEALL
100 parser = optparse.OptionParser("provision [options]")
101 sambaopts = options.SambaOptions(parser)
102 parser.add_option_group(sambaopts)
103 parser.add_option_group(options.VersionOptions(parser))
104 credopts = options.CredentialsOptions(parser)
105 parser.add_option_group(credopts)
106 parser.add_option("--setupdir", type="string", metavar="DIR",
107 help="directory with setup files")
108 parser.add_option("--debugprovision", help="Debug provision", action="store_true")
109 parser.add_option("--debugguess", help="Print information on what is different but won't be changed", action="store_true")
110 parser.add_option("--debugchange", help="Print information on what is different but won't be changed", action="store_true")
111 parser.add_option("--debugchangesd", help="Print information security descriptors differences", action="store_true")
112 parser.add_option("--debugall", help="Print all available information (very verbose)", action="store_true")
113 parser.add_option("--full", help="Perform full upgrade of the samdb (schema, configuration, new objects, ...", action="store_true")
114 parser.add_option("--targetdir", type="string", metavar="DIR",
115 help="Set target directory")
117 opts = parser.parse_args()[0]
119 whatToLog = define_what_to_log(opts)
121 def messageprovision(text):
122 """print a message if quiet is not set."""
123 if opts.debugprovision or opts.debugall:
126 def message(what,text):
127 """print a message if quiet is not set."""
128 if (whatToLog & what) or (what <= 0 ):
131 if len(sys.argv) == 1:
132 opts.interactive = True
133 lp = sambaopts.get_loadparm()
134 smbconf = lp.configfile
136 creds = credopts.get_credentials(lp)
137 creds.set_kerberos_state(DONT_USE_KERBEROS)
138 setup_dir = opts.setupdir
139 if setup_dir is None:
140 setup_dir = find_setup_dir()
142 session = system_session()
144 # Create an array of backlinked attributes
145 def populate_backlink(newpaths,creds,session,schemadn):
146 newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
147 backlinked.extend(get_linked_attributes(ldb.Dn(newsam_ldb,str(schemadn)),newsam_ldb).values())
149 # Get Paths for important objects (ldb, keytabs ...)
150 def get_paths(targetdir=None,smbconf=None):
151 if targetdir is not None:
152 if (not os.path.exists(os.path.join(targetdir, "etc"))):
153 os.makedirs(os.path.join(targetdir, "etc"))
154 smbconf = os.path.join(targetdir, "etc", "smb.conf")
156 smbconf = param.default_path()
158 if not os.path.exists(smbconf):
159 message(ERROR,"Unable to find smb.conf ..")
163 lp = param.LoadParm()
165 # Normaly we need the domain name for this function but for our needs it's pointless
166 paths = provision_paths_from_lp(lp,"foo")
169 # This function guess(fetch) informations needed to make a fresh provision from the current provision
170 # It includes: realm, workgroup, partitions, netbiosname, domain guid, ...
171 def guess_names_from_current_provision(credentials,session_info,paths):
172 lp = param.LoadParm()
173 lp.load(paths.smbconf)
174 names = ProvisionNames()
175 # NT domain, kerberos realm, root dn, domain dn, domain dns name
176 names.domain = string.upper(lp.get("workgroup"))
177 names.realm = lp.get("realm")
178 basedn = "DC=" + names.realm.replace(".",",DC=")
179 names.dnsdomain = names.realm
180 names.realm = string.upper(names.realm)
182 secrets_ldb = Ldb(paths.secrets, session_info=session_info, credentials=credentials,lp=lp, options=["modules:samba_secrets"])
183 # Get the netbiosname first (could be obtained from smb.conf in theory)
184 attrs = ["sAMAccountName"]
185 res = secrets_ldb.search(expression="(flatname=%s)"%names.domain,base="CN=Primary Domains", scope=SCOPE_SUBTREE, attrs=attrs)
186 names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
188 names.smbconf = smbconf
189 #It's important here to let ldb load with the old module or it's quite certain that the LDB won't load ...
190 samdb = Ldb(paths.samdb, session_info=session_info,
191 credentials=credentials, lp=lp, options=["modules:samba_dsdb"])
193 # That's a bit simplistic but it's ok as long as we have only 3 partitions
194 attrs2 = ["defaultNamingContext", "schemaNamingContext","configurationNamingContext","rootDomainNamingContext"]
195 res2 = samdb.search(expression="(objectClass=*)",base="", scope=SCOPE_BASE, attrs=attrs2)
197 names.configdn = res2[0]["configurationNamingContext"]
198 configdn = str(names.configdn)
199 names.schemadn = res2[0]["schemaNamingContext"]
200 if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb, res2[0]["defaultNamingContext"][0]))):
201 raise ProvisioningError(("basedn in %s (%s) and from %s (%s) is not the same ..." % (paths.samdb, str(res2[0]["defaultNamingContext"][0]), paths.smbconf, basedn)))
203 names.domaindn=res2[0]["defaultNamingContext"]
204 names.rootdn=res2[0]["rootDomainNamingContext"]
207 res3= samdb.search(expression="(objectClass=*)",base="CN=Sites,"+configdn, scope=SCOPE_ONELEVEL, attrs=attrs3)
208 names.sitename = str(res3[0]["cn"])
210 # dns hostname and server dn
211 attrs4 = ["dNSHostName"]
212 res4= samdb.search(expression="(CN=%s)"%names.netbiosname,base="OU=Domain Controllers,"+basedn, \
213 scope=SCOPE_ONELEVEL, attrs=attrs4)
214 names.hostname = str(res4[0]["dNSHostName"]).replace("."+names.dnsdomain,"")
216 server_res = samdb.search(expression="serverReference=%s"%res4[0].dn, attrs=[], base=configdn)
217 names.serverdn = server_res[0].dn
219 # invocation id/objectguid
220 res5 = samdb.search(expression="(objectClass=*)",base="CN=NTDS Settings,%s" % str(names.serverdn), scope=SCOPE_BASE, attrs=["invocationID","objectGUID"])
221 names.invocation = str(ndr_unpack( misc.GUID,res5[0]["invocationId"][0]))
222 names.ntdsguid = str(ndr_unpack( misc.GUID,res5[0]["objectGUID"][0]))
225 attrs6 = ["objectGUID", "objectSid", ]
226 res6 = samdb.search(expression="(objectClass=*)",base=basedn, scope=SCOPE_BASE, attrs=attrs6)
227 names.domainguid = str(ndr_unpack( misc.GUID,res6[0]["objectGUID"][0]))
228 names.domainsid = ndr_unpack( security.dom_sid,res6[0]["objectSid"][0])
231 attrs7 = ["cn","displayName"]
232 res7 = samdb.search(expression="(displayName=Default Domain Policy)",base="CN=Policies,CN=System,"+basedn, \
233 scope=SCOPE_ONELEVEL, attrs=attrs7)
234 names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
236 attrs8 = ["cn","displayName"]
237 res8 = samdb.search(expression="(displayName=Default Domain Controllers Policy)",base="CN=Policies,CN=System,"+basedn, \
238 scope=SCOPE_ONELEVEL, attrs=attrs7)
240 names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
242 names.policyid_dc = None
248 def print_names(names):
249 message(GUESS, "rootdn :"+str(names.rootdn))
250 message(GUESS, "configdn :"+str(names.configdn))
251 message(GUESS, "schemadn :"+str(names.schemadn))
252 message(GUESS, "serverdn :"+str(names.serverdn))
253 message(GUESS, "netbiosname :"+names.netbiosname)
254 message(GUESS, "defaultsite :"+names.sitename)
255 message(GUESS, "dnsdomain :"+names.dnsdomain)
256 message(GUESS, "hostname :"+names.hostname)
257 message(GUESS, "domain :"+names.domain)
258 message(GUESS, "realm :"+names.realm)
259 message(GUESS, "invocationid:"+names.invocation)
260 message(GUESS, "policyguid :"+names.policyid)
261 message(GUESS, "policyguiddc:"+str(names.policyid_dc))
262 message(GUESS, "domainsid :"+str(names.domainsid))
263 message(GUESS, "domainguid :"+names.domainguid)
264 message(GUESS, "ntdsguid :"+names.ntdsguid)
266 # Create a fresh new reference provision
267 # This provision will be the reference for knowing what has changed in the
268 # since the latest upgrade in the current provision
269 def newprovision(names,setup_dir,creds,session,smbconf):
270 message(SIMPLE, "Creating a reference provision")
271 provdir=tempfile.mkdtemp(dir=paths.private_dir, prefix="referenceprovision")
272 if os.path.isdir(provdir):
274 logstd=os.path.join(provdir,"log.std")
275 os.chdir(os.path.join(setup_dir,".."))
278 sys.stderr = open("%s/provision.log"%provdir, "w")
279 message(PROVISION, "Reference provision stored in %s"%provdir)
280 message(PROVISION, "STDERR message of provision will be logged in %s/provision.log"%provdir)
281 sys.stderr = open("/dev/stdout", "w")
282 provision(setup_dir, messageprovision,
283 session, creds, smbconf=smbconf, targetdir=provdir,
284 samdb_fill=FILL_FULL, realm=names.realm, domain=names.domain,
285 domainguid=names.domainguid, domainsid=str(names.domainsid),ntdsguid=names.ntdsguid,
286 policyguid=names.policyid,policyguid_dc=names.policyid_dc,hostname=names.netbiosname,
287 hostip=None, hostip6=None,
288 invocationid=names.invocation, adminpass=None,
289 krbtgtpass=None, machinepass=None,
290 dnspass=None, root=None, nobody=None,
291 wheel=None, users=None,
292 serverrole="domain controller",
293 ldap_backend_extra_port=None,
300 ldap_dryrun_mode=None)
303 # This function sorts two dn in the lexicographical order and put higher level DN before
304 # So given the dns cn=bar,cn=foo and cn=foo the later will be return as smaller (-1) as it has less
307 p = re.compile(r'(?<!\\),')
308 tab1 = p.split(str(x))
309 tab2 = p.split(str(y))
311 if (len(tab1) > len(tab2)):
313 elif (len(tab1) < len(tab2)):
320 # Note: python range go up to upper limit but do not include it
321 for i in range(0,min):
322 ret=cmp(tab1[len1-i],tab2[len2-i])
328 message(ERROR,"PB PB PB"+space.join(tab1)+" / "+space.join(tab2))
335 # check from security descriptors modifications return 1 if it is 0 otherwise
336 # it also populate hash structure for later use in the upgrade process
337 def handle_security_desc(ischema,att,msgElt,hashallSD,old,new):
338 if ischema == 1 and att == "defaultSecurityDescriptor" and msgElt.flags() == ldb.FLAG_MOD_REPLACE:
340 hashSD["oldSD"] = old[0][att]
341 hashSD["newSD"] = new[0][att]
342 hashallSD[str(old[0].dn)] = hashSD
344 if att == "nTSecurityDescriptor" and msgElt.flags() == ldb.FLAG_MOD_REPLACE:
347 hashSD["oldSD"] = ndr_unpack(security.descriptor,str(old[0][att]))
348 hashSD["newSD"] = ndr_unpack(security.descriptor,str(new[0][att]))
349 hashallSD[str(old[0].dn)] = hashSD
353 # Hangle special cases ... That's when we want to update an attribute only
354 # if it has a certain value or if it's for a certain object or
356 # It can be also if we want to do a merge of value instead of a simple replace
357 def handle_special_case(att,delta,new,old,ischema):
358 flag = delta.get(att).flags()
359 if (att == "gPLink" or att == "gPCFileSysPath") and flag == ldb.FLAG_MOD_REPLACE and str(new[0].dn).lower() == str(old[0].dn).lower():
362 if att == "forceLogoff":
363 ref=0x8000000000000000
364 oldval=int(old[0][att][0])
365 newval=int(new[0][att][0])
366 ref == old and ref == abs(new)
368 if (att == "adminDisplayName" or att == "adminDescription") and ischema:
370 if (str(old[0].dn) == "CN=Samba4-Local-Domain,%s"%(str(names.schemadn)) and att == "defaultObjectCategory" and flag == ldb.FLAG_MOD_REPLACE):
372 if (str(old[0].dn) == "CN=S-1-5-11,CN=ForeignSecurityPrincipals,%s"%(str(names.rootdn)) and att == "description" and flag == ldb.FLAG_MOD_DELETE):
374 if (str(old[0].dn) == "CN=Title,%s"%(str(names.schemadn)) and att == "rangeUpper" and flag == ldb.FLAG_MOD_REPLACE):
376 if ( (att == "member" or att == "servicePrincipalName") and flag == ldb.FLAG_MOD_REPLACE):
381 for elem in old[0][att]:
383 newval.append(str(elem))
385 for elem in new[0][att]:
386 if not hash.has_key(str(elem)):
388 newval.append(str(elem))
390 delta[att] = ldb.MessageElement(newval, ldb.FLAG_MOD_REPLACE, att)
394 if (str(old[0].dn) == "%s"%(str(names.rootdn)) and att == "subRefs" and flag == ldb.FLAG_MOD_REPLACE):
396 if str(delta.dn).endswith("CN=DisplaySpecifiers,%s"%names.configdn):
400 def update_secrets(newpaths,paths,creds,session):
401 message(SIMPLE,"update secrets.ldb")
402 newsecrets_ldb = Ldb(newpaths.secrets, session_info=session, credentials=creds,lp=lp)
403 secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp, options=["modules:samba_secrets"])
404 res = newsecrets_ldb.search(expression="dn=@MODULES",base="", scope=SCOPE_SUBTREE)
405 res2 = secrets_ldb.search(expression="dn=@MODULES",base="", scope=SCOPE_SUBTREE)
406 delta = secrets_ldb.msg_diff(res2[0],res[0])
407 delta.dn = res2[0].dn
408 secrets_ldb.modify(delta)
410 newsecrets_ldb = Ldb(newpaths.secrets, session_info=session, credentials=creds,lp=lp)
411 secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp)
412 res = newsecrets_ldb.search(expression="objectClass=top",base="", scope=SCOPE_SUBTREE,attrs=["dn"])
413 res2 = secrets_ldb.search(expression="objectClass=top",base="", scope=SCOPE_SUBTREE,attrs=["dn"])
419 empty = ldb.Message()
420 for i in range(0,len(res)):
421 hash_new[str(res[i]["dn"]).lower()] = res[i]["dn"]
423 # Create a hash for speeding the search of existing object in the current provision
424 for i in range(0,len(res2)):
425 hash[str(res2[i]["dn"]).lower()] = res2[i]["dn"]
427 for k in hash_new.keys():
428 if not hash.has_key(k):
429 listMissing.append(hash_new[k])
431 listPresent.append(hash_new[k])
432 for entry in listMissing:
433 res = newsecrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
434 res2 = secrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
435 delta = secrets_ldb.msg_diff(empty,res[0])
436 for att in hashAttrNotCopied.keys():
438 message(CHANGE,"Entry %s is missing from secrets.ldb"%res[0].dn)
440 message(CHANGE," Adding attribute %s"%att)
442 secrets_ldb.add(delta)
444 for entry in listPresent:
445 res = newsecrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
446 res2 = secrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
447 delta = secrets_ldb.msg_diff(res2[0],res[0])
449 for att in hashAttrNotCopied.keys():
454 message(CHANGE," Adding/Changing attribute %s to %s"%(att,res2[0].dn))
456 delta.dn = res2[0].dn
457 secrets_ldb.modify(delta)
459 # Check difference between the current provision and the reference provision.
460 # It looks for all object which base DN is name if ischema is false then scan is done in
461 # cross partition mode.
462 # If ischema is true, then special handling is done for dealing with schema
463 def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
471 # Connect to the reference provision and get all the attribute in the partition referred by name
472 newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
473 sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
475 res = newsam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"])
476 res2 = sam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"])
478 res = newsam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"],controls=["search_options:1:2"])
479 res2 = sam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"],controls=["search_options:1:2"])
481 # Create a hash for speeding the search of new object
482 for i in range(0,len(res)):
483 hash_new[str(res[i]["dn"]).lower()] = res[i]["dn"]
485 # Create a hash for speeding the search of existing object in the current provision
486 for i in range(0,len(res2)):
487 hash[str(res2[i]["dn"]).lower()] = res2[i]["dn"]
489 for k in hash_new.keys():
490 if not hash.has_key(k):
491 listMissing.append(hash_new[k])
493 listPresent.append(hash_new[k])
495 # Sort the missing object in order to have object of the lowest level first (which can be
496 # containers for higher level objects)
497 listMissing.sort(dn_sort)
498 listPresent.sort(dn_sort)
501 # The following lines (up to the for loop) is to load the up to date schema into our current LDB
502 # a complete schema is needed as the insertion of attributes and class is done against it
503 # and the schema is self validated
504 # The double ldb open and schema validation is taken from the initial provision script
505 # it's not certain that it is really needed ....
506 sam_ldb = Ldb(session_info=session, credentials=creds, lp=lp)
507 schema = Schema(setup_path, names.domainsid, schemadn=basedn, serverdn=str(names.serverdn))
508 # Load the schema from the one we computed earlier
509 sam_ldb.set_schema_from_ldb(schema.ldb)
510 # And now we can connect to the DB - the schema won't be loaded from the DB
511 sam_ldb.connect(paths.samdb)
512 sam_ldb.transaction_start()
514 sam_ldb.transaction_start()
516 empty = ldb.Message()
517 message(SIMPLE,"There are %d missing objects"%(len(listMissing)))
518 for dn in listMissing:
519 res = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
520 delta = sam_ldb.msg_diff(empty,res[0])
521 for att in hashAttrNotCopied.keys():
523 for att in backlinked:
527 sam_ldb.add(delta,["relax:0"])
530 for dn in listPresent:
531 res = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
532 res2 = sam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
533 delta = sam_ldb.msg_diff(res2[0],res[0])
534 for att in hashAttrNotCopied.keys():
536 for att in backlinked:
538 delta.remove("parentGUID")
541 msgElt = delta.get(att)
544 if handle_security_desc(ischema,att,msgElt,hashallSD,res2,res):
547 if (not hashOverwrittenAtt.has_key(att) or not (hashOverwrittenAtt.get(att)&2^msgElt.flags())):
548 if handle_special_case(att,delta,res,res2,ischema)==0 and msgElt.flags()!=ldb.FLAG_MOD_ADD:
551 message(CHANGE, "dn= "+str(dn)+ " "+att + " with flag "+str(msgElt.flags())+ " is not allowed to be changed/removed, I discard this change ...")
552 for e in range(0,len(res2[0][att])):
553 message(CHANGE,"old %d : %s"%(i,str(res2[0][att][e])))
554 if msgElt.flags() == 2:
556 for e in range(0,len(res[0][att])):
557 message(CHANGE,"new %d : %s"%(i,str(res[0][att][e])))
560 if len(delta.items()) >1:
561 attributes=",".join(delta.keys())
562 message(CHANGE,"%s is different from the reference one, changed attributes: %s"%(dn,attributes))
563 changed = changed + 1
564 sam_ldb.modify(delta)
566 sam_ldb.transaction_commit()
567 message(SIMPLE,"There are %d changed objects"%(changed))
570 # Check that SD are correct
571 def check_updated_sd(newpaths,paths,creds,session,names):
572 newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
573 sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
574 res = newsam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"])
575 res2 = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"])
577 for i in range(0,len(res)):
578 hash_new[str(res[i]["dn"]).lower()] = ndr_unpack(security.descriptor,str(res[i]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
580 for i in range(0,len(res2)):
581 key = str(res2[i]["dn"]).lower()
582 if hash_new.has_key(key):
583 sddl = ndr_unpack(security.descriptor,str(res2[i]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
584 if sddl != hash_new[key]:
585 print "%s new sddl/sddl in ref"%key
586 print "%s\n%s"%(sddl,hash_new[key])
588 # Simple update method for updating the SD that rely on the fact that nobody should have modified the SD
589 # This assumption is safe right now (alpha9) but should be removed asap
590 def update_sd(newpaths,paths,creds,session,names):
591 sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
592 sam_ldb.transaction_start()
593 # First update the SD for the rootdn
594 sam_ldb.set_session_info(session)
595 res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
596 delta = ldb.Message()
597 delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"]))
598 descr = get_domain_descriptor(names.domainsid)
599 delta["nTSecurityDescriptor"] = ldb.MessageElement( descr,ldb.FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
600 sam_ldb.modify(delta,["recalculate_sd:0"])
602 res = sam_ldb.search(expression="objectClass=*",base=str(names.configdn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
603 delta = ldb.Message()
604 delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"]))
605 descr = get_config_descriptor(names.domainsid)
606 delta["nTSecurityDescriptor"] = ldb.MessageElement( descr,ldb.FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
607 sam_ldb.modify(delta,["recalculate_sd:0"])
609 res = sam_ldb.search(expression="objectClass=*",base=str(names.schemadn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
610 delta = ldb.Message()
611 delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"]))
612 descr = get_schema_descriptor(names.domainsid)
613 delta["nTSecurityDescriptor"] = ldb.MessageElement( descr,ldb.FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
614 sam_ldb.modify(delta,["recalculate_sd:0"])
618 res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
620 if not (str(obj["dn"]) == str(names.rootdn) or
621 str(obj["dn"]) == str(names.configdn) or \
622 str(obj["dn"]) == str(names.schemadn)):
623 hash[str(obj["dn"])] = obj["whenCreated"]
625 listkeys = hash.keys()
626 listkeys.sort(dn_sort)
630 delta = ldb.Message()
631 delta.dn = ldb.Dn(sam_ldb,key)
632 delta["whenCreated"] = ldb.MessageElement( hash[key],ldb.FLAG_MOD_REPLACE,"whenCreated" )
633 sam_ldb.modify(delta,["recalculate_sd:0"])
635 sam_ldb.transaction_cancel()
636 res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"])
637 print "bad stuff" +ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
639 sam_ldb.transaction_commit()
642 for root, dirs, files in os.walk(topdir, topdown=False):
644 os.remove(os.path.join(root, name))
646 os.rmdir(os.path.join(root, name))
650 def update_basesamdb(newpaths,paths,names):
651 message(SIMPLE,"Copy samdb")
652 shutil.copy(newpaths.samdb,paths.samdb)
654 message(SIMPLE,"Update partitions filename if needed")
655 schemaldb=os.path.join(paths.private_dir,"schema.ldb")
656 configldb=os.path.join(paths.private_dir,"configuration.ldb")
657 usersldb=os.path.join(paths.private_dir,"users.ldb")
658 samldbdir=os.path.join(paths.private_dir,"sam.ldb.d")
660 if not os.path.isdir(samldbdir):
662 os.chmod(samldbdir,0700)
663 if os.path.isfile(schemaldb):
664 shutil.copy(schemaldb,os.path.join(samldbdir,"%s.ldb"%str(names.schemadn).upper()))
666 if os.path.isfile(usersldb):
667 shutil.copy(usersldb,os.path.join(samldbdir,"%s.ldb"%str(names.rootdn).upper()))
669 if os.path.isfile(configldb):
670 shutil.copy(configldb,os.path.join(samldbdir,"%s.ldb"%str(names.configdn).upper()))
673 def update_privilege(newpaths,paths):
674 message(SIMPLE,"Copy privilege")
675 shutil.copy(os.path.join(newpaths.private_dir,"privilege.ldb"),os.path.join(paths.private_dir,"privilege.ldb"))
677 # For each partition check the differences
678 def update_samdb(newpaths,paths,creds,session,names):
680 message(SIMPLE, "Doing schema update")
681 hashdef = check_diff_name(newpaths,paths,creds,session,str(names.schemadn),names,1)
682 message(SIMPLE,"Done with schema update")
683 message(SIMPLE,"Scanning whole provision for updates and additions")
684 hashSD = check_diff_name(newpaths,paths,creds,session,str(names.rootdn),names,0)
685 message(SIMPLE,"Done with scanning")
687 def update_machine_account_password(paths,creds,session,names):
689 secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp)
690 secrets_ldb.transaction_start()
691 secrets_msg = secrets_ldb.search(expression=("samAccountName=%s$" % names.netbiosname), attrs=["secureChannelType"])
692 sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
693 sam_ldb.transaction_start()
694 if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
695 res = sam_ldb.search(expression=("samAccountName=%s$" % names.netbiosname), attrs=[])
696 assert(len(res) == 1)
698 msg = ldb.Message(res[0].dn)
699 machinepass = glue.generate_random_str(12)
700 msg["userPassword"] = ldb.MessageElement(machinepass, ldb.FLAG_MOD_REPLACE, "userPassword")
703 res = sam_ldb.search(expression=("samAccountName=%s$" % names.netbiosname),
704 attrs=["msDs-keyVersionNumber"])
705 assert(len(res) == 1)
706 kvno = int(str(res[0]["msDs-keyVersionNumber"]))
708 secretsdb_self_join(secrets_ldb, domain=names.domain,
710 domainsid=names.domainsid,
711 dnsdomain=names.dnsdomain,
712 netbiosname=names.netbiosname,
713 machinepass=machinepass,
714 key_version_number=kvno,
715 secure_channel_type=int(secrets_msg[0]["secureChannelType"][0]))
716 sam_ldb.transaction_prepare_commit()
717 secrets_ldb.transaction_prepare_commit()
718 sam_ldb.transaction_commit()
719 secrets_ldb.transaction_commit()
721 secrets_ldb.transaction_cancel()
723 # From here start the big steps of the program
724 # First get files paths
725 paths=get_paths(targetdir=opts.targetdir,smbconf=smbconf)
726 paths.setup = setup_dir
727 def setup_path(file):
728 return os.path.join(setup_dir, file)
729 # Guess all the needed names (variables in fact) from the current
731 names = guess_names_from_current_provision(creds,session,paths)
734 # With all this information let's create a fresh new provision used as reference
735 provisiondir = newprovision(names,setup_dir,creds,session,smbconf)
736 # Get file paths of this new provision
737 newpaths = get_paths(targetdir=provisiondir)
738 populate_backlink(newpaths,creds,session,names.schemadn)
739 # Check the difference
740 update_basesamdb(newpaths,paths,names)
741 update_secrets(newpaths,paths,creds,session)
742 update_privilege(newpaths,paths)
743 update_machine_account_password(paths,creds,session,names)
746 update_samdb(newpaths,paths,creds,session,names)
747 # SD should be created with admin but as some previous acl were so wrong that admin can't modify them we have first
748 # to recreate them with the good form but with system account and then give the ownership to admin ...
749 admin_session_info = admin_session(lp, str(names.domainsid))
750 update_sd(newpaths,paths,creds,session,names)
751 update_sd(newpaths,paths,creds,admin_session_info,names)
752 check_updated_sd(newpaths,paths,creds,session,names)
753 message(SIMPLE,"Upgrade finished !")
754 # remove reference provision now that everything is done !