add=2^ldb.FLAG_MOD_ADD
delete=2^ldb.FLAG_MOD_DELETE
-CHANGE = 0x01
-CHANGESD = 0x02
-GUESS = 0x04
-CHANGEALL = 0xff
+#Errors are always logged
+ERROR = -1
+SIMPLE = 0x00
+CHANGE = 0x01
+CHANGESD = 0x02
+GUESS = 0x04
+PROVISION = 0x08
+CHANGEALL = 0xff
# Attributes that not copied from the reference provision even if they do not exists in the destination object
# This is most probably because they are populated automatcally when object is created
what = what | CHANGESD
if opts.debugguess:
what = what | GUESS
+ if opts.debugprovision:
+ what = what | PROVISION
if opts.debugall:
what = what | CHANGEALL
return what
-
parser = optparse.OptionParser("provision [options]")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option("--debugchange", help="Print information on what is different but won't be changed", action="store_true")
parser.add_option("--debugchangesd", help="Print information security descriptors differences", action="store_true")
parser.add_option("--debugall", help="Print all available information (very verbose)", action="store_true")
+parser.add_option("--full", help="Perform full upgrade of the samdb (schema, configuration, new objects, ...", action="store_true")
parser.add_option("--targetdir", type="string", metavar="DIR",
help="Set target directory")
def message(what,text):
"""print a message if quiet is not set."""
- if whatToLog & what:
+ if (whatToLog & what) or (what <= 0 ):
print text
if len(sys.argv) == 1:
smbconf = param.default_path()
if not os.path.exists(smbconf):
- print >>sys.stderr, "Unable to find smb.conf .."
+ message(ERROR,"Unable to find smb.conf ..")
parser.print_usage()
sys.exit(1)
names.smbconf = smbconf
#It's important here to let ldb load with the old module or it's quite certain that the LDB won't load ...
samdb = Ldb(paths.samdb, session_info=session_info,
- credentials=credentials, lp=lp)
+ credentials=credentials, lp=lp, options=["modules:samba_dsdb"])
# That's a bit simplistic but it's ok as long as we have only 3 partitions
attrs2 = ["schemaNamingContext","configurationNamingContext","rootDomainNamingContext"]
configdn = str(names.configdn)
names.schemadn = res2[0]["schemaNamingContext"]
if not (rootdn == str(res2[0]["rootDomainNamingContext"])):
- print >>sys.stderr, "rootdn in sam.ldb and smb.conf is not the same ..."
+ message(ERROR, "rootdn in sam.ldb and smb.conf is not the same ...")
else:
names.rootdn=res2[0]["rootDomainNamingContext"]
# default site name
# ntds guid
attrs9 = ["objectGUID" ]
exp = "(dn=CN=NTDS Settings,%s)"%(names.serverdn)
- print exp
res9 = samdb.search(expression="(dn=CN=NTDS Settings,%s)"%(names.serverdn),base=str(names.configdn), scope=SCOPE_SUBTREE, attrs=attrs9)
names.ntdsguid = str(ndr_unpack( misc.GUID,res9[0]["objectGUID"][0]))
# This provision will be the reference for knowing what has changed in the
# since the latest upgrade in the current provision
def newprovision(names,setup_dir,creds,session,smbconf):
- random.seed()
- provdir=os.path.join(os.environ["HOME"],"provision"+str(int(100000*random.random())))
+ message(SIMPLE, "Creating a reference provision")
+ provdir=os.path.join(paths.private_dir,"referenceprovision")
+ if os.path.isdir(provdir):
+ rmall(provdir)
logstd=os.path.join(provdir,"log.std")
os.chdir(os.path.join(setup_dir,".."))
os.mkdir(provdir)
-
+ os.close(2)
+ sys.stderr = open("%s/provision.log"%provdir, "w")
+ message(PROVISION, "Reference provision stored in %s"%provdir)
+ message(PROVISION, "STDERR message of provision will be logged in %s/provision.log"%provdir)
+ sys.stderr = open("/dev/stdout", "w")
provision(setup_dir, messageprovision,
session, creds, smbconf=smbconf, targetdir=provdir,
samdb_fill=FILL_FULL, realm=names.realm, domain=names.domain,
setup_ds_path=None,
nosync=None,
ldap_dryrun_mode=None)
- print >>sys.stderr, "provisiondir: "+provdir
return provdir
# This function sorts two dn in the lexicographical order and put higher level DN before
else:
if(i==min-1):
if(len1==len2):
- print >>sys.stderr,"PB PB PB"+space.join(tab1)+" / "+space.join(tab2)
+ message(ERROR,"PB PB PB"+space.join(tab1)+" / "+space.join(tab2))
if(len1>len2):
return 1
else:
return 0
def update_secrets(newpaths,paths,creds,session):
+ message(SIMPLE,"update secrets.ldb")
newsecrets_ldb = Ldb(newpaths.secrets, session_info=session, credentials=creds,lp=lp)
secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp, options=["modules:samba_secrets"])
res = newsecrets_ldb.search(expression="dn=@MODULES",base="", scope=SCOPE_SUBTREE)
sam_ldb.transaction_start()
empty = ldb.Message()
- print "There are %d missing objects"%(len(listMissing))
+ message(SIMPLE,"There are %d missing objects"%(len(listMissing)))
for dn in listMissing:
res = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
delta = sam_ldb.msg_diff(empty,res[0])
sam_ldb.modify(delta)
sam_ldb.transaction_commit()
- print "There are %d changed objects"%(changed)
+ message(SIMPLE,"There are %d changed objects"%(changed))
return hashallSD
session = system_session_info
descr = security.descriptor.ntsd_from_defaultsd(defSD, domSID,session)
if descr.as_sddl(domSID) != oldSD:
- print "nTSecurity Descriptor for %s do not directly inherit from the defaultSecurityDescriptor and is different from the one of the reference provision, therefor I can't upgrade i"
- print "Old Descriptor: %s"%(oldSD)
- print "New Descriptor: %s"%(newSD)
+ message(SIMPLE, "nTSecurity Descriptor for %s do not directly inherit from the defaultSecurityDescriptor and is different from the one of the reference provision, therefor I can't upgrade i")
+ message(SIMPLE,"Old Descriptor: %s"%(oldSD))
+ message(SIMPLE,"New Descriptor: %s"%(newSD))
if diffDefSD.has_key(classObj):
# We have a pending modification for the defaultSecurityDescriptor of the class Object of the currently inspected object
# and we have a conflict so write down that we won't upgrade this defaultSD for this class object
sam_ldb.modify(delta)
sam_ldb.transaction_commit()
- print "%d nTSecurityDescriptor attribute(s) have been updated"%(upgrade)
+ message(SIMPLE,"%d nTSecurityDescriptor attribute(s) have been updated"%(upgrade))
sam_ldb.transaction_start()
upgrade = 0
for dn in diffDefSD:
message(CHANGESD,"Not updating the defaultSecurityDescriptor for class object %s as one or more dependant object hasn't been upgraded"%(dn))
sam_ldb.transaction_commit()
- print "%d defaultSecurityDescriptor attribute(s) have been updated"%(upgrade)
+ message(SIMPLE,"%d defaultSecurityDescriptor attribute(s) have been updated"%(upgrade))
def rmall(topdir):
for root, dirs, files in os.walk(topdir, topdown=False):
os.rmdir(os.path.join(root, name))
os.rmdir(topdir)
-# For each partition check the differences
-def check_diff(newpaths,paths,creds,session,names):
- print "Copy samdb"
+def update_basesamdb(newpaths,paths,names):
+ message(SIMPLE,"Copy samdb")
shutil.copy(newpaths.samdb,paths.samdb)
- print "Update ldb names if needed"
+ message(SIMPLE,"Update partitions filename if needed")
schemaldb=os.path.join(paths.private_dir,"schema.ldb")
configldb=os.path.join(paths.private_dir,"configuration.ldb")
usersldb=os.path.join(paths.private_dir,"users.ldb")
if os.path.isfile(configldb):
shutil.copy(configldb,os.path.join(samldbdir,"%s.ldb"%str(names.configdn).upper()))
os.remove(configldb)
+
+def update_privilege(newpaths,paths):
+ message(SIMPLE,"Copy privilege")
shutil.copy(os.path.join(newpaths.private_dir,"privilege.ldb"),os.path.join(paths.private_dir,"privilege.ldb"))
- print "Doing schema update"
+# For each partition check the differences
+def update_samdb(newpaths,paths,creds,session,names):
+
+ message(SIMPLE, "Doing schema update")
hashdef = check_diff_name(newpaths,paths,creds,session,str(names.schemadn),names,1)
- print "Done with schema update"
- print "Scanning whole provision for updates and additions"
+ message(SIMPLE,"Done with schema update")
+ message(SIMPLE,"Scanning whole provision for updates and additions")
hashSD = check_diff_name(newpaths,paths,creds,session,str(names.rootdn),names,0)
- print "Done with scanning"
- print "Updating secrets"
- update_secrets(newpaths,paths,creds,session)
+ message(SIMPLE,"Done with scanning")
# update_sds(hashdef,hashSD,paths,creds,session,str(names.rootdn),names.domainsid)
# From here start the big steps of the program
newpaths = get_paths(targetdir=provisiondir)
populate_backlink(newpaths,creds,session,names.schemadn)
# Check the difference
-check_diff(newpaths,paths,creds,session,names)
+update_basesamdb(newpaths,paths,names)
+update_secrets(newpaths,paths,creds,session)
+update_privilege(newpaths,paths)
+if opts.full:
+ update_samdb(newpaths,paths,creds,session,names)
+message(SIMPLE,"Upgrade finished !")
# remove reference provision now that everything is done !
rmall(provisiondir)
git.samba.org / ira / wip.git / commitdiff