+ def err_missing_sd_owner(self, dn, sd):
+ '''re-write the SD due to a missing owner or group'''
+ sd_attr = "nTSecurityDescriptor"
+ sd_val = ndr_pack(sd)
+ sd_flags = security.SECINFO_OWNER | security.SECINFO_GROUP
+
+ if not self.confirm_all('Fix missing owner or group in %s on %s?' % (sd_attr, dn), 'fix_ntsecuritydescriptor_owner_group'):
+ self.report('Not fixing missing owner or group %s on %s\n' % (sd_attr, dn))
+ return
+
+ nmsg = ldb.Message()
+ nmsg.dn = dn
+ nmsg[sd_attr] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_REPLACE, sd_attr)
+
+ # By setting the session_info to admin_session_info and
+ # setting the security.SECINFO_OWNER | security.SECINFO_GROUP
+ # flags we cause the descriptor module to set the correct
+ # owner and group on the SD, replacing the None/NULL values
+ # for owner_sid and group_sid currently present.
+ #
+ # The admin_session_info matches that used in provision, and
+ # is the best guess we can make for an existing object that
+ # hasn't had something specifically set.
+ #
+ # This is important for the dns related naming contexts.
+ self.samdb.set_session_info(self.admin_session_info)
+ if self.do_modify(nmsg, ["sd_flags:1:%d" % sd_flags],
+ "Failed to fix metadata for attribute %s" % sd_attr):
+ self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn))
+ self.samdb.set_session_info(self.system_session_info)
+