import ldb
import samba
import samba.getopt as options
+
+from base64 import b64encode
from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session, admin_session
from ldb import (SCOPE_SUBTREE, SCOPE_BASE,
FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE,
- MessageElement, Message, Dn)
-from samba import param
-from samba.provision import (find_setup_dir, get_domain_descriptor,
+ MessageElement, Message, Dn, LdbError)
+from samba import param, dsdb, Ldb
+from samba.common import confirm
+from samba.provision import (get_domain_descriptor, find_provision_key_parameters,
get_config_descriptor,
ProvisioningError, get_last_provision_usn,
- get_max_usn, update_provision_usn)
+ get_max_usn, update_provision_usn, setup_path)
from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
from samba.dcerpc import security, drsblobs, xattr
from samba.ndr import ndr_unpack
from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
- find_provision_key_parameters, get_ldbs,
+ get_ldbs,
usn_in_range, identic_rename, get_diff_sddls,
update_secrets, CHANGE, ERROR, SIMPLE,
CHANGEALL, GUESS, CHANGESD, PROVISION,
delta_update_basesamdb, update_policyids,
update_machine_account_password,
search_constructed_attrs_stored,
+ int64range2str, update_dns_account_password,
increment_calculated_keyversion_number)
replace=2**FLAG_MOD_REPLACE
# This is most probably because they are populated automatcally when object is
# created
# This also apply to imported object from reference provision
-hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1,
- "objectGUID": 1, "uSNCreated": 1,
- "replPropertyMetaData": 1, "uSNChanged": 1,
- "parentGUID": 1, "objectCategory": 1,
- "distinguishedName": 1, "nTMixedDomain": 1,
- "showInAdvancedViewOnly": 1, "instanceType": 1,
- "msDS-Behavior-Version":1, "nextRid":1, "cn": 1,
- "versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1,
- "ntPwdHistory":1, "unicodePwd":1,"dBCSPwd":1,
- "supplementalCredentials":1, "gPCUserExtensionNames":1,
- "gPCMachineExtensionNames":1,"maxPwdAge":1, "secret":1,
- "possibleInferiors":1, "privilege":1,
- "sAMAccountType":1 }
+replAttrNotCopied = [ "dn", "whenCreated", "whenChanged", "objectGUID",
+ "parentGUID", "objectCategory", "distinguishedName",
+ "instanceType", "cn",
+ "lmPwdHistory", "pwdLastSet", "ntPwdHistory",
+ "unicodePwd", "dBCSPwd", "supplementalCredentials",
+ "gPCUserExtensionNames", "gPCMachineExtensionNames",
+ "maxPwdAge", "secret", "possibleInferiors", "privilege",
+ "sAMAccountType", "oEMInformation", "creationTime" ]
+
+nonreplAttrNotCopied = ["uSNCreated", "replPropertyMetaData", "uSNChanged",
+ "nextRid" ,"rIDNextRID", "rIDPreviousAllocationPool"]
+
+nonDSDBAttrNotCopied = ["msDS-KeyVersionNumber", "priorSecret", "priorWhenChanged"]
+
+attrNotCopied = replAttrNotCopied
+attrNotCopied.extend(nonreplAttrNotCopied)
+attrNotCopied.extend(nonDSDBAttrNotCopied)
# Usually for an object that already exists we do not overwrite attributes as
# they might have been changed for good reasons. Anyway for a few of them it's
# mandatory to replace them otherwise the provision will be broken somehow.
"wellKnownObjects":replace, "privilege":never,
"defaultSecurityDescriptor": replace,
"rIDAvailablePool": never,
+ "versionNumber" : add,
+ "rIDNextRID": add, "rIDUsedPool": never,
"defaultSecurityDescriptor": replace + add,
"isMemberOfPartialAttributeSet": delete,
- "attributeDisplayNames": replace + add}
-
+ "attributeDisplayNames": replace + add,
+ "versionNumber": add}
+dnNotToRecalculate = []
+dnToRecalculate = []
backlinked = []
forwardlinked = set()
dn_syntax_att = []
+not_replicated = []
def define_what_to_log(opts):
what = 0
if opts.debugchange:
help="directory with setup files")
parser.add_option("--debugprovision", help="Debug provision", action="store_true")
parser.add_option("--debugguess", action="store_true",
- help="Print information on what is different but won't be changed")
+ help="Print information on which values are guessed")
parser.add_option("--debugchange", action="store_true",
help="Print information on what is different but won't be changed")
parser.add_option("--debugchangesd", action="store_true",
- help="Print information security descriptors differences")
+ help="Print security descriptor differences")
parser.add_option("--debugall", action="store_true",
help="Print all available information (very verbose)")
parser.add_option("--resetfileacl", action="store_true",
help="Force a reset on filesystem acls in sysvol / netlogon share")
+parser.add_option("--fixntacl", action="store_true",
+ help="Only fix NT ACLs in sysvol / netlogon share")
parser.add_option("--full", action="store_true",
help="Perform full upgrade of the samdb (schema, configuration, new objects, ...")
creds = credopts.get_credentials(lp)
creds.set_kerberos_state(DONT_USE_KERBEROS)
-setup_dir = opts.setupdir
-if setup_dir is None:
- setup_dir = find_setup_dir()
provision"""
spnfile = "%s/spn_update_list" % private
+ dnsfile = "%s/dns_update_list" % private
namedfile = lp.get("dnsupdate:path")
if not namedfile:
if not os.path.exists(spnfile):
shutil.copy("%s/spn_update_list" % refprivate, "%s" % spnfile)
+ if not os.path.exists(dnsfile):
+ shutil.copy("%s/dns_update_list" % refprivate, "%s" % dnsfile)
+
destdir = "%s/new_dns" % private
dnsdir = "%s/dns" % private
os.mkdir(dnsdir)
shutil.copy("%s/named.conf" % refprivate, "%s/named.conf" % destdir)
shutil.copy("%s/named.txt" % refprivate, "%s/named.txt" % destdir)
- message(SIMPLE, "It seems that you provision didn't integrate new rules "
- "for dynamic dns update of domain related entries")
+ message(SIMPLE, "It seems that your provision did not integrate "
+ "new rules for dynamic dns update of domain related entries")
message(SIMPLE, "A copy of the new bind configuration files and "
- "template as been put in %s, you should read them and configure dynamic "
- " dns update" % destdir)
+ "template has been put in %s, you should read them and "
+ "configure dynamic dns updates" % destdir)
def populate_links(samdb, schemadn):
for t in linkedAttHash.keys():
forwardlinked.add(t)
+def isReplicated(att):
+ """ Indicate if the attribute is replicated or not
+
+ :param att: Name of the attribute to be tested
+ :return: True is the attribute is replicated, False otherwise
+ """
+
+ return (att not in not_replicated)
+
+def populateNotReplicated(samdb, schemadn):
+ """Populate an array with all the attributes that are not replicated
+
+ :param samdb: A LDB object for sam.ldb file
+ :param schemadn: DN of the schema for the partition"""
+ res = samdb.search(expression="(&(objectclass=attributeSchema)(systemflags:1.2.840.113556.1.4.803:=1))", base=Dn(samdb,
+ str(schemadn)), scope=SCOPE_SUBTREE,
+ attrs=["lDAPDisplayName"])
+ for elem in res:
+ not_replicated.append(str(elem["lDAPDisplayName"]))
+
def populate_dnsyntax(samdb, schemadn):
"""Populate an array with all the attributes that have DN synthax
scope=SCOPE_SUBTREE, attrs=["dn"],
controls=["search_options:1:2"])
if len(res) == 0:
- print "No DC found, your provision is most probably hardly broken !"
+ print "No DC found. Your provision is most probably broken!"
return False
elif len(res) != 1:
- print "Found %d domain controllers, for the moment upgradeprovision" \
- "is not able to handle upgrade on domain with more than one DC, please demote" \
- " the other(s) DC(s) before upgrading" % len(res)
+ print "Found %d domain controllers. For the moment " \
+ "upgradeprovision is not able to handle an upgrade on a " \
+ "domain with more than one DC. Please demote the other " \
+ "DC(s) before upgrading" % len(res)
return False
else:
return True
message(GUESS, "domainlevel :" + str(names.domainlevel))
-def handle_special_case(att, delta, new, old, usn, basedn, aldb):
+def handle_special_case(att, delta, new, old, useReplMetadata, basedn, aldb):
"""Define more complicate update rules for some attributes
:param att: The attribute to be updated
between the updated object and the reference one
:param new: The reference object
:param old: The Updated object
- :param usn: The highest usn modified by a previous (upgrade)provision
+ :param useReplMetadata: A boolean that indicate if the update process
+ use replPropertyMetaData to decide what has to be updated.
:param basedn: The base DN of the provision
:param aldb: An ldb object used to build DN
:return: True to indicate that the attribute should be kept, False for
discarding it"""
- flag = delta.get(att).flags()
# We do most of the special case handle if we do not have the
# highest usn as otherwise the replPropertyMetaData will guide us more
# correctly
- if usn is None:
+ if not useReplMetadata:
+ flag = delta.get(att).flags()
if (att == "sPNMappings" and flag == FLAG_MOD_REPLACE and
ldb.Dn(aldb, "CN=Directory Service,CN=Windows NT,"
"CN=Services,CN=Configuration,%s" % basedn)
if (str(old[0].dn) == "%s" % (str(names.rootdn))
and att == "subRefs" and flag == FLAG_MOD_REPLACE):
return True
-
+ #Allow to change revision of ForestUpdates objects
+ if (att == "revision" or att == "objectVersion"):
+ if str(delta.dn).lower().find("domainupdates") and str(delta.dn).lower().find("forestupdates") > 0:
+ return True
if str(delta.dn).endswith("CN=DisplaySpecifiers, %s" % names.configdn):
return True
# This is a bit of special animal as we might have added
# already SPN entries to the list that has to be modified
# So we go in detail to try to find out what has to be added ...
- if (att == "servicePrincipalName" and flag == FLAG_MOD_REPLACE):
+ if (att == "servicePrincipalName" and delta.get(att).flags() == FLAG_MOD_REPLACE):
hash = {}
newval = []
- changeDelta=0
+ changeDelta = 0
for elem in old[0][att]:
hash[str(elem)]=1
newval.append(str(elem))
for elem in new[0][att]:
if not hash.has_key(str(elem)):
- changeDelta=1
+ changeDelta = 1
newval.append(str(elem))
if changeDelta == 1:
delta[att] = MessageElement(newval, FLAG_MOD_REPLACE, att)
return False
def dump_denied_change(dn, att, flagtxt, current, reference):
- """Print detailed information about why a changed is denied
+ """Print detailed information about why a change is denied
:param dn: DN of the object which attribute is denied
:param att: Attribute that was supposed to be upgraded
:param reference: Value(s) of the reference attribute"""
message(CHANGE, "dn= " + str(dn)+" " + att+" with flag " + flagtxt
- +" is not allowed to be changed/removed, I discard this change")
- if att != "objectSid" :
+ + " must not be changed/removed. Discarding the change")
+ if att == "objectSid" :
+ message(CHANGE, "old : %s" % ndr_unpack(security.dom_sid, current[0]))
+ message(CHANGE, "new : %s" % ndr_unpack(security.dom_sid, reference[0]))
+ elif att == "rIDPreviousAllocationPool" or att == "rIDAllocationPool":
+ message(CHANGE, "old : %s" % int64range2str(current[0]))
+ message(CHANGE, "new : %s" % int64range2str(reference[0]))
+ else:
i = 0
for e in range(0, len(current)):
message(CHANGE, "old %d : %s" % (i, str(current[e])))
for e in range(0, len(reference)):
message(CHANGE, "new %d : %s" % (i, str(reference[e])))
i+=1
- else:
- message(CHANGE, "old : %s" % ndr_unpack(security.dom_sid, current[0]))
- message(CHANGE, "new : %s" % ndr_unpack(security.dom_sid, reference[0]))
-
def handle_special_add(samdb, dn, names):
"""Handle special operation (like remove) on some object needed during
#This entry was misplaced lets remove it if it exists
dntoremove = "CN=Certificate Service DCOM Access,"\
"CN=Users, %s" % names.rootdn
- print dntoremove
objDn = Dn(samdb, "CN=Cryptographic Operators, CN=Builtin, %s" % names.rootdn)
if dn == objDn:
base=str(names.rootdn),
scope=SCOPE_SUBTREE, attrs=["dn"],
controls=["search_options:1:2"])
- if len(res) > 0:
- message(CHANGE, "Existing object %s must be replaced by %s,"
+
+ res2 = samdb.search(expression="(dn=%s)" % dn,
+ base=str(names.rootdn),
+ scope=SCOPE_SUBTREE, attrs=["dn"],
+ controls=["search_options:1:2"])
+
+ if len(res) > 0 and len(res2) == 0:
+ message(CHANGE, "Existing object %s must be replaced by %s. "
"Renaming old object" % (str(oldDn), str(dn)))
- samdb.rename(oldDn, objDn)
+ samdb.rename(oldDn, objDn, ["relax:0", "provision:0"])
- return 1
+ return 0
if dntoremove is not None:
+ res = samdb.search(expression="(cn=RID Set)",
+ base=str(names.rootdn),
+ scope=SCOPE_SUBTREE, attrs=["dn"],
+ controls=["search_options:1:2"])
+
+ if len(res) == 0:
+ return 2
res = samdb.search(expression="(dn=%s)" % dntoremove,
base=str(names.rootdn),
scope=SCOPE_SUBTREE, attrs=["dn"],
controls=["search_options:1:2"])
if len(res) > 0:
- message(CHANGE, "Existing object %s must be replaced by %s,"
- "removing old object" % (dntoremove, str(dn)))
+ message(CHANGE, "Existing object %s must be replaced by %s. "
+ "Removing old object" % (dntoremove, str(dn)))
samdb.delete(res[0]["dn"])
- return 0
+ return 0
+
+ return 1
def check_dn_nottobecreated(hash, index, listdn):
:param index: Current creation order
:return: True if the object was created False otherwise"""
- if handle_special_add(samdb, dn, names):
- return
+ ret = handle_special_add(samdb, dn, names)
+
+ if ret == 2:
+ return False
+
+ if ret == 0:
+ return True
+
+
reference = ref_samdb.search(expression="dn=%s" % (str(dn)), base=basedn,
scope=SCOPE_SUBTREE, controls=["search_options:1:2"])
empty = Message()
try:
if str(reference[0].get("cn")) == "RID Set":
for klass in reference[0].get("objectClass"):
- if str(klass).lower == "ridset":
+ if str(klass).lower() == "ridset":
skip = True
finally:
if delta.get("objectSid"):
m = re.match(r".*-(\d+)$", sid)
if m and int(m.group(1))>999:
delta.remove("objectSid")
- for att in hashAttrNotCopied.keys():
+ for att in attrNotCopied:
delta.remove(att)
for att in backlinked:
delta.remove(att)
depend_on_yet_tobecreated = check_dn_nottobecreated(hash, index,
delta.get(str(att)))
if depend_on_yet_tobecreated is not None:
- message(CHANGE, "Object %s depends on %s in attribute %s,"
- "delaying the creation" % (dn,
+ message(CHANGE, "Object %s depends on %s in attribute %s. "
+ "Delaying the creation" % (dn,
depend_on_yet_tobecreated, att))
return False
delta.dn = dn
if not skip:
message(CHANGE,"Object %s will be added" % dn)
- samdb.add(delta, ["relax:0"])
+ samdb.add(delta, ["relax:0", "provision:0"])
else:
message(CHANGE,"Object %s was skipped" % dn)
ref_delObjCnt = ref_samdb.search(expression="(cn=Deleted Objects)",
base=part, scope=SCOPE_SUBTREE,
attrs=["dn"],
- controls=["show_deleted:0"])
+ controls=["show_deleted:0",
+ "show_recycled:0"])
delObjCnt = samdb.search(expression="(cn=Deleted Objects)",
base=part, scope=SCOPE_SUBTREE,
attrs=["dn"],
- controls=["show_deleted:0"])
+ controls=["show_deleted:0",
+ "show_recycled:0"])
if len(ref_delObjCnt) > len(delObjCnt):
reference = ref_samdb.search(expression="cn=Deleted Objects",
base=part, scope=SCOPE_SUBTREE,
- controls=["show_deleted:0"])
+ controls=["show_deleted:0",
+ "show_recycled:0"])
empty = Message()
delta = samdb.msg_diff(empty, reference[0])
delta.dn = Dn(samdb, str(reference[0]["dn"]))
- for att in hashAttrNotCopied.keys():
+ for att in attrNotCopied:
delta.remove(att)
- samdb.add(delta)
+
+ modcontrols = ["relax:0", "provision:0"]
+ samdb.add(delta, modcontrols)
listwko = []
res = samdb.search(expression="(objectClass=*)", base=part,
# DN can't be created because it depends on some
# other DN in the list
listDefered.append(dn)
+
if len(listDefered) != 0:
- raise ProvisioningError("Unable to insert missing elements:" \
+ raise ProvisioningError("Unable to insert missing elements: "
"circular references")
def handle_links(samdb, att, basedn, dn, value, ref_value, delta):
:param delta: The MessageElement object that will be applied for
transforming the current provision"""
- res = samdb.search(expression="dn=%s" % dn, base=basedn,
- controls=["search_options:1:2", "reveal:1"],
+ res = samdb.search(base=dn, controls=["search_options:1:2", "reveal:1"],
attrs=[att])
blacklist = {}
newlinklist = []
changed = False
- newlinklist.extend(value)
+ for v in value:
+ newlinklist.append(str(v))
for e in value:
hash[e] = 1
else:
delta.remove(att)
+ return delta
+
msg_elt_flag_strs = {
ldb.FLAG_MOD_ADD: "MOD_ADD",
ldb.FLAG_MOD_REPLACE: "MOD_REPLACE",
ldb.FLAG_MOD_DELETE: "MOD_DELETE" }
+def checkKeepAttributeOldMtd(delta, att, reference, current,
+ basedn, samdb):
+ """ Check if we should keep the attribute modification or not.
+ This function didn't use replicationMetadata to take a decision.
+
+ :param delta: A message diff object
+ :param att: An attribute
+ :param reference: A message object for the current entry comming from
+ the reference provision.
+ :param current: A message object for the current entry commin from
+ the current provision.
+ :param basedn: The DN of the partition
+ :param samdb: A ldb connection to the sam database of the current provision.
+
+ :return: The modified message diff.
+ """
+ # Old school way of handling things for pre alpha12 upgrade
+ global defSDmodified
+ isFirst = False
+ txt = ""
+ dn = current[0].dn
+
+ for att in list(delta):
+ msgElt = delta.get(att)
+
+ if att == "nTSecurityDescriptor":
+ defSDmodified = True
+ delta.remove(att)
+ continue
+
+ if att == "dn":
+ continue
+
+ if not hashOverwrittenAtt.has_key(att):
+ if msgElt.flags() != FLAG_MOD_ADD:
+ if not handle_special_case(att, delta, reference, current,
+ False, basedn, samdb):
+ if opts.debugchange or opts.debugall:
+ try:
+ dump_denied_change(dn, att,
+ msg_elt_flag_strs[msgElt.flags()],
+ current[0][att], reference[0][att])
+ except KeyError:
+ dump_denied_change(dn, att,
+ msg_elt_flag_strs[msgElt.flags()],
+ current[0][att], None)
+ delta.remove(att)
+ continue
+ else:
+ if hashOverwrittenAtt.get(att)&2**msgElt.flags() :
+ continue
+ elif hashOverwrittenAtt.get(att)==never:
+ delta.remove(att)
+ continue
+
+ return delta
+
+def checkKeepAttributeWithMetadata(delta, att, message, reference, current,
+ hash_attr_usn, basedn, usns, samdb):
+ """ Check if we should keep the attribute modification or not
+
+ :param delta: A message diff object
+ :param att: An attribute
+ :param message: A function to print messages
+ :param reference: A message object for the current entry comming from
+ the reference provision.
+ :param current: A message object for the current entry commin from
+ the current provision.
+ :param hash_attr_usn: A dictionnary with attribute name as keys,
+ USN and invocation id as values.
+ :param basedn: The DN of the partition
+ :param usns: A dictionnary with invocation ID as keys and USN ranges
+ as values.
+ :param samdb: A ldb object pointing to the sam DB
+
+ :return: The modified message diff.
+ """
+ global defSDmodified
+ isFirst = True
+ txt = ""
+ dn = current[0].dn
+
+ for att in list(delta):
+ if att in ["dn", "objectSid"]:
+ delta.remove(att)
+ continue
+
+ # We have updated by provision usn information so let's exploit
+ # replMetadataProperties
+ if att in forwardlinked:
+ curval = current[0].get(att, ())
+ refval = reference[0].get(att, ())
+ delta = handle_links(samdb, att, basedn, current[0]["dn"],
+ curval, refval, delta)
+ continue
+
+
+ if isFirst and len(list(delta)) > 1:
+ isFirst = False
+ txt = "%s\n" % (str(dn))
+
+ if handle_special_case(att, delta, reference, current, True, None, None):
+ # This attribute is "complicated" to handle and handling
+ # was done in handle_special_case
+ continue
+
+ attrUSN = None
+ if hash_attr_usn.get(att):
+ [attrUSN, attInvId] = hash_attr_usn.get(att)
+
+ if attrUSN is None:
+ # If it's a replicated attribute and we don't have any USN
+ # information about it. It means that we never saw it before
+ # so let's add it !
+ # If it is a replicated attribute but we are not master on it
+ # (ie. not initially added in the provision we masterize).
+ # attrUSN will be -1
+ if isReplicated(att):
+ continue
+ else:
+ message(CHANGE, "Non replicated attribute %s changed" % att)
+ continue
+
+ if att == "nTSecurityDescriptor":
+ cursd = ndr_unpack(security.descriptor,
+ str(current[0]["nTSecurityDescriptor"]))
+ cursddl = cursd.as_sddl(names.domainsid)
+ refsd = ndr_unpack(security.descriptor,
+ str(reference[0]["nTSecurityDescriptor"]))
+ refsddl = refsd.as_sddl(names.domainsid)
+
+ diff = get_diff_sddls(refsddl, cursddl)
+ if diff == "":
+ # FIXME find a way to have it only with huge huge verbose mode
+ # message(CHANGE, "%ssd are identical" % txt)
+ # txt = ""
+ delta.remove(att)
+ continue
+ else:
+ delta.remove(att)
+ message(CHANGESD, "%ssd are not identical:\n%s" % (txt, diff))
+ txt = ""
+ if attrUSN == -1:
+ message(CHANGESD, "But the SD has been changed by someonelse "\
+ "so it's impossible to know if the difference"\
+ " cames from the modification or from a previous bug")
+ dnNotToRecalculate.append(str(dn))
+ else:
+ dnToRecalculate.append(str(dn))
+ continue
+
+ if attrUSN == -1:
+ # This attribute was last modified by another DC forget
+ # about it
+ message(CHANGE, "%sAttribute: %s has been "
+ "created/modified/deleted by another DC. "
+ "Doing nothing" % (txt, att))
+ txt = ""
+ delta.remove(att)
+ continue
+ elif not usn_in_range(int(attrUSN), usns.get(attInvId)):
+ message(CHANGE, "%sAttribute: %s was not "
+ "created/modified/deleted during a "
+ "provision or upgradeprovision. Current "
+ "usn: %d. Doing nothing" % (txt, att,
+ attrUSN))
+ txt = ""
+ delta.remove(att)
+ continue
+ else:
+ if att == "defaultSecurityDescriptor":
+ defSDmodified = True
+ if attrUSN:
+ message(CHANGE, "%sAttribute: %s will be modified"
+ "/deleted it was last modified "
+ "during a provision. Current usn: "
+ "%d" % (txt, att, attrUSN))
+ txt = ""
+ else:
+ message(CHANGE, "%sAttribute: %s will be added because "
+ "it did not exist before" % (txt, att))
+ txt = ""
+ continue
+
+ return delta
-def update_present(ref_samdb, samdb, basedn, listPresent, usns, invocationid):
+def update_present(ref_samdb, samdb, basedn, listPresent, usns):
""" This function updates the object that are already present in the
provision
(ie. DC=foo, DC=bar)
:param listPresent: A list of object that is present in the provision
:param usns: A list of USN range modified by previous provision and
- upgradeprovision
- :param invocationid: The value of the invocationid for the current DC"""
+ upgradeprovision grouped by invocation ID
+ """
- global defSDmodified
# This hash is meant to speedup lookup of attribute name from an oid,
# it's for the replPropertyMetaData handling
hash_oid_name = {}
raise ProvisioningError(msg)
changed = 0
- controls = ["search_options:1:2", "sd_flags:1:2"]
+ controls = ["search_options:1:2", "sd_flags:1:0"]
+ if usns is not None:
+ message(CHANGE, "Using replPropertyMetadata for change selection")
for dn in listPresent:
reference = ref_samdb.search(expression="dn=%s" % (str(dn)), base=basedn,
scope=SCOPE_SUBTREE,
(str(current[0].dn) != str(reference[0].dn)) and
(str(current[0].dn).upper() == str(reference[0].dn).upper())
):
- message(CHANGE, "Name are the same but case change,"\
- "let's rename %s to %s" % (str(current[0].dn),
- str(reference[0].dn)))
+ message(CHANGE, "Names are the same except for the case. "
+ "Renaming %s to %s" % (str(current[0].dn),
+ str(reference[0].dn)))
identic_rename(samdb, reference[0].dn)
current = samdb.search(expression="dn=%s" % (str(dn)), base=basedn,
scope=SCOPE_SUBTREE,
- controls=["search_options:1:2"])
+ controls=controls)
delta = samdb.msg_diff(current[0], reference[0])
- for att in hashAttrNotCopied.keys():
+ for att in backlinked:
delta.remove(att)
- for att in backlinked:
+ for att in attrNotCopied:
delta.remove(att)
delta.remove("name")
- if len(delta.items()) > 1 and usns is not None:
+ nb_items = len(list(delta))
+
+ if nb_items == 1:
+ continue
+
+ if nb_items > 1 and usns is not None:
# Fetch the replPropertyMetaData
res = samdb.search(expression="dn=%s" % (str(dn)), base=basedn,
scope=SCOPE_SUBTREE, controls=controls,
# We put in this hash only modification
# made on the current host
att = hash_oid_name[samdb.get_oid_from_attid(o.attid)]
- if str(o.originating_invocation_id) == str(invocationid):
- # Note we could just use 1 here
- hash_attr_usn[att] = o.originating_usn
+ if str(o.originating_invocation_id) in usns.keys():
+ hash_attr_usn[att] = [o.originating_usn, str(o.originating_invocation_id)]
else:
- hash_attr_usn[att] = -1
-
- isFirst = 0
- txt = ""
-
- for att in delta:
- if usns is not None:
- # We have updated by provision usn information so let's exploit
- # replMetadataProperties
- if att in forwardlinked:
- handle_links(samdb, att, basedn, current[0]["dn"],
- current[0][att], reference[0][att], delta)
-
- if isFirst == 0 and len(delta.items())>1:
- isFirst = 1
- txt = "%s\n" % (str(dn))
- if att == "dn":
- # There is always a dn attribute after a msg_diff
- continue
- if att == "rIDAvailablePool":
- delta.remove(att)
- continue
- if att == "objectSid":
- delta.remove(att)
- continue
- if att == "creationTime":
- delta.remove(att)
- continue
- if att == "oEMInformation":
- delta.remove(att)
- continue
- if att == "msDs-KeyVersionNumber":
- # This is the kvno of the computer/user it's a very bad
- # idea to change it
- delta.remove(att)
- continue
- if handle_special_case(att, delta, reference, current, usns, basedn, samdb):
- # This attribute is "complicated" to handle and handling
- # was done in handle_special_case
- continue
- attrUSN = hash_attr_usn.get(att)
- if att == "forceLogoff" and attrUSN is None:
- continue
- if attrUSN is None:
- delta.remove(att)
- continue
+ hash_attr_usn[att] = [-1, None]
- if attrUSN == -1:
- # This attribute was last modified by another DC forget
- # about it
- message(CHANGE, "%sAttribute: %s has been"
- "created/modified/deleted by another DC,"
- " do nothing" % (txt, att ))
- txt = ""
- delta.remove(att)
- continue
- elif not usn_in_range(int(attrUSN), usns):
- message(CHANGE, "%sAttribute: %s has been"
- "created/modified/deleted not during a"
- " provision or upgradeprovision: current"
- " usn %d , do nothing" % (txt, att, attrUSN))
- txt = ""
- delta.remove(att)
- continue
- else:
- if att == "defaultSecurityDescriptor":
- defSDmodified = True
- if attrUSN:
- message(CHANGE, "%sAttribute: %s will be modified"
- "/deleted it was last modified"
- "during a provision, current usn:"
- "%d" % (txt, att, attrUSN))
- txt = ""
- else:
- message(CHANGE, "%sAttribute: %s will be added because"
- " it hasn't existed before " % (txt, att))
- txt = ""
- continue
+ if usns is not None:
+ delta = checkKeepAttributeWithMetadata(delta, att, message, reference,
+ current, hash_attr_usn,
+ basedn, usns, samdb)
+ else:
+ delta = checkKeepAttributeOldMtd(delta, att, reference, current, basedn, samdb)
- else:
- # Old school way of handling things for pre alpha12 upgrade
- defSDmodified = True
- msgElt = delta.get(att)
+ delta.dn = dn
- if att == "nTSecurityDescriptor":
- delta.remove(att)
- continue
-
- if att == "dn":
- continue
-
- if not hashOverwrittenAtt.has_key(att):
- if msgElt.flags() != FLAG_MOD_ADD:
- if not handle_special_case(att, delta, reference, current,
- usns, basedn, samdb):
- if opts.debugchange or opts.debugall:
- try:
- dump_denied_change(dn, att,
- msg_elt_flag_strs[msgElt.flags()],
- current[0][att], reference[0][att])
- except KeyError:
- dump_denied_change(dn, att,
- msg_elt_flag_strs[msgElt.flags()],
- current[0][att], None)
- delta.remove(att)
- continue
- else:
- if hashOverwrittenAtt.get(att)&2**msgElt.flags() :
- continue
- elif hashOverwrittenAtt.get(att)==never:
- delta.remove(att)
- continue
- delta.dn = dn
- if len(delta.items()) >1:
- attributes=", ".join(delta.keys())
+ if len(delta) >1:
+ # Skip dn as the value is not really changed ...
+ attributes=", ".join(delta.keys()[1:])
+ modcontrols = []
+ relaxedatt = ['iscriticalsystemobject', 'grouptype']
+ # Let's try to reduce as much as possible the use of relax control
+ for attr in delta.keys():
+ if attr.lower() in relaxedatt:
+ modcontrols = ["relax:0", "provision:0"]
message(CHANGE, "%s is different from the reference one, changed"
" attributes: %s\n" % (dn, attributes))
changed += 1
- samdb.modify(delta)
+ samdb.modify(delta, modcontrols)
return changed
+def reload_full_schema(samdb, names):
+ """Load the updated schema with all the new and existing classes
+ and attributes.
+
+ :param samdb: An LDB object connected to the sam.ldb of the update
+ provision
+ :param names: List of key provision parameters
+ """
+
+ schemadn = str(names.schemadn)
+ current = samdb.search(expression="objectClass=*", base=schemadn,
+ scope=SCOPE_SUBTREE)
+ schema_ldif = ""
+ prefixmap_data = ""
-def update_partition(ref_samdb, samdb, basedn, names, schema, provisionUSNs):
+ for ent in current:
+ schema_ldif += samdb.write_ldif(ent, ldb.CHANGETYPE_NONE)
+
+ prefixmap_data = open(setup_path("prefixMap.txt"), 'r').read()
+ prefixmap_data = b64encode(prefixmap_data)
+
+ # We don't actually add this ldif, just parse it
+ prefixmap_ldif = "dn: %s\nprefixMap:: %s\n\n" % (schemadn, prefixmap_data)
+
+ dsdb._dsdb_set_schema_from_ldif(samdb, prefixmap_ldif, schema_ldif, schemadn)
+
+
+def update_partition(ref_samdb, samdb, basedn, names, schema, provisionUSNs, prereloadfunc):
"""Check differences between the reference provision and the upgraded one.
It looks for all objects which base DN is name.
:param basedn: String value of the DN of the partition
:param names: List of key provision parameters
:param schema: A Schema object
- :param provisionUSNs: The USNs modified by provision/upgradeprovision
- last time"""
+ :param provisionUSNs: A dictionnary with range of USN modified during provision
+ or upgradeprovision. Ranges are grouped by invocationID.
+ :param prereloadfunc: A function that must be executed just before the reload
+ of the schema
+ """
hash_new = {}
hash = {}
add_deletedobj_containers(ref_samdb, samdb, names)
add_missing_entries(ref_samdb, samdb, names, basedn, listMissing)
+
+ prereloadfunc()
+ message(SIMPLE, "Reloading a merged schema, which might trigger "
+ "reindexing so please be patient")
+ reload_full_schema(samdb, names)
+ message(SIMPLE, "Schema reloaded!")
+
changed = update_present(ref_samdb, samdb, basedn, listPresent,
- provisionUSNs, names.invocation)
+ provisionUSNs)
message(SIMPLE, "There are %d changed objects" % (changed))
return 1
str(current[i]["nTSecurityDescriptor"]))
sddl = cursd.as_sddl(names.domainsid)
if sddl != hash[key]:
- txt = get_diff_sddls(hash[key], sddl)
+ txt = get_diff_sddls(hash[key], sddl, False)
if txt != "":
message(CHANGESD, "On object %s ACL is different"
" \n%s" % (current[i]["dn"], txt))
:param samdb: An LDB object pointing to the sam of the current provision
:param names: A list of key provision parameters
"""
+ alwaysRecalculate = False
+ if len(dnToRecalculate) == 0 and len(dnNotToRecalculate) == 0:
+ alwaysRecalculate = True
+
+
+ # NC's DN can't be both in dnToRecalculate and dnNotToRecalculate
# First update the SD for the rootdn
- res = samdb.search(expression="objectClass=*", base=str(names.rootdn),
- scope=SCOPE_BASE, attrs=["dn", "whenCreated"],
- controls=["search_options:1:2"])
- delta = Message()
- delta.dn = Dn(samdb, str(res[0]["dn"]))
- descr = get_domain_descriptor(names.domainsid)
- delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
- "nTSecurityDescriptor")
- samdb.modify(delta, ["recalculate_sd:0"])
+ if alwaysRecalculate or str(names.rootdn) in dnToRecalculate:
+ delta = Message()
+ delta.dn = Dn(samdb, str(names.rootdn))
+ descr = get_domain_descriptor(names.domainsid)
+ delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
+ "nTSecurityDescriptor")
+ samdb.modify(delta)
+
# Then the config dn
- res = samdb.search(expression="objectClass=*", base=str(names.configdn),
- scope=SCOPE_BASE, attrs=["dn", "whenCreated"],
- controls=["search_options:1:2"])
- delta = Message()
- delta.dn = Dn(samdb, str(res[0]["dn"]))
- descr = get_config_descriptor(names.domainsid)
- delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
- "nTSecurityDescriptor" )
- samdb.modify(delta, ["recalculate_sd:0"])
- # Then the schema dn
- res = samdb.search(expression="objectClass=*", base=str(names.schemadn),
- scope=SCOPE_BASE, attrs=["dn", "whenCreated"],
- controls=["search_options:1:2"])
+ if alwaysRecalculate or str(names.configdn) in dnToRecalculate:
+ delta = Message()
+ delta.dn = Dn(samdb, str(names.configdn))
+ descr = get_config_descriptor(names.domainsid)
+ delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
+ "nTSecurityDescriptor" )
+ samdb.modify(delta)
- delta = Message()
- delta.dn = Dn(samdb, str(res[0]["dn"]))
- descr = get_schema_descriptor(names.domainsid)
- delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
- "nTSecurityDescriptor" )
- samdb.modify(delta, ["recalculate_sd:0"])
+ # Then the schema dn
+ if alwaysRecalculate or str(names.schemadn) in dnToRecalculate:
+ delta = Message()
+ delta.dn = Dn(samdb, str(names.schemadn))
+ descr = get_schema_descriptor(names.domainsid)
+ delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
+ "nTSecurityDescriptor" )
+ samdb.modify(delta)
def rebuild_sd(samdb, names):
"""Rebuild security descriptor of the current provision from scratch
:param names: List of key provision parameters"""
+ fix_partition_sd(samdb, names)
+ # List of namming contexts
+ listNC = [str(names.rootdn), str(names.configdn), str(names.schemadn)]
hash = {}
- res = samdb.search(expression="objectClass=*", base=str(names.rootdn),
+ if len(dnToRecalculate) == 0:
+ res = samdb.search(expression="objectClass=*", base=str(names.rootdn),
scope=SCOPE_SUBTREE, attrs=["dn", "whenCreated"],
controls=["search_options:1:2"])
- for obj in res:
- if not (str(obj["dn"]) == str(names.rootdn) or
- str(obj["dn"]) == str(names.configdn) or
- str(obj["dn"]) == str(names.schemadn)):
- hash[str(obj["dn"])] = obj["whenCreated"]
-
- listkeys = hash.keys()
- listkeys.sort(dn_sort)
-
- for key in listkeys:
+ for obj in res:
+ hash[str(obj["dn"])] = obj["whenCreated"]
+ else:
+ for dn in dnToRecalculate:
+ if hash.has_key(dn):
+ continue
+ # fetch each dn to recalculate and their child within the same partition
+ res = samdb.search(expression="objectClass=*", base=dn,
+ scope=SCOPE_SUBTREE, attrs=["dn", "whenCreated"])
+ for obj in res:
+ hash[str(obj["dn"])] = obj["whenCreated"]
+
+ listKeys = list(set(hash.keys()))
+ listKeys.sort(dn_sort)
+
+ if len(dnToRecalculate) != 0:
+ message(CHANGESD, "%d DNs have been marked as needed to be recalculated"\
+ ", recalculating %d due to inheritance"
+ % (len(dnToRecalculate), len(listKeys)))
+
+ for key in listKeys:
+ if (key in listNC or
+ key in dnNotToRecalculate):
+ continue
+ delta = Message()
+ delta.dn = Dn(samdb, key)
try:
- delta = Message()
- delta.dn = Dn(samdb, key)
delta["whenCreated"] = MessageElement(hash[key], FLAG_MOD_REPLACE,
"whenCreated" )
- samdb.modify(delta, ["recalculate_sd:0"])
- except:
- # XXX: We should always catch an explicit exception.
- # What could go wrong here?
+ samdb.modify(delta, ["recalculate_sd:0","relax:0"])
+ except LdbError, e:
samdb.transaction_cancel()
res = samdb.search(expression="objectClass=*", base=str(names.rootdn),
scope=SCOPE_SUBTREE,
controls=["search_options:1:2"])
badsd = ndr_unpack(security.descriptor,
str(res[0]["nTSecurityDescriptor"]))
- print "bad stuff %s" % badsd.as_sddl(names.domainsid)
+ message(ERROR, "On %s bad stuff %s" % (str(delta.dn),badsd.as_sddl(names.domainsid)))
return
+def hasATProvision(samdb):
+ entry = samdb.search(expression="dn=@PROVISION", base = "",
+ scope=SCOPE_BASE,
+ attrs=["dn"])
+
+ if entry != None and len(entry) == 1:
+ return True
+ else:
+ return False
+
def removeProvisionUSN(samdb):
attrs = [samba.provision.LAST_PROVISION_USN_ATTRIBUTE, "dn"]
entry = samdb.search(expression="dn=@PROVISION", base = "",
- scope=SCOPE_SUBTREE,
- controls=["search_options:1:2"],
+ scope=SCOPE_BASE,
attrs=attrs)
empty = Message()
empty.dn = entry[0].dn
os.path.join(cur_private_path, "privilege.ldb"))
-def update_samdb(ref_samdb, samdb, names, highestUSN, schema):
+def update_samdb(ref_samdb, samdb, names, provisionUSNs, schema, prereloadfunc):
"""Upgrade the SAM DB contents for all the provision partitions
:param ref_sambdb: An LDB object conntected to the sam.ldb of the reference
:param samdb: An LDB object connected to the sam.ldb of the update
provision
:param names: List of key provision parameters
- :param highestUSN: The highest USN modified by provision/upgradeprovision
- last time
- :param schema: A Schema object that represent the schema of the provision"""
+ :param provisionUSNs: A dictionnary with range of USN modified during provision
+ or upgradeprovision. Ranges are grouped by invocationID.
+ :param schema: A Schema object that represent the schema of the provision
+ :param prereloadfunc: A function that must be executed just before the reload
+ of the schema
+ """
message(SIMPLE, "Starting update of samdb")
ret = update_partition(ref_samdb, samdb, str(names.rootdn), names,
- schema, highestUSN)
+ schema, provisionUSNs, prereloadfunc)
if ret:
message(SIMPLE, "Update of samdb finished")
return 1
samba.xattr_native.wrap_setxattr(tgt,
xattr.XATTR_NTACL_NAME,
attribute)
- except:
+ except Exception:
noxattr = 1
attribute = samba.xattr_native.wrap_getxattr(ref,
"system.posix_acl_access")
samba.xattr_native.wrap_setxattr(tgt,
"system.posix_acl_access",
attribute)
- except:
+ except Exception:
continue
for name in dirs:
subdir=root[len(dir):]
samba.xattr_native.wrap_setxattr(tgt,
xattr.XATTR_NTACL_NAME,
attribute)
- except:
+ except Exception:
noxattr = 1
attribute = samba.xattr_native.wrap_getxattr(ref,
"system.posix_acl_access")
"system.posix_acl_access",
attribute)
- except:
+ except Exception:
continue
:param samdb: An LDB object attached to the currently upgraded samdb
:param names: Various key parameter about current provision.
"""
- listAttrs = ["msDs-KeyVersionAttribute"]
+ listAttrs = ["msDs-KeyVersionNumber"]
hash = search_constructed_attrs_stored(samdb, names.rootdn, listAttrs)
- increment_calculated_keyversion_number(samdb, names.rootdn, hash)
-
-def setup_path(file):
- return os.path.join(setup_dir, file)
+ if hash.has_key("msDs-KeyVersionNumber"):
+ increment_calculated_keyversion_number(samdb, names.rootdn,
+ hash["msDs-KeyVersionNumber"])
# Synopsis for updateprovision
# 1) get path related to provision to be update (called current)
# This resulting object is filtered to remove all the back link attribute
# (ie. memberOf) as they will be created by the other linked object (ie.
# the one with the member attribute)
-# All attributes specified in the hashAttrNotCopied associative array are
+# All attributes specified in the attrNotCopied array are
# also removed it's most of the time generated attributes
# After missing entries have been added the update_partition function will
# From here start the big steps of the program
# 1) First get files paths
paths = get_paths(param, smbconf=smbconf)
- paths.setup = setup_dir
# Get ldbs with the system session, it is needed for searching
# provision parameters
session = system_session()
# 4)
lastProvisionUSNs = get_last_provision_usn(ldbs.sam)
if lastProvisionUSNs is not None:
+ v = 0
+ for k in lastProvisionUSNs.keys():
+ for r in lastProvisionUSNs[k]:
+ v = v + 1
+
message(CHANGE,
- "Find a last provision USN, %d range(s)" % len(lastProvisionUSNs))
+ "Find last provision USN, %d invocation(s) for a total of %d ranges" % \
+ (len(lastProvisionUSNs.keys()), v /2 ))
+
+ if lastProvisionUSNs.get("default") != None:
+ message(CHANGE, "Old style for usn ranges used")
+ lastProvisionUSNs[str(names.invocation)] = lastProvisionUSNs["default"]
+ del lastProvisionUSNs["default"]
+ else:
+ message(SIMPLE, "Your provision lacks provision range information")
+ if confirm("Do you want to run findprovisionusnranges to try to find them ?", False):
+ ldbs.groupedRollback()
+ os.system("%s %s %s %s %s" % (os.path.join(os.path.dirname(sys.argv[0]),
+ "findprovisionusnranges"),
+ "--storedir",
+ paths.private_dir,
+ "-s",
+ smbconf))
+ message(SIMPLE, "Once you applied/adapted the change(s) please restart the upgradeprovision script")
+ sys.exit(0)
# Objects will be created with the admin session
# (not anymore system session)
adm_session = admin_session(lp, str(names.domainsid))
# So we reget handle on objects
# ldbs = get_ldbs(paths, creds, adm_session, lp)
-
- if not sanitychecks(ldbs.sam, names):
- message(SIMPLE, "Sanity checks for the upgrade fails, checks messages"
- " and correct them before rerunning upgradeprovision")
- sys.exit(1)
-
- # Let's see provision parameters
- print_provision_key_parameters(names)
-
- # 5) With all this information let's create a fresh new provision used as
- # reference
- message(SIMPLE, "Creating a reference provision")
- provisiondir = tempfile.mkdtemp(dir=paths.private_dir,
- prefix="referenceprovision")
- newprovision(names, setup_dir, creds, session, smbconf, provisiondir,
- provision_logger)
-
- # TODO
- # 6) and 7)
- # We need to get a list of object which SD is directly computed from
- # defaultSecurityDescriptor.
- # This will allow us to know which object we can rebuild the SD in case
- # of change of the parent's SD or of the defaultSD.
- # Get file paths of this new provision
- newpaths = get_paths(param, targetdir=provisiondir)
- new_ldbs = get_ldbs(newpaths, creds, session, lp)
- new_ldbs.startTransactions()
-
- # 8) Populate some associative array to ease the update process
- # List of attribute which are link and backlink
- populate_links(new_ldbs.sam, names.schemadn)
- # List of attribute with ASN DN synthax)
- populate_dnsyntax(new_ldbs.sam, names.schemadn)
- # 9)
- update_privilege(newpaths.private_dir, paths.private_dir)
- # 10)
- oem = getOEMInfo(ldbs.sam, str(names.rootdn))
- # Do some modification on sam.ldb
- ldbs.groupedCommit()
- new_ldbs.groupedCommit()
-
- # 11)
- if re.match(".*alpha((9)|(\d\d+)).*", str(oem)):
- # 11) A
- # Starting from alpha9 we can consider that the structure is quite ok
- # and that we should do only dela
- delta_update_basesamdb(newpaths.samdb, paths.samdb, creds, session, lp, message)
- else:
- # 11) B
- simple_update_basesamdb(newpaths, paths, names)
- ldbs = get_ldbs(paths, creds, session, lp)
- removeProvisionUSN(ldbs.sam)
-
- ldbs.startTransactions()
- minUSN = int(str(get_max_usn(ldbs.sam, str(names.rootdn)))) + 1
- new_ldbs.startTransactions()
-
- # 12)
- schema = Schema(setup_path, names.domainsid, schemadn=str(names.schemadn),
- serverdn=str(names.serverdn))
-
- # 13)
- if opts.full:
- if not update_samdb(new_ldbs.sam, ldbs.sam, names, lastProvisionUSNs,
- schema):
- message(SIMPLE, "Rollbacking every changes. Check the reason"
- " of the problem")
- message(SIMPLE, "In any case your system as it was before"
- " the upgrade")
+ if not opts.fixntacl:
+ if not sanitychecks(ldbs.sam, names):
+ message(SIMPLE, "Sanity checks for the upgrade have failed. "
+ "Check the messages and correct the errors "
+ "before rerunning upgradeprovision")
ldbs.groupedRollback()
- new_ldbs.groupedRollback()
- shutil.rmtree(provisiondir)
sys.exit(1)
+
+ # Let's see provision parameters
+ print_provision_key_parameters(names)
+
+ # 5) With all this information let's create a fresh new provision used as
+ # reference
+ message(SIMPLE, "Creating a reference provision")
+ provisiondir = tempfile.mkdtemp(dir=paths.private_dir,
+ prefix="referenceprovision")
+ newprovision(names, creds, session, smbconf, provisiondir,
+ provision_logger)
+
+ # TODO
+ # 6) and 7)
+ # We need to get a list of object which SD is directly computed from
+ # defaultSecurityDescriptor.
+ # This will allow us to know which object we can rebuild the SD in case
+ # of change of the parent's SD or of the defaultSD.
+ # Get file paths of this new provision
+ newpaths = get_paths(param, targetdir=provisiondir)
+ new_ldbs = get_ldbs(newpaths, creds, session, lp)
+ new_ldbs.startTransactions()
+
+ populateNotReplicated(new_ldbs.sam, names.schemadn)
+ # 8) Populate some associative array to ease the update process
+ # List of attribute which are link and backlink
+ populate_links(new_ldbs.sam, names.schemadn)
+ # List of attribute with ASN DN synthax)
+ populate_dnsyntax(new_ldbs.sam, names.schemadn)
+ # 9)
+ update_privilege(newpaths.private_dir, paths.private_dir)
+ # 10)
+ oem = getOEMInfo(ldbs.sam, str(names.rootdn))
+ # Do some modification on sam.ldb
+ ldbs.groupedCommit()
+ new_ldbs.groupedCommit()
+ deltaattr = None
+ # 11)
+ message(GUESS, oem)
+ if oem is None or hasATProvision(ldbs.sam) or re.match(".*alpha((9)|(\d\d+)).*", str(oem)):
+ # 11) A
+ # Starting from alpha9 we can consider that the structure is quite ok
+ # and that we should do only dela
+ deltaattr = delta_update_basesamdb(newpaths.samdb,
+ paths.samdb,
+ creds,
+ session,
+ lp,
+ message)
+ else:
+ # 11) B
+ simple_update_basesamdb(newpaths, paths, names)
+ ldbs = get_ldbs(paths, creds, session, lp)
+ removeProvisionUSN(ldbs.sam)
+
+ ldbs.startTransactions()
+ minUSN = int(str(get_max_usn(ldbs.sam, str(names.rootdn)))) + 1
+ new_ldbs.startTransactions()
+
+ # 12)
+ schema = Schema(names.domainsid, schemadn=str(names.schemadn))
+ # We create a closure that will be invoked just before schema reload
+ def schemareloadclosure():
+ basesam = Ldb(paths.samdb, session_info=session, credentials=creds, lp=lp,
+ options=["modules:"])
+ doit = False
+ if deltaattr is not None and len(deltaattr) > 1:
+ doit = True
+ if doit:
+ deltaattr.remove("dn")
+ for att in deltaattr:
+ if att.lower() == "dn":
+ continue
+ if (deltaattr.get(att) is not None
+ and deltaattr.get(att).flags() != FLAG_MOD_ADD):
+ doit = False
+ elif deltaattr.get(att) is None:
+ doit = False
+ if doit:
+ message(CHANGE, "Applying delta to @ATTRIBUTES")
+ deltaattr.dn = ldb.Dn(basesam, "@ATTRIBUTES")
+ basesam.modify(deltaattr)
+ else:
+ message(CHANGE, "Not applying delta to @ATTRIBUTES because "
+ "there is not only add")
+ # 13)
+ if opts.full:
+ if not update_samdb(new_ldbs.sam, ldbs.sam, names, lastProvisionUSNs,
+ schema, schemareloadclosure):
+ message(SIMPLE, "Rolling back all changes. Check the cause"
+ " of the problem")
+ message(SIMPLE, "Your system is as it was before the upgrade")
+ ldbs.groupedRollback()
+ new_ldbs.groupedRollback()
+ shutil.rmtree(provisiondir)
+ sys.exit(1)
else:
+ # Try to reapply the change also when we do not change the sam
+ # as the delta_upgrade
+ schemareloadclosure()
sync_calculated_attributes(ldbs.sam, names)
- # 14)
- update_secrets(new_ldbs.secrets, ldbs.secrets, message)
- # 15)
- message(SIMPLE, "Update machine account")
- update_machine_account_password(ldbs.sam, ldbs.secrets, names)
-
- # 16) SD should be created with admin but as some previous acl were so wrong
- # that admin can't modify them we have first to recreate them with the good
- # form but with system account and then give the ownership to admin ...
- if not re.match(r'.*alpha(9|\d\d+)', str(oem)):
- message(SIMPLE, "Fixing old povision SD")
- fix_partition_sd(ldbs.sam, names)
- rebuild_sd(ldbs.sam, names)
-
- # We calculate the max USN before recalculating the SD because we might
- # touch object that have been modified after a provision and we do not
- # want that the next upgradeprovision thinks that it has a green light
- # to modify them
-
- # 17)
- maxUSN = get_max_usn(ldbs.sam, str(names.rootdn))
-
- # 18) We rebuild SD only if defaultSecurityDescriptor is modified
- # But in fact we should do it also if one object has its SD modified as
- # child might need rebuild
- if defSDmodified:
- message(SIMPLE, "Updating SD")
- ldbs.sam.set_session_info(adm_session)
- # Alpha10 was a bit broken still
- if re.match(r'.*alpha(\d|10)', str(oem)):
- fix_partition_sd(ldbs.sam, names)
- rebuild_sd(ldbs.sam, names)
-
- # 19)
- # Now we are quite confident in the recalculate process of the SD, we make
- # it optional.
- # Also the check must be done in a clever way as for the moment we just
- # compare SDDL
- if opts.debugchangesd:
- check_updated_sd(new_ldbs.sam, ldbs.sam, names)
-
- # 20)
- updateOEMInfo(ldbs.sam, str(names.rootdn))
- # 21)
- check_for_DNS(newpaths.private_dir, paths.private_dir)
- # 22)
- if lastProvisionUSNs is not None:
- update_provision_usn(ldbs.sam, minUSN, maxUSN)
- if opts.full and (names.policyid is None or names.policyid_dc is None):
- update_policyids(names, ldbs.sam)
- if opts.full or opts.resetfileacl:
+ res = ldbs.sam.search(expression="(samaccountname=dns)",
+ scope=SCOPE_SUBTREE, attrs=["dn"],
+ controls=["search_options:1:2"])
+ if len(res) > 0:
+ message(SIMPLE, "You still have the old DNS object for managing "
+ "dynamic DNS, but you didn't supply --full so "
+ "a correct update can't be done")
+ ldbs.groupedRollback()
+ new_ldbs.groupedRollback()
+ shutil.rmtree(provisiondir)
+ sys.exit(1)
+ # 14)
+ update_secrets(new_ldbs.secrets, ldbs.secrets, message)
+ # 14bis)
+ res = ldbs.sam.search(expression="(samaccountname=dns)",
+ scope=SCOPE_SUBTREE, attrs=["dn"],
+ controls=["search_options:1:2"])
+
+ if (len(res) == 1):
+ ldbs.sam.delete(res[0]["dn"])
+ res2 = ldbs.secrets.search(expression="(samaccountname=dns)",
+ scope=SCOPE_SUBTREE, attrs=["dn"])
+ update_dns_account_password(ldbs.sam, ldbs.secrets, names)
+ message(SIMPLE, "IMPORTANT!!! "
+ "If you were using Dynamic DNS before you need "
+ "to update your configuration, so that the "
+ "tkey-gssapi-credential has the following value: "
+ "DNS/%s.%s" % (names.netbiosname.lower(),
+ names.realm.lower()))
+ # 15)
+ message(SIMPLE, "Update machine account")
+ update_machine_account_password(ldbs.sam, ldbs.secrets, names)
+
+ dnToRecalculate.sort(dn_sort)
+ # 16) SD should be created with admin but as some previous acl were so wrong
+ # that admin can't modify them we have first to recreate them with the good
+ # form but with system account and then give the ownership to admin ...
+ if str(oem) != "" and not re.match(r'.*alpha(9|\d\d+)', str(oem)):
+ message(SIMPLE, "Fixing very old provision SD")
+ rebuild_sd(ldbs.sam, names)
+
+ # We calculate the max USN before recalculating the SD because we might
+ # touch object that have been modified after a provision and we do not
+ # want that the next upgradeprovision thinks that it has a green light
+ # to modify them
+
+ # 17)
+ maxUSN = get_max_usn(ldbs.sam, str(names.rootdn))
+
+ # 18) We rebuild SD if a we have a list of DN to recalculate or if the
+ # defSDmodified is set.
+ if defSDmodified or len(dnToRecalculate) >0:
+ message(SIMPLE, "Some defaultSecurityDescriptors and/or"
+ "securityDescriptor have changed, recalculating SD ")
+ ldbs.sam.set_session_info(adm_session)
+ rebuild_sd(ldbs.sam, names)
+
+ # 19)
+ # Now we are quite confident in the recalculate process of the SD, we make
+ # it optional. And we don't do it if there is DN that we must touch
+ # as we are assured that on this DNs we will have differences !
+ # Also the check must be done in a clever way as for the moment we just
+ # compare SDDL
+ if len(dnNotToRecalculate) == 0 and (opts.debugchangesd or opts.debugall):
+ message(CHANGESD, "Checking recalculated SDs")
+ check_updated_sd(new_ldbs.sam, ldbs.sam, names)
+
+ # 20)
+ updateOEMInfo(ldbs.sam, str(names.rootdn))
+ # 21)
+ check_for_DNS(newpaths.private_dir, paths.private_dir)
+ # 22)
+ if lastProvisionUSNs is not None:
+ update_provision_usn(ldbs.sam, minUSN, maxUSN, names.invocation)
+ if opts.full and (names.policyid is None or names.policyid_dc is None):
+ update_policyids(names, ldbs.sam)
+ if opts.full or opts.resetfileacl or opts.fixntacl:
try:
update_gpo(paths, ldbs.sam, names, lp, message, 1)
except ProvisioningError, e:
- message(ERROR, "The policy for domain controller is missing,"
- " you should restart upgradeprovision with --full")
+ message(ERROR, "The policy for domain controller is missing. "
+ "You should restart upgradeprovision with --full")
+ except IOError, e:
+ message(ERROR, "Setting ACL not supported on your filesystem")
else:
try:
update_gpo(paths, ldbs.sam, names, lp, message, 0)
except ProvisioningError, e:
- message(ERROR, "The policy for domain controller is missing,"
- " you should restart upgradeprovision with --full")
- ldbs.groupedCommit()
- new_ldbs.groupedCommit()
- message(SIMPLE, "Upgrade finished !")
- # remove reference provision now that everything is done !
- shutil.rmtree(provisiondir)
+ message(ERROR, "The policy for domain controller is missing. "
+ "You should restart upgradeprovision with --full")
+ if not opts.fixntacl:
+ ldbs.groupedCommit()
+ new_ldbs.groupedCommit()
+ message(SIMPLE, "Upgrade finished!")
+ # remove reference provision now that everything is done !
+ # So we have reindexed first if need when the merged schema was reloaded
+ # (as new attributes could have quick in)
+ # But the second part of the update (when we update existing objects
+ # can also have an influence on indexing as some attribute might have their
+ # searchflag modificated
+ message(SIMPLE, "Reopenning samdb to trigger reindexing if needed "
+ "after modification")
+ samdb = Ldb(paths.samdb, session_info=session, credentials=creds, lp=lp)
+ message(SIMPLE, "Reindexing finished")
+
+ shutil.rmtree(provisiondir)
+ else:
+ ldbs.groupedRollback()
+ message(SIMPLE, "ACLs fixed !")
except StandardError, err:
- message(ERROR,"A problem has occured when trying to upgrade your provision,"
- " a full backup is located at %s" % backupdir)
- if opts.changeall:
+ message(ERROR, "A problem occurred while trying to upgrade your "
+ "provision. A full backup is located at %s" % backupdir)
+ if opts.debugall or opts.debugchange:
(typ, val, tb) = sys.exc_info()
traceback.print_exception(typ, val, tb)
+ sys.exit(1)
git.samba.org / sfrench / samba-autobuild / .git / blobdiff