search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:torture/smb2: add smb2.read.bug14607 test
[Samba.git] / python / samba / upgradehelpers.py
blob7f92b45f3fb20d04c67076b384277be0a160424c
1 # Helpers for provision stuff
2 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2012
3 #
4 # Based on provision a Samba4 server by
5 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
6 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
7 #
8 #
9 # This program is free software; you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation; either version 3 of the License, or
12 # (at your option) any later version.
13 #
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
18 #
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
21
22 """Helpers used for upgrading between different database formats."""
23
24 import os
25 import re
26 import shutil
27 import samba
28
29 from samba.common import cmp
30 from samba import Ldb, version, ntacls
31 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE
32 import ldb
33 from samba.provision import (provision_paths_from_lp,
34 getpolicypath, create_gpo_struct,
35 provision, ProvisioningError,
36 secretsdb_self_join)
37 from samba.provision.common import FILL_FULL
38 from samba.dcerpc import drsblobs
39 from samba.dcerpc.misc import SEC_CHAN_BDC
40 from samba.ndr import ndr_unpack
41 from samba.samdb import SamDB
42 from samba import _glue
43 import tempfile
44
45 # All the ldb related to registry are commented because the path for them is
46 # relative in the provisionPath object
47 # And so opening them create a file in the current directory which is not what
48 # we want
49 # I still keep them commented because I plan soon to make more cleaner
50 ERROR = -1
51 SIMPLE = 0x00
52 CHANGE = 0x01
53 CHANGESD = 0x02
54 GUESS = 0x04
55 PROVISION = 0x08
56 CHANGEALL = 0xff
57
58 hashAttrNotCopied = set(["dn", "whenCreated", "whenChanged", "objectGUID",
59 "uSNCreated", "replPropertyMetaData", "uSNChanged", "parentGUID",
60 "objectCategory", "distinguishedName", "nTMixedDomain",
61 "showInAdvancedViewOnly", "instanceType", "msDS-Behavior-Version",
62 "nextRid", "cn", "versionNumber", "lmPwdHistory", "pwdLastSet",
63 "ntPwdHistory", "unicodePwd", "dBCSPwd", "supplementalCredentials",
64 "gPCUserExtensionNames", "gPCMachineExtensionNames", "maxPwdAge", "secret",
65 "possibleInferiors", "privilege", "sAMAccountType"])
66
67
68 class ProvisionLDB(object):
69
70 def __init__(self):
71 self.sam = None
72 self.secrets = None
73 self.idmap = None
74 self.privilege = None
75 self.hkcr = None
76 self.hkcu = None
77 self.hku = None
78 self.hklm = None
79
80 def dbs(self):
81 return (self.sam, self.secrets, self.idmap, self.privilege)
82
83 def startTransactions(self):
84 for db in self.dbs():
85 db.transaction_start()
86 # TO BE DONE
87 # self.hkcr.transaction_start()
88 # self.hkcu.transaction_start()
89 # self.hku.transaction_start()
90 # self.hklm.transaction_start()
91
92 def groupedRollback(self):
93 ok = True
94 for db in self.dbs():
95 try:
96 db.transaction_cancel()
97 except Exception:
98 ok = False
99 return ok
100 # TO BE DONE
101 # self.hkcr.transaction_cancel()
102 # self.hkcu.transaction_cancel()
103 # self.hku.transaction_cancel()
104 # self.hklm.transaction_cancel()
105
106 def groupedCommit(self):
107 try:
108 for db in self.dbs():
109 db.transaction_prepare_commit()
110 except Exception:
111 return self.groupedRollback()
112 # TO BE DONE
113 # self.hkcr.transaction_prepare_commit()
114 # self.hkcu.transaction_prepare_commit()
115 # self.hku.transaction_prepare_commit()
116 # self.hklm.transaction_prepare_commit()
117 try:
118 for db in self.dbs():
119 db.transaction_commit()
120 except Exception:
121 return self.groupedRollback()
122
123 # TO BE DONE
124 # self.hkcr.transaction_commit()
125 # self.hkcu.transaction_commit()
126 # self.hku.transaction_commit()
127 # self.hklm.transaction_commit()
128 return True
129
130
131 def get_ldbs(paths, creds, session, lp):
132 """Return LDB object mapped on most important databases
133
134 :param paths: An object holding the different importants paths for provision object
135 :param creds: Credential used for openning LDB files
136 :param session: Session to use for openning LDB files
137 :param lp: A loadparam object
138 :return: A ProvisionLDB object that contains LDB object for the different LDB files of the provision"""
139
140 ldbs = ProvisionLDB()
141
142 ldbs.sam = SamDB(paths.samdb,
143 session_info=session,
144 credentials=creds,
145 lp=lp,
146 options=["modules:samba_dsdb"],
147 flags=0)
148 ldbs.secrets = Ldb(paths.secrets, session_info=session, credentials=creds, lp=lp)
149 ldbs.idmap = Ldb(paths.idmapdb, session_info=session, credentials=creds, lp=lp)
150 ldbs.privilege = Ldb(paths.privilege, session_info=session, credentials=creds, lp=lp)
151 # ldbs.hkcr = Ldb(paths.hkcr, session_info=session, credentials=creds, lp=lp)
152 # ldbs.hkcu = Ldb(paths.hkcu, session_info=session, credentials=creds, lp=lp)
153 # ldbs.hku = Ldb(paths.hku, session_info=session, credentials=creds, lp=lp)
154 # ldbs.hklm = Ldb(paths.hklm, session_info=session, credentials=creds, lp=lp)
155
156 return ldbs
157
158
159 def usn_in_range(usn, range):
160 """Check if the usn is in one of the range provided.
161 To do so, the value is checked to be between the lower bound and
162 higher bound of a range
163
164 :param usn: A integer value corresponding to the usn that we want to update
165 :param range: A list of integer representing ranges, lower bounds are in
166 the even indices, higher in odd indices
167 :return: True if the usn is in one of the range, False otherwise
168 """
169
170 idx = 0
171 cont = True
172 ok = False
173 while cont:
174 if idx == len(range):
175 cont = False
176 continue
177 if usn < int(range[idx]):
178 if idx % 2 == 1:
179 ok = True
180 cont = False
181 if usn == int(range[idx]):
182 cont = False
183 ok = True
184 idx = idx + 1
185 return ok
186
187
188 def get_paths(param, targetdir=None, smbconf=None):
189 """Get paths to important provision objects (smb.conf, ldb files, ...)
190
191 :param param: Param object
192 :param targetdir: Directory where the provision is (or will be) stored
193 :param smbconf: Path to the smb.conf file
194 :return: A list with the path of important provision objects"""
195 if targetdir is not None:
196 if not os.path.exists(targetdir):
197 os.mkdir(targetdir)
198 etcdir = os.path.join(targetdir, "etc")
199 if not os.path.exists(etcdir):
200 os.makedirs(etcdir)
201 smbconf = os.path.join(etcdir, "smb.conf")
202 if smbconf is None:
203 smbconf = param.default_path()
204
205 if not os.path.exists(smbconf):
206 raise ProvisioningError("Unable to find smb.conf at %s" % smbconf)
207
208 lp = param.LoadParm()
209 lp.load(smbconf)
210 paths = provision_paths_from_lp(lp, lp.get("realm"))
211 return paths
212
213
214 def update_policyids(names, samdb):
215 """Update policy ids that could have changed after sam update
216
217 :param names: List of key provision parameters
218 :param samdb: An Ldb object conntected with the sam DB
219 """
220 # policy guid
221 res = samdb.search(expression="(displayName=Default Domain Policy)",
222 base="CN=Policies,CN=System," + str(names.rootdn),
223 scope=SCOPE_ONELEVEL, attrs=["cn", "displayName"])
224 names.policyid = str(res[0]["cn"]).replace("{", "").replace("}", "")
225 # dc policy guid
226 res2 = samdb.search(expression="(displayName=Default Domain Controllers"
227 " Policy)",
228 base="CN=Policies,CN=System," + str(names.rootdn),
229 scope=SCOPE_ONELEVEL, attrs=["cn", "displayName"])
230 if len(res2) == 1:
231 names.policyid_dc = str(res2[0]["cn"]).replace("{", "").replace("}", "")
232 else:
233 names.policyid_dc = None
234
235
236 def newprovision(names, session, smbconf, provdir, logger, base_schema=None):
237 """Create a new provision.
238
239 This provision will be the reference for knowing what has changed in the
240 since the latest upgrade in the current provision
241
242 :param names: List of provision parameters
243 :param creds: Credentials for the authentification
244 :param session: Session object
245 :param smbconf: Path to the smb.conf file
246 :param provdir: Directory where the provision will be stored
247 :param logger: A Logger
248 """
249 if os.path.isdir(provdir):
250 shutil.rmtree(provdir)
251 os.mkdir(provdir)
252 logger.info("Provision stored in %s", provdir)
253 return provision(logger, session, smbconf=smbconf,
254 targetdir=provdir, samdb_fill=FILL_FULL, realm=names.realm,
255 domain=names.domain, domainguid=names.domainguid,
256 domainsid=names.domainsid, ntdsguid=names.ntdsguid,
257 policyguid=names.policyid, policyguid_dc=names.policyid_dc,
258 hostname=names.netbiosname.lower(), hostip=None, hostip6=None,
259 invocationid=names.invocation, adminpass=names.adminpass,
260 krbtgtpass=None, machinepass=None, dnspass=None, root=None,
261 nobody=None, users=None,
262 serverrole="domain controller",
263 dom_for_fun_level=names.domainlevel, dns_backend=names.dns_backend,
264 useeadb=True, use_ntvfs=True, base_schema=base_schema)
265
266
267 def dn_sort(x, y):
268 """Sorts two DNs in the lexicographical order it and put higher level DN
269 before.
270
271 So given the dns cn=bar,cn=foo and cn=foo the later will be return as
272 smaller
273
274 :param x: First object to compare
275 :param y: Second object to compare
276 """
277 p = re.compile(r'(?<!\\), ?')
278 tab1 = p.split(str(x))
279 tab2 = p.split(str(y))
280 minimum = min(len(tab1), len(tab2))
281 len1 = len(tab1) - 1
282 len2 = len(tab2) - 1
283 # Note: python range go up to upper limit but do not include it
284 for i in range(0, minimum):
285 ret = cmp(tab1[len1 - i], tab2[len2 - i])
286 if ret != 0:
287 return ret
288 else:
289 if i == minimum - 1:
290 assert len1 != len2, "PB PB PB" + " ".join(tab1) + " / " + " ".join(tab2)
291 if len1 > len2:
292 return 1
293 else:
294 return -1
295 return ret
296
297
298 def identic_rename(ldbobj, dn):
299 """Perform a back and forth rename to trigger renaming on attribute that
300 can't be directly modified.
301
302 :param lbdobj: An Ldb Object
303 :param dn: DN of the object to manipulate
304 """
305 (before, after) = str(dn).split('=', 1)
306 # we need to use relax to avoid the subtree_rename constraints
307 ldbobj.rename(dn, ldb.Dn(ldbobj, "%s=foo%s" % (before, after)), ["relax:0"])
308 ldbobj.rename(ldb.Dn(ldbobj, "%s=foo%s" % (before, after)), dn, ["relax:0"])
309
310
311 def update_secrets(newsecrets_ldb, secrets_ldb, messagefunc):
312 """Update secrets.ldb
313
314 :param newsecrets_ldb: An LDB object that is connected to the secrets.ldb
315 of the reference provision
316 :param secrets_ldb: An LDB object that is connected to the secrets.ldb
317 of the updated provision
318 """
319
320 messagefunc(SIMPLE, "Update of secrets.ldb")
321 reference = newsecrets_ldb.search(base="@MODULES", scope=SCOPE_BASE)
322 current = secrets_ldb.search(base="@MODULES", scope=SCOPE_BASE)
323 assert reference, "Reference modules list can not be empty"
324 if len(current) == 0:
325 # No modules present
326 delta = secrets_ldb.msg_diff(ldb.Message(), reference[0])
327 delta.dn = reference[0].dn
328 secrets_ldb.add(reference[0])
329 else:
330 delta = secrets_ldb.msg_diff(current[0], reference[0])
331 delta.dn = current[0].dn
332 secrets_ldb.modify(delta)
333
334 reference = newsecrets_ldb.search(expression="objectClass=top", base="",
335 scope=SCOPE_SUBTREE, attrs=["dn"])
336 current = secrets_ldb.search(expression="objectClass=top", base="",
337 scope=SCOPE_SUBTREE, attrs=["dn"])
338 hash_new = {}
339 hash = {}
340 listMissing = []
341 listPresent = []
342
343 empty = ldb.Message()
344 for i in range(0, len(reference)):
345 hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
346
347 # Create a hash for speeding the search of existing object in the
348 # current provision
349 for i in range(0, len(current)):
350 hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
351
352 for k in hash_new.keys():
353 if k not in hash:
354 listMissing.append(hash_new[k])
355 else:
356 listPresent.append(hash_new[k])
357
358 for entry in listMissing:
359 reference = newsecrets_ldb.search(expression="distinguishedName=%s" % entry,
360 base="", scope=SCOPE_SUBTREE)
361 current = secrets_ldb.search(expression="distinguishedName=%s" % entry,
362 base="", scope=SCOPE_SUBTREE)
363 delta = secrets_ldb.msg_diff(empty, reference[0])
364 for att in hashAttrNotCopied:
365 delta.remove(att)
366 messagefunc(CHANGE, "Entry %s is missing from secrets.ldb" %
367 reference[0].dn)
368 for att in delta:
369 messagefunc(CHANGE, " Adding attribute %s" % att)
370 delta.dn = reference[0].dn
371 secrets_ldb.add(delta)
372
373 for entry in listPresent:
374 reference = newsecrets_ldb.search(expression="distinguishedName=%s" % entry,
375 base="", scope=SCOPE_SUBTREE)
376 current = secrets_ldb.search(expression="distinguishedName=%s" % entry, base="",
377 scope=SCOPE_SUBTREE)
378 delta = secrets_ldb.msg_diff(current[0], reference[0])
379 for att in hashAttrNotCopied:
380 delta.remove(att)
381 for att in delta:
382 if att == "name":
383 messagefunc(CHANGE, "Found attribute name on %s,"
384 " must rename the DN" % (current[0].dn))
385 identic_rename(secrets_ldb, reference[0].dn)
386 else:
387 delta.remove(att)
388
389 for entry in listPresent:
390 reference = newsecrets_ldb.search(expression="distinguishedName=%s" % entry, base="",
391 scope=SCOPE_SUBTREE)
392 current = secrets_ldb.search(expression="distinguishedName=%s" % entry, base="",
393 scope=SCOPE_SUBTREE)
394 delta = secrets_ldb.msg_diff(current[0], reference[0])
395 for att in hashAttrNotCopied:
396 delta.remove(att)
397 for att in delta:
398 if att == "msDS-KeyVersionNumber":
399 delta.remove(att)
400 if att != "dn":
401 messagefunc(CHANGE,
402 "Adding/Changing attribute %s to %s" %
403 (att, current[0].dn))
404
405 delta.dn = current[0].dn
406 secrets_ldb.modify(delta)
407
408 res2 = secrets_ldb.search(expression="(samaccountname=dns)",
409 scope=SCOPE_SUBTREE, attrs=["dn"])
410
411 if len(res2) == 1:
412 messagefunc(SIMPLE, "Remove old dns account")
413 secrets_ldb.delete(res2[0]["dn"])
414
415
416 def getOEMInfo(samdb, rootdn):
417 """Return OEM Information on the top level Samba4 use to store version
418 info in this field
419
420 :param samdb: An LDB object connect to sam.ldb
421 :param rootdn: Root DN of the domain
422 :return: The content of the field oEMInformation (if any)
423 """
424 res = samdb.search(expression="(objectClass=*)", base=str(rootdn),
425 scope=SCOPE_BASE, attrs=["dn", "oEMInformation"])
426 if len(res) > 0 and res[0].get("oEMInformation"):
427 info = res[0]["oEMInformation"]
428 return info
429 else:
430 return ""
431
432
433 def updateOEMInfo(samdb, rootdn):
434 """Update the OEMinfo field to add information about upgrade
435
436 :param samdb: an LDB object connected to the sam DB
437 :param rootdn: The string representation of the root DN of
438 the provision (ie. DC=...,DC=...)
439 """
440 res = samdb.search(expression="(objectClass=*)", base=rootdn,
441 scope=SCOPE_BASE, attrs=["dn", "oEMInformation"])
442 if len(res) > 0:
443 if res[0].get("oEMInformation"):
444 info = str(res[0]["oEMInformation"])
445 else:
446 info = ""
447 info = "%s, upgrade to %s" % (info, version)
448 delta = ldb.Message()
449 delta.dn = ldb.Dn(samdb, str(res[0]["dn"]))
450 delta["oEMInformation"] = ldb.MessageElement(info, ldb.FLAG_MOD_REPLACE,
451 "oEMInformation")
452 samdb.modify(delta)
453
454
455 def update_gpo(paths, samdb, names, lp, message):
456 """Create missing GPO file object if needed
457 """
458 dir = getpolicypath(paths.sysvol, names.dnsdomain, names.policyid)
459 if not os.path.isdir(dir):
460 create_gpo_struct(dir)
461
462 if names.policyid_dc is None:
463 raise ProvisioningError("Policy ID for Domain controller is missing")
464 dir = getpolicypath(paths.sysvol, names.dnsdomain, names.policyid_dc)
465 if not os.path.isdir(dir):
466 create_gpo_struct(dir)
467
468
469 def increment_calculated_keyversion_number(samdb, rootdn, hashDns):
470 """For a given hash associating dn and a number, this function will
471 update the replPropertyMetaData of each dn in the hash, so that the
472 calculated value of the msDs-KeyVersionNumber is equal or superior to the
473 one associated to the given dn.
474
475 :param samdb: An SamDB object pointing to the sam
476 :param rootdn: The base DN where we want to start
477 :param hashDns: A hash with dn as key and number representing the
478 minimum value of msDs-KeyVersionNumber that we want to
479 have
480 """
481 entry = samdb.search(expression='(objectClass=user)',
482 base=ldb.Dn(samdb, str(rootdn)),
483 scope=SCOPE_SUBTREE, attrs=["msDs-KeyVersionNumber"],
484 controls=["search_options:1:2"])
485 done = 0
486 if len(entry) == 0:
487 raise ProvisioningError("Unable to find msDs-KeyVersionNumber")
488 else:
489 for e in entry:
490 if str(e.dn).lower() in hashDns:
491 val = e.get("msDs-KeyVersionNumber")
492 if not val:
493 val = "0"
494 version = int(str(hashDns[str(e.dn).lower()]))
495 if int(str(val)) < version:
496 done = done + 1
497 samdb.set_attribute_replmetadata_version(str(e.dn),
498 "unicodePwd",
499 version, True)
500
501
502 def delta_update_basesamdb(refsampath, sampath, creds, session, lp, message):
503 """Update the provision container db: sam.ldb
504 This function is aimed for alpha9 and newer;
505
506 :param refsampath: Path to the samdb in the reference provision
507 :param sampath: Path to the samdb in the upgraded provision
508 :param creds: Credential used for openning LDB files
509 :param session: Session to use for openning LDB files
510 :param lp: A loadparam object
511 :return: A msg_diff object with the difference between the @ATTRIBUTES
512 of the current provision and the reference provision
513 """
514
515 message(SIMPLE,
516 "Update base samdb by searching difference with reference one")
517 refsam = Ldb(refsampath, session_info=session, credentials=creds,
518 lp=lp, options=["modules:"])
519 sam = Ldb(sampath, session_info=session, credentials=creds, lp=lp,
520 options=["modules:"])
521
522 empty = ldb.Message()
523 deltaattr = None
524 reference = refsam.search(expression="")
525
526 for refentry in reference:
527 entry = sam.search(expression="distinguishedName=%s" % refentry["dn"],
528 scope=SCOPE_SUBTREE)
529 if not len(entry):
530 delta = sam.msg_diff(empty, refentry)
531 message(CHANGE, "Adding %s to sam db" % str(refentry.dn))
532 if str(refentry.dn) == "@PROVISION" and\
533 delta.get(samba.provision.LAST_PROVISION_USN_ATTRIBUTE):
534 delta.remove(samba.provision.LAST_PROVISION_USN_ATTRIBUTE)
535 delta.dn = refentry.dn
536 sam.add(delta)
537 else:
538 delta = sam.msg_diff(entry[0], refentry)
539 if str(refentry.dn) == "@ATTRIBUTES":
540 deltaattr = sam.msg_diff(refentry, entry[0])
541 if str(refentry.dn) == "@PROVISION" and\
542 delta.get(samba.provision.LAST_PROVISION_USN_ATTRIBUTE):
543 delta.remove(samba.provision.LAST_PROVISION_USN_ATTRIBUTE)
544 if len(delta.items()) > 1:
545 delta.dn = refentry.dn
546 sam.modify(delta)
547
548 return deltaattr
549
550
551 def construct_existor_expr(attrs):
552 """Construct a exists or LDAP search expression.
553
554 :param attrs: List of attribute on which we want to create the search
555 expression.
556 :return: A string representing the expression, if attrs is empty an
557 empty string is returned
558 """
559 expr = ""
560 if len(attrs) > 0:
561 expr = "(|"
562 for att in attrs:
563 expr = "%s(%s=*)" %(expr, att)
564 expr = "%s)" %expr
565 return expr
566
567
568 def update_machine_account_password(samdb, secrets_ldb, names):
569 """Update (change) the password of the current DC both in the SAM db and in
570 secret one
571
572 :param samdb: An LDB object related to the sam.ldb file of a given provision
573 :param secrets_ldb: An LDB object related to the secrets.ldb file of a given
574 provision
575 :param names: List of key provision parameters"""
576
577 expression = "samAccountName=%s$" % names.netbiosname
578 secrets_msg = secrets_ldb.search(expression=expression,
579 attrs=["secureChannelType"])
580 if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
581 res = samdb.search(expression=expression, attrs=[])
582 assert(len(res) == 1)
583
584 msg = ldb.Message(res[0].dn)
585 machinepass = samba.generate_random_machine_password(128, 255)
586 mputf16 = machinepass.encode('utf-16-le')
587 msg["clearTextPassword"] = ldb.MessageElement(mputf16,
588 ldb.FLAG_MOD_REPLACE,
589 "clearTextPassword")
590 samdb.modify(msg)
591
592 res = samdb.search(expression=("samAccountName=%s$" % names.netbiosname),
593 attrs=["msDs-keyVersionNumber"])
594 assert(len(res) == 1)
595 kvno = int(str(res[0]["msDs-keyVersionNumber"]))
596 secChanType = int(secrets_msg[0]["secureChannelType"][0])
597
598 secretsdb_self_join(secrets_ldb, domain=names.domain,
599 realm=names.realm,
600 domainsid=names.domainsid,
601 dnsdomain=names.dnsdomain,
602 netbiosname=names.netbiosname,
603 machinepass=machinepass,
604 key_version_number=kvno,
605 secure_channel_type=secChanType)
606 else:
607 raise ProvisioningError("Unable to find a Secure Channel"
608 "of type SEC_CHAN_BDC")
609
610
611 def update_dns_account_password(samdb, secrets_ldb, names):
612 """Update (change) the password of the dns both in the SAM db and in
613 secret one
614
615 :param samdb: An LDB object related to the sam.ldb file of a given provision
616 :param secrets_ldb: An LDB object related to the secrets.ldb file of a given
617 provision
618 :param names: List of key provision parameters"""
619
620 expression = "samAccountName=dns-%s" % names.netbiosname
621 secrets_msg = secrets_ldb.search(expression=expression)
622 if len(secrets_msg) == 1:
623 res = samdb.search(expression=expression, attrs=[])
624 assert(len(res) == 1)
625
626 msg = ldb.Message(res[0].dn)
627 machinepass = samba.generate_random_password(128, 255)
628 mputf16 = machinepass.encode('utf-16-le')
629 msg["clearTextPassword"] = ldb.MessageElement(mputf16,
630 ldb.FLAG_MOD_REPLACE,
631 "clearTextPassword")
632
633 samdb.modify(msg)
634
635 res = samdb.search(expression=expression,
636 attrs=["msDs-keyVersionNumber"])
637 assert(len(res) == 1)
638 kvno = str(res[0]["msDs-keyVersionNumber"])
639
640 msg = ldb.Message(secrets_msg[0].dn)
641 msg["secret"] = ldb.MessageElement(machinepass,
642 ldb.FLAG_MOD_REPLACE,
643 "secret")
644 msg["msDS-KeyVersionNumber"] = ldb.MessageElement(kvno,
645 ldb.FLAG_MOD_REPLACE,
646 "msDS-KeyVersionNumber")
647
648 secrets_ldb.modify(msg)
649
650
651 def update_krbtgt_account_password(samdb):
652 """Update (change) the password of the krbtgt account
653
654 :param samdb: An LDB object related to the sam.ldb file of a given provision"""
655
656 expression = "samAccountName=krbtgt"
657 res = samdb.search(expression=expression, attrs=[])
658 assert(len(res) == 1)
659
660 msg = ldb.Message(res[0].dn)
661 machinepass = samba.generate_random_machine_password(128, 255)
662 mputf16 = machinepass.encode('utf-16-le')
663 msg["clearTextPassword"] = ldb.MessageElement(mputf16,
664 ldb.FLAG_MOD_REPLACE,
665 "clearTextPassword")
666
667 samdb.modify(msg)
668
669
670 def search_constructed_attrs_stored(samdb, rootdn, attrs):
671 """Search a given sam DB for calculated attributes that are
672 still stored in the db.
673
674 :param samdb: An LDB object pointing to the sam
675 :param rootdn: The base DN where the search should start
676 :param attrs: A list of attributes to be searched
677 :return: A hash with attributes as key and an array of
678 array. Each array contains the dn and the associated
679 values for this attribute as they are stored in the
680 sam."""
681
682 hashAtt = {}
683 expr = construct_existor_expr(attrs)
684 if expr == "":
685 return hashAtt
686 entry = samdb.search(expression=expr, base=ldb.Dn(samdb, str(rootdn)),
687 scope=SCOPE_SUBTREE, attrs=attrs,
688 controls=["search_options:1:2", "bypassoperational:0"])
689 if len(entry) == 0:
690 # Nothing anymore
691 return hashAtt
692
693 for ent in entry:
694 for att in attrs:
695 if ent.get(att):
696 if att in hashAtt:
697 hashAtt[att][str(ent.dn).lower()] = str(ent[att])
698 else:
699 hashAtt[att] = {}
700 hashAtt[att][str(ent.dn).lower()] = str(ent[att])
701
702 return hashAtt
703
704
705 def findprovisionrange(samdb, basedn):
706 """ Find ranges of usn grouped by invocation id and then by timestamp
707 rouned at 1 minute
708
709 :param samdb: An LDB object pointing to the samdb
710 :param basedn: The DN of the forest
711
712 :return: A two level dictionary with invoication id as the
713 first level, timestamp as the second one and then
714 max, min, and number as subkeys, representing respectivily
715 the maximum usn for the range, the minimum usn and the number
716 of object with usn in this range.
717 """
718 nb_obj = 0
719 hash_id = {}
720
721 res = samdb.search(base=basedn, expression="objectClass=*",
722 scope=ldb.SCOPE_SUBTREE,
723 attrs=["replPropertyMetaData"],
724 controls=["search_options:1:2"])
725
726 for e in res:
727 nb_obj = nb_obj + 1
728 obj = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
729 str(e["replPropertyMetaData"])).ctr
730
731 for o in obj.array:
732 # like a timestamp but with the resolution of 1 minute
733 minutestamp = _glue.nttime2unix(o.originating_change_time) // 60
734 hash_ts = hash_id.get(str(o.originating_invocation_id))
735
736 if hash_ts is None:
737 ob = {}
738 ob["min"] = o.originating_usn
739 ob["max"] = o.originating_usn
740 ob["num"] = 1
741 ob["list"] = [str(e.dn)]
742 hash_ts = {}
743 else:
744 ob = hash_ts.get(minutestamp)
745 if ob is None:
746 ob = {}
747 ob["min"] = o.originating_usn
748 ob["max"] = o.originating_usn
749 ob["num"] = 1
750 ob["list"] = [str(e.dn)]
751 else:
752 if ob["min"] > o.originating_usn:
753 ob["min"] = o.originating_usn
754 if ob["max"] < o.originating_usn:
755 ob["max"] = o.originating_usn
756 if not (str(e.dn) in ob["list"]):
757 ob["num"] = ob["num"] + 1
758 ob["list"].append(str(e.dn))
759 hash_ts[minutestamp] = ob
760 hash_id[str(o.originating_invocation_id)] = hash_ts
761
762 return (hash_id, nb_obj)
763
764
765 def print_provision_ranges(dic, limit_print, dest, samdb_path, invocationid):
766 """ print the differents ranges passed as parameter
767
768 :param dic: A dictionary as returned by findprovisionrange
769 :param limit_print: minimum number of object in a range in order to print it
770 :param dest: Destination directory
771 :param samdb_path: Path to the sam.ldb file
772 :param invoicationid: Invocation ID for the current provision
773 """
774 ldif = ""
775
776 for id in dic:
777 hash_ts = dic[id]
778 sorted_keys = []
779 sorted_keys.extend(hash_ts.keys())
780 sorted_keys.sort()
781
782 kept_record = []
783 for k in sorted_keys:
784 obj = hash_ts[k]
785 if obj["num"] > limit_print:
786 dt = _glue.nttime2string(_glue.unix2nttime(k * 60))
787 print("%s # of modification: %d \tmin: %d max: %d" % (dt, obj["num"],
788 obj["min"],
789 obj["max"]))
790 if hash_ts[k]["num"] > 600:
791 kept_record.append(k)
792
793 # Let's try to concatenate consecutive block if they are in the almost same minutestamp
794 for i in range(0, len(kept_record)):
795 if i != 0:
796 key1 = kept_record[i]
797 key2 = kept_record[i - 1]
798 if key1 - key2 == 1:
799 # previous record is just 1 minute away from current
800 if int(hash_ts[key1]["min"]) == int(hash_ts[key2]["max"]) + 1:
801 # Copy the highest USN in the previous record
802 # and mark the current as skipped
803 hash_ts[key2]["max"] = hash_ts[key1]["max"]
804 hash_ts[key1]["skipped"] = True
805
806 for k in kept_record:
807 obj = hash_ts[k]
808 if obj.get("skipped") is None:
809 ldif = "%slastProvisionUSN: %d-%d;%s\n" % (ldif, obj["min"],
810 obj["max"], id)
811
812 if ldif != "":
813 fd, file = tempfile.mkstemp(dir=dest, prefix="usnprov", suffix=".ldif")
814 print()
815 print("To track the USNs modified/created by provision and upgrade proivsion,")
816 print(" the following ranges are proposed to be added to your provision sam.ldb: \n%s" % ldif)
817 print("We recommend to review them, and if it's correct to integrate the following ldif: %s in your sam.ldb" % file)
818 print("You can load this file like this: ldbadd -H %s %s\n" %(str(samdb_path), file))
819 ldif = "dn: @PROVISION\nprovisionnerID: %s\n%s" % (invocationid, ldif)
820 os.write(fd, ldif)
821 os.close(fd)
822
823
824 def int64range2str(value):
825 """Display the int64 range stored in value as xxx-yyy
826
827 :param value: The int64 range
828 :return: A string of the representation of the range
829 """
830 lvalue = int(value)
831 str = "%d-%d" % (lvalue &0xFFFFFFFF, lvalue >>32)
832 return str
Samba GIT mirror