testprogs/blackbox/ldapcmp_restoredc.sh

   1 #!/bin/sh
   2 # Does an ldapcmp between a newly restored testenv and the original testenv it
   3 # was based on
   4
   5 if [ $# -lt 2 ]; then
   6         cat <<EOF
   7 Usage: $0 ORIG_DC_PREFIX RESTORED_DC_PREFIX
   8 EOF
   9         exit 1
  10 fi
  11
  12 ORIG_DC_PREFIX_ABS="$1"
  13 RESTORED_DC_PREFIX_ABS="$2"
  14 shift 2
  15
  16 . $(dirname $0)/subunit.sh
  17
  18 basedn()
  19 {
  20         SAMDB_PATH=$1
  21         $BINDIR/ldbsearch -H $SAMDB_PATH --basedn='' --scope=base defaultNamingContext | grep defaultNamingContext | awk '{print $2}'
  22 }
  23
  24 ldapcmp_with_orig()
  25 {
  26
  27         DB1_PATH="tdb://$ORIG_DC_PREFIX_ABS/private/sam.ldb"
  28         DB2_PATH="tdb://$RESTORED_DC_PREFIX_ABS/private/sam.ldb"
  29
  30         # check if the 2 DCs are in different domains
  31         DC1_BASEDN=$(basedn $DB1_PATH)
  32         DC2_BASEDN=$(basedn $DB2_PATH)
  33         BASE_DN_OPTS=""
  34
  35         # if necessary, pass extra args to ldapcmp to handle the difference in base DNs
  36         if [ "$DC1_BASEDN" != "$DC2_BASEDN" ]; then
  37                 BASE_DN_OPTS="--base=$DC1_BASEDN --base2=$DC2_BASEDN"
  38         fi
  39
  40         # the restored DC will remove DNS entries for the old DC(s)
  41         IGNORE_ATTRS="dnsRecord,dNSTombstoned"
  42
  43         # DC2 joined DC1, so it will have different DRS info
  44         IGNORE_ATTRS="$IGNORE_ATTRS,msDS-NC-Replica-Locations,msDS-HasInstantiatedNCs"
  45         IGNORE_ATTRS="$IGNORE_ATTRS,interSiteTopologyGenerator"
  46
  47         # there's a servicePrincipalName that uses the objectGUID of the DC's NTDS
  48         # Settings that will differ between the two DCs
  49         IGNORE_ATTRS="$IGNORE_ATTRS,servicePrincipalName"
  50
  51         # the restore changes the new DC's password twice
  52         IGNORE_ATTRS="$IGNORE_ATTRS,lastLogonTimestamp"
  53
  54         # The RID pools get bumped during the restore process
  55         IGNORE_ATTRS="$IGNORE_ATTRS,rIDAllocationPool,rIDAvailablePool"
  56
  57         # these are just differences between provisioning a domain and joining a DC
  58         IGNORE_ATTRS="$IGNORE_ATTRS,localPolicyFlags,operatingSystem,displayName"
  59
  60         # the restored DC may use a different side compared to the original DC
  61         IGNORE_ATTRS="$IGNORE_ATTRS,serverReferenceBL,msDS-IsDomainFor"
  62
  63         LDAPCMP_CMD="$PYTHON $BINDIR/samba-tool ldapcmp"
  64         $LDAPCMP_CMD $DB1_PATH $DB2_PATH --two --skip-missing-dn --filter=$IGNORE_ATTRS $BASE_DN_OPTS
  65 }
  66
  67 # check that the restored testenv DC basically matches the original
  68 testit "orig_dc_matches" ldapcmp_with_orig
  69
  70 exit $failed