| blob | c0ce040801baa74841699514f5db8dcfab7098f4 |
1 #!/usr/bin/env python
2 # vim: expandtab
3 #
4 # Copyright (C) Matthieu Patou <mat@matws.net> 2009 - 2010
5 #
6 # Based on provision a Samba4 server by
7 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
8 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
9 #
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
15 #
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
25 import logging
26 import optparse
27 import os
28 import shutil
29 import sys
30 import tempfile
31 import re
32 import traceback
33 # Allow to run from s4 source directory (without installing samba)
36 import ldb
37 import samba
65 update_machine_account_password,
66 search_constructed_attrs_stored,
68 increment_calculated_keyversion_number,
69 print_provision_ranges)
72 # make sure the script dies immediately when hitting control-C,
73 # rather than raising KeyboardInterrupt. As we do all database
74 # operations using transactions, this is safe.
75 import signal
84 # Will be modified during provision to tell if default sd has been modified
85 # somehow ...
87 #Errors are always logged
91 # Attributes that are never copied from the reference provision (even if they
92 # do not exist in the destination object).
93 # This is most probably because they are populated automatcally when object is
94 # created
95 # This also apply to imported object from reference provision
111 attrNotCopied = replAttrNotCopied
114 # Usually for an object that already exists we do not overwrite attributes as
115 # they might have been changed for good reasons. Anyway for a few of them it's
116 # mandatory to replace them otherwise the provision will be broken somehow.
117 # But for attribute that are just missing we do not have to specify them as the default
118 # behavior is to add missing attribute
135 dnToRecalculate = []
136 backlinked = []
138 dn_syntax_att = []
139 not_replicated = []
143 what = what | CHANGE
145 what = what | CHANGESD
147 what = what | GUESS
149 what = what | PROVISION
151 what = what | CHANGEALL
152 return what
177 help="Perform additional forced SD resets required for a database from before Samba 4.0.0alpha9.")
193 """Print a message if this message type has been selected to be printed
195 :param what: Category of the message
196 :param text: Message to print """
211 """Check if the provision has already the requirement for dynamic dns
213 :param refprivate: The path to the private directory of the reference
214 provision
215 :param private: The path to the private directory of the upgraded
216 provision"""
228 return
251 """Populate an array with all the back linked attributes
253 This attributes that are modified automaticaly when
254 front attibutes are changed
256 :param samdb: A LDB object for sam.ldb file
257 :param schemadn: DN of the schema for the partition"""
264 """ Indicate if the attribute is replicated or not
266 :param att: Name of the attribute to be tested
267 :return: True is the attribute is replicated, False otherwise
268 """
273 """Populate an array with all the attributes that are not replicated
275 :param samdb: A LDB object for sam.ldb file
276 :param schemadn: DN of the schema for the partition"""
277 res = samdb.search(expression="(&(objectclass=attributeSchema)(systemflags:1.2.840.113556.1.4.803:=1))", base=Dn(samdb,
285 """Populate an array with all the attributes that have DN synthax
286 (oid 2.5.5.1)
288 :param samdb: A LDB object for sam.ldb file
289 :param schemadn: DN of the schema for the partition"""
298 """Make some checks before trying to update
300 :param samdb: An LDB object opened on sam.ldb
301 :param names: list of key provision parameters
302 :return: Status of check (1 for Ok, 0 for not Ok) """
308 return False
311 "upgradeprovision is not able to handle an upgrade on a " \
312 "domain with more than one DC. Please demote the other " \
314 return False
316 return True
320 """Do a a pretty print of provision parameters
322 :param names: list of key provision parameters """
343 """Define more complicate update rules for some attributes
345 :param att: The attribute to be updated
346 :param delta: A messageElement object that correspond to the difference
347 between the updated object and the reference one
348 :param new: The reference object
349 :param old: The Updated object
350 :param useReplMetadata: A boolean that indicate if the update process
351 use replPropertyMetaData to decide what has to be updated.
352 :param basedn: The base DN of the provision
353 :param aldb: An ldb object used to build DN
354 :return: True to indicate that the attribute should be kept, False for
355 discarding it"""
357 # We do most of the special case handle if we do not have the
358 # highest usn as otherwise the replPropertyMetaData will guide us more
359 # correctly
366 return True
373 return False
377 return True
381 newval = []
395 return True
401 return True
408 return True
411 return True
415 return True
419 return True
423 return True
424 #Allow to change revision of ForestUpdates objects
426 if str(delta.dn).lower().find("domainupdates") and str(delta.dn).lower().find("forestupdates") > 0:
427 return True
429 return True
431 # This is a bit of special animal as we might have added
432 # already SPN entries to the list that has to be modified
433 # So we go in detail to try to find out what has to be added ...
436 newval = []
450 return True
452 return False
455 """Print detailed information about why a change is denied
457 :param dn: DN of the object which attribute is denied
458 :param att: Attribute that was supposed to be upgraded
459 :param flagtxt: Type of the update that should be performed
460 (add, change, remove, ...)
461 :param current: Value(s) of the current attribute
462 :param reference: Value(s) of the reference attribute"""
484 """Handle special operation (like remove) on some object needed during
485 upgrade
487 This is mostly due to wrong creation of the object in previous provision.
488 :param samdb: An Ldb object representing the SAM database
489 :param dn: DN of the object to inspect
490 :param names: list of key provision parameters
491 """
496 #This entry was misplaced lets remove it if it exists
502 #This entry was misplaced lets remove it if it exists
508 #This entry was misplaced lets remove it if it exists
513 #This entry was misplaced lets remove it if it exists
520 "CN=WellKnown Security Principals,"
562 """Check if one of the DN present in the list has a creation order
563 greater than the current.
565 Hash is indexed by dn to be created, with each key
566 is associated the creation order.
568 First dn to be created has the creation order 0, second has 1, ...
569 Index contain the current creation order
571 :param hash: Hash holding the different DN of the object to be
572 created as key
573 :param index: Current creation order
574 :param listdn: List of DNs on which the current DN depends on
575 :return: None if the current object do not depend on other
576 object or if all object have been created before."""
578 return None
583 return None
588 """Add a new object if the dependencies are satisfied
590 The function add the object if the object on which it depends are already
591 created
593 :param ref_samdb: Ldb object representing the SAM db of the reference
594 provision
595 :param samdb: Ldb object representing the SAM db of the upgraded
596 provision
597 :param dn: DN of the object to be added
598 :param names: List of key provision parameters
599 :param basedn: DN of the partition to be updated
600 :param hash: Hash holding the different DN of the object to be
601 created as key
602 :param index: Current creation order
603 :return: True if the object was created False otherwise"""
608 return False
611 return True
619 delta.dn
644 return False
653 return True
656 """Generate a hash associating the DN to its creation order
658 :param listMissing: List of DN
659 :return: Hash with DN as keys and creation order as values"""
666 """Add the object containter: CN=Deleted Objects
668 This function create the container for each partition that need one and
669 then reference the object into the root of the partition
671 :param ref_samdb: Ldb object representing the SAM db of the reference
672 provision
673 :param samdb: Ldb object representing the SAM db of the upgraded provision
674 :param names: List of key provision parameters"""
705 listwko = []
716 # The wellKnownObject that we want to add.
728 FLAG_MOD_REPLACE,
733 """Add the missing object whose DN is the list
735 The function add the object if the objects on which it depends are
736 already created.
738 :param ref_samdb: Ldb object representing the SAM db of the reference
739 provision
740 :param samdb: Ldb object representing the SAM db of the upgraded
741 provision
742 :param dn: DN of the object to be added
743 :param names: List of key provision parameters
744 :param basedn: DN of the partition to be updated
745 :param list: List of DN to be added in the upgraded provision"""
747 listMissing = []
752 listMissing = listDefered
753 listDefered = []
760 # DN can't be created because it depends on some
761 # other DN in the list
769 """This function handle updates on links
771 :param samdb: An LDB object pointing to the updated provision
772 :param att: Attribute to update
773 :param basedn: The root DN of the provision
774 :param dn: The DN of the inspected object
775 :param value: The value of the attribute
776 :param ref_value: The value of this attribute in the reference provision
777 :param delta: The MessageElement object that will be applied for
778 transforming the current provision"""
783 blacklist = {}
785 newlinklist = []
793 # for w2k domain level the reveal won't reveal anything ...
794 # it means that we can readd links that were removed on purpose ...
795 # Also this function in fact just accept add not removal
799 # We put in the blacklist all the element that are in the "revealed"
800 # result and not in the "standard" result
801 # This element are links that were removed before and so that
802 # we don't wan't to readd
814 return delta
819 """ Check if we should keep the attribute modification or not
821 :param delta: A message diff object
822 :param att: An attribute
823 :param message: A function to print messages
824 :param reference: A message object for the current entry comming from
825 the reference provision.
826 :param current: A message object for the current entry commin from
827 the current provision.
828 :param hash_attr_usn: A dictionnary with attribute name as keys,
829 USN and invocation id as values.
830 :param basedn: The DN of the partition
831 :param usns: A dictionnary with invocation ID as keys and USN ranges
832 as values.
833 :param samdb: A ldb object pointing to the sam DB
835 :return: The modified message diff.
836 """
837 global defSDmodified
845 continue
847 # We have updated by provision usn information so let's exploit
848 # replMetadataProperties
854 continue
862 # This attribute is "complicated" to handle and handling
863 # was done in handle_special_case
864 continue
871 # If it's a replicated attribute and we don't have any USN
872 # information about it. It means that we never saw it before
873 # so let's add it !
874 # If it is a replicated attribute but we are not master on it
875 # (ie. not initially added in the provision we masterize).
876 # attrUSN will be -1
878 continue
881 continue
891 # FIXME find a way to have it only with huge huge verbose mode
892 # message(CHANGE, "%ssd are identical" % txt)
893 # txt = ""
895 continue
902 "so it's impossible to know if the difference"
907 continue
910 # This attribute was last modified by another DC forget
911 # about it
913 "created/modified/deleted by another DC. "
917 continue
920 "created/modified/deleted during a "
921 "provision or upgradeprovision. Current "
923 attrUSN))
926 continue
932 "/deleted it was last modified "
933 "during a provision. Current usn: "
940 continue
942 return delta
945 """ This function updates the object that are already present in the
946 provision
948 :param ref_samdb: An LDB object pointing to the reference provision
949 :param samdb: An LDB object pointing to the updated provision
950 :param basedn: A string with the value of the base DN for the provision
951 (ie. DC=foo, DC=bar)
952 :param listPresent: A list of object that is present in the provision
953 :param usns: A list of USN range modified by previous provision and
954 upgradeprovision grouped by invocation ID
955 """
957 # This hash is meant to speedup lookup of attribute name from an oid,
958 # it's for the replPropertyMetaData handling
959 hash_oid_name = {}
972 sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL
985 ):
1007 continue
1010 # Fetch the replPropertyMetaData
1017 hash_attr_usn = {}
1019 # We put in this hash only modification
1020 # made on the current host
1035 # Skip dn as the value is not really changed ...
1037 modcontrols = []
1039 # Let's try to reduce as much as possible the use of relax control
1047 return changed
1050 """Load the updated schema with all the new and existing classes
1051 and attributes.
1053 :param samdb: An LDB object connected to the sam.ldb of the update
1054 provision
1055 :param names: List of key provision parameters
1056 """
1070 # We don't actually add this ldif, just parse it
1077 """Check differences between the reference provision and the upgraded one.
1079 It looks for all objects which base DN is name.
1081 This function will also add the missing object and update existing object
1082 to add or remove attributes that were missing.
1084 :param ref_sambdb: An LDB object conntected to the sam.ldb of the
1085 reference provision
1086 :param samdb: An LDB object connected to the sam.ldb of the update
1087 provision
1088 :param basedn: String value of the DN of the partition
1089 :param names: List of key provision parameters
1090 :param schema: A Schema object
1091 :param provisionUSNs: A dictionnary with range of USN modified during provision
1092 or upgradeprovision. Ranges are grouped by invocationID.
1093 :param prereloadfunc: A function that must be executed just before the reload
1094 of the schema
1095 """
1097 hash_new = {}
1099 listMissing = []
1100 listPresent = []
1101 reference = []
1102 current = []
1104 # Connect to the reference provision and get all the attribute in the
1105 # partition referred by name
1113 # Create a hash for speeding the search of new object
1117 # Create a hash for speeding the search of existing object in the
1118 # current provision
1130 # Sort the missing object in order to have object of the lowest level
1131 # first (which can be containers for higher level objects)
1135 # The following lines is to load the up to
1136 # date schema into our current LDB
1137 # a complete schema is needed as the insertion of attributes
1138 # and class is done against it
1139 # and the schema is self validated
1154 provisionUSNs)
1166 """Check if the security descriptor in the upgraded provision are the same
1167 as the reference
1169 :param ref_sam: A LDB object connected to the sam.ldb file used as
1170 the reference provision
1171 :param cur_sam: A LDB object connected to the sam.ldb file used as
1172 upgraded provision
1173 :param names: List of key provision parameters"""
1193 cursd_blob)
1205 """This function fix the SD for partition/wellknown containers (basedn, configdn, ...)
1206 This is needed because some provision use to have broken SD on containers
1208 :param samdb: An LDB object pointing to the sam of the current provision
1209 :param names: A list of key provision parameters
1210 """
1212 list_wellknown_dns = []
1227 return list_wellknown_dns
1230 """Rebuild security descriptor of the current provision from scratch
1232 During the different pre release of samba4 security descriptors
1233 (SD) were notarly broken (up to alpha11 included)
1235 This function allows to get them back in order, this function works
1236 only after the database comparison that --full mode uses and which
1237 populates the dnToRecalculate and dnNotToRecalculate lists.
1239 The idea is that the SD can be safely recalculated from scratch to get it right.
1241 :param names: List of key provision parameters"""
1250 # well known SDs have already been reset
1252 continue
1255 sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL
1260 samdb.modify(delta, ["sd_flags:1:%d" % sd_flags,"relax:0","local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK])
1270 return
1278 return True
1280 return False
1295 """Remove previously stored constructed attributes
1297 :param paths: List of paths for different provision objects
1298 from the upgraded provision
1299 :param creds: A credential object
1300 :param session: A session object
1301 :param lp: A line parser object
1302 :return: An associative array whose key are the different constructed
1303 attributes and the value the dn where this attributes were found.
1304 """
1308 """Update the provision container db: sam.ldb
1309 This function is aimed at very old provision (before alpha9)
1311 :param newpaths: List of paths for different provision objects
1312 from the reference provision
1313 :param paths: List of paths for different provision objects
1314 from the upgraded provision
1315 :param names: List of key provision parameters"""
1344 """Upgrade the SAM DB contents for all the provision partitions
1346 :param ref_sambdb: An LDB object conntected to the sam.ldb of the reference
1347 provision
1348 :param samdb: An LDB object connected to the sam.ldb of the update
1349 provision
1350 :param names: List of key provision parameters
1351 :param provisionUSNs: A dictionnary with range of USN modified during provision
1352 or upgradeprovision. Ranges are grouped by invocationID.
1353 :param schema: A Schema object that represent the schema of the provision
1354 :param prereloadfunc: A function that must be executed just before the reload
1355 of the schema
1356 """
1370 """This function backup the provision files so that a rollback
1371 is possible
1373 :param paths: Paths to different objects
1374 :param dir: Directory where to store the backup
1375 :param only_db: Skip sysvol for users with big sysvol
1376 """
1406 """Synchronize attributes used for constructed ones, with the
1407 old constructed that were stored in the database.
1409 This apply for instance to msds-keyversionnumber that was
1410 stored and that is now constructed from replpropertymetadata.
1412 :param samdb: An LDB object attached to the currently upgraded samdb
1413 :param names: Various key parameter about current provision.
1414 """
1421 # Synopsis for updateprovision
1422 # 1) get path related to provision to be update (called current)
1423 # 2) open current provision ldbs
1424 # 3) fetch the key provision parameter (domain sid, domain guid, invocationid
1425 # of the DC ....)
1426 # 4) research of lastProvisionUSN in order to get ranges of USN modified
1427 # by either upgradeprovision or provision
1428 # 5) creation of a new provision the latest version of provision script
1429 # (called reference)
1430 # 6) get reference provision paths
1431 # 7) open reference provision ldbs
1432 # 8) setup helpers data that will help the update process
1433 # 9) (SKIPPED) we no longer update the privilege ldb by copying the one of referecence provision to
1434 # the current provision, because a shutil.copy would break the transaction locks both databases are under
1435 # and this database has not changed between 2009 and Samba 4.0.3 in Feb 2013 (at least)
1436 # 10)get the oemInfo field, this field contains information about the different
1437 # provision that have been done
1438 # 11)Depending on if the --very-old-pre-alpha9 flag is set the following things are done
1439 # A) When alpha9 or alphaxx not specified (default)
1440 # The base sam.ldb file is updated by looking at the difference between
1441 # referrence one and the current one. Everything is copied with the
1442 # exception of lastProvisionUSN attributes.
1443 # B) Other case (it reflect that that provision was done before alpha9)
1444 # The base sam.ldb of the reference provision is copied over
1445 # the current one, if necessary ldb related to partitions are moved
1446 # and renamed
1447 # The highest used USN is fetched so that changed by upgradeprovision
1448 # usn can be tracked
1449 # 12)A Schema object is created, it will be used to provide a complete
1450 # schema to current provision during update (as the schema of the
1451 # current provision might not be complete and so won't allow some
1452 # object to be created)
1453 # 13)Proceed to full update of sam DB (see the separate paragraph about i)
1454 # 14)The secrets db is updated by pull all the difference from the reference
1455 # provision into the current provision
1456 # 15)As the previous step has most probably modified the password stored in
1457 # in secret for the current DC, a new password is generated,
1458 # the kvno is bumped and the entry in samdb is also updated
1459 # 16)For current provision older than alpha9, we must fix the SD a little bit
1460 # administrator to update them because SD used to be generated with the
1461 # system account before alpha9.
1462 # 17)The highest usn modified so far is searched in the database it will be
1463 # the upper limit for usn modified during provision.
1464 # This is done before potential SD recalculation because we do not want
1465 # SD modified during recalculation to be marked as modified during provision
1466 # (and so possibly remplaced at next upgradeprovision)
1467 # 18)Rebuilt SD if the flag indicate to do so
1468 # 19)Check difference between SD of reference provision and those of the
1469 # current provision. The check is done by getting the sddl representation
1470 # of the SD. Each sddl in chuncked into parts (user,group,dacl,sacl)
1471 # Each part is verified separetly, for dacl and sacl ACL is splited into
1472 # ACEs and each ACE is verified separately (so that a permutation in ACE
1473 # didn't raise as an error).
1474 # 20)The oemInfo field is updated to add information about the fact that the
1475 # provision has been updated by the upgradeprovision version xxx
1476 # (the version is the one obtained when starting samba with the --version
1477 # parameter)
1478 # 21)Check if the current provision has all the settings needed for dynamic
1479 # DNS update to work (that is to say the provision is newer than
1480 # january 2010). If not dns configuration file from reference provision
1481 # are copied in a sub folder and the administrator is invited to
1482 # do what is needed.
1483 # 22)If the lastProvisionUSN attribute was present it is updated to add
1484 # the range of usns modified by the current upgradeprovision
1487 # About updating the sam DB
1488 # The update takes place in update_partition function
1489 # This function read both current and reference provision and list all
1490 # the available DN of objects
1491 # If the string representation of a DN in reference provision is
1492 # equal to the string representation of a DN in current provision
1493 # (without taking care of case) then the object is flaged as being
1494 # present. If the object is not present in current provision the object
1495 # is being flaged as missing in current provision. Object present in current
1496 # provision but not in reference provision are ignored.
1497 # Once the list of objects present and missing is done, the deleted object
1498 # containers are created in the differents partitions (if missing)
1499 #
1500 # Then the function add_missing_entries is called
1501 # This function will go through the list of missing entries by calling
1502 # add_missing_object for the given object. If this function returns 0
1503 # it means that the object needs some other object in order to be created
1504 # The object is reappended at the end of the list to be created later
1505 # (and preferably after all the needed object have been created)
1506 # The function keeps on looping on the list of object to be created until
1507 # it's empty or that the number of defered creation is equal to the number
1508 # of object that still needs to be created.
1510 # The function add_missing_object will first check if the object can be created.
1511 # That is to say that it didn't depends other not yet created objects
1512 # If requisit can't be fullfilled it exists with 0
1513 # Then it will try to create the missing entry by creating doing
1514 # an ldb_message_diff between the object in the reference provision and
1515 # an empty object.
1516 # This resulting object is filtered to remove all the back link attribute
1517 # (ie. memberOf) as they will be created by the other linked object (ie.
1518 # the one with the member attribute)
1519 # All attributes specified in the attrNotCopied array are
1520 # also removed it's most of the time generated attributes
1522 # After missing entries have been added the update_partition function will
1523 # take care of object that exist but that need some update.
1524 # In order to do so the function update_present is called with the list
1525 # of object that are present in both provision and that might need an update.
1527 # This function handle first case mismatch so that the DN in the current
1528 # provision have the same case as in reference provision
1530 # It will then construct an associative array consiting of attributes as
1531 # key and invocationid as value( if the originating invocation id is
1532 # different from the invocation id of the current DC the value is -1 instead).
1534 # If the range of provision modified attributes is present, the function will
1535 # use the replMetadataProperty update method which is the following:
1536 # Removing attributes that should not be updated: rIDAvailablePool, objectSid,
1537 # creationTime, msDs-KeyVersionNumber, oEMInformation
1538 # Check for each attribute if its usn is within one of the modified by
1539 # provision range and if its originating id is the invocation id of the
1540 # current DC, then validate the update from reference to current.
1541 # If not or if there is no replMetatdataProperty for this attribute then we
1542 # do not update it.
1543 # Otherwise (case the range of provision modified attribute is not present) it
1544 # use the following process:
1545 # All attributes that need to be added are accepted at the exeption of those
1546 # listed in hashOverwrittenAtt, in this case the attribute needs to have the
1547 # correct flags specified.
1548 # For attributes that need to be modified or removed, a check is performed
1549 # in OverwrittenAtt, if the attribute is present and the modification flag
1550 # (remove, delete) is one of those listed for this attribute then modification
1551 # is accepted. For complicated handling of attribute update, the control is passed
1552 # to handle_special_case
1557 global defSDmodified
1560 # From here start the big steps of the program
1561 # 1) First get files paths
1563 # Get ldbs with the system session, it is needed for searching
1564 # provision parameters
1567 # This variable will hold the last provision USN once if it exists.
1569 # 2)
1577 # 3) Guess all the needed names (variables in fact) from the current
1578 # provision.
1581 # 4)
1603 message(SIMPLE, "Here is a list of changes that modified more than %d objects in 1 minute." % minobj)
1604 message(SIMPLE, "Usually changes made by provision and upgradeprovision are those who affect a couple"
1611 message(SIMPLE, "Once you applied/adapted the change(s) please restart the upgradeprovision script")
1614 # Objects will be created with the admin session
1615 # (not anymore system session)
1617 # So we reget handle on objects
1618 # ldbs = get_ldbs(paths, creds, adm_session, lp)
1622 "Check the messages and correct the errors "
1627 # Let's see provision parameters
1630 # 5) With all this information let's create a fresh new provision used as
1631 # reference
1636 provision_logger)
1639 # TODO
1640 # 6) and 7)
1641 # We need to get a list of object which SD is directly computed from
1642 # defaultSecurityDescriptor.
1643 # This will allow us to know which object we can rebuild the SD in case
1644 # of change of the parent's SD or of the defaultSD.
1645 # Get file paths of this new provision
1651 # 8) Populate some associative array to ease the update process
1652 # List of attribute which are link and backlink
1654 # List of attribute with ASN DN synthax)
1656 # 9) (now skipped, was copy of privileges.ldb)
1657 # 10)
1659 # Do some modification on sam.ldb
1663 # 11)
1666 # 11) A
1667 # Starting from alpha9 we can consider that the structure is quite ok
1668 # and that we should do only dela
1671 creds,
1672 session,
1673 lp,
1674 message)
1676 # 11) B
1685 # 12)
1687 # We create a closure that will be invoked just before schema reload
1698 continue
1711 # 13)
1723 # Try to reapply the change also when we do not change the sam
1724 # as the delta_upgrade
1732 "dynamic DNS, but you didn't supply --full so "
1738 # 14)
1740 # 14bis)
1751 "If you were using Dynamic DNS before you need "
1752 "to update your configuration, so that the "
1753 "tkey-gssapi-credential has the following value: "
1756 # 15)
1760 # 16) SD should be created with admin but as some previous acl were so wrong
1761 # that admin can't modify them we have first to recreate them with the good
1762 # form but with system account and then give the ownership to admin ...
1767 # We calculate the max USN before recalculating the SD because we might
1768 # touch object that have been modified after a provision and we do not
1769 # want that the next upgradeprovision thinks that it has a green light
1770 # to modify them
1772 # 17)
1775 # 18) We rebuild SD if a we have a list of DN to recalculate or if the
1776 # defSDmodified is set.
1783 # 19)
1784 # Now we are quite confident in the recalculate process of the SD, we make
1785 # it optional. And we don't do it if there is DN that we must touch
1786 # as we are assured that on this DNs we will have differences !
1787 # Also the check must be done in a clever way as for the moment we just
1788 # compare SDDL
1793 # 20)
1795 # 21)
1797 # 22)
1812 # remove reference provision now that everything is done !
1813 # So we have reindexed first if need when the merged schema was reloaded
1814 # (as new attributes could have quick in)
1815 # But the second part of the update (when we update existing objects
1816 # can also have an influence on indexing as some attribute might have their
1817 # searchflag modificated