search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-upgradeprovision: improve message output
[Samba/gebeck_regimport.git] / source4 / scripting / python / samba / upgradehelpers.py
blobe15523033fb82c1fc43f37331d0e2e43cc81eec3
1 #!/usr/bin/env python
2 #
3 # Helpers for provision stuff
4 # Copyright (C) Matthieu Patou <mat@matws.net> 2009-2010
5 #
6 # Based on provision a Samba4 server by
7 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
8 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
9 #
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
15 #
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23
24 """Helpers used for upgrading between different database formats."""
25
26 import os
27 import re
28 import shutil
29 import samba
30
31 from samba import Ldb, version, ntacls
32 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE
33 import ldb
34 from samba.provision import (provision_paths_from_lp,
35 getpolicypath, set_gpos_acl, create_gpo_struct,
36 FILL_FULL, provision, ProvisioningError,
37 setsysvolacl, secretsdb_self_join)
38 from samba.dcerpc import xattr
39 from samba.dcerpc.misc import SEC_CHAN_BDC
40 from samba.samdb import SamDB
41
42 # All the ldb related to registry are commented because the path for them is
43 # relative in the provisionPath object
44 # And so opening them create a file in the current directory which is not what
45 # we want
46 # I still keep them commented because I plan soon to make more cleaner
47 ERROR = -1
48 SIMPLE = 0x00
49 CHANGE = 0x01
50 CHANGESD = 0x02
51 GUESS = 0x04
52 PROVISION = 0x08
53 CHANGEALL = 0xff
54
55 hashAttrNotCopied = set(["dn", "whenCreated", "whenChanged", "objectGUID",
56 "uSNCreated", "replPropertyMetaData", "uSNChanged", "parentGUID",
57 "objectCategory", "distinguishedName", "nTMixedDomain",
58 "showInAdvancedViewOnly", "instanceType", "msDS-Behavior-Version",
59 "nextRid", "cn", "versionNumber", "lmPwdHistory", "pwdLastSet",
60 "ntPwdHistory", "unicodePwd","dBCSPwd", "supplementalCredentials",
61 "gPCUserExtensionNames", "gPCMachineExtensionNames","maxPwdAge", "secret",
62 "possibleInferiors", "privilege", "sAMAccountType"])
63
64
65 class ProvisionLDB(object):
66
67 def __init__(self):
68 self.sam = None
69 self.secrets = None
70 self.idmap = None
71 self.privilege = None
72 self.hkcr = None
73 self.hkcu = None
74 self.hku = None
75 self.hklm = None
76
77 def startTransactions(self):
78 self.sam.transaction_start()
79 self.secrets.transaction_start()
80 self.idmap.transaction_start()
81 self.privilege.transaction_start()
82 # TO BE DONE
83 # self.hkcr.transaction_start()
84 # self.hkcu.transaction_start()
85 # self.hku.transaction_start()
86 # self.hklm.transaction_start()
87
88 def groupedRollback(self):
89 ok = True
90 try:
91 self.sam.transaction_cancel()
92 except Exception:
93 ok = False
94
95 try:
96 self.secrets.transaction_cancel()
97 except Exception:
98 ok = False
99
100 try:
101 self.idmap.transaction_cancel()
102 except Exception:
103 ok = False
104
105 try:
106 self.privilege.transaction_cancel()
107 except Exception:
108 ok = False
109
110 return ok
111 # TO BE DONE
112 # self.hkcr.transaction_cancel()
113 # self.hkcu.transaction_cancel()
114 # self.hku.transaction_cancel()
115 # self.hklm.transaction_cancel()
116
117 def groupedCommit(self):
118 try:
119 self.sam.transaction_prepare_commit()
120 self.secrets.transaction_prepare_commit()
121 self.idmap.transaction_prepare_commit()
122 self.privilege.transaction_prepare_commit()
123 except Exception:
124 return self.groupedRollback()
125 # TO BE DONE
126 # self.hkcr.transaction_prepare_commit()
127 # self.hkcu.transaction_prepare_commit()
128 # self.hku.transaction_prepare_commit()
129 # self.hklm.transaction_prepare_commit()
130 try:
131 self.sam.transaction_commit()
132 self.secrets.transaction_commit()
133 self.idmap.transaction_commit()
134 self.privilege.transaction_commit()
135 except Exception:
136 return self.groupedRollback()
137
138 # TO BE DONE
139 # self.hkcr.transaction_commit()
140 # self.hkcu.transaction_commit()
141 # self.hku.transaction_commit()
142 # self.hklm.transaction_commit()
143 return True
144
145 def get_ldbs(paths, creds, session, lp):
146 """Return LDB object mapped on most important databases
147
148 :param paths: An object holding the different importants paths for provision object
149 :param creds: Credential used for openning LDB files
150 :param session: Session to use for openning LDB files
151 :param lp: A loadparam object
152 :return: A ProvisionLDB object that contains LDB object for the different LDB files of the provision"""
153
154 ldbs = ProvisionLDB()
155
156 ldbs.sam = SamDB(paths.samdb, session_info=session, credentials=creds, lp=lp, options=["modules:samba_dsdb"])
157 ldbs.secrets = Ldb(paths.secrets, session_info=session, credentials=creds, lp=lp)
158 ldbs.idmap = Ldb(paths.idmapdb, session_info=session, credentials=creds, lp=lp)
159 ldbs.privilege = Ldb(paths.privilege, session_info=session, credentials=creds, lp=lp)
160 # ldbs.hkcr = Ldb(paths.hkcr, session_info=session, credentials=creds, lp=lp)
161 # ldbs.hkcu = Ldb(paths.hkcu, session_info=session, credentials=creds, lp=lp)
162 # ldbs.hku = Ldb(paths.hku, session_info=session, credentials=creds, lp=lp)
163 # ldbs.hklm = Ldb(paths.hklm, session_info=session, credentials=creds, lp=lp)
164
165 return ldbs
166
167
168 def usn_in_range(usn, range):
169 """Check if the usn is in one of the range provided.
170 To do so, the value is checked to be between the lower bound and
171 higher bound of a range
172
173 :param usn: A integer value corresponding to the usn that we want to update
174 :param range: A list of integer representing ranges, lower bounds are in
175 the even indices, higher in odd indices
176 :return: True if the usn is in one of the range, False otherwise
177 """
178
179 idx = 0
180 cont = True
181 ok = False
182 while cont:
183 if idx == len(range):
184 cont = False
185 continue
186 if usn < int(range[idx]):
187 if idx %2 == 1:
188 ok = True
189 cont = False
190 if usn == int(range[idx]):
191 cont = False
192 ok = True
193 idx = idx + 1
194 return ok
195
196
197 def get_paths(param, targetdir=None, smbconf=None):
198 """Get paths to important provision objects (smb.conf, ldb files, ...)
199
200 :param param: Param object
201 :param targetdir: Directory where the provision is (or will be) stored
202 :param smbconf: Path to the smb.conf file
203 :return: A list with the path of important provision objects"""
204 if targetdir is not None:
205 etcdir = os.path.join(targetdir, "etc")
206 if not os.path.exists(etcdir):
207 os.makedirs(etcdir)
208 smbconf = os.path.join(etcdir, "smb.conf")
209 if smbconf is None:
210 smbconf = param.default_path()
211
212 if not os.path.exists(smbconf):
213 raise ProvisioningError("Unable to find smb.conf")
214
215 lp = param.LoadParm()
216 lp.load(smbconf)
217 paths = provision_paths_from_lp(lp, lp.get("realm"))
218 return paths
219
220 def update_policyids(names, samdb):
221 """Update policy ids that could have changed after sam update
222
223 :param names: List of key provision parameters
224 :param samdb: An Ldb object conntected with the sam DB
225 """
226 # policy guid
227 res = samdb.search(expression="(displayName=Default Domain Policy)",
228 base="CN=Policies,CN=System," + str(names.rootdn),
229 scope=SCOPE_ONELEVEL, attrs=["cn","displayName"])
230 names.policyid = str(res[0]["cn"]).replace("{","").replace("}","")
231 # dc policy guid
232 res2 = samdb.search(expression="(displayName=Default Domain Controllers"
233 " Policy)",
234 base="CN=Policies,CN=System," + str(names.rootdn),
235 scope=SCOPE_ONELEVEL, attrs=["cn","displayName"])
236 if len(res2) == 1:
237 names.policyid_dc = str(res2[0]["cn"]).replace("{","").replace("}","")
238 else:
239 names.policyid_dc = None
240
241
242 def newprovision(names, creds, session, smbconf, provdir, logger):
243 """Create a new provision.
244
245 This provision will be the reference for knowing what has changed in the
246 since the latest upgrade in the current provision
247
248 :param names: List of provision parameters
249 :param creds: Credentials for the authentification
250 :param session: Session object
251 :param smbconf: Path to the smb.conf file
252 :param provdir: Directory where the provision will be stored
253 :param logger: A Logger
254 """
255 if os.path.isdir(provdir):
256 shutil.rmtree(provdir)
257 os.mkdir(provdir)
258 logger.info("Provision stored in %s", provdir)
259 provision(logger, session, creds, smbconf=smbconf,
260 targetdir=provdir, samdb_fill=FILL_FULL, realm=names.realm,
261 domain=names.domain, domainguid=names.domainguid,
262 domainsid=str(names.domainsid), ntdsguid=names.ntdsguid,
263 policyguid=names.policyid, policyguid_dc=names.policyid_dc,
264 hostname=names.netbiosname.lower(), hostip=None, hostip6=None,
265 invocationid=names.invocation, adminpass=names.adminpass,
266 krbtgtpass=None, machinepass=None, dnspass=None, root=None,
267 nobody=None, wheel=None, users=None,
268 serverrole="domain controller", ldap_backend_extra_port=None,
269 backend_type=None, ldapadminpass=None, ol_mmr_urls=None,
270 slapd_path=None, setup_ds_path=None, nosync=None,
271 dom_for_fun_level=names.domainlevel,
272 ldap_dryrun_mode=None, useeadb=True)
273
274
275 def dn_sort(x, y):
276 """Sorts two DNs in the lexicographical order it and put higher level DN
277 before.
278
279 So given the dns cn=bar,cn=foo and cn=foo the later will be return as
280 smaller
281
282 :param x: First object to compare
283 :param y: Second object to compare
284 """
285 p = re.compile(r'(?<!\\), ?')
286 tab1 = p.split(str(x))
287 tab2 = p.split(str(y))
288 minimum = min(len(tab1), len(tab2))
289 len1 = len(tab1)-1
290 len2 = len(tab2)-1
291 # Note: python range go up to upper limit but do not include it
292 for i in range(0, minimum):
293 ret = cmp(tab1[len1-i], tab2[len2-i])
294 if ret != 0:
295 return ret
296 else:
297 if i == minimum-1:
298 assert len1!=len2,"PB PB PB" + " ".join(tab1)+" / " + " ".join(tab2)
299 if len1 > len2:
300 return 1
301 else:
302 return -1
303 return ret
304
305
306 def identic_rename(ldbobj, dn):
307 """Perform a back and forth rename to trigger renaming on attribute that
308 can't be directly modified.
309
310 :param lbdobj: An Ldb Object
311 :param dn: DN of the object to manipulate
312 """
313 (before, after) = str(dn).split('=', 1)
314 # we need to use relax to avoid the subtree_rename constraints
315 ldbobj.rename(dn, ldb.Dn(ldbobj, "%s=foo%s" % (before, after)), ["relax:0"])
316 ldbobj.rename(ldb.Dn(ldbobj, "%s=foo%s" % (before, after)), dn, ["relax:0"])
317
318
319 def chunck_acl(acl):
320 """Return separate ACE of an ACL
321
322 :param acl: A string representing the ACL
323 :return: A hash with different parts
324 """
325
326 p = re.compile(r'(\w+)?(\(.*?\))')
327 tab = p.findall(acl)
328
329 hash = {}
330 hash["aces"] = []
331 for e in tab:
332 if len(e[0]) > 0:
333 hash["flags"] = e[0]
334 hash["aces"].append(e[1])
335
336 return hash
337
338
339 def chunck_sddl(sddl):
340 """ Return separate parts of the SDDL (owner, group, ...)
341
342 :param sddl: An string containing the SDDL to chunk
343 :return: A hash with the different chunk
344 """
345
346 p = re.compile(r'([OGDS]:)(.*?)(?=(?:[GDS]:|$))')
347 tab = p.findall(sddl)
348
349 hash = {}
350 for e in tab:
351 if e[0] == "O:":
352 hash["owner"] = e[1]
353 if e[0] == "G:":
354 hash["group"] = e[1]
355 if e[0] == "D:":
356 hash["dacl"] = e[1]
357 if e[0] == "S:":
358 hash["sacl"] = e[1]
359
360 return hash
361
362
363 def get_diff_sddls(refsddl, cursddl, checkSacl = True):
364 """Get the difference between 2 sddl
365
366 This function split the textual representation of ACL into smaller
367 chunck in order to not to report a simple permutation as a difference
368
369 :param refsddl: First sddl to compare
370 :param cursddl: Second sddl to compare
371 :param checkSacl: If false we skip the sacl checks
372 :return: A string that explain difference between sddls
373 """
374
375 txt = ""
376 hash_cur = chunck_sddl(cursddl)
377 hash_ref = chunck_sddl(refsddl)
378
379 if not hash_cur.has_key("owner"):
380 txt = "\tNo owner in current SD"
381 elif hash_cur["owner"] != hash_ref["owner"]:
382 txt = "\tOwner mismatch: %s (in ref) %s" \
383 "(in current)\n" % (hash_ref["owner"], hash_cur["owner"])
384
385 if not hash_cur.has_key("group"):
386 txt = "%s\tNo group in current SD" % txt
387 elif hash_cur["group"] != hash_ref["group"]:
388 txt = "%s\tGroup mismatch: %s (in ref) %s" \
389 "(in current)\n" % (txt, hash_ref["group"], hash_cur["group"])
390
391 parts = [ "dacl" ]
392 if checkSacl:
393 parts.append("sacl")
394 for part in parts:
395 if hash_cur.has_key(part) and hash_ref.has_key(part):
396
397 # both are present, check if they contain the same ACE
398 h_cur = set()
399 h_ref = set()
400 c_cur = chunck_acl(hash_cur[part])
401 c_ref = chunck_acl(hash_ref[part])
402
403 for elem in c_cur["aces"]:
404 h_cur.add(elem)
405
406 for elem in c_ref["aces"]:
407 h_ref.add(elem)
408
409 for k in set(h_ref):
410 if k in h_cur:
411 h_cur.remove(k)
412 h_ref.remove(k)
413
414 if len(h_cur) + len(h_ref) > 0:
415 txt = "%s\tPart %s is different between reference" \
416 " and current here is the detail:\n" % (txt, part)
417
418 for item in h_cur:
419 txt = "%s\t\t%s ACE is not present in the" \
420 " reference\n" % (txt, item)
421
422 for item in h_ref:
423 txt = "%s\t\t%s ACE is not present in the" \
424 " current\n" % (txt, item)
425
426 elif hash_cur.has_key(part) and not hash_ref.has_key(part):
427 txt = "%s\tReference ACL hasn't a %s part\n" % (txt, part)
428 elif not hash_cur.has_key(part) and hash_ref.has_key(part):
429 txt = "%s\tCurrent ACL hasn't a %s part\n" % (txt, part)
430
431 return txt
432
433
434 def update_secrets(newsecrets_ldb, secrets_ldb, messagefunc):
435 """Update secrets.ldb
436
437 :param newsecrets_ldb: An LDB object that is connected to the secrets.ldb
438 of the reference provision
439 :param secrets_ldb: An LDB object that is connected to the secrets.ldb
440 of the updated provision
441 """
442
443 messagefunc(SIMPLE, "Update of secrets.ldb")
444 reference = newsecrets_ldb.search(expression="dn=@MODULES", base="",
445 scope=SCOPE_SUBTREE)
446 current = secrets_ldb.search(expression="dn=@MODULES", base="",
447 scope=SCOPE_SUBTREE)
448 assert reference, "Reference modules list can not be empty"
449 if len(current) == 0:
450 # No modules present
451 delta = secrets_ldb.msg_diff(ldb.Message(), reference[0])
452 delta.dn = reference[0].dn
453 secrets_ldb.add(reference[0])
454 else:
455 delta = secrets_ldb.msg_diff(current[0], reference[0])
456 delta.dn = current[0].dn
457 secrets_ldb.modify(delta)
458
459 reference = newsecrets_ldb.search(expression="objectClass=top", base="",
460 scope=SCOPE_SUBTREE, attrs=["dn"])
461 current = secrets_ldb.search(expression="objectClass=top", base="",
462 scope=SCOPE_SUBTREE, attrs=["dn"])
463 hash_new = {}
464 hash = {}
465 listMissing = []
466 listPresent = []
467
468 empty = ldb.Message()
469 for i in range(0, len(reference)):
470 hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
471
472 # Create a hash for speeding the search of existing object in the
473 # current provision
474 for i in range(0, len(current)):
475 hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
476
477 for k in hash_new.keys():
478 if not hash.has_key(k):
479 listMissing.append(hash_new[k])
480 else:
481 listPresent.append(hash_new[k])
482
483 for entry in listMissing:
484 reference = newsecrets_ldb.search(expression="dn=%s" % entry,
485 base="", scope=SCOPE_SUBTREE)
486 current = secrets_ldb.search(expression="dn=%s" % entry,
487 base="", scope=SCOPE_SUBTREE)
488 delta = secrets_ldb.msg_diff(empty, reference[0])
489 for att in hashAttrNotCopied:
490 delta.remove(att)
491 messagefunc(CHANGE, "Entry %s is missing from secrets.ldb" %
492 reference[0].dn)
493 for att in delta:
494 messagefunc(CHANGE, " Adding attribute %s" % att)
495 delta.dn = reference[0].dn
496 secrets_ldb.add(delta)
497
498 for entry in listPresent:
499 reference = newsecrets_ldb.search(expression="dn=%s" % entry,
500 base="", scope=SCOPE_SUBTREE)
501 current = secrets_ldb.search(expression="dn=%s" % entry, base="",
502 scope=SCOPE_SUBTREE)
503 delta = secrets_ldb.msg_diff(current[0], reference[0])
504 for att in hashAttrNotCopied:
505 delta.remove(att)
506 for att in delta:
507 if att == "name":
508 messagefunc(CHANGE, "Found attribute name on %s,"
509 " must rename the DN" % (current[0].dn))
510 identic_rename(secrets_ldb, reference[0].dn)
511 else:
512 delta.remove(att)
513
514 for entry in listPresent:
515 reference = newsecrets_ldb.search(expression="dn=%s" % entry, base="",
516 scope=SCOPE_SUBTREE)
517 current = secrets_ldb.search(expression="dn=%s" % entry, base="",
518 scope=SCOPE_SUBTREE)
519 delta = secrets_ldb.msg_diff(current[0], reference[0])
520 for att in hashAttrNotCopied:
521 delta.remove(att)
522 for att in delta:
523 if att == "msDS-KeyVersionNumber":
524 delta.remove(att)
525 if att != "dn":
526 messagefunc(CHANGE,
527 "Adding/Changing attribute %s to %s" %
528 (att, current[0].dn))
529
530 delta.dn = current[0].dn
531 secrets_ldb.modify(delta)
532
533 res2 = secrets_ldb.search(expression="(samaccountname=dns)",
534 scope=SCOPE_SUBTREE, attrs=["dn"])
535
536 if (len(res2) == 1):
537 messagefunc(SIMPLE, "Remove old dns account")
538 secrets_ldb.delete(res2[0]["dn"])
539
540
541 def getOEMInfo(samdb, rootdn):
542 """Return OEM Information on the top level Samba4 use to store version
543 info in this field
544
545 :param samdb: An LDB object connect to sam.ldb
546 :param rootdn: Root DN of the domain
547 :return: The content of the field oEMInformation (if any)
548 """
549 res = samdb.search(expression="(objectClass=*)", base=str(rootdn),
550 scope=SCOPE_BASE, attrs=["dn", "oEMInformation"])
551 if len(res) > 0 and res[0].get("oEMInformation"):
552 info = res[0]["oEMInformation"]
553 return info
554 else:
555 return ""
556
557
558 def updateOEMInfo(samdb, rootdn):
559 """Update the OEMinfo field to add information about upgrade
560
561 :param samdb: an LDB object connected to the sam DB
562 :param rootdn: The string representation of the root DN of
563 the provision (ie. DC=...,DC=...)
564 """
565 res = samdb.search(expression="(objectClass=*)", base=rootdn,
566 scope=SCOPE_BASE, attrs=["dn", "oEMInformation"])
567 if len(res) > 0:
568 if res[0].get("oEMInformation"):
569 info = str(res[0]["oEMInformation"])
570 else:
571 info = ""
572 info = "%s, upgrade to %s" % (info, version)
573 delta = ldb.Message()
574 delta.dn = ldb.Dn(samdb, str(res[0]["dn"]))
575 delta["oEMInformation"] = ldb.MessageElement(info, ldb.FLAG_MOD_REPLACE,
576 "oEMInformation" )
577 samdb.modify(delta)
578
579 def update_gpo(paths, samdb, names, lp, message, force=0):
580 """Create missing GPO file object if needed
581
582 Set ACL correctly also.
583 Check ACLs for sysvol/netlogon dirs also
584 """
585 resetacls = False
586 try:
587 ntacls.checkset_backend(lp, None, None)
588 eadbname = lp.get("posix:eadb")
589 if eadbname is not None and eadbname != "":
590 try:
591 attribute = samba.xattr_tdb.wrap_getxattr(eadbname,
592 paths.sysvol, xattr.XATTR_NTACL_NAME)
593 except Exception:
594 attribute = samba.xattr_native.wrap_getxattr(paths.sysvol,
595 xattr.XATTR_NTACL_NAME)
596 else:
597 attribute = samba.xattr_native.wrap_getxattr(paths.sysvol,
598 xattr.XATTR_NTACL_NAME)
599 except Exception:
600 resetacls = True
601
602 if force:
603 resetacls = True
604
605 dir = getpolicypath(paths.sysvol, names.dnsdomain, names.policyid)
606 if not os.path.isdir(dir):
607 create_gpo_struct(dir)
608
609 if names.policyid_dc is None:
610 raise ProvisioningError("Policy ID for Domain controller is missing")
611 dir = getpolicypath(paths.sysvol, names.dnsdomain, names.policyid_dc)
612 if not os.path.isdir(dir):
613 create_gpo_struct(dir)
614 # We always reinforce acls on GPO folder because they have to be in sync
615 # with the one in DS
616 try:
617 set_gpos_acl(paths.sysvol, names.dnsdomain, names.domainsid,
618 names.domaindn, samdb, lp)
619 except TypeError, e:
620 message(ERROR, "Unable to set ACLs on policies related objects,"
621 " if not using posix:eadb, you must be root to do it")
622
623 if resetacls:
624 try:
625 setsysvolacl(samdb, paths.netlogon, paths.sysvol, names.wheel_gid,
626 names.domainsid, names.dnsdomain, names.domaindn, lp)
627 except TypeError, e:
628 message(ERROR, "Unable to set ACLs on sysvol share, if not using"
629 "posix:eadb, you must be root to do it")
630
631 def increment_calculated_keyversion_number(samdb, rootdn, hashDns):
632 """For a given hash associating dn and a number, this function will
633 update the replPropertyMetaData of each dn in the hash, so that the
634 calculated value of the msDs-KeyVersionNumber is equal or superior to the
635 one associated to the given dn.
636
637 :param samdb: An SamDB object pointing to the sam
638 :param rootdn: The base DN where we want to start
639 :param hashDns: A hash with dn as key and number representing the
640 minimum value of msDs-KeyVersionNumber that we want to
641 have
642 """
643 entry = samdb.search(expression='(objectClass=user)',
644 base=ldb.Dn(samdb,str(rootdn)),
645 scope=SCOPE_SUBTREE, attrs=["msDs-KeyVersionNumber"],
646 controls=["search_options:1:2"])
647 done = 0
648 hashDone = {}
649 if len(entry) == 0:
650 raise ProvisioningError("Unable to find msDs-KeyVersionNumber")
651 else:
652 for e in entry:
653 if hashDns.has_key(str(e.dn).lower()):
654 val = e.get("msDs-KeyVersionNumber")
655 if not val:
656 val = "0"
657 version = int(str(hashDns[str(e.dn).lower()]))
658 if int(str(val)) < version:
659 done = done + 1
660 samdb.set_attribute_replmetadata_version(str(e.dn),
661 "unicodePwd",
662 version, True)
663 def delta_update_basesamdb(refsampath, sampath, creds, session, lp, message):
664 """Update the provision container db: sam.ldb
665 This function is aimed for alpha9 and newer;
666
667 :param refsampath: Path to the samdb in the reference provision
668 :param sampath: Path to the samdb in the upgraded provision
669 :param creds: Credential used for openning LDB files
670 :param session: Session to use for openning LDB files
671 :param lp: A loadparam object
672 :return: A msg_diff object with the difference between the @ATTRIBUTES
673 of the current provision and the reference provision
674 """
675
676 message(SIMPLE,
677 "Update base samdb by searching difference with reference one")
678 refsam = Ldb(refsampath, session_info=session, credentials=creds,
679 lp=lp, options=["modules:"])
680 sam = Ldb(sampath, session_info=session, credentials=creds, lp=lp,
681 options=["modules:"])
682
683 empty = ldb.Message()
684 deltaattr = None
685 reference = refsam.search(expression="")
686
687 for refentry in reference:
688 entry = sam.search(expression="dn=%s" % refentry["dn"],
689 scope=SCOPE_SUBTREE)
690 if not len(entry):
691 delta = sam.msg_diff(empty, refentry)
692 message(CHANGE, "Adding %s to sam db" % str(refentry.dn))
693 if str(refentry.dn) == "@PROVISION" and\
694 delta.get(samba.provision.LAST_PROVISION_USN_ATTRIBUTE):
695 delta.remove(samba.provision.LAST_PROVISION_USN_ATTRIBUTE)
696 delta.dn = refentry.dn
697 sam.add(delta)
698 else:
699 delta = sam.msg_diff(entry[0], refentry)
700 if str(refentry.dn) == "@ATTRIBUTES":
701 deltaattr = sam.msg_diff(refentry, entry[0])
702 if str(refentry.dn) == "@PROVISION" and\
703 delta.get(samba.provision.LAST_PROVISION_USN_ATTRIBUTE):
704 delta.remove(samba.provision.LAST_PROVISION_USN_ATTRIBUTE)
705 if len(delta.items()) > 1:
706 delta.dn = refentry.dn
707 sam.modify(delta)
708
709 return deltaattr
710
711
712 def construct_existor_expr(attrs):
713 """Construct a exists or LDAP search expression.
714
715 :param attrs: List of attribute on which we want to create the search
716 expression.
717 :return: A string representing the expression, if attrs is empty an
718 empty string is returned
719 """
720 expr = ""
721 if len(attrs) > 0:
722 expr = "(|"
723 for att in attrs:
724 expr = "%s(%s=*)"%(expr,att)
725 expr = "%s)"%expr
726 return expr
727
728 def update_machine_account_password(samdb, secrets_ldb, names):
729 """Update (change) the password of the current DC both in the SAM db and in
730 secret one
731
732 :param samdb: An LDB object related to the sam.ldb file of a given provision
733 :param secrets_ldb: An LDB object related to the secrets.ldb file of a given
734 provision
735 :param names: List of key provision parameters"""
736
737 expression = "samAccountName=%s$" % names.netbiosname
738 secrets_msg = secrets_ldb.search(expression=expression,
739 attrs=["secureChannelType"])
740 if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
741 res = samdb.search(expression=expression, attrs=[])
742 assert(len(res) == 1)
743
744 msg = ldb.Message(res[0].dn)
745 machinepass = samba.generate_random_password(128, 255)
746 mputf16 = machinepass.encode('utf-16-le')
747 msg["clearTextPassword"] = ldb.MessageElement(mputf16,
748 ldb.FLAG_MOD_REPLACE,
749 "clearTextPassword")
750 samdb.modify(msg)
751
752 res = samdb.search(expression=("samAccountName=%s$" % names.netbiosname),
753 attrs=["msDs-keyVersionNumber"])
754 assert(len(res) == 1)
755 kvno = int(str(res[0]["msDs-keyVersionNumber"]))
756 secChanType = int(secrets_msg[0]["secureChannelType"][0])
757
758 secretsdb_self_join(secrets_ldb, domain=names.domain,
759 realm=names.realm,
760 domainsid=names.domainsid,
761 dnsdomain=names.dnsdomain,
762 netbiosname=names.netbiosname,
763 machinepass=machinepass,
764 key_version_number=kvno,
765 secure_channel_type=secChanType)
766 else:
767 raise ProvisioningError("Unable to find a Secure Channel"
768 "of type SEC_CHAN_BDC")
769
770 def update_dns_account_password(samdb, secrets_ldb, names):
771 """Update (change) the password of the dns both in the SAM db and in
772 secret one
773
774 :param samdb: An LDB object related to the sam.ldb file of a given provision
775 :param secrets_ldb: An LDB object related to the secrets.ldb file of a given
776 provision
777 :param names: List of key provision parameters"""
778
779 expression = "samAccountName=dns-%s" % names.netbiosname
780 secrets_msg = secrets_ldb.search(expression=expression)
781 if len(secrets_msg) == 1:
782 res = samdb.search(expression=expression, attrs=[])
783 assert(len(res) == 1)
784
785 msg = ldb.Message(res[0].dn)
786 machinepass = samba.generate_random_password(128, 255)
787 mputf16 = machinepass.encode('utf-16-le')
788 msg["clearTextPassword"] = ldb.MessageElement(mputf16,
789 ldb.FLAG_MOD_REPLACE,
790 "clearTextPassword")
791
792 samdb.modify(msg)
793
794 res = samdb.search(expression=expression,
795 attrs=["msDs-keyVersionNumber"])
796 assert(len(res) == 1)
797 kvno = str(res[0]["msDs-keyVersionNumber"])
798
799 msg = ldb.Message(secrets_msg[0].dn)
800 msg["secret"] = ldb.MessageElement(machinepass,
801 ldb.FLAG_MOD_REPLACE,
802 "secret")
803 msg["msDS-KeyVersionNumber"] = ldb.MessageElement(kvno,
804 ldb.FLAG_MOD_REPLACE,
805 "msDS-KeyVersionNumber")
806
807 secrets_ldb.modify(msg)
808 else:
809 raise ProvisioningError("Unable to find an object"
810 " with %s" % expression )
811
812 def search_constructed_attrs_stored(samdb, rootdn, attrs):
813 """Search a given sam DB for calculated attributes that are
814 still stored in the db.
815
816 :param samdb: An LDB object pointing to the sam
817 :param rootdn: The base DN where the search should start
818 :param attrs: A list of attributes to be searched
819 :return: A hash with attributes as key and an array of
820 array. Each array contains the dn and the associated
821 values for this attribute as they are stored in the
822 sam."""
823
824 hashAtt = {}
825 expr = construct_existor_expr(attrs)
826 if expr == "":
827 return hashAtt
828 entry = samdb.search(expression=expr, base=ldb.Dn(samdb, str(rootdn)),
829 scope=SCOPE_SUBTREE, attrs=attrs,
830 controls=["search_options:1:2","bypassoperational:0"])
831 if len(entry) == 0:
832 # Nothing anymore
833 return hashAtt
834
835 for ent in entry:
836 for att in attrs:
837 if ent.get(att):
838 if hashAtt.has_key(att):
839 hashAtt[att][str(ent.dn).lower()] = str(ent[att])
840 else:
841 hashAtt[att] = {}
842 hashAtt[att][str(ent.dn).lower()] = str(ent[att])
843
844 return hashAtt
845
846 def int64range2str(value):
847 """Display the int64 range stored in value as xxx-yyy
848
849 :param value: The int64 range
850 :return: A string of the representation of the range
851 """
852
853 lvalue = long(value)
854 str = "%d-%d" % (lvalue&0xFFFFFFFF, lvalue>>32)
855 return str
reg import