search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
samba_upgradeprovision: only run rebuild_sd in --full mode
[Samba/gebeck_regimport.git] / source4 / scripting / bin / samba_upgradeprovision
blobc3c0c4e8f98801ebe878604abf54cb5812a52e88
1 #!/usr/bin/env python
2 # vim: expandtab
3 #
4 # Copyright (C) Matthieu Patou <mat@matws.net> 2009 - 2010
5 #
6 # Based on provision a Samba4 server by
7 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
8 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
9 #
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
15 #
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23
24
25 import logging
26 import optparse
27 import os
28 import shutil
29 import sys
30 import tempfile
31 import re
32 import traceback
33 # Allow to run from s4 source directory (without installing samba)
34 sys.path.insert(0, "bin/python")
35
36 import ldb
37 import samba
38 import samba.getopt as options
39
40 from base64 import b64encode
41 from samba.credentials import DONT_USE_KERBEROS
42 from samba.auth import system_session, admin_session
43 from samba import tdb_util
44 from ldb import (SCOPE_SUBTREE, SCOPE_BASE,
45 FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE,
46 MessageElement, Message, Dn, LdbError)
47 from samba import param, dsdb, Ldb
48 from samba.common import confirm
49 from samba.provision import (find_provision_key_parameters,
50 get_empty_descriptor,
51 get_config_descriptor,
52 get_config_partitions_descriptor,
53 get_config_sites_descriptor,
54 get_config_ntds_quotas_descriptor,
55 get_config_delete_protected1_descriptor,
56 get_config_delete_protected1wd_descriptor,
57 get_config_delete_protected2_descriptor,
58 get_domain_descriptor,
59 get_domain_infrastructure_descriptor,
60 get_domain_builtin_descriptor,
61 get_domain_computers_descriptor,
62 get_domain_users_descriptor,
63 get_domain_controllers_descriptor,
64 get_domain_delete_protected1_descriptor,
65 get_domain_delete_protected2_descriptor,
66 get_dns_partition_descriptor,
67 get_dns_forest_microsoft_dns_descriptor,
68 get_dns_domain_microsoft_dns_descriptor,
69 ProvisioningError, get_last_provision_usn,
70 get_max_usn, update_provision_usn, setup_path)
71 from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
72 from samba.dcerpc import security, drsblobs
73 from samba.dcerpc.security import (
74 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
75 from samba.ndr import ndr_unpack
76 from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
77 get_ldbs, findprovisionrange,
78 usn_in_range, identic_rename, get_diff_sds,
79 update_secrets, CHANGE, ERROR, SIMPLE,
80 CHANGEALL, GUESS, CHANGESD, PROVISION,
81 updateOEMInfo, getOEMInfo, update_gpo,
82 delta_update_basesamdb, update_policyids,
83 update_machine_account_password,
84 search_constructed_attrs_stored,
85 int64range2str, update_dns_account_password,
86 increment_calculated_keyversion_number,
87 print_provision_ranges)
88 from samba.xattr import copytree_with_xattrs
89
90 # make sure the script dies immediately when hitting control-C,
91 # rather than raising KeyboardInterrupt. As we do all database
92 # operations using transactions, this is safe.
93 import signal
94 signal.signal(signal.SIGINT, signal.SIG_DFL)
95
96 replace=2**FLAG_MOD_REPLACE
97 add=2**FLAG_MOD_ADD
98 delete=2**FLAG_MOD_DELETE
99 never=0
100
101
102 # Will be modified during provision to tell if default sd has been modified
103 # somehow ...
104
105 #Errors are always logged
106
107 __docformat__ = "restructuredText"
108
109 # Attributes that are never copied from the reference provision (even if they
110 # do not exist in the destination object).
111 # This is most probably because they are populated automatcally when object is
112 # created
113 # This also apply to imported object from reference provision
114 replAttrNotCopied = [ "dn", "whenCreated", "whenChanged", "objectGUID",
115 "parentGUID", "objectCategory", "distinguishedName",
116 "instanceType", "cn",
117 "lmPwdHistory", "pwdLastSet", "ntPwdHistory",
118 "unicodePwd", "dBCSPwd", "supplementalCredentials",
119 "gPCUserExtensionNames", "gPCMachineExtensionNames",
120 "maxPwdAge", "secret", "possibleInferiors", "privilege",
121 "sAMAccountType", "oEMInformation", "creationTime" ]
122
123 nonreplAttrNotCopied = ["uSNCreated", "replPropertyMetaData", "uSNChanged",
124 "nextRid" ,"rIDNextRID", "rIDPreviousAllocationPool"]
125
126 nonDSDBAttrNotCopied = ["msDS-KeyVersionNumber", "priorSecret", "priorWhenChanged"]
127
128
129 attrNotCopied = replAttrNotCopied
130 attrNotCopied.extend(nonreplAttrNotCopied)
131 attrNotCopied.extend(nonDSDBAttrNotCopied)
132 # Usually for an object that already exists we do not overwrite attributes as
133 # they might have been changed for good reasons. Anyway for a few of them it's
134 # mandatory to replace them otherwise the provision will be broken somehow.
135 # But for attribute that are just missing we do not have to specify them as the default
136 # behavior is to add missing attribute
137 hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace,
138 "systemOnly":replace, "searchFlags":replace,
139 "mayContain":replace, "systemFlags":replace+add,
140 "description":replace, "operatingSystemVersion":replace,
141 "adminPropertyPages":replace, "groupType":replace,
142 "wellKnownObjects":replace, "privilege":never,
143 "defaultSecurityDescriptor": replace,
144 "rIDAvailablePool": never,
145 "versionNumber" : add,
146 "rIDNextRID": add, "rIDUsedPool": never,
147 "defaultSecurityDescriptor": replace + add,
148 "isMemberOfPartialAttributeSet": delete,
149 "attributeDisplayNames": replace + add,
150 "versionNumber": add}
151
152 dnNotToRecalculate = []
153 dnToRecalculate = []
154 backlinked = []
155 forwardlinked = set()
156 dn_syntax_att = []
157 not_replicated = []
158 def define_what_to_log(opts):
159 what = 0
160 if opts.debugchange:
161 what = what | CHANGE
162 if opts.debugchangesd:
163 what = what | CHANGESD
164 if opts.debugguess:
165 what = what | GUESS
166 if opts.debugprovision:
167 what = what | PROVISION
168 if opts.debugall:
169 what = what | CHANGEALL
170 return what
171
172
173 parser = optparse.OptionParser("provision [options]")
174 sambaopts = options.SambaOptions(parser)
175 parser.add_option_group(sambaopts)
176 parser.add_option_group(options.VersionOptions(parser))
177 credopts = options.CredentialsOptions(parser)
178 parser.add_option_group(credopts)
179 parser.add_option("--setupdir", type="string", metavar="DIR",
180 help="directory with setup files")
181 parser.add_option("--debugprovision", help="Debug provision", action="store_true")
182 parser.add_option("--debugguess", action="store_true",
183 help="Print information on which values are guessed")
184 parser.add_option("--debugchange", action="store_true",
185 help="Print information on what is different but won't be changed")
186 parser.add_option("--debugchangesd", action="store_true",
187 help="Print security descriptor differences")
188 parser.add_option("--debugall", action="store_true",
189 help="Print all available information (very verbose)")
190 parser.add_option("--db_backup_only", action="store_true",
191 help="Do the backup of the database in the provision, skip the sysvol / netlogon shares")
192 parser.add_option("--full", action="store_true",
193 help="Perform full upgrade of the samdb (schema, configuration, new objects, ...")
194 parser.add_option("--very-old-pre-alpha9", action="store_true",
195 help="Perform additional forced SD resets required for a database from before Samba 4.0.0alpha9.")
196
197 opts = parser.parse_args()[0]
198
199 handler = logging.StreamHandler(sys.stdout)
200 upgrade_logger = logging.getLogger("upgradeprovision")
201 upgrade_logger.setLevel(logging.INFO)
202
203 upgrade_logger.addHandler(handler)
204
205 provision_logger = logging.getLogger("provision")
206 provision_logger.addHandler(handler)
207
208 whatToLog = define_what_to_log(opts)
209
210 def message(what, text):
211 """Print a message if this message type has been selected to be printed
212
213 :param what: Category of the message
214 :param text: Message to print """
215 if (whatToLog & what) or what <= 0:
216 upgrade_logger.info("%s", text)
217
218 if len(sys.argv) == 1:
219 opts.interactive = True
220 lp = sambaopts.get_loadparm()
221 smbconf = lp.configfile
222
223 creds = credopts.get_credentials(lp)
224 creds.set_kerberos_state(DONT_USE_KERBEROS)
225
226
227
228 def check_for_DNS(refprivate, private, dns_backend):
229 """Check if the provision has already the requirement for dynamic dns
230
231 :param refprivate: The path to the private directory of the reference
232 provision
233 :param private: The path to the private directory of the upgraded
234 provision"""
235
236 spnfile = "%s/spn_update_list" % private
237 dnsfile = "%s/dns_update_list" % private
238
239 if not os.path.exists(spnfile):
240 shutil.copy("%s/spn_update_list" % refprivate, "%s" % spnfile)
241
242 if not os.path.exists(dnsfile):
243 shutil.copy("%s/dns_update_list" % refprivate, "%s" % dnsfile)
244
245 if dns_backend not in ['BIND9_DLZ', 'BIND9_FLATFILE']:
246 return
247
248 namedfile = lp.get("dnsupdate:path")
249 if not namedfile:
250 namedfile = "%s/named.conf.update" % private
251 if not os.path.exists(namedfile):
252 destdir = "%s/new_dns" % private
253 dnsdir = "%s/dns" % private
254
255 if not os.path.exists(destdir):
256 os.mkdir(destdir)
257 if not os.path.exists(dnsdir):
258 os.mkdir(dnsdir)
259 shutil.copy("%s/named.conf" % refprivate, "%s/named.conf" % destdir)
260 shutil.copy("%s/named.txt" % refprivate, "%s/named.txt" % destdir)
261 message(SIMPLE, "It seems that your provision did not integrate "
262 "new rules for dynamic dns update of domain related entries")
263 message(SIMPLE, "A copy of the new bind configuration files and "
264 "template has been put in %s, you should read them and "
265 "configure dynamic dns updates" % destdir)
266
267
268 def populate_links(samdb, schemadn):
269 """Populate an array with all the back linked attributes
270
271 This attributes that are modified automaticaly when
272 front attibutes are changed
273
274 :param samdb: A LDB object for sam.ldb file
275 :param schemadn: DN of the schema for the partition"""
276 linkedAttHash = get_linked_attributes(Dn(samdb, str(schemadn)), samdb)
277 backlinked.extend(linkedAttHash.values())
278 for t in linkedAttHash.keys():
279 forwardlinked.add(t)
280
281 def isReplicated(att):
282 """ Indicate if the attribute is replicated or not
283
284 :param att: Name of the attribute to be tested
285 :return: True is the attribute is replicated, False otherwise
286 """
287
288 return (att not in not_replicated)
289
290 def populateNotReplicated(samdb, schemadn):
291 """Populate an array with all the attributes that are not replicated
292
293 :param samdb: A LDB object for sam.ldb file
294 :param schemadn: DN of the schema for the partition"""
295 res = samdb.search(expression="(&(objectclass=attributeSchema)(systemflags:1.2.840.113556.1.4.803:=1))", base=Dn(samdb,
296 str(schemadn)), scope=SCOPE_SUBTREE,
297 attrs=["lDAPDisplayName"])
298 for elem in res:
299 not_replicated.append(str(elem["lDAPDisplayName"]))
300
301
302 def populate_dnsyntax(samdb, schemadn):
303 """Populate an array with all the attributes that have DN synthax
304 (oid 2.5.5.1)
305
306 :param samdb: A LDB object for sam.ldb file
307 :param schemadn: DN of the schema for the partition"""
308 res = samdb.search(expression="(attributeSyntax=2.5.5.1)", base=Dn(samdb,
309 str(schemadn)), scope=SCOPE_SUBTREE,
310 attrs=["lDAPDisplayName"])
311 for elem in res:
312 dn_syntax_att.append(elem["lDAPDisplayName"])
313
314
315 def sanitychecks(samdb, names):
316 """Make some checks before trying to update
317
318 :param samdb: An LDB object opened on sam.ldb
319 :param names: list of key provision parameters
320 :return: Status of check (1 for Ok, 0 for not Ok) """
321 res = samdb.search(expression="objectClass=ntdsdsa", base=str(names.configdn),
322 scope=SCOPE_SUBTREE, attrs=["dn"],
323 controls=["search_options:1:2"])
324 if len(res) == 0:
325 print "No DC found. Your provision is most probably broken!"
326 return False
327 elif len(res) != 1:
328 print "Found %d domain controllers. For the moment " \
329 "upgradeprovision is not able to handle an upgrade on a " \
330 "domain with more than one DC. Please demote the other " \
331 "DC(s) before upgrading" % len(res)
332 return False
333 else:
334 return True
335
336
337 def print_provision_key_parameters(names):
338 """Do a a pretty print of provision parameters
339
340 :param names: list of key provision parameters """
341 message(GUESS, "rootdn :" + str(names.rootdn))
342 message(GUESS, "configdn :" + str(names.configdn))
343 message(GUESS, "schemadn :" + str(names.schemadn))
344 message(GUESS, "serverdn :" + str(names.serverdn))
345 message(GUESS, "netbiosname :" + names.netbiosname)
346 message(GUESS, "defaultsite :" + names.sitename)
347 message(GUESS, "dnsdomain :" + names.dnsdomain)
348 message(GUESS, "hostname :" + names.hostname)
349 message(GUESS, "domain :" + names.domain)
350 message(GUESS, "realm :" + names.realm)
351 message(GUESS, "invocationid:" + names.invocation)
352 message(GUESS, "policyguid :" + names.policyid)
353 message(GUESS, "policyguiddc:" + str(names.policyid_dc))
354 message(GUESS, "domainsid :" + str(names.domainsid))
355 message(GUESS, "domainguid :" + names.domainguid)
356 message(GUESS, "ntdsguid :" + names.ntdsguid)
357 message(GUESS, "domainlevel :" + str(names.domainlevel))
358
359
360 def handle_special_case(att, delta, new, old, useReplMetadata, basedn, aldb):
361 """Define more complicate update rules for some attributes
362
363 :param att: The attribute to be updated
364 :param delta: A messageElement object that correspond to the difference
365 between the updated object and the reference one
366 :param new: The reference object
367 :param old: The Updated object
368 :param useReplMetadata: A boolean that indicate if the update process
369 use replPropertyMetaData to decide what has to be updated.
370 :param basedn: The base DN of the provision
371 :param aldb: An ldb object used to build DN
372 :return: True to indicate that the attribute should be kept, False for
373 discarding it"""
374
375 # We do most of the special case handle if we do not have the
376 # highest usn as otherwise the replPropertyMetaData will guide us more
377 # correctly
378 if not useReplMetadata:
379 flag = delta.get(att).flags()
380 if (att == "sPNMappings" and flag == FLAG_MOD_REPLACE and
381 ldb.Dn(aldb, "CN=Directory Service,CN=Windows NT,"
382 "CN=Services,CN=Configuration,%s" % basedn)
383 == old[0].dn):
384 return True
385 if (att == "userAccountControl" and flag == FLAG_MOD_REPLACE and
386 ldb.Dn(aldb, "CN=Administrator,CN=Users,%s" % basedn)
387 == old[0].dn):
388 message(SIMPLE, "We suggest that you change the userAccountControl"
389 " for user Administrator from value %d to %d" %
390 (int(str(old[0][att])), int(str(new[0][att]))))
391 return False
392 if (att == "minPwdAge" and flag == FLAG_MOD_REPLACE):
393 if (long(str(old[0][att])) == 0):
394 delta[att] = MessageElement(new[0][att], FLAG_MOD_REPLACE, att)
395 return True
396
397 if (att == "member" and flag == FLAG_MOD_REPLACE):
398 hash = {}
399 newval = []
400 changeDelta=0
401 for elem in old[0][att]:
402 hash[str(elem).lower()]=1
403 newval.append(str(elem))
404
405 for elem in new[0][att]:
406 if not hash.has_key(str(elem).lower()):
407 changeDelta=1
408 newval.append(str(elem))
409 if changeDelta == 1:
410 delta[att] = MessageElement(newval, FLAG_MOD_REPLACE, att)
411 else:
412 delta.remove(att)
413 return True
414
415 if (att in ("gPLink", "gPCFileSysPath") and
416 flag == FLAG_MOD_REPLACE and
417 str(new[0].dn).lower() == str(old[0].dn).lower()):
418 delta.remove(att)
419 return True
420
421 if att == "forceLogoff":
422 ref=0x8000000000000000
423 oldval=int(old[0][att][0])
424 newval=int(new[0][att][0])
425 ref == old and ref == abs(new)
426 return True
427
428 if att in ("adminDisplayName", "adminDescription"):
429 return True
430
431 if (str(old[0].dn) == "CN=Samba4-Local-Domain, %s" % (names.schemadn)
432 and att == "defaultObjectCategory" and flag == FLAG_MOD_REPLACE):
433 return True
434
435 if (str(old[0].dn) == "CN=Title, %s" % (str(names.schemadn)) and
436 att == "rangeUpper" and flag == FLAG_MOD_REPLACE):
437 return True
438
439 if (str(old[0].dn) == "%s" % (str(names.rootdn))
440 and att == "subRefs" and flag == FLAG_MOD_REPLACE):
441 return True
442 #Allow to change revision of ForestUpdates objects
443 if (att == "revision" or att == "objectVersion"):
444 if str(delta.dn).lower().find("domainupdates") and str(delta.dn).lower().find("forestupdates") > 0:
445 return True
446 if str(delta.dn).endswith("CN=DisplaySpecifiers, %s" % names.configdn):
447 return True
448
449 # This is a bit of special animal as we might have added
450 # already SPN entries to the list that has to be modified
451 # So we go in detail to try to find out what has to be added ...
452 if (att == "servicePrincipalName" and delta.get(att).flags() == FLAG_MOD_REPLACE):
453 hash = {}
454 newval = []
455 changeDelta = 0
456 for elem in old[0][att]:
457 hash[str(elem)]=1
458 newval.append(str(elem))
459
460 for elem in new[0][att]:
461 if not hash.has_key(str(elem)):
462 changeDelta = 1
463 newval.append(str(elem))
464 if changeDelta == 1:
465 delta[att] = MessageElement(newval, FLAG_MOD_REPLACE, att)
466 else:
467 delta.remove(att)
468 return True
469
470 return False
471
472 def dump_denied_change(dn, att, flagtxt, current, reference):
473 """Print detailed information about why a change is denied
474
475 :param dn: DN of the object which attribute is denied
476 :param att: Attribute that was supposed to be upgraded
477 :param flagtxt: Type of the update that should be performed
478 (add, change, remove, ...)
479 :param current: Value(s) of the current attribute
480 :param reference: Value(s) of the reference attribute"""
481
482 message(CHANGE, "dn= " + str(dn)+" " + att+" with flag " + flagtxt
483 + " must not be changed/removed. Discarding the change")
484 if att == "objectSid" :
485 message(CHANGE, "old : %s" % ndr_unpack(security.dom_sid, current[0]))
486 message(CHANGE, "new : %s" % ndr_unpack(security.dom_sid, reference[0]))
487 elif att == "rIDPreviousAllocationPool" or att == "rIDAllocationPool":
488 message(CHANGE, "old : %s" % int64range2str(current[0]))
489 message(CHANGE, "new : %s" % int64range2str(reference[0]))
490 else:
491 i = 0
492 for e in range(0, len(current)):
493 message(CHANGE, "old %d : %s" % (i, str(current[e])))
494 i+=1
495 if reference is not None:
496 i = 0
497 for e in range(0, len(reference)):
498 message(CHANGE, "new %d : %s" % (i, str(reference[e])))
499 i+=1
500
501 def handle_special_add(samdb, dn, names):
502 """Handle special operation (like remove) on some object needed during
503 upgrade
504
505 This is mostly due to wrong creation of the object in previous provision.
506 :param samdb: An Ldb object representing the SAM database
507 :param dn: DN of the object to inspect
508 :param names: list of key provision parameters
509 """
510
511 dntoremove = None
512 objDn = Dn(samdb, "CN=IIS_IUSRS, CN=Builtin, %s" % names.rootdn)
513 if dn == objDn :
514 #This entry was misplaced lets remove it if it exists
515 dntoremove = "CN=IIS_IUSRS, CN=Users, %s" % names.rootdn
516
517 objDn = Dn(samdb,
518 "CN=Certificate Service DCOM Access, CN=Builtin, %s" % names.rootdn)
519 if dn == objDn:
520 #This entry was misplaced lets remove it if it exists
521 dntoremove = "CN=Certificate Service DCOM Access,"\
522 "CN=Users, %s" % names.rootdn
523
524 objDn = Dn(samdb, "CN=Cryptographic Operators, CN=Builtin, %s" % names.rootdn)
525 if dn == objDn:
526 #This entry was misplaced lets remove it if it exists
527 dntoremove = "CN=Cryptographic Operators, CN=Users, %s" % names.rootdn
528
529 objDn = Dn(samdb, "CN=Event Log Readers, CN=Builtin, %s" % names.rootdn)
530 if dn == objDn:
531 #This entry was misplaced lets remove it if it exists
532 dntoremove = "CN=Event Log Readers, CN=Users, %s" % names.rootdn
533
534 objDn = Dn(samdb,"CN=System,CN=WellKnown Security Principals,"
535 "CN=Configuration,%s" % names.rootdn)
536 if dn == objDn:
537 oldDn = Dn(samdb,"CN=Well-Known-Security-Id-System,"
538 "CN=WellKnown Security Principals,"
539 "CN=Configuration,%s" % names.rootdn)
540
541 res = samdb.search(expression="(distinguishedName=%s)" % oldDn,
542 base=str(names.rootdn),
543 scope=SCOPE_SUBTREE, attrs=["dn"],
544 controls=["search_options:1:2"])
545
546 res2 = samdb.search(expression="(distinguishedName=%s)" % dn,
547 base=str(names.rootdn),
548 scope=SCOPE_SUBTREE, attrs=["dn"],
549 controls=["search_options:1:2"])
550
551 if len(res) > 0 and len(res2) == 0:
552 message(CHANGE, "Existing object %s must be replaced by %s. "
553 "Renaming old object" % (str(oldDn), str(dn)))
554 samdb.rename(oldDn, objDn, ["relax:0", "provision:0"])
555
556 return 0
557
558 if dntoremove is not None:
559 res = samdb.search(expression="(cn=RID Set)",
560 base=str(names.rootdn),
561 scope=SCOPE_SUBTREE, attrs=["dn"],
562 controls=["search_options:1:2"])
563
564 if len(res) == 0:
565 return 2
566 res = samdb.search(expression="(distinguishedName=%s)" % dntoremove,
567 base=str(names.rootdn),
568 scope=SCOPE_SUBTREE, attrs=["dn"],
569 controls=["search_options:1:2"])
570 if len(res) > 0:
571 message(CHANGE, "Existing object %s must be replaced by %s. "
572 "Removing old object" % (dntoremove, str(dn)))
573 samdb.delete(res[0]["dn"])
574 return 0
575
576 return 1
577
578
579 def check_dn_nottobecreated(hash, index, listdn):
580 """Check if one of the DN present in the list has a creation order
581 greater than the current.
582
583 Hash is indexed by dn to be created, with each key
584 is associated the creation order.
585
586 First dn to be created has the creation order 0, second has 1, ...
587 Index contain the current creation order
588
589 :param hash: Hash holding the different DN of the object to be
590 created as key
591 :param index: Current creation order
592 :param listdn: List of DNs on which the current DN depends on
593 :return: None if the current object do not depend on other
594 object or if all object have been created before."""
595 if listdn is None:
596 return None
597 for dn in listdn:
598 key = str(dn).lower()
599 if hash.has_key(key) and hash[key] > index:
600 return str(dn)
601 return None
602
603
604
605 def add_missing_object(ref_samdb, samdb, dn, names, basedn, hash, index):
606 """Add a new object if the dependencies are satisfied
607
608 The function add the object if the object on which it depends are already
609 created
610
611 :param ref_samdb: Ldb object representing the SAM db of the reference
612 provision
613 :param samdb: Ldb object representing the SAM db of the upgraded
614 provision
615 :param dn: DN of the object to be added
616 :param names: List of key provision parameters
617 :param basedn: DN of the partition to be updated
618 :param hash: Hash holding the different DN of the object to be
619 created as key
620 :param index: Current creation order
621 :return: True if the object was created False otherwise"""
622
623 ret = handle_special_add(samdb, dn, names)
624
625 if ret == 2:
626 return False
627
628 if ret == 0:
629 return True
630
631
632 reference = ref_samdb.search(expression="(distinguishedName=%s)" % (str(dn)),
633 base=basedn, scope=SCOPE_SUBTREE,
634 controls=["search_options:1:2"])
635 empty = Message()
636 delta = samdb.msg_diff(empty, reference[0])
637 delta.dn
638 skip = False
639 try:
640 if str(reference[0].get("cn")) == "RID Set":
641 for klass in reference[0].get("objectClass"):
642 if str(klass).lower() == "ridset":
643 skip = True
644 finally:
645 if delta.get("objectSid"):
646 sid = str(ndr_unpack(security.dom_sid, str(reference[0]["objectSid"])))
647 m = re.match(r".*-(\d+)$", sid)
648 if m and int(m.group(1))>999:
649 delta.remove("objectSid")
650 for att in attrNotCopied:
651 delta.remove(att)
652 for att in backlinked:
653 delta.remove(att)
654 depend_on_yettobecreated = None
655 for att in dn_syntax_att:
656 depend_on_yet_tobecreated = check_dn_nottobecreated(hash, index,
657 delta.get(str(att)))
658 if depend_on_yet_tobecreated is not None:
659 message(CHANGE, "Object %s depends on %s in attribute %s. "
660 "Delaying the creation" % (dn,
661 depend_on_yet_tobecreated, att))
662 return False
663
664 delta.dn = dn
665 if not skip:
666 message(CHANGE,"Object %s will be added" % dn)
667 samdb.add(delta, ["relax:0", "provision:0"])
668 else:
669 message(CHANGE,"Object %s was skipped" % dn)
670
671 return True
672
673 def gen_dn_index_hash(listMissing):
674 """Generate a hash associating the DN to its creation order
675
676 :param listMissing: List of DN
677 :return: Hash with DN as keys and creation order as values"""
678 hash = {}
679 for i in range(0, len(listMissing)):
680 hash[str(listMissing[i]).lower()] = i
681 return hash
682
683 def add_deletedobj_containers(ref_samdb, samdb, names):
684 """Add the object containter: CN=Deleted Objects
685
686 This function create the container for each partition that need one and
687 then reference the object into the root of the partition
688
689 :param ref_samdb: Ldb object representing the SAM db of the reference
690 provision
691 :param samdb: Ldb object representing the SAM db of the upgraded provision
692 :param names: List of key provision parameters"""
693
694
695 wkoPrefix = "B:32:18E2EA80684F11D2B9AA00C04F79F805"
696 partitions = [str(names.rootdn), str(names.configdn)]
697 for part in partitions:
698 ref_delObjCnt = ref_samdb.search(expression="(cn=Deleted Objects)",
699 base=part, scope=SCOPE_SUBTREE,
700 attrs=["dn"],
701 controls=["show_deleted:0",
702 "show_recycled:0"])
703 delObjCnt = samdb.search(expression="(cn=Deleted Objects)",
704 base=part, scope=SCOPE_SUBTREE,
705 attrs=["dn"],
706 controls=["show_deleted:0",
707 "show_recycled:0"])
708 if len(ref_delObjCnt) > len(delObjCnt):
709 reference = ref_samdb.search(expression="cn=Deleted Objects",
710 base=part, scope=SCOPE_SUBTREE,
711 controls=["show_deleted:0",
712 "show_recycled:0"])
713 empty = Message()
714 delta = samdb.msg_diff(empty, reference[0])
715
716 delta.dn = Dn(samdb, str(reference[0]["dn"]))
717 for att in attrNotCopied:
718 delta.remove(att)
719
720 modcontrols = ["relax:0", "provision:0"]
721 samdb.add(delta, modcontrols)
722
723 listwko = []
724 res = samdb.search(expression="(objectClass=*)", base=part,
725 scope=SCOPE_BASE,
726 attrs=["dn", "wellKnownObjects"])
727
728 targetWKO = "%s:%s" % (wkoPrefix, str(reference[0]["dn"]))
729 found = False
730
731 if len(res[0]) > 0:
732 wko = res[0]["wellKnownObjects"]
733
734 # The wellKnownObject that we want to add.
735 for o in wko:
736 if str(o) == targetWKO:
737 found = True
738 listwko.append(str(o))
739
740 if not found:
741 listwko.append(targetWKO)
742
743 delta = Message()
744 delta.dn = Dn(samdb, str(res[0]["dn"]))
745 delta["wellKnownObjects"] = MessageElement(listwko,
746 FLAG_MOD_REPLACE,
747 "wellKnownObjects" )
748 samdb.modify(delta)
749
750 def add_missing_entries(ref_samdb, samdb, names, basedn, list):
751 """Add the missing object whose DN is the list
752
753 The function add the object if the objects on which it depends are
754 already created.
755
756 :param ref_samdb: Ldb object representing the SAM db of the reference
757 provision
758 :param samdb: Ldb object representing the SAM db of the upgraded
759 provision
760 :param dn: DN of the object to be added
761 :param names: List of key provision parameters
762 :param basedn: DN of the partition to be updated
763 :param list: List of DN to be added in the upgraded provision"""
764
765 listMissing = []
766 listDefered = list
767
768 while(len(listDefered) != len(listMissing) and len(listDefered) > 0):
769 index = 0
770 listMissing = listDefered
771 listDefered = []
772 hashMissing = gen_dn_index_hash(listMissing)
773 for dn in listMissing:
774 ret = add_missing_object(ref_samdb, samdb, dn, names, basedn,
775 hashMissing, index)
776 index = index + 1
777 if ret == 0:
778 # DN can't be created because it depends on some
779 # other DN in the list
780 listDefered.append(dn)
781
782 if len(listDefered) != 0:
783 raise ProvisioningError("Unable to insert missing elements: "
784 "circular references")
785
786 def handle_links(samdb, att, basedn, dn, value, ref_value, delta):
787 """This function handle updates on links
788
789 :param samdb: An LDB object pointing to the updated provision
790 :param att: Attribute to update
791 :param basedn: The root DN of the provision
792 :param dn: The DN of the inspected object
793 :param value: The value of the attribute
794 :param ref_value: The value of this attribute in the reference provision
795 :param delta: The MessageElement object that will be applied for
796 transforming the current provision"""
797
798 res = samdb.search(base=dn, controls=["search_options:1:2", "reveal:1"],
799 attrs=[att])
800
801 blacklist = {}
802 hash = {}
803 newlinklist = []
804 changed = False
805
806 for v in value:
807 newlinklist.append(str(v))
808
809 for e in value:
810 hash[e] = 1
811 # for w2k domain level the reveal won't reveal anything ...
812 # it means that we can readd links that were removed on purpose ...
813 # Also this function in fact just accept add not removal
814
815 for e in res[0][att]:
816 if not hash.has_key(e):
817 # We put in the blacklist all the element that are in the "revealed"
818 # result and not in the "standard" result
819 # This element are links that were removed before and so that
820 # we don't wan't to readd
821 blacklist[e] = 1
822
823 for e in ref_value:
824 if not blacklist.has_key(e) and not hash.has_key(e):
825 newlinklist.append(str(e))
826 changed = True
827 if changed:
828 delta[att] = MessageElement(newlinklist, FLAG_MOD_REPLACE, att)
829 else:
830 delta.remove(att)
831
832 return delta
833
834
835 def checkKeepAttributeWithMetadata(delta, att, message, reference, current,
836 hash_attr_usn, basedn, usns, samdb):
837 """ Check if we should keep the attribute modification or not
838
839 :param delta: A message diff object
840 :param att: An attribute
841 :param message: A function to print messages
842 :param reference: A message object for the current entry comming from
843 the reference provision.
844 :param current: A message object for the current entry commin from
845 the current provision.
846 :param hash_attr_usn: A dictionnary with attribute name as keys,
847 USN and invocation id as values.
848 :param basedn: The DN of the partition
849 :param usns: A dictionnary with invocation ID as keys and USN ranges
850 as values.
851 :param samdb: A ldb object pointing to the sam DB
852
853 :return: The modified message diff.
854 """
855 global defSDmodified
856 isFirst = True
857 txt = ""
858 dn = current[0].dn
859
860 for att in list(delta):
861 if att in ["dn", "objectSid"]:
862 delta.remove(att)
863 continue
864
865 # We have updated by provision usn information so let's exploit
866 # replMetadataProperties
867 if att in forwardlinked:
868 curval = current[0].get(att, ())
869 refval = reference[0].get(att, ())
870 delta = handle_links(samdb, att, basedn, current[0]["dn"],
871 curval, refval, delta)
872 continue
873
874
875 if isFirst and len(list(delta)) > 1:
876 isFirst = False
877 txt = "%s\n" % (str(dn))
878
879 if handle_special_case(att, delta, reference, current, True, None, None):
880 # This attribute is "complicated" to handle and handling
881 # was done in handle_special_case
882 continue
883
884 attrUSN = None
885 if hash_attr_usn.get(att):
886 [attrUSN, attInvId] = hash_attr_usn.get(att)
887
888 if attrUSN is None:
889 # If it's a replicated attribute and we don't have any USN
890 # information about it. It means that we never saw it before
891 # so let's add it !
892 # If it is a replicated attribute but we are not master on it
893 # (ie. not initially added in the provision we masterize).
894 # attrUSN will be -1
895 if isReplicated(att):
896 continue
897 else:
898 message(CHANGE, "Non replicated attribute %s changed" % att)
899 continue
900
901 if att == "nTSecurityDescriptor":
902 cursd = ndr_unpack(security.descriptor,
903 str(current[0]["nTSecurityDescriptor"]))
904 refsd = ndr_unpack(security.descriptor,
905 str(reference[0]["nTSecurityDescriptor"]))
906
907 diff = get_diff_sds(refsd, cursd, names.domainsid)
908 if diff == "":
909 # FIXME find a way to have it only with huge huge verbose mode
910 # message(CHANGE, "%ssd are identical" % txt)
911 # txt = ""
912 delta.remove(att)
913 continue
914 else:
915 delta.remove(att)
916 message(CHANGESD, "%ssd are not identical:\n%s" % (txt, diff))
917 txt = ""
918 if attrUSN == -1:
919 message(CHANGESD, "But the SD has been changed by someonelse "
920 "so it's impossible to know if the difference"
921 " cames from the modification or from a previous bug")
922 dnNotToRecalculate.append(str(dn))
923 else:
924 dnToRecalculate.append(str(dn))
925 continue
926
927 if attrUSN == -1:
928 # This attribute was last modified by another DC forget
929 # about it
930 message(CHANGE, "%sAttribute: %s has been "
931 "created/modified/deleted by another DC. "
932 "Doing nothing" % (txt, att))
933 txt = ""
934 delta.remove(att)
935 continue
936 elif not usn_in_range(int(attrUSN), usns.get(attInvId)):
937 message(CHANGE, "%sAttribute: %s was not "
938 "created/modified/deleted during a "
939 "provision or upgradeprovision. Current "
940 "usn: %d. Doing nothing" % (txt, att,
941 attrUSN))
942 txt = ""
943 delta.remove(att)
944 continue
945 else:
946 if att == "defaultSecurityDescriptor":
947 defSDmodified = True
948 if attrUSN:
949 message(CHANGE, "%sAttribute: %s will be modified"
950 "/deleted it was last modified "
951 "during a provision. Current usn: "
952 "%d" % (txt, att, attrUSN))
953 txt = ""
954 else:
955 message(CHANGE, "%sAttribute: %s will be added because "
956 "it did not exist before" % (txt, att))
957 txt = ""
958 continue
959
960 return delta
961
962 def update_present(ref_samdb, samdb, basedn, listPresent, usns):
963 """ This function updates the object that are already present in the
964 provision
965
966 :param ref_samdb: An LDB object pointing to the reference provision
967 :param samdb: An LDB object pointing to the updated provision
968 :param basedn: A string with the value of the base DN for the provision
969 (ie. DC=foo, DC=bar)
970 :param listPresent: A list of object that is present in the provision
971 :param usns: A list of USN range modified by previous provision and
972 upgradeprovision grouped by invocation ID
973 """
974
975 # This hash is meant to speedup lookup of attribute name from an oid,
976 # it's for the replPropertyMetaData handling
977 hash_oid_name = {}
978 res = samdb.search(expression="objectClass=attributeSchema", base=basedn,
979 controls=["search_options:1:2"], attrs=["attributeID",
980 "lDAPDisplayName"])
981 if len(res) > 0:
982 for e in res:
983 strDisplay = str(e.get("lDAPDisplayName"))
984 hash_oid_name[str(e.get("attributeID"))] = strDisplay
985 else:
986 msg = "Unable to insert missing elements: circular references"
987 raise ProvisioningError(msg)
988
989 changed = 0
990 sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL
991 controls = ["search_options:1:2", "sd_flags:1:%d" % sd_flags]
992 message(CHANGE, "Using replPropertyMetadata for change selection")
993 for dn in listPresent:
994 reference = ref_samdb.search(expression="(distinguishedName=%s)" % (str(dn)), base=basedn,
995 scope=SCOPE_SUBTREE,
996 controls=controls)
997 current = samdb.search(expression="(distinguishedName=%s)" % (str(dn)), base=basedn,
998 scope=SCOPE_SUBTREE, controls=controls)
999
1000 if (
1001 (str(current[0].dn) != str(reference[0].dn)) and
1002 (str(current[0].dn).upper() == str(reference[0].dn).upper())
1003 ):
1004 message(CHANGE, "Names are the same except for the case. "
1005 "Renaming %s to %s" % (str(current[0].dn),
1006 str(reference[0].dn)))
1007 identic_rename(samdb, reference[0].dn)
1008 current = samdb.search(expression="(distinguishedName=%s)" % (str(dn)), base=basedn,
1009 scope=SCOPE_SUBTREE,
1010 controls=controls)
1011
1012 delta = samdb.msg_diff(current[0], reference[0])
1013
1014 for att in backlinked:
1015 delta.remove(att)
1016
1017 for att in attrNotCopied:
1018 delta.remove(att)
1019
1020 delta.remove("name")
1021
1022 nb_items = len(list(delta))
1023
1024 if nb_items == 1:
1025 continue
1026
1027 if nb_items > 1:
1028 # Fetch the replPropertyMetaData
1029 res = samdb.search(expression="(distinguishedName=%s)" % (str(dn)), base=basedn,
1030 scope=SCOPE_SUBTREE, controls=controls,
1031 attrs=["replPropertyMetaData"])
1032 ctr = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
1033 str(res[0]["replPropertyMetaData"])).ctr
1034
1035 hash_attr_usn = {}
1036 for o in ctr.array:
1037 # We put in this hash only modification
1038 # made on the current host
1039 att = hash_oid_name[samdb.get_oid_from_attid(o.attid)]
1040 if str(o.originating_invocation_id) in usns.keys():
1041 hash_attr_usn[att] = [o.originating_usn, str(o.originating_invocation_id)]
1042 else:
1043 hash_attr_usn[att] = [-1, None]
1044
1045 delta = checkKeepAttributeWithMetadata(delta, att, message, reference,
1046 current, hash_attr_usn,
1047 basedn, usns, samdb)
1048
1049 delta.dn = dn
1050
1051
1052 if len(delta) >1:
1053 # Skip dn as the value is not really changed ...
1054 attributes=", ".join(delta.keys()[1:])
1055 modcontrols = []
1056 relaxedatt = ['iscriticalsystemobject', 'grouptype']
1057 # Let's try to reduce as much as possible the use of relax control
1058 for attr in delta.keys():
1059 if attr.lower() in relaxedatt:
1060 modcontrols = ["relax:0", "provision:0"]
1061 message(CHANGE, "%s is different from the reference one, changed"
1062 " attributes: %s\n" % (dn, attributes))
1063 changed += 1
1064 samdb.modify(delta, modcontrols)
1065 return changed
1066
1067 def reload_full_schema(samdb, names):
1068 """Load the updated schema with all the new and existing classes
1069 and attributes.
1070
1071 :param samdb: An LDB object connected to the sam.ldb of the update
1072 provision
1073 :param names: List of key provision parameters
1074 """
1075
1076 schemadn = str(names.schemadn)
1077 current = samdb.search(expression="objectClass=*", base=schemadn,
1078 scope=SCOPE_SUBTREE)
1079 schema_ldif = ""
1080 prefixmap_data = ""
1081
1082 for ent in current:
1083 schema_ldif += samdb.write_ldif(ent, ldb.CHANGETYPE_NONE)
1084
1085 prefixmap_data = open(setup_path("prefixMap.txt"), 'r').read()
1086 prefixmap_data = b64encode(prefixmap_data)
1087
1088 # We don't actually add this ldif, just parse it
1089 prefixmap_ldif = "dn: %s\nprefixMap:: %s\n\n" % (schemadn, prefixmap_data)
1090
1091 dsdb._dsdb_set_schema_from_ldif(samdb, prefixmap_ldif, schema_ldif, schemadn)
1092
1093
1094 def update_partition(ref_samdb, samdb, basedn, names, schema, provisionUSNs, prereloadfunc):
1095 """Check differences between the reference provision and the upgraded one.
1096
1097 It looks for all objects which base DN is name.
1098
1099 This function will also add the missing object and update existing object
1100 to add or remove attributes that were missing.
1101
1102 :param ref_sambdb: An LDB object conntected to the sam.ldb of the
1103 reference provision
1104 :param samdb: An LDB object connected to the sam.ldb of the update
1105 provision
1106 :param basedn: String value of the DN of the partition
1107 :param names: List of key provision parameters
1108 :param schema: A Schema object
1109 :param provisionUSNs: A dictionnary with range of USN modified during provision
1110 or upgradeprovision. Ranges are grouped by invocationID.
1111 :param prereloadfunc: A function that must be executed just before the reload
1112 of the schema
1113 """
1114
1115 hash_new = {}
1116 hash = {}
1117 listMissing = []
1118 listPresent = []
1119 reference = []
1120 current = []
1121
1122 # Connect to the reference provision and get all the attribute in the
1123 # partition referred by name
1124 reference = ref_samdb.search(expression="objectClass=*", base=basedn,
1125 scope=SCOPE_SUBTREE, attrs=["dn"],
1126 controls=["search_options:1:2"])
1127
1128 current = samdb.search(expression="objectClass=*", base=basedn,
1129 scope=SCOPE_SUBTREE, attrs=["dn"],
1130 controls=["search_options:1:2"])
1131 # Create a hash for speeding the search of new object
1132 for i in range(0, len(reference)):
1133 hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
1134
1135 # Create a hash for speeding the search of existing object in the
1136 # current provision
1137 for i in range(0, len(current)):
1138 hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
1139
1140
1141 for k in hash_new.keys():
1142 if not hash.has_key(k):
1143 if not str(hash_new[k]) == "CN=Deleted Objects, %s" % names.rootdn:
1144 listMissing.append(hash_new[k])
1145 else:
1146 listPresent.append(hash_new[k])
1147
1148 # Sort the missing object in order to have object of the lowest level
1149 # first (which can be containers for higher level objects)
1150 listMissing.sort(dn_sort)
1151 listPresent.sort(dn_sort)
1152
1153 # The following lines is to load the up to
1154 # date schema into our current LDB
1155 # a complete schema is needed as the insertion of attributes
1156 # and class is done against it
1157 # and the schema is self validated
1158 samdb.set_schema(schema)
1159 try:
1160 message(SIMPLE, "There are %d missing objects" % (len(listMissing)))
1161 add_deletedobj_containers(ref_samdb, samdb, names)
1162
1163 add_missing_entries(ref_samdb, samdb, names, basedn, listMissing)
1164
1165 prereloadfunc()
1166 message(SIMPLE, "Reloading a merged schema, which might trigger "
1167 "reindexing so please be patient")
1168 reload_full_schema(samdb, names)
1169 message(SIMPLE, "Schema reloaded!")
1170
1171 changed = update_present(ref_samdb, samdb, basedn, listPresent,
1172 provisionUSNs)
1173 message(SIMPLE, "There are %d changed objects" % (changed))
1174 return 1
1175
1176 except StandardError, err:
1177 message(ERROR, "Exception during upgrade of samdb:")
1178 (typ, val, tb) = sys.exc_info()
1179 traceback.print_exception(typ, val, tb)
1180 return 0
1181
1182
1183 def check_updated_sd(ref_sam, cur_sam, names):
1184 """Check if the security descriptor in the upgraded provision are the same
1185 as the reference
1186
1187 :param ref_sam: A LDB object connected to the sam.ldb file used as
1188 the reference provision
1189 :param cur_sam: A LDB object connected to the sam.ldb file used as
1190 upgraded provision
1191 :param names: List of key provision parameters"""
1192 reference = ref_sam.search(expression="objectClass=*", base=str(names.rootdn),
1193 scope=SCOPE_SUBTREE,
1194 attrs=["dn", "nTSecurityDescriptor"],
1195 controls=["search_options:1:2"])
1196 current = cur_sam.search(expression="objectClass=*", base=str(names.rootdn),
1197 scope=SCOPE_SUBTREE,
1198 attrs=["dn", "nTSecurityDescriptor"],
1199 controls=["search_options:1:2"])
1200 hash = {}
1201 for i in range(0, len(reference)):
1202 refsd_blob = str(reference[i]["nTSecurityDescriptor"])
1203 hash[str(reference[i]["dn"]).lower()] = refsd_blob
1204
1205
1206 for i in range(0, len(current)):
1207 key = str(current[i]["dn"]).lower()
1208 if hash.has_key(key):
1209 cursd_blob = str(current[i]["nTSecurityDescriptor"])
1210 cursd = ndr_unpack(security.descriptor,
1211 cursd_blob)
1212 if cursd_blob != hash[key]:
1213 refsd = ndr_unpack(security.descriptor,
1214 hash[key])
1215 txt = get_diff_sds(refsd, cursd, names.domainsid, False)
1216 if txt != "":
1217 message(CHANGESD, "On object %s ACL is different"
1218 " \n%s" % (current[i]["dn"], txt))
1219
1220
1221
1222 def fix_wellknown_sd(samdb, names):
1223 """This function fix the SD for partition/wellknown containers (basedn, configdn, ...)
1224 This is needed because some provision use to have broken SD on containers
1225
1226 :param samdb: An LDB object pointing to the sam of the current provision
1227 :param names: A list of key provision parameters
1228 """
1229
1230 list_wellknown_dns = []
1231
1232 # Then subcontainers
1233 subcontainers = [
1234 ("%s" % str(names.domaindn), get_domain_descriptor),
1235 ("CN=LostAndFound,%s" % str(names.domaindn), get_domain_delete_protected2_descriptor),
1236 ("CN=System,%s" % str(names.domaindn), get_domain_delete_protected1_descriptor),
1237 ("CN=Infrastructure,%s" % str(names.domaindn), get_domain_infrastructure_descriptor),
1238 ("CN=Builtin,%s" % str(names.domaindn), get_domain_builtin_descriptor),
1239 ("CN=Computers,%s" % str(names.domaindn), get_domain_computers_descriptor),
1240 ("CN=Users,%s" % str(names.domaindn), get_domain_users_descriptor),
1241 ("OU=Domain Controllers,%s" % str(names.domaindn), get_domain_controllers_descriptor),
1242 ("CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn), get_dns_domain_microsoft_dns_descriptor),
1243
1244 ("%s" % str(names.configdn), get_config_descriptor),
1245 ("CN=NTDS Quotas,%s" % str(names.configdn), get_config_ntds_quotas_descriptor),
1246 ("CN=LostAndFoundConfig,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor),
1247 ("CN=Services,%s" % str(names.configdn), get_config_delete_protected1_descriptor),
1248 ("CN=Physical Locations,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor),
1249 ("CN=WellKnown Security Principals,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor),
1250 ("CN=ForestUpdates,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor),
1251 ("CN=DisplaySpecifiers,%s" % str(names.configdn), get_config_delete_protected2_descriptor),
1252 ("CN=Extended-Rights,%s" % str(names.configdn), get_config_delete_protected2_descriptor),
1253 ("CN=Partitions,%s" % str(names.configdn), get_config_partitions_descriptor),
1254 ("CN=Sites,%s" % str(names.configdn), get_config_sites_descriptor),
1255
1256 ("%s" % str(names.schemadn), get_schema_descriptor),
1257 ]
1258
1259 if names.dnsforestdn is not None:
1260 c = ("%s" % str(names.dnsforestdn), get_dns_partition_descriptor)
1261 subcontainers.append(c)
1262 c = ("CN=Infrastructure,%s" % str(names.dnsforestdn),
1263 get_domain_delete_protected1_descriptor)
1264 subcontainers.append(c)
1265 c = ("CN=LostAndFound,%s" % str(names.dnsforestdn),
1266 get_domain_delete_protected2_descriptor)
1267 subcontainers.append(c)
1268 c = ("CN=MicrosoftDNS,%s" % str(names.dnsforestdn),
1269 get_dns_forest_microsoft_dns_descriptor)
1270 subcontainers.append(c)
1271
1272 if names.dnsdomaindn is not None:
1273 c = ("%s" % str(names.dnsdomaindn), get_dns_partition_descriptor)
1274 subcontainers.append(c)
1275 c = ("CN=Infrastructure,%s" % str(names.dnsdomaindn),
1276 get_domain_delete_protected1_descriptor)
1277 subcontainers.append(c)
1278 c = ("CN=LostAndFound,%s" % str(names.dnsdomaindn),
1279 get_domain_delete_protected2_descriptor)
1280 subcontainers.append(c)
1281 c = ("CN=MicrosoftDNS,%s" % str(names.dnsdomaindn),
1282 get_dns_domain_microsoft_dns_descriptor)
1283 subcontainers.append(c)
1284
1285 for [dn, descriptor_fn] in subcontainers:
1286 list_wellknown_dns.append(dn)
1287 if dn in dnToRecalculate:
1288 delta = Message()
1289 delta.dn = Dn(samdb, str(dn))
1290 descr = descriptor_fn(names.domainsid, name_map=names.name_map)
1291 delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
1292 "nTSecurityDescriptor" )
1293 samdb.modify(delta)
1294 message(CHANGESD, "nTSecurityDescriptor updated on wellknown DN: %s" % delta.dn)
1295
1296 return list_wellknown_dns
1297
1298 def rebuild_sd(samdb, names):
1299 """Rebuild security descriptor of the current provision from scratch
1300
1301 During the different pre release of samba4 security descriptors
1302 (SD) were notarly broken (up to alpha11 included)
1303
1304 This function allows to get them back in order, this function works
1305 only after the database comparison that --full mode uses and which
1306 populates the dnToRecalculate and dnNotToRecalculate lists.
1307
1308 The idea is that the SD can be safely recalculated from scratch to get it right.
1309
1310 :param names: List of key provision parameters"""
1311
1312 listWellknown = fix_wellknown_sd(samdb, names)
1313
1314 hash = {}
1315 for dn in dnToRecalculate:
1316 if hash.has_key(dn):
1317 continue
1318 # fetch each dn to recalculate and their child within the same partition
1319 res = samdb.search(expression="objectClass=*", base=dn,
1320 scope=SCOPE_SUBTREE, attrs=["dn", "whenCreated"])
1321 for obj in res:
1322 hash[str(obj["dn"])] = obj["whenCreated"]
1323
1324 listKeys = list(set(hash.keys()))
1325 listKeys.sort(dn_sort)
1326
1327 if len(dnToRecalculate) != 0:
1328 message(CHANGESD, "%d DNs have been marked as needed to be recalculated"
1329 ", recalculating %d due to inheritance"
1330 % (len(dnToRecalculate), len(listKeys)))
1331
1332 for key in listKeys:
1333 # well known SDs have already been reset
1334 if key in listWellknown:
1335 continue
1336 if key in dnNotToRecalculate:
1337 continue
1338 delta = Message()
1339 delta.dn = Dn(samdb, key)
1340 sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL
1341 try:
1342 descr = get_empty_descriptor(names.domainsid)
1343 delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
1344 "nTSecurityDescriptor")
1345 samdb.modify(delta, ["sd_flags:1:%d" % sd_flags,"relax:0","local_oid:%s:0" % dsdb.DSDB_CONTROL_DBCHECK])
1346 except LdbError, e:
1347 samdb.transaction_cancel()
1348 res = samdb.search(expression="objectClass=*", base=str(delta.dn),
1349 scope=SCOPE_BASE,
1350 attrs=["nTSecurityDescriptor"],
1351 controls=["sd_flags:1:%d" % sd_flags])
1352 badsd = ndr_unpack(security.descriptor,
1353 str(res[0]["nTSecurityDescriptor"]))
1354 message(ERROR, "On %s bad stuff %s" % (str(delta.dn),badsd.as_sddl(names.domainsid)))
1355 return
1356
1357 def hasATProvision(samdb):
1358 entry = samdb.search(expression="(distinguishedName=@PROVISION)", base = "",
1359 scope=SCOPE_BASE,
1360 attrs=["dn"])
1361
1362 if entry is not None and len(entry) == 1:
1363 return True
1364 else:
1365 return False
1366
1367 def removeProvisionUSN(samdb):
1368 attrs = [samba.provision.LAST_PROVISION_USN_ATTRIBUTE, "dn"]
1369 entry = samdb.search(expression="(distinguishedName=@PROVISION)", base = "",
1370 scope=SCOPE_BASE,
1371 attrs=attrs)
1372 empty = Message()
1373 empty.dn = entry[0].dn
1374 delta = samdb.msg_diff(entry[0], empty)
1375 delta.remove("dn")
1376 delta.dn = entry[0].dn
1377 samdb.modify(delta)
1378
1379 def remove_stored_generated_attrs(paths, creds, session, lp):
1380 """Remove previously stored constructed attributes
1381
1382 :param paths: List of paths for different provision objects
1383 from the upgraded provision
1384 :param creds: A credential object
1385 :param session: A session object
1386 :param lp: A line parser object
1387 :return: An associative array whose key are the different constructed
1388 attributes and the value the dn where this attributes were found.
1389 """
1390
1391
1392 def simple_update_basesamdb(newpaths, paths, names):
1393 """Update the provision container db: sam.ldb
1394 This function is aimed at very old provision (before alpha9)
1395
1396 :param newpaths: List of paths for different provision objects
1397 from the reference provision
1398 :param paths: List of paths for different provision objects
1399 from the upgraded provision
1400 :param names: List of key provision parameters"""
1401
1402 message(SIMPLE, "Copy samdb")
1403 tdb_util.tdb_copy(newpaths.samdb, paths.samdb)
1404
1405 message(SIMPLE, "Update partitions filename if needed")
1406 schemaldb = os.path.join(paths.private_dir, "schema.ldb")
1407 configldb = os.path.join(paths.private_dir, "configuration.ldb")
1408 usersldb = os.path.join(paths.private_dir, "users.ldb")
1409 samldbdir = os.path.join(paths.private_dir, "sam.ldb.d")
1410
1411 if not os.path.isdir(samldbdir):
1412 os.mkdir(samldbdir)
1413 os.chmod(samldbdir, 0700)
1414 if os.path.isfile(schemaldb):
1415 tdb_util.tdb_copy(schemaldb, os.path.join(samldbdir,
1416 "%s.ldb"%str(names.schemadn).upper()))
1417 os.remove(schemaldb)
1418 if os.path.isfile(usersldb):
1419 tdb_util.tdb_copy(usersldb, os.path.join(samldbdir,
1420 "%s.ldb"%str(names.rootdn).upper()))
1421 os.remove(usersldb)
1422 if os.path.isfile(configldb):
1423 tdb_util.tdb_copy(configldb, os.path.join(samldbdir,
1424 "%s.ldb"%str(names.configdn).upper()))
1425 os.remove(configldb)
1426
1427
1428 def update_samdb(ref_samdb, samdb, names, provisionUSNs, schema, prereloadfunc):
1429 """Upgrade the SAM DB contents for all the provision partitions
1430
1431 :param ref_sambdb: An LDB object conntected to the sam.ldb of the reference
1432 provision
1433 :param samdb: An LDB object connected to the sam.ldb of the update
1434 provision
1435 :param names: List of key provision parameters
1436 :param provisionUSNs: A dictionnary with range of USN modified during provision
1437 or upgradeprovision. Ranges are grouped by invocationID.
1438 :param schema: A Schema object that represent the schema of the provision
1439 :param prereloadfunc: A function that must be executed just before the reload
1440 of the schema
1441 """
1442
1443 message(SIMPLE, "Starting update of samdb")
1444 ret = update_partition(ref_samdb, samdb, str(names.rootdn), names,
1445 schema, provisionUSNs, prereloadfunc)
1446 if ret:
1447 message(SIMPLE, "Update of samdb finished")
1448 return 1
1449 else:
1450 message(SIMPLE, "Update failed")
1451 return 0
1452
1453
1454 def backup_provision(paths, dir, only_db):
1455 """This function backup the provision files so that a rollback
1456 is possible
1457
1458 :param paths: Paths to different objects
1459 :param dir: Directory where to store the backup
1460 :param only_db: Skip sysvol for users with big sysvol
1461 """
1462 if paths.sysvol and not only_db:
1463 copytree_with_xattrs(paths.sysvol, os.path.join(dir, "sysvol"))
1464 tdb_util.tdb_copy(paths.samdb, os.path.join(dir, os.path.basename(paths.samdb)))
1465 tdb_util.tdb_copy(paths.secrets, os.path.join(dir, os.path.basename(paths.secrets)))
1466 tdb_util.tdb_copy(paths.idmapdb, os.path.join(dir, os.path.basename(paths.idmapdb)))
1467 tdb_util.tdb_copy(paths.privilege, os.path.join(dir, os.path.basename(paths.privilege)))
1468 if os.path.isfile(os.path.join(paths.private_dir,"eadb.tdb")):
1469 tdb_util.tdb_copy(os.path.join(paths.private_dir,"eadb.tdb"), os.path.join(dir, "eadb.tdb"))
1470 shutil.copy2(paths.smbconf, dir)
1471 shutil.copy2(os.path.join(paths.private_dir,"secrets.keytab"), dir)
1472
1473 samldbdir = os.path.join(paths.private_dir, "sam.ldb.d")
1474 if not os.path.isdir(samldbdir):
1475 samldbdir = paths.private_dir
1476 schemaldb = os.path.join(paths.private_dir, "schema.ldb")
1477 configldb = os.path.join(paths.private_dir, "configuration.ldb")
1478 usersldb = os.path.join(paths.private_dir, "users.ldb")
1479 tdb_util.tdb_copy(schemaldb, os.path.join(dir, "schema.ldb"))
1480 tdb_util.tdb_copy(usersldb, os.path.join(dir, "configuration.ldb"))
1481 tdb_util.tdb_copy(configldb, os.path.join(dir, "users.ldb"))
1482 else:
1483 os.mkdir(os.path.join(dir, "sam.ldb.d"), 0700)
1484
1485 for ldb in os.listdir(samldbdir):
1486 tdb_util.tdb_copy(os.path.join(samldbdir, ldb),
1487 os.path.join(dir, "sam.ldb.d", ldb))
1488
1489
1490 def sync_calculated_attributes(samdb, names):
1491 """Synchronize attributes used for constructed ones, with the
1492 old constructed that were stored in the database.
1493
1494 This apply for instance to msds-keyversionnumber that was
1495 stored and that is now constructed from replpropertymetadata.
1496
1497 :param samdb: An LDB object attached to the currently upgraded samdb
1498 :param names: Various key parameter about current provision.
1499 """
1500 listAttrs = ["msDs-KeyVersionNumber"]
1501 hash = search_constructed_attrs_stored(samdb, names.rootdn, listAttrs)
1502 if hash.has_key("msDs-KeyVersionNumber"):
1503 increment_calculated_keyversion_number(samdb, names.rootdn,
1504 hash["msDs-KeyVersionNumber"])
1505
1506 # Synopsis for updateprovision
1507 # 1) get path related to provision to be update (called current)
1508 # 2) open current provision ldbs
1509 # 3) fetch the key provision parameter (domain sid, domain guid, invocationid
1510 # of the DC ....)
1511 # 4) research of lastProvisionUSN in order to get ranges of USN modified
1512 # by either upgradeprovision or provision
1513 # 5) creation of a new provision the latest version of provision script
1514 # (called reference)
1515 # 6) get reference provision paths
1516 # 7) open reference provision ldbs
1517 # 8) setup helpers data that will help the update process
1518 # 9) (SKIPPED) we no longer update the privilege ldb by copying the one of referecence provision to
1519 # the current provision, because a shutil.copy would break the transaction locks both databases are under
1520 # and this database has not changed between 2009 and Samba 4.0.3 in Feb 2013 (at least)
1521 # 10)get the oemInfo field, this field contains information about the different
1522 # provision that have been done
1523 # 11)Depending on if the --very-old-pre-alpha9 flag is set the following things are done
1524 # A) When alpha9 or alphaxx not specified (default)
1525 # The base sam.ldb file is updated by looking at the difference between
1526 # referrence one and the current one. Everything is copied with the
1527 # exception of lastProvisionUSN attributes.
1528 # B) Other case (it reflect that that provision was done before alpha9)
1529 # The base sam.ldb of the reference provision is copied over
1530 # the current one, if necessary ldb related to partitions are moved
1531 # and renamed
1532 # The highest used USN is fetched so that changed by upgradeprovision
1533 # usn can be tracked
1534 # 12)A Schema object is created, it will be used to provide a complete
1535 # schema to current provision during update (as the schema of the
1536 # current provision might not be complete and so won't allow some
1537 # object to be created)
1538 # 13)Proceed to full update of sam DB (see the separate paragraph about i)
1539 # 14)The secrets db is updated by pull all the difference from the reference
1540 # provision into the current provision
1541 # 15)As the previous step has most probably modified the password stored in
1542 # in secret for the current DC, a new password is generated,
1543 # the kvno is bumped and the entry in samdb is also updated
1544 # 16)For current provision older than alpha9, we must fix the SD a little bit
1545 # administrator to update them because SD used to be generated with the
1546 # system account before alpha9.
1547 # 17)The highest usn modified so far is searched in the database it will be
1548 # the upper limit for usn modified during provision.
1549 # This is done before potential SD recalculation because we do not want
1550 # SD modified during recalculation to be marked as modified during provision
1551 # (and so possibly remplaced at next upgradeprovision)
1552 # 18)Rebuilt SD if the flag indicate to do so
1553 # 19)Check difference between SD of reference provision and those of the
1554 # current provision. The check is done by getting the sddl representation
1555 # of the SD. Each sddl in chuncked into parts (user,group,dacl,sacl)
1556 # Each part is verified separetly, for dacl and sacl ACL is splited into
1557 # ACEs and each ACE is verified separately (so that a permutation in ACE
1558 # didn't raise as an error).
1559 # 20)The oemInfo field is updated to add information about the fact that the
1560 # provision has been updated by the upgradeprovision version xxx
1561 # (the version is the one obtained when starting samba with the --version
1562 # parameter)
1563 # 21)Check if the current provision has all the settings needed for dynamic
1564 # DNS update to work (that is to say the provision is newer than
1565 # january 2010). If not dns configuration file from reference provision
1566 # are copied in a sub folder and the administrator is invited to
1567 # do what is needed.
1568 # 22)If the lastProvisionUSN attribute was present it is updated to add
1569 # the range of usns modified by the current upgradeprovision
1570
1571
1572 # About updating the sam DB
1573 # The update takes place in update_partition function
1574 # This function read both current and reference provision and list all
1575 # the available DN of objects
1576 # If the string representation of a DN in reference provision is
1577 # equal to the string representation of a DN in current provision
1578 # (without taking care of case) then the object is flaged as being
1579 # present. If the object is not present in current provision the object
1580 # is being flaged as missing in current provision. Object present in current
1581 # provision but not in reference provision are ignored.
1582 # Once the list of objects present and missing is done, the deleted object
1583 # containers are created in the differents partitions (if missing)
1584 #
1585 # Then the function add_missing_entries is called
1586 # This function will go through the list of missing entries by calling
1587 # add_missing_object for the given object. If this function returns 0
1588 # it means that the object needs some other object in order to be created
1589 # The object is reappended at the end of the list to be created later
1590 # (and preferably after all the needed object have been created)
1591 # The function keeps on looping on the list of object to be created until
1592 # it's empty or that the number of defered creation is equal to the number
1593 # of object that still needs to be created.
1594
1595 # The function add_missing_object will first check if the object can be created.
1596 # That is to say that it didn't depends other not yet created objects
1597 # If requisit can't be fullfilled it exists with 0
1598 # Then it will try to create the missing entry by creating doing
1599 # an ldb_message_diff between the object in the reference provision and
1600 # an empty object.
1601 # This resulting object is filtered to remove all the back link attribute
1602 # (ie. memberOf) as they will be created by the other linked object (ie.
1603 # the one with the member attribute)
1604 # All attributes specified in the attrNotCopied array are
1605 # also removed it's most of the time generated attributes
1606
1607 # After missing entries have been added the update_partition function will
1608 # take care of object that exist but that need some update.
1609 # In order to do so the function update_present is called with the list
1610 # of object that are present in both provision and that might need an update.
1611
1612 # This function handle first case mismatch so that the DN in the current
1613 # provision have the same case as in reference provision
1614
1615 # It will then construct an associative array consiting of attributes as
1616 # key and invocationid as value( if the originating invocation id is
1617 # different from the invocation id of the current DC the value is -1 instead).
1618
1619 # If the range of provision modified attributes is present, the function will
1620 # use the replMetadataProperty update method which is the following:
1621 # Removing attributes that should not be updated: rIDAvailablePool, objectSid,
1622 # creationTime, msDs-KeyVersionNumber, oEMInformation
1623 # Check for each attribute if its usn is within one of the modified by
1624 # provision range and if its originating id is the invocation id of the
1625 # current DC, then validate the update from reference to current.
1626 # If not or if there is no replMetatdataProperty for this attribute then we
1627 # do not update it.
1628 # Otherwise (case the range of provision modified attribute is not present) it
1629 # use the following process:
1630 # All attributes that need to be added are accepted at the exeption of those
1631 # listed in hashOverwrittenAtt, in this case the attribute needs to have the
1632 # correct flags specified.
1633 # For attributes that need to be modified or removed, a check is performed
1634 # in OverwrittenAtt, if the attribute is present and the modification flag
1635 # (remove, delete) is one of those listed for this attribute then modification
1636 # is accepted. For complicated handling of attribute update, the control is passed
1637 # to handle_special_case
1638
1639
1640
1641 if __name__ == '__main__':
1642 global defSDmodified
1643 defSDmodified = False
1644
1645 # From here start the big steps of the program
1646 # 1) First get files paths
1647 paths = get_paths(param, smbconf=smbconf)
1648 # Get ldbs with the system session, it is needed for searching
1649 # provision parameters
1650 session = system_session()
1651
1652 # This variable will hold the last provision USN once if it exists.
1653 minUSN = 0
1654 # 2)
1655 ldbs = get_ldbs(paths, creds, session, lp)
1656 backupdir = tempfile.mkdtemp(dir=paths.private_dir,
1657 prefix="backupprovision")
1658 backup_provision(paths, backupdir, opts.db_backup_only)
1659 try:
1660 ldbs.startTransactions()
1661
1662 # 3) Guess all the needed names (variables in fact) from the current
1663 # provision.
1664 names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
1665 paths, smbconf, lp)
1666 # 4)
1667 lastProvisionUSNs = get_last_provision_usn(ldbs.sam)
1668 if lastProvisionUSNs is not None:
1669 v = 0
1670 for k in lastProvisionUSNs.keys():
1671 for r in lastProvisionUSNs[k]:
1672 v = v + 1
1673
1674 message(CHANGE,
1675 "Find last provision USN, %d invocation(s) for a total of %d ranges" %
1676 (len(lastProvisionUSNs.keys()), v /2 ))
1677
1678 if lastProvisionUSNs.get("default") is not None:
1679 message(CHANGE, "Old style for usn ranges used")
1680 lastProvisionUSNs[str(names.invocation)] = lastProvisionUSNs["default"]
1681 del lastProvisionUSNs["default"]
1682 else:
1683 message(SIMPLE, "Your provision lacks provision range information")
1684 if confirm("Do you want to run findprovisionusnranges to try to find them ?", False):
1685 ldbs.groupedRollback()
1686 minobj = 5
1687 (hash_id, nb_obj) = findprovisionrange(ldbs.sam, ldb.Dn(ldbs.sam, str(names.rootdn)))
1688 message(SIMPLE, "Here is a list of changes that modified more than %d objects in 1 minute." % minobj)
1689 message(SIMPLE, "Usually changes made by provision and upgradeprovision are those who affect a couple"
1690 " of hundred of objects or more")
1691 message(SIMPLE, "Total number of objects: %d" % nb_obj)
1692 message(SIMPLE, "")
1693
1694 print_provision_ranges(hash_id, minobj, None, str(paths.samdb), str(names.invocation))
1695
1696 message(SIMPLE, "Once you applied/adapted the change(s) please restart the upgradeprovision script")
1697 sys.exit(0)
1698
1699 # Objects will be created with the admin session
1700 # (not anymore system session)
1701 adm_session = admin_session(lp, str(names.domainsid))
1702 # So we reget handle on objects
1703 # ldbs = get_ldbs(paths, creds, adm_session, lp)
1704
1705 if not sanitychecks(ldbs.sam, names):
1706 message(SIMPLE, "Sanity checks for the upgrade have failed. "
1707 "Check the messages and correct the errors "
1708 "before rerunning upgradeprovision")
1709 ldbs.groupedRollback()
1710 sys.exit(1)
1711
1712 # Let's see provision parameters
1713 print_provision_key_parameters(names)
1714
1715 # 5) With all this information let's create a fresh new provision used as
1716 # reference
1717 message(SIMPLE, "Creating a reference provision")
1718 provisiondir = tempfile.mkdtemp(dir=paths.private_dir,
1719 prefix="referenceprovision")
1720 result = newprovision(names, creds, session, smbconf, provisiondir,
1721 provision_logger)
1722 result.report_logger(provision_logger)
1723
1724 # TODO
1725 # 6) and 7)
1726 # We need to get a list of object which SD is directly computed from
1727 # defaultSecurityDescriptor.
1728 # This will allow us to know which object we can rebuild the SD in case
1729 # of change of the parent's SD or of the defaultSD.
1730 # Get file paths of this new provision
1731 newpaths = get_paths(param, targetdir=provisiondir)
1732 new_ldbs = get_ldbs(newpaths, creds, session, lp)
1733 new_ldbs.startTransactions()
1734
1735 populateNotReplicated(new_ldbs.sam, names.schemadn)
1736 # 8) Populate some associative array to ease the update process
1737 # List of attribute which are link and backlink
1738 populate_links(new_ldbs.sam, names.schemadn)
1739 # List of attribute with ASN DN synthax)
1740 populate_dnsyntax(new_ldbs.sam, names.schemadn)
1741 # 9) (now skipped, was copy of privileges.ldb)
1742 # 10)
1743 oem = getOEMInfo(ldbs.sam, str(names.rootdn))
1744 # Do some modification on sam.ldb
1745 ldbs.groupedCommit()
1746 new_ldbs.groupedCommit()
1747 deltaattr = None
1748 # 11)
1749 message(GUESS, oem)
1750 if oem is None or hasATProvision(ldbs.sam) or not opts.very_old_pre_alpha9:
1751 # 11) A
1752 # Starting from alpha9 we can consider that the structure is quite ok
1753 # and that we should do only dela
1754 deltaattr = delta_update_basesamdb(newpaths.samdb,
1755 paths.samdb,
1756 creds,
1757 session,
1758 lp,
1759 message)
1760 else:
1761 # 11) B
1762 simple_update_basesamdb(newpaths, paths, names)
1763 ldbs = get_ldbs(paths, creds, session, lp)
1764 removeProvisionUSN(ldbs.sam)
1765
1766 ldbs.startTransactions()
1767 minUSN = int(str(get_max_usn(ldbs.sam, str(names.rootdn)))) + 1
1768 new_ldbs.startTransactions()
1769
1770 # 12)
1771 schema = Schema(names.domainsid, schemadn=str(names.schemadn))
1772 # We create a closure that will be invoked just before schema reload
1773 def schemareloadclosure():
1774 basesam = Ldb(paths.samdb, session_info=session, credentials=creds, lp=lp,
1775 options=["modules:"])
1776 doit = False
1777 if deltaattr is not None and len(deltaattr) > 1:
1778 doit = True
1779 if doit:
1780 deltaattr.remove("dn")
1781 for att in deltaattr:
1782 if att.lower() == "dn":
1783 continue
1784 if (deltaattr.get(att) is not None
1785 and deltaattr.get(att).flags() != FLAG_MOD_ADD):
1786 doit = False
1787 elif deltaattr.get(att) is None:
1788 doit = False
1789 if doit:
1790 message(CHANGE, "Applying delta to @ATTRIBUTES")
1791 deltaattr.dn = ldb.Dn(basesam, "@ATTRIBUTES")
1792 basesam.modify(deltaattr)
1793 else:
1794 message(CHANGE, "Not applying delta to @ATTRIBUTES because "
1795 "there is not only add")
1796 # 13)
1797 if opts.full:
1798 if not update_samdb(new_ldbs.sam, ldbs.sam, names, lastProvisionUSNs,
1799 schema, schemareloadclosure):
1800 message(SIMPLE, "Rolling back all changes. Check the cause"
1801 " of the problem")
1802 message(SIMPLE, "Your system is as it was before the upgrade")
1803 ldbs.groupedRollback()
1804 new_ldbs.groupedRollback()
1805 shutil.rmtree(provisiondir)
1806 sys.exit(1)
1807 else:
1808 # Try to reapply the change also when we do not change the sam
1809 # as the delta_upgrade
1810 schemareloadclosure()
1811 sync_calculated_attributes(ldbs.sam, names)
1812 res = ldbs.sam.search(expression="(samaccountname=dns)",
1813 scope=SCOPE_SUBTREE, attrs=["dn"],
1814 controls=["search_options:1:2"])
1815 if len(res) > 0:
1816 message(SIMPLE, "You still have the old DNS object for managing "
1817 "dynamic DNS, but you didn't supply --full so "
1818 "a correct update can't be done")
1819 ldbs.groupedRollback()
1820 new_ldbs.groupedRollback()
1821 shutil.rmtree(provisiondir)
1822 sys.exit(1)
1823 # 14)
1824 update_secrets(new_ldbs.secrets, ldbs.secrets, message)
1825 # 14bis)
1826 res = ldbs.sam.search(expression="(samaccountname=dns)",
1827 scope=SCOPE_SUBTREE, attrs=["dn"],
1828 controls=["search_options:1:2"])
1829
1830 if (len(res) == 1):
1831 ldbs.sam.delete(res[0]["dn"])
1832 res2 = ldbs.secrets.search(expression="(samaccountname=dns)",
1833 scope=SCOPE_SUBTREE, attrs=["dn"])
1834 update_dns_account_password(ldbs.sam, ldbs.secrets, names)
1835 message(SIMPLE, "IMPORTANT!!! "
1836 "If you were using Dynamic DNS before you need "
1837 "to update your configuration, so that the "
1838 "tkey-gssapi-credential has the following value: "
1839 "DNS/%s.%s" % (names.netbiosname.lower(),
1840 names.realm.lower()))
1841 # 15)
1842 message(SIMPLE, "Update machine account")
1843 update_machine_account_password(ldbs.sam, ldbs.secrets, names)
1844
1845 dnToRecalculate.sort(dn_sort)
1846 # 16) SD should be created with admin but as some previous acl were so wrong
1847 # that admin can't modify them we have first to recreate them with the good
1848 # form but with system account and then give the ownership to admin ...
1849 if opts.very_old_pre_alpha9:
1850 message(SIMPLE, "Fixing very old provision SD")
1851 rebuild_sd(ldbs.sam, names)
1852
1853 # We calculate the max USN before recalculating the SD because we might
1854 # touch object that have been modified after a provision and we do not
1855 # want that the next upgradeprovision thinks that it has a green light
1856 # to modify them
1857
1858 # 17)
1859 maxUSN = get_max_usn(ldbs.sam, str(names.rootdn))
1860
1861 # 18) We rebuild SD if a we have a list of DN to recalculate or if the
1862 # defSDmodified is set.
1863 if opts.full and (defSDmodified or len(dnToRecalculate) >0):
1864 message(SIMPLE, "Some (default) security descriptors (SDs) have "
1865 "changed, recalculating them")
1866 ldbs.sam.set_session_info(adm_session)
1867 rebuild_sd(ldbs.sam, names)
1868
1869 # 19)
1870 # Now we are quite confident in the recalculate process of the SD, we make
1871 # it optional. And we don't do it if there is DN that we must touch
1872 # as we are assured that on this DNs we will have differences !
1873 # Also the check must be done in a clever way as for the moment we just
1874 # compare SDDL
1875 if len(dnNotToRecalculate) == 0 and (opts.debugchangesd or opts.debugall):
1876 message(CHANGESD, "Checking recalculated SDs")
1877 check_updated_sd(new_ldbs.sam, ldbs.sam, names)
1878
1879 # 20)
1880 updateOEMInfo(ldbs.sam, str(names.rootdn))
1881 # 21)
1882 check_for_DNS(newpaths.private_dir, paths.private_dir, names.dns_backend)
1883 # 22)
1884 update_provision_usn(ldbs.sam, minUSN, maxUSN, names.invocation)
1885 if opts.full and (names.policyid is None or names.policyid_dc is None):
1886 update_policyids(names, ldbs.sam)
1887
1888 if opts.full:
1889 try:
1890 update_gpo(paths, ldbs.sam, names, lp, message)
1891 except ProvisioningError, e:
1892 message(ERROR, "The policy for domain controller is missing. "
1893 "You should restart upgradeprovision with --full")
1894
1895 ldbs.groupedCommit()
1896 new_ldbs.groupedCommit()
1897 message(SIMPLE, "Upgrade finished!")
1898 # remove reference provision now that everything is done !
1899 # So we have reindexed first if need when the merged schema was reloaded
1900 # (as new attributes could have quick in)
1901 # But the second part of the update (when we update existing objects
1902 # can also have an influence on indexing as some attribute might have their
1903 # searchflag modificated
1904 message(SIMPLE, "Reopening samdb to trigger reindexing if needed "
1905 "after modification")
1906 samdb = Ldb(paths.samdb, session_info=session, credentials=creds, lp=lp)
1907 message(SIMPLE, "Reindexing finished")
1908
1909 shutil.rmtree(provisiondir)
1910 except StandardError, err:
1911 message(ERROR, "A problem occurred while trying to upgrade your "
1912 "provision. A full backup is located at %s" % backupdir)
1913 if opts.debugall or opts.debugchange:
1914 (typ, val, tb) = sys.exc_info()
1915 traceback.print_exception(typ, val, tb)
1916 sys.exit(1)
reg import