3 # Copyright (C) Matthieu Patou <mat@matws.net> 2009
5 # Based on provision a Samba4 server by
6 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
7 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
10 # This program is free software; you can redistribute it and/or modify
11 # it under the terms of the GNU General Public License as published by
12 # the Free Software Foundation; either version 3 of the License, or
13 # (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program. If not, see <http://www.gnu.org/licenses/>.
33 # Find right directory when running from source tree
34 sys
.path
.insert(0, "bin/python")
36 from base64
import b64encode
39 from samba
.credentials
import DONT_USE_KERBEROS
40 from samba
.auth
import system_session
, admin_session
42 from ldb
import SCOPE_SUBTREE
, SCOPE_ONELEVEL
, SCOPE_BASE
, LdbError
44 import samba
.getopt
as options
45 from samba
.samdb
import SamDB
46 from samba
import param
47 from samba
.provision
import ProvisionNames
,provision_paths_from_lp
,find_setup_dir
,FILL_FULL
,provision
48 from samba
.schema
import get_dnsyntax_attributes
, get_linked_attributes
, Schema
49 from samba
.dcerpc
import misc
, security
50 from samba
.ndr
import ndr_pack
, ndr_unpack
52 replace
=2^ldb
.FLAG_MOD_REPLACE
53 add
=2^ldb
.FLAG_MOD_ADD
54 delete
=2^ldb
.FLAG_MOD_DELETE
61 # Attributes that not copied from the reference provision even if they do not exists in the destination object
62 # This is most probably because they are populated automatcally when object is created
63 hashAttrNotCopied
= { "dn": 1,"whenCreated": 1,"whenChanged": 1,"objectGUID": 1,"replPropertyMetaData": 1,"uSNChanged": 1,\
64 "uSNCreated": 1,"parentGUID": 1,"objectCategory": 1,"distinguishedName": 1,\
65 "showInAdvancedViewOnly": 1,"instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1,\
66 "nTMixedDomain": 1,"versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1, "ntPwdHistory":1, "unicodePwd":1,\
67 "dBCSPwd":1,"supplementalCredentials":1,"gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,\
68 "maxPwdAge":1, "mail":1, "secret":1}
70 # Usually for an object that already exists we do not overwrite attributes as they might have been changed for good
71 # reasons. Anyway for a few of thems it's mandatory to replace them otherwise the provision will be broken somehow.
72 hashOverwrittenAtt
= { "prefixMap": replace
, "systemMayContain": replace
,"systemOnly":replace
, "searchFlags":replace
,\
73 "mayContain":replace
, "systemFlags":replace
,
74 "oEMInformation":replace
, "operatingSystemVersion":replace
, "adminPropertyPages":1,"possibleInferiors":replace
+delete
}
77 def define_what_to_log(opts
):
81 if opts
.debugchangesd
:
82 what
= what | CHANGESD
86 what
= what | CHANGEALL
91 parser
= optparse
.OptionParser("provision [options]")
92 sambaopts
= options
.SambaOptions(parser
)
93 parser
.add_option_group(sambaopts
)
94 parser
.add_option_group(options
.VersionOptions(parser
))
95 credopts
= options
.CredentialsOptions(parser
)
96 parser
.add_option_group(credopts
)
97 parser
.add_option("--setupdir", type="string", metavar
="DIR",
98 help="directory with setup files")
99 parser
.add_option("--debugprovision", help="Debug provision", action
="store_true")
100 parser
.add_option("--debugguess", help="Print information on what is different but won't be changed", action
="store_true")
101 parser
.add_option("--debugchange", help="Print information on what is different but won't be changed", action
="store_true")
102 parser
.add_option("--debugchangesd", help="Print information security descriptors differences", action
="store_true")
103 parser
.add_option("--debugall", help="Print all available information (very verbose)", action
="store_true")
104 parser
.add_option("--targetdir", type="string", metavar
="DIR",
105 help="Set target directory")
107 opts
= parser
.parse_args()[0]
109 whatToLog
= define_what_to_log(opts
)
111 def messageprovision(text
):
112 """print a message if quiet is not set."""
113 if opts
.debugprovision
or opts
.debugall
:
116 def message(what
,text
):
117 """print a message if quiet is not set."""
121 if len(sys
.argv
) == 1:
122 opts
.interactive
= True
123 lp
= sambaopts
.get_loadparm()
124 smbconf
= lp
.configfile
126 creds
= credopts
.get_credentials(lp
)
127 creds
.set_kerberos_state(DONT_USE_KERBEROS
)
128 setup_dir
= opts
.setupdir
129 if setup_dir
is None:
130 setup_dir
= find_setup_dir()
132 session
= system_session()
134 # Create an array of backlinked attributes
135 def populate_backlink(newpaths
,creds
,session
,schemadn
):
136 newsam_ldb
= Ldb(newpaths
.samdb
, session_info
=session
, credentials
=creds
,lp
=lp
)
137 backlinked
.extend(get_linked_attributes(ldb
.Dn(newsam_ldb
,str(schemadn
)),newsam_ldb
).values())
139 # Get Paths for important objects (ldb, keytabs ...)
140 def get_paths(targetdir
=None,smbconf
=None):
141 if targetdir
is not None:
142 if (not os
.path
.exists(os
.path
.join(targetdir
, "etc"))):
143 os
.makedirs(os
.path
.join(targetdir
, "etc"))
144 smbconf
= os
.path
.join(targetdir
, "etc", "smb.conf")
146 smbconf
= param
.default_path()
148 if not os
.path
.exists(smbconf
):
149 print >>sys
.stderr
, "Unable to find smb.conf .."
153 lp
= param
.LoadParm()
155 # Normaly we need the domain name for this function but for our needs it's pointless
156 paths
= provision_paths_from_lp(lp
,"foo")
159 # This function guess(fetch) informations needed to make a fresh provision from the current provision
160 # It includes: realm, workgroup, partitions, netbiosname, domain guid, ...
161 def guess_names_from_current_provision(credentials
,session_info
,paths
):
162 lp
= param
.LoadParm()
163 lp
.load(paths
.smbconf
)
164 names
= ProvisionNames()
165 # NT domain, kerberos realm, root dn, domain dn, domain dns name
166 names
.domain
= string
.upper(lp
.get("workgroup"))
167 names
.realm
= lp
.get("realm")
168 rootdn
= "DC=" + names
.realm
.replace(".",",DC=")
169 names
.domaindn
= rootdn
170 names
.dnsdomain
= names
.realm
171 names
.realm
= string
.upper(names
.realm
)
173 secrets_ldb
= Ldb(paths
.secrets
, session_info
=session_info
, credentials
=credentials
,lp
=lp
, options
=["modules:samba_secrets"])
174 # Get the netbiosname first (could be obtained from smb.conf in theory)
175 attrs
= ["sAMAccountName"]
176 res
= secrets_ldb
.search(expression
="(flatname=%s)"%names
.domain
,base
="CN=Primary Domains", scope
=SCOPE_SUBTREE
, attrs
=attrs
)
177 names
.netbiosname
= str(res
[0]["sAMAccountName"]).replace("$","")
179 names
.smbconf
= smbconf
180 #It's important here to let ldb load with the old module or it's quite certain that the LDB won't load ...
181 samdb
= Ldb(paths
.samdb
, session_info
=session_info
,
182 credentials
=credentials
, lp
=lp
)
184 # That's a bit simplistic but it's ok as long as we have only 3 partitions
185 attrs2
= ["schemaNamingContext","configurationNamingContext","rootDomainNamingContext"]
186 res2
= samdb
.search(expression
="(objectClass=*)",base
="", scope
=SCOPE_BASE
, attrs
=attrs2
)
188 names
.configdn
= res2
[0]["configurationNamingContext"]
189 configdn
= str(names
.configdn
)
190 names
.schemadn
= res2
[0]["schemaNamingContext"]
191 if not (rootdn
== str(res2
[0]["rootDomainNamingContext"])):
192 print >>sys
.stderr
, "rootdn in sam.ldb and smb.conf is not the same ..."
194 names
.rootdn
=res2
[0]["rootDomainNamingContext"]
197 res3
= samdb
.search(expression
="(objectClass=*)",base
="CN=Sites,"+configdn
, scope
=SCOPE_ONELEVEL
, attrs
=attrs3
)
198 names
.sitename
= str(res3
[0]["cn"])
200 # dns hostname and server dn
201 attrs4
= ["dNSHostName"]
202 res4
= samdb
.search(expression
="(CN=%s)"%names
.netbiosname
,base
="OU=Domain Controllers,"+rootdn
, \
203 scope
=SCOPE_ONELEVEL
, attrs
=attrs4
)
204 names
.hostname
= str(res4
[0]["dNSHostName"]).replace("."+names
.dnsdomain
,"")
206 names
.serverdn
= "CN=%s,CN=Servers,CN=%s,CN=Sites,%s" % (names
.netbiosname
, names
.sitename
, configdn
)
209 attrs5
= ["invocationId"]
210 res5
= samdb
.search(expression
="(objectClass=*)",base
="CN=Sites,"+configdn
, scope
=SCOPE_SUBTREE
, attrs
=attrs5
)
211 for i
in range(0,len(res5
)):
212 if ( len(res5
[i
]) > 0):
213 names
.invocation
= str(ndr_unpack( misc
.GUID
,res5
[i
]["invocationId"][0]))
216 attrs6
= ["objectGUID", "objectSid", ]
217 res6
= samdb
.search(expression
="(objectClass=*)",base
=rootdn
, scope
=SCOPE_BASE
, attrs
=attrs6
)
218 names
.domainguid
= str(ndr_unpack( misc
.GUID
,res6
[0]["objectGUID"][0]))
219 names
.domainsid
= str(ndr_unpack( security
.dom_sid
,res6
[0]["objectSid"][0]))
222 attrs7
= ["cn","displayName"]
223 res7
= samdb
.search(expression
="(displayName=Default Domain Policy)",base
="CN=Policies,CN=System,"+rootdn
, \
224 scope
=SCOPE_ONELEVEL
, attrs
=attrs7
)
225 names
.policyid
= str(res7
[0]["cn"]).replace("{","").replace("}","")
227 attrs8
= ["cn","displayName"]
228 res8
= samdb
.search(expression
="(displayName=Default Domain Controllers Policy)",base
="CN=Policies,CN=System,"+rootdn
, \
229 scope
=SCOPE_ONELEVEL
, attrs
=attrs7
)
231 names
.policyid_dc
= str(res8
[0]["cn"]).replace("{","").replace("}","")
233 names
.policyid_dc
= None
235 attrs9
= ["objectGUID" ]
236 exp
= "(dn=CN=NTDS Settings,%s)"%(names
.serverdn
)
238 res9
= samdb
.search(expression
="(dn=CN=NTDS Settings,%s)"%(names
.serverdn
),base
=str(names
.configdn
), scope
=SCOPE_SUBTREE
, attrs
=attrs9
)
239 names
.ntdsguid
= str(ndr_unpack( misc
.GUID
,res9
[0]["objectGUID"][0]))
245 def print_names(names
):
246 message(GUESS
, "rootdn :"+str(names
.rootdn
))
247 message(GUESS
, "configdn :"+str(names
.configdn
))
248 message(GUESS
, "schemadn :"+str(names
.schemadn
))
249 message(GUESS
, "serverdn :"+names
.serverdn
)
250 message(GUESS
, "netbiosname :"+names
.netbiosname
)
251 message(GUESS
, "defaultsite :"+names
.sitename
)
252 message(GUESS
, "dnsdomain :"+names
.dnsdomain
)
253 message(GUESS
, "hostname :"+names
.hostname
)
254 message(GUESS
, "domain :"+names
.domain
)
255 message(GUESS
, "realm :"+names
.realm
)
256 message(GUESS
, "invocationid:"+names
.invocation
)
257 message(GUESS
, "policyguid :"+names
.policyid
)
258 message(GUESS
, "policyguiddc:"+str(names
.policyid_dc
))
259 message(GUESS
, "domainsid :"+names
.domainsid
)
260 message(GUESS
, "domainguid :"+names
.domainguid
)
261 message(GUESS
, "ntdsguid :"+names
.ntdsguid
)
263 # Create a fresh new reference provision
264 # This provision will be the reference for knowing what has changed in the
265 # since the latest upgrade in the current provision
266 def newprovision(names
,setup_dir
,creds
,session
,smbconf
):
268 provdir
=os
.path
.join(os
.environ
["HOME"],"provision"+str(int(100000*random
.random())))
269 logstd
=os
.path
.join(provdir
,"log.std")
270 os
.chdir(os
.path
.join(setup_dir
,".."))
273 provision(setup_dir
, messageprovision
,
274 session
, creds
, smbconf
=smbconf
, targetdir
=provdir
,
275 samdb_fill
=FILL_FULL
, realm
=names
.realm
, domain
=names
.domain
,
276 domainguid
=names
.domainguid
, domainsid
=names
.domainsid
,ntdsguid
=names
.ntdsguid
,
277 policyguid
=names
.policyid
,policyguid_dc
=names
.policyid_dc
,hostname
=names
.hostname
,
278 hostip
=None, hostip6
=None,
279 invocationid
=names
.invocation
, adminpass
=None,
280 krbtgtpass
=None, machinepass
=None,
281 dnspass
=None, root
=None, nobody
=None,
282 wheel
=None, users
=None,
283 serverrole
="domain controller",
284 ldap_backend_extra_port
=None,
291 ldap_dryrun_mode
=None)
292 print >>sys
.stderr
, "provisiondir: "+provdir
295 # This function sorts two dn in the lexicographical order and put higher level DN before
296 # So given the dns cn=bar,cn=foo and cn=foo the later will be return as smaller (-1) as it has less
299 p
= re
.compile(r
'(?<!\\),')
300 tab1
= p
.split(str(x
))
301 tab2
= p
.split(str(y
))
303 if (len(tab1
) > len(tab2
)):
305 elif (len(tab1
) < len(tab2
)):
312 # Note: python range go up to upper limit but do not include it
313 for i
in range(0,min):
314 ret
=cmp(tab1
[len1
-i
],tab2
[len2
-i
])
320 print >>sys
.stderr
,"PB PB PB"+space
.join(tab1
)+" / "+space
.join(tab2
)
327 # check from security descriptors modifications return 1 if it is 0 otherwise
328 # it also populate hash structure for later use in the upgrade process
329 def handle_security_desc(ischema
,att
,msgElt
,hashallSD
,old
,new
):
330 if ischema
== 1 and att
== "defaultSecurityDescriptor" and msgElt
.flags() == ldb
.FLAG_MOD_REPLACE
:
332 hashSD
["oldSD"] = old
[0][att
]
333 hashSD
["newSD"] = new
[0][att
]
334 hashallSD
[str(old
[0].dn
)] = hashSD
336 if att
== "nTSecurityDescriptor" and msgElt
.flags() == ldb
.FLAG_MOD_REPLACE
:
339 hashSD
["oldSD"] = ndr_unpack(security
.descriptor
,str(old
[0][att
]))
340 hashSD
["newSD"] = ndr_unpack(security
.descriptor
,str(new
[0][att
]))
341 hashallSD
[str(old
[0].dn
)] = hashSD
345 # Hangle special cases ... That's when we want to update an attribute only
346 # if it has a certain value or if it's for a certain object or
348 # It can be also if we want to do a merge of value instead of a simple replace
349 def handle_special_case(att
,delta
,new
,old
,ischema
):
350 flag
= delta
.get(att
).flags()
351 if (att
== "gPLink" or att
== "gPCFileSysPath") and flag
== ldb
.FLAG_MOD_REPLACE
and str(new
[0].dn
).lower() == str(old
[0].dn
).lower():
354 if att
== "forceLogoff":
355 ref
=0x8000000000000000
356 oldval
=int(old
[0][att
][0])
357 newval
=int(new
[0][att
][0])
358 ref
== old
and ref
== abs(new
)
360 if (att
== "adminDisplayName" or att
== "adminDescription") and ischema
:
362 if (str(old
[0].dn
) == "CN=Samba4-Local-Domain,%s"%(str(names
.schemadn
)) and att
== "defaultObjectCategory" and flag
== ldb
.FLAG_MOD_REPLACE
):
364 if (str(old
[0].dn
) == "CN=S-1-5-11,CN=ForeignSecurityPrincipals,%s"%(str(names
.rootdn
)) and att
== "description" and flag
== ldb
.FLAG_MOD_DELETE
):
366 if (str(old
[0].dn
) == "CN=Title,%s"%(str(names
.schemadn
)) and att
== "rangeUpper" and flag
== ldb
.FLAG_MOD_REPLACE
):
368 if ( (att
== "member" or att
== "servicePrincipalName") and flag
== ldb
.FLAG_MOD_REPLACE
):
373 for elem
in old
[0][att
]:
375 newval
.append(str(elem
))
377 for elem
in new
[0][att
]:
378 if not hash.has_key(str(elem
)):
380 newval
.append(str(elem
))
382 delta
[att
] = ldb
.MessageElement(newval
, ldb
.FLAG_MOD_REPLACE
, att
)
386 if (str(old
[0].dn
) == "%s"%(str(names
.rootdn
)) and att
== "subRefs" and flag
== ldb
.FLAG_MOD_REPLACE
):
388 if str(delta
.dn
).endswith("CN=DisplaySpecifiers,%s"%names
.configdn
):
392 def update_secrets(newpaths
,paths
,creds
,session
):
393 newsecrets_ldb
= Ldb(newpaths
.secrets
, session_info
=session
, credentials
=creds
,lp
=lp
)
394 secrets_ldb
= Ldb(paths
.secrets
, session_info
=session
, credentials
=creds
,lp
=lp
, options
=["modules:samba_secrets"])
395 res
= newsecrets_ldb
.search(expression
="dn=@MODULES",base
="", scope
=SCOPE_SUBTREE
)
396 res2
= secrets_ldb
.search(expression
="dn=@MODULES",base
="", scope
=SCOPE_SUBTREE
)
397 delta
= secrets_ldb
.msg_diff(res2
[0],res
[0])
398 delta
.dn
= res2
[0].dn
399 secrets_ldb
.modify(delta
)
401 newsecrets_ldb
= Ldb(newpaths
.secrets
, session_info
=session
, credentials
=creds
,lp
=lp
)
402 secrets_ldb
= Ldb(paths
.secrets
, session_info
=session
, credentials
=creds
,lp
=lp
)
403 res
= newsecrets_ldb
.search(expression
="objectClass=top",base
="", scope
=SCOPE_SUBTREE
,attrs
=["dn"])
404 res2
= secrets_ldb
.search(expression
="objectClass=top",base
="", scope
=SCOPE_SUBTREE
,attrs
=["dn"])
410 empty
= ldb
.Message()
411 for i
in range(0,len(res
)):
412 hash_new
[str(res
[i
]["dn"]).lower()] = res
[i
]["dn"]
414 # Create a hash for speeding the search of existing object in the current provision
415 for i
in range(0,len(res2
)):
416 hash[str(res2
[i
]["dn"]).lower()] = res2
[i
]["dn"]
418 for k
in hash_new
.keys():
419 if not hash.has_key(k
):
420 listMissing
.append(hash_new
[k
])
422 listPresent
.append(hash_new
[k
])
423 for entry
in listMissing
:
424 res
= newsecrets_ldb
.search(expression
="dn=%s"%entry
,base
="", scope
=SCOPE_SUBTREE
)
425 res2
= secrets_ldb
.search(expression
="dn=%s"%entry
,base
="", scope
=SCOPE_SUBTREE
)
426 delta
= secrets_ldb
.msg_diff(empty
,res
[0])
427 for att
in hashAttrNotCopied
.keys():
429 message(CHANGE
,"Entry %s is missing from secrets.ldb"%res[0].dn
)
431 message(CHANGE
," Adding attribute %s"%att
)
433 secrets_ldb
.add(delta
)
435 for entry
in listPresent
:
436 res
= newsecrets_ldb
.search(expression
="dn=%s"%entry
,base
="", scope
=SCOPE_SUBTREE
)
437 res2
= secrets_ldb
.search(expression
="dn=%s"%entry
,base
="", scope
=SCOPE_SUBTREE
)
438 delta
= secrets_ldb
.msg_diff(res2
[0],res
[0])
440 for att
in hashAttrNotCopied
.keys():
445 message(CHANGE
," Adding/Changing attribute %s to %s"%(att
,res2
[0].dn
))
447 delta
.dn
= res2
[0].dn
448 secrets_ldb
.modify(delta
)
450 # Check difference between the current provision and the reference provision.
451 # It looks for all object which base DN is name if ischema is false then scan is done in
452 # cross partition mode.
453 # If ischema is true, then special handling is done for dealing with schema
454 def check_diff_name(newpaths
,paths
,creds
,session
,basedn
,names
,ischema
):
462 # Connect to the reference provision and get all the attribute in the partition referred by name
463 newsam_ldb
= Ldb(newpaths
.samdb
, session_info
=session
, credentials
=creds
,lp
=lp
)
464 sam_ldb
= Ldb(paths
.samdb
, session_info
=session
, credentials
=creds
,lp
=lp
, options
=["modules:samba_dsdb"])
466 res
= newsam_ldb
.search(expression
="objectClass=*",base
=basedn
, scope
=SCOPE_SUBTREE
,attrs
=["dn"])
467 res2
= sam_ldb
.search(expression
="objectClass=*",base
=basedn
, scope
=SCOPE_SUBTREE
,attrs
=["dn"])
469 res
= newsam_ldb
.search(expression
="objectClass=*",base
=basedn
, scope
=SCOPE_SUBTREE
,attrs
=["dn"],controls
=["search_options:1:2"])
470 res2
= sam_ldb
.search(expression
="objectClass=*",base
=basedn
, scope
=SCOPE_SUBTREE
,attrs
=["dn"],controls
=["search_options:1:2"])
472 # Create a hash for speeding the search of new object
473 for i
in range(0,len(res
)):
474 hash_new
[str(res
[i
]["dn"]).lower()] = res
[i
]["dn"]
476 # Create a hash for speeding the search of existing object in the current provision
477 for i
in range(0,len(res2
)):
478 hash[str(res2
[i
]["dn"]).lower()] = res2
[i
]["dn"]
480 for k
in hash_new
.keys():
481 if not hash.has_key(k
):
482 listMissing
.append(hash_new
[k
])
484 listPresent
.append(hash_new
[k
])
486 # Sort the missing object in order to have object of the lowest level first (which can be
487 # containers for higher level objects)
488 listMissing
.sort(dn_sort
)
489 listPresent
.sort(dn_sort
)
492 # The following lines (up to the for loop) is to load the up to date schema into our current LDB
493 # a complete schema is needed as the insertion of attributes and class is done against it
494 # and the schema is self validated
495 # The double ldb open and schema validation is taken from the initial provision script
496 # it's not certain that it is really needed ....
497 sam_ldb
= Ldb(session_info
=session
, credentials
=creds
, lp
=lp
)
498 schema
= Schema(setup_path
, security
.dom_sid(names
.domainsid
), schemadn
=basedn
, serverdn
=names
.serverdn
)
499 # Load the schema from the one we computed earlier
500 sam_ldb
.set_schema_from_ldb(schema
.ldb
)
501 # And now we can connect to the DB - the schema won't be loaded from the DB
502 sam_ldb
.connect(paths
.samdb
)
503 sam_ldb
.transaction_start()
505 sam_ldb
.transaction_start()
507 empty
= ldb
.Message()
508 print "There are %d missing objects"%(len(listMissing
))
509 for dn
in listMissing
:
510 res
= newsam_ldb
.search(expression
="dn=%s"%(str(dn
)),base
=basedn
, scope
=SCOPE_SUBTREE
,controls
=["search_options:1:2"])
511 delta
= sam_ldb
.msg_diff(empty
,res
[0])
512 for att
in hashAttrNotCopied
.keys():
514 for att
in backlinked
:
518 sam_ldb
.add(delta
,["relax:0"])
521 for dn
in listPresent
:
522 res
= newsam_ldb
.search(expression
="dn=%s"%(str(dn
)),base
=basedn
, scope
=SCOPE_SUBTREE
,controls
=["search_options:1:2"])
523 res2
= sam_ldb
.search(expression
="dn=%s"%(str(dn
)),base
=basedn
, scope
=SCOPE_SUBTREE
,controls
=["search_options:1:2"])
524 delta
= sam_ldb
.msg_diff(res2
[0],res
[0])
525 for att
in hashAttrNotCopied
.keys():
527 for att
in backlinked
:
529 delta
.remove("parentGUID")
532 msgElt
= delta
.get(att
)
535 if handle_security_desc(ischema
,att
,msgElt
,hashallSD
,res2
,res
):
538 if (not hashOverwrittenAtt
.has_key(att
) or not (hashOverwrittenAtt
.get(att
)&2^msgElt
.flags())):
539 if handle_special_case(att
,delta
,res
,res2
,ischema
)==0 and msgElt
.flags()!=ldb
.FLAG_MOD_ADD
:
542 message(CHANGE
, "dn= "+str(dn
)+ " "+att
+ " with flag "+str(msgElt
.flags())+ " is not allowed to be changed/removed, I discard this change ...")
543 for e
in range(0,len(res2
[0][att
])):
544 message(CHANGE
,"old %d : %s"%(i
,str(res2
[0][att
][e
])))
545 if msgElt
.flags() == 2:
547 for e
in range(0,len(res
[0][att
])):
548 message(CHANGE
,"new %d : %s"%(i
,str(res
[0][att
][e
])))
551 if len(delta
.items()) >1:
552 attributes
=",".join(delta
.keys())
553 message(CHANGE
,"%s is different from the reference one, changed attributes: %s"%(dn
,attributes
))
554 changed
= changed
+ 1
555 sam_ldb
.modify(delta
)
557 sam_ldb
.transaction_commit()
558 print "There are %d changed objects"%(changed)
562 # This function updates SD for AD objects.
563 # As SD in the upgraded provision can be different for various reasons
564 # this function check if an automatic update can be performed and do it
565 # or if it can't be done.
566 def update_sds(diffDefSD
,diffSD
,paths
,creds
,session
,rootdn
,domSIDTxt
):
567 sam_ldb
= Ldb(paths
.samdb
, session_info
=session
, credentials
=creds
,lp
=lp
)
568 sam_ldb
.transaction_start()
569 domSID
= security
.dom_sid(domSIDTxt
)
571 admin_session_info
= admin_session(lp
, str(domSID
))
572 system_session_info
= system_session()
574 for dn
in diffSD
.keys():
575 newSD
= diffSD
[dn
]["newSD"].as_sddl(domSID
)
576 oldSD
= diffSD
[dn
]["oldSD"].as_sddl(domSID
)
577 message(CHANGESD
, "ntsecuritydescriptor for %s has changed old %s new %s"%(dn
,oldSD
,diffSD
[dn
]["newSD"].as_sddl(domSID
)))
578 # First let's find the defaultSD for the object which SD is different from the reference one.
579 res
= sam_ldb
.search(expression
="dn=%s"%(dn),base
=rootdn
, scope
=SCOPE_SUBTREE
,attrs
=["objectClass"],controls
=["search_options:1:2"])
580 classObj
= res
[0]["objectClass"][-1]
582 if hashClassSD
.has_key(classObj
):
583 defSD
= hashClassSD
[classObj
]
585 res2
= sam_ldb
.search(expression
="lDAPDisplayName=%s"%(classObj),base
=rootdn
, scope
=SCOPE_SUBTREE
,attrs
=["defaultSecurityDescriptor"],controls
=["search_options:1:2"])
587 defSD
= str(res2
[0]["defaultSecurityDescriptor"])
588 hashClassSD
[classObj
] = defSD
589 # Because somewhere between alpha8 and alpha9 samba4 changed the owner of ACLs in the AD so
590 # we check if it's the case and if so use the "old" owner to see if the ACL is a direct calculation
591 # from the defaultSecurityDescriptor
592 session
= admin_session_info
593 if oldSD
.startswith("O:SYG:BA"):
594 session
= system_session_info
595 descr
= security
.descriptor
.ntsd_from_defaultsd(defSD
, domSID
,session
)
596 if descr
.as_sddl(domSID
) != oldSD
:
597 print "nTSecurity Descriptor for %s do not directly inherit from the defaultSecurityDescriptor and is different from the one of the reference provision, therefor I can't upgrade i"
598 print "Old Descriptor: %s"%(oldSD)
599 print "New Descriptor: %s"%(newSD)
600 if diffDefSD
.has_key(classObj
):
601 # We have a pending modification for the defaultSecurityDescriptor of the class Object of the currently inspected object
602 # and we have a conflict so write down that we won't upgrade this defaultSD for this class object
603 diffDefSD
[classObj
]["noupgrade"]=1
605 # At this point we know that the SD was directly generated from the defaultSecurityDescriptor
606 # so we can take the new SD and replace the old one
608 delta
= ldb
.Message()
609 delta
.dn
= ldb
.Dn(sam_ldb
,dn
)
610 delta
["nTSecurityDescriptor"] = ldb
.MessageElement( ndr_pack(diffSD
[dn
]["newSD"]),ldb
.FLAG_MOD_REPLACE
,"nTSecurityDescriptor" )
611 sam_ldb
.modify(delta
)
613 sam_ldb
.transaction_commit()
614 print "%d nTSecurityDescriptor attribute(s) have been updated"%(upgrade)
615 sam_ldb
.transaction_start()
618 message(CHANGESD
, "DefaultSecurityDescriptor for class object %s has changed"%(dn))
619 if not diffDefSD
[dn
].has_key("noupgrade"):
621 delta
= ldb
.Message()
622 delta
.dn
= ldb
.Dn(sam_ldb
,dn
)
623 delta
["defaultSecurityDescriptor"] = ldb
.MessageElement(diffDefSD
[dn
]["newSD"],ldb
.FLAG_MOD_REPLACE
,"defaultSecurityDescriptor" )
624 sam_ldb
.modify(delta
)
626 message(CHANGESD
,"Not updating the defaultSecurityDescriptor for class object %s as one or more dependant object hasn't been upgraded"%(dn))
628 sam_ldb
.transaction_commit()
629 print "%d defaultSecurityDescriptor attribute(s) have been updated"%(upgrade)
632 for root
, dirs
, files
in os
.walk(topdir
, topdown
=False):
634 os
.remove(os
.path
.join(root
, name
))
636 os
.rmdir(os
.path
.join(root
, name
))
639 # For each partition check the differences
641 def check_diff(newpaths
,paths
,creds
,session
,names
):
643 shutil
.copy(newpaths
.samdb
,paths
.samdb
)
645 print "Update ldb names if needed"
646 schemaldb
=os
.path
.join(paths
.private_dir
,"schema.ldb")
647 configldb
=os
.path
.join(paths
.private_dir
,"configuration.ldb")
648 usersldb
=os
.path
.join(paths
.private_dir
,"users.ldb")
649 samldbdir
=os
.path
.join(paths
.private_dir
,"sam.ldb.d")
651 if not os
.path
.isdir(samldbdir
):
653 os
.chmod(samldbdir
,0700)
654 if os
.path
.isfile(schemaldb
):
655 shutil
.copy(schemaldb
,os
.path
.join(samldbdir
,"%s.ldb"%str
(names
.schemadn
).upper()))
657 if os
.path
.isfile(usersldb
):
658 shutil
.copy(usersldb
,os
.path
.join(samldbdir
,"%s.ldb"%str
(names
.rootdn
).upper()))
660 if os
.path
.isfile(configldb
):
661 shutil
.copy(configldb
,os
.path
.join(samldbdir
,"%s.ldb"%str
(names
.configdn
).upper()))
663 shutil
.copy(os
.path
.join(newpaths
.private_dir
,"privilege.ldb"),os
.path
.join(paths
.private_dir
,"privilege.ldb"))
665 print "Doing schema update"
666 hashdef
= check_diff_name(newpaths
,paths
,creds
,session
,str(names
.schemadn
),names
,1)
667 print "Done with schema update"
668 print "Scanning whole provision for updates and additions"
669 hashSD
= check_diff_name(newpaths
,paths
,creds
,session
,str(names
.rootdn
),names
,0)
670 print "Done with scanning"
671 print "Updating secrets"
672 update_secrets(newpaths
,paths
,creds
,session
)
673 # update_sds(hashdef,hashSD,paths,creds,session,str(names.rootdn),names.domainsid)
675 # From here start the big steps of the program
676 # First get files paths
677 paths
=get_paths(targetdir
=opts
.targetdir
,smbconf
=smbconf
)
678 paths
.setup
= setup_dir
679 def setup_path(file):
680 return os
.path
.join(setup_dir
, file)
681 # Guess all the needed names (variables in fact) from the current
683 names
= guess_names_from_current_provision(creds
,session
,paths
)
686 # With all this information let's create a fresh new provision used as reference
687 provisiondir
= newprovision(names
,setup_dir
,creds
,session
,smbconf
)
688 # Get file paths of this new provision
689 newpaths
= get_paths(targetdir
=provisiondir
)
690 populate_backlink(newpaths
,creds
,session
,names
.schemadn
)
691 # Check the difference
692 check_diff(newpaths
,paths
,creds
,session
,names
)
693 # remove reference provision now that everything is done !