3 # Copyright (C) Matthieu Patou <mat@matws.net> 2009
5 # Based on provision a Samba4 server by
6 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
7 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
10 # This program is free software; you can redistribute it and/or modify
11 # it under the terms of the GNU General Public License as published by
12 # the Free Software Foundation; either version 3 of the License, or
13 # (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program. If not, see <http://www.gnu.org/licenses/>.
33 # Allow to run from s4 source directory (without installing samba)
34 sys.path.insert(0, "bin/python")
38 import samba.getopt as options
39 from samba.credentials import DONT_USE_KERBEROS
40 from samba.auth import system_session, admin_session
42 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError,\
43 FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE,\
44 MessageElement, Message, Dn
45 from samba.samdb import SamDB
46 from samba import param
47 from samba import glue
48 from samba.misc import messageEltFlagToString
49 from samba.provision import find_setup_dir, get_domain_descriptor, get_config_descriptor, secretsdb_self_join
50 from samba.provisionexceptions import ProvisioningError
51 from samba.schema import get_dnsyntax_attributes, get_linked_attributes, Schema, get_schema_descriptor
52 from samba.dcerpc import misc, security
53 from samba.ndr import ndr_pack, ndr_unpack
54 from samba.dcerpc.misc import SEC_CHAN_BDC
55 from samba.upgradehelpers import dn_sort, get_paths, newprovision, find_provision_key_parameters, rmall
58 replace=2^FLAG_MOD_REPLACE
60 delete=2^FLAG_MOD_DELETE
62 #Errors are always logged
71 # Attributes that are never copied from the reference provision (even if they
72 # do not exist in the destination object).
73 # This is most probably because they are populated automatcally when object is
75 # This also apply to imported object from reference provision
76 hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1, "objectGUID": 1, "replPropertyMetaData": 1, "uSNChanged": 1,
77 "uSNCreated": 1, "parentGUID": 1, "objectCategory": 1, "distinguishedName": 1,
78 "showInAdvancedViewOnly": 1, "instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1,
79 "nTMixedDomain": 1, "versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1, "ntPwdHistory":1, "unicodePwd":1,
80 "dBCSPwd":1, "supplementalCredentials":1, "gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,
81 "maxPwdAge":1, "mail":1, "secret":1, "possibleInferiors":1, "sAMAccountType":1}
83 # Usually for an object that already exists we do not overwrite attributes as
84 # they might have been changed for good reasons. Anyway for a few of them it's
85 # mandatory to replace them otherwise the provision will be broken somehow.
86 hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace, "systemOnly":replace, "searchFlags":replace,
87 "mayContain":replace, "systemFlags":replace, "description":replace,
88 "oEMInformation":replace, "operatingSystemVersion":replace, "adminPropertyPages":replace,
89 "defaultSecurityDescriptor": replace, "wellKnownObjects":replace, "privilege":delete, "groupType":replace,
90 "rIDAvailablePool": never}
95 def define_what_to_log(opts):
99 if opts.debugchangesd:
100 what = what | CHANGESD
103 if opts.debugprovision:
104 what = what | PROVISION
106 what = what | CHANGEALL
110 parser = optparse.OptionParser("provision [options]")
111 sambaopts = options.SambaOptions(parser)
112 parser.add_option_group(sambaopts)
113 parser.add_option_group(options.VersionOptions(parser))
114 credopts = options.CredentialsOptions(parser)
115 parser.add_option_group(credopts)
116 parser.add_option("--setupdir", type="string", metavar="DIR",
117 help="directory with setup files")
118 parser.add_option("--debugprovision", help="Debug provision", action="store_true")
119 parser.add_option("--debugguess", help="Print information on what is different but won't be changed", action="store_true")
120 parser.add_option("--debugchange", help="Print information on what is different but won't be changed", action="store_true")
121 parser.add_option("--debugchangesd", help="Print information security descriptors differences", action="store_true")
122 parser.add_option("--debugall", help="Print all available information (very verbose)", action="store_true")
123 parser.add_option("--full", help="Perform full upgrade of the samdb (schema, configuration, new objects, ...", action="store_true")
125 opts = parser.parse_args()[0]
127 whatToLog = define_what_to_log(opts)
129 def messageprovision(text):
130 """print a message if quiet is not set."""
131 if opts.debugprovision or opts.debugall:
134 def message(what,text):
135 """print a message if quiet is not set."""
136 if (whatToLog & what) or (what <= 0 ):
139 if len(sys.argv) == 1:
140 opts.interactive = True
141 lp = sambaopts.get_loadparm()
142 smbconf = lp.configfile
144 creds = credopts.get_credentials(lp)
145 creds.set_kerberos_state(DONT_USE_KERBEROS)
146 setup_dir = opts.setupdir
147 if setup_dir is None:
148 setup_dir = find_setup_dir()
150 session = system_session()
152 # simple helper to allow back and forth rename
153 def identic_rename(ldbobj,dn):
154 (before,sep,after)=str(dn).partition('=')
155 ldbobj.rename(dn,Dn(ldbobj,"%s=foo%s"%(before,after)))
156 ldbobj.rename(Dn(ldbobj,"%s=foo%s"%(before,after)),dn)
158 # Create an array of backlinked attributes
159 def populate_backlink(newpaths,creds,session,schemadn):
160 newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
161 linkedAttHash = get_linked_attributes(Dn(newsam_ldb,str(schemadn)),newsam_ldb)
162 backlinked.extend(linkedAttHash.values())
164 # Create an array of attributes with a dn synthax (2.5.5.1)
165 def populate_dnsyntax(newpaths,creds,session,schemadn):
166 newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
167 res = newsam_ldb.search(expression="(attributeSyntax=2.5.5.1)",base=Dn(newsam_ldb,str(schemadn)),
168 scope=SCOPE_SUBTREE, attrs=["lDAPDisplayName"])
170 dn_syntax_att.append(elem["lDAPDisplayName"])
174 def sanitychecks(credentials,session_info,names,paths):
175 sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"])
176 # First update the SD for the rootdn
177 sam_ldb.set_session_info(session)
178 res = sam_ldb.search(expression="objectClass=ntdsdsa",base=str(names.configdn),
179 scope=SCOPE_SUBTREE,attrs=["dn"],controls=["search_options:1:2"])
181 print "No DC found, your provision is most probalby hardly broken !"
184 print "Found %d domain controllers, for the moment upgradeprovision is not able to handle upgrade on \
185 domain with more than one DC, please demote the other(s) DC(s) before upgrading"%len(res)
192 def print_provision_key_parameters(names):
193 message(GUESS, "rootdn :"+str(names.rootdn))
194 message(GUESS, "configdn :"+str(names.configdn))
195 message(GUESS, "schemadn :"+str(names.schemadn))
196 message(GUESS, "serverdn :"+str(names.serverdn))
197 message(GUESS, "netbiosname :"+names.netbiosname)
198 message(GUESS, "defaultsite :"+names.sitename)
199 message(GUESS, "dnsdomain :"+names.dnsdomain)
200 message(GUESS, "hostname :"+names.hostname)
201 message(GUESS, "domain :"+names.domain)
202 message(GUESS, "realm :"+names.realm)
203 message(GUESS, "invocationid:"+names.invocation)
204 message(GUESS, "policyguid :"+names.policyid)
205 message(GUESS, "policyguiddc:"+str(names.policyid_dc))
206 message(GUESS, "domainsid :"+str(names.domainsid))
207 message(GUESS, "domainguid :"+names.domainguid)
208 message(GUESS, "ntdsguid :"+names.ntdsguid)
209 message(GUESS, "domainlevel :"+str(names.domainlevel))
211 # Check for security descriptors modifications return 1 if it is and 0 otherwise
212 # it also populate hash structure for later use in the upgrade process
213 def handle_security_desc(ischema, att, msgElt, hashallSD, old, new):
214 if ischema == 1 and att == "defaultSecurityDescriptor" and msgElt.flags() == FLAG_MOD_REPLACE:
216 hashSD["oldSD"] = old[0][att]
217 hashSD["newSD"] = new[0][att]
218 hashallSD[str(old[0].dn)] = hashSD
220 if att == "nTSecurityDescriptor" and msgElt.flags() == FLAG_MOD_REPLACE:
223 hashSD["oldSD"] = ndr_unpack(security.descriptor, str(old[0][att]))
224 hashSD["newSD"] = ndr_unpack(security.descriptor, str(new[0][att]))
225 hashallSD[str(old[0].dn)] = hashSD
229 # Handle special cases ... That's when we want to update a particular attribute
230 # only, e.g. if it has a certain value or if it's for a certain object or
232 # It can be also if we want to do a merge of value instead of a simple replace
233 def handle_special_case(att, delta, new, old, ischema):
234 flag = delta.get(att).flags()
235 if (att == "gPLink" or att == "gPCFileSysPath") and \
236 flag == FLAG_MOD_REPLACE and str(new[0].dn).lower() == str(old[0].dn).lower():
239 if att == "forceLogoff":
240 ref=0x8000000000000000
241 oldval=int(old[0][att][0])
242 newval=int(new[0][att][0])
243 ref == old and ref == abs(new)
245 if (att == "adminDisplayName" or att == "adminDescription") and ischema:
248 if (str(old[0].dn) == "CN=Samba4-Local-Domain,%s"%(str(names.schemadn))\
249 and att == "defaultObjectCategory" and flag == FLAG_MOD_REPLACE):
252 if (str(old[0].dn) == "CN=Title,%s"%(str(names.schemadn)) and att == "rangeUpper" and flag == FLAG_MOD_REPLACE):
255 if ( (att == "member" or att == "servicePrincipalName") and flag == FLAG_MOD_REPLACE):
259 for elem in old[0][att]:
261 newval.append(str(elem))
263 for elem in new[0][att]:
264 if not hash.has_key(str(elem)):
266 newval.append(str(elem))
268 delta[att] = MessageElement(newval, FLAG_MOD_REPLACE, att)
273 if (str(old[0].dn) == "%s"%(str(names.rootdn)) and att == "subRefs" and flag == FLAG_MOD_REPLACE):
275 if str(delta.dn).endswith("CN=DisplaySpecifiers,%s"%names.configdn):
279 def update_secrets(newpaths, paths, creds, session):
280 message(SIMPLE,"update secrets.ldb")
281 newsecrets_ldb = Ldb(newpaths.secrets, session_info=session, credentials=creds,lp=lp)
282 secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp, options=["modules:samba_secrets"])
283 reference = newsecrets_ldb.search(expression="dn=@MODULES",base="", scope=SCOPE_SUBTREE)
284 current = secrets_ldb.search(expression="dn=@MODULES",base="", scope=SCOPE_SUBTREE)
285 delta = secrets_ldb.msg_diff(current[0],reference[0])
286 delta.dn = current[0].dn
287 secrets_ldb.modify(delta)
289 newsecrets_ldb = Ldb(newpaths.secrets, session_info=session, credentials=creds,lp=lp)
290 secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp)
291 reference = newsecrets_ldb.search(expression="objectClass=top",base="", scope=SCOPE_SUBTREE,attrs=["dn"])
292 current = secrets_ldb.search(expression="objectClass=top",base="", scope=SCOPE_SUBTREE,attrs=["dn"])
299 for i in range(0,len(reference)):
300 hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
302 # Create a hash for speeding the search of existing object in the
304 for i in range(0,len(current)):
305 hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
307 for k in hash_new.keys():
308 if not hash.has_key(k):
309 listMissing.append(hash_new[k])
311 listPresent.append(hash_new[k])
312 for entry in listMissing:
313 reference = newsecrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
314 current = secrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
315 delta = secrets_ldb.msg_diff(empty,reference[0])
316 for att in hashAttrNotCopied.keys():
318 message(CHANGE,"Entry %s is missing from secrets.ldb"%reference[0].dn)
320 message(CHANGE," Adding attribute %s"%att)
321 delta.dn = reference[0].dn
322 secrets_ldb.add(delta)
324 for entry in listPresent:
325 reference = newsecrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
326 current = secrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
327 delta = secrets_ldb.msg_diff(current[0],reference[0])
329 for att in hashAttrNotCopied.keys():
335 message(CHANGE,"Found attribute name on %s, must rename the DN "%(current[0].dn))
336 identic_rename(secrets_ldb,reference[0].dn)
340 for entry in listPresent:
341 reference = newsecrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
342 current = secrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
343 delta = secrets_ldb.msg_diff(current[0],reference[0])
345 for att in hashAttrNotCopied.keys():
350 message(CHANGE," Adding/Changing attribute %s to %s"%(att,current[0].dn))
352 delta.dn = current[0].dn
353 secrets_ldb.modify(delta)
355 def dump_denied_change(dn,att,flagtxt,current,reference):
356 message(CHANGE, "dn= "+str(dn)+" "+att+" with flag "+flagtxt+" is not allowed to be changed/removed, I discard this change ...")
357 if att != "objectSid" :
359 for e in range(0,len(current)):
360 message(CHANGE,"old %d : %s"%(i,str(current[e])))
362 if reference != None:
364 for e in range(0,len(reference)):
365 message(CHANGE,"new %d : %s"%(i,str(reference[e])))
368 message(CHANGE,"old : %s"%str(ndr_unpack( security.dom_sid,current[0])))
369 message(CHANGE,"new : %s"%str(ndr_unpack( security.dom_sid,reference[0])))
371 #This function is for doing case by case treatment on special object
373 def handle_special_add(sam_ldb,dn,names):
375 if str(dn).lower() == ("CN=Certificate Service DCOM Access,CN=Builtin,%s"%names.rootdn).lower():
376 #This entry was misplaced lets remove it if it exists
377 dntoremove="CN=Certificate Service DCOM Access,CN=Users,%s"%names.rootdn
379 if str(dn).lower() == ("CN=Cryptographic Operators,CN=Builtin,%s"%names.rootdn).lower():
380 #This entry was misplaced lets remove it if it exists
381 dntoremove="CN=Cryptographic Operators,CN=Users,%s"%names.rootdn
383 if str(dn).lower() == ("CN=Event Log Readers,CN=Builtin,%s"%names.rootdn).lower():
384 #This entry was misplaced lets remove it if it exists
385 dntoremove="CN=Event Log Readers,CN=Users,%s"%names.rootdn
387 if dntoremove != None:
388 res = sam_ldb.search(expression="objectClass=*",base=dntoremove, scope=SCOPE_BASE,attrs=["dn"],controls=["search_options:1:2"])
390 message(CHANGE,"Existing object %s must be replaced by %s, removing old object"%(dntoremove,str(dn)))
391 sam_ldb.delete(res[0]["dn"])
393 #Check if the one of the dn in the listdn will be created after the current dn
394 #hash is indexed by dn to be created, with each key is associated the creation order
395 #First dn to be created has the creation order 0, second has 1, ...
396 #Index contain the current creation order
397 def check_dn_nottobecreated(hash,index,listdn):
401 key = str(dn).lower()
402 if hash.has_key(key) and hash[key] > index:
406 #This function tries to add the missing object "dn" if this object depends on some others
407 # the function returns 0, if the object was created 1 is returned
408 def add_missing_object(newsam_ldb, sam_ldb, dn, names, basedn, hash, index):
409 handle_special_add(sam_ldb,dn,names)
410 reference = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn,
411 scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
413 delta = sam_ldb.msg_diff(empty,reference[0])
414 for att in hashAttrNotCopied.keys():
416 for att in backlinked:
418 depend_on_yettobecreated = None
419 for att in dn_syntax_att:
420 depend_on_yet_tobecreated = check_dn_nottobecreated(hash,index,delta.get(str(att)))
421 if depend_on_yet_tobecreated != None:
422 message(CHANGE,"Object %s depends on %s in attribute %s, delaying the creation"
423 %(str(dn),depend_on_yet_tobecreated,str(att)))
426 message(CHANGE,"Object %s will be added"%dn)
427 sam_ldb.add(delta,["relax:0"])
430 def gen_dn_index_hash(listMissing):
432 for i in range(0,len(listMissing)):
433 hash[str(listMissing[i]).lower()] = i
436 def add_missing_entries(newsam_ldb, sam_ldb, names, basedn,list):
440 while(len(listDefered) != len(listMissing) and len(listDefered) > 0):
442 listMissing = listDefered
444 hashMissing = gen_dn_index_hash(listMissing)
445 for dn in listMissing:
446 ret = add_missing_object(newsam_ldb,sam_ldb,dn,names,basedn,hashMissing,index)
449 #DN can't be created because it depends on some other DN in the list
450 listDefered.append(dn)
451 if len(listDefered) != 0:
452 raise ProvisioningError("Unable to insert missing elements: circular references")
457 # Check difference between the current provision and the reference provision.
458 # It looks for all objects which base DN is name. If ischema is "false" then
459 # the scan is done in cross partition mode.
460 # If "ischema" is true, then special handling is done for dealing with schema
461 def check_diff_name(newpaths, paths, creds, session, basedn, names, ischema):
469 # Connect to the reference provision and get all the attribute in the
470 # partition referred by name
471 newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
472 sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
473 sam_ldb.transaction_start()
475 reference = newsam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"])
476 current = sam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"])
478 reference = newsam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"],controls=["search_options:1:2"])
479 current = sam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"],controls=["search_options:1:2"])
481 sam_ldb.transaction_commit()
482 # Create a hash for speeding the search of new object
483 for i in range(0,len(reference)):
484 hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
486 # Create a hash for speeding the search of existing object in the
488 for i in range(0,len(current)):
489 hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
491 for k in hash_new.keys():
492 if not hash.has_key(k):
494 listMissing.append(hash_new[k])
496 listPresent.append(hash_new[k])
498 # Sort the missing object in order to have object of the lowest level
499 # first (which can be containers for higher level objects)
500 listMissing.sort(dn_sort)
501 listPresent.sort(dn_sort)
504 # The following lines (up to the for loop) is to load the up to
505 # date schema into our current LDB
506 # a complete schema is needed as the insertion of attributes
507 # and class is done against it
508 # and the schema is self validated
509 # The double ldb open and schema validation is taken from the
510 # initial provision script
511 # it's not certain that it is really needed ....
512 sam_ldb = Ldb(session_info=session, credentials=creds, lp=lp)
513 schema = Schema(setup_path, names.domainsid, schemadn=basedn, serverdn=str(names.serverdn))
514 # Load the schema from the one we computed earlier
515 sam_ldb.set_schema_from_ldb(schema.ldb)
516 # And now we can connect to the DB - the schema won't be loaded
518 sam_ldb.connect(paths.samdb)
520 sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
522 sam_ldb.transaction_start()
524 message(SIMPLE,"There are %d missing objects"%(len(listMissing)))
525 add_missing_entries(newsam_ldb,sam_ldb,names,basedn,listMissing)
527 for dn in listPresent:
528 reference = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
529 current = sam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
530 if ((str(current[0].dn) != str(reference[0].dn)) and (str(current[0].dn).upper() == str(reference[0].dn).upper())):
531 message(CHANGE,"Name are the same but case change, let's rename %s to %s"%(str(current[0].dn),str(reference[0].dn)))
532 identic_rename(sam_ldb,reference[0].dn)
533 current = sam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
535 delta = sam_ldb.msg_diff(current[0],reference[0])
536 for att in hashAttrNotCopied.keys():
538 for att in backlinked:
540 delta.remove("parentGUID")
544 msgElt = delta.get(att)
550 if handle_security_desc(ischema,att,msgElt,hashallSD,current,reference):
553 if (not hashOverwrittenAtt.has_key(att) or not (hashOverwrittenAtt.get(att)&2^msgElt.flags())):
554 if hashOverwrittenAtt.has_key(att) and hashOverwrittenAtt.get(att)==never:
557 if handle_special_case(att,delta,reference,current,ischema)==0 and msgElt.flags()!=FLAG_MOD_ADD:
559 if opts.debugchange or opts.debugall:
561 dump_denied_change(dn,att,messageEltFlagToString(msgElt.flags()),current[0][att],reference[0][att])
563 dump_denied_change(dn,att,messageEltFlagToString(msgElt.flags()),current[0][att],None)
566 if len(delta.items()) >1:
567 attributes=",".join(delta.keys())
568 message(CHANGE,"%s is different from the reference one, changed attributes: %s"%(dn,attributes))
569 changed = changed + 1
570 sam_ldb.modify(delta)
572 sam_ldb.transaction_commit()
573 message(SIMPLE,"There are %d changed objects"%(changed))
576 # Check that SD are correct
577 def check_updated_sd(newpaths, paths, creds, session, names):
578 newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
579 sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
580 reference = newsam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"])
581 current = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"])
583 for i in range(0,len(reference)):
584 hash_new[str(reference[i]["dn"]).lower()] = ndr_unpack(security.descriptor,str(reference[i]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
586 for i in range(0,len(current)):
587 key = str(current[i]["dn"]).lower()
588 if hash_new.has_key(key):
589 sddl = ndr_unpack(security.descriptor,str(current[i]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
590 if sddl != hash_new[key]:
591 print "%s new sddl/sddl in ref"%key
592 print "%s\n%s"%(sddl,hash_new[key])
594 # Simple update method for updating the SD that rely on the fact that nobody
595 # should have modified the SD
596 # This assumption is safe right now (alpha9) but should be removed asap
597 def update_sd(paths, creds, session, names):
598 sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"])
599 sam_ldb.transaction_start()
600 # First update the SD for the rootdn
601 sam_ldb.set_session_info(session)
602 res = sam_ldb.search(expression="objectClass=*", base=str(names.rootdn), scope=SCOPE_BASE,\
603 attrs=["dn", "whenCreated"], controls=["search_options:1:2"])
605 delta.dn = Dn(sam_ldb,str(res[0]["dn"]))
606 descr = get_domain_descriptor(names.domainsid)
607 delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE, "nTSecurityDescriptor")
608 sam_ldb.modify(delta,["recalculate_sd:0"])
610 res = sam_ldb.search(expression="objectClass=*",base=str(names.configdn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
612 delta.dn = Dn(sam_ldb,str(res[0]["dn"]))
613 descr = get_config_descriptor(names.domainsid)
614 delta["nTSecurityDescriptor"] = MessageElement( descr,FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
615 sam_ldb.modify(delta,["recalculate_sd:0"])
617 res = sam_ldb.search(expression="objectClass=*",base=str(names.schemadn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
619 delta.dn = Dn(sam_ldb,str(res[0]["dn"]))
620 descr = get_schema_descriptor(names.domainsid)
621 delta["nTSecurityDescriptor"] = MessageElement( descr,FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
622 sam_ldb.modify(delta,["recalculate_sd:0"])
626 res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
628 if not (str(obj["dn"]) == str(names.rootdn) or
629 str(obj["dn"]) == str(names.configdn) or \
630 str(obj["dn"]) == str(names.schemadn)):
631 hash[str(obj["dn"])] = obj["whenCreated"]
633 listkeys = hash.keys()
634 listkeys.sort(dn_sort)
639 delta.dn = Dn(sam_ldb,key)
640 delta["whenCreated"] = MessageElement( hash[key],FLAG_MOD_REPLACE,"whenCreated" )
641 sam_ldb.modify(delta,["recalculate_sd:0"])
643 sam_ldb.transaction_cancel()
644 res = sam_ldb.search(expression="objectClass=*", base=str(names.rootdn), scope=SCOPE_SUBTREE,\
645 attrs=["dn","nTSecurityDescriptor"], controls=["search_options:1:2"])
646 print "bad stuff" +ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
648 sam_ldb.transaction_commit()
651 def update_basesamdb(newpaths, paths, names):
652 message(SIMPLE,"Copy samdb")
653 shutil.copy(newpaths.samdb,paths.samdb)
655 message(SIMPLE,"Update partitions filename if needed")
656 schemaldb=os.path.join(paths.private_dir,"schema.ldb")
657 configldb=os.path.join(paths.private_dir,"configuration.ldb")
658 usersldb=os.path.join(paths.private_dir,"users.ldb")
659 samldbdir=os.path.join(paths.private_dir,"sam.ldb.d")
661 if not os.path.isdir(samldbdir):
663 os.chmod(samldbdir,0700)
664 if os.path.isfile(schemaldb):
665 shutil.copy(schemaldb,os.path.join(samldbdir,"%s.ldb"%str(names.schemadn).upper()))
667 if os.path.isfile(usersldb):
668 shutil.copy(usersldb,os.path.join(samldbdir,"%s.ldb"%str(names.rootdn).upper()))
670 if os.path.isfile(configldb):
671 shutil.copy(configldb,os.path.join(samldbdir,"%s.ldb"%str(names.configdn).upper()))
674 def update_privilege(newpaths, paths):
675 message(SIMPLE,"Copy privilege")
676 shutil.copy(os.path.join(newpaths.private_dir,"privilege.ldb"),os.path.join(paths.private_dir,"privilege.ldb"))
678 # For each partition check the differences
679 def update_samdb(newpaths, paths, creds, session, names):
681 message(SIMPLE, "Doing schema update")
682 hashdef = check_diff_name(newpaths,paths,creds,session,str(names.schemadn),names,1)
683 message(SIMPLE,"Done with schema update")
684 message(SIMPLE,"Scanning whole provision for updates and additions")
685 hashSD = check_diff_name(newpaths,paths,creds,session,str(names.rootdn),names,0)
686 message(SIMPLE,"Done with scanning")
688 def update_machine_account_password(paths, creds, session, names):
689 secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp)
690 secrets_ldb.transaction_start()
691 secrets_msg = secrets_ldb.search(expression=("samAccountName=%s$" % names.netbiosname), attrs=["secureChannelType"])
692 sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
693 sam_ldb.transaction_start()
694 if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
695 res = sam_ldb.search(expression=("samAccountName=%s$" % names.netbiosname), attrs=[])
696 assert(len(res) == 1)
698 msg = ldb.Message(res[0].dn)
699 machinepass = glue.generate_random_password(128, 255)
700 msg["userPassword"] = ldb.MessageElement(machinepass, ldb.FLAG_MOD_REPLACE, "userPassword")
703 res = sam_ldb.search(expression=("samAccountName=%s$" % names.netbiosname),
704 attrs=["msDs-keyVersionNumber"])
705 assert(len(res) == 1)
706 kvno = int(str(res[0]["msDs-keyVersionNumber"]))
708 secretsdb_self_join(secrets_ldb, domain=names.domain,
710 domainsid=names.domainsid,
711 dnsdomain=names.dnsdomain,
712 netbiosname=names.netbiosname,
713 machinepass=machinepass,
714 key_version_number=kvno,
715 secure_channel_type=int(secrets_msg[0]["secureChannelType"][0]))
716 sam_ldb.transaction_prepare_commit()
717 secrets_ldb.transaction_prepare_commit()
718 sam_ldb.transaction_commit()
719 secrets_ldb.transaction_commit()
721 secrets_ldb.transaction_cancel()
723 def setup_path(file):
724 return os.path.join(setup_dir, file)
726 # From here start the big steps of the program
727 # First get files paths
728 paths=get_paths(param,smbconf=smbconf)
729 paths.setup = setup_dir
730 # Guess all the needed names (variables in fact) from the current
733 names = find_provision_key_parameters(param, creds, session, paths, smbconf)
734 if not sanitychecks(creds,session,names,paths):
735 message(SIMPLE,"Sanity checks for the upgrade fails, checks messages and correct it before rerunning upgradeprovision")
738 print_provision_key_parameters(names)
739 # With all this information let's create a fresh new provision used as reference
740 message(SIMPLE,"Creating a reference provision")
741 provisiondir = tempfile.mkdtemp(dir=paths.private_dir, prefix="referenceprovision")
742 newprovision(names, setup_dir, creds, session, smbconf, provisiondir, messageprovision)
743 # Get file paths of this new provision
744 newpaths = get_paths(param, targetdir=provisiondir)
745 populate_backlink(newpaths, creds, session,names.schemadn)
746 populate_dnsyntax(newpaths, creds, session,names.schemadn)
747 # Check the difference
748 update_basesamdb(newpaths, paths,names)
751 update_samdb(newpaths, paths, creds, session, names)
752 update_secrets(newpaths, paths, creds, session)
753 update_privilege(newpaths, paths)
754 update_machine_account_password(paths, creds, session, names)
755 # SD should be created with admin but as some previous acl were so wrong that admin can't modify them we have first
756 # to recreate them with the good form but with system account and then give the ownership to admin ...
757 admin_session_info = admin_session(lp, str(names.domainsid))
758 message(SIMPLE,"Updating SD")
759 update_sd(paths, creds, session,names)
760 update_sd(paths, creds, admin_session_info, names)
761 check_updated_sd(newpaths, paths, creds, session, names)
762 message(SIMPLE,"Upgrade finished !")
763 # remove reference provision now that everything is done !