# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import ldb
import logging
import optparse
import os
# Allow to run from s4 source directory (without installing samba)
sys.path.insert(0, "bin/python")
+import ldb
import samba
import samba.getopt as options
from samba.credentials import DONT_USE_KERBEROS
MessageElement, Message, Dn)
from samba import param
from samba.provision import (find_setup_dir, get_domain_descriptor,
- get_config_descriptor, secretsdb_self_join,
+ get_config_descriptor,
ProvisioningError, get_last_provision_usn,
get_max_usn, update_provision_usn)
from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
from samba.dcerpc import security, drsblobs
from samba.ndr import ndr_unpack
-from samba.dcerpc.misc import SEC_CHAN_BDC
from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
find_provision_key_parameters, get_ldbs,
usn_in_range, identic_rename, get_diff_sddls,
update_secrets, CHANGE, ERROR, SIMPLE,
CHANGEALL, GUESS, CHANGESD, PROVISION,
updateOEMInfo, getOEMInfo, update_gpo,
- delta_update_basesamdb, update_policyids)
+ delta_update_basesamdb, update_policyids,
+ update_machine_account_password)
replace=2**FLAG_MOD_REPLACE
add=2**FLAG_MOD_ADD
delta.remove(att)
return True
- if (att in ("gPLink", "gPCFileSysPath") and
+ if (att in ("gPLink", "gPCFileSysPath") and
flag == FLAG_MOD_REPLACE and
str(new[0].dn).lower() == str(old[0].dn).lower()):
delta.remove(att)
empty = Message()
delta = samdb.msg_diff(empty, reference[0])
delta.dn
+ if delta.get("objectSid"):
+ sid = str(ndr_unpack(security.dom_sid, str(reference[0]["objectSid"])))
+ m = re.match(r".*-(\d+)$", sid)
+ if m and int(m.group(1))>999:
+ delta.remove("objectSid")
for att in hashAttrNotCopied.keys():
delta.remove(att)
for att in backlinked:
depend_on_yet_tobecreated = check_dn_nottobecreated(hash, index,
delta.get(str(att)))
if depend_on_yet_tobecreated is not None:
- message(CHANGE, "Object %s depends on %s in attribute %s,"
- "delaying the creation" % (dn,
+ message(CHANGE, "Object %s depends on %s in attribute %s,"
+ "delaying the creation" % (dn,
depend_on_yet_tobecreated, att))
return False
delta.dn = dn
message(CHANGE,"Object %s will be added" % dn)
samdb.add(delta, ["relax:0"])
+
return True
def gen_dn_index_hash(listMissing):
if attrUSN == -1:
# This attribute was last modified by another DC forget
# about it
- message(CHANGE, "%sAttribute: %s has been"
+ message(CHANGE, "%sAttribute: %s has been"
"created/modified/deleted by another DC,"
" do nothing" % (txt, att ))
txt = ""
delta.remove(att)
continue
elif not usn_in_range(int(attrUSN), usns):
- message(CHANGE, "%sAttribute: %s has been"
- "created/modified/deleted not during a"
- " provision or upgradeprovision: current"
+ message(CHANGE, "%sAttribute: %s has been"
+ "created/modified/deleted not during a"
+ " provision or upgradeprovision: current"
" usn %d , do nothing" % (txt, att, attrUSN))
txt = ""
delta.remove(att)
if att == "defaultSecurityDescriptor":
defSDmodified = True
if attrUSN:
- message(CHANGE, "%sAttribute: %s will be modified"
- "/deleted it was last modified"
- "during a provision, current usn:"
+ message(CHANGE, "%sAttribute: %s will be modified"
+ "/deleted it was last modified"
+ "during a provision, current usn:"
"%d" % (txt, att, attrUSN))
txt = ""
else:
- message(CHANGE, "%sAttribute: %s will be added because"
+ message(CHANGE, "%sAttribute: %s will be added because"
" it hasn't existed before " % (txt, att))
txt = ""
continue
delta.dn = dn
if len(delta.items()) >1:
attributes=", ".join(delta.keys())
- message(CHANGE, "%s is different from the reference one, changed"
+ message(CHANGE, "%s is different from the reference one, changed"
" attributes: %s\n" % (dn, attributes))
changed += 1
samdb.modify(delta)
controls=["search_options:1:2"])
for obj in res:
if not (str(obj["dn"]) == str(names.rootdn) or
- str(obj["dn"]) == str(names.configdn) or
+ str(obj["dn"]) == str(names.configdn) or
str(obj["dn"]) == str(names.schemadn)):
hash[str(obj["dn"])] = obj["whenCreated"]
return 0
-def update_machine_account_password(samdb, secrets_ldb, names):
- """Update (change) the password of the current DC both in the SAM db and in
- secret one
-
- :param samdb: An LDB object related to the sam.ldb file of a given provision
- :param secrets_ldb: An LDB object related to the secrets.ldb file of a given
- provision
- :param names: List of key provision parameters"""
-
- message(SIMPLE, "Update machine account")
- expression = "samAccountName=%s$" % names.netbiosname
- secrets_msg = secrets_ldb.search(expression=expression,
- attrs=["secureChannelType"])
- if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
- res = samdb.search(expression=expression, attrs=[])
- assert(len(res) == 1)
-
- msg = Message(res[0].dn)
- machinepass = samba.generate_random_password(128, 255)
- msg["userPassword"] = MessageElement(machinepass, FLAG_MOD_REPLACE,
- "userPassword")
- samdb.modify(msg)
-
- res = samdb.search(expression=("samAccountName=%s$" % names.netbiosname),
- attrs=["msDs-keyVersionNumber"])
- assert(len(res) == 1)
- kvno = int(str(res[0]["msDs-keyVersionNumber"]))
- secChanType = int(secrets_msg[0]["secureChannelType"][0])
-
- secretsdb_self_join(secrets_ldb, domain=names.domain,
- realm=names.realm or sambaopts._lp.get('realm'),
- domainsid=names.domainsid,
- dnsdomain=names.dnsdomain,
- netbiosname=names.netbiosname,
- machinepass=machinepass,
- key_version_number=kvno,
- secure_channel_type=secChanType)
- else:
- raise ProvisioningError("Unable to find a Secure Channel"
- "of type SEC_CHAN_BDC")
-
-
def setup_path(file):
return os.path.join(setup_dir, file)
# 12)
schema = Schema(setup_path, names.domainsid, schemadn=str(names.schemadn),
- serverdn=str(names.serverdn))
+ serverdn=str(names.serverdn))
# 13)
if opts.full:
if not update_samdb(new_ldbs.sam, ldbs.sam, names, lastProvisionUSNs,
schema):
- message(SIMPLE, "Rollbacking every changes. Check the reason"
+ message(SIMPLE, "Rollbacking every changes. Check the reason"
" of the problem")
- message(SIMPLE, "In any case your system as it was before"
+ message(SIMPLE, "In any case your system as it was before"
" the upgrade")
ldbs.groupedRollback()
new_ldbs.groupedRollback()
# 14)
update_secrets(new_ldbs.secrets, ldbs.secrets, message)
# 15)
+ message(SIMPLE, "Update machine account")
update_machine_account_password(ldbs.sam, ldbs.secrets, names)
# 16) SD should be created with admin but as some previous acl were so wrong