4 # Copyright (C) Matthieu Patou <mat@matws.net> 2009 - 2010
6 # Based on provision a Samba4 server by
7 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
8 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
33 # Allow to run from s4 source directory (without installing samba)
34 sys.path.insert(0, "bin/python")
38 import samba.getopt as options
40 from base64 import b64encode
41 from samba.credentials import DONT_USE_KERBEROS
42 from samba.auth import system_session, admin_session
43 from ldb import (SCOPE_SUBTREE, SCOPE_BASE,
44 FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE,
45 MessageElement, Message, Dn)
46 from samba import param, dsdb, Ldb
47 from samba.provision import (get_domain_descriptor,
48 get_config_descriptor,
49 ProvisioningError, get_last_provision_usn,
50 get_max_usn, update_provision_usn, setup_path)
51 from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
52 from samba.dcerpc import security, drsblobs, xattr
53 from samba.ndr import ndr_unpack
54 from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
55 find_provision_key_parameters, get_ldbs,
56 usn_in_range, identic_rename, get_diff_sddls,
57 update_secrets, CHANGE, ERROR, SIMPLE,
58 CHANGEALL, GUESS, CHANGESD, PROVISION,
59 updateOEMInfo, getOEMInfo, update_gpo,
60 delta_update_basesamdb, update_policyids,
61 update_machine_account_password,
62 search_constructed_attrs_stored,
63 int64range2str, update_dns_account_password,
64 increment_calculated_keyversion_number)
66 replace=2**FLAG_MOD_REPLACE
68 delete=2**FLAG_MOD_DELETE
72 # Will be modified during provision to tell if default sd has been modified
75 #Errors are always logged
77 __docformat__ = "restructuredText"
79 # Attributes that are never copied from the reference provision (even if they
80 # do not exist in the destination object).
81 # This is most probably because they are populated automatcally when object is
83 # This also apply to imported object from reference provision
84 hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1,
85 "objectGUID": 1, "uSNCreated": 1,
86 "replPropertyMetaData": 1, "uSNChanged": 1,
87 "parentGUID": 1, "objectCategory": 1,
88 "distinguishedName": 1, "nTMixedDomain": 1,
89 "showInAdvancedViewOnly": 1, "instanceType": 1,
90 "msDS-Behavior-Version":1, "nextRid":1, "cn": 1,
91 "lmPwdHistory":1, "pwdLastSet": 1,
92 "ntPwdHistory":1, "unicodePwd":1,"dBCSPwd":1,
93 "supplementalCredentials":1, "gPCUserExtensionNames":1,
94 "gPCMachineExtensionNames":1,"maxPwdAge":1, "secret":1,
95 "possibleInferiors":1, "privilege":1,
98 # Usually for an object that already exists we do not overwrite attributes as
99 # they might have been changed for good reasons. Anyway for a few of them it's
100 # mandatory to replace them otherwise the provision will be broken somehow.
101 # But for attribute that are just missing we do not have to specify them as the default
102 # behavior is to add missing attribute
103 hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace,
104 "systemOnly":replace, "searchFlags":replace,
105 "mayContain":replace, "systemFlags":replace+add,
106 "description":replace, "operatingSystemVersion":replace,
107 "adminPropertyPages":replace, "groupType":replace,
108 "wellKnownObjects":replace, "privilege":never,
109 "defaultSecurityDescriptor": replace,
110 "rIDAvailablePool": never,
111 "rIDNextRID": add, "rIDUsedPool": never,
112 "defaultSecurityDescriptor": replace + add,
113 "isMemberOfPartialAttributeSet": delete,
114 "attributeDisplayNames": replace + add,
115 "versionNumber": add}
118 forwardlinked = set()
120 def define_what_to_log(opts):
124 if opts.debugchangesd:
125 what = what | CHANGESD
128 if opts.debugprovision:
129 what = what | PROVISION
131 what = what | CHANGEALL
135 parser = optparse.OptionParser("provision [options]")
136 sambaopts = options.SambaOptions(parser)
137 parser.add_option_group(sambaopts)
138 parser.add_option_group(options.VersionOptions(parser))
139 credopts = options.CredentialsOptions(parser)
140 parser.add_option_group(credopts)
141 parser.add_option("--setupdir", type="string", metavar="DIR",
142 help="directory with setup files")
143 parser.add_option("--debugprovision", help="Debug provision", action="store_true")
144 parser.add_option("--debugguess", action="store_true",
145 help="Print information on what is different but won't be changed")
146 parser.add_option("--debugchange", action="store_true",
147 help="Print information on what is different but won't be changed")
148 parser.add_option("--debugchangesd", action="store_true",
149 help="Print security descriptor differences")
150 parser.add_option("--debugall", action="store_true",
151 help="Print all available information (very verbose)")
152 parser.add_option("--resetfileacl", action="store_true",
153 help="Force a reset on filesystem acls in sysvol / netlogon share")
154 parser.add_option("--full", action="store_true",
155 help="Perform full upgrade of the samdb (schema, configuration, new objects, ...")
157 opts = parser.parse_args()[0]
159 handler = logging.StreamHandler(sys.stdout)
160 upgrade_logger = logging.getLogger("upgradeprovision")
161 upgrade_logger.setLevel(logging.INFO)
163 upgrade_logger.addHandler(handler)
165 provision_logger = logging.getLogger("provision")
166 provision_logger.addHandler(handler)
168 whatToLog = define_what_to_log(opts)
170 def message(what, text):
171 """Print a message if this message type has been selected to be printed
173 :param what: Category of the message
174 :param text: Message to print """
175 if (whatToLog & what) or what <= 0:
176 upgrade_logger.info("%s", text)
178 if len(sys.argv) == 1:
179 opts.interactive = True
180 lp = sambaopts.get_loadparm()
181 smbconf = lp.configfile
183 creds = credopts.get_credentials(lp)
184 creds.set_kerberos_state(DONT_USE_KERBEROS)
188 def check_for_DNS(refprivate, private):
189 """Check if the provision has already the requirement for dynamic dns
191 :param refprivate: The path to the private directory of the reference
193 :param private: The path to the private directory of the upgraded
196 spnfile = "%s/spn_update_list" % private
197 dnsfile = "%s/dns_update_list" % private
198 namedfile = lp.get("dnsupdate:path")
201 namedfile = "%s/named.conf.update" % private
203 if not os.path.exists(spnfile):
204 shutil.copy("%s/spn_update_list" % refprivate, "%s" % spnfile)
206 if not os.path.exists(dnsfile):
207 shutil.copy("%s/dns_update_list" % refprivate, "%s" % dnsfile)
209 destdir = "%s/new_dns" % private
210 dnsdir = "%s/dns" % private
212 if not os.path.exists(namedfile):
213 if not os.path.exists(destdir):
215 if not os.path.exists(dnsdir):
217 shutil.copy("%s/named.conf" % refprivate, "%s/named.conf" % destdir)
218 shutil.copy("%s/named.txt" % refprivate, "%s/named.txt" % destdir)
219 message(SIMPLE, "It seems that your provision did not integrate "
220 "new rules for dynamic dns update of domain related entries")
221 message(SIMPLE, "A copy of the new bind configuration files and "
222 "template has been put in %s, you should read them and "
223 "configure dynamic dns updates" % destdir)
226 def populate_links(samdb, schemadn):
227 """Populate an array with all the back linked attributes
229 This attributes that are modified automaticaly when
230 front attibutes are changed
232 :param samdb: A LDB object for sam.ldb file
233 :param schemadn: DN of the schema for the partition"""
234 linkedAttHash = get_linked_attributes(Dn(samdb, str(schemadn)), samdb)
235 backlinked.extend(linkedAttHash.values())
236 for t in linkedAttHash.keys():
240 def populate_dnsyntax(samdb, schemadn):
241 """Populate an array with all the attributes that have DN synthax
244 :param samdb: A LDB object for sam.ldb file
245 :param schemadn: DN of the schema for the partition"""
246 res = samdb.search(expression="(attributeSyntax=2.5.5.1)", base=Dn(samdb,
247 str(schemadn)), scope=SCOPE_SUBTREE,
248 attrs=["lDAPDisplayName"])
250 dn_syntax_att.append(elem["lDAPDisplayName"])
253 def sanitychecks(samdb, names):
254 """Make some checks before trying to update
256 :param samdb: An LDB object opened on sam.ldb
257 :param names: list of key provision parameters
258 :return: Status of check (1 for Ok, 0 for not Ok) """
259 res = samdb.search(expression="objectClass=ntdsdsa", base=str(names.configdn),
260 scope=SCOPE_SUBTREE, attrs=["dn"],
261 controls=["search_options:1:2"])
263 print "No DC found. Your provision is most probably broken!"
266 print "Found %d domain controllers. For the moment " \
267 "upgradeprovision is not able to handle an upgrade on a " \
268 "domain with more than one DC. Please demote the other " \
269 "DC(s) before upgrading" % len(res)
275 def print_provision_key_parameters(names):
276 """Do a a pretty print of provision parameters
278 :param names: list of key provision parameters """
279 message(GUESS, "rootdn :" + str(names.rootdn))
280 message(GUESS, "configdn :" + str(names.configdn))
281 message(GUESS, "schemadn :" + str(names.schemadn))
282 message(GUESS, "serverdn :" + str(names.serverdn))
283 message(GUESS, "netbiosname :" + names.netbiosname)
284 message(GUESS, "defaultsite :" + names.sitename)
285 message(GUESS, "dnsdomain :" + names.dnsdomain)
286 message(GUESS, "hostname :" + names.hostname)
287 message(GUESS, "domain :" + names.domain)
288 message(GUESS, "realm :" + names.realm)
289 message(GUESS, "invocationid:" + names.invocation)
290 message(GUESS, "policyguid :" + names.policyid)
291 message(GUESS, "policyguiddc:" + str(names.policyid_dc))
292 message(GUESS, "domainsid :" + str(names.domainsid))
293 message(GUESS, "domainguid :" + names.domainguid)
294 message(GUESS, "ntdsguid :" + names.ntdsguid)
295 message(GUESS, "domainlevel :" + str(names.domainlevel))
298 def handle_special_case(att, delta, new, old, usn, basedn, aldb):
299 """Define more complicate update rules for some attributes
301 :param att: The attribute to be updated
302 :param delta: A messageElement object that correspond to the difference
303 between the updated object and the reference one
304 :param new: The reference object
305 :param old: The Updated object
306 :param usn: The highest usn modified by a previous (upgrade)provision
307 :param basedn: The base DN of the provision
308 :param aldb: An ldb object used to build DN
309 :return: True to indicate that the attribute should be kept, False for
312 flag = delta.get(att).flags()
313 # We do most of the special case handle if we do not have the
314 # highest usn as otherwise the replPropertyMetaData will guide us more
317 if (att == "sPNMappings" and flag == FLAG_MOD_REPLACE and
318 ldb.Dn(aldb, "CN=Directory Service,CN=Windows NT,"
319 "CN=Services,CN=Configuration,%s" % basedn)
322 if (att == "userAccountControl" and flag == FLAG_MOD_REPLACE and
323 ldb.Dn(aldb, "CN=Administrator,CN=Users,%s" % basedn)
325 message(SIMPLE, "We suggest that you change the userAccountControl"
326 " for user Administrator from value %d to %d" %
327 (int(str(old[0][att])), int(str(new[0][att]))))
329 if (att == "minPwdAge" and flag == FLAG_MOD_REPLACE):
330 if (long(str(old[0][att])) == 0):
331 delta[att] = MessageElement(new[0][att], FLAG_MOD_REPLACE, att)
334 if (att == "member" and flag == FLAG_MOD_REPLACE):
338 for elem in old[0][att]:
339 hash[str(elem).lower()]=1
340 newval.append(str(elem))
342 for elem in new[0][att]:
343 if not hash.has_key(str(elem).lower()):
345 newval.append(str(elem))
347 delta[att] = MessageElement(newval, FLAG_MOD_REPLACE, att)
352 if (att in ("gPLink", "gPCFileSysPath") and
353 flag == FLAG_MOD_REPLACE and
354 str(new[0].dn).lower() == str(old[0].dn).lower()):
358 if att == "forceLogoff":
359 ref=0x8000000000000000
360 oldval=int(old[0][att][0])
361 newval=int(new[0][att][0])
362 ref == old and ref == abs(new)
365 if att in ("adminDisplayName", "adminDescription"):
368 if (str(old[0].dn) == "CN=Samba4-Local-Domain, %s" % (names.schemadn)
369 and att == "defaultObjectCategory" and flag == FLAG_MOD_REPLACE):
372 if (str(old[0].dn) == "CN=Title, %s" % (str(names.schemadn)) and
373 att == "rangeUpper" and flag == FLAG_MOD_REPLACE):
376 if (str(old[0].dn) == "%s" % (str(names.rootdn))
377 and att == "subRefs" and flag == FLAG_MOD_REPLACE):
379 #Allow to change revision of ForestUpdates objects
380 if (att == "revision" or att == "objectVersion"):
381 if str(delta.dn).lower().find("domainupdates") and str(delta.dn).lower().find("forestupdates") > 0:
383 if str(delta.dn).endswith("CN=DisplaySpecifiers, %s" % names.configdn):
386 # This is a bit of special animal as we might have added
387 # already SPN entries to the list that has to be modified
388 # So we go in detail to try to find out what has to be added ...
389 if (att == "servicePrincipalName" and flag == FLAG_MOD_REPLACE):
393 for elem in old[0][att]:
395 newval.append(str(elem))
397 for elem in new[0][att]:
398 if not hash.has_key(str(elem)):
400 newval.append(str(elem))
402 delta[att] = MessageElement(newval, FLAG_MOD_REPLACE, att)
409 def dump_denied_change(dn, att, flagtxt, current, reference):
410 """Print detailed information about why a change is denied
412 :param dn: DN of the object which attribute is denied
413 :param att: Attribute that was supposed to be upgraded
414 :param flagtxt: Type of the update that should be performed
415 (add, change, remove, ...)
416 :param current: Value(s) of the current attribute
417 :param reference: Value(s) of the reference attribute"""
419 message(CHANGE, "dn= " + str(dn)+" " + att+" with flag " + flagtxt
420 + " must not be changed/removed. Discarding the change")
421 if att == "objectSid" :
422 message(CHANGE, "old : %s" % ndr_unpack(security.dom_sid, current[0]))
423 message(CHANGE, "new : %s" % ndr_unpack(security.dom_sid, reference[0]))
424 elif att == "rIDPreviousAllocationPool" or att == "rIDAllocationPool":
425 message(CHANGE, "old : %s" % int64range2str(current[0]))
426 message(CHANGE, "new : %s" % int64range2str(reference[0]))
429 for e in range(0, len(current)):
430 message(CHANGE, "old %d : %s" % (i, str(current[e])))
432 if reference is not None:
434 for e in range(0, len(reference)):
435 message(CHANGE, "new %d : %s" % (i, str(reference[e])))
438 def handle_special_add(samdb, dn, names):
439 """Handle special operation (like remove) on some object needed during
442 This is mostly due to wrong creation of the object in previous provision.
443 :param samdb: An Ldb object representing the SAM database
444 :param dn: DN of the object to inspect
445 :param names: list of key provision parameters
449 objDn = Dn(samdb, "CN=IIS_IUSRS, CN=Builtin, %s" % names.rootdn)
451 #This entry was misplaced lets remove it if it exists
452 dntoremove = "CN=IIS_IUSRS, CN=Users, %s" % names.rootdn
455 "CN=Certificate Service DCOM Access, CN=Builtin, %s" % names.rootdn)
457 #This entry was misplaced lets remove it if it exists
458 dntoremove = "CN=Certificate Service DCOM Access,"\
459 "CN=Users, %s" % names.rootdn
461 objDn = Dn(samdb, "CN=Cryptographic Operators, CN=Builtin, %s" % names.rootdn)
463 #This entry was misplaced lets remove it if it exists
464 dntoremove = "CN=Cryptographic Operators, CN=Users, %s" % names.rootdn
466 objDn = Dn(samdb, "CN=Event Log Readers, CN=Builtin, %s" % names.rootdn)
468 #This entry was misplaced lets remove it if it exists
469 dntoremove = "CN=Event Log Readers, CN=Users, %s" % names.rootdn
471 objDn = Dn(samdb,"CN=System,CN=WellKnown Security Principals,"
472 "CN=Configuration,%s" % names.rootdn)
474 oldDn = Dn(samdb,"CN=Well-Known-Security-Id-System,"
475 "CN=WellKnown Security Principals,"
476 "CN=Configuration,%s" % names.rootdn)
478 res = samdb.search(expression="(dn=%s)" % oldDn,
479 base=str(names.rootdn),
480 scope=SCOPE_SUBTREE, attrs=["dn"],
481 controls=["search_options:1:2"])
483 res2 = samdb.search(expression="(dn=%s)" % dn,
484 base=str(names.rootdn),
485 scope=SCOPE_SUBTREE, attrs=["dn"],
486 controls=["search_options:1:2"])
488 if len(res) > 0 and len(res2) == 0:
489 message(CHANGE, "Existing object %s must be replaced by %s. "
490 "Renaming old object" % (str(oldDn), str(dn)))
491 samdb.rename(oldDn, objDn, ["relax:0", "provision:0"])
495 if dntoremove is not None:
496 res = samdb.search(expression="(cn=RID Set)",
497 base=str(names.rootdn),
498 scope=SCOPE_SUBTREE, attrs=["dn"],
499 controls=["search_options:1:2"])
503 res = samdb.search(expression="(dn=%s)" % dntoremove,
504 base=str(names.rootdn),
505 scope=SCOPE_SUBTREE, attrs=["dn"],
506 controls=["search_options:1:2"])
508 message(CHANGE, "Existing object %s must be replaced by %s. "
509 "Removing old object" % (dntoremove, str(dn)))
510 samdb.delete(res[0]["dn"])
516 def check_dn_nottobecreated(hash, index, listdn):
517 """Check if one of the DN present in the list has a creation order
518 greater than the current.
520 Hash is indexed by dn to be created, with each key
521 is associated the creation order.
523 First dn to be created has the creation order 0, second has 1, ...
524 Index contain the current creation order
526 :param hash: Hash holding the different DN of the object to be
528 :param index: Current creation order
529 :param listdn: List of DNs on which the current DN depends on
530 :return: None if the current object do not depend on other
531 object or if all object have been created before."""
535 key = str(dn).lower()
536 if hash.has_key(key) and hash[key] > index:
542 def add_missing_object(ref_samdb, samdb, dn, names, basedn, hash, index):
543 """Add a new object if the dependencies are satisfied
545 The function add the object if the object on which it depends are already
548 :param ref_samdb: Ldb object representing the SAM db of the reference
550 :param samdb: Ldb object representing the SAM db of the upgraded
552 :param dn: DN of the object to be added
553 :param names: List of key provision parameters
554 :param basedn: DN of the partition to be updated
555 :param hash: Hash holding the different DN of the object to be
557 :param index: Current creation order
558 :return: True if the object was created False otherwise"""
560 ret = handle_special_add(samdb, dn, names)
569 reference = ref_samdb.search(expression="dn=%s" % (str(dn)), base=basedn,
570 scope=SCOPE_SUBTREE, controls=["search_options:1:2"])
572 delta = samdb.msg_diff(empty, reference[0])
576 if str(reference[0].get("cn")) == "RID Set":
577 for klass in reference[0].get("objectClass"):
578 if str(klass).lower() == "ridset":
581 if delta.get("objectSid"):
582 sid = str(ndr_unpack(security.dom_sid, str(reference[0]["objectSid"])))
583 m = re.match(r".*-(\d+)$", sid)
584 if m and int(m.group(1))>999:
585 delta.remove("objectSid")
586 for att in hashAttrNotCopied.keys():
588 for att in backlinked:
590 depend_on_yettobecreated = None
591 for att in dn_syntax_att:
592 depend_on_yet_tobecreated = check_dn_nottobecreated(hash, index,
594 if depend_on_yet_tobecreated is not None:
595 message(CHANGE, "Object %s depends on %s in attribute %s. "
596 "Delaying the creation" % (dn,
597 depend_on_yet_tobecreated, att))
602 message(CHANGE,"Object %s will be added" % dn)
603 samdb.add(delta, ["relax:0", "provision:0"])
605 message(CHANGE,"Object %s was skipped" % dn)
609 def gen_dn_index_hash(listMissing):
610 """Generate a hash associating the DN to its creation order
612 :param listMissing: List of DN
613 :return: Hash with DN as keys and creation order as values"""
615 for i in range(0, len(listMissing)):
616 hash[str(listMissing[i]).lower()] = i
619 def add_deletedobj_containers(ref_samdb, samdb, names):
620 """Add the object containter: CN=Deleted Objects
622 This function create the container for each partition that need one and
623 then reference the object into the root of the partition
625 :param ref_samdb: Ldb object representing the SAM db of the reference
627 :param samdb: Ldb object representing the SAM db of the upgraded provision
628 :param names: List of key provision parameters"""
631 wkoPrefix = "B:32:18E2EA80684F11D2B9AA00C04F79F805"
632 partitions = [str(names.rootdn), str(names.configdn)]
633 for part in partitions:
634 ref_delObjCnt = ref_samdb.search(expression="(cn=Deleted Objects)",
635 base=part, scope=SCOPE_SUBTREE,
637 controls=["show_deleted:0",
639 delObjCnt = samdb.search(expression="(cn=Deleted Objects)",
640 base=part, scope=SCOPE_SUBTREE,
642 controls=["show_deleted:0",
644 if len(ref_delObjCnt) > len(delObjCnt):
645 reference = ref_samdb.search(expression="cn=Deleted Objects",
646 base=part, scope=SCOPE_SUBTREE,
647 controls=["show_deleted:0",
650 delta = samdb.msg_diff(empty, reference[0])
652 delta.dn = Dn(samdb, str(reference[0]["dn"]))
653 for att in hashAttrNotCopied.keys():
656 modcontrols = ["relax:0", "provision:0"]
657 samdb.add(delta, modcontrols)
660 res = samdb.search(expression="(objectClass=*)", base=part,
662 attrs=["dn", "wellKnownObjects"])
664 targetWKO = "%s:%s" % (wkoPrefix, str(reference[0]["dn"]))
668 wko = res[0]["wellKnownObjects"]
670 # The wellKnownObject that we want to add.
672 if str(o) == targetWKO:
674 listwko.append(str(o))
677 listwko.append(targetWKO)
680 delta.dn = Dn(samdb, str(res[0]["dn"]))
681 delta["wellKnownObjects"] = MessageElement(listwko,
686 def add_missing_entries(ref_samdb, samdb, names, basedn, list):
687 """Add the missing object whose DN is the list
689 The function add the object if the objects on which it depends are
692 :param ref_samdb: Ldb object representing the SAM db of the reference
694 :param samdb: Ldb object representing the SAM db of the upgraded
696 :param dn: DN of the object to be added
697 :param names: List of key provision parameters
698 :param basedn: DN of the partition to be updated
699 :param list: List of DN to be added in the upgraded provision"""
704 while(len(listDefered) != len(listMissing) and len(listDefered) > 0):
706 listMissing = listDefered
708 hashMissing = gen_dn_index_hash(listMissing)
709 for dn in listMissing:
710 ret = add_missing_object(ref_samdb, samdb, dn, names, basedn,
714 # DN can't be created because it depends on some
715 # other DN in the list
716 listDefered.append(dn)
718 if len(listDefered) != 0:
719 raise ProvisioningError("Unable to insert missing elements: "
720 "circular references")
722 def handle_links(samdb, att, basedn, dn, value, ref_value, delta):
723 """This function handle updates on links
725 :param samdb: An LDB object pointing to the updated provision
726 :param att: Attribute to update
727 :param basedn: The root DN of the provision
728 :param dn: The DN of the inspected object
729 :param value: The value of the attribute
730 :param ref_value: The value of this attribute in the reference provision
731 :param delta: The MessageElement object that will be applied for
732 transforming the current provision"""
734 res = samdb.search(expression="dn=%s" % dn, base=basedn,
735 controls=["search_options:1:2", "reveal:1"],
743 newlinklist.extend(value)
747 # for w2k domain level the reveal won't reveal anything ...
748 # it means that we can readd links that were removed on purpose ...
749 # Also this function in fact just accept add not removal
751 for e in res[0][att]:
752 if not hash.has_key(e):
753 # We put in the blacklist all the element that are in the "revealed"
754 # result and not in the "standard" result
755 # This element are links that were removed before and so that
756 # we don't wan't to readd
760 if not blacklist.has_key(e) and not hash.has_key(e):
761 newlinklist.append(str(e))
764 delta[att] = MessageElement(newlinklist, FLAG_MOD_REPLACE, att)
769 msg_elt_flag_strs = {
770 ldb.FLAG_MOD_ADD: "MOD_ADD",
771 ldb.FLAG_MOD_REPLACE: "MOD_REPLACE",
772 ldb.FLAG_MOD_DELETE: "MOD_DELETE" }
775 def update_present(ref_samdb, samdb, basedn, listPresent, usns, invocationid):
776 """ This function updates the object that are already present in the
779 :param ref_samdb: An LDB object pointing to the reference provision
780 :param samdb: An LDB object pointing to the updated provision
781 :param basedn: A string with the value of the base DN for the provision
783 :param listPresent: A list of object that is present in the provision
784 :param usns: A list of USN range modified by previous provision and
786 :param invocationid: The value of the invocationid for the current DC"""
789 # This hash is meant to speedup lookup of attribute name from an oid,
790 # it's for the replPropertyMetaData handling
792 res = samdb.search(expression="objectClass=attributeSchema", base=basedn,
793 controls=["search_options:1:2"], attrs=["attributeID",
797 strDisplay = str(e.get("lDAPDisplayName"))
798 hash_oid_name[str(e.get("attributeID"))] = strDisplay
800 msg = "Unable to insert missing elements: circular references"
801 raise ProvisioningError(msg)
804 controls = ["search_options:1:2", "sd_flags:1:2"]
805 for dn in listPresent:
806 reference = ref_samdb.search(expression="dn=%s" % (str(dn)), base=basedn,
809 current = samdb.search(expression="dn=%s" % (str(dn)), base=basedn,
810 scope=SCOPE_SUBTREE, controls=controls)
813 (str(current[0].dn) != str(reference[0].dn)) and
814 (str(current[0].dn).upper() == str(reference[0].dn).upper())
816 message(CHANGE, "Names are the same except for the case. "
817 "Renaming %s to %s" % (str(current[0].dn),
818 str(reference[0].dn)))
819 identic_rename(samdb, reference[0].dn)
820 current = samdb.search(expression="dn=%s" % (str(dn)), base=basedn,
824 delta = samdb.msg_diff(current[0], reference[0])
826 for att in hashAttrNotCopied.keys():
829 for att in backlinked:
834 if len(delta.items()) > 1 and usns is not None:
835 # Fetch the replPropertyMetaData
836 res = samdb.search(expression="dn=%s" % (str(dn)), base=basedn,
837 scope=SCOPE_SUBTREE, controls=controls,
838 attrs=["replPropertyMetaData"])
839 ctr = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
840 str(res[0]["replPropertyMetaData"])).ctr
844 # We put in this hash only modification
845 # made on the current host
846 att = hash_oid_name[samdb.get_oid_from_attid(o.attid)]
847 if str(o.originating_invocation_id) == str(invocationid):
848 # Note we could just use 1 here
849 hash_attr_usn[att] = o.originating_usn
851 hash_attr_usn[att] = -1
856 for att in list(delta):
858 # We have updated by provision usn information so let's exploit
859 # replMetadataProperties
860 if att in forwardlinked:
861 curval = current[0].get(att, ())
862 refval = reference[0].get(att, ())
863 handle_links(samdb, att, basedn, current[0]["dn"],
864 curval, refval, delta)
867 if isFirst == 0 and len(delta.items())>1:
869 txt = "%s\n" % (str(dn))
871 # There is always a dn attribute after a msg_diff
873 if att == "rIDAvailablePool":
876 if att == "objectSid":
879 if att == "creationTime":
882 if att == "oEMInformation":
885 if att == "msDs-KeyVersionNumber":
886 # This is the kvno of the computer/user it's a very bad
890 if handle_special_case(att, delta, reference, current, usns, basedn, samdb):
891 # This attribute is "complicated" to handle and handling
892 # was done in handle_special_case
894 attrUSN = hash_attr_usn.get(att)
895 if att == "forceLogoff" and attrUSN is None:
900 if att == "nTSecurityDescriptor":
901 cursd = ndr_unpack(security.descriptor,
902 str(current[0]["nTSecurityDescriptor"]))
903 cursddl = cursd.as_sddl(names.domainsid)
904 refsd = ndr_unpack(security.descriptor,
905 str(reference[0]["nTSecurityDescriptor"]))
906 refsddl = cursd.as_sddl(names.domainsid)
908 if get_diff_sddls(refsddl, cursddl) == "":
909 message(CHANGE, "sd are identical")
911 message(CHANGE, "sd are not identical")
913 # This attribute was last modified by another DC forget
915 message(CHANGE, "%sAttribute: %s has been "
916 "created/modified/deleted by another DC. "
917 "Doing nothing" % (txt, att))
921 elif not usn_in_range(int(attrUSN), usns):
922 message(CHANGE, "%sAttribute: %s was not "
923 "created/modified/deleted during a "
924 "provision or upgradeprovision. Current "
925 "usn: %d. Doing nothing" % (txt, att,
931 if att == "defaultSecurityDescriptor":
934 message(CHANGE, "%sAttribute: %s will be modified"
935 "/deleted it was last modified "
936 "during a provision. Current usn: "
937 "%d" % (txt, att, attrUSN))
940 message(CHANGE, "%sAttribute: %s will be added because "
941 "it did not exist before" % (txt, att))
946 # Old school way of handling things for pre alpha12 upgrade
948 msgElt = delta.get(att)
950 if att == "nTSecurityDescriptor":
957 if not hashOverwrittenAtt.has_key(att):
958 if msgElt.flags() != FLAG_MOD_ADD:
959 if not handle_special_case(att, delta, reference, current,
960 usns, basedn, samdb):
961 if opts.debugchange or opts.debugall:
963 dump_denied_change(dn, att,
964 msg_elt_flag_strs[msgElt.flags()],
965 current[0][att], reference[0][att])
967 dump_denied_change(dn, att,
968 msg_elt_flag_strs[msgElt.flags()],
969 current[0][att], None)
973 if hashOverwrittenAtt.get(att)&2**msgElt.flags() :
975 elif hashOverwrittenAtt.get(att)==never:
980 if len(delta.items()) >1:
981 attributes=", ".join(delta.keys())
983 relaxedatt = ['iscriticalsystemobject', 'grouptype']
984 # Let's try to reduce as much as possible the use of relax control
985 #for checkedatt in relaxedatt:
986 for attr in delta.keys():
987 if attr.lower() in relaxedatt:
988 modcontrols = ["relax:0", "provision:0"]
989 message(CHANGE, "%s is different from the reference one, changed"
990 " attributes: %s\n" % (dn, attributes))
992 samdb.modify(delta, modcontrols)
995 def reload_full_schema(samdb, names):
996 """Load the updated schema with all the new and existing classes
999 :param samdb: An LDB object connected to the sam.ldb of the update
1001 :param names: List of key provision parameters
1004 current = samdb.search(expression="objectClass=*", base=str(names.schemadn),
1005 scope=SCOPE_SUBTREE)
1010 schema_ldif += samdb.write_ldif(ent, ldb.CHANGETYPE_NONE)
1012 prefixmap_data = open(setup_path("prefixMap.txt"), 'r').read()
1013 prefixmap_data = b64encode(prefixmap_data)
1015 # We don't actually add this ldif, just parse it
1016 prefixmap_ldif = "dn: cn=schema\nprefixMap:: %s\n\n" % prefixmap_data
1018 dsdb._dsdb_set_schema_from_ldif(samdb, prefixmap_ldif, schema_ldif)
1021 def update_partition(ref_samdb, samdb, basedn, names, schema, provisionUSNs, prereloadfunc):
1022 """Check differences between the reference provision and the upgraded one.
1024 It looks for all objects which base DN is name.
1026 This function will also add the missing object and update existing object
1027 to add or remove attributes that were missing.
1029 :param ref_sambdb: An LDB object conntected to the sam.ldb of the
1031 :param samdb: An LDB object connected to the sam.ldb of the update
1033 :param basedn: String value of the DN of the partition
1034 :param names: List of key provision parameters
1035 :param schema: A Schema object
1036 :param provisionUSNs: The USNs modified by provision/upgradeprovision
1038 :param prereloadfunc: A function that must be executed just before the reload
1049 # Connect to the reference provision and get all the attribute in the
1050 # partition referred by name
1051 reference = ref_samdb.search(expression="objectClass=*", base=basedn,
1052 scope=SCOPE_SUBTREE, attrs=["dn"],
1053 controls=["search_options:1:2"])
1055 current = samdb.search(expression="objectClass=*", base=basedn,
1056 scope=SCOPE_SUBTREE, attrs=["dn"],
1057 controls=["search_options:1:2"])
1058 # Create a hash for speeding the search of new object
1059 for i in range(0, len(reference)):
1060 hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
1062 # Create a hash for speeding the search of existing object in the
1064 for i in range(0, len(current)):
1065 hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
1068 for k in hash_new.keys():
1069 if not hash.has_key(k):
1070 if not str(hash_new[k]) == "CN=Deleted Objects, %s" % names.rootdn:
1071 listMissing.append(hash_new[k])
1073 listPresent.append(hash_new[k])
1075 # Sort the missing object in order to have object of the lowest level
1076 # first (which can be containers for higher level objects)
1077 listMissing.sort(dn_sort)
1078 listPresent.sort(dn_sort)
1080 # The following lines is to load the up to
1081 # date schema into our current LDB
1082 # a complete schema is needed as the insertion of attributes
1083 # and class is done against it
1084 # and the schema is self validated
1085 samdb.set_schema(schema)
1087 message(SIMPLE, "There are %d missing objects" % (len(listMissing)))
1088 add_deletedobj_containers(ref_samdb, samdb, names)
1090 add_missing_entries(ref_samdb, samdb, names, basedn, listMissing)
1093 message(SIMPLE, "Reloading a merged schema, which might trigger "
1094 "reindexing so please be patient")
1095 reload_full_schema(samdb, names)
1096 message(SIMPLE, "Schema reloaded!")
1098 changed = update_present(ref_samdb, samdb, basedn, listPresent,
1099 provisionUSNs, names.invocation)
1100 message(SIMPLE, "There are %d changed objects" % (changed))
1103 except StandardError, err:
1104 message(ERROR, "Exception during upgrade of samdb:")
1105 (typ, val, tb) = sys.exc_info()
1106 traceback.print_exception(typ, val, tb)
1110 def check_updated_sd(ref_sam, cur_sam, names):
1111 """Check if the security descriptor in the upgraded provision are the same
1114 :param ref_sam: A LDB object connected to the sam.ldb file used as
1115 the reference provision
1116 :param cur_sam: A LDB object connected to the sam.ldb file used as
1118 :param names: List of key provision parameters"""
1119 reference = ref_sam.search(expression="objectClass=*", base=str(names.rootdn),
1120 scope=SCOPE_SUBTREE,
1121 attrs=["dn", "nTSecurityDescriptor"],
1122 controls=["search_options:1:2"])
1123 current = cur_sam.search(expression="objectClass=*", base=str(names.rootdn),
1124 scope=SCOPE_SUBTREE,
1125 attrs=["dn", "nTSecurityDescriptor"],
1126 controls=["search_options:1:2"])
1128 for i in range(0, len(reference)):
1129 refsd = ndr_unpack(security.descriptor,
1130 str(reference[i]["nTSecurityDescriptor"]))
1131 hash[str(reference[i]["dn"]).lower()] = refsd.as_sddl(names.domainsid)
1134 for i in range(0, len(current)):
1135 key = str(current[i]["dn"]).lower()
1136 if hash.has_key(key):
1137 cursd = ndr_unpack(security.descriptor,
1138 str(current[i]["nTSecurityDescriptor"]))
1139 sddl = cursd.as_sddl(names.domainsid)
1140 if sddl != hash[key]:
1141 txt = get_diff_sddls(hash[key], sddl)
1143 message(CHANGESD, "On object %s ACL is different"
1144 " \n%s" % (current[i]["dn"], txt))
1148 def fix_partition_sd(samdb, names):
1149 """This function fix the SD for partition containers (basedn, configdn, ...)
1150 This is needed because some provision use to have broken SD on containers
1152 :param samdb: An LDB object pointing to the sam of the current provision
1153 :param names: A list of key provision parameters
1155 # First update the SD for the rootdn
1156 res = samdb.search(expression="objectClass=*", base=str(names.rootdn),
1157 scope=SCOPE_BASE, attrs=["dn", "whenCreated"],
1158 controls=["search_options:1:2"])
1160 delta.dn = Dn(samdb, str(res[0]["dn"]))
1161 descr = get_domain_descriptor(names.domainsid)
1162 delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
1163 "nTSecurityDescriptor")
1165 # Then the config dn
1166 res = samdb.search(expression="objectClass=*", base=str(names.configdn),
1167 scope=SCOPE_BASE, attrs=["dn", "whenCreated"],
1168 controls=["search_options:1:2"])
1170 delta.dn = Dn(samdb, str(res[0]["dn"]))
1171 descr = get_config_descriptor(names.domainsid)
1172 delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
1173 "nTSecurityDescriptor" )
1175 # Then the schema dn
1176 res = samdb.search(expression="objectClass=*", base=str(names.schemadn),
1177 scope=SCOPE_BASE, attrs=["dn", "whenCreated"],
1178 controls=["search_options:1:2"])
1181 delta.dn = Dn(samdb, str(res[0]["dn"]))
1182 descr = get_schema_descriptor(names.domainsid)
1183 delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
1184 "nTSecurityDescriptor" )
1187 def rebuild_sd(samdb, names):
1188 """Rebuild security descriptor of the current provision from scratch
1190 During the different pre release of samba4 security descriptors (SD)
1191 were notarly broken (up to alpha11 included)
1192 This function allow to get them back in order, this function make the
1193 assumption that nobody has modified manualy an SD
1194 and so SD can be safely recalculated from scratch to get them right.
1196 :param names: List of key provision parameters"""
1200 res = samdb.search(expression="objectClass=*", base=str(names.rootdn),
1201 scope=SCOPE_SUBTREE, attrs=["dn", "whenCreated"],
1202 controls=["search_options:1:2"])
1204 if not (str(obj["dn"]) == str(names.rootdn) or
1205 str(obj["dn"]) == str(names.configdn) or
1206 str(obj["dn"]) == str(names.schemadn)):
1207 hash[str(obj["dn"])] = obj["whenCreated"]
1209 listkeys = hash.keys()
1210 listkeys.sort(dn_sort)
1212 for key in listkeys:
1215 delta.dn = Dn(samdb, key)
1216 delta["whenCreated"] = MessageElement(hash[key], FLAG_MOD_REPLACE,
1218 samdb.modify(delta, ["recalculate_sd:0"])
1220 # XXX: We should always catch an explicit exception.
1221 # What could go wrong here?
1222 samdb.transaction_cancel()
1223 res = samdb.search(expression="objectClass=*", base=str(names.rootdn),
1224 scope=SCOPE_SUBTREE,
1225 attrs=["dn", "nTSecurityDescriptor"],
1226 controls=["search_options:1:2"])
1227 badsd = ndr_unpack(security.descriptor,
1228 str(res[0]["nTSecurityDescriptor"]))
1229 print "bad stuff %s" % badsd.as_sddl(names.domainsid)
1232 def removeProvisionUSN(samdb):
1233 attrs = [samba.provision.LAST_PROVISION_USN_ATTRIBUTE, "dn"]
1234 entry = samdb.search(expression="dn=@PROVISION", base = "",
1235 scope=SCOPE_SUBTREE,
1236 controls=["search_options:1:2"],
1239 empty.dn = entry[0].dn
1240 delta = samdb.msg_diff(entry[0], empty)
1242 delta.dn = entry[0].dn
1245 def remove_stored_generated_attrs(paths, creds, session, lp):
1246 """Remove previously stored constructed attributes
1248 :param paths: List of paths for different provision objects
1249 from the upgraded provision
1250 :param creds: A credential object
1251 :param session: A session object
1252 :param lp: A line parser object
1253 :return: An associative array whose key are the different constructed
1254 attributes and the value the dn where this attributes were found.
1258 def simple_update_basesamdb(newpaths, paths, names):
1259 """Update the provision container db: sam.ldb
1260 This function is aimed at very old provision (before alpha9)
1262 :param newpaths: List of paths for different provision objects
1263 from the reference provision
1264 :param paths: List of paths for different provision objects
1265 from the upgraded provision
1266 :param names: List of key provision parameters"""
1268 message(SIMPLE, "Copy samdb")
1269 shutil.copy(newpaths.samdb, paths.samdb)
1271 message(SIMPLE, "Update partitions filename if needed")
1272 schemaldb = os.path.join(paths.private_dir, "schema.ldb")
1273 configldb = os.path.join(paths.private_dir, "configuration.ldb")
1274 usersldb = os.path.join(paths.private_dir, "users.ldb")
1275 samldbdir = os.path.join(paths.private_dir, "sam.ldb.d")
1277 if not os.path.isdir(samldbdir):
1279 os.chmod(samldbdir, 0700)
1280 if os.path.isfile(schemaldb):
1281 shutil.copy(schemaldb, os.path.join(samldbdir,
1282 "%s.ldb"%str(names.schemadn).upper()))
1283 os.remove(schemaldb)
1284 if os.path.isfile(usersldb):
1285 shutil.copy(usersldb, os.path.join(samldbdir,
1286 "%s.ldb"%str(names.rootdn).upper()))
1288 if os.path.isfile(configldb):
1289 shutil.copy(configldb, os.path.join(samldbdir,
1290 "%s.ldb"%str(names.configdn).upper()))
1291 os.remove(configldb)
1294 def update_privilege(ref_private_path, cur_private_path):
1295 """Update the privilege database
1297 :param ref_private_path: Path to the private directory of the reference
1299 :param cur_private_path: Path to the private directory of the current
1300 (and to be updated) provision."""
1301 message(SIMPLE, "Copy privilege")
1302 shutil.copy(os.path.join(ref_private_path, "privilege.ldb"),
1303 os.path.join(cur_private_path, "privilege.ldb"))
1306 def update_samdb(ref_samdb, samdb, names, highestUSN, schema, prereloadfunc):
1307 """Upgrade the SAM DB contents for all the provision partitions
1309 :param ref_sambdb: An LDB object conntected to the sam.ldb of the reference
1311 :param samdb: An LDB object connected to the sam.ldb of the update
1313 :param names: List of key provision parameters
1314 :param highestUSN: The highest USN modified by provision/upgradeprovision
1316 :param schema: A Schema object that represent the schema of the provision
1317 :param prereloadfunc: A function that must be executed just before the reload
1321 message(SIMPLE, "Starting update of samdb")
1322 ret = update_partition(ref_samdb, samdb, str(names.rootdn), names,
1323 schema, highestUSN, prereloadfunc)
1325 message(SIMPLE, "Update of samdb finished")
1328 message(SIMPLE, "Update failed")
1332 def copyxattrs(dir, refdir):
1333 """ Copy owner, groups, extended ACL and NT acls from
1334 a reference dir to a destination dir
1336 Both dir are supposed to hold the same files
1337 :param dir: Destination dir
1338 :param refdir: Reference directory"""
1341 for root, dirs, files in os.walk(dir, topdown=True):
1343 subdir=root[len(dir):]
1344 ref = os.path.join("%s%s" % (refdir, subdir), name)
1345 statsinfo = os.stat(ref)
1346 tgt = os.path.join(root, name)
1349 os.chown(tgt, statsinfo.st_uid, statsinfo.st_gid)
1350 # Get the xattr attributes if any
1352 attribute = samba.xattr_native.wrap_getxattr(ref,
1353 xattr.XATTR_NTACL_NAME)
1354 samba.xattr_native.wrap_setxattr(tgt,
1355 xattr.XATTR_NTACL_NAME,
1359 attribute = samba.xattr_native.wrap_getxattr(ref,
1360 "system.posix_acl_access")
1361 samba.xattr_native.wrap_setxattr(tgt,
1362 "system.posix_acl_access",
1367 subdir=root[len(dir):]
1368 ref = os.path.join("%s%s" % (refdir, subdir), name)
1369 statsinfo = os.stat(ref)
1370 tgt = os.path.join(root, name)
1372 os.chown(os.path.join(root, name), statsinfo.st_uid,
1375 attribute = samba.xattr_native.wrap_getxattr(ref,
1376 xattr.XATTR_NTACL_NAME)
1377 samba.xattr_native.wrap_setxattr(tgt,
1378 xattr.XATTR_NTACL_NAME,
1382 attribute = samba.xattr_native.wrap_getxattr(ref,
1383 "system.posix_acl_access")
1384 samba.xattr_native.wrap_setxattr(tgt,
1385 "system.posix_acl_access",
1392 def backup_provision(paths, dir):
1393 """This function backup the provision files so that a rollback
1396 :param paths: Paths to different objects
1397 :param dir: Directory where to store the backup
1400 shutil.copytree(paths.sysvol, os.path.join(dir, "sysvol"))
1401 copyxattrs(os.path.join(dir, "sysvol"), paths.sysvol)
1402 shutil.copy2(paths.samdb, dir)
1403 shutil.copy2(paths.secrets, dir)
1404 shutil.copy2(paths.idmapdb, dir)
1405 shutil.copy2(paths.privilege, dir)
1406 if os.path.isfile(os.path.join(paths.private_dir,"eadb.tdb")):
1407 shutil.copy2(os.path.join(paths.private_dir,"eadb.tdb"), dir)
1408 shutil.copy2(paths.smbconf, dir)
1409 shutil.copy2(os.path.join(paths.private_dir,"secrets.keytab"), dir)
1411 samldbdir = os.path.join(paths.private_dir, "sam.ldb.d")
1412 if not os.path.isdir(samldbdir):
1413 samldbdir = paths.private_dir
1414 schemaldb = os.path.join(paths.private_dir, "schema.ldb")
1415 configldb = os.path.join(paths.private_dir, "configuration.ldb")
1416 usersldb = os.path.join(paths.private_dir, "users.ldb")
1417 shutil.copy2(schemaldb, dir)
1418 shutil.copy2(usersldb, dir)
1419 shutil.copy2(configldb, dir)
1421 shutil.copytree(samldbdir, os.path.join(dir, "sam.ldb.d"))
1426 def sync_calculated_attributes(samdb, names):
1427 """Synchronize attributes used for constructed ones, with the
1428 old constructed that were stored in the database.
1430 This apply for instance to msds-keyversionnumber that was
1431 stored and that is now constructed from replpropertymetadata.
1433 :param samdb: An LDB object attached to the currently upgraded samdb
1434 :param names: Various key parameter about current provision.
1436 listAttrs = ["msDs-KeyVersionNumber"]
1437 hash = search_constructed_attrs_stored(samdb, names.rootdn, listAttrs)
1438 if hash.has_key("msDs-KeyVersionNumber"):
1439 increment_calculated_keyversion_number(samdb, names.rootdn,
1440 hash["msDs-KeyVersionNumber"])
1442 # Synopsis for updateprovision
1443 # 1) get path related to provision to be update (called current)
1444 # 2) open current provision ldbs
1445 # 3) fetch the key provision parameter (domain sid, domain guid, invocationid
1447 # 4) research of lastProvisionUSN in order to get ranges of USN modified
1448 # by either upgradeprovision or provision
1449 # 5) creation of a new provision the latest version of provision script
1450 # (called reference)
1451 # 6) get reference provision paths
1452 # 7) open reference provision ldbs
1453 # 8) setup helpers data that will help the update process
1454 # 9) update the privilege ldb by copying the one of referecence provision to
1455 # the current provision
1456 # 10)get the oemInfo field, this field contains information about the different
1457 # provision that have been done
1458 # 11)Depending on whether oemInfo has the string "alpha9" or alphaxx (x as an
1459 # integer) or none of this the following things are done
1460 # A) When alpha9 or alphaxx is present
1461 # The base sam.ldb file is updated by looking at the difference between
1462 # referrence one and the current one. Everything is copied with the
1463 # exception of lastProvisionUSN attributes.
1464 # B) Other case (it reflect that that provision was done before alpha9)
1465 # The base sam.ldb of the reference provision is copied over
1466 # the current one, if necessary ldb related to partitions are moved
1468 # The highest used USN is fetched so that changed by upgradeprovision
1469 # usn can be tracked
1470 # 12)A Schema object is created, it will be used to provide a complete
1471 # schema to current provision during update (as the schema of the
1472 # current provision might not be complete and so won't allow some
1473 # object to be created)
1474 # 13)Proceed to full update of sam DB (see the separate paragraph about i)
1475 # 14)The secrets db is updated by pull all the difference from the reference
1476 # provision into the current provision
1477 # 15)As the previous step has most probably modified the password stored in
1478 # in secret for the current DC, a new password is generated,
1479 # the kvno is bumped and the entry in samdb is also updated
1480 # 16)For current provision older than alpha9, we must fix the SD a little bit
1481 # administrator to update them because SD used to be generated with the
1482 # system account before alpha9.
1483 # 17)The highest usn modified so far is searched in the database it will be
1484 # the upper limit for usn modified during provision.
1485 # This is done before potential SD recalculation because we do not want
1486 # SD modified during recalculation to be marked as modified during provision
1487 # (and so possibly remplaced at next upgradeprovision)
1488 # 18)Rebuilt SD if the flag indicate to do so
1489 # 19)Check difference between SD of reference provision and those of the
1490 # current provision. The check is done by getting the sddl representation
1491 # of the SD. Each sddl in chuncked into parts (user,group,dacl,sacl)
1492 # Each part is verified separetly, for dacl and sacl ACL is splited into
1493 # ACEs and each ACE is verified separately (so that a permutation in ACE
1494 # didn't raise as an error).
1495 # 20)The oemInfo field is updated to add information about the fact that the
1496 # provision has been updated by the upgradeprovision version xxx
1497 # (the version is the one obtained when starting samba with the --version
1499 # 21)Check if the current provision has all the settings needed for dynamic
1500 # DNS update to work (that is to say the provision is newer than
1501 # january 2010). If not dns configuration file from reference provision
1502 # are copied in a sub folder and the administrator is invited to
1503 # do what is needed.
1504 # 22)If the lastProvisionUSN attribute was present it is updated to add
1505 # the range of usns modified by the current upgradeprovision
1508 # About updating the sam DB
1509 # The update takes place in update_partition function
1510 # This function read both current and reference provision and list all
1511 # the available DN of objects
1512 # If the string representation of a DN in reference provision is
1513 # equal to the string representation of a DN in current provision
1514 # (without taking care of case) then the object is flaged as being
1515 # present. If the object is not present in current provision the object
1516 # is being flaged as missing in current provision. Object present in current
1517 # provision but not in reference provision are ignored.
1518 # Once the list of objects present and missing is done, the deleted object
1519 # containers are created in the differents partitions (if missing)
1521 # Then the function add_missing_entries is called
1522 # This function will go through the list of missing entries by calling
1523 # add_missing_object for the given object. If this function returns 0
1524 # it means that the object needs some other object in order to be created
1525 # The object is reappended at the end of the list to be created later
1526 # (and preferably after all the needed object have been created)
1527 # The function keeps on looping on the list of object to be created until
1528 # it's empty or that the number of defered creation is equal to the number
1529 # of object that still needs to be created.
1531 # The function add_missing_object will first check if the object can be created.
1532 # That is to say that it didn't depends other not yet created objects
1533 # If requisit can't be fullfilled it exists with 0
1534 # Then it will try to create the missing entry by creating doing
1535 # an ldb_message_diff between the object in the reference provision and
1537 # This resulting object is filtered to remove all the back link attribute
1538 # (ie. memberOf) as they will be created by the other linked object (ie.
1539 # the one with the member attribute)
1540 # All attributes specified in the hashAttrNotCopied associative array are
1541 # also removed it's most of the time generated attributes
1543 # After missing entries have been added the update_partition function will
1544 # take care of object that exist but that need some update.
1545 # In order to do so the function update_present is called with the list
1546 # of object that are present in both provision and that might need an update.
1548 # This function handle first case mismatch so that the DN in the current
1549 # provision have the same case as in reference provision
1551 # It will then construct an associative array consiting of attributes as
1552 # key and invocationid as value( if the originating invocation id is
1553 # different from the invocation id of the current DC the value is -1 instead).
1555 # If the range of provision modified attributes is present, the function will
1556 # use the replMetadataProperty update method which is the following:
1557 # Removing attributes that should not be updated: rIDAvailablePool, objectSid,
1558 # creationTime, msDs-KeyVersionNumber, oEMInformation
1559 # Check for each attribute if its usn is within one of the modified by
1560 # provision range and if its originating id is the invocation id of the
1561 # current DC, then validate the update from reference to current.
1562 # If not or if there is no replMetatdataProperty for this attribute then we
1564 # Otherwise (case the range of provision modified attribute is not present) it
1565 # use the following process:
1566 # All attributes that need to be added are accepted at the exeption of those
1567 # listed in hashOverwrittenAtt, in this case the attribute needs to have the
1568 # correct flags specified.
1569 # For attributes that need to be modified or removed, a check is performed
1570 # in OverwrittenAtt, if the attribute is present and the modification flag
1571 # (remove, delete) is one of those listed for this attribute then modification
1572 # is accepted. For complicated handling of attribute update, the control is passed
1573 # to handle_special_case
1577 if __name__ == '__main__':
1578 global defSDmodified
1579 defSDmodified = False
1580 # From here start the big steps of the program
1581 # 1) First get files paths
1582 paths = get_paths(param, smbconf=smbconf)
1583 # Get ldbs with the system session, it is needed for searching
1584 # provision parameters
1585 session = system_session()
1587 # This variable will hold the last provision USN once if it exists.
1590 ldbs = get_ldbs(paths, creds, session, lp)
1591 backupdir = tempfile.mkdtemp(dir=paths.private_dir,
1592 prefix="backupprovision")
1593 backup_provision(paths, backupdir)
1595 ldbs.startTransactions()
1597 # 3) Guess all the needed names (variables in fact) from the current
1599 names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
1602 lastProvisionUSNs = get_last_provision_usn(ldbs.sam)
1603 if lastProvisionUSNs is not None:
1605 "Find a last provision USN, %d range(s)" % len(lastProvisionUSNs))
1607 # Objects will be created with the admin session
1608 # (not anymore system session)
1609 adm_session = admin_session(lp, str(names.domainsid))
1610 # So we reget handle on objects
1611 # ldbs = get_ldbs(paths, creds, adm_session, lp)
1613 if not sanitychecks(ldbs.sam, names):
1614 message(SIMPLE, "Sanity checks for the upgrade have failed. "
1615 "Check the messages and correct the errors "
1616 "before rerunning upgradeprovision")
1619 # Let's see provision parameters
1620 print_provision_key_parameters(names)
1622 # 5) With all this information let's create a fresh new provision used as
1624 message(SIMPLE, "Creating a reference provision")
1625 provisiondir = tempfile.mkdtemp(dir=paths.private_dir,
1626 prefix="referenceprovision")
1627 newprovision(names, creds, session, smbconf, provisiondir,
1632 # We need to get a list of object which SD is directly computed from
1633 # defaultSecurityDescriptor.
1634 # This will allow us to know which object we can rebuild the SD in case
1635 # of change of the parent's SD or of the defaultSD.
1636 # Get file paths of this new provision
1637 newpaths = get_paths(param, targetdir=provisiondir)
1638 new_ldbs = get_ldbs(newpaths, creds, session, lp)
1639 new_ldbs.startTransactions()
1641 # 8) Populate some associative array to ease the update process
1642 # List of attribute which are link and backlink
1643 populate_links(new_ldbs.sam, names.schemadn)
1644 # List of attribute with ASN DN synthax)
1645 populate_dnsyntax(new_ldbs.sam, names.schemadn)
1647 update_privilege(newpaths.private_dir, paths.private_dir)
1649 oem = getOEMInfo(ldbs.sam, str(names.rootdn))
1650 # Do some modification on sam.ldb
1651 ldbs.groupedCommit()
1652 new_ldbs.groupedCommit()
1655 if re.match(".*alpha((9)|(\d\d+)).*", str(oem)):
1657 # Starting from alpha9 we can consider that the structure is quite ok
1658 # and that we should do only dela
1659 deltaattr = delta_update_basesamdb(newpaths.samdb,
1667 simple_update_basesamdb(newpaths, paths, names)
1668 ldbs = get_ldbs(paths, creds, session, lp)
1669 removeProvisionUSN(ldbs.sam)
1671 ldbs.startTransactions()
1672 minUSN = int(str(get_max_usn(ldbs.sam, str(names.rootdn)))) + 1
1673 new_ldbs.startTransactions()
1676 schema = Schema(names.domainsid, schemadn=str(names.schemadn))
1677 # We create a closure that will be invoked just before schema reload
1678 def schemareloadclosure():
1679 basesam = Ldb(paths.samdb, session_info=session, credentials=creds, lp=lp,
1680 options=["modules:"])
1682 if deltaattr is not None and len(deltaattr) > 1:
1685 deltaattr.remove("dn")
1686 for att in deltaattr:
1687 if att.lower() == "dn":
1689 if (deltaattr.get(att) is not None
1690 and deltaattr.get(att).flags() != FLAG_MOD_ADD):
1692 elif deltaattr.get(att) is None:
1695 message(CHANGE, "Applying delta to @ATTRIBUTES")
1696 deltaattr.dn = ldb.Dn(basesam, "@ATTRIBUTES")
1697 basesam.modify(deltaattr)
1699 message(CHANGE, "Not applying delta to @ATTRIBUTES because "
1700 "there is not only add")
1703 if not update_samdb(new_ldbs.sam, ldbs.sam, names, lastProvisionUSNs,
1704 schema, schemareloadclosure):
1705 message(SIMPLE, "Rolling back all changes. Check the cause"
1707 message(SIMPLE, "Your system is as it was before the upgrade")
1708 ldbs.groupedRollback()
1709 new_ldbs.groupedRollback()
1710 shutil.rmtree(provisiondir)
1713 # Try to reapply the change also when we do not change the sam
1714 # as the delta_upgrade
1715 schemareloadclosure()
1716 sync_calculated_attributes(ldbs.sam, names)
1717 res = ldbs.sam.search(expression="(samaccountname=dns)",
1718 scope=SCOPE_SUBTREE, attrs=["dn"],
1719 controls=["search_options:1:2"])
1721 message(SIMPLE, "You still have the old DNS object for managing "
1722 "dynamic DNS, but you didn't supply --full so "
1723 "a correct update can't be done")
1724 ldbs.groupedRollback()
1725 new_ldbs.groupedRollback()
1726 shutil.rmtree(provisiondir)
1729 update_secrets(new_ldbs.secrets, ldbs.secrets, message)
1731 res = ldbs.sam.search(expression="(samaccountname=dns)",
1732 scope=SCOPE_SUBTREE, attrs=["dn"],
1733 controls=["search_options:1:2"])
1736 ldbs.sam.delete(res[0]["dn"])
1737 res2 = ldbs.secrets.search(expression="(samaccountname=dns)",
1738 scope=SCOPE_SUBTREE, attrs=["dn"])
1739 update_dns_account_password(ldbs.sam, ldbs.secrets, names)
1740 message(SIMPLE, "IMPORTANT!!! "
1741 "If you were using Dynamic DNS before you need "
1742 "to update your configuration, so that the "
1743 "tkey-gssapi-credential has the following value: "
1744 "DNS/%s.%s" % (names.netbiosname.lower(),
1745 names.realm.lower()))
1747 message(SIMPLE, "Update machine account")
1748 update_machine_account_password(ldbs.sam, ldbs.secrets, names)
1750 # 16) SD should be created with admin but as some previous acl were so wrong
1751 # that admin can't modify them we have first to recreate them with the good
1752 # form but with system account and then give the ownership to admin ...
1753 if not re.match(r'.*alpha(9|\d\d+)', str(oem)):
1754 message(SIMPLE, "Fixing old povision SD")
1755 fix_partition_sd(ldbs.sam, names)
1756 rebuild_sd(ldbs.sam, names)
1758 # We calculate the max USN before recalculating the SD because we might
1759 # touch object that have been modified after a provision and we do not
1760 # want that the next upgradeprovision thinks that it has a green light
1764 maxUSN = get_max_usn(ldbs.sam, str(names.rootdn))
1766 # 18) We rebuild SD only if defaultSecurityDescriptor is modified
1767 # But in fact we should do it also if one object has its SD modified as
1768 # child might need rebuild
1770 message(SIMPLE, "Updating SD")
1771 ldbs.sam.set_session_info(adm_session)
1772 # Alpha10 was a bit broken still
1773 if re.match(r'.*alpha(\d|10)', str(oem)):
1774 fix_partition_sd(ldbs.sam, names)
1775 rebuild_sd(ldbs.sam, names)
1778 # Now we are quite confident in the recalculate process of the SD, we make
1780 # Also the check must be done in a clever way as for the moment we just
1782 if opts.debugchangesd:
1783 check_updated_sd(new_ldbs.sam, ldbs.sam, names)
1786 updateOEMInfo(ldbs.sam, str(names.rootdn))
1788 check_for_DNS(newpaths.private_dir, paths.private_dir)
1790 if lastProvisionUSNs is not None:
1791 update_provision_usn(ldbs.sam, minUSN, maxUSN)
1792 if opts.full and (names.policyid is None or names.policyid_dc is None):
1793 update_policyids(names, ldbs.sam)
1794 if opts.full or opts.resetfileacl:
1796 update_gpo(paths, ldbs.sam, names, lp, message, 1)
1797 except ProvisioningError, e:
1798 message(ERROR, "The policy for domain controller is missing. "
1799 "You should restart upgradeprovision with --full")
1801 message(ERROR, "Setting ACL not supported on your filesystem")
1804 update_gpo(paths, ldbs.sam, names, lp, message, 0)
1805 except ProvisioningError, e:
1806 message(ERROR, "The policy for domain controller is missing. "
1807 "You should restart upgradeprovision with --full")
1808 ldbs.groupedCommit()
1809 new_ldbs.groupedCommit()
1810 message(SIMPLE, "Upgrade finished!")
1811 # remove reference provision now that everything is done !
1812 # So we have reindexed first if need when the merged schema was reloaded
1813 # (as new attributes could have quick in)
1814 # But the second part of the update (when we update existing objects
1815 # can also have an influence on indexing as some attribute might have their
1816 # searchflag modificated
1817 message(SIMPLE, "Reopenning samdb to trigger reindexing if needed "
1818 "after modification")
1819 samdb = Ldb(paths.samdb, session_info=session, credentials=creds, lp=lp)
1820 message(SIMPLE, "Reindexing finished")
1822 shutil.rmtree(provisiondir)
1823 except StandardError, err:
1824 message(ERROR, "A problem occurred while trying to upgrade your "
1825 "provision. A full backup is located at %s" % backupdir)
1826 if opts.debugall or opts.debugchange:
1827 (typ, val, tb) = sys.exc_info()
1828 traceback.print_exception(typ, val, tb)