s4-s3upgrade: Try harder to get group memberships on upgrade

This fixes an issue where some group types were not upgraded, as we
did not upgrade alias memberships.

It also uses enum_group_memberships() to try and find the memberships
from the other direction, by asking which groups a user is a member
of.  As Samba3 (and NT4) does not implement nested groups, this should
be safe.

Andrew Bartlett

diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index 216ad4104755870c65492f09514fc5b7d7875a37..ce9683e1274bb07abf22d3ec794bb8075cfa0cdf 100644 (file)
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -536,6 +536,7 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=Fa
         if group.sid_name_use == lsa.SID_NAME_ALIAS:
             try:
                 members = s3db.enum_aliasmem(group.sid)
+                groupmembers[str(group.sid)] = members
             except passdb.error, e:
                 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
                             group.nt_name, group.sid, e)
@@ -543,11 +544,11 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=Fa
         elif group.sid_name_use == lsa.SID_NAME_DOM_GRP:
             try:
                 members = s3db.enum_group_members(group.sid)
+                groupmembers[str(group.sid)] = members
             except passdb.error, e:
                 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
                             group.nt_name, group.sid, e)
                 continue
-            groupmembers[group.nt_name] = members
         elif group.sid_name_use == lsa.SID_NAME_WKN_GRP:
             (group_dom_sid, rid) = group.sid.split()
             if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
@@ -557,13 +558,14 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, useeadb=Fa
             # A number of buggy databases mix up well known groups and aliases.
             try:
                 members = s3db.enum_aliasmem(group.sid)
+                groupmembers[str(group.sid)] = members
             except passdb.error, e:
                 logger.warn("Ignoring group '%s' %s listed but then not found: %s",
                             group.nt_name, group.sid, e)
                 continue
         else:
-            logger.warn("Ignoring group '%s' with sid_name_use=%d",
-                        group.nt_name, group.sid_name_use)
+            logger.warn("Ignoring group '%s' %s with sid_name_use=%d",
+                        group.nt_name, group.sid, group.sid_name_use)
             continue
 
     # Export users from old passdb backend
@@ -615,6 +617,19 @@ Please fix this account before attempting to upgrade again
         if username.lower() == 'administrator':
             admin_user = username
 
+        try:
+            group_memberships = s3db.enum_group_memberships(user);
+            for group in group_memberships:
+                if str(group) in groupmembers:
+                    if user.user_sid not in groupmembers[str(group)]:
+                        groupmembers[str(group)].append(user.user_sid)
+                else:
+                    groupmembers[str(group)] = [user.user_sid];
+        except passdb.error, e:
+            logger.warn("Ignoring group memberships of '%s' %s: %s",
+                        username, user.user_sid, e)
+
+
     logger.info("Next rid = %d", next_rid)
 
     # Check for same username/groupname
@@ -706,8 +721,8 @@ Please fix this account before attempting to upgrade again
 
     logger.info("Adding users to groups")
     for g in grouplist:
-        if g.nt_name in groupmembers:
-            add_users_to_group(result.samdb, g, groupmembers[g.nt_name], logger)
+        if str(g.sid) in groupmembers:
+            add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
 
     # Set password for administrator
     if admin_user: