authorMatthieu Patou <mat@matws.net>2010-07-11 17:27:13 +0400
committerAndrew Bartlett <abartlet@samba.org>2010-07-15 22:08:21 +1000
commit36b5feceee2ea23d6da757999f238e28ab7de485 (patch)
tree664f78c35d03f22c812e62fe9416329af5d97093
parenta748402f61b4b3ea0df6666f4ec90f42fb45eaf8 (diff)
s4 upgradeprovision: Adapt the list of attribute modified
* isMemberOfPartialAttributeSet is now allowed to be deleted (on schema objects)
* attributeDisplayNames is now allowed to be added and modified (used on display specifiers)
* spnMapping is now allowed to be altered on Directory Service objects
* minPwdAge is now modified if the previous value was 0

We print a clear message about the userControl attribute of the Administrator account, inviting the user to change the value themselves.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rwxr-xr-xsource4/scripting/bin/upgradeprovision29
1 files changed, 25 insertions, 4 deletions
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index f073dbcad7..deb50e36fb 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -105,7 +105,9 @@ hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace,
"wellKnownObjects":replace, "privilege":never,
"defaultSecurityDescriptor": replace,
"rIDAvailablePool": never,
- "defaultSecurityDescriptor": replace + add }
+ "defaultSecurityDescriptor": replace + add,
+ "isMemberOfPartialAttributeSet": delete,
+ "attributeDisplayNames": replace + add}
backlinked = []
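Review bot: `"defaultSecurityDescriptor"` appears twice in the `hashOverwrittenAtt` literal, once as `replace` and again, on the line this hunk re-terminates, as `replace + add`. Python keeps only the last value for a repeated key in a dict literal, so the earlier `replace` entry is dead and the effective rule is `replace + add`. Because this attribute determines the default ACL that new objects of a class receive, the rule should be stated once: drop the earlier `"defaultSecurityDescriptor": replace,` line. The dict literal starts above the hunk, so other duplicates outside the visible lines cannot be ruled out.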
@@ -287,7 +289,7 @@ def print_provision_key_parameters(names):
message(GUESS, "domainlevel :" + str(names.domainlevel))
-def handle_special_case(att, delta, new, old, usn):
+def handle_special_case(att, delta, new, old, usn, basedn, aldb):
"""Define more complicate update rules for some attributes
:param att: The attribute to be updated
@@ -296,6 +298,8 @@ def handle_special_case(att, delta, new, old, usn):
:param new: The reference object
:param old: The Updated object
:param usn: The highest usn modified by a previous (upgrade)provision
+ :param basedn: The base DN of the provision
+ :param aldb: An ldb object used to build DN
:return: True to indicate that the attribute should be kept, False for
discarding it"""
@@ -304,6 +308,23 @@ def handle_special_case(att, delta, new, old, usn):
# highest usn as otherwise the replPropertyMetaData will guide us more
# correctly
if usn is None:
+ if (att == "sPNMappings" and flag == FLAG_MOD_REPLACE and
+ ldb.Dn(aldb, "CN=Directory Service,CN=Windows NT,"
+ "CN=Services,CN=Configuration,%s" % basedn)
+ == old[0].dn):
+ return True
+ if (att == "userAccountControl" and flag == FLAG_MOD_REPLACE and
+ ldb.Dn(aldb, "CN=Administrator,CN=Users,%s" % basedn)
+ == old[0].dn):
+ message(SIMPLE, "We suggest that you change the userAccountControl"
+ " for user Administrator from value %d to %d" %
+ (int(str(old[0][att])), int(str(new[0][att]))))
+ return False
+ if (att == "minPwdAge" and flag == FLAG_MOD_REPLACE):
+ if (long(str(old[0][att])) == 0):
+ delta[att] = MessageElement(new[0][att], FLAG_MOD_REPLACE, att)
+ return True
+
if (att == "member" and flag == FLAG_MOD_REPLACE):
hash = {}
newval = []
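Review bot: The `minPwdAge` branch overwrites a stored value of 0 with the reference value without telling the operator, although 0 may have been set deliberately as the site's password policy. The `userAccountControl` branch just above already reports through `message(SIMPLE, ...)`, and the same is worth doing here before `return True`, e.g. `message(SIMPLE, "minPwdAge was 0, setting it to %s" % str(new[0][att]))`. Separately, the Administrator check compares against the fixed DN `CN=Administrator,CN=Users,%s`, so the notice presumably will not appear when that account has been renamed or moved. `flag` is not defined in the visible lines, and the function starts and continues outside the hunk.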
@@ -825,7 +846,7 @@ def update_present(ref_samdb, samdb, basedn, listPresent, usns, invocationid):
# idea to change it
delta.remove(att)
continue
- if handle_special_case(att, delta, reference, current, usns):
+ if handle_special_case(att, delta, reference, current, usns, basedn, samdb):
# This attribute is "complicated" to handle and handling
# was done in handle_special_case
continue
@@ -883,7 +904,7 @@ def update_present(ref_samdb, samdb, basedn, listPresent, usns, invocationid):
if not hashOverwrittenAtt.has_key(att):
if msgElt.flags() != FLAG_MOD_ADD:
if not handle_special_case(att, delta, reference, current,
- usns):
+ usns, basedn, samdb):
if opts.debugchange or opts.debugall:
try:
dump_denied_change(dn, att,