diff options
author | Andrew Bartlett <abartlet@samba.org> | 2013-04-11 09:32:13 +1000 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2013-05-16 19:02:01 +0200 |
commit | 2e1f14355c162dde0190ac2cb105a34607134e02 (patch) | |
tree | 9a4d23b0c092f628abaaa99c88424a341825bb46 | |
parent | 20445415307ae3d6524995d0128862dcbc119684 (diff) | |
download | samba-2e1f14355c162dde0190ac2cb105a34607134e02.tar.gz samba-2e1f14355c162dde0190ac2cb105a34607134e02.tar.bz2 samba-2e1f14355c162dde0190ac2cb105a34607134e02.zip |
python-samba-tool domain classicupgrade: Skip machine accounts that do not end in $
These accounts will not work anyway, as all the domain member lookup code in netlogon expects the $.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | python/samba/upgrade.py | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/python/samba/upgrade.py b/python/samba/upgrade.py index af854ef0e0..df5ab41021 100644 --- a/python/samba/upgrade.py +++ b/python/samba/upgrade.py @@ -698,16 +698,17 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, user = s3db.getsampwnam(username) acct_type = (user.acct_ctrl & (samr.ACB_NORMAL|samr.ACB_WSTRUST|samr.ACB_SVRTRUST|samr.ACB_DOMTRUST)) - if (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST): - pass - - elif acct_type == samr.ACB_SVRTRUST: + if acct_type == samr.ACB_SVRTRUST: logger.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain promote'" % username[:-1]) user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST elif acct_type == samr.ACB_DOMTRUST: logger.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username[:-1]) + elif acct_type == (samr.ACB_WSTRUST) and username[-1] != '$': + logger.warn(" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration." % username) + continue + elif acct_type == (samr.ACB_NORMAL|samr.ACB_WSTRUST) and username[-1] == '$': logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username) user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL) @@ -716,6 +717,12 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member" % username) user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL) + elif acct_type == 0 and username[-1] != '$': + user.acct_ctrl = (user.acct_ctrl | samr.ACB_NORMAL) + + elif (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST): + pass + else: raise ProvisioningError("""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X). |