authorStefan Metzmacher <metze@samba.org>2012-11-22 16:22:30 +0100
committerMichael Adam <obnox@samba.org>2012-11-30 17:17:20 +0100
commit4136d969cab5d4690f00c855bd98dc01253d73d9 (patch)
tree1cad960c949d1f88377c61473b97989112183d74
parent118db4ca11bec17b8f5955f188c07f154b85c87b (diff)
s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd
The sd_flags:1:15 control together with an empty security_descriptor has the same effect as the recalculate_sd:0 control (which is samba only). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
-rwxr-xr-xsource4/scripting/bin/samba_upgradeprovision21
1 files changed, 14 insertions, 7 deletions
diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision
index b3fb0b0c97..7060b73f23 100755
--- a/source4/scripting/bin/samba_upgradeprovision
+++ b/source4/scripting/bin/samba_upgradeprovision
@@ -46,11 +46,13 @@ from ldb import (SCOPE_SUBTREE, SCOPE_BASE,
from samba import param, dsdb, Ldb
from samba.common import confirm
from samba.provision import (get_domain_descriptor, find_provision_key_parameters,
- get_config_descriptor,
+ get_config_descriptor, get_empty_descriptor,
ProvisioningError, get_last_provision_usn,
get_max_usn, update_provision_usn, setup_path)
from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
from samba.dcerpc import security, drsblobs
+from samba.dcerpc.security import (
+ SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
from samba.ndr import ndr_unpack
from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
get_ldbs, findprovisionrange,
@@ -1032,7 +1034,8 @@ def update_present(ref_samdb, samdb, basedn, listPresent, usns):
raise ProvisioningError(msg)
changed = 0
- controls = ["search_options:1:2", "sd_flags:1:0"]
+ sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL
+ controls = ["search_options:1:2", "sd_flags:1:%d" % sd_flags]
if usns is not None:
message(CHANGE, "Using replPropertyMetadata for change selection")
for dn in listPresent:
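Review bot: The `sd_flags` mask built just above `controls` in update_present is spelled out again, identically, in the rebuild_sd hunk further down, where the `continue` on the preceding context line suggests it is recomputed on every loop iteration. A single module-level constant would keep the two call sites from drifting apart, e.g. `SD_FLAGS_ALL = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL`, with a short comment that this is the value 15 named in the commit title. Both places would then use `"sd_flags:1:%d" % SD_FLAGS_ALL`. update_present starts and ends outside this hunk.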
@@ -1352,16 +1355,20 @@ def rebuild_sd(samdb, names):
continue
delta = Message()
delta.dn = Dn(samdb, key)
+ sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL
try:
delta["whenCreated"] = MessageElement(hash[key], FLAG_MOD_REPLACE,
"whenCreated" )
- samdb.modify(delta, ["recalculate_sd:0","relax:0"])
+ descr = get_empty_descriptor(names.domainsid)
+ delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
+ "nTSecurityDescriptor")
+ samdb.modify(delta, ["sd_flags:1:%d" % sd_flags,"relax:0"])
except LdbError, e:
samdb.transaction_cancel()
- res = samdb.search(expression="objectClass=*", base=str(names.rootdn),
- scope=SCOPE_SUBTREE,
- attrs=["dn", "nTSecurityDescriptor"],
- controls=["search_options:1:2"])
+ res = samdb.search(expression="objectClass=*", base=str(delta.dn),
+ scope=SCOPE_BASE,
+ attrs=["nTSecurityDescriptor"],
+ controls=["sd_flags:1:%d" % sd_flags])
badsd = ndr_unpack(security.descriptor,
str(res[0]["nTSecurityDescriptor"]))
message(ERROR, "On %s bad stuff %s" % (str(delta.dn),badsd.as_sddl(names.domainsid)))
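Review bot: The `delta["nTSecurityDescriptor"]` replace inside the `try` reads as if it overwrites the object's ACL with an empty descriptor, and nothing in the code says that the server is expected to regenerate it. A comment above `descr = get_empty_descriptor(names.domainsid)` would stop a later edit from dropping or weakening the control, for example `# Empty SD + critical sd_flags (owner|group|DACL|SACL): the server recomputes the whole descriptor; replaces the samba-only recalculate_sd:0.` The equivalence is taken from the commit message and cannot be verified from these lines. The comment should also say that the control must stay critical (the `:1:` field), presumably so that a server which does not handle it rejects the modify rather than storing the empty value. rebuild_sd starts and ends outside this hunk.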