authorAndrew Bartlett <abartlet@samba.org>2013-02-18 15:05:00 +1100
committerStefan Metzmacher <metze@samba.org>2013-03-04 08:33:41 +0100
commit9bc32bfd65700c816ebb2a3004ad568327218f86 (patch)
treef505076bf61dcc657d987039402386be55c8831c
parent81cda856faf2a5efd38965fd4c3b1f5551ad94d9 (diff)
samba_upgradeprovision: only run rebuild_sd in --full mode
This is a potentially destructive routine, and should not be run by default. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rwxr-xr-xsource4/scripting/bin/samba_upgradeprovision37
1 files changed, 17 insertions, 20 deletions
diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision
index 6b5df1e201..c3c0c4e8f9 100755
--- a/source4/scripting/bin/samba_upgradeprovision
+++ b/source4/scripting/bin/samba_upgradeprovision
@@ -1298,32 +1298,28 @@ def fix_wellknown_sd(samdb, names):
def rebuild_sd(samdb, names):
"""Rebuild security descriptor of the current provision from scratch
- During the different pre release of samba4 security descriptors (SD)
- were notarly broken (up to alpha11 included)
- This function allow to get them back in order, this function make the
- assumption that nobody has modified manualy an SD
- and so SD can be safely recalculated from scratch to get them right.
+ During the different pre release of samba4 security descriptors
+ (SD) were notarly broken (up to alpha11 included)
+
+ This function allows to get them back in order, this function works
+ only after the database comparison that --full mode uses and which
+ populates the dnToRecalculate and dnNotToRecalculate lists.
+
+ The idea is that the SD can be safely recalculated from scratch to get it right.
:param names: List of key provision parameters"""
listWellknown = fix_wellknown_sd(samdb, names)
hash = {}
- if len(dnToRecalculate) == 0:
- res = samdb.search(expression="objectClass=*", base=str(names.rootdn),
- scope=SCOPE_SUBTREE, attrs=["dn", "whenCreated"],
- controls=["search_options:1:2"])
- for obj in res:
- hash[str(obj["dn"])] = obj["whenCreated"]
- else:
- for dn in dnToRecalculate:
- if hash.has_key(dn):
- continue
+ for dn in dnToRecalculate:
+ if hash.has_key(dn):
+ continue
# fetch each dn to recalculate and their child within the same partition
- res = samdb.search(expression="objectClass=*", base=dn,
- scope=SCOPE_SUBTREE, attrs=["dn", "whenCreated"])
- for obj in res:
- hash[str(obj["dn"])] = obj["whenCreated"]
+ res = samdb.search(expression="objectClass=*", base=dn,
+ scope=SCOPE_SUBTREE, attrs=["dn", "whenCreated"])
+ for obj in res:
+ hash[str(obj["dn"])] = obj["whenCreated"]
listKeys = list(set(hash.keys()))
listKeys.sort(dn_sort)
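Review bot: With the whole-tree fallback removed, `hash` in rebuild_sd is filled only from `dnToRecalculate`, so a call made because `defSDmodified` is set while that list is empty (the condition in the last hunk still allows this) appears to recalculate nothing beyond what `fix_wellknown_sd` resets. The caller nevertheless prints "recalculating them", which could leave an administrator believing stale descriptors were repaired. If this is intended, the docstring should say so, for example `If dnToRecalculate is empty only the well-known SDs are reset.` The new docstring also makes the dependence on the module-level `dnToRecalculate` and `dnNotToRecalculate` lists explicit; passing them as parameters would make that precondition visible at the call site. The rest of rebuild_sd lies outside this hunk, so the behaviour on an empty key list is inferred.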
@@ -1334,6 +1330,7 @@ def rebuild_sd(samdb, names):
% (len(dnToRecalculate), len(listKeys)))
for key in listKeys:
+ # well known SDs have already been reset
if key in listWellknown:
continue
if key in dnNotToRecalculate:
@@ -1863,7 +1860,7 @@ if __name__ == '__main__':
# 18) We rebuild SD if a we have a list of DN to recalculate or if the
# defSDmodified is set.
- if defSDmodified or len(dnToRecalculate) >0:
+ if opts.full and (defSDmodified or len(dnToRecalculate) >0):
message(SIMPLE, "Some (default) security descriptors (SDs) have "
"changed, recalculating them")
ldbs.sam.set_session_info(adm_session)
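Review bot: When `defSDmodified` is set but `--full` was not given, the new condition skips the rebuild without telling the operator, so changed default security descriptors can go unnoticed and objects may keep outdated ACLs. A branch that reports the skip would help, e.g. `elif defSDmodified: message(SIMPLE, "Default SDs changed but were not recalculated; rerun with --full")`. The comment above the test (`# 18) We rebuild SD if ...`) is now stale and should mention the `--full` requirement. The body of this `if` continues past the hunk, so whether an `else` already exists cannot be seen here.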