diff options
author | Matthieu Patou <mat+Informatique.Samba@matws.net> | 2009-11-27 17:37:14 +0300 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-11-28 09:56:06 +1100 |
commit | db41a0afc6412934e166b8a3ed428ce549ba7c66 (patch) | |
tree | 2b8888e0c0a627523382a3c7521b81494662c288 /source4 | |
parent | f7c28db475261fa859e8f1888a629ced6c447c60 (diff) | |
download | samba-db41a0afc6412934e166b8a3ed428ce549ba7c66.tar.gz samba-db41a0afc6412934e166b8a3ed428ce549ba7c66.tar.bz2 samba-db41a0afc6412934e166b8a3ed428ce549ba7c66.zip |
s4: fix SD update and password change in upgrade script
- reserve a new Samba OID for recalculate SD control
- fix the update SD function
- fix handling of kvno in the update_machine_account_password function
- fix handling of handles in RPC winreg server
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/descriptor.c | 15 | ||||
-rw-r--r-- | source4/lib/ldb/common/ldb_controls.c | 27 | ||||
-rw-r--r-- | source4/lib/ldb/include/ldb.h | 6 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap_controls.c | 20 | ||||
-rwxr-xr-x | source4/scripting/bin/upgradeprovision | 172 | ||||
-rw-r--r-- | source4/scripting/python/samba/provision.py | 8 | ||||
-rw-r--r-- | source4/scripting/python/samba/schema.py | 4 | ||||
-rw-r--r-- | source4/setup/schema_samba4.ldif | 2 |
8 files changed, 161 insertions, 93 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c index f9992e3c9e..da80ee540e 100644 --- a/source4/dsdb/samdb/ldb_modules/descriptor.c +++ b/source4/dsdb/samdb/ldb_modules/descriptor.c @@ -594,13 +594,13 @@ static int descriptor_do_mod(struct descriptor_context *ac) const struct dsdb_class *objectclass; struct ldb_message *msg; struct ldb_control *sd_control; + struct ldb_control *sd_control2; struct ldb_control **saved_controls; int flags = 0; uint32_t sd_flags = 0; ldb = ldb_module_get_ctx(ac->module); schema = dsdb_get_schema(ldb); - msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message); objectclass_element = ldb_msg_find_element(ac->search_oc_res->message, "objectClass"); objectclass = get_last_structural_class(schema, objectclass_element); @@ -611,6 +611,7 @@ static int descriptor_do_mod(struct descriptor_context *ac) return LDB_ERR_OPERATIONS_ERROR; } sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID); + sd_control2 = ldb_request_get_control(ac->req, LDB_CONTROL_RECALCULATE_SD_OID); if (sd_control) { struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data; sd_flags = sdctr->secinfo_flags; @@ -637,7 +638,11 @@ static int descriptor_do_mod(struct descriptor_context *ac) return ret; } tmp_element = ldb_msg_find_element(msg, "ntSecurityDescriptor"); - tmp_element->flags = flags; + if (sd_control2) { + tmp_element->flags = LDB_FLAG_MOD_REPLACE; + } else { + tmp_element->flags = flags; + } } ret = ldb_build_mod_req(&mod_req, ldb, ac, msg, @@ -679,7 +684,6 @@ static int descriptor_do_add(struct descriptor_context *ac) if (mem_ctx == NULL) { return LDB_ERR_OPERATIONS_ERROR; } - switch (ac->req->operation) { case LDB_ADD: msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message); @@ -768,6 +772,7 @@ static int descriptor_do_add(struct descriptor_context *ac) static int descriptor_change(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb; + struct ldb_control *sd_control; struct ldb_request *search_req; struct descriptor_context *ac; struct ldb_dn *parent_dn, *dn; @@ -784,7 +789,9 @@ static int descriptor_change(struct ldb_module *module, struct ldb_request *req) case LDB_MODIFY: dn = req->op.mod.message->dn; sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor"); - if (!sd_element) { + /* This control allow forcing the recalculation of the SD */ + sd_control = ldb_request_get_control(req, LDB_CONTROL_RECALCULATE_SD_OID); + if (!sd_element && !sd_control) { return ldb_next_request(module, req); } break; diff --git a/source4/lib/ldb/common/ldb_controls.c b/source4/lib/ldb/common/ldb_controls.c index 82bd34bda5..f2ab61bde6 100644 --- a/source4/lib/ldb/common/ldb_controls.c +++ b/source4/lib/ldb/common/ldb_controls.c @@ -513,6 +513,33 @@ struct ldb_control **ldb_parse_control_strings(struct ldb_context *ldb, void *me continue; } + if (strncmp(control_strings[i], "recalculate_sd:", 15) == 0) { + const char *p; + int crit, ret; + + p = &(control_strings[i][15]); + ret = sscanf(p, "%d", &crit); + if ((ret != 1) || (crit < 0) || (crit > 1)) { + error_string = talloc_asprintf(mem_ctx, "invalid recalculate_sd control syntax\n"); + error_string = talloc_asprintf_append(error_string, " syntax: crit(b)\n"); + error_string = talloc_asprintf_append(error_string, " note: b = boolean"); + ldb_set_errstring(ldb, error_string); + talloc_free(error_string); + return NULL; + } + + ctrl[i] = talloc(ctrl, struct ldb_control); + if (!ctrl[i]) { + ldb_oom(ldb); + return NULL; + } + ctrl[i]->oid = LDB_CONTROL_RECALCULATE_SD_OID; + ctrl[i]->critical = crit; + ctrl[i]->data = NULL; + + continue; + } + if (strncmp(control_strings[i], "domain_scope:", 13) == 0) { const char *p; int crit, ret; diff --git a/source4/lib/ldb/include/ldb.h b/source4/lib/ldb/include/ldb.h index 62cd2b8c64..f2b4a48b45 100644 --- a/source4/lib/ldb/include/ldb.h +++ b/source4/lib/ldb/include/ldb.h @@ -463,7 +463,13 @@ typedef int (*ldb_qsort_cmp_fn_t) (void *v1, void *v2, void *opaque); \sa <a href="http://opends.dev.java.net/public/standards/draft-zeilenga-ldap-managedit.txt">draft managedit</a>. */ #define LDB_CONTROL_RELAX_OID "1.3.6.1.4.1.4203.666.5.12" +/** + OID for recalculate SD control. This control force the + dsdb code to recalculate the SD of the object as if the + object was just created. +*/ +#define LDB_CONTROL_RECALCULATE_SD_OID "1.3.6.1.4.1.7165.4.3.5" /** OID for the paged results control. This control is included in the searchRequest and searchResultDone messages as part of the controls diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c index 7a7da30639..0ea80a648e 100644 --- a/source4/libcli/ldap/ldap_controls.c +++ b/source4/libcli/ldap/ldap_controls.c @@ -1270,6 +1270,25 @@ static bool decode_relax_request(void *mem_ctx, DATA_BLOB in, void *_out) return true; } +static bool encode_recalculate_sd_request(void *mem_ctx, void *in, DATA_BLOB *out) +{ + if (in) { + return false; + } + + *out = data_blob(NULL, 0); + return true; +} + +static bool decode_recalculate_sd_request(void *mem_ctx, DATA_BLOB in, void *_out) +{ + if (in.length != 0) { + return false; + } + + return true; +} + static const struct ldap_control_handler ldap_known_controls[] = { { "1.2.840.113556.1.4.319", decode_paged_results_request, encode_paged_results_request }, { "1.2.840.113556.1.4.529", decode_extended_dn_request, encode_extended_dn_request }, @@ -1292,6 +1311,7 @@ static const struct ldap_control_handler ldap_known_controls[] = { { "1.3.6.1.4.1.7165.4.3.2", NULL, NULL }, /* DSDB_EXTENDED_REPLICATED_OBJECTS_OID is internal only, and has no network representation */ { "1.3.6.1.4.1.7165.4.4.1", NULL, NULL }, + { LDB_CONTROL_RECALCULATE_SD_OID, decode_recalculate_sd_request, encode_recalculate_sd_request}, { DSDB_OPENLDAP_DEREFERENCE_CONTROL, decode_openldap_dereference, encode_openldap_dereference}, { LDB_CONTROL_RELAX_OID, decode_relax_request, encode_relax_request }, { NULL, NULL, NULL } diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision index 9298c02672..2f0ce84653 100755 --- a/source4/scripting/bin/upgradeprovision +++ b/source4/scripting/bin/upgradeprovision @@ -45,9 +45,10 @@ import ldb import samba.getopt as options from samba.samdb import SamDB from samba import param -from samba.provision import ProvisionNames,provision_paths_from_lp,find_setup_dir,FILL_FULL,provision +from samba import glue +from samba.provision import ProvisionNames,provision_paths_from_lp,find_setup_dir,FILL_FULL,provision, get_domain_descriptor, get_config_descriptor, secretsdb_self_join from samba.provisionexceptions import ProvisioningError -from samba.schema import get_dnsyntax_attributes, get_linked_attributes, Schema +from samba.schema import get_dnsyntax_attributes, get_linked_attributes, Schema, get_schema_descriptor from samba.dcerpc import misc, security from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc.misc import SEC_CHAN_BDC @@ -72,7 +73,7 @@ hashAttrNotCopied = { "dn": 1,"whenCreated": 1,"whenChanged": 1,"objectGUID": 1 "showInAdvancedViewOnly": 1,"instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1,\ "nTMixedDomain": 1,"versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1, "ntPwdHistory":1, "unicodePwd":1,\ "dBCSPwd":1,"supplementalCredentials":1,"gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,\ - "maxPwdAge":1, "mail":1, "secret":1} + "maxPwdAge":1, "mail":1, "secret":1,"possibleInferiors":1} # Usually for an object that already exists we do not overwrite attributes as they might have been changed for good # reasons. Anyway for a few of thems it's mandatory to replace them otherwise the provision will be broken somehow. @@ -224,7 +225,7 @@ def guess_names_from_current_provision(credentials,session_info,paths): attrs6 = ["objectGUID", "objectSid", ] res6 = samdb.search(expression="(objectClass=*)",base=basedn, scope=SCOPE_BASE, attrs=attrs6) names.domainguid = str(ndr_unpack( misc.GUID,res6[0]["objectGUID"][0])) - names.domainsid = str(ndr_unpack( security.dom_sid,res6[0]["objectSid"][0])) + names.domainsid = ndr_unpack( security.dom_sid,res6[0]["objectSid"][0]) # policy guid attrs7 = ["cn","displayName"] @@ -258,7 +259,7 @@ def print_names(names): message(GUESS, "invocationid:"+names.invocation) message(GUESS, "policyguid :"+names.policyid) message(GUESS, "policyguiddc:"+str(names.policyid_dc)) - message(GUESS, "domainsid :"+names.domainsid) + message(GUESS, "domainsid :"+str(names.domainsid)) message(GUESS, "domainguid :"+names.domainguid) message(GUESS, "ntdsguid :"+names.ntdsguid) @@ -281,7 +282,7 @@ def newprovision(names,setup_dir,creds,session,smbconf): provision(setup_dir, messageprovision, session, creds, smbconf=smbconf, targetdir=provdir, samdb_fill=FILL_FULL, realm=names.realm, domain=names.domain, - domainguid=names.domainguid, domainsid=names.domainsid,ntdsguid=names.ntdsguid, + domainguid=names.domainguid, domainsid=str(names.domainsid),ntdsguid=names.ntdsguid, policyguid=names.policyid,policyguid_dc=names.policyid_dc,hostname=names.netbiosname, hostip=None, hostip6=None, invocationid=names.invocation, adminpass=None, @@ -503,7 +504,7 @@ def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema): # The double ldb open and schema validation is taken from the initial provision script # it's not certain that it is really needed .... sam_ldb = Ldb(session_info=session, credentials=creds, lp=lp) - schema = Schema(setup_path, security.dom_sid(names.domainsid), schemadn=basedn, serverdn=str(names.serverdn)) + schema = Schema(setup_path, names.domainsid, schemadn=basedn, serverdn=str(names.serverdn)) # Load the schema from the one we computed earlier sam_ldb.set_schema_from_ldb(schema.ldb) # And now we can connect to the DB - the schema won't be loaded from the DB @@ -566,75 +567,76 @@ def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema): message(SIMPLE,"There are %d changed objects"%(changed)) return hashallSD - -# This function updates SD for AD objects. -# As SD in the upgraded provision can be different for various reasons -# this function check if an automatic update can be performed and do it -# or if it can't be done. -def update_sds(diffDefSD,diffSD,paths,creds,session,rootdn,domSIDTxt): +# Check that SD are correct +def check_updated_sd(newpaths,paths,creds,session,names): + newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp) sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp) - sam_ldb.transaction_start() - domSID = security.dom_sid(domSIDTxt) - hashClassSD = {} - admin_session_info = admin_session(lp, str(domSID)) - system_session_info = system_session() - upgrade = 0 - for dn in diffSD.keys(): - newSD = diffSD[dn]["newSD"].as_sddl(domSID) - oldSD = diffSD[dn]["oldSD"].as_sddl(domSID) - message(CHANGESD, "ntsecuritydescriptor for %s has changed old %s new %s"%(dn,oldSD,diffSD[dn]["newSD"].as_sddl(domSID))) - # First let's find the defaultSD for the object which SD is different from the reference one. - res = sam_ldb.search(expression="dn=%s"%(dn),base=rootdn, scope=SCOPE_SUBTREE,attrs=["objectClass"],controls=["search_options:1:2"]) - classObj = res[0]["objectClass"][-1] - defSD = "" - if hashClassSD.has_key(classObj): - defSD = hashClassSD[classObj] - else: - res2 = sam_ldb.search(expression="lDAPDisplayName=%s"%(classObj),base=rootdn, scope=SCOPE_SUBTREE,attrs=["defaultSecurityDescriptor"],controls=["search_options:1:2"]) - if len(res2) > 0: - defSD = str(res2[0]["defaultSecurityDescriptor"]) - hashClassSD[classObj] = defSD - # Because somewhere between alpha8 and alpha9 samba4 changed the owner of ACLs in the AD so - # we check if it's the case and if so use the "old" owner to see if the ACL is a direct calculation - # from the defaultSecurityDescriptor - session = admin_session_info - if oldSD.startswith("O:SYG:BA"): - session = system_session_info - descr = security.descriptor.ntsd_from_defaultsd(defSD, domSID,session) - if descr.as_sddl(domSID) != oldSD: - message(SIMPLE, "nTSecurity Descriptor for %s do not directly inherit from the defaultSecurityDescriptor and is different from the one of the reference provision, therefor I can't upgrade i") - message(SIMPLE,"Old Descriptor: %s"%(oldSD)) - message(SIMPLE,"New Descriptor: %s"%(newSD)) - if diffDefSD.has_key(classObj): - # We have a pending modification for the defaultSecurityDescriptor of the class Object of the currently inspected object - # and we have a conflict so write down that we won't upgrade this defaultSD for this class object - diffDefSD[classObj]["noupgrade"]=1 - else: - # At this point we know that the SD was directly generated from the defaultSecurityDescriptor - # so we can take the new SD and replace the old one - upgrade = upgrade +1 - delta = ldb.Message() - delta.dn = ldb.Dn(sam_ldb,dn) - delta["nTSecurityDescriptor"] = ldb.MessageElement( ndr_pack(diffSD[dn]["newSD"]),ldb.FLAG_MOD_REPLACE,"nTSecurityDescriptor" ) - sam_ldb.modify(delta) + res = newsam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"]) + res2 = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"]) + hash_new = {} + for i in range(0,len(res)): + hash_new[str(res[i]["dn"]).lower()] = ndr_unpack(security.descriptor,str(res[i]["nTSecurityDescriptor"])).as_sddl(names.domainsid) - sam_ldb.transaction_commit() - message(SIMPLE,"%d nTSecurityDescriptor attribute(s) have been updated"%(upgrade)) + for i in range(0,len(res2)): + key = str(res2[i]["dn"]).lower() + if hash_new.has_key(key): + sddl = ndr_unpack(security.descriptor,str(res2[i]["nTSecurityDescriptor"])).as_sddl(names.domainsid) + if sddl != hash_new[key]: + print "%s new sddl/sddl in ref"%key + print "%s\n%s"%(sddl,hash_new[key]) + +# Simple update method for updating the SD that rely on the fact that nobody should have modified the SD +# This assumption is safe right now (alpha9) but should be removed asap +def update_sd(newpaths,paths,creds,session,names): + sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp) sam_ldb.transaction_start() - upgrade = 0 - for dn in diffDefSD: - message(CHANGESD, "DefaultSecurityDescriptor for class object %s has changed"%(dn)) - if not diffDefSD[dn].has_key("noupgrade"): - upgrade = upgrade +1 + # First update the SD for the rootdn + sam_ldb.set_session_info(session) + res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"]) + delta = ldb.Message() + delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"])) + descr = get_domain_descriptor(names.domainsid) + delta["nTSecurityDescriptor"] = ldb.MessageElement( descr,ldb.FLAG_MOD_REPLACE,"nTSecurityDescriptor" ) + sam_ldb.modify(delta,["recalculate_sd:0"]) + # Then the config dn + res = sam_ldb.search(expression="objectClass=*",base=str(names.configdn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"]) + delta = ldb.Message() + delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"])) + descr = get_config_descriptor(names.domainsid) + delta["nTSecurityDescriptor"] = ldb.MessageElement( descr,ldb.FLAG_MOD_REPLACE,"nTSecurityDescriptor" ) + sam_ldb.modify(delta,["recalculate_sd:0"]) + # Then the schema dn + res = sam_ldb.search(expression="objectClass=*",base=str(names.schemadn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"]) + delta = ldb.Message() + delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"])) + descr = get_schema_descriptor(names.domainsid) + delta["nTSecurityDescriptor"] = ldb.MessageElement( descr,ldb.FLAG_MOD_REPLACE,"nTSecurityDescriptor" ) + sam_ldb.modify(delta,["recalculate_sd:0"]) + + # Then the rest + hash = {} + res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","whenCreated"],controls=["search_options:1:2"]) + for obj in res: + if not (str(obj["dn"]) == str(names.rootdn) or + str(obj["dn"]) == str(names.configdn) or \ + str(obj["dn"]) == str(names.schemadn)): + hash[str(obj["dn"])] = obj["whenCreated"] + + listkeys = hash.keys() + listkeys.sort(dn_sort) + + for key in listkeys: + try: delta = ldb.Message() - delta.dn = ldb.Dn(sam_ldb,dn) - delta["defaultSecurityDescriptor"] = ldb.MessageElement(diffDefSD[dn]["newSD"],ldb.FLAG_MOD_REPLACE,"defaultSecurityDescriptor" ) - sam_ldb.modify(delta) - else: - message(CHANGESD,"Not updating the defaultSecurityDescriptor for class object %s as one or more dependant object hasn't been upgraded"%(dn)) - + delta.dn = ldb.Dn(sam_ldb,key) + delta["whenCreated"] = ldb.MessageElement( hash[key],ldb.FLAG_MOD_REPLACE,"whenCreated" ) + sam_ldb.modify(delta,["recalculate_sd:0"]) + except: + sam_ldb.transaction_cancel() + res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"]) + print "bad stuff" +ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(names.domainsid) + return sam_ldb.transaction_commit() - message(SIMPLE,"%d defaultSecurityDescriptor attribute(s) have been updated"%(upgrade)) def rmall(topdir): for root, dirs, files in os.walk(topdir, topdown=False): @@ -681,37 +683,36 @@ def update_samdb(newpaths,paths,creds,session,names): message(SIMPLE,"Scanning whole provision for updates and additions") hashSD = check_diff_name(newpaths,paths,creds,session,str(names.rootdn),names,0) message(SIMPLE,"Done with scanning") -# update_sds(hashdef,hashSD,paths,creds,session,str(names.rootdn),names.domainsid) -def update_machine_account_password(newpaths,paths,creds,session,names): +def update_machine_account_password(paths,creds,session,names): - secrets_ldb = Ldb(newpaths.secrets, session_info=session, credentials=creds,lp=lp) + secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp) secrets_ldb.transaction_start() secrets_msg = secrets_ldb.search(expression=("samAccountName=%s$" % names.netbiosname), attrs=["secureChannelType"]) sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp) - if secrets_msg[0]["secureChannelType"][0] == SEC_CHAN_BDC: - sam_ldb.transaction_start() + sam_ldb.transaction_start() + if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC: res = sam_ldb.search(expression=("samAccountName=%s$" % names.netbiosname), attrs=[]) assert(len(res) == 1) msg = ldb.Message(res[0].dn) - machinepass = msg["userPassword"] = glue.generate_random_str(12) - for el in msg: - el.set_flags(ldb.FLAG_MOD_REPLACE) + machinepass = glue.generate_random_str(12) + msg["userPassword"] = ldb.MessageElement(machinepass, ldb.FLAG_MOD_REPLACE, "userPassword") sam_ldb.modify(msg) res = sam_ldb.search(expression=("samAccountName=%s$" % names.netbiosname), attrs=["msDs-keyVersionNumber"]) assert(len(res) == 1) - kvno = res[0]["msDs-keyVersionNumber"] + kvno = int(str(res[0]["msDs-keyVersionNumber"])) secretsdb_self_join(secrets_ldb, domain=names.domain, realm=names.realm, + domainsid=names.domainsid, dnsdomain=names.dnsdomain, netbiosname=names.netbiosname, machinepass=machinepass, key_version_number=kvno, - secure_channel_type=secrets_msg[0]["secureChannelType"]) + secure_channel_type=int(secrets_msg[0]["secureChannelType"][0])) sam_ldb.transaction_prepare_commit() secrets_ldb.transaction_prepare_commit() sam_ldb.transaction_commit() @@ -739,9 +740,16 @@ populate_backlink(newpaths,creds,session,names.schemadn) update_basesamdb(newpaths,paths,names) update_secrets(newpaths,paths,creds,session) update_privilege(newpaths,paths) -update_machine_account_password(newpaths,paths,creds,session,names) +update_machine_account_password(paths,creds,session,names) + if opts.full: update_samdb(newpaths,paths,creds,session,names) +# SD should be created with admin but as some previous acl were so wrong that admin can't modify them we have first +# to recreate them with the good form but with system account and then give the ownership to admin ... +admin_session_info = admin_session(lp, str(names.domainsid)) +update_sd(newpaths,paths,creds,session,names) +update_sd(newpaths,paths,creds,admin_session_info,names) +check_updated_sd(newpaths,paths,creds,session,names) message(SIMPLE,"Upgrade finished !") # remove reference provision now that everything is done ! rmall(provisiondir) diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index af956579a8..f9f7ec9d59 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -95,7 +95,7 @@ def get_config_descriptor(domain_sid): "S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)" \ "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)" sec = security.descriptor.from_sddl(sddl, domain_sid) - return b64encode(ndr_pack(sec)) + return ndr_pack(sec) def get_domain_descriptor(domain_sid): sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ @@ -148,7 +148,7 @@ def get_domain_descriptor(domain_sid): "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)" sec = security.descriptor.from_sddl(sddl, domain_sid) - return b64encode(ndr_pack(sec)) + return ndr_pack(sec) DEFAULTSITE = "Default-First-Site-Name" @@ -897,7 +897,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, else: domainguid_line = "" - descr = get_domain_descriptor(domainsid) + descr = b64encode(get_domain_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), { "DOMAINDN": names.domaindn, "DOMAINGUID": domainguid_line, @@ -920,7 +920,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, }) message("Adding configuration container") - descr = get_config_descriptor(domainsid); + descr = b64encode(get_config_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), { "CONFIGDN": names.configdn, "DESCRIPTOR": descr, diff --git a/source4/scripting/python/samba/schema.py b/source4/scripting/python/samba/schema.py index 6f45859ead..8913e53b00 100644 --- a/source4/scripting/python/samba/schema.py +++ b/source4/scripting/python/samba/schema.py @@ -46,7 +46,7 @@ def get_schema_descriptor(domain_sid): "(AU;SA;CR;;;DU)(OU;SA;CR;e12b56b6-0a95-11d1-adbb-00c04fd8d5cd;;WD)" \ "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)" sec = security.descriptor.from_sddl(sddl, domain_sid) - return b64encode(ndr_pack(sec)) + return ndr_pack(sec) class Schema(object): @@ -79,7 +79,7 @@ class Schema(object): "SERVERDN": serverdn, }) - descr = get_schema_descriptor(domain_sid) + descr = b64encode(get_schema_descriptor(domain_sid)) self.schema_dn_add = read_and_sub_file(setup_path("provision_schema_basedn.ldif"), {"SCHEMADN": schemadn, "DESCRIPTOR": descr diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif index fd663fd97b..3216f4f7c9 100644 --- a/source4/setup/schema_samba4.ldif +++ b/source4/setup/schema_samba4.ldif @@ -177,7 +177,7 @@ #Allocated: DSDB_CONTROL_CURRENT_PARTITION_OID 1.3.6.1.4.1.7165.4.3.2 #Allocated: DSDB_CONTROL_REPLICATED_UPDATE_OID 1.3.6.1.4.1.7165.4.3.3 - +#Allocated: LDB_CONTROL_RECALCULATE_SD_OID 1.3.6.1.4.1.7165.4.3.5 #Allocated: DSDB_EXTENDED_REPLICATED_OBJECTS_OID 1.3.6.1.4.1.7165.4.4.1 #Allocated: DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID 1.3.6.1.4.1.7165.4.4.2 #Allocated: LDB_EXTENDED_SEQUENCE_NUMBER 1.3.6.1.4.1.7165.4.4.3 |