summaryrefslogtreecommitdiff
path: root/source4/scripting/bin/upgradeprovision
diff options
context:
space:
mode:
Diffstat (limited to 'source4/scripting/bin/upgradeprovision')
-rwxr-xr-xsource4/scripting/bin/upgradeprovision279
1 files changed, 48 insertions, 231 deletions
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index 1d58f5e2c9..ca5613fcc2 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -29,35 +29,33 @@ import sys
import random
import string
import re
-import base64
import tempfile
-# Find right directory when running from source tree
+# Allow to run from s4 source directory (without installing samba)
sys.path.insert(0, "bin/python")
-from base64 import b64encode
import samba
+import samba.getopt as options
from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session, admin_session
-from samba import Ldb, DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008, DS_DC_FUNCTION_2008_R2
-from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
-import ldb
-import samba.getopt as options
+from samba import Ldb
+from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError, FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE, MessageElement, Message, Dn
from samba.samdb import SamDB
from samba import param
from samba import glue
from samba.misc import messageEltFlagToString
-from samba.provision import ProvisionNames,provision_paths_from_lp,find_setup_dir,FILL_FULL,provision, get_domain_descriptor, get_config_descriptor, secretsdb_self_join
+from samba.provision import find_setup_dir, get_domain_descriptor, get_config_descriptor, secretsdb_self_join
from samba.provisionexceptions import ProvisioningError
from samba.schema import get_dnsyntax_attributes, get_linked_attributes, Schema, get_schema_descriptor
from samba.dcerpc import misc, security
from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc.misc import SEC_CHAN_BDC
+from samba.upgradehelpers import dn_sort, get_paths, newprovision, find_provision_key_parameters, rmall
never=0
-replace=2^ldb.FLAG_MOD_REPLACE
-add=2^ldb.FLAG_MOD_ADD
-delete=2^ldb.FLAG_MOD_DELETE
+replace=2^FLAG_MOD_REPLACE
+add=2^FLAG_MOD_ADD
+delete=2^FLAG_MOD_DELETE
#Errors are always logged
ERROR = -1
@@ -152,42 +150,23 @@ session = system_session()
# simple helper to allow back and forth rename
def identic_rename(ldbobj,dn):
(before,sep,after)=str(dn).partition('=')
- ldbobj.rename(dn,ldb.Dn(ldbobj,"%s=foo%s"%(before,after)))
- ldbobj.rename(ldb.Dn(ldbobj,"%s=foo%s"%(before,after)),dn)
+ ldbobj.rename(dn,Dn(ldbobj,"%s=foo%s"%(before,after)))
+ ldbobj.rename(Dn(ldbobj,"%s=foo%s"%(before,after)),dn)
# Create an array of backlinked attributes
def populate_backlink(newpaths,creds,session,schemadn):
newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
- linkedAttHash = get_linked_attributes(ldb.Dn(newsam_ldb,str(schemadn)),newsam_ldb)
+ linkedAttHash = get_linked_attributes(Dn(newsam_ldb,str(schemadn)),newsam_ldb)
backlinked.extend(linkedAttHash.values())
# Create an array of attributes with a dn synthax (2.5.5.1)
def populate_dnsyntax(newpaths,creds,session,schemadn):
newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
- res = newsam_ldb.search(expression="(attributeSyntax=2.5.5.1)",base=ldb.Dn(newsam_ldb,str(schemadn)), scope=SCOPE_SUBTREE, attrs=["lDAPDisplayName"])
+ res = newsam_ldb.search(expression="(attributeSyntax=2.5.5.1)",base=Dn(newsam_ldb,str(schemadn)),
+ scope=SCOPE_SUBTREE, attrs=["lDAPDisplayName"])
for elem in res:
dn_syntax_att.append(elem["lDAPDisplayName"])
-# Get Paths for important objects (ldb, keytabs ...)
-def get_paths(targetdir=None,smbconf=None):
- if targetdir is not None:
- if (not os.path.exists(os.path.join(targetdir, "etc"))):
- os.makedirs(os.path.join(targetdir, "etc"))
- smbconf = os.path.join(targetdir, "etc", "smb.conf")
- if smbconf is None:
- smbconf = param.default_path()
-
- if not os.path.exists(smbconf):
- message(ERROR,"Unable to find smb.conf ..")
- parser.print_usage()
- sys.exit(1)
-
- lp = param.LoadParm()
- lp.load(smbconf)
-# Normally we need the domain name for this function but for our needs it's
-# pointless
- paths = provision_paths_from_lp(lp,"foo")
- return paths
def sanitychecks(credentials,session_info,names,paths):
@@ -206,93 +185,8 @@ domain with more than one DC, please demote the other DC before upgrading"%len(r
return 1
-# This function guesses (fetches) informations needed to make a fresh provision
-# from the current provision
-# It includes: realm, workgroup, partitions, netbiosname, domain guid, ...
-def guess_names_from_current_provision(credentials,session_info,paths):
- lp = param.LoadParm()
- lp.load(paths.smbconf)
- names = ProvisionNames()
- # NT domain, kerberos realm, root dn, domain dn, domain dns name
- names.domain = string.upper(lp.get("workgroup"))
- names.realm = lp.get("realm")
- basedn = "DC=" + names.realm.replace(".",",DC=")
- names.dnsdomain = names.realm
- names.realm = string.upper(names.realm)
- # netbiosname
- secrets_ldb = Ldb(paths.secrets, session_info=session_info, credentials=credentials,lp=lp, options=["modules:samba_secrets"])
- # Get the netbiosname first (could be obtained from smb.conf in theory)
- attrs = ["sAMAccountName"]
- res = secrets_ldb.search(expression="(flatname=%s)"%names.domain,base="CN=Primary Domains", scope=SCOPE_SUBTREE, attrs=attrs)
- names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
-
- names.smbconf = smbconf
- # It's important here to let ldb load with the old module or it's quite
- # certain that the LDB won't load ...
- samdb = Ldb(paths.samdb, session_info=session_info,
- credentials=credentials, lp=lp, options=["modules:samba_dsdb"])
-
- # That's a bit simplistic but it's ok as long as we have only 3
- # partitions
- attrs2 = ["defaultNamingContext", "schemaNamingContext","configurationNamingContext","rootDomainNamingContext"]
- current = samdb.search(expression="(objectClass=*)",base="", scope=SCOPE_BASE, attrs=attrs2)
-
- names.configdn = current[0]["configurationNamingContext"]
- configdn = str(names.configdn)
- names.schemadn = current[0]["schemaNamingContext"]
- if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb, current[0]["defaultNamingContext"][0]))):
- raise ProvisioningError(("basedn in %s (%s) and from %s (%s) is not the same ..." % (paths.samdb, str(current[0]["defaultNamingContext"][0]), paths.smbconf, basedn)))
-
- names.domaindn=current[0]["defaultNamingContext"]
- names.rootdn=current[0]["rootDomainNamingContext"]
- # default site name
- attrs3 = ["cn"]
- res3= samdb.search(expression="(objectClass=*)",base="CN=Sites,"+configdn, scope=SCOPE_ONELEVEL, attrs=attrs3)
- names.sitename = str(res3[0]["cn"])
-
- # dns hostname and server dn
- attrs4 = ["dNSHostName"]
- res4= samdb.search(expression="(CN=%s)"%names.netbiosname,base="OU=Domain Controllers,"+basedn, \
- scope=SCOPE_ONELEVEL, attrs=attrs4)
- names.hostname = str(res4[0]["dNSHostName"]).replace("."+names.dnsdomain,"")
-
- server_res = samdb.search(expression="serverReference=%s"%res4[0].dn, attrs=[], base=configdn)
- names.serverdn = server_res[0].dn
-
- # invocation id/objectguid
- res5 = samdb.search(expression="(objectClass=*)",base="CN=NTDS Settings,%s" % str(names.serverdn), scope=SCOPE_BASE, attrs=["invocationID","objectGUID"])
- names.invocation = str(ndr_unpack( misc.GUID,res5[0]["invocationId"][0]))
- names.ntdsguid = str(ndr_unpack( misc.GUID,res5[0]["objectGUID"][0]))
-
- # domain guid/sid
- attrs6 = ["objectGUID", "objectSid","msDS-Behavior-Version" ]
- res6 = samdb.search(expression="(objectClass=*)",base=basedn, scope=SCOPE_BASE, attrs=attrs6)
- names.domainguid = str(ndr_unpack( misc.GUID,res6[0]["objectGUID"][0]))
- names.domainsid = ndr_unpack( security.dom_sid,res6[0]["objectSid"][0])
- if res6[0].get("msDS-Behavior-Version") == None or int(res6[0]["msDS-Behavior-Version"][0]) < DS_DOMAIN_FUNCTION_2000:
- names.domainlevel = DS_DOMAIN_FUNCTION_2000
- else:
- names.domainlevel = int(res6[0]["msDS-Behavior-Version"][0])
-
- # policy guid
- attrs7 = ["cn","displayName"]
- res7 = samdb.search(expression="(displayName=Default Domain Policy)",base="CN=Policies,CN=System,"+basedn, \
- scope=SCOPE_ONELEVEL, attrs=attrs7)
- names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
- # dc policy guid
- attrs8 = ["cn","displayName"]
- res8 = samdb.search(expression="(displayName=Default Domain Controllers Policy)",base="CN=Policies,CN=System,"+basedn, \
- scope=SCOPE_ONELEVEL, attrs=attrs7)
- if len(res8) == 1:
- names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
- else:
- names.policyid_dc = None
-
-
- return names
-
# Debug a little bit
-def print_names(names):
+def print_provision_key_parameters(names):
message(GUESS, "rootdn :"+str(names.rootdn))
message(GUESS, "configdn :"+str(names.configdn))
message(GUESS, "schemadn :"+str(names.schemadn))
@@ -311,77 +205,6 @@ def print_names(names):
message(GUESS, "ntdsguid :"+names.ntdsguid)
message(GUESS, "domainlevel :"+str(names.domainlevel))
-# Create a fresh new reference provision
-# This provision will be the reference for knowing what has changed in the
-# since the latest upgrade in the current provision
-def newprovision(names,setup_dir,creds,session,smbconf):
- message(SIMPLE, "Creating a reference provision")
- provdir=tempfile.mkdtemp(dir=paths.private_dir, prefix="referenceprovision")
- if os.path.isdir(provdir):
- rmall(provdir)
- logstd=os.path.join(provdir,"log.std")
- os.chdir(os.path.join(setup_dir,".."))
- os.mkdir(provdir)
- os.close(2)
- sys.stderr = open("%s/provision.log"%provdir, "w")
- message(PROVISION, "Reference provision stored in %s"%provdir)
- message(PROVISION, "STDERR message of provision will be logged in %s/provision.log"%provdir)
- sys.stderr = open("/dev/stdout", "w")
- provision(setup_dir, messageprovision,
- session, creds, smbconf=smbconf, targetdir=provdir,
- samdb_fill=FILL_FULL, realm=names.realm, domain=names.domain,
- domainguid=names.domainguid, domainsid=str(names.domainsid),ntdsguid=names.ntdsguid,
- policyguid=names.policyid,policyguid_dc=names.policyid_dc,hostname=names.netbiosname,
- hostip=None, hostip6=None,
- invocationid=names.invocation, adminpass=None,
- krbtgtpass=None, machinepass=None,
- dnspass=None, root=None, nobody=None,
- wheel=None, users=None,
- serverrole="domain controller",
- ldap_backend_extra_port=None,
- backend_type=None,
- ldapadminpass=None,
- ol_mmr_urls=None,
- slapd_path=None,
- setup_ds_path=None,
- nosync=None,
- dom_for_fun_level=names.domainlevel,
- ldap_dryrun_mode=None,useeadb=True)
- return provdir
-
-# This function sorts two DNs in the lexicographical order and put higher level
-# DN before.
-# So given the dns cn=bar,cn=foo and cn=foo the later will be return as smaller
-# (-1) as it has less level
-def dn_sort(x,y):
- p = re.compile(r'(?<!\\),')
- tab1 = p.split(str(x))
- tab2 = p.split(str(y))
- min = 0
- if (len(tab1) > len(tab2)):
- min = len(tab2)
- elif (len(tab1) < len(tab2)):
- min = len(tab1)
- else:
- min = len(tab1)
- len1=len(tab1)-1
- len2=len(tab2)-1
- space = " "
- # Note: python range go up to upper limit but do not include it
- for i in range(0,min):
- ret=cmp(tab1[len1-i],tab2[len2-i])
- if(ret != 0):
- return ret
- else:
- if(i==min-1):
- if(len1==len2):
- message(ERROR,"PB PB PB"+space.join(tab1)+" / "+space.join(tab2))
- if(len1>len2):
- return 1
- else:
- return -1
- return ret
-
# Check for security descriptors modifications return 1 if it is and 0 otherwise
# it also populate hash structure for later use in the upgrade process
def handle_security_desc(ischema,att,msgElt,hashallSD,old,new):
@@ -406,7 +229,7 @@ def handle_security_desc(ischema,att,msgElt,hashallSD,old,new):
# It can be also if we want to do a merge of value instead of a simple replace
def handle_special_case(att,delta,new,old,ischema):
flag = delta.get(att).flags()
- if (att == "gPLink" or att == "gPCFileSysPath") and flag == ldb.FLAG_MOD_REPLACE and str(new[0].dn).lower() == str(old[0].dn).lower():
+ if (att == "gPLink" or att == "gPCFileSysPath") and flag == FLAG_MOD_REPLACE and str(new[0].dn).lower() == str(old[0].dn).lower():
delta.remove(att)
return 1
if att == "forceLogoff":
@@ -417,13 +240,12 @@ def handle_special_case(att,delta,new,old,ischema):
return 1
if (att == "adminDisplayName" or att == "adminDescription") and ischema:
return 1
- if (str(old[0].dn) == "CN=Samba4-Local-Domain,%s"%(str(names.schemadn)) and att == "defaultObjectCategory" and flag == ldb.FLAG_MOD_REPLACE):
+ if (str(old[0].dn) == "CN=Samba4-Local-Domain,%s"%(str(names.schemadn)) and att == "defaultObjectCategory" and flag == FLAG_MOD_REPLACE):
return 1
-# if (str(old[0].dn) == "CN=S-1-5-11,CN=ForeignSecurityPrincipals,%s"%(str(names.rootdn)) and att == "description" and flag == ldb.FLAG_MOD_DELETE):
-# return 1
- if (str(old[0].dn) == "CN=Title,%s"%(str(names.schemadn)) and att == "rangeUpper" and flag == ldb.FLAG_MOD_REPLACE):
+
+ if (str(old[0].dn) == "CN=Title,%s"%(str(names.schemadn)) and att == "rangeUpper" and flag == FLAG_MOD_REPLACE):
return 1
- if ( (att == "member" or att == "servicePrincipalName") and flag == ldb.FLAG_MOD_REPLACE):
+ if ( (att == "member" or att == "servicePrincipalName") and flag == FLAG_MOD_REPLACE):
hash = {}
newval = []
@@ -437,11 +259,11 @@ def handle_special_case(att,delta,new,old,ischema):
changeDelta=1
newval.append(str(elem))
if changeDelta == 1:
- delta[att] = ldb.MessageElement(newval, ldb.FLAG_MOD_REPLACE, att)
+ delta[att] = MessageElement(newval, FLAG_MOD_REPLACE, att)
else:
delta.remove(att)
return 1
- if (str(old[0].dn) == "%s"%(str(names.rootdn)) and att == "subRefs" and flag == ldb.FLAG_MOD_REPLACE):
+ if (str(old[0].dn) == "%s"%(str(names.rootdn)) and att == "subRefs" and flag == FLAG_MOD_REPLACE):
return 1
if str(delta.dn).endswith("CN=DisplaySpecifiers,%s"%names.configdn):
return 1
@@ -466,7 +288,7 @@ def update_secrets(newpaths,paths,creds,session):
listMissing = []
listPresent = []
- empty = ldb.Message()
+ empty = Message()
for i in range(0,len(reference)):
hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
@@ -581,7 +403,7 @@ def add_missing_object(newsam_ldb,sam_ldb,dn,names,basedn,hash,index):
handle_special_add(sam_ldb,dn,names)
reference = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn,
scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
- empty = ldb.Message()
+ empty = Message()
delta = sam_ldb.msg_diff(empty,reference[0])
for att in hashAttrNotCopied.keys():
delta.remove(att)
@@ -726,7 +548,7 @@ def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
if hashOverwrittenAtt.has_key(att) and hashOverwrittenAtt.get(att)==never:
delta.remove(att)
continue
- if handle_special_case(att,delta,reference,current,ischema)==0 and msgElt.flags()!=ldb.FLAG_MOD_ADD:
+ if handle_special_case(att,delta,reference,current,ischema)==0 and msgElt.flags()!=FLAG_MOD_ADD:
i = 0
if opts.debugchange or opts.debugall:
try:
@@ -772,24 +594,24 @@ def update_sd(paths,creds,session,names):
# First update the SD for the rootdn
sam_ldb.set_session_info(session)
res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
- delta = ldb.Message()
- delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"]))
+ delta = Message()
+ delta.dn = Dn(sam_ldb,str(res[0]["dn"]))
descr = get_domain_descriptor(names.domainsid)
- delta["nTSecurityDescriptor"] = ldb.MessageElement( descr,ldb.FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
+ delta["nTSecurityDescriptor"] = MessageElement( descr,FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
sam_ldb.modify(delta,["recalculate_sd:0"])
# Then the config dn
res = sam_ldb.search(expression="objectClass=*",base=str(names.configdn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
- delta = ldb.Message()
- delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"]))
+ delta = Message()
+ delta.dn = Dn(sam_ldb,str(res[0]["dn"]))
descr = get_config_descriptor(names.domainsid)
- delta["nTSecurityDescriptor"] = ldb.MessageElement( descr,ldb.FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
+ delta["nTSecurityDescriptor"] = MessageElement( descr,FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
sam_ldb.modify(delta,["recalculate_sd:0"])
# Then the schema dn
res = sam_ldb.search(expression="objectClass=*",base=str(names.schemadn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
- delta = ldb.Message()
- delta.dn = ldb.Dn(sam_ldb,str(res[0]["dn"]))
+ delta = Message()
+ delta.dn = Dn(sam_ldb,str(res[0]["dn"]))
descr = get_schema_descriptor(names.domainsid)
- delta["nTSecurityDescriptor"] = ldb.MessageElement( descr,ldb.FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
+ delta["nTSecurityDescriptor"] = MessageElement( descr,FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
sam_ldb.modify(delta,["recalculate_sd:0"])
# Then the rest
@@ -806,9 +628,9 @@ def update_sd(paths,creds,session,names):
for key in listkeys:
try:
- delta = ldb.Message()
- delta.dn = ldb.Dn(sam_ldb,key)
- delta["whenCreated"] = ldb.MessageElement( hash[key],ldb.FLAG_MOD_REPLACE,"whenCreated" )
+ delta = Message()
+ delta.dn = Dn(sam_ldb,key)
+ delta["whenCreated"] = MessageElement( hash[key],FLAG_MOD_REPLACE,"whenCreated" )
sam_ldb.modify(delta,["recalculate_sd:0"])
except:
sam_ldb.transaction_cancel()
@@ -817,14 +639,6 @@ def update_sd(paths,creds,session,names):
return
sam_ldb.transaction_commit()
-def rmall(topdir):
- for root, dirs, files in os.walk(topdir, topdown=False):
- for name in files:
- os.remove(os.path.join(root, name))
- for name in dirs:
- os.rmdir(os.path.join(root, name))
- os.rmdir(topdir)
-
def update_basesamdb(newpaths,paths,names):
message(SIMPLE,"Copy samdb")
@@ -899,24 +713,27 @@ def update_machine_account_password(paths,creds,session,names):
else:
secrets_ldb.transaction_cancel()
+def setup_path(file):
+ return os.path.join(setup_dir, file)
# From here start the big steps of the program
# First get files paths
-paths=get_paths(smbconf=smbconf)
+paths=get_paths(param,smbconf=smbconf)
paths.setup = setup_dir
-def setup_path(file):
- return os.path.join(setup_dir, file)
# Guess all the needed names (variables in fact) from the current
# provision.
-names = guess_names_from_current_provision(creds,session,paths)
+
+names = find_provision_key_parameters(param,creds,session,paths,smbconf)
if not sanitychecks(creds,session,names,paths):
- print "Sanity checks for the upgrade fails, checks messages and correct it before rerunning upgradeprovision"
+ message(SIMPLE,"Sanity checks for the upgrade fails, checks messages and correct it before rerunning upgradeprovision")
sys.exit(1)
# Let's see them
-print_names(names)
+print_provision_key_parameters(names)
# With all this information let's create a fresh new provision used as reference
-provisiondir = newprovision(names,setup_dir,creds,session,smbconf)
+message(SIMPLE,"Creating a reference provision")
+provisiondir = tempfile.mkdtemp(dir=paths.private_dir, prefix="referenceprovision")
+newprovision(names,setup_dir,creds,session,smbconf,provisiondir,messageprovision)
# Get file paths of this new provision
-newpaths = get_paths(targetdir=provisiondir)
+newpaths = get_paths(param,targetdir=provisiondir)
populate_backlink(newpaths,creds,session,names.schemadn)
populate_dnsyntax(newpaths,creds,session,names.schemadn)
# Check the difference