summaryrefslogtreecommitdiff
path: root/source4/scripting/bin/upgradeprovision
diff options
context:
space:
mode:
Diffstat (limited to 'source4/scripting/bin/upgradeprovision')
-rwxr-xr-xsource4/scripting/bin/upgradeprovision195
1 files changed, 172 insertions, 23 deletions
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index 3ce6ae422a..ac9ab64e37 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -68,6 +68,8 @@ GUESS = 0x04
PROVISION = 0x08
CHANGEALL = 0xff
+__docformat__ = "restructuredText"
+
# Attributes that are never copied from the reference provision (even if they
# do not exist in the destination object).
# This is most probably because they are populated automatcally when object is
@@ -127,12 +129,17 @@ opts = parser.parse_args()[0]
whatToLog = define_what_to_log(opts)
def messageprovision(text):
- """print a message if quiet is not set."""
+ """Print a message if quiet is not set
+
+ :param text: Message to print """
if opts.debugprovision or opts.debugall:
print text
def message(what,text):
- """print a message if quiet is not set."""
+ """Print a message if this message type has been selected to be printed
+
+ :param what: Category of the message
+ :param text: Message to print """
if (whatToLog & what) or (what <= 0 ):
print text
@@ -145,35 +152,57 @@ creds = credopts.get_credentials(lp)
creds.set_kerberos_state(DONT_USE_KERBEROS)
setup_dir = opts.setupdir
if setup_dir is None:
- setup_dir = find_setup_dir()
+ setup_dir = find_setup_dir()
session = system_session()
-# simple helper to allow back and forth rename
def identic_rename(ldbobj,dn):
+ """Perform a back and forth rename to trigger renaming on attribute that can't be directly modified.
+
+ :param lbdobj: An Ldb Object
+ :param dn: DN of the object to manipulate """
(before,sep,after)=str(dn).partition('=')
ldbobj.rename(dn,Dn(ldbobj,"%s=foo%s"%(before,after)))
ldbobj.rename(Dn(ldbobj,"%s=foo%s"%(before,after)),dn)
-# Create an array of backlinked attributes
def populate_backlink(newpaths,creds,session,schemadn):
+ """Populate an array with all the back linked attributes
+
+ This attributes that are modified automaticaly when
+ front attibutes are changed
+
+ :param newpaths: a list of paths for different provision objects
+ :param creds: credential for the authentification
+ :param session: session for connexion
+ :param schemadn: DN of the schema for the partition"""
newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
linkedAttHash = get_linked_attributes(Dn(newsam_ldb,str(schemadn)),newsam_ldb)
backlinked.extend(linkedAttHash.values())
# Create an array of attributes with a dn synthax (2.5.5.1)
def populate_dnsyntax(newpaths,creds,session,schemadn):
+ """Populate an array with all the attributes that have DN synthax (oid 2.5.5.1)
+
+ :param newpaths: a list of paths for different provision objects
+ :param creds: credential for the authentification
+ :param session: session for connexion
+ :param schemadn: DN of the schema for the partition"""
newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
res = newsam_ldb.search(expression="(attributeSyntax=2.5.5.1)",base=Dn(newsam_ldb,str(schemadn)),
scope=SCOPE_SUBTREE, attrs=["lDAPDisplayName"])
for elem in res:
dn_syntax_att.append(elem["lDAPDisplayName"])
-
-
def sanitychecks(credentials,session_info,names,paths):
+ """Populate an array with all the attributes that have DN synthax (oid 2.5.5.1)
+
+ :param creds: credential for the authentification
+ :param session_info: session for connexion
+ :param names: list of key provision parameters
+ :param paths: list of path to provision object
+ :return: Status of check (1 for Ok, 0 for not Ok) """
sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"])
- # First update the SD for the rootdn
+
sam_ldb.set_session_info(session)
res = sam_ldb.search(expression="objectClass=ntdsdsa",base=str(names.configdn),
scope=SCOPE_SUBTREE,attrs=["dn"],controls=["search_options:1:2"])
@@ -188,8 +217,10 @@ domain with more than one DC, please demote the other(s) DC(s) before upgrading"
return 1
-# Debug a little bit
def print_provision_key_parameters(names):
+ """Do a a pretty print of provision parameters
+
+ :param names: list of key provision parameters """
message(GUESS, "rootdn :"+str(names.rootdn))
message(GUESS, "configdn :"+str(names.configdn))
message(GUESS, "schemadn :"+str(names.schemadn))
@@ -208,9 +239,18 @@ def print_provision_key_parameters(names):
message(GUESS, "ntdsguid :"+names.ntdsguid)
message(GUESS, "domainlevel :"+str(names.domainlevel))
-# Check for security descriptors modifications return 1 if it is and 0 otherwise
-# it also populate hash structure for later use in the upgrade process
def handle_security_desc(ischema, att, msgElt, hashallSD, old, new):
+ """Check if the security descriptor has been modified.
+
+ This function also populate a hash used for the upgrade process.
+ :param ischema: Boolean that indicate if it's the schema that is updated
+ :param att: Name of the attribute
+ :param msgElt: MessageElement object
+ :param hashallSD: Hash table with DN as key and the old SD as value
+ :param old: The updated LDAP object
+ :param new: The reference LDAP object
+ :return: 1 to indicate that the attribute should be kept, 0 for discarding it
+ """
if ischema == 1 and att == "defaultSecurityDescriptor" and msgElt.flags() == FLAG_MOD_REPLACE:
hashSD = {}
hashSD["oldSD"] = old[0][att]
@@ -226,11 +266,16 @@ def handle_security_desc(ischema, att, msgElt, hashallSD, old, new):
return 0
return 0
-# Handle special cases ... That's when we want to update a particular attribute
-# only, e.g. if it has a certain value or if it's for a certain object or
-# a class of object.
-# It can be also if we want to do a merge of value instead of a simple replace
def handle_special_case(att, delta, new, old, ischema):
+ """Define more complicate update rules for some attributes
+
+ :param att: The attribute to be updated
+ :param delta: A messageElement object that correspond to the difference between the updated object and the reference one
+ :param new: The reference object
+ :param old: The Updated object
+ :param ischema: A boolean that indicate that the attribute is part of a schema object
+ :return: 1 to indicate that the attribute should be kept, 0 for discarding it
+ """
flag = delta.get(att).flags()
if (att == "gPLink" or att == "gPCFileSysPath") and \
flag == FLAG_MOD_REPLACE and str(new[0].dn).lower() == str(old[0].dn).lower():
@@ -277,6 +322,13 @@ def handle_special_case(att, delta, new, old, ischema):
return 0
def update_secrets(newpaths, paths, creds, session):
+ """Update secrets.ldb
+
+ :param newpaths: a list of paths for different provision objects from the reference provision
+ :param paths: a list of paths for different provision objects from the upgraded provision
+ :param creds: credential for the authentification
+ :param session: session for connexion"""
+
message(SIMPLE,"update secrets.ldb")
newsecrets_ldb = Ldb(newpaths.secrets, session_info=session, credentials=creds,lp=lp)
secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp, options=["modules:samba_secrets"])
@@ -309,6 +361,7 @@ def update_secrets(newpaths, paths, creds, session):
listMissing.append(hash_new[k])
else:
listPresent.append(hash_new[k])
+
for entry in listMissing:
reference = newsecrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
current = secrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
@@ -353,6 +406,14 @@ def update_secrets(newpaths, paths, creds, session):
secrets_ldb.modify(delta)
def dump_denied_change(dn,att,flagtxt,current,reference):
+ """Print detailed information about why a changed is denied
+
+ :param dn: DN of the object which attribute is denied
+ :param att: Attribute that was supposed to be upgraded
+ :param flagtxt: Type of the update that should be performed (add, change, remove, ...)
+ :param current: Value(s) of the current attribute
+ :param reference: Value(s) of the reference attribute"""
+
message(CHANGE, "dn= "+str(dn)+" "+att+" with flag "+flagtxt+" is not allowed to be changed/removed, I discard this change ...")
if att != "objectSid" :
i = 0
@@ -368,9 +429,13 @@ def dump_denied_change(dn,att,flagtxt,current,reference):
message(CHANGE,"old : %s"%str(ndr_unpack( security.dom_sid,current[0])))
message(CHANGE,"new : %s"%str(ndr_unpack( security.dom_sid,reference[0])))
-#This function is for doing case by case treatment on special object
-
def handle_special_add(sam_ldb,dn,names):
+ """Handle special operation (like remove) on some object needed during upgrade
+
+ This is mostly due to wrong creation of the object in previous provision.
+ :param sam_ldb: An Ldb object representing the SAM database
+ :param dn: DN of the object to inspect
+ :param names: list of key provision parameters"""
dntoremove=None
if str(dn).lower() == ("CN=Certificate Service DCOM Access,CN=Builtin,%s"%names.rootdn).lower():
#This entry was misplaced lets remove it if it exists
@@ -395,6 +460,16 @@ def handle_special_add(sam_ldb,dn,names):
#First dn to be created has the creation order 0, second has 1, ...
#Index contain the current creation order
def check_dn_nottobecreated(hash,index,listdn):
+ """Check if one of the DN present in the list has a creation order greater than the current.
+
+ Hash is indexed by dn to be created, with each key is associated the creation order
+ First dn to be created has the creation order 0, second has 1, ...
+ Index contain the current creation order
+ :param hash: Hash holding the different DN of the object to be created as key
+ :param index: Current creation order
+ :param listdn: List of DNs on which the current DN depends on
+ :return: None if the current object do not depend on other object or if all object have been
+ created before."""
if listdn == None:
return None
for dn in listdn:
@@ -403,9 +478,18 @@ def check_dn_nottobecreated(hash,index,listdn):
return str(dn)
return None
-#This function tries to add the missing object "dn" if this object depends on some others
-# the function returns 0, if the object was created 1 is returned
def add_missing_object(newsam_ldb, sam_ldb, dn, names, basedn, hash, index):
+ """Add a new object if the dependencies are satisfied
+
+ The function add the object if the object on which it depends are already created
+ :param newsam_ldb: Ldb object representing the SAM db of the reference provision
+ :param sam_ldb: Ldb object representing the SAM db of the upgraded provision
+ :param dn: DN of the object to be added
+ :param names: List of key provision parameters
+ :param basedn: DN of the partition to be updated
+ :param hash: Hash holding the different DN of the object to be created as key
+ :param index: Current creation order
+ :return: 1 if the object was created 0 otherwise"""
handle_special_add(sam_ldb,dn,names)
reference = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn,
scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
@@ -428,12 +512,25 @@ def add_missing_object(newsam_ldb, sam_ldb, dn, names, basedn, hash, index):
return 1
def gen_dn_index_hash(listMissing):
+ """Generate a hash associating the DN to its creation order
+
+ :param listMissing: List of DN
+ :return: Hash with DN as keys and creation order as values"""
hash = {}
for i in range(0,len(listMissing)):
hash[str(listMissing[i]).lower()] = i
return hash
def add_missing_entries(newsam_ldb, sam_ldb, names, basedn,list):
+ """Add the missing object whose DN is the list
+
+ The function add the object if the object on which it depends are already created
+ :param newsam_ldb: Ldb object representing the SAM db of the reference provision
+ :param sam_ldb: Ldb object representing the SAM db of the upgraded provision
+ :param dn: DN of the object to be added
+ :param names: List of key provision parameters
+ :param basedn: DN of the partition to be updated
+ :param list: List of DN to be added in the upgraded provision"""
listMissing = []
listDefered = list
@@ -459,6 +556,19 @@ def add_missing_entries(newsam_ldb, sam_ldb, names, basedn,list):
# the scan is done in cross partition mode.
# If "ischema" is true, then special handling is done for dealing with schema
def check_diff_name(newpaths, paths, creds, session, basedn, names, ischema):
+ """Check differences between the reference provision and the upgraded one.
+
+ This function will also add the missing object and update existing object to add
+ or remove attributes that were missing.
+ :param newpaths: List of paths for different provision objects from the reference provision
+ :param paths: List of paths for different provision objects from the upgraded provision
+ :param creds: Credential for the authentification
+ :param session: Session for connexion
+ :param basedn: DN of the partition to update
+ :param names: List of key provision parameters
+ :param ischema: Boolean indicating if the update is about the schema only
+ :return: Hash of security descriptor to update"""
+
hash_new = {}
hash = {}
hashallSD = {}
@@ -573,8 +683,15 @@ def check_diff_name(newpaths, paths, creds, session, basedn, names, ischema):
message(SIMPLE,"There are %d changed objects"%(changed))
return hashallSD
-# Check that SD are correct
def check_updated_sd(newpaths, paths, creds, session, names):
+ """Check if the security descriptor in the upgraded provision are the same as the reference
+
+ :param newpaths: List of paths for different provision objects from the reference provision
+ :param paths: List of paths for different provision objects from the upgraded provision
+ :param creds: Credential for the authentification
+ :param session: Session for connexion
+ :param basedn: DN of the partition to update
+ :param names: List of key provision parameters"""
newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
reference = newsam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"])
@@ -591,10 +708,18 @@ def check_updated_sd(newpaths, paths, creds, session, names):
print "%s new sddl/sddl in ref"%key
print "%s\n%s"%(sddl,hash_new[key])
-# Simple update method for updating the SD that rely on the fact that nobody
-# should have modified the SD
-# This assumption is safe right now (alpha9) but should be removed asap
def update_sd(paths, creds, session, names):
+ """Update security descriptor of the current provision
+
+ During the different pre release of samba4 security descriptors (SD) were notarly broken (up to alpha11 included)
+ This function allow to get them back in order, this function make the assumption that nobody has modified manualy an SD
+ and so SD can be safely recalculated from scratch to get them right.
+
+ :param paths: List of paths for different provision objects from the upgraded provision
+ :param creds: Credential for the authentification
+ :param session: Session for connexion
+ :param names: List of key provision parameters"""
+
sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"])
sam_ldb.transaction_start()
# First update the SD for the rootdn
@@ -649,6 +774,12 @@ def update_sd(paths, creds, session, names):
def update_basesamdb(newpaths, paths, names):
+ """Update the provision container db: sam.ldb
+
+ :param newpaths: List of paths for different provision objects from the reference provision
+ :param paths: List of paths for different provision objects from the upgraded provision
+ :param names: List of key provision parameters"""
+
message(SIMPLE,"Copy samdb")
shutil.copy(newpaths.samdb,paths.samdb)
@@ -672,11 +803,22 @@ def update_basesamdb(newpaths, paths, names):
os.remove(configldb)
def update_privilege(newpaths, paths):
+ """Update the privilege database
+
+ :param newpaths: List of paths for different provision objects from the reference provision
+ :param paths: List of paths for different provision objects from the upgraded provision"""
message(SIMPLE,"Copy privilege")
shutil.copy(os.path.join(newpaths.private_dir,"privilege.ldb"),os.path.join(paths.private_dir,"privilege.ldb"))
# For each partition check the differences
def update_samdb(newpaths, paths, creds, session, names):
+ """Upgrade the SAM DB contents for all the provision
+
+ :param newpaths: List of paths for different provision objects from the reference provision
+ :param paths: List of paths for different provision objects from the upgraded provision
+ :param creds: Credential for the authentification
+ :param session: Session for connexion
+ :param names: List of key provision parameters"""
message(SIMPLE, "Doing schema update")
hashdef = check_diff_name(newpaths,paths,creds,session,str(names.schemadn),names,1)
@@ -686,6 +828,13 @@ def update_samdb(newpaths, paths, creds, session, names):
message(SIMPLE,"Done with scanning")
def update_machine_account_password(paths, creds, session, names):
+ """Update (change) the password of the current DC both in the SAM db and in secret one
+
+ :param paths: List of paths for different provision objects from the upgraded provision
+ :param creds: Credential for the authentification
+ :param session: Session for connexion
+ :param names: List of key provision parameters"""
+
secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp)
secrets_ldb.transaction_start()
secrets_msg = secrets_ldb.search(expression=("samAccountName=%s$" % names.netbiosname), attrs=["secureChannelType"])